Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Nov. 5, 2021, 9:05 a.m.	Nov. 5, 2021, 9:18 a.m.

Size	403.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`7c53b803484c308fa9e64a81afba9608`
SHA256	`a0914ae7b12a78738b47a8c48b844db99ceb902b835274500eb07101cce540f0`
CRC32	`926C475F`
ssdeep	`6144:fkP3bQ/UCg7m1ugaSIv1pE0EAPMrGWsWDWidF0HQszCZ2Ftppb9Y81+k7pq7FLfM:f23k/b1ugajS2zt`
Yara	Malicious_Packer_Zero - Malicious Packer PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check IsPE32 - (no description) Malicious_Library_Zero - Malicious_Library UPX_Zero - UPX packed file Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT

Cube_WW14.bmp "C:\Users\test22\AppData\Local\Temp\Cube_WW14.bmp"
2328
- jm9WZqU48OXjZDKC5i0a7tT4.exe "C:\Users\test22\Pictures\Adobe Films\jm9WZqU48OXjZDKC5i0a7tT4.exe"
  2492
- MN92omWtlXm59ZZLlrxY1Nfj.exe "C:\Users\test22\Pictures\Adobe Films\MN92omWtlXm59ZZLlrxY1Nfj.exe"
  2572
- uUg6Uopi0cC3fPYtgUana1B9.exe "C:\Users\test22\Pictures\Adobe Films\uUg6Uopi0cC3fPYtgUana1B9.exe"
  2620
  - uUg6Uopi0cC3fPYtgUana1B9.exe "C:\Users\test22\Pictures\Adobe Films\uUg6Uopi0cC3fPYtgUana1B9.exe" -u
    2700
- NjPCD84QAGvJgwTSdwlcfFXM.exe "C:\Users\test22\Pictures\Adobe Films\NjPCD84QAGvJgwTSdwlcfFXM.exe"
  2840
- koJ0QS7kzMBOVLlshkrNuyJs.exe "C:\Users\test22\Pictures\Adobe Films\koJ0QS7kzMBOVLlshkrNuyJs.exe"
  2896
- qNCY_EOBar1MnuVc9oiDPLRw.exe "C:\Users\test22\Pictures\Adobe Films\qNCY_EOBar1MnuVc9oiDPLRw.exe"
  3028
  - qNCY_EOBar1MnuVc9oiDPLRw.tmp "C:\Users\test22\AppData\Local\Temp\is-8LAQS.tmp\qNCY_EOBar1MnuVc9oiDPLRw.tmp" /SL5="$A0026,506127,422400,C:\Users\test22\Pictures\Adobe Films\qNCY_EOBar1MnuVc9oiDPLRw.exe"
    1584
    - DYbALA.exe "C:\Users\test22\AppData\Local\Temp\is-IOJ5E.tmp\DYbALA.exe" /S /UID=2709
      2200
      - Rufaecolufo.exe "C:\Users\test22\AppData\Local\Temp\32-a9548-5f9-374be-9d560cdb36c56\Rufaecolufo.exe"
        2488
      - Roshovubysae.exe "C:\Users\test22\AppData\Local\Temp\6e-0db4f-5d3-56daa-9764bf68c6570\Roshovubysae.exe"
        2548
      - foldershare.exe "C:\Program Files\7-Zip\MKTPOZJMHE\foldershare.exe" /VERYSILENT
        1060
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
requestimedout.com	A 162.255.117.78	162.255.117.78
iplogger.org	A 88.99.66.31	88.99.66.31
dataonestorage.com	A 45.142.182.152	45.142.182.152
apps.identrust.com	A 23.76.153.211 CNAME a1952.dscq.akamai.net CNAME identrust.edgesuite.net A 23.76.153.107 A 182.162.106.42 A 182.162.106.26	23.216.159.9
f.gogamef.com	A 172.67.136.94 A 104.21.72.228	104.21.72.228
www.hzradiant.com	A 194.163.158.120	194.163.158.120
ipinfo.io	A 34.117.59.81	34.117.59.81
eguntong.com	A 194.87.185.127	194.87.185.127
connectini.net	A 162.0.210.44	162.0.210.44
el5en1977834657.s3.ap-south-1.amazonaws.com	A 52.219.158.38 CNAME s3-r-w.ap-south-1.amazonaws.com	52.219.66.51
t.gogamec.com	A 104.21.85.99 A 172.67.204.112	172.67.204.112
ip-api.com	A 208.95.112.1	208.95.112.1
staticimg.youtuuee.com	A 45.136.151.102	45.136.151.102
fouratlinks.com	A 199.192.17.247	199.192.17.247
imgs.googlwaa.com	A 45.136.113.13	45.136.113.13
d.gogamed.com	A 172.67.185.110 A 104.21.59.236	104.21.59.236
cdn.discordapp.com	A 162.159.135.233 A 162.159.134.233 A 162.159.129.233 A 162.159.130.233 A 162.159.133.233	162.159.134.233
iplis.ru	A 88.99.66.31	88.99.66.31

