Edit tour

Windows Analysis Report
Updater.dll.dll

Overview

General Information

Sample name:	Updater.dll.dll (renamed file extension from exe to dll)
Original sample name:	Updater.dll.exe
Analysis ID:	1541313
MD5:	e08edc1510052adc297d6af47022a70b
SHA1:	f08af6d4a2f9655beb8219aca5711400efed8670
SHA256:	915a80abb43f04fcdfb9ba2ced3b38f3524c050b6c0a36d97f4e7827916248b2
Tags:	exeta544warmcookieuser-N3utralZ0ne
Infos:

Detection

Score:	56
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

System process connects to network (likely due to code injection or exploit)

AI detected suspicious sample

Found evasive API chain (may stop execution after checking mutex)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates COM task schedule object (often to register a task for autostart)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates job files (autostart)

Deletes files inside the Windows folder

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain (may stop execution after checking a module file name)

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Registers a DLL

Sample execution stops while process was sleeping (likely an evasion)

Suricata IDS alerts with low severity for network traffic

Classification

Process Tree

System is w10x64

loaddll64.exe (PID: 4208 cmdline: loaddll64.exe "C:\Users\user\Desktop\Updater.dll.dll" MD5: 763455F9DCB24DFEECC2B9D9F8D46D52)

conhost.exe (PID: 2260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 1216 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Updater.dll.dll",#1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

rundll32.exe (PID: 940 cmdline: rundll32.exe "C:\Users\user\Desktop\Updater.dll.dll",#1 MD5: EF3179D498793BF4234F708D3BE28633)

regsvr32.exe (PID: 4956 cmdline: regsvr32.exe /s C:\Users\user\Desktop\Updater.dll.dll MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E)

rundll32.exe (PID: 1532 cmdline: rundll32.exe C:\Users\user\Desktop\Updater.dll.dll,DllGetClassObject MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 4140 cmdline: rundll32.exe C:\Users\user\Desktop\Updater.dll.dll,DllRegisterServer MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 5484 cmdline: rundll32.exe C:\Users\user\Desktop\Updater.dll.dll,DllRegisterServerEx MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 6200 cmdline: C:\Windows\system32\rundll32.exe "C:\ProgramData\SynergyTop\Updater.dll",Start /u MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 6220 cmdline: C:\Windows\system32\rundll32.exe "C:\ProgramData\Solid Digital\Updater.dll",Start /u MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 7148 cmdline: C:\Windows\system32\rundll32.exe "C:\ProgramData\Table XI\Updater.dll",Start /u MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 5028 cmdline: C:\Windows\system32\rundll32.exe "C:\ProgramData\TECLA\Updater.dll",Start /u MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 4072 cmdline: C:\Windows\system32\rundll32.exe "C:\ProgramData\TECLA\Updater.dll",Start /u MD5: EF3179D498793BF4234F708D3BE28633)

cleanup

Suricata Signatures

ET JA3 Hash - [Abuse.ch] Possible Dridex

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-24T17:27:00.861349+0200	2028765	3	Unknown Traffic	192.168.2.5	49704	185.161.251.26	443	TCP
2024-10-24T17:27:01.900634+0200	2028765	3	Unknown Traffic	192.168.2.5	49705	185.161.251.26	443	TCP
2024-10-24T17:27:02.900351+0200	2028765	3	Unknown Traffic	192.168.2.5	49706	185.161.251.26	443	TCP
2024-10-24T17:27:03.873192+0200	2028765	3	Unknown Traffic	192.168.2.5	49707	185.161.251.26	443	TCP
2024-10-24T17:27:04.841551+0200	2028765	3	Unknown Traffic	192.168.2.5	49708	185.161.251.26	443	TCP
2024-10-24T17:27:05.829499+0200	2028765	3	Unknown Traffic	192.168.2.5	49709	185.161.251.26	443	TCP
2024-10-24T17:27:06.822449+0200	2028765	3	Unknown Traffic	192.168.2.5	49710	185.161.251.26	443	TCP
2024-10-24T17:27:07.825290+0200	2028765	3	Unknown Traffic	192.168.2.5	49711	185.161.251.26	443	TCP
2024-10-24T17:27:08.827643+0200	2028765	3	Unknown Traffic	192.168.2.5	49712	185.161.251.26	443	TCP
2024-10-24T17:27:09.826275+0200	2028765	3	Unknown Traffic	192.168.2.5	49713	185.161.251.26	443	TCP
2024-10-24T17:27:10.829765+0200	2028765	3	Unknown Traffic	192.168.2.5	49714	185.161.251.26	443	TCP
2024-10-24T17:27:11.831002+0200	2028765	3	Unknown Traffic	192.168.2.5	49715	185.161.251.26	443	TCP
2024-10-24T17:27:12.850682+0200	2028765	3	Unknown Traffic	192.168.2.5	49716	185.161.251.26	443	TCP
2024-10-24T17:27:13.863347+0200	2028765	3	Unknown Traffic	192.168.2.5	49718	185.161.251.26	443	TCP
2024-10-24T17:27:14.861306+0200	2028765	3	Unknown Traffic	192.168.2.5	49721	185.161.251.26	443	TCP
2024-10-24T17:27:15.829243+0200	2028765	3	Unknown Traffic	192.168.2.5	49724	185.161.251.26	443	TCP
2024-10-24T17:27:16.828726+0200	2028765	3	Unknown Traffic	192.168.2.5	49726	185.161.251.26	443	TCP
2024-10-24T17:27:17.829438+0200	2028765	3	Unknown Traffic	192.168.2.5	49733	185.161.251.26	443	TCP
2024-10-24T17:27:18.817250+0200	2028765	3	Unknown Traffic	192.168.2.5	49739	185.161.251.26	443	TCP
2024-10-24T17:27:19.768396+0200	2028765	3	Unknown Traffic	192.168.2.5	49745	185.161.251.26	443	TCP
2024-10-24T17:27:20.750118+0200	2028765	3	Unknown Traffic	192.168.2.5	49751	185.161.251.26	443	TCP
2024-10-24T17:27:21.719283+0200	2028765	3	Unknown Traffic	192.168.2.5	49756	185.161.251.26	443	TCP
2024-10-24T17:27:22.701406+0200	2028765	3	Unknown Traffic	192.168.2.5	49761	185.161.251.26	443	TCP
2024-10-24T17:27:23.673765+0200	2028765	3	Unknown Traffic	192.168.2.5	49766	185.161.251.26	443	TCP
2024-10-24T17:27:24.944793+0200	2028765	3	Unknown Traffic	192.168.2.5	49771	185.161.251.26	443	TCP
2024-10-24T17:27:25.928245+0200	2028765	3	Unknown Traffic	192.168.2.5	49779	185.161.251.26	443	TCP
2024-10-24T17:27:27.083616+0200	2028765	3	Unknown Traffic	192.168.2.5	49785	185.161.251.26	443	TCP
2024-10-24T17:27:28.062256+0200	2028765	3	Unknown Traffic	192.168.2.5	49790	185.161.251.26	443	TCP
2024-10-24T17:27:29.064948+0200	2028765	3	Unknown Traffic	192.168.2.5	49795	185.161.251.26	443	TCP
2024-10-24T17:27:30.069419+0200	2028765	3	Unknown Traffic	192.168.2.5	49800	185.161.251.26	443	TCP
2024-10-24T17:27:31.059172+0200	2028765	3	Unknown Traffic	192.168.2.5	49805	185.161.251.26	443	TCP
2024-10-24T17:27:32.013380+0200	2028765	3	Unknown Traffic	192.168.2.5	49810	185.161.251.26	443	TCP
2024-10-24T17:27:32.970572+0200	2028765	3	Unknown Traffic	192.168.2.5	49815	185.161.251.26	443	TCP
2024-10-24T17:27:33.946371+0200	2028765	3	Unknown Traffic	192.168.2.5	49820	185.161.251.26	443	TCP
2024-10-24T17:27:34.915373+0200	2028765	3	Unknown Traffic	192.168.2.5	49825	185.161.251.26	443	TCP
2024-10-24T17:27:36.160278+0200	2028765	3	Unknown Traffic	192.168.2.5	49830	185.161.251.26	443	TCP
2024-10-24T17:27:37.378292+0200	2028765	3	Unknown Traffic	192.168.2.5	49834	185.161.251.26	443	TCP
2024-10-24T17:27:38.342698+0200	2028765	3	Unknown Traffic	192.168.2.5	49838	185.161.251.26	443	TCP
2024-10-24T17:27:39.679597+0200	2028765	3	Unknown Traffic	192.168.2.5	49844	185.161.251.26	443	TCP
2024-10-24T17:27:40.658709+0200	2028765	3	Unknown Traffic	192.168.2.5	49851	185.161.251.26	443	TCP
2024-10-24T17:27:41.636982+0200	2028765	3	Unknown Traffic	192.168.2.5	49857	185.161.251.26	443	TCP
2024-10-24T17:27:42.608233+0200	2028765	3	Unknown Traffic	192.168.2.5	49863	185.161.251.26	443	TCP
2024-10-24T17:27:43.591860+0200	2028765	3	Unknown Traffic	192.168.2.5	49868	185.161.251.26	443	TCP
2024-10-24T17:27:44.544412+0200	2028765	3	Unknown Traffic	192.168.2.5	49874	185.161.251.26	443	TCP
2024-10-24T17:27:45.546861+0200	2028765	3	Unknown Traffic	192.168.2.5	49879	185.161.251.26	443	TCP
2024-10-24T17:27:46.512774+0200	2028765	3	Unknown Traffic	192.168.2.5	49884	185.161.251.26	443	TCP
2024-10-24T17:27:48.131213+0200	2028765	3	Unknown Traffic	192.168.2.5	49889	185.161.251.26	443	TCP
2024-10-24T17:27:49.102130+0200	2028765	3	Unknown Traffic	192.168.2.5	49894	185.161.251.26	443	TCP
2024-10-24T17:27:50.087441+0200	2028765	3	Unknown Traffic	192.168.2.5	49899	185.161.251.26	443	TCP
2024-10-24T17:27:51.074039+0200	2028765	3	Unknown Traffic	192.168.2.5	49905	185.161.251.26	443	TCP
2024-10-24T17:27:52.040544+0200	2028765	3	Unknown Traffic	192.168.2.5	49909	185.161.251.26	443	TCP
2024-10-24T17:27:53.005344+0200	2028765	3	Unknown Traffic	192.168.2.5	49913	185.161.251.26	443	TCP
2024-10-24T17:27:53.999882+0200	2028765	3	Unknown Traffic	192.168.2.5	49919	185.161.251.26	443	TCP
2024-10-24T17:27:54.976911+0200	2028765	3	Unknown Traffic	192.168.2.5	49923	185.161.251.26	443	TCP
2024-10-24T17:27:55.974403+0200	2028765	3	Unknown Traffic	192.168.2.5	49926	185.161.251.26	443	TCP
2024-10-24T17:27:56.950050+0200	2028765	3	Unknown Traffic	192.168.2.5	49929	185.161.251.26	443	TCP
2024-10-24T17:27:57.924460+0200	2028765	3	Unknown Traffic	192.168.2.5	49932	185.161.251.26	443	TCP
2024-10-24T17:27:58.929433+0200	2028765	3	Unknown Traffic	192.168.2.5	49935	185.161.251.26	443	TCP
2024-10-24T17:27:59.921916+0200	2028765	3	Unknown Traffic	192.168.2.5	49938	185.161.251.26	443	TCP
2024-10-24T17:28:00.983547+0200	2028765	3	Unknown Traffic	192.168.2.5	49941	185.161.251.26	443	TCP
2024-10-24T17:28:01.925848+0200	2028765	3	Unknown Traffic	192.168.2.5	49944	185.161.251.26	443	TCP
2024-10-24T17:28:02.886536+0200	2028765	3	Unknown Traffic	192.168.2.5	49947	185.161.251.26	443	TCP
2024-10-24T17:28:04.200011+0200	2028765	3	Unknown Traffic	192.168.2.5	49951	185.161.251.26	443	TCP
2024-10-24T17:28:05.164033+0200	2028765	3	Unknown Traffic	192.168.2.5	49956	185.161.251.26	443	TCP
2024-10-24T17:28:06.129457+0200	2028765	3	Unknown Traffic	192.168.2.5	49960	185.161.251.26	443	TCP
2024-10-24T17:28:07.090507+0200	2028765	3	Unknown Traffic	192.168.2.5	49964	185.161.251.26	443	TCP
2024-10-24T17:28:08.073367+0200	2028765	3	Unknown Traffic	192.168.2.5	49968	185.161.251.26	443	TCP
2024-10-24T17:28:09.043718+0200	2028765	3	Unknown Traffic	192.168.2.5	49972	185.161.251.26	443	TCP
2024-10-24T17:28:10.012095+0200	2028765	3	Unknown Traffic	192.168.2.5	49976	185.161.251.26	443	TCP
2024-10-24T17:28:10.981519+0200	2028765	3	Unknown Traffic	192.168.2.5	49980	185.161.251.26	443	TCP
2024-10-24T17:28:11.936657+0200	2028765	3	Unknown Traffic	192.168.2.5	49984	185.161.251.26	443	TCP
2024-10-24T17:28:12.889445+0200	2028765	3	Unknown Traffic	192.168.2.5	49988	185.161.251.26	443	TCP
2024-10-24T17:28:13.854086+0200	2028765	3	Unknown Traffic	192.168.2.5	49993	185.161.251.26	443	TCP
2024-10-24T17:28:14.799401+0200	2028765	3	Unknown Traffic	192.168.2.5	49998	185.161.251.26	443	TCP
2024-10-24T17:28:15.764197+0200	2028765	3	Unknown Traffic	192.168.2.5	50003	185.161.251.26	443	TCP
2024-10-24T17:28:16.754223+0200	2028765	3	Unknown Traffic	192.168.2.5	50008	185.161.251.26	443	TCP
2024-10-24T17:28:17.722313+0200	2028765	3	Unknown Traffic	192.168.2.5	50015	185.161.251.26	443	TCP
2024-10-24T17:28:18.693922+0200	2028765	3	Unknown Traffic	192.168.2.5	50022	185.161.251.26	443	TCP
2024-10-24T17:28:19.659632+0200	2028765	3	Unknown Traffic	192.168.2.5	50028	185.161.251.26	443	TCP
2024-10-24T17:28:20.649119+0200	2028765	3	Unknown Traffic	192.168.2.5	50034	185.161.251.26	443	TCP
2024-10-24T17:28:21.639473+0200	2028765	3	Unknown Traffic	192.168.2.5	50039	185.161.251.26	443	TCP
2024-10-24T17:28:22.599953+0200	2028765	3	Unknown Traffic	192.168.2.5	50044	185.161.251.26	443	TCP
2024-10-24T17:28:23.563284+0200	2028765	3	Unknown Traffic	192.168.2.5	50049	185.161.251.26	443	TCP
2024-10-24T17:28:24.544331+0200	2028765	3	Unknown Traffic	192.168.2.5	50056	185.161.251.26	443	TCP
2024-10-24T17:28:25.502862+0200	2028765	3	Unknown Traffic	192.168.2.5	50060	185.161.251.26	443	TCP
2024-10-24T17:28:27.484891+0200	2028765	3	Unknown Traffic	192.168.2.5	50061	185.161.251.26	443	TCP
2024-10-24T17:28:28.466699+0200	2028765	3	Unknown Traffic	192.168.2.5	50062	185.161.251.26	443	TCP
2024-10-24T17:28:29.436992+0200	2028765	3	Unknown Traffic	192.168.2.5	50063	185.161.251.26	443	TCP
2024-10-24T17:28:30.546879+0200	2028765	3	Unknown Traffic	192.168.2.5	50064	185.161.251.26	443	TCP
2024-10-24T17:28:31.511439+0200	2028765	3	Unknown Traffic	192.168.2.5	50065	185.161.251.26	443	TCP
2024-10-24T17:28:32.482891+0200	2028765	3	Unknown Traffic	192.168.2.5	50066	185.161.251.26	443	TCP
2024-10-24T17:28:33.445772+0200	2028765	3	Unknown Traffic	192.168.2.5	50067	185.161.251.26	443	TCP
2024-10-24T17:28:34.431245+0200	2028765	3	Unknown Traffic	192.168.2.5	50068	185.161.251.26	443	TCP
2024-10-24T17:28:35.397692+0200	2028765	3	Unknown Traffic	192.168.2.5	50069	185.161.251.26	443	TCP
2024-10-24T17:28:36.372111+0200	2028765	3	Unknown Traffic	192.168.2.5	50070	185.161.251.26	443	TCP
2024-10-24T17:28:37.336552+0200	2028765	3	Unknown Traffic	192.168.2.5	50071	185.161.251.26	443	TCP
2024-10-24T17:28:38.307573+0200	2028765	3	Unknown Traffic	192.168.2.5	50072	185.161.251.26	443	TCP
2024-10-24T17:28:39.271400+0200	2028765	3	Unknown Traffic	192.168.2.5	50073	185.161.251.26	443	TCP
2024-10-24T17:28:40.435080+0200	2028765	3	Unknown Traffic	192.168.2.5	50074	185.161.251.26	443	TCP
2024-10-24T17:28:41.409329+0200	2028765	3	Unknown Traffic	192.168.2.5	50075	185.161.251.26	443	TCP
2024-10-24T17:28:42.391225+0200	2028765	3	Unknown Traffic	192.168.2.5	50076	185.161.251.26	443	TCP
2024-10-24T17:28:43.358360+0200	2028765	3	Unknown Traffic	192.168.2.5	50077	185.161.251.26	443	TCP
2024-10-24T17:28:44.341048+0200	2028765	3	Unknown Traffic	192.168.2.5	50078	185.161.251.26	443	TCP
2024-10-24T17:28:45.433447+0200	2028765	3	Unknown Traffic	192.168.2.5	50079	185.161.251.26	443	TCP
2024-10-24T17:28:46.400228+0200	2028765	3	Unknown Traffic	192.168.2.5	50080	185.161.251.26	443	TCP
2024-10-24T17:28:47.635714+0200	2028765	3	Unknown Traffic	192.168.2.5	50081	185.161.251.26	443	TCP
2024-10-24T17:28:48.603339+0200	2028765	3	Unknown Traffic	192.168.2.5	50082	185.161.251.26	443	TCP
2024-10-24T17:28:49.665853+0200	2028765	3	Unknown Traffic	192.168.2.5	50083	185.161.251.26	443	TCP
2024-10-24T17:28:50.622828+0200	2028765	3	Unknown Traffic	192.168.2.5	50084	185.161.251.26	443	TCP
2024-10-24T17:28:51.584433+0200	2028765	3	Unknown Traffic	192.168.2.5	50085	185.161.251.26	443	TCP
2024-10-24T17:28:52.681010+0200	2028765	3	Unknown Traffic	192.168.2.5	50086	185.161.251.26	443	TCP
2024-10-24T17:28:53.665534+0200	2028765	3	Unknown Traffic	192.168.2.5	50087	185.161.251.26	443	TCP
2024-10-24T17:28:54.625132+0200	2028765	3	Unknown Traffic	192.168.2.5	50088	185.161.251.26	443	TCP
2024-10-24T17:28:55.608899+0200	2028765	3	Unknown Traffic	192.168.2.5	50089	185.161.251.26	443	TCP
2024-10-24T17:28:56.577636+0200	2028765	3	Unknown Traffic	192.168.2.5	50090	185.161.251.26	443	TCP
2024-10-24T17:28:57.550356+0200	2028765	3	Unknown Traffic	192.168.2.5	50091	185.161.251.26	443	TCP
2024-10-24T17:28:58.516836+0200	2028765	3	Unknown Traffic	192.168.2.5	50092	185.161.251.26	443	TCP
2024-10-24T17:28:59.492384+0200	2028765	3	Unknown Traffic	192.168.2.5	50093	185.161.251.26	443	TCP
2024-10-24T17:29:00.483191+0200	2028765	3	Unknown Traffic	192.168.2.5	50094	185.161.251.26	443	TCP
2024-10-24T17:29:01.431715+0200	2028765	3	Unknown Traffic	192.168.2.5	50095	185.161.251.26	443	TCP
2024-10-24T17:29:02.404552+0200	2028765	3	Unknown Traffic	192.168.2.5	50096	185.161.251.26	443	TCP

Code function: 7_2_00007FF8B8F71C40 LoadLibraryExW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,InternetOpenW,InternetSetOptionW,InternetSetOptionW,InternetSetOptionW,InternetConnectW,HttpOpenRequestW,SetLastError,HttpSendRequestW,GetLastError,InternetQueryOptionW,InternetSetOptionW,HttpSendRequestW,InternetReadFile,InternetReadFile,RtlFreeHeap,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

7_2_00007FF8B8F71C40

Source: rundll32.exe, 00000007.00000003.2492845579.00000200CC056000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://185.161.251.26/
Source: rundll32.exe, 00000007.00000003.2327243119.00000200CC02D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://185.161.251.26/%
Source: rundll32.exe, 00000007.00000003.2155067613.00000200CC056000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2205354979.00000200CC056000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2215325363.00000200CC056000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2185024506.00000200CC056000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2225012180.00000200CC056000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2235074493.00000200CC056000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2492845579.00000200CC059000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2175011781.00000200CC056000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2164997824.00000200CC056000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2557733401.00000200CC059000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2531895696.00000200CC059000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2195218593.00000200CC056000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2606722890.00000200CC059000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2293741113.00000200CC056000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2316163493.00000200CC056000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2327243119.00000200CC056000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2483113719.00000200CC059000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2596774158.00000200CC059000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://185.161.251.26/(
Source: rundll32.exe, 00000007.00000003.2606722890.00000200CC026000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2557733401.00000200CC026000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://185.161.251.26/)
Source: rundll32.exe, 00000007.00000003.2357363077.00000200CC02D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2645958802.00000200CC026000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2293741113.00000200CC056000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2316163493.00000200CC056000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2327243119.00000200CC056000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://185.161.251.26//
Source: rundll32.exe, 00000007.00000003.2357363077.00000200CC059000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2367427989.00000200CC059000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2396416533.00000200CC059000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://185.161.251.26/0
Source: rundll32.exe, 00000007.00000003.2195218593.00000200CC059000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2185024506.00000200CC059000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://185.161.251.26/0.
Source: rundll32.exe, 00000007.00000003.2626459998.00000200CC059000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2396416533.00000200CC056000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2293741113.00000200CC059000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2195218593.00000200CC059000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2205354979.00000200CC059000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2316163493.00000200CC056000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://185.161.251.26/161.251.26/
Source: rundll32.exe, 00000007.00000003.2616480027.00000200CC059000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2626459998.00000200CC059000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2606722890.00000200CC059000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2645958802.00000200CC059000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2596774158.00000200CC059000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://185.161.251.26/161.251.26/8
Source: rundll32.exe, 00000007.00000003.2105449664.00000200CC056000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://185.161.251.26/161.251.26/i
Source: rundll32.exe, 00000007.00000003.2531895696.00000200CC059000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2337574602.00000200CC059000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2596774158.00000200CC059000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://185.161.251.26/161.251.26/vider
Source: rundll32.exe, 00000007.00000002.3283882210.00000200CC059000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2645958802.00000200CC059000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://185.161.251.26/4
Source: rundll32.exe, 00000007.00000003.2450161663.00000200CC026000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://185.161.251.26/5
Source: rundll32.exe, 00000007.00000003.2095713808.00000200CC059000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2155067613.00000200CC059000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2125037011.00000200CC059000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://185.161.251.26/6
Source: rundll32.exe, 00000007.00000003.2327243119.00000200CC059000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3283882210.00000200CC059000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2531895696.00000200CC059000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2656009190.00000200CC059000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://185.161.251.26/8
Source: rundll32.exe, 00000007.00000003.2531895696.00000200CC026000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://185.161.251.26/9
Source: rundll32.exe, 00000007.00000003.2616480027.00000200CC026000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2316163493.00000200CC02D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://185.161.251.26/;
Source: rundll32.exe, 00000007.00000003.2293741113.00000200CC059000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://185.161.251.26/;~
Source: rundll32.exe, 00000007.00000003.2626459998.00000200CC026000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://185.161.251.26/?
Source: rundll32.exe, 00000007.00000003.2293741113.00000200CC02D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2616480027.00000200CC026000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://185.161.251.26/C
Source: rundll32.exe, 00000007.00000003.2327243119.00000200CC059000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2316163493.00000200CC059000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://185.161.251.26/H
Source: rundll32.exe, 00000007.00000002.3283882210.00000200CBFB2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2125108338.00000200CBFDE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://185.161.251.26/I0
Source: rundll32.exe, 00000007.00000003.2645958802.00000200CC056000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2656009190.00000200CC056000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://185.161.251.26/P=
Source: rundll32.exe, 00000007.00000003.2596774158.00000200CC026000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://185.161.251.26/Q
Source: rundll32.exe, 00000007.00000002.3283882210.00000200CC026000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2396416533.00000200CC026000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2645958802.00000200CC026000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2492845579.00000200CC026000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2450161663.00000200CC026000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://185.161.251.26/W
Source: rundll32.exe, 00000007.00000003.2357363077.00000200CC02D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://185.161.251.26/Y
Source: rundll32.exe, 00000007.00000003.2205354979.00000200CC059000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://185.161.251.26/a
Source: rundll32.exe, 00000007.00000002.3283882210.00000200CBFB2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2125108338.00000200CBFDE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://185.161.251.26/a02
Source: rundll32.exe, 00000007.00000003.2095713808.00000200CC059000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://185.161.251.26/c
Source: rundll32.exe, 00000007.00000003.2531895696.00000200CC056000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://185.161.251.26/cros
Source: rundll32.exe, 00000007.00000002.3283882210.00000200CC059000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2367427989.00000200CC059000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://185.161.251.26/gits
Source: rundll32.exe, 00000007.00000003.2095713808.00000200CC056000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2085920371.00000200CC056000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://185.161.251.26/i
Source: rundll32.exe, 00000007.00000003.2215325363.00000200CC059000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2195218593.00000200CC059000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2205354979.00000200CC059000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://185.161.251.26/j
Source: rundll32.exe, 00000007.00000003.2115247652.00000200CC059000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2164997824.00000200CC059000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2105449664.00000200CC059000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2450161663.00000200CC059000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2125037011.00000200CC059000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2185024506.00000200CC059000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2175011781.00000200CC059000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://185.161.251.26/nd
Source: rundll32.exe, 00000007.00000003.2337574602.00000200CC056000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2115156132.00000200CC056000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2125037011.00000200CC056000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2483113719.00000200CC056000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2293741113.00000200CC056000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2450161663.00000200CC056000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2492845579.00000200CC056000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://185.161.251.26/ography
Source: rundll32.exe, 00000007.00000003.3110243755.00000200CC059000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3283882210.00000200CC059000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2185024506.00000200CC056000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2557733401.00000200CC056000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2175011781.00000200CC056000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2164997824.00000200CC056000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2531895696.00000200CC059000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2316163493.00000200CC056000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3283882210.00000200CC056000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://185.161.251.26/p
Source: rundll32.exe, 00000007.00000003.2606722890.00000200CC056000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://185.161.251.26/r
Source: rundll32.exe, 00000007.00000003.2095713808.00000200CC056000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2293741113.00000200CC056000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://185.161.251.26/rtificate
Source: rundll32.exe, 00000007.00000003.3110243755.00000200CC059000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://185.161.251.26/s
Source: rundll32.exe, 00000007.00000002.3283882210.00000200CC059000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://185.161.251.26/t
Source: rundll32.exe, 00000007.00000003.3110243755.00000200CC056000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://185.161.251.26/vide
Source: rundll32.exe, 00000007.00000003.2645958802.00000200CC059000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2483113719.00000200CC059000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2596774158.00000200CC059000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2175011781.00000200CC059000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://185.161.251.26/vider
Source: rundll32.exe, 00000007.00000003.2327243119.00000200CC059000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2316163493.00000200CC059000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2337574602.00000200CC059000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2396416533.00000200CC059000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://185.161.251.26/vider4
Source: rundll32.exe, 00000007.00000003.2215325363.00000200CC059000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://185.161.251.26/vider6
Source: rundll32.exe, 00000007.00000003.2557733401.00000200CC059000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2531895696.00000200CC059000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2606722890.00000200CC059000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2596774158.00000200CC059000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://185.161.251.26/viderH
Source: rundll32.exe, 00000007.00000002.3283882210.00000200CC059000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://185.161.251.26/viderl
Source: rundll32.exe, 00000007.00000003.2144999141.00000200CC059000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2134964303.00000200CC059000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://185.161.251.26/vider~
Source: rundll32.exe, 00000007.00000003.2105527255.00000200CC02E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3283882210.00000200CC026000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2195218593.00000200CC02E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2205354979.00000200CC02E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2185024506.00000200CC02E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2367427989.00000200CC02D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3110243755.00000200CC026000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2293741113.00000200CC02D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2483113719.00000200CC026000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2396416533.00000200CC026000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2164997824.00000200CC02E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2606722890.00000200CC026000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2155067613.00000200CC02E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2115247652.00000200CC02E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2531895696.00000200CC026000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2085920371.00000200CC02E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2616480027.00000200CC026000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2626459998.00000200CC026000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2235074493.00000200CC02D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2337574602.00000200CC02D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2357363077.00000200CC02D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://185.161.251.26/y

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49863
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49984
Source: unknown	Network traffic detected: HTTP traffic on port 49926 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49980
Source: unknown	Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49932 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50056
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49984 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50061
Source: unknown	Network traffic detected: HTTP traffic on port 50022 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50060
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50063
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50062
Source: unknown	Network traffic detected: HTTP traffic on port 50068 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49857
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49976
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 50085 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49851
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49972
Source: unknown	Network traffic detected: HTTP traffic on port 50039 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50065
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50064
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50067
Source: unknown	Network traffic detected: HTTP traffic on port 50091 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50056 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50066
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50069
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50068
Source: unknown	Network traffic detected: HTTP traffic on port 50074 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50070
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50072
Source: unknown	Network traffic detected: HTTP traffic on port 49909 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50071
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50074
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50073
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50080 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49968
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49844
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49964
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49960
Source: unknown	Network traffic detected: HTTP traffic on port 50034 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49972 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50015 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50076
Source: unknown	Network traffic detected: HTTP traffic on port 49834 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50075
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50078
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50077
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50079
Source: unknown	Network traffic detected: HTTP traffic on port 50096 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50081
Source: unknown	Network traffic detected: HTTP traffic on port 50073 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50080
Source: unknown	Network traffic detected: HTTP traffic on port 50028 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50083
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50082
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50085
Source: unknown	Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50084
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49838
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49956
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49834
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 50062 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49830
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49951
Source: unknown	Network traffic detected: HTTP traffic on port 49944 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50087
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50086
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50089
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50088
Source: unknown	Network traffic detected: HTTP traffic on port 50079 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50090
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50092
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50091
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50094
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50093
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50096
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 49938 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50095
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49947
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49825
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49944
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50061 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 49951 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49968 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50090 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50078 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50015
Source: unknown	Network traffic detected: HTTP traffic on port 50049 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49980 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49868 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49899
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50028
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49894
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50022
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50095 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49879 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49851 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49830 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50067 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49905 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50084 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49889
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50039
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49884
Source: unknown	Network traffic detected: HTTP traffic on port 49863 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 49857 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50034
Source: unknown	Network traffic detected: HTTP traffic on port 49956 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50066 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50083 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50089 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49879
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49998
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49874
Source: unknown	Network traffic detected: HTTP traffic on port 49923 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49993
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50044
Source: unknown	Network traffic detected: HTTP traffic on port 49874 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50049
Source: unknown	Network traffic detected: HTTP traffic on port 50072 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50044 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49868
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49988
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 50094 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49935 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50071 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49889 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49820 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50060 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49929 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50077 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49964 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50088 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49844 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49947 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50076 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50008
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 50093 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50003
Source: unknown	Network traffic detected: HTTP traffic on port 49913 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49884 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49941 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50082 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50065 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49941
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49820
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49894 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50075 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50003 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49938
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49815
Source: unknown	Network traffic detected: HTTP traffic on port 50081 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49935
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49932
Source: unknown	Network traffic detected: HTTP traffic on port 50087 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown	Network traffic detected: HTTP traffic on port 50064 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49919 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50008 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50070 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49988 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49960 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49929
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49926
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49923
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49800
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50086 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49838 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50063 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49976 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50092 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49919
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49913
Source: unknown	Network traffic detected: HTTP traffic on port 49998 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49899 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49909
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49905
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49993 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50069 -> 443

Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49721 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49724 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49756 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49761 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49766 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49771 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49779 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49785 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49790 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49795 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49800 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49805 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49810 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49815 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49820 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49825 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49830 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49834 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49838 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49844 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49851 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49857 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49863 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49868 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49874 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49879 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49884 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49889 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49894 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49899 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49905 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49909 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49913 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49919 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49923 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49926 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49929 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49932 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49935 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49938 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49941 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49944 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49947 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49951 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49956 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49960 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49964 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49968 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49972 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49976 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49980 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49984 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49988 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49993 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:49998 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:50003 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:50008 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:50015 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:50022 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:50028 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:50034 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:50039 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:50044 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:50049 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:50056 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:50060 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:50061 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:50062 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:50063 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:50064 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:50065 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:50066 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:50067 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:50068 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:50069 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:50070 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:50071 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:50072 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:50073 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:50074 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:50075 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:50076 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:50077 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:50078 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:50079 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:50080 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:50081 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:50082 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:50083 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:50084 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:50085 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:50086 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:50087 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:50088 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:50089 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:50090 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:50091 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:50092 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:50093 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:50094 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:50095 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.5:50096 version: TLS 1.2

Source: C:\Windows\System32\loaddll64.exe	File created: C:\Windows\Tasks\TECLA.job	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File created: C:\Windows\Tasks\SynergyTop.job	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File created: C:\Windows\Tasks\Solid Digital.job	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File created: C:\Windows\Tasks\Table XI.job	Jump to behavior

Source: C:\Windows\System32\loaddll64.exe

File deleted: C:\Windows\Tasks\Table XI.job

Jump to behavior

Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00007FF8B8F71C40	7_2_00007FF8B8F71C40
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00007FF8B8F745E0	7_2_00007FF8B8F745E0
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00007FF8B8F72C40	7_2_00007FF8B8F72C40
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00007FF8B8F768A0	7_2_00007FF8B8F768A0
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00007FF8B8F818C0	7_2_00007FF8B8F818C0
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00007FF8B8F83508	7_2_00007FF8B8F83508
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00007FF8B8F7B310	7_2_00007FF8B8F7B310
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00007FF8B8F73F30	7_2_00007FF8B8F73F30
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00007FF8B8F7CD38	7_2_00007FF8B8F7CD38
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00007FF8B8F82D5C	7_2_00007FF8B8F82D5C
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00007FF8B8F75160	7_2_00007FF8B8F75160
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00007FF8B8F78F68	7_2_00007FF8B8F78F68
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00007FF8B8F73170	7_2_00007FF8B8F73170
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00007FF8B8F82578	7_2_00007FF8B8F82578
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00007FF8B8F71990	7_2_00007FF8B8F71990
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00007FF8B8F7EFB0	7_2_00007FF8B8F7EFB0
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00007FF8B8F821C8	7_2_00007FF8B8F821C8

Source: classification engine

Classification label: mal56.evad.winDLL@19/12@0/1

Source: C:\Windows\System32\rundll32.exe

Code function: 7_2_00007FF8B8F77740 CoInitializeEx,CoCreateInstance,VariantInit,VariantInit,VariantInit,VariantInit,SysAllocString,SysAllocString,SysFreeString,SysFreeString,VariantClear,VariantClear,VariantClear,VariantClear,CoUninitialize,

7_2_00007FF8B8F77740

Source: C:\Windows\System32\rundll32.exe	Mutant created: \BaseNamedObjects\65abfc80-a660-4691-a919-130dc9b75b98
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2260:120:WilError_03
Source: C:\Windows\System32\rundll32.exe	Mutant created: \Sessions\1\BaseNamedObjects\65abfc80-a660-4691-a919-130dc9b75b98
Source: C:\Windows\System32\rundll32.exe	Mutant created: \Sessions\1\BaseNamedObjects\461592c6-32a2-4a5a-9542-783ba1348002

Source: Updater.dll.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll64.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Updater.dll.dll",#1

Source: unknown	Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\Updater.dll.dll"
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Updater.dll.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\Updater.dll.dll
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Updater.dll.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\Updater.dll.dll,DllGetClassObject
Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe "C:\ProgramData\SynergyTop\Updater.dll",Start /u
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\Updater.dll.dll,DllRegisterServer
Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe "C:\ProgramData\Solid Digital\Updater.dll",Start /u
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\Updater.dll.dll,DllRegisterServerEx
Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe "C:\ProgramData\Table XI\Updater.dll",Start /u
Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe "C:\ProgramData\TECLA\Updater.dll",Start /u
Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe "C:\ProgramData\TECLA\Updater.dll",Start /u
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Updater.dll.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\Updater.dll.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\Updater.dll.dll,DllGetClassObject	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\Updater.dll.dll,DllRegisterServer	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\Updater.dll.dll,DllRegisterServerEx	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Updater.dll.dll",#1	Jump to behavior

Source: C:\Windows\System32\loaddll64.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: mstask.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: mstask.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: mstask.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: uxtheme.dll	Jump to behavior

Source: C:\Windows\System32\loaddll64.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32

Jump to behavior

Source: Updater.dll.dll

Static PE information: Image base 0x180000000 > 0x60000000

Source: Updater.dll.dll

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source: Updater.dll.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Updater.dll.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Updater.dll.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Updater.dll.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Updater.dll.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Windows\System32\rundll32.exe

Code function: 7_2_00007FF8B8F75A20 LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,RtlGetVersion,GetNativeSystemInfo,GetNativeSystemInfo,GetSystemInfo,GetSystemMetrics,

7_2_00007FF8B8F75A20

Source: C:\Windows\System32\loaddll64.exe

Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\Updater.dll.dll

Source: C:\Windows\System32\rundll32.exe	File created: C:\ProgramData\Solid Digital\Updater.dll	Jump to dropped file
Source: C:\Windows\System32\rundll32.exe	File created: C:\ProgramData\Table XI\Updater.dll	Jump to dropped file
Source: C:\Windows\System32\rundll32.exe	File created: C:\ProgramData\SynergyTop\Updater.dll	Jump to dropped file
Source: C:\Windows\System32\loaddll64.exe	File created: C:\ProgramData\TECLA\Updater.dll	Jump to dropped file

Source: C:\Windows\System32\rundll32.exe	File created: C:\ProgramData\Solid Digital\Updater.dll	Jump to dropped file
Source: C:\Windows\System32\rundll32.exe	File created: C:\ProgramData\Table XI\Updater.dll	Jump to dropped file
Source: C:\Windows\System32\rundll32.exe	File created: C:\ProgramData\SynergyTop\Updater.dll	Jump to dropped file
Source: C:\Windows\System32\loaddll64.exe	File created: C:\ProgramData\TECLA\Updater.dll	Jump to dropped file

Source: C:\Windows\System32\loaddll64.exe

File created: C:\Windows\Tasks\TECLA.job

Jump to behavior

Source: C:\Windows\System32\rundll32.exe

Code function: 7_2_00007FF8B8F75E70 LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,

7_2_00007FF8B8F75E70

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Windows\System32\rundll32.exe

Evasive API call chain: CreateMutex,DecisionNodes,Sleep

graph_7-8404

Source: C:\Windows\System32\rundll32.exe

Window / User API: threadDelayed 9649

Jump to behavior

Source: C:\Windows\System32\rundll32.exe	Dropped PE file which has not been started: C:\ProgramData\Solid Digital\Updater.dll	Jump to dropped file
Source: C:\Windows\System32\rundll32.exe	Dropped PE file which has not been started: C:\ProgramData\Table XI\Updater.dll	Jump to dropped file
Source: C:\Windows\System32\rundll32.exe	Dropped PE file which has not been started: C:\ProgramData\SynergyTop\Updater.dll	Jump to dropped file
Source: C:\Windows\System32\loaddll64.exe	Dropped PE file which has not been started: C:\ProgramData\TECLA\Updater.dll	Jump to dropped file

Source: C:\Windows\System32\rundll32.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

graph_7-7647

Source: C:\Windows\System32\loaddll64.exe TID: 5032	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 5532	Thread sleep count: 191 > 30	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 5532	Thread sleep time: -191000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 5532	Thread sleep count: 9649 > 30	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 5532	Thread sleep time: -9649000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\rundll32.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\System32\rundll32.exe	Last function: Thread delayed

Source: C:\Windows\System32\rundll32.exe

Code function: 7_2_00007FF8B8F713A0 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,sprintf_s,FindFirstFileW,FindNextFileW,FindClose,

7_2_00007FF8B8F713A0

Source: C:\Windows\System32\rundll32.exe

7_2_00007FF8B8F75A20

Source: C:\Windows\System32\loaddll64.exe

Thread delayed: delay time: 120000

Jump to behavior

Source: rundll32.exe, 00000007.00000002.3283882210.00000200CC00D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2125108338.00000200CC00D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: rundll32.exe, 00000007.00000002.3283882210.00000200CBFB2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: rundll32.exe, 00000007.00000002.3283882210.00000200CC00D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2125108338.00000200CC00D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWD

Source: C:\Windows\System32\rundll32.exe

API call chain: ExitProcess graph end node

graph_7-7648

Source: C:\Windows\System32\rundll32.exe

Code function: 7_2_00007FF8B8F78C1C __crtCaptureCurrentContext,IsDebuggerPresent,__crtUnhandledException,

7_2_00007FF8B8F78C1C

Source: C:\Windows\System32\rundll32.exe

Code function: 7_2_00007FF8B8F8036C EncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

7_2_00007FF8B8F8036C

Source: C:\Windows\System32\rundll32.exe

7_2_00007FF8B8F75A20

Source: C:\Windows\System32\rundll32.exe

Code function: 7_2_00007FF8B8F75980 GetProcessHeap,HeapAlloc,

7_2_00007FF8B8F75980

Source: C:\Windows\System32\rundll32.exe

Code function: 7_2_00007FF8B8F7C538 SetUnhandledExceptionFilter,UnhandledExceptionFilter,

7_2_00007FF8B8F7C538

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\rundll32.exe

Network Connect: 185.161.251.26 443

Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Updater.dll.dll",#1

Jump to behavior

Source: C:\Windows\System32\rundll32.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Windows\System32\rundll32.exe

Code function: 7_2_00007FF8B8F7BDA8 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

7_2_00007FF8B8F7BDA8

Source: C:\Windows\System32\rundll32.exe

Code function: 7_2_00007FF8B8F745E0 GetVolumeInformationW,GetModuleHandleW,GetComputerNameW,GetModuleHandleW,GetComputerNameExW,GetModuleHandleW,GetUserNameW,GetModuleHandleW,OpenMutexW,CloseHandle,GetModuleHandleW,GetTickCount,SleepEx,

7_2_00007FF8B8F745E0

Source: C:\Windows\System32\rundll32.exe

7_2_00007FF8B8F75A20

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	2 Scheduled Task/Job	111 Process Injection	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	12 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Scheduled Task/Job	1 DLL Side-Loading	2 Scheduled Task/Job	11 Virtualization/Sandbox Evasion	LSASS Memory	31 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	12 Native API	Logon Script (Windows)	1 DLL Side-Loading	111 Process Injection	Security Account Manager	11 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Regsvr32	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Rundll32	LSA Secrets	1 Account Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 System Owner/User Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 File Deletion	DCSync	1 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	24 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Updater.dll.dll	5%	ReversingLabs

Dropped Files

Source	Detection	Scanner
C:\ProgramData\Solid Digital\Updater.dll	5%	ReversingLabs
C:\ProgramData\SynergyTop\Updater.dll	5%	ReversingLabs
C:\ProgramData\TECLA\Updater.dll	5%	ReversingLabs
C:\ProgramData\Table XI\Updater.dll	5%	ReversingLabs

Name	Source	Malicious	Reputation
https://185.161.251.26/viderl	rundll32.exe, 00000007.00000002.3283882210.00000200CC059000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://185.161.251.26/a	rundll32.exe, 00000007.00000003.2205354979.00000200CC059000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://185.161.251.26/a02	rundll32.exe, 00000007.00000002.3283882210.00000200CBFB2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2125108338.00000200CBFDE000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://185.161.251.26/0.	rundll32.exe, 00000007.00000003.2195218593.00000200CC059000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2185024506.00000200CC059000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://185.161.251.26/161.251.26/i	rundll32.exe, 00000007.00000003.2105449664.00000200CC056000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://185.161.251.26/c	rundll32.exe, 00000007.00000003.2095713808.00000200CC059000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://185.161.251.26/%	rundll32.exe, 00000007.00000003.2327243119.00000200CC02D000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://185.161.251.26/)	rundll32.exe, 00000007.00000003.2606722890.00000200CC026000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2557733401.00000200CC026000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://185.161.251.26/i	rundll32.exe, 00000007.00000003.2095713808.00000200CC056000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2085920371.00000200CC056000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://185.161.251.26/(	rundll32.exe, 00000007.00000003.2155067613.00000200CC056000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2205354979.00000200CC056000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2215325363.00000200CC056000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2185024506.00000200CC056000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2225012180.00000200CC056000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2235074493.00000200CC056000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2492845579.00000200CC059000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2175011781.00000200CC056000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2164997824.00000200CC056000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2557733401.00000200CC059000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2531895696.00000200CC059000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2195218593.00000200CC056000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2606722890.00000200CC059000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2293741113.00000200CC056000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2316163493.00000200CC056000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2327243119.00000200CC056000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2483113719.00000200CC059000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2596774158.00000200CC059000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://185.161.251.26/nd	rundll32.exe, 00000007.00000003.2115247652.00000200CC059000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2164997824.00000200CC059000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2105449664.00000200CC059000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2450161663.00000200CC059000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2125037011.00000200CC059000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2185024506.00000200CC059000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2175011781.00000200CC059000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://185.161.251.26/j	rundll32.exe, 00000007.00000003.2215325363.00000200CC059000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2195218593.00000200CC059000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2205354979.00000200CC059000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://185.161.251.26/161.251.26/	rundll32.exe, 00000007.00000003.2626459998.00000200CC059000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2396416533.00000200CC056000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2293741113.00000200CC059000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2195218593.00000200CC059000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2205354979.00000200CC059000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2316163493.00000200CC056000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://185.161.251.26/vider~	rundll32.exe, 00000007.00000003.2144999141.00000200CC059000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2134964303.00000200CC059000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://185.161.251.26//	rundll32.exe, 00000007.00000003.2357363077.00000200CC02D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2645958802.00000200CC026000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2293741113.00000200CC056000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2316163493.00000200CC056000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2327243119.00000200CC056000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://185.161.251.26/0	rundll32.exe, 00000007.00000003.2357363077.00000200CC059000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2367427989.00000200CC059000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2396416533.00000200CC059000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://185.161.251.26/p	rundll32.exe, 00000007.00000003.3110243755.00000200CC059000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3283882210.00000200CC059000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2185024506.00000200CC056000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2557733401.00000200CC056000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2175011781.00000200CC056000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2164997824.00000200CC056000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2531895696.00000200CC059000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2316163493.00000200CC056000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3283882210.00000200CC056000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://185.161.251.26/P=	rundll32.exe, 00000007.00000003.2645958802.00000200CC056000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2656009190.00000200CC056000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://185.161.251.26/s	rundll32.exe, 00000007.00000003.3110243755.00000200CC059000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://185.161.251.26/r	rundll32.exe, 00000007.00000003.2606722890.00000200CC056000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://185.161.251.26/rtificate	rundll32.exe, 00000007.00000003.2095713808.00000200CC056000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2293741113.00000200CC056000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://185.161.251.26/vider4	rundll32.exe, 00000007.00000003.2327243119.00000200CC059000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2316163493.00000200CC059000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2337574602.00000200CC059000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2396416533.00000200CC059000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://185.161.251.26/5	rundll32.exe, 00000007.00000003.2450161663.00000200CC026000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://185.161.251.26/4	rundll32.exe, 00000007.00000002.3283882210.00000200CC059000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2645958802.00000200CC059000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://185.161.251.26/t	rundll32.exe, 00000007.00000002.3283882210.00000200CC059000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://185.161.251.26/vider6	rundll32.exe, 00000007.00000003.2215325363.00000200CC059000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://185.161.251.26/6	rundll32.exe, 00000007.00000003.2095713808.00000200CC059000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2155067613.00000200CC059000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2125037011.00000200CC059000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://185.161.251.26/9	rundll32.exe, 00000007.00000003.2531895696.00000200CC026000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://185.161.251.26/y	rundll32.exe, 00000007.00000003.2105527255.00000200CC02E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3283882210.00000200CC026000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2195218593.00000200CC02E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2205354979.00000200CC02E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2185024506.00000200CC02E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2367427989.00000200CC02D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3110243755.00000200CC026000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2293741113.00000200CC02D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2483113719.00000200CC026000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2396416533.00000200CC026000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2164997824.00000200CC02E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2606722890.00000200CC026000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2155067613.00000200CC02E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2115247652.00000200CC02E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2531895696.00000200CC026000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2085920371.00000200CC02E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2616480027.00000200CC026000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2626459998.00000200CC026000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2235074493.00000200CC02D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2337574602.00000200CC02D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2357363077.00000200CC02D000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://185.161.251.26/8	rundll32.exe, 00000007.00000003.2327243119.00000200CC059000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3283882210.00000200CC059000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2531895696.00000200CC059000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2656009190.00000200CC059000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://185.161.251.26/;	rundll32.exe, 00000007.00000003.2616480027.00000200CC026000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2316163493.00000200CC02D000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://185.161.251.26/gits	rundll32.exe, 00000007.00000002.3283882210.00000200CC059000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2367427989.00000200CC059000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://185.161.251.26/;~	rundll32.exe, 00000007.00000003.2293741113.00000200CC059000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://185.161.251.26/?	rundll32.exe, 00000007.00000003.2626459998.00000200CC026000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://185.161.251.26/	rundll32.exe, 00000007.00000003.2492845579.00000200CC056000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://185.161.251.26/C	rundll32.exe, 00000007.00000003.2293741113.00000200CC02D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2616480027.00000200CC026000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://185.161.251.26/viderH	rundll32.exe, 00000007.00000003.2557733401.00000200CC059000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2531895696.00000200CC059000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2606722890.00000200CC059000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2596774158.00000200CC059000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://185.161.251.26/H	rundll32.exe, 00000007.00000003.2327243119.00000200CC059000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2316163493.00000200CC059000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://185.161.251.26/vide	rundll32.exe, 00000007.00000003.3110243755.00000200CC056000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://185.161.251.26/vider	rundll32.exe, 00000007.00000003.2645958802.00000200CC059000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2483113719.00000200CC059000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2596774158.00000200CC059000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2175011781.00000200CC059000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://185.161.251.26/161.251.26/vider	rundll32.exe, 00000007.00000003.2531895696.00000200CC059000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2337574602.00000200CC059000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2596774158.00000200CC059000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://185.161.251.26/cros	rundll32.exe, 00000007.00000003.2531895696.00000200CC056000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://185.161.251.26/Q	rundll32.exe, 00000007.00000003.2596774158.00000200CC026000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://185.161.251.26/ography	rundll32.exe, 00000007.00000003.2337574602.00000200CC056000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2115156132.00000200CC056000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2125037011.00000200CC056000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2483113719.00000200CC056000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2293741113.00000200CC056000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2450161663.00000200CC056000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2492845579.00000200CC056000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://185.161.251.26/161.251.26/8	rundll32.exe, 00000007.00000003.2616480027.00000200CC059000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2626459998.00000200CC059000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2606722890.00000200CC059000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2645958802.00000200CC059000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2596774158.00000200CC059000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://185.161.251.26/W	rundll32.exe, 00000007.00000002.3283882210.00000200CC026000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2396416533.00000200CC026000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2645958802.00000200CC026000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2492845579.00000200CC026000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2450161663.00000200CC026000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://185.161.251.26/I0	rundll32.exe, 00000007.00000002.3283882210.00000200CBFB2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2125108338.00000200CBFDE000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://185.161.251.26/Y	rundll32.exe, 00000007.00000003.2357363077.00000200CC02D000.00000004.00000020.00020000.00000000.sdmp	false	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.161.251.26	unknown	United Kingdom		5089	NTLGB	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1541313
Start date and time:	2024-10-24 17:26:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 10s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Updater.dll.dll (renamed file extension from exe to dll)
Original Sample Name:	Updater.dll.exe
Detection:	MAL
Classification:	mal56.evad.winDLL@19/12@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 20 Number of non-executed functions: 26

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.12.23.50, 93.184.221.240, 20.3.187.198, 13.85.23.206
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, wu.ec.azureedge.net, ctldl.windowsupdate.com, wu.azureedge.net, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, ocsp.digicert.com, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, hlb.apr-52dd2-0.edgecastdns.net, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: Updater.dll.dll

Simulations

Behavior and APIs

Time	Type	Description
11:26:56	API Interceptor	4923980x Sleep call for process: rundll32.exe modified
11:27:05	API Interceptor	2x Sleep call for process: loaddll64.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
NTLGB	o2YUBeMZW6.elf	Get hash	malicious	Mirai	Browse	86.8.111.22
	G63E6opeS8.elf	Get hash	malicious	Mirai	Browse	62.253.81.1
	ai3eCONS9Q.elf	Get hash	malicious	Mirai	Browse	62.31.100.51
	la.bot.arm.elf	Get hash	malicious	Unknown	Browse	80.5.205.110
	la.bot.mipsel.elf	Get hash	malicious	Unknown	Browse	86.13.197.104
	la.bot.m68k.elf	Get hash	malicious	Unknown	Browse	86.1.9.11
	la.bot.arm5.elf	Get hash	malicious	Unknown	Browse	82.10.79.183
	botnet.sh4.elf	Get hash	malicious	Mirai, Moobot	Browse	213.81.108.104
	na.elf	Get hash	malicious	Unknown	Browse	81.105.12.132
	la.bot.mips.elf	Get hash	malicious	Unknown	Browse	81.109.14.1

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
51c64c77e60f3980eea90869b68c58a8	xxJfSec58P.exe	Get hash	malicious	Vidar	Browse	185.161.251.26
	UMrFwHyjUi.exe	Get hash	malicious	Vidar	Browse	185.161.251.26
	b157p9L0c1.exe	Get hash	malicious	Vidar	Browse	185.161.251.26
	PFlJLzFUqH.exe	Get hash	malicious	Vidar	Browse	185.161.251.26
	46QSz6qyKC.exe	Get hash	malicious	Vidar	Browse	185.161.251.26
	7ZthFNAqYp.exe	Get hash	malicious	Vidar	Browse	185.161.251.26
	M8PoiLFYWM.exe	Get hash	malicious	Vidar	Browse	185.161.251.26
	Unlock_Tool_2.3.1.exe	Get hash	malicious	Vidar	Browse	185.161.251.26
	aZm1EZ2IYr.exe	Get hash	malicious	Vidar	Browse	185.161.251.26
	Unlock_Tool_2.4.exe	Get hash	malicious	Vidar	Browse	185.161.251.26

Process:	C:\Windows\System32\rundll32.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	132096
Entropy (8bit):	6.076983096514084
Encrypted:	false
SSDEEP:	3072:Jhw2Pja55J8hTGMjctYnc/F5ipfVMFY3lz:Jhwv55WT7ctiiF5cV
MD5:	E08EDC1510052ADC297D6AF47022A70B
SHA1:	F08AF6D4A2F9655BEB8219ACA5711400EFED8670
SHA-256:	915A80ABB43F04FCDFB9BA2CED3B38F3524C050B6C0A36D97F4E7827916248B2
SHA-512:	2B91019E3D96B57362719B9BDDB7B894239977266D23E2C8B9EBBCD93A9BA748491B96A92C1B4FD1876E74A3B7F3DA99B89BB0E38A463A8AE9F357D9D9F66652
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...h.$[.........." .....4...................................................p............`.........................................P................P.......0..p............`......................................P...p............P...............................text...42.......4.................. ..`.rdata.......P.......8..............@..@.data....?..........................@....pdata..p....0......................@..@.rsrc........P......................@..@.reloc.......`......................@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Solid Digital\Updater.dll:Zone.Identifier

Download File

Process:	C:\Windows\System32\rundll32.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\ProgramData\SynergyTop\Updater.dll

Download File

Process:	C:\Windows\System32\rundll32.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	132096
Entropy (8bit):	6.076983096514084
Encrypted:	false
SSDEEP:	3072:Jhw2Pja55J8hTGMjctYnc/F5ipfVMFY3lz:Jhwv55WT7ctiiF5cV
MD5:	E08EDC1510052ADC297D6AF47022A70B
SHA1:	F08AF6D4A2F9655BEB8219ACA5711400EFED8670
SHA-256:	915A80ABB43F04FCDFB9BA2CED3B38F3524C050B6C0A36D97F4E7827916248B2
SHA-512:	2B91019E3D96B57362719B9BDDB7B894239977266D23E2C8B9EBBCD93A9BA748491B96A92C1B4FD1876E74A3B7F3DA99B89BB0E38A463A8AE9F357D9D9F66652
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...h.$[.........." .....4...................................................p............`.........................................P................P.......0..p............`......................................P...p............P...............................text...42.......4.................. ..`.rdata.......P.......8..............@..@.data....?..........................@....pdata..p....0......................@..@.rsrc........P......................@..@.reloc.......`......................@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\SynergyTop\Updater.dll:Zone.Identifier

Download File

Process:	C:\Windows\System32\rundll32.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\ProgramData\TECLA\Updater.dll

Download File

Process:	C:\Windows\System32\loaddll64.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	132096
Entropy (8bit):	6.076983096514084
Encrypted:	false
SSDEEP:	3072:Jhw2Pja55J8hTGMjctYnc/F5ipfVMFY3lz:Jhwv55WT7ctiiF5cV
MD5:	E08EDC1510052ADC297D6AF47022A70B
SHA1:	F08AF6D4A2F9655BEB8219ACA5711400EFED8670
SHA-256:	915A80ABB43F04FCDFB9BA2CED3B38F3524C050B6C0A36D97F4E7827916248B2
SHA-512:	2B91019E3D96B57362719B9BDDB7B894239977266D23E2C8B9EBBCD93A9BA748491B96A92C1B4FD1876E74A3B7F3DA99B89BB0E38A463A8AE9F357D9D9F66652
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...h.$[.........." .....4...................................................p............`.........................................P................P.......0..p............`......................................P...p............P...............................text...42.......4.................. ..`.rdata.......P.......8..............@..@.data....?..........................@....pdata..p....0......................@..@.rsrc........P......................@..@.reloc.......`......................@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\TECLA\Updater.dll:Zone.Identifier

Download File

Process:	C:\Windows\System32\loaddll64.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\ProgramData\Table XI\Updater.dll

Download File

Process:	C:\Windows\System32\rundll32.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	132096
Entropy (8bit):	6.076983096514084
Encrypted:	false
SSDEEP:	3072:Jhw2Pja55J8hTGMjctYnc/F5ipfVMFY3lz:Jhwv55WT7ctiiF5cV
MD5:	E08EDC1510052ADC297D6AF47022A70B
SHA1:	F08AF6D4A2F9655BEB8219ACA5711400EFED8670
SHA-256:	915A80ABB43F04FCDFB9BA2CED3B38F3524C050B6C0A36D97F4E7827916248B2
SHA-512:	2B91019E3D96B57362719B9BDDB7B894239977266D23E2C8B9EBBCD93A9BA748491B96A92C1B4FD1876E74A3B7F3DA99B89BB0E38A463A8AE9F357D9D9F66652
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...h.$[.........." .....4...................................................p............`.........................................P................P.......0..p............`......................................P...p............P...............................text...42.......4.................. ..`.rdata.......P.......8..............@..@.data....?..........................@....pdata..p....0......................@..@.rsrc........P......................@..@.reloc.......`......................@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Table XI\Updater.dll:Zone.Identifier

Download File

Process:	C:\Windows\System32\rundll32.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Windows\Tasks\Solid Digital.job

Download File

Process:	C:\Windows\System32\rundll32.exe
File Type:	data
Category:	modified
Size (bytes):	346
Entropy (8bit):	3.544372415139204
Encrypted:	false
SSDEEP:	6:+BAU/82On+SkSJkJAWhAlAtLbhEZ28YW67wlPJDiiXqYEp5t/uy0lHk1:8AUhO+fTWlGb9aWwlxuifXVHs
MD5:	8C4774FD3B7DDF25BD1E3CDC5D5A2FCC
SHA1:	FBC47735D0090447ACD23B826AA740211C223953
SHA-256:	A53231D30208ADDB3EC8797E613381219F1ACBF2D0C3986775EE880029B459BB
SHA-512:	48635FA2E40AC1BA53CF64EF3140DEF584F8DCCAC3D96AD2BDB693590E0690AFFC493E3774B5A5A08E3A6D685086A53C5337BC222A32843F3249E746ECAED53F
Malicious:	false
Preview:	....f.&.a\<N...&..5.F.(.....<... .....\.......... ....................!.C.:.\.W.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.\.r.u.n.d.l.l.3.2...e.x.e...4.".C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.S.o.l.i.d. .D.i.g.i.t.a.l.\.U.p.d.a.t.e.r...d.l.l.".,.S.t.a.r.t. ./.u.......A.L.F.O.N.S.-.P.C.\.a.l.f.o.n.s...................0...............................................