IP Address	Status	Action
104.21.85.99	Active	Moloch
162.0.210.44	Active	Moloch
162.159.130.233	Active	Moloch
162.255.117.78	Active	Moloch
164.124.101.2	Active	Moloch
172.67.136.94	Active	Moloch
172.67.185.110	Active	Moloch
172.67.204.112	Active	Moloch
182.162.106.42	Active	Moloch
194.163.158.120	Active	Moloch
194.87.185.127	Active	Moloch
199.192.17.247	Active	Moloch
208.95.112.1	Active	Moloch
212.192.241.15	Active	Moloch
23.76.153.107	Active	Moloch
34.117.59.81	Active	Moloch
45.133.1.107	Active	Moloch
45.136.113.13	Active	Moloch
45.136.151.102	Active	Moloch
45.142.182.152	Active	Moloch
52.219.158.38	Active	Moloch
88.99.66.31	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49164 -> 162.159.130.233:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49164 -> 162.159.130.233:80	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 162.159.130.233:80 -> 192.168.56.103:49166	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49168 -> 162.159.130.233:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49165 -> 162.159.130.233:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49165 -> 162.159.130.233:80	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49170 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49170 -> 34.117.59.81:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 34.117.59.81:443 -> 192.168.56.103:49170	2025330	ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49179 -> 162.159.130.233:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49162 -> 212.192.241.15:80	2034192	ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin	A Network Trojan was detected
TCP 192.168.56.103:49184 -> 172.67.185.110:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49184 -> 172.67.185.110:80	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49187 -> 172.67.185.110:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49162 -> 212.192.241.15:80	2034192	ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin	A Network Trojan was detected
TCP 192.168.56.103:49174 -> 162.159.130.233:80	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 162.159.130.233:80 -> 192.168.56.103:49174	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49178 -> 162.159.130.233:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49178 -> 162.159.130.233:80	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 45.133.1.107:80 -> 192.168.56.103:49171	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 45.133.1.107:80 -> 192.168.56.103:49171	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 172.67.185.110:80 -> 192.168.56.103:49185	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 194.87.185.127:80 -> 192.168.56.103:49193	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 192.168.56.103:49195 -> 45.142.182.152:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49190 -> 172.67.136.94:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49192 -> 45.142.182.152:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49183 -> 162.159.130.233:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49176 -> 172.67.185.110:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49176 -> 172.67.185.110:80	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49173 -> 212.192.241.15:80	2034192	ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin	A Network Trojan was detected
TCP 45.136.113.13:80 -> 192.168.56.103:49177	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 192.168.56.103:49198 -> 172.67.204.112:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 45.142.182.152:443 -> 192.168.56.103:49197	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49202 -> 208.95.112.1:80	2022082	ET POLICY External IP Lookup ip-api.com	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49210 -> 172.67.204.112:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49205 -> 172.67.204.112:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49204 -> 45.142.182.152:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49220 -> 172.67.204.112:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49216 -> 172.67.204.112:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49221 -> 172.67.204.112:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49218 -> 172.67.204.112:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49225 -> 172.67.204.112:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49212 -> 172.67.204.112:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49244 -> 172.67.204.112:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49224 -> 172.67.204.112:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49247 -> 172.67.204.112:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49230 -> 172.67.204.112:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49251 -> 172.67.204.112:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49237 -> 172.67.204.112:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49254 -> 172.67.204.112:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49258 -> 172.67.204.112:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49213 -> 172.67.204.112:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49262 -> 172.67.204.112:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49223 -> 172.67.204.112:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49214 -> 172.67.204.112:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49180 -> 52.219.158.38:80	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49229 -> 172.67.204.112:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49267 -> 172.67.204.112:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49234 -> 172.67.204.112:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49252 -> 172.67.204.112:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49268 -> 172.67.204.112:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49235 -> 172.67.204.112:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49261 -> 172.67.204.112:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49236 -> 172.67.204.112:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49274 -> 172.67.204.112:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49238 -> 172.67.204.112:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49250 -> 172.67.204.112:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49259 -> 172.67.204.112:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49263 -> 172.67.204.112:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49281 -> 172.67.204.112:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49219 -> 172.67.204.112:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49222 -> 172.67.204.112:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49226 -> 172.67.204.112:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49239 -> 172.67.204.112:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49231 -> 172.67.204.112:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49240 -> 172.67.204.112:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49241 -> 172.67.204.112:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49232 -> 172.67.204.112:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49245 -> 172.67.204.112:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 199.192.17.247:80 -> 192.168.56.103:49279	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 192.168.56.103:49246 -> 172.67.204.112:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49233 -> 172.67.204.112:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49227 -> 52.219.158.38:80	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49257 -> 172.67.204.112:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49260 -> 172.67.204.112:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49269 -> 172.67.204.112:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49275 -> 172.67.204.112:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49283 -> 172.67.204.112:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49286 -> 172.67.204.112:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49287 -> 162.0.210.44:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49291 -> 172.67.204.112:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49296 -> 172.67.204.112:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49285 -> 172.67.204.112:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49297 -> 104.21.85.99:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49248 -> 172.67.204.112:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49289 -> 172.67.204.112:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49290 -> 212.192.241.15:80	2034192	ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin	A Network Trojan was detected
TCP 192.168.56.103:49292 -> 172.67.204.112:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49253 -> 172.67.204.112:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49293 -> 88.99.66.31:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49302 -> 104.21.85.99:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49303 -> 104.21.85.99:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49255 -> 172.67.204.112:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49308 -> 104.21.85.99:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49299 -> 104.21.85.99:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49305 -> 104.21.85.99:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49264 -> 172.67.204.112:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49309 -> 104.21.85.99:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49265 -> 172.67.204.112:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49272 -> 52.219.158.38:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 199.192.17.247:80 -> 192.168.56.103:49298	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 199.192.17.247:80 -> 192.168.56.103:49298	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 192.168.56.103:49280 -> 172.67.204.112:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49304 -> 104.21.85.99:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49312 -> 104.21.85.99:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49314 -> 104.21.85.99:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49317 -> 104.21.85.99:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49206 -> 45.142.182.152:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 45.142.182.152:443 -> 192.168.56.103:49207	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49211 -> 172.67.204.112:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49316 -> 88.99.66.31:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49215 -> 172.67.204.112:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49217 -> 172.67.204.112:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49284 -> 172.67.204.112:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49228 -> 172.67.204.112:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49242 -> 172.67.204.112:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49243 -> 172.67.204.112:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49256 -> 172.67.204.112:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49266 -> 172.67.204.112:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49270 -> 172.67.204.112:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49273 -> 172.67.204.112:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49300 -> 104.21.85.99:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49288 -> 172.67.204.112:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49301 -> 104.21.85.99:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49295 -> 172.67.204.112:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 199.192.17.247:80 -> 192.168.56.103:49307	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 199.192.17.247:80 -> 192.168.56.103:49307	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 192.168.56.103:49311 -> 104.21.85.99:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 199.192.17.247:80 -> 192.168.56.103:49307	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 199.192.17.247:80 -> 192.168.56.103:49307	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49168 162.159.130.233:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	a6:26:df:21:b9:4f:a7:fb:ae:8d:87:ce:fb:7d:2b:c6:50:8b:ff:da
TLSv1 192.168.56.103:49170 34.117.59.81:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1D4	CN=ipinfo.io	f0:42:a0:3b:5b:a8:0e:51:f4:13:25:f7:fc:7c:dc:35:63:19:75:63
TLSv1 192.168.56.103:49187 172.67.185.110:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	b0:c4:b1:fe:56:fd:ec:99:f4:dc:0f:3f:36:63:53:f7:6c:3a:26:7b
TLSv1 192.168.56.103:49190 172.67.136.94:443	C=US, O=Let's Encrypt, CN=R3	CN=*.gogamef.com	5c:36:e8:6e:6d:65:76:95:76:a5:7d:b3:47:fe:54:fe:f3:71:15:1b
TLSv1 192.168.56.103:49183 162.159.130.233:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	a6:26:df:21:b9:4f:a7:fb:ae:8d:87:ce:fb:7d:2b:c6:50:8b:ff:da
TLSv1 192.168.56.103:49198 172.67.204.112:443	C=US, O=Let's Encrypt, CN=R3	CN=*.gogamec.com	ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49210 172.67.204.112:443	C=US, O=Let's Encrypt, CN=R3	CN=*.gogamec.com	ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49205 172.67.204.112:443	C=US, O=Let's Encrypt, CN=R3	CN=*.gogamec.com	ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49220 172.67.204.112:443	C=US, O=Let's Encrypt, CN=R3	CN=*.gogamec.com	ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49216 172.67.204.112:443	C=US, O=Let's Encrypt, CN=R3	CN=*.gogamec.com	ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49221 172.67.204.112:443	C=US, O=Let's Encrypt, CN=R3	CN=*.gogamec.com	ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49218 172.67.204.112:443	C=US, O=Let's Encrypt, CN=R3	CN=*.gogamec.com	ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49225 172.67.204.112:443	C=US, O=Let's Encrypt, CN=R3	CN=*.gogamec.com	ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49212 172.67.204.112:443	C=US, O=Let's Encrypt, CN=R3	CN=*.gogamec.com	ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49244 172.67.204.112:443	C=US, O=Let's Encrypt, CN=R3	CN=*.gogamec.com	ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49224 172.67.204.112:443	C=US, O=Let's Encrypt, CN=R3	CN=*.gogamec.com	ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49247 172.67.204.112:443	C=US, O=Let's Encrypt, CN=R3	CN=*.gogamec.com	ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49230 172.67.204.112:443	C=US, O=Let's Encrypt, CN=R3	CN=*.gogamec.com	ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49251 172.67.204.112:443	C=US, O=Let's Encrypt, CN=R3	CN=*.gogamec.com	ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49237 172.67.204.112:443	C=US, O=Let's Encrypt, CN=R3	CN=*.gogamec.com	ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49254 172.67.204.112:443	C=US, O=Let's Encrypt, CN=R3	CN=*.gogamec.com	ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49258 172.67.204.112:443	C=US, O=Let's Encrypt, CN=R3	CN=*.gogamec.com	ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49213 172.67.204.112:443	C=US, O=Let's Encrypt, CN=R3	CN=*.gogamec.com	ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49262 172.67.204.112:443	C=US, O=Let's Encrypt, CN=R3	CN=*.gogamec.com	ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49223 172.67.204.112:443	C=US, O=Let's Encrypt, CN=R3	CN=*.gogamec.com	ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49214 172.67.204.112:443	C=US, O=Let's Encrypt, CN=R3	CN=*.gogamec.com	ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49229 172.67.204.112:443	C=US, O=Let's Encrypt, CN=R3	CN=*.gogamec.com	ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49267 172.67.204.112:443	C=US, O=Let's Encrypt, CN=R3	CN=*.gogamec.com	ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49234 172.67.204.112:443	C=US, O=Let's Encrypt, CN=R3	CN=*.gogamec.com	ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49252 172.67.204.112:443	C=US, O=Let's Encrypt, CN=R3	CN=*.gogamec.com	ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49268 172.67.204.112:443	C=US, O=Let's Encrypt, CN=R3	CN=*.gogamec.com	ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49235 172.67.204.112:443	C=US, O=Let's Encrypt, CN=R3	CN=*.gogamec.com	ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49261 172.67.204.112:443	C=US, O=Let's Encrypt, CN=R3	CN=*.gogamec.com	ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49236 172.67.204.112:443	C=US, O=Let's Encrypt, CN=R3	CN=*.gogamec.com	ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49274 172.67.204.112:443	C=US, O=Let's Encrypt, CN=R3	CN=*.gogamec.com	ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49238 172.67.204.112:443	C=US, O=Let's Encrypt, CN=R3	CN=*.gogamec.com	ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49250 172.67.204.112:443	C=US, O=Let's Encrypt, CN=R3	CN=*.gogamec.com	ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49259 172.67.204.112:443	C=US, O=Let's Encrypt, CN=R3	CN=*.gogamec.com	ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49263 172.67.204.112:443	C=US, O=Let's Encrypt, CN=R3	CN=*.gogamec.com	ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49281 172.67.204.112:443	C=US, O=Let's Encrypt, CN=R3	CN=*.gogamec.com	ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49219 172.67.204.112:443	C=US, O=Let's Encrypt, CN=R3	CN=*.gogamec.com	ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49222 172.67.204.112:443	C=US, O=Let's Encrypt, CN=R3	CN=*.gogamec.com	ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49226 172.67.204.112:443	C=US, O=Let's Encrypt, CN=R3	CN=*.gogamec.com	ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49239 172.67.204.112:443	C=US, O=Let's Encrypt, CN=R3	CN=*.gogamec.com	ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49231 172.67.204.112:443	C=US, O=Let's Encrypt, CN=R3	CN=*.gogamec.com	ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49240 172.67.204.112:443	C=US, O=Let's Encrypt, CN=R3	CN=*.gogamec.com	ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49241 172.67.204.112:443	C=US, O=Let's Encrypt, CN=R3	CN=*.gogamec.com	ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49232 172.67.204.112:443	C=US, O=Let's Encrypt, CN=R3	CN=*.gogamec.com	ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49245 172.67.204.112:443	C=US, O=Let's Encrypt, CN=R3	CN=*.gogamec.com	ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49246 172.67.204.112:443	C=US, O=Let's Encrypt, CN=R3	CN=*.gogamec.com	ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49233 172.67.204.112:443	C=US, O=Let's Encrypt, CN=R3	CN=*.gogamec.com	ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49257 172.67.204.112:443	C=US, O=Let's Encrypt, CN=R3	CN=*.gogamec.com	ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49260 172.67.204.112:443	C=US, O=Let's Encrypt, CN=R3	CN=*.gogamec.com	ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49269 172.67.204.112:443	C=US, O=Let's Encrypt, CN=R3	CN=*.gogamec.com	ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49275 172.67.204.112:443	C=US, O=Let's Encrypt, CN=R3	CN=*.gogamec.com	ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49283 172.67.204.112:443	C=US, O=Let's Encrypt, CN=R3	CN=*.gogamec.com	ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49286 172.67.204.112:443	C=US, O=Let's Encrypt, CN=R3	CN=*.gogamec.com	ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49287 162.0.210.44:443	C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com	C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com	68:49:fa:d2:40:0d:bd:3f:c0:6e:bf:50:6f:a8:1c:a3:3e:f4:40:cf
TLSv1 192.168.56.103:49291 172.67.204.112:443	C=US, O=Let's Encrypt, CN=R3	CN=*.gogamec.com	ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49296 172.67.204.112:443	C=US, O=Let's Encrypt, CN=R3	CN=*.gogamec.com	ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49285 172.67.204.112:443	C=US, O=Let's Encrypt, CN=R3	CN=*.gogamec.com	ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49297 104.21.85.99:443	C=US, O=Let's Encrypt, CN=R3	CN=*.gogamec.com	ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49248 172.67.204.112:443	C=US, O=Let's Encrypt, CN=R3	CN=*.gogamec.com	ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49289 172.67.204.112:443	C=US, O=Let's Encrypt, CN=R3	CN=*.gogamec.com	ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49292 172.67.204.112:443	C=US, O=Let's Encrypt, CN=R3	CN=*.gogamec.com	ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49253 172.67.204.112:443	C=US, O=Let's Encrypt, CN=R3	CN=*.gogamec.com	ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49293 88.99.66.31:443	C=US, O=Let's Encrypt, CN=R3	CN=iplogger.com	92:14:16:9c:56:a1:f2:6a:b9:1d:e1:8d:4c:5f:a4:57:a7:9c:a0:6b
TLSv1 192.168.56.103:49302 104.21.85.99:443	C=US, O=Let's Encrypt, CN=R3	CN=*.gogamec.com	ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49303 104.21.85.99:443	C=US, O=Let's Encrypt, CN=R3	CN=*.gogamec.com	ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49255 172.67.204.112:443	C=US, O=Let's Encrypt, CN=R3	CN=*.gogamec.com	ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49308 104.21.85.99:443	C=US, O=Let's Encrypt, CN=R3	CN=*.gogamec.com	ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49299 104.21.85.99:443	C=US, O=Let's Encrypt, CN=R3	CN=*.gogamec.com	ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49305 104.21.85.99:443	C=US, O=Let's Encrypt, CN=R3	CN=*.gogamec.com	ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49264 172.67.204.112:443	C=US, O=Let's Encrypt, CN=R3	CN=*.gogamec.com	ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49309 104.21.85.99:443	C=US, O=Let's Encrypt, CN=R3	CN=*.gogamec.com	ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49265 172.67.204.112:443	C=US, O=Let's Encrypt, CN=R3	CN=*.gogamec.com	ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49272 52.219.158.38:443	C=US, O=Amazon, OU=Server CA 1B, CN=Amazon	CN=*.s3.ap-south-1.amazonaws.com	c6:36:df:af:09:de:c1:11:cd:93:7d:ef:05:10:32:ae:12:cd:7d:b8
TLSv1 192.168.56.103:49280 172.67.204.112:443	C=US, O=Let's Encrypt, CN=R3	CN=*.gogamec.com	ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49304 104.21.85.99:443	C=US, O=Let's Encrypt, CN=R3	CN=*.gogamec.com	ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49312 104.21.85.99:443	C=US, O=Let's Encrypt, CN=R3	CN=*.gogamec.com	ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49314 104.21.85.99:443	C=US, O=Let's Encrypt, CN=R3	CN=*.gogamec.com	ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49317 104.21.85.99:443	C=US, O=Let's Encrypt, CN=R3	CN=*.gogamec.com	ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49211 172.67.204.112:443	C=US, O=Let's Encrypt, CN=R3	CN=*.gogamec.com	ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49316 88.99.66.31:443	C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA	CN=*.iplogger.org	55:1e:13:99:46:1c:67:40:a3:48:7f:38:0d:16:e7:51:f4:c4:43:cb
TLSv1 192.168.56.103:49215 172.67.204.112:443	C=US, O=Let's Encrypt, CN=R3	CN=*.gogamec.com	ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49217 172.67.204.112:443	C=US, O=Let's Encrypt, CN=R3	CN=*.gogamec.com	ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49284 172.67.204.112:443	C=US, O=Let's Encrypt, CN=R3	CN=*.gogamec.com	ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49228 172.67.204.112:443	C=US, O=Let's Encrypt, CN=R3	CN=*.gogamec.com	ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49242 172.67.204.112:443	C=US, O=Let's Encrypt, CN=R3	CN=*.gogamec.com	ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49243 172.67.204.112:443	C=US, O=Let's Encrypt, CN=R3	CN=*.gogamec.com	ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49256 172.67.204.112:443	C=US, O=Let's Encrypt, CN=R3	CN=*.gogamec.com	ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49266 172.67.204.112:443	C=US, O=Let's Encrypt, CN=R3	CN=*.gogamec.com	ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49270 172.67.204.112:443	C=US, O=Let's Encrypt, CN=R3	CN=*.gogamec.com	ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49273 172.67.204.112:443	C=US, O=Let's Encrypt, CN=R3	CN=*.gogamec.com	ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49300 104.21.85.99:443	C=US, O=Let's Encrypt, CN=R3	CN=*.gogamec.com	ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49288 172.67.204.112:443	C=US, O=Let's Encrypt, CN=R3	CN=*.gogamec.com	ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49301 104.21.85.99:443	C=US, O=Let's Encrypt, CN=R3	CN=*.gogamec.com	ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49295 172.67.204.112:443	C=US, O=Let's Encrypt, CN=R3	CN=*.gogamec.com	ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1
TLSv1 192.168.56.103:49311 104.21.85.99:443	C=US, O=Let's Encrypt, CN=R3	CN=*.gogamec.com	ee:4c:93:4c:ed:a7:33:d6:e8:4b:a4:7f:af:73:91:a4:cf:9b:23:b1

Queries for the computername (3 events)

Time & API	Arguments	Status	Return
GetComputerNameW Nov. 5, 2021, 9:07 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 5, 2021, 9:07 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 5, 2021, 9:07 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (5 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Nov. 5, 2021, 9:07 a.m.			0	0
IsDebuggerPresent Nov. 5, 2021, 9:07 a.m.			0	0
IsDebuggerPresent Nov. 5, 2021, 9:07 a.m.			0	0
IsDebuggerPresent Nov. 5, 2021, 9:07 a.m.			0	0
IsDebuggerPresent Nov. 5, 2021, 9:07 a.m.			0	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 5, 2021, 9:05 a.m.		1	1	0