C:\Windows\Tasks\SynergyTop.job

Download File

Process:	C:\Windows\System32\rundll32.exe
File Type:	data
Category:	modified
Size (bytes):	340
Entropy (8bit):	3.5589303495068174
Encrypted:	false
SSDEEP:	6:kkS5/82On+SkSJkJAWhAlAtmbhEZ29TJDiiXqYEp5t/uy0lHk1:65hO+fTWlrb99NuifXVHs
MD5:	714EFBAB09E986549E25C7D8D32E1908
SHA1:	54308206560A9CE35689C417B8292C21ABCE2C45
SHA-256:	F534FC75696628A37219B9580D120853C467B6D98FB4C33E0D821893C15CEC78
SHA-512:	E6A9BA242016AE0AE9FA53BAB9477B76417702826276607D0FE4DC722EC6499B2C154CE348CFB3CA4CBE055DAD63DA9FFF20E746E00D23BC3EF7CB1E859C5A0D
Malicious:	false
Preview:	......[...}O.$%..d}$F.".....<... .....\.......... ....................!.C.:.\.W.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.\.r.u.n.d.l.l.3.2...e.x.e...1.".C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.S.y.n.e.r.g.y.T.o.p.\.U.p.d.a.t.e.r...d.l.l.".,.S.t.a.r.t. ./.u.......A.L.F.O.N.S.-.P.C.\.a.l.f.o.n.s...................0...............................................

C:\Windows\Tasks\TECLA.job

Download File

Process:	C:\Windows\System32\loaddll64.exe
File Type:	data
Category:	modified
Size (bytes):	330
Entropy (8bit):	3.580204928991352
Encrypted:	false
SSDEEP:	6:1aKY8Do/82On+SkSJkJAWhAlAtIlubhEZ7dJDiiXqYEp5t/uy0lHk1:3YgohO+fTWldlubCuifXVHs
MD5:	66AD4E4D5B613C25E3165B6253CF1385
SHA1:	19E4FE9E9BE48AD5DA9B9BDC89DDEDB643A88015
SHA-256:	947A29E2E7C628E49634C3E629207EC78832FD3C86D49A70819B52D8BE045B75
SHA-512:	4A932CEFD5D23BD8A1077D5ECBF14A8DBC64BC0E99320E3CC015CFD45EAA33706B501F5E65D4164A9042170F90E525107FF3A3CD790B1FFA1A7BDFAA5C758F5C
Malicious:	false
Preview:	.......#i..@....;...F.......<... .....\.......... ....................!.C.:.\.W.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.\.r.u.n.d.l.l.3.2...e.x.e...,.".C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.T.E.C.L.A.\.U.p.d.a.t.e.r...d.l.l.".,.S.t.a.r.t. ./.u.......A.L.F.O.N.S.-.P.C.\.a.l.f.o.n.s...................0...............................................

C:\Windows\Tasks\Table XI.job

Download File

Process:	C:\Windows\System32\rundll32.exe
File Type:	data
Category:	modified
Size (bytes):	336
Entropy (8bit):	3.589826461520751
Encrypted:	false
SSDEEP:	6:R6M/82On+SkSJkJAWhAlAtom0bhEZxksJDiiXqYEp5t/uy0lHk1:/hO+fTWlu0bbmuifXVHs
MD5:	6AEF159ED5F03C8812445A2B7F1556A5
SHA1:	32C78E4EDFA07F9E4C8CD7E634743D74EBBDA66B
SHA-256:	2EA954AC723C9B058E4005FFB56F07DBA3E4ABDA135875D4D3D3AB960AFCCD18
SHA-512:	8DAFFCEC6DB3D068BFE9EC87ACB68AEE5D76BBD7D9CF8D01404B47040661045006C84482CD159AAFCAD06F4151941ED1C661F44BFBECD69F4FD71E49B7C84820
Malicious:	false
Preview:	.........0B.z.G....F.......<... .....\.......... ....................!.C.:.\.W.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.\.r.u.n.d.l.l.3.2...e.x.e.../.".C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.T.a.b.l.e. .X.I.\.U.p.d.a.t.e.r...d.l.l.".,.S.t.a.r.t. ./.u.......A.L.F.O.N.S.-.P.C.\.a.l.f.o.n.s...................0...............................................

Static File Info

General

File type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Entropy (8bit):	6.076983096514084
TrID:	Win64 Dynamic Link Library (generic) (102004/3) 86.43% Win64 Executable (generic) (12005/4) 10.17% Generic Win/DOS Executable (2004/3) 1.70% DOS Executable Generic (2002/1) 1.70% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
File name:	Updater.dll.dll
File size:	132'096 bytes
MD5:	e08edc1510052adc297d6af47022a70b
SHA1:	f08af6d4a2f9655beb8219aca5711400efed8670
SHA256:	915a80abb43f04fcdfb9ba2ced3b38f3524c050b6c0a36d97f4e7827916248b2
SHA512:	2b91019e3d96b57362719b9bddb7b894239977266d23e2c8b9ebbcd93a9ba748491b96a92c1b4fd1876e74a3b7f3da99b89bb0e38a463a8ae9f357d9d9f66652
SSDEEP:	3072:Jhw2Pja55J8hTGMjctYnc/F5ipfVMFY3lz:Jhwv55WT7ctiiF5cV
TLSH:	B3D3498B33A150FBD827963AC8A35906E3B6340607B09BDF5B64454A5F373D1AE39B31
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...h.$[.........." .....4...................................................p............`................................

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x180008abc
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x180000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DLL
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x5B248368 [Sat Jun 16 03:26:32 2018 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	13a0a4f8e18482fece5db74f0e485dc8

Entrypoint Preview

Instruction
dec eax
mov dword ptr [esp+08h], ebx
dec eax
mov dword ptr [esp+10h], esi
push edi
dec eax
sub esp, 20h
dec ecx
mov edi, eax
mov ebx, edx
dec eax
mov esi, ecx
cmp edx, 01h
jne 00007F0E248D0287h
call 00007F0E248D3550h
dec esp
mov eax, edi
mov edx, ebx
dec eax
mov ecx, esi
dec eax
mov ebx, dword ptr [esp+30h]
dec eax
mov esi, dword ptr [esp+38h]
dec eax
add esp, 20h
pop edi
jmp 00007F0E248D0288h
int3
int3
int3
dec eax
mov eax, esp
dec eax
mov dword ptr [eax+20h], ebx
dec esp
mov dword ptr [eax+18h], eax
mov dword ptr [eax+10h], edx
dec eax
mov dword ptr [eax+08h], ecx
push esi
push edi
inc ecx
push esi
dec eax
sub esp, 50h
dec ecx
mov esi, eax
mov ebx, edx
dec esp
mov esi, ecx
mov edx, 00000001h
mov dword ptr [eax-48h], edx
test ebx, ebx
jne 00007F0E248D0291h
cmp dword ptr [000180C0h], ebx
jne 00007F0E248D0289h
xor eax, eax
jmp 00007F0E248D0357h
lea eax, dword ptr [ebx-01h]
cmp eax, 01h
jnbe 00007F0E248D02BAh
dec eax
mov eax, dword ptr [0000E8E0h]
dec eax
test eax, eax
je 00007F0E248D028Ch
mov edx, ebx
call eax
mov edx, eax
mov dword ptr [esp+20h], eax
test edx, edx
je 00007F0E248D0299h
dec esp
mov eax, esi
mov edx, ebx
dec ecx
mov ecx, esi
call 00007F0E248D0079h
mov edx, eax
mov dword ptr [esp+20h], eax
test eax, eax
jne 00007F0E248D0289h
xor eax, eax
jmp 00007F0E248D0317h
dec esp
mov eax, esi
mov edx, ebx
dec ecx
mov ecx, esi
call 00007F0E248D91CFh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x1da50	0xb8	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1db08	0x8c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x25000	0x1e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x23000	0x1170	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x26000	0x5c0	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x1c550	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x15000	0x390	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x13234	0x13400	862093ad77e963afd99b61075ed339cc	False	0.5498046875	data	6.375620691199119	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x15000	0x96b8	0x9800	0ae1de3882fc516473a41ceef8f482fa	False	0.4322317023026316	DIY-Thermocam raw data (Lepton 2.x), scale 20079-30309, spot sensor temperature 4543427629910840780059159035904.000000, unit celsius, color scheme 0, calibration: offset 512.000000, slope 4437014241515289928777334784.000000	5.00357346652478	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x1f000	0x3fb8	0x1a00	c6d39839124a24a3674181e3f7604ffe	False	0.2917668269230769	data	3.365447881038233	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x23000	0x1170	0x1200	21cc64f597d7a7a7591094f0cd1471d5	False	0.466796875	data	4.955152847884263	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x25000	0x1e0	0x200	399816b231dc16da0611f2508f87678f	False	0.52734375	data	4.715442022345726	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x26000	0x5c0	0x600	01f533fcce3c005ecfaf87ad049dbea2	False	0.66796875	data	5.343193155137574	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x25060	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL	Import
KERNEL32.dll	CreateThread, GetLastError, SetLastError, ExpandEnvironmentStringsW, SetCurrentDirectoryW, GetCurrentDirectoryW, CreateFileW, DeleteFileW, GetFileAttributesW, GetVolumeInformationW, ReadFile, RemoveDirectoryW, SetFilePointer, WriteFile, SetHandleInformation, CreatePipe, PeekNamedPipe, WaitForSingleObject, Sleep, OpenMutexW, TerminateProcess, CreateProcessW, GlobalMemoryStatusEx, GetTickCount, GetComputerNameExW, GetModuleFileNameW, GetComputerNameW, MultiByteToWideChar, WideCharToMultiByte, HeapAlloc, HeapReAlloc, HeapFree, GetProcessHeap, GetTempFileNameW, GetTempPathW, GetSystemDirectoryW, LocalFree, CloseHandle, LoadLibraryW, GetProcAddress, GetModuleHandleW, CreateMutexW, GetSystemInfo, HeapSize, OutputDebugStringW, WriteConsoleW, SetStdHandle, LoadLibraryExW, LCMapStringW, FlushFileBuffers, GetStringTypeW, GetCommandLineA, GetCurrentThreadId, IsDebuggerPresent, EncodePointer, DecodePointer, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, ExitProcess, GetModuleHandleExW, GetStdHandle, GetFileType, DeleteCriticalSection, GetStartupInfoW, GetModuleFileNameA, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, GetEnvironmentStringsW, FreeEnvironmentStringsW, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, InitializeCriticalSectionAndSpinCount, GetCurrentProcess, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, RtlUnwindEx, EnterCriticalSection, LeaveCriticalSection, GetConsoleCP, GetConsoleMode, SetFilePointerEx
ADVAPI32.dll	RegQueryValueExW, RegOpenKeyExW, RegEnumKeyExW, RegCloseKey, GetUserNameW
SHELL32.dll	SHGetFolderPathW
ole32.dll	CoTaskMemFree, CoCreateInstance, CoUninitialize, CoInitializeEx
OLEAUT32.dll	SysAllocString, SysFreeString, VariantInit, VariantClear
WS2_32.dll	WSAStartup, gethostbyname, inet_ntoa, gethostname

Exports

Name	Ordinal	Address
DllGetClassObject	1	0x180001a70
DllRegisterServer	2	0x180001b50
DllRegisterServerEx	3	0x180001b90
DllUnregisterServer	4	0x180001bd0
Start	5	0x180001c10