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

DLL

One or more processes crashed (8 events)

Time & API	Arguments	Status
__exception__ Nov. 5, 2021, 9:05 a.m.	stacktrace: CryptGenRandom+0x26 CryptGetUserKey-0x6a cryptsp+0x4f99 @ 0x73b34f99 0x3bac6ed 0x3bac79a 0x3bac808 0x3b20a09 0x3b21cba 0x3b21290 0x3b215cd 0x3b38939 0x3b6d9d7 0x3b6ddeb 0x3bcf571 0x3bcf654 cube_ww14+0x2424 @ 0x192424 cube_ww14+0x4658 @ 0x194658 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 81 78 74 11 11 11 11 75 2d 83 c0 78 50 ff 15 44 exception.instruction: cmp dword ptr [eax + 0x74], 0x11111111 exception.exception_code: 0xc0000005 exception.symbol: CryptEnumProvidersA+0x1dc CheckSignatureInFile-0x9f6 cryptsp+0x34b2 exception.address: 0x73b334b2 registers.esp: 34072436 registers.edi: 0 registers.eax: 0 registers.ebp: 34072476 registers.edx: 32 registers.ebx: 34072780 registers.esi: 0 registers.ecx: 9557744	1
__exception__ Nov. 5, 2021, 9:05 a.m.	stacktrace: CryptGenRandom+0x26 CryptGetUserKey-0x6a cryptsp+0x4f99 @ 0x73b34f99 0x3bac6ed 0x3bac79a 0x3bac808 0x3b20a09 0x3b21cba 0x3b2129e 0x3b215cd 0x3b38939 0x3b6d9d7 0x3b6ddeb 0x3bcf571 0x3bcf654 cube_ww14+0x2424 @ 0x192424 cube_ww14+0x4658 @ 0x194658 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 81 78 74 11 11 11 11 75 2d 83 c0 78 50 ff 15 44 exception.instruction: cmp dword ptr [eax + 0x74], 0x11111111 exception.exception_code: 0xc0000005 exception.symbol: CryptEnumProvidersA+0x1dc CheckSignatureInFile-0x9f6 cryptsp+0x34b2 exception.address: 0x73b334b2 registers.esp: 34072436 registers.edi: 0 registers.eax: 0 registers.ebp: 34072476 registers.edx: 32 registers.ebx: 34072780 registers.esi: 0 registers.ecx: 9557744	1
__exception__ Nov. 5, 2021, 9:05 a.m.	stacktrace: CryptGenRandom+0x26 CryptGetUserKey-0x6a cryptsp+0x4f99 @ 0x73b34f99 0x3bac6ed 0x3bac79a 0x3bac808 0x3b20a09 0x3b21cba 0x3b21290 0x3b215cd 0x3b38939 0x3b39831 0x3b66065 0x3b66d41 0x3b6dbbe 0x3b6ddeb 0x3bcf571 0x3bcf654 cube_ww14+0x2424 @ 0x192424 cube_ww14+0x4658 @ 0x194658 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 81 78 74 11 11 11 11 75 2d 83 c0 78 50 ff 15 44 exception.instruction: cmp dword ptr [eax + 0x74], 0x11111111 exception.exception_code: 0xc0000005 exception.symbol: CryptEnumProvidersA+0x1dc CheckSignatureInFile-0x9f6 cryptsp+0x34b2 exception.address: 0x73b334b2 registers.esp: 34066468 registers.edi: 0 registers.eax: 0 registers.ebp: 34066508 registers.edx: 32 registers.ebx: 34066812 registers.esi: 0 registers.ecx: 9559224	1
__exception__ Nov. 5, 2021, 9:05 a.m.	stacktrace: CryptGenRandom+0x26 CryptGetUserKey-0x6a cryptsp+0x4f99 @ 0x73b34f99 0x3bac6ed 0x3bac79a 0x3bac808 0x3b20a09 0x3b21cba 0x3b2129e 0x3b215cd 0x3b38939 0x3b39831 0x3b66065 0x3b66d41 0x3b6dbbe 0x3b6ddeb 0x3bcf571 0x3bcf654 cube_ww14+0x2424 @ 0x192424 cube_ww14+0x4658 @ 0x194658 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 81 78 74 11 11 11 11 75 2d 83 c0 78 50 ff 15 44 exception.instruction: cmp dword ptr [eax + 0x74], 0x11111111 exception.exception_code: 0xc0000005 exception.symbol: CryptEnumProvidersA+0x1dc CheckSignatureInFile-0x9f6 cryptsp+0x34b2 exception.address: 0x73b334b2 registers.esp: 34066468 registers.edi: 0 registers.eax: 0 registers.ebp: 34066508 registers.edx: 32 registers.ebx: 34066812 registers.esi: 0 registers.ecx: 9559224	1
__exception__ Nov. 5, 2021, 9:05 a.m.	stacktrace: CryptGenRandom+0x26 CryptGetUserKey-0x6a cryptsp+0x4f99 @ 0x73b34f99 0x3bac6ed 0x3bac79a 0x3bac808 0x3b20a09 0x3b21cba 0x3b21290 0x3b215cd 0x3b38939 0x3b39095 0x3b66eb3 0x3b6dbbe 0x3b6ddeb 0x3bcf571 0x3bcf654 cube_ww14+0x2424 @ 0x192424 cube_ww14+0x4658 @ 0x194658 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 81 78 74 11 11 11 11 75 2d 83 c0 78 50 ff 15 44 exception.instruction: cmp dword ptr [eax + 0x74], 0x11111111 exception.exception_code: 0xc0000005 exception.symbol: CryptEnumProvidersA+0x1dc CheckSignatureInFile-0x9f6 cryptsp+0x34b2 exception.address: 0x73b334b2 registers.esp: 34066884 registers.edi: 0 registers.eax: 0 registers.ebp: 34066924 registers.edx: 32 registers.ebx: 34067228 registers.esi: 0 registers.ecx: 8982392	1
__exception__ Nov. 5, 2021, 9:05 a.m.	stacktrace: CryptGenRandom+0x26 CryptGetUserKey-0x6a cryptsp+0x4f99 @ 0x73b34f99 0x3bac6ed 0x3bac79a 0x3bac808 0x3b20a09 0x3b21cba 0x3b2129e 0x3b215cd 0x3b38939 0x3b39095 0x3b66eb3 0x3b6dbbe 0x3b6ddeb 0x3bcf571 0x3bcf654 cube_ww14+0x2424 @ 0x192424 cube_ww14+0x4658 @ 0x194658 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 81 78 74 11 11 11 11 75 2d 83 c0 78 50 ff 15 44 exception.instruction: cmp dword ptr [eax + 0x74], 0x11111111 exception.exception_code: 0xc0000005 exception.symbol: CryptEnumProvidersA+0x1dc CheckSignatureInFile-0x9f6 cryptsp+0x34b2 exception.address: 0x73b334b2 registers.esp: 34066884 registers.edi: 0 registers.eax: 0 registers.ebp: 34066924 registers.edx: 32 registers.ebx: 34067228 registers.esi: 0 registers.ecx: 8982392	1
__exception__ Nov. 5, 2021, 9:07 a.m.	stacktrace: CryptGenRandom+0x26 CryptGetUserKey-0x6a cryptsp+0x4f99 @ 0x73b34f99 0x3bac6ed 0x3bac79a 0x3bac808 0x3b20a09 0x3b21cba 0x3b21290 0x3b215cd 0x3b38939 0x3b619c1 0x3b6b898 0x3b6dbbe 0x3b6ddeb 0x3bcf571 0x3bcf654 cube_ww14+0x2424 @ 0x192424 cube_ww14+0x4658 @ 0x194658 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 81 78 74 11 11 11 11 75 2d 83 c0 78 50 ff 15 44 exception.instruction: cmp dword ptr [eax + 0x74], 0x11111111 exception.exception_code: 0xc0000005 exception.symbol: CryptEnumProvidersA+0x1dc CheckSignatureInFile-0x9f6 cryptsp+0x34b2 exception.address: 0x73b334b2 registers.esp: 34061940 registers.edi: 0 registers.eax: 0 registers.ebp: 34061980 registers.edx: 32 registers.ebx: 34062284 registers.esi: 0 registers.ecx: 63317984	1
__exception__ Nov. 5, 2021, 9:07 a.m.	stacktrace: CryptGenRandom+0x26 CryptGetUserKey-0x6a cryptsp+0x4f99 @ 0x73b34f99 0x3bac6ed 0x3bac79a 0x3bac808 0x3b20a09 0x3b21cba 0x3b2129e 0x3b215cd 0x3b38939 0x3b619c1 0x3b6b898 0x3b6dbbe 0x3b6ddeb 0x3bcf571 0x3bcf654 cube_ww14+0x2424 @ 0x192424 cube_ww14+0x4658 @ 0x194658 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 81 78 74 11 11 11 11 75 2d 83 c0 78 50 ff 15 44 exception.instruction: cmp dword ptr [eax + 0x74], 0x11111111 exception.exception_code: 0xc0000005 exception.symbol: CryptEnumProvidersA+0x1dc CheckSignatureInFile-0x9f6 cryptsp+0x34b2 exception.address: 0x73b334b2 registers.esp: 34061940 registers.edi: 0 registers.eax: 0 registers.ebp: 34061980 registers.edx: 32 registers.ebx: 34062284 registers.esi: 0 registers.ecx: 63317984	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (13 events)

suspicious_features	Connection to IP address	suspicious_request	GET http://45.133.1.107/server.txt
suspicious_features	Connection to IP address	suspicious_request	GET http://212.192.241.15/base/api/statistics.php
suspicious_features	POST method with no referer header, Connection to IP address	suspicious_request	POST http://212.192.241.15/base/api/getData.php
suspicious_features	Connection to IP address	suspicious_request	HEAD http://45.133.1.107/download/NiceProcessX64.bmp
suspicious_features	Connection to IP address	suspicious_request	GET http://45.133.1.107/download/NiceProcessX64.bmp
suspicious_features	POST method with no referer header	suspicious_request	POST http://staticimg.youtuuee.com/api/?sid=600653&key=bfe10d3bf124f043738c20f287bfc0c2
suspicious_features	GET method with no useragent header	suspicious_request	GET http://fouratlinks.com/stockmerchandise/zillaCPM/r4XZt5MYHpEdcdmzqr2D.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET http://fouratlinks.com/stockmerchandise/serious_punch_upd/HttpTwcyK3R6gQj7t7EY.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET http://fouratlinks.com/stockmerchandise/total_out_hand/v8hBqWuKscbjZRqNatPw.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET http://fouratlinks.com/Widgets/FolderShare.exe
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST http://requestimedout.com/xenocrates/zoroaster
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST https://connectini.net/Series/SuperNitouDisc.php
suspicious_features	GET method with no useragent header	suspicious_request	GET https://connectini.net/S2S/Disc/Disc.php?ezok=folderlyla1&tesla=7

Performs some HTTP requests (33 events)

request	GET http://45.133.1.107/server.txt
request	GET http://212.192.241.15/base/api/statistics.php
request	POST http://212.192.241.15/base/api/getData.php
request	HEAD http://45.133.1.107/download/NiceProcessX64.bmp
request	GET http://45.133.1.107/download/NiceProcessX64.bmp
request	HEAD http://dataonestorage.com/search_hyperfs_209.exe
request	HEAD http://imgs.googlwaa.com/lqosko/p18j/cust9.exe
request	HEAD http://eguntong.com/pub33.exe
request	HEAD http://www.hzradiant.com/askhelp42/askinstall42.exe
request	GET http://imgs.googlwaa.com/lqosko/p18j/cust9.exe
request	GET http://apps.identrust.com/roots/dstrootcax3.p7c
request	GET http://eguntong.com/pub33.exe
request	HEAD http://www.hzradiant.com/askinstall42.exe
request	GET http://www.hzradiant.com/askhelp42/askinstall42.exe
request	GET http://www.hzradiant.com/askinstall42.exe
request	GET http://dataonestorage.com/search_hyperfs_209.exe
request	GET http://ip-api.com/json/
request	GET http://staticimg.youtuuee.com/api/fbtime
request	POST http://staticimg.youtuuee.com/api/?sid=600653&key=bfe10d3bf124f043738c20f287bfc0c2
request	HEAD http://fouratlinks.com/installpartners/ShareFolder.exe
request	GET http://fouratlinks.com/installpartners/ShareFolder.exe
request	GET http://fouratlinks.com/stockmerchandise/zillaCPM/r4XZt5MYHpEdcdmzqr2D.exe
request	GET http://fouratlinks.com/stockmerchandise/serious_punch_upd/HttpTwcyK3R6gQj7t7EY.exe
request	GET http://fouratlinks.com/stockmerchandise/total_out_hand/v8hBqWuKscbjZRqNatPw.exe
request	GET http://fouratlinks.com/Widgets/FolderShare.exe
request	POST http://requestimedout.com/xenocrates/zoroaster
request	GET https://cdn.discordapp.com/attachments/891021838312931420/902505896159113296/PL_Client.bmp
request	GET https://ipinfo.io/widget
request	GET https://cdn.discordapp.com/attachments/891006172130345095/905393686618193921/help0301.bmp
request	GET https://d.gogamed.com/userhome/22/any.exe
request	GET https://el5en1977834657.s3.ap-south-1.amazonaws.com/kak.exe
request	POST https://connectini.net/Series/SuperNitouDisc.php
request	GET https://connectini.net/S2S/Disc/Disc.php?ezok=folderlyla1&tesla=7