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-24T17:27:00.861349+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49704	185.161.251.26	443	TCP
2024-10-24T17:27:01.900634+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49705	185.161.251.26	443	TCP
2024-10-24T17:27:02.900351+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49706	185.161.251.26	443	TCP
2024-10-24T17:27:03.873192+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49707	185.161.251.26	443	TCP
2024-10-24T17:27:04.841551+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49708	185.161.251.26	443	TCP
2024-10-24T17:27:05.829499+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49709	185.161.251.26	443	TCP
2024-10-24T17:27:06.822449+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49710	185.161.251.26	443	TCP
2024-10-24T17:27:07.825290+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49711	185.161.251.26	443	TCP
2024-10-24T17:27:08.827643+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49712	185.161.251.26	443	TCP
2024-10-24T17:27:09.826275+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49713	185.161.251.26	443	TCP
2024-10-24T17:27:10.829765+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49714	185.161.251.26	443	TCP
2024-10-24T17:27:11.831002+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49715	185.161.251.26	443	TCP
2024-10-24T17:27:12.850682+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49716	185.161.251.26	443	TCP
2024-10-24T17:27:13.863347+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49718	185.161.251.26	443	TCP
2024-10-24T17:27:14.861306+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49721	185.161.251.26	443	TCP
2024-10-24T17:27:15.829243+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49724	185.161.251.26	443	TCP
2024-10-24T17:27:16.828726+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49726	185.161.251.26	443	TCP
2024-10-24T17:27:17.829438+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49733	185.161.251.26	443	TCP
2024-10-24T17:27:18.817250+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49739	185.161.251.26	443	TCP
2024-10-24T17:27:19.768396+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49745	185.161.251.26	443	TCP
2024-10-24T17:27:20.750118+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49751	185.161.251.26	443	TCP
2024-10-24T17:27:21.719283+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49756	185.161.251.26	443	TCP
2024-10-24T17:27:22.701406+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49761	185.161.251.26	443	TCP
2024-10-24T17:27:23.673765+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49766	185.161.251.26	443	TCP
2024-10-24T17:27:24.944793+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49771	185.161.251.26	443	TCP
2024-10-24T17:27:25.928245+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49779	185.161.251.26	443	TCP
2024-10-24T17:27:27.083616+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49785	185.161.251.26	443	TCP
2024-10-24T17:27:28.062256+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49790	185.161.251.26	443	TCP
2024-10-24T17:27:29.064948+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49795	185.161.251.26	443	TCP
2024-10-24T17:27:30.069419+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49800	185.161.251.26	443	TCP
2024-10-24T17:27:31.059172+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49805	185.161.251.26	443	TCP
2024-10-24T17:27:32.013380+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49810	185.161.251.26	443	TCP
2024-10-24T17:27:32.970572+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49815	185.161.251.26	443	TCP
2024-10-24T17:27:33.946371+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49820	185.161.251.26	443	TCP
2024-10-24T17:27:34.915373+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49825	185.161.251.26	443	TCP
2024-10-24T17:27:36.160278+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49830	185.161.251.26	443	TCP
2024-10-24T17:27:37.378292+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49834	185.161.251.26	443	TCP
2024-10-24T17:27:38.342698+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49838	185.161.251.26	443	TCP
2024-10-24T17:27:39.679597+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49844	185.161.251.26	443	TCP
2024-10-24T17:27:40.658709+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49851	185.161.251.26	443	TCP
2024-10-24T17:27:41.636982+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49857	185.161.251.26	443	TCP
2024-10-24T17:27:42.608233+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49863	185.161.251.26	443	TCP
2024-10-24T17:27:43.591860+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49868	185.161.251.26	443	TCP
2024-10-24T17:27:44.544412+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49874	185.161.251.26	443	TCP
2024-10-24T17:27:45.546861+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49879	185.161.251.26	443	TCP
2024-10-24T17:27:46.512774+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49884	185.161.251.26	443	TCP
2024-10-24T17:27:48.131213+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49889	185.161.251.26	443	TCP
2024-10-24T17:27:49.102130+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49894	185.161.251.26	443	TCP
2024-10-24T17:27:50.087441+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49899	185.161.251.26	443	TCP
2024-10-24T17:27:51.074039+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49905	185.161.251.26	443	TCP
2024-10-24T17:27:52.040544+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49909	185.161.251.26	443	TCP
2024-10-24T17:27:53.005344+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49913	185.161.251.26	443	TCP
2024-10-24T17:27:53.999882+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49919	185.161.251.26	443	TCP
2024-10-24T17:27:54.976911+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49923	185.161.251.26	443	TCP
2024-10-24T17:27:55.974403+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49926	185.161.251.26	443	TCP
2024-10-24T17:27:56.950050+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49929	185.161.251.26	443	TCP
2024-10-24T17:27:57.924460+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49932	185.161.251.26	443	TCP
2024-10-24T17:27:58.929433+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49935	185.161.251.26	443	TCP
2024-10-24T17:27:59.921916+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49938	185.161.251.26	443	TCP
2024-10-24T17:28:00.983547+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49941	185.161.251.26	443	TCP
2024-10-24T17:28:01.925848+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49944	185.161.251.26	443	TCP
2024-10-24T17:28:02.886536+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49947	185.161.251.26	443	TCP
2024-10-24T17:28:04.200011+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49951	185.161.251.26	443	TCP
2024-10-24T17:28:05.164033+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49956	185.161.251.26	443	TCP
2024-10-24T17:28:06.129457+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49960	185.161.251.26	443	TCP
2024-10-24T17:28:07.090507+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49964	185.161.251.26	443	TCP
2024-10-24T17:28:08.073367+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49968	185.161.251.26	443	TCP
2024-10-24T17:28:09.043718+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49972	185.161.251.26	443	TCP
2024-10-24T17:28:10.012095+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49976	185.161.251.26	443	TCP
2024-10-24T17:28:10.981519+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49980	185.161.251.26	443	TCP
2024-10-24T17:28:11.936657+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49984	185.161.251.26	443	TCP
2024-10-24T17:28:12.889445+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49988	185.161.251.26	443	TCP
2024-10-24T17:28:13.854086+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49993	185.161.251.26	443	TCP
2024-10-24T17:28:14.799401+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	49998	185.161.251.26	443	TCP
2024-10-24T17:28:15.764197+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	50003	185.161.251.26	443	TCP
2024-10-24T17:28:16.754223+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	50008	185.161.251.26	443	TCP
2024-10-24T17:28:17.722313+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	50015	185.161.251.26	443	TCP
2024-10-24T17:28:18.693922+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	50022	185.161.251.26	443	TCP
2024-10-24T17:28:19.659632+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	50028	185.161.251.26	443	TCP
2024-10-24T17:28:20.649119+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	50034	185.161.251.26	443	TCP
2024-10-24T17:28:21.639473+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	50039	185.161.251.26	443	TCP
2024-10-24T17:28:22.599953+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	50044	185.161.251.26	443	TCP
2024-10-24T17:28:23.563284+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	50049	185.161.251.26	443	TCP
2024-10-24T17:28:24.544331+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	50056	185.161.251.26	443	TCP
2024-10-24T17:28:25.502862+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	50060	185.161.251.26	443	TCP
2024-10-24T17:28:27.484891+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	50061	185.161.251.26	443	TCP
2024-10-24T17:28:28.466699+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	50062	185.161.251.26	443	TCP
2024-10-24T17:28:29.436992+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	50063	185.161.251.26	443	TCP
2024-10-24T17:28:30.546879+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	50064	185.161.251.26	443	TCP
2024-10-24T17:28:31.511439+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	50065	185.161.251.26	443	TCP
2024-10-24T17:28:32.482891+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	50066	185.161.251.26	443	TCP
2024-10-24T17:28:33.445772+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	50067	185.161.251.26	443	TCP
2024-10-24T17:28:34.431245+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	50068	185.161.251.26	443	TCP
2024-10-24T17:28:35.397692+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	50069	185.161.251.26	443	TCP
2024-10-24T17:28:36.372111+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	50070	185.161.251.26	443	TCP
2024-10-24T17:28:37.336552+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	50071	185.161.251.26	443	TCP
2024-10-24T17:28:38.307573+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	50072	185.161.251.26	443	TCP
2024-10-24T17:28:39.271400+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	50073	185.161.251.26	443	TCP
2024-10-24T17:28:40.435080+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	50074	185.161.251.26	443	TCP
2024-10-24T17:28:41.409329+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	50075	185.161.251.26	443	TCP
2024-10-24T17:28:42.391225+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	50076	185.161.251.26	443	TCP
2024-10-24T17:28:43.358360+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	50077	185.161.251.26	443	TCP
2024-10-24T17:28:44.341048+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	50078	185.161.251.26	443	TCP
2024-10-24T17:28:45.433447+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	50079	185.161.251.26	443	TCP
2024-10-24T17:28:46.400228+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	50080	185.161.251.26	443	TCP
2024-10-24T17:28:47.635714+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	50081	185.161.251.26	443	TCP
2024-10-24T17:28:48.603339+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	50082	185.161.251.26	443	TCP
2024-10-24T17:28:49.665853+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	50083	185.161.251.26	443	TCP
2024-10-24T17:28:50.622828+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	50084	185.161.251.26	443	TCP
2024-10-24T17:28:51.584433+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	50085	185.161.251.26	443	TCP
2024-10-24T17:28:52.681010+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	50086	185.161.251.26	443	TCP
2024-10-24T17:28:53.665534+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	50087	185.161.251.26	443	TCP
2024-10-24T17:28:54.625132+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	50088	185.161.251.26	443	TCP
2024-10-24T17:28:55.608899+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	50089	185.161.251.26	443	TCP
2024-10-24T17:28:56.577636+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	50090	185.161.251.26	443	TCP
2024-10-24T17:28:57.550356+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	50091	185.161.251.26	443	TCP
2024-10-24T17:28:58.516836+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	50092	185.161.251.26	443	TCP
2024-10-24T17:28:59.492384+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	50093	185.161.251.26	443	TCP
2024-10-24T17:29:00.483191+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	50094	185.161.251.26	443	TCP
2024-10-24T17:29:01.431715+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	50095	185.161.251.26	443	TCP
2024-10-24T17:29:02.404552+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.5	50096	185.161.251.26	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 24, 2024 17:26:59.936995983 CEST	49704	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:26:59.937031031 CEST	443	49704	185.161.251.26	192.168.2.5
Oct 24, 2024 17:26:59.937109947 CEST	49704	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:00.000051975 CEST	49704	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:00.000071049 CEST	443	49704	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:00.861252069 CEST	443	49704	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:00.861349106 CEST	49704	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:00.908041000 CEST	49704	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:00.908206940 CEST	443	49704	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:00.908268929 CEST	49704	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:01.041013002 CEST	49705	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:01.041121006 CEST	443	49705	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:01.041234016 CEST	49705	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:01.041498899 CEST	49705	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:01.041527033 CEST	443	49705	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:01.900542974 CEST	443	49705	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:01.900634050 CEST	49705	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:01.932588100 CEST	49705	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:01.932651043 CEST	443	49705	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:01.932713985 CEST	49705	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:02.041127920 CEST	49706	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:02.041173935 CEST	443	49706	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:02.041265965 CEST	49706	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:02.041599035 CEST	49706	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:02.041613102 CEST	443	49706	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:02.900249004 CEST	443	49706	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:02.900351048 CEST	49706	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:02.915836096 CEST	49706	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:02.915878057 CEST	443	49706	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:02.915945053 CEST	49706	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:03.025580883 CEST	49707	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:03.025666952 CEST	443	49707	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:03.025775909 CEST	49707	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:03.026010990 CEST	49707	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:03.026043892 CEST	443	49707	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:03.873099089 CEST	443	49707	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:03.873192072 CEST	49707	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:03.876092911 CEST	49707	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:03.876147032 CEST	443	49707	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:03.876218081 CEST	49707	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:03.994283915 CEST	49708	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:03.994379997 CEST	443	49708	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:03.994487047 CEST	49708	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:03.994745970 CEST	49708	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:03.994785070 CEST	443	49708	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:04.841428995 CEST	443	49708	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:04.841551065 CEST	49708	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:04.844921112 CEST	49708	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:04.844996929 CEST	443	49708	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:04.845072985 CEST	49708	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:04.978738070 CEST	49709	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:04.978775024 CEST	443	49709	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:04.978918076 CEST	49709	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:04.979180098 CEST	49709	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:04.979193926 CEST	443	49709	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:05.829266071 CEST	443	49709	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:05.829499006 CEST	49709	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:05.832859993 CEST	49709	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:05.832901001 CEST	443	49709	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:05.833008051 CEST	49709	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:05.962974072 CEST	49710	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:05.963063002 CEST	443	49710	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:05.963304043 CEST	49710	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:05.963639021 CEST	49710	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:05.963676929 CEST	443	49710	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:06.822335005 CEST	443	49710	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:06.822448969 CEST	49710	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:06.824805975 CEST	49710	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:06.824908972 CEST	443	49710	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:06.824978113 CEST	49710	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:06.947287083 CEST	49711	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:06.947339058 CEST	443	49711	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:06.947426081 CEST	49711	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:06.947665930 CEST	49711	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:06.947674990 CEST	443	49711	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:07.825211048 CEST	443	49711	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:07.825289965 CEST	49711	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:07.827622890 CEST	49711	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:07.827699900 CEST	443	49711	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:07.827775955 CEST	49711	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:07.947788000 CEST	49712	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:07.947875977 CEST	443	49712	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:07.948364019 CEST	49712	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:07.948501110 CEST	49712	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:07.948519945 CEST	443	49712	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:08.827491999 CEST	443	49712	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:08.827642918 CEST	49712	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:08.834209919 CEST	49712	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:08.834383011 CEST	443	49712	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:08.834464073 CEST	49712	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:08.963150978 CEST	49713	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:08.963185072 CEST	443	49713	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:08.963294983 CEST	49713	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:08.963572979 CEST	49713	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:08.963588953 CEST	443	49713	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:09.826205969 CEST	443	49713	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:09.826275110 CEST	49713	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:09.829184055 CEST	49713	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:09.829231024 CEST	443	49713	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:09.829294920 CEST	49713	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:09.947367907 CEST	49714	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:09.947473049 CEST	443	49714	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:09.947664976 CEST	49714	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:09.947985888 CEST	49714	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:09.948021889 CEST	443	49714	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:10.829469919 CEST	443	49714	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:10.829765081 CEST	49714	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:10.832384109 CEST	49714	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:10.832448959 CEST	443	49714	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:10.832516909 CEST	49714	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:10.956830978 CEST	49715	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:10.956881046 CEST	443	49715	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:10.956959009 CEST	49715	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:10.957396030 CEST	49715	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:10.957413912 CEST	443	49715	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:11.830914021 CEST	443	49715	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:11.831001997 CEST	49715	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:11.833655119 CEST	49715	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:11.833714008 CEST	443	49715	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:11.833775043 CEST	49715	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:11.947597027 CEST	49716	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:11.947659016 CEST	443	49716	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:11.947763920 CEST	49716	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:11.948050976 CEST	49716	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:11.948071003 CEST	443	49716	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:12.850575924 CEST	443	49716	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:12.850682020 CEST	49716	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:12.853082895 CEST	49716	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:12.853130102 CEST	443	49716	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:12.853197098 CEST	49716	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:12.982309103 CEST	49718	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:12.982355118 CEST	443	49718	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:12.982462883 CEST	49718	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:12.982862949 CEST	49718	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:12.982880116 CEST	443	49718	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:13.863260984 CEST	443	49718	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:13.863347054 CEST	49718	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:13.866568089 CEST	49718	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:13.866803885 CEST	443	49718	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:13.866851091 CEST	49718	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:13.994297028 CEST	49721	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:13.994384050 CEST	443	49721	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:13.994534016 CEST	49721	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:13.994878054 CEST	49721	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:13.994908094 CEST	443	49721	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:14.861119986 CEST	443	49721	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:14.861305952 CEST	49721	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:14.863519907 CEST	49721	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:14.863580942 CEST	443	49721	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:14.863713026 CEST	443	49721	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:14.863775969 CEST	49721	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:14.981244087 CEST	49724	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:14.981297016 CEST	443	49724	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:14.981513023 CEST	49724	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:14.981894016 CEST	49724	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:14.981914043 CEST	443	49724	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:15.829148054 CEST	443	49724	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:15.829242945 CEST	49724	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:15.832410097 CEST	49724	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:15.832458019 CEST	443	49724	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:15.832596064 CEST	443	49724	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:15.832659960 CEST	49724	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:15.832679033 CEST	49724	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:15.979490995 CEST	49726	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:15.979543924 CEST	443	49726	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:15.979724884 CEST	49726	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:15.979983091 CEST	49726	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:15.980000019 CEST	443	49726	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:16.828639030 CEST	443	49726	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:16.828726053 CEST	49726	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:16.838490009 CEST	49726	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:16.838555098 CEST	443	49726	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:16.838613033 CEST	49726	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:16.963419914 CEST	49733	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:16.963463068 CEST	443	49733	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:16.963529110 CEST	49733	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:16.964006901 CEST	49733	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:16.964025974 CEST	443	49733	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:17.829354048 CEST	443	49733	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:17.829437971 CEST	49733	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:17.836741924 CEST	49733	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:17.836815119 CEST	443	49733	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:17.836975098 CEST	443	49733	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:17.837143898 CEST	49733	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:17.837143898 CEST	49733	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:17.947531939 CEST	49739	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:17.947586060 CEST	443	49739	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:17.947689056 CEST	49739	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:17.948004007 CEST	49739	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:17.948016882 CEST	443	49739	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:18.817177057 CEST	443	49739	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:18.817250013 CEST	49739	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:18.820084095 CEST	49739	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:18.820116043 CEST	443	49739	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:18.820221901 CEST	443	49739	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:18.820271969 CEST	49739	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:18.820286036 CEST	49739	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:18.931996107 CEST	49745	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:18.932049990 CEST	443	49745	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:18.932131052 CEST	49745	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:18.932426929 CEST	49745	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:18.932450056 CEST	443	49745	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:19.768215895 CEST	443	49745	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:19.768395901 CEST	49745	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:19.771970034 CEST	49745	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:19.772012949 CEST	443	49745	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:19.772083044 CEST	49745	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:19.885013103 CEST	49751	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:19.885059118 CEST	443	49751	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:19.885126114 CEST	49751	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:19.885381937 CEST	49751	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:19.885395050 CEST	443	49751	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:20.749980927 CEST	443	49751	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:20.750118017 CEST	49751	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:20.753554106 CEST	49751	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:20.753597975 CEST	443	49751	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:20.753676891 CEST	49751	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:20.869618893 CEST	49756	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:20.869713068 CEST	443	49756	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:20.869805098 CEST	49756	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:20.870135069 CEST	49756	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:20.870160103 CEST	443	49756	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:21.719218016 CEST	443	49756	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:21.719283104 CEST	49756	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:21.722950935 CEST	49756	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:21.723002911 CEST	443	49756	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:21.723057985 CEST	49756	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:21.841217995 CEST	49761	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:21.841344118 CEST	443	49761	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:21.841525078 CEST	49761	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:21.841808081 CEST	49761	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:21.841840982 CEST	443	49761	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:22.701313019 CEST	443	49761	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:22.701406002 CEST	49761	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:22.705187082 CEST	49761	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:22.705241919 CEST	443	49761	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:22.705301046 CEST	49761	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:22.822536945 CEST	49766	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:22.822585106 CEST	443	49766	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:22.822725058 CEST	49766	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:22.823084116 CEST	49766	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:22.823100090 CEST	443	49766	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:23.673656940 CEST	443	49766	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:23.673764944 CEST	49766	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:23.677047014 CEST	49766	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:23.677145958 CEST	443	49766	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:23.677222967 CEST	49766	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:23.791373014 CEST	49771	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:23.791465044 CEST	443	49771	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:23.791749001 CEST	49771	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:23.792152882 CEST	49771	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:23.792190075 CEST	443	49771	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:24.944586039 CEST	443	49771	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:24.944792986 CEST	49771	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:24.947616100 CEST	49771	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:24.947719097 CEST	443	49771	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:24.947799921 CEST	49771	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:25.072495937 CEST	49779	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:25.072578907 CEST	443	49779	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:25.072736979 CEST	49779	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:25.072952032 CEST	49779	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:25.072983027 CEST	443	49779	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:25.928132057 CEST	443	49779	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:25.928245068 CEST	49779	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:26.049274921 CEST	49779	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:26.049346924 CEST	443	49779	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:26.049403906 CEST	49779	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:26.244685888 CEST	49785	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:26.244715929 CEST	443	49785	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:26.244777918 CEST	49785	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:26.245162010 CEST	49785	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:26.245177031 CEST	443	49785	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:27.083529949 CEST	443	49785	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:27.083616018 CEST	49785	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:27.086215019 CEST	49785	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:27.086249113 CEST	443	49785	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:27.086293936 CEST	49785	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:27.213330984 CEST	49790	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:27.213383913 CEST	443	49790	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:27.213479996 CEST	49790	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:27.213768005 CEST	49790	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:27.213782072 CEST	443	49790	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:28.062115908 CEST	443	49790	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:28.062256098 CEST	49790	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:28.068905115 CEST	49790	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:28.068952084 CEST	443	49790	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:28.069010973 CEST	49790	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:28.181979895 CEST	49795	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:28.182039022 CEST	443	49795	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:28.182183981 CEST	49795	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:28.182543993 CEST	49795	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:28.182564020 CEST	443	49795	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:29.064812899 CEST	443	49795	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:29.064948082 CEST	49795	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:29.067516088 CEST	49795	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:29.067564011 CEST	443	49795	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:29.067641973 CEST	49795	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:29.181972027 CEST	49800	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:29.182024002 CEST	443	49800	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:29.182143927 CEST	49800	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:29.182487011 CEST	49800	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:29.182524920 CEST	443	49800	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:30.069318056 CEST	443	49800	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:30.069418907 CEST	49800	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:30.072009087 CEST	49800	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:30.072057009 CEST	443	49800	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:30.072120905 CEST	49800	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:30.197511911 CEST	49805	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:30.197586060 CEST	443	49805	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:30.197793007 CEST	49805	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:30.198178053 CEST	49805	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:30.198214054 CEST	443	49805	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:31.059076071 CEST	443	49805	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:31.059171915 CEST	49805	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:31.061466932 CEST	49805	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:31.061537027 CEST	443	49805	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:31.061599016 CEST	49805	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:31.166466951 CEST	49810	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:31.166563988 CEST	443	49810	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:31.166662931 CEST	49810	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:31.166939020 CEST	49810	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:31.166968107 CEST	443	49810	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:32.013128996 CEST	443	49810	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:32.013380051 CEST	49810	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:32.015979052 CEST	49810	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:32.016040087 CEST	443	49810	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:32.016099930 CEST	49810	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:32.119751930 CEST	49815	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:32.119797945 CEST	443	49815	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:32.119868994 CEST	49815	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:32.120347977 CEST	49815	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:32.120362043 CEST	443	49815	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:32.970453024 CEST	443	49815	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:32.970571995 CEST	49815	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:32.973066092 CEST	49815	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:32.973118067 CEST	443	49815	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:32.973186970 CEST	49815	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:33.088049889 CEST	49820	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:33.088124037 CEST	443	49820	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:33.088246107 CEST	49820	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:33.088593006 CEST	49820	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:33.088628054 CEST	443	49820	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:33.946255922 CEST	443	49820	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:33.946371078 CEST	49820	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:33.949532032 CEST	49820	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:33.949614048 CEST	443	49820	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:33.949681044 CEST	49820	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:33.949732065 CEST	49820	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:34.056907892 CEST	49825	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:34.056997061 CEST	443	49825	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:34.057091951 CEST	49825	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:34.057390928 CEST	49825	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:34.057426929 CEST	443	49825	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:34.915285110 CEST	443	49825	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:34.915373087 CEST	49825	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:34.917860031 CEST	49825	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:34.917891026 CEST	443	49825	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:34.917934895 CEST	49825	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:35.025609970 CEST	49830	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:35.025655031 CEST	443	49830	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:35.025748968 CEST	49830	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:35.026001930 CEST	49830	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:35.026011944 CEST	443	49830	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:36.160191059 CEST	443	49830	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:36.160278082 CEST	49830	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:36.162719011 CEST	49830	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:36.162760973 CEST	443	49830	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:36.162821054 CEST	49830	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:36.275609016 CEST	49834	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:36.275671005 CEST	443	49834	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:36.275747061 CEST	49834	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:36.275979996 CEST	49834	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:36.275995016 CEST	443	49834	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:37.378213882 CEST	443	49834	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:37.378292084 CEST	49834	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:37.381196022 CEST	49834	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:37.381241083 CEST	443	49834	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:37.381289005 CEST	49834	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:37.494398117 CEST	49838	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:37.494487047 CEST	443	49838	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:37.494577885 CEST	49838	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:37.494771004 CEST	49838	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:37.494788885 CEST	443	49838	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:38.342585087 CEST	443	49838	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:38.342698097 CEST	49838	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:38.345491886 CEST	49838	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:38.345524073 CEST	443	49838	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:38.345592976 CEST	49838	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:38.463068008 CEST	49844	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:38.463104010 CEST	443	49844	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:38.463181019 CEST	49844	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:38.463444948 CEST	49844	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:38.463459015 CEST	443	49844	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:39.679428101 CEST	443	49844	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:39.679596901 CEST	49844	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:39.683911085 CEST	49844	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:39.683959961 CEST	443	49844	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:39.684015036 CEST	49844	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:39.801713943 CEST	49851	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:39.801748991 CEST	443	49851	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:39.801814079 CEST	49851	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:39.802203894 CEST	49851	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:39.802222967 CEST	443	49851	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:40.658582926 CEST	443	49851	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:40.658709049 CEST	49851	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:40.661247969 CEST	49851	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:40.661295891 CEST	443	49851	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:40.661362886 CEST	49851	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:40.775532961 CEST	49857	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:40.775578022 CEST	443	49857	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:40.775651932 CEST	49857	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:40.775891066 CEST	49857	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:40.775907040 CEST	443	49857	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:41.636840105 CEST	443	49857	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:41.636981964 CEST	49857	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:41.639594078 CEST	49857	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:41.639661074 CEST	443	49857	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:41.639750957 CEST	49857	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:41.760417938 CEST	49863	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:41.760507107 CEST	443	49863	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:41.760750055 CEST	49863	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:41.760991096 CEST	49863	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:41.761037111 CEST	443	49863	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:42.608091116 CEST	443	49863	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:42.608232975 CEST	49863	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:42.610691071 CEST	49863	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:42.610733986 CEST	443	49863	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:42.610794067 CEST	49863	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:42.744182110 CEST	49868	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:42.744213104 CEST	443	49868	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:42.744285107 CEST	49868	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:42.744657040 CEST	49868	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:42.744669914 CEST	443	49868	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:43.591783047 CEST	443	49868	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:43.591860056 CEST	49868	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:43.594453096 CEST	49868	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:43.594496965 CEST	443	49868	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:43.594645023 CEST	443	49868	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:43.594697952 CEST	49868	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:43.594712973 CEST	49868	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:43.697410107 CEST	49874	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:43.697444916 CEST	443	49874	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:43.697527885 CEST	49874	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:43.697792053 CEST	49874	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:43.697818995 CEST	443	49874	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:44.544343948 CEST	443	49874	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:44.544411898 CEST	49874	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:44.546557903 CEST	49874	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:44.546703100 CEST	443	49874	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:44.546771049 CEST	49874	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:44.680449963 CEST	49879	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:44.680516958 CEST	443	49879	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:44.680607080 CEST	49879	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:44.680949926 CEST	49879	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:44.680963993 CEST	443	49879	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:45.546745062 CEST	443	49879	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:45.546860933 CEST	49879	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:45.549036980 CEST	49879	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:45.549092054 CEST	443	49879	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:45.549150944 CEST	49879	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:45.653814077 CEST	49884	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:45.653863907 CEST	443	49884	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:45.653928995 CEST	49884	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:45.654366016 CEST	49884	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:45.654378891 CEST	443	49884	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:46.512654066 CEST	443	49884	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:46.512773991 CEST	49884	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:46.516221046 CEST	49884	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:46.516295910 CEST	443	49884	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:46.516454935 CEST	49884	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:46.635112047 CEST	49889	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:46.635159016 CEST	443	49889	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:46.635250092 CEST	49889	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:46.635627031 CEST	49889	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:46.635649920 CEST	443	49889	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:48.131063938 CEST	443	49889	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:48.131212950 CEST	49889	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:48.136128902 CEST	49889	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:48.136233091 CEST	443	49889	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:48.136301994 CEST	49889	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:48.244867086 CEST	49894	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:48.244988918 CEST	443	49894	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:48.245136976 CEST	49894	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:48.245470047 CEST	49894	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:48.245520115 CEST	443	49894	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:49.101970911 CEST	443	49894	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:49.102129936 CEST	49894	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:49.104746103 CEST	49894	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:49.104790926 CEST	443	49894	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:49.104861021 CEST	49894	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:49.244666100 CEST	49899	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:49.244777918 CEST	443	49899	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:49.247265100 CEST	49899	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:49.247601032 CEST	49899	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:49.247641087 CEST	443	49899	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:50.087203026 CEST	443	49899	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:50.087440968 CEST	49899	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:50.089505911 CEST	49899	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:50.089560986 CEST	443	49899	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:50.089620113 CEST	49899	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:50.197496891 CEST	49905	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:50.197534084 CEST	443	49905	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:50.197638035 CEST	49905	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:50.197869062 CEST	49905	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:50.197881937 CEST	443	49905	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:51.073956013 CEST	443	49905	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:51.074038982 CEST	49905	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:51.076616049 CEST	49905	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:51.076673985 CEST	443	49905	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:51.076731920 CEST	49905	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:51.187000036 CEST	49909	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:51.187047005 CEST	443	49909	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:51.187155962 CEST	49909	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:51.187700987 CEST	49909	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:51.187721014 CEST	443	49909	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:52.040426016 CEST	443	49909	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:52.040544033 CEST	49909	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:52.045212984 CEST	49909	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:52.045264959 CEST	443	49909	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:52.045320034 CEST	49909	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:52.151042938 CEST	49913	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:52.151089907 CEST	443	49913	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:52.151199102 CEST	49913	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:52.151470900 CEST	49913	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:52.151489019 CEST	443	49913	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:53.005131960 CEST	443	49913	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:53.005343914 CEST	49913	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:53.008455992 CEST	49913	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:53.008521080 CEST	443	49913	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:53.008589983 CEST	49913	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:53.135931015 CEST	49919	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:53.135971069 CEST	443	49919	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:53.136038065 CEST	49919	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:53.137084961 CEST	49919	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:53.137096882 CEST	443	49919	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:53.999778032 CEST	443	49919	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:53.999881983 CEST	49919	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:54.003627062 CEST	49919	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:54.003720999 CEST	443	49919	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:54.003802061 CEST	49919	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:54.135160923 CEST	49923	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:54.135201931 CEST	443	49923	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:54.135267019 CEST	49923	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:54.135797977 CEST	49923	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:54.135812044 CEST	443	49923	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:54.976829052 CEST	443	49923	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:54.976911068 CEST	49923	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:54.979387045 CEST	49923	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:54.979465961 CEST	443	49923	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:54.979552031 CEST	49923	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:55.120878935 CEST	49926	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:55.120945930 CEST	443	49926	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:55.121023893 CEST	49926	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:55.121329069 CEST	49926	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:55.121344090 CEST	443	49926	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:55.974117041 CEST	443	49926	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:55.974402905 CEST	49926	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:55.977500916 CEST	49926	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:55.977595091 CEST	443	49926	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:55.977788925 CEST	49926	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:56.104088068 CEST	49929	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:56.104141951 CEST	443	49929	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:56.104232073 CEST	49929	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:56.104532957 CEST	49929	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:56.104547024 CEST	443	49929	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:56.949976921 CEST	443	49929	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:56.950050116 CEST	49929	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:56.954798937 CEST	49929	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:56.954844952 CEST	443	49929	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:56.954895973 CEST	49929	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:57.058403015 CEST	49932	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:57.058454990 CEST	443	49932	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:57.058574915 CEST	49932	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:57.058995962 CEST	49932	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:57.059009075 CEST	443	49932	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:57.924262047 CEST	443	49932	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:57.924459934 CEST	49932	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:57.927370071 CEST	49932	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:57.927484035 CEST	443	49932	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:57.927561998 CEST	49932	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:58.057109118 CEST	49935	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:58.057163954 CEST	443	49935	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:58.057281017 CEST	49935	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:58.057641983 CEST	49935	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:58.057661057 CEST	443	49935	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:58.929337025 CEST	443	49935	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:58.929433107 CEST	49935	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:58.932331085 CEST	49935	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:58.932378054 CEST	443	49935	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:58.932451010 CEST	49935	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:59.072596073 CEST	49938	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:59.072664022 CEST	443	49938	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:59.072813988 CEST	49938	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:59.073096037 CEST	49938	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:27:59.073112011 CEST	443	49938	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:59.921833992 CEST	443	49938	185.161.251.26	192.168.2.5
Oct 24, 2024 17:27:59.921916008 CEST	49938	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:00.009476900 CEST	49938	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:00.009726048 CEST	443	49938	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:00.009824038 CEST	49938	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:00.139055014 CEST	49941	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:00.139107943 CEST	443	49941	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:00.139192104 CEST	49941	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:00.139977932 CEST	49941	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:00.139991045 CEST	443	49941	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:00.983460903 CEST	443	49941	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:00.983546972 CEST	49941	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:00.986352921 CEST	49941	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:00.986394882 CEST	443	49941	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:00.986459017 CEST	49941	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:01.088679075 CEST	49944	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:01.088781118 CEST	443	49944	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:01.088886023 CEST	49944	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:01.089317083 CEST	49944	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:01.089345932 CEST	443	49944	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:01.925652981 CEST	443	49944	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:01.925848007 CEST	49944	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:01.933635950 CEST	49944	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:01.933706045 CEST	443	49944	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:01.933780909 CEST	49944	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:02.041527987 CEST	49947	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:02.041568041 CEST	443	49947	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:02.041646004 CEST	49947	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:02.041883945 CEST	49947	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:02.041896105 CEST	443	49947	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:02.886394024 CEST	443	49947	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:02.886535883 CEST	49947	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:03.237401009 CEST	49947	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:03.237520933 CEST	443	49947	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:03.237596989 CEST	49947	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:03.354090929 CEST	49951	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:03.354185104 CEST	443	49951	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:03.354279041 CEST	49951	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:03.354628086 CEST	49951	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:03.354661942 CEST	443	49951	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:04.199909925 CEST	443	49951	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:04.200011015 CEST	49951	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:04.203068972 CEST	49951	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:04.203128099 CEST	443	49951	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:04.203207016 CEST	49951	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:04.307068110 CEST	49956	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:04.307125092 CEST	443	49956	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:04.307277918 CEST	49956	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:04.307619095 CEST	49956	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:04.307638884 CEST	443	49956	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:05.163953066 CEST	443	49956	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:05.164032936 CEST	49956	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:05.167588949 CEST	49956	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:05.167668104 CEST	443	49956	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:05.167736053 CEST	49956	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:05.278875113 CEST	49960	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:05.278985023 CEST	443	49960	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:05.279093027 CEST	49960	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:05.279476881 CEST	49960	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:05.279515028 CEST	443	49960	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:06.129370928 CEST	443	49960	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:06.129456997 CEST	49960	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:06.133444071 CEST	49960	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:06.133482933 CEST	443	49960	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:06.133609056 CEST	49960	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:06.133675098 CEST	443	49960	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:06.133733988 CEST	49960	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:06.246656895 CEST	49964	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:06.246697903 CEST	443	49964	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:06.246809006 CEST	49964	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:06.247251034 CEST	49964	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:06.247262001 CEST	443	49964	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:07.090395927 CEST	443	49964	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:07.090507030 CEST	49964	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:07.094337940 CEST	49964	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:07.094398022 CEST	443	49964	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:07.094479084 CEST	49964	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:07.199620008 CEST	49968	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:07.199671030 CEST	443	49968	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:07.199803114 CEST	49968	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:07.200155973 CEST	49968	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:07.200172901 CEST	443	49968	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:08.073179960 CEST	443	49968	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:08.073367119 CEST	49968	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:08.079267979 CEST	49968	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:08.079334974 CEST	443	49968	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:08.079442024 CEST	49968	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:08.185794115 CEST	49972	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:08.185838938 CEST	443	49972	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:08.186098099 CEST	49972	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:08.186639071 CEST	49972	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:08.186647892 CEST	443	49972	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:09.043627024 CEST	443	49972	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:09.043718100 CEST	49972	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:09.046799898 CEST	49972	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:09.046824932 CEST	443	49972	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:09.046906948 CEST	49972	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:09.153734922 CEST	49976	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:09.153769970 CEST	443	49976	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:09.153951883 CEST	49976	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:09.154275894 CEST	49976	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:09.154288054 CEST	443	49976	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:10.011914015 CEST	443	49976	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:10.012094975 CEST	49976	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:10.014645100 CEST	49976	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:10.014682055 CEST	443	49976	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:10.014843941 CEST	443	49976	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:10.014940023 CEST	49976	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:10.014940023 CEST	49976	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:10.122714996 CEST	49980	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:10.122756958 CEST	443	49980	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:10.123363018 CEST	49980	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:10.123790979 CEST	49980	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:10.123801947 CEST	443	49980	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:10.981441021 CEST	443	49980	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:10.981518984 CEST	49980	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:10.985712051 CEST	49980	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:10.985754967 CEST	443	49980	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:10.985810041 CEST	49980	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:11.091084957 CEST	49984	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:11.091149092 CEST	443	49984	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:11.091213942 CEST	49984	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:11.091614962 CEST	49984	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:11.091631889 CEST	443	49984	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:11.936512947 CEST	443	49984	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:11.936656952 CEST	49984	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:11.943283081 CEST	49984	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:11.943392992 CEST	443	49984	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:11.943533897 CEST	443	49984	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:11.943710089 CEST	49984	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:11.943710089 CEST	49984	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:12.045778036 CEST	49988	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:12.045830965 CEST	443	49988	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:12.046228886 CEST	49988	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:12.046616077 CEST	49988	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:12.046632051 CEST	443	49988	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:12.889363050 CEST	443	49988	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:12.889445066 CEST	49988	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:12.892621994 CEST	49988	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:12.892664909 CEST	443	49988	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:12.892760038 CEST	443	49988	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:12.892786026 CEST	49988	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:12.892819881 CEST	49988	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:12.997770071 CEST	49993	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:12.997812986 CEST	443	49993	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:12.997884035 CEST	49993	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:12.998208046 CEST	49993	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:12.998215914 CEST	443	49993	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:13.853976011 CEST	443	49993	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:13.854085922 CEST	49993	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:13.856695890 CEST	49993	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:13.856719017 CEST	443	49993	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:13.856806993 CEST	443	49993	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:13.856898069 CEST	49993	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:13.857037067 CEST	49993	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:13.964884043 CEST	49998	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:13.964932919 CEST	443	49998	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:13.965168953 CEST	49998	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:13.965409040 CEST	49998	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:13.965420961 CEST	443	49998	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:14.799277067 CEST	443	49998	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:14.799401045 CEST	49998	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:14.806032896 CEST	49998	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:14.806087971 CEST	443	49998	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:14.806197882 CEST	443	49998	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:14.806288004 CEST	49998	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:14.806288958 CEST	49998	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:14.918580055 CEST	50003	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:14.918646097 CEST	443	50003	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:14.918730974 CEST	50003	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:14.919083118 CEST	50003	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:14.919104099 CEST	443	50003	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:15.764089108 CEST	443	50003	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:15.764197111 CEST	50003	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:15.774379015 CEST	50003	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:15.774476051 CEST	443	50003	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:15.774542093 CEST	50003	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:15.890224934 CEST	50008	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:15.890259027 CEST	443	50008	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:15.890526056 CEST	50008	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:15.890731096 CEST	50008	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:15.890742064 CEST	443	50008	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:16.754087925 CEST	443	50008	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:16.754223108 CEST	50008	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:16.757060051 CEST	50008	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:16.757117987 CEST	443	50008	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:16.757237911 CEST	50008	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:16.874834061 CEST	50015	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:16.874862909 CEST	443	50015	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:16.874984026 CEST	50015	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:16.875318050 CEST	50015	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:16.875328064 CEST	443	50015	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:17.722208977 CEST	443	50015	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:17.722312927 CEST	50015	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:17.724862099 CEST	50015	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:17.724910021 CEST	443	50015	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:17.724982023 CEST	50015	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:17.840085983 CEST	50022	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:17.840136051 CEST	443	50022	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:17.840198994 CEST	50022	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:17.840496063 CEST	50022	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:17.840508938 CEST	443	50022	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:18.693798065 CEST	443	50022	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:18.693922043 CEST	50022	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:18.698308945 CEST	50022	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:18.698355913 CEST	443	50022	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:18.698473930 CEST	443	50022	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:18.698539019 CEST	50022	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:18.698539019 CEST	50022	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:18.809374094 CEST	50028	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:18.809405088 CEST	443	50028	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:18.809497118 CEST	50028	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:18.809784889 CEST	50028	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:18.809796095 CEST	443	50028	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:19.659540892 CEST	443	50028	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:19.659631968 CEST	50028	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:19.662638903 CEST	50028	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:19.662693024 CEST	443	50028	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:19.662751913 CEST	50028	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:19.778331995 CEST	50034	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:19.778403997 CEST	443	50034	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:19.778501987 CEST	50034	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:19.778837919 CEST	50034	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:19.778860092 CEST	443	50034	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:20.649020910 CEST	443	50034	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:20.649118900 CEST	50034	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:20.651931047 CEST	50034	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:20.651973963 CEST	443	50034	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:20.652065039 CEST	443	50034	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:20.652148962 CEST	50034	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:20.652148962 CEST	50034	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:20.763319969 CEST	50039	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:20.763353109 CEST	443	50039	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:20.763500929 CEST	50039	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:20.764206886 CEST	50039	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:20.764218092 CEST	443	50039	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:21.639394045 CEST	443	50039	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:21.639472961 CEST	50039	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:21.642395973 CEST	50039	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:21.642436028 CEST	443	50039	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:21.642489910 CEST	50039	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:21.746259928 CEST	50044	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:21.746289968 CEST	443	50044	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:21.746417046 CEST	50044	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:21.746814013 CEST	50044	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:21.746826887 CEST	443	50044	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:22.599802017 CEST	443	50044	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:22.599952936 CEST	50044	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:22.605611086 CEST	50044	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:22.605647087 CEST	443	50044	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:22.605768919 CEST	443	50044	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:22.605786085 CEST	50044	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:22.605876923 CEST	50044	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:22.716907978 CEST	50049	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:22.716947079 CEST	443	50049	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:22.717060089 CEST	50049	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:22.719310045 CEST	50049	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:22.719320059 CEST	443	50049	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:23.563206911 CEST	443	50049	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:23.563283920 CEST	50049	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:23.565563917 CEST	50049	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:23.565607071 CEST	443	50049	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:23.565674067 CEST	50049	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:23.685306072 CEST	50056	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:23.685331106 CEST	443	50056	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:23.685446978 CEST	50056	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:23.685681105 CEST	50056	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:23.685694933 CEST	443	50056	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:24.544207096 CEST	443	50056	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:24.544331074 CEST	50056	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:24.547616959 CEST	50056	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:24.547669888 CEST	443	50056	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:24.547806025 CEST	443	50056	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:24.547868967 CEST	50056	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:24.547938108 CEST	50056	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:24.652605057 CEST	50060	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:24.652637959 CEST	443	50060	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:24.653141022 CEST	50060	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:24.653244972 CEST	50060	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:24.653254986 CEST	443	50060	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:25.502784967 CEST	443	50060	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:25.502861977 CEST	50060	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:25.506429911 CEST	50060	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:25.506472111 CEST	443	50060	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:25.506529093 CEST	50060	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:25.622016907 CEST	50061	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:25.622055054 CEST	443	50061	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:25.622126102 CEST	50061	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:25.622474909 CEST	50061	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:25.622492075 CEST	443	50061	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:27.484321117 CEST	443	50061	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:27.484890938 CEST	50061	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:27.493433952 CEST	50061	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:27.493520975 CEST	443	50061	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:27.493645906 CEST	50061	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:27.606324911 CEST	50062	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:27.606357098 CEST	443	50062	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:27.606427908 CEST	50062	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:27.606709957 CEST	50062	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:27.606723070 CEST	443	50062	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:28.466455936 CEST	443	50062	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:28.466698885 CEST	50062	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:28.469295979 CEST	50062	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:28.469386101 CEST	443	50062	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:28.469649076 CEST	50062	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:28.574497938 CEST	50063	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:28.574522972 CEST	443	50063	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:28.574752092 CEST	50063	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:28.577351093 CEST	50063	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:28.577363968 CEST	443	50063	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:29.436897039 CEST	443	50063	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:29.436991930 CEST	50063	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:29.484575987 CEST	50063	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:29.484891891 CEST	443	50063	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:29.484958887 CEST	50063	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:29.659523964 CEST	50064	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:29.659558058 CEST	443	50064	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:29.659626007 CEST	50064	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:29.668561935 CEST	50064	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:29.668581009 CEST	443	50064	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:30.546649933 CEST	443	50064	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:30.546879053 CEST	50064	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:30.549427986 CEST	50064	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:30.549520969 CEST	443	50064	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:30.549994946 CEST	443	50064	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:30.550075054 CEST	50064	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:30.550075054 CEST	50064	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:30.654025078 CEST	50065	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:30.654067039 CEST	443	50065	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:30.654205084 CEST	50065	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:30.658180952 CEST	50065	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:30.658196926 CEST	443	50065	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:31.511367083 CEST	443	50065	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:31.511439085 CEST	50065	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:31.515556097 CEST	50065	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:31.515595913 CEST	443	50065	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:31.515640020 CEST	50065	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:31.622410059 CEST	50066	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:31.622436047 CEST	443	50066	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:31.622489929 CEST	50066	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:31.622889042 CEST	50066	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:31.622900009 CEST	443	50066	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:32.482703924 CEST	443	50066	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:32.482891083 CEST	50066	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:32.487360954 CEST	50066	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:32.487405062 CEST	443	50066	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:32.487555981 CEST	443	50066	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:32.487641096 CEST	50066	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:32.487694025 CEST	50066	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:32.591384888 CEST	50067	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:32.591433048 CEST	443	50067	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:32.595413923 CEST	50067	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:32.595978975 CEST	50067	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:32.596000910 CEST	443	50067	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:33.445688009 CEST	443	50067	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:33.445771933 CEST	50067	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:33.449899912 CEST	50067	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:33.449938059 CEST	443	50067	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:33.449987888 CEST	50067	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:33.559870005 CEST	50068	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:33.559895039 CEST	443	50068	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:33.559962988 CEST	50068	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:33.560297966 CEST	50068	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:33.560309887 CEST	443	50068	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:34.431102037 CEST	443	50068	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:34.431245089 CEST	50068	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:34.433945894 CEST	50068	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:34.433978081 CEST	443	50068	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:34.434068918 CEST	443	50068	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:34.434153080 CEST	50068	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:34.434153080 CEST	50068	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:34.543262959 CEST	50069	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:34.543308973 CEST	443	50069	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:34.543441057 CEST	50069	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:34.546082973 CEST	50069	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:34.546101093 CEST	443	50069	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:35.397619009 CEST	443	50069	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:35.397691965 CEST	50069	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:35.401432991 CEST	50069	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:35.401469946 CEST	443	50069	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:35.401524067 CEST	50069	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:35.512886047 CEST	50070	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:35.512922049 CEST	443	50070	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:35.513001919 CEST	50070	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:35.513318062 CEST	50070	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:35.513331890 CEST	443	50070	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:36.372019053 CEST	443	50070	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:36.372111082 CEST	50070	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:36.377774000 CEST	50070	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:36.377810001 CEST	443	50070	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:36.377919912 CEST	50070	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:36.377923965 CEST	443	50070	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:36.378077984 CEST	50070	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:36.480736971 CEST	50071	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:36.480775118 CEST	443	50071	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:36.481884956 CEST	50071	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:36.481982946 CEST	50071	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:36.481992006 CEST	443	50071	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:37.336484909 CEST	443	50071	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:37.336551905 CEST	50071	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:37.340099096 CEST	50071	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:37.340148926 CEST	443	50071	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:37.340198040 CEST	50071	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:37.450166941 CEST	50072	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:37.450232983 CEST	443	50072	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:37.450306892 CEST	50072	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:37.450642109 CEST	50072	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:37.450689077 CEST	443	50072	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:38.307418108 CEST	443	50072	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:38.307573080 CEST	50072	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:38.311362982 CEST	50072	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:38.311410904 CEST	443	50072	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:38.311506033 CEST	443	50072	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:38.311579943 CEST	50072	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:38.311579943 CEST	50072	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:38.418184042 CEST	50073	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:38.418278933 CEST	443	50073	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:38.418723106 CEST	50073	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:38.418723106 CEST	50073	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:38.418809891 CEST	443	50073	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:39.271220922 CEST	443	50073	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:39.271399975 CEST	50073	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:39.274786949 CEST	50073	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:39.274846077 CEST	443	50073	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:39.274916887 CEST	50073	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:39.387490988 CEST	50074	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:39.387604952 CEST	443	50074	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:39.387701035 CEST	50074	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:39.388005018 CEST	50074	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:39.388045073 CEST	443	50074	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:40.434961081 CEST	443	50074	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:40.435080051 CEST	50074	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:40.438061953 CEST	50074	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:40.438127041 CEST	443	50074	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:40.438220978 CEST	443	50074	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:40.438249111 CEST	50074	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:40.438344955 CEST	50074	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:40.543461084 CEST	50075	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:40.543528080 CEST	443	50075	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:40.543709993 CEST	50075	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:40.544177055 CEST	50075	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:40.544217110 CEST	443	50075	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:41.409133911 CEST	443	50075	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:41.409328938 CEST	50075	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:41.413163900 CEST	50075	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:41.413213968 CEST	443	50075	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:41.413322926 CEST	443	50075	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:41.413325071 CEST	50075	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:41.413430929 CEST	50075	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:41.528686047 CEST	50076	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:41.528789043 CEST	443	50076	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:41.529186964 CEST	50076	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:41.529454947 CEST	50076	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:41.529488087 CEST	443	50076	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:42.391124964 CEST	443	50076	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:42.391225100 CEST	50076	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:42.393929005 CEST	50076	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:42.393984079 CEST	443	50076	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:42.394115925 CEST	443	50076	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:42.394200087 CEST	50076	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:42.394200087 CEST	50076	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:42.511796951 CEST	50077	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:42.511888981 CEST	443	50077	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:42.512053967 CEST	50077	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:42.512351036 CEST	50077	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:42.512376070 CEST	443	50077	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:43.358270884 CEST	443	50077	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:43.358360052 CEST	50077	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:43.369766951 CEST	50077	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:43.369822025 CEST	443	50077	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:43.369884014 CEST	50077	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:43.482040882 CEST	50078	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:43.482068062 CEST	443	50078	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:43.482121944 CEST	50078	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:43.482506037 CEST	50078	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:43.482515097 CEST	443	50078	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:44.340917110 CEST	443	50078	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:44.341048002 CEST	50078	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:44.346375942 CEST	50078	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:44.346447945 CEST	443	50078	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:44.346553087 CEST	50078	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:44.574167967 CEST	50079	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:44.574265003 CEST	443	50079	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:44.574378967 CEST	50079	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:44.574750900 CEST	50079	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:44.574779987 CEST	443	50079	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:45.433367968 CEST	443	50079	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:45.433446884 CEST	50079	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:45.437155008 CEST	50079	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:45.437192917 CEST	443	50079	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:45.437246084 CEST	50079	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:45.544058084 CEST	50080	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:45.544096947 CEST	443	50080	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:45.544154882 CEST	50080	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:45.544534922 CEST	50080	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:45.544548035 CEST	443	50080	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:46.399858952 CEST	443	50080	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:46.400228024 CEST	50080	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:46.404059887 CEST	50080	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:46.404093027 CEST	443	50080	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:46.404187918 CEST	443	50080	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:46.404228926 CEST	50080	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:46.404395103 CEST	50080	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:46.515352964 CEST	50081	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:46.515393972 CEST	443	50081	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:46.515508890 CEST	50081	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:46.515773058 CEST	50081	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:46.515788078 CEST	443	50081	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:47.635641098 CEST	443	50081	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:47.635714054 CEST	50081	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:47.639190912 CEST	50081	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:47.639233112 CEST	443	50081	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:47.639281988 CEST	50081	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:47.751482010 CEST	50082	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:47.751533985 CEST	443	50082	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:47.751606941 CEST	50082	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:47.751929045 CEST	50082	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:47.751940966 CEST	443	50082	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:48.602650881 CEST	443	50082	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:48.603338957 CEST	50082	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:48.606044054 CEST	50082	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:48.606086969 CEST	443	50082	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:48.606230021 CEST	443	50082	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:48.606395960 CEST	50082	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:48.610332966 CEST	50082	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:48.793973923 CEST	50083	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:48.794028044 CEST	443	50083	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:48.801323891 CEST	50083	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:48.814012051 CEST	50083	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:48.814028978 CEST	443	50083	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:49.665770054 CEST	443	50083	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:49.665796041 CEST	443	50083	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:49.665853024 CEST	50083	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:49.669058084 CEST	50083	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:49.669096947 CEST	443	50083	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:49.669146061 CEST	50083	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:49.780942917 CEST	50084	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:49.780994892 CEST	443	50084	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:49.781059027 CEST	50084	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:49.781323910 CEST	50084	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:49.781342983 CEST	443	50084	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:50.622706890 CEST	443	50084	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:50.622828007 CEST	50084	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:50.626035929 CEST	50084	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:50.626082897 CEST	443	50084	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:50.626183033 CEST	443	50084	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:50.626306057 CEST	50084	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:50.626306057 CEST	50084	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:50.733963013 CEST	50085	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:50.734019041 CEST	443	50085	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:50.734179974 CEST	50085	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:50.737499952 CEST	50085	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:50.737515926 CEST	443	50085	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:51.584335089 CEST	443	50085	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:51.584433079 CEST	50085	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:51.708587885 CEST	50085	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:51.708642006 CEST	443	50085	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:51.708765984 CEST	50085	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:51.825256109 CEST	50086	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:51.825325966 CEST	443	50086	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:51.825416088 CEST	50086	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:51.825788975 CEST	50086	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:51.825824022 CEST	443	50086	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:52.680793047 CEST	443	50086	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:52.681010008 CEST	50086	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:52.687402010 CEST	50086	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:52.687448978 CEST	443	50086	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:52.687539101 CEST	443	50086	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:52.687683105 CEST	50086	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:52.687683105 CEST	50086	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:52.793118000 CEST	50087	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:52.793169975 CEST	443	50087	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:52.793395996 CEST	50087	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:52.793607950 CEST	50087	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:52.793625116 CEST	443	50087	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:53.665467024 CEST	443	50087	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:53.665534019 CEST	50087	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:53.668976068 CEST	50087	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:53.669014931 CEST	443	50087	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:53.669075012 CEST	50087	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:53.780189991 CEST	50088	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:53.780222893 CEST	443	50088	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:53.780309916 CEST	50088	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:53.780555010 CEST	50088	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:53.780564070 CEST	443	50088	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:54.624875069 CEST	443	50088	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:54.625132084 CEST	50088	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:54.629482985 CEST	50088	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:54.629538059 CEST	443	50088	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:54.629652023 CEST	443	50088	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:54.629968882 CEST	50088	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:54.629968882 CEST	50088	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:54.747338057 CEST	50089	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:54.747432947 CEST	443	50089	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:54.750020027 CEST	50089	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:54.753418922 CEST	50089	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:54.753459930 CEST	443	50089	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:55.608700037 CEST	443	50089	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:55.608899117 CEST	50089	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:55.615825891 CEST	50089	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:55.615884066 CEST	443	50089	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:55.615957022 CEST	50089	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:55.731796026 CEST	50090	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:55.731889963 CEST	443	50090	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:55.731973886 CEST	50090	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:55.732326984 CEST	50090	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:55.732362986 CEST	443	50090	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:56.577491045 CEST	443	50090	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:56.577636003 CEST	50090	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:56.580811977 CEST	50090	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:56.580863953 CEST	443	50090	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:56.580951929 CEST	443	50090	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:56.581041098 CEST	50090	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:56.581041098 CEST	50090	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:56.683427095 CEST	50091	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:56.683527946 CEST	443	50091	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:56.687516928 CEST	50091	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:56.688685894 CEST	50091	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:56.688724995 CEST	443	50091	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:57.550271034 CEST	443	50091	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:57.550355911 CEST	50091	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:57.553833008 CEST	50091	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:57.553884029 CEST	443	50091	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:57.553942919 CEST	50091	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:57.668533087 CEST	50092	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:57.668576956 CEST	443	50092	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:57.668643951 CEST	50092	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:57.668941975 CEST	50092	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:57.668960094 CEST	443	50092	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:58.516699076 CEST	443	50092	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:58.516835928 CEST	50092	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:58.520478010 CEST	50092	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:58.520520926 CEST	443	50092	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:58.520649910 CEST	443	50092	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:58.520735025 CEST	50092	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:58.520735025 CEST	50092	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:58.637474060 CEST	50093	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:58.637506962 CEST	443	50093	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:58.641607046 CEST	50093	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:58.647356033 CEST	50093	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:58.647372007 CEST	443	50093	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:59.492257118 CEST	443	50093	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:59.492383957 CEST	50093	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:59.505136013 CEST	50093	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:59.505172968 CEST	443	50093	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:59.505239964 CEST	50093	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:59.623964071 CEST	50094	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:59.624010086 CEST	443	50094	185.161.251.26	192.168.2.5
Oct 24, 2024 17:28:59.624078989 CEST	50094	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:59.624526024 CEST	50094	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:28:59.624543905 CEST	443	50094	185.161.251.26	192.168.2.5
Oct 24, 2024 17:29:00.483095884 CEST	443	50094	185.161.251.26	192.168.2.5
Oct 24, 2024 17:29:00.483191013 CEST	50094	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:29:00.487235069 CEST	50094	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:29:00.487277031 CEST	443	50094	185.161.251.26	192.168.2.5
Oct 24, 2024 17:29:00.487427950 CEST	443	50094	185.161.251.26	192.168.2.5
Oct 24, 2024 17:29:00.487453938 CEST	50094	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:29:00.487668037 CEST	50094	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:29:00.590320110 CEST	50095	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:29:00.590370893 CEST	443	50095	185.161.251.26	192.168.2.5
Oct 24, 2024 17:29:00.590553999 CEST	50095	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:29:00.590965033 CEST	50095	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:29:00.590989113 CEST	443	50095	185.161.251.26	192.168.2.5
Oct 24, 2024 17:29:01.431582928 CEST	443	50095	185.161.251.26	192.168.2.5
Oct 24, 2024 17:29:01.431715012 CEST	50095	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:29:01.435414076 CEST	50095	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:29:01.435458899 CEST	443	50095	185.161.251.26	192.168.2.5
Oct 24, 2024 17:29:01.435516119 CEST	50095	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:29:01.543736935 CEST	50096	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:29:01.543826103 CEST	443	50096	185.161.251.26	192.168.2.5
Oct 24, 2024 17:29:01.543905973 CEST	50096	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:29:01.544320107 CEST	50096	443	192.168.2.5	185.161.251.26
Oct 24, 2024 17:29:01.544357061 CEST	443	50096	185.161.251.26	192.168.2.5
Oct 24, 2024 17:29:02.404443026 CEST	443	50096	185.161.251.26	192.168.2.5
Oct 24, 2024 17:29:02.404551983 CEST	50096	443	192.168.2.5	185.161.251.26

Target ID:	0
Start time:	11:26:56
Start date:	24/10/2024
Path:	C:\Windows\System32\loaddll64.exe
Wow64 process (32bit):	false
Commandline:	loaddll64.exe "C:\Users\user\Desktop\Updater.dll.dll"
Imagebase:	0x7ff7fd8f0000
File size:	165'888 bytes
MD5 hash:	763455F9DCB24DFEECC2B9D9F8D46D52
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	11:26:56
Start date:	24/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	11:26:56
Start date:	24/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Updater.dll.dll",#1
Imagebase:	0x7ff71f480000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	11:26:56
Start date:	24/10/2024
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	regsvr32.exe /s C:\Users\user\Desktop\Updater.dll.dll
Imagebase:	0x7ff71dcd0000
File size:	25'088 bytes
MD5 hash:	B0C2FA35D14A9FAD919E99D9D75E1B9E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	11:26:56
Start date:	24/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\Updater.dll.dll",#1
Imagebase:	0x7ff70b520000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	11:26:56
Start date:	24/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\Updater.dll.dll,DllGetClassObject
Imagebase:	0x7ff70b520000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	11:26:59
Start date:	24/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\rundll32.exe "C:\ProgramData\SynergyTop\Updater.dll",Start /u
Imagebase:	0x7ff70b520000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	11:26:59
Start date:	24/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\Updater.dll.dll,DllRegisterServer
Imagebase:	0x7ff6d64d0000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	11:27:01
Start date:	24/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\rundll32.exe "C:\ProgramData\Solid Digital\Updater.dll",Start /u
Imagebase:	0x7ff70b520000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	11:27:02
Start date:	24/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\Updater.dll.dll,DllRegisterServerEx
Imagebase:	0x7ff70b520000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	11:27:05
Start date:	24/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\rundll32.exe "C:\ProgramData\Table XI\Updater.dll",Start /u
Imagebase:	0x7ff70b520000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	11:27:07
Start date:	24/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\rundll32.exe "C:\ProgramData\TECLA\Updater.dll",Start /u
Imagebase:	0x7ff70b520000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	11:28:00
Start date:	24/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\rundll32.exe "C:\ProgramData\TECLA\Updater.dll",Start /u
Imagebase:	0x7ff70b520000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Disassembly

Reset < >

Analysis Process: rundll32.exePID: 6200, Parent PID: 1068COMMON

Execution Graph

Execution Coverage:	6.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	34.3%
Total number of Nodes:	1585
Total number of Limit Nodes:	34

Executed Functions

Function 00007FF8B8F71C40 Relevance: 47.6, APIs: 26, Strings: 1, Instructions: 320
networklibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE ref: 00007FF8B8F71C8C
GetProcAddress.KERNEL32 ref: 00007FF8B8F71CC3
GetProcAddress.KERNEL32 ref: 00007FF8B8F71CFA
GetProcAddress.KERNEL32 ref: 00007FF8B8F71D31
GetProcAddress.KERNEL32 ref: 00007FF8B8F71D68
GetProcAddress.KERNEL32 ref: 00007FF8B8F71D9F
GetProcAddress.KERNEL32 ref: 00007FF8B8F71DD6
GetProcAddress.KERNEL32 ref: 00007FF8B8F71E0D
GetProcAddress.KERNEL32 ref: 00007FF8B8F71E44
InternetOpenW.WININET ref: 00007FF8B8F71E68
InternetSetOptionW.WININET ref: 00007FF8B8F71E94
InternetSetOptionW.WININET ref: 00007FF8B8F71EAC
InternetSetOptionW.WININET ref: 00007FF8B8F71EC4
InternetConnectW.WININET ref: 00007FF8B8F71EED
HttpOpenRequestW.WININET ref: 00007FF8B8F71F7B
SetLastError.KERNEL32 ref: 00007FF8B8F7204C
HttpSendRequestW.WININET ref: 00007FF8B8F72066
GetLastError.KERNEL32 ref: 00007FF8B8F72071
InternetQueryOptionW.WININET ref: 00007FF8B8F7209F
InternetSetOptionW.WININET ref: 00007FF8B8F720BF
HttpSendRequestW.WININET ref: 00007FF8B8F720D4

Part of subcall function 00007FF8B8F75980: GetProcessHeap.KERNEL32(?,?,?,00007FF8B8F767BF), ref: 00007FF8B8F75989

InternetReadFile.WININET ref: 00007FF8B8F72101

Part of subcall function 00007FF8B8F759B0: GetProcessHeap.KERNEL32 ref: 00007FF8B8F759C0

InternetReadFile.WININET ref: 00007FF8B8F72144
InternetCloseHandle.WININET ref: 00007FF8B8F7216C
InternetCloseHandle.WININET ref: 00007FF8B8F72177
InternetCloseHandle.WININET ref: 00007FF8B8F72180

Strings

`, xrefs: 00007FF8B8F71E8C

Memory Dump Source

Source File: 00000007.00000002.3284341055.00007FF8B8F71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B8F70000, based on PE: true

Associated: 00000007.00000002.3284312292.00007FF8B8F70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284363115.00007FF8B8F85000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284379624.00007FF8B8F8F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284396727.00007FF8B8F93000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b8f70000_rundll32.jbxd

Similarity

API ID: Internet$AddressProc$Option$CloseHandleHttpRequest$ErrorFileHeapLastOpenProcessReadSend$ConnectLibraryLoadQuery
String ID: `
API String ID: 843668234-1850852036
Opcode ID: 02522366f27c775808b765d30ae349cda644d99c1c7bfb127414d2410a869d1f
Instruction ID: 4e1b39f07fe27ec4d94520f65fc4aa8e11516b3b2781063ffac719398598275c
Opcode Fuzzy Hash: 02522366f27c775808b765d30ae349cda644d99c1c7bfb127414d2410a869d1f
Instruction Fuzzy Hash: A2E16C39A09A4282FA50DF59E8546BA77A0FF89BE2F444035DF4E43755EF3CE0468748

Function 00007FF8B8F745E0 Relevance: 19.7, APIs: 13, Instructions: 228
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVolumeInformationW.KERNELBASE ref: 00007FF8B8F74637
GetModuleHandleW.KERNEL32 ref: 00007FF8B8F74647
GetComputerNameW.KERNEL32 ref: 00007FF8B8F7465C
GetModuleHandleW.KERNEL32 ref: 00007FF8B8F74664
GetComputerNameExW.KERNELBASE ref: 00007FF8B8F74686
GetModuleHandleW.KERNEL32 ref: 00007FF8B8F7468E
GetUserNameW.ADVAPI32 ref: 00007FF8B8F746A6
GetModuleHandleW.KERNEL32 ref: 00007FF8B8F746AE
OpenMutexW.KERNEL32 ref: 00007FF8B8F74CF5
CloseHandle.KERNEL32 ref: 00007FF8B8F74D0E
GetModuleHandleW.KERNEL32 ref: 00007FF8B8F74D25
GetTickCount.KERNEL32 ref: 00007FF8B8F74D2B
SleepEx.KERNELBASE ref: 00007FF8B8F74D3C

Memory Dump Source

Source File: 00000007.00000002.3284341055.00007FF8B8F71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B8F70000, based on PE: true

Associated: 00000007.00000002.3284312292.00007FF8B8F70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284363115.00007FF8B8F85000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284379624.00007FF8B8F8F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284396727.00007FF8B8F93000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b8f70000_rundll32.jbxd

Similarity

API ID: Handle$Module$Name$Computer$CloseCountInformationMutexOpenSleepTickUserVolume
String ID:
API String ID: 2838846479-0
Opcode ID: 8f613cc3c829e87c50055f50a86779bab7fd9bead7c6a792317adaf3c693b8d3
Instruction ID: 051507c9eec5436a0f235b98022e111f0a24c4427424b7ca682fbcebfd28c204
Opcode Fuzzy Hash: 8f613cc3c829e87c50055f50a86779bab7fd9bead7c6a792317adaf3c693b8d3
Instruction Fuzzy Hash: 0AB19F36A08B428AFB10DB68E8406AE3BA4FB487D5F904235DB5E47795EF3CD146CB04

Function 00007FF8B8F75A20 Relevance: 16.7, APIs: 11, Instructions: 178
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32 ref: 00007FF8B8F75A50
GetProcAddress.KERNEL32 ref: 00007FF8B8F75A88
LoadLibraryW.KERNEL32 ref: 00007FF8B8F75AB9
GetProcAddress.KERNEL32 ref: 00007FF8B8F75AF1
GetProcAddress.KERNEL32 ref: 00007FF8B8F75B29
LoadLibraryW.KERNEL32 ref: 00007FF8B8F75B5A
GetProcAddress.KERNEL32 ref: 00007FF8B8F75B92
RtlGetVersion.NTDLL ref: 00007FF8B8F75BC6
GetNativeSystemInfo.KERNELBASE ref: 00007FF8B8F75BF9
GetSystemInfo.KERNEL32 ref: 00007FF8B8F75BFD

Memory Dump Source

Source File: 00000007.00000002.3284341055.00007FF8B8F71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B8F70000, based on PE: true

Associated: 00000007.00000002.3284312292.00007FF8B8F70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284363115.00007FF8B8F85000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284379624.00007FF8B8F8F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284396727.00007FF8B8F93000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b8f70000_rundll32.jbxd

Similarity

API ID: AddressProc$LibraryLoad$InfoSystem$NativeVersion
String ID:
API String ID: 2883576749-0
Opcode ID: edaa7cecb2ce61e8d08a04a1f2505cbfd62d8f4ea06d9fe782e15e0f68590704
Instruction ID: 041238f2fef29c4ee9774622f91f60744dc95b0306d35040bc99095f59cdd817
Opcode Fuzzy Hash: edaa7cecb2ce61e8d08a04a1f2505cbfd62d8f4ea06d9fe782e15e0f68590704
Instruction Fuzzy Hash: 7D914F34E0CA4386FF649B68E8547B96B90EF887D2F540039D75E86791EF2CE446C708

Function 00007FF8B8F713A0 Relevance: 12.1, APIs: 8, Instructions: 120
libraryloaderfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32 ref: 00007FF8B8F713D7
GetProcAddress.KERNEL32 ref: 00007FF8B8F7140E
GetProcAddress.KERNEL32 ref: 00007FF8B8F71445
GetProcAddress.KERNEL32 ref: 00007FF8B8F7147C
sprintf_s.LIBCMTD ref: 00007FF8B8F714B3
FindFirstFileW.KERNELBASE ref: 00007FF8B8F714CD
FindNextFileW.KERNELBASE ref: 00007FF8B8F71562
FindClose.KERNELBASE ref: 00007FF8B8F7157F

Memory Dump Source

Source File: 00000007.00000002.3284341055.00007FF8B8F71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B8F70000, based on PE: true

Associated: 00000007.00000002.3284312292.00007FF8B8F70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284363115.00007FF8B8F85000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284379624.00007FF8B8F8F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284396727.00007FF8B8F93000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b8f70000_rundll32.jbxd

Similarity

API ID: AddressFindProc$File$CloseFirstLibraryLoadNextsprintf_s
String ID:
API String ID: 3482909146-0
Opcode ID: 22d0c2b1a28d00ed540bf15ff744353af3ceb3754b5d0a5077885d68ed8e5c0d
Instruction ID: c32aa9aed136b79455580ebb09e341392bb6cfc727c43d412b7ba251d2e5d00d
Opcode Fuzzy Hash: 22d0c2b1a28d00ed540bf15ff744353af3ceb3754b5d0a5077885d68ed8e5c0d
Instruction Fuzzy Hash: 05515A39A19E4381FB50DB5AE8541B927A0AF89BC2F544135DB5E43396FF3CE84B8308

Function 00007FF8B8F77BB0 Relevance: 10.6, APIs: 7, Instructions: 90
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(?,?,00000000,00007FF8B8F77D51,?,?,00000000,00007FF8B8F7228A,?,?,?,00007FF8B8F71383), ref: 00007FF8B8F77BDF
GetProcAddress.KERNEL32(?,?,00000000,00007FF8B8F77D51,?,?,00000000,00007FF8B8F7228A,?,?,?,00007FF8B8F71383), ref: 00007FF8B8F77C16
LoadLibraryW.KERNEL32(?,?,00000000,00007FF8B8F77D51,?,?,00000000,00007FF8B8F7228A,?,?,?,00007FF8B8F71383), ref: 00007FF8B8F77C46
GetProcAddress.KERNEL32(?,?,00000000,00007FF8B8F77D51,?,?,00000000,00007FF8B8F7228A,?,?,?,00007FF8B8F71383), ref: 00007FF8B8F77C7D
GetCommandLineW.KERNEL32(?,?,00000000,00007FF8B8F77D51,?,?,00000000,00007FF8B8F7228A,?,?,?,00007FF8B8F71383), ref: 00007FF8B8F77C92
CommandLineToArgvW.SHELL32(?,?,00000000,00007FF8B8F77D51,?,?,00000000,00007FF8B8F7228A,?,?,?,00007FF8B8F71383), ref: 00007FF8B8F77CA0
LocalFree.KERNEL32(?,?,00000000,00007FF8B8F77D51,?,?,00000000,00007FF8B8F7228A,?,?,?,00007FF8B8F71383), ref: 00007FF8B8F77D0E

Memory Dump Source

Source File: 00000007.00000002.3284341055.00007FF8B8F71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B8F70000, based on PE: true

Associated: 00000007.00000002.3284312292.00007FF8B8F70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284363115.00007FF8B8F85000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284379624.00007FF8B8F8F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284396727.00007FF8B8F93000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b8f70000_rundll32.jbxd