Sends data using the HTTP POST Method (4 events)

request	POST http://212.192.241.15/base/api/getData.php
request	POST http://staticimg.youtuuee.com/api/?sid=600653&key=bfe10d3bf124f043738c20f287bfc0c2
request	POST http://requestimedout.com/xenocrates/zoroaster
request	POST https://connectini.net/Series/SuperNitouDisc.php

Resolves a suspicious Top Level Domain (TLD) (1 event)

domain

iplis.ru

description

Russian Federation domain TLD

Allocates read-write-execute memory (usually to unpack itself) (50 out of 388 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Nov. 5, 2021, 9:05 a.m.	process_identifier: 2328 region_size: 1351680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03b10000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 9:05 a.m.	process_identifier: 2572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 159744 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00abe000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:05 a.m.	process_identifier: 2572 region_size: 278528 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02170000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 9:05 a.m.	process_identifier: 2896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 65536 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a2e000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:05 a.m.	process_identifier: 2896 region_size: 36864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 9:07 a.m.	process_identifier: 3028 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 9:07 a.m.	process_identifier: 3028 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 40960 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00401000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 9:07 a.m.	process_identifier: 3028 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 385024 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040f000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:07 a.m.	process_identifier: 1584 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00350000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:07 a.m.	process_identifier: 1236 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000006750000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:07 a.m.	process_identifier: 2200 region_size: 786432 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000650000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:07 a.m.	process_identifier: 2200 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000690000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 9:07 a.m.	process_identifier: 2200 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2ca1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 9:07 a.m.	process_identifier: 2200 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2f1e000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 9:07 a.m.	process_identifier: 2200 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2f1e000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 9:07 a.m.	process_identifier: 2200 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2f1f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 9:07 a.m.	process_identifier: 2200 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2f1f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 9:07 a.m.	process_identifier: 2200 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2f1f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 9:07 a.m.	process_identifier: 2200 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2f1f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 9:07 a.m.	process_identifier: 2200 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2f1f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 9:07 a.m.	process_identifier: 2200 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2f1f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 9:07 a.m.	process_identifier: 2200 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2f1f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 9:07 a.m.	process_identifier: 2200 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2f1f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 9:07 a.m.	process_identifier: 2200 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2f20000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 9:07 a.m.	process_identifier: 2200 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2f20000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 9:07 a.m.	process_identifier: 2200 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2f20000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 9:07 a.m.	process_identifier: 2200 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2f20000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 9:07 a.m.	process_identifier: 2200 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2f20000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 9:07 a.m.	process_identifier: 2200 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2f21000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 9:07 a.m.	process_identifier: 2200 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2f21000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 9:07 a.m.	process_identifier: 2200 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2f21000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 9:07 a.m.	process_identifier: 2200 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2f21000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 9:07 a.m.	process_identifier: 2200 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2f1e000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:07 a.m.	process_identifier: 2200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00052000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:07 a.m.	process_identifier: 2200 region_size: 589824 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff20000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:07 a.m.	process_identifier: 2200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:07 a.m.	process_identifier: 2200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:07 a.m.	process_identifier: 2200 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:07 a.m.	process_identifier: 2200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:07 a.m.	process_identifier: 2200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff0010a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:07 a.m.	process_identifier: 2200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00042000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:07 a.m.	process_identifier: 2200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00053000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:07 a.m.	process_identifier: 2200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff0011a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:07 a.m.	process_identifier: 2200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00142000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:07 a.m.	process_identifier: 2200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff0011d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:07 a.m.	process_identifier: 2200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff0005c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:07 a.m.	process_identifier: 2200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00190000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:07 a.m.	process_identifier: 2200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00054000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:07 a.m.	process_identifier: 2200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00191000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:07 a.m.	process_identifier: 2200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00192000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

A process attempted to delay the analysis task. (1 event)

description

Cube_WW14.bmp tried to sleep 204 seconds, actually delayed analysis time by 204 seconds

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 event)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW Nov. 5, 2021, 9:07 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 10226479104 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Explorer total_number_of_bytes: 0	1	1	0

Steals private information from local Internet browsers (50 out of 109 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 36\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 65\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 62\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 3\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 24\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 75\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 98\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 28\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 93\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 92\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 97\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 47\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 74\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 21\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 83\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 17\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 69\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 50\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 57\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 63\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 66\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 34\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 80\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 84\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 77\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 64\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 8\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 31\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 4\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 35\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 6\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 72\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 13\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 53\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 23\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 25\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 61\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 82\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 7\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 12\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 95\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 22\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 70\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 73\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 18\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 56\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 55\Cookies

Foreign language identified in PE resource (9 events)

name

DLL

language

LANG_NEUTRAL

filetype

PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows

sublanguage

SUBLANG_ARABIC_OMAN

offset

0x00039c30

size

0x0002c000

name

RT_ICON

language

LANG_NEUTRAL

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_ARABIC_OMAN

offset

0x00039768

size

0x00000468

name

RT_ICON

language

LANG_NEUTRAL

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_ARABIC_OMAN

offset

0x00039768

size

0x00000468

name

RT_ICON

language

LANG_NEUTRAL

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_ARABIC_OMAN

offset

0x00039768

size

0x00000468

name

RT_ICON

language

LANG_NEUTRAL

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_ARABIC_OMAN

offset

0x00039768

size

0x00000468

name

RT_ICON

language

LANG_NEUTRAL

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_ARABIC_OMAN

offset

0x00039768

size

0x00000468

name

RT_ICON

language

LANG_NEUTRAL

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_ARABIC_OMAN

offset

0x00039768

size

0x00000468

name

RT_GROUP_ICON

language

LANG_NEUTRAL

filetype

data

sublanguage

SUBLANG_ARABIC_OMAN

offset

0x00039bd0

size

0x0000005a

name

RT_VERSION

language

LANG_NEUTRAL

filetype

data

sublanguage

SUBLANG_ARABIC_OMAN

offset

0x00020270

size

0x000002dc

Looks up the external IP address (2 events)

domain	ipinfo.io
domain	ip-api.com

Creates executable files on the filesystem (16 events)

file	C:\Users\test22\Pictures\Adobe Films\jm9WZqU48OXjZDKC5i0a7tT4.exe
file	C:\Program Files (x86)\Windows Photo Viewer\Nunaedobyle.exe
file	C:\Users\test22\AppData\Local\Temp\pidHTSIGEi8DrAmaYu9K8ghN89.dll
file	C:\Users\test22\AppData\Local\Temp\6e-0db4f-5d3-56daa-9764bf68c6570\Roshovubysae.exe
file	C:\Users\test22\Documents\T9aZunTSaNJLBVfIkgF5mtQo.dll
file	C:\Users\test22\Pictures\Adobe Films\MN92omWtlXm59ZZLlrxY1Nfj.exe
file	C:\Users\test22\Pictures\Adobe Films\koJ0QS7kzMBOVLlshkrNuyJs.exe
file	C:\Users\test22\AppData\Local\Temp\is-IOJ5E.tmp\_isetup\_shfoldr.dll
file	C:\Users\test22\AppData\Local\Temp\32-a9548-5f9-374be-9d560cdb36c56\Rufaecolufo.exe
file	C:\Users\test22\Pictures\Adobe Films\hxqIswt6ZZXn9eDwf0oo44Y2.exe
file	C:\Program Files\7-Zip\MKTPOZJMHE\foldershare.exe
file	C:\Users\test22\AppData\Local\Temp\is-IOJ5E.tmp\DYbALA.exe
file	C:\Users\test22\AppData\Local\Temp\is-IOJ5E.tmp\idp.dll
file	C:\Users\test22\Pictures\Adobe Films\NjPCD84QAGvJgwTSdwlcfFXM.exe
file	C:\Users\test22\Pictures\Adobe Films\uUg6Uopi0cC3fPYtgUana1B9.exe
file	C:\Users\test22\Pictures\Adobe Films\qNCY_EOBar1MnuVc9oiDPLRw.exe

Drops a binary and executes it (9 events)

file	C:\Users\test22\Pictures\Adobe Films\jm9WZqU48OXjZDKC5i0a7tT4.exe
file	C:\Users\test22\Pictures\Adobe Films\MN92omWtlXm59ZZLlrxY1Nfj.exe
file	C:\Users\test22\Pictures\Adobe Films\uUg6Uopi0cC3fPYtgUana1B9.exe
file	C:\Users\test22\Pictures\Adobe Films\NjPCD84QAGvJgwTSdwlcfFXM.exe
file	C:\Users\test22\Pictures\Adobe Films\koJ0QS7kzMBOVLlshkrNuyJs.exe
file	C:\Users\test22\Pictures\Adobe Films\qNCY_EOBar1MnuVc9oiDPLRw.exe
file	C:\Users\test22\AppData\Local\Temp\32-a9548-5f9-374be-9d560cdb36c56\Rufaecolufo.exe
file	C:\Users\test22\AppData\Local\Temp\6e-0db4f-5d3-56daa-9764bf68c6570\Roshovubysae.exe
file	C:\Program Files\7-Zip\MKTPOZJMHE\foldershare.exe

Drops an executable to the user AppData folder (6 events)

file	C:\Users\test22\AppData\Local\Temp\6e-0db4f-5d3-56daa-9764bf68c6570\Roshovubysae.exe
file	C:\Users\test22\AppData\Local\Temp\is-IOJ5E.tmp\_isetup\_shfoldr.dll
file	C:\Users\test22\AppData\Local\Temp\is-IOJ5E.tmp\idp.dll
file	C:\Users\test22\AppData\Local\Temp\is-8LAQS.tmp\qNCY_EOBar1MnuVc9oiDPLRw.tmp
file	C:\Users\test22\AppData\Local\Temp\is-IOJ5E.tmp\DYbALA.exe
file	C:\Users\test22\AppData\Local\Temp\32-a9548-5f9-374be-9d560cdb36c56\Rufaecolufo.exe

A process created a hidden window (6 events)

Time & API	Arguments	Status	Return
ShellExecuteExW Nov. 5, 2021, 9:05 a.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures//Adobe Films\jm9WZqU48OXjZDKC5i0a7tT4.exe parameters: filepath: C:\Users\test22\Pictures\Adobe Films\jm9WZqU48OXjZDKC5i0a7tT4.exe	1	1
ShellExecuteExW Nov. 5, 2021, 9:05 a.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures//Adobe Films\MN92omWtlXm59ZZLlrxY1Nfj.exe parameters: filepath: C:\Users\test22\Pictures\Adobe Films\MN92omWtlXm59ZZLlrxY1Nfj.exe	1	1
ShellExecuteExW Nov. 5, 2021, 9:05 a.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures//Adobe Films\uUg6Uopi0cC3fPYtgUana1B9.exe parameters: filepath: C:\Users\test22\Pictures\Adobe Films\uUg6Uopi0cC3fPYtgUana1B9.exe	1	1
ShellExecuteExW Nov. 5, 2021, 9:05 a.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures//Adobe Films\NjPCD84QAGvJgwTSdwlcfFXM.exe parameters: filepath: C:\Users\test22\Pictures\Adobe Films\NjPCD84QAGvJgwTSdwlcfFXM.exe	1	1
ShellExecuteExW Nov. 5, 2021, 9:05 a.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures//Adobe Films\koJ0QS7kzMBOVLlshkrNuyJs.exe parameters: filepath: C:\Users\test22\Pictures\Adobe Films\koJ0QS7kzMBOVLlshkrNuyJs.exe	1	1
ShellExecuteExW Nov. 5, 2021, 9:07 a.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures//Adobe Films\qNCY_EOBar1MnuVc9oiDPLRw.exe parameters: filepath: C:\Users\test22\Pictures\Adobe Films\qNCY_EOBar1MnuVc9oiDPLRw.exe	1	1