Similarity

API ID: AddressCommandLibraryLineLoadProc$ArgvFreeLocal
String ID:
API String ID: 1914251671-0
Opcode ID: 055a219286a0850f7018c79609365c8502faa3a2cecd4e08f0dab71379c2a6f4
Instruction ID: c03258ee545f93754c88008a4c894a75218354aaadb7436882018fa40c9d01fa
Opcode Fuzzy Hash: 055a219286a0850f7018c79609365c8502faa3a2cecd4e08f0dab71379c2a6f4
Instruction Fuzzy Hash: 2E411B39E29F02C1FE51DB59E8546792AA0AF89BC6F544035DB4E83352EF3CE446C608

Function 00007FF8B8F74B50 Relevance: 7.7, APIs: 5, Instructions: 156
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenMutexW.KERNEL32 ref: 00007FF8B8F74CF5
CloseHandle.KERNEL32 ref: 00007FF8B8F74D0E
GetModuleHandleW.KERNEL32 ref: 00007FF8B8F74D25
GetTickCount.KERNEL32 ref: 00007FF8B8F74D2B
SleepEx.KERNELBASE ref: 00007FF8B8F74D3C

Part of subcall function 00007FF8B8F71C40: LoadLibraryExW.KERNELBASE ref: 00007FF8B8F71C8C
Part of subcall function 00007FF8B8F71C40: GetProcAddress.KERNEL32 ref: 00007FF8B8F71CC3
Part of subcall function 00007FF8B8F71C40: GetProcAddress.KERNEL32 ref: 00007FF8B8F71CFA
Part of subcall function 00007FF8B8F71C40: GetProcAddress.KERNEL32 ref: 00007FF8B8F71D31
Part of subcall function 00007FF8B8F71C40: GetProcAddress.KERNEL32 ref: 00007FF8B8F71D68
Part of subcall function 00007FF8B8F71C40: GetProcAddress.KERNEL32 ref: 00007FF8B8F71D9F
Part of subcall function 00007FF8B8F71C40: GetProcAddress.KERNEL32 ref: 00007FF8B8F71DD6
Part of subcall function 00007FF8B8F71C40: GetProcAddress.KERNEL32 ref: 00007FF8B8F71E0D

Part of subcall function 00007FF8B8F759F0: GetProcessHeap.KERNEL32 ref: 00007FF8B8F759F9

Memory Dump Source

Source File: 00000007.00000002.3284341055.00007FF8B8F71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B8F70000, based on PE: true

Associated: 00000007.00000002.3284312292.00007FF8B8F70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284363115.00007FF8B8F85000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284379624.00007FF8B8F8F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284396727.00007FF8B8F93000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b8f70000_rundll32.jbxd

Similarity

API ID: AddressProc$Handle$CloseCountHeapLibraryLoadModuleMutexOpenProcessSleepTick
String ID:
API String ID: 2080402659-0
Opcode ID: 594baf39ca933313acb5142264821842761baf68e37f1fc6fbda7ef8b5896540
Instruction ID: 3cb4fd7f668a3316c429b45ceb23b683578c288a31808555abc01b94ba863530
Opcode Fuzzy Hash: 594baf39ca933313acb5142264821842761baf68e37f1fc6fbda7ef8b5896540
Instruction Fuzzy Hash: BA716D76A08B4286FB10CB28E8446AA7BA4FB457E5F540235DB6D477D5EF3CE046CB08

Function 00007FF8B8F74A6D Relevance: 7.6, APIs: 5, Instructions: 145
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenMutexW.KERNEL32 ref: 00007FF8B8F74CF5
CloseHandle.KERNEL32 ref: 00007FF8B8F74D0E
GetModuleHandleW.KERNEL32 ref: 00007FF8B8F74D25
GetTickCount.KERNEL32 ref: 00007FF8B8F74D2B
SleepEx.KERNELBASE ref: 00007FF8B8F74D3C

Part of subcall function 00007FF8B8F71C40: LoadLibraryExW.KERNELBASE ref: 00007FF8B8F71C8C
Part of subcall function 00007FF8B8F71C40: GetProcAddress.KERNEL32 ref: 00007FF8B8F71CC3
Part of subcall function 00007FF8B8F71C40: GetProcAddress.KERNEL32 ref: 00007FF8B8F71CFA
Part of subcall function 00007FF8B8F71C40: GetProcAddress.KERNEL32 ref: 00007FF8B8F71D31
Part of subcall function 00007FF8B8F71C40: GetProcAddress.KERNEL32 ref: 00007FF8B8F71D68
Part of subcall function 00007FF8B8F71C40: GetProcAddress.KERNEL32 ref: 00007FF8B8F71D9F
Part of subcall function 00007FF8B8F71C40: GetProcAddress.KERNEL32 ref: 00007FF8B8F71DD6
Part of subcall function 00007FF8B8F71C40: GetProcAddress.KERNEL32 ref: 00007FF8B8F71E0D

Part of subcall function 00007FF8B8F759F0: GetProcessHeap.KERNEL32 ref: 00007FF8B8F759F9

Memory Dump Source

Source File: 00000007.00000002.3284341055.00007FF8B8F71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B8F70000, based on PE: true

Associated: 00000007.00000002.3284312292.00007FF8B8F70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284363115.00007FF8B8F85000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284379624.00007FF8B8F8F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284396727.00007FF8B8F93000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b8f70000_rundll32.jbxd

Similarity

API ID: AddressProc$Handle$CloseCountHeapLibraryLoadModuleMutexOpenProcessSleepTick
String ID:
API String ID: 2080402659-0
Opcode ID: ea58a9971a61916d1f0fbfc1ebc85af45680e262c1c221bf798031a22d59b396
Instruction ID: 5098299e27a22b2134553d17dd927486f1ad54bfca953a40a4f944f1dc131b1e
Opcode Fuzzy Hash: ea58a9971a61916d1f0fbfc1ebc85af45680e262c1c221bf798031a22d59b396
Instruction Fuzzy Hash: 79618F35A08B428AFB50DB28E4446AE7BA4FB457D6F500235DB5D47795EF3CE046CB08

Function 00007FF8B8F7497C Relevance: 7.6, APIs: 5, Instructions: 137
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF8B8F73020: GetModuleHandleW.KERNEL32 ref: 00007FF8B8F730ED

OpenMutexW.KERNEL32 ref: 00007FF8B8F74CF5
CloseHandle.KERNEL32 ref: 00007FF8B8F74D0E
GetModuleHandleW.KERNEL32 ref: 00007FF8B8F74D25
GetTickCount.KERNEL32 ref: 00007FF8B8F74D2B
SleepEx.KERNELBASE ref: 00007FF8B8F74D3C

Part of subcall function 00007FF8B8F71C40: LoadLibraryExW.KERNELBASE ref: 00007FF8B8F71C8C
Part of subcall function 00007FF8B8F71C40: GetProcAddress.KERNEL32 ref: 00007FF8B8F71CC3
Part of subcall function 00007FF8B8F71C40: GetProcAddress.KERNEL32 ref: 00007FF8B8F71CFA
Part of subcall function 00007FF8B8F71C40: GetProcAddress.KERNEL32 ref: 00007FF8B8F71D31
Part of subcall function 00007FF8B8F71C40: GetProcAddress.KERNEL32 ref: 00007FF8B8F71D68
Part of subcall function 00007FF8B8F71C40: GetProcAddress.KERNEL32 ref: 00007FF8B8F71D9F
Part of subcall function 00007FF8B8F71C40: GetProcAddress.KERNEL32 ref: 00007FF8B8F71DD6
Part of subcall function 00007FF8B8F71C40: GetProcAddress.KERNEL32 ref: 00007FF8B8F71E0D

Part of subcall function 00007FF8B8F759F0: GetProcessHeap.KERNEL32 ref: 00007FF8B8F759F9

Memory Dump Source

Source File: 00000007.00000002.3284341055.00007FF8B8F71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B8F70000, based on PE: true

Associated: 00000007.00000002.3284312292.00007FF8B8F70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284363115.00007FF8B8F85000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284379624.00007FF8B8F8F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284396727.00007FF8B8F93000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b8f70000_rundll32.jbxd

Similarity

API ID: AddressProc$Handle$Module$CloseCountHeapLibraryLoadMutexOpenProcessSleepTick
String ID:
API String ID: 2321454388-0
Opcode ID: c1862a4487c3b2ea665ad8fcdab4e0d06fe973e85168553db19bc9e86263fb43
Instruction ID: 9bcb00d82924ccdcfafed82a53993acf99e3e176337de8dad24e1ef450fbe71d
Opcode Fuzzy Hash: c1862a4487c3b2ea665ad8fcdab4e0d06fe973e85168553db19bc9e86263fb43
Instruction Fuzzy Hash: D3517B75A08B428AFB10DB29E8446BA7BA4FB897C6F500135DB5D43795EF3CE046CB08

Function 00007FF8B8F749A3 Relevance: 7.6, APIs: 5, Instructions: 137
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenMutexW.KERNEL32 ref: 00007FF8B8F74CF5
CloseHandle.KERNEL32 ref: 00007FF8B8F74D0E
GetModuleHandleW.KERNEL32 ref: 00007FF8B8F74D25
GetTickCount.KERNEL32 ref: 00007FF8B8F74D2B
SleepEx.KERNELBASE ref: 00007FF8B8F74D3C

Part of subcall function 00007FF8B8F71C40: LoadLibraryExW.KERNELBASE ref: 00007FF8B8F71C8C
Part of subcall function 00007FF8B8F71C40: GetProcAddress.KERNEL32 ref: 00007FF8B8F71CC3
Part of subcall function 00007FF8B8F71C40: GetProcAddress.KERNEL32 ref: 00007FF8B8F71CFA
Part of subcall function 00007FF8B8F71C40: GetProcAddress.KERNEL32 ref: 00007FF8B8F71D31
Part of subcall function 00007FF8B8F71C40: GetProcAddress.KERNEL32 ref: 00007FF8B8F71D68
Part of subcall function 00007FF8B8F71C40: GetProcAddress.KERNEL32 ref: 00007FF8B8F71D9F
Part of subcall function 00007FF8B8F71C40: GetProcAddress.KERNEL32 ref: 00007FF8B8F71DD6
Part of subcall function 00007FF8B8F71C40: GetProcAddress.KERNEL32 ref: 00007FF8B8F71E0D

Part of subcall function 00007FF8B8F759F0: GetProcessHeap.KERNEL32 ref: 00007FF8B8F759F9

Memory Dump Source

Source File: 00000007.00000002.3284341055.00007FF8B8F71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B8F70000, based on PE: true

Associated: 00000007.00000002.3284312292.00007FF8B8F70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284363115.00007FF8B8F85000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284379624.00007FF8B8F8F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284396727.00007FF8B8F93000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b8f70000_rundll32.jbxd

Similarity

API ID: AddressProc$Handle$CloseCountHeapLibraryLoadModuleMutexOpenProcessSleepTick
String ID:
API String ID: 2080402659-0
Opcode ID: e96140bd876d7ffb20593bdd8b131e0c0fd8ae822c2ed3a4cf8f876c39a3e853
Instruction ID: a0fb654b43c1078dd3888a323d9df8d0c7916a158eec84093aadf03359e39556
Opcode Fuzzy Hash: e96140bd876d7ffb20593bdd8b131e0c0fd8ae822c2ed3a4cf8f876c39a3e853
Instruction Fuzzy Hash: 60517B75A08B428AFB10DB29E8446BA7BA4FB897C6F500135DB5D43795EF3CE046CB08

Function 00007FF8B8F749CA Relevance: 7.6, APIs: 5, Instructions: 137
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF8B8F73F30: CreatePipe.KERNEL32 ref: 00007FF8B8F73F90
Part of subcall function 00007FF8B8F73F30: SetHandleInformation.KERNEL32 ref: 00007FF8B8F73FB2
Part of subcall function 00007FF8B8F73F30: sprintf_s.LIBCMTD ref: 00007FF8B8F7406B
Part of subcall function 00007FF8B8F73F30: GetCurrentDirectoryW.KERNEL32 ref: 00007FF8B8F74084
Part of subcall function 00007FF8B8F73F30: CreateProcessW.KERNEL32 ref: 00007FF8B8F740C9
Part of subcall function 00007FF8B8F73F30: WaitForSingleObject.KERNEL32 ref: 00007FF8B8F740E1

OpenMutexW.KERNEL32 ref: 00007FF8B8F74CF5
CloseHandle.KERNEL32 ref: 00007FF8B8F74D0E
GetModuleHandleW.KERNEL32 ref: 00007FF8B8F74D25
GetTickCount.KERNEL32 ref: 00007FF8B8F74D2B
SleepEx.KERNELBASE ref: 00007FF8B8F74D3C

Part of subcall function 00007FF8B8F71C40: LoadLibraryExW.KERNELBASE ref: 00007FF8B8F71C8C
Part of subcall function 00007FF8B8F71C40: GetProcAddress.KERNEL32 ref: 00007FF8B8F71CC3
Part of subcall function 00007FF8B8F71C40: GetProcAddress.KERNEL32 ref: 00007FF8B8F71CFA
Part of subcall function 00007FF8B8F71C40: GetProcAddress.KERNEL32 ref: 00007FF8B8F71D31
Part of subcall function 00007FF8B8F71C40: GetProcAddress.KERNEL32 ref: 00007FF8B8F71D68
Part of subcall function 00007FF8B8F71C40: GetProcAddress.KERNEL32 ref: 00007FF8B8F71D9F
Part of subcall function 00007FF8B8F71C40: GetProcAddress.KERNEL32 ref: 00007FF8B8F71DD6
Part of subcall function 00007FF8B8F71C40: GetProcAddress.KERNEL32 ref: 00007FF8B8F71E0D

Part of subcall function 00007FF8B8F759F0: GetProcessHeap.KERNEL32 ref: 00007FF8B8F759F9

Memory Dump Source

Source File: 00000007.00000002.3284341055.00007FF8B8F71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B8F70000, based on PE: true

Associated: 00000007.00000002.3284312292.00007FF8B8F70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284363115.00007FF8B8F85000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284379624.00007FF8B8F8F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284396727.00007FF8B8F93000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b8f70000_rundll32.jbxd

Similarity

API ID: AddressProc$Handle$CreateProcess$CloseCountCurrentDirectoryHeapInformationLibraryLoadModuleMutexObjectOpenPipeSingleSleepTickWaitsprintf_s
String ID:
API String ID: 3732969655-0
Opcode ID: b6fe133894f1fb68516e357d3a675460a5c56f01aeb141ba424706e9e9d1068d
Instruction ID: dd6f2836ad70c29b0f4ff27df054c65444df54a87dafde9f7a96362f38dd4311
Opcode Fuzzy Hash: b6fe133894f1fb68516e357d3a675460a5c56f01aeb141ba424706e9e9d1068d
Instruction Fuzzy Hash: D6517D35A08B428AFB10DB29E8446BA7BA4FB497D6F540135DB5D43796EF3CE046CB08

Function 00007FF8B8F748E2 Relevance: 7.6, APIs: 5, Instructions: 136
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF8B8F72C40: WSAStartup.WS2_32 ref: 00007FF8B8F72C84
Part of subcall function 00007FF8B8F72C40: gethostname.WS2_32 ref: 00007FF8B8F72C95
Part of subcall function 00007FF8B8F72C40: gethostbyname.WS2_32 ref: 00007FF8B8F72CA4
Part of subcall function 00007FF8B8F72C40: GetModuleHandleW.KERNEL32 ref: 00007FF8B8F72CBF
Part of subcall function 00007FF8B8F72C40: inet_ntoa.WS2_32 ref: 00007FF8B8F72CC7
Part of subcall function 00007FF8B8F72C40: RegOpenKeyExW.ADVAPI32 ref: 00007FF8B8F72D1B
Part of subcall function 00007FF8B8F72C40: RegEnumKeyExW.ADVAPI32 ref: 00007FF8B8F72D69
Part of subcall function 00007FF8B8F72C40: RegOpenKeyExW.ADVAPI32 ref: 00007FF8B8F72D9F
Part of subcall function 00007FF8B8F72C40: RegQueryValueExW.ADVAPI32 ref: 00007FF8B8F72DD2
Part of subcall function 00007FF8B8F72C40: RegCloseKey.ADVAPI32 ref: 00007FF8B8F72DE1

OpenMutexW.KERNEL32 ref: 00007FF8B8F74CF5
CloseHandle.KERNEL32 ref: 00007FF8B8F74D0E
GetModuleHandleW.KERNEL32 ref: 00007FF8B8F74D25
GetTickCount.KERNEL32 ref: 00007FF8B8F74D2B
SleepEx.KERNELBASE ref: 00007FF8B8F74D3C

Part of subcall function 00007FF8B8F71C40: LoadLibraryExW.KERNELBASE ref: 00007FF8B8F71C8C
Part of subcall function 00007FF8B8F71C40: GetProcAddress.KERNEL32 ref: 00007FF8B8F71CC3
Part of subcall function 00007FF8B8F71C40: GetProcAddress.KERNEL32 ref: 00007FF8B8F71CFA
Part of subcall function 00007FF8B8F71C40: GetProcAddress.KERNEL32 ref: 00007FF8B8F71D31
Part of subcall function 00007FF8B8F71C40: GetProcAddress.KERNEL32 ref: 00007FF8B8F71D68
Part of subcall function 00007FF8B8F71C40: GetProcAddress.KERNEL32 ref: 00007FF8B8F71D9F
Part of subcall function 00007FF8B8F71C40: GetProcAddress.KERNEL32 ref: 00007FF8B8F71DD6
Part of subcall function 00007FF8B8F71C40: GetProcAddress.KERNEL32 ref: 00007FF8B8F71E0D

Part of subcall function 00007FF8B8F759F0: GetProcessHeap.KERNEL32 ref: 00007FF8B8F759F9

Memory Dump Source

Source File: 00000007.00000002.3284341055.00007FF8B8F71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B8F70000, based on PE: true

Associated: 00000007.00000002.3284312292.00007FF8B8F70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284363115.00007FF8B8F85000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284379624.00007FF8B8F8F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284396727.00007FF8B8F93000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b8f70000_rundll32.jbxd

Similarity

API ID: AddressProc$HandleOpen$CloseModule$CountEnumHeapLibraryLoadMutexProcessQuerySleepStartupTickValuegethostbynamegethostnameinet_ntoa
String ID:
API String ID: 51037661-0
Opcode ID: dc84b976c497d7192769be7411e43f7a28b69674cda6dd68f700fc02f0b4a1c6
Instruction ID: f23bdbeb398522aae3dabb59c8de0d246e9af4346d03c1739aff4f5e09301911
Opcode Fuzzy Hash: dc84b976c497d7192769be7411e43f7a28b69674cda6dd68f700fc02f0b4a1c6
Instruction Fuzzy Hash: 3D517C35A08B428AFB10DB29E8446BA7BA4FB497D6F500135DB5D43795EF3CE046CB08

Function 00007FF8B8F74C35 Relevance: 7.6, APIs: 5, Instructions: 125
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF8B8F768A0: LoadLibraryW.KERNEL32 ref: 00007FF8B8F768E5
Part of subcall function 00007FF8B8F768A0: GetProcAddress.KERNEL32 ref: 00007FF8B8F7690B
Part of subcall function 00007FF8B8F768A0: GetTempPathW.KERNEL32 ref: 00007FF8B8F76928
Part of subcall function 00007FF8B8F768A0: GetTempFileNameW.KERNEL32 ref: 00007FF8B8F76946
Part of subcall function 00007FF8B8F768A0: DeleteFileW.KERNEL32 ref: 00007FF8B8F76953
Part of subcall function 00007FF8B8F768A0: GetTempFileNameW.KERNEL32 ref: 00007FF8B8F76990
Part of subcall function 00007FF8B8F768A0: DeleteFileW.KERNEL32 ref: 00007FF8B8F7699A

Part of subcall function 00007FF8B8F759F0: GetProcessHeap.KERNEL32 ref: 00007FF8B8F759F9

OpenMutexW.KERNEL32 ref: 00007FF8B8F74CF5
CloseHandle.KERNEL32 ref: 00007FF8B8F74D0E
GetModuleHandleW.KERNEL32 ref: 00007FF8B8F74D25
GetTickCount.KERNEL32 ref: 00007FF8B8F74D2B
SleepEx.KERNELBASE ref: 00007FF8B8F74D3C

Memory Dump Source

Source File: 00000007.00000002.3284341055.00007FF8B8F71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B8F70000, based on PE: true

Associated: 00000007.00000002.3284312292.00007FF8B8F70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284363115.00007FF8B8F85000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284379624.00007FF8B8F8F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284396727.00007FF8B8F93000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b8f70000_rundll32.jbxd

Similarity

API ID: File$Temp$DeleteHandleName$AddressCloseCountHeapLibraryLoadModuleMutexOpenPathProcProcessSleepTick
String ID:
API String ID: 3639944527-0
Opcode ID: 71e1eb6c08b25f3172f544efe9d3800e62a11750d7d853f4d4b714bef4570bb7
Instruction ID: 423ddef2ae812d922c60b698abf495386a2aee596d2426fdbb51fb2c366e80ab
Opcode Fuzzy Hash: 71e1eb6c08b25f3172f544efe9d3800e62a11750d7d853f4d4b714bef4570bb7
Instruction Fuzzy Hash: 67517935A08A4286FB10DB69E8046B97BA0FF487D6F944135DB5E47796EF3CE046CB08

Function 00007FF8B8F74C96 Relevance: 7.6, APIs: 5, Instructions: 105
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF8B8F722D0: LoadLibraryW.KERNEL32 ref: 00007FF8B8F722F9
Part of subcall function 00007FF8B8F722D0: GetProcAddress.KERNEL32 ref: 00007FF8B8F7231F
Part of subcall function 00007FF8B8F722D0: GetProcAddress.KERNEL32 ref: 00007FF8B8F72345
Part of subcall function 00007FF8B8F722D0: GetProcAddress.KERNEL32 ref: 00007FF8B8F7236B
Part of subcall function 00007FF8B8F722D0: GetModuleFileNameW.KERNEL32 ref: 00007FF8B8F72396
Part of subcall function 00007FF8B8F722D0: DeleteFileW.KERNEL32 ref: 00007FF8B8F723D6

Part of subcall function 00007FF8B8F759F0: GetProcessHeap.KERNEL32 ref: 00007FF8B8F759F9

OpenMutexW.KERNEL32 ref: 00007FF8B8F74CF5
CloseHandle.KERNEL32 ref: 00007FF8B8F74D0E
GetModuleHandleW.KERNEL32 ref: 00007FF8B8F74D25
GetTickCount.KERNEL32 ref: 00007FF8B8F74D2B
SleepEx.KERNELBASE ref: 00007FF8B8F74D3C

Memory Dump Source

Source File: 00000007.00000002.3284341055.00007FF8B8F71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B8F70000, based on PE: true

Associated: 00000007.00000002.3284312292.00007FF8B8F70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284363115.00007FF8B8F85000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284379624.00007FF8B8F8F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284396727.00007FF8B8F93000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b8f70000_rundll32.jbxd

Similarity

API ID: AddressProc$FileHandleModule$CloseCountDeleteHeapLibraryLoadMutexNameOpenProcessSleepTick
String ID:
API String ID: 2411591737-0
Opcode ID: dc23178a08a27ac444460df79868cf7a03fba5b26f8faaba61ea07d9740f1d3c
Instruction ID: c07390a47ea27b1240efdeca9b0d064ed6ad61f937c79de1f2a5a3271df93627
Opcode Fuzzy Hash: dc23178a08a27ac444460df79868cf7a03fba5b26f8faaba61ea07d9740f1d3c
Instruction Fuzzy Hash: 8C419D75A08A428AFB10DB28E8446B93BA0FF487D6F944135DB5E43795EF3CE046CB08

Function 00007FF8B8F71900 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 36
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF8B8F71374), ref: 00007FF8B8F7191C
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF8B8F71374), ref: 00007FF8B8F71942
GlobalMemoryStatusEx.KERNELBASE ref: 00007FF8B8F71960

Strings

@, xrefs: 00007FF8B8F71958

Memory Dump Source

Source File: 00000007.00000002.3284341055.00007FF8B8F71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B8F70000, based on PE: true

Associated: 00000007.00000002.3284312292.00007FF8B8F70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284363115.00007FF8B8F85000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284379624.00007FF8B8F8F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284396727.00007FF8B8F93000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b8f70000_rundll32.jbxd

Similarity

API ID: AddressGlobalHandleMemoryModuleProcStatus
String ID: @
API String ID: 2450578220-2766056989
Opcode ID: 0afb79ebcdfbdeb580ecc7f8eacd47776bfb190c1650612288748f96ddd47335
Instruction ID: 8c18079f3eff54cbbc5144aef34919e6b081c41ac2bb865215fa1ce8e2ceffa7
Opcode Fuzzy Hash: 0afb79ebcdfbdeb580ecc7f8eacd47776bfb190c1650612288748f96ddd47335
Instruction Fuzzy Hash: 9DF06D25B18A4682FE10EB6AF8140695790AF88BC1F880134DB4D47756FF2CD0868B08

Function 00007FF8B8F721E0 Relevance: 6.1, APIs: 4, Instructions: 61
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetLastError.KERNEL32(?,?,?,00007FF8B8F71383), ref: 00007FF8B8F7220A
CreateMutexExW.KERNELBASE(?,?,?,00007FF8B8F71383), ref: 00007FF8B8F72217
GetLastError.KERNEL32(?,?,?,00007FF8B8F71383), ref: 00007FF8B8F72229
CloseHandle.KERNEL32(?,?,?,00007FF8B8F71383), ref: 00007FF8B8F722A8

Part of subcall function 00007FF8B8F77BB0: LoadLibraryW.KERNEL32(?,?,00000000,00007FF8B8F77D51,?,?,00000000,00007FF8B8F7228A,?,?,?,00007FF8B8F71383), ref: 00007FF8B8F77BDF
Part of subcall function 00007FF8B8F77BB0: GetProcAddress.KERNEL32(?,?,00000000,00007FF8B8F77D51,?,?,00000000,00007FF8B8F7228A,?,?,?,00007FF8B8F71383), ref: 00007FF8B8F77C16
Part of subcall function 00007FF8B8F77BB0: LoadLibraryW.KERNEL32(?,?,00000000,00007FF8B8F77D51,?,?,00000000,00007FF8B8F7228A,?,?,?,00007FF8B8F71383), ref: 00007FF8B8F77C46
Part of subcall function 00007FF8B8F77BB0: GetProcAddress.KERNEL32(?,?,00000000,00007FF8B8F77D51,?,?,00000000,00007FF8B8F7228A,?,?,?,00007FF8B8F71383), ref: 00007FF8B8F77C7D
Part of subcall function 00007FF8B8F77BB0: GetCommandLineW.KERNEL32(?,?,00000000,00007FF8B8F77D51,?,?,00000000,00007FF8B8F7228A,?,?,?,00007FF8B8F71383), ref: 00007FF8B8F77C92
Part of subcall function 00007FF8B8F77BB0: CommandLineToArgvW.SHELL32(?,?,00000000,00007FF8B8F77D51,?,?,00000000,00007FF8B8F7228A,?,?,?,00007FF8B8F71383), ref: 00007FF8B8F77CA0
Part of subcall function 00007FF8B8F77BB0: LocalFree.KERNEL32(?,?,00000000,00007FF8B8F77D51,?,?,00000000,00007FF8B8F7228A,?,?,?,00007FF8B8F71383), ref: 00007FF8B8F77D0E

Part of subcall function 00007FF8B8F75670: CreateMutexW.KERNEL32 ref: 00007FF8B8F756A5
Part of subcall function 00007FF8B8F75670: Sleep.KERNEL32 ref: 00007FF8B8F756B8
Part of subcall function 00007FF8B8F75670: CloseHandle.KERNEL32 ref: 00007FF8B8F756C1
Part of subcall function 00007FF8B8F75670: Sleep.KERNEL32 ref: 00007FF8B8F7570F
Part of subcall function 00007FF8B8F75670: GetTickCount.KERNEL32 ref: 00007FF8B8F75715
Part of subcall function 00007FF8B8F75670: rand.LIBCMT ref: 00007FF8B8F75722

Memory Dump Source

Source File: 00000007.00000002.3284341055.00007FF8B8F71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B8F70000, based on PE: true

Associated: 00000007.00000002.3284312292.00007FF8B8F70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284363115.00007FF8B8F85000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284379624.00007FF8B8F8F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284396727.00007FF8B8F93000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b8f70000_rundll32.jbxd

Similarity

API ID: AddressCloseCommandCreateErrorHandleLastLibraryLineLoadMutexProcSleep$ArgvCountFreeLocalTickrand
String ID:
API String ID: 1739745066-0
Opcode ID: 007474db8946118fe8e355bdae2cebbab7dfe6101b2419ff64d7ce1083001067
Instruction ID: 75e161c0aabb86457b677a467edbd0a1ede9e01255a185c48bbec72c12b15736
Opcode Fuzzy Hash: 007474db8946118fe8e355bdae2cebbab7dfe6101b2419ff64d7ce1083001067
Instruction Fuzzy Hash: 4A215E38E1CE43C1FB44AB6AA91157E5A916F49BC2F540034EF1E86797EF2CE4038368

Function 00007FF8B8F71870 Relevance: 6.0, APIs: 4, Instructions: 35libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF8B8F71354), ref: 00007FF8B8F7188C
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF8B8F71354), ref: 00007FF8B8F718B2
GetNativeSystemInfo.KERNELBASE(?,?,?,?,?,?,?,?,?,00007FF8B8F71354), ref: 00007FF8B8F718CD
GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF8B8F71354), ref: 00007FF8B8F718DE

Memory Dump Source

Source File: 00000007.00000002.3284341055.00007FF8B8F71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B8F70000, based on PE: true

Associated: 00000007.00000002.3284312292.00007FF8B8F70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284363115.00007FF8B8F85000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284379624.00007FF8B8F8F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284396727.00007FF8B8F93000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b8f70000_rundll32.jbxd

Similarity

API ID: InfoSystem$AddressHandleModuleNativeProc
String ID:
API String ID: 3433367815-0
Opcode ID: ecfc0f5c20cdda23f03c0372d60a1f9a9daa0108346c0d72a78978d45894affb
Instruction ID: b77935c7d2b104ce4a793f902e8256f6882d6b7d0e2b15a05137694a24b8741b
Opcode Fuzzy Hash: ecfc0f5c20cdda23f03c0372d60a1f9a9daa0108346c0d72a78978d45894affb
Instruction Fuzzy Hash: 32F06D35B18A4693FA00EB5AF904479A3A1BF8CFD2F980034DB4D47756FF2CE4468608

Function 00007FF8B8F715B0 Relevance: 3.0, APIs: 2, Instructions: 38libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 00007FF8B8F715DB
GetProcAddress.KERNEL32 ref: 00007FF8B8F71615

Memory Dump Source

Source File: 00000007.00000002.3284341055.00007FF8B8F71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B8F70000, based on PE: true

Associated: 00000007.00000002.3284312292.00007FF8B8F70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284363115.00007FF8B8F85000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284379624.00007FF8B8F8F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284396727.00007FF8B8F93000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b8f70000_rundll32.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID:
API String ID: 2574300362-0
Opcode ID: 504d3d5ea27a1ec0ca3ae44b2ac06d5499e97c70d6572123b3758e013bd21691
Instruction ID: 154f2c3a508cefc5e05b4116ca704692a84f4df964a650f44af894f5136a19c6
Opcode Fuzzy Hash: 504d3d5ea27a1ec0ca3ae44b2ac06d5499e97c70d6572123b3758e013bd21691
Instruction Fuzzy Hash: 8D110938E19E4381FA50AB59EC553B923A0BF897C6F880135DB4D477A2EF2CE546C708

Function 00007FF8B8F71AD0 Relevance: 3.0, APIs: 2, Instructions: 18threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateThread.KERNELBASE ref: 00007FF8B8F71AF4
CloseHandle.KERNELBASE(?,?,?,?,?,?,00007FF8B8F78B86), ref: 00007FF8B8F71B02

Memory Dump Source

Source File: 00000007.00000002.3284341055.00007FF8B8F71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B8F70000, based on PE: true

Associated: 00000007.00000002.3284312292.00007FF8B8F70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284363115.00007FF8B8F85000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284379624.00007FF8B8F8F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284396727.00007FF8B8F93000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b8f70000_rundll32.jbxd

Similarity

API ID: CloseCreateHandleThread
String ID:
API String ID: 3032276028-0
Opcode ID: 8cfc052431e2fe914d99a1079fcf1934225668cbea66fe8ac47fcc2c739b686d
Instruction ID: 99fa90b4846c9faa71a63c859da71c4e0f5fe6398e456d3325b98b7f88c6bfcd
Opcode Fuzzy Hash: 8cfc052431e2fe914d99a1079fcf1934225668cbea66fe8ac47fcc2c739b686d
Instruction Fuzzy Hash: 8FE04F35E09B8282FB24CF59A8011A52B60FB88786F904135DB4D02760FF3CD24AC608

Function 00007FF8B8F71300 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8B8F715B0: LoadLibraryW.KERNEL32 ref: 00007FF8B8F715DB
Part of subcall function 00007FF8B8F715B0: GetProcAddress.KERNEL32 ref: 00007FF8B8F71615

SHGetFolderPathW.SHELL32 ref: 00007FF8B8F7132C

Part of subcall function 00007FF8B8F713A0: LoadLibraryW.KERNEL32 ref: 00007FF8B8F713D7
Part of subcall function 00007FF8B8F713A0: GetProcAddress.KERNEL32 ref: 00007FF8B8F7140E
Part of subcall function 00007FF8B8F713A0: GetProcAddress.KERNEL32 ref: 00007FF8B8F71445
Part of subcall function 00007FF8B8F713A0: GetProcAddress.KERNEL32 ref: 00007FF8B8F7147C
Part of subcall function 00007FF8B8F713A0: sprintf_s.LIBCMTD ref: 00007FF8B8F714B3
Part of subcall function 00007FF8B8F713A0: FindFirstFileW.KERNELBASE ref: 00007FF8B8F714CD

Memory Dump Source

Source File: 00000007.00000002.3284341055.00007FF8B8F71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B8F70000, based on PE: true

Associated: 00000007.00000002.3284312292.00007FF8B8F70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284363115.00007FF8B8F85000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284379624.00007FF8B8F8F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284396727.00007FF8B8F93000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b8f70000_rundll32.jbxd

Similarity

API ID: AddressProc$LibraryLoad$FileFindFirstFolderPathsprintf_s
String ID:
API String ID: 2295756454-0
Opcode ID: a93a366b1067c516a2c5388df4c4fc0c196fb9a44ef68532cc3e3670074d5784
Instruction ID: 386350eb8558547e718e9a000638b24d38bb2ca6794d0eb976a53d3ae8677c0b
Opcode Fuzzy Hash: a93a366b1067c516a2c5388df4c4fc0c196fb9a44ef68532cc3e3670074d5784
Instruction Fuzzy Hash: C3011639D1CD4381FAA06E78A4857B81A609F5A3C3F540431E74EC5B879F2CE1DF4519

Function 00007FF8B8F71C10 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

SleepEx.KERNELBASE ref: 00007FF8B8F71C25

Memory Dump Source

Source File: 00000007.00000002.3284341055.00007FF8B8F71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B8F70000, based on PE: true

Associated: 00000007.00000002.3284312292.00007FF8B8F70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284363115.00007FF8B8F85000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284379624.00007FF8B8F8F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284396727.00007FF8B8F93000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b8f70000_rundll32.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 354914485c76ce71eee5e368870040763071e6f1620a4b606cf0e1d3c0a82ec0
Instruction ID: 251f6b985fdd83e0768b098e524a4cb8f51b03ab69dd68d72f4390c381ee9db8
Opcode Fuzzy Hash: 354914485c76ce71eee5e368870040763071e6f1620a4b606cf0e1d3c0a82ec0
Instruction Fuzzy Hash: 03D09239D0A64BC7F7941B49EC9876426A1AB953A6F904034C209013E08F3C68DACA4D

Non-executed Functions

Function 00007FF8B8F73F30 Relevance: 33.6, APIs: 18, Strings: 1, Instructions: 311pipesleepprocessCOMMON

Download Yara Rule

APIs

CreatePipe.KERNEL32 ref: 00007FF8B8F73F90
SetHandleInformation.KERNEL32 ref: 00007FF8B8F73FB2

Part of subcall function 00007FF8B8F725B0: MultiByteToWideChar.KERNEL32 ref: 00007FF8B8F725DB
Part of subcall function 00007FF8B8F725B0: MultiByteToWideChar.KERNEL32 ref: 00007FF8B8F72614

sprintf_s.LIBCMTD ref: 00007FF8B8F7406B
GetCurrentDirectoryW.KERNEL32 ref: 00007FF8B8F74084
CreateProcessW.KERNEL32 ref: 00007FF8B8F740C9
WaitForSingleObject.KERNEL32 ref: 00007FF8B8F740E1
GetModuleHandleW.KERNEL32 ref: 00007FF8B8F740FB
PeekNamedPipe.KERNEL32 ref: 00007FF8B8F7411D
GetModuleHandleW.KERNEL32 ref: 00007FF8B8F7413E
Sleep.KERNEL32 ref: 00007FF8B8F7414E
PeekNamedPipe.KERNEL32 ref: 00007FF8B8F74172
GetCurrentDirectoryW.KERNEL32 ref: 00007FF8B8F74198
ReadFile.KERNEL32 ref: 00007FF8B8F742A0
TerminateProcess.KERNEL32 ref: 00007FF8B8F743CB
CloseHandle.KERNEL32 ref: 00007FF8B8F743D6
CloseHandle.KERNEL32 ref: 00007FF8B8F743E1
CloseHandle.KERNEL32 ref: 00007FF8B8F74418
CloseHandle.KERNEL32 ref: 00007FF8B8F74423

Strings

2, xrefs: 00007FF8B8F74144

Memory Dump Source

Source File: 00000007.00000002.3284341055.00007FF8B8F71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B8F70000, based on PE: true

Associated: 00000007.00000002.3284312292.00007FF8B8F70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284363115.00007FF8B8F85000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284379624.00007FF8B8F8F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284396727.00007FF8B8F93000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b8f70000_rundll32.jbxd

Similarity

API ID: Handle$Close$Pipe$ByteCharCreateCurrentDirectoryModuleMultiNamedPeekProcessWide$FileInformationObjectReadSingleSleepTerminateWaitsprintf_s
String ID: 2
API String ID: 1694488271-450215437
Opcode ID: e87bfe1548895a9d50faafd88cc5e5d73a3d6ee48cea4d89d1ba2c65281779bf
Instruction ID: f430dc10ef01cf7b7c3b0d4fa6621abf3305f541fb42c6e3b4cf6f0e2a3a46fc
Opcode Fuzzy Hash: e87bfe1548895a9d50faafd88cc5e5d73a3d6ee48cea4d89d1ba2c65281779bf
Instruction Fuzzy Hash: 39E1B236A08B8286FB50DF69E8406AA7BA0FB98BC5F444134DB4D47B95EF3CD106CB44

Function 00007FF8B8F768A0 Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 258filelibraryprocessCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 00007FF8B8F768E5
GetProcAddress.KERNEL32 ref: 00007FF8B8F7690B
GetTempPathW.KERNEL32 ref: 00007FF8B8F76928
GetTempFileNameW.KERNEL32 ref: 00007FF8B8F76946
DeleteFileW.KERNEL32 ref: 00007FF8B8F76953
GetTempFileNameW.KERNEL32 ref: 00007FF8B8F76990
DeleteFileW.KERNEL32 ref: 00007FF8B8F7699A
GetSystemDirectoryW.KERNEL32 ref: 00007FF8B8F76ABB
sprintf_s.LIBCMTD ref: 00007FF8B8F76AF8
CreateProcessW.KERNEL32 ref: 00007FF8B8F76CA0
CloseHandle.KERNEL32 ref: 00007FF8B8F76CAF
CloseHandle.KERNEL32 ref: 00007FF8B8F76CBA
DeleteFileW.KERNEL32 ref: 00007FF8B8F76CCB

Strings

dat, xrefs: 00007FF8B8F76935, 00007FF8B8F7697F
%ls\%ls "%ls",, xrefs: 00007FF8B8F76AD4
h, xrefs: 00007FF8B8F76BCA

Memory Dump Source

Source File: 00000007.00000002.3284341055.00007FF8B8F71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B8F70000, based on PE: true

Associated: 00000007.00000002.3284312292.00007FF8B8F70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284363115.00007FF8B8F85000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284379624.00007FF8B8F8F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284396727.00007FF8B8F93000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b8f70000_rundll32.jbxd

Similarity

API ID: File$DeleteTemp$CloseHandleName$AddressCreateDirectoryLibraryLoadPathProcProcessSystemsprintf_s
String ID: %ls\%ls "%ls",$dat$h
API String ID: 2143415541-650927715
Opcode ID: 890c3cf6db543d81df0a7e9c452c21097b91a992b2c8271ac5e8d7571d7f0290
Instruction ID: e476a8ccf32b9a0c2ffad4f229dc961d141f21b4355412b50775a805fc23a1d1
Opcode Fuzzy Hash: 890c3cf6db543d81df0a7e9c452c21097b91a992b2c8271ac5e8d7571d7f0290
Instruction Fuzzy Hash: A8C16A76A18A8295EB10DF68D8516B977B0FB84B8AF848136DB0D43795EF3CD14AC344

Function 00007FF8B8F72C40 Relevance: 22.7, APIs: 15, Instructions: 238registrynetworkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32 ref: 00007FF8B8F72C84
gethostname.WS2_32 ref: 00007FF8B8F72C95
gethostbyname.WS2_32 ref: 00007FF8B8F72CA4
GetModuleHandleW.KERNEL32 ref: 00007FF8B8F72CBF
inet_ntoa.WS2_32 ref: 00007FF8B8F72CC7
RegOpenKeyExW.ADVAPI32 ref: 00007FF8B8F72D1B
RegEnumKeyExW.ADVAPI32 ref: 00007FF8B8F72D69
RegOpenKeyExW.ADVAPI32 ref: 00007FF8B8F72D9F
RegQueryValueExW.ADVAPI32 ref: 00007FF8B8F72DD2
RegCloseKey.ADVAPI32 ref: 00007FF8B8F72DE1
RegEnumKeyExW.ADVAPI32 ref: 00007FF8B8F72E18
RegCloseKey.ADVAPI32 ref: 00007FF8B8F72E3E
GlobalMemoryStatusEx.KERNEL32 ref: 00007FF8B8F72E57
WideCharToMultiByte.KERNEL32 ref: 00007FF8B8F72E8E
WideCharToMultiByte.KERNEL32 ref: 00007FF8B8F72ED4

Memory Dump Source

Source File: 00000007.00000002.3284341055.00007FF8B8F71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B8F70000, based on PE: true

Associated: 00000007.00000002.3284312292.00007FF8B8F70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284363115.00007FF8B8F85000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284379624.00007FF8B8F8F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284396727.00007FF8B8F93000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b8f70000_rundll32.jbxd

Similarity

API ID: ByteCharCloseEnumMultiOpenWide$GlobalHandleMemoryModuleQueryStartupStatusValuegethostbynamegethostnameinet_ntoa
String ID:
API String ID: 2767472909-0
Opcode ID: 7cbe3a616c8a3961c0fe7bbccb5f68bfe34a465b70d851c24485fb49a651864c
Instruction ID: 9df8895f0c29a8534eef1ac941decb35fc02e6a637df8998cbbd2fb9ddbda110
Opcode Fuzzy Hash: 7cbe3a616c8a3961c0fe7bbccb5f68bfe34a465b70d851c24485fb49a651864c
Instruction Fuzzy Hash: 7FB19536608B8286E720CF29E8406AEBBA4FB887D5F444135DB9E47B98DF3CD146C704

Function 00007FF8B8F77740 Relevance: 22.6, APIs: 15, Instructions: 101memorycomCOMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32 ref: 00007FF8B8F77759
CoCreateInstance.OLE32 ref: 00007FF8B8F77791
VariantInit.OLEAUT32 ref: 00007FF8B8F777A4
VariantInit.OLEAUT32 ref: 00007FF8B8F777AF
VariantInit.OLEAUT32 ref: 00007FF8B8F777BA
VariantInit.OLEAUT32 ref: 00007FF8B8F777C5
SysAllocString.OLEAUT32 ref: 00007FF8B8F7784C
SysAllocString.OLEAUT32 ref: 00007FF8B8F7786E
SysFreeString.OLEAUT32 ref: 00007FF8B8F7788E
SysFreeString.OLEAUT32 ref: 00007FF8B8F77897
VariantClear.OLEAUT32 ref: 00007FF8B8F778AA
VariantClear.OLEAUT32 ref: 00007FF8B8F778B5
VariantClear.OLEAUT32 ref: 00007FF8B8F778C0
VariantClear.OLEAUT32 ref: 00007FF8B8F778CB
CoUninitialize.OLE32 ref: 00007FF8B8F778DB

Memory Dump Source

Source File: 00000007.00000002.3284341055.00007FF8B8F71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B8F70000, based on PE: true

Associated: 00000007.00000002.3284312292.00007FF8B8F70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284363115.00007FF8B8F85000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284379624.00007FF8B8F8F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284396727.00007FF8B8F93000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b8f70000_rundll32.jbxd

Similarity

API ID: Variant$ClearInitString$AllocFree$CreateInitializeInstanceUninitialize
String ID:
API String ID: 2615526013-0
Opcode ID: a3ed77044e1bac965df96e1fa07373414ce81337b406c852ab00482a6af9236a
Instruction ID: 02edc5a0e0baa79b982aa1e729eefc600e18a54f6efcd5c3fcd4755926d92af2
Opcode Fuzzy Hash: a3ed77044e1bac965df96e1fa07373414ce81337b406c852ab00482a6af9236a
Instruction Fuzzy Hash: D5512C32A18E96C6EB01CF79E8445A96371FB89BCAF504121EB4E52625EF38D18AC704

Function 00007FF8B8F75E70 Relevance: 21.3, APIs: 14, Instructions: 270libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 00007FF8B8F75EA2
GetProcAddress.KERNEL32 ref: 00007FF8B8F75ED9
LoadLibraryW.KERNEL32 ref: 00007FF8B8F75F09
GetProcAddress.KERNEL32 ref: 00007FF8B8F75F40
LoadLibraryW.KERNEL32 ref: 00007FF8B8F75F70
GetProcAddress.KERNEL32 ref: 00007FF8B8F75FA7
GetProcAddress.KERNEL32 ref: 00007FF8B8F75FDE
GetProcAddress.KERNEL32 ref: 00007FF8B8F76015
GetProcAddress.KERNEL32 ref: 00007FF8B8F7604C
GetProcAddress.KERNEL32 ref: 00007FF8B8F76083
GetProcAddress.KERNEL32 ref: 00007FF8B8F760BA
GetProcAddress.KERNEL32 ref: 00007FF8B8F760F1
LoadLibraryW.KERNEL32 ref: 00007FF8B8F76121
GetProcAddress.KERNEL32 ref: 00007FF8B8F76158

Memory Dump Source

Source File: 00000007.00000002.3284341055.00007FF8B8F71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B8F70000, based on PE: true

Associated: 00000007.00000002.3284312292.00007FF8B8F70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284363115.00007FF8B8F85000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284379624.00007FF8B8F8F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284396727.00007FF8B8F93000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b8f70000_rundll32.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID:
API String ID: 2238633743-0
Opcode ID: bb72f0ebc4a4859a88e6630b44dea22cc9f4a18a8d41892b51521cfb05581ff1
Instruction ID: 210e738a05f5865d06c9217709ccf69dccc03417a842436caf9bfe7f72acd8c0
Opcode Fuzzy Hash: bb72f0ebc4a4859a88e6630b44dea22cc9f4a18a8d41892b51521cfb05581ff1
Instruction Fuzzy Hash: A3D10B39A0AE0785FB50EBAAE9545B927A1AF84BD6F440035CB0E47756EF3CE446C348

Function 00007FF8B8F75160 Relevance: 18.3, APIs: 12, Instructions: 307fileCOMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF8B8F75336
ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF8B8F75350
GetFileAttributesW.KERNEL32 ref: 00007FF8B8F75457
DeleteFileW.KERNEL32 ref: 00007FF8B8F75467
GetFileAttributesW.KERNEL32 ref: 00007FF8B8F75474
DeleteFileW.KERNEL32 ref: 00007FF8B8F75486
GetFileAttributesW.KERNEL32 ref: 00007FF8B8F75598
DeleteFileW.KERNEL32 ref: 00007FF8B8F755A8
GetFileAttributesW.KERNEL32 ref: 00007FF8B8F755B5
DeleteFileW.KERNEL32 ref: 00007FF8B8F755C7
RemoveDirectoryW.KERNEL32 ref: 00007FF8B8F755D4
RemoveDirectoryW.KERNEL32 ref: 00007FF8B8F755E1

Memory Dump Source

Source File: 00000007.00000002.3284341055.00007FF8B8F71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B8F70000, based on PE: true

Associated: 00000007.00000002.3284312292.00007FF8B8F70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284363115.00007FF8B8F85000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284379624.00007FF8B8F8F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284396727.00007FF8B8F93000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b8f70000_rundll32.jbxd

Similarity

API ID: File$AttributesDelete$DirectoryEnvironmentExpandRemoveStrings
String ID:
API String ID: 4255994873-0
Opcode ID: e546ce504db48212e5272dbf9f723b57ca87e23394bff795ec25ce4fdcdf01af
Instruction ID: 15d9fb48b400d1ade76ad7fb5511b336046f3c8e38192025e661308e3b402202
Opcode Fuzzy Hash: e546ce504db48212e5272dbf9f723b57ca87e23394bff795ec25ce4fdcdf01af
Instruction Fuzzy Hash: 7DE16A7A62498285EB60DF28D4512BD7771FB94B8AFD49132DB0E472A0EF38D24BC314

Function 00007FF8B8F73170 Relevance: 13.8, APIs: 9, Instructions: 332registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 00007FF8B8F731C0

Part of subcall function 00007FF8B8F75980: GetProcessHeap.KERNEL32(?,?,?,00007FF8B8F767BF), ref: 00007FF8B8F75989

RegEnumKeyExW.ADVAPI32 ref: 00007FF8B8F73291
RegOpenKeyExW.ADVAPI32 ref: 00007FF8B8F732C2
RegQueryValueExW.ADVAPI32 ref: 00007FF8B8F732FE

Part of subcall function 00007FF8B8F72500: WideCharToMultiByte.KERNEL32 ref: 00007FF8B8F72535
Part of subcall function 00007FF8B8F72500: WideCharToMultiByte.KERNEL32 ref: 00007FF8B8F72578

RegQueryValueExW.ADVAPI32 ref: 00007FF8B8F733EE
RegQueryValueExW.ADVAPI32 ref: 00007FF8B8F734D0
RegCloseKey.ADVAPI32 ref: 00007FF8B8F73595
RegEnumKeyExW.ADVAPI32 ref: 00007FF8B8F735D4
RegCloseKey.ADVAPI32 ref: 00007FF8B8F73653

Memory Dump Source

Source File: 00000007.00000002.3284341055.00007FF8B8F71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B8F70000, based on PE: true

Associated: 00000007.00000002.3284312292.00007FF8B8F70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284363115.00007FF8B8F85000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284379624.00007FF8B8F8F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284396727.00007FF8B8F93000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b8f70000_rundll32.jbxd

Similarity

API ID: QueryValue$ByteCharCloseEnumMultiOpenWide$HeapProcess
String ID:
API String ID: 2740835775-0
Opcode ID: 98a467fc73382708d91b7040036fc7677f3c41c1d5ff63e39634b8246e5bd8f4
Instruction ID: 8336b00e354fb264ca594377b7cadca0c623f0a3b61375c82af38989fdccfb35
Opcode Fuzzy Hash: 98a467fc73382708d91b7040036fc7677f3c41c1d5ff63e39634b8246e5bd8f4
Instruction Fuzzy Hash: 21F18C76A08BC295EB60CF29E4403A9BBA1FB85789F884135CB8D47795EF3DD10AC714

Function 00007FF8B8F75980 Relevance: 1.3, APIs: 1, Instructions: 10memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,00007FF8B8F767BF), ref: 00007FF8B8F75989

Memory Dump Source

Source File: 00000007.00000002.3284341055.00007FF8B8F71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B8F70000, based on PE: true

Associated: 00000007.00000002.3284312292.00007FF8B8F70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284363115.00007FF8B8F85000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284379624.00007FF8B8F8F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284396727.00007FF8B8F93000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b8f70000_rundll32.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: f2239b6c7c65b7681f7147bf219d47c8a1c53c4d007d25a0176d686ccf38a12f
Instruction ID: a89b52882091ccc7674be9833906afcd31301c0f45a22662bb001d119eca5891
Opcode Fuzzy Hash: f2239b6c7c65b7681f7147bf219d47c8a1c53c4d007d25a0176d686ccf38a12f
Instruction Fuzzy Hash: 67C08CA1E25A05C2EB54079268116600250A71CFC2F085030CF0C06302AE2C80C64704

Function 00007FF8B8F71990 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3284341055.00007FF8B8F71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B8F70000, based on PE: true

Associated: 00000007.00000002.3284312292.00007FF8B8F70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284363115.00007FF8B8F85000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284379624.00007FF8B8F8F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284396727.00007FF8B8F93000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b8f70000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ce9d91ef6712de882bb66c4feffc82626b6abde2748bdc3da009eb6c5ce1676
Instruction ID: 23ff725af1575ae553eff0502051686949b978247ae59f646e323fddef1363e3
Opcode Fuzzy Hash: 1ce9d91ef6712de882bb66c4feffc82626b6abde2748bdc3da009eb6c5ce1676
Instruction Fuzzy Hash: 3811653B330916076B4D853D9833DB81292C7D66057C9F73DED4ACA785DA2A441A8305

Function 00007FF8B8F763E0 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 172libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00007FF8B8F76208), ref: 00007FF8B8F76404
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00007FF8B8F76208), ref: 00007FF8B8F7643B
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00007FF8B8F76208), ref: 00007FF8B8F76472
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00007FF8B8F76208), ref: 00007FF8B8F764A9
LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00007FF8B8F76208), ref: 00007FF8B8F764D9
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00007FF8B8F76208), ref: 00007FF8B8F76510
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00007FF8B8F76208), ref: 00007FF8B8F76547
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00007FF8B8F76208), ref: 00007FF8B8F7657E
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00007FF8B8F76208), ref: 00007FF8B8F765B5
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00007FF8B8F76208), ref: 00007FF8B8F765EC

Strings

, xrefs: 00007FF8B8F7667D

Memory Dump Source

Source File: 00000007.00000002.3284341055.00007FF8B8F71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B8F70000, based on PE: true

Associated: 00000007.00000002.3284312292.00007FF8B8F70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284363115.00007FF8B8F85000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284379624.00007FF8B8F8F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284396727.00007FF8B8F93000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b8f70000_rundll32.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID:
API String ID: 2238633743-3916222277
Opcode ID: a37ed814ba2cf336e4cbddf834b1582fd7b3911756c1b499f3e3b000daf6ff87
Instruction ID: ad74d7a48778b79c03e2b27785fa0a212a2385b7f7cdbf85e8bdce3ec17e3554
Opcode Fuzzy Hash: a37ed814ba2cf336e4cbddf834b1582fd7b3911756c1b499f3e3b000daf6ff87
Instruction Fuzzy Hash: 3C81DC35A09E4281FE51EB59EC1457967A1BF89BE2F440039DB4E86B62EF3CE057834C

Function 00007FF8B8F7B0EC Relevance: 18.1, APIs: 12, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,00000000,00007FF8B8F78A17,?,?,?,00007FF8B8F78BDB), ref: 00007FF8B8F7B0FD
free.LIBCMT ref: 00007FF8B8F7B11A

Part of subcall function 00007FF8B8F7BD68: HeapFree.KERNEL32(?,?,00000000,00007FF8B8F79E06,?,?,0000000D,00007FF8B8F79BA1,?,?,?,?,00007FF8B8F7F956,?,?,0000000D), ref: 00007FF8B8F7BD7E
Part of subcall function 00007FF8B8F7BD68: _errno.LIBCMT ref: 00007FF8B8F7BD88
Part of subcall function 00007FF8B8F7BD68: GetLastError.KERNEL32(?,?,00000000,00007FF8B8F79E06,?,?,0000000D,00007FF8B8F79BA1,?,?,?,?,00007FF8B8F7F956,?,?,0000000D), ref: 00007FF8B8F7BD90

free.LIBCMT ref: 00007FF8B8F7B12F
free.LIBCMT ref: 00007FF8B8F7B150
free.LIBCMT ref: 00007FF8B8F7B165
free.LIBCMT ref: 00007FF8B8F7B179
free.LIBCMT ref: 00007FF8B8F7B185
free.LIBCMT ref: 00007FF8B8F7B1B0
EncodePointer.KERNEL32(?,?,00000000,00007FF8B8F78A17,?,?,?,00007FF8B8F78BDB), ref: 00007FF8B8F7B1B8
free.LIBCMT ref: 00007FF8B8F7B1D1
free.LIBCMT ref: 00007FF8B8F7B1EA
free.LIBCMT ref: 00007FF8B8F7B21B

Memory Dump Source

Source File: 00000007.00000002.3284341055.00007FF8B8F71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B8F70000, based on PE: true

Associated: 00000007.00000002.3284312292.00007FF8B8F70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284363115.00007FF8B8F85000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284379624.00007FF8B8F8F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284396727.00007FF8B8F93000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b8f70000_rundll32.jbxd

Similarity

API ID: free$Pointer$DecodeEncodeErrorFreeHeapLast_errno
String ID:
API String ID: 4099253644-0
Opcode ID: d50e3eed459c5a564bc60c06b1be1ee3dad7a8f450d3f2393c249fb5f7f75772
Instruction ID: 4503d5acddc58e6bc9e80e6fb1d148412a098c8f71c2690a4354c7310eeeb1ec
Opcode Fuzzy Hash: d50e3eed459c5a564bc60c06b1be1ee3dad7a8f450d3f2393c249fb5f7f75772
Instruction Fuzzy Hash: B4312A3AE0EE0381FE55AB1DE8543782651AF86BD7F480136DB1D463A6DF6DE442C308