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (50 events)

Time & API	Arguments	Status	Return
Process32NextW Nov. 5, 2021, 9:05 a.m.	snapshot_handle: 0x00000520 process_name: mobsync.exe process_identifier: 1176	1	1
Process32NextW Nov. 5, 2021, 9:05 a.m.	snapshot_handle: 0x00000520 process_name: pw.exe process_identifier: 2080	1	1
Process32NextW Nov. 5, 2021, 9:05 a.m.	snapshot_handle: 0x00000520 process_name: taskhost.exe process_identifier: 2124	1	1
Process32NextW Nov. 5, 2021, 9:05 a.m.	snapshot_handle: 0x00000520 process_name: cmd.exe process_identifier: 2248	1	1
Process32NextW Nov. 5, 2021, 9:05 a.m.	snapshot_handle: 0x00000520 process_name: conhost.exe process_identifier: 2256	1	1
Process32NextW Nov. 5, 2021, 9:05 a.m.	snapshot_handle: 0x00000520 process_name: Cube_WW14.bmp process_identifier: 2328	1	1
Process32NextW Nov. 5, 2021, 9:05 a.m.	snapshot_handle: 0x00000520 process_name: pw.exe process_identifier: 2336	1	1
Process32NextW Nov. 5, 2021, 8:58 a.m.	snapshot_handle: 0x0000000000000028 process_name: jm9WZqU48OXjZDKC5i0a7tT4.exe process_identifier: 2492	1	1
Process32NextW Nov. 5, 2021, 8:58 a.m.	snapshot_handle: 0x0000000000000028 process_name: MN92omWtlXm59ZZLlrxY1Nfj.exe process_identifier: 2572	1	1
Process32NextW Nov. 5, 2021, 8:58 a.m.	snapshot_handle: 0x0000000000000028 process_name: uUg6Uopi0cC3fPYtgUana1B9.exe process_identifier: 2620	1	1
Process32NextW Nov. 5, 2021, 8:58 a.m.	snapshot_handle: 0x0000000000000028 process_name: conhost.exe process_identifier: 2656	1	1
Process32NextW Nov. 5, 2021, 8:58 a.m.	snapshot_handle: 0x0000000000000028 process_name: cmd.exe process_identifier: 2684	1	1
Process32NextW Nov. 5, 2021, 8:58 a.m.	snapshot_handle: 0x0000000000000028 process_name: pw.exe process_identifier: 2764	1	1
Process32NextW Nov. 5, 2021, 8:58 a.m.	snapshot_handle: 0x0000000000000028 process_name: conhost.exe process_identifier: 2772	1	1
Process32NextW Nov. 5, 2021, 8:58 a.m.	snapshot_handle: 0x0000000000000028 process_name: NjPCD84QAGvJgwTSdwlcfFXM.exe process_identifier: 2840	1	1
Process32NextW Nov. 5, 2021, 8:58 a.m.	snapshot_handle: 0x0000000000000028 process_name: koJ0QS7kzMBOVLlshkrNuyJs.exe process_identifier: 2896	1	1
Process32NextW Nov. 5, 2021, 8:58 a.m.	snapshot_handle: 0x0000000000000028 process_name: cmd.exe process_identifier: 2988	1	1
Process32NextW Nov. 5, 2021, 8:58 a.m.	snapshot_handle: 0x0000000000000028 process_name: conhost.exe process_identifier: 2996	1	1
Process32NextW Nov. 5, 2021, 8:58 a.m.	snapshot_handle: 0x0000000000000028 process_name: pw.exe process_identifier: 3020	1	1
Process32NextW Nov. 5, 2021, 8:59 a.m.	snapshot_handle: 0x0000000000000028 process_name: cmd.exe process_identifier: 2116	1	1
Process32NextW Nov. 5, 2021, 8:59 a.m.	snapshot_handle: 0x0000000000000028 process_name: conhost.exe process_identifier: 2176	1	1
Process32NextW Nov. 5, 2021, 8:59 a.m.	snapshot_handle: 0x0000000000000028 process_name: pw.exe process_identifier: 2216	1	1
Process32NextW Nov. 5, 2021, 8:59 a.m.	snapshot_handle: 0x0000000000000028 process_name: cmd.exe process_identifier: 2428	1	1
Process32NextW Nov. 5, 2021, 8:59 a.m.	snapshot_handle: 0x0000000000000028 process_name: conhost.exe process_identifier: 2412	1	1
Process32NextW Nov. 5, 2021, 8:59 a.m.	snapshot_handle: 0x0000000000000028 process_name: pw.exe process_identifier: 2148	1	1
Process32NextW Nov. 5, 2021, 8:59 a.m.	snapshot_handle: 0x0000000000000028 process_name: cmd.exe process_identifier: 2720	1	1
Process32NextW Nov. 5, 2021, 8:59 a.m.	snapshot_handle: 0x0000000000000028 process_name: conhost.exe process_identifier: 2728	1	1
Process32NextW Nov. 5, 2021, 8:59 a.m.	snapshot_handle: 0x0000000000000028 process_name: pw.exe process_identifier: 2696	1	1
Process32NextW Nov. 5, 2021, 8:59 a.m.	snapshot_handle: 0x0000000000000028 process_name: conhost.exe process_identifier: 2908	1	1
Process32NextW Nov. 5, 2021, 8:59 a.m.	snapshot_handle: 0x0000000000000028 process_name: pw.exe process_identifier: 300	1	1
Process32NextW Nov. 5, 2021, 8:59 a.m.	snapshot_handle: 0x0000000000000028 process_name: cmd.exe process_identifier: 2780	1	1
Process32NextW Nov. 5, 2021, 8:59 a.m.	snapshot_handle: 0x0000000000000028 process_name: conhost.exe process_identifier: 2752	1	1
Process32NextW Nov. 5, 2021, 8:59 a.m.	snapshot_handle: 0x0000000000000028 process_name: pw.exe process_identifier: 200	1	1
Process32NextW Nov. 5, 2021, 8:59 a.m.	snapshot_handle: 0x0000000000000028 process_name: qNCY_EOBar1MnuVc9oiDPLRw.exe process_identifier: 3028	1	1
Process32NextW Nov. 5, 2021, 8:59 a.m.	snapshot_handle: 0x0000000000000028 process_name: inject-x86.exe process_identifier: 776	1	1
Process32NextW Nov. 5, 2021, 8:59 a.m.	snapshot_handle: 0x0000000000000028 process_name: inject-x64.exe process_identifier: 564	1	1
Process32NextW Nov. 5, 2021, 8:59 a.m.	snapshot_handle: 0x0000000000000028 process_name: DYbALA.exe process_identifier: 2200	1	1
Process32NextW Nov. 5, 2021, 8:59 a.m.	snapshot_handle: 0x0000000000000028 process_name: mscorsvw.exe process_identifier: 2424	1	1
Process32NextW Nov. 5, 2021, 8:59 a.m.	snapshot_handle: 0x0000000000000028 process_name: sppsvc.exe process_identifier: 1140	1	1
Process32NextW Nov. 5, 2021, 9 a.m.	snapshot_handle: 0x0000000000000028 process_name: cmd.exe process_identifier: 2112	1	1
Process32NextW Nov. 5, 2021, 9 a.m.	snapshot_handle: 0x0000000000000028 process_name: conhost.exe process_identifier: 792	1	1
Process32NextW Nov. 5, 2021, 9 a.m.	snapshot_handle: 0x0000000000000028 process_name: pw.exe process_identifier: 2576	1	1
Process32NextW Nov. 5, 2021, 9 a.m.	snapshot_handle: 0x0000000000000028 process_name: Rufaecolufo.exe process_identifier: 2488	1	1
Process32NextW Nov. 5, 2021, 9 a.m.	snapshot_handle: 0x0000000000000028 process_name: conhost.exe process_identifier: 1976	1	1
Process32NextW Nov. 5, 2021, 9 a.m.	snapshot_handle: 0x0000000000000028 process_name: pw.exe process_identifier: 1448	1	1
Process32NextW Nov. 5, 2021, 9 a.m.	snapshot_handle: 0x0000000000000028 process_name: is32bit.exe process_identifier: 2796	1	1
Process32NextW Nov. 5, 2021, 9 a.m.	snapshot_handle: 0x0000000000000028 process_name: inject-x64.exe process_identifier: 108	1	1
Process32NextW Nov. 5, 2021, 9 a.m.	snapshot_handle: 0x0000000000000028 process_name: foldershare.exe process_identifier: 1060	1	1
Process32NextW Nov. 5, 2021, 9 a.m.	snapshot_handle: 0x0000000000000028 process_name: is32bit.exe process_identifier: 560	1	1
Process32NextW Nov. 5, 2021, 9 a.m.	snapshot_handle: 0x0000000000000028 process_name: inject-x64.exe process_identifier: 2120	1	1

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Nov. 5, 2021, 9:05 a.m.	flags: 15 family: 0		111	0

An executable file was downloaded by the processes cube_ww14.bmp, qncy_eobar1mnuvc9oidplrw.tmp, dybala.exe (10 events)

Time & API	Arguments	Status	Return
InternetReadFile Nov. 5, 2021, 9:05 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $I4! Uîr Uîr Uîr>êsUîr>ísUîr>ësUîr:êsUîr:ísUîr:ës$Uîr>ïsUîr UïroUîrË:çsUîrË:rUîrË:ìsUîrRich UîrPEd\Ì<að"z\|7@P`TÔ(0è´@Ðµ8¶0¨.text¥yz `.rdataTMN~@@.dataàÌ@À.pdata´Ø@@_RDATA î@@.rsrcè0ð@@.reloc@ò@BH 9yéÌ$ÌÌÌÌHAíÃÌÌÌÌÌÌÌÌHT$LD$LL$ SVWHì0HúHt$`HÙèÊÿÿÿE3ÉHt$ LÇHÓHè<HÄ0_^[ÃÌÌÌÌÌÌÌÌÌÌÌÌ@SHì HÙHÂH õWÀHSHHHèc1HÃHÄ [ÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌHQH%HÒHEÂÃÌÌÌÌÌÌÌÌÌÌÌÌÌH\$WHì HHùHÚHÁè1öÃt ºHÏèì#H\$0HÇHÄ _ÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌHQHHÁéY1ÌÌÌÌÌÌÌÌÌÌÌÌÌH±HÇAHAH¾HHÁÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌHìHHL$ èÂÿÿÿH³ÂHL$ è!3Ì@SHì HÙHÂH ÕWÀHSHHHèC0HXHHÃHÄ [ÃÌÌÌÌ@SHì HÙHÂH WÀHSHHHè0HHHÃHÄ [ÃÌÌÌÌH\$Ht$WHìpHçÍH3ÄH$`3öÿ<~ø3ÒNÿï}HØHD$ HøÿtF3ÒA¸0HL$0è·4ÇD$00HT$0HËÿ}Àt9\|$8tHT$0HËÿÁ}ëæt$PHûÿt HËÿ´}ÆH$`H3ÌèL$pI[IsIã_ÃÌÌÌÌÌÌÌÌÌÌÌÌÌH\$WHìHÍH3ÄH$HÙ3ÀHHAHA3ÒHÿ}HøHD$ Høÿ3ÒA¸0HL$Pèâ3ÇD$P0HT$PHÏÿ¬\|Àt_LD$XHT$\|HL$(èÜHÐHKH;Ktè*HC(ëLÂHÑHËè¥HL$(èKHT$PHÏÿ¥\|Àu©Hÿÿt HÏÿ\|HÃH$H3ÌègH$¨HÄ_ÃÌÌÌÌÌÌ@SHì HQHÙHú request_handle: 0x00cc000c	1	1
InternetReadFile Nov. 5, 2021, 9:05 a.m.	buffer: rSÑ<¡ö?ÀÐ:Gö?hhö?g6qö?ù"Qjìaö?£J;ORö?d!YÈBö?ÞÀ¸V3ö?@bwú#ö?®1h³ö?X`ö?ü-)4döõ?çÐ¸[çõ?¥âìÃgØõ?W+Éõ?úGÆ¼ºõ?ÀZk¬õ?ªÌ#ñaõ?íX0Òõ?`XVõ?:kP<íqõ?âR\|ºcõ?UUUUUUõ?þ»æ%Gõ?ëôH 9õ?K¨Vÿõ?øâêõ?ÅÄá"õ?PPõ?LÝbóô?9/§àåô?L,Ü¾CØô?n¯%¸Êô?á¦Ý>½ô?[¿R Ö¯ô?Jv¢ô?gÐ²ã9ô?H"ô?{®Gázô?f`Y4Îmô?ÏõÇË`ô?ÊvÇâÙSô?ûÙbeøFô?Mî«0':ô?Õ%f-ô?QY^&µ ô?ô?feÑô?û°?ûó?¯¥Bîó?©ä¼,âó?ÆuªÙÕó?ç«{¤Éó?U)#Ù`½ó?;±;±ó?"Èz8$¥ó?c,ó?fÓ"ó?88ó?îEÉÑ[uó?HÞóió?ø_Î]ó?Áx+ûRó?Fà¬yFó?²¼W[ä:ó?újí\/ó?¿+Jã#ó?¶ëéXwó?Ñ0 ó?`ÄÈó?h/¡½öò?KÑþ¡Nëò?KÀ%àò? P- Õò? ,MûÉò?7Zù¾ò?@+´ò?Áó©ò?ä)Aò?¥¸[rò?°°ò?MÎ¡8ú}ò?5'¸Psò?'Ö\|³hò?ñp"^ò?²w~Sò?$I$Iò?[`·>ò?ß¼xV4ò? "*ò?xû!·ò?æUHyò?ÙÀgGò? ò?pÁ}÷ñ?L¸<ôìñ?t¸?;ïâñ?½J.gõØñ?¢Ïñ?Yàü"Åñ?)íF@J»ñ?ãºòg\|±ñ?{a¹§ñ?àñ?¢Sñ?Û+°ñ?ñ?Öwñ?ysBnñ?2üPdñ? 'u_[ñ?ÉÕý£¹Qñ?;Í _Hñ?$G4?ñ?È5È5ñ?¬Àí,ñ?30]çX#ñ?&H§0ñ?ñ?¾ûñ?ðþðþð?¢%³úíõð?ækõìð?`Uäð?F¨ Ûð?:5VDÒð?;Ú¼OqÉð?qA§Àð?È%ìæ·ð?µì.r/¯ð?§h ¦ð?`¯¦Ûð?T 9?ð?âeu³«ð?B!ð?âê¸){ð?Æ÷G &sð?ûyµjð?ü©ñÒMbð?ur îYð?4×÷Qð?ÅdÌIIð?AAð?üG·Æ8ð?^µ0ð?é)wüd(ð?@ ð?7zQ6$ð?ð?ð?ð?log10ÿÿÿÿÿÿ?Cÿÿÿÿÿÿ?ÃUnknown exceptionbad array new lengthabcdefghijklmnopqrstuvwxyz0123456789_ABCDEFGHIJKLMNOPQRSTUVWXYZpidhtmpfile.tmp.dllpidHTSIGwbTaskmgr.exekernel32.dll%uLoadLibraryAvector too longstring too longMZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ÞévMÞévMÞévMÊrLÕévMÊuLØévMÊsLGévMÕrLÐévMÕuL×évMÕsLýévMÊwLÝévMÞéwM¼évMLßévMMßévMtLßévMRichÞévMPEd Ì<að" ¶øTZ`¬z(àà°ÜðX8ÐX0Ð.textÅµ¶ ` request_handle: 0x00cc000c	1	1
InternetReadFile Nov. 5, 2021, 9:05 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $AÍå¬h¶¬h¶¬h¶Çl·¬h¶Çk· ¬h¶Çm·½¬h¶½Ým·"¬h¶½Ýk·¬h¶WÙl·¬h¶WÙk·¬h¶WÙm·_¬h¶Çi·¬h¶¬i¶×¬h¶°Ùa· ¬h¶°Ù¶¬h¶°Ùj·¬h¶Rich¬h¶PEdUnoað"P>t.@`LëxÀ8ð¼Ðì @_pa(°_8`0.text@NP `.rdata`T@@.dataDîºò@À.pdata¼ð¾¬@@_RDATAô°j@@.rsrc8Àl@@.relocì Ð"p@BHì(èb H àGHÄ(éÌÌÌHì(H ¨è0ï H mIHÄ(éìH ÅIéàH ]IéÔH &ªéÄ÷ Hì(H ªèìî H ÑIHÄ(é¨Hì(A¹HoªE3ÀH õ©è÷ H IHÄ(éxHì(¹èöfHÐH 8ªèCö H ÔIHÄ(éKÌÌÌHì(H «èlî H ýIHÄ(é(H IéÌÌÌÌ·qH âIf£ï¶nqïéñÌÌÌÌÌÌÌÌÌH )JéÜÌÌÌÌH JéÌÌÌÌÌHì(=ÆÄuèÎ«Æ¸ÄfooHðE3ÀHæÄH çÄóçÄAPèf3ÉHåÄ çÄHÇHÑÄHHH .JHÄ(éMÌÌÌÌÌHì(=FÄuèN«Æ8ÄfoïHpE3ÀHÄH ÄóÄAPèæ¬3ÉHÄ ÄHÇHÄHHH îIHÄ(éÍÌÌÌÌÌHì(=ÆÃuèÎªÆ¸ÃfooHðE3ÀH¶ÃH ·Ãó·ÃAPèf¬3ÉHµÃ ·ÃHH¥ÃHHH ²IHÄ(éQÌÌÌÌÌÌÌÌÌé[ªÌÌÌÌÌÌÌÌÌÌÌHì(E3ÀH 2îAPèy`H=1îH2îv*HÇH "îLîHÁIètIÁà3Òè¾ H wIHÄ(éÖÌÌÌÌÌÌÌÌÌÌÌÌÌÌHì(E3ÀH ¢í3Òè`H IH¥íHÄ(éÌÌÌÌHì(H ½íèàÇH ÐíèÓÇÆäíH IHÄ(édÌÌÌÌÌÌÌÌÌÌÌÌHì(H ÍíèH ðíèsÆîH ÅIHÄ(é request_handle: 0x00cc0018	1	1
InternetReadFile Nov. 5, 2021, 9:05 a.m.	buffer: MZÿÿ¸@èº´ Í!¸LÍ!This program cannot be run in DOS mode. $uÀ)1¡GV1¡GV1¡GVg:V%¡GVg*Vh¡GVò®V0¡GVg)V¡GVò®V6¡GV1¡FVR¡GVg5V0¡GVg?V0¡GVRich1¡GVPELlö\|aàÀ`%Ð@@'õP0° request_handle: 0x00cc0034	1	1
InternetReadFile Nov. 5, 2021, 9:05 a.m.	buffer: MZÿÿ¸@àº´ Í!¸LÍ!This program cannot be run in DOS mode. $Ua÷ÀÀÀ~v2À?À~vÀ3À~v3ÀÀx ÀÀÀÀ~v6ÀÀ~vÀÀ~vÀÀRichÀPEL§`à FK0Ð @ O2äÌPPNÑ0O0èÃ@à.textH `.data°J @À.nefaå@N"@À.rsrcÑPNÒ&@@.relocöc0Odø@Bü 8FRbz°¾Øìü(6HVn ¸ÈÜîþ 0 B ` \| ´ Ä Ö ø &6Rh~®ºÒêü >Rjz, 2Hd\|¤¸Ìè@Rb°ÊÚð 8F`zªÀÐæö"4FXn~ª¶ÎÚî:ÖÆòÀÓA°ÜAÀoB0ÅB C1BãB`íCÞA'ga.HÄH¸vscanff:\dd\vctools\crt_bld\self_x86\crt\src\scanf.c(format != NULL)fmodTÉAöÙAÙAöÙATÙAöÙAÙAöÙAÙAÙA·ÙAÙAöÙAöÙAÙAöÙAð?ð?33ð¿0Cÿ( (_Stream->_flag & _IOSTRG) \|\| ( fn = _fileno(_Stream), request_handle: 0x00cc0030	1	1
InternetReadFile Nov. 5, 2021, 9:06 a.m.	buffer: MZPÿÿ¸@º´ Í!¸LÍ!This program must be run under Win32 $7PEL^BàÐø¥°@Ð@@ÐP (¿ðCODE0 `DATAP°¢@ÀBSSÀ¦À.idataP Ð ¦@À.tlsà°À.rdatað°@P.relocÄ@P.rsrc(¿À²@P@è@P string<@m@Ä)@¬(@Ô(@)@$)@Free0)@InitInstanceL)@CleanupInstanceh(@ ClassTypel(@ ClassName(@ClassNameIs¨(@ClassParentÀ)@ ClassInfoø(@InstanceSize°)@InheritsFromÈ)@Dispatchð)@ MethodAddress<@ MethodNamex*@FieldAddressÄ)@DefaultHandler¬(@NewInstanceÔ(@FreeInstanceTObject@Ã@ÿ% Ñ@Àÿ%Ñ@Àÿ%Ñ@Àÿ%Ñ@Àÿ%Ñ@Àÿ%Ñ@Àÿ%Ñ@Àÿ%(Ñ@Àÿ%Ñ@Àÿ%Ñ@Àÿ%üÐ@Àÿ%øÐ@Àÿ%ôÐ@Àÿ%ðÐ@Àÿ%ìÐ@Àÿ%èÐ@Àÿ%äÐ@Àÿ%àÐ@Àÿ%ÜÐ@Àÿ%ØÐ@Àÿ%ÔÐ@Àÿ%@Ñ@Àÿ%<Ñ@Àÿ%8Ñ@Àÿ%4Ñ@Àÿ%0Ñ@Àÿ%ÐÐ@Àÿ%ÌÐ@Àÿ%ÈÐ@Àÿ%ÄÐ@Àÿ%ÀÐ@Àÿ%¼Ð@Àÿ%¸Ð@Àÿ%´Ð@ÀSV¾8Ä@>u:hDjè¨ÿÿÿÈÉu3À^[Ã¡4Ä@ 4Ä@3ÒÂÀDÁBúduì^[Ã@ÃÀSVòØèÿÿÿÀu3À^[ÃPVPXB°^[ÃP Q8Ä@£8Ä@ÃSVWUQñ$è]$PV;CÐS;uÃè·ÿÿÿCCFëV;Âu ÃèÿÿÿCFß;ëuÂÖÅèUÿÿÿÀu3ÀZ]_^[Ã@SVWUÄøØû2C;ðrlÎJèk;Íw^;ðuBCB)C{uDÃè5ÿÿÿë; rÎø{;Ïu)së& J$+ù request_handle: 0x00cc000c	1	1