Function 00007FF8B8F7DDF4 Relevance: 16.3, APIs: 13, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

free.LIBCMT ref: 00007FF8B8F7DE12

Part of subcall function 00007FF8B8F7BD68: HeapFree.KERNEL32(?,?,00000000,00007FF8B8F79E06,?,?,0000000D,00007FF8B8F79BA1,?,?,?,?,00007FF8B8F7F956,?,?,0000000D), ref: 00007FF8B8F7BD7E
Part of subcall function 00007FF8B8F7BD68: _errno.LIBCMT ref: 00007FF8B8F7BD88
Part of subcall function 00007FF8B8F7BD68: GetLastError.KERNEL32(?,?,00000000,00007FF8B8F79E06,?,?,0000000D,00007FF8B8F79BA1,?,?,?,?,00007FF8B8F7F956,?,?,0000000D), ref: 00007FF8B8F7BD90

free.LIBCMT ref: 00007FF8B8F7DE24
free.LIBCMT ref: 00007FF8B8F7DE36
free.LIBCMT ref: 00007FF8B8F7DE48
free.LIBCMT ref: 00007FF8B8F7DE5A
free.LIBCMT ref: 00007FF8B8F7DE6C
free.LIBCMT ref: 00007FF8B8F7DE7E
free.LIBCMT ref: 00007FF8B8F7DE90
free.LIBCMT ref: 00007FF8B8F7DEA2
free.LIBCMT ref: 00007FF8B8F7DEB4
free.LIBCMT ref: 00007FF8B8F7DEC9
free.LIBCMT ref: 00007FF8B8F7DEDE
free.LIBCMT ref: 00007FF8B8F7DEF3

Memory Dump Source

Source File: 00000007.00000002.3284341055.00007FF8B8F71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B8F70000, based on PE: true

Associated: 00000007.00000002.3284312292.00007FF8B8F70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284363115.00007FF8B8F85000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284379624.00007FF8B8F8F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284396727.00007FF8B8F93000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b8f70000_rundll32.jbxd

Similarity

API ID: free$ErrorFreeHeapLast_errno
String ID:
API String ID: 1012874770-0
Opcode ID: a8b2a289d4c0a6b6613f778cf812589fef98729b94d43987965d83073c14ea8e
Instruction ID: 31eca4e0ae780ae0f15ca5d4b402b87cbe1f69c3b2ff23325ae3f7e0c4cb8356
Opcode Fuzzy Hash: a8b2a289d4c0a6b6613f778cf812589fef98729b94d43987965d83073c14ea8e
Instruction Fuzzy Hash: 16319B36E09C0291FAA1EB69D8654781761AFD1BC6F840033D70E96795DF6DF882C329

Function 00007FF8B8F77470 Relevance: 15.1, APIs: 10, Instructions: 115libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,?,?,?,00007FF8B8F76E54), ref: 00007FF8B8F774A2
GetProcAddress.KERNEL32(?,?,?,?,00007FF8B8F76E54), ref: 00007FF8B8F774DA
GetProcAddress.KERNEL32(?,?,?,?,00007FF8B8F76E54), ref: 00007FF8B8F77512
GetProcAddress.KERNEL32(?,?,?,?,00007FF8B8F76E54), ref: 00007FF8B8F7754A
LoadLibraryW.KERNEL32(?,?,?,?,00007FF8B8F76E54), ref: 00007FF8B8F7757B
GetProcAddress.KERNEL32(?,?,?,?,00007FF8B8F76E54), ref: 00007FF8B8F775B3
GetProcAddress.KERNEL32(?,?,?,?,00007FF8B8F76E54), ref: 00007FF8B8F775EB
GetProcAddress.KERNEL32(?,?,?,?,00007FF8B8F76E54), ref: 00007FF8B8F77623
LoadLibraryW.KERNEL32(?,?,?,?,00007FF8B8F76E54), ref: 00007FF8B8F77654
GetProcAddress.KERNEL32(?,?,?,?,00007FF8B8F76E54), ref: 00007FF8B8F7768C

Memory Dump Source

Source File: 00000007.00000002.3284341055.00007FF8B8F71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B8F70000, based on PE: true

Associated: 00000007.00000002.3284312292.00007FF8B8F70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284363115.00007FF8B8F85000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284379624.00007FF8B8F8F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284396727.00007FF8B8F93000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b8f70000_rundll32.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID:
API String ID: 2238633743-0
Opcode ID: 0e2ac940d25909e8ea2453ce127a0fa38817dae2df4a139c0689f8913fe7d8ff
Instruction ID: b07e31325a2bdee42e2b46cead6ba03d37e641823f8ebc31b335a1c6e5c32501
Opcode Fuzzy Hash: 0e2ac940d25909e8ea2453ce127a0fa38817dae2df4a139c0689f8913fe7d8ff
Instruction Fuzzy Hash: 71517538D19E03C5FE50EF59EC6577567A0AF89BD6F440039DA4D86362EF3CE0468608

Function 00007FF8B8F74DC0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 00007FF8B8F74DFC
GetProcAddress.KERNEL32 ref: 00007FF8B8F74E22
GetProcAddress.KERNEL32 ref: 00007FF8B8F74E48
LoadLibraryW.KERNEL32 ref: 00007FF8B8F74E6B
GetProcAddress.KERNEL32 ref: 00007FF8B8F74E91
GetModuleFileNameW.KERNEL32 ref: 00007FF8B8F74FAC
sprintf_s.LIBCMTD ref: 00007FF8B8F75016

Strings

"%ls",%ls %ls, xrefs: 00007FF8B8F74FF5

Memory Dump Source

Source File: 00000007.00000002.3284341055.00007FF8B8F71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B8F70000, based on PE: true

Associated: 00000007.00000002.3284312292.00007FF8B8F70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284363115.00007FF8B8F85000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284379624.00007FF8B8F8F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284396727.00007FF8B8F93000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b8f70000_rundll32.jbxd

Similarity

API ID: AddressProc$LibraryLoad$FileModuleNamesprintf_s
String ID: "%ls",%ls %ls
API String ID: 516877753-3684409233
Opcode ID: bfabd3e6904ca4b10914a67c278fe26b76a8ce5c833b3c8ae61e8cc866bba34c
Instruction ID: 21c15f07c3f0c114fd75a548fa753afbb6230b9730bd4c2061371f54bfca3e5c
Opcode Fuzzy Hash: bfabd3e6904ca4b10914a67c278fe26b76a8ce5c833b3c8ae61e8cc866bba34c
Instruction Fuzzy Hash: 8D718179A28A8281FB10DB5AD8555BA67A0FF95BC2F844035DB0E47796EF3CD107C344

Function 00007FF8B8F77900 Relevance: 12.1, APIs: 8, Instructions: 136libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 00007FF8B8F77927
GetProcAddress.KERNEL32 ref: 00007FF8B8F7795E
GetProcAddress.KERNEL32 ref: 00007FF8B8F77995
LoadLibraryW.KERNEL32 ref: 00007FF8B8F779C5
GetProcAddress.KERNEL32 ref: 00007FF8B8F779FC
GetProcAddress.KERNEL32 ref: 00007FF8B8F77A33
GetProcAddress.KERNEL32 ref: 00007FF8B8F77A6A
GetProcAddress.KERNEL32 ref: 00007FF8B8F77AA1

Memory Dump Source

Source File: 00000007.00000002.3284341055.00007FF8B8F71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B8F70000, based on PE: true

Associated: 00000007.00000002.3284312292.00007FF8B8F70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284363115.00007FF8B8F85000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284379624.00007FF8B8F8F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284396727.00007FF8B8F93000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b8f70000_rundll32.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID:
API String ID: 2238633743-0
Opcode ID: 636351352fbaed975c4fb87788d0dfd8245fd8d3ed00a065332eb8d68470195b
Instruction ID: 5752d7b92b0acbbbddfc4a4c76a85dbae47b59334ca69087af3c09b928f6c50f
Opcode Fuzzy Hash: 636351352fbaed975c4fb87788d0dfd8245fd8d3ed00a065332eb8d68470195b
Instruction Fuzzy Hash: 6961B639A19F0282FE40EF5AEC6457967A0AF89BD6F540035DB4D87762EF3CE4468708

Function 00007FF8B8F78DDC Relevance: 12.1, APIs: 8, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

_fileno.LIBCMT ref: 00007FF8B8F78DF9

Part of subcall function 00007FF8B8F7CBCC: _errno.LIBCMT ref: 00007FF8B8F7CBD5
Part of subcall function 00007FF8B8F7CBCC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF8B8F7CBE0

_errno.LIBCMT ref: 00007FF8B8F78E09

Part of subcall function 00007FF8B8F79B98: _getptd_noexit.LIBCMT ref: 00007FF8B8F79B9C

_errno.LIBCMT ref: 00007FF8B8F78E25
_isatty.LIBCMT ref: 00007FF8B8F78E86
_getbuf.LIBCMT ref: 00007FF8B8F78E92
_write.LIBCMT ref: 00007FF8B8F78EC5
_lseeki64.LIBCMT ref: 00007FF8B8F78F14
_write.LIBCMT ref: 00007FF8B8F78F3E

Memory Dump Source

Source File: 00000007.00000002.3284341055.00007FF8B8F71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B8F70000, based on PE: true

Associated: 00000007.00000002.3284312292.00007FF8B8F70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284363115.00007FF8B8F85000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284379624.00007FF8B8F8F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284396727.00007FF8B8F93000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b8f70000_rundll32.jbxd

Similarity

API ID: _errno$_write$_fileno_getbuf_getptd_noexit_invalid_parameter_noinfo_isatty_lseeki64
String ID:
API String ID: 2111832858-0
Opcode ID: 7cce346b07e141824153703f7002546526c968b2cadd93361a8cb30d444bcdf2
Instruction ID: 0e4cc85a07d30aedbac97b9cf837bb5fb357330b1471ecbd853840582fe120c7
Opcode Fuzzy Hash: 7cce346b07e141824153703f7002546526c968b2cadd93361a8cb30d444bcdf2
Instruction Fuzzy Hash: 0C41BB76A28A428AFB659F2CD4412BC3AA1EB44BD5F140235DB5D473C6DF3CE852C748

Function 00007FF8B8F77FEC Relevance: 10.6, APIs: 7, Instructions: 122COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF8B8F78017
_errno.LIBCMT ref: 00007FF8B8F7800C

Part of subcall function 00007FF8B8F79B98: _getptd_noexit.LIBCMT ref: 00007FF8B8F79B9C

_errno.LIBCMT ref: 00007FF8B8F780BA
_invalid_parameter_noinfo.LIBCMT ref: 00007FF8B8F780C5

Memory Dump Source

Source File: 00000007.00000002.3284341055.00007FF8B8F71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B8F70000, based on PE: true

Associated: 00000007.00000002.3284312292.00007FF8B8F70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284363115.00007FF8B8F85000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284379624.00007FF8B8F8F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284396727.00007FF8B8F93000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b8f70000_rundll32.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo$_getptd_noexit
String ID:
API String ID: 1573762532-0
Opcode ID: 6674f68310a896f2c3fef97c531cc157da707083ba8e2f1388e7ea58d2d12ecc
Instruction ID: c5b7d84f08d38515e5b06a9b9733c59f425d635fe62066ed85d5a096611a4024
Opcode Fuzzy Hash: 6674f68310a896f2c3fef97c531cc157da707083ba8e2f1388e7ea58d2d12ecc
Instruction Fuzzy Hash: 6341277AE38A9285FFA1AB1995401BA6AA0EF107D6F884131DB9C137C5DF3CE552830C

Function 00007FF8B8F716C0 Relevance: 10.6, APIs: 7, Instructions: 85registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 00007FF8B8F71701
RegEnumKeyExW.ADVAPI32 ref: 00007FF8B8F71767
RegOpenKeyExW.ADVAPI32 ref: 00007FF8B8F717A3
RegQueryValueExW.ADVAPI32 ref: 00007FF8B8F717C8
RegCloseKey.ADVAPI32 ref: 00007FF8B8F717DC
RegEnumKeyExW.ADVAPI32 ref: 00007FF8B8F7181A
RegCloseKey.ADVAPI32 ref: 00007FF8B8F71838

Memory Dump Source

Source File: 00000007.00000002.3284341055.00007FF8B8F71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B8F70000, based on PE: true

Associated: 00000007.00000002.3284312292.00007FF8B8F70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284363115.00007FF8B8F85000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284379624.00007FF8B8F8F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284396727.00007FF8B8F93000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b8f70000_rundll32.jbxd

Similarity

API ID: CloseEnumOpen$QueryValue
String ID:
API String ID: 2548805652-0
Opcode ID: 5d7b43181d3d4d73633ebb36b72b8cfe0eee21ba08ea4b38994a31654aafabc1
Instruction ID: a68d14cd840377a37e7696babe571e1fd13420ec1a0527572a1bc27ea5a5424f
Opcode Fuzzy Hash: 5d7b43181d3d4d73633ebb36b72b8cfe0eee21ba08ea4b38994a31654aafabc1
Instruction Fuzzy Hash: 58415336618AC282EB708F15F8847AA77A4FB88795F400135DACD53B58DF3CD14A9708

Function 00007FF8B8F80674 Relevance: 10.5, APIs: 7, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 00007FF8B8F80689

Part of subcall function 00007FF8B8F79B98: _getptd_noexit.LIBCMT ref: 00007FF8B8F79B9C

_invalid_parameter_noinfo.LIBCMT ref: 00007FF8B8F80694
_flush.LIBCMT ref: 00007FF8B8F806A3
_freebuf.LIBCMT ref: 00007FF8B8F806AD
_fileno.LIBCMT ref: 00007FF8B8F806B5
_close.LIBCMT ref: 00007FF8B8F806BC

Memory Dump Source

Source File: 00000007.00000002.3284341055.00007FF8B8F71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B8F70000, based on PE: true

Associated: 00000007.00000002.3284312292.00007FF8B8F70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284363115.00007FF8B8F85000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284379624.00007FF8B8F8F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284396727.00007FF8B8F93000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b8f70000_rundll32.jbxd

Similarity

API ID: _close_errno_fileno_flush_freebuf_getptd_noexit_invalid_parameter_noinfo
String ID:
API String ID: 2366826396-0
Opcode ID: 89fb5cea9b6ee5bb09bbb3bb6aa743988ab54a6a14af7b79b44bd93ebf78b2e4
Instruction ID: 496803ba0e060e20b602ea40e140e2e473d58d692b576a1c5a6c7487d7d4d735
Opcode Fuzzy Hash: 89fb5cea9b6ee5bb09bbb3bb6aa743988ab54a6a14af7b79b44bd93ebf78b2e4
Instruction Fuzzy Hash: A601A236E09A4381FB24AA7D845577C16509FD47EAFA80230EB2D463D3EF3CD8428208

Function 00007FF8B8F75670 Relevance: 9.2, APIs: 6, Instructions: 177sleepsynchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNEL32 ref: 00007FF8B8F756A5
Sleep.KERNEL32 ref: 00007FF8B8F756B8
CloseHandle.KERNEL32 ref: 00007FF8B8F756C1
Sleep.KERNEL32 ref: 00007FF8B8F7570F
GetTickCount.KERNEL32 ref: 00007FF8B8F75715
rand.LIBCMT ref: 00007FF8B8F75722

Memory Dump Source

Source File: 00000007.00000002.3284341055.00007FF8B8F71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B8F70000, based on PE: true

Associated: 00000007.00000002.3284312292.00007FF8B8F70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284363115.00007FF8B8F85000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284379624.00007FF8B8F8F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284396727.00007FF8B8F93000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b8f70000_rundll32.jbxd

Similarity

API ID: Sleep$CloseCountCreateHandleMutexTickrand
String ID:
API String ID: 2360725408-0
Opcode ID: a32011b2d91c7620bf13179f0503f160f340ac96adcb2a6ebed98f9122dbb530
Instruction ID: 6083daa78fb4d93feddb9ffd591bdbe94b4391c9dbb2c3c59ce168215cd9f388
Opcode Fuzzy Hash: a32011b2d91c7620bf13179f0503f160f340ac96adcb2a6ebed98f9122dbb530
Instruction Fuzzy Hash: 4B717D7AA28A82C1EB14DB59D4551BAA7A1FF88BC2F848135DB5E43395EF3CE507C304

Function 00007FF8B8F722D0 Relevance: 9.1, APIs: 6, Instructions: 71libraryloaderfileCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 00007FF8B8F722F9
GetProcAddress.KERNEL32 ref: 00007FF8B8F7231F
GetProcAddress.KERNEL32 ref: 00007FF8B8F72345
GetProcAddress.KERNEL32 ref: 00007FF8B8F7236B
GetModuleFileNameW.KERNEL32 ref: 00007FF8B8F72396
DeleteFileW.KERNEL32 ref: 00007FF8B8F723D6

Memory Dump Source

Source File: 00000007.00000002.3284341055.00007FF8B8F71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B8F70000, based on PE: true

Associated: 00000007.00000002.3284312292.00007FF8B8F70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284363115.00007FF8B8F85000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284379624.00007FF8B8F8F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284396727.00007FF8B8F93000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b8f70000_rundll32.jbxd

Similarity

API ID: AddressProc$File$DeleteLibraryLoadModuleName
String ID:
API String ID: 3615269725-0
Opcode ID: e4ac4f7ceeb8d0e53d313407caf9963976f0c950728a3915b3837e31b5afdf68
Instruction ID: ddcf99b2a31e2bcddea997c20ceb090a33b1f7e64510420172021da02474d26d
Opcode Fuzzy Hash: e4ac4f7ceeb8d0e53d313407caf9963976f0c950728a3915b3837e31b5afdf68
Instruction Fuzzy Hash: 6F313C35A18A4796FE10EB9AE8585A967A0BF88BC6F880035DF4E47756FF3CD106C704

Function 00007FF8B8F7DA54 Relevance: 7.6, APIs: 5, Instructions: 93COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00007FF8B8F7DAB6
_isleadbyte_l.LIBCMT ref: 00007FF8B8F7DAE6
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF8B8F7970E), ref: 00007FF8B8F7DB25
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF8B8F7970E), ref: 00007FF8B8F7DB73
_errno.LIBCMT ref: 00007FF8B8F7DB7D

Memory Dump Source

Source File: 00000007.00000002.3284341055.00007FF8B8F71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B8F70000, based on PE: true

Associated: 00000007.00000002.3284312292.00007FF8B8F70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284363115.00007FF8B8F85000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284379624.00007FF8B8F8F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284396727.00007FF8B8F93000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b8f70000_rundll32.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::__errno_isleadbyte_l
String ID:
API String ID: 2998201375-0
Opcode ID: c1980f434cffeb90a237ddd52e95a6ef554b239d004aac1eacc3ead14d471610
Instruction ID: 858eea3b9d75dfaf4fd3f9d4e82263ffc8330b569e0c4b389f5b4f9ed8608b95
Opcode Fuzzy Hash: c1980f434cffeb90a237ddd52e95a6ef554b239d004aac1eacc3ead14d471610
Instruction Fuzzy Hash: 8F41D23560AB8286FB609F1D9580139BFA0FB84BD5F584131EB8C47B99DF3CD8428708

Function 00007FF8B8F73A90 Relevance: 7.6, APIs: 5, Instructions: 81fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8B8F725B0: MultiByteToWideChar.KERNEL32 ref: 00007FF8B8F725DB
Part of subcall function 00007FF8B8F725B0: MultiByteToWideChar.KERNEL32 ref: 00007FF8B8F72614

CreateFileW.KERNEL32 ref: 00007FF8B8F73AF2
SetFilePointer.KERNEL32 ref: 00007FF8B8F73B16
CloseHandle.KERNEL32 ref: 00007FF8B8F73B91

Part of subcall function 00007FF8B8F75980: GetProcessHeap.KERNEL32(?,?,?,00007FF8B8F767BF), ref: 00007FF8B8F75989

SetFilePointer.KERNEL32 ref: 00007FF8B8F73B44
ReadFile.KERNEL32 ref: 00007FF8B8F73B60

Memory Dump Source

Source File: 00000007.00000002.3284341055.00007FF8B8F71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B8F70000, based on PE: true

Associated: 00000007.00000002.3284312292.00007FF8B8F70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284363115.00007FF8B8F85000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284379624.00007FF8B8F8F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284396727.00007FF8B8F93000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b8f70000_rundll32.jbxd

Similarity

API ID: File$ByteCharMultiPointerWide$CloseCreateHandleHeapProcessRead
String ID:
API String ID: 1454824168-0
Opcode ID: 9127eb5242bd00c39a66bc88e3e9a5e1c0456f001042777db982966ee6a4143f
Instruction ID: 62225d1dffe55db03cbd5376ae8f5e66bc4605eed7c5c6fa7b977a8c9ce95103
Opcode Fuzzy Hash: 9127eb5242bd00c39a66bc88e3e9a5e1c0456f001042777db982966ee6a4143f
Instruction Fuzzy Hash: F731B335B09A5286FB509B2E641066A76E0FF89BE1F584134DF9D07B95DF3CE4038B48

Function 00007FF8B8F72BA0 Relevance: 7.5, APIs: 5, Instructions: 39networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32 ref: 00007FF8B8F72BB6
gethostname.WS2_32 ref: 00007FF8B8F72BC8
gethostbyname.WS2_32 ref: 00007FF8B8F72BD8
GetModuleHandleW.KERNEL32 ref: 00007FF8B8F72BFB
inet_ntoa.WS2_32 ref: 00007FF8B8F72C03

Memory Dump Source

Source File: 00000007.00000002.3284341055.00007FF8B8F71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B8F70000, based on PE: true

Associated: 00000007.00000002.3284312292.00007FF8B8F70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284363115.00007FF8B8F85000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284379624.00007FF8B8F8F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284396727.00007FF8B8F93000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b8f70000_rundll32.jbxd

Similarity

API ID: HandleModuleStartupgethostbynamegethostnameinet_ntoa
String ID:
API String ID: 3950597033-0
Opcode ID: 820f33a72edd462d6bbf95b7c83a6fc285ab115bf962e10fae1457ffdc9254b3
Instruction ID: 2ea7ba65745e3bf15ae6ab7dc0203f9954b2a4d00c18f9063c5fdd23891a62e5
Opcode Fuzzy Hash: 820f33a72edd462d6bbf95b7c83a6fc285ab115bf962e10fae1457ffdc9254b3
Instruction Fuzzy Hash: A8115236608B86C3EB119B28E45477977A1FBA8B91F844535C74E43395EF7CD449C704

Function 00007FF8B8F73850 Relevance: 6.1, APIs: 4, Instructions: 61fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8B8F725B0: MultiByteToWideChar.KERNEL32 ref: 00007FF8B8F725DB
Part of subcall function 00007FF8B8F725B0: MultiByteToWideChar.KERNEL32 ref: 00007FF8B8F72614

CreateFileW.KERNEL32 ref: 00007FF8B8F738B8
SetFilePointer.KERNEL32 ref: 00007FF8B8F738D2
WriteFile.KERNEL32 ref: 00007FF8B8F738EB
CloseHandle.KERNEL32 ref: 00007FF8B8F73905

Memory Dump Source

Source File: 00000007.00000002.3284341055.00007FF8B8F71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B8F70000, based on PE: true

Associated: 00000007.00000002.3284312292.00007FF8B8F70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284363115.00007FF8B8F85000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284379624.00007FF8B8F8F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284396727.00007FF8B8F93000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b8f70000_rundll32.jbxd

Similarity

API ID: File$ByteCharMultiWide$CloseCreateHandlePointerWrite
String ID:
API String ID: 2756471129-0
Opcode ID: f5b2faa1c37121d0e5f7e7200a0f1060b628cf56e41c66983ebccc7b6ed44552
Instruction ID: a23dc486d006458ca293356a515af17261438eec021753942c9bbb0841b4ab0c
Opcode Fuzzy Hash: f5b2faa1c37121d0e5f7e7200a0f1060b628cf56e41c66983ebccc7b6ed44552
Instruction Fuzzy Hash: 3611EB35708B4286FB509F2A745572A6AA1FB89BD1F480234EF9E03B95DF3CD4438B44

Function 00007FF8B8F76D90 Relevance: 6.0, APIs: 4, Instructions: 43fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 00007FF8B8F76DCC
SetFilePointer.KERNEL32 ref: 00007FF8B8F76DE6
WriteFile.KERNEL32 ref: 00007FF8B8F76E04
CloseHandle.KERNEL32 ref: 00007FF8B8F76E17

Memory Dump Source

Source File: 00000007.00000002.3284341055.00007FF8B8F71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B8F70000, based on PE: true

Associated: 00000007.00000002.3284312292.00007FF8B8F70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284363115.00007FF8B8F85000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284379624.00007FF8B8F8F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3284396727.00007FF8B8F93000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b8f70000_rundll32.jbxd

Similarity

API ID: File$CloseCreateHandlePointerWrite
String ID:
API String ID: 3604237281-0
Opcode ID: b8dd40a9ccc700a02c156772fcb841ebd7cc93f99e9ee328cf72f3f13bff9a5c
Instruction ID: c2d05301c75ca5de116595c5483fddce2f07c6baa6ff6962811d999862386092
Opcode Fuzzy Hash: b8dd40a9ccc700a02c156772fcb841ebd7cc93f99e9ee328cf72f3f13bff9a5c
Instruction Fuzzy Hash: 90018231708B51C3E7108B69B85461AB691FB88BE4F544234EBAD43F98DF3CD4558B44

Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49705 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49713 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49707 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49706 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49704 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49711 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49708 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49715 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49716 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49712 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49718 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49710 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49709 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49726 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49721 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49739 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49745 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49761 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49733 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49756 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49751 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49790 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49785 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49771 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49779 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49830 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49834 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49810 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49795 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49766 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49825 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49800 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49815 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49724 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49844 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49863 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49868 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49714 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49851 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49874 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49838 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49884 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49805 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49909 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49879 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49899 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49913 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49857 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49889 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49820 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49926 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49923 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49905 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49932 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49944 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49929 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49935 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49960 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49947 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49941 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49956 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49976 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49972 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49980 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49951 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49984 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49968 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49988 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49964 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:50015 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:50022 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:50039 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:50034 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49993 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:50056 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:50065 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:50063 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49894 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:50073 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:50080 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:50071 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:50083 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:50028 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:50084 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:50062 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:50069 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:50085 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:50088 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:50070 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:50081 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:50068 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:50091 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:50095 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:50077 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:50090 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:50060 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:50067 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:50044 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:50092 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:50064 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:50087 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49998 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:50082 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:50066 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:50096 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:50072 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:50086 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:50074 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49919 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:50049 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49938 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:50076 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:50003 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:50008 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:50075 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:50078 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:50061 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:50089 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:50079 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:50093 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:50094 -> 185.161.251.26:443

Source: unknown	TCP traffic detected without corresponding DNS query: 185.161.251.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.161.251.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.161.251.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.161.251.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.161.251.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.161.251.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.161.251.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.161.251.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.161.251.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.161.251.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.161.251.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.161.251.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.161.251.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.161.251.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.161.251.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.161.251.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.161.251.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.161.251.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.161.251.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.161.251.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.161.251.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.161.251.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.161.251.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.161.251.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.161.251.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.161.251.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.161.251.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.161.251.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.161.251.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.161.251.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.161.251.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.161.251.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.161.251.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.161.251.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.161.251.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.161.251.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.161.251.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.161.251.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.161.251.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.161.251.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.161.251.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.161.251.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.161.251.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.161.251.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.161.251.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.161.251.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.161.251.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.161.251.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.161.251.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.161.251.26

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. The Regsvr32.exe binary may also be signed by Microsoft.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Module: Module Load, Network Traffic: Network Connection Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Updater.dll.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Solid Digital\Updater.dll

C:\ProgramData\Solid Digital\Updater.dll:Zone.Identifier

C:\ProgramData\SynergyTop\Updater.dll

C:\ProgramData\SynergyTop\Updater.dll:Zone.Identifier

C:\ProgramData\TECLA\Updater.dll

C:\ProgramData\TECLA\Updater.dll:Zone.Identifier

C:\ProgramData\Table XI\Updater.dll

C:\ProgramData\Table XI\Updater.dll:Zone.Identifier

C:\Windows\Tasks\Solid Digital.job

C:\Windows\Tasks\SynergyTop.job

C:\Windows\Tasks\TECLA.job

C:\Windows\Tasks\Table XI.job

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Windows Analysis Report
Updater.dll.dll

Function 00007FF8B8F71C40 Relevance: 47.6, APIs: 26, Strings: 1, Instructions: 320
networklibraryloaderCOMMON

Function 00007FF8B8F745E0 Relevance: 19.7, APIs: 13, Instructions: 228
COMMON

Function 00007FF8B8F75A20 Relevance: 16.7, APIs: 11, Instructions: 178
libraryloaderCOMMON

Function 00007FF8B8F713A0 Relevance: 12.1, APIs: 8, Instructions: 120
libraryloaderfileCOMMON

Function 00007FF8B8F77BB0 Relevance: 10.6, APIs: 7, Instructions: 90
libraryloaderCOMMON

Function 00007FF8B8F74B50 Relevance: 7.7, APIs: 5, Instructions: 156
COMMON

Function 00007FF8B8F74A6D Relevance: 7.6, APIs: 5, Instructions: 145
COMMON