InternetReadFile Nov. 5, 2021, 9:07 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL'þúà"0L¼¾j @ ` @pjKx¸@ H.textÄJ L `.rsrcx¸ºN@@.reloc@ @B jH@æ0+DqÙ),%$KÕ-×sL~%þ½~82êÉTGw7, üm,p^.k-°\|%YàÅ®IT£K¸)Ãý·!É¦QÁðOÄ+d z ÁÓý3äÏ ¥Ð¹>2;ã; L¤ÐöõkðFK}àáÆÉ¶¢¿z*à}ÜÓ ÂåàZxÎy ÏóÚJÊIBÄÖo®8)<ê°²}K÷ø]ÜX4}\|zDxÒ¤XíBÚóùAsñ=>ÂMqôkEñÕª_W ½{Ju¦·C +{øSíj}ºØ]0T°¥q0¯ ÿ7Ê¡{Õkq§OäMiøzØõ¢úOqè¥qþÖCØÕ¬1=j¥ uÄê²ñ=åKrÝwvÓ´-Í@ezÃ²aw^(/µxÄú¥ö°!îËu++-ô1 _eç6À-¾%FÔ~ÏÇÉ8}þùBY¾1ïûð&ÊV¶=G®M/à!Gàá÷Ã?i request_handle: 0x00cc000c	1	1
recv Nov. 5, 2021, 9:07 a.m.	buffer: HTTP/1.1 200 OK Date: Fri, 05 Nov 2021 00:18:17 GMT Server: Apache Last-Modified: Mon, 01 Nov 2021 16:41:58 GMT ETag: "59a00-5cfbcdaf76180" Accept-Ranges: bytes Content-Length: 367104 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdos-program MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL aà"0x î @ à@S ØÀ H.textôv x `.rsrcØ z@@.relocÀ@BÐHÐsÈ">Y0¢{¾7îV<Vú8è;Ù´¬4«Ê§a!;Øi×ðSåyñ³)vrd6«ìeJ½UùuCRyØµgSWfW!Jà ®}¸ÒàÒ=¹Á_¡;¼äÒ£Öå ï ^7ÆÍb¢»+ÐO2 ¡% pî'O0\_@Ó²ã=¥ßbòìÇÿx¡sÚü>ÞðjêÂÂBH0çÁËwI¦êÂ-ø½·H"½U»CQùÇÒîvÐI¢bâ°ûï ÕÚÑhýEñòC=Ä7HÇ@,½«F°Äfæìç®ªU¾ ¨zîÐuüª·I â3éR,üÙAÒµ£àgîÖ$Êr,0ûYR9+âÓïENháü[³uô6J¬NÏ××NoÒþH]¢êoÐXaÀDôêì]mÁ£N¯!)äÍ¿Íµoåµ'{Ài5Àð6U·Ià¦E5\ü÷ØTuu~¿í¸IQDÅ»QG°ûB-RÚ\N\¥`ahøüs\|{E¶¼)8¾ÁÀ°bgÞ¶I¾9(#ÂÑùqÞÒOëù«ô1ÌnÒ.õôTñÒÃÂ$¹[ÒûÌûÄCg7qÇ}"D»9 Qé8Þ4AÞM-eOPÄÒÞi Cgë¼æWíYÖæë9.þºïZR/¿òcJîD½]Xn¤IÚWLIødòçáûÙìäp¹-}+îá¯'àEì¼¢$GÞRßD1ðUÀ~{¶T}ÂHkc]»ÿÚ¨b'\|IÛ ÕK÷8´ºØ¥Wõ:òw.+úXQ#3fUÚp/ö:`æ¬Ðã÷£%¿!yVdñXÉLl¥ÐÅC0¶¬ù%Å°óKÑ_´³zH^êúÞæg6×Y¶{t2\|ãâ,éöÔ)ô5ÑãÉ_[Ø¥±c9Ò²¾O§¼ÀÓOÅSO&2¬Þ×ÔÈÏ_@a×½H«ÏÌå¶zìiäÎæ[\|§ÓTãZ?#Fn42¼ÙFÚj7Å ~ÇSumkY³7rS¼Î°&ÞÒ¢w<ÓýÏÀ¡²Ù(^öµàfÆÍWí!Ó=»»;Óùþg8¾"7@^0u!{Ç¡A09.Ór¼2N =à¦Ò#s«~¨?ÇÁE,GÅ½_LSÖ_eµÊgÎºñ¯ðd°2XÍùÌ¤0$3 ÷)$'C9Em#s«~¨?ÇÁE,Ò?(éÐvðß,ãñÆ ¿+HÚ,PÓsÒyoºýÜNÌ)òmLà,bÕ§É#¨`S#×ÛÀÊÈ ££ðí®û¾xÒÒ!mBå.¶«'"¶rÕÛõheæb÷pçÙÓsy=ç·U¸Éé_U%û¤RéWñCP'OwìQ0yÇ 8µ¹ÕU=SÐÿ¿KÏKá´¡1g-fà 6<lRh½aGU¬¾+8$¹)È ÂÏMÎÞîOPðór)¨·¥PÖ;á\|cÖVìµ.î³ô&[ûä¾-àÊùÅÚ5¨SP-¬6QüHu;`ûã5&£¡/Ï%¥Ý¸æh%ê÷äáró`Ú¼wÌ®BdíÜ¾±[Ô¢ÐÛBM,.>^±¾ÙOÝEQ3·¤ó'îß xr«~ÿóZRRg©© &5"LÍA©¿Â½/fÌÔ4+óðHöé·×»bñnböÃëCi¦ø`f ×{{³Ö.\9Çné%Ý9ÌèÃ¾rãûGô!Cÿ&éÌ»^GyK©7â>ì?`jméhÛMï].)Ú.¶àGYì#äËxµ ¶¹ó=]Tó!æèÌÌ%jð¬vbÌ:íV}r â¦LFd®é©çu¹î§%ÁyÎØ»©ÊøÞ¶úÇiåc¸$þ8ØjsÚ%b5vØÿÂhN ¬ó¬# òxÑ~øO¹±ðäU/ÙAº»rE,æ½ªÊ>réÂz·KÕ)Ø¨H píY¡O${~¢üæy#/mØÌ7Ë·ò¹¢z<1(HÜLÓÀXXê4³A) ©ª£ÓcA¤I0Ù¯ÈÅ^M§êwÒúºeò7U^÷bõ±ÖR` #î´¸ê¥¨¦6'4±½¬J¤gt÷Ý xí¾(Ïu¨"®©XÂ&\ß }ïÃÕMÓüO:3¬l¡0]Â>iC\ë=XÁãßk¶ÞþõÍwwQ7ñ,õiè¥}PrYl¶ý î89{º¯Dr£ä=MÄé {àÿ;·þCá9¼ ¥®¡ö,õàûJ¾m5Pbü1'nÆ«S(\&úÁëz`çÓaqßdTBÛ´,¾#-J0müuðYÌYªu»áË&Kú~F8*$°¸Øã{ÐJ received: 2920 socket: 1444	1	2920
recv Nov. 5, 2021, 9:07 a.m.	buffer: HTTP/1.1 200 OK Date: Fri, 05 Nov 2021 00:18:25 GMT Server: Apache Last-Modified: Mon, 01 Nov 2021 16:08:48 GMT ETag: "88400-5cfbc645a6400" Accept-Ranges: bytes Content-Length: 558080 Content-Type: application/x-msdos-program MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELèaà"0pÎ @ à@K @À H.textÔn p `.rsrc@ r@@.relocÀ@B°HH#8kY×ïdðuÙqøß+8_WCr]E÷Ìx:.1\í(ìÄf5¥Ã[?míjOc¢áÚaÄ¿ãrÓxt7X£VuT´Q<Ð4æ¬ËÝ ±ï=Ó` ÁÈÞrOÖÏävúï&2ìà`ïó÷\|¾nÈ .r0ÞEêj¸×):2Y´ÊØWÀ(b½ÜÿVÄ.ÄCw$9½wmákB"Éa¦Ñ<<nÇâ¡¢4S üü/1:Lzâç8{m0u07¯l={éÏ©êÊã±bëñÌÍ"£3çï\|i.I!dç ó+Oò5õ$÷á»"h¯Ç 4:è,æ¯Ú@¶¸\|¿¶ïNâwÒ+ÛIyvG\|CAãb(Uó§Dáºtüq=î+sÌAãÇùjÌ[ädéõø%¯@3Î^E÷G;hèMvò«³ãÄ¶vwÓ¢QÈßìàÒ^òÝ`oéÇ>AÓÁ^wì~F³T9ÔÔÂéÛ Æ?\|ÊCçoãísøê9Ò¥¡7ÆIº£"ÁØ«ëb¨¨C{/9?TD ÞKÓ¤oÆÓ0ÂKIa[F±íå)$¹E²@âþBÇçmó+Íob>Qªªí+¾$âÄî4 ý»Ô\¥}mÈ0ð?í±ö~~ðdwÒ½iÓ¡©;-¯Á{N$øèk{«Ã^ù×}ü¾µá»Zf[Ë°6ÚÂ~Î<®` íFøJü½ÔÅ"V¾¹ 9ÎÚÈºYòT[]ý!ê¿H¯Ü·ßrµ±SíðYªüú©®Wý®î!X ÿáërÀ`p%¼#3«nö"Ì}vsÛ°A{0UùA°8>£ÿm]t íÓÖK!kúD_ÒæZOÈÔñ`Æ;»ð~O}5Xé%_L]û¢µôî·eÛ }6m+9»i!fÄHK^§sµ¯ÉýèðÛ`ô6^YõåÚÞq£ ü±ÅóÄªÈxÍ?Eè¡É(Í£Fû'ÐÔ?8Â3?x Å¡cJ<hPÌWsÿÑÜKìñS½.\XJÍ8îç7±¯0â«ÇÄ?l»ëp!sZ©=±Å(öð RÞyè6ÒöÎñE@P¶z³©ÿX®¥«ßÜ¿Z}%5%~®7áu<áDiBzÆn(°îÌi`:úU&á Óh¾ÑX;7bzê§·nèÑÛ9uso´î¬ ús&[ÞWðb^ÜÅÈÏ8dgÍUd1ªÎ¬9üEôüý=Õ}¥ÙÉÒåÇ¼%Õ#ev,qiïÐÜLpsjje¦WgnAF~÷{ÒAÎß_=tv±5C4O'ñ²£[ÖxÄ1¤BæQy:µQBóñCYo=7-üG.<XßÄÁ,u"Ê+jºq¦T RÁö¿ÉÑ>{`×EÚÀÖØF¹ê«á_h¿Ôrx~ÖN¸ði®dÄéUOm<gN¶·ÿ6\ñ4'Ô)F±Ñx«è¤È_·ö>êêt¸p¯TCíÀÂA±¼8F/Öp«xÊ²lí,U±"K´Ñ%ëcR©RVmÊÒèIÿ#ÍæºO:º×lu±ýØ3#÷¢rê+×¨Ñ½É¸QÒÙ^îôÚÉ³úiIøæIçfÐ®³£åCö& âOHq,_yóªVÌÿk2Ü0ºí<ìÂ³OÞéP+ÕX·+²®db/&ö ë§õ\¹kxÍ¤±¹Pð-`¯Å7Ä¶Ð6S©Èêû}´¨þP!ÑDéO¬Ï§Ìg×10îô;YHüG¶^1§<^Ei×;Áí+9xá[h}kñþfÊ >µbËâðéñvÞ² ï@váUÑu³¿«¥àt~¥aû¸)pÌëE£ÞÁ/ÿ&C¡öÒÒª\|ÕwBØhX?Tù9äê¹T¡jÅ³ÃÜõCi×öÔô$FîÊÞ4lG!ÿ9Ê R¹rHùÂõ"\| û«íHó¦ñ+(\|\_k[cK@RJ ºòþ!D!«~ï¾ÓÏëýá ?è'J¤&T ~{oª]õ¡ízçCàÀ¶XMÊcÏ>qZ½ ©ÑÅýôJ§8y¡UÙéYUNõÈTSÖå}õùÝ}ñI.ua7©ÕÈ$ ¾s hABy}È¶ävMoå«Qà#`;b6$áæùÇ"gWO¸£È ª§¾ª¾«wSýá]H^ãÓ5óy<oK^ï_Á¦+øMcgå3b¬±çèf`ªËp¾~Qþë þ¼Ì( Pnû!ÕïÊ¤©QÙÞikÃÓ,ä¼güz¯hðÑ'ç38Zx-Ï0ê"äMæ8(¿%bÐ²ÃB #ñ9\|¤Õo×=ÀêJEàÎQ9´jó}ç«¥J received: 2920 socket: 1444	1	2920
recv Nov. 5, 2021, 9:07 a.m.	buffer: HTTP/1.1 200 OK Date: Fri, 05 Nov 2021 00:18:30 GMT Server: Apache Last-Modified: Mon, 27 Sep 2021 13:36:56 GMT ETag: "bc800-5ccfa30ca2e00" Accept-Ranges: bytes Content-Length: 772096 Content-Type: application/x-msdos-program MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELå Qaà"0 ¼Ú( @@ @(O@¸P' H.textà `.rsrc¸@º@@.relocÆ@B¼(H´/´hMèÙ6( (0rps %rpo r'po r?po rIpo rSp-o rpo o r]po o ¥1,rups zÞo r«p( &Þ{o {o {o (0(s o 3{o! o" &&ò{o# o$ 1{o# o% o& (&r¹p(' &0Qrñprpr-p(( s) r1po o r]po o ¥1Þ ,o Ü)E (0µ{o+ o, rñprps- s. o/ o0 +co1 t6%r?po2 t6¢%rIpo2 t6¢%r'po2 t6¢s3 {o+ o4 &o5 -Þ,o* Ü,o* Ü1o %ª 0(s o 3{o! o" &&0z{o# o$ 1[{o# o% o6 o7 o8 (9 o6 o7 o8 (9 r?po6 o7 o8 (: &r¹p(' &z,{,{o (; *0IÐ(< s= s> }s? }s? }s? }s@ }s@ }sA }sB } s@ } sB }sC }sA }sA }sD }sC } sB }sD }{oE {oF { oE {oF (E {oG {oH %{¢%{¢%{¢oI {oJ {oK {.sL oM {sN oO {rYpoP { ÜsQ oR {oS {oT {oU {oV {r?poW {hoX {rIpoW { oX {rmpoW {}oX {oY {`sL oM {sN oO {rwpoP {WsQ oR {oT {rpo" {oY {@sL oM {sN oO {r¡poP {WsQ oR {oT {r¯po" {oZ {x<sL oM {sN oO {rÉpoP { _sQ oR {oT {råpo" { o[ { + sL oM { sN oO { rípoP { dsQ oR { oT { rûpo" { o\ { þs] o^ { oY { sL oM { sN oO { rpoP { _sQ oR { oT received: 2920 socket: 1444	1	2920

Expresses interest in specific running processes (2 events)

process	cube_ww14.bmp
process	jm9wzqu48oxjzdkc5i0a7tt4.exe

Repeatedly searches for a not-found process, you may want to run a web browser during analysis (50 out of 1032 events)

Time & API	Arguments	Status	Return	Repeated
Process32NextW Nov. 5, 2021, 8:58 a.m.	snapshot_handle: 0x0000000000000028 process_name: jm吐眞 process_identifier: 2492		0	0
Process32NextW Nov. 5, 2021, 8:58 a.m.	snapshot_handle: 0x0000000000000028 process_name: jm吐眞 process_identifier: 2492		0	0
Process32NextW Nov. 5, 2021, 8:58 a.m.	snapshot_handle: 0x0000000000000028 process_name: jm吐眞 process_identifier: 2492		0	0
Process32NextW Nov. 5, 2021, 8:58 a.m.	snapshot_handle: 0x0000000000000028 process_name: jm吐眞 process_identifier: 2492		0	0
Process32NextW Nov. 5, 2021, 8:58 a.m.	snapshot_handle: 0x0000000000000028 process_name: jm吐眞 process_identifier: 2492		0	0
Process32NextW Nov. 5, 2021, 8:58 a.m.	snapshot_handle: 0x0000000000000028 process_name: jm吐眞 process_identifier: 2492		0	0
Process32NextW Nov. 5, 2021, 8:58 a.m.	snapshot_handle: 0x0000000000000028 process_name: jm吐眞 process_identifier: 2492		0	0
Process32NextW Nov. 5, 2021, 8:58 a.m.	snapshot_handle: 0x0000000000000028 process_name: jm吐眞 process_identifier: 2492		0	0
Process32NextW Nov. 5, 2021, 8:58 a.m.	snapshot_handle: 0x0000000000000028 process_name: jm吐眞 process_identifier: 2492		0	0
Process32NextW Nov. 5, 2021, 8:58 a.m.	snapshot_handle: 0x0000000000000028 process_name: jm吐眞 process_identifier: 2492		0	0
Process32NextW Nov. 5, 2021, 8:58 a.m.	snapshot_handle: 0x0000000000000028 process_name: jm吐眞 process_identifier: 2492		0	0
Process32NextW Nov. 5, 2021, 8:58 a.m.	snapshot_handle: 0x0000000000000028 process_name: jm吐眞 process_identifier: 2492		0	0
Process32NextW Nov. 5, 2021, 8:58 a.m.	snapshot_handle: 0x0000000000000028 process_name: jm吐眞 process_identifier: 2492		0	0
Process32NextW Nov. 5, 2021, 8:58 a.m.	snapshot_handle: 0x0000000000000028 process_name: jm吐眞 process_identifier: 2492		0	0
Process32NextW Nov. 5, 2021, 8:58 a.m.	snapshot_handle: 0x0000000000000028 process_name: jm吐眞 process_identifier: 2492		0	0
Process32NextW Nov. 5, 2021, 8:58 a.m.	snapshot_handle: 0x0000000000000028 process_name: jm吐眞 process_identifier: 2492		0	0
Process32NextW Nov. 5, 2021, 8:58 a.m.	snapshot_handle: 0x0000000000000028 process_name: jm吐眞 process_identifier: 2492		0	0
Process32NextW Nov. 5, 2021, 8:58 a.m.	snapshot_handle: 0x0000000000000028 process_name: jm吐眞 process_identifier: 2492		0	0
Process32NextW Nov. 5, 2021, 8:58 a.m.	snapshot_handle: 0x0000000000000028 process_name: jm吐眞 process_identifier: 2492		0	0
Process32NextW Nov. 5, 2021, 8:58 a.m.	snapshot_handle: 0x0000000000000028 process_name: jm吐眞 process_identifier: 2492		0	0
Process32NextW Nov. 5, 2021, 8:58 a.m.	snapshot_handle: 0x0000000000000028 process_name: jm吐眞 process_identifier: 2492		0	0
Process32NextW Nov. 5, 2021, 8:58 a.m.	snapshot_handle: 0x0000000000000028 process_name: jm吐眞 process_identifier: 2492		0	0
Process32NextW Nov. 5, 2021, 8:58 a.m.	snapshot_handle: 0x0000000000000028 process_name: jm吐眞 process_identifier: 2492		0	0
Process32NextW Nov. 5, 2021, 8:58 a.m.	snapshot_handle: 0x0000000000000028 process_name: jm吐眞 process_identifier: 2492		0	0
Process32NextW Nov. 5, 2021, 8:58 a.m.	snapshot_handle: 0x0000000000000028 process_name: jm吐眞 process_identifier: 2492		0	0
Process32NextW Nov. 5, 2021, 8:58 a.m.	snapshot_handle: 0x0000000000000028 process_name: jm吐眞 process_identifier: 2492		0	0
Process32NextW Nov. 5, 2021, 8:58 a.m.	snapshot_handle: 0x0000000000000028 process_name: jm吐眞 process_identifier: 2492		0	0
Process32NextW Nov. 5, 2021, 8:58 a.m.	snapshot_handle: 0x0000000000000028 process_name: jm吐眞 process_identifier: 2492		0	0
Process32NextW Nov. 5, 2021, 8:58 a.m.	snapshot_handle: 0x0000000000000028 process_name: jm吐眞 process_identifier: 2492		0	0
Process32NextW Nov. 5, 2021, 8:58 a.m.	snapshot_handle: 0x0000000000000028 process_name: jm吐眞 process_identifier: 2492		0	0
Process32NextW Nov. 5, 2021, 8:58 a.m.	snapshot_handle: 0x0000000000000028 process_name: jm吐眞 process_identifier: 2492		0	0
Process32NextW Nov. 5, 2021, 8:58 a.m.	snapshot_handle: 0x0000000000000028 process_name: jm吐眞 process_identifier: 2492		0	0
Process32NextW Nov. 5, 2021, 8:58 a.m.	snapshot_handle: 0x0000000000000028 process_name: jm吐眞 process_identifier: 2492		0	0
Process32NextW Nov. 5, 2021, 8:58 a.m.	snapshot_handle: 0x0000000000000028 process_name: jm吐眞 process_identifier: 2492		0	0
Process32NextW Nov. 5, 2021, 8:58 a.m.	snapshot_handle: 0x0000000000000028 process_name: jm吐眞 process_identifier: 2492		0	0
Process32NextW Nov. 5, 2021, 8:58 a.m.	snapshot_handle: 0x0000000000000028 process_name: jm吐眞 process_identifier: 2492		0	0
Process32NextW Nov. 5, 2021, 8:58 a.m.	snapshot_handle: 0x0000000000000028 process_name: jm吐眞 process_identifier: 2492		0	0
Process32NextW Nov. 5, 2021, 8:58 a.m.	snapshot_handle: 0x0000000000000028 process_name: jm吐眞 process_identifier: 2492		0	0
Process32NextW Nov. 5, 2021, 8:58 a.m.	snapshot_handle: 0x0000000000000028 process_name: jm吐眞 process_identifier: 2492		0	0
Process32NextW Nov. 5, 2021, 8:58 a.m.	snapshot_handle: 0x0000000000000028 process_name: jm吐眞 process_identifier: 2492		0	0
Process32NextW Nov. 5, 2021, 8:58 a.m.	snapshot_handle: 0x0000000000000028 process_name: jm吐眞 process_identifier: 2492		0	0
Process32NextW Nov. 5, 2021, 8:58 a.m.	snapshot_handle: 0x0000000000000028 process_name: jm吐眞 process_identifier: 2492		0	0
Process32NextW Nov. 5, 2021, 8:58 a.m.	snapshot_handle: 0x0000000000000028 process_name: jm吐眞 process_identifier: 2492		0	0
Process32NextW Nov. 5, 2021, 8:58 a.m.	snapshot_handle: 0x0000000000000028 process_name: jm吐眞 process_identifier: 2492		0	0
Process32NextW Nov. 5, 2021, 8:58 a.m.	snapshot_handle: 0x0000000000000028 process_name: jm吐眞 process_identifier: 2492		0	0
Process32NextW Nov. 5, 2021, 8:58 a.m.	snapshot_handle: 0x0000000000000028 process_name: jm吐眞 process_identifier: 2492		0	0
Process32NextW Nov. 5, 2021, 8:58 a.m.	snapshot_handle: 0x0000000000000028 process_name: jm吐眞 process_identifier: 2492		0	0
Process32NextW Nov. 5, 2021, 8:58 a.m.	snapshot_handle: 0x0000000000000028 process_name: jm吐眞 process_identifier: 2492		0	0
Process32NextW Nov. 5, 2021, 8:58 a.m.	snapshot_handle: 0x0000000000000028 process_name: jm吐眞 process_identifier: 2492		0	0
Process32NextW Nov. 5, 2021, 8:58 a.m.	snapshot_handle: 0x0000000000000028 process_name: jm吐眞 process_identifier: 2492		0	0

Communicates with host for which no DNS query was performed (2 events)

host	212.192.241.15
host	45.133.1.107

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover

reg_value

"C:\Program Files (x86)\Windows Photo Viewer\Nunaedobyle.exe"

Network activity contains more than one unique useragent (3 events)

process	Cube_WW14.bmp	useragent	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
process	Cube_WW14.bmp	useragent	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
process	qNCY_EOBar1MnuVc9oiDPLRw.tmp	useragent	InnoDownloadPlugin/1.5

Disables Windows Security features (6 events)

description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection

File has been identified by 49 AntiVirus engines on VirusTotal as malicious (49 events)

Lionic	Trojan.Win32.Stealer.i!c
MicroWorld-eScan	Trojan.AntiSandbox.GenericKDS.37819867
FireEye	Trojan.AntiSandbox.GenericKDS.37819867
CAT-QuickHeal	PUA.GenericRI.S23914449
McAfee	GenericRXQJ-OJ!7C53B803484C
Cylance	Unsafe
Zillya	Downloader.Agent.Win32.451946
Sangfor	Trojan.Win32.Disbuk.gen
K7AntiVirus	Trojan-Downloader ( 005883801 )
Alibaba	TrojanPSW:Win32/Disbuk.323fdab4
K7GW	Trojan-Downloader ( 00588d291 )
BitDefenderTheta	Gen:NN.ZexaF.34236.zu0@a04L9YiO
Cyren	W32/Zusy.JB.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/TrojanDownloader.Agent.FXP
APEX	Malicious
Paloalto	generic.ml
Kaspersky	HEUR:Trojan-PSW.Win32.Disbuk.gen
BitDefender	Trojan.AntiSandbox.GenericKDS.37819867
SUPERAntiSpyware	Trojan.Agent/Gen-Downloader
Avast	Win32:DropperX-gen [Drp]
Ad-Aware	Trojan.AntiSandbox.GenericKDS.37819867
Emsisoft	Trojan.AntiSandbox.GenericKDS.37819867 (B)
TrendMicro	TROJ_GEN.R049C0PJL21
McAfee-GW-Edition	GenericRXQJ-OJ!7C53B803484C
Sophos	Mal/Generic-S
Jiangmin	Trojan.PSW.Stealer.va
Avira	TR/Dldr.Agent.fnplw
MAX	malware (ai score=100)
Antiy-AVL	Trojan/Generic.ASMalwS.34BC1CD
Kingsoft	Win32.PSWTroj.Undef.(kcloud)
Gridinsoft	Trojan.Win32.Downloader.sa
ViRobot	Trojan.Win32.Z.Win.412672.A
ZoneAlarm	HEUR:Trojan-PSW.Win32.Disbuk.gen
GData	Trojan.AntiSandbox.GenericKDS.37819867
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win.Generic.R446027
VBA32	BScope.TrojanRansom.FileCryptor
ALYac	Trojan.AntiSandbox.GenericKDS.37819867
Malwarebytes	Trojan.Downloader
TrendMicro-HouseCall	TROJ_GEN.R049C0PJL21
Tencent	Malware.Win32.Gencirc.11d53795
Ikarus	Trojan-Downloader.Win32.Agent
MaxSecure	Trojan.Malware.74142850.susgen
Fortinet	W32/Agent.FXP!tr
AVG	Win32:DropperX-gen [Drp]
Panda	Trj/CI.A
CrowdStrike	win/malicious_confidence_100% (W)
Qihoo-360	Win32/TrojanPSW.Generic.HgIASeYA

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (3 events)

dead_host	192.168.56.103:49249
dead_host	192.168.56.103:49227
dead_host	192.168.56.103:49180

Cube_WW14.bmp

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